add fstools, and more cleanup
parent
80436b9b8f
commit
58c3da55f3
@ -126,6 +126,7 @@ files_read_generic_etc_files(bootloader_t)
|
|||||||
files_read_etc_runtime_files(bootloader_t)
|
files_read_etc_runtime_files(bootloader_t)
|
||||||
files_read_usr_src(bootloader_t)
|
files_read_usr_src(bootloader_t)
|
||||||
files_read_usr_files(bootloader_t)
|
files_read_usr_files(bootloader_t)
|
||||||
|
files_read_var_file(bootloader_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_dontaudit_search_pids(bootloader_t)
|
files_dontaudit_search_pids(bootloader_t)
|
||||||
|
|
||||||
@ -141,13 +142,16 @@ miscfiles_read_localization(bootloader_t)
|
|||||||
seutil_read_binary_pol(bootloader_t)
|
seutil_read_binary_pol(bootloader_t)
|
||||||
seutil_read_loadpol(bootloader_t)
|
seutil_read_loadpol(bootloader_t)
|
||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian',`
|
||||||
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
||||||
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
|
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
|
||||||
allow bootloader_t boot_t:file relabelfrom;
|
allow bootloader_t boot_t:file relabelfrom;
|
||||||
|
|
||||||
|
# for /usr/share/initrd-tools/scripts
|
||||||
|
files_exec_usr_files(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat',`
|
||||||
# for memlock
|
# for memlock
|
||||||
allow bootloader_t self:capability ipc_lock;
|
allow bootloader_t self:capability ipc_lock;
|
||||||
|
|
||||||
@ -157,17 +161,22 @@ ifdef(`distro_redhat', `
|
|||||||
# mkinitrd mount initrd on bootloader temp dir
|
# mkinitrd mount initrd on bootloader temp dir
|
||||||
files_mountpoint(bootloader_tmp_t)
|
files_mountpoint(bootloader_tmp_t)
|
||||||
|
|
||||||
|
# new file system defaults to file_t, granting file_t access is still bad.
|
||||||
|
files_manage_isid_type_dir(bootloader_t)
|
||||||
|
files_manage_isid_type_file(bootloader_t)
|
||||||
|
files_manage_isid_type_symlink(bootloader_t)
|
||||||
|
files_manage_isid_type_blk_node(bootloader_t)
|
||||||
|
files_manage_isid_type_chr_node(bootloader_t)
|
||||||
|
|
||||||
# for mke2fs
|
# for mke2fs
|
||||||
mount_domtrans(bootloader_t)
|
mount_domtrans(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`filesystemtools.te', `
|
optional_policy(`filesystemtools.te',`
|
||||||
filesystemtools_execute(bootloader_t)
|
filesystemtools_execute(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# LVM2 / Device Mapper's /dev/mapper/control
|
optional_policy(`lvm.te',`
|
||||||
# maybe we should change the labeling for this
|
|
||||||
optional_policy(`lvm.te', `
|
|
||||||
dev_rw_lvm_control(bootloader_t)
|
dev_rw_lvm_control(bootloader_t)
|
||||||
|
|
||||||
lvm_domtrans(bootloader_t)
|
lvm_domtrans(bootloader_t)
|
||||||
@ -185,8 +194,9 @@ optional_policy(`modutils.te',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
allow bootloader_t var_t:dir search;
|
dontaudit bootloader_t selinux_config_t:dir search;
|
||||||
allow bootloader_t var_t:file { getattr read };
|
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
||||||
|
dontaudit bootloader_t devpts_t:dir create_dir_perms;
|
||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
|
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
|
||||||
@ -197,18 +207,6 @@ ifdef(`distro_debian', `
|
|||||||
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
|
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
|
||||||
allow bootloader_t dpkg_var_lib_t:file { getattr read };
|
allow bootloader_t dpkg_var_lib_t:file { getattr read };
|
||||||
|
|
||||||
# for /usr/share/initrd-tools/scripts
|
|
||||||
can_exec(bootloader_t, usr_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
|
||||||
# new file system defaults to file_t, granting file_t access is still bad.
|
|
||||||
allow bootloader_t file_t:dir create_dir_perms;
|
|
||||||
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
|
|
||||||
allow bootloader_t file_t:lnk_file create_lnk_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
dontaudit bootloader_t selinux_config_t:dir search;
|
|
||||||
dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
|
||||||
dontaudit bootloader_t devpts_t:dir create_dir_perms;
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
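Review bot: The five `files_manage_isid_type_*` calls added to the `distro_redhat` block give bootloader_t manage access to file_t directories, files, symlinks, and block and character device nodes. They sit ahead of the TODO ifdef block that held the raw file_t rules they replace, so they appear to become active policy with this commit. The carried-over comment only says the grant "is still bad"; it should say why it is tolerated and what would let it be dropped, for example `# mkinitrd populates a freshly made, unlabeled filesystem mounted on bootloader_tmp_t; remove once that mount carries a real label`. Device-node creation on file_t is the widest of the five grants, so confirm from audit logs that the two node interfaces are needed.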
@ -172,11 +172,11 @@ interface(`kernel_dontaudit_read_ring_buffer',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
##
|
## Change the level of kernel messages logged to the console.
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
##
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`kernel_change_ring_buffer_level',`
|
interface(`kernel_change_ring_buffer_level',`
|
||||||
|
@ -88,6 +88,10 @@ fs_search_auto_mountpoints(inetd_t)
|
|||||||
|
|
||||||
term_dontaudit_use_console(inetd_t)
|
term_dontaudit_use_console(inetd_t)
|
||||||
|
|
||||||
|
# Run other daemons in the inetd_child_t domain.
|
||||||
|
corecmd_search_bin(inetd_t)
|
||||||
|
corecmd_read_sbin_symlink(inetd_t)
|
||||||
|
|
||||||
domain_use_wide_inherit_fd(inetd_t)
|
domain_use_wide_inherit_fd(inetd_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(inetd_t)
|
files_read_generic_etc_files(inetd_t)
|
||||||
@ -112,8 +116,8 @@ ifdef(`targeted_policy', `
|
|||||||
files_dontaudit_read_root_file(inetd_t)
|
files_dontaudit_read_root_file(inetd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rhgb.te',`
|
optional_policy(`mount.te',`
|
||||||
rhgb_domain(inetd_t)
|
mount_send_nfs_client_request(inetd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -129,17 +133,13 @@ allow inetd_t proc_t:dir r_dir_perms;
|
|||||||
allow inetd_t proc_t:lnk_file read;
|
allow inetd_t proc_t:lnk_file read;
|
||||||
dontaudit inetd_t sysadm_home_dir_t:dir search;
|
dontaudit inetd_t sysadm_home_dir_t:dir search;
|
||||||
|
|
||||||
ifdef(`mount.te', `
|
optional_policy(`rhgb.te',`
|
||||||
allow inetd_t mount_t:udp_socket rw_socket_perms;
|
rhgb_domain(inetd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# allow any domain to connect to inetd
|
# allow any domain to connect to inetd
|
||||||
can_tcp_connect(userdomain, inetd_t)
|
can_tcp_connect(userdomain, inetd_t)
|
||||||
|
|
||||||
# Run other daemons in the inetd_child_t domain.
|
|
||||||
allow inetd_t { bin_t sbin_t }:dir search;
|
|
||||||
allow inetd_t sbin_t:lnk_file read;
|
|
||||||
|
|
||||||
# Bind to the telnet, ftp, rlogin and rsh ports.
|
# Bind to the telnet, ftp, rlogin and rsh ports.
|
||||||
ifdef(`talk.te', `
|
ifdef(`talk.te', `
|
||||||
allow inetd_t talk_port_t:tcp_socket name_bind;
|
allow inetd_t talk_port_t:tcp_socket name_bind;
|
||||||
|
@ -51,7 +51,7 @@ interface(`clock_run',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <desc>
|
||||||
## Execute hwclock
|
## Execute hwclock in the caller domain.
|
||||||
## </desc>
|
## </desc>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
|
@ -43,6 +43,7 @@ interface(`corecmd_list_bin',`
|
|||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of files in bin directories.
|
## Get the attributes of files in bin directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
@ -58,6 +59,7 @@ interface(`corecmd_getattr_bin_file',`
|
|||||||
allow $1 bin_t:file getattr;
|
allow $1 bin_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read symbolic links in bin directories.
|
## Read symbolic links in bin directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
@ -144,6 +146,24 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
|
|||||||
dontaudit $1 sbin_t:file getattr;
|
dontaudit $1 sbin_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read symbolic links in sbin directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
interface(`corecmd_read_sbin_symlink',`
|
||||||
|
gen_require(`
|
||||||
|
type sbin_t;
|
||||||
|
class dir search;
|
||||||
|
class lnk_file read;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 sbin_t:dir search;
|
||||||
|
allow $1 sbin_t:lnk_file read;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecmd_exec_sbin(domain)
|
# corecmd_exec_sbin(domain)
|
||||||
|
@ -591,9 +591,33 @@ interface(`files_create_etc_config',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to search directories on new filesystems
|
||||||
|
## that have not yet been labeled.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
# files_rw_isid_type_dir(domain)
|
interface(`files_dontaudit_search_isid_type_dir',`
|
||||||
|
gen_require(`
|
||||||
|
type file_t;
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 file_t:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write directories on new filesystems
|
||||||
|
## that have not yet been labeled.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_rw_isid_type_dir',`
|
interface(`files_rw_isid_type_dir',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -605,29 +629,121 @@ interface(`files_rw_isid_type_dir',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete directories
|
||||||
|
## on new filesystems that have not yet been labeled.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
# files_dontaudit_getattr_isid_type_dir(domain)
|
interface(`files_manage_isid_type_dir',`
|
||||||
#
|
|
||||||
interface(`files_dontaudit_getattr_isid_type_dir',`
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type file_t;
|
type file_t;
|
||||||
class dir search;
|
class dir create_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 file_t:dir search;
|
allow $1 file_t:dir create_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete files
|
||||||
|
## on new filesystems that have not yet been labeled.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
# files_dontaudit_search_isid_type_dir(domain)
|
interface(`files_manage_isid_type_file',`
|
||||||
|
gen_require(`
|
||||||
|
type file_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 file_t:dir rw_dir_perms;
|
||||||
|
allow $1 file_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete symbolic links
|
||||||
|
## on new filesystems that have not yet been labeled.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_dontaudit_search_isid_type_dir',`
|
interface(`files_manage_isid_type_symlink',`
|
||||||
|
gen_require(`
|
||||||
|
type file_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class lnk_file create_lnk_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 file_t:dir rw_dir_perms;
|
||||||
|
allow $1 file_t:lnk_file create_lnk_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write block device nodes on new filesystems
|
||||||
|
## that have not yet been labeled.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_rw_isid_type_blk_node',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type file_t;
|
type file_t;
|
||||||
class dir search;
|
class dir search;
|
||||||
|
class blk_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 file_t:dir search;
|
allow $1 file_t:dir search;
|
||||||
|
allow $1 file_t:blk_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete block device nodes
|
||||||
|
## on new filesystems that have not yet been labeled.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_manage_isid_type_blk_node',`
|
||||||
|
gen_require(`
|
||||||
|
type file_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class blk_file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 file_t:dir rw_dir_perms;
|
||||||
|
allow $1 file_t:blk_file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete character device nodes
|
||||||
|
## on new filesystems that have not yet been labeled.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_manage_isid_type_chr_node',`
|
||||||
|
gen_require(`
|
||||||
|
type file_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class chr_file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 file_t:dir rw_dir_perms;
|
||||||
|
allow $1 file_t:chr_file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -807,6 +923,25 @@ interface(`files_dontaudit_search_var',`
|
|||||||
dontaudit $1 var_t:dir search;
|
dontaudit $1 var_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read files in the /var directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_read_var_file',`
|
||||||
|
gen_require(`
|
||||||
|
type var_t;
|
||||||
|
class dir search;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 var_t:dir search;
|
||||||
|
allow $1 var_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <desc>
|
||||||
## Search the /var/lib directory.
|
## Search the /var/lib directory.
|
||||||
|
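Review bot: The summaries of the new `files_manage_isid_type_*` and `files_rw_isid_type_blk_node` interfaces describe the target as "new filesystems that have not yet been labeled", but every rule is written against the type `file_t`. The grant therefore follows that type wherever it appears, not only on a filesystem the caller has just created; wording such as "objects of type file_t (no label assigned)" would stop callers underestimating the scope. `files_manage_isid_type_blk_node` and `files_manage_isid_type_chr_node` use `create_file_perms`, so their summaries should state explicitly that the caller may create device nodes. Separately, the second hunk removes `files_dontaudit_getattr_isid_type_dir`; any caller outside this page would stop building, which should be checked before merging.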
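--- a/refpolicy/policy/modules/system/fstools.fc
+++ b/refpolicy/policy/modules/system/fstools.fc
@@ -0,0 +1,36 @@
+/sbin/blockdev -- system_u:object_r:fsadm_exec_t
+/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
+/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
+/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
+/sbin/e2label -- system_u:object_r:fsadm_exec_t
+/sbin/fdisk -- system_u:object_r:fsadm_exec_t
+/sbin/findfs -- system_u:object_r:fsadm_exec_t
+/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
+/sbin/hdparm -- system_u:object_r:fsadm_exec_t
+/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
+/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
+/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
+/sbin/lsraid -- system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
+/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
+/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
+/sbin/mkraid -- system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
+/sbin/mkswap -- system_u:object_r:fsadm_exec_t
+/sbin/parted -- system_u:object_r:fsadm_exec_t
+/sbin/partprobe -- system_u:object_r:fsadm_exec_t
+/sbin/partx -- system_u:object_r:fsadm_exec_t
+/sbin/raidstart -- system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
+/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
+/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
+/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
+/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
+
+/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
+/usr/bin/raw -- system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
+
+/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t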
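--- a/refpolicy/policy/modules/system/fstools.if
+++ b/refpolicy/policy/modules/system/fstools.if
@@ -0,0 +1,66 @@
+## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>
+
+########################################
+## <desc>
+## Execute fs tools in the fstools domain.
+## </desc>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`fstools_domtrans',`
+gen_require(`
+type fsadm_t, fsadm_exec_t;
+class fd use;
+class fifo_file rw_file_perms;
+')
+
+domain_auto_trans($1,fsadm_exec_t,fsadm_t)
+
+allow $1 fsadm_t:fd use;
+allow fsadm_t $1:fd use;
+allow fsadm_t $1:fifo_file rw_file_perms;
+allow fsadm_t $1:process sigchld;
+')
+
+########################################
+## <desc>
+## Execute fs tools in the fstools domain, and
+## allow the specified role the fs tools domain.
+## </desc>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+## <param name="role">
+## The role to be allowed the fs tools domain.
+## </param>
+## <param name="terminal">
+## The type of the terminal allow the fs tools domain to use.
+## </param>
+#
+interface(`fstools_run',`
+gen_require(`
+type fsadm_t;
+class chr_file { getattr read write ioctl };
+')
+
+fstools_domtrans($1)
+role $2 types fsadm_t;
+allow fsadm_t $3:chr_file { getattr read write ioctl };
+')
+
+########################################
+## <desc>
+## Execute fsadm in the caller domain.
+## </desc>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`fstools_exec',`
+gen_require(`
+type fsadm_exec_t;
+')
+
+can_exec($1,fsadm_exec_t)
+')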
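Review bot: `fstools_domtrans` ends with `allow fsadm_t $1:process sigchld;`, but its `gen_require` block declares only `class fd use;` and `class fifo_file rw_file_perms;`, so the interface uses a class it does not require. Add `class process sigchld;` to that block; `corecmd_read_sbin_symlink`, added in this same commit, lists every class its rules touch. The doc blocks in this new file also use `<desc>`, while the `kernel_change_ring_buffer_level` hunk of this commit switches to `<summary>`; using `<summary>` here would keep the interface documentation uniform.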
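--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -0,0 +1,143 @@
+
+policy_module(fstools,1.0)
+
+########################################
+#
+# Declarations
+#
+type fsadm_t;
+type fsadm_exec_t;
+init_system_domain(fsadm_t,fsadm_exec_t)
+role system_r types fsadm_t;
+
+type fsadm_tmp_t;
+files_tmp_file(fsadm_tmp_t)
+
+type swapfile_t;
+files_file_type(swapfile_t)
+
+########################################
+
+# ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow fsadm_t self:fd use;
+allow fsadm_t self:fifo_file rw_file_perms;
+allow fsadm_t self:unix_dgram_socket create_socket_perms;
+allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
+allow fsadm_t self:unix_dgram_socket sendto;
+allow fsadm_t self:unix_stream_socket connectto;
+allow fsadm_t self:shm create_shm_perms;
+allow fsadm_t self:sem create_sem_perms;
+allow fsadm_t self:msgq create_msgq_perms;
+allow fsadm_t self:msg { send receive };
+
+can_exec(fsadm_t, fsadm_exec_t)
+
+allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
+allow fsadm_t fsadm_tmp_t:file create_file_perms;
+files_create_tmp_files(fsadm_t, fsadm_tmp_t, { file dir })
+
+# Enable swapping to files
+allow fsadm_t swapfile_t:file { getattr swapon };
+
+kernel_read_system_state(fsadm_t)
+kernel_read_kernel_sysctl(fsadm_t)
+# Allow console log change (updfstab)
+kernel_change_ring_buffer_level(fsadm_t)
+
+# mkreiserfs and other programs need this for UUID
+dev_read_rand(fsadm_t)
+dev_read_urand(fsadm_t)
+# Recreate /dev/cdrom.
+dev_manage_generic_symlinks(fsadm_t)
+# Access to /initrd devices
+dev_search_usbfs(fsadm_t)
+
+fs_search_auto_mountpoints(fsadm_t)
+fs_getattr_xattr_fs(fsadm_t)
+# remount file system to apply changes
+fs_remount_xattr_fs(fsadm_t)
+
+storage_raw_read_fixed_disk(fsadm_t)
+storage_raw_write_fixed_disk(fsadm_t)
+storage_raw_read_removable_device(fsadm_t)
+storage_raw_write_removable_device(fsadm_t)
+storage_read_scsi_generic(fsadm_t)
+
+domain_use_wide_inherit_fd(fsadm_t)
+
+files_list_home(fsadm_t)
+files_read_usr_files(fsadm_t)
+files_read_generic_etc_files(fsadm_t)
+files_list_mnt(fsadm_t)
+# Write to /etc/mtab.
+files_manage_etc_runtime_files(fsadm_t)
+# Access to /initrd devices
+files_rw_isid_type_dir(fsadm_t)
+files_rw_isid_type_blk_node(fsadm_t)
+
+init_use_fd(fsadm_t)
+init_use_script_pty(fsadm_t)
+
+libs_use_ld_so(fsadm_t)
+libs_use_shared_libs(fsadm_t)
+
+logging_send_syslog_msg(fsadm_t)
+
+miscfiles_read_localization(fsadm_t)
+
+modutils_read_module_conf(fsadm_t)
+
+seutil_read_config(fsadm_t)
+
+userdom_use_unpriv_users_fd(fsadm_t)
+
+optional_policy(`nis.te',`
+nis_use_ypbind(fsadm_t)
+')
+
+ifdef(`TODO',`
+# for swapon
+allow fsadm_t sysfs_t:dir { search getattr };
+
+# for /dev/shm
+allow fsadm_t tmpfs_t:dir { getattr search };
+
+allow fsadm_t bin_t:dir r_dir_perms;
+allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
+allow fsadm_t sbin_t:dir r_dir_perms;
+allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
+if (read_default_t) {
+allow fsadm_t default_t:dir r_dir_perms;
+allow fsadm_t default_t:notdevfile_class_set r_file_perms;
+}
+
+# mkreiserfs needs this
+allow fsadm_t proc_t:filesystem getattr;
+
+# Access lost+found.
+allow fsadm_t lost_found_t:dir create_dir_perms;
+allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
+allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
+
+allow fsadm_t file_t:dir { search read getattr rmdir create };
+
+# Recreate /mnt/cdrom.
+allow fsadm_t mnt_t:dir { rmdir create };
+
+# Enable swapping to devices and files
+allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
+
+# Access terminals.
+ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
+
+# for smartctl cron jobs
+system_crond_entry(fsadm_exec_t, fsadm_t)
+
+# Access to /initrd devices
+allow fsadm_t unlabeled_t:dir rw_dir_perms;
+allow fsadm_t unlabeled_t:blk_file rw_file_perms;
+allow fsadm_t usbfs_t:dir getattr;
+
+') dnl end TODO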
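Review bot: The rule `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };` grants by exclusion, so fsadm_t receives every process permission not named in the set, including any permission added to the class later. This file also gives the domain `sys_rawio`, `sys_admin` and raw read/write on fixed and removable disks, so an explicit allow list would be easier to audit and would not widen silently. I would replace the complement with the permissions the tools are shown to need, for example `allow fsadm_t self:process { fork sigchld sigkill sigstop signull signal };`, and confirm the exact set from denials in testing. The second `########################################` banner also has no section title under it, unlike the "Declarations" banner above; a `# Local policy` header would match.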
@ -131,6 +131,10 @@ optional_policy(`consoletype.te',`
|
|||||||
consoletype_domtrans(hotplug_t)
|
consoletype_domtrans(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`fstools.te',`
|
||||||
|
fstools_domtrans(hotplug_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`hostname.te',`
|
optional_policy(`hostname.te',`
|
||||||
hostname_exec(hotplug_t)
|
hostname_exec(hotplug_t)
|
||||||
')
|
')
|
||||||
@ -188,10 +192,6 @@ optional_policy(`hotplug.te',`
|
|||||||
allow hald_t hotplug_etc_t:file { getattr read };
|
allow hald_t hotplug_etc_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`fsadm.te', `
|
|
||||||
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`lpd.te', `
|
optional_policy(`lpd.te', `
|
||||||
allow hotplug_t printer_device_t:chr_file setattr;
|
allow hotplug_t printer_device_t:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
@ -138,12 +138,15 @@ fs_getattr_xattr_fs(depmod_t)
|
|||||||
|
|
||||||
term_use_console(depmod_t)
|
term_use_console(depmod_t)
|
||||||
|
|
||||||
|
corecmd_search_bin(depmod_t)
|
||||||
|
corecmd_search_sbin(depmod_t)
|
||||||
|
|
||||||
|
domain_use_wide_inherit_fd(depmod_t)
|
||||||
|
|
||||||
init_use_fd(depmod_t)
|
init_use_fd(depmod_t)
|
||||||
init_use_script_fd(depmod_t)
|
init_use_script_fd(depmod_t)
|
||||||
init_use_script_pty(depmod_t)
|
init_use_script_pty(depmod_t)
|
||||||
|
|
||||||
domain_use_wide_inherit_fd(depmod_t)
|
|
||||||
|
|
||||||
files_read_etc_runtime_files(depmod_t)
|
files_read_etc_runtime_files(depmod_t)
|
||||||
files_read_generic_etc_files(depmod_t)
|
files_read_generic_etc_files(depmod_t)
|
||||||
files_read_usr_src(depmod_t)
|
files_read_usr_src(depmod_t)
|
||||||
@ -153,8 +156,6 @@ libs_use_shared_libs(depmod_t)
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
allow depmod_t { bin_t sbin_t }:dir search;
|
|
||||||
|
|
||||||
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
||||||
|
|
||||||
# Read System.map from home directories.
|
# Read System.map from home directories.
|
||||||
|
@ -84,6 +84,10 @@ optional_policy(`clock.te',`
|
|||||||
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`fstools.te',`
|
||||||
|
fstools_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`hostname.te',`
|
optional_policy(`hostname.te',`
|
||||||
hostname_run(sysadm_t,sysadm_r,admin_terminal)
|
hostname_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|