rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy

Browse Source
This commit is contained in:
Dan Walsh 2010-09-22 16:46:04 -04:00
commit 5d82597463
195 changed files with 1621 additions and 1708 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
policy/modules/admin/shorewall.if
View File

@ -185,18 +185,18 @@ interface(`shorewall_admin',`
role_transition $2 shorewall_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
files_list_etc($1)
admin_pattern($1, shorewall_etc_t)
files_search_locks($1)
files_list_locks($1)
admin_pattern($1, shorewall_lock_t)
files_search_var_lib($1)
files_list_var_lib($1)
admin_pattern($1, shorewall_var_lib_t)
logging_search_logs($1)
logging_list_logs($1)
admin_pattern($1, shorewall_log_t)
files_search_tmp($1)
files_list_tmp($1)
admin_pattern($1, shorewall_tmp_t)
')

6
policy/modules/apps/gnome.if
View File

@ -320,7 +320,7 @@ interface(`gnome_admin_home_gconf_filetrans',`
## </summary>
## </param>
#
template(`gnome_read_gconf_config',`
interface(`gnome_read_gconf_config',`
gen_require(`
type gconf_etc_t;
')
@ -498,7 +498,7 @@ interface(`gnome_stream_connect',`
## </summary>
## </param>
#
template(`gnome_list_home_config',`
interface(`gnome_list_home_config',`
gen_require(`
type config_home_t;
')
@ -535,7 +535,7 @@ template(`gnome_setattr_home_config',`
## </summary>
## </param>
#
template(`gnome_read_home_config',`
interface(`gnome_read_home_config',`
gen_require(`
type config_home_t;
')

18
policy/modules/kernel/files.if
View File

@ -5286,6 +5286,24 @@ interface(`files_manage_mounttab',`
manage_files_pattern($1, var_lib_t, var_lib_t)
')
########################################
## <summary>
## List generic lock directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_list_locks',`
gen_require(`
type var_t, var_lock_t;
')
list_dirs_pattern($1, var_t, var_lock_t)
')
########################################
## <summary>
## Search the locks directory (/var/lock).

10
policy/modules/services/abrt.if
View File

@ -326,18 +326,18 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
files_list_etc($1)
admin_pattern($1, abrt_etc_t)
logging_search_logs($1)
logging_list_logs($1)
admin_pattern($1, abrt_var_log_t)
files_search_var($1)
files_list_var($1)
admin_pattern($1, abrt_var_cache_t)
files_search_pids($1)
files_list_pids($1)
admin_pattern($1, abrt_var_run_t)
files_search_tmp($1)
files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
')

30
policy/modules/services/abrt.te
View File

@ -6,10 +6,10 @@ policy_module(abrt, 1.1.1)
#
## <desc>
## <p>
## Allow ABRT to modify public files
## used for public file transfer services.
## </p>
## <p>
## Allow ABRT to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(abrt_anon_write, false)
@ -154,7 +154,7 @@ userdom_dontaudit_read_user_home_content_files(abrt_t)
userdom_dontaudit_read_admin_home_files(abrt_t)
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
miscfiles_manage_public_files(abrt_t)
')
optional_policy(`
@ -175,7 +175,7 @@ optional_policy(`
')
optional_policy(`
policykit_dbus_chat(abrt_t)
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
@ -214,7 +214,7 @@ optional_policy(`
########################################
#
# abrt--helper local policy
# abrt-helper local policy
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@ -248,27 +248,27 @@ miscfiles_read_localization(abrt_helper_t)
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
optional_policy(`
rpm_dontaudit_leaks(abrt_helper_t)
')
dev_dontaudit_read_all_blk_files(abrt_helper_t)
dev_dontaudit_read_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
optional_policy(`
rpm_dontaudit_leaks(abrt_helper_t)
')
')
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
gen_require(`
attribute domain;
attribute domain;
')
allow abrt_t self:capability sys_resource;
allow abrt_t self:capability sys_resource;
allow abrt_t domain:file write;
allow abrt_t domain:process setrlimit;
')

4
policy/modules/services/accountsd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run accountsd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`accountsd_domtrans',`

8
policy/modules/services/afs.te
View File

@ -82,10 +82,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
ifdef(`hide_broken_symptoms', `
kernel_rw_unlabeled_files(afs_t)
')
corenet_all_recvfrom_unlabeled(afs_t)
corenet_all_recvfrom_netlabel(afs_t)
corenet_tcp_sendrecv_generic_if(afs_t)
@ -111,6 +107,10 @@ miscfiles_read_localization(afs_t)
sysnet_dns_name_resolve(afs_t)
ifdef(`hide_broken_symptoms',`
kernel_rw_unlabeled_files(afs_t)
')
########################################
#
# AFS bossserver local policy

10
policy/modules/services/aiccu.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run aiccu.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`aiccu_domtrans',`
@ -19,7 +19,6 @@ interface(`aiccu_domtrans',`
corecmd_search_bin($1)
')
########################################
## <summary>
## Execute aiccu server in the aiccu domain.
@ -78,7 +77,6 @@ interface(`aiccu_manage_var_run',`
files_search_pids($1)
')
########################################
## <summary>
## All of the rules required to administrate
@ -111,8 +109,8 @@ interface(`aiccu_admin',`
allow $2 system_r;
admin_pattern($1, aiccu_etc_t)
files_search_etc($1)
files_list_etc($1)
admin_pattern($1, aiccu_var_run_t)
files_search_pids($1)
files_list_pids($1)
')

4
policy/modules/services/aiccu.te
View File

@ -35,8 +35,8 @@ allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
allow aiccu_t aiccu_etc_t:file read_file_perms;
manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
kernel_read_system_state(aiccu_t)

1
policy/modules/services/aide.if
View File

@ -33,6 +33,7 @@ interface(`aide_domtrans',`
## The role to allow the AIDE domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`aide_run',`
gen_require(`

4
policy/modules/services/aisexec.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run aisexec.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`aisexec_domtrans',`

12
policy/modules/services/ajaxterm.if
View File

@ -1,4 +1,3 @@
## <summary>policy for ajaxterm</summary>
########################################
@ -6,9 +5,9 @@
## Execute a domain transition to run ajaxterm.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`ajaxterm_domtrans',`
@ -19,14 +18,13 @@ interface(`ajaxterm_domtrans',`
domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
')
########################################
## <summary>
## Execute ajaxterm server in the ajaxterm domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed to transition.
## </summary>
## </param>
#
@ -57,8 +55,7 @@ interface(`ajaxterm_initrc_domtrans',`
#
interface(`ajaxterm_admin',`
gen_require(`
type ajaxterm_t;
type ajaxterm_initrc_exec_t;
type ajaxterm_t, ajaxterm_initrc_exec_t;
')
allow $1 ajaxterm_t:process { ptrace signal_perms };
@ -68,5 +65,4 @@ interface(`ajaxterm_admin',`
domain_system_change_exemption($1)
role_transition $2 ajaxterm_initrc_exec_t system_r;
allow $2 system_r;
')

4
policy/modules/services/ajaxterm.te
View File

@ -1,4 +1,4 @@
policy_module(ajaxterm,1.0.0)
policy_module(ajaxterm, 1.0.0)
########################################
#
@ -30,7 +30,7 @@ allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)

2
policy/modules/services/amavis.if
View File

@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
type amavis_var_run_t;
')
allow $1 amavis_var_run_t:file setattr;
allow $1 amavis_var_run_t:file setattr_file_perms;
files_search_pids($1)
')

4
policy/modules/services/amavis.te
View File

@ -76,7 +76,7 @@ files_search_spool(amavis_t)
# tmp files
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
allow amavis_t amavis_tmp_t:dir setattr;
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
# var/lib files for amavis
@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib(amavis_t)
# log files
allow amavis_t amavis_var_log_t:dir setattr;
allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })

136
policy/modules/services/apache.if
View File

@ -13,8 +13,7 @@
#
template(`apache_content_template',`
gen_require(`
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
type httpd_sys_content_t;
')
@ -50,8 +49,6 @@ template(`apache_content_template',`
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
@ -132,6 +129,8 @@ template(`apache_content_template',`
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
@ -152,6 +151,8 @@ template(`apache_content_template',`
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
@ -180,8 +181,6 @@ template(`apache_content_template',`
optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
')
########################################
@ -202,16 +201,15 @@ template(`apache_content_template',`
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
type httpd_user_content_t, httpd_user_htaccess_t;
type httpd_user_script_t, httpd_user_script_exec_t;
type httpd_user_ra_content_t, httpd_user_rw_content_t;
type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
')
role $1 types httpd_user_script_t;
allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
@ -314,21 +312,21 @@ interface(`apache_domtrans',`
######################################
## <summary>
## Allow the specified domain to execute apache
## in the caller domain.
## Allow the specified domain to execute apache
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_exec',`
gen_require(`
type httpd_exec_t;
')
gen_require(`
type httpd_exec_t;
')
can_exec($1, httpd_exec_t)
can_exec($1, httpd_exec_t)
')
#######################################
@ -501,7 +499,7 @@ interface(`apache_setattr_cache_dirs',`
type httpd_cache_t;
')
allow $1 httpd_cache_t:dir setattr;
allow $1 httpd_cache_t:dir setattr_dir_perms;
')
########################################
@ -732,7 +730,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
dontaudit $1 httpd_log_t:file { getattr append };
dontaudit $1 httpd_log_t:file append_file_perms;
')
########################################
@ -895,7 +893,6 @@ interface(`apache_manage_sys_content',`
')
files_search_var($1)
apache_search_sys_content($1)
manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@ -903,45 +900,45 @@ interface(`apache_manage_sys_content',`
######################################
## <summary>
## Allow the specified domain to read
## apache system content rw files.
## Allow the specified domain to read
## apache system content rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_read_sys_content_rw_files',`
gen_require(`
gen_require(`
type httpd_sys_rw_content_t;
')
read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
######################################
## <summary>
## Allow the specified domain to manage
## apache system content rw files.
## Allow the specified domain to manage
## apache system content rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_manage_sys_content_rw',`
gen_require(`
gen_require(`
type httpd_sys_rw_content_t;
')
files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
########################################
@ -985,8 +982,7 @@ interface(`apache_delete_sys_content_rw',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
type httpd_sys_content_t;
type httpd_sys_script_t, httpd_sys_content_t;
')
tunable_policy(`httpd_enable_cgi',`
@ -1049,9 +1045,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
## Role allowed access..
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apache_run_all_scripts',`
gen_require(`
@ -1221,21 +1218,21 @@ interface(`apache_read_tmp_files',`
######################################
## <summary>
## Dontaudit attempts to read and write
## apache tmp files.
## Dontaudit attempts to read and write
## apache tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apache_dontaudit_rw_tmp_files',`
gen_require(`
type httpd_tmp_t;
')
gen_require(`
type httpd_tmp_t;
')
dontaudit $1 httpd_tmp_t:file { read write };
dontaudit $1 httpd_tmp_t:file { read write };
')
########################################
@ -1317,17 +1314,14 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
attribute httpdcontent;
attribute httpd_script_exec_type;
attribute httpdcontent, httpd_script_exec_type;
type httpd_t, httpd_config_t, httpd_log_t;
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_modules_t, httpd_lock_t, httpd_bool_t;
type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
type httpd_initrc_exec_t, httpd_bool_t;
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
allow $1 httpd_t:process { ptrace signal_perms };
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
@ -1338,10 +1332,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
files_search_etc($1)
files_list_etc($1)
admin_pattern($1, httpd_config_t)
logging_search_logs($1)
logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@ -1352,26 +1346,22 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
ps_process_pattern($1, httpd_t)
read_lnk_files_pattern($1, httpd_t, httpd_t)
admin_pattern($1, httpdcontent)
admin_pattern($1, httpd_script_exec_type)
seutil_domtrans_setfiles($1)
files_list_tmp($1)
admin_pattern($1, httpd_tmp_t)
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
ifdef(`TODO',`
apache_set_booleans($1, $2, $3, httpd_bool_t )
seutil_setsebool_role_template($1, $3, $2)
allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
')
ifdef(`TODO',`
apache_set_booleans($1, $2, $3, httpd_bool_t)
seutil_setsebool_role_template($1, $3, $2)
allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
')
')
########################################
@ -1380,7 +1370,7 @@ ifdef(`TODO',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain to not audit.
## </summary>
## </param>
#
@ -1390,7 +1380,7 @@ interface(`apache_dontaudit_leaks',`
')
dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 httpd_t:tcp_socket { read write };
dontaudit $1 httpd_t:tcp_socket { read write };
dontaudit $1 httpd_t:unix_dgram_socket { read write };
dontaudit $1 httpd_t:unix_stream_socket { read write };
')

316
policy/modules/services/apache.te
View File

@ -21,182 +21,189 @@ policy_module(apache, 2.2.0)
selinux_genbool(httpd_bool_t)
## <desc>
## <p>
## Allow Apache to modify public files
## used for public file transfer services. Directories/Files must
## be labeled public_content_rw_t.
## </p>
## <p>
## Allow Apache to modify public files
## used for public file transfer services. Directories/Files must
## be labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_httpd_anon_write, false)
## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam, false)
## <desc>
## <p>
## Allow httpd scripts and modules execmem/execstack
## </p>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
## <desc>
## <p>
## Allow httpd scripts and modules execmem/execstack
## </p>
## </desc>
gen_tunable(httpd_execmem, false)
## <desc>
## <p>
## Allow httpd daemon to change system limits
## </p>
## <p>
## Allow httpd daemon to change system limits
## </p>
## </desc>
gen_tunable(httpd_setrlimit, false)
## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## </desc>
gen_tunable(httpd_builtin_scripting, false)
## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to the network using any TCP port.
## </p>
## <p>
## Allow HTTPD scripts and modules to connect to the network using any TCP port.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect, false)
## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to cobbler over the network.
## </p>
## <p>
## Allow HTTPD scripts and modules to connect to cobbler over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_cobbler, false)
## <desc>
## <p>
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## <p>
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)
## <desc>
## <p>
## Allow httpd to connect to memcache server
## </p>
## <p>
## Allow httpd to connect to memcache server
## </p>
## </desc>
gen_tunable(httpd_can_network_memcache, false)
## <desc>
## <p>
## Allow httpd to act as a relay
## </p>
## <p>
## Allow httpd to act as a relay
## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
## <desc>
## <p>
## Allow http daemon to send mail
## </p>
## <p>
## Allow http daemon to send mail
## </p>
## </desc>
gen_tunable(httpd_can_sendmail, false)
## <desc>
## <p>
## Allow http daemon to check spam
## </p>
## <p>
## Allow http daemon to check spam
## </p>
## </desc>
gen_tunable(httpd_can_check_spam, false)
## <desc>
## <p>
## Allow Apache to communicate with avahi service via dbus
## </p>
## <p>
## Allow Apache to communicate with avahi service via dbus
## </p>
## </desc>
gen_tunable(httpd_dbus_avahi, false)
## <desc>
## <p>
## Allow httpd to execute cgi scripts
## </p>
## <p>
## Allow httpd to execute cgi scripts
## </p>
## </desc>
gen_tunable(httpd_enable_cgi, false)
## <desc>
## <p>
## Allow httpd to act as a FTP server by
## listening on the ftp port.
## </p>
## <p>
## Allow httpd to act as a FTP server by
## listening on the ftp port.
## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server, false)
## <desc>
## <p>
## Allow httpd to read home directories
## </p>
## <p>
## Allow httpd to read home directories
## </p>
## </desc>
gen_tunable(httpd_enable_homedirs, false)
## <desc>
## <p>
## Allow httpd to read user content
## </p>
## <p>
## Allow httpd to read user content
## </p>
## </desc>
gen_tunable(httpd_read_user_content, false)
## <desc>
## <p>
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## <p>
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
gen_tunable(httpd_ssi_exec, false)
## <desc>
## <p>
## Allow Apache to execute tmp content.
## </p>
## <p>
## Allow Apache to execute tmp content.
## </p>
## </desc>
gen_tunable(httpd_tmp_exec, false)
## <desc>
## <p>
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
## </p>
## <p>
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
## </p>
## </desc>
gen_tunable(httpd_tty_comm, false)
## <desc>
## <p>
## Unify HTTPD handling of all content files.
## </p>
## <p>
## Unify HTTPD handling of all content files.
## </p>
## </desc>
gen_tunable(httpd_unified, false)
## <desc>
## <p>
## Allow httpd to access cifs file systems
## </p>
## <p>
## Allow httpd to access cifs file systems
## </p>
## </desc>
gen_tunable(httpd_use_cifs, false)
## <desc>
## <p>
## Allow httpd to run gpg in gpg-web domain
## </p>
## <p>
## Allow httpd to run gpg in gpg-web domain
## </p>
## </desc>
gen_tunable(httpd_use_gpg, false)
## <desc>
## <p>
## Allow httpd to access nfs file systems
## </p>
## <p>
## Allow httpd to access nfs file systems
## </p>
## </desc>
gen_tunable(httpd_use_nfs, false)
## <desc>
## <p>
## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
## </p>
## <p>
## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
## </p>
## </desc>
gen_tunable(allow_httpd_sys_script_anon_write, false)
@ -279,6 +286,13 @@ typeattribute httpd_sys_content_t httpdcontent; # customizable
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
# Removal of fastcgi, will cause problems without the following
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@ -320,6 +334,9 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
# Removal of fastcgi, will cause problems without the following
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
# File Type of squirrelmail attachments
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
@ -506,22 +523,21 @@ tunable_policy(`allow_httpd_mod_auth_pam',`
logging_send_audit_msgs(httpd_t)
')
## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
optional_policy(`
tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
samba_domtrans_winbind_helper(httpd_t)
')
')
')
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_mssql_port(httpd_t)
corenet_sendrecv_mssql_client_packets(httpd_t)
')
tunable_policy(`httpd_can_network_memcache',`
corenet_tcp_connect_memcache_port(httpd_t)
')
@ -541,6 +557,12 @@ tunable_policy(`httpd_can_network_relay',`
corenet_sendrecv_squid_client_packets(httpd_t)
')
tunable_policy(`httpd_execmem',`
allow httpd_t self:process { execmem execstack };
allow httpd_sys_script_t self:process { execmem execstack };
allow httpd_suexec_t self:process { execmem execstack };
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
@ -549,7 +571,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
tunable_policy(`allow_httpd_sys_script_anon_write',`
miscfiles_manage_public_files(httpd_sys_script_t)
')
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
@ -575,16 +597,12 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
tunable_policy(`httpd_enable_homedirs',`
userdom_read_user_home_content_files(httpd_t)
')
tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
can_exec(httpd_t, httpd_tmp_t)
can_exec(httpd_t, httpd_tmp_t)
')
tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
can_exec(httpd_sys_script_t, httpd_tmp_t)
can_exec(httpd_sys_script_t, httpd_tmp_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@ -723,21 +741,15 @@ optional_policy(`
')
optional_policy(`
passenger_domtrans(httpd_t)
passenger_manage_pid_content(httpd_t)
passenger_read_lib_files(httpd_t)
passenger_domtrans(httpd_t)
passenger_manage_pid_content(httpd_t)
passenger_read_lib_files(httpd_t)
')
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
')
tunable_policy(`httpd_execmem',`
allow httpd_t self:process { execmem execstack };
allow httpd_sys_script_t self:process { execmem execstack };
allow httpd_suexec_t self:process { execmem execstack };
')
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
@ -745,7 +757,6 @@ optional_policy(`
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
postgresql_tcp_connect(httpd_sys_script_t)
')
')
@ -830,28 +841,27 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_mysqld_port(httpd_t)
corenet_sendrecv_mysqld_client_packets(httpd_t)
corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
corenet_tcp_connect_mysqld_port(httpd_suexec_t)
corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
corenet_tcp_connect_mssql_port(httpd_t)
corenet_sendrecv_mssql_client_packets(httpd_t)
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
corenet_tcp_connect_mssql_port(httpd_suexec_t)
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
corenet_tcp_connect_mssql_port(httpd_php_t)
corenet_sendrecv_mssql_client_packets(httpd_php_t)
')
optional_policy(`
mysql_stream_connect(httpd_php_t)
mysql_rw_db_sockets(httpd_php_t)
mysql_read_config(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_php_t)
')
')
optional_policy(`
postgresql_stream_connect(httpd_php_t)
postgresql_unpriv_client(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_php_t)
')
')
########################################
@ -877,6 +887,10 @@ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
@ -917,11 +931,13 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_mssql_port(httpd_suexec_t)
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
')
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
@ -930,9 +946,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_enable_cgi',`
domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_suexec_t)
@ -961,6 +974,19 @@ optional_policy(`
mysql_stream_connect(httpd_suexec_t)
mysql_rw_db_sockets(httpd_suexec_t)
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_suexec_t)
')
')
optional_policy(`
postgresql_stream_connect(httpd_suexec_t)
postgresql_unpriv_client(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_suexec_t)
')
')
########################################
@ -1002,9 +1028,14 @@ tunable_policy(`httpd_can_sendmail',`
')
optional_policy(`
tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
spamassassin_domtrans_client(httpd_t)
')
tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
spamassassin_domtrans_client(httpd_t)
')
')
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
')
fs_cifs_entry_type(httpd_sys_script_t)
@ -1042,7 +1073,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
userdom_read_user_home_content_files(httpd_sys_script_t)
userdom_search_user_home_dirs(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@ -1050,6 +1081,10 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_sys_script_t)
')
tunable_policy(`httpd_use_cifs',`
fs_manage_cifs_dirs(httpd_sys_script_t)
fs_manage_cifs_files(httpd_sys_script_t)
@ -1073,10 +1108,19 @@ optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
mysql_read_config(httpd_sys_script_t)
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_sys_script_t)
')
')
optional_policy(`
postgresql_stream_connect(httpd_sys_script_t)
postgresql_unpriv_client(httpd_sys_script_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_sys_script_t)
')
')
########################################
@ -1136,19 +1180,7 @@ tunable_policy(`httpd_enable_homedirs',`
')
tunable_policy(`httpd_read_user_content',`
userdom_read_user_home_content_files(httpd_user_script_t)
userdom_read_user_home_content_files(httpd_suexec_t)
')
tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
userdom_read_user_home_content_files(httpd_t)
userdom_read_user_home_content_files(httpd_suexec_t)
userdom_read_user_home_content_files(httpd_user_script_t)
')
# Removal of fastcgi, will cause problems without the following
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;

18
policy/modules/services/apcupsd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run apcupsd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`apcupsd_domtrans',`
@ -83,9 +83,9 @@ interface(`apcupsd_read_log',`
## apcupsd log files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`apcupsd_append_log',`
@ -103,9 +103,9 @@ interface(`apcupsd_append_log',`
## Execute a domain transition to run httpd_apcupsd_cgi_script.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`apcupsd_cgi_script_domtrans',`
@ -140,10 +140,8 @@ interface(`apcupsd_cgi_script_domtrans',`
#
interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t;
type apcupsd_log_t, apcupsd_lock_t;
type apcupsd_var_run_t;
type apcupsd_initrc_exec_t;
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t;
')
allow $1 apcupsd_t:process { ptrace signal_perms };

7
policy/modules/services/apm.if
View File

@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
type apmd_t;
')
allow $1 apmd_t:fifo_file write;
allow $1 apmd_t:fifo_file write_fifo_file_perms;
')
########################################
@ -89,7 +89,7 @@ interface(`apm_append_log',`
')
logging_search_logs($1)
allow $1 apmd_log_t:file append;
allow $1 apmd_log_t:file append_file_perms;
')
########################################
@ -108,6 +108,5 @@ interface(`apm_stream_connect',`
')
files_search_pids($1)
allow $1 apmd_var_run_t:sock_file write;
allow $1 apmd_t:unix_stream_socket connectto;
stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')

1
policy/modules/services/apm.te
View File

@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
#
# Declarations
#
type apmd_t;
type apmd_exec_t;
init_daemon_domain(apmd_t, apmd_exec_t)

3
policy/modules/services/automount.if
View File

@ -29,7 +29,6 @@ interface(`automount_domtrans',`
## </summary>
## </param>
#
#
interface(`automount_signal',`
gen_require(`
type automount_t;
@ -124,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
type automount_tmp_t;
')
dontaudit $1 automount_tmp_t:dir getattr;
dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
')
########################################

3
policy/modules/services/avahi.if
View File

@ -151,8 +151,7 @@ interface(`avahi_dontaudit_search_pid',`
#
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t;
type avahi_initrc_exec_t;
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
')
allow $1 avahi_t:process { ptrace signal_perms };

2
policy/modules/services/avahi.te
View File

@ -40,7 +40,7 @@ files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
allow avahi_t avahi_var_run_t:dir setattr;
allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)

11
policy/modules/services/bind.if
View File

@ -186,7 +186,7 @@ interface(`bind_write_config',`
')
write_files_pattern($1, named_conf_t, named_conf_t)
allow $1 named_conf_t:file setattr;
allow $1 named_conf_t:file setattr_file_perms;
')
########################################
@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
type named_var_run_t;
')
allow $1 named_var_run_t:dir setattr;
allow $1 named_var_run_t:dir setattr_dir_perms;
')
########################################
@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
type named_zone_t;
')
allow $1 named_zone_t:dir setattr;
allow $1 named_zone_t:dir setattr_dir_perms;
')
########################################
@ -380,10 +380,9 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
type named_conf_t, named_var_run_t;
type named_cache_t, named_zone_t;
type named_conf_t, named_var_run_t, named_cache_t;
type named_zone_t, named_initrc_exec_t;
type dnssec_t, ndc_t, named_keytab_t;
type named_initrc_exec_t;
')
allow $1 named_t:process { ptrace signal_perms };

14
policy/modules/services/bind.te
View File

@ -6,10 +6,10 @@ policy_module(bind, 1.11.0)
#
## <desc>
## <p>
## Allow BIND to write the master zone files.
## Generally this is used for dynamic DNS or zone transfers.
## </p>
## <p>
## Allow BIND to write the master zone files.
## Generally this is used for dynamic DNS or zone transfers.
## </p>
## </desc>
gen_tunable(named_write_master_zones, false)
@ -202,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file read_file_perms;
allow ndc_t dnssec_t:lnk_file { getattr read };
allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
allow ndc_t named_conf_t:file read_file_perms;
allow ndc_t named_conf_t:lnk_file { getattr read };
allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@ -245,7 +245,7 @@ term_dontaudit_use_console(ndc_t)
# for /etc/rndc.key
ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;
allow ndc_t named_conf_t:dir search_dir_perms;
')
optional_policy(`

2
policy/modules/services/bitlbee.if
View File

@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
## <summary>
## Domain allowed accesss.
## Domain allowed accesss.
## </summary>
## </param>
#

2
policy/modules/services/bitlbee.te
View File

@ -26,7 +26,7 @@ files_type(bitlbee_var_t)
#
# Local policy
#
#
allow bitlbee_t self:capability { setgid setuid };
allow bitlbee_t self:udp_socket create_socket_perms;

14
policy/modules/services/bluetooth.if
View File

@ -14,6 +14,7 @@
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_role',`
gen_require(`
@ -27,7 +28,7 @@ interface(`bluetooth_role',`
# allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
allow $2 bluetooth_helper_t:process signal;
allow $2 bluetooth_helper_t:process { ptrace signal_perms };
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
type bluetooth_conf_t;
')
allow $1 bluetooth_conf_t:file { getattr read ioctl };
allow $1 bluetooth_conf_t:file read_file_perms;
')
########################################
@ -178,7 +179,7 @@ interface(`bluetooth_run_helper',`
########################################
## <summary>
## Read bluetooth helper state files.
## Do not audit attempts to read bluetooth helper state files.
## </summary>
## <param name="domain">
## <summary>
@ -191,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
type bluetooth_helper_t;
')
dontaudit $1 bluetooth_helper_t:dir search;
dontaudit $1 bluetooth_helper_t:file { read getattr };
dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
dontaudit $1 bluetooth_helper_t:file read_file_perms;
')
########################################
@ -215,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
type bluetooth_initrc_exec_t;
')
allow $1 bluetooth_t:process { ptrace signal_perms };

1
policy/modules/services/bluetooth.te
View File

@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
#
# Declarations
#
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t, bluetooth_exec_t)

37
policy/modules/services/boinc.if
View File

@ -1,4 +1,3 @@
## <summary>policy for boinc</summary>
########################################
@ -6,9 +5,9 @@
## Execute a domain transition to run boinc.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`boinc_domtrans',`
@ -21,20 +20,20 @@ interface(`boinc_domtrans',`
#######################################
## <summary>
## Execute boinc server in the boinc domain.
## Execute boinc server in the boinc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`boinc_initrc_domtrans',`
gen_require(`
type boinc_initrc_exec_t;
')
gen_require(`
type boinc_initrc_exec_t;
')
init_labeled_script_domtrans($1, boinc_initrc_exec_t)
init_labeled_script_domtrans($1, boinc_initrc_exec_t)
')
########################################
@ -72,7 +71,7 @@ interface(`boinc_read_lib_files',`
')
files_search_var_lib($1)
read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
')
########################################
@ -92,7 +91,7 @@ interface(`boinc_manage_lib_files',`
')
files_search_var_lib($1)
manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
')
########################################
@ -110,9 +109,10 @@ interface(`boinc_manage_var_lib',`
type boinc_var_lib_t;
')
manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
files_search_var_lib($1)
manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
')
########################################
@ -134,8 +134,7 @@ interface(`boinc_manage_var_lib',`
#
interface(`boinc_admin',`
gen_require(`
type boinc_t, boinc_initrc_exec_t;
type boinc_var_lib_t;
type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
')
allow $1 boinc_t:process { ptrace signal_perms };
@ -145,7 +144,7 @@ interface(`boinc_admin',`
domain_system_change_exemption($1)
role_transition $2 boinc_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, boinc_var_lib_t)
')

37
policy/modules/services/boinc.te
View File

@ -1,4 +1,4 @@
policy_module(boinc,1.0.0)
policy_module(boinc, 1.0.0)
########################################
#
@ -27,6 +27,9 @@ role system_r types boinc_project_t;
permissive boinc_project_t;
type boinc_project_tmp_t;
files_tmp_file(boinc_project_tmp_t)
type boinc_project_var_lib_t;
files_type(boinc_project_var_lib_t)
@ -49,15 +52,15 @@ manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
kernel_read_system_state(boinc_t)
@ -120,16 +123,20 @@ allow boinc_project_t self:process { execmem execstack };
allow boinc_project_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
allow boinc_project_t boinc_project_var_lib_t:file execmod;
allow boinc_project_t boinc_t:shm rw_shm_perms;
allow boinc_project_t boinc_tmpfs_t:file { read write };
allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
@ -144,10 +151,16 @@ corecmd_exec_shell(boinc_project_t)
corenet_tcp_connect_boinc_port(boinc_project_t)
dev_read_rand(boinc_project_t)
dev_read_urand(boinc_project_t)
dev_read_sysfs(boinc_project_t)
dev_rw_xserver_misc(boinc_project_t)
files_read_etc_files(boinc_project_t)
miscfiles_read_fonts(boinc_project_t)
miscfiles_read_localization(boinc_project_t)
optional_policy(`
java_exec(boinc_project_t)
')

11
policy/modules/services/bugzilla.if
View File

@ -57,10 +57,9 @@ interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
#
interface(`bugzilla_admin',`
gen_require(`
type httpd_bugzilla_script_t;
type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
type httpd_bugzilla_htaccess_t;
')
allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
@ -69,9 +68,9 @@ interface(`bugzilla_admin',`
files_list_tmp($1)
admin_pattern($1, httpd_bugzilla_tmp_t)
files_search_var_lib(httpd_bugzilla_script_t)
files_list_var_lib(httpd_bugzilla_script_t)
apache_search_sys_content($1)
apache_list_sys_content($1)
admin_pattern($1, httpd_bugzilla_script_exec_t)
admin_pattern($1, httpd_bugzilla_script_t)
admin_pattern($1, httpd_bugzilla_content_t)

1
policy/modules/services/bugzilla.te
View File

@ -53,4 +53,3 @@ optional_policy(`
optional_policy(`
postgresql_stream_connect(httpd_bugzilla_script_t)
')

12
policy/modules/services/cachefilesd.if
View File

@ -14,7 +14,6 @@
#
# Define the policy interface for the CacheFiles userspace management daemon.
#
## <summary>policy for cachefilesd</summary>
########################################
@ -22,9 +21,9 @@
## Execute a domain transition to run cachefilesd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`cachefilesd_domtrans',`
@ -32,10 +31,5 @@ interface(`cachefilesd_domtrans',`
type cachefilesd_t, cachefilesd_exec_t;
')
domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
allow $1 cachefilesd_t:fd use;
allow cachefilesd_t $1:fd use;
allow cachefilesd_t $1:fifo_file rw_file_perms;
allow cachefilesd_t $1:process sigchld;
domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')

53
policy/modules/services/cachefilesd.te
View File

@ -17,7 +17,7 @@
# cache, on behalf of the processes accessing the cache through a network
# filesystem such as NFS
#
policy_module(cachefilesd,1.0.17)
policy_module(cachefilesd, 1.0.17)
###############################################################################
#
@ -42,7 +42,6 @@ dev_node(cachefiles_dev_t)
#
type cachefilesd_t;
type cachefilesd_exec_t;
domain_type(cachefilesd_t)
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
#
@ -78,36 +77,33 @@ rpm_use_script_fds(cachefilesd_t)
# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
# rules.
#
allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
# Allow manipulation of pid file
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
files_create_as_is_all_files(cachefilesd_t)
# Allow access to cachefiles device file
allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
# Allow access to cache superstructure
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
# Basic access
files_read_etc_files(cachefilesd_t)
libs_use_ld_so(cachefilesd_t)
libs_use_shared_libs(cachefilesd_t)
miscfiles_read_localization(cachefilesd_t)
logging_send_syslog_msg(cachefilesd_t)
init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
# Allow manipulation of pid file
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_file(cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
files_create_as_is_all_files(cachefilesd_t)
# Allow access to cachefiles device file
allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
# Allow access to cache superstructure
allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
###############################################################################
#
# When cachefilesd invokes the kernel module to begin caching, it has to tell
@ -119,14 +115,14 @@ fs_getattr_xattr_fs(cachefilesd_t)
# (1) the security context used by the module to access files in the cache,
# as set by the 'secctx' command in /etc/cachefilesd.conf, and
#
allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
#
# (2) the label that will be assigned to new files and directories created in
# the cache by the module, which will be the same as the label on the
# directory pointed to by the 'dir' command.
#
allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
###############################################################################
#
@ -136,11 +132,12 @@ allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
# cache.
#
allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
allow cachefiles_kernel_t initrc_t:process sigchld;
manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
fs_getattr_xattr_fs(cachefiles_kernel_t)
dev_search_sysfs(cachefiles_kernel_t)
init_sigchld_script(cachefiles_kernel_t)

2
policy/modules/services/canna.te
View File

@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(canna_t, canna_log_t, canna_log_t)
allow canna_t canna_log_t:dir setattr;
allow canna_t canna_log_t:dir setattr_dir_perms;
logging_log_filetrans(canna_t, canna_log_t, { file dir })
manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)

4
policy/modules/services/ccs.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run ccs.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ccs_domtrans',`

4
policy/modules/services/ccs.te
View File

@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
allow ccs_t ccs_var_log_t:dir setattr;
allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')

13
policy/modules/services/certmaster.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run certmaster.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`certmaster_domtrans',`
@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the syslog domain.
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
interface(`certmaster_admin',`
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
type certmaster_etc_rw_t, certmaster_var_log_t;
type certmaster_initrc_exec_t;
type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
allow $1 certmaster_t:process { ptrace signal_perms };
@ -129,8 +128,8 @@ interface(`certmaster_admin',`
allow $2 system_r;
files_list_etc($1)
miscfiles_manage_generic_cert_dirs($1)
miscfiles_manage_generic_cert_files($1)
miscfiles_manage_generic_cert_dirs($1)
miscfiles_manage_generic_cert_files($1)
admin_pattern($1, certmaster_etc_rw_t)

4
policy/modules/services/certmaster.te
View File

@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
# pid file
manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
# read meminfo
kernel_read_system_state(certmaster_t)

8
policy/modules/services/certmonger.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run certmonger.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`certmonger_domtrans',`
@ -166,9 +166,9 @@ interface(`certmonger_admin',`
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
files_list_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
files_search_pids($1)
files_list_pids($1)
admin_pattern($1, certmonger_var_run_t)
')

2
policy/modules/services/certmonger.te
View File

@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)

16
policy/modules/services/cgroup.if
View File

@ -6,9 +6,9 @@
## CG Clear.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`cgroup_domtrans_cgclear',`
@ -26,9 +26,9 @@ interface(`cgroup_domtrans_cgclear',`
## CG config parser.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`cgroup_domtrans_cgconfig',`
@ -65,9 +65,9 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
## CG rules engine daemon.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`cgroup_domtrans_cgred',`
@ -182,10 +182,10 @@ interface(`cgroup_admin',`
admin_pattern($1, cgconfig_etc_t)
admin_pattern($1, cgrules_etc_t)
files_search_etc($1)
files_list_etc($1)
admin_pattern($1, cgred_var_run_t)
files_search_pids($1)
files_list_pids($1)
cgroup_initrc_domtrans_cgconfig($1)
domain_system_change_exemption($1)

17
policy/modules/services/chronyd.if
View File

@ -25,7 +25,7 @@ interface(`chronyd_domtrans',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain allowed to transition.
## </summary>
## </param>
#
@ -151,10 +151,9 @@ interface(`chronyd_append_keys',`
#
interface(`chronyd_admin',`
gen_require(`
type chronyd_t, chronyd_var_log_t;
type chronyd_var_run_t, chronyd_var_lib_t;
type chronyd_tmpfs_t;
type chronyd_initrc_exec_t, chronyd_keys_t;
type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
type chronyd_keys_t;
')
allow $1 chronyd_t:process { ptrace signal_perms };
@ -165,16 +164,16 @@ interface(`chronyd_admin',`
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
files_list_etc($1)
admin_pattern($1, chronyd_keys_t)
logging_search_logs($1)
logging_list_logs($1)
admin_pattern($1, chronyd_var_log_t)
files_search_var_lib($1)
files_list_var_lib($1)
admin_pattern($1, chronyd_var_lib_t)
files_search_pids($1)
files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
admin_pattern($1, chronyd_tmpfs_t)

6
policy/modules/services/clamav.if
View File

@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
type clamd_t, clamd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
')
@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
type clamd_var_log_t, clamd_var_lib_t;
type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
type clamd_initrc_exec_t;
type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
')

20
policy/modules/services/clamav.te
View File

@ -1,9 +1,9 @@
policy_module(clamav, 1.8.1)
## <desc>
## <p>
## Allow clamd to use JIT compiler
## </p>
## <p>
## Allow clamd to use JIT compiler
## </p>
## </desc>
gen_tunable(clamd_use_jit, false)
@ -150,7 +150,7 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
allow clamscan_t self:process execmem;
', `
',`
dontaudit clamd_t self:process execmem;
dontaudit clamscan_t self:process execmem;
')
@ -182,7 +182,7 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr;
allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
@ -220,16 +220,16 @@ clamav_stream_connect(freshclam_t)
userdom_stream_connect(freshclam_t)
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
', `
',`
dontaudit freshclam_t self:process execmem;
')
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
########################################
#
# clamscam local policy

4
policy/modules/services/clogd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run clogd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`clogd_domtrans',`

3
policy/modules/services/clogd.te
View File

@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
allow clogd_t self:capability { net_admin mknod };
allow clogd_t self:process signal;
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
allow clogd_t self:netlink_socket create_socket_perms;
@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
# pid files
manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
files_pid_filetrans(clogd_t, clogd_var_run_t, file)
dev_read_lvm_control(clogd_t)
dev_manage_generic_blk_files(clogd_t)

33
policy/modules/services/cmirrord.if
View File

@ -1,4 +1,3 @@
## <summary>policy for cmirrord</summary>
########################################
@ -6,9 +5,9 @@
## Execute a domain transition to run cmirrord.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`cmirrord_domtrans',`
@ -58,26 +57,25 @@ interface(`cmirrord_read_pid_files',`
#######################################
## <summary>
## Read and write to cmirrord shared memory.
## Read and write to cmirrord shared memory.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`cmirrord_rw_shm',`
gen_require(`
type cmirrord_t;
type cmirrord_tmpfs_t;
')
gen_require(`
type cmirrord_t, cmirrord_tmpfs_t;
')
allow $1 cmirrord_t:shm { rw_shm_perms destroy };
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
allow $1 cmirrord_t:shm { rw_shm_perms destroy };
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
fs_search_tmpfs($1)
fs_search_tmpfs($1)
')
########################################
@ -99,9 +97,7 @@ interface(`cmirrord_rw_shm',`
#
interface(`cmirrord_admin',`
gen_require(`
type cmirrord_t;
type cmirrord_initrc_exec_t;
type cmirrord_var_run_t;
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
')
allow $1 cmirrord_t:process { ptrace signal_perms };
@ -112,7 +108,6 @@ interface(`cmirrord_admin',`
role_transition $2 cmirrord_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
files_list_pids($1)
admin_pattern($1, cmirrord_var_run_t)
')

8
policy/modules/services/cmirrord.te
View File

@ -1,4 +1,4 @@
policy_module(cmirrord,1.0.0)
policy_module(cmirrord, 1.0.0)
########################################
#
@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t)
allow cmirrord_t self:capability { net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process signal;
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
allow cmirrord_t self:sem create_sem_perms;
allow cmirrord_t self:shm create_shm_perms;
allow cmirrord_t self:netlink_socket create_socket_perms;
@ -40,7 +38,7 @@ fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
@ -51,5 +49,5 @@ logging_send_syslog_msg(cmirrord_t)
miscfiles_read_localization(cmirrord_t)
optional_policy(`
corosync_stream_connect(cmirrord_t)
corosync_stream_connect(cmirrord_t)
')

30
policy/modules/services/cobbler.if
View File

@ -1,12 +1,12 @@
## <summary>Cobbler installation server.</summary>
## <desc>
## <p>
## Cobbler is a Linux installation server that allows for
## rapid setup of network installation environments. It
## glues together and automates many associated Linux
## tasks so you do not have to hop between lots of various
## commands and applications when rolling out new systems,
## and, in some cases, changing existing ones.
## Cobbler is a Linux installation server that allows for
## rapid setup of network installation environments. It
## glues together and automates many associated Linux
## tasks so you do not have to hop between lots of various
## commands and applications when rolling out new systems,
## and, in some cases, changing existing ones.
## </p>
## </desc>
@ -15,9 +15,9 @@
## Execute a domain transition to run cobblerd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`cobblerd_domtrans',`
@ -153,7 +153,7 @@ interface(`cobbler_manage_lib_files',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain to not audit.
## </summary>
## </param>
#
@ -185,25 +185,23 @@ interface(`cobbler_dontaudit_rw_log',`
interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
type cobbler_etc_t, cobblerd_initrc_exec_t;
type httpd_cobbler_content_t;
type httpd_cobbler_content_ra_t;
type httpd_cobbler_content_rw_t;
type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms };
ps_process_pattern($1, cobblerd_t)
files_search_etc($1)
files_list_etc($1)
admin_pattern($1, cobbler_etc_t)
files_list_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
logging_search_logs($1)
logging_list_logs($1)
admin_pattern($1, cobbler_var_log_t)
apache_search_sys_content($1)
apache_list_sys_content($1)
admin_pattern($1, httpd_cobbler_content_t)
admin_pattern($1, httpd_cobbler_content_ra_t)
admin_pattern($1, httpd_cobbler_content_rw_t)

30
policy/modules/services/cobbler.te
View File

@ -6,32 +6,32 @@ policy_module(cobbler, 1.1.0)
#
## <desc>
## <p>
## Allow Cobbler to modify public files
## used for public file transfer services.
## </p>
## <p>
## Allow Cobbler to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(cobbler_anon_write, false)
## <desc>
## <p>
## Allow Cobbler to connect to the
## network using TCP.
## </p>
## <p>
## Allow Cobbler to connect to the
## network using TCP.
## </p>
## </desc>
gen_tunable(cobbler_can_network_connect, false)
## <desc>
## <p>
## Allow Cobbler to access cifs file systems.
## </p>
## <p>
## Allow Cobbler to access cifs file systems.
## </p>
## </desc>
gen_tunable(cobbler_use_cifs, false)
## <desc>
## <p>
## Allow Cobbler to access nfs file systems.
## </p>
## <p>
## Allow Cobbler to access nfs file systems.
## </p>
## </desc>
gen_tunable(cobbler_use_nfs, false)

4
policy/modules/services/consolekit.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run consolekit.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`consolekit_domtrans',`

2
policy/modules/services/consolekit.te
View File

@ -113,7 +113,7 @@ optional_policy(`
')
optional_policy(`
policykit_dbus_chat(consolekit_t)
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)

18
policy/modules/services/corosync.if
View File

@ -20,21 +20,21 @@ interface(`corosync_domtrans',`
######################################
## <summary>
## Execute corosync in the caller domain.
## Execute corosync in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corosync_exec',`
gen_require(`
type corosync_exec_t;
')
gen_require(`
type corosync_exec_t;
')
corecmd_search_bin($1)
can_exec($1, corosync_exec_t)
corecmd_search_bin($1)
can_exec($1, corosync_exec_t)
')
#######################################

4
policy/modules/services/corosync.te
View File

@ -92,10 +92,6 @@ userdom_delete_user_tmpfs_files(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
gen_require(`
attribute unconfined_services;
')
fs_manage_tmpfs_files(corosync_t)
init_manage_script_status_files(corosync_t)
')

4
policy/modules/services/courier.if
View File

@ -138,6 +138,7 @@ interface(`courier_read_config',`
type courier_etc_t;
')
files_search_etc($1)
read_files_pattern($1, courier_etc_t, courier_etc_t)
')
@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
@ -194,6 +197,7 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
files_search_spool($1)
read_files_pattern($1, courier_spool_t, courier_spool_t)
')

2
policy/modules/services/courier.te
View File

@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
# inherits file handle - should it?
allow courier_pop_t courier_var_lib_t:file { read write };
allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
miscfiles_read_localization(courier_pop_t)

35
policy/modules/services/cron.if
View File

@ -52,7 +52,7 @@ template(`cron_common_crontab_template',`
files_list_spool($1_t)
# crontab signals crond by updating the mtime on the spooldir
allow $1_t cron_spool_t:dir setattr;
allow $1_t cron_spool_t:dir setattr_dir_perms;
kernel_read_system_state($1_t)
@ -113,12 +113,12 @@ template(`cron_common_crontab_template',`
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
type user_cron_spool_t;
type crond_t;
type user_cron_spool_t, crond_t;
')
role $1 types { cronjob_t crontab_t };
@ -138,7 +138,7 @@ interface(`cron_role',`
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
allow $2 crontab_t:process signal;
allow $2 crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
@ -152,9 +152,8 @@ interface(`cron_role',`
')
dbus_stub(cronjob_t)
allow cronjob_t $2:dbus send_msg;
')
')
')
########################################
@ -171,6 +170,7 @@ interface(`cron_role',`
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
interface(`cron_unconfined_role',`
gen_require(`
@ -181,6 +181,7 @@ interface(`cron_unconfined_role',`
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
optional_policy(`
gen_require(`
@ -188,9 +189,8 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
allow unconfined_cronjob_t $2:dbus send_msg;
')
')
')
########################################
@ -207,6 +207,7 @@ interface(`cron_unconfined_role',`
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
interface(`cron_admin_role',`
gen_require(`
@ -227,7 +228,7 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
allow $2 admin_crontab_t:process signal;
allow $2 admin_crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
@ -241,9 +242,8 @@ interface(`cron_admin_role',`
')
dbus_stub(admin_cronjob_t)
allow cronjob_t $2:dbus send_msg;
')
')
')
########################################
@ -311,7 +311,7 @@ interface(`cron_exec',`
########################################
## <summary>
## Execute crond server in the nscd domain.
## Execute crond server in the crond domain.
## </summary>
## <param name="domain">
## <summary>
@ -524,6 +524,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
@ -579,7 +580,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
allow $1 system_cronjob_t:file write;
allow $1 system_cronjob_t:fifo_file write;
')
########################################
@ -695,8 +696,8 @@ interface(`cron_read_system_job_lib_files',`
type system_cronjob_var_lib_t;
')
read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
files_search_var_lib($1)
read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
########################################
@ -714,6 +715,6 @@ interface(`cron_manage_system_job_lib_files',`
type system_cronjob_var_lib_t;
')
manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
files_search_var_lib($1)
manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')

48
policy/modules/services/cron.te
View File

@ -10,18 +10,18 @@ gen_require(`
#
## <desc>
## <p>
## Allow system cron jobs to relabel filesystem
## for restoring file contexts.
## </p>
## <p>
## Allow system cron jobs to relabel filesystem
## for restoring file contexts.
## </p>
## </desc>
gen_tunable(cron_can_relabel, false)
## <desc>
## <p>
## Enable extra rules in the cron domain
## to support fcron.
## </p>
## <p>
## Enable extra rules in the cron domain
## to support fcron.
## </p>
## </desc>
gen_tunable(fcron_crond, false)
@ -99,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
domain_cron_exemption_target(unconfined_cronjob_t)
@ -122,13 +118,17 @@ typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
type system_cronjob_var_run_t;
files_pid_file(system_cronjob_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
########################################
#
# Admin crontab local policy
#
# Allow our crontab domain to unlink a user cron spool file.
allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
@ -138,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond', `
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
@ -251,7 +251,7 @@ ifdef(`distro_debian',`
')
')
ifdef(`distro_redhat', `
ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
@ -263,13 +263,17 @@ tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(crond_t)
')
tunable_policy(`fcron_crond',`
allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
apache_search_sys_content(crond_t)
')
optional_policy(`
djbdns_search_tinydns_keys(crond_t)
djbdns_link_tinydns_keys(crond_t)
djbdns_search_tinydns_keys(crond_t)
djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
@ -287,10 +291,6 @@ optional_policy(`
mono_domtrans(crond_t)
')
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
amanda_search_var_lib(crond_t)
')
@ -351,7 +351,7 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
@ -472,7 +472,7 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
ifdef(`distro_redhat', `
ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
allow crond_t system_cron_spool_t:file manage_file_perms;
@ -687,7 +687,7 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
tunable_policy(`fcron_crond', `
tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
')

10
policy/modules/services/cups.if
View File

@ -316,12 +316,10 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t;
type ptal_var_run_t, hplip_var_run_t;
type cupsd_initrc_exec_t;
type hplip_etc_t;
type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
type ptal_var_run_t;
')
allow $1 cupsd_t:process { ptrace signal_perms };

14
policy/modules/services/cups.te
View File

@ -149,7 +149,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:dir setattr;
allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t : sock_file setattr;
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
@ -609,10 +609,6 @@ userdom_dontaudit_search_admin_dir(cups_pdf_t)
lpd_manage_spool(cups_pdf_t)
optional_policy(`
gnome_read_config(cups_pdf_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
fs_manage_nfs_dirs(cups_pdf_t)
@ -624,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
optional_policy(`
gnome_read_config(cups_pdf_t)
')
########################################
#
# HPLIP local policy
@ -657,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)

3
policy/modules/services/cvs.if
View File

@ -58,9 +58,8 @@ interface(`cvs_exec',`
#
interface(`cvs_admin',`
gen_require(`
type cvs_t, cvs_tmp_t;
type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
type cvs_data_t, cvs_var_run_t;
type cvs_initrc_exec_t;
')
allow $1 cvs_t:process { ptrace signal_perms };

8
policy/modules/services/cvs.te
View File

@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0)
#
## <desc>
## <p>
## Allow cvs daemon to read shadow
## </p>
## <p>
## Allow cvs daemon to read shadow
## </p>
## </desc>
gen_tunable(allow_cvs_read_shadow, false)
@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
# Local policy
#
allow cvs_t self:capability { setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cvs_t self:capability { setuid setgid };
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)

4
policy/modules/services/cyphesis.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run cyphesis.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`cyphesis_domtrans',`

17
policy/modules/services/dbus.if
View File

@ -41,9 +41,7 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
attribute dbusd_unconfined;
attribute session_bus_type;
attribute dbusd_unconfined, session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
type $1_t;
')
@ -90,14 +88,15 @@ template(`dbus_role_template',`
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
allow $3 $1_dbusd_t:process { signull sigkill signal };
ps_process_pattern($3, $1_dbusd_t)
allow $3 $1_dbusd_t:process { ptrace signal_perms };
# cjp: this seems very broken
corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
allow $3 $1_dbusd_t:process sigchld;
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
@ -118,7 +117,7 @@ template(`dbus_role_template',`
dev_read_urand($1_dbusd_t)
domain_use_interactive_fds($1_dbusd_t)
domain_use_interactive_fds($1_dbusd_t)
domain_read_all_domains_state($1_dbusd_t)
files_read_etc_files($1_dbusd_t)
@ -156,7 +155,7 @@ template(`dbus_role_template',`
userdom_manage_user_home_content_files($1_dbusd_t)
userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
@ -463,7 +462,7 @@ interface(`dbus_system_domain',`
unconfined_dbus_send($1)
')
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
@ -520,6 +519,6 @@ interface(`dbus_delete_pid_files',`
type system_dbusd_var_run_t;
')
files_search_pids($1)
delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
')

2
policy/modules/services/dbus.te
View File

@ -152,7 +152,7 @@ optional_policy(`
')
optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')

2
policy/modules/services/dcc.if
View File

@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
type dcc_var_t, dccifd_var_run_t, dccifd_t;
')
files_search_var($1)
files_search_pids($1)
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')

4
policy/modules/services/ddclient.if
View File

@ -64,8 +64,8 @@ interface(`ddclient_run',`
interface(`ddclient_admin',`
gen_require(`
type ddclient_t, ddclient_etc_t, ddclient_log_t;
type ddclient_var_t, ddclient_var_lib_t;
type ddclient_var_run_t, ddclient_initrc_exec_t;
type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
type ddclient_var_run_t;
')
allow $1 ddclient_t:process { ptrace signal_perms };

17
policy/modules/services/denyhosts.if
View File

@ -13,12 +13,12 @@
## Execute a domain transition to run denyhosts.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`denyhosts_domtrans', `
interface(`denyhosts_domtrans',`
gen_require(`
type denyhosts_t, denyhosts_exec_t;
')
@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', `
## </summary>
## </param>
#
interface(`denyhosts_initrc_domtrans', `
interface(`denyhosts_initrc_domtrans',`
gen_require(`
type denyhosts_initrc_exec_t;
')
@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', `
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`denyhosts_admin', `
interface(`denyhosts_admin',`
gen_require(`
type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
role_transition $2 denyhosts_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
files_list_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
logging_search_logs($1)
logging_list_logs($1)
admin_pattern($1, denyhosts_var_log_t)
files_search_locks($1)
files_list_locks($1)
admin_pattern($1, denyhosts_var_lock_t)
')

2
policy/modules/services/denyhosts.te
View File

@ -77,5 +77,5 @@ optional_policy(`
')
optional_policy(`
gnome_dontaudit_search_config(denyhosts_t)
gnome_dontaudit_search_config(denyhosts_t)
')

20
policy/modules/services/devicekit.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run devicekit.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`devicekit_domtrans',`
@ -147,16 +147,6 @@ interface(`devicekit_read_pid_files',`
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the devicekit domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`devicekit_admin',`
@ -175,11 +165,11 @@ interface(`devicekit_admin',`
ps_process_pattern($1, devicekit_power_t)
admin_pattern($1, devicekit_tmp_t)
files_search_tmp($1)
files_list_tmp($1)
admin_pattern($1, devicekit_var_lib_t)
files_search_var_lib($1)
files_list_var_lib($1)
admin_pattern($1, devicekit_var_run_t)
files_search_pids($1)
files_list_pids($1)
')

1
policy/modules/services/devicekit.te
View File

@ -309,4 +309,3 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')

2
policy/modules/services/dhcp.if
View File

@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
')
sysnet_search_dhcp_state($1)
allow $1 dhcpd_state_t:file setattr;
allow $1 dhcpd_state_t:file setattr_file_perms;
')
########################################

8
policy/modules/services/djbdns.te
View File

@ -23,11 +23,6 @@ djbdns_daemontools_domain_template(tinydns)
# Local policy for axfrdns component
#
files_config_file(djbdns_axfrdns_conf_t)
daemontools_ipc_domain(djbdns_axfrdns_t)
daemontools_read_svc(djbdns_axfrdns_t)
allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
@ -41,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
files_search_var(djbdns_axfrdns_t)
daemontools_ipc_domain(djbdns_axfrdns_t)
daemontools_read_svc(djbdns_axfrdns_t)
ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
########################################

11
policy/modules/services/dnsmasq.if
View File

@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
## Read dnsmasq config files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`dnsmasq_read_config',`
@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',`
## Write to dnsmasq config files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`dnsmasq_write_config',`
@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
## </summary>
## </param>
#
#
interface(`dnsmasq_delete_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
files_search_pids($1)
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
@ -169,6 +169,7 @@ interface(`dnsmasq_read_pid_files',`
type dnsmasq_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')

13
policy/modules/services/dovecot.if
View File

@ -9,13 +9,13 @@
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dovecot_stream_connect_auth',`
gen_require(`
type dovecot_auth_t, dovecot_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
')
@ -52,6 +52,7 @@ interface(`dovecot_manage_spool',`
type dovecot_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
')
@ -94,13 +95,9 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
interface(`dovecot_admin',`
gen_require(`
type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
type dovecot_spool_t, dovecot_var_lib_t;
type dovecot_var_run_t, dovecot_tmp_t;
type dovecot_var_log_t;
type dovecot_cert_t, dovecot_passwd_t;
type dovecot_initrc_exec_t;
type dovecot_keytab_t;
type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
')
allow $1 dovecot_t:process { ptrace signal_perms };

4
policy/modules/services/dovecot.te
View File

@ -164,8 +164,8 @@ optional_policy(`
')
optional_policy(`
postfix_manage_private_sockets(dovecot_t)
postfix_search_spool(dovecot_t)
postfix_manage_private_sockets(dovecot_t)
postfix_search_spool(dovecot_t)
')
optional_policy(`

26
policy/modules/services/exim.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run exim.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`exim_domtrans',`
@ -24,11 +24,11 @@ interface(`exim_domtrans',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`exim_initrc_domtrans', `
interface(`exim_initrc_domtrans',`
gen_require(`
type exim_initrc_exec_t;
')
@ -119,9 +119,9 @@ interface(`exim_read_log',`
## exim log files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`exim_append_log',`
@ -229,10 +229,10 @@ interface(`exim_manage_spool_files',`
## </summary>
## </param>
#
interface(`exim_admin', `
interface(`exim_admin',`
gen_require(`
type exim_t, exim_initrc_exec_t, exim_log_t;
type exim_tmp_t, exim_spool_t, exim_var_run_t;
type exim_t, exim_initrc_exec_t, exim_log_t;
type exim_tmp_t, exim_spool_t, exim_var_run_t;
')
allow $1 exim_t:process { ptrace signal_perms };
@ -243,15 +243,15 @@ interface(`exim_admin', `
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
logging_list_logs($1)
admin_pattern($1, exim_log_t)
files_search_tmp($1)
files_list_tmp($1)
admin_pattern($1, exim_tmp_t)
files_search_spool($1)
files_list_spool($1)
admin_pattern($1, exim_spool_t)
files_search_pids($1)
files_list_pids($1)
admin_pattern($1, exim_var_run_t)
')

22
policy/modules/services/exim.te
View File

@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
#
## <desc>
## <p>
## Allow exim to connect to databases (postgres, mysql)
## </p>
## <p>
## Allow exim to connect to databases (postgres, mysql)
## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)
## <desc>
## <p>
## Allow exim to read unprivileged user files.
## </p>
## <p>
## Allow exim to read unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_read_user_files, false)
## <desc>
## <p>
## Allow exim to create, read, write, and delete
## unprivileged user files.
## </p>
## <p>
## Allow exim to create, read, write, and delete
## unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)
@ -174,7 +174,7 @@ optional_policy(`
')
optional_policy(`
nagios_search_spool(exim_t)
nagios_search_spool(exim_t)
')
optional_policy(`

12
policy/modules/services/fail2ban.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run fail2ban.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`fail2ban_domtrans',`
@ -102,9 +102,9 @@ interface(`fail2ban_read_log',`
## fail2ban log files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`fail2ban_append_log',`
@ -175,8 +175,8 @@ interface(`fail2ban_dontaudit_leaks',`
#
interface(`fail2ban_admin',`
gen_require(`
type fail2ban_t, fail2ban_log_t;
type fail2ban_var_run_t, fail2ban_initrc_exec_t;
type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
type fail2ban_var_run_t;
')
allow $1 fail2ban_t:process { ptrace signal_perms };

4
policy/modules/services/fail2ban.te
View File

@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
# log files
allow fail2ban_t fail2ban_log_t:dir setattr;
allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
@ -94,7 +94,7 @@ optional_policy(`
')
optional_policy(`
gnome_dontaudit_search_config(fail2ban_t)
gnome_dontaudit_search_config(fail2ban_t)
')
optional_policy(`

5
policy/modules/services/fprintd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run fprintd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`fprintd_domtrans',`
@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
allow $1 fprintd_t:dbus send_msg;
allow fprintd_t $1:dbus send_msg;
')

22
policy/modules/services/ftp.if
View File

@ -51,25 +51,6 @@ interface(`ftp_read_config',`
allow $1 ftpd_etc_t:file read_file_perms;
')
########################################
## <summary>
## Execute FTP daemon entry point programs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ftp_check_exec',`
gen_require(`
type ftpd_exec_t;
')
corecmd_search_bin($1)
allow $1 ftpd_exec_t:file { getattr execute };
')
########################################
## <summary>
## Read FTP transfer logs
@ -171,9 +152,8 @@ interface(`ftp_dyntrans_sftpd',`
interface(`ftp_admin',`
gen_require(`
type ftpd_t, ftpdctl_t, ftpd_tmp_t;
type ftpd_etc_t, ftpd_lock_t;
type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
type ftpd_var_run_t, xferlog_t;
type ftpd_initrc_exec_t;
')
allow $1 ftpd_t:process { ptrace signal_perms };

114
policy/modules/services/ftp.te
View File

@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0)
#
## <desc>
## <p>
## Allow ftp servers to upload files, used for public file
## transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## <p>
## Allow ftp servers to upload files, used for public file
## transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)
## <desc>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)
## <desc>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)
## <desc>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)
## <desc>
## <p>
## Allow ftp servers to use connect to mysql database
## </p>
## <p>
## Allow ftp servers to use connect to mysql database
## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)
## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir, false)
## <desc>
## <p>
## Allow anon internal-sftp to upload files, used for
## public file transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## <p>
## Allow anon internal-sftp to upload files, used for
## public file transfer services. Directories must be labeled
## public_content_rw_t.
## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)
## <desc>
## <p>
## Allow sftp-internal to read and write files
## in the user home directories
## </p>
## <p>
## Allow sftp-internal to read and write files
## in the user home directories
## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)
## <desc>
## <p>
## Allow sftp-internal to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## <p>
## Allow sftp-internal to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(sftpd_full_access, false)
## <desc>
## <p>
## Allow interlnal-sftp to read and write files
## in the user ssh home directories.
## </p>
## <p>
## Allow interlnal-sftp to read and write files
## in the user ssh home directories.
## </p>
## </desc>
gen_tunable(sftpd_write_ssh_home, false)
@ -181,13 +181,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@ -291,10 +291,10 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, file)
', `
# Needed for permissive mode, to make sure everything gets labeled correctly
userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
',`
# Needed for permissive mode, to make sure everything gets labeled correctly
userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@ -349,8 +349,8 @@ optional_policy(`
')
tunable_policy(`ftpd_connect_db',`
corenet_tcp_connect_mysqld_port(ftpd_t)
corenet_tcp_connect_postgresql_port(ftpd_t)
mysql_tcp_connect(ftpd_t)
postgresql_tcp_connect(ftpd_t)
')
optional_policy(`
@ -385,10 +385,11 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
files_search_pids(ftpdctl_t)
# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
@ -400,6 +401,7 @@ userdom_use_user_terminals(ftpdctl_t)
#
# sftpd local policy
#
files_read_etc_files(sftpd_t)
# allow read access to /home by default
@ -408,13 +410,13 @@ userdom_read_user_home_content_symlinks(sftpd_t)
userdom_dontaudit_list_admin_dir(sftpd_t)
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
auth_manage_all_files_except_shadow(sftpd_t)
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
auth_manage_all_files_except_shadow(sftpd_t)
')
tunable_policy(`sftpd_write_ssh_home',`
ssh_manage_home_files(sftpd_t)
ssh_manage_home_files(sftpd_t)
')
tunable_policy(`sftpd_enable_homedirs',`
@ -424,9 +426,9 @@ tunable_policy(`sftpd_enable_homedirs',`
files_list_home(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_manage_user_home_content(sftpd_t)
', `
# Needed for permissive mode, to make sure everything gets labeled correctly
userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
',`
# Needed for permissive mode, to make sure everything gets labeled correctly
userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`

2
policy/modules/services/gatekeeper.te
View File

@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
allow gatekeeper_t self:udp_socket create_socket_perms;
allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
files_search_etc(gatekeeper_t)

9
policy/modules/services/git.fc
View File

@ -1,9 +1,10 @@
HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0)
HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0)
HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)

17
policy/modules/services/git.if
View File

@ -1,10 +1,10 @@
## <summary>Fast Version Control System.</summary>
## <desc>
## <p>
## A really simple TCP git daemon that normally listens on
## port DEFAULT_GIT_PORT aka 9418. It waits for a
## connection asking for a service, and will serve that
## service if it is enabled.
## A really simple TCP git daemon that normally listens on
## port DEFAULT_GIT_PORT aka 9418. It waits for a
## connection asking for a service, and will serve that
## service if it is enabled.
## </p>
## </desc>
@ -25,8 +25,7 @@
#
interface(`git_session_role',`
gen_require(`
type git_session_t, gitd_exec_t;
type git_session_content_t;
type git_session_t, gitd_exec_t, git_session_content_t;
')
########################################
@ -59,10 +58,8 @@ interface(`git_session_role',`
## </param>
#
template(`git_content_template',`
gen_require(`
attribute git_system_content;
attribute git_content;
attribute git_system_content, git_content;
')
########################################
@ -86,7 +83,6 @@ template(`git_content_template',`
## </param>
#
template(`git_role_template',`
gen_require(`
class context contains;
role system_r;
@ -522,4 +518,3 @@ interface(`git_relabel_session_content',`
relabel_files_pattern($1, git_session_content_t, git_session_content_t)
userdom_search_user_home_dirs($1)
')

44
policy/modules/services/git.te
View File

@ -1,23 +1,23 @@
policy_module(git, 1.0.3)
## <desc>
## <p>
## Allow Git daemon system to search home directories.
## </p>
## <p>
## Allow Git daemon system to search home directories.
## </p>
## </desc>
gen_tunable(git_system_enable_homedirs, false)
## <desc>
## <p>
## Allow Git daemon system to access cifs file systems.
## </p>
## <p>
## Allow Git daemon system to access cifs file systems.
## </p>
## </desc>
gen_tunable(git_system_use_cifs, false)
## <desc>
## <p>
## Allow Git daemon system to access nfs file systems.
## </p>
## <p>
## Allow Git daemon system to access nfs file systems.
## </p>
## </desc>
gen_tunable(git_system_use_nfs, false)
@ -31,6 +31,7 @@ attribute git_system_content;
attribute git_content;
type gitd_exec_t;
application_executable_file(gitd_exec_t)
########################################
#
@ -51,10 +52,10 @@ typealias git_system_content_t alias git_data_t;
#
## <desc>
## <p>
## Allow Git daemon session to bind
## tcp sockets to all unreserved ports.
## </p>
## <p>
## Allow Git daemon session to bind
## tcp sockets to all unreserved ports.
## </p>
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)
@ -119,26 +120,26 @@ list_dirs_pattern(git_system_t, git_content, git_content)
read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)
tunable_policy(`git_system_enable_homedirs', `
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_cifs', `
tunable_policy(`git_system_use_cifs',`
fs_list_cifs(git_system_t)
fs_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_nfs', `
tunable_policy(`git_system_use_nfs',`
fs_list_nfs(git_system_t)
fs_read_nfs_files(git_system_t)
')
@ -156,17 +157,17 @@ userdom_search_user_home_dirs(git_session_t)
userdom_use_user_terminals(git_session_t)
tunable_policy(`git_session_bind_all_unreserved_ports', `
tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_bind_all_unreserved_ports(git_session_t)
corenet_sendrecv_generic_server_packets(git_session_t)
')
tunable_policy(`use_nfs_home_dirs', `
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(git_session_t)
fs_read_nfs_files(git_session_t)
')
tunable_policy(`use_samba_home_dirs', `
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs(git_session_t)
fs_read_cifs_files(git_session_t)
')
@ -189,4 +190,3 @@ optional_policy(`
git_role_template(git_shell)
gen_user(git_shell_u, user, git_shell_r, s0, s0)

6
policy/modules/services/gnomeclock.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run gnomeclock.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`gnomeclock_domtrans',`
@ -71,7 +71,7 @@ interface(`gnomeclock_dbus_chat',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain to not audit.
## </summary>
## </param>
#

10
policy/modules/services/gpm.if
View File

@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
type gpmctl_t, gpm_t;
')
allow $1 gpmctl_t:sock_file rw_sock_file_perms;
allow $1 gpm_t:unix_stream_socket connectto;
dev_list_all_dev_nodes($1)
stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
')
########################################
@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
')
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file getattr;
allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
')
########################################
@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
type gpmctl_t;
')
dontaudit $1 gpmctl_t:sock_file getattr;
dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
')
########################################
@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
')
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file setattr;
allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
')

36
policy/modules/services/hal.if
View File

@ -18,24 +18,6 @@ interface(`hal_domtrans',`
domtrans_pattern($1, hald_exec_t, hald_t)
')
########################################
## <summary>
## Get the attributes of a hal process.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`hal_getattr',`
gen_require(`
type hald_t;
')
allow $1 hald_t:process getattr;
')
########################################
## <summary>
## Read hal system state
@ -88,7 +70,7 @@ interface(`hal_use_fds',`
type hald_t;
')
allow $1 hald_t:fd use;
allow $1 hald_t:fd use;
')
########################################
@ -106,7 +88,7 @@ interface(`hal_dontaudit_use_fds',`
type hald_t;
')
dontaudit $1 hald_t:fd use;
dontaudit $1 hald_t:fd use;
')
########################################
@ -125,7 +107,7 @@ interface(`hal_rw_pipes',`
type hald_t;
')
allow $1 hald_t:fifo_file rw_fifo_file_perms;
allow $1 hald_t:fifo_file rw_fifo_file_perms;
')
########################################
@ -144,7 +126,7 @@ interface(`hal_dontaudit_rw_pipes',`
type hald_t;
')
dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
')
########################################
@ -378,7 +360,7 @@ interface(`hal_read_pid_files',`
########################################
## <summary>
## Do not audit attempts to read
## Do not audit attempts to read
## hald PID files.
## </summary>
## <param name="domain">
@ -464,14 +446,12 @@ interface(`hal_manage_pid_files',`
#
interface(`hal_dontaudit_leaks',`
gen_require(`
type hald_log_t;
type hald_t;
type hald_var_run_t;
type hald_log_t, hald_t, hald_var_run_t;
')
dontaudit $1 hald_t:fd use;
dontaudit $1 hald_t:fd use;
dontaudit $1 hald_log_t:file rw_inherited_file_perms;
dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit hald_t $1:socket_class_set { read write };
dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
')

8
policy/modules/services/hal.te
View File

@ -316,7 +316,7 @@ optional_policy(`
')
optional_policy(`
policykit_dbus_chat(hald_t)
policykit_dbus_chat(hald_t)
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
@ -333,7 +333,7 @@ optional_policy(`
optional_policy(`
shutdown_domtrans(hald_t)
')
')
optional_policy(`
udev_domtrans(hald_t)
@ -411,7 +411,7 @@ logging_send_syslog_msg(hald_acl_t)
miscfiles_read_localization(hald_acl_t)
optional_policy(`
policykit_dbus_chat(hald_acl_t)
policykit_dbus_chat(hald_acl_t)
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
policykit_read_reload(hald_acl_t)
@ -493,7 +493,7 @@ files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
# This is caused by a bug in hald and PolicyKit.
# This is caused by a bug in hald and PolicyKit.
# Should be removed when this is fixed
cron_read_system_job_lib_files(hald_t)

2
policy/modules/services/hddtemp.if
View File

@ -69,5 +69,5 @@ interface(`hddtemp_admin',`
allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
files_search_etc($1)
files_list_etc($1)
')

1
policy/modules/services/hddtemp.te
View File

@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
miscfiles_read_localization(hddtemp_t)

10
policy/modules/services/icecast.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run icecast.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`icecast_domtrans',`
@ -118,9 +118,9 @@ interface(`icecast_read_log',`
## icecast log files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`icecast_append_log',`
@ -183,7 +183,5 @@ interface(`icecast_admin',`
allow $2 system_r;
icecast_manage_pid_files($1)
icecast_manage_log($1)
')

10
policy/modules/services/icecast.te
View File

@ -6,10 +6,10 @@ policy_module(icecast, 1.0.1)
#
## <desc>
## <p>
## Allow icecast to connect to all ports, not just
## sound ports.
## </p>
## <p>
## Allow icecast to connect to all ports, not just
## sound ports.
## </p>
## </desc>
gen_tunable(icecast_connect_any, false)
@ -39,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
logging_log_filetrans(icecast_t, icecast_log_t, { file dir })
manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)

8
policy/modules/services/ifplugd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run ifplugd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ifplugd_domtrans',`
@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',`
#
interface(`ifplugd_admin',`
gen_require(`
type ifplugd_t, ifplugd_etc_t;
type ifplugd_var_run_t, ifplugd_initrc_exec_t;
type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
type ifplugd_initrc_exec_t;
')
allow $1 ifplugd_t:process { ptrace signal_perms };

1
policy/modules/services/inetd.if
View File

@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',`
## </param>
#
interface(`inetd_tcp_service_domain',`
gen_require(`
type inetd_t;
')

7
policy/modules/services/inn.if
View File

@ -93,6 +93,7 @@ interface(`inn_read_config',`
type innd_etc_t;
')
files_search_etc($1)
allow $1 innd_etc_t:dir list_dir_perms;
allow $1 innd_etc_t:file read_file_perms;
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
type innd_var_lib_t;
')
files_search_var_lib($1)
allow $1 innd_var_lib_t:dir list_dir_perms;
allow $1 innd_var_lib_t:file read_file_perms;
allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
type news_spool_t;
')
files_search_spool($1)
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
@ -195,8 +198,8 @@ interface(`inn_domtrans',`
interface(`inn_admin',`
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
type news_spool_t, innd_var_lib_t;
type innd_var_run_t, innd_initrc_exec_t;
type news_spool_t, innd_var_lib_t, innd_var_run_t;
type innd_initrc_exec_t;
')
allow $1 innd_t:process { ptrace signal_perms };

Some files were not shown because too many files have changed in this diff Show More