Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
This commit is contained in:
commit
5d82597463
@ -185,18 +185,18 @@ interface(`shorewall_admin',`
|
||||
role_transition $2 shorewall_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, shorewall_etc_t)
|
||||
|
||||
files_search_locks($1)
|
||||
files_list_locks($1)
|
||||
admin_pattern($1, shorewall_lock_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, shorewall_var_lib_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, shorewall_log_t)
|
||||
|
||||
files_search_tmp($1)
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, shorewall_tmp_t)
|
||||
')
|
||||
|
@ -320,7 +320,7 @@ interface(`gnome_admin_home_gconf_filetrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`gnome_read_gconf_config',`
|
||||
interface(`gnome_read_gconf_config',`
|
||||
gen_require(`
|
||||
type gconf_etc_t;
|
||||
')
|
||||
@ -498,7 +498,7 @@ interface(`gnome_stream_connect',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`gnome_list_home_config',`
|
||||
interface(`gnome_list_home_config',`
|
||||
gen_require(`
|
||||
type config_home_t;
|
||||
')
|
||||
@ -535,7 +535,7 @@ template(`gnome_setattr_home_config',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`gnome_read_home_config',`
|
||||
interface(`gnome_read_home_config',`
|
||||
gen_require(`
|
||||
type config_home_t;
|
||||
')
|
||||
|
@ -5286,6 +5286,24 @@ interface(`files_manage_mounttab',`
|
||||
manage_files_pattern($1, var_lib_t, var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List generic lock directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_locks',`
|
||||
gen_require(`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, var_t, var_lock_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the locks directory (/var/lock).
|
||||
|
@ -326,18 +326,18 @@ interface(`abrt_admin',`
|
||||
role_transition $2 abrt_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, abrt_etc_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, abrt_var_log_t)
|
||||
|
||||
files_search_var($1)
|
||||
files_list_var($1)
|
||||
admin_pattern($1, abrt_var_cache_t)
|
||||
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, abrt_var_run_t)
|
||||
|
||||
files_search_tmp($1)
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, abrt_tmp_t)
|
||||
')
|
||||
|
@ -214,7 +214,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
# abrt--helper local policy
|
||||
# abrt-helper local policy
|
||||
#
|
||||
|
||||
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
||||
@ -248,22 +248,22 @@ miscfiles_read_localization(abrt_helper_t)
|
||||
term_dontaudit_use_all_ttys(abrt_helper_t)
|
||||
term_dontaudit_use_all_ptys(abrt_helper_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
domain_dontaudit_leaks(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
||||
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
||||
optional_policy(`
|
||||
rpm_dontaudit_leaks(abrt_helper_t)
|
||||
')
|
||||
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
||||
dev_dontaudit_read_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
||||
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
||||
|
||||
optional_policy(`
|
||||
rpm_dontaudit_leaks(abrt_helper_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
')
|
||||
|
@ -82,10 +82,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
|
||||
|
||||
kernel_rw_afs_state(afs_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
kernel_rw_unlabeled_files(afs_t)
|
||||
')
|
||||
|
||||
corenet_all_recvfrom_unlabeled(afs_t)
|
||||
corenet_all_recvfrom_netlabel(afs_t)
|
||||
corenet_tcp_sendrecv_generic_if(afs_t)
|
||||
@ -111,6 +107,10 @@ miscfiles_read_localization(afs_t)
|
||||
|
||||
sysnet_dns_name_resolve(afs_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
kernel_rw_unlabeled_files(afs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# AFS bossserver local policy
|
||||
|
@ -19,7 +19,6 @@ interface(`aiccu_domtrans',`
|
||||
corecmd_search_bin($1)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute aiccu server in the aiccu domain.
|
||||
@ -78,7 +77,6 @@ interface(`aiccu_manage_var_run',`
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
@ -111,8 +109,8 @@ interface(`aiccu_admin',`
|
||||
allow $2 system_r;
|
||||
|
||||
admin_pattern($1, aiccu_etc_t)
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
|
||||
admin_pattern($1, aiccu_var_run_t)
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
')
|
||||
|
@ -33,6 +33,7 @@ interface(`aide_domtrans',`
|
||||
## The role to allow the AIDE domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`aide_run',`
|
||||
gen_require(`
|
||||
|
@ -1,4 +1,3 @@
|
||||
|
||||
## <summary>policy for ajaxterm</summary>
|
||||
|
||||
########################################
|
||||
@ -19,14 +18,13 @@ interface(`ajaxterm_domtrans',`
|
||||
domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ajaxterm server in the ajaxterm domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -57,8 +55,7 @@ interface(`ajaxterm_initrc_domtrans',`
|
||||
#
|
||||
interface(`ajaxterm_admin',`
|
||||
gen_require(`
|
||||
type ajaxterm_t;
|
||||
type ajaxterm_initrc_exec_t;
|
||||
type ajaxterm_t, ajaxterm_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ajaxterm_t:process { ptrace signal_perms };
|
||||
@ -68,5 +65,4 @@ interface(`ajaxterm_admin',`
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 ajaxterm_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
')
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(ajaxterm,1.0.0)
|
||||
policy_module(ajaxterm, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -30,7 +30,7 @@ allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
|
||||
allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
|
||||
term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
|
||||
|
||||
manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
|
||||
|
@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
|
||||
type amavis_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 amavis_var_run_t:file setattr;
|
||||
allow $1 amavis_var_run_t:file setattr_file_perms;
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
|
@ -76,7 +76,7 @@ files_search_spool(amavis_t)
|
||||
|
||||
# tmp files
|
||||
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
|
||||
allow amavis_t amavis_tmp_t:dir setattr;
|
||||
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
|
||||
files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
|
||||
|
||||
# var/lib files for amavis
|
||||
@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
|
||||
files_search_var_lib(amavis_t)
|
||||
|
||||
# log files
|
||||
allow amavis_t amavis_var_log_t:dir setattr;
|
||||
allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
|
||||
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
|
||||
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
|
||||
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
|
||||
|
@ -13,8 +13,7 @@
|
||||
#
|
||||
template(`apache_content_template',`
|
||||
gen_require(`
|
||||
attribute httpd_exec_scripts;
|
||||
attribute httpd_script_exec_type;
|
||||
attribute httpd_exec_scripts, httpd_script_exec_type;
|
||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||
type httpd_sys_content_t;
|
||||
')
|
||||
@ -50,8 +49,6 @@ template(`apache_content_template',`
|
||||
|
||||
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
|
||||
|
||||
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
|
||||
allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
|
||||
|
||||
@ -132,6 +129,8 @@ template(`apache_content_template',`
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
|
||||
|
||||
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
|
||||
# privileged users run the script:
|
||||
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
|
||||
|
||||
@ -152,6 +151,8 @@ template(`apache_content_template',`
|
||||
allow httpd_$1_script_t httpd_t:fd use;
|
||||
allow httpd_$1_script_t httpd_t:process sigchld;
|
||||
|
||||
dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
kernel_read_system_state(httpd_$1_script_t)
|
||||
|
||||
dev_read_urand(httpd_$1_script_t)
|
||||
@ -180,8 +181,6 @@ template(`apache_content_template',`
|
||||
optional_policy(`
|
||||
nscd_socket_use(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -202,16 +201,15 @@ template(`apache_content_template',`
|
||||
interface(`apache_role',`
|
||||
gen_require(`
|
||||
attribute httpdcontent;
|
||||
type httpd_user_content_t, httpd_user_htaccess_t;
|
||||
type httpd_user_script_t, httpd_user_script_exec_t;
|
||||
type httpd_user_ra_content_t, httpd_user_rw_content_t;
|
||||
type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
|
||||
type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
|
||||
')
|
||||
|
||||
role $1 types httpd_user_script_t;
|
||||
|
||||
allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
|
||||
|
||||
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
|
||||
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
|
||||
|
||||
manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
@ -501,7 +499,7 @@ interface(`apache_setattr_cache_dirs',`
|
||||
type httpd_cache_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_cache_t:dir setattr;
|
||||
allow $1 httpd_cache_t:dir setattr_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -732,7 +730,7 @@ interface(`apache_dontaudit_append_log',`
|
||||
type httpd_log_t;
|
||||
')
|
||||
|
||||
dontaudit $1 httpd_log_t:file { getattr append };
|
||||
dontaudit $1 httpd_log_t:file append_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -895,7 +893,6 @@ interface(`apache_manage_sys_content',`
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
apache_search_sys_content($1)
|
||||
manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
||||
manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
||||
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
||||
@ -985,8 +982,7 @@ interface(`apache_delete_sys_content_rw',`
|
||||
interface(`apache_domtrans_sys_script',`
|
||||
gen_require(`
|
||||
attribute httpdcontent;
|
||||
type httpd_sys_script_t;
|
||||
type httpd_sys_content_t;
|
||||
type httpd_sys_script_t, httpd_sys_content_t;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
@ -1049,9 +1045,10 @@ interface(`apache_domtrans_all_scripts',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access..
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`apache_run_all_scripts',`
|
||||
gen_require(`
|
||||
@ -1226,7 +1223,7 @@ interface(`apache_read_tmp_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1317,17 +1314,14 @@ interface(`apache_cgi_domain',`
|
||||
#
|
||||
interface(`apache_admin',`
|
||||
gen_require(`
|
||||
attribute httpdcontent;
|
||||
attribute httpd_script_exec_type;
|
||||
|
||||
attribute httpdcontent, httpd_script_exec_type;
|
||||
type httpd_t, httpd_config_t, httpd_log_t;
|
||||
type httpd_modules_t, httpd_lock_t;
|
||||
type httpd_var_run_t, httpd_php_tmp_t;
|
||||
type httpd_modules_t, httpd_lock_t, httpd_bool_t;
|
||||
type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
|
||||
type httpd_suexec_tmp_t, httpd_tmp_t;
|
||||
type httpd_initrc_exec_t, httpd_bool_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_t:process { getattr ptrace signal_perms };
|
||||
allow $1 httpd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, httpd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
|
||||
@ -1338,10 +1332,10 @@ interface(`apache_admin',`
|
||||
apache_manage_all_content($1)
|
||||
miscfiles_manage_public_files($1)
|
||||
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, httpd_config_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, httpd_log_t)
|
||||
|
||||
admin_pattern($1, httpd_modules_t)
|
||||
@ -1352,26 +1346,22 @@ interface(`apache_admin',`
|
||||
admin_pattern($1, httpd_var_run_t)
|
||||
files_pid_filetrans($1, httpd_var_run_t, file)
|
||||
|
||||
kernel_search_proc($1)
|
||||
allow $1 httpd_t:dir list_dir_perms;
|
||||
ps_process_pattern($1, httpd_t)
|
||||
read_lnk_files_pattern($1, httpd_t, httpd_t)
|
||||
|
||||
admin_pattern($1, httpdcontent)
|
||||
admin_pattern($1, httpd_script_exec_type)
|
||||
|
||||
seutil_domtrans_setfiles($1)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, httpd_tmp_t)
|
||||
admin_pattern($1, httpd_php_tmp_t)
|
||||
admin_pattern($1, httpd_suexec_tmp_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
apache_set_booleans($1, $2, $3, httpd_bool_t )
|
||||
ifdef(`TODO',`
|
||||
apache_set_booleans($1, $2, $3, httpd_bool_t)
|
||||
seutil_setsebool_role_template($1, $3, $2)
|
||||
allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
|
||||
allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1380,7 +1370,7 @@ ifdef(`TODO',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
@ -36,6 +36,13 @@ gen_tunable(allow_httpd_anon_write, false)
|
||||
## </desc>
|
||||
gen_tunable(allow_httpd_mod_auth_pam, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Apache to use mod_auth_pam
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow httpd scripts and modules execmem/execstack
|
||||
@ -279,6 +286,13 @@ typeattribute httpd_sys_content_t httpdcontent; # customizable
|
||||
typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
|
||||
typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
|
||||
|
||||
# Removal of fastcgi, will cause problems without the following
|
||||
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
|
||||
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
|
||||
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
|
||||
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
||||
|
||||
type httpd_tmp_t;
|
||||
files_tmp_file(httpd_tmp_t)
|
||||
|
||||
@ -320,6 +334,9 @@ files_type(httpd_var_lib_t)
|
||||
type httpd_var_run_t;
|
||||
files_pid_file(httpd_var_run_t)
|
||||
|
||||
# Removal of fastcgi, will cause problems without the following
|
||||
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
||||
|
||||
# File Type of squirrelmail attachments
|
||||
type squirrelmail_spool_t;
|
||||
files_tmp_file(squirrelmail_spool_t)
|
||||
@ -506,22 +523,21 @@ tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
logging_send_audit_msgs(httpd_t)
|
||||
')
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Apache to use mod_auth_pam
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
|
||||
optional_policy(`
|
||||
tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
|
||||
tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
|
||||
samba_domtrans_winbind_helper(httpd_t)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
corenet_tcp_connect_mssql_port(httpd_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_memcache',`
|
||||
corenet_tcp_connect_memcache_port(httpd_t)
|
||||
')
|
||||
@ -541,6 +557,12 @@ tunable_policy(`httpd_can_network_relay',`
|
||||
corenet_sendrecv_squid_client_packets(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_execmem',`
|
||||
allow httpd_t self:process { execmem execstack };
|
||||
allow httpd_sys_script_t self:process { execmem execstack };
|
||||
allow httpd_suexec_t self:process { execmem execstack };
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
|
||||
filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
|
||||
@ -575,10 +597,6 @@ tunable_policy(`httpd_enable_ftp_server',`
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_read_user_home_content_files(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
|
||||
can_exec(httpd_t, httpd_tmp_t)
|
||||
')
|
||||
@ -732,12 +750,6 @@ optional_policy(`
|
||||
rpc_search_nfs_state_data(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_execmem',`
|
||||
allow httpd_t self:process { execmem execstack };
|
||||
allow httpd_sys_script_t self:process { execmem execstack };
|
||||
allow httpd_suexec_t self:process { execmem execstack };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@ -745,7 +757,6 @@ optional_policy(`
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
postgresql_tcp_connect(httpd_sys_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -830,28 +841,27 @@ libs_exec_lib_files(httpd_php_t)
|
||||
userdom_use_unpriv_users_fds(httpd_php_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
corenet_tcp_connect_mysqld_port(httpd_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_t)
|
||||
corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
|
||||
corenet_tcp_connect_mysqld_port(httpd_suexec_t)
|
||||
corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
|
||||
|
||||
corenet_tcp_connect_mssql_port(httpd_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_t)
|
||||
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
|
||||
corenet_tcp_connect_mssql_port(httpd_suexec_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
|
||||
corenet_tcp_connect_mssql_port(httpd_php_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_php_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_php_t)
|
||||
mysql_rw_db_sockets(httpd_php_t)
|
||||
mysql_read_config(httpd_php_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_php_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(httpd_php_t)
|
||||
postgresql_unpriv_client(httpd_php_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_php_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -877,6 +887,10 @@ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
|
||||
|
||||
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@ -917,11 +931,13 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
corenet_tcp_connect_mssql_port(httpd_suexec_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_sys_script_t httpdcontent:file entrypoint;
|
||||
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
||||
@ -930,9 +946,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
||||
manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
||||
')
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(httpd_suexec_t)
|
||||
@ -961,6 +974,19 @@ optional_policy(`
|
||||
mysql_stream_connect(httpd_suexec_t)
|
||||
mysql_rw_db_sockets(httpd_suexec_t)
|
||||
mysql_read_config(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_suexec_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(httpd_suexec_t)
|
||||
postgresql_unpriv_client(httpd_suexec_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_suexec_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1007,6 +1033,11 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
corenet_tcp_connect_mssql_port(httpd_sys_script_t)
|
||||
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
fs_cifs_entry_type(httpd_sys_script_t)
|
||||
fs_read_iso9660_files(httpd_sys_script_t)
|
||||
fs_nfs_entry_type(httpd_sys_script_t)
|
||||
@ -1042,7 +1073,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_read_user_home_content_files(httpd_sys_script_t)
|
||||
userdom_search_user_home_dirs(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@ -1050,6 +1081,10 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_read_user_content',`
|
||||
userdom_read_user_home_content_files(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_use_cifs',`
|
||||
fs_manage_cifs_dirs(httpd_sys_script_t)
|
||||
fs_manage_cifs_files(httpd_sys_script_t)
|
||||
@ -1073,10 +1108,19 @@ optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
mysql_read_config(httpd_sys_script_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
mysql_tcp_connect(httpd_sys_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(httpd_sys_script_t)
|
||||
postgresql_unpriv_client(httpd_sys_script_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_sys_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1136,19 +1180,7 @@ tunable_policy(`httpd_enable_homedirs',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_read_user_content',`
|
||||
userdom_read_user_home_content_files(httpd_user_script_t)
|
||||
userdom_read_user_home_content_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
|
||||
userdom_read_user_home_content_files(httpd_t)
|
||||
userdom_read_user_home_content_files(httpd_suexec_t)
|
||||
userdom_read_user_home_content_files(httpd_user_script_t)
|
||||
')
|
||||
|
||||
# Removal of fastcgi, will cause problems without the following
|
||||
typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||
typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
|
||||
typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
|
||||
typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
|
||||
typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
||||
typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
||||
|
||||
|
@ -140,10 +140,8 @@ interface(`apcupsd_cgi_script_domtrans',`
|
||||
#
|
||||
interface(`apcupsd_admin',`
|
||||
gen_require(`
|
||||
type apcupsd_t, apcupsd_tmp_t;
|
||||
type apcupsd_log_t, apcupsd_lock_t;
|
||||
type apcupsd_var_run_t;
|
||||
type apcupsd_initrc_exec_t;
|
||||
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
|
||||
type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 apcupsd_t:process { ptrace signal_perms };
|
||||
|
@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
|
||||
type apmd_t;
|
||||
')
|
||||
|
||||
allow $1 apmd_t:fifo_file write;
|
||||
allow $1 apmd_t:fifo_file write_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -89,7 +89,7 @@ interface(`apm_append_log',`
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 apmd_log_t:file append;
|
||||
allow $1 apmd_log_t:file append_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -108,6 +108,5 @@ interface(`apm_stream_connect',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 apmd_var_run_t:sock_file write;
|
||||
allow $1 apmd_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
|
||||
')
|
||||
|
@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type apmd_t;
|
||||
type apmd_exec_t;
|
||||
init_daemon_domain(apmd_t, apmd_exec_t)
|
||||
|
@ -29,7 +29,6 @@ interface(`automount_domtrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`automount_signal',`
|
||||
gen_require(`
|
||||
type automount_t;
|
||||
@ -124,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
|
||||
type automount_tmp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 automount_tmp_t:dir getattr;
|
||||
dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -151,8 +151,7 @@ interface(`avahi_dontaudit_search_pid',`
|
||||
#
|
||||
interface(`avahi_admin',`
|
||||
gen_require(`
|
||||
type avahi_t, avahi_var_run_t;
|
||||
type avahi_initrc_exec_t;
|
||||
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 avahi_t:process { ptrace signal_perms };
|
||||
|
@ -40,7 +40,7 @@ files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
|
||||
manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
||||
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
||||
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
||||
allow avahi_t avahi_var_run_t:dir setattr;
|
||||
allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
|
||||
files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
|
||||
|
||||
kernel_read_system_state(avahi_t)
|
||||
|
@ -186,7 +186,7 @@ interface(`bind_write_config',`
|
||||
')
|
||||
|
||||
write_files_pattern($1, named_conf_t, named_conf_t)
|
||||
allow $1 named_conf_t:file setattr;
|
||||
allow $1 named_conf_t:file setattr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
|
||||
type named_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 named_var_run_t:dir setattr;
|
||||
allow $1 named_var_run_t:dir setattr_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
|
||||
type named_zone_t;
|
||||
')
|
||||
|
||||
allow $1 named_zone_t:dir setattr;
|
||||
allow $1 named_zone_t:dir setattr_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -380,10 +380,9 @@ interface(`bind_udp_chat_named',`
|
||||
interface(`bind_admin',`
|
||||
gen_require(`
|
||||
type named_t, named_tmp_t, named_log_t;
|
||||
type named_conf_t, named_var_run_t;
|
||||
type named_cache_t, named_zone_t;
|
||||
type named_conf_t, named_var_run_t, named_cache_t;
|
||||
type named_zone_t, named_initrc_exec_t;
|
||||
type dnssec_t, ndc_t, named_keytab_t;
|
||||
type named_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 named_t:process { ptrace signal_perms };
|
||||
|
@ -202,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
|
||||
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow ndc_t dnssec_t:file read_file_perms;
|
||||
allow ndc_t dnssec_t:lnk_file { getattr read };
|
||||
allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
|
||||
|
||||
allow ndc_t named_conf_t:file read_file_perms;
|
||||
allow ndc_t named_conf_t:lnk_file { getattr read };
|
||||
allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow ndc_t named_zone_t:dir search_dir_perms;
|
||||
|
||||
@ -245,7 +245,7 @@ term_dontaudit_use_console(ndc_t)
|
||||
|
||||
# for /etc/rndc.key
|
||||
ifdef(`distro_redhat',`
|
||||
allow ndc_t named_conf_t:dir search;
|
||||
allow ndc_t named_conf_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -26,7 +26,7 @@ files_type(bitlbee_var_t)
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
#
|
||||
|
||||
allow bitlbee_t self:capability { setgid setuid };
|
||||
|
||||
allow bitlbee_t self:udp_socket create_socket_perms;
|
||||
|
@ -14,6 +14,7 @@
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`bluetooth_role',`
|
||||
gen_require(`
|
||||
@ -27,7 +28,7 @@ interface(`bluetooth_role',`
|
||||
|
||||
# allow ps to show cdrecord and allow the user to kill it
|
||||
ps_process_pattern($2, bluetooth_helper_t)
|
||||
allow $2 bluetooth_helper_t:process signal;
|
||||
allow $2 bluetooth_helper_t:process { ptrace signal_perms };
|
||||
|
||||
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
||||
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
||||
@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
|
||||
type bluetooth_conf_t;
|
||||
')
|
||||
|
||||
allow $1 bluetooth_conf_t:file { getattr read ioctl };
|
||||
allow $1 bluetooth_conf_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -178,7 +179,7 @@ interface(`bluetooth_run_helper',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read bluetooth helper state files.
|
||||
## Do not audit attempts to read bluetooth helper state files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -191,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
|
||||
type bluetooth_helper_t;
|
||||
')
|
||||
|
||||
dontaudit $1 bluetooth_helper_t:dir search;
|
||||
dontaudit $1 bluetooth_helper_t:file { read getattr };
|
||||
dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
|
||||
dontaudit $1 bluetooth_helper_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -215,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
|
||||
interface(`bluetooth_admin',`
|
||||
gen_require(`
|
||||
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
|
||||
type bluetooth_var_lib_t, bluetooth_var_run_t;
|
||||
type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
|
||||
type bluetooth_conf_t, bluetooth_conf_rw_t;
|
||||
type bluetooth_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 bluetooth_t:process { ptrace signal_perms };
|
||||
|
@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type bluetooth_t;
|
||||
type bluetooth_exec_t;
|
||||
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
|
||||
|
@ -1,4 +1,3 @@
|
||||
|
||||
## <summary>policy for boinc</summary>
|
||||
|
||||
########################################
|
||||
@ -110,6 +109,7 @@ interface(`boinc_manage_var_lib',`
|
||||
type boinc_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
|
||||
manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
|
||||
manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
|
||||
@ -134,8 +134,7 @@ interface(`boinc_manage_var_lib',`
|
||||
#
|
||||
interface(`boinc_admin',`
|
||||
gen_require(`
|
||||
type boinc_t, boinc_initrc_exec_t;
|
||||
type boinc_var_lib_t;
|
||||
type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 boinc_t:process { ptrace signal_perms };
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(boinc,1.0.0)
|
||||
policy_module(boinc, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -27,6 +27,9 @@ role system_r types boinc_project_t;
|
||||
|
||||
permissive boinc_project_t;
|
||||
|
||||
type boinc_project_tmp_t;
|
||||
files_tmp_file(boinc_project_tmp_t)
|
||||
|
||||
type boinc_project_var_lib_t;
|
||||
files_type(boinc_project_var_lib_t)
|
||||
|
||||
@ -49,12 +52,12 @@ manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
||||
files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
|
||||
|
||||
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
|
||||
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
|
||||
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
|
||||
|
||||
exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
|
||||
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
|
||||
|
||||
manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||
manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||
@ -120,6 +123,10 @@ allow boinc_project_t self:process { execmem execstack };
|
||||
|
||||
allow boinc_project_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
||||
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
||||
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
|
||||
|
||||
allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
|
||||
exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
||||
@ -129,7 +136,7 @@ files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
|
||||
allow boinc_project_t boinc_project_var_lib_t:file execmod;
|
||||
|
||||
allow boinc_project_t boinc_t:shm rw_shm_perms;
|
||||
allow boinc_project_t boinc_tmpfs_t:file { read write };
|
||||
allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
|
||||
|
||||
list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
|
||||
@ -144,10 +151,16 @@ corecmd_exec_shell(boinc_project_t)
|
||||
|
||||
corenet_tcp_connect_boinc_port(boinc_project_t)
|
||||
|
||||
dev_read_rand(boinc_project_t)
|
||||
dev_read_urand(boinc_project_t)
|
||||
dev_read_sysfs(boinc_project_t)
|
||||
dev_rw_xserver_misc(boinc_project_t)
|
||||
|
||||
files_read_etc_files(boinc_project_t)
|
||||
|
||||
miscfiles_read_fonts(boinc_project_t)
|
||||
miscfiles_read_localization(boinc_project_t)
|
||||
|
||||
optional_policy(`
|
||||
java_exec(boinc_project_t)
|
||||
')
|
||||
|
@ -57,10 +57,9 @@ interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
|
||||
#
|
||||
interface(`bugzilla_admin',`
|
||||
gen_require(`
|
||||
type httpd_bugzilla_script_t;
|
||||
type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
|
||||
type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
|
||||
type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
|
||||
type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
|
||||
type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
|
||||
type httpd_bugzilla_htaccess_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
|
||||
@ -69,9 +68,9 @@ interface(`bugzilla_admin',`
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, httpd_bugzilla_tmp_t)
|
||||
|
||||
files_search_var_lib(httpd_bugzilla_script_t)
|
||||
files_list_var_lib(httpd_bugzilla_script_t)
|
||||
|
||||
apache_search_sys_content($1)
|
||||
apache_list_sys_content($1)
|
||||
admin_pattern($1, httpd_bugzilla_script_exec_t)
|
||||
admin_pattern($1, httpd_bugzilla_script_t)
|
||||
admin_pattern($1, httpd_bugzilla_content_t)
|
||||
|
@ -53,4 +53,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(httpd_bugzilla_script_t)
|
||||
')
|
||||
|
||||
|
@ -14,7 +14,6 @@
|
||||
#
|
||||
# Define the policy interface for the CacheFiles userspace management daemon.
|
||||
#
|
||||
|
||||
## <summary>policy for cachefilesd</summary>
|
||||
|
||||
########################################
|
||||
@ -32,10 +31,5 @@ interface(`cachefilesd_domtrans',`
|
||||
type cachefilesd_t, cachefilesd_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
|
||||
|
||||
allow $1 cachefilesd_t:fd use;
|
||||
allow cachefilesd_t $1:fd use;
|
||||
allow cachefilesd_t $1:fifo_file rw_file_perms;
|
||||
allow cachefilesd_t $1:process sigchld;
|
||||
domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
|
||||
')
|
||||
|
@ -17,7 +17,7 @@
|
||||
# cache, on behalf of the processes accessing the cache through a network
|
||||
# filesystem such as NFS
|
||||
#
|
||||
policy_module(cachefilesd,1.0.17)
|
||||
policy_module(cachefilesd, 1.0.17)
|
||||
|
||||
###############################################################################
|
||||
#
|
||||
@ -42,7 +42,6 @@ dev_node(cachefiles_dev_t)
|
||||
#
|
||||
type cachefilesd_t;
|
||||
type cachefilesd_exec_t;
|
||||
domain_type(cachefilesd_t)
|
||||
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
|
||||
|
||||
#
|
||||
@ -78,36 +77,33 @@ rpm_use_script_fds(cachefilesd_t)
|
||||
# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
|
||||
# rules.
|
||||
#
|
||||
allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
|
||||
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
|
||||
|
||||
# Allow manipulation of pid file
|
||||
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
|
||||
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
|
||||
manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
|
||||
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
|
||||
files_create_as_is_all_files(cachefilesd_t)
|
||||
|
||||
# Allow access to cachefiles device file
|
||||
allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
|
||||
|
||||
# Allow access to cache superstructure
|
||||
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
|
||||
allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
|
||||
|
||||
# Permit statfs on the backing filesystem
|
||||
fs_getattr_xattr_fs(cachefilesd_t)
|
||||
|
||||
# Basic access
|
||||
files_read_etc_files(cachefilesd_t)
|
||||
libs_use_ld_so(cachefilesd_t)
|
||||
libs_use_shared_libs(cachefilesd_t)
|
||||
miscfiles_read_localization(cachefilesd_t)
|
||||
logging_send_syslog_msg(cachefilesd_t)
|
||||
init_dontaudit_use_script_ptys(cachefilesd_t)
|
||||
term_dontaudit_use_generic_ptys(cachefilesd_t)
|
||||
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
|
||||
|
||||
# Allow manipulation of pid file
|
||||
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
|
||||
manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
|
||||
manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
|
||||
files_pid_file(cachefilesd_var_run_t)
|
||||
files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
|
||||
files_create_as_is_all_files(cachefilesd_t)
|
||||
|
||||
# Allow access to cachefiles device file
|
||||
allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
|
||||
|
||||
# Allow access to cache superstructure
|
||||
allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
|
||||
allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
|
||||
|
||||
# Permit statfs on the backing filesystem
|
||||
fs_getattr_xattr_fs(cachefilesd_t)
|
||||
|
||||
###############################################################################
|
||||
#
|
||||
# When cachefilesd invokes the kernel module to begin caching, it has to tell
|
||||
@ -119,14 +115,14 @@ fs_getattr_xattr_fs(cachefilesd_t)
|
||||
# (1) the security context used by the module to access files in the cache,
|
||||
# as set by the 'secctx' command in /etc/cachefilesd.conf, and
|
||||
#
|
||||
allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
|
||||
allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
|
||||
|
||||
#
|
||||
# (2) the label that will be assigned to new files and directories created in
|
||||
# the cache by the module, which will be the same as the label on the
|
||||
# directory pointed to by the 'dir' command.
|
||||
#
|
||||
allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
|
||||
allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
|
||||
|
||||
###############################################################################
|
||||
#
|
||||
@ -136,11 +132,12 @@ allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
|
||||
# cache.
|
||||
#
|
||||
allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
|
||||
allow cachefiles_kernel_t initrc_t:process sigchld;
|
||||
|
||||
manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
|
||||
manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
|
||||
manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
|
||||
manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
|
||||
|
||||
fs_getattr_xattr_fs(cachefiles_kernel_t)
|
||||
|
||||
dev_search_sysfs(cachefiles_kernel_t)
|
||||
|
||||
init_sigchld_script(cachefiles_kernel_t)
|
||||
|
@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
|
||||
allow canna_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
manage_files_pattern(canna_t, canna_log_t, canna_log_t)
|
||||
allow canna_t canna_log_t:dir setattr;
|
||||
allow canna_t canna_log_t:dir setattr_dir_perms;
|
||||
logging_log_filetrans(canna_t, canna_log_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
|
||||
|
@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
|
||||
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
|
||||
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
|
||||
|
||||
allow ccs_t ccs_var_log_t:dir setattr;
|
||||
allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
|
||||
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
|
||||
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
|
||||
logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
|
||||
@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
|
||||
userdom_manage_unpriv_user_shared_mem(ccs_t)
|
||||
userdom_manage_unpriv_user_semaphores(ccs_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
corecmd_dontaudit_write_bin_dirs(ccs_t)
|
||||
files_manage_isid_type_files(ccs_t)
|
||||
')
|
||||
|
@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the syslog domain.
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
|
||||
interface(`certmaster_admin',`
|
||||
gen_require(`
|
||||
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
|
||||
type certmaster_etc_rw_t, certmaster_var_log_t;
|
||||
type certmaster_initrc_exec_t;
|
||||
type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 certmaster_t:process { ptrace signal_perms };
|
||||
|
@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
|
||||
|
||||
# log files
|
||||
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
|
||||
logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
|
||||
logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)
|
||||
|
||||
# pid file
|
||||
manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
|
||||
manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
|
||||
files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })
|
||||
|
||||
# read meminfo
|
||||
kernel_read_system_state(certmaster_t)
|
||||
|
@ -166,9 +166,9 @@ interface(`certmonger_admin',`
|
||||
role_transition $2 certmonger_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_var_lib($1)
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, certmonger_var_lib_t)
|
||||
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, certmonger_var_run_t)
|
||||
')
|
||||
|
@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
|
||||
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
|
||||
files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
|
||||
files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
|
||||
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
|
||||
|
@ -182,10 +182,10 @@ interface(`cgroup_admin',`
|
||||
|
||||
admin_pattern($1, cgconfig_etc_t)
|
||||
admin_pattern($1, cgrules_etc_t)
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
|
||||
admin_pattern($1, cgred_var_run_t)
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
|
||||
cgroup_initrc_domtrans_cgconfig($1)
|
||||
domain_system_change_exemption($1)
|
||||
|
@ -25,7 +25,7 @@ interface(`chronyd_domtrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -151,10 +151,9 @@ interface(`chronyd_append_keys',`
|
||||
#
|
||||
interface(`chronyd_admin',`
|
||||
gen_require(`
|
||||
type chronyd_t, chronyd_var_log_t;
|
||||
type chronyd_var_run_t, chronyd_var_lib_t;
|
||||
type chronyd_tmpfs_t;
|
||||
type chronyd_initrc_exec_t, chronyd_keys_t;
|
||||
type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
|
||||
type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
|
||||
type chronyd_keys_t;
|
||||
')
|
||||
|
||||
allow $1 chronyd_t:process { ptrace signal_perms };
|
||||
@ -165,16 +164,16 @@ interface(`chronyd_admin',`
|
||||
role_transition $2 chronyd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, chronyd_keys_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, chronyd_var_log_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, chronyd_var_lib_t)
|
||||
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, chronyd_var_run_t)
|
||||
|
||||
admin_pattern($1, chronyd_tmpfs_t)
|
||||
|
@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
|
||||
type clamd_t, clamd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
|
||||
')
|
||||
|
||||
@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
|
||||
interface(`clamav_admin',`
|
||||
gen_require(`
|
||||
type clamd_t, clamd_etc_t, clamd_tmp_t;
|
||||
type clamd_var_log_t, clamd_var_lib_t;
|
||||
type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
|
||||
type clamd_initrc_exec_t;
|
||||
type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
|
||||
type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
|
||||
type freshclam_t, freshclam_var_log_t;
|
||||
')
|
||||
|
||||
|
@ -150,7 +150,7 @@ optional_policy(`
|
||||
tunable_policy(`clamd_use_jit',`
|
||||
allow clamd_t self:process execmem;
|
||||
allow clamscan_t self:process execmem;
|
||||
', `
|
||||
',`
|
||||
dontaudit clamd_t self:process execmem;
|
||||
dontaudit clamscan_t self:process execmem;
|
||||
')
|
||||
@ -182,7 +182,7 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
|
||||
|
||||
# log files (own logfiles only)
|
||||
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
|
||||
allow freshclam_t freshclam_var_log_t:dir setattr;
|
||||
allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
|
||||
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
|
||||
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
|
||||
|
||||
@ -220,16 +220,16 @@ clamav_stream_connect(freshclam_t)
|
||||
|
||||
userdom_stream_connect(freshclam_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(freshclam_t, freshclam_exec_t)
|
||||
')
|
||||
|
||||
tunable_policy(`clamd_use_jit',`
|
||||
allow freshclam_t self:process execmem;
|
||||
', `
|
||||
',`
|
||||
dontaudit freshclam_t self:process execmem;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(freshclam_t, freshclam_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# clamscam local policy
|
||||
|
@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
|
||||
|
||||
allow clogd_t self:capability { net_admin mknod };
|
||||
allow clogd_t self:process signal;
|
||||
|
||||
allow clogd_t self:sem create_sem_perms;
|
||||
allow clogd_t self:shm create_shm_perms;
|
||||
allow clogd_t self:netlink_socket create_socket_perms;
|
||||
@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
|
||||
# pid files
|
||||
manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
|
||||
manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
|
||||
files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
|
||||
files_pid_filetrans(clogd_t, clogd_var_run_t, file)
|
||||
|
||||
dev_read_lvm_control(clogd_t)
|
||||
dev_manage_generic_blk_files(clogd_t)
|
||||
|
@ -1,4 +1,3 @@
|
||||
|
||||
## <summary>policy for cmirrord</summary>
|
||||
|
||||
########################################
|
||||
@ -68,8 +67,7 @@ interface(`cmirrord_read_pid_files',`
|
||||
#
|
||||
interface(`cmirrord_rw_shm',`
|
||||
gen_require(`
|
||||
type cmirrord_t;
|
||||
type cmirrord_tmpfs_t;
|
||||
type cmirrord_t, cmirrord_tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 cmirrord_t:shm { rw_shm_perms destroy };
|
||||
@ -99,9 +97,7 @@ interface(`cmirrord_rw_shm',`
|
||||
#
|
||||
interface(`cmirrord_admin',`
|
||||
gen_require(`
|
||||
type cmirrord_t;
|
||||
type cmirrord_initrc_exec_t;
|
||||
type cmirrord_var_run_t;
|
||||
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 cmirrord_t:process { ptrace signal_perms };
|
||||
@ -112,7 +108,6 @@ interface(`cmirrord_admin',`
|
||||
role_transition $2 cmirrord_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, cmirrord_var_run_t)
|
||||
|
||||
')
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(cmirrord,1.0.0)
|
||||
policy_module(cmirrord, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t)
|
||||
allow cmirrord_t self:capability { net_admin kill };
|
||||
dontaudit cmirrord_t self:capability sys_tty_config;
|
||||
allow cmirrord_t self:process signal;
|
||||
|
||||
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow cmirrord_t self:sem create_sem_perms;
|
||||
allow cmirrord_t self:shm create_shm_perms;
|
||||
allow cmirrord_t self:netlink_socket create_socket_perms;
|
||||
@ -40,7 +38,7 @@ fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
|
||||
manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
|
||||
files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
|
||||
files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
|
||||
|
||||
domain_use_interactive_fds(cmirrord_t)
|
||||
|
||||
|
@ -153,7 +153,7 @@ interface(`cobbler_manage_lib_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -185,25 +185,23 @@ interface(`cobbler_dontaudit_rw_log',`
|
||||
interface(`cobblerd_admin',`
|
||||
gen_require(`
|
||||
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
|
||||
type cobbler_etc_t, cobblerd_initrc_exec_t;
|
||||
type httpd_cobbler_content_t;
|
||||
type httpd_cobbler_content_ra_t;
|
||||
type httpd_cobbler_content_rw_t;
|
||||
type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
|
||||
type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
|
||||
')
|
||||
|
||||
allow $1 cobblerd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, cobblerd_t)
|
||||
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, cobbler_etc_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, cobbler_var_lib_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, cobbler_var_log_t)
|
||||
|
||||
apache_search_sys_content($1)
|
||||
apache_list_sys_content($1)
|
||||
admin_pattern($1, httpd_cobbler_content_t)
|
||||
admin_pattern($1, httpd_cobbler_content_ra_t)
|
||||
admin_pattern($1, httpd_cobbler_content_rw_t)
|
||||
|
@ -24,7 +24,7 @@ interface(`corosync_domtrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
@ -92,10 +92,6 @@ userdom_delete_user_tmpfs_files(corosync_t)
|
||||
userdom_rw_user_tmpfs_files(corosync_t)
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
attribute unconfined_services;
|
||||
')
|
||||
|
||||
fs_manage_tmpfs_files(corosync_t)
|
||||
init_manage_script_status_files(corosync_t)
|
||||
')
|
||||
|
@ -138,6 +138,7 @@ interface(`courier_read_config',`
|
||||
type courier_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, courier_etc_t, courier_etc_t)
|
||||
')
|
||||
|
||||
@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
|
||||
type courier_spool_t;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
|
||||
')
|
||||
|
||||
@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
|
||||
type courier_spool_t;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
manage_files_pattern($1, courier_spool_t, courier_spool_t)
|
||||
')
|
||||
|
||||
@ -194,6 +197,7 @@ interface(`courier_read_spool',`
|
||||
type courier_spool_t;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
read_files_pattern($1, courier_spool_t, courier_spool_t)
|
||||
')
|
||||
|
||||
|
@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
|
||||
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
|
||||
|
||||
# inherits file handle - should it?
|
||||
allow courier_pop_t courier_var_lib_t:file { read write };
|
||||
allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
|
||||
|
||||
miscfiles_read_localization(courier_pop_t)
|
||||
|
||||
|
@ -52,7 +52,7 @@ template(`cron_common_crontab_template',`
|
||||
files_list_spool($1_t)
|
||||
|
||||
# crontab signals crond by updating the mtime on the spooldir
|
||||
allow $1_t cron_spool_t:dir setattr;
|
||||
allow $1_t cron_spool_t:dir setattr_dir_perms;
|
||||
|
||||
kernel_read_system_state($1_t)
|
||||
|
||||
@ -113,12 +113,12 @@ template(`cron_common_crontab_template',`
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`cron_role',`
|
||||
gen_require(`
|
||||
type cronjob_t, crontab_t, crontab_exec_t;
|
||||
type user_cron_spool_t;
|
||||
type crond_t;
|
||||
type user_cron_spool_t, crond_t;
|
||||
')
|
||||
|
||||
role $1 types { cronjob_t crontab_t };
|
||||
@ -138,7 +138,7 @@ interface(`cron_role',`
|
||||
|
||||
# crontab shows up in user ps
|
||||
ps_process_pattern($2, crontab_t)
|
||||
allow $2 crontab_t:process signal;
|
||||
allow $2 crontab_t:process { ptrace signal_perms };
|
||||
|
||||
# Run helper programs as the user domain
|
||||
#corecmd_bin_domtrans(crontab_t, $2)
|
||||
@ -152,7 +152,6 @@ interface(`cron_role',`
|
||||
')
|
||||
|
||||
dbus_stub(cronjob_t)
|
||||
|
||||
allow cronjob_t $2:dbus send_msg;
|
||||
')
|
||||
')
|
||||
@ -171,6 +170,7 @@ interface(`cron_role',`
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`cron_unconfined_role',`
|
||||
gen_require(`
|
||||
@ -181,6 +181,7 @@ interface(`cron_unconfined_role',`
|
||||
|
||||
# cronjob shows up in user ps
|
||||
ps_process_pattern($2, unconfined_cronjob_t)
|
||||
allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
@ -188,7 +189,6 @@ interface(`cron_unconfined_role',`
|
||||
')
|
||||
|
||||
dbus_stub(unconfined_cronjob_t)
|
||||
|
||||
allow unconfined_cronjob_t $2:dbus send_msg;
|
||||
')
|
||||
')
|
||||
@ -207,6 +207,7 @@ interface(`cron_unconfined_role',`
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`cron_admin_role',`
|
||||
gen_require(`
|
||||
@ -227,7 +228,7 @@ interface(`cron_admin_role',`
|
||||
|
||||
# crontab shows up in user ps
|
||||
ps_process_pattern($2, admin_crontab_t)
|
||||
allow $2 admin_crontab_t:process signal;
|
||||
allow $2 admin_crontab_t:process { ptrace signal_perms };
|
||||
|
||||
# Run helper programs as the user domain
|
||||
#corecmd_bin_domtrans(admin_crontab_t, $2)
|
||||
@ -241,7 +242,6 @@ interface(`cron_admin_role',`
|
||||
')
|
||||
|
||||
dbus_stub(admin_cronjob_t)
|
||||
|
||||
allow cronjob_t $2:dbus send_msg;
|
||||
')
|
||||
')
|
||||
@ -311,7 +311,7 @@ interface(`cron_exec',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute crond server in the nscd domain.
|
||||
## Execute crond server in the crond domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -524,6 +524,7 @@ interface(`cron_manage_pid_files',`
|
||||
type crond_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
|
||||
')
|
||||
|
||||
@ -579,7 +580,7 @@ interface(`cron_write_system_job_pipes',`
|
||||
type system_cronjob_t;
|
||||
')
|
||||
|
||||
allow $1 system_cronjob_t:file write;
|
||||
allow $1 system_cronjob_t:fifo_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -695,7 +696,7 @@ interface(`cron_read_system_job_lib_files',`
|
||||
type system_cronjob_var_lib_t;
|
||||
')
|
||||
|
||||
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
||||
')
|
||||
|
||||
@ -714,6 +715,6 @@ interface(`cron_manage_system_job_lib_files',`
|
||||
type system_cronjob_var_lib_t;
|
||||
')
|
||||
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
||||
')
|
||||
|
@ -99,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
|
||||
type system_cronjob_tmp_t alias system_crond_tmp_t;
|
||||
files_tmp_file(system_cronjob_tmp_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
type unconfined_cronjob_t;
|
||||
domain_type(unconfined_cronjob_t)
|
||||
domain_cron_exemption_target(unconfined_cronjob_t)
|
||||
@ -122,13 +118,17 @@ typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
|
||||
type system_cronjob_var_run_t;
|
||||
files_pid_file(system_cronjob_var_run_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Admin crontab local policy
|
||||
#
|
||||
|
||||
# Allow our crontab domain to unlink a user cron spool file.
|
||||
allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
|
||||
allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
|
||||
|
||||
# Manipulate other users crontab.
|
||||
selinux_get_fs_mount(admin_crontab_t)
|
||||
@ -138,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
|
||||
selinux_compute_relabel_context(admin_crontab_t)
|
||||
selinux_compute_user_contexts(admin_crontab_t)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
tunable_policy(`fcron_crond',`
|
||||
# fcron wants an instant update of a crontab change for the administrator
|
||||
# also crontab does a security check for crontab -u
|
||||
allow admin_crontab_t self:process setfscreate;
|
||||
@ -251,7 +251,7 @@ ifdef(`distro_debian',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
ifdef(`distro_redhat',`
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
|
||||
optional_policy(`
|
||||
@ -263,6 +263,10 @@ tunable_policy(`allow_polyinstantiation',`
|
||||
files_polyinstantiate_all(crond_t)
|
||||
')
|
||||
|
||||
tunable_policy(`fcron_crond',`
|
||||
allow crond_t system_cron_spool_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
apache_search_sys_content(crond_t)
|
||||
')
|
||||
@ -287,10 +291,6 @@ optional_policy(`
|
||||
mono_domtrans(crond_t)
|
||||
')
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
allow crond_t system_cron_spool_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
amanda_search_var_lib(crond_t)
|
||||
')
|
||||
@ -351,7 +351,7 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
|
||||
|
||||
# This is to handle /var/lib/misc directory. Used currently
|
||||
# by prelink var/lib files for cron
|
||||
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
|
||||
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
|
||||
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
|
||||
|
||||
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
|
||||
@ -472,7 +472,7 @@ miscfiles_manage_man_pages(system_cronjob_t)
|
||||
|
||||
seutil_read_config(system_cronjob_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
ifdef(`distro_redhat',`
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
allow crond_t system_cron_spool_t:file manage_file_perms;
|
||||
|
||||
@ -687,7 +687,7 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||||
read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||||
allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
tunable_policy(`fcron_crond',`
|
||||
allow crond_t user_cron_spool_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
|
@ -316,12 +316,10 @@ interface(`cups_stream_connect_ptal',`
|
||||
interface(`cups_admin',`
|
||||
gen_require(`
|
||||
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
|
||||
type cupsd_etc_t, cupsd_log_t;
|
||||
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
|
||||
type cupsd_var_run_t, ptal_etc_t;
|
||||
type ptal_var_run_t, hplip_var_run_t;
|
||||
type cupsd_initrc_exec_t;
|
||||
type hplip_etc_t;
|
||||
type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
|
||||
type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
|
||||
type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
|
||||
type ptal_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 cupsd_t:process { ptrace signal_perms };
|
||||
|
@ -149,7 +149,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
|
||||
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
|
||||
|
||||
allow cupsd_t cupsd_var_run_t:dir setattr;
|
||||
allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
|
||||
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
|
||||
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
|
||||
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
|
||||
@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
|
||||
allow cupsd_t hplip_var_run_t:file read_file_perms;
|
||||
|
||||
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
|
||||
allow cupsd_t ptal_var_run_t : sock_file setattr;
|
||||
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
|
||||
|
||||
kernel_read_system_state(cupsd_t)
|
||||
kernel_read_network_state(cupsd_t)
|
||||
@ -609,10 +609,6 @@ userdom_dontaudit_search_admin_dir(cups_pdf_t)
|
||||
|
||||
lpd_manage_spool(cups_pdf_t)
|
||||
|
||||
optional_policy(`
|
||||
gnome_read_config(cups_pdf_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_search_auto_mountpoints(cups_pdf_t)
|
||||
fs_manage_nfs_dirs(cups_pdf_t)
|
||||
@ -624,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(cups_pdf_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_read_config(cups_pdf_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# HPLIP local policy
|
||||
@ -657,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
|
||||
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
|
||||
|
||||
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
|
||||
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
|
||||
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
|
||||
|
||||
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
||||
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
||||
|
@ -58,9 +58,8 @@ interface(`cvs_exec',`
|
||||
#
|
||||
interface(`cvs_admin',`
|
||||
gen_require(`
|
||||
type cvs_t, cvs_tmp_t;
|
||||
type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
|
||||
type cvs_data_t, cvs_var_run_t;
|
||||
type cvs_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 cvs_t:process { ptrace signal_perms };
|
||||
|
@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow cvs_t self:capability { setuid setgid };
|
||||
allow cvs_t self:process signal_perms;
|
||||
allow cvs_t self:fifo_file rw_fifo_file_perms;
|
||||
allow cvs_t self:tcp_socket connected_stream_socket_perms;
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow cvs_t self:capability { setuid setgid };
|
||||
|
||||
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
||||
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
|
||||
|
@ -41,9 +41,7 @@ interface(`dbus_stub',`
|
||||
template(`dbus_role_template',`
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
|
||||
attribute dbusd_unconfined;
|
||||
attribute session_bus_type;
|
||||
attribute dbusd_unconfined, session_bus_type;
|
||||
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
|
||||
type $1_t;
|
||||
')
|
||||
@ -90,14 +88,15 @@ template(`dbus_role_template',`
|
||||
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
|
||||
|
||||
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
|
||||
allow $3 $1_dbusd_t:process { signull sigkill signal };
|
||||
|
||||
ps_process_pattern($3, $1_dbusd_t)
|
||||
allow $3 $1_dbusd_t:process { ptrace signal_perms };
|
||||
|
||||
# cjp: this seems very broken
|
||||
corecmd_bin_domtrans($1_dbusd_t, $1_t)
|
||||
allow $1_dbusd_t $3:process sigkill;
|
||||
allow $3 $1_dbusd_t:fd use;
|
||||
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
||||
allow $3 $1_dbusd_t:process sigchld;
|
||||
|
||||
kernel_read_system_state($1_dbusd_t)
|
||||
kernel_read_kernel_sysctls($1_dbusd_t)
|
||||
@ -156,7 +155,7 @@ template(`dbus_role_template',`
|
||||
userdom_manage_user_home_content_files($1_dbusd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
|
||||
')
|
||||
|
||||
@ -463,7 +462,7 @@ interface(`dbus_system_domain',`
|
||||
unconfined_dbus_send($1)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
||||
')
|
||||
')
|
||||
@ -520,6 +519,6 @@ interface(`dbus_delete_pid_files',`
|
||||
type system_dbusd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
||||
')
|
||||
|
||||
|
@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
|
||||
type dcc_var_t, dccifd_var_run_t, dccifd_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
|
||||
')
|
||||
|
@ -64,8 +64,8 @@ interface(`ddclient_run',`
|
||||
interface(`ddclient_admin',`
|
||||
gen_require(`
|
||||
type ddclient_t, ddclient_etc_t, ddclient_log_t;
|
||||
type ddclient_var_t, ddclient_var_lib_t;
|
||||
type ddclient_var_run_t, ddclient_initrc_exec_t;
|
||||
type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
|
||||
type ddclient_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 ddclient_t:process { ptrace signal_perms };
|
||||
|
@ -18,7 +18,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`denyhosts_domtrans', `
|
||||
interface(`denyhosts_domtrans',`
|
||||
gen_require(`
|
||||
type denyhosts_t, denyhosts_exec_t;
|
||||
')
|
||||
@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', `
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`denyhosts_initrc_domtrans', `
|
||||
interface(`denyhosts_initrc_domtrans',`
|
||||
gen_require(`
|
||||
type denyhosts_initrc_exec_t;
|
||||
')
|
||||
@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', `
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`denyhosts_admin', `
|
||||
interface(`denyhosts_admin',`
|
||||
gen_require(`
|
||||
type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
|
||||
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
|
||||
@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
|
||||
role_transition $2 denyhosts_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_var_lib($1)
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, denyhosts_var_lib_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, denyhosts_var_log_t)
|
||||
|
||||
files_search_locks($1)
|
||||
files_list_locks($1)
|
||||
admin_pattern($1, denyhosts_var_lock_t)
|
||||
')
|
||||
|
@ -147,16 +147,6 @@ interface(`devicekit_read_pid_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the devicekit domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`devicekit_admin',`
|
||||
@ -175,11 +165,11 @@ interface(`devicekit_admin',`
|
||||
ps_process_pattern($1, devicekit_power_t)
|
||||
|
||||
admin_pattern($1, devicekit_tmp_t)
|
||||
files_search_tmp($1)
|
||||
files_list_tmp($1)
|
||||
|
||||
admin_pattern($1, devicekit_var_lib_t)
|
||||
files_search_var_lib($1)
|
||||
files_list_var_lib($1)
|
||||
|
||||
admin_pattern($1, devicekit_var_run_t)
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
')
|
||||
|
@ -309,4 +309,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
vbetool_domtrans(devicekit_power_t)
|
||||
')
|
||||
|
||||
|
@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
|
||||
')
|
||||
|
||||
sysnet_search_dhcp_state($1)
|
||||
allow $1 dhcpd_state_t:file setattr;
|
||||
allow $1 dhcpd_state_t:file setattr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -23,11 +23,6 @@ djbdns_daemontools_domain_template(tinydns)
|
||||
# Local policy for axfrdns component
|
||||
#
|
||||
|
||||
files_config_file(djbdns_axfrdns_conf_t)
|
||||
|
||||
daemontools_ipc_domain(djbdns_axfrdns_t)
|
||||
daemontools_read_svc(djbdns_axfrdns_t)
|
||||
|
||||
allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
|
||||
|
||||
allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
|
||||
@ -41,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
|
||||
|
||||
files_search_var(djbdns_axfrdns_t)
|
||||
|
||||
daemontools_ipc_domain(djbdns_axfrdns_t)
|
||||
daemontools_read_svc(djbdns_axfrdns_t)
|
||||
|
||||
ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
|
||||
|
||||
########################################
|
||||
|
@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`dnsmasq_delete_pid_files',`
|
||||
gen_require(`
|
||||
type dnsmasq_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||
')
|
||||
|
||||
@ -169,6 +169,7 @@ interface(`dnsmasq_read_pid_files',`
|
||||
type dnsmasq_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||
')
|
||||
|
||||
|
@ -9,13 +9,13 @@
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dovecot_stream_connect_auth',`
|
||||
gen_require(`
|
||||
type dovecot_auth_t, dovecot_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
|
||||
')
|
||||
|
||||
@ -52,6 +52,7 @@ interface(`dovecot_manage_spool',`
|
||||
type dovecot_spool_t;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
|
||||
manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
|
||||
')
|
||||
@ -94,13 +95,9 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
|
||||
interface(`dovecot_admin',`
|
||||
gen_require(`
|
||||
type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
|
||||
type dovecot_spool_t, dovecot_var_lib_t;
|
||||
type dovecot_var_run_t, dovecot_tmp_t;
|
||||
type dovecot_var_log_t;
|
||||
|
||||
type dovecot_cert_t, dovecot_passwd_t;
|
||||
type dovecot_initrc_exec_t;
|
||||
type dovecot_keytab_t;
|
||||
type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
|
||||
type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
|
||||
type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 dovecot_t:process { ptrace signal_perms };
|
||||
|
@ -24,11 +24,11 @@ interface(`exim_domtrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`exim_initrc_domtrans', `
|
||||
interface(`exim_initrc_domtrans',`
|
||||
gen_require(`
|
||||
type exim_initrc_exec_t;
|
||||
')
|
||||
@ -229,7 +229,7 @@ interface(`exim_manage_spool_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`exim_admin', `
|
||||
interface(`exim_admin',`
|
||||
gen_require(`
|
||||
type exim_t, exim_initrc_exec_t, exim_log_t;
|
||||
type exim_tmp_t, exim_spool_t, exim_var_run_t;
|
||||
@ -243,15 +243,15 @@ interface(`exim_admin', `
|
||||
role_transition $2 exim_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_search_logs($1)
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, exim_log_t)
|
||||
|
||||
files_search_tmp($1)
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, exim_tmp_t)
|
||||
|
||||
files_search_spool($1)
|
||||
files_list_spool($1)
|
||||
admin_pattern($1, exim_spool_t)
|
||||
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, exim_var_run_t)
|
||||
')
|
||||
|
@ -175,8 +175,8 @@ interface(`fail2ban_dontaudit_leaks',`
|
||||
#
|
||||
interface(`fail2ban_admin',`
|
||||
gen_require(`
|
||||
type fail2ban_t, fail2ban_log_t;
|
||||
type fail2ban_var_run_t, fail2ban_initrc_exec_t;
|
||||
type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
|
||||
type fail2ban_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 fail2ban_t:process { ptrace signal_perms };
|
||||
|
@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
|
||||
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
# log files
|
||||
allow fail2ban_t fail2ban_log_t:dir setattr;
|
||||
allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
|
||||
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
|
||||
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
|
||||
|
||||
|
@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
|
||||
allow $1 fprintd_t:dbus send_msg;
|
||||
allow fprintd_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
|
@ -51,25 +51,6 @@ interface(`ftp_read_config',`
|
||||
allow $1 ftpd_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute FTP daemon entry point programs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ftp_check_exec',`
|
||||
gen_require(`
|
||||
type ftpd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
allow $1 ftpd_exec_t:file { getattr execute };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read FTP transfer logs
|
||||
@ -171,9 +152,8 @@ interface(`ftp_dyntrans_sftpd',`
|
||||
interface(`ftp_admin',`
|
||||
gen_require(`
|
||||
type ftpd_t, ftpdctl_t, ftpd_tmp_t;
|
||||
type ftpd_etc_t, ftpd_lock_t;
|
||||
type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
|
||||
type ftpd_var_run_t, xferlog_t;
|
||||
type ftpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ftpd_t:process { ptrace signal_perms };
|
||||
|
@ -181,13 +181,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
|
||||
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
|
||||
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
|
||||
files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
|
||||
|
||||
# proftpd requires the client side to bind a socket so that
|
||||
# it can stat the socket to perform access control decisions,
|
||||
# since getsockopt with SO_PEERCRED is not available on all
|
||||
# proftpd-supported OSs
|
||||
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
|
||||
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
|
||||
|
||||
# Create and modify /var/log/xferlog.
|
||||
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
|
||||
@ -291,7 +291,7 @@ tunable_policy(`ftp_home_dir',`
|
||||
userdom_manage_user_home_content(ftpd_t)
|
||||
userdom_manage_user_tmp_files(ftpd_t)
|
||||
userdom_tmp_filetrans_user_tmp(ftpd_t, file)
|
||||
', `
|
||||
',`
|
||||
# Needed for permissive mode, to make sure everything gets labeled correctly
|
||||
userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
|
||||
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
|
||||
@ -349,8 +349,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
tunable_policy(`ftpd_connect_db',`
|
||||
corenet_tcp_connect_mysqld_port(ftpd_t)
|
||||
corenet_tcp_connect_postgresql_port(ftpd_t)
|
||||
mysql_tcp_connect(ftpd_t)
|
||||
postgresql_tcp_connect(ftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -385,10 +385,11 @@ optional_policy(`
|
||||
|
||||
# Allow ftpdctl to talk to ftpd over a socket connection
|
||||
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
|
||||
files_search_pids(ftpdctl_t)
|
||||
|
||||
# ftpdctl creates a socket so that the daemon can perform
|
||||
# access control decisions (see comments in ftpd_t rules above)
|
||||
allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
|
||||
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
|
||||
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
|
||||
|
||||
# Allow ftpdctl to read config files
|
||||
@ -400,6 +401,7 @@ userdom_use_user_terminals(ftpdctl_t)
|
||||
#
|
||||
# sftpd local policy
|
||||
#
|
||||
|
||||
files_read_etc_files(sftpd_t)
|
||||
|
||||
# allow read access to /home by default
|
||||
@ -424,7 +426,7 @@ tunable_policy(`sftpd_enable_homedirs',`
|
||||
files_list_home(sftpd_t)
|
||||
userdom_read_user_home_content_files(sftpd_t)
|
||||
userdom_manage_user_home_content(sftpd_t)
|
||||
', `
|
||||
',`
|
||||
# Needed for permissive mode, to make sure everything gets labeled correctly
|
||||
userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
|
||||
')
|
||||
|
@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
|
||||
allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow gatekeeper_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
|
||||
allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
|
||||
allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
|
||||
files_search_etc(gatekeeper_t)
|
||||
|
||||
|
@ -1,9 +1,10 @@
|
||||
HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0)
|
||||
HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0)
|
||||
HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
|
||||
HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
|
||||
HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
|
||||
|
||||
/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
|
||||
/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
|
||||
|
||||
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
|
||||
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
|
||||
|
||||
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
|
||||
/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
|
||||
|
@ -25,8 +25,7 @@
|
||||
#
|
||||
interface(`git_session_role',`
|
||||
gen_require(`
|
||||
type git_session_t, gitd_exec_t;
|
||||
type git_session_content_t;
|
||||
type git_session_t, gitd_exec_t, git_session_content_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -59,10 +58,8 @@ interface(`git_session_role',`
|
||||
## </param>
|
||||
#
|
||||
template(`git_content_template',`
|
||||
|
||||
gen_require(`
|
||||
attribute git_system_content;
|
||||
attribute git_content;
|
||||
attribute git_system_content, git_content;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -86,7 +83,6 @@ template(`git_content_template',`
|
||||
## </param>
|
||||
#
|
||||
template(`git_role_template',`
|
||||
|
||||
gen_require(`
|
||||
class context contains;
|
||||
role system_r;
|
||||
@ -522,4 +518,3 @@ interface(`git_relabel_session_content',`
|
||||
relabel_files_pattern($1, git_session_content_t, git_session_content_t)
|
||||
userdom_search_user_home_dirs($1)
|
||||
')
|
||||
|
||||
|
@ -31,6 +31,7 @@ attribute git_system_content;
|
||||
attribute git_content;
|
||||
|
||||
type gitd_exec_t;
|
||||
application_executable_file(gitd_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119,26 +120,26 @@ list_dirs_pattern(git_system_t, git_content, git_content)
|
||||
read_files_pattern(git_system_t, git_content, git_content)
|
||||
files_search_var_lib(git_system_t)
|
||||
|
||||
tunable_policy(`git_system_enable_homedirs', `
|
||||
tunable_policy(`git_system_enable_homedirs',`
|
||||
userdom_search_user_home_dirs(git_system_t)
|
||||
')
|
||||
|
||||
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
|
||||
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_list_nfs(git_system_t)
|
||||
fs_read_nfs_files(git_system_t)
|
||||
')
|
||||
|
||||
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
|
||||
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_list_cifs(git_system_t)
|
||||
fs_read_cifs_files(git_system_t)
|
||||
')
|
||||
|
||||
tunable_policy(`git_system_use_cifs', `
|
||||
tunable_policy(`git_system_use_cifs',`
|
||||
fs_list_cifs(git_system_t)
|
||||
fs_read_cifs_files(git_system_t)
|
||||
')
|
||||
|
||||
tunable_policy(`git_system_use_nfs', `
|
||||
tunable_policy(`git_system_use_nfs',`
|
||||
fs_list_nfs(git_system_t)
|
||||
fs_read_nfs_files(git_system_t)
|
||||
')
|
||||
@ -156,17 +157,17 @@ userdom_search_user_home_dirs(git_session_t)
|
||||
|
||||
userdom_use_user_terminals(git_session_t)
|
||||
|
||||
tunable_policy(`git_session_bind_all_unreserved_ports', `
|
||||
tunable_policy(`git_session_bind_all_unreserved_ports',`
|
||||
corenet_tcp_bind_all_unreserved_ports(git_session_t)
|
||||
corenet_sendrecv_generic_server_packets(git_session_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs', `
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_list_nfs(git_session_t)
|
||||
fs_read_nfs_files(git_session_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs', `
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_list_cifs(git_session_t)
|
||||
fs_read_cifs_files(git_session_t)
|
||||
')
|
||||
@ -189,4 +190,3 @@ optional_policy(`
|
||||
|
||||
git_role_template(git_shell)
|
||||
gen_user(git_shell_u, user, git_shell_r, s0, s0)
|
||||
|
||||
|
@ -71,7 +71,7 @@ interface(`gnomeclock_dbus_chat',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
|
||||
type gpmctl_t, gpm_t;
|
||||
')
|
||||
|
||||
allow $1 gpmctl_t:sock_file rw_sock_file_perms;
|
||||
allow $1 gpm_t:unix_stream_socket connectto;
|
||||
dev_list_all_dev_nodes($1)
|
||||
stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 gpmctl_t:sock_file getattr;
|
||||
allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
|
||||
type gpmctl_t;
|
||||
')
|
||||
|
||||
dontaudit $1 gpmctl_t:sock_file getattr;
|
||||
dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 gpmctl_t:sock_file setattr;
|
||||
allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
|
||||
')
|
||||
|
@ -18,24 +18,6 @@ interface(`hal_domtrans',`
|
||||
domtrans_pattern($1, hald_exec_t, hald_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of a hal process.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_getattr',`
|
||||
gen_require(`
|
||||
type hald_t;
|
||||
')
|
||||
|
||||
allow $1 hald_t:process getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read hal system state
|
||||
@ -464,9 +446,7 @@ interface(`hal_manage_pid_files',`
|
||||
#
|
||||
interface(`hal_dontaudit_leaks',`
|
||||
gen_require(`
|
||||
type hald_log_t;
|
||||
type hald_t;
|
||||
type hald_var_run_t;
|
||||
type hald_log_t, hald_t, hald_var_run_t;
|
||||
')
|
||||
|
||||
dontaudit $1 hald_t:fd use;
|
||||
|
@ -69,5 +69,5 @@ interface(`hddtemp_admin',`
|
||||
allow $2 system_r;
|
||||
|
||||
admin_pattern($1, hddtemp_etc_t)
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
')
|
||||
|
@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t)
|
||||
logging_send_syslog_msg(hddtemp_t)
|
||||
|
||||
miscfiles_read_localization(hddtemp_t)
|
||||
|
||||
|
@ -183,7 +183,5 @@ interface(`icecast_admin',`
|
||||
allow $2 system_r;
|
||||
|
||||
icecast_manage_pid_files($1)
|
||||
|
||||
icecast_manage_log($1)
|
||||
|
||||
')
|
||||
|
@ -39,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
|
||||
manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
|
||||
logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
|
||||
logging_log_filetrans(icecast_t, icecast_log_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
|
||||
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
|
||||
|
@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',`
|
||||
#
|
||||
interface(`ifplugd_admin',`
|
||||
gen_require(`
|
||||
type ifplugd_t, ifplugd_etc_t;
|
||||
type ifplugd_var_run_t, ifplugd_initrc_exec_t;
|
||||
type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
|
||||
type ifplugd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ifplugd_t:process { ptrace signal_perms };
|
||||
|
@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',`
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_tcp_service_domain',`
|
||||
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
')
|
||||
|
@ -93,6 +93,7 @@ interface(`inn_read_config',`
|
||||
type innd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 innd_etc_t:dir list_dir_perms;
|
||||
allow $1 innd_etc_t:file read_file_perms;
|
||||
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
|
||||
@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
|
||||
type innd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 innd_var_lib_t:dir list_dir_perms;
|
||||
allow $1 innd_var_lib_t:file read_file_perms;
|
||||
allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
|
||||
@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
|
||||
type news_spool_t;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 news_spool_t:dir list_dir_perms;
|
||||
allow $1 news_spool_t:file read_file_perms;
|
||||
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
|
||||
@ -195,8 +198,8 @@ interface(`inn_domtrans',`
|
||||
interface(`inn_admin',`
|
||||
gen_require(`
|
||||
type innd_t, innd_etc_t, innd_log_t;
|
||||
type news_spool_t, innd_var_lib_t;
|
||||
type innd_var_run_t, innd_initrc_exec_t;
|
||||
type news_spool_t, innd_var_lib_t, innd_var_run_t;
|
||||
type innd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 innd_t:process { ptrace signal_perms };
|
||||
|
@ -4,6 +4,7 @@ policy_module(inn, 1.9.0)
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type innd_t;
|
||||
type innd_exec_t;
|
||||
init_daemon_domain(innd_t, innd_exec_t)
|
||||
@ -30,6 +31,7 @@ files_mountpoint(news_spool_t)
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow innd_t self:capability { dac_override kill setgid setuid };
|
||||
dontaudit innd_t self:capability sys_tty_config;
|
||||
allow innd_t self:process { setsched signal_perms };
|
||||
@ -46,7 +48,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
|
||||
can_exec(innd_t, innd_exec_t)
|
||||
|
||||
manage_files_pattern(innd_t, innd_log_t, innd_log_t)
|
||||
allow innd_t innd_log_t:dir setattr;
|
||||
allow innd_t innd_log_t:dir setattr_dir_perms;
|
||||
logging_log_filetrans(innd_t, innd_log_t, file)
|
||||
|
||||
manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
|
||||
|
@ -113,8 +113,7 @@ interface(`jabberd_manage_lib_files',`
|
||||
interface(`jabber_admin',`
|
||||
gen_require(`
|
||||
type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
|
||||
type jabberd_var_run_t, jabberd_initrc_exec_t;
|
||||
type jabberd_router_t;
|
||||
type jabberd_var_run_t, jabberd_initrc_exec_t, jabberd_router_t;
|
||||
')
|
||||
|
||||
allow $1 jabberd_t:process { ptrace signal_perms };
|
||||
|
@ -1,4 +1,3 @@
|
||||
|
||||
policy_module(jabber, 1.8.0)
|
||||
|
||||
########################################
|
||||
|
@ -69,8 +69,7 @@ interface(`kerberos_domtrans_kpropd',`
|
||||
#
|
||||
interface(`kerberos_use',`
|
||||
gen_require(`
|
||||
type krb5_conf_t, krb5kdc_conf_t;
|
||||
type krb5_host_rcache_t;
|
||||
type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -103,7 +102,7 @@ interface(`kerberos_use',`
|
||||
corenet_sendrecv_kerberos_client_packets($1)
|
||||
corenet_sendrecv_ocsp_client_packets($1)
|
||||
|
||||
allow $1 krb5_host_rcache_t:file getattr;
|
||||
allow $1 krb5_host_rcache_t:file getattr_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -338,9 +337,8 @@ interface(`kerberos_admin',`
|
||||
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
||||
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
||||
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
||||
type krb5kdc_principal_t, krb5kdc_tmp_t;
|
||||
type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
|
||||
type krb5kdc_var_run_t, krb5_host_rcache_t;
|
||||
type kpropd_t;
|
||||
')
|
||||
|
||||
allow $1 kadmind_t:process { ptrace signal_perms };
|
||||
|
@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
|
||||
dontaudit kadmind_t krb5_conf_t:file write;
|
||||
|
||||
read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||
dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
|
||||
dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
|
||||
|
||||
allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
|
||||
allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
|
||||
|
||||
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
|
||||
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
|
||||
@ -197,7 +197,7 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
|
||||
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
|
||||
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
|
||||
|
||||
allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
|
||||
allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
|
||||
|
||||
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
|
||||
|
@ -12,8 +12,7 @@
|
||||
#
|
||||
interface(`kerneloops_domtrans',`
|
||||
gen_require(`
|
||||
type kerneloops_t;
|
||||
type kerneloops_exec_t;
|
||||
type kerneloops_t, kerneloops_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
|
||||
@ -99,8 +98,7 @@ interface(`kerneloops_manage_tmp_files',`
|
||||
#
|
||||
interface(`kerneloops_admin',`
|
||||
gen_require(`
|
||||
type kerneloops_t, kerneloops_initrc_exec_t;
|
||||
type kerneloops_tmp_t;
|
||||
type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 kerneloops_t:process { ptrace signal_perms };
|
||||
@ -111,5 +109,6 @@ interface(`kerneloops_admin',`
|
||||
role_transition $2 kerneloops_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, kerneloops_tmp_t)
|
||||
')
|
||||
|
@ -55,8 +55,7 @@ interface(`ksmtuned_initrc_domtrans',`
|
||||
#
|
||||
interface(`ksmtuned_admin',`
|
||||
gen_require(`
|
||||
type ksmtuned_t, ksmtuned_var_run_t;
|
||||
type ksmtuned_initrc_exec_t;
|
||||
type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ksmtuned_t:process { ptrace signal_perms };
|
||||
@ -70,5 +69,4 @@ interface(`ksmtuned_admin',`
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 ksmtuned_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
')
|
||||
|
@ -49,4 +49,3 @@ mls_file_read_to_clearance(ksmtuned_t)
|
||||
term_use_all_terms(ksmtuned_t)
|
||||
|
||||
miscfiles_read_localization(ksmtuned_t)
|
||||
|
||||
|
@ -16,7 +16,6 @@ interface(`ldap_domtrans',`
|
||||
')
|
||||
|
||||
domtrans_pattern($1, slapd_exec_t, slapd_t)
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -37,7 +36,6 @@ interface(`ldap_initrc_domtrans',`
|
||||
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the contents of the OpenLDAP
|
||||
@ -189,6 +187,7 @@ interface(`ldap_admin',`
|
||||
|
||||
admin_pattern($1, slapd_lock_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, slapd_replog_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
|
@ -82,7 +82,7 @@ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
|
||||
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
|
||||
fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
|
||||
fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
|
||||
|
||||
manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
|
||||
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
|
||||
|
@ -63,7 +63,7 @@ template(`likewise_domain_template',`
|
||||
allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow $1_t likewise_var_lib_t:dir setattr;
|
||||
allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
|
||||
|
||||
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||
files_pid_filetrans($1_t, $1_var_run_t, file)
|
||||
|
@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
|
||||
# Likewise DC location service local policy
|
||||
#
|
||||
|
||||
allow netlogond_t self:capability {dac_override};
|
||||
allow netlogond_t self:capability dac_override;
|
||||
|
||||
manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
|
||||
|
||||
|
@ -16,7 +16,6 @@ interface(`lircd_domtrans',`
|
||||
')
|
||||
|
||||
domain_auto_trans($1, lircd_exec_t, lircd_t)
|
||||
|
||||
')
|
||||
|
||||
######################################
|
||||
@ -76,8 +75,8 @@ interface(`lircd_read_config',`
|
||||
#
|
||||
interface(`lircd_admin',`
|
||||
gen_require(`
|
||||
type lircd_t, lircd_var_run_t;
|
||||
type lircd_initrc_exec_t, lircd_etc_t;
|
||||
type lircd_t, lircd_var_run_t, lircd_etc_t;
|
||||
type lircd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 lircd_t:process { ptrace signal_perms };
|
||||
@ -88,9 +87,9 @@ interface(`lircd_admin',`
|
||||
role_transition $2 lircd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_etc($1)
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, lircd_etc_t)
|
||||
|
||||
files_search_pids($1)
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, lircd_var_run_t)
|
||||
')
|
||||
|
@ -14,6 +14,7 @@
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`lpd_role',`
|
||||
gen_require(`
|
||||
@ -27,7 +28,7 @@ interface(`lpd_role',`
|
||||
dontaudit lpr_t $2:unix_stream_socket { read write };
|
||||
|
||||
ps_process_pattern($2, lpr_t)
|
||||
allow $2 lpr_t:process signull;
|
||||
allow $2 lpr_t:process { ptrace signal_perms };
|
||||
|
||||
optional_policy(`
|
||||
cups_read_config($2)
|
||||
@ -186,7 +187,7 @@ interface(`lpd_read_config',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`lpd_domtrans_lpr',`
|
||||
interface(`lpd_domtrans_lpr',`
|
||||
gen_require(`
|
||||
type lpr_t, lpr_exec_t;
|
||||
')
|
||||
|
@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
|
||||
delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
|
||||
files_search_spool(checkpc_t)
|
||||
|
||||
allow checkpc_t printconf_t:file getattr;
|
||||
allow checkpc_t printconf_t:file getattr_file_perms;
|
||||
allow checkpc_t printconf_t:dir list_dir_perms;
|
||||
|
||||
kernel_read_system_state(checkpc_t)
|
||||
@ -284,13 +284,13 @@ userdom_read_user_tmp_files(lpr_t)
|
||||
|
||||
tunable_policy(`use_lpd_server',`
|
||||
# lpr can run in lightweight mode, without a local print spooler.
|
||||
allow lpr_t lpd_var_run_t:dir search;
|
||||
allow lpr_t lpd_var_run_t:sock_file write;
|
||||
allow lpr_t lpd_var_run_t:dir search_dir_perms;
|
||||
allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
|
||||
files_read_var_files(lpr_t)
|
||||
|
||||
# Connect to lpd via a Unix domain socket.
|
||||
allow lpr_t printer_t:sock_file rw_sock_file_perms;
|
||||
allow lpr_t lpd_t:unix_stream_socket connectto;
|
||||
allow lpr_t printer_t:sock_file read_sock_file_perms;
|
||||
stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
|
||||
# Send SIGHUP to lpd.
|
||||
allow lpr_t lpd_t:process signal;
|
||||
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user