misc fixes
This commit is contained in:
parent
b11a75a5e3
commit
603f90ab9d
@ -52,6 +52,7 @@ domain_use_wide_inherit_fd(acct_t)
|
|||||||
|
|
||||||
files_read_etc_files(acct_t)
|
files_read_etc_files(acct_t)
|
||||||
files_read_etc_runtime_files(acct_t)
|
files_read_etc_runtime_files(acct_t)
|
||||||
|
files_list_usr(acct_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_dontaudit_search_pids(acct_t)
|
files_dontaudit_search_pids(acct_t)
|
||||||
|
|
||||||
|
@ -66,9 +66,9 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
|
|||||||
allow bootloader_t self:process { sigkill sigstop signull signal };
|
allow bootloader_t self:process { sigkill sigstop signull signal };
|
||||||
allow bootloader_t self:fifo_file { getattr read write };
|
allow bootloader_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
allow bootloader_t boot_t:dir ra_dir_perms;
|
allow bootloader_t boot_t:dir rw_dir_perms;
|
||||||
allow bootloader_t boot_t:file { rw_file_perms create };
|
allow bootloader_t boot_t:file create_file_perms;
|
||||||
allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
|
allow bootloader_t boot_t:lnk_file create_lnk_perms;
|
||||||
|
|
||||||
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
||||||
# uncomment the following lines if you use "lilo -p"
|
# uncomment the following lines if you use "lilo -p"
|
||||||
|
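Review bot: The three rewritten boot_t rules move bootloader_t from an append-only footing on /boot to full manage: `rw_dir_perms` adds remove_name where `ra_dir_perms` carried only add_name, and `create_file_perms` / `create_lnk_perms` add unlink, rename and setattr that the old `{ rw_file_perms create }` and `{ r_file_perms create unlink }` did not grant. Bootloaders do replace kernels, initrds and map files in place, so this may well be required, but the commit message gives no rationale and /boot integrity is exactly what this domain's confinement protects. I would put a comment above the rules such as `# lilo/grub replace kernels, initrds and the map file in place, so full manage of boot_t is needed`, or, if only specific operations were denied, grant just those permissions instead of the full manage sets. The rest of bootloader_t's policy, including its capability line, lies outside this hunk.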
@ -116,6 +116,11 @@ optional_policy(`nscd.te',`
|
|||||||
nscd_use_socket(hald_t)
|
nscd_use_socket(hald_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`pcmcia.te',`
|
||||||
|
pcmcia_manage_pid(hald_t)
|
||||||
|
pcmcia_manage_runtime_chr(hald_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`selinuxutil.te',`
|
optional_policy(`selinuxutil.te',`
|
||||||
seutil_sigchld_newrole(hald_t)
|
seutil_sigchld_newrole(hald_t)
|
||||||
')
|
')
|
||||||
|
@ -14,6 +14,7 @@ type mysqld_var_run_t;
|
|||||||
files_pid_file(mysqld_var_run_t)
|
files_pid_file(mysqld_var_run_t)
|
||||||
|
|
||||||
type mysqld_db_t;
|
type mysqld_db_t;
|
||||||
|
files_type(mysqld_db_t)
|
||||||
|
|
||||||
type mysqld_etc_t alias etc_mysqld_t;
|
type mysqld_etc_t alias etc_mysqld_t;
|
||||||
files_type(mysqld_etc_t)
|
files_type(mysqld_etc_t)
|
||||||
|
@ -73,8 +73,6 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
|
|
||||||
seutil_read_config($1_chkpwd_t)
|
seutil_read_config($1_chkpwd_t)
|
||||||
|
|
||||||
#can_ldap($1_chkpwd_t)
|
|
||||||
|
|
||||||
# Transition from the user domain to this domain.
|
# Transition from the user domain to this domain.
|
||||||
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
||||||
|
|
||||||
@ -104,6 +102,17 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
kerberos_use($1_chkpwd_t)
|
kerberos_use($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`ldap.te',`
|
||||||
|
allow $1_chkpwd_t self:tcp_socket create_socket_perms;
|
||||||
|
corenet_tcp_sendrecv_all_if($1_chkpwd_t)
|
||||||
|
corenet_raw_sendrecv_all_if($1_chkpwd_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
|
||||||
|
corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
|
||||||
|
corenet_tcp_bind_all_nodes($1_chkpwd_t)
|
||||||
|
sysnet_read_config($1_chkpwd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind($1_chkpwd_t)
|
nis_use_ypbind($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
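Review bot: `corenet_raw_sendrecv_all_if($1_chkpwd_t)` and `corenet_raw_sendrecv_all_nodes($1_chkpwd_t)` grant raw-IP traffic permissions to a password-checking helper whose LDAP client work is TCP only; nothing in this hunk grants `self:rawip_socket create`, so the two lines are either dead weight or, if raw socket creation is granted elsewhere, an unneeded widening of one of the most sensitive helpers on the system. I would drop the two raw lines and keep the tcp ones, unless pam_ldap is known to open raw sockets on this target, in which case a comment stating why belongs above them. The same eight-line block is added verbatim for `$1` and for `system_chkpwd_t` in this commit, so it is a natural candidate for a single client interface in ldap.if. The template continues outside this hunk.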
@ -243,7 +252,16 @@ interface(`auth_domtrans_chk_passwd',`
|
|||||||
kerberos_use($1)
|
kerberos_use($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
#can_ldap($1)
|
optional_policy(`ldap.te',`
|
||||||
|
allow $1 self:tcp_socket create_socket_perms;
|
||||||
|
corenet_tcp_sendrecv_all_if($1)
|
||||||
|
corenet_raw_sendrecv_all_if($1)
|
||||||
|
corenet_tcp_sendrecv_all_nodes($1)
|
||||||
|
corenet_raw_sendrecv_all_nodes($1)
|
||||||
|
corenet_tcp_sendrecv_ldap_port($1)
|
||||||
|
corenet_tcp_bind_all_nodes($1)
|
||||||
|
sysnet_read_config($1)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind($1)
|
nis_use_ypbind($1)
|
||||||
|
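Review bot: In this interface the LDAP network rules are granted to `$1`, the caller of auth_domtrans_chk_passwd, so every domain that transitions to the password helper now gets TCP sockets, traffic on all interfaces and nodes, and the LDAP port, alongside the existing `kerberos_use($1)`. That is probably intended, since PAM modules such as pam_ldap run inside the calling process, but it is a broad grant to login-path domains and deserves a comment saying so, e.g. `# pam_ldap runs in the caller, so the caller needs LDAP client network access`. The block is a verbatim copy of the one added to the per-user template and to system_chkpwd_t; keeping it in one interface in ldap.if would stop the three copies drifting apart. The interface body continues outside this hunk.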
@ -287,6 +287,17 @@ optional_policy(`kerberos.te',`
|
|||||||
kerberos_use(system_chkpwd_t)
|
kerberos_use(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`ldap.te',`
|
||||||
|
allow system_chkpwd_t self:tcp_socket create_socket_perms;
|
||||||
|
corenet_tcp_sendrecv_all_if(system_chkpwd_t)
|
||||||
|
corenet_raw_sendrecv_all_if(system_chkpwd_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes(system_chkpwd_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
|
||||||
|
corenet_tcp_sendrecv_ldap_port(system_chkpwd_t)
|
||||||
|
corenet_tcp_bind_all_nodes(system_chkpwd_t)
|
||||||
|
sysnet_read_config(system_chkpwd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind(system_chkpwd_t)
|
nis_use_ypbind(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
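Review bot: `corenet_tcp_bind_all_nodes(system_chkpwd_t)` grants `node_bind` on every node type to a helper that, as far as this hunk shows, only makes outbound LDAP connections; node_bind is checked on an explicit bind(), not on connect(), so a plain client does not need it, and a password checker should hold no permission it does not use. If the LDAP library is known to bind its socket explicitly, a comment above the line saying so is warranted; otherwise I would remove it here and in the two other copies this commit adds. `allow system_chkpwd_t self:tcp_socket create_socket_perms;` together with the ldap port rule is the right shape for the client role.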
@ -295,10 +306,6 @@ optional_policy(`nscd.te',`
|
|||||||
nscd_use_socket(system_chkpwd_t)
|
nscd_use_socket(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
can_ldap(system_chkpwd_t)
|
|
||||||
') dnl end TODO
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Utempter local policy
|
# Utempter local policy
|
||||||
|
@ -1608,6 +1608,24 @@ interface(`files_search_usr',`
|
|||||||
allow $1 usr_t:dir search;
|
allow $1 usr_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List the contents of generic
|
||||||
|
## directories in /usr.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_list_usr',`
|
||||||
|
gen_require(`
|
||||||
|
type usr_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 usr_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of files in /usr.
|
## Get the attributes of files in /usr.
|
||||||
|
@ -13,6 +13,7 @@ domain_wide_inherit_fd(getty_t)
|
|||||||
|
|
||||||
type getty_etc_t;
|
type getty_etc_t;
|
||||||
typealias getty_etc_t alias etc_getty_t;
|
typealias getty_etc_t alias etc_getty_t;
|
||||||
|
files_type(getty_etc_t)
|
||||||
|
|
||||||
type getty_log_t;
|
type getty_log_t;
|
||||||
logging_log_file(getty_log_t)
|
logging_log_file(getty_log_t)
|
||||||
|
@ -48,9 +48,8 @@ type initrc_exec_t;
|
|||||||
domain_entry_file(initrc_t,initrc_exec_t)
|
domain_entry_file(initrc_t,initrc_exec_t)
|
||||||
|
|
||||||
type initrc_devpts_t;
|
type initrc_devpts_t;
|
||||||
fs_associate(initrc_devpts_t)
|
|
||||||
fs_associate_noxattr(initrc_devpts_t)
|
|
||||||
term_pty(initrc_devpts_t)
|
term_pty(initrc_devpts_t)
|
||||||
|
files_type(initrc_devpts_t)
|
||||||
|
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
files_pid_file(initrc_var_run_t)
|
files_pid_file(initrc_var_run_t)
|
||||||
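Review bot: Dropping `fs_associate(initrc_devpts_t)` and `fs_associate_noxattr(initrc_devpts_t)` only preserves behaviour if `term_pty(initrc_devpts_t)` itself carries the filesystem associate permission for devpts; term_pty's body is not in this hunk, so this should be checked, because a pty type that cannot associate with devpts makes every pty opened from an init script fail at open time. `files_type(initrc_devpts_t)` also places a pty device type under the file_type attribute, so interfaces written in terms of file_type presumably now reach initrc's ptys; that matches the userdomain change in this commit, but a comment such as `# devpts associate comes from term_pty; files_type so generic file_type interfaces cover the pty` would keep the next reader from reinstating the removed lines.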
|
@ -54,8 +54,7 @@ dontaudit auditd_t self:capability sys_tty_config;
|
|||||||
allow auditd_t self:process { signal_perms setsched };
|
allow auditd_t self:process { signal_perms setsched };
|
||||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||||
|
|
||||||
allow auditd_t var_log_t:dir search;
|
allow auditd_t var_log_t:dir rw_dir_perms;
|
||||||
allow auditd_t auditd_log_t:dir rw_dir_perms;
|
|
||||||
allow auditd_t auditd_log_t:file create_file_perms;
|
allow auditd_t auditd_log_t:file create_file_perms;
|
||||||
|
|
||||||
allow auditd_t auditd_var_run_t:file create_file_perms;
|
allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||||
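Review bot: The rewritten `allow auditd_t var_log_t:dir rw_dir_perms;` gives the audit daemon add_name, remove_name and write on the top-level /var/log directory, while the dropped `allow auditd_t auditd_log_t:dir rw_dir_perms;` was the rule that let it add and remove entries inside a directory labelled auditd_log_t; if /var/log/audit carries auditd_log_t, as the surviving `auditd_log_t:file create_file_perms` line suggests, this is a widening and a regression in one edit. If the intent is to let auditd create its log directory on first start, the narrower shape is to keep `search` on var_log_t, keep the auditd_log_t:dir rule, and add `type_transition auditd_t var_log_t:dir auditd_log_t;` so the created directory lands in the right type. Audit logs are the record an investigator relies on, so the domain writing them should hold the least access to the rest of /var/log that works. The surrounding auditd rules continue outside this hunk.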
@ -78,6 +77,7 @@ init_use_script_pty(auditd_t)
|
|||||||
domain_use_wide_inherit_fd(auditd_t)
|
domain_use_wide_inherit_fd(auditd_t)
|
||||||
|
|
||||||
files_read_etc_files(auditd_t)
|
files_read_etc_files(auditd_t)
|
||||||
|
files_list_usr(auditd_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(auditd_t)
|
logging_send_syslog_msg(auditd_t)
|
||||||
|
|
||||||
|
@ -148,11 +148,6 @@ optional_policy(`pcmcia.te',`
|
|||||||
pcmcia_domtrans_cardctl(apmd_t)
|
pcmcia_domtrans_cardctl(apmd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# this goes to hald
|
|
||||||
optional_policy(`pcmcia.te',`
|
|
||||||
pcmcia_manage_pid(hald_t)
|
|
||||||
pcmcia_manage_runtime_chr(hald_t)
|
|
||||||
')
|
|
||||||
optional_policy(`rhgb.te',`
|
optional_policy(`rhgb.te',`
|
||||||
rhgb_domain(cardmgr_t)
|
rhgb_domain(cardmgr_t)
|
||||||
')
|
')
|
||||||
|
@ -35,6 +35,7 @@ template(`base_user_template',`
|
|||||||
# user pseudoterminal
|
# user pseudoterminal
|
||||||
type $1_devpts_t;
|
type $1_devpts_t;
|
||||||
term_user_pty($1_t,$1_devpts_t)
|
term_user_pty($1_t,$1_devpts_t)
|
||||||
|
files_type($1_devpts_t)
|
||||||
|
|
||||||
# type for contents of home directory
|
# type for contents of home directory
|
||||||
type $1_home_t, $1_file_type, home_type;
|
type $1_home_t, $1_file_type, home_type;
|
||||||
@ -42,7 +43,7 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
# type of home directory
|
# type of home directory
|
||||||
type $1_home_dir_t, home_dir_type, home_type;
|
type $1_home_dir_t, home_dir_type, home_type;
|
||||||
files_type($1_home_t)
|
files_type($1_home_dir_t)
|
||||||
|
|
||||||
type $1_tmp_t, $1_file_type;
|
type $1_tmp_t, $1_file_type;
|
||||||
files_tmp_file($1_tmp_t)
|
files_tmp_file($1_tmp_t)
|
||||||
|
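Review bot: The edit turns `files_type($1_home_t)` into `files_type($1_home_dir_t)`, which adds the attribute to the home directory type but at the same time removes it from `$1_home_t` unless that type receives `files_type` on a line outside this hunk (new-side line 42 sits between the two hunks shown and is not visible here); a type that loses file_type drops out of every generic file interface, so this should be verified rather than assumed. If `$1_home_t` is not covered elsewhere, the fix is two lines rather than a swap: `files_type($1_home_t)` followed by `files_type($1_home_dir_t)`. The template body continues outside this hunk.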