misc fixes
This commit is contained in:
Chris PeBenito
parent
b11a75a5e3
commit
603f90ab9d
@ -52,6 +52,7 @@ domain_use_wide_inherit_fd(acct_t)
|
||||
|
||||
files_read_etc_files(acct_t)
|
||||
files_read_etc_runtime_files(acct_t)
|
||||
files_list_usr(acct_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_pids(acct_t)
|
||||
|
||||
|
||||
@ -66,9 +66,9 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
|
||||
allow bootloader_t self:process { sigkill sigstop signull signal };
|
||||
allow bootloader_t self:fifo_file { getattr read write };
|
||||
|
||||
allow bootloader_t boot_t:dir ra_dir_perms;
|
||||
allow bootloader_t boot_t:file { rw_file_perms create };
|
||||
allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
|
||||
allow bootloader_t boot_t:dir rw_dir_perms;
|
||||
allow bootloader_t boot_t:file create_file_perms;
|
||||
allow bootloader_t boot_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
||||
# uncomment the following lines if you use "lilo -p"
|
||||
|
||||
@ -116,6 +116,11 @@ optional_policy(`nscd.te',`
|
||||
nscd_use_socket(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`pcmcia.te',`
|
||||
pcmcia_manage_pid(hald_t)
|
||||
pcmcia_manage_runtime_chr(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(hald_t)
|
||||
')
|
||||
|
||||
@ -14,6 +14,7 @@ type mysqld_var_run_t;
|
||||
files_pid_file(mysqld_var_run_t)
|
||||
|
||||
type mysqld_db_t;
|
||||
files_type(mysqld_db_t)
|
||||
|
||||
type mysqld_etc_t alias etc_mysqld_t;
|
||||
files_type(mysqld_etc_t)
|
||||
|
||||
@ -73,8 +73,6 @@ template(`authlogin_per_userdomain_template',`
|
||||
|
||||
seutil_read_config($1_chkpwd_t)
|
||||
|
||||
#can_ldap($1_chkpwd_t)
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
||||
|
||||
@ -104,6 +102,17 @@ template(`authlogin_per_userdomain_template',`
|
||||
kerberos_use($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`ldap.te',`
|
||||
allow $1_chkpwd_t self:tcp_socket create_socket_perms;
|
||||
corenet_tcp_sendrecv_all_if($1_chkpwd_t)
|
||||
corenet_raw_sendrecv_all_if($1_chkpwd_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
|
||||
corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
|
||||
corenet_tcp_bind_all_nodes($1_chkpwd_t)
|
||||
sysnet_read_config($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_chkpwd_t)
|
||||
')
|
||||
@ -243,7 +252,16 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
kerberos_use($1)
|
||||
')
|
||||
|
||||
#can_ldap($1)
|
||||
optional_policy(`ldap.te',`
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_ldap_port($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
sysnet_read_config($1)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1)
|
||||
|
||||
@ -287,6 +287,17 @@ optional_policy(`kerberos.te',`
|
||||
kerberos_use(system_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`ldap.te',`
|
||||
allow system_chkpwd_t self:tcp_socket create_socket_perms;
|
||||
corenet_tcp_sendrecv_all_if(system_chkpwd_t)
|
||||
corenet_raw_sendrecv_all_if(system_chkpwd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(system_chkpwd_t)
|
||||
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
|
||||
corenet_tcp_sendrecv_ldap_port(system_chkpwd_t)
|
||||
corenet_tcp_bind_all_nodes(system_chkpwd_t)
|
||||
sysnet_read_config(system_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(system_chkpwd_t)
|
||||
')
|
||||
@ -295,10 +306,6 @@ optional_policy(`nscd.te',`
|
||||
nscd_use_socket(system_chkpwd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
can_ldap(system_chkpwd_t)
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Utempter local policy
|
||||
|
||||
@ -1608,6 +1608,24 @@ interface(`files_search_usr',`
|
||||
allow $1 usr_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of generic
|
||||
## directories in /usr.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_usr',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 usr_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of files in /usr.
|
||||
|
||||
@ -13,6 +13,7 @@ domain_wide_inherit_fd(getty_t)
|
||||
|
||||
type getty_etc_t;
|
||||
typealias getty_etc_t alias etc_getty_t;
|
||||
files_type(getty_etc_t)
|
||||
|
||||
type getty_log_t;
|
||||
logging_log_file(getty_log_t)
|
||||
|
||||
@ -48,9 +48,8 @@ type initrc_exec_t;
|
||||
domain_entry_file(initrc_t,initrc_exec_t)
|
||||
|
||||
type initrc_devpts_t;
|
||||
fs_associate(initrc_devpts_t)
|
||||
fs_associate_noxattr(initrc_devpts_t)
|
||||
term_pty(initrc_devpts_t)
|
||||
files_type(initrc_devpts_t)
|
||||
|
||||
type initrc_var_run_t;
|
||||
files_pid_file(initrc_var_run_t)
|
||||
|
||||
@ -54,8 +54,7 @@ dontaudit auditd_t self:capability sys_tty_config;
|
||||
allow auditd_t self:process { signal_perms setsched };
|
||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
|
||||
allow auditd_t var_log_t:dir search;
|
||||
allow auditd_t auditd_log_t:dir rw_dir_perms;
|
||||
allow auditd_t var_log_t:dir rw_dir_perms;
|
||||
allow auditd_t auditd_log_t:file create_file_perms;
|
||||
|
||||
allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||
@ -78,6 +77,7 @@ init_use_script_pty(auditd_t)
|
||||
domain_use_wide_inherit_fd(auditd_t)
|
||||
|
||||
files_read_etc_files(auditd_t)
|
||||
files_list_usr(auditd_t)
|
||||
|
||||
logging_send_syslog_msg(auditd_t)
|
||||
|
||||
|
||||
@ -148,11 +148,6 @@ optional_policy(`pcmcia.te',`
|
||||
pcmcia_domtrans_cardctl(apmd_t)
|
||||
')
|
||||
|
||||
# this goes to hald
|
||||
optional_policy(`pcmcia.te',`
|
||||
pcmcia_manage_pid(hald_t)
|
||||
pcmcia_manage_runtime_chr(hald_t)
|
||||
')
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(cardmgr_t)
|
||||
')
|
||||
|
||||
@ -35,6 +35,7 @@ template(`base_user_template',`
|
||||
# user pseudoterminal
|
||||
type $1_devpts_t;
|
||||
term_user_pty($1_t,$1_devpts_t)
|
||||
files_type($1_devpts_t)
|
||||
|
||||
# type for contents of home directory
|
||||
type $1_home_t, $1_file_type, home_type;
|
||||
@ -42,7 +43,7 @@ template(`base_user_template',`
|
||||
|
||||
# type of home directory
|
||||
type $1_home_dir_t, home_dir_type, home_type;
|
||||
files_type($1_home_t)
|
||||
files_type($1_home_dir_t)
|
||||
|
||||
type $1_tmp_t, $1_file_type;
|
||||
files_tmp_file($1_tmp_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user