more merging from nsa cvs
This commit is contained in:
Chris PeBenito
parent
5a2649cefd
commit
605ba28540
@ -9,9 +9,12 @@ policy_module(consoletype, 1.0)
|
||||
type consoletype_t; #, mlsfileread, mlsfilewrite
|
||||
type consoletype_exec_t;
|
||||
init_domain(consoletype_t,consoletype_exec_t)
|
||||
init_system_domain(consoletype_t,consoletype_exec_t)
|
||||
role system_r types consoletype_t;
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
init_system_domain(consoletype_t,consoletype_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local declarations
|
||||
@ -54,7 +57,7 @@ userdom_use_sysadm_terms(consoletype_t)
|
||||
userdom_use_sysadm_fd(consoletype_t)
|
||||
userdom_rw_sysadm_pipe(consoletype_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
ifdef(`distro_redhat',`
|
||||
fs_use_tmpfs_chr_dev(consoletype_t)
|
||||
')
|
||||
|
||||
@ -99,8 +102,10 @@ allow consoletype_t xdm_tmp_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
# this goes to xdm module
|
||||
optional_policy(`consoletype.te',`
|
||||
consoletype_domtrans(xdm_t)
|
||||
ifdef(`targeted_policy',`
|
||||
optional_policy(`consoletype.te',`
|
||||
consoletype_domtrans(xdm_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
|
||||
@ -10,6 +10,7 @@ type firstboot_t;
|
||||
type firstboot_exec_t;
|
||||
init_system_domain(firstboot_t,firstboot_exec_t)
|
||||
domain_obj_id_change_exempt(firstboot_t)
|
||||
domain_subj_id_change_exempt(firstboot_t)
|
||||
role system_r types firstboot_t;
|
||||
|
||||
type firstboot_etc_t; #, usercanread;
|
||||
@ -103,8 +104,10 @@ userdom_manage_user_home_files(firstboot_t)
|
||||
userdom_manage_user_home_symlinks(firstboot_t)
|
||||
userdom_manage_user_home_pipes(firstboot_t)
|
||||
userdom_manage_user_home_sockets(firstboot_t)
|
||||
usermanage_domtrans_useradd(firstboot_t)
|
||||
usermanage_domtrans_groupadd(firstboot_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domtrans(firstboot_t)
|
||||
')
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_rw_config(firstboot_t)
|
||||
@ -114,6 +117,11 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(firstboot_t)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_domtrans_useradd(firstboot_t)
|
||||
usermanage_domtrans_groupadd(firstboot_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow firstboot_t proc_t:file write;
|
||||
|
||||
|
||||
@ -116,4 +116,12 @@ ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(updfstab_t)
|
||||
')
|
||||
ifdef(`dbusd.te',`
|
||||
allow initrc_t updfstab_t:dbus send_msg;
|
||||
allow updfstab_t initrc_t:dbus send_msg;
|
||||
')
|
||||
allow updfstab_t tmpfs_t:dir getattr;
|
||||
ifdef(`hald.te', `
|
||||
can_unix_connect(updfstab_t, hald_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -520,6 +520,7 @@ logging_send_syslog_msg(useradd_t)
|
||||
miscfiles_read_localization(useradd_t)
|
||||
|
||||
seutil_read_config(useradd_t)
|
||||
seutil_read_file_contexts(useradd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(useradd_t)
|
||||
|
||||
|
||||
@ -395,12 +395,12 @@ interface(`dev_del_generic_symlinks',`
|
||||
interface(`dev_manage_generic_symlinks',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
||||
class lnk_file { create read getattr setattr link unlink rename };
|
||||
class dir rw_dir_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
||||
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
allow $1 device_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1492,7 +1492,7 @@ interface(`kernel_use_shared_libs_from',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class lnk_file r_file_perms;
|
||||
class file rx_dir_perms;
|
||||
class file rx_file_perms;
|
||||
')
|
||||
|
||||
allow kernel_t $1:dir r_dir_perms;
|
||||
|
||||
@ -25,7 +25,7 @@ attribute sysctl_type;
|
||||
# kernel_t is the domain of kernel threads.
|
||||
# It is also the target type when checking permissions in the system class.
|
||||
#
|
||||
type kernel_t, can_load_kernmodule;
|
||||
type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
|
||||
role system_r types kernel_t;
|
||||
domain_base_type(kernel_t)
|
||||
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
|
||||
@ -169,6 +169,9 @@ allow kernel_t sysctl_t:dir r_dir_perms;
|
||||
allow kernel_t sysctl_kernel_t:dir r_dir_perms;
|
||||
allow kernel_t sysctl_kernel_t:file r_file_perms;
|
||||
|
||||
# cjp: this seems questionable
|
||||
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
|
||||
|
||||
# Kernel-generated traffic e.g., ICMP replies:
|
||||
corenet_raw_sendrecv_all_if(kernel_t)
|
||||
corenet_raw_sendrecv_all_nodes(kernel_t)
|
||||
@ -176,20 +179,24 @@ corenet_raw_sendrecv_all_nodes(kernel_t)
|
||||
corenet_tcp_sendrecv_all_if(kernel_t)
|
||||
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
||||
|
||||
selinux_load_policy(kernel_t)
|
||||
|
||||
term_use_console(kernel_t)
|
||||
dev_read_sysfs(kernel_t)
|
||||
dev_search_usbfs(kernel_t)
|
||||
|
||||
# Mount root file system. Used when loading a policy
|
||||
# from initrd, then mounting the root filesystem
|
||||
fs_mount_all_fs(kernel_t)
|
||||
|
||||
selinux_load_policy(kernel_t)
|
||||
|
||||
term_use_console(kernel_t)
|
||||
|
||||
corecmd_exec_shell(kernel_t)
|
||||
corecmd_list_sbin(kernel_t)
|
||||
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
||||
corecmd_exec_bin(kernel_t)
|
||||
|
||||
domain_signal_all_domains(kernel_t)
|
||||
domain_search_all_domains_state(kernel_t)
|
||||
|
||||
files_list_root(kernel_t)
|
||||
files_list_etc(kernel_t)
|
||||
|
||||
@ -10,8 +10,6 @@
|
||||
/usr/sbin/cron(d)? -- context_template(system_u:object_r:crond_exec_t,s0)
|
||||
/usr/sbin/fcron -- context_template(system_u:object_r:crond_exec_t,s0)
|
||||
|
||||
/var/log/cron.* -- context_template(system_u:object_r:crond_log_t,s0)
|
||||
|
||||
/var/run/atd\.pid -- context_template(system_u:object_r:crond_var_run_t,s0)
|
||||
/var/run/crond?\.pid -- context_template(system_u:object_r:crond_var_run_t,s0)
|
||||
/var/run/crond\.reboot -- context_template(system_u:object_r:crond_var_run_t,s0)
|
||||
|
||||
@ -188,8 +188,6 @@ template(`cron_per_userdomain_template',`
|
||||
# crontab signals crond by updating the mtime on the spooldir
|
||||
allow $1_crontab_t cron_spool_t:dir setattr;
|
||||
|
||||
allow $1_crontab_t crond_log_t:file ra_file_perms;
|
||||
|
||||
# for the checks used by crontab -u
|
||||
selinux_dontaudit_search_fs($1_crontab_t)
|
||||
|
||||
@ -384,24 +382,6 @@ interface(`cron_rw_pipe',`
|
||||
allow $1 crond_t:file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the cron daemon log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_rw_log',`
|
||||
gen_require(`
|
||||
type crond_log_t;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 crond_log_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the directory containing user cron tables.
|
||||
|
||||
@ -19,9 +19,6 @@ init_daemon_domain(crond_t,crond_exec_t)
|
||||
domain_wide_inherit_fd(crond_t)
|
||||
domain_cron_exemption_source(crond_t)
|
||||
|
||||
type crond_log_t;
|
||||
logging_log_file(crond_log_t)
|
||||
|
||||
type crond_tmp_t;
|
||||
files_tmp_file(crond_tmp_t)
|
||||
|
||||
@ -65,8 +62,6 @@ allow crond_t self:sem create_sem_perms;
|
||||
allow crond_t self:msgq create_msgq_perms;
|
||||
allow crond_t self:msg { send receive };
|
||||
|
||||
allow crond_t crond_log_t:file create_file_perms;
|
||||
|
||||
allow crond_t crond_var_run_t:file create_file_perms;
|
||||
files_create_pid(crond_t,crond_var_run_t)
|
||||
|
||||
@ -228,10 +223,6 @@ type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
|
||||
allow system_crond_t cron_spool_t:dir r_dir_perms;
|
||||
allow system_crond_t cron_spool_t:file r_file_perms;
|
||||
|
||||
# Access crond log files
|
||||
allow system_crond_t crond_log_t:file create_file_perms;
|
||||
logging_create_log(system_crond_t,crond_log_t)
|
||||
|
||||
kernel_read_kernel_sysctl(system_crond_t)
|
||||
kernel_read_system_state(system_crond_t)
|
||||
kernel_read_software_raid_state(system_crond_t)
|
||||
@ -372,7 +363,7 @@ allow system_crond_su_t crond_t:fifo_file ioctl;
|
||||
# Required for webalizer
|
||||
#
|
||||
ifdef(`apache.te', `
|
||||
allow system_crond_t httpd_log_t:file r_file_perms;
|
||||
allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`mta.te', `
|
||||
|
||||
@ -342,9 +342,8 @@ optional_policy(`nscd.te',`
|
||||
nscd_use_socket(utempter_t)
|
||||
')
|
||||
|
||||
optional_policy(`xdm.te', `
|
||||
#allow utempter_t xdm_t:fd use;
|
||||
xdm_use_fd(utempter_t)
|
||||
#allow utempter_t xdm_t:fifo_file { write getattr };
|
||||
xdm_write_pipe(utempter_t)
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`xdm.te',`
|
||||
can_pipe_xdm(utempter_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -423,13 +423,30 @@ interface(`domain_kill_all_domains',`
|
||||
allow $1 domain:process sigkill;
|
||||
allow $1 self:capability kill;
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the process state directory (/proc/pid) of all domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_search_all_domains_state',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
allow $1 domain:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the process state (/proc/pid) of all domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_read_all_domains_state',`
|
||||
@ -441,6 +458,7 @@ interface(`domain_read_all_domains_state',`
|
||||
class process { getattr ptrace };
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
allow $1 domain:dir r_dir_perms;
|
||||
allow $1 domain:lnk_file r_file_perms;
|
||||
allow $1 domain:file r_file_perms;
|
||||
@ -453,6 +471,38 @@ interface(`domain_read_all_domains_state',`
|
||||
dontaudit $1 domain:process ptrace;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the process state (/proc/pid) of all domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_read_confined_domains_state',`
|
||||
gen_require(`
|
||||
attribute domain, unconfined_domain;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
class file r_file_perms;
|
||||
class process { getattr ptrace };
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
allow $1 { domain -unconfined_domain }:dir r_dir_perms;
|
||||
allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
|
||||
allow $1 { domain -unconfined_domain }:file r_file_perms;
|
||||
allow $1 { domain -unconfined_domain }:process getattr;
|
||||
|
||||
dontaudit $1 unconfined_domain:dir search;
|
||||
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $1 { domain -unconfined_domain }:process ptrace;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read the process
|
||||
@ -767,6 +817,8 @@ interface(`domain_unconfined',`
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
typeattribute $1 unconfined_domain;
|
||||
|
||||
# pass all constraints
|
||||
typeattribute $1 can_change_process_identity;
|
||||
typeattribute $1 can_change_process_role;
|
||||
|
||||
@ -12,6 +12,9 @@ attribute domain;
|
||||
# Transitions only allowed from domains to other domains
|
||||
neverallow domain ~domain:process { transition dyntransition };
|
||||
|
||||
# Domains that are unconfined
|
||||
attribute unconfined_domain;
|
||||
|
||||
# Domains that can set their current context
|
||||
# (perform dynamic transitions)
|
||||
attribute set_curr_context;
|
||||
|
||||
@ -123,10 +123,10 @@ ifdef(`distro_redhat', `
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
unconfined_domain_template(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`consoletype.te',`
|
||||
consoletype_domtrans(hotplug_t)
|
||||
optional_policy(`consoletype.te',`
|
||||
consoletype_domtrans(hotplug_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`dbus.te',`
|
||||
|
||||
@ -157,6 +157,23 @@ interface(`init_domtrans',`
|
||||
allow init_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the init program in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_exec',`
|
||||
gen_require(`
|
||||
type init_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
can_exec($1,init_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_get_process_group(domain)
|
||||
|
||||
@ -239,6 +239,7 @@ dev_write_snd_mixer_dev(initrc_t)
|
||||
dev_setattr_all_chr_files(initrc_t)
|
||||
dev_read_lvm_control(initrc_t)
|
||||
dev_delete_lvm_control(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
# Wants to remove udev.tbl:
|
||||
dev_del_generic_symlinks(initrc_t)
|
||||
|
||||
@ -317,6 +318,7 @@ logging_send_syslog_msg(initrc_t)
|
||||
logging_manage_generic_logs(initrc_t)
|
||||
logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_auditd_config(initrc_t)
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
|
||||
@ -386,6 +388,7 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
domain_subj_id_change_exempt(initrc_t)
|
||||
unconfined_domain_template(initrc_t)
|
||||
unconfined_shell_domtrans(initrc_t)
|
||||
')
|
||||
|
||||
@ -18,7 +18,7 @@ interface(`locallogin_domtrans',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow processes to inherit local login file descriptors
|
||||
## Allow processes to inherit local login file descriptors.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
@ -33,6 +33,23 @@ interface(`locallogin_use_fd',`
|
||||
allow $1 local_login_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to inherit local login file descriptors.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`locallogin_dontaudit_use_fd',`
|
||||
gen_require(`
|
||||
type local_login_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
dontaudit $1 local_login_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a null signal to local login processes.
|
||||
|
||||
@ -83,6 +83,24 @@ interface(`logging_send_syslog_msg',`
|
||||
term_use_console($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the auditd configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_read_auditd_config',`
|
||||
gen_require(`
|
||||
type auditd_etc_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 auditd_etc_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows the domain to open a file in the
|
||||
|
||||
@ -8,7 +8,15 @@ policy_module(logging,1.0)
|
||||
|
||||
attribute logfile;
|
||||
|
||||
type auditd_log_t;
|
||||
type auditctl_t; #, privlog;
|
||||
type auditctl_exec_t;
|
||||
init_system_domain(auditctl_t,auditctl_exec_t)
|
||||
role system_r types auditctl_t;
|
||||
|
||||
type auditd_etc_t; #, secure_file_type;
|
||||
files_type(auditd_etc_t)
|
||||
|
||||
type auditd_log_t; # secure_file_type;
|
||||
files_type(auditd_log_t)
|
||||
|
||||
type auditd_t;
|
||||
@ -49,13 +57,55 @@ files_type(var_log_t)
|
||||
# Auditd local policy
|
||||
#
|
||||
|
||||
allow auditctl_t self:capability { audit_write audit_control };
|
||||
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
|
||||
libs_use_ld_so(auditctl_t)
|
||||
libs_use_shared_libs(auditctl_t)
|
||||
|
||||
allow auditctl_t etc_t:file { getattr read };
|
||||
|
||||
allow auditctl_t auditd_etc_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(auditctl_t)
|
||||
|
||||
domain_use_wide_inherit_fd(auditctl_t)
|
||||
|
||||
init_use_script_pty(auditctl_t)
|
||||
init_dontaudit_use_fd(auditctl_t)
|
||||
|
||||
locallogin_dontaudit_use_fd(auditctl_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
role secadm_r types auditctl_t;
|
||||
role sysadm_r types auditctl_t;
|
||||
audit_manager_domain(secadm_t)
|
||||
|
||||
ifdef(`targeted_policy', `', `
|
||||
ifdef(`separate_secadm', `', `
|
||||
audit_manager_domain(sysadm_t)
|
||||
allow auditctl_t admin_tty_type:chr_file rw_file_perms;
|
||||
')
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Auditd local policy
|
||||
#
|
||||
|
||||
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
|
||||
dontaudit auditd_t self:capability sys_tty_config;
|
||||
allow auditd_t self:process { signal_perms setsched };
|
||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
allow auditd_t self:file { getattr read write };
|
||||
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
|
||||
allow auditd_t var_log_t:dir rw_dir_perms;
|
||||
allow auditd_t auditd_etc_t:file r_file_perms;
|
||||
|
||||
allow auditd_t auditd_log_t:dir rw_dir_perms;
|
||||
allow auditd_t auditd_log_t:file create_file_perms;
|
||||
allow auditd_t var_log_t:dir search;
|
||||
|
||||
allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||
files_create_pid(auditd_t,auditd_var_run_t)
|
||||
@ -72,6 +122,8 @@ fs_search_auto_mountpoints(auditd_t)
|
||||
term_dontaudit_use_console(auditd_t)
|
||||
|
||||
init_use_fd(auditd_t)
|
||||
init_exec(auditd_t)
|
||||
init_write_initctl(auditd_t)
|
||||
init_use_script_pty(auditd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(auditd_t)
|
||||
@ -91,10 +143,8 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
|
||||
# cjp: this is questionable
|
||||
userdom_use_sysadm_tty(auditd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(auditd_t)
|
||||
term_dontaudit_use_generic_pty(auditd_t)
|
||||
files_dontaudit_read_root_file(auditd_t)
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(auditd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
@ -155,11 +205,12 @@ miscfiles_read_localization(klogd_t)
|
||||
# syslogd local policy
|
||||
#
|
||||
|
||||
# sys_admin chown fsetid for syslog-ng
|
||||
# cjp: why net_admin!
|
||||
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };
|
||||
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
|
||||
dontaudit syslogd_t self:capability sys_tty_config;
|
||||
allow syslogd_t self:process signal_perms;
|
||||
|
||||
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
# receive messages to be logged
|
||||
allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -167,9 +218,18 @@ allow syslogd_t self:unix_dgram_socket sendto;
|
||||
allow syslogd_t self:fifo_file rw_file_perms;
|
||||
allow syslogd_t self:udp_socket { connected_socket_perms connect };
|
||||
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file create_file_perms;
|
||||
files_create_pid(syslogd_t,devlog_t,sock_file)
|
||||
# cjp: I belive these are not needed:
|
||||
allow syslogd_t devlog_t:unix_stream_socket name_bind;
|
||||
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
||||
|
||||
# create/append log files.
|
||||
allow syslogd_t var_log_t:dir rw_dir_perms;
|
||||
allow syslogd_t var_log_t:file create_file_perms;
|
||||
# Allow access for syslog-ng
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
|
||||
# manage temporary files
|
||||
allow syslogd_t syslogd_tmp_t:file create_file_perms;
|
||||
@ -178,13 +238,6 @@ files_create_tmp_files(syslogd_t,syslogd_tmp_t)
|
||||
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||
files_create_pid(syslogd_t,syslogd_var_run_t,file)
|
||||
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file create_file_perms;
|
||||
files_create_pid(syslogd_t,devlog_t,sock_file)
|
||||
# I belive these are not needed:
|
||||
allow syslogd_t devlog_t:unix_stream_socket name_bind;
|
||||
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
||||
|
||||
# manage pid file
|
||||
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||
files_create_pid(syslogd_t,syslogd_var_run_t)
|
||||
@ -192,6 +245,10 @@ files_create_pid(syslogd_t,syslogd_var_run_t)
|
||||
kernel_read_kernel_sysctl(syslogd_t)
|
||||
kernel_read_proc_symlinks(syslogd_t)
|
||||
kernel_send_syslog_msg_from(devlog_t,syslogd_t)
|
||||
# Allow access to /proc/kmsg for syslog-ng
|
||||
kernel_read_messages(klogd_t)
|
||||
kernel_clear_ring_buffer(klogd_t)
|
||||
kernel_change_ring_buffer_level(klogd_t)
|
||||
|
||||
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
||||
dev_read_sysfs(syslogd_t)
|
||||
@ -213,7 +270,9 @@ corenet_raw_sendrecv_all_nodes(syslogd_t)
|
||||
corenet_udp_sendrecv_all_nodes(syslogd_t)
|
||||
corenet_udp_sendrecv_all_ports(syslogd_t)
|
||||
corenet_udp_bind_all_nodes(syslogd_t)
|
||||
corenet_udp_bind_syslogd_port(syslogd_t)
|
||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
||||
#cjp: why?
|
||||
corenet_tcp_connect_rsh_port(syslogd_t)
|
||||
|
||||
fs_getattr_all_fs(syslogd_t)
|
||||
|
||||
@ -223,6 +282,8 @@ init_use_script_pty(syslogd_t)
|
||||
domain_use_wide_inherit_fd(syslogd_t)
|
||||
|
||||
files_read_etc_files(syslogd_t)
|
||||
# /initrd is not umounted before minilog starts
|
||||
files_dontaudit_search_isid_type_dir(syslogd_t)
|
||||
|
||||
libs_use_ld_so(syslogd_t)
|
||||
libs_use_shared_libs(syslogd_t)
|
||||
@ -234,38 +295,18 @@ miscfiles_read_localization(syslogd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
|
||||
|
||||
#
|
||||
# /initrd is not umounted before minilog starts
|
||||
#
|
||||
files_dontaudit_search_isid_type_dir(syslogd_t)
|
||||
#allow syslogd_t tmpfs_t:dir search;
|
||||
#dontaudit syslogd_t unlabeled_t:file read;
|
||||
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
||||
allow syslogd_t self:capability net_admin;
|
||||
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
ifdef(`distro_suse',`
|
||||
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
||||
files_create_var_lib(syslogd_t,devlog_t,sock_file)
|
||||
')
|
||||
|
||||
ifdef(`klogd.te', `', `
|
||||
# Allow access to /proc/kmsg for syslog-ng
|
||||
kernel_read_messages(syslogd_t)
|
||||
kernel_clear_ring_buffer(syslogd_t)
|
||||
kernel_change_ring_buffer_level(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
ifdef(`targeted_policy',`
|
||||
allow syslogd_t var_run_t:fifo_file { ioctl read write };
|
||||
term_dontaudit_use_unallocated_tty(syslogd_t)
|
||||
term_dontaudit_use_generic_pty(syslogd_t)
|
||||
files_dontaudit_read_root_file(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_rw_log(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`inn.te',`
|
||||
inn_manage_log(syslogd_t)
|
||||
')
|
||||
@ -283,16 +324,19 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(syslogd_t)
|
||||
')
|
||||
|
||||
allow syslogd_t tmpfs_t:dir search;
|
||||
dontaudit syslogd_t unlabeled_t:file { getattr read };
|
||||
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
||||
|
||||
# log to the xconsole
|
||||
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
|
||||
|
||||
#
|
||||
# Special case to handle crashes
|
||||
#
|
||||
allow syslogd_t { device_t file_t }:sock_file unlink;
|
||||
allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
|
||||
') dnl end TODO
|
||||
|
||||
@ -72,7 +72,7 @@ corecmd_exec_sbin(cardmgr_t)
|
||||
domain_use_wide_inherit_fd(cardmgr_t)
|
||||
domain_exec_all_entry_files(cardmgr_t)
|
||||
# Read /proc/PID directories for all domains (for fuser).
|
||||
domain_read_all_domains_state(cardmgr_t)
|
||||
domain_read_confined_domains_state(cardmgr_t)
|
||||
# cjp: these look excessive:
|
||||
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
|
||||
domain_dontaudit_getattr_all_sockets(cardmgr_t)
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
# kernel_t is the domain of kernel threads.
|
||||
# It is also the target type when checking permissions in the system class.
|
||||
#
|
||||
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite ifdef(`nfs_export_all_rw',`,etc_writer') ;
|
||||
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
|
||||
role system_r types kernel_t;
|
||||
general_domain_access(kernel_t)
|
||||
general_proc_read_access(kernel_t)
|
||||
@ -22,8 +22,8 @@ can_exec(kernel_t, shell_exec_t)
|
||||
# Use capabilities.
|
||||
allow kernel_t self:capability *;
|
||||
|
||||
allow kernel_t sysfs_t:dir search;
|
||||
allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
|
||||
r_dir_file(kernel_t, sysfs_t)
|
||||
allow kernel_t { usbfs_t usbdevfs_t }:dir search;
|
||||
|
||||
# Run init in the init_t domain.
|
||||
domain_auto_trans(kernel_t, init_exec_t, init_t)
|
||||
@ -36,6 +36,7 @@ allow kernel_t fs_type:filesystem mount_fs_perms;
|
||||
|
||||
# Send signal to any process.
|
||||
allow kernel_t domain:process signal;
|
||||
allow kernel_t domain:dir search;
|
||||
|
||||
# Access the console.
|
||||
allow kernel_t device_t:dir search;
|
||||
@ -50,6 +51,7 @@ can_exec(kernel_t, chroot_exec_t)
|
||||
allow kernel_t self:capability sys_chroot;
|
||||
|
||||
allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
|
||||
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
|
||||
allow kernel_t file_t:dir rw_dir_perms;
|
||||
allow kernel_t file_t:blk_file create_file_perms;
|
||||
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
|
||||
|
||||
@ -2,11 +2,66 @@
|
||||
#
|
||||
# Authors: Colin Walters <walters@verbum.org>
|
||||
#
|
||||
# Some fixes by Paul Moore <paul.moore@hp.com>
|
||||
#
|
||||
define(`audit_manager_domain', `
|
||||
allow $1 auditd_etc_t:file rw_file_perms;
|
||||
create_dir_file($1, auditd_log_t)
|
||||
domain_auto_trans($1, auditctl_exec_t, auditctl_t)
|
||||
')
|
||||
|
||||
daemon_domain(auditd)
|
||||
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
|
||||
allow auditd_t self:capability { audit_write audit_control };
|
||||
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
|
||||
|
||||
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
|
||||
allow auditd_t self:process setsched;
|
||||
allow auditd_t self:file { getattr read write };
|
||||
allow auditd_t etc_t:file { getattr read };
|
||||
log_domain(auditd)
|
||||
|
||||
# Do not use logdir_domain since this is a security file
|
||||
type auditd_log_t, file_type, secure_file_type;
|
||||
allow auditd_t var_log_t:dir search;
|
||||
rw_dir_create_file(auditd_t, auditd_log_t)
|
||||
|
||||
can_exec(auditd_t, init_exec_t)
|
||||
allow auditd_t initctl_t:fifo_file write;
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
dontaudit auditd_t unconfined_t:fifo_file read;
|
||||
')
|
||||
|
||||
type auditctl_t, domain, privlog;
|
||||
type auditctl_exec_t, file_type, exec_type, sysadmfile;
|
||||
uses_shlib(auditctl_t)
|
||||
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
allow auditctl_t self:capability { audit_write audit_control };
|
||||
allow auditctl_t etc_t:file { getattr read };
|
||||
allow auditctl_t admin_tty_type:chr_file rw_file_perms;
|
||||
|
||||
type auditd_etc_t, file_type, secure_file_type;
|
||||
allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
|
||||
allow initrc_t auditd_etc_t:file r_file_perms;
|
||||
|
||||
role secadm_r types auditctl_t;
|
||||
role sysadm_r types auditctl_t;
|
||||
audit_manager_domain(secadm_t)
|
||||
|
||||
ifdef(`targeted_policy', `', `
|
||||
ifdef(`separate_secadm', `', `
|
||||
audit_manager_domain(sysadm_t)
|
||||
')
|
||||
')
|
||||
|
||||
role system_r types auditctl_t;
|
||||
domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
|
||||
|
||||
dontaudit auditctl_t local_login_t:fd use;
|
||||
allow auditctl_t proc_t:dir search;
|
||||
allow auditctl_t sysctl_kernel_t:dir search;
|
||||
allow auditctl_t sysctl_kernel_t:file { getattr read };
|
||||
dontaudit auditctl_t init_t:fd use;
|
||||
allow auditctl_t initrc_devpts_t:chr_file { read write };
|
||||
allow auditctl_t privfd:fd use;
|
||||
|
||||
|
||||
|
||||
@ -61,7 +61,9 @@ allow ifconfig_t cardmgr_t:fd use;
|
||||
allow cardmgr_t proc_t:file { getattr read ioctl };
|
||||
|
||||
# Read /proc/PID directories for all domains (for fuser).
|
||||
can_ps(cardmgr_t, domain)
|
||||
can_ps(cardmgr_t, domain -unrestricted)
|
||||
dontaudit cardmgr_t unrestricted:dir search;
|
||||
|
||||
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
|
||||
allow cardmgr_t ttyfile:chr_file getattr;
|
||||
dontaudit cardmgr_t ptyfile:chr_file getattr;
|
||||
|
||||
@ -12,6 +12,7 @@
|
||||
type checkpolicy_t, domain;
|
||||
role sysadm_r types checkpolicy_t;
|
||||
role system_r types checkpolicy_t;
|
||||
role secadm_r types checkpolicy_t;
|
||||
|
||||
type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
|
||||
|
||||
@ -19,7 +20,7 @@ type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
|
||||
#
|
||||
# Rules
|
||||
|
||||
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
||||
domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
|
||||
|
||||
# able to create and modify binary policy files
|
||||
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
|
||||
|
||||
@ -19,28 +19,28 @@ role system_r types consoletype_t;
|
||||
uses_shlib(consoletype_t)
|
||||
general_domain_access(consoletype_t)
|
||||
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
|
||||
|
||||
allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
|
||||
allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
|
||||
allow consoletype_t xdm_tmp_t:file { read write };
|
||||
')
|
||||
|
||||
allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
|
||||
allow consoletype_t admin_tty_type:chr_file rw_file_perms;
|
||||
ifdef(`hotplug.te', `
|
||||
domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
|
||||
')
|
||||
')
|
||||
|
||||
allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
|
||||
|
||||
allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
|
||||
|
||||
# Use capabilities.
|
||||
allow consoletype_t self:capability sys_admin;
|
||||
|
||||
allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
|
||||
allow consoletype_t initrc_t:fifo_file write;
|
||||
allow consoletype_t tty_device_t:chr_file read;
|
||||
allow consoletype_t nfs_t:file write;
|
||||
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
|
||||
|
||||
|
||||
@ -43,8 +43,6 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
|
||||
|
||||
read_locale(crond_t)
|
||||
|
||||
log_domain(crond)
|
||||
|
||||
# Use capabilities.
|
||||
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
|
||||
dontaudit crond_t self:capability sys_resource;
|
||||
@ -101,9 +99,6 @@ can_setexec(crond_t)
|
||||
# Still need to study anacron.
|
||||
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
|
||||
|
||||
# Access log files
|
||||
file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
|
||||
|
||||
# Inherit and use descriptors from init for anacron.
|
||||
allow system_crond_t init_t:fd use;
|
||||
|
||||
@ -205,11 +200,11 @@ domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
|
||||
r_dir_file(system_crond_t, file_context_t)
|
||||
can_getsecurity(system_crond_t)
|
||||
}
|
||||
allow system_crond_t removable_t:filesystem { getattr };
|
||||
dontaudit system_crond_t removable_t:filesystem getattr;
|
||||
#
|
||||
# Required for webalizer
|
||||
#
|
||||
ifdef(`apache.te', `
|
||||
allow system_crond_t httpd_log_t:file { getattr read };
|
||||
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
|
||||
')
|
||||
dontaudit crond_t self:capability { sys_tty_config };
|
||||
dontaudit crond_t self:capability sys_tty_config;
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
#
|
||||
# firstboot_exec_t is the type of the firstboot executable.
|
||||
#
|
||||
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
|
||||
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
|
||||
type firstboot_rw_t, file_type, sysadmfile;
|
||||
role system_r types firstboot_t;
|
||||
|
||||
@ -29,8 +29,10 @@ domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
|
||||
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
|
||||
|
||||
can_exec_any(firstboot_t)
|
||||
ifdef(`useradd.te',`
|
||||
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
|
||||
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
|
||||
')
|
||||
allow firstboot_t etc_runtime_t:file { getattr read };
|
||||
|
||||
r_dir_file(firstboot_t, etc_t)
|
||||
@ -107,8 +109,10 @@ read_sysctl(firstboot_t)
|
||||
|
||||
allow firstboot_t var_run_t:dir getattr;
|
||||
allow firstboot_t var_t:dir getattr;
|
||||
ifdef(`hostname.te', `
|
||||
allow hostname_t devtty_t:chr_file { read write };
|
||||
allow hostname_t firstboot_t:fd use;
|
||||
')
|
||||
ifdef(`iptables.te', `
|
||||
allow iptables_t devtty_t:chr_file { read write };
|
||||
allow iptables_t firstboot_t:fd use;
|
||||
@ -128,4 +132,7 @@ file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
|
||||
# The big hammer
|
||||
#
|
||||
unconfined_domain(firstboot_t)
|
||||
ifdef(`targeted_policy', `
|
||||
allow firstboot_t unconfined_t:process transition;
|
||||
')
|
||||
|
||||
|
||||
@ -42,6 +42,7 @@ allow getty_t wtmp_t:file rw_file_perms;
|
||||
# Chown, chmod, read and write ttys.
|
||||
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
|
||||
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
|
||||
dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
|
||||
|
||||
# for error condition handling
|
||||
allow getty_t fs_t:filesystem getattr;
|
||||
|
||||
@ -120,7 +120,10 @@ allow initrc_t domain:process { getattr getsession };
|
||||
|
||||
# Mount and unmount file systems.
|
||||
allow initrc_t fs_type:filesystem mount_fs_perms;
|
||||
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
|
||||
allow initrc_t file_t:dir { read search getattr mounton };
|
||||
|
||||
# during boot up initrc needs to do the following
|
||||
allow initrc_t default_t:dir { read search getattr mounton };
|
||||
|
||||
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
|
||||
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
|
||||
@ -153,9 +156,6 @@ allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
|
||||
# Kill all processes.
|
||||
allow initrc_t domain:process signal_perms;
|
||||
|
||||
# Read and unlink /var/run/*.pid files.
|
||||
allow initrc_t pidfile:file { getattr read unlink };
|
||||
|
||||
# Write to /dev/urandom.
|
||||
allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
|
||||
|
||||
@ -229,9 +229,13 @@ allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
|
||||
allow initrc_t { home_root_t home_type }:dir r_dir_perms;
|
||||
allow initrc_t home_type:file r_file_perms;
|
||||
|
||||
# Read and unlink /var/run/*.pid files.
|
||||
allow initrc_t pidfile:file { getattr read unlink };
|
||||
|
||||
# for system start scripts
|
||||
allow initrc_t pidfile:dir rw_dir_perms;
|
||||
allow initrc_t pidfile:sock_file unlink;
|
||||
|
||||
rw_dir_create_file(initrc_t, var_lib_t)
|
||||
|
||||
# allow start scripts to clean /tmp
|
||||
@ -252,7 +256,9 @@ type run_init_t, domain;
|
||||
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
|
||||
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
|
||||
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
|
||||
typeattribute initrc_t privuser;
|
||||
domain_trans(initrc_t, shell_exec_t, unconfined_t)
|
||||
allow initrc_t unconfined_t:system syslog_mod;
|
||||
', `
|
||||
run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
|
||||
')
|
||||
@ -309,3 +315,4 @@ ifdef(`distro_gentoo', `
|
||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||
')
|
||||
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow initrc_t device_t:lnk_file create_file_perms;
|
||||
|
||||
@ -9,14 +9,13 @@
|
||||
# Declarations for Samba
|
||||
#
|
||||
|
||||
daemon_domain(smbd, `, auth_chkpwd')
|
||||
daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
|
||||
daemon_domain(nmbd)
|
||||
type samba_etc_t, file_type, sysadmfile, usercanread;
|
||||
type samba_log_t, file_type, sysadmfile, logfile;
|
||||
type samba_var_t, file_type, sysadmfile;
|
||||
type samba_share_t, file_type, sysadmfile, customizable;
|
||||
type samba_secrets_t, file_type, sysadmfile;
|
||||
typealias samba_var_t alias samba_spool_t;
|
||||
|
||||
# for /var/run/samba/messages.tdb
|
||||
allow smbd_t nmbd_var_run_t:file rw_file_perms;
|
||||
@ -41,14 +40,17 @@ allow system_crond_t samba_log_t:file { read getattr lock };
|
||||
general_domain_access(smbd_t)
|
||||
general_proc_read_access(smbd_t)
|
||||
|
||||
type smbd_port_t, port_type, reserved_port_type;
|
||||
allow smbd_t smbd_port_t:tcp_socket name_bind;
|
||||
|
||||
# Use capabilities.
|
||||
allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
|
||||
|
||||
# Use the network.
|
||||
can_network_server(smbd_t)
|
||||
can_network(smbd_t)
|
||||
can_ldap(smbd_t)
|
||||
can_kerberos(smbd_t)
|
||||
can_winbind(smbd_t)
|
||||
allow smbd_t ipp_port_t:tcp_socket name_connect;
|
||||
|
||||
allow smbd_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
@ -62,13 +64,16 @@ allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
|
||||
|
||||
# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
|
||||
allow smbd_t var_lib_t:dir search;
|
||||
allow smbd_t samba_var_t:dir create_dir_perms;
|
||||
allow smbd_t samba_var_t:file create_file_perms;
|
||||
create_dir_file(smbd_t, samba_var_t)
|
||||
|
||||
# Needed for shared printers
|
||||
allow smbd_t var_spool_t:dir search;
|
||||
|
||||
# Permissions to write log files.
|
||||
allow smbd_t samba_log_t:file { create ra_file_perms };
|
||||
allow smbd_t var_log_t:dir search;
|
||||
allow smbd_t samba_log_t:dir ra_dir_perms;
|
||||
dontaudit smbd_t samba_log_t:dir remove_name;
|
||||
|
||||
allow smbd_t usr_t:file { getattr read };
|
||||
|
||||
@ -88,7 +93,6 @@ can_exec(logrotate_t, samba_log_t)
|
||||
general_domain_access(nmbd_t)
|
||||
general_proc_read_access(nmbd_t)
|
||||
|
||||
type nmbd_port_t, port_type, reserved_port_type;
|
||||
allow nmbd_t nmbd_port_t:udp_socket name_bind;
|
||||
|
||||
# Use capabilities.
|
||||
@ -111,6 +115,7 @@ allow nmbd_t usr_t:file { getattr read };
|
||||
allow nmbd_t samba_log_t:file { create ra_file_perms };
|
||||
allow nmbd_t var_log_t:dir search;
|
||||
allow nmbd_t samba_log_t:dir ra_dir_perms;
|
||||
allow nmbd_t etc_t:file { getattr read };
|
||||
ifdef(`cups.te', `
|
||||
allow smbd_t cupsd_rw_etc_t:file { getattr read };
|
||||
')
|
||||
@ -136,6 +141,7 @@ allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_over
|
||||
# Access samba config
|
||||
allow smbmount_t samba_etc_t:file r_file_perms;
|
||||
allow smbmount_t samba_etc_t:dir r_dir_perms;
|
||||
allow initrc_t samba_etc_t:file rw_file_perms;
|
||||
|
||||
# Write samba log
|
||||
allow smbmount_t samba_log_t:file create_file_perms;
|
||||
@ -153,6 +159,7 @@ allow smbmount_t etc_t:file r_file_perms;
|
||||
|
||||
# Networking
|
||||
can_network(smbmount_t)
|
||||
allow smbmount_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(smbmount_t)
|
||||
allow smbmount_t self:unix_dgram_socket create_socket_perms;
|
||||
allow smbmount_t self:unix_stream_socket create_socket_perms;
|
||||
@ -180,3 +187,28 @@ access_terminal(smbmount_t, sysadm)
|
||||
allow smbmount_t userdomain:fd use;
|
||||
allow smbmount_t local_login_t:fd use;
|
||||
')
|
||||
# Derive from app. domain. Transition from mount.
|
||||
application_domain(samba_net, `, nscd_client_domain')
|
||||
file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
|
||||
read_locale(samba_net_t)
|
||||
allow samba_net_t samba_etc_t:file r_file_perms;
|
||||
r_dir_file(samba_net_t, samba_var_t)
|
||||
can_network_udp(samba_net_t)
|
||||
access_terminal(samba_net_t, sysadm)
|
||||
allow samba_net_t self:unix_dgram_socket create_socket_perms;
|
||||
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
|
||||
rw_dir_create_file(samba_net_t, samba_var_t)
|
||||
allow samba_net_t etc_t:file { getattr read };
|
||||
can_network_client(samba_net_t)
|
||||
allow samba_net_t smbd_port_t:tcp_socket name_connect;
|
||||
can_ldap(samba_net_t)
|
||||
can_kerberos(samba_net_t)
|
||||
allow samba_net_t urandom_device_t:chr_file r_file_perms;
|
||||
allow samba_net_t proc_t:dir search;
|
||||
allow samba_net_t proc_t:lnk_file read;
|
||||
allow samba_net_t self:dir search;
|
||||
allow samba_net_t self:file read;
|
||||
allow samba_net_t self:process signal;
|
||||
tmp_domain(samba_net)
|
||||
dontaudit samba_net_t sysadm_home_dir_t:dir search;
|
||||
allow samba_net_t privfd:fd use;
|
||||
|
||||
@ -64,8 +64,6 @@ can_unix_connect(privlog,syslogd_t)
|
||||
allow privlog devlog_t:lnk_file read;
|
||||
|
||||
ifdef(`crond.te', `
|
||||
# Write to the cron log.
|
||||
allow syslogd_t crond_log_t:file rw_file_perms;
|
||||
# for daemon re-start
|
||||
allow system_crond_t syslogd_t:lnk_file read;
|
||||
')
|
||||
@ -79,16 +77,10 @@ allow syslogd_t initrc_var_run_t:file { read lock };
|
||||
dontaudit syslogd_t initrc_var_run_t:file write;
|
||||
allow syslogd_t ttyfile:chr_file { getattr write };
|
||||
|
||||
ifdef(`klogd.te', `', `
|
||||
# Allow access to /proc/kmsg for syslog-ng
|
||||
allow syslogd_t proc_t:dir search;
|
||||
allow syslogd_t proc_kmsg_t:file { getattr read };
|
||||
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
|
||||
')
|
||||
#
|
||||
# Special case to handle crashes
|
||||
#
|
||||
allow syslogd_t { device_t file_t }:sock_file unlink;
|
||||
allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
|
||||
|
||||
# Allow syslog to a terminal
|
||||
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
|
||||
@ -100,6 +92,18 @@ allow syslogd_t syslogd_port_t:udp_socket name_bind;
|
||||
#
|
||||
dontaudit syslogd_t file_t:dir search;
|
||||
allow syslogd_t { tmpfs_t devpts_t }:dir search;
|
||||
dontaudit syslogd_t unlabeled_t:file read;
|
||||
dontaudit syslogd_t unlabeled_t:file { getattr read };
|
||||
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
||||
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
ifdef(`targeted_policy', `
|
||||
allow syslogd_t var_run_t:fifo_file { ioctl read write };
|
||||
')
|
||||
|
||||
# Allow access to /proc/kmsg for syslog-ng
|
||||
allow syslogd_t proc_t:dir search;
|
||||
allow syslogd_t proc_kmsg_t:file { getattr read };
|
||||
allow syslogd_t kernel_t:system { syslog_mod syslog_console };
|
||||
allow syslogd_t self:capability { sys_admin chown fsetid };
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
allow syslogd_t syslogd_port_t:tcp_socket name_bind;
|
||||
allow syslogd_t rsh_port_t:tcp_socket name_connect;
|
||||
|
||||
@ -31,6 +31,8 @@ read_locale(updfstab_t)
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, updfstab)
|
||||
allow updfstab_t system_dbusd_t:dbus { send_msg };
|
||||
allow initrc_t updfstab_t:dbus send_msg;
|
||||
allow updfstab_t initrc_t:dbus send_msg;
|
||||
')
|
||||
|
||||
# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
|
||||
@ -72,3 +74,8 @@ can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
|
||||
dontaudit updfstab_t home_root_t:dir { getattr search };
|
||||
dontaudit updfstab_t { home_dir_type home_type }:dir search;
|
||||
allow updfstab_t fs_t:filesystem { getattr };
|
||||
allow updfstab_t tmpfs_t:dir getattr;
|
||||
ifdef(`hald.te', `
|
||||
can_unix_connect(updfstab_t, hald_t)
|
||||
')
|
||||
|
||||
|
||||
@ -98,3 +98,7 @@ allow groupadd_t self:capability { setuid sys_resource };
|
||||
allow groupadd_t self:process setrlimit;
|
||||
allow groupadd_t initrc_var_run_t:file r_file_perms;
|
||||
dontaudit groupadd_t initrc_var_run_t:file write;
|
||||
|
||||
allow useradd_t default_context_t:dir search;
|
||||
allow useradd_t file_context_t:dir search;
|
||||
allow useradd_t file_context_t:file { getattr read };
|
||||
|
||||
@ -38,10 +38,7 @@ allow utempter_t user_tmpfile:file { getattr write append };
|
||||
|
||||
# Inherit and use descriptors from login.
|
||||
allow utempter_t privfd:fd use;
|
||||
ifdef(`xdm.te', `
|
||||
allow utempter_t xdm_t:fd use;
|
||||
allow utempter_t xdm_t:fifo_file { write getattr };
|
||||
')
|
||||
ifdef(`xdm.te', `can_pipe_xdm(utempter_t)')
|
||||
|
||||
allow utempter_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
# samba scripts
|
||||
/usr/sbin/smbd -- system_u:object_r:smbd_exec_t
|
||||
/usr/sbin/nmbd -- system_u:object_r:nmbd_exec_t
|
||||
/usr/bin/net -- system_u:object_r:samba_net_exec_t
|
||||
/etc/samba(/.*)? system_u:object_r:samba_etc_t
|
||||
/var/log/samba(/.*)? system_u:object_r:samba_log_t
|
||||
/var/cache/samba(/.*)? system_u:object_r:samba_var_t
|
||||
|
||||
Loading…
Reference in New Issue
Block a user