more merging from 1.27.1-15
This commit is contained in:
Chris PeBenito
parent
f9d771d299
commit
65a2523024
@ -11,16 +11,23 @@
|
||||
daemon_domain(bluetooth)
|
||||
|
||||
file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
|
||||
file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
|
||||
|
||||
tmp_domain(bluetooth)
|
||||
var_lib_domain(bluetooth)
|
||||
|
||||
# Use capabilities.
|
||||
allow bluetooth_t self:file read;
|
||||
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
|
||||
allow bluetooth_t self:process getsched;
|
||||
allow bluetooth_t proc_t:file { getattr read };
|
||||
|
||||
allow bluetooth_t self:shm create_shm_perms;
|
||||
|
||||
lock_domain(bluetooth)
|
||||
|
||||
# Use the network.
|
||||
can_network_server(bluetooth_t)
|
||||
can_network(bluetooth_t)
|
||||
can_ypbind(bluetooth_t)
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, bluetooth)
|
||||
@ -35,6 +42,7 @@ dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
|
||||
|
||||
# bluetooth_conf_t is the type of the /etc/bluetooth dir.
|
||||
type bluetooth_conf_t, file_type, sysadmfile;
|
||||
type bluetooth_conf_rw_t, file_type, sysadmfile;
|
||||
|
||||
# Read /etc/bluetooth
|
||||
allow bluetooth_t bluetooth_conf_t:dir search;
|
||||
@ -44,5 +52,56 @@ allow initrc_t usbfs_t:file { getattr read };
|
||||
allow bluetooth_t usbfs_t:dir r_dir_perms;
|
||||
allow bluetooth_t usbfs_t:file rw_file_perms;
|
||||
allow bluetooth_t bin_t:dir search;
|
||||
can_exec(bluetooth_t, bin_t)
|
||||
can_exec(bluetooth_t, { bin_t shell_exec_t })
|
||||
allow bluetooth_t bin_t:lnk_file read;
|
||||
|
||||
#Handle bluetooth serial devices
|
||||
allow bluetooth_t tty_device_t:chr_file rw_file_perms;
|
||||
allow bluetooth_t self:fifo_file rw_file_perms;
|
||||
allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
|
||||
r_dir_file(bluetooth_t, fonts_t)
|
||||
allow bluetooth_t urandom_device_t:chr_file r_file_perms;
|
||||
allow bluetooth_t usr_t:file { getattr read };
|
||||
|
||||
application_domain(bluetooth_helper, `, nscd_client_domain')
|
||||
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
|
||||
role system_r types bluetooth_helper_t;
|
||||
read_locale(bluetooth_helper_t)
|
||||
typeattribute bluetooth_helper_t unrestricted;
|
||||
r_dir_file(bluetooth_helper_t, domain)
|
||||
allow bluetooth_helper_t bin_t:dir { getattr search };
|
||||
can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
|
||||
allow bluetooth_helper_t bin_t:lnk_file read;
|
||||
allow bluetooth_helper_t self:capability sys_nice;
|
||||
allow bluetooth_helper_t self:fifo_file rw_file_perms;
|
||||
allow bluetooth_helper_t self:process fork;
|
||||
allow bluetooth_helper_t self:shm create_shm_perms;
|
||||
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
|
||||
r_dir_file(bluetooth_helper_t, fonts_t)
|
||||
r_dir_file(bluetooth_helper_t, proc_t)
|
||||
read_sysctl(bluetooth_helper_t)
|
||||
allow bluetooth_helper_t tmp_t:dir search;
|
||||
allow bluetooth_helper_t usr_t:file { getattr read };
|
||||
allow bluetooth_helper_t home_dir_type:dir search;
|
||||
ifdef(`xserver.te', `
|
||||
allow bluetooth_helper_t xserver_log_t:dir search;
|
||||
allow bluetooth_helper_t xserver_log_t:file { getattr read };
|
||||
')
|
||||
ifdef(`targeted_policy', `
|
||||
allow bluetooth_helper_t tmp_t:sock_file { read write };
|
||||
allow bluetooth_helper_t tmpfs_t:file { read write };
|
||||
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
|
||||
allow bluetooth_t unconfined_t:dbus send_msg;
|
||||
allow unconfined_t bluetooth_t:dbus send_msg;
|
||||
', `
|
||||
ifdef(`xdm.te', `
|
||||
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
|
||||
')
|
||||
allow bluetooth_t unpriv_userdomain:dbus send_msg;
|
||||
allow unpriv_userdomain bluetooth_t:dbus send_msg;
|
||||
')
|
||||
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
||||
|
||||
dontaudit bluetooth_helper_t default_t:dir { read search };
|
||||
dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
|
||||
|
||||
@ -44,7 +44,7 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
|
||||
read_locale(crond_t)
|
||||
|
||||
# Use capabilities.
|
||||
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
|
||||
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
|
||||
dontaudit crond_t self:capability sys_resource;
|
||||
|
||||
# Get security policy decisions.
|
||||
@ -208,4 +208,7 @@ dontaudit system_crond_t removable_t:filesystem getattr;
|
||||
dontaudit crond_t self:capability sys_tty_config;
|
||||
ifdef(`apache.te', `
|
||||
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
|
||||
allow system_crond_t httpd_modules_t:lnk_file read;
|
||||
# Needed for certwatch
|
||||
can_exec(system_crond_t, httpd_modules_t)
|
||||
')
|
||||
|
||||
@ -135,7 +135,6 @@ allow dhcpc_t { userdomain kernel_t }:fd use;
|
||||
allow dhcpc_t home_root_t:dir search;
|
||||
allow initrc_t dhcpc_state_t:file { getattr read };
|
||||
dontaudit dhcpc_t var_lock_t:dir search;
|
||||
dontaudit dhcpc_t selinux_config_t:dir search;
|
||||
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
dontaudit dhcpc_t domain:dir getattr;
|
||||
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
|
||||
@ -146,6 +145,7 @@ can_exec(dhcpc_t, initrc_exec_t)
|
||||
ifdef(`ypbind.te', `
|
||||
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
|
||||
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
|
||||
allow dhcpc_t ypbind_t:process signal;
|
||||
')
|
||||
ifdef(`ntpd.te', `
|
||||
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
|
||||
|
||||
@ -118,3 +118,6 @@ allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
|
||||
allow fsadm_t usbfs_t:dir { getattr search };
|
||||
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
|
||||
allow fsadm_t device_type:chr_file getattr;
|
||||
|
||||
# for tune2fs
|
||||
allow fsadm_t file_type:dir { getattr search };
|
||||
|
||||
@ -99,9 +99,11 @@ bool ftp_home_dir false;
|
||||
|
||||
if (ftp_home_dir) {
|
||||
# allow access to /home
|
||||
allow ftpd_t home_root_t:dir { getattr search };
|
||||
allow ftpd_t home_dir_type:dir r_dir_perms;
|
||||
allow ftpd_t home_root_t:dir r_dir_perms;
|
||||
create_dir_file(ftpd_t, home_type)
|
||||
ifdef(`targeted_policy', `
|
||||
file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
|
||||
')
|
||||
}
|
||||
if (use_nfs_home_dirs && ftp_home_dir) {
|
||||
r_dir_file(ftpd_t, nfs_t)
|
||||
|
||||
@ -24,7 +24,8 @@ dbusd_client(system, hald)
|
||||
allow hald_t self:dbus send_msg;
|
||||
')
|
||||
|
||||
allow hald_t { self proc_t }:file { getattr read };
|
||||
allow hald_t self:file { getattr read };
|
||||
allow hald_t proc_t:file rw_file_perms;
|
||||
|
||||
allow hald_t { bin_t sbin_t }:dir search;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
|
||||
@ -62,6 +62,11 @@ can_exec($1_login_t, pam_exec_t)
|
||||
|
||||
ifdef(`pamconsole.te', `
|
||||
rw_dir_create_file($1_login_t, pam_var_console_t)
|
||||
domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
|
||||
')
|
||||
|
||||
ifdef(`alsa.te', `
|
||||
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
|
||||
')
|
||||
|
||||
# Use capabilities
|
||||
|
||||
@ -140,8 +140,9 @@ allow insmod_t initrc_t:fifo_file { getattr read write };
|
||||
|
||||
allow insmod_t fs_t:filesystem getattr;
|
||||
allow insmod_t sysfs_t:dir search;
|
||||
allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
|
||||
allow insmod_t { usbfs_t usbdevfs_t }:dir search;
|
||||
allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
|
||||
r_dir_file(insmod_t, debugfs_t)
|
||||
|
||||
# Rules for /proc/sys/kernel/tainted
|
||||
read_sysctl(insmod_t)
|
||||
|
||||
@ -42,7 +42,7 @@ allow mysqld_t proc_t:file { getattr read };
|
||||
create_dir_file(mysqld_t, mysqld_db_t)
|
||||
allow mysqld_t var_lib_t:dir { getattr search };
|
||||
|
||||
can_network_server(mysqld_t)
|
||||
can_network(mysqld_t)
|
||||
can_ypbind(mysqld_t)
|
||||
|
||||
# read config files
|
||||
|
||||
@ -36,7 +36,7 @@ allow named_t sbin_t:dir search;
|
||||
allow named_t self:process { setsched setcap setrlimit };
|
||||
|
||||
# A type for configuration files of named.
|
||||
type named_conf_t, file_type, sysadmfile;
|
||||
type named_conf_t, file_type, sysadmfile, mount_point;
|
||||
|
||||
# for primary zone files
|
||||
type named_zone_t, file_type, sysadmfile;
|
||||
@ -101,6 +101,13 @@ allow named_t random_device_t:chr_file r_file_perms;
|
||||
# Use a pipe created by self.
|
||||
allow named_t self:fifo_file rw_file_perms;
|
||||
|
||||
# Enable named dbus support:
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, named)
|
||||
allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
|
||||
allow named_t self:dbus send_msg;
|
||||
')
|
||||
|
||||
# Set own capabilities.
|
||||
#A type for /usr/sbin/ndc
|
||||
type ndc_exec_t, file_type,sysadmfile, exec_type;
|
||||
|
||||
@ -63,3 +63,4 @@ allow restorecon_t kernel_t:fd use;
|
||||
allow restorecon_t kernel_t:fifo_file { read write };
|
||||
allow restorecon_t kernel_t:unix_dgram_socket { read write };
|
||||
r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
|
||||
allow restorecon_t autofs_t:dir search;
|
||||
|
||||
@ -1,67 +1,67 @@
|
||||
ifdef(`distro_redhat', `
|
||||
/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
|
||||
/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
|
||||
/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
|
||||
/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
|
||||
/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
|
||||
/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t:s0
|
||||
/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t:s0
|
||||
/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t:s0
|
||||
/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t:s0
|
||||
/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t:s0
|
||||
/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0
|
||||
/etc/rhgb(/.*)? -d system_u:object_r:mnt_t:s0
|
||||
/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t:s0
|
||||
/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
|
||||
/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
|
||||
/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
|
||||
/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
|
||||
/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
|
||||
/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t
|
||||
/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t
|
||||
/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
|
||||
/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
|
||||
/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t
|
||||
/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t
|
||||
/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t
|
||||
/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
|
||||
/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t
|
||||
/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t
|
||||
/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
|
||||
/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
|
||||
/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
|
||||
/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
|
||||
#
|
||||
# /emul/ia32-linux/usr
|
||||
#
|
||||
/emul(/.*)? system_u:object_r:usr_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0
|
||||
/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
|
||||
/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t:s0
|
||||
/emul(/.*)? system_u:object_r:usr_t
|
||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t
|
||||
/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
|
||||
/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
|
||||
/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
|
||||
/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t
|
||||
/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
|
||||
/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
|
||||
/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
|
||||
/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
|
||||
/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t
|
||||
# /emul/ia32-linux/lib
|
||||
/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t:s0
|
||||
/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
|
||||
/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
|
||||
/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t
|
||||
/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
|
||||
/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
|
||||
# /emul/ia32-linux/bin
|
||||
/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t:s0
|
||||
/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t
|
||||
# /emul/ia32-linux/sbin
|
||||
/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t:s0
|
||||
/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t
|
||||
|
||||
ifdef(`dbusd.te', `', `
|
||||
/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0
|
||||
/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
|
||||
')
|
||||
|
||||
# The following are libraries with text relocations in need of execmod permissions
|
||||
@ -69,96 +69,96 @@ ifdef(`dbusd.te', `', `
|
||||
|
||||
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
|
||||
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
|
||||
/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/.*/program(/.*)? system_u:object_r:bin_t:s0
|
||||
/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t:s0
|
||||
/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/.*/program(/.*)? system_u:object_r:bin_t
|
||||
/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t
|
||||
/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t
|
||||
|
||||
# Fedora Extras packages: ladspa, imlib2, ocaml
|
||||
/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t
|
||||
|
||||
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
||||
/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
|
||||
HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
|
||||
|
||||
# Jai, Sun Microsystems (Jpackage SPRM)
|
||||
/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
|
||||
/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
|
||||
|
||||
# Java, Sun Microsystems (JPackage SRPM)
|
||||
/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
|
||||
|
||||
/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t:s0
|
||||
/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t:s0
|
||||
/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
|
||||
/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
|
||||
/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
|
||||
/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t
|
||||
')
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
/var/lib/samba/bin/.+ system_u:object_r:bin_t:s0
|
||||
/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t:s0
|
||||
/usr/lib/samba/classic/.* -- system_u:object_r:bin_t:s0
|
||||
/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
|
||||
/success -- system_u:object_r:etc_runtime_t:s0
|
||||
/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t:s0
|
||||
/var/lib/samba/bin/.+ system_u:object_r:bin_t
|
||||
/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t
|
||||
/usr/lib/samba/classic/.* -- system_u:object_r:bin_t
|
||||
/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
|
||||
/success -- system_u:object_r:etc_runtime_t
|
||||
/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t
|
||||
')
|
||||
|
||||
@ -1,8 +1,11 @@
|
||||
# bluetooth
|
||||
/etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t
|
||||
/etc/bluetooth/link_key system_u:object_r:bluetooth_conf_rw_t
|
||||
/usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t
|
||||
/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t
|
||||
/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
|
||||
/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t
|
||||
/var/run/sdp -s system_u:object_r:bluetooth_var_run_t
|
||||
/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t
|
||||
/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t
|
||||
/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t
|
||||
|
||||
@ -4,9 +4,11 @@
|
||||
/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t
|
||||
/etc/dhclient-script -- system_u:object_r:dhcp_etc_t
|
||||
/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
|
||||
/sbin/dhcdbd -- system_u:object_r:dhcpc_exec_t
|
||||
/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
|
||||
/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
|
||||
/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
|
||||
/var/lib/dhclient(/.*)? system_u:object_r:dhcpc_state_t
|
||||
/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
|
||||
/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
|
||||
# pump
|
||||
|
||||
@ -13,6 +13,7 @@ ifdef(`distro_gentoo', `
|
||||
/etc/dhcp -d system_u:object_r:dhcp_etc_t
|
||||
/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t
|
||||
/var/lib/dhcp -d system_u:object_r:dhcp_state_t
|
||||
/var/lib/dhcpd(/.*)? system_u:object_r:dhcpd_state_t
|
||||
/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
|
||||
/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
|
||||
|
||||
|
||||
@ -10,7 +10,8 @@
|
||||
/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
|
||||
/var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t
|
||||
/var/log/xferlog.* -- system_u:object_r:xferlog_t
|
||||
/var/log/vsftpd.* -- system_u:object_r:xferlog_t
|
||||
/var/log/xferreport.* -- system_u:object_r:xferlog_t
|
||||
/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t
|
||||
/var/ftp(/.*)? system_u:object_r:ftpd_anon_t
|
||||
/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t
|
||||
/var/ftp(/.*)? system_u:object_r:public_content_t
|
||||
/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t
|
||||
|
||||
@ -21,6 +21,7 @@
|
||||
/usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
|
||||
/usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
|
||||
/var/run/pluto(/.*)? system_u:object_r:ipsec_var_run_t
|
||||
/var/racoon(/.*)? system_u:object_r:ipsec_var_run_t
|
||||
|
||||
# Kame
|
||||
/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
# mdadm - manage MD devices aka Linux Software Raid.
|
||||
/sbin/mdmpd -- system_u:object_r:mdadm_exec_t
|
||||
/sbin/mdadm -- system_u:object_r:mdadm_exec_t
|
||||
/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
|
||||
/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
|
||||
|
||||
@ -16,5 +16,5 @@
|
||||
/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t
|
||||
ifdef(`distro_redhat', `
|
||||
/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t
|
||||
/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
|
||||
/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
|
||||
')
|
||||
|
||||
@ -5,7 +5,7 @@
|
||||
/usr/bin/yum -- system_u:object_r:rpm_exec_t
|
||||
/usr/bin/apt-get -- system_u:object_r:rpm_exec_t
|
||||
/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
|
||||
/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
|
||||
/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
|
||||
/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t
|
||||
/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t
|
||||
/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t
|
||||
@ -23,3 +23,7 @@ ifdef(`distro_suse', `
|
||||
/var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t
|
||||
/var/log/YaST2(/.*)? system_u:object_r:rpm_log_t
|
||||
')
|
||||
|
||||
ifdef(`mls_policy', `
|
||||
/sbin/cpio -- system_u:object_r:rpm_exec_t
|
||||
')
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
# rsync program
|
||||
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
|
||||
/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t
|
||||
/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
|
||||
/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t
|
||||
/usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t
|
||||
/usr/bin/gdm-binary -- system_u:object_r:xdm_exec_t
|
||||
/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t
|
||||
/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t
|
||||
/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t
|
||||
/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
# ypserv
|
||||
/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t
|
||||
/usr/lib/yp/.+ -- system_u:object_r:bin_t
|
||||
/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
|
||||
|
||||
@ -133,6 +133,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t
|
||||
/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
|
||||
/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
|
||||
/dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t
|
||||
/dev/rfcomm[0-9]+ -c system_u:object_r:tty_device_t
|
||||
/dev/isdn.* -c system_u:object_r:tty_device_t
|
||||
/dev/.*tty[^/]* -c system_u:object_r:tty_device_t
|
||||
/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t
|
||||
@ -485,6 +486,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
# Turboprint
|
||||
#
|
||||
/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
|
||||
/usr/share/hwdata(/.*)? system_u:object_r:hwdata_t
|
||||
|
||||
#
|
||||
# initrd mount point, only used during boot
|
||||
|
||||
@ -40,6 +40,12 @@ file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_f
|
||||
allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
|
||||
can_setfscreate($1_t)
|
||||
|
||||
ifdef(`ftpd.te' , `
|
||||
if (ftpd_is_daemon) {
|
||||
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
|
||||
}
|
||||
')
|
||||
|
||||
allow $1_t self:capability { setgid chown fowner };
|
||||
dontaudit $1_t self:capability { sys_nice fsetid };
|
||||
|
||||
|
||||
@ -84,6 +84,7 @@ allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_per
|
||||
# the perl executable will be able to run a perl script
|
||||
#########################################################################
|
||||
can_exec_any(httpd_$1_script_t)
|
||||
|
||||
allow httpd_$1_script_t etc_t:file { getattr read };
|
||||
dontaudit httpd_$1_script_t selinux_config_t:dir search;
|
||||
|
||||
|
||||
@ -41,7 +41,7 @@ allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
|
||||
|
||||
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
|
||||
allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
|
||||
allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
|
||||
can_access_pty($1_cdrecord_t, $1)
|
||||
allow $1_cdrecord_t $1_home_t:dir search;
|
||||
allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
|
||||
allow $1_cdrecord_t $1_home_t:file r_file_perms;
|
||||
|
||||
@ -68,7 +68,7 @@ ifdef(`crond.te', `
|
||||
allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
|
||||
allow mta_user_agent system_crond_tmp_t:file { read getattr };
|
||||
')
|
||||
allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
|
||||
can_access_pty(system_mail_t, initrc)
|
||||
|
||||
', `
|
||||
# For when the user wants to send mail via port 25 localhost
|
||||
|
||||
@ -20,6 +20,8 @@ uses_shlib($1_t)
|
||||
read_locale($1_t)
|
||||
read_sysctl($1_t)
|
||||
|
||||
allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
|
||||
|
||||
# for when the user types "exec newrole" at the command line
|
||||
allow $1_t privfd:process sigchld;
|
||||
|
||||
|
||||
@ -54,7 +54,7 @@ allow $1_su_t proc_t:file read;
|
||||
allow $1_su_t self:process { setsched setrlimit };
|
||||
allow $1_su_t device_t:dir search;
|
||||
allow $1_su_t self:process { fork sigchld };
|
||||
can_ypbind($1_su_t)
|
||||
nsswitch_domain($1_su_t)
|
||||
r_dir_file($1_su_t, selinux_config_t)
|
||||
|
||||
dontaudit $1_su_t shadow_t:file { getattr read };
|
||||
|
||||
Loading…
Reference in New Issue
Block a user