fixes from sediff
This commit is contained in:
Chris PeBenito
parent
1d85c7a7c6
commit
681c9a02e7
@ -1,3 +1,5 @@
|
||||
- Fix errors uncovered by sediff.
|
||||
|
||||
* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
|
||||
- Make logrotate, sendmail, sshd, and rpm policies
|
||||
unconfined in the targeted policy so no special
|
||||
|
||||
@ -49,6 +49,7 @@ init_use_script_fd(consoletype_t)
|
||||
domain_use_wide_inherit_fd(consoletype_t)
|
||||
|
||||
files_dontaudit_read_root_file(consoletype_t)
|
||||
files_list_usr(consoletype_t)
|
||||
|
||||
libs_use_ld_so(consoletype_t)
|
||||
libs_use_shared_libs(consoletype_t)
|
||||
|
||||
@ -295,6 +295,22 @@ interface(`bootloader_create_runtime_file',`
|
||||
type_transition $1 boot_t:file boot_runtime_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the contents of the kernel module directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_search_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of the kernel module directories.
|
||||
@ -306,7 +322,6 @@ interface(`bootloader_create_runtime_file',`
|
||||
interface(`bootloader_list_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
|
||||
@ -120,6 +120,7 @@ domain_exec_all_entry_files(bootloader_t)
|
||||
domain_use_wide_inherit_fd(bootloader_t)
|
||||
|
||||
files_read_etc_files(bootloader_t)
|
||||
files_exec_etc_files(bootloader_t)
|
||||
files_read_etc_runtime_files(bootloader_t)
|
||||
files_read_usr_src_files(bootloader_t)
|
||||
files_read_usr_files(bootloader_t)
|
||||
@ -135,6 +136,7 @@ init_rw_script_pipe(bootloader_t)
|
||||
libs_use_ld_so(bootloader_t)
|
||||
libs_use_shared_libs(bootloader_t)
|
||||
libs_read_lib(bootloader_t)
|
||||
libs_exec_lib_files(bootloader_t)
|
||||
|
||||
logging_send_syslog_msg(bootloader_t)
|
||||
logging_rw_generic_logs(bootloader_t)
|
||||
|
||||
@ -28,7 +28,7 @@ allow comsat_t self:dir search;
|
||||
allow comsat_t self:fifo_file rw_file_perms;
|
||||
allow comsat_t self:{ lnk_file file } { getattr read };
|
||||
allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow comsat_t self:tcp_socket create_stream_socket_perms;
|
||||
allow comsat_t self:tcp_socket connected_stream_socket_perms;
|
||||
|
||||
allow comsat_t comsat_tmp_t:dir create_dir_perms;
|
||||
allow comsat_t comsat_tmp_t:file create_file_perms;
|
||||
@ -41,18 +41,21 @@ kernel_read_kernel_sysctl(comsat_t)
|
||||
kernel_read_network_state(comsat_t)
|
||||
kernel_read_system_state(comsat_t)
|
||||
|
||||
corenet_raw_sendrecv_all_if(comsat_t)
|
||||
corenet_tcp_sendrecv_all_if(comsat_t)
|
||||
corenet_raw_sendrecv_all_nodes(comsat_t)
|
||||
corenet_udp_sendrecv_all_if(comsat_t)
|
||||
corenet_raw_sendrecv_all_if(comsat_t)
|
||||
corenet_tcp_sendrecv_all_nodes(comsat_t)
|
||||
corenet_tcp_bind_all_nodes(comsat_t)
|
||||
corenet_udp_sendrecv_all_nodes(comsat_t)
|
||||
corenet_raw_sendrecv_all_nodes(comsat_t)
|
||||
corenet_tcp_sendrecv_all_ports(comsat_t)
|
||||
corenet_tcp_bind_all_nodes(comsat_t)
|
||||
|
||||
dev_read_urand(comsat_t)
|
||||
|
||||
fs_getattr_xattr_fs(comsat_t)
|
||||
|
||||
files_read_etc_files(comsat_t)
|
||||
files_list_usr(comsat_t)
|
||||
files_search_spool(comsat_t)
|
||||
files_search_home(comsat_t)
|
||||
|
||||
|
||||
@ -182,7 +182,7 @@ template(`cron_per_userdomain_template',`
|
||||
allow $2 $1_crontab_t:process signal;
|
||||
|
||||
# Allow crond to read those crontabs in cron spool.
|
||||
allow crond_t $1_cron_spool_t:file r_file_perms;
|
||||
allow crond_t $1_cron_spool_t:file create_file_perms;
|
||||
|
||||
# dac_override is to create the file in the directory under /tmp
|
||||
allow $1_crontab_t self:capability { setuid setgid chown dac_override };
|
||||
|
||||
@ -51,10 +51,10 @@ files_tmp_file(system_crond_tmp_t)
|
||||
# Cron Local policy
|
||||
#
|
||||
|
||||
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
|
||||
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
|
||||
dontaudit crond_t self:capability { sys_resource sys_tty_config };
|
||||
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow crond_t self:process setexec;
|
||||
allow crond_t self:process { setexec setfscreate };
|
||||
allow crond_t self:fd use;
|
||||
allow crond_t self:fifo_file rw_file_perms;
|
||||
allow crond_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -73,7 +73,7 @@ allow crond_t crond_tmp_t:dir create_dir_perms;
|
||||
allow crond_t crond_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
|
||||
|
||||
allow crond_t cron_spool_t:dir r_dir_perms;
|
||||
allow crond_t cron_spool_t:dir rw_dir_perms;
|
||||
allow crond_t cron_spool_t:file r_file_perms;
|
||||
allow crond_t system_cron_spool_t:dir r_dir_perms;
|
||||
allow crond_t system_cron_spool_t:file r_file_perms;
|
||||
@ -104,6 +104,7 @@ domain_use_wide_inherit_fd(crond_t)
|
||||
|
||||
files_read_etc_files(crond_t)
|
||||
files_read_generic_spools(crond_t)
|
||||
files_list_usr(crond_t)
|
||||
# Read from /var/spool/cron.
|
||||
files_search_var_lib(crond_t)
|
||||
files_search_default(crond_t)
|
||||
|
||||
@ -25,6 +25,7 @@ files_pid_file(dhcpd_var_run_t)
|
||||
#
|
||||
|
||||
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
|
||||
allow dhcpd_t self:process signal_perms;
|
||||
allow dhcpd_t self:fifo_file { read write getattr };
|
||||
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow dhcpd_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
@ -42,6 +42,7 @@ files_tmp_file(lvm_tmp_t)
|
||||
#
|
||||
|
||||
dontaudit clvmd_t self:capability sys_tty_config;
|
||||
allow clvmd_t self:process signal_perms;
|
||||
allow clvmd_t self:socket create_socket_perms;
|
||||
allow clvmd_t self:fifo_file { read write };
|
||||
allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
@ -78,6 +79,8 @@ term_dontaudit_use_console(clvmd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(clvmd_t)
|
||||
|
||||
files_list_usr(clvmd_t)
|
||||
|
||||
init_use_fd(clvmd_t)
|
||||
init_use_script_pty(clvmd_t)
|
||||
|
||||
|
||||
@ -171,6 +171,7 @@ init_use_script_pty(depmod_t)
|
||||
files_read_etc_runtime_files(depmod_t)
|
||||
files_read_etc_files(depmod_t)
|
||||
files_read_usr_src_files(depmod_t)
|
||||
files_list_usr(depmod_t)
|
||||
|
||||
libs_use_ld_so(depmod_t)
|
||||
libs_use_shared_libs(depmod_t)
|
||||
|
||||
@ -52,6 +52,8 @@ kernel_list_proc(cardmgr_t)
|
||||
kernel_read_proc_symlinks(cardmgr_t)
|
||||
kernel_dontaudit_getattr_message_if(cardmgr_t)
|
||||
|
||||
bootloader_search_kernel_modules(cardmgr_t)
|
||||
|
||||
dev_read_sysfs(cardmgr_t)
|
||||
dev_getattr_all_chr_files(cardmgr_t)
|
||||
dev_getattr_all_blk_files(cardmgr_t)
|
||||
@ -79,6 +81,7 @@ domain_dontaudit_ptrace_confined_domains(cardmgr_t)
|
||||
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
|
||||
domain_dontaudit_getattr_all_sockets(cardmgr_t)
|
||||
|
||||
files_list_usr(cardmgr_t)
|
||||
files_search_home(cardmgr_t)
|
||||
files_read_etc_runtime_files(cardmgr_t)
|
||||
files_exec_etc_files(cardmgr_t)
|
||||
@ -104,6 +107,8 @@ logging_send_syslog_msg(cardmgr_t)
|
||||
|
||||
miscfiles_read_localization(cardmgr_t)
|
||||
|
||||
modutils_domtrans_insmod(cardmgr_t)
|
||||
|
||||
sysnet_domtrans_ifconfig(cardmgr_t)
|
||||
# for /etc/resolv.conf
|
||||
sysnet_create_config(cardmgr_t)
|
||||
@ -126,6 +131,7 @@ optional_policy(`sysnetwork.te',`
|
||||
sysnet_domtrans_dhcpc(cardmgr_t)
|
||||
|
||||
sysnet_read_dhcpc_pid(cardmgr_t)
|
||||
sysnet_delete_dhcpc_pid(cardmgr_t)
|
||||
sysnet_kill_dhcpc(cardmgr_t)
|
||||
sysnet_sigchld_dhcpc(cardmgr_t)
|
||||
sysnet_signal_dhcpc(cardmgr_t)
|
||||
@ -138,12 +144,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow cardmgr_t modules_object_t:dir search;
|
||||
|
||||
ifdef(`dhcpc.te',`
|
||||
allow cardmgr_t dhcpc_var_run_t:file unlink;
|
||||
')
|
||||
|
||||
# Create device files in /tmp.
|
||||
# cjp: why is this created all over the place?
|
||||
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
|
||||
|
||||
@ -125,6 +125,7 @@ term_use_console(checkpolicy_t)
|
||||
|
||||
domain_use_wide_inherit_fd(checkpolicy_t)
|
||||
|
||||
files_list_usr(checkpolicy_t)
|
||||
# directory search permissions for path to source and binary policy files
|
||||
files_search_etc(checkpolicy_t)
|
||||
|
||||
|
||||
@ -11,9 +11,6 @@
|
||||
interface(`sysnet_domtrans_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t, dhcpc_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -61,7 +58,6 @@ interface(`sysnet_run_dhcpc',`
|
||||
interface(`sysnet_sigchld_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process sigchld;
|
||||
@ -78,7 +74,6 @@ interface(`sysnet_sigchld_dhcpc',`
|
||||
interface(`sysnet_kill_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process sigkill;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process sigkill;
|
||||
@ -95,7 +90,6 @@ interface(`sysnet_kill_dhcpc',`
|
||||
interface(`sysnet_sigstop_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process sigstop;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process sigstop;
|
||||
@ -112,7 +106,6 @@ interface(`sysnet_sigstop_dhcpc',`
|
||||
interface(`sysnet_signull_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process signull;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process signull;
|
||||
@ -129,7 +122,6 @@ interface(`sysnet_signull_dhcpc',`
|
||||
interface(`sysnet_signal_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process signal;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process signal;
|
||||
@ -146,7 +138,6 @@ interface(`sysnet_signal_dhcpc',`
|
||||
interface(`sysnet_rw_dhcp_config',`
|
||||
gen_require(`
|
||||
type dhcp_etc_t;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -164,7 +155,6 @@ interface(`sysnet_rw_dhcp_config',`
|
||||
interface(`sysnet_read_dhcpc_state',`
|
||||
gen_require(`
|
||||
type dhcpc_state_t;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
allow $1 dhcpc_state_t:file { getattr read };
|
||||
@ -181,7 +171,6 @@ interface(`sysnet_read_dhcpc_state',`
|
||||
interface(`sysnet_read_config',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -200,7 +189,6 @@ interface(`sysnet_read_config',`
|
||||
interface(`sysnet_create_config',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
files_create_etc_config($1,net_conf_t,file)
|
||||
@ -217,7 +205,6 @@ interface(`sysnet_create_config',`
|
||||
interface(`sysnet_manage_config',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 net_conf_t:file create_file_perms;
|
||||
@ -234,13 +221,28 @@ interface(`sysnet_manage_config',`
|
||||
interface(`sysnet_read_dhcpc_pid',`
|
||||
gen_require(`
|
||||
type dhcpc_var_run_t;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
files_list_pids($1)
|
||||
allow $1 dhcpc_var_run_t:file { getattr read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Delete the dhcp client pid file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_delete_dhcpc_pid',`
|
||||
gen_require(`
|
||||
type dhcpc_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_var_run_t:file unlink;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Execute ifconfig in the ifconfig domain.
|
||||
@ -336,7 +338,6 @@ interface(`sysnet_read_dhcp_config',`
|
||||
interface(`sysnet_search_dhcp_state',`
|
||||
gen_require(`
|
||||
type dhcp_state_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
@ -370,7 +371,6 @@ interface(`sysnet_search_dhcp_state',`
|
||||
interface(`sysnet_create_dhcp_state',`
|
||||
gen_require(`
|
||||
type dhcp_state_t;
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
@ -393,7 +393,6 @@ interface(`sysnet_create_dhcp_state',`
|
||||
interface(`sysnet_dns_name_resolve',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
class udp_socket create_socket_perms;
|
||||
')
|
||||
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
@ -419,7 +418,6 @@ interface(`sysnet_dns_name_resolve',`
|
||||
interface(`sysnet_use_ldap',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
class tcp_socket create_socket_perms;
|
||||
')
|
||||
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
@ -447,8 +445,6 @@ interface(`sysnet_use_ldap',`
|
||||
interface(`sysnet_use_portmap',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
class tcp_socket create_socket_perms;
|
||||
class udp_socket create_socket_perms;
|
||||
')
|
||||
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
|
||||
@ -45,12 +45,12 @@ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_s
|
||||
dontaudit dhcpc_t self:capability sys_tty_config;
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
||||
|
||||
allow dhcpc_t self:tcp_socket create_socket_perms;
|
||||
allow dhcpc_t self:process signal_perms;
|
||||
allow dhcpc_t self:fifo_file rw_file_perms;
|
||||
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
|
||||
allow dhcpc_t self:udp_socket create_socket_perms;
|
||||
allow dhcpc_t self:packet_socket create_socket_perms;
|
||||
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
allow dhcpc_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
|
||||
allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user