Change initrc_var_run_t interface noun from script_pid to utmp for clarity.
parent
b94cc19178
commit
68228b3300
@ -1,3 +1,5 @@
|
||||
- Change initrc_var_run_t interface noun from script_pid to utmp,
|
||||
for greater clarity.
|
||||
- Added modules:
|
||||
portage
|
||||
userhelper
|
||||
|
@ -81,7 +81,7 @@ files_manage_var_files(firstboot_t)
|
||||
files_manage_var_symlinks(firstboot_t)
|
||||
|
||||
init_domtrans_script(firstboot_t)
|
||||
init_rw_script_pid(firstboot_t)
|
||||
init_rw_utmp(firstboot_t)
|
||||
|
||||
libs_use_ld_so(firstboot_t)
|
||||
libs_use_shared_libs(firstboot_t)
|
||||
|
@ -64,7 +64,7 @@ template(`su_restricted_domain_template', `
|
||||
init_dontaudit_use_fd($1_su_t)
|
||||
init_dontaudit_use_script_pty($1_su_t)
|
||||
# Write to utmp.
|
||||
init_rw_script_pid($1_su_t)
|
||||
init_rw_utmp($1_su_t)
|
||||
|
||||
libs_use_ld_so($1_su_t)
|
||||
libs_use_shared_libs($1_su_t)
|
||||
@ -199,7 +199,7 @@ template(`su_per_userdomain_template',`
|
||||
|
||||
init_dontaudit_use_fd($1_su_t)
|
||||
# Write to utmp.
|
||||
init_rw_script_pid($1_su_t)
|
||||
init_rw_utmp($1_su_t)
|
||||
|
||||
libs_use_ld_so($1_su_t)
|
||||
libs_use_shared_libs($1_su_t)
|
||||
|
@ -121,7 +121,7 @@ template(`sudo_per_userdomain_template',`
|
||||
# for some PAM modules and for cwd
|
||||
files_dontaudit_search_home($1_sudo_t)
|
||||
|
||||
init_rw_script_pid($1_sudo_t)
|
||||
init_rw_utmp($1_sudo_t)
|
||||
|
||||
libs_use_ld_so($1_sudo_t)
|
||||
libs_use_shared_libs($1_sudo_t)
|
||||
|
@ -115,7 +115,7 @@ files_dontaudit_search_var(chfn_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(chfn_t)
|
||||
init_dontaudit_rw_utmp(chfn_t)
|
||||
|
||||
libs_use_ld_so(chfn_t)
|
||||
libs_use_shared_libs(chfn_t)
|
||||
@ -218,8 +218,8 @@ term_use_all_user_ttys(groupadd_t)
|
||||
term_use_all_user_ptys(groupadd_t)
|
||||
|
||||
init_use_fd(groupadd_t)
|
||||
init_read_script_pid(groupadd_t)
|
||||
init_dontaudit_write_script_pid(groupadd_t)
|
||||
init_read_utmp(groupadd_t)
|
||||
init_dontaudit_write_utmp(groupadd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(groupadd_t)
|
||||
|
||||
@ -319,7 +319,7 @@ files_relabel_etc_files(passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(passwd_t)
|
||||
init_dontaudit_rw_utmp(passwd_t)
|
||||
|
||||
libs_use_ld_so(passwd_t)
|
||||
libs_use_shared_libs(passwd_t)
|
||||
@ -413,7 +413,7 @@ files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(sysadm_passwd_t)
|
||||
init_dontaudit_rw_utmp(sysadm_passwd_t)
|
||||
|
||||
libs_use_ld_so(sysadm_passwd_t)
|
||||
libs_use_shared_libs(sysadm_passwd_t)
|
||||
@ -486,7 +486,7 @@ files_search_var_lib(useradd_t)
|
||||
files_relabel_etc_files(useradd_t)
|
||||
|
||||
init_use_fd(useradd_t)
|
||||
init_rw_script_pid(useradd_t)
|
||||
init_rw_utmp(useradd_t)
|
||||
|
||||
libs_use_ld_so(useradd_t)
|
||||
libs_use_shared_libs(useradd_t)
|
||||
|
@ -123,8 +123,8 @@ template(`irc_per_userdomain_template',`
|
||||
term_list_ptys($1_irc_t)
|
||||
|
||||
# allow utmp access
|
||||
init_read_script_pid($1_irc_t)
|
||||
init_dontaudit_lock_pid($1_irc_t)
|
||||
init_read_utmp($1_irc_t)
|
||||
init_dontaudit_lock_utmp($1_irc_t)
|
||||
|
||||
libs_use_ld_so($1_irc_t)
|
||||
libs_use_shared_libs($1_irc_t)
|
||||
|
@ -142,7 +142,7 @@ template(`screen_per_userdomain_template',`
|
||||
auth_dontaudit_exec_utempter($1_screen_t)
|
||||
|
||||
# Write to utmp.
|
||||
init_rw_script_pid($1_screen_t)
|
||||
init_rw_utmp($1_screen_t)
|
||||
|
||||
libs_use_ld_so($1_screen_t)
|
||||
libs_use_shared_libs($1_screen_t)
|
||||
|
@ -127,7 +127,7 @@ files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
|
||||
init_domtrans_script(apmd_t)
|
||||
init_use_fd(apmd_t)
|
||||
init_use_script_pty(apmd_t)
|
||||
init_rw_script_pid(apmd_t)
|
||||
init_rw_utmp(apmd_t)
|
||||
init_write_initctl(apmd_t)
|
||||
|
||||
libs_exec_ld_so(apmd_t)
|
||||
|
@ -64,8 +64,8 @@ files_list_usr(comsat_t)
|
||||
files_search_spool(comsat_t)
|
||||
files_search_home(comsat_t)
|
||||
|
||||
init_read_script_pid(comsat_t)
|
||||
init_dontaudit_write_script_pid(comsat_t)
|
||||
init_read_utmp(comsat_t)
|
||||
init_dontaudit_write_utmp(comsat_t)
|
||||
|
||||
libs_use_ld_so(comsat_t)
|
||||
libs_use_shared_libs(comsat_t)
|
||||
|
@ -120,7 +120,7 @@ files_search_default(crond_t)
|
||||
|
||||
init_use_fd(crond_t)
|
||||
init_use_script_pty(crond_t)
|
||||
init_rw_script_pid(crond_t)
|
||||
init_rw_utmp(crond_t)
|
||||
|
||||
libs_use_ld_so(crond_t)
|
||||
libs_use_shared_libs(crond_t)
|
||||
@ -331,8 +331,8 @@ ifdef(`targeted_policy',`
|
||||
init_use_fd(system_crond_t)
|
||||
init_use_script_fd(system_crond_t)
|
||||
init_use_script_pty(system_crond_t)
|
||||
init_read_script_pid(system_crond_t)
|
||||
init_dontaudit_rw_script_pid(system_crond_t)
|
||||
init_read_utmp(system_crond_t)
|
||||
init_dontaudit_rw_utmp(system_crond_t)
|
||||
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||||
init_write_initctl(system_crond_t)
|
||||
|
||||
|
@ -99,7 +99,7 @@ files_dontaudit_list_default(dovecot_t)
|
||||
|
||||
init_use_fd(dovecot_t)
|
||||
init_use_script_pty(dovecot_t)
|
||||
init_getattr_script_pids(dovecot_t)
|
||||
init_getattr_utmp(dovecot_t)
|
||||
|
||||
libs_use_ld_so(dovecot_t)
|
||||
libs_use_shared_libs(dovecot_t)
|
||||
|
@ -81,8 +81,8 @@ files_search_home(fingerd_t)
|
||||
files_read_etc_files(fingerd_t)
|
||||
files_read_etc_runtime_files(fingerd_t)
|
||||
|
||||
init_read_script_pid(fingerd_t)
|
||||
init_dontaudit_write_script_pid(fingerd_t)
|
||||
init_read_utmp(fingerd_t)
|
||||
init_dontaudit_write_utmp(fingerd_t)
|
||||
init_use_fd(fingerd_t)
|
||||
init_use_script_pty(fingerd_t)
|
||||
|
||||
|
@ -62,7 +62,7 @@ files_read_etc_files(howl_t)
|
||||
|
||||
init_use_fd(howl_t)
|
||||
init_use_script_pty(howl_t)
|
||||
init_rw_script_pid(howl_t)
|
||||
init_rw_utmp(howl_t)
|
||||
|
||||
libs_use_ld_so(howl_t)
|
||||
libs_use_shared_libs(howl_t)
|
||||
|
@ -80,7 +80,7 @@ files_read_usr_files(NetworkManager_t)
|
||||
|
||||
init_use_fd(NetworkManager_t)
|
||||
init_use_script_pty(NetworkManager_t)
|
||||
init_read_script_pid(NetworkManager_t)
|
||||
init_read_utmp(NetworkManager_t)
|
||||
init_domtrans_script(NetworkManager_t)
|
||||
|
||||
libs_use_ld_so(NetworkManager_t)
|
||||
|
@ -99,7 +99,7 @@ files_read_var_lib_symlinks(pegasus_t)
|
||||
|
||||
init_use_fd(pegasus_t)
|
||||
init_use_script_pty(pegasus_t)
|
||||
init_rw_script_pid(pegasus_t)
|
||||
init_rw_utmp(pegasus_t)
|
||||
|
||||
libs_use_ld_so(pegasus_t)
|
||||
libs_use_shared_libs(pegasus_t)
|
||||
|
@ -187,7 +187,7 @@ domain_dontaudit_use_wide_inherit_fd(portmap_helper_t)
|
||||
files_read_etc_files(portmap_helper_t)
|
||||
files_rw_generic_pids(portmap_helper_t)
|
||||
|
||||
init_rw_script_pid(portmap_helper_t)
|
||||
init_rw_utmp(portmap_helper_t)
|
||||
|
||||
libs_use_ld_so(portmap_helper_t)
|
||||
libs_use_shared_libs(portmap_helper_t)
|
||||
|
@ -121,7 +121,7 @@ files_search_etc(postgresql_t)
|
||||
files_read_etc_runtime_files(postgresql_t)
|
||||
files_read_usr_files(postgresql_t)
|
||||
|
||||
init_read_script_pid(postgresql_t)
|
||||
init_read_utmp(postgresql_t)
|
||||
init_use_fd(postgresql_t)
|
||||
init_use_script_pty(postgresql_t)
|
||||
|
||||
|
@ -153,8 +153,8 @@ files_read_etc_runtime_files(pppd_t)
|
||||
# for scripts
|
||||
files_read_etc_files(pppd_t)
|
||||
|
||||
init_read_script_pid(pppd_t)
|
||||
init_dontaudit_write_script_pid(pppd_t)
|
||||
init_read_utmp(pppd_t)
|
||||
init_dontaudit_write_utmp(pppd_t)
|
||||
init_use_fd(pppd_t)
|
||||
init_use_script_pty(pppd_t)
|
||||
|
||||
|
@ -99,7 +99,7 @@ files_list_mnt(remote_login_t)
|
||||
# for when /var/mail is a sym-link
|
||||
files_read_var_symlink(remote_login_t)
|
||||
|
||||
init_rw_script_pid(remote_login_t)
|
||||
init_rw_utmp(remote_login_t)
|
||||
|
||||
libs_use_ld_so(remote_login_t)
|
||||
libs_use_shared_libs(remote_login_t)
|
||||
|
@ -75,7 +75,7 @@ files_read_etc_runtime_files(rlogind_t)
|
||||
files_search_home(rlogind_t)
|
||||
files_search_default(rlogind_t)
|
||||
|
||||
init_rw_script_pid(rlogind_t)
|
||||
init_rw_utmp(rlogind_t)
|
||||
|
||||
libs_use_ld_so(rlogind_t)
|
||||
libs_use_shared_libs(rlogind_t)
|
||||
|
@ -76,8 +76,8 @@ files_read_etc_runtime_files(sendmail_t)
|
||||
init_use_fd(sendmail_t)
|
||||
init_use_script_pty(sendmail_t)
|
||||
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
|
||||
init_read_script_pid(sendmail_t)
|
||||
init_dontaudit_write_script_pid(sendmail_t)
|
||||
init_read_utmp(sendmail_t)
|
||||
init_dontaudit_write_utmp(sendmail_t)
|
||||
|
||||
libs_use_ld_so(sendmail_t)
|
||||
libs_use_shared_libs(sendmail_t)
|
||||
|
@ -97,10 +97,10 @@ storage_dontaudit_read_removable_device(snmpd_t)
|
||||
|
||||
term_dontaudit_use_console(snmpd_t)
|
||||
|
||||
init_read_script_pid(snmpd_t)
|
||||
init_read_utmp(snmpd_t)
|
||||
init_use_fd(snmpd_t)
|
||||
init_use_script_pty(snmpd_t)
|
||||
init_dontaudit_write_script_pid(snmpd_t)
|
||||
init_dontaudit_write_utmp(snmpd_t)
|
||||
|
||||
libs_use_ld_so(snmpd_t)
|
||||
libs_use_shared_libs(snmpd_t)
|
||||
|
@ -99,7 +99,7 @@ files_read_etc_runtime_files(spamd_t)
|
||||
|
||||
init_use_fd(spamd_t)
|
||||
init_use_script_pty(spamd_t)
|
||||
init_dontaudit_rw_script_pid(spamd_t)
|
||||
init_dontaudit_rw_utmp(spamd_t)
|
||||
|
||||
libs_use_ld_so(spamd_t)
|
||||
libs_use_shared_libs(spamd_t)
|
||||
|
@ -473,7 +473,7 @@ template(`ssh_server_template', `
|
||||
files_read_etc_files($1_t)
|
||||
files_read_etc_runtime_files($1_t)
|
||||
|
||||
init_rw_script_pid($1_t)
|
||||
init_rw_utmp($1_t)
|
||||
|
||||
libs_use_ld_so($1_t)
|
||||
libs_use_shared_libs($1_t)
|
||||
|
@ -74,7 +74,7 @@ files_read_etc_runtime_files(telnetd_t)
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
files_search_home(telnetd_t)
|
||||
|
||||
init_rw_script_pid(telnetd_t)
|
||||
init_rw_utmp(telnetd_t)
|
||||
|
||||
libs_use_ld_so(telnetd_t)
|
||||
libs_use_shared_libs(telnetd_t)
|
||||
|
@ -105,7 +105,7 @@ fs_search_auto_mountpoints(pam_t)
|
||||
term_use_all_user_ttys(pam_t)
|
||||
term_use_all_user_ptys(pam_t)
|
||||
|
||||
init_dontaudit_rw_script_pid(pam_t)
|
||||
init_dontaudit_rw_utmp(pam_t)
|
||||
|
||||
files_read_etc_files(pam_t)
|
||||
files_list_pids(pam_t)
|
||||
@ -289,7 +289,7 @@ term_dontaudit_use_all_user_ttys(utempter_t)
|
||||
term_dontaudit_use_all_user_ptys(utempter_t)
|
||||
term_dontaudit_use_ptmx(utempter_t)
|
||||
|
||||
init_rw_script_pid(utempter_t)
|
||||
init_rw_utmp(utempter_t)
|
||||
|
||||
files_read_etc_files(utempter_t)
|
||||
|
||||
|
@ -89,7 +89,7 @@ files_rw_generic_pids(getty_t)
|
||||
files_read_etc_runtime_files(getty_t)
|
||||
files_read_etc_files(getty_t)
|
||||
|
||||
init_rw_script_pid(getty_t)
|
||||
init_rw_utmp(getty_t)
|
||||
init_use_script_pty(getty_t)
|
||||
init_dontaudit_use_script_pty(getty_t)
|
||||
|
||||
|
@ -774,7 +774,7 @@ interface(`init_filetrans_script_tmp',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_getattr_script_pids',`
|
||||
interface(`init_getattr_utmp',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
class file getattr;
|
||||
@ -785,9 +785,9 @@ interface(`init_getattr_script_pids',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_read_script_pid(domain)
|
||||
# init_read_utmp(domain)
|
||||
#
|
||||
interface(`init_read_script_pid',`
|
||||
interface(`init_read_utmp',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
class file r_file_perms;
|
||||
@ -799,9 +799,9 @@ interface(`init_read_script_pid',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_dontaudit_write_script_pid(domain)
|
||||
# init_dontaudit_write_utmp(domain)
|
||||
#
|
||||
interface(`init_dontaudit_write_script_pid',`
|
||||
interface(`init_dontaudit_write_utmp',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
class file { write lock };
|
||||
@ -819,7 +819,7 @@ interface(`init_dontaudit_write_script_pid',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_dontaudit_lock_pid',`
|
||||
interface(`init_dontaudit_lock_utmp',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
')
|
||||
@ -829,9 +829,9 @@ interface(`init_dontaudit_lock_pid',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_rw_script_pid(domain)
|
||||
# init_rw_utmp(domain)
|
||||
#
|
||||
interface(`init_rw_script_pid',`
|
||||
interface(`init_rw_utmp',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
class file rw_file_perms;
|
||||
@ -843,9 +843,9 @@ interface(`init_rw_script_pid',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_dontaudit_rw_script_pid(domain)
|
||||
# init_dontaudit_rw_utmp(domain)
|
||||
#
|
||||
interface(`init_dontaudit_rw_script_pid',`
|
||||
interface(`init_dontaudit_rw_utmp',`
|
||||
gen_require(`
|
||||
type initrc_var_run_t;
|
||||
class file rw_file_perms;
|
||||
@ -856,7 +856,7 @@ interface(`init_dontaudit_rw_script_pid',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage init files like utmp.
|
||||
## Create, read, write, and delete utmp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain access allowed.
|
||||
|
@ -142,7 +142,7 @@ files_read_world_readable_sockets(local_login_t)
|
||||
# for when /var/mail is a symlink
|
||||
files_read_var_symlink(local_login_t)
|
||||
|
||||
init_rw_script_pid(local_login_t)
|
||||
init_rw_utmp(local_login_t)
|
||||
init_dontaudit_use_fd(local_login_t)
|
||||
|
||||
libs_use_ld_so(local_login_t)
|
||||
|
@ -313,8 +313,8 @@ term_dontaudit_use_console(syslogd_t)
|
||||
term_write_unallocated_ttys(syslogd_t)
|
||||
|
||||
# for sending messages to logged in users
|
||||
init_read_script_pid(syslogd_t)
|
||||
init_dontaudit_write_script_pid(syslogd_t)
|
||||
init_read_utmp(syslogd_t)
|
||||
init_dontaudit_write_utmp(syslogd_t)
|
||||
term_write_all_user_ttys(syslogd_t)
|
||||
|
||||
corenet_raw_sendrecv_all_if(syslogd_t)
|
||||
|
@ -264,7 +264,7 @@ domain_use_wide_inherit_fd(newrole_t)
|
||||
domain_sigchld_wide_inherit_fd(newrole_t)
|
||||
|
||||
# Write to utmp.
|
||||
init_rw_script_pid(newrole_t)
|
||||
init_rw_utmp(newrole_t)
|
||||
|
||||
files_read_etc_files(newrole_t)
|
||||
files_read_var_files(newrole_t)
|
||||
@ -439,7 +439,7 @@ ifdef(`targeted_policy',`',`
|
||||
|
||||
init_domtrans_script(run_init_t)
|
||||
# for utmp
|
||||
init_rw_script_pid(run_init_t)
|
||||
init_rw_utmp(run_init_t)
|
||||
|
||||
libs_use_ld_so(run_init_t)
|
||||
libs_use_shared_libs(run_init_t)
|
||||
|
@ -133,7 +133,7 @@ files_dontaudit_search_locks(dhcpc_t)
|
||||
|
||||
init_use_fd(dhcpc_t)
|
||||
init_use_script_pty(dhcpc_t)
|
||||
init_rw_script_pid(dhcpc_t)
|
||||
init_rw_utmp(dhcpc_t)
|
||||
|
||||
logging_send_syslog_msg(dhcpc_t)
|
||||
|
||||
|
@ -115,8 +115,8 @@ files_getattr_generic_locks(udev_t)
|
||||
files_search_mnt(udev_t)
|
||||
|
||||
init_use_fd(udev_t)
|
||||
init_read_script_pid(udev_t)
|
||||
init_dontaudit_write_script_pid(udev_t)
|
||||
init_read_utmp(udev_t)
|
||||
init_dontaudit_write_utmp(udev_t)
|
||||
|
||||
libs_use_ld_so(udev_t)
|
||||
libs_use_shared_libs(udev_t)
|
||||
|
@ -588,10 +588,10 @@ template(`unpriv_user_template', `
|
||||
files_read_world_readable_pipes($1_t)
|
||||
files_read_world_readable_sockets($1_t)
|
||||
|
||||
init_read_script_pid($1_t)
|
||||
init_read_utmp($1_t)
|
||||
# The library functions always try to open read-write first,
|
||||
# then fall back to read-only if it fails.
|
||||
init_dontaudit_write_script_pid($1_t)
|
||||
init_dontaudit_write_utmp($1_t)
|
||||
# Stop warnings about access to /dev/console
|
||||
init_dontaudit_use_fd($1_t)
|
||||
init_dontaudit_use_script_fd($1_t)
|
||||
|