patch from dan Fri, 22 Sep 2006 16:30:34 -0400
This commit is contained in:
Chris PeBenito
parent
8708d9bef2
commit
693d4aedb5
|
|
@ -70,6 +70,7 @@
|
|||
Fri, 01 Sep 2006
|
||||
Tue, 05 Sep 2006
|
||||
Wed, 20 Sep 2006
|
||||
Fri, 22 Sep 2006
|
||||
- Added modules:
|
||||
afs
|
||||
amavis (Erich Schubert)
|
||||
|
|
|
|||
|
|
@ -573,6 +573,13 @@ gen_tunable(xdm_sysadm_login,false)
|
|||
#
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow all daemons the ability to use unallocated ttys
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_daemons_use_tty,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow mount to mount any file
|
||||
|
|
|
|||
|
|
@ -6,7 +6,9 @@
|
|||
|
||||
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
||||
/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
#/sbin/grub-.* -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
|
||||
#/sbin/grubby -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
|
||||
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(bootloader,1.2.6)
|
||||
policy_module(bootloader,1.2.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(readahead,1.2.1)
|
||||
policy_module(readahead,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -52,6 +52,8 @@ fs_dontaudit_read_ramfs_pipes(readahead_t)
|
|||
fs_dontaudit_read_ramfs_files(readahead_t)
|
||||
fs_read_tmpfs_symlinks(readahead_t)
|
||||
|
||||
mls_file_read_up(readahead_t)
|
||||
|
||||
term_dontaudit_use_console(readahead_t)
|
||||
|
||||
auth_dontaudit_read_shadow(readahead_t)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(corenetwork,1.1.16)
|
||||
policy_module(corenetwork,1.1.17)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -82,7 +82,7 @@ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
|||
network_port(giftd, tcp,1213,s0)
|
||||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
|
||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
network_port(i18n_input, tcp,9010,s0)
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ ifdef(`distro_redhat',`
|
|||
')
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
|
|
@ -49,7 +49,7 @@ ifdef(`distro_suse',`
|
|||
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
|
||||
|
|
@ -58,7 +58,7 @@ ifdef(`distro_suse',`
|
|||
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/reader.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/smartd\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
|
||||
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(files,1.2.18)
|
||||
policy_module(files,1.2.19)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -58,6 +58,8 @@ files_type(etc_t)
|
|||
#
|
||||
type etc_runtime_t;
|
||||
files_type(etc_runtime_t)
|
||||
#Temporarily in policy until FC5 dissappears
|
||||
typealias etc_runtime_t alias firstboot_rw_t;
|
||||
|
||||
#
|
||||
# file_t is the default type of a file that has not yet been
|
||||
|
|
|
|||
|
|
@ -455,7 +455,7 @@ interface(`fs_register_binary_executable_type',`
|
|||
')
|
||||
|
||||
allow $1 binfmt_misc_fs_t:dir { getattr search };
|
||||
allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
|
||||
allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(filesystem,1.3.15)
|
||||
policy_module(filesystem,1.3.16)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(bind,1.1.9)
|
||||
policy_module(bind,1.1.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -223,6 +223,7 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
|
|||
allow ndc_t named_t:unix_stream_socket connectto;
|
||||
|
||||
allow ndc_t named_conf_t:file { getattr read };
|
||||
allow ndc_t named_conf_t:lnk_file { getattr read };
|
||||
|
||||
allow ndc_t named_var_run_t:sock_file rw_file_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@
|
|||
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
|
||||
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
|
||||
|
||||
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
||||
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
||||
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
||||
/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(cron,1.3.13)
|
||||
policy_module(cron,1.3.14)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(hal,1.3.13)
|
||||
policy_module(hal,1.3.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -111,6 +111,10 @@ storage_raw_write_removable_device(hald_t)
|
|||
storage_raw_read_fixed_disk(hald_t)
|
||||
storage_raw_write_fixed_disk(hald_t)
|
||||
|
||||
# hal_probe_serial causes these
|
||||
term_setattr_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_unallocated_ttys(hald_t)
|
||||
|
||||
auth_use_nsswitch(hald_t)
|
||||
|
||||
init_use_fds(hald_t)
|
||||
|
|
@ -144,8 +148,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hald_t)
|
|||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_console(hald_t)
|
||||
term_setattr_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_generic_ptys(hald_t)
|
||||
files_dontaudit_read_root_files(hald_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(networkmanager,1.3.8)
|
||||
policy_module(networkmanager,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -163,6 +163,7 @@ optional_policy(`
|
|||
optional_policy(`
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
ppp_read_pid_files(NetworkManager_t)
|
||||
ppp_signal(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(nscd,1.2.8)
|
||||
policy_module(nscd,1.2.9)
|
||||
|
||||
gen_require(`
|
||||
class nscd all_nscd_perms;
|
||||
|
|
@ -89,6 +89,8 @@ domain_use_interactive_fds(nscd_t)
|
|||
|
||||
files_read_etc_files(nscd_t)
|
||||
files_read_generic_tmp_symlinks(nscd_t)
|
||||
# Needed to read files created by firstboot "/etc/hesiod.conf"
|
||||
files_read_etc_runtime_files(nscd_t)
|
||||
|
||||
init_use_fds(nscd_t)
|
||||
init_use_script_ptys(nscd_t)
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ ifdef(`distro_redhat', `
|
|||
/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
||||
/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
||||
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
||||
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(postfix,1.2.13)
|
||||
policy_module(postfix,1.2.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ssh,1.3.12)
|
||||
policy_module(ssh,1.3.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -71,12 +71,15 @@ ifdef(`targeted_policy',`
|
|||
ifdef(`strict_policy',`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow sshd_t self:key { search link write };
|
||||
|
||||
allow sshd_t sshd_tmp_t:dir create_dir_perms;
|
||||
allow sshd_t sshd_tmp_t:file create_file_perms;
|
||||
allow sshd_t sshd_tmp_t:sock_file create_file_perms;
|
||||
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
|
||||
|
||||
kernel_link_key(sshd_t)
|
||||
|
||||
# for X forwarding
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
|
|
|||
|
|
@ -63,8 +63,11 @@ interface(`init_daemon_domain',`
|
|||
attribute direct_run_init, direct_init, direct_init_entry;
|
||||
type initrc_t;
|
||||
role system_r;
|
||||
attribute daemon;
|
||||
')
|
||||
|
||||
typeattribute $1 daemon;
|
||||
|
||||
domain_type($1)
|
||||
domain_entry_file($1,$2)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(init,1.3.25)
|
||||
policy_module(init,1.3.26)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
|
@ -16,6 +16,9 @@ attribute direct_run_init;
|
|||
attribute direct_init;
|
||||
attribute direct_init_entry;
|
||||
|
||||
# Mark process types as daemons
|
||||
attribute daemon;
|
||||
|
||||
#
|
||||
# init_t is the domain of the init process.
|
||||
#
|
||||
|
|
@ -206,6 +209,7 @@ optional_policy(`
|
|||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
allow initrc_t self:capability ~{ sys_admin sys_module };
|
||||
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||
allow initrc_t self:passwd rootok;
|
||||
|
||||
# Allow IPC with self
|
||||
|
|
@ -513,6 +517,11 @@ ifdef(`targeted_policy',`
|
|||
optional_policy(`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_daemons_use_tty',`
|
||||
term_use_unallocated_ttys(daemon)
|
||||
term_use_generic_ptys(daemon)
|
||||
')
|
||||
',`
|
||||
# cjp: require doesnt work in the else of optionals :\
|
||||
# this also would result in a type transition
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(logging,1.3.11)
|
||||
policy_module(logging,1.3.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -161,6 +161,7 @@ libs_use_shared_libs(auditd_t)
|
|||
miscfiles_read_localization(auditd_t)
|
||||
|
||||
mls_file_read_up(auditd_t)
|
||||
mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
|
||||
mls_rangetrans_target(auditd_t)
|
||||
|
||||
seutil_dontaudit_read_config(auditd_t)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(udev,1.3.5)
|
||||
policy_module(udev,1.3.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -92,6 +92,7 @@ dev_rw_generic_files(udev_t)
|
|||
dev_delete_generic_files(udev_t)
|
||||
|
||||
domain_read_all_domains_state(udev_t)
|
||||
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
||||
|
||||
files_read_etc_runtime_files(udev_t)
|
||||
files_read_etc_files(udev_t)
|
||||
|
|
|
|||
|
|
@ -4317,6 +4317,7 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
|
|||
')
|
||||
|
||||
dontaudit $1 user_home_dir_t:dir search_dir_perms;
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
dontaudit $1 user_home_t:file r_file_perms;
|
||||
',`
|
||||
gen_require(`
|
||||
|
|
@ -4324,7 +4325,8 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
|
|||
')
|
||||
|
||||
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
|
||||
dontaudit $1 sysadm_home_t:dir r_file_perms;
|
||||
dontaudit $1 sysadm_home_t:dir search_dir_perms;
|
||||
dontaudit $1 sysadm_home_t:file r_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
|
|
@ -5121,6 +5123,28 @@ interface(`userdom_write_unpriv_users_tmp_files',`
|
|||
allow $1 user_tmpfile:file { getattr write append };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write unprivileged user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_unpriv_users_ttys',`
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_unallocated_ttys($1)
|
||||
',`
|
||||
gen_require(`
|
||||
attribute user_ttynode;
|
||||
')
|
||||
|
||||
allow $1 user_ttynode:chr_file rw_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to use unprivileged
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(userdomain,1.3.34)
|
||||
policy_module(userdomain,1.3.35)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
|
|
@ -111,6 +111,10 @@ ifdef(`strict_policy',`
|
|||
|
||||
init_exec(sysadm_t)
|
||||
|
||||
# Following for sending reboot and wall messages
|
||||
userdom_use_unpriv_users_ptys(sysadm_t)
|
||||
userdom_use_unpriv_users_ttys(sysadm_t)
|
||||
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
optional_policy(`
|
||||
init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
|
||||
|
|
@ -128,11 +132,13 @@ ifdef(`strict_policy',`
|
|||
domain_kill_all_domains(auditadm_t)
|
||||
seutil_read_bin_policy(auditadm_t)
|
||||
corecmd_exec_shell(auditadm_t)
|
||||
logging_send_syslog_msg(auditadm_t)
|
||||
logging_read_generic_logs(auditadm_t)
|
||||
logging_manage_audit_log(auditadm_t)
|
||||
logging_manage_audit_config(auditadm_t)
|
||||
logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
|
||||
logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
||||
userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
|
||||
|
||||
allow secadm_t self:capability dac_override;
|
||||
corecmd_exec_shell(secadm_t)
|
||||
|
|
@ -148,6 +154,7 @@ ifdef(`strict_policy',`
|
|||
logging_read_audit_log(secadm_t)
|
||||
logging_read_generic_logs(secadm_t)
|
||||
userdom_dontaudit_append_staff_home_content_files(secadm_t)
|
||||
userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
|
||||
',`
|
||||
logging_manage_audit_log(sysadm_t)
|
||||
logging_manage_audit_config(sysadm_t)
|
||||
|
|
@ -376,11 +383,12 @@ ifdef(`strict_policy',`
|
|||
selinux_set_parameters(secadm_t)
|
||||
|
||||
seutil_manage_bin_policy(secadm_t)
|
||||
seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
|
||||
seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
|
||||
seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
|
||||
seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
|
||||
seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
|
||||
seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||
seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||
seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||
seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||
seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||
logging_send_syslog_msg(secadm_t)
|
||||
', `
|
||||
selinux_set_enforce_mode(sysadm_t)
|
||||
selinux_set_boolean(sysadm_t)
|
||||
|
|
|
|||
Loading…
Reference in New Issue