patch from dan Fri, 22 Sep 2006 16:30:34 -0400
parent
8708d9bef2
commit
693d4aedb5
|
@ -70,6 +70,7 @@
|
||||||
Fri, 01 Sep 2006
|
Fri, 01 Sep 2006
|
||||||
Tue, 05 Sep 2006
|
Tue, 05 Sep 2006
|
||||||
Wed, 20 Sep 2006
|
Wed, 20 Sep 2006
|
||||||
|
Fri, 22 Sep 2006
|
||||||
- Added modules:
|
- Added modules:
|
||||||
afs
|
afs
|
||||||
amavis (Erich Schubert)
|
amavis (Erich Schubert)
|
||||||
|
|
|
@ -573,6 +573,13 @@ gen_tunable(xdm_sysadm_login,false)
|
||||||
#
|
#
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow all daemons the ability to use unallocated ttys
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_daemons_use_tty,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow mount to mount any file
|
## Allow mount to mount any file
|
||||||
|
|
|
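Review bot: The description for `allow_daemons_use_tty` understates what it grants: the tunable body added to init.te in this same commit enables both `term_use_unallocated_ttys(daemon)` and `term_use_generic_ptys(daemon)`, so daemons presumably get read and write on generic ptys too, not only on unallocated ttys. Because the tunable applies to every domain carrying the `daemon` attribute, an administrator flipping it should be told that any such daemon could then read from or write to those terminals. Suggested description text: `## Allow all daemons the ability to read and write unallocated ttys and generic ptys`.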
@ -6,7 +6,9 @@
|
||||||
|
|
||||||
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
|
||||||
/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
#/sbin/grub-.* -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
|
||||||
|
#/sbin/grubby -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
|
||||||
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
|
|
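Review bot: Narrowing `/sbin/grub.*` to `/sbin/grub` drops the bootloader_exec_t label from any other `/sbin/grub*` binary (for example grub-install, if present), and the replacement entries for `bootloader_helper_exec_t` are added commented out, so those helpers fall back to whatever the generic /sbin rule assigns and run in the caller's domain rather than bootloader_t. If the helper type is not declared yet, the two commented lines are dead configuration; either declare the type and enable them, or replace them with a comment stating the intent, e.g. `# grub-* helpers and grubby are intentionally not labeled bootloader_exec_t (TODO: bootloader_helper_exec_t)`. Whether bootloader_helper_exec_t exists anywhere is not visible in this hunk.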
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(bootloader,1.2.6)
|
policy_module(bootloader,1.2.7)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(readahead,1.2.1)
|
policy_module(readahead,1.2.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -52,6 +52,8 @@ fs_dontaudit_read_ramfs_pipes(readahead_t)
|
||||||
fs_dontaudit_read_ramfs_files(readahead_t)
|
fs_dontaudit_read_ramfs_files(readahead_t)
|
||||||
fs_read_tmpfs_symlinks(readahead_t)
|
fs_read_tmpfs_symlinks(readahead_t)
|
||||||
|
|
||||||
|
mls_file_read_up(readahead_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(readahead_t)
|
term_dontaudit_use_console(readahead_t)
|
||||||
|
|
||||||
auth_dontaudit_read_shadow(readahead_t)
|
auth_dontaudit_read_shadow(readahead_t)
|
||||||
|
|
|
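Review bot: `mls_file_read_up(readahead_t)` is an MLS override with no comment explaining why a prefetch daemon needs to open files above its own level. If the justification is that readahead only pulls data into the page cache and never exposes file contents, state that next to the rule so the exception stays auditable, e.g. `# readahead opens files at every MLS level only to populate the page cache; contents are never exported`. Confirm that is really how readahead is used here; the rest of the domain's rules are outside this hunk.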
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(corenetwork,1.1.16)
|
policy_module(corenetwork,1.1.17)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -82,7 +82,7 @@ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
||||||
network_port(giftd, tcp,1213,s0)
|
network_port(giftd, tcp,1213,s0)
|
||||||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
||||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
|
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
|
||||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||||
network_port(i18n_input, tcp,9010,s0)
|
network_port(i18n_input, tcp,9010,s0)
|
||||||
|
|
|
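Review bot: The new trailing comment `#8443 is mod_nss default port` does not match the spacing of the adjacent `# 8118 is for privoxy`; write it as `# 8443 is the mod_nss default port`. Adding the port to http_port_t means every domain with corenet http bind/connect rules now also covers 8443, which is presumably the intent for a TLS listener, but it is worth saying so in the comment.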
@ -20,7 +20,7 @@ ifdef(`distro_redhat',`
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`distro_suse',`
|
ifdef(`distro_suse',`
|
||||||
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -49,7 +49,7 @@ ifdef(`distro_suse',`
|
||||||
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
|
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
|
||||||
|
@ -58,7 +58,7 @@ ifdef(`distro_suse',`
|
||||||
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/reader.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/reader.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
/etc/smartd\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||||
|
|
||||||
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
|
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
|
||||||
|
|
||||||
|
|
|
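Review bot: Changing `/etc/smartd\.conf` to `/etc/smartd\.conf.*` makes the pattern also match package-manager leftovers such as `/etc/smartd.conf.rpmnew` or `.rpmsave`, which then receive the runtime-writable etc_runtime_t label instead of etc_t; that is broader than the single file the rule previously covered. If the intent is the rotated copies that an init script writes, say so in a comment above the rule, e.g. `# smartd.conf and its backups are regenerated at boot by the smartd init script`, and consider a suffix that matches only the names actually produced. What writes these files is not visible in this hunk.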
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(files,1.2.18)
|
policy_module(files,1.2.19)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -58,6 +58,8 @@ files_type(etc_t)
|
||||||
#
|
#
|
||||||
type etc_runtime_t;
|
type etc_runtime_t;
|
||||||
files_type(etc_runtime_t)
|
files_type(etc_runtime_t)
|
||||||
|
#Temporarily in policy until FC5 dissappears
|
||||||
|
typealias etc_runtime_t alias firstboot_rw_t;
|
||||||
|
|
||||||
#
|
#
|
||||||
# file_t is the default type of a file that has not yet been
|
# file_t is the default type of a file that has not yet been
|
||||||
|
|
|
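Review bot: The `typealias etc_runtime_t alias firstboot_rw_t` silently merges two types: every existing rule granting access to firstboot_rw_t now applies to all etc_runtime_t files and vice versa, which is a policy widening the comment does not call out. Fix the typo and state the removal condition so the alias does not outlive FC5 by accident, e.g. `# Temporary alias so policies built for FC5 still resolve firstboot_rw_t; remove once FC5 is unsupported` (current text: "until FC5 dissappears"). Whether any domain had write rules on firstboot_rw_t is not visible here.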
@ -455,7 +455,7 @@ interface(`fs_register_binary_executable_type',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 binfmt_misc_fs_t:dir { getattr search };
|
allow $1 binfmt_misc_fs_t:dir { getattr search };
|
||||||
allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
|
allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
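Review bot: Adding `read` to the binfmt_misc_fs_t:file permissions changes `fs_register_binary_executable_type` from write-only registration to read/write, so callers can now also inspect the registered handlers; the interface summary (outside this hunk) should say so. The permission set is now a hand-written `{ getattr ioctl write read }`; other hunks in this commit (bind.te, userdomain.if) use the rw_file_perms macro for read/write access, so either use that or at least order the list `{ getattr read write ioctl }`. Keep the explicit list only if rw_file_perms (which adds append/lock) is deliberately too broad, and say so in a comment.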
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(filesystem,1.3.15)
|
policy_module(filesystem,1.3.16)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(bind,1.1.9)
|
policy_module(bind,1.1.10)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -223,6 +223,7 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
|
||||||
allow ndc_t named_t:unix_stream_socket connectto;
|
allow ndc_t named_t:unix_stream_socket connectto;
|
||||||
|
|
||||||
allow ndc_t named_conf_t:file { getattr read };
|
allow ndc_t named_conf_t:file { getattr read };
|
||||||
|
allow ndc_t named_conf_t:lnk_file { getattr read };
|
||||||
|
|
||||||
allow ndc_t named_var_run_t:sock_file rw_file_perms;
|
allow ndc_t named_var_run_t:sock_file rw_file_perms;
|
||||||
|
|
||||||
|
|
|
@ -10,6 +10,7 @@
|
||||||
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
|
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
|
||||||
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
|
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
|
||||||
|
|
||||||
|
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
||||||
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
||||||
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
||||||
/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
||||||
|
|
|
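Review bot: Labeling `/var/run/anacron\.pid` as crond_var_run_t only takes effect at runtime if anacron runs in crond_t or in a domain with a matching file transition; the file context alone covers relabeling, not creation. If anacron executes in its own domain, that domain needs something like `files_pid_filetrans(<domain>, crond_var_run_t, file)` or its own var_run type; which domain anacron runs in is not visible in this hunk. Sharing the type also means any domain allowed to manage crond's pid files can now tamper with anacron's.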
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(cron,1.3.13)
|
policy_module(cron,1.3.14)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(hal,1.3.13)
|
policy_module(hal,1.3.14)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -111,6 +111,10 @@ storage_raw_write_removable_device(hald_t)
|
||||||
storage_raw_read_fixed_disk(hald_t)
|
storage_raw_read_fixed_disk(hald_t)
|
||||||
storage_raw_write_fixed_disk(hald_t)
|
storage_raw_write_fixed_disk(hald_t)
|
||||||
|
|
||||||
|
# hal_probe_serial causes these
|
||||||
|
term_setattr_unallocated_ttys(hald_t)
|
||||||
|
term_dontaudit_use_unallocated_ttys(hald_t)
|
||||||
|
|
||||||
auth_use_nsswitch(hald_t)
|
auth_use_nsswitch(hald_t)
|
||||||
|
|
||||||
init_use_fds(hald_t)
|
init_use_fds(hald_t)
|
||||||
|
@ -144,8 +148,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hald_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
term_dontaudit_use_console(hald_t)
|
term_dontaudit_use_console(hald_t)
|
||||||
term_setattr_unallocated_ttys(hald_t)
|
|
||||||
term_dontaudit_use_unallocated_ttys(hald_t)
|
|
||||||
term_dontaudit_use_generic_ptys(hald_t)
|
term_dontaudit_use_generic_ptys(hald_t)
|
||||||
files_dontaudit_read_root_files(hald_t)
|
files_dontaudit_read_root_files(hald_t)
|
||||||
')
|
')
|
||||||
|
|
|
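Review bot: Moving `term_setattr_unallocated_ttys(hald_t)` out of the targeted_policy block means hald in the strict policy can now change ownership or mode of every unallocated tty device, not just open it; the comment `# hal_probe_serial causes these` names the trigger but not why setattr (rather than only a dontaudit on use) is needed. If the serial prober only needs to open the ports, keep the dontaudit and drop the setattr grant in strict policy; otherwise expand the comment to state what attribute it changes, e.g. `# hal_probe_serial opens every unallocated tty to probe for serial devices and setattr()s it; the use denial is noise`. What hal_probe_serial actually does with the ttys cannot be confirmed from this hunk.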
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(networkmanager,1.3.8)
|
policy_module(networkmanager,1.3.9)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -163,6 +163,7 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ppp_domtrans(NetworkManager_t)
|
ppp_domtrans(NetworkManager_t)
|
||||||
ppp_read_pid_files(NetworkManager_t)
|
ppp_read_pid_files(NetworkManager_t)
|
||||||
|
ppp_signal(NetworkManager_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(nscd,1.2.8)
|
policy_module(nscd,1.2.9)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class nscd all_nscd_perms;
|
class nscd all_nscd_perms;
|
||||||
|
@ -89,6 +89,8 @@ domain_use_interactive_fds(nscd_t)
|
||||||
|
|
||||||
files_read_etc_files(nscd_t)
|
files_read_etc_files(nscd_t)
|
||||||
files_read_generic_tmp_symlinks(nscd_t)
|
files_read_generic_tmp_symlinks(nscd_t)
|
||||||
|
# Needed to read files created by firstboot "/etc/hesiod.conf"
|
||||||
|
files_read_etc_runtime_files(nscd_t)
|
||||||
|
|
||||||
init_use_fds(nscd_t)
|
init_use_fds(nscd_t)
|
||||||
init_use_script_ptys(nscd_t)
|
init_use_script_ptys(nscd_t)
|
||||||
|
|
|
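Review bot: `files_read_etc_runtime_files(nscd_t)` grants read on every etc_runtime_t file, not only `/etc/hesiod.conf`, and the comment gives just that one example. Since this commit also aliases firstboot_rw_t to etc_runtime_t (files.te), hesiod.conf presumably carries that type through the alias; make the comment say so, so a later cleanup does not drop the rule as unneeded: `# firstboot writes /etc/hesiod.conf as etc_runtime_t (firstboot_rw_t alias); nscd must read it`. Read access to the rest of etc_runtime_t is low-risk but should be stated as accepted.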
@ -22,6 +22,7 @@ ifdef(`distro_redhat', `
|
||||||
/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
||||||
/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
||||||
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||||
|
/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||||
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
||||||
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
||||||
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
||||||
|
|
|
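Review bot: The new entry for `/usr/lib/postfix/lmtp` uses the `--` regular-file restriction; if the package ships lmtp as a symlink to smtp rather than a separate file or hard link, this line never matches and the symlink keeps the default label — check how the binary is installed. If it is a real file, a short comment such as `# lmtp is the same program as smtp and runs in postfix_smtp_t` would explain why it gets no exec type of its own. The adjacent smtp and scache lines follow the same pattern, so the labeling choice itself is consistent.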
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(postfix,1.2.13)
|
policy_module(postfix,1.2.14)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(ssh,1.3.12)
|
policy_module(ssh,1.3.13)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -71,12 +71,15 @@ ifdef(`targeted_policy',`
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
# so a tunnel can point to another ssh tunnel
|
# so a tunnel can point to another ssh tunnel
|
||||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
allow sshd_t self:key { search link write };
|
||||||
|
|
||||||
allow sshd_t sshd_tmp_t:dir create_dir_perms;
|
allow sshd_t sshd_tmp_t:dir create_dir_perms;
|
||||||
allow sshd_t sshd_tmp_t:file create_file_perms;
|
allow sshd_t sshd_tmp_t:file create_file_perms;
|
||||||
allow sshd_t sshd_tmp_t:sock_file create_file_perms;
|
allow sshd_t sshd_tmp_t:sock_file create_file_perms;
|
||||||
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
|
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
|
||||||
|
|
||||||
|
kernel_link_key(sshd_t)
|
||||||
|
|
||||||
# for X forwarding
|
# for X forwarding
|
||||||
corenet_tcp_bind_xserver_port(sshd_t)
|
corenet_tcp_bind_xserver_port(sshd_t)
|
||||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||||
|
|
|
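Review bot: The new keyring rules (`allow sshd_t self:key { search link write };` and `kernel_link_key(sshd_t)`) carry no comment saying what needs them; key permissions are easy to over-grant, and a reader cannot tell whether `write` on sshd's own keyring is required or only `link`. If this is for pam_keyinit creating a session keyring at login, say so next to the rules, e.g. `# pam_keyinit: sshd creates the session keyring and links it into the kernel keyring`, and confirm that `write` is actually needed. The enclosing policy block starts in this hunk but closes outside it.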
@ -63,8 +63,11 @@ interface(`init_daemon_domain',`
|
||||||
attribute direct_run_init, direct_init, direct_init_entry;
|
attribute direct_run_init, direct_init, direct_init_entry;
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
role system_r;
|
role system_r;
|
||||||
|
attribute daemon;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
typeattribute $1 daemon;
|
||||||
|
|
||||||
domain_type($1)
|
domain_type($1)
|
||||||
domain_entry_file($1,$2)
|
domain_entry_file($1,$2)
|
||||||
|
|
||||||
|
|
|
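Review bot: `init_daemon_domain` now tags every domain it creates with the new `daemon` attribute (`typeattribute $1 daemon;`), so any tunable or rule written against `daemon` silently applies to all callers of this interface; the interface's doc comment above this hunk should state that the domain becomes a member of `daemon` so authors know which blanket grants they inherit. Domains created through other init interfaces do not get the attribute, so "all daemons" in tunable descriptions really means "domains created with init_daemon_domain"; note that too. Suggested addition to the summary: `## The domain is also added to the daemon attribute, so daemon-wide tunables apply to it.`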
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(init,1.3.25)
|
policy_module(init,1.3.26)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
|
@ -16,6 +16,9 @@ attribute direct_run_init;
|
||||||
attribute direct_init;
|
attribute direct_init;
|
||||||
attribute direct_init_entry;
|
attribute direct_init_entry;
|
||||||
|
|
||||||
|
# Mark process types as daemons
|
||||||
|
attribute daemon;
|
||||||
|
|
||||||
#
|
#
|
||||||
# init_t is the domain of the init process.
|
# init_t is the domain of the init process.
|
||||||
#
|
#
|
||||||
|
@ -206,6 +209,7 @@ optional_policy(`
|
||||||
|
|
||||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||||
allow initrc_t self:capability ~{ sys_admin sys_module };
|
allow initrc_t self:capability ~{ sys_admin sys_module };
|
||||||
|
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
||||||
allow initrc_t self:passwd rootok;
|
allow initrc_t self:passwd rootok;
|
||||||
|
|
||||||
# Allow IPC with self
|
# Allow IPC with self
|
||||||
|
@ -513,6 +517,11 @@ ifdef(`targeted_policy',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mono_domtrans(initrc_t)
|
mono_domtrans(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`allow_daemons_use_tty',`
|
||||||
|
term_use_unallocated_ttys(daemon)
|
||||||
|
term_use_generic_ptys(daemon)
|
||||||
|
')
|
||||||
',`
|
',`
|
||||||
# cjp: require doesnt work in the else of optionals :\
|
# cjp: require doesnt work in the else of optionals :\
|
||||||
# this also would result in a type transition
|
# this also would result in a type transition
|
||||||
|
|
|
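Review bot: `dontaudit initrc_t self:capability sys_module;` removes the audit trail for module-load attempts from init scripts, while the line just above deliberately excludes sys_module from initrc_t's capabilities; silencing it means a compromised or misbehaving init script that tries to load a module leaves no AVC record. If sysctl is the only trigger, it would be better to find why sysctl requests CAP_SYS_MODULE than to hide the denial; at minimum expand the comment to `# sysctl probes CAP_SYS_MODULE; denial is harmless but this also hides real module-load attempts — revisit`. The new `tunable_policy(` allow_daemons_use_tty` )` block, which the hunk header places inside the targeted_policy branch, also deserves a one-line comment that it is a deliberate terminal-access escape hatch for every `daemon` domain.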
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(logging,1.3.11)
|
policy_module(logging,1.3.12)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -161,6 +161,7 @@ libs_use_shared_libs(auditd_t)
|
||||||
miscfiles_read_localization(auditd_t)
|
miscfiles_read_localization(auditd_t)
|
||||||
|
|
||||||
mls_file_read_up(auditd_t)
|
mls_file_read_up(auditd_t)
|
||||||
|
mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
|
||||||
mls_rangetrans_target(auditd_t)
|
mls_rangetrans_target(auditd_t)
|
||||||
|
|
||||||
seutil_dontaudit_read_config(auditd_t)
|
seutil_dontaudit_read_config(auditd_t)
|
||||||
|
|
|
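Review bot: `mls_file_write_down(auditd_t)` is a blanket exemption from the MLS no-write-down rule for the daemon that owns the audit trail, and the trailing comment justifies it only by the need to write under /var/run. The grant is not limited to the pid file — auditd may write any lower-level file its type-enforcement rules allow — so if the pid file is the sole need, check whether a range transition or creating the file at auditd's own level would do, and otherwise put the justification on its own line in the file's style: `# auditd runs at a high level but must create its pid file in /var/run (s0)`. Whether a narrower mechanism is available is not visible in this hunk.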
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(udev,1.3.5)
|
policy_module(udev,1.3.6)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -92,6 +92,7 @@ dev_rw_generic_files(udev_t)
|
||||||
dev_delete_generic_files(udev_t)
|
dev_delete_generic_files(udev_t)
|
||||||
|
|
||||||
domain_read_all_domains_state(udev_t)
|
domain_read_all_domains_state(udev_t)
|
||||||
|
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
||||||
|
|
||||||
files_read_etc_runtime_files(udev_t)
|
files_read_etc_runtime_files(udev_t)
|
||||||
files_read_etc_files(udev_t)
|
files_read_etc_files(udev_t)
|
||||||
|
|
|
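Review bot: `domain_dontaudit_ptrace_all_domains(udev_t)` silences ptrace denials against every domain on the system, so a udev helper that really tried to attach to another process would no longer appear in the audit log; the `#pidof triggers these` comment names the trigger but not that this loss of visibility was accepted. If pidof only reads /proc/<pid>/exe (which the kernel checks as ptrace), a comment saying that keeps the rule reviewable, e.g. `# pidof readlinks /proc/<pid>/exe, which the kernel checks as ptrace; this also hides real ptrace attempts`. Whether udev needs pidof at all cannot be determined from this hunk.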
@ -4317,6 +4317,7 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 user_home_dir_t:dir search_dir_perms;
|
dontaudit $1 user_home_dir_t:dir search_dir_perms;
|
||||||
|
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||||
dontaudit $1 user_home_t:file r_file_perms;
|
dontaudit $1 user_home_t:file r_file_perms;
|
||||||
',`
|
',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
@ -4324,7 +4325,8 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
|
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
|
||||||
dontaudit $1 sysadm_home_t:dir r_file_perms;
|
dontaudit $1 sysadm_home_t:dir search_dir_perms;
|
||||||
|
dontaudit $1 sysadm_home_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -5121,6 +5123,28 @@ interface(`userdom_write_unpriv_users_tmp_files',`
|
||||||
allow $1 user_tmpfile:file { getattr write append };
|
allow $1 user_tmpfile:file { getattr write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write unprivileged user ttys.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_use_unpriv_users_ttys',`
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
term_use_unallocated_ttys($1)
|
||||||
|
',`
|
||||||
|
gen_require(`
|
||||||
|
attribute user_ttynode;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 user_ttynode:chr_file rw_file_perms;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to use unprivileged
|
## Do not audit attempts to use unprivileged
|
||||||
|
|
|
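Review bot: The summary of the new `userdom_use_unpriv_users_ttys` says "Read and write unprivileged user ttys", but its targeted_policy branch calls `term_use_unallocated_ttys($1)`, which grants access to every unallocated tty rather than a user-owned set; the doc should say that in targeted policy the interface is equivalent to unallocated-tty access. The strict branch grants `user_ttynode:chr_file rw_file_perms`, so "use" includes read, letting the caller read from user terminals as well as write to them — state that explicitly, since callers that only want to write wall messages are over-granted. Suggested summary addition: `## In the targeted policy this grants use of all unallocated ttys; in the strict policy it grants read and write on every unprivileged user tty type.`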
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(userdomain,1.3.34)
|
policy_module(userdomain,1.3.35)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
|
@ -111,6 +111,10 @@ ifdef(`strict_policy',`
|
||||||
|
|
||||||
init_exec(sysadm_t)
|
init_exec(sysadm_t)
|
||||||
|
|
||||||
|
# Following for sending reboot and wall messages
|
||||||
|
userdom_use_unpriv_users_ptys(sysadm_t)
|
||||||
|
userdom_use_unpriv_users_ttys(sysadm_t)
|
||||||
|
|
||||||
ifdef(`direct_sysadm_daemon',`
|
ifdef(`direct_sysadm_daemon',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
|
init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
|
||||||
|
@ -128,11 +132,13 @@ ifdef(`strict_policy',`
|
||||||
domain_kill_all_domains(auditadm_t)
|
domain_kill_all_domains(auditadm_t)
|
||||||
seutil_read_bin_policy(auditadm_t)
|
seutil_read_bin_policy(auditadm_t)
|
||||||
corecmd_exec_shell(auditadm_t)
|
corecmd_exec_shell(auditadm_t)
|
||||||
|
logging_send_syslog_msg(auditadm_t)
|
||||||
logging_read_generic_logs(auditadm_t)
|
logging_read_generic_logs(auditadm_t)
|
||||||
logging_manage_audit_log(auditadm_t)
|
logging_manage_audit_log(auditadm_t)
|
||||||
logging_manage_audit_config(auditadm_t)
|
logging_manage_audit_config(auditadm_t)
|
||||||
logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
|
logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
|
||||||
logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
||||||
|
userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
|
||||||
|
|
||||||
allow secadm_t self:capability dac_override;
|
allow secadm_t self:capability dac_override;
|
||||||
corecmd_exec_shell(secadm_t)
|
corecmd_exec_shell(secadm_t)
|
||||||
|
@ -148,6 +154,7 @@ ifdef(`strict_policy',`
|
||||||
logging_read_audit_log(secadm_t)
|
logging_read_audit_log(secadm_t)
|
||||||
logging_read_generic_logs(secadm_t)
|
logging_read_generic_logs(secadm_t)
|
||||||
userdom_dontaudit_append_staff_home_content_files(secadm_t)
|
userdom_dontaudit_append_staff_home_content_files(secadm_t)
|
||||||
|
userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
|
||||||
',`
|
',`
|
||||||
logging_manage_audit_log(sysadm_t)
|
logging_manage_audit_log(sysadm_t)
|
||||||
logging_manage_audit_config(sysadm_t)
|
logging_manage_audit_config(sysadm_t)
|
||||||
|
@ -376,11 +383,12 @@ ifdef(`strict_policy',`
|
||||||
selinux_set_parameters(secadm_t)
|
selinux_set_parameters(secadm_t)
|
||||||
|
|
||||||
seutil_manage_bin_policy(secadm_t)
|
seutil_manage_bin_policy(secadm_t)
|
||||||
seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
|
seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||||
seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
|
seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||||
seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
|
seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||||
seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
|
seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||||
seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
|
seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
|
||||||
|
logging_send_syslog_msg(secadm_t)
|
||||||
', `
|
', `
|
||||||
selinux_set_enforce_mode(sysadm_t)
|
selinux_set_enforce_mode(sysadm_t)
|
||||||
selinux_set_boolean(sysadm_t)
|
selinux_set_boolean(sysadm_t)
|
||||||
|
|
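Review bot: The secadm_t terminal set `{ secadm_tty_device_t sysadm_devpts_t }` mixes secadm's tty type with sysadm's pty type; the auditadm lines earlier in this section use the matching pair `{ auditadm_tty_device_t auditadm_devpts_t }`, so unless secadm has no devpts type of its own this looks like a copy-paste slip and should read `{ secadm_tty_device_t secadm_devpts_t }`. As written, the checkpolicy/loadpolicy/semanage/setfiles/restorecon run interfaces let those tools use a sysadm pty when invoked from secadm_r, tying the security-admin tooling to the sysadm terminal type. Separately, `userdom_use_unpriv_users_ttys(sysadm_t)` "for sending reboot and wall messages" also grants read (the interface uses rw_file_perms), which is more than wall needs; note that as accepted or use a write-only interface. Whether secadm_devpts_t is declared is not visible here.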