patch from dan, Thu, 2007-01-25 at 08:12 -0500
This commit is contained in:
parent
4bd55ebf32
commit
6b19be3360
@ -1,5 +1,7 @@
|
||||
- Fix explicit use of httpd_t in openca_domtrans().
|
||||
- Clean up file context regexes in apache and java, from Eamon Walsh.
|
||||
- Patches from Dan Walsh:
|
||||
Thu, 25 Jan 2007
|
||||
|
||||
* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
|
||||
- Add policy patterns support macros. This changes the behavior of
|
||||
|
@ -1,2 +1,3 @@
|
||||
system_u:system_u:s0-mcs_systemhigh
|
||||
root:root:s0-mcs_systemhigh
|
||||
__default__:user_u:s0
|
||||
|
@ -1,2 +1,3 @@
|
||||
system_u:system_u:s0-mls_systemhigh
|
||||
root:root:s0-mls_systemhigh
|
||||
__default__:user_u:s0
|
||||
|
@ -1,2 +1,3 @@
|
||||
system_u:system_u
|
||||
root:root
|
||||
__default__:user_u
|
||||
|
@ -1,4 +1,12 @@
|
||||
.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
|
||||
.SH "DESCRIPTION"
|
||||
@ -9,38 +17,32 @@ control.
|
||||
SELinux requires files to have an extended attribute to define the file type.
|
||||
Policy governs the access daemons have to these files.
|
||||
SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
|
||||
.TP
|
||||
.PP
|
||||
The following file contexts types are defined for httpd:
|
||||
.br
|
||||
|
||||
.EX
|
||||
httpd_sys_content_t
|
||||
.br
|
||||
.EE
|
||||
- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
|
||||
.br
|
||||
|
||||
.EX
|
||||
httpd_sys_script_exec_t
|
||||
.br
|
||||
.EE
|
||||
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
|
||||
.br
|
||||
|
||||
.EX
|
||||
httpd_sys_script_ro_t
|
||||
.br
|
||||
.EE
|
||||
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
|
||||
.br
|
||||
|
||||
.EX
|
||||
httpd_sys_script_rw_t
|
||||
.br
|
||||
.EE
|
||||
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
|
||||
.br
|
||||
|
||||
.EX
|
||||
httpd_sys_script_ra_t
|
||||
.br
|
||||
.EE
|
||||
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
|
||||
|
||||
.EX
|
||||
httpd_unconfined_script_exec_t
|
||||
.br
|
||||
.EE
|
||||
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
|
||||
.br
|
||||
|
||||
.SH NOTE
|
||||
With certain policies you can define addional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
|
||||
@ -48,71 +50,81 @@ With certain policies you can define addional file contexts based on roles like
|
||||
.SH SHARING FILES
|
||||
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
|
||||
|
||||
.EX
|
||||
setsebool -P allow_httpd_anon_write=1
|
||||
.EE
|
||||
|
||||
or
|
||||
|
||||
.EX
|
||||
setsebool -P allow_httpd_sys_script_anon_write=1
|
||||
.EE
|
||||
|
||||
.SH BOOLEANS
|
||||
SELinux policy is customizable based on least access required. So by
|
||||
default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
|
||||
.TP
|
||||
.PP
|
||||
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_enable_cgi 1
|
||||
.EE
|
||||
|
||||
.TP
|
||||
.PP
|
||||
httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_enable_homedirs 1
|
||||
.br
|
||||
chcon -R -t httpd_sys_content_t ~user/public_html
|
||||
.EE
|
||||
|
||||
.TP
|
||||
.PP
|
||||
httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_tty_comm 1
|
||||
.EE
|
||||
|
||||
.TP
|
||||
.PP
|
||||
httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_unified 0
|
||||
.EE
|
||||
|
||||
.TP
|
||||
.PP
|
||||
httpd can be configured to turn off internal scripting (PHP). PHP and other
|
||||
loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_builtin_scripting 0
|
||||
.EE
|
||||
|
||||
.TP
|
||||
.PP
|
||||
httpd scripts by default are not allowed to connect out to the network.
|
||||
This would prevent a hacker from breaking into you httpd server and attacking
|
||||
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_can_network_connect 1
|
||||
.EE
|
||||
|
||||
.TP
|
||||
.PP
|
||||
You can disable suexec transition, set httpd_suexec_disable_trans deny this
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_suexec_disable_trans 1
|
||||
.EE
|
||||
|
||||
.TP
|
||||
.PP
|
||||
You can disable SELinux protection for the httpd daemon by executing:
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_disable_trans 1
|
||||
.br
|
||||
service httpd restart
|
||||
.EE
|
||||
|
||||
.TP
|
||||
.PP
|
||||
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
@ -1,4 +1,12 @@
|
||||
.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
|
||||
.SH "DESCRIPTION"
|
||||
@ -6,23 +14,19 @@ kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
|
||||
Security-Enhanced Linux secures the system via flexible mandatory access
|
||||
control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network.
|
||||
.SH BOOLEANS
|
||||
.TP
|
||||
.PP
|
||||
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
|
||||
.TP
|
||||
.EX
|
||||
setsebool -P allow_kerberos 1
|
||||
.TP
|
||||
.EE
|
||||
If you are running Kerberos daemons kadmind or krb5kdc you can disable the SELinux protection on these daemons by setting the krb5kdc_disable_trans and kadmind_disable_trans booleans.
|
||||
.br
|
||||
|
||||
.EX
|
||||
setsebool -P krb5kdc_disable_trans 1
|
||||
.br
|
||||
service krb5kdc restart
|
||||
.br
|
||||
setsebool -P kadmind_disable_trans booleans 1
|
||||
.br
|
||||
service kadmind restart
|
||||
|
||||
.TP
|
||||
.EE
|
||||
.PP
|
||||
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
@ -1,4 +1,12 @@
|
||||
.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
|
||||
.SH "DESCRIPTION"
|
||||
@ -8,17 +16,16 @@ control.
|
||||
.SH BOOLEANS
|
||||
SELinux policy is customizable based on least access required. So by
|
||||
default SElinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
|
||||
.TP
|
||||
.br
|
||||
.EX
|
||||
setsebool -P named_write_master_zones 1
|
||||
|
||||
.TP
|
||||
.EE
|
||||
.PP
|
||||
You can disable SELinux protection for the named daemon by executing:
|
||||
.TP
|
||||
.EX
|
||||
setsebool -P named_disable_trans 1
|
||||
.br
|
||||
service named restart
|
||||
.TP
|
||||
.EE
|
||||
.PP
|
||||
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
@ -1,4 +1,12 @@
|
||||
.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
|
||||
.SH "DESCRIPTION"
|
||||
@ -14,24 +22,25 @@ would need to label the directory with the chcon tool.
|
||||
chcon -t public_content_t /var/rsync
|
||||
.TP
|
||||
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
|
||||
.TP
|
||||
.EX
|
||||
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
|
||||
.br
|
||||
/var/rsync(/.*)? system_u:object_r:public_content_t
|
||||
.EE
|
||||
|
||||
.SH SHARING FILES
|
||||
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute:
|
||||
|
||||
.EX
|
||||
setsebool -P allow_rsync_anon_write=1
|
||||
|
||||
.EE
|
||||
|
||||
.SH BOOLEANS
|
||||
.TP
|
||||
You can disable SELinux protection for the rsync daemon by executing:
|
||||
.TP
|
||||
.EX
|
||||
setsebool -P rsync_disable_trans 1
|
||||
.br
|
||||
service xinetd restart
|
||||
.EE
|
||||
.TP
|
||||
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
|
@ -64,6 +64,14 @@ gen_tunable(allow_execstack,false)
|
||||
## </desc>
|
||||
gen_tunable(allow_ftpd_anon_write,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ftp servers to login to local users and
|
||||
## read/write all files on the system, governed by DAC.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_ftpd_full_access,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ftp servers to use cifs
|
||||
@ -326,6 +334,13 @@ gen_tunable(samba_share_nfs,false)
|
||||
## </desc>
|
||||
gen_tunable(squid_connect_any,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(ssh_sysadm_login,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Configure stunnel to be a standalone daemon or
|
||||
@ -348,6 +363,13 @@ gen_tunable(use_nfs_home_dirs,false)
|
||||
## </desc>
|
||||
gen_tunable(use_samba_home_dirs,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow xdm logins as sysadm
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(xdm_sysadm_login,false)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Strict policy specific
|
||||
@ -496,13 +518,6 @@ gen_tunable(run_ssh_inetd,false)
|
||||
## </desc>
|
||||
gen_tunable(spamassassin_can_network,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(ssh_sysadm_login,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow staff_r users to search the sysadm home
|
||||
@ -511,6 +526,13 @@ gen_tunable(ssh_sysadm_login,false)
|
||||
## </desc>
|
||||
gen_tunable(staff_read_sysadm_file,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Use lpd server instead of cups
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(use_lpd_server,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow regular users direct mouse access
|
||||
@ -565,13 +587,6 @@ gen_tunable(user_ttyfile_stat,false)
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(write_untrusted_content,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow xdm logins as sysadm
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(xdm_sysadm_login,false)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
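Review bot: The description of the new `allow_ftpd_full_access` tunable (`## Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.`) understates the effect of enabling it: file access from the ftp domain is then limited only by DAC, so the type-enforcement confinement of the daemon is effectively switched off. Suggest extending the `<p>` with a sentence such as `## Enabling this removes SELinux file-access confinement for the ftp daemon; leave it off unless local users must read and write arbitrary files over ftp.` The defaults stay `false` here and for `ssh_sysadm_login` and `xdm_sysadm_login`, which appear to move out of the "Strict policy specific" section into the common one; that relocation looks intentional but is worth one line in the changelog hunk at the top of this commit.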
@ -2,11 +2,6 @@
|
||||
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
||||
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
||||
|
||||
/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
||||
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
||||
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bootloader,1.4.0)
|
||||
policy_module(bootloader,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -93,6 +93,8 @@ fs_read_tmpfs_symlinks(bootloader_t)
|
||||
fs_manage_dos_files(bootloader_t)
|
||||
|
||||
mls_file_read_up(bootloader_t)
|
||||
mls_file_write_down(bootloader_t)
|
||||
|
||||
|
||||
term_getattr_all_user_ttys(bootloader_t)
|
||||
term_dontaudit_manage_pty_dirs(bootloader_t)
|
||||
@ -163,9 +165,6 @@ ifdef(`distro_redhat',`
|
||||
# new file system defaults to file_t, granting file_t access is still bad.
|
||||
allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
|
||||
|
||||
# mkinitrd mount initrd on bootloader temp dir
|
||||
files_mountpoint(bootloader_tmp_t)
|
||||
|
||||
# new file system defaults to file_t, granting file_t access is still bad.
|
||||
files_manage_isid_type_dirs(bootloader_t)
|
||||
files_manage_isid_type_files(bootloader_t)
|
||||
|
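Review bot: `mls_file_read_up(bootloader_t)` and `mls_file_write_down(bootloader_t)` are MLS constraint overrides added with no why-comment, while the neighbouring rules in this file explain themselves (`# new file system defaults to file_t, granting file_t access is still bad.`). Each override widens what the domain may touch across sensitivity levels, so the reason belongs next to the rule, e.g. `# MLS: bootloader runs at a high level but must read and write boot files labeled s0 — confirm`. The same applies to `mls_file_write_down($1_su_t)` in the su.if hunk and `mls_file_upgrade(useradd_t)` in the usermanage.te hunk further down this page, neither of which carries a justification either.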
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(consoletype,1.2.0)
|
||||
policy_module(consoletype,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -87,6 +87,11 @@ optional_policy(`
|
||||
firstboot_rw_pipes(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dontaudit_use_fds(consoletype_t)
|
||||
hal_dontaudit_rw_pipes(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
logrotate_dontaudit_use_fds(consoletype_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logwatch,1.3.0)
|
||||
policy_module(logwatch,1.3.1)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -58,6 +58,7 @@ dev_search_sysfs(logwatch_t)
|
||||
# Read /proc/PID directories for all domains.
|
||||
domain_read_all_domains_state(logwatch_t)
|
||||
|
||||
files_list_var(logwatch_t)
|
||||
files_read_etc_files(logwatch_t)
|
||||
files_read_etc_runtime_files(logwatch_t)
|
||||
files_read_usr_files(logwatch_t)
|
||||
@ -112,6 +113,10 @@ optional_policy(`
|
||||
mta_getattr_spool(logwatch_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(logwatch_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(logwatch_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(prelink,1.3.0)
|
||||
policy_module(prelink,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,6 +18,9 @@ files_type(prelink_cache_t)
|
||||
type prelink_log_t;
|
||||
logging_log_file(prelink_log_t)
|
||||
|
||||
type prelink_tmp_t;
|
||||
files_tmp_file(prelink_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -37,6 +40,10 @@ append_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
|
||||
read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
|
||||
logging_log_filetrans(prelink_t, prelink_log_t, file)
|
||||
|
||||
allow prelink_t prelink_tmp_t:file { manage_file_perms execute };
|
||||
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
|
||||
fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
|
||||
|
||||
# prelink misc objects that are not system
|
||||
# libraries or entrypoints
|
||||
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
|
||||
|
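Review bot: `allow prelink_t prelink_tmp_t:file { manage_file_perms execute };` lets the domain execute files it creates itself, since the two filetrans rules that follow label its new files in /tmp and tmpfs as prelink_tmp_t; write-plus-execute on a single type is exactly what the rest of this module keeps apart (`prelink_object` below gets `execute` only for files the domain relabels, not for its own temp output). If prelink really needs to run its temporary copies, say so above the rule, e.g. `# prelink executes its temporary copy of a binary before replacing the original — confirm`; if it does not, drop `execute` from the set.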
@ -1,14 +1,19 @@
|
||||
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
|
||||
|
||||
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
||||
/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
|
||||
/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
|
||||
',`
|
||||
/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
|
||||
')
|
||||
|
||||
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
||||
|
||||
/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(quota,1.1.0)
|
||||
policy_module(quota,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,7 +26,15 @@ dontaudit quota_t self:capability sys_tty_config;
|
||||
allow quota_t self:process signal_perms;
|
||||
|
||||
# for /quota.*
|
||||
allow quota_t quota_db_t:file { read write quotaon };
|
||||
allow quota_t quota_db_t:file { manage_file_perms quotaon };
|
||||
files_root_filetrans(quota_t, quota_db_t, file)
|
||||
files_boot_filetrans(quota_t, quota_db_t, file)
|
||||
files_etc_filetrans(quota_t, quota_db_t, file)
|
||||
files_tmp_filetrans(quota_t, quota_db_t, file)
|
||||
files_home_filetrans(quota_t, quota_db_t, file)
|
||||
files_usr_filetrans(quota_t, quota_db_t, file)
|
||||
files_var_filetrans(quota_t, quota_db_t, file)
|
||||
files_spool_filetrans(quota_t, quota_db_t, file)
|
||||
|
||||
kernel_list_proc(quota_t)
|
||||
kernel_read_proc_symlinks(quota_t)
|
||||
@ -55,6 +63,7 @@ files_read_all_files(quota_t)
|
||||
files_read_all_symlinks(quota_t)
|
||||
files_getattr_all_pipes(quota_t)
|
||||
files_getattr_all_sockets(quota_t)
|
||||
files_getattr_all_file_type_fs(quota_t)
|
||||
# Read /etc/mtab.
|
||||
files_read_etc_runtime_files(quota_t)
|
||||
|
||||
@ -81,12 +90,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(quota_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# quotacheck creates new quota_db_t files
|
||||
file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
|
||||
|
||||
allow quota_t file_t:file quotaon;
|
||||
|
||||
allow quota_t proc_t:file getattr;
|
||||
') dnl end TODO
|
||||
|
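Review bot: The new file transitions do not line up with the labeling shown in the quota.fc hunk on this page: `files_tmp_filetrans(quota_t, quota_db_t, file)` and `files_usr_filetrans(quota_t, quota_db_t, file)` create quota_db_t files under /tmp and /usr, but quota.fc lists `a?quota\.(user|group)` entries for `/`, `/boot`, `/etc`, `/var`, `/var/spool` and `HOME_ROOT` and none for /tmp or /usr. Databases created in those two locations would lose quota_db_t on the next relabel, so either add matching quota.fc entries or drop the two transitions. Widening `{ read write quotaon }` to `{ manage_file_perms quotaon }` is consistent with the removed TODO note (`# quotacheck creates new quota_db_t files`) and looks fine.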
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rpm,1.5.0)
|
||||
policy_module(rpm,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -188,11 +188,11 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dbus_chat(rpm_t)
|
||||
cron_system_entry(rpm_t,rpm_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(rpm_t,rpm_exec_t)
|
||||
hal_dbus_chat(rpm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -368,6 +368,11 @@ optional_policy(`
|
||||
nis_use_ypbind(rpm_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tzdata_domtrans(rpm_t)
|
||||
tzdata_domtrans(rpm_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
usermanage_domtrans_groupadd(rpm_script_t)
|
||||
usermanage_domtrans_useradd(rpm_script_t)
|
||||
|
@ -61,6 +61,7 @@ template(`su_restricted_domain_template', `
|
||||
kernel_read_system_state($1_su_t)
|
||||
kernel_read_kernel_sysctls($1_su_t)
|
||||
kernel_search_key($1_su_t)
|
||||
kernel_link_key($1_su_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand($1_su_t)
|
||||
@ -160,11 +161,12 @@ template(`su_restricted_domain_template', `
|
||||
#
|
||||
template(`su_per_role_template',`
|
||||
gen_require(`
|
||||
attribute su_domain_type;
|
||||
type su_exec_t;
|
||||
bool secure_mode;
|
||||
')
|
||||
|
||||
type $1_su_t;
|
||||
type $1_su_t, su_domain_type;
|
||||
domain_entry_file($1_su_t,su_exec_t)
|
||||
domain_type($1_su_t)
|
||||
domain_interactive_fd($1_su_t)
|
||||
@ -177,6 +179,7 @@ template(`su_per_role_template',`
|
||||
allow $1_su_t self:process { setexec setsched setrlimit };
|
||||
allow $1_su_t self:fifo_file rw_fifo_file_perms;
|
||||
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
|
||||
allow $1_su_t self:key { search write };
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
domtrans_pattern($2, su_exec_t, $1_su_t)
|
||||
@ -189,12 +192,17 @@ template(`su_per_role_template',`
|
||||
|
||||
kernel_read_system_state($1_su_t)
|
||||
kernel_read_kernel_sysctls($1_su_t)
|
||||
kernel_search_key($1_su_t)
|
||||
kernel_link_key($1_su_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand($1_su_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_su_t)
|
||||
|
||||
# needed for pam_rootok
|
||||
selinux_compute_access_vector($1_su_t)
|
||||
|
||||
auth_domtrans_user_chk_passwd($1,$1_su_t)
|
||||
auth_dontaudit_read_shadow($1_su_t)
|
||||
auth_use_nsswitch($1_su_t)
|
||||
@ -213,6 +221,8 @@ template(`su_per_role_template',`
|
||||
# Write to utmp.
|
||||
init_rw_utmp($1_su_t)
|
||||
|
||||
mls_file_write_down($1_su_t)
|
||||
|
||||
libs_use_ld_so($1_su_t)
|
||||
libs_use_shared_libs($1_su_t)
|
||||
|
||||
@ -230,7 +240,6 @@ template(`su_per_role_template',`
|
||||
|
||||
selinux_get_fs_mount($1_su_t)
|
||||
selinux_validate_context($1_su_t)
|
||||
selinux_compute_access_vector($1_su_t)
|
||||
selinux_compute_create_context($1_su_t)
|
||||
selinux_compute_relabel_context($1_su_t)
|
||||
selinux_compute_user_contexts($1_su_t)
|
||||
@ -297,9 +306,7 @@ template(`su_per_role_template',`
|
||||
|
||||
# Modify .Xauthority file (via xauth program).
|
||||
optional_policy(`
|
||||
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
||||
# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
|
||||
# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
|
||||
xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)
|
||||
xserver_domtrans_user_xauth($1, $1_su_t)
|
||||
')
|
||||
|
||||
|
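Review bot: `xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)` passes the new attribute rather than `$1_su_t`, so each expansion of this per-role template grants the transition into `$1`'s home directory to the su domain of every role, not only this role's. That matches the three cross-role `file_type_auto_trans` lines it replaces, but it is a deliberate widening and deserves a comment where those lines stood, e.g. `# any role's su domain may create .Xauthority in this role's home dir (replaces the old cross-role auto_trans)`. The relocated `selinux_compute_access_vector($1_su_t)` now carries `# needed for pam_rootok`, which is good. `su_per_role_template` starts and ends outside these hunks.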
@ -1,10 +1,12 @@
|
||||
|
||||
policy_module(su,1.5.0)
|
||||
policy_module(su,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute su_domain_type;
|
||||
|
||||
type su_exec_t;
|
||||
corecmd_executable_file(su_exec_t)
|
||||
|
@ -71,6 +71,7 @@ template(`sudo_per_role_template',`
|
||||
allow $1_sudo_t self:unix_dgram_socket sendto;
|
||||
allow $1_sudo_t self:unix_stream_socket connectto;
|
||||
allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
|
||||
allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# Enter this derived domain from the user domain
|
||||
domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
|
||||
@ -83,6 +84,7 @@ template(`sudo_per_role_template',`
|
||||
|
||||
kernel_read_kernel_sysctls($1_sudo_t)
|
||||
kernel_read_system_state($1_sudo_t)
|
||||
kernel_search_key($1_sudo_t)
|
||||
|
||||
dev_read_urand($1_sudo_t)
|
||||
|
||||
@ -90,6 +92,8 @@ template(`sudo_per_role_template',`
|
||||
fs_getattr_xattr_fs($1_sudo_t)
|
||||
|
||||
auth_domtrans_chk_passwd($1_sudo_t)
|
||||
# sudo stores a token in the pam_pid directory
|
||||
auth_manage_pam_pid($1_sudo_t)
|
||||
|
||||
corecmd_getattr_bin_files($1_sudo_t)
|
||||
corecmd_read_sbin_symlinks($1_sudo_t)
|
||||
@ -140,9 +144,5 @@ template(`sudo_per_role_template',`
|
||||
domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
|
||||
')
|
||||
|
||||
ifdef(`pam.te', `
|
||||
allow $1_sudo_t pam_var_run_t:dir manage_dir_perms;
|
||||
allow $1_sudo_t pam_var_run_t:file manage_file_perms;
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sudo,1.0.0)
|
||||
policy_module(sudo,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
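--- /dev/null
+++ b/policy/modules/admin/tzdata.fc
@@ -0,0 +1 @@
+/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)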
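--- /dev/null
+++ b/policy/modules/admin/tzdata.if
@@ -0,0 +1,19 @@
+## <summary>Time zone updater</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run tzdata.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tzdata_domtrans',`
+gen_require(`
+type tzdata_t, tzdata_exec_t;
+')
+
+domtrans_pattern($1,tzdata_exec_t,tzdata_t)
+')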
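--- /dev/null
+++ b/policy/modules/admin/tzdata.te
@@ -0,0 +1,40 @@
+
+policy_module(tzdata,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tzdata_t;
+type tzdata_exec_t;
+init_daemon_domain(tzdata_t, tzdata_exec_t)
+
+########################################
+#
+# tzdata local policy
+#
+
+files_read_etc_files(tzdata_t)
+files_search_spool(tzdata_t)
+
+term_dontaudit_list_ptys(tzdata_t)
+
+libs_use_ld_so(tzdata_t)
+libs_use_shared_libs(tzdata_t)
+
+locallogin_dontaudit_use_fds(tzdata_t)
+
+miscfiles_read_localization(tzdata_t)
+miscfiles_manage_localization(tzdata_t)
+miscfiles_etc_filetrans_localization(tzdata_t)
+
+ifdef(`targeted_policy',`
+term_dontaudit_use_unallocated_ttys(tzdata_t)
+term_dontaudit_use_generic_ptys(tzdata_t)
+')
+
+# tzdata looks for /var/spool/postfix/etc/localtime.
+optional_policy(`
+postfix_search_spool(tzdata_t)
+')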
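Review bot: `init_daemon_domain(tzdata_t, tzdata_exec_t)` declares tzdata_t as an init-started daemon, yet the only entry into it shown on this page is `tzdata_domtrans` called from rpm_t and rpm_script_t in the rpm.te hunk; if tzdata-update only ever runs from package scriptlets, declaring it with `domain_type(tzdata_t)` plus `domain_entry_file(tzdata_t,tzdata_exec_t)` (as su.if does on this page) would avoid granting it the init-script transition and daemon role it never uses. `miscfiles_manage_localization(tzdata_t)` also grants write access to every localization file, while the module's own comment only mentions localtime copies; a line such as `# tzdata-update rewrites /etc/localtime and the postfix chroot copy in place — confirm whether full manage is needed` would let the next reader judge the width. The `ifdef(`targeted_policy',` block and the postfix `optional_policy` look fine.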
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usermanage,1.5.0)
|
||||
policy_module(usermanage,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -112,6 +112,7 @@ domain_use_interactive_fds(chfn_t)
|
||||
files_manage_etc_files(chfn_t)
|
||||
files_read_etc_runtime_files(chfn_t)
|
||||
files_dontaudit_search_var(chfn_t)
|
||||
files_dontaudit_search_home(chfn_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
@ -486,6 +487,8 @@ files_read_etc_runtime_files(useradd_t)
|
||||
fs_search_auto_mountpoints(useradd_t)
|
||||
fs_getattr_xattr_fs(useradd_t)
|
||||
|
||||
mls_file_upgrade(useradd_t)
|
||||
|
||||
# Allow access to context for shadow file
|
||||
selinux_get_fs_mount(useradd_t)
|
||||
selinux_validate_context(useradd_t)
|
||||
@ -517,16 +520,16 @@ miscfiles_read_localization(useradd_t)
|
||||
seutil_read_config(useradd_t)
|
||||
seutil_read_file_contexts(useradd_t)
|
||||
seutil_read_default_contexts(useradd_t)
|
||||
seutil_domtrans_semanage(useradd_t)
|
||||
seutil_domtrans_restorecon(useradd_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(useradd_t)
|
||||
# for when /root is the cwd
|
||||
userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
|
||||
# Add/remove user home directories
|
||||
userdom_home_filetrans_generic_user_home_dir(useradd_t)
|
||||
userdom_manage_generic_user_home_content_dirs(useradd_t)
|
||||
userdom_manage_generic_user_home_content_files(useradd_t)
|
||||
userdom_manage_generic_user_home_dirs(useradd_t)
|
||||
userdom_manage_staff_home_dirs(useradd_t)
|
||||
userdom_manage_all_users_home_content_dirs(useradd_t)
|
||||
userdom_manage_all_users_home_content_files(useradd_t)
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
|
||||
|
||||
mta_manage_spool(useradd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(vpn,1.3.0)
|
||||
policy_module(vpn,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -95,6 +95,7 @@ logging_send_syslog_msg(vpnc_t)
|
||||
miscfiles_read_localization(vpnc_t)
|
||||
|
||||
seutil_dontaudit_search_config(vpnc_t)
|
||||
seutil_use_newrole_fds(vpnc_t)
|
||||
|
||||
sysnet_exec_ifconfig(vpnc_t)
|
||||
sysnet_etc_filetrans_config(vpnc_t)
|
||||
|
@ -34,6 +34,10 @@
|
||||
#
|
||||
template(`ethereal_per_role_template',`
|
||||
|
||||
gen_require(`
|
||||
type ethereal_exec_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ethereal,1.1.0)
|
||||
policy_module(ethereal,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -53,7 +53,7 @@ template(`evolution_per_role_template',`
|
||||
userdom_user_home_content($1,$1_evolution_home_t)
|
||||
|
||||
type $1_evolution_orbit_tmp_t;
|
||||
files_type($1_evolution_orbit_tmp_t)
|
||||
files_tmp_file($1_evolution_orbit_tmp_t)
|
||||
|
||||
type $1_evolution_alarm_t;
|
||||
domain_type($1_evolution_alarm_t)
|
||||
@ -64,7 +64,7 @@ template(`evolution_per_role_template',`
|
||||
files_tmpfs_file($1_evolution_alarm_tmpfs_t)
|
||||
|
||||
type $1_evolution_alarm_orbit_tmp_t;
|
||||
files_type($1_evolution_alarm_orbit_tmp_t)
|
||||
files_tmp_file($1_evolution_alarm_orbit_tmp_t)
|
||||
|
||||
type $1_evolution_exchange_t;
|
||||
domain_type($1_evolution_exchange_t)
|
||||
@ -78,7 +78,7 @@ template(`evolution_per_role_template',`
|
||||
files_tmp_file($1_evolution_exchange_tmp_t)
|
||||
|
||||
type $1_evolution_exchange_orbit_tmp_t;
|
||||
files_type($1_evolution_exchange_orbit_tmp_t)
|
||||
files_tmp_file($1_evolution_exchange_orbit_tmp_t)
|
||||
|
||||
type $1_evolution_server_t;
|
||||
domain_type($1_evolution_server_t)
|
||||
@ -86,7 +86,7 @@ template(`evolution_per_role_template',`
|
||||
role $3 types $1_evolution_server_t;
|
||||
|
||||
type $1_evolution_server_orbit_tmp_t;
|
||||
files_type($1_evolution_server_orbit_tmp_t)
|
||||
files_tmp_file($1_evolution_server_orbit_tmp_t)
|
||||
|
||||
type $1_evolution_webcal_t;
|
||||
domain_type($1_evolution_webcal_t)
|
||||
@ -97,7 +97,7 @@ template(`evolution_per_role_template',`
|
||||
files_tmpfs_file($1_evolution_webcal_tmpfs_t)
|
||||
|
||||
type $1_orbit_tmp_t;
|
||||
files_type($1_orbit_tmp_t)
|
||||
files_tmp_file($1_orbit_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -129,6 +129,10 @@ template(`evolution_per_role_template',`
|
||||
allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })
|
||||
|
||||
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
|
||||
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans($1_evolution_server_t,$1_evolution_orbit_tmp_t,{ dir file })
|
||||
|
||||
allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
|
||||
allow $1_evolution_t $1_evolution_server_t:file read;
|
||||
|
||||
@ -171,6 +175,8 @@ template(`evolution_per_role_template',`
|
||||
allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_evolution_t:process getattr;
|
||||
|
||||
domain_dontaudit_read_all_domains_state($1_evolution_t)
|
||||
|
||||
#FIXME check to see if really needed
|
||||
kernel_read_kernel_sysctls($1_evolution_t)
|
||||
kernel_read_system_state($1_evolution_t)
|
||||
@ -238,6 +244,7 @@ template(`evolution_per_role_template',`
|
||||
userdom_manage_user_tmp_dirs($1,$1_evolution_t)
|
||||
userdom_manage_user_tmp_sockets($1,$1_evolution_t)
|
||||
userdom_manage_user_tmp_files($1,$1_evolution_t)
|
||||
userdom_use_user_terminals($1, $1_evolution_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
@ -246,6 +253,7 @@ template(`evolution_per_role_template',`
|
||||
mta_read_config($1_evolution_t)
|
||||
|
||||
xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t)
|
||||
xserver_read_xdm_tmp_files($1_evolution_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_evolution_t)
|
||||
@ -367,7 +375,10 @@ template(`evolution_per_role_template',`
|
||||
tunable_policy(`write_untrusted_content',`
|
||||
files_search_home($1_evolution_t)
|
||||
|
||||
userdom_manage_user_untrusted_content_files($1,$1_evolution_t,{ dir file })
|
||||
userdom_manage_user_untrusted_content_files($1,$1_evolution_t)
|
||||
userdom_user_home_dir_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir })
|
||||
userdom_user_home_content_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir })
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_evolution_t)
|
||||
files_dontaudit_list_tmp($1_evolution_t)
|
||||
@ -394,6 +405,10 @@ template(`evolution_per_role_template',`
|
||||
dbus_send_user_bus($1,$1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_t)
|
||||
')
|
||||
|
||||
# Encrypt mail
|
||||
optional_policy(`
|
||||
gpg_domtrans_user_gpg($1,$1_evolution_t)
|
||||
@ -404,13 +419,18 @@ template(`evolution_per_role_template',`
|
||||
lpd_domtrans_user_lpr($1,$1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mozilla_read_user_home_files($1, $1_evolution_t)
|
||||
mozilla_domtrans_user_mozilla($1, $1_evolution_t)
|
||||
')
|
||||
|
||||
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_exchange_t)
|
||||
nscd_socket_use($1_evolution_t)
|
||||
')
|
||||
|
||||
### Junk mail filtering (start spamd)
|
||||
@ -427,9 +447,6 @@ template(`evolution_per_role_template',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
#dbus connect to
|
||||
allow $1_evolution_t $1_dbusd_t:unix_stream_socket connectto;
|
||||
|
||||
# Gnome common stuff
|
||||
gnome_application($1_evolution, $1)
|
||||
|
||||
@ -450,12 +467,6 @@ template(`evolution_per_role_template',`
|
||||
ifdef(`TODO',`
|
||||
gnome_file_dialog($1_evolution, $1)
|
||||
')
|
||||
# Start links in web browser
|
||||
ifdef(`mozilla', `
|
||||
corecmd_exec_shell($1_evolution_t)
|
||||
domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
|
||||
')
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -463,7 +474,8 @@ template(`evolution_per_role_template',`
|
||||
# Evolution alarm local policy
|
||||
#
|
||||
|
||||
allow $1_evolution_alarm_t self:fifo_file { read write };
|
||||
allow $1_evolution_alarm_t self:process { signal getsched };
|
||||
allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
|
||||
@ -489,7 +501,15 @@ template(`evolution_per_role_template',`
|
||||
domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
|
||||
allow $1_evolution_alarm_t $2:fd use;
|
||||
|
||||
dev_read_urand($1_evolution_alarm_t)
|
||||
|
||||
files_read_etc_files($1_evolution_alarm_t)
|
||||
files_read_usr_files($1_evolution_alarm_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_evolution_alarm_t)
|
||||
|
||||
libs_use_ld_so($1_evolution_alarm_t)
|
||||
libs_use_shared_libs($1_evolution_alarm_t)
|
||||
|
||||
miscfiles_read_localization($1_evolution_alarm_t)
|
||||
|
||||
@ -511,6 +531,15 @@ template(`evolution_per_role_template',`
|
||||
fs_manage_cifs_files($1_evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_user_bus_client_template($1,$1_evolution_alarm,$1_evolution_alarm_t)
|
||||
dbus_send_user_bus($1,$1_evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_alarm_t)
|
||||
')
|
||||
@ -525,6 +554,9 @@ template(`evolution_per_role_template',`
|
||||
# Evolution exchange connector local policy
|
||||
#
|
||||
|
||||
allow $1_evolution_exchange_t self:process getsched;
|
||||
allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
|
||||
allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -571,8 +603,18 @@ template(`evolution_per_role_template',`
|
||||
# Allow netstat
|
||||
corecmd_exec_bin($1_evolution_exchange_t)
|
||||
|
||||
dev_read_urand($1_evolution_exchange_t)
|
||||
|
||||
files_read_etc_files($1_evolution_exchange_t)
|
||||
files_read_usr_files($1_evolution_exchange_t)
|
||||
|
||||
# Access evolution home
|
||||
fs_search_auto_mountpoints($1_evolution_exchange_t)
|
||||
|
||||
libs_use_ld_so($1_evolution_exchange_t)
|
||||
libs_use_shared_libs($1_evolution_exchange_t)
|
||||
|
||||
miscfiles_read_localization($1_evolution_exchange_t)
|
||||
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs($1,$1_evolution_exchange_t)
|
||||
@ -591,6 +633,10 @@ template(`evolution_per_role_template',`
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files($1_evolution_exchange_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_exchange_t)
|
||||
@ -606,6 +652,8 @@ template(`evolution_per_role_template',`
|
||||
# Evolution data server local policy
|
||||
#
|
||||
|
||||
allow $1_evolution_server_t self:process { getsched signal };
|
||||
|
||||
allow $1_evolution_server_t self:fifo_file { read write };
|
||||
allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
|
||||
# Talk to ldap (address book),
|
||||
@ -643,6 +691,8 @@ template(`evolution_per_role_template',`
|
||||
corenet_sendrecv_http_client_packets($1_evolution_server_t)
|
||||
corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
|
||||
|
||||
dev_read_urand($1_evolution_server_t)
|
||||
|
||||
files_read_etc_files($1_evolution_server_t)
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
files_read_usr_files($1_evolution_server_t)
|
||||
@ -652,6 +702,7 @@ template(`evolution_per_role_template',`
|
||||
libs_use_ld_so($1_evolution_server_t)
|
||||
libs_use_shared_libs($1_evolution_server_t)
|
||||
|
||||
miscfiles_read_localization($1_evolution_server_t)
|
||||
# Look in /etc/pki
|
||||
miscfiles_read_certs($1_evolution_server_t)
|
||||
|
||||
@ -681,6 +732,10 @@ template(`evolution_per_role_template',`
|
||||
fs_manage_cifs_files($1_evolution_server_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_server_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_server_t)
|
||||
')
|
||||
@ -813,3 +868,45 @@ template(`evolution_stream_connect',`
|
||||
allow $2 $1_evolution_t:unix_stream_socket connectto;
|
||||
allow $2 $1_evolution_home_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## evolution over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`evolution_dbus_chat',`
|
||||
gen_require(`
|
||||
type $1_evolution_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $2 $1_evolution_t:dbus send_msg;
|
||||
allow $1_evolution_t $2:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## evolution_alarm over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`evolution_alarm_dbus_chat',`
|
||||
gen_require(`
|
||||
type $1_evolution_alarm_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $2 $1_evolution_alarm_t:dbus send_msg;
|
||||
allow $1_evolution_alarm_t $2:dbus send_msg;
|
||||
')
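Review bot: `evolution_dbus_chat` and `evolution_alarm_dbus_chat` in the `@ -813,3 +868,45 @@` hunk are declared with `interface(` and document a single `domain` parameter, yet their bodies use `$1_evolution_t` / `$1_evolution_alarm_t` and `$2`, so `$1` is really a userdomain prefix and `$2` the domain, exactly as the sibling `mozilla_dbus_chat` template in this commit is written; declare both with `template(` and add the `<param name="userdomain_prefix">` block so the doc generator and callers see two parameters. In the `@ -463,7 +474,8 @@` hunk the header indicates a pure addition, so the new `allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms;` appears to sit next to the older `allow $1_evolution_alarm_t self:fifo_file { read write };` that it subsumes; the older line should be dropped, as the mozilla `@ -60,7 +60,7 @@` hunk does for its domain. The `mozilla_read_user_home_files($1, $1_evolution_t)` call in the `@ -404,13 +419,18 @@` hunk gives the mail client read access to the whole browser profile directory, which holds cookies and stored credentials; if the purpose is only launching the browser, the `mozilla_domtrans_user_mozilla` line directly below it is sufficient, otherwise a comment naming the file evolution actually needs would let this be scoped later. `evolution_per_role_template` itself starts and ends outside these hunks.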
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(evolution,1.1.0)
|
||||
policy_module(evolution,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -34,6 +34,10 @@
|
||||
#
|
||||
template(`games_per_role_template',`
|
||||
|
||||
gen_require(`
|
||||
type games_exec_t, games_data_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(games,1.1.0)
|
||||
policy_module(games,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,3 +1,5 @@
|
||||
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
|
||||
|
||||
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
|
||||
|
||||
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
||||
|
@ -35,19 +35,24 @@
|
||||
template(`gnome_per_role_template',`
|
||||
gen_require(`
|
||||
type gconfd_exec_t;
|
||||
attribute gnomedomain;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
type $1_gconfd_t;
|
||||
type $1_gconfd_t, gnomedomain;
|
||||
|
||||
domain_type($1_gconfd_t)
|
||||
domain_entry_file($1_gconfd_t, gconfd_exec_t)
|
||||
role $3 types $1_gconfd_t;
|
||||
|
||||
type $1_gconf_home_t;
|
||||
files_type($1_gconf_home_t)
|
||||
userdom_user_home_content($1, $1_gconf_home_t)
|
||||
|
||||
type $1_gnome_home_t;
|
||||
userdom_user_home_content($1, $1_gnome_home_t)
|
||||
|
||||
type $1_gconf_tmp_t;
|
||||
files_tmp_file($1_gconf_tmp_t)
|
||||
@ -58,6 +63,7 @@ template(`gnome_per_role_template',`
|
||||
#
|
||||
|
||||
allow $1_gconfd_t self:process getsched;
|
||||
allow $1_gconfd_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
|
||||
manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
|
||||
@ -75,6 +81,8 @@ template(`gnome_per_role_template',`
|
||||
allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
|
||||
read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
|
||||
|
||||
ps_process_pattern($2,$1_gconfd_t)
|
||||
|
||||
dev_read_urand($1_gconfd_t)
|
||||
|
||||
files_read_etc_files($1_gconfd_t)
|
||||
@ -124,6 +132,64 @@ template(`gnome_stream_connect_gconf_template',`
|
||||
type $1_gconf_tmp_t;
|
||||
')
|
||||
|
||||
read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t)
|
||||
allow $2 $1_gconfd_t:unix_stream_socket connectto;
|
||||
allow $2 $1_gconf_tmp_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Run gconfd in the role-specific gconfd domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Run gconfd in the role-specfic gconfd domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`gnome_domtrans_user_gconf',`
|
||||
gen_require(`
|
||||
type $1_gconfd_t, gconfd_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($2,gconfd_exec_t,$1_gconfd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## manage gnome homedir content (.config)
|
||||
## </summary>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`gnome_manage_user_gnome_config',`
|
||||
gen_require(`
|
||||
type $1_gnome_home_t;
|
||||
')
|
||||
|
||||
allow $2 $1_gnome_home_t:dir manage_dir_perms;
|
||||
allow $2 $1_gnome_home_t:file manage_file_perms;
|
||||
')
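Review bot: `gnome_manage_user_gnome_config` in the `@ -124,6 +132,64 @@` hunk grants access with raw `allow $2 $1_gnome_home_t:dir manage_dir_perms;` / `allow $2 $1_gnome_home_t:file manage_file_perms;` rules, while the `gnome_per_role_template` body in the same file already uses the pattern macros (`manage_dirs_pattern`/`manage_files_pattern` in the `@ -58,6 +63,7 @@` context); write it as `manage_dirs_pattern($2,$1_gnome_home_t,$1_gnome_home_t)` and `manage_files_pattern($2,$1_gnome_home_t,$1_gnome_home_t)`, and say in its `<desc>` that the caller is expected to already have search access to the home directory, since the template grants none. The same hunk adds `read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t)` to `gnome_stream_connect_gconf_template` two lines above the existing `allow $2 $1_gconf_tmp_t:file read_file_perms;`, which the pattern already covers, so the older line can go. The `<desc>` of `gnome_domtrans_user_gconf` reads `role-specfic`; it should be `role-specific`.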
|
||||
|
@ -1,11 +1,13 @@
|
||||
|
||||
policy_module(gnome,1.0.0)
|
||||
policy_module(gnome,1.0.1)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute gnomedomain;
|
||||
|
||||
type gconf_etc_t;
|
||||
files_type(gconf_etc_t)
|
||||
|
||||
|
@ -169,6 +169,39 @@ template(`java_per_role_template',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Run java in javaplugin domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Run java in javaplugin domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`java_domtrans_user_javaplugin',`
|
||||
gen_require(`
|
||||
type $1_javaplugin_t, java_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($2,java_exec_t,$1_javaplugin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the java program in the java domain.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(java,1.3.1)
|
||||
policy_module(java,1.3.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,6 +18,10 @@ init_system_domain(java_t,java_exec_t)
|
||||
ifdef(`targeted_policy',`
|
||||
# execheap is needed for itanium/BEA jrocket
|
||||
allow java_t self:process { execstack execmem execheap };
|
||||
unconfined_domain_noaudit(java_t)
|
||||
role system_r types java_t;
|
||||
|
||||
init_dbus_chat_script(java_t)
|
||||
|
||||
unconfined_domain_noaudit(java_t)
|
||||
unconfined_dbus_chat(java_t)
|
||||
')
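Review bot: `init_dbus_chat_script(java_t)` and `unconfined_dbus_chat(java_t)` in the `@ -18,6 +18,10 @@` hunk carry no justification, while the `execheap` rule in the same `ifdef(`targeted_policy'` block names the JVM that needs it; bidirectional dbus with init scripts and with the unconfined domain is a broad grant even for a domain that is already `unconfined_domain_noaudit`, because dbus `send_msg` is not covered by the unconfined attribute and is the one thing here that still distinguishes peers. A comment in the style of the existing one, such as `# <java deployment that registers over dbus — fill in> needs dbus to init scripts and unconfined_t`, would let a later reviewer decide whether the two rules still apply or can be narrowed to one direction.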
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(loadkeys,1.0.0)
|
||||
policy_module(loadkeys,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -15,10 +15,8 @@ ifdef(`targeted_policy',`
|
||||
# all user domain ttys
|
||||
|
||||
type loadkeys_t;
|
||||
domain_type(loadkeys_t)
|
||||
|
||||
type loadkeys_exec_t;
|
||||
domain_entry_file(loadkeys_t,loadkeys_exec_t)
|
||||
init_system_domain(loadkeys_t,loadkeys_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -29,15 +27,22 @@ ifdef(`targeted_policy',`
|
||||
ifdef(`targeted_policy',`
|
||||
# loadkeys domain disabled in targeted policy
|
||||
',`
|
||||
allow loadkeys_t self:capability { setuid sys_tty_config };
|
||||
allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
|
||||
allow loadkeys_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
kernel_read_system_state(loadkeys_t)
|
||||
|
||||
corecmd_exec_bin(loadkeys_t)
|
||||
corecmd_exec_shell(loadkeys_t)
|
||||
corecmd_search_sbin(loadkeys_t)
|
||||
|
||||
files_dontaudit_read_etc_runtime_files(loadkeys_t)
|
||||
files_read_etc_files(loadkeys_t)
|
||||
files_read_etc_runtime_files(loadkeys_t)
|
||||
|
||||
term_dontaudit_use_console(loadkeys_t)
|
||||
term_dontaudit_use_unallocated_ttys(loadkeys_t)
|
||||
|
||||
init_dontaudit_use_script_ptys(loadkeys_t)
|
||||
|
||||
libs_use_ld_so(loadkeys_t)
|
||||
libs_use_shared_libs(loadkeys_t)
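Review bot: The replacement capability line `allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };` in the `@ -29,15 +27,22 @@` hunk adds two capabilities that bypass file permission checks outright, with no comment saying which file access of loadkeys triggers them; keymap files are normally world-readable, so if this came from a denial while probing something inaccessible, `dontaudit loadkeys_t self:capability { dac_override dac_read_search };` silences the log without granting the bypass. The new `corecmd_exec_shell(loadkeys_t)` / `corecmd_exec_bin(loadkeys_t)` pair also deserves a why-comment (presumably decompressing compressed keymaps through an external tool — confirm), since shell execution in a setuid-capable console domain is exactly the rule later reviewers will question. The `ifdef(`targeted_policy'` else branch these rules live in closes outside the hunk.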
|
||||
|
@ -60,7 +60,7 @@ template(`mozilla_per_role_template',`
|
||||
|
||||
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
|
||||
allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
|
||||
allow $1_mozilla_t self:fifo_file { getattr read write };
|
||||
allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
|
||||
allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
|
||||
allow $1_mozilla_t self:sem create_sem_perms;
|
||||
allow $1_mozilla_t self:socket create_socket_perms;
|
||||
@ -150,6 +150,7 @@ template(`mozilla_per_role_template',`
|
||||
dev_write_sound($1_mozilla_t)
|
||||
dev_read_sound($1_mozilla_t)
|
||||
dev_dontaudit_rw_dri($1_mozilla_t)
|
||||
dev_getattr_sysfs_dirs($1_mozilla_t)
|
||||
|
||||
files_read_etc_runtime_files($1_mozilla_t)
|
||||
files_read_usr_files($1_mozilla_t)
|
||||
@ -159,10 +160,13 @@ template(`mozilla_per_role_template',`
|
||||
# interacting with gstreamer
|
||||
files_read_var_files($1_mozilla_t)
|
||||
files_read_var_symlinks($1_mozilla_t)
|
||||
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_mozilla_t)
|
||||
fs_search_inotifyfs($1_mozilla_t)
|
||||
fs_list_inotifyfs($1_mozilla_t)
|
||||
fs_rw_tmpfs_files($1_mozilla_t)
|
||||
|
||||
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
|
||||
|
||||
libs_use_ld_so($1_mozilla_t)
|
||||
libs_use_lib_files($1_mozilla_t)
|
||||
@ -185,7 +189,9 @@ template(`mozilla_per_role_template',`
|
||||
userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
|
||||
|
||||
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
|
||||
|
||||
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
|
||||
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
allow $1_mozilla_t self:process { execmem execstack };
|
||||
')
|
||||
@ -318,12 +324,14 @@ template(`mozilla_per_role_template',`
|
||||
|
||||
tunable_policy(`write_untrusted_content',`
|
||||
files_search_home($1_mozilla_t)
|
||||
userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
|
||||
files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
|
||||
files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
|
||||
|
||||
userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,file)
|
||||
userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,dir)
|
||||
',`
|
||||
userdom_manage_user_untrusted_content_files($1,$1_mozilla_t)
|
||||
userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
|
||||
userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
|
||||
',`
|
||||
files_dontaudit_list_home($1_mozilla_t)
|
||||
files_dontaudit_list_tmp($1_mozilla_t)
|
||||
|
||||
@ -339,18 +347,37 @@ template(`mozilla_per_role_template',`
|
||||
apache_read_user_content($1,$1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
automount_dontaudit_getattr_tmp_dirs($1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cups_read_rw_config($1_mozilla_t)
|
||||
cups_dbus_chat($1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
|
||||
dbus_send_system_bus($1_mozilla_t)
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`
|
||||
allow cupsd_t $1_mozilla_t:dbus send_msg;
|
||||
')
|
||||
')
|
||||
dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
|
||||
dbus_send_user_bus($1,$1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_domtrans_user_javaplugin($1, $1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_domtrans_user_lpr($1,$1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
|
||||
mplayer_read_user_home_files($1, $1_mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -358,44 +385,16 @@ template(`mozilla_per_role_template',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_domtrans_user_lpr($1,$1_mozilla_t)
|
||||
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Java plugin
|
||||
optional_policy(`
|
||||
#reh, these are hacked in types due to the use of the java_per_role_template
|
||||
type $1_mozilla_tmp_t;
|
||||
files_tmp_file($1_mozilla_tmp_t)
|
||||
|
||||
#this looks even more ugly.
|
||||
type $1_mozilla_tty_device_t;
|
||||
term_tty($1_mozilla_t,$1_mozilla_tty_device_t)
|
||||
type $1_mozilla_devpts_t;
|
||||
term_pty($1_mozilla_devpts_t)
|
||||
type $1_mozilla_home_dir_t;
|
||||
userdom_user_home_content($1,$1_mozilla_home_dir_t)
|
||||
|
||||
java_per_role_template($1_mozilla,$2,$3)
|
||||
')
|
||||
|
||||
######### Launch mplayer
|
||||
optional_policy(`
|
||||
domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
|
||||
dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
|
||||
dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
|
||||
dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
|
||||
')
|
||||
#NOTE commented out in strict.
|
||||
######### Launch email client, and make webcal links work
|
||||
#ifdef(`evolution.te', `
|
||||
#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
|
||||
#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
|
||||
#')
|
||||
#NOTE commented out in strict
|
||||
#ifdef(`thunderbird.te', `
|
||||
#domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
|
||||
#')
|
||||
|
||||
# Macros for mozilla/mozilla (or other browser) domains.
|
||||
# FIXME: Rules were removed to centralize policy in a gnome_app macro
|
||||
@ -409,3 +408,174 @@ template(`mozilla_per_role_template',`
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read mozilla per user homedir
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Read mozilla per user homedir
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`mozilla_read_user_home_files',`
|
||||
gen_require(`
|
||||
type $1_mozilla_home_t;
|
||||
')
|
||||
|
||||
allow $2 $1_mozilla_home_t:dir list_dir_perms;
|
||||
allow $2 $1_mozilla_home_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## write mozilla per user homedir
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Read mozilla per user homedir
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`mozilla_write_user_home_files',`
|
||||
gen_require(`
|
||||
type $1_mozilla_home_t;
|
||||
')
|
||||
|
||||
allow $2 $1_mozilla_home_t:dir list_dir_perms;
|
||||
allow $2 $1_mozilla_home_t:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Run mozilla in user mozilla domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Run mozilla in mozilla domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`mozilla_domtrans_user_mozilla',`
|
||||
gen_require(`
|
||||
type $1_mozilla_t, mozilla_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($2, mozilla_exec_t,$1_mozilla_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## mozilla over dbus.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Send and receive messages from
|
||||
## mozilla over dbus.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`mozilla_dbus_chat',`
|
||||
gen_require(`
|
||||
type $1_mozilla_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $2 $1_mozilla_t:dbus send_msg;
|
||||
allow $1_mozilla_t $2:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## read/write mozilla per user tcp_socket
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## read/write mozilla per user tcp_socket
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`mozilla_rw_user_tcp_sockets',`
|
||||
gen_require(`
|
||||
type $1_mozilla_t;
|
||||
')
|
||||
|
||||
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
|
||||
')
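Review bot: `fs_rw_tmpfs_files($1_mozilla_t)` in the `@ -159,10 +160,13 @@` hunk lets the browser read and write every generic tmpfs file on the system rather than only its own `$1_mozilla_tmpfs_t` that `xserver_user_client_template` already provides, so a comment naming the access that required it, or a narrower type, is warranted; `fs_list_inotifyfs($1_mozilla_t)` on the line above it also makes the kept `fs_search_inotifyfs($1_mozilla_t)` redundant. In the `@ -409,3 +408,174 @@` hunk the `<desc>` of `mozilla_write_user_home_files` still says `Read mozilla per user homedir` although its summary and body are about writing, and the body grants a bare `allow $2 $1_mozilla_home_t:file write;` where its read sibling uses `read_file_perms`; the desc should read `Write mozilla per user homedir` and the permission should be spelled with the perms macro that matches what callers need (`rw_file_perms` if they also read). `cups_dbus_chat($1_mozilla_t)` in the `@ -339,18 +347,37 @@` hunk is bidirectional dbus with the print daemon, whereas the removed `ifdef(`TODO'` block only let cupsd send to mozilla; if one direction suffices, the narrower rule is preferable. `mozilla_per_role_template` starts outside these hunks.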
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mozilla,1.1.0)
|
||||
policy_module(mozilla,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -33,6 +33,9 @@
|
||||
## </param>
|
||||
#
|
||||
template(`mplayer_per_role_template',`
|
||||
gen_require(`
|
||||
type mencoder_exec_t, mplayer_exec_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -198,6 +201,10 @@ template(`mplayer_per_role_template',`
|
||||
userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
|
||||
')
|
||||
|
||||
tunable_policy(`write_untrusted_content',`
|
||||
userdom_manage_user_untrusted_content_files($1, $1_mplayer_t)
|
||||
')
|
||||
|
||||
# Save encoded files
|
||||
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
|
||||
files_search_home($1_mencoder_t)
|
||||
@ -249,6 +256,7 @@ template(`mplayer_per_role_template',`
|
||||
|
||||
allow $1_mplayer_t self:process { signal_perms getsched };
|
||||
allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
|
||||
allow $1_mplayer_t self:sem create_sem_perms;
|
||||
|
||||
manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
|
||||
manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
|
||||
@ -320,6 +328,7 @@ template(`mplayer_per_role_template',`
|
||||
|
||||
fs_dontaudit_getattr_all_fs($1_mplayer_t)
|
||||
fs_search_auto_mountpoints($1_mplayer_t)
|
||||
fs_list_inotifyfs($1_mplayer_t)
|
||||
|
||||
libs_use_ld_so($1_mplayer_t)
|
||||
libs_use_shared_libs($1_mplayer_t)
|
||||
@ -435,3 +444,69 @@ template(`mplayer_per_role_template',`
|
||||
nscd_socket_use($1_mplayer_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Run mplayer in mplayer domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Run mplayer in mplayer domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`mplayer_domtrans_user_mplayer',`
|
||||
gen_require(`
|
||||
type $1_mplayer_t, mplayer_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read mplayer per user homedir
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Read mplayer per user homedir
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`mplayer_read_user_home_files',`
|
||||
gen_require(`
|
||||
type $1_mplayer_home_t;
|
||||
')
|
||||
|
||||
read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mplayer,1.1.0)
|
||||
policy_module(mplayer,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -19,3 +19,23 @@ interface(`slocate_create_append_log',`
|
||||
create_files_pattern($1,locate_log_t,locate_log_t)
|
||||
append_files_pattern($1,locate_log_t,locate_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read locate lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`locate_read_lib_files',`
|
||||
gen_require(`
|
||||
type locate_var_lib_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1,locate_var_lib_t,locate_var_lib_t)
|
||||
allow $1 locate_var_lib_t:dir list_dir_perms;
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
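Review bot: The new interface at L5493 is named `locate_read_lib_files`, while the module and its existing interface use the `slocate_` prefix (`slocate_create_append_log`, L5449); the refpolicy convention is that an interface name starts with its module name, so callers grepping or reading generated docs for `slocate_*` will not find this one. Rename it `interface(`slocate_read_lib_files',`` and keep the body. Since `read_files_pattern` already grants search on `locate_var_lib_t` directories, the `allow $1 locate_var_lib_t:dir list_dir_perms;` on L5510 is the only rule widening beyond read and deserves a mention in the summary, e.g. `## Read locate lib files and list locate lib directories.`.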
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(slocate,1.3.0)
|
||||
policy_module(slocate,1.3.1)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -44,6 +44,7 @@ files_read_etc_files(locate_t)
|
||||
|
||||
fs_getattr_xattr_fs(locate_t)
|
||||
fs_getattr_rpc_pipefs(locate_t)
|
||||
fs_getattr_rpc_dirs(locate_t)
|
||||
|
||||
libs_use_shared_libs(locate_t)
|
||||
libs_use_ld_so(locate_t)
|
||||
|
@ -46,6 +46,7 @@ template(`thunderbird_per_role_template',`
|
||||
|
||||
type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
|
||||
files_poly_member($1_thunderbird_home_t)
|
||||
userdom_user_home_content($1, $1_thunderbird_home_t)
|
||||
|
||||
type $1_thunderbird_tmpfs_t;
|
||||
files_tmpfs_file($1_thunderbird_tmpfs_t)
|
||||
@ -62,6 +63,7 @@ template(`thunderbird_per_role_template',`
|
||||
allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
|
||||
allow $1_thunderbird_t self:tcp_socket create_socket_perms;
|
||||
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
|
||||
allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# Access ~/.thunderbird
|
||||
manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
|
||||
@ -89,16 +91,19 @@ template(`thunderbird_per_role_template',`
|
||||
manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
|
||||
manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
|
||||
manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
|
||||
|
||||
relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
|
||||
relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
|
||||
relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
|
||||
|
||||
# Allow netstat
|
||||
kernel_read_network_state($1_thunderbird_t)
|
||||
kernel_read_net_sysctls($1_thunderbird_t)
|
||||
kernel_read_system_state($1_thunderbird_t)
|
||||
|
||||
corecmd_exec_shell($1_thunderbird_t)
|
||||
# Startup shellscript
|
||||
corecmd_exec_bin($1_thunderbird_t)
|
||||
corecmd_search_sbin($1_thunderbird_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
|
||||
@ -122,11 +127,22 @@ template(`thunderbird_per_role_template',`
|
||||
corenet_sendrecv_pop_client_packets($1_thunderbird_t)
|
||||
corenet_sendrecv_http_client_packets($1_thunderbird_t)
|
||||
|
||||
dev_read_urand($1_thunderbird_t)
|
||||
dev_dontaudit_search_sysfs($1_thunderbird_t)
|
||||
|
||||
files_list_tmp($1_thunderbird_t)
|
||||
files_read_usr_files($1_thunderbird_t)
|
||||
files_read_etc_files($1_thunderbird_t)
|
||||
files_read_etc_runtime_files($1_thunderbird_t)
|
||||
files_read_var_files($1_thunderbird_t)
|
||||
files_read_var_symlinks($1_thunderbird_t)
|
||||
files_dontaudit_getattr_all_tmp_files($1_thunderbird_t)
|
||||
files_dontaudit_getattr_boot_dirs($1_thunderbird_t)
|
||||
files_dontaudit_getattr_lost_found_dirs($1_thunderbird_t)
|
||||
files_dontaudit_search_mnt($1_thunderbird_t)
|
||||
|
||||
fs_getattr_xattr_fs($1_thunderbird_t)
|
||||
fs_list_inotifyfs($1_thunderbird_t)
|
||||
# Access ~/.thunderbird
|
||||
fs_search_auto_mountpoints($1_thunderbird_t)
|
||||
|
||||
@ -134,6 +150,7 @@ template(`thunderbird_per_role_template',`
|
||||
libs_use_ld_so($1_thunderbird_t)
|
||||
|
||||
miscfiles_read_fonts($1_thunderbird_t)
|
||||
miscfiles_read_localization($1_thunderbird_t)
|
||||
|
||||
sysnet_read_config($1_thunderbird_t)
|
||||
# Allow DNS
|
||||
@ -147,7 +164,9 @@ template(`thunderbird_per_role_template',`
|
||||
userdom_read_user_home_content_files($1,$1_thunderbird_t)
|
||||
|
||||
xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
|
||||
|
||||
xserver_read_xdm_tmp_files($1_thunderbird_t)
|
||||
xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
|
||||
|
||||
# Transition from user type
|
||||
tunable_policy(`! disable_thunderbird_trans',`
|
||||
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
|
||||
@ -200,7 +219,6 @@ template(`thunderbird_per_role_template',`
|
||||
userdom_read_user_tmp_symlinks($1,$1_thunderbird_t)
|
||||
userdom_search_user_home_dirs($1,$1_thunderbird_t)
|
||||
userdom_read_user_home_content_files($1,$1_thunderbird_t)
|
||||
userdom_read_user_home_content_symlinks($1,$1_thunderbird_t)
|
||||
|
||||
ifndef(`enable_mls',`
|
||||
fs_search_removable($1_thunderbird_t)
|
||||
@ -284,9 +302,10 @@ template(`thunderbird_per_role_template',`
|
||||
files_search_home($1_thunderbird_t)
|
||||
files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,file)
|
||||
files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir)
|
||||
|
||||
userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,file)
|
||||
userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,dir)
|
||||
userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t)
|
||||
userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t)
|
||||
userdom_user_home_dir_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir })
|
||||
userdom_user_home_content_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir })
|
||||
',`
|
||||
files_dontaudit_list_home($1_thunderbird_t)
|
||||
files_dontaudit_list_tmp($1_thunderbird_t)
|
||||
@ -305,44 +324,81 @@ template(`thunderbird_per_role_template',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_domtrans_user_lpr($1,$1_thunderbird_t)
|
||||
cups_read_rw_config($1_thunderbird_t)
|
||||
cups_dbus_chat($1_thunderbird_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cups_read_rw_config($1_thunderbird_t)
|
||||
gnome_stream_connect_gconf_template($1,$1_thunderbird_t)
|
||||
gnome_domtrans_user_gconf($1, $1_thunderbird_t)
|
||||
gnome_manage_user_gnome_config($1, $1_thunderbird_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gpg_domtrans_user_gpg($1,$1_thunderbird_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_domtrans_user_lpr($1,$1_thunderbird_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mozilla_read_user_home_files($1, $1_thunderbird_t)
|
||||
mozilla_domtrans_user_mozilla($1, $1_thunderbird_t)
|
||||
mozilla_dbus_chat($1, $1_thunderbird_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_thunderbird_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_thunderbird_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# FIXME: Rules were removed to centralize policy in a gnome_app macro
|
||||
# A similar thing might be necessary for mozilla compiled without GNOME
|
||||
# support (is this possible?).
|
||||
|
||||
# Start links in web browser
|
||||
ifdef(`mozilla.te', `
|
||||
can_exec($1_thunderbird_t, shell_exec_t)
|
||||
domain_auto_trans($1_thunderbird_t, mozilla_exec_t, $1_mozilla_t)
|
||||
')
|
||||
|
||||
# GNOME support
|
||||
optional_policy(`
|
||||
gnome_application($1_thunderbird, $1)
|
||||
gnome_file_dialog($1_thunderbird, $1)
|
||||
allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
|
||||
')
|
||||
optinal_policy(`
|
||||
allow $1_t $2_dbusd_t:dbus send_msg;
|
||||
ifdef(`cups.te', `
|
||||
allow cupsd_t $1_t:dbus send_msg;
|
||||
')
|
||||
')
|
||||
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Run thunderbird in the user thunderbird domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Run thunderbird in the user thunderbird domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`thunderbird_domtrans_user_thunderbird',`
|
||||
gen_require(`
|
||||
type $1_thunderbird_t, thunderbird_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($2, thunderbird_exec_t,$1_thunderbird_t)
|
||||
')
|
||||
|
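Review bot: `thunderbird_domtrans_user_thunderbird` (L6105-6122) transitions unconditionally through `domtrans_pattern`, whereas the per-role template only transitions from the user domain inside `tunable_policy(`! disable_thunderbird_trans',`` (L5777-5780); a caller of the new template therefore gets the transition even when the tunable has been set to disable it. Either wrap the `domtrans_pattern($2, thunderbird_exec_t,$1_thunderbird_t)` call in the same `tunable_policy` block, or state in the template's `<desc>` that it is not governed by `disable_thunderbird_trans` so callers know which behaviour they are getting. The enclosing `thunderbird_per_role_template` (L5562-6025) begins and ends outside the visible hunks.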
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(thunderbird,1.1.0)
|
||||
policy_module(thunderbird,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -33,6 +33,9 @@
|
||||
## </param>
|
||||
#
|
||||
template(`tvtime_per_role_template',`
|
||||
gen_require(`
|
||||
type tvtime_exec_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tvtime,1.1.0)
|
||||
policy_module(tvtime,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -34,6 +34,10 @@
|
||||
#
|
||||
template(`uml_per_role_template',`
|
||||
|
||||
gen_require(`
|
||||
type uml_ro_t, uml_exec_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(uml,1.1.0)
|
||||
policy_module(uml,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -49,7 +49,7 @@ template(`userhelper_per_role_template',`
|
||||
domain_obj_id_change_exemption($1_userhelper_t)
|
||||
domain_interactive_fd($1_userhelper_t)
|
||||
domain_subj_id_change_exemption($1_userhelper_t)
|
||||
role system_r types $1_userhelper_t;
|
||||
role $3 types $1_userhelper_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -287,3 +287,21 @@ template(`userhelper_sigchld_user',`
|
||||
|
||||
allow $2 $1_userhelper_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the userhelper program in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userhelper_exec',`
|
||||
gen_require(`
|
||||
type userhelper_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,userhelper_exec_t)
|
||||
')
|
||||
|
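Review bot: The two role lines at L6260 and L6263 (`role system_r types $1_userhelper_t;` and `role $3 types $1_userhelper_t;`) render without +/- markers, and the hunk header (7 old, 7 new lines) says one replaces the other. If `role system_r` is the new side, the per-user userhelper domain becomes reachable from the system role rather than only from the caller's role `$3`, which widens which roles may run it and deserves a justification comment such as `# system_r authorization needed because <reason>`. If the direction is reversed, the commit is narrowing the authorization and no comment is needed. `userhelper_per_role_template` starts and ends outside the hunk.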
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userhelper,1.1.0)
|
||||
policy_module(userhelper,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -33,6 +33,9 @@
|
||||
## </param>
|
||||
#
|
||||
template(`vmware_per_role_template',`
|
||||
gen_require(`
|
||||
type vmware_exec_t, vmware_sys_conf_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(vmware,1.0.0)
|
||||
policy_module(vmware,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(webalizer,1.3.0)
|
||||
policy_module(webalizer,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -67,6 +67,7 @@ corenet_tcp_sendrecv_all_nodes(webalizer_t)
|
||||
corenet_tcp_sendrecv_all_ports(webalizer_t)
|
||||
|
||||
fs_search_auto_mountpoints(webalizer_t)
|
||||
fs_getattr_xattr_fs(webalizer_t)
|
||||
|
||||
files_read_etc_files(webalizer_t)
|
||||
files_read_etc_runtime_files(webalizer_t)
|
||||
|
@ -73,6 +73,7 @@ ifdef(`distro_debian',`
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
/etc/X11/prefdm -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/games/nethack-3.4.3/nethack -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
@ -189,7 +190,12 @@ ifdef(`distro_redhat', `
|
||||
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
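Review bot: `/usr/share/authconfig/authconfig.py` (L6484) leaves the `.` unescaped while its neighbours on L6478 and L6481 write `\.py`; file-context paths are regular expressions, so the bare dot matches any character. Change it to `/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)`. The same applies to the nethack entry in the previous hunk (L6461), where `nethack-3.4.3` should at least be `nethack-3\.4\.3`; pinning a package version in an fc entry also means the label is lost on the next upgrade, so a version-agnostic pattern such as `nethack-[^/]+/nethack` would be more durable.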
@ -463,6 +463,25 @@ interface(`corecmd_list_sbin',`
|
||||
list_dirs_pattern($1,sbin_t,sbin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write
|
||||
## sbin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_write_sbin_dirs',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sbin_t:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of sbin files.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.5.0)
|
||||
policy_module(corecommands,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1003,6 +1003,25 @@ interface(`corenet_tcp_connect_all_ports',`
|
||||
allow $1 port_type:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to connect TCP sockets
|
||||
## to all ports.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_dontaudit_tcp_connect_all_ports',`
|
||||
gen_require(`
|
||||
attribute port_type;
|
||||
')
|
||||
|
||||
dontaudit $1 port_type:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive TCP network traffic on generic reserved ports.
|
||||
@ -1271,6 +1290,42 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
|
||||
dontaudit $1 reserved_port_type:udp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind TCP sockets to all ports > 1024.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_tcp_bind_all_unreserved_ports',`
|
||||
gen_require(`
|
||||
attribute port_type, reserved_port_type;
|
||||
')
|
||||
|
||||
allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind UDP sockets to all ports > 1024.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_udp_bind_all_unreserved_ports',`
|
||||
gen_require(`
|
||||
attribute port_type, reserved_port_type;
|
||||
')
|
||||
|
||||
allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect TCP sockets to reserved ports.
|
||||
@ -1510,6 +1565,35 @@ interface(`corenet_dontaudit_udp_recv_netlabel',`
|
||||
kernel_dontaudit_udp_recvfrom_unlabeled($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive Raw IP packets from a NetLabel connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_raw_recv_netlabel',`
|
||||
kernel_raw_recvfrom_unlabeled($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to receive Raw IP packets from a NetLabel
|
||||
## connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_dontaudit_raw_recv_netlabel',`
|
||||
kernel_dontaudit_raw_recvfrom_unlabeled($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic client packets.
|
||||
|
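Review bot: The summaries of `corenet_tcp_bind_all_unreserved_ports` (L6700) and `corenet_udp_bind_all_unreserved_ports` (L6752) say "all ports > 1024", but `{ port_type -reserved_port_type }` covers every labelled port type that is not reserved, which includes port 1024 itself; `## Bind TCP sockets to all non-reserved ports (1024 and above).` (and the UDP equivalent) states the rule's actual scope. The parameter text `The type of the process performing this action.` on L6712 and L6764 also differs from the `Domain allowed access.` wording used by the surrounding interfaces in this file (L6836), so the generated documentation will read inconsistently.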
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.2.3)
|
||||
policy_module(corenetwork,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -111,7 +111,7 @@ network_port(netsupport, tcp,5405,s0, udp,5405,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
|
||||
network_port(ntp, udp,123,s0)
|
||||
network_port(ocsp, tcp,9080,s0)
|
||||
network_port(openvpn, udp,1194,s0)
|
||||
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
|
||||
network_port(pegasus_http, tcp,5988,s0)
|
||||
network_port(pegasus_https, tcp,5989,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
@ -196,6 +196,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
|
||||
build_option(`enable_mls',`
|
||||
network_interface(lo, lo,s0 - mls_systemhigh)
|
||||
',`
|
||||
typealias netif_t alias netif_lo_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
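Review bot: The non-MLS branch at L6970-6973 aliases `netif_lo_t` to the generic `netif_t`, so in a non-MLS build any rule written against the loopback interface type applies to every interface labelled `netif_t`, and nothing in the hunk says this is intended. A comment above the `typealias`, e.g. `# non-MLS builds do not give lo its own type; netif_lo_t is kept only as a compatibility alias for netif_t`, would stop the next reader from assuming lo-only interfaces are lo-only outside MLS.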
@ -1053,6 +1053,25 @@ interface(`domain_dontaudit_getattr_all_pipes',`
|
||||
dontaudit $1 domain:fifo_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified type to set context of all
|
||||
## domains IPSEC associations.
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type of subject to be allowed this.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_ipsec_setcontext_all_domains',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
')
|
||||
|
||||
allow $1 domain:association setcontext;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of entry point
|
||||
@ -1112,6 +1131,24 @@ interface(`domain_exec_all_entry_files',`
|
||||
can_exec($1,entry_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit checking for execute on all entry point files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_exec_all_entry_files',`
|
||||
gen_require(`
|
||||
attribute entry_type;
|
||||
')
|
||||
|
||||
dontaudit $1 entry_type:file exec_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete all
|
||||
|
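Review bot: The summary of `domain_dontaudit_exec_all_entry_files` (L7077) reads `dontaudit checking for execute on all entry point files`, unlike the `Do not audit attempts to ...` phrasing the other dontaudit interfaces on this page use (L6529, L6625, L7329), and the generated interface docs inherit the inconsistency. `## Do not audit attempts to execute all entry point files.` matches the convention. It may also be worth stating in the summary that the rule uses `exec_file_perms`, which presumably covers the read/getattr permissions an exec needs as well as execute itself — confirm against the permission-set definitions.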
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(domain,1.2.0)
|
||||
policy_module(domain,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1002,6 +1002,29 @@ interface(`files_dontaudit_search_all_dirs',`
|
||||
dontaudit $1 file_type:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all filesystems
|
||||
## with the type of a file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
# dwalsh: This interface is to allow quotacheck to work on a
|
||||
# a filesystem mounted with the --context switch
|
||||
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
|
||||
#
|
||||
interface(`files_getattr_all_file_type_fs',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel a filesystem to the type of a file.
|
||||
@ -1937,6 +1960,24 @@ interface(`files_read_etc_symlinks',`
|
||||
read_lnk_files_pattern($1,etc_t,etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete symbolic links in /etc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_etc_symlinks',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
|
||||
manage_lnk_files_pattern($1,etc_t,etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in /etc with a private
|
||||
@ -2487,6 +2528,25 @@ interface(`files_getattr_lost_found_dirs',`
|
||||
allow $1 lost_found_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes of
|
||||
## lost+found directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_lost_found_dirs',`
|
||||
gen_require(`
|
||||
type lost_found_t;
|
||||
')
|
||||
|
||||
dontaudit $1 lost_found_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete objects in
|
||||
@ -3129,6 +3189,43 @@ interface(`files_setattr_all_tmp_dirs',`
|
||||
allow $1 tmpfile:dir { search_dir_perms setattr };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain not to audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_all_tmp_files',`
|
||||
gen_require(`
|
||||
attribute tmpfile;
|
||||
')
|
||||
|
||||
dontaudit $1 tmpfile:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_all_tmp_files',`
|
||||
gen_require(`
|
||||
attribute tmpfile;
|
||||
')
|
||||
|
||||
read_files_pattern($1,tmpfile,tmpfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create an object in the tmp directories, with a private
|
||||
@ -3513,6 +3610,24 @@ interface(`files_dontaudit_write_var_dirs',`
|
||||
dontaudit $1 var_t:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow attempts to write to /var.dirs
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_write_var_dirs',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search
|
||||
@ -3786,6 +3901,7 @@ interface(`files_read_var_lib_files',`
|
||||
type var_t, var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 var_lib_t:dir list_dir_perms;
|
||||
read_files_pattern($1,{ var_t var_lib_t },var_lib_t)
|
||||
')
|
||||
|
||||
@ -4421,7 +4537,7 @@ interface(`files_polyinstantiate_all',`
|
||||
selinux_compute_member($1)
|
||||
|
||||
# Need sys_admin capability for mounting
|
||||
allow $1 self:capability sys_admin;
|
||||
allow $1 self:capability { chown fsetid sys_admin };
|
||||
|
||||
# Need to give access to the directories to be polyinstantiated
|
||||
allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
|
||||
@ -4437,7 +4553,7 @@ interface(`files_polyinstantiate_all',`
|
||||
allow $1 self:process setfscreate;
|
||||
allow $1 polymember: dir { create setattr relabelto };
|
||||
allow $1 polydir: dir { write add_name };
|
||||
allow $1 polyparent:dir { write add_name relabelfrom relabelto };
|
||||
allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
|
||||
|
||||
# Default type for mountpoints
|
||||
allow $1 poly_t:dir { create mounton };
|
||||
|
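Review bot: The capability set at L7622 grows from `sys_admin` to `{ chown fsetid sys_admin }`, but the comment on L7616 (`# Need sys_admin capability for mounting`) still explains only sys_admin, so the reader has to guess why a polyinstantiation domain needs chown and fsetid. Extend it, e.g. `# sys_admin for mounting; chown and fsetid for setting ownership and mode of the polyinstantiated directories` if that is the reason — please confirm. The next hunk (L7648) similarly widens polyparent dir access to `{ read write remove_name add_name relabelfrom relabelto }` without a note. `files_polyinstantiate_all` begins and ends outside these hunks.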
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files,1.4.0)
|
||||
policy_module(files,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -50,6 +50,8 @@ files_mountpoint(default_t)
|
||||
#
|
||||
type etc_t;
|
||||
files_type(etc_t)
|
||||
# compatibility aliases for removed types:
|
||||
typealias etc_t alias automount_etc_t;
|
||||
|
||||
#
|
||||
# etc_runtime_t is the type of various
|
||||
|
@ -2719,6 +2719,25 @@ interface(`fs_tmpfs_filetrans',`
|
||||
filetrans_pattern($1,tmpfs_t,$2,$3)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to getattr
|
||||
## generic tmpfs files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_getattr_tmpfs_files',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 tmpfs_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read or write
|
||||
@ -2735,7 +2754,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 tmpfs_t:file { read write };
|
||||
dontaudit $1 tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(filesystem,1.5.0)
|
||||
policy_module(filesystem,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -103,6 +103,7 @@ genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
|
||||
type rpc_pipefs_t;
|
||||
fs_type(rpc_pipefs_t)
|
||||
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
|
||||
files_mountpoint(rpc_pipefs_t)
|
||||
|
||||
#
|
||||
# tmpfs_t is the type for tmpfs filesystems
|
||||
@ -139,6 +140,7 @@ genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
|
||||
#
|
||||
type cifs_t alias sambafs_t;
|
||||
fs_noxattr_type(cifs_t)
|
||||
files_mountpoint(cifs_t)
|
||||
genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
|
||||
genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
|
||||
|
||||
@ -151,6 +153,7 @@ fs_noxattr_type(dosfs_t)
|
||||
allow dosfs_t fs_t:filesystem associate;
|
||||
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
|
||||
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
|
||||
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
|
||||
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
|
||||
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
|
||||
|
||||
|
@ -2300,6 +2300,67 @@ interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
|
||||
dontaudit $1 unlabeled_t:udp_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive Raw IP packets from a NetLabel connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Receive Raw IP packets from a NetLabel connection, NetLabel is an
|
||||
## explicit packet labeling framework which implements CIPSO and
|
||||
## similar protocols.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
## corenet_raw_recv_netlabel() should
|
||||
## be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_raw_recvfrom_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:rawip_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to receive Raw IP packets from a NetLabel
|
||||
## connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Do not audit attempts to receive Raw IP packets from a NetLabel
|
||||
## connection. NetLabel is an explicit packet labeling framework
|
||||
## which implements CIPSO and similar protocols.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
## corenet_dontaudit_raw_recv_netlabel() should
|
||||
## be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_raw_recvfrom_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
dontaudit $1 unlabeled_t:rawip_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive unlabeled packets.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.5.0)
|
||||
policy_module(kernel,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -239,6 +239,11 @@ mcs_process_set_categories(kernel_t)
|
||||
mls_process_read_up(kernel_t)
|
||||
mls_process_write_down(kernel_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# Bugzilla 222337
|
||||
fs_rw_tmpfs_chr_files(kernel_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(kernel_t)
|
||||
')
|
||||
@ -345,7 +350,7 @@ optional_policy(`
|
||||
# Rules for unconfined acccess to this module
|
||||
#
|
||||
|
||||
allow kern_unconfined proc_type:{ dir file } *;
|
||||
allow kern_unconfined proc_type:{ dir file lnk_file } *;
|
||||
|
||||
allow kern_unconfined sysctl_t:{ dir file } *;
|
||||
|
||||
|
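Review bot: The new `distro_redhat` block at L8126-8135 justifies `fs_rw_tmpfs_chr_files(kernel_t)` with a bare `# Bugzilla 222337`; a bug number on its own tells a reader nothing about which tmpfs character device the kernel domain is reading or writing, nor how to tell when the grant is no longer needed. Replace it with a one-line reason plus the reference, e.g. `# Bugzilla 222337: <which tmpfs chr device kernel_t accesses and why>`.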
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache,1.5.1)
|
||||
policy_module(apache,1.5.2)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -424,6 +424,11 @@ optional_policy(`
|
||||
seutil_sigchld_newrole(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(httpd_t)
|
||||
')
|
||||
@ -684,10 +689,6 @@ optional_policy(`
|
||||
nscd_socket_use(httpd_unconfined_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# httpd_rotatelogs local policy
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apm,1.3.0)
|
||||
policy_module(apm,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -109,6 +109,7 @@ term_dontaudit_use_console(apmd_t)
|
||||
corecmd_exec_all_executables(apmd_t)
|
||||
|
||||
domain_read_all_domains_state(apmd_t)
|
||||
domain_dontaudit_ptrace_all_domains(apmd_t)
|
||||
domain_use_interactive_fds(apmd_t)
|
||||
domain_dontaudit_getattr_all_sockets(apmd_t)
|
||||
domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
|
||||
|
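Review bot: `domain_dontaudit_ptrace_all_domains(apmd_t)` hides ptrace attempts against every domain on the system without any comment on what triggers them, and ptrace denials are one of the few signals that an apm event script is doing something it should not. If the trigger is a helper in the event scripts that walks all processes (my guess, not visible here), say so and keep it dontaudit: `# apm event scripts run helpers that probe all processes; ptrace is not needed, only quiet the noise -- TODO confirm trigger`. The neighbouring `domain_dontaudit_getattr_all_key_sockets` already carries an `# Excessive?` note; the same scepticism applies here.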
@ -2,7 +2,6 @@
|
||||
# /etc
|
||||
#
|
||||
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
|
||||
/etc/auto\..+ -- gen_context(system_u:object_r:automount_etc_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(automount,1.4.0)
|
||||
policy_module(automount,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,9 +13,6 @@ init_daemon_domain(automount_t,automount_exec_t)
|
||||
type automount_var_run_t;
|
||||
files_pid_file(automount_var_run_t)
|
||||
|
||||
type automount_etc_t;
|
||||
files_config_file(automount_etc_t)
|
||||
|
||||
type automount_lock_t;
|
||||
files_lock_file(automount_lock_t)
|
||||
|
||||
@ -28,7 +25,7 @@ files_mountpoint(automount_tmp_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
|
||||
allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin };
|
||||
dontaudit automount_t self:capability sys_tty_config;
|
||||
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
|
||||
allow automount_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -40,9 +37,6 @@ allow automount_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow automount_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow automount_t automount_etc_t:file { getattr read };
|
||||
# because config files can be shell scripts
|
||||
can_exec(automount_t, automount_etc_t)
|
||||
can_exec(automount_t, automount_exec_t)
|
||||
|
||||
allow automount_t automount_lock_t:file manage_file_perms;
|
||||
|
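Review bot: The capability line at the top of the local policy now adds `setgid setuid` to automount_t, which together with the existing `dac_override` and `sys_admin` lets the daemon change identity at will, and neither the hunk nor the changelog say which automount operation needs it. A one-line reason would make this reviewable: `# setuid/setgid: TODO record which automount operation (program maps?) needs identity changes`. Note also that dropping `automount_etc_t` together with `can_exec(automount_t, automount_etc_t)` and the `# because config files can be shell scripts` comment means `/etc/auto.*` maps now carry the generic etc label, so executable maps depend on whatever exec access automount_t has to that type elsewhere in the file — worth confirming that path still works before the type is removed.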
@ -4,5 +4,7 @@
|
||||
|
||||
/usr/sbin/aisexec -- gen_context(system_u:object_r:ccs_exec_t,s0)
|
||||
|
||||
/var/lib/openais(/.*)? gen_context(system_u:object_r:ccs_var_lib_t,s0)
|
||||
|
||||
/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
|
||||
/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ccs,1.0.0)
|
||||
policy_module(ccs,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,6 +18,10 @@ files_type(cluster_conf_t)
|
||||
type ccs_var_log_t;
|
||||
logging_log_file(ccs_var_log_t)
|
||||
|
||||
# var lib files
|
||||
type ccs_var_lib_t;
|
||||
logging_log_file(ccs_var_lib_t)
|
||||
|
||||
# pid files
|
||||
type ccs_var_run_t;
|
||||
files_pid_file(ccs_var_run_t)
|
||||
@ -27,7 +31,7 @@ files_pid_file(ccs_var_run_t)
|
||||
# ccs local policy
|
||||
#
|
||||
|
||||
allow ccs_t self:capability { ipc_lock sys_nice sys_resource };
|
||||
allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
|
||||
allow ccs_t self:process { signal setrlimit setsched };
|
||||
allow ccs_t self:fifo_file { read write };
|
||||
allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
@ -46,6 +50,11 @@ manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
|
||||
allow ccs_t ccs_var_log_t:dir setattr;
|
||||
logging_log_filetrans(ccs_t,ccs_var_log_t,{ sock_file file dir })
|
||||
|
||||
# var lib files
|
||||
manage_dirs_pattern(ccs_t,ccs_var_lib_t,ccs_var_lib_t)
|
||||
manage_files_pattern(ccs_t,ccs_var_lib_t,ccs_var_lib_t)
|
||||
files_var_lib_filetrans(ccs_t,ccs_var_lib_t,{ file dir })
|
||||
|
||||
# pid file
|
||||
manage_dirs_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
|
||||
manage_files_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
|
||||
@ -87,6 +96,11 @@ miscfiles_read_localization(ccs_t)
|
||||
|
||||
sysnet_dns_name_resolve(ccs_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
corecmd_dontaudit_write_sbin_dirs(ccs_t)
|
||||
files_manage_isid_type_files(ccs_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(ccs_t)
|
||||
term_dontaudit_use_unallocated_ttys(ccs_t)
|
||||
|
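Review bot: `type ccs_var_lib_t;` under `# var lib files` is declared with `logging_log_file(ccs_var_lib_t)`, which makes the cluster state in /var/lib/openais a log-file type: every domain holding blanket log access (log rotation, syslog, the log-reading admin interfaces) gets at it, while `files_var_lib_filetrans` is then used on a type whose attribute says "log". It should be `files_type(ccs_var_lib_t)` (copy-paste from the ccs_var_log_t block above, by the look of it). The `sys_admin` added to the capability line and `files_manage_isid_type_files(ccs_t)` under `hide_broken_symptoms` are both very broad grants with no comment on the trigger — the latter covers every file still carrying the initial SID, i.e. unlabeled content anywhere on the system — so each deserves a line saying what ccsd was observed doing.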
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.5.0)
|
||||
policy_module(cups,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -203,6 +203,10 @@ files_read_var_files(cupsd_t)
|
||||
files_read_var_symlinks(cupsd_t)
|
||||
# for /etc/printcap
|
||||
files_dontaudit_write_etc_files(cupsd_t)
|
||||
# smbspool seems to be iterating through all existing tmp files.
|
||||
# redhat bug #214953
|
||||
# cjp: this might be a broken behavior
|
||||
files_dontaudit_getattr_all_tmp_files(cupsd_t)
|
||||
|
||||
selinux_compute_access_vector(cupsd_t)
|
||||
|
||||
|
@ -71,6 +71,7 @@ template(`dbus_per_role_template',`
|
||||
|
||||
allow $1_dbusd_t self:process { getattr sigkill signal };
|
||||
allow $1_dbusd_t self:file { getattr read write };
|
||||
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -102,22 +103,6 @@ template(`dbus_per_role_template',`
|
||||
kernel_read_system_state($1_dbusd_t)
|
||||
kernel_read_kernel_sysctls($1_dbusd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_if($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
|
||||
corenet_tcp_bind_all_nodes($1_dbusd_t)
|
||||
corenet_tcp_bind_reserved_port($1_dbusd_t)
|
||||
|
||||
dev_read_urand($1_dbusd_t)
|
||||
|
||||
selinux_get_fs_mount($1_dbusd_t)
|
||||
selinux_validate_context($1_dbusd_t)
|
||||
selinux_compute_access_vector($1_dbusd_t)
|
||||
selinux_compute_create_context($1_dbusd_t)
|
||||
selinux_compute_relabel_context($1_dbusd_t)
|
||||
selinux_compute_user_contexts($1_dbusd_t)
|
||||
|
||||
corecmd_list_bin($1_dbusd_t)
|
||||
corecmd_read_bin_symlinks($1_dbusd_t)
|
||||
corecmd_read_bin_files($1_dbusd_t)
|
||||
@ -129,11 +114,32 @@ template(`dbus_per_role_template',`
|
||||
corecmd_read_sbin_pipes($1_dbusd_t)
|
||||
corecmd_read_sbin_sockets($1_dbusd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_if($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
|
||||
corenet_tcp_bind_all_nodes($1_dbusd_t)
|
||||
corenet_tcp_bind_reserved_port($1_dbusd_t)
|
||||
|
||||
dev_read_urand($1_dbusd_t)
|
||||
|
||||
domain_use_interactive_fds($1_dbusd_t)
|
||||
|
||||
files_read_etc_files($1_dbusd_t)
|
||||
files_list_home($1_dbusd_t)
|
||||
files_read_usr_files($1_dbusd_t)
|
||||
files_dontaudit_search_var($1_dbusd_t)
|
||||
|
||||
fs_getattr_romfs($1_dbusd_t)
|
||||
fs_getattr_xattr_fs($1_dbusd_t)
|
||||
|
||||
selinux_get_fs_mount($1_dbusd_t)
|
||||
selinux_validate_context($1_dbusd_t)
|
||||
selinux_compute_access_vector($1_dbusd_t)
|
||||
selinux_compute_create_context($1_dbusd_t)
|
||||
selinux_compute_relabel_context($1_dbusd_t)
|
||||
selinux_compute_user_contexts($1_dbusd_t)
|
||||
|
||||
auth_read_pam_console_data($1_dbusd_t)
|
||||
|
||||
libs_use_ld_so($1_dbusd_t)
|
||||
|
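Review bot: The new `allow $1_dbusd_t self:file { getattr read write };` near the top of the template lets the per-user dbus daemon write its own /proc/<pid> entries (those carry the process's domain type) with no comment on which entry it actually needs. Name the trigger so the grant can be narrowed or checked later: `# dbus-daemon writes one of its own /proc/self entries -- TODO record which (oom_adj? attr/*?)`. The rest of the hunk is a reorder of the existing corenet/selinux_* calls plus `files_list_home`, `fs_getattr_romfs`, `fs_getattr_xattr_fs` and `files_dontaudit_search_var`, which read fine; dbus_per_role_template continues past the hunk.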
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dbus,1.4.0)
|
||||
policy_module(dbus,1.4.1)
|
||||
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
|
@ -24,6 +24,10 @@
|
||||
## </param>
|
||||
#
|
||||
template(`ftp_per_role_template',`
|
||||
gen_require(`
|
||||
type ftpd_t;
|
||||
')
|
||||
|
||||
tunable_policy(`ftpd_is_daemon',`
|
||||
userdom_manage_user_home_content_files($1,ftpd_t)
|
||||
userdom_manage_user_home_content_symlinks($1,ftpd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ftp,1.4.0)
|
||||
policy_module(ftp,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -102,6 +102,8 @@ corenet_tcp_bind_all_nodes(ftpd_t)
|
||||
corenet_tcp_bind_ftp_port(ftpd_t)
|
||||
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
||||
corenet_tcp_bind_generic_port(ftpd_t)
|
||||
corenet_tcp_bind_all_unreserved_ports(ftpd_t)
|
||||
corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
|
||||
corenet_tcp_connect_all_ports(ftpd_t)
|
||||
corenet_sendrecv_ftp_server_packets(ftpd_t)
|
||||
|
||||
@ -123,6 +125,7 @@ auth_domtrans_chk_passwd(ftpd_t)
|
||||
auth_append_login_records(ftpd_t)
|
||||
#kerberized ftp requires the following
|
||||
auth_write_login_records(ftpd_t)
|
||||
auth_append_faillog(ftpd_t)
|
||||
|
||||
init_use_fds(ftpd_t)
|
||||
init_use_script_ptys(ftpd_t)
|
||||
@ -173,6 +176,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
||||
fs_manage_nfs_files(ftpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_ftpd_full_access',`
|
||||
allow ftpd_t self:capability { dac_override dac_read_search };
|
||||
auth_manage_all_files_except_shadow(ftpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`ftp_home_dir',`
|
||||
allow ftpd_t self:capability { dac_override dac_read_search };
|
||||
|
||||
|
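Review bot: The new `tunable_policy(`allow_ftpd_full_access',` block gives a network-facing daemon near-unconfined filesystem access (`auth_manage_all_files_except_shadow(ftpd_t)` plus `dac_override dac_read_search`), yet the hunk carries no `gen_tunable` declaration or description for it; if the declaration is not in the part of ftp.te outside this view the module will not build, and either way its description should spell out that it bypasses both DAC and type enforcement for everything but shadow. Above it, `corenet_tcp_bind_all_unreserved_ports(ftpd_t)` is a silent widening (presumably for passive-mode data connections) that deserves a `# passive mode data connections` comment. `auth_write_login_records(ftpd_t)` under `#kerberized ftp requires the following` moves ftpd from appending to arbitrarily writing the login records, so a compromised ftpd could rewrite login history — worth confirming that append really is insufficient for the kerberized build.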
@ -18,6 +18,43 @@ interface(`hal_domtrans',`
|
||||
domtrans_pattern($1,hald_exec_t,hald_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to use file descriptors from hal.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_dontaudit_use_fds',`
|
||||
gen_require(`
|
||||
type hald_t;
|
||||
')
|
||||
|
||||
dontaudit $1 hald_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and write to
|
||||
## hald unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_dontaudit_rw_pipes',`
|
||||
gen_require(`
|
||||
type hald_t;
|
||||
')
|
||||
|
||||
dontaudit $1 hald_t:fifo_file rw_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send to hal over a unix domain
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.5.0)
|
||||
policy_module(hal,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inetd,1.2.0)
|
||||
policy_module(inetd,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37,10 +37,11 @@ files_pid_file(inetd_child_var_run_t)
|
||||
|
||||
allow inetd_t self:capability { setuid setgid };
|
||||
dontaudit inetd_t self:capability sys_tty_config;
|
||||
allow inetd_t self:process setsched;
|
||||
allow inetd_t self:process { setsched setexec };
|
||||
allow inetd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow inetd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow inetd_t self:udp_socket create_socket_perms;
|
||||
allow inetd_t self:fd use;
|
||||
|
||||
allow inetd_t inetd_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(inetd_t,inetd_log_t,file)
|
||||
@ -55,6 +56,8 @@ files_pid_filetrans(inetd_t,inetd_var_run_t,file)
|
||||
kernel_read_kernel_sysctls(inetd_t)
|
||||
kernel_list_proc(inetd_t)
|
||||
kernel_read_proc_symlinks(inetd_t)
|
||||
kernel_read_system_state(inetd_t)
|
||||
kernel_tcp_recvfrom_unlabeled(inetd_t)
|
||||
|
||||
# base networking:
|
||||
corenet_non_ipsec_sendrecv(inetd_t)
|
||||
@ -88,6 +91,7 @@ corenet_udp_bind_rsync_port(inetd_t)
|
||||
corenet_tcp_bind_swat_port(inetd_t)
|
||||
corenet_udp_bind_swat_port(inetd_t)
|
||||
corenet_udp_bind_tftp_port(inetd_t)
|
||||
corenet_tcp_bind_ssh_port(inetd_t)
|
||||
|
||||
# service port packets:
|
||||
corenet_sendrecv_amanda_server_packets(inetd_t)
|
||||
@ -109,6 +113,9 @@ dev_read_sysfs(inetd_t)
|
||||
fs_getattr_all_fs(inetd_t)
|
||||
fs_search_auto_mountpoints(inetd_t)
|
||||
|
||||
selinux_validate_context(inetd_t)
|
||||
selinux_compute_create_context(inetd_t)
|
||||
|
||||
term_dontaudit_use_console(inetd_t)
|
||||
|
||||
# Run other daemons in the inetd_child_t domain.
|
||||
@ -129,11 +136,23 @@ logging_send_syslog_msg(inetd_t)
|
||||
|
||||
miscfiles_read_localization(inetd_t)
|
||||
|
||||
# xinetd needs MLS override privileges to work
|
||||
mls_fd_use_all_levels(inetd_t)
|
||||
mls_fd_share_all_levels(inetd_t)
|
||||
mls_socket_read_to_clearance(inetd_t)
|
||||
mls_process_set_level(inetd_t)
|
||||
mls_socket_read_to_clearance(inetd_t)
|
||||
|
||||
sysnet_read_config(inetd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
corenet_tcp_recv_netlabel(inetd_t)
|
||||
corenet_udp_recv_netlabel(inetd_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(inetd_t)
|
||||
term_dontaudit_use_generic_ptys(inetd_t)
|
||||
@ -209,10 +228,8 @@ miscfiles_read_localization(inetd_child_t)
|
||||
|
||||
sysnet_read_config(inetd_child_t)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
tunable_policy(`run_ssh_inetd',`
|
||||
corenet_tcp_bind_ssh_port(inetd_t)
|
||||
')
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(inetd_child_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
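Review bot: `corenet_tcp_bind_ssh_port(inetd_t)` is now granted unconditionally in the port list, while the `ifdef(`strict_policy',` / `tunable_policy(`run_ssh_inetd',` guard around the same call is removed in the bottom hunk, so the tunable no longer controls whether inetd may take port 22; if `run_ssh_inetd` is still declared it is now dead, and if the intent was to keep that control the bind belongs back under the tunable. The MLS block ends up with `mls_socket_read_to_clearance(inetd_t)` listed twice, before and after `mls_process_set_level(inetd_t)`, which the compiler tolerates but looks like a merge leftover — drop one. The bottom hunk also shows `unconfined_domain(inetd_child_t)` under `ifdef(`targeted_policy',`; the rendering drops the +/- markers, so if that line is new rather than context it means every service spawned through inetd runs unconfined on targeted policy and should be called out in the changelog.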
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(irqbalance,1.0.0)
|
||||
policy_module(irqbalance,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,12 +18,16 @@ files_pid_file(irqbalance_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow irqbalance_t self:capability net_admin;
|
||||
allow irqbalance_t self:udp_socket create_socket_perms;
|
||||
|
||||
dontaudit irqbalance_t self:capability sys_tty_config;
|
||||
allow irqbalance_t self:process signal_perms;
|
||||
|
||||
manage_files_pattern(irqbalance_t,irqbalance_var_run_t,irqbalance_var_run_t)
|
||||
files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
|
||||
|
||||
kernel_read_network_state(irqbalance_t)
|
||||
kernel_read_system_state(irqbalance_t)
|
||||
kernel_read_kernel_sysctls(irqbalance_t)
|
||||
kernel_rw_irq_sysctls(irqbalance_t)
|
||||
|
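Review bot: `allow irqbalance_t self:capability net_admin;` and the new `self:udp_socket create_socket_perms;` arrive without a comment on what irqbalance does with them, and net_admin is one of the broadest capabilities (interface and routing configuration among others). If the reason is the interface ioctls irqbalance issues through a throwaway socket to classify NIC interrupts (my guess, not visible here), record it: `# net_admin + udp socket: interface ioctls used to classify network IRQs -- TODO confirm`. If a narrower corenet/sysnet interface covers that ioctl use, prefer it over the raw capability.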
@ -40,7 +40,8 @@ interface(`kerberos_use',`
|
||||
files_search_etc($1)
|
||||
allow $1 krb5_conf_t:file { getattr read };
|
||||
dontaudit $1 krb5_conf_t:file write;
|
||||
dontaudit $1 krb5kdc_conf_t:dir r_dir_perms;
|
||||
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
|
||||
dontaudit $1 krb5kdc_conf_t:file read_file_perms;
|
||||
|
||||
tunable_policy(`allow_kerberos',`
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
@ -63,6 +64,12 @@ interface(`kerberos_use',`
|
||||
sysnet_read_config($1)
|
||||
sysnet_dns_name_resolve($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`allow_kerberos',`
|
||||
pcscd_stream_connect($1)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
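Review bot: `pcscd_stream_connect($1)` is added inside `kerberos_use`, so every domain calling that interface — i.e. any Kerberos client — can now connect to the smart card daemon whenever `allow_kerberos` is on, although presumably only smart-card (PKINIT-style) logins need it. A comment naming the use case would help, and a separate interface or tunable (say `kerberos_use_pcscd`) would keep ordinary Kerberos clients away from pcscd. The `r_dir_perms` to `list_dir_perms` change on the krb5kdc_conf_t dontaudit is fine; the interface continues outside the hunk.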
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kerberos,1.3.0)
|
||||
policy_module(kerberos,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,4 +1,7 @@
|
||||
|
||||
/usr/bin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
||||
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
||||
|
||||
/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
||||
/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
||||
|
||||
/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ktalk,1.3.0)
|
||||
policy_module(ktalk,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -77,6 +77,11 @@ miscfiles_read_localization(ktalkd_t)
|
||||
|
||||
sysnet_read_config(ktalkd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(ktalkd_t)
|
||||
term_dontaudit_use_unallocated_ttys(ktalkd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(ktalkd_t)
|
||||
')
|
||||
|
@ -64,31 +64,33 @@ template(`lpd_per_role_template',`
|
||||
allow $1_lpr_t self:udp_socket create_socket_perms;
|
||||
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# lpr can run in lightweight mode, without a local print spooler.
|
||||
allow $1_lpr_t lpd_var_run_t:dir search;
|
||||
allow $1_lpr_t lpd_var_run_t:sock_file write;
|
||||
files_read_var_files($1_lpr_t)
|
||||
|
||||
# Connect to lpd via a Unix domain socket.
|
||||
allow $1_lpr_t printer_t:sock_file rw_file_perms;
|
||||
allow $1_lpr_t lpd_t:unix_stream_socket connectto;
|
||||
# Send SIGHUP to lpd.
|
||||
allow $1_lpr_t lpd_t:process signal;
|
||||
|
||||
can_exec($1_lpr_t,lpr_exec_t)
|
||||
|
||||
manage_dirs_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
|
||||
manage_files_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
|
||||
files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
|
||||
tunable_policy(`use_lpd_server',`
|
||||
# lpr can run in lightweight mode, without a local print spooler.
|
||||
allow $1_lpr_t lpd_var_run_t:dir search;
|
||||
allow $1_lpr_t lpd_var_run_t:sock_file write;
|
||||
files_read_var_files($1_lpr_t)
|
||||
|
||||
manage_files_pattern($1_lpr_t,print_spool_t,$1_print_spool_t)
|
||||
filetrans_pattern($1_lpr_t,print_spool_t,$1_print_spool_t,file)
|
||||
# Read and write shared files in the spool directory.
|
||||
allow $1_lpr_t print_spool_t:file rw_file_perms;
|
||||
# Connect to lpd via a Unix domain socket.
|
||||
allow $1_lpr_t printer_t:sock_file rw_sock_file_perms;
|
||||
allow $1_lpr_t lpd_t:unix_stream_socket connectto;
|
||||
# Send SIGHUP to lpd.
|
||||
allow $1_lpr_t lpd_t:process signal;
|
||||
|
||||
allow $1_lpr_t printconf_t:dir list_dir_perms;
|
||||
read_files_pattern($1_lpr_t,printconf_t,printconf_t)
|
||||
read_lnk_files_pattern($1_lpr_t,printconf_t,printconf_t)
|
||||
manage_dirs_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
|
||||
manage_files_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
|
||||
files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern($1_lpr_t,print_spool_t,$1_print_spool_t)
|
||||
filetrans_pattern($1_lpr_t,print_spool_t,$1_print_spool_t,file)
|
||||
# Read and write shared files in the spool directory.
|
||||
allow $1_lpr_t print_spool_t:file rw_file_perms;
|
||||
|
||||
allow $1_lpr_t printconf_t:dir list_dir_perms;
|
||||
read_files_pattern($1_lpr_t,printconf_t,printconf_t)
|
||||
read_lnk_files_pattern($1_lpr_t,printconf_t,printconf_t)
|
||||
')
|
||||
|
||||
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
|
||||
|
||||
@ -215,10 +217,14 @@ template(`lpd_per_role_template',`
|
||||
template(`lpr_admin_template',`
|
||||
gen_require(`
|
||||
type $1_lpr_t;
|
||||
type print_spool_t;
|
||||
')
|
||||
|
||||
userdom_read_all_users_home_content_files($1_lpr_t)
|
||||
|
||||
# Read and write shared files in the spool directory.
|
||||
allow $1_lpr_t print_spool_t:file rw_file_perms;
|
||||
|
||||
# Allow per user lpr domain read acces for specific user.
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
userdom_read_all_untrusted_content($1_lpr_t)
|
||||
|
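Review bot: All of `$1_lpr_t`'s access to the lpd socket, spool and printconf is now wrapped in `tunable_policy(`use_lpd_server',`, but no `gen_tunable(use_lpd_server, ...)` declaration appears anywhere in this diff (the lpd.te section shows only a version bump); if it is not declared in a part of lpd.te outside this view the module will not build, and its description should say that with the boolean off lpr is limited to the lightweight mode the in-file comment describes. The `rw_file_perms` to `rw_sock_file_perms` correction on `printer_t:sock_file` is right. Note that `lpr_admin_template` now grants `allow $1_lpr_t print_spool_t:file rw_file_perms;` outside the tunable, so admin lpr domains keep spool access regardless of the boolean — that asymmetry deserves a comment where the rule is added.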
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lpd,1.4.0)
|
||||
policy_module(lpd,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -40,6 +40,11 @@ interface(`mta_stub',`
|
||||
#
|
||||
template(`mta_base_mail_template',`
|
||||
|
||||
gen_require(`
|
||||
attribute user_mail_domain;
|
||||
type sendmail_exec_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# $1_mail_t declarations
|
||||
@ -174,6 +179,10 @@ template(`mta_base_mail_template',`
|
||||
## </param>
|
||||
#
|
||||
template(`mta_per_role_template',`
|
||||
gen_require(`
|
||||
attribute mta_user_agent;
|
||||
attribute mailserver_delivery;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mta,1.5.0)
|
||||
policy_module(mta,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -58,6 +58,7 @@ dev_read_urand(system_mail_t)
|
||||
init_use_script_ptys(system_mail_t)
|
||||
|
||||
userdom_use_sysadm_terms(system_mail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
typealias system_mail_t alias sysadm_mail_t;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager,1.5.0)
|
||||
policy_module(networkmanager,1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119,6 +119,8 @@ ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(NetworkManager_t)
|
||||
term_dontaudit_use_generic_ptys(NetworkManager_t)
|
||||
files_dontaudit_read_root_files(NetworkManager_t)
|
||||
# Read gnome-keyring
|
||||
userdom_read_generic_user_home_content_files(NetworkManager_t)
|
||||
|
||||
optional_policy(`
|
||||
unconfined_rw_pipes(NetworkManager_t)
|
||||
|
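Review bot: `userdom_read_generic_user_home_content_files(NetworkManager_t)` with `# Read gnome-keyring` lets a system daemon read every generic-labelled file in every user's home directory, far more than the keyring it is after; if the keyring has no type of its own there may be no narrower interface today, but the comment should acknowledge the breadth so it gets narrowed later, e.g. `# Read gnome-keyring; this also exposes every other generic home file -- narrow once the keyring has its own type`. It sits inside `ifdef(`targeted_policy',`, so strict policy will not get it, which looks intended.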
@ -6,7 +6,7 @@
|
||||
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
||||
|
||||
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
|
||||
/usr/sbin/rpc\.ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
||||
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
||||
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
|
||||
|
||||
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
|
||||
|
@ -50,12 +50,12 @@ interface(`nis_use_ypbind_uncond',`
|
||||
corenet_udp_bind_generic_port($1)
|
||||
corenet_tcp_bind_reserved_port($1)
|
||||
corenet_udp_bind_reserved_port($1)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports($1)
|
||||
corenet_dontaudit_tcp_bind_all_ports($1)
|
||||
corenet_dontaudit_udp_bind_all_ports($1)
|
||||
corenet_tcp_connect_portmap_port($1)
|
||||
corenet_tcp_connect_reserved_port($1)
|
||||
corenet_tcp_connect_generic_port($1)
|
||||
corenet_dontaudit_tcp_connect_all_reserved_ports($1)
|
||||
corenet_dontaudit_tcp_connect_all_ports($1)
|
||||
corenet_sendrecv_portmap_client_packets($1)
|
||||
corenet_sendrecv_generic_client_packets($1)
|
||||
corenet_sendrecv_generic_server_packets($1)
|
||||
@ -81,8 +81,6 @@ interface(`nis_use_ypbind',`
|
||||
|
||||
tunable_policy(`allow_ypbind',`
|
||||
nis_use_ypbind_uncond($1)
|
||||
',`
|
||||
dontaudit $1 var_yp_t:dir search;
|
||||
')
|
||||
')
|
||||
|
||||
|
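Review bot: In `nis_use_ypbind_uncond` the dontaudit lines are widened from `*_all_reserved_ports` to `corenet_dontaudit_tcp_bind_all_ports` / `corenet_dontaudit_udp_bind_all_ports` / `corenet_dontaudit_tcp_connect_all_ports`, and in `nis_use_ypbind` the else branch `dontaudit $1 var_yp_t:dir search;` is dropped. Since nearly every domain calls nis_use_ypbind, the first change silences bind/connect denials on any port system-wide, including attempts unrelated to NIS, and the second means systems with `allow_ypbind` off will start logging var_yp_t search denials from all of them; both deserve a sentence in the changelog, and the widening should stay at reserved ports unless a concrete unreserved-port denial was seen.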
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nis,1.3.0)
|
||||
policy_module(nis,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -285,6 +285,7 @@ corecmd_exec_bin(ypserv_t)
|
||||
domain_use_interactive_fds(ypserv_t)
|
||||
|
||||
files_read_var_files(ypserv_t)
|
||||
files_read_etc_files(ypserv_t)
|
||||
|
||||
init_use_fds(ypserv_t)
|
||||
init_use_script_ptys(ypserv_t)
|
||||
@ -324,6 +325,10 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ypxfr_t self:tcp_socket connected_socket_perms;
|
||||
allow ypxfr_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
|
||||
|
||||
allow ypxfr_t ypserv_t:tcp_socket { read write };
|
||||
allow ypxfr_t ypserv_t:udp_socket { read write };
|
||||
@ -352,3 +357,5 @@ files_search_usr(ypxfr_t)
|
||||
|
||||
libs_use_shared_libs(ypxfr_t)
|
||||
libs_use_ld_so(ypxfr_t)
|
||||
|
||||
sysnet_read_config(ypxfr_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nscd,1.3.0)
|
||||
policy_module(nscd,1.3.1)
|
||||
|
||||
gen_require(`
|
||||
class nscd all_nscd_perms;
|
||||
@ -35,7 +35,6 @@ allow nscd_t self:fifo_file { read write };
|
||||
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow nscd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow nscd_t self:netlink_selinux_socket create_socket_perms;
|
||||
allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow nscd_t self:tcp_socket create_socket_perms;
|
||||
allow nscd_t self:udp_socket create_socket_perms;
|
||||
@ -66,6 +65,7 @@ term_dontaudit_use_console(nscd_t)
|
||||
|
||||
# for when /etc/passwd has just been updated and has the wrong type
|
||||
auth_getattr_shadow(nscd_t)
|
||||
auth_use_nsswitch(nscd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(nscd_t)
|
||||
corenet_tcp_sendrecv_all_if(nscd_t)
|
||||
@ -99,14 +99,12 @@ libs_use_shared_libs(nscd_t)
|
||||
|
||||
logging_send_syslog_msg(nscd_t)
|
||||
|
||||
miscfiles_read_certs(nscd_t)
|
||||
miscfiles_read_localization(nscd_t)
|
||||
|
||||
seutil_read_config(nscd_t)
|
||||
seutil_read_default_contexts(nscd_t)
|
||||
seutil_sigchld_newrole(nscd_t)
|
||||
|
||||
sysnet_dns_name_resolve(nscd_t)
|
||||
sysnet_read_config(nscd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
||||
@ -121,14 +119,6 @@ ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_files(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(nscd_t)
|
||||
')
|
||||
|
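Review bot: `auth_use_nsswitch(nscd_t)` replacing the explicit `nis_use_ypbind` and `samba_stream_connect_winbind` optional blocks is a sound consolidation, but the separately removed `allow nscd_t self:netlink_selinux_socket create_socket_perms;` is not something nsswitch provides: an nscd built with SELinux support keeps an AVC that receives policy-change notifications over that socket (my understanding — verify against the nscd build), so dropping it may silently stop those notifications. If it was removed because another interface now grants it, a comment saying so would help. The middle hunk removes two lines among the seutil_*/sysnet_* calls whose identity the rendering hides; if `seutil_read_config`/`seutil_read_default_contexts` are the ones gone, the same SELinux-aware nscd path is affected.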
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(openvpn,1.1.0)
|
||||
policy_module(openvpn,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,11 +28,11 @@ files_pid_file(openvpn_var_run_t)
|
||||
# openvpn local policy
|
||||
#
|
||||
|
||||
allow openvpn_t self:capability { net_admin setgid setuid sys_tty_config };
|
||||
allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
|
||||
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow openvpn_t self:udp_socket create_socket_perms;
|
||||
allow openvpn_t self:tcp_socket create_socket_perms;
|
||||
allow openvpn_t self:tcp_socket server_stream_socket_perms;
|
||||
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
|
||||
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
|
||||
|
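Review bot: `net_bind_service` and `self:tcp_socket server_stream_socket_perms` turn openvpn_t into a listening TCP server, but the hunk shows no matching bind-port interface (e.g. a `corenet_tcp_bind_openvpn_port`); if the bind rule sits outside the hunk, fine, otherwise the listen/accept grant is inert. A comment such as `# TCP server mode (--proto tcp-server)` next to the new line would record why a daemon that is UDP by default needs these.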
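--- /dev/null
+++ b/policy/modules/services/pcscd.fc
@@ -0,0 +1,5 @@
+/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+
+/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)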
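--- /dev/null
+++ b/policy/modules/services/pcscd.if
@@ -0,0 +1,58 @@
+## <summary>PCSC smart card service</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pcscd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcscd_domtrans',`
+gen_require(`
+type pcscd_t, pcscd_exec_t;
+')
+
+domtrans_pattern($1,pcscd_exec_t,pcscd_t)
+')
+
+########################################
+## <summary>
+## Read pcscd pub files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_read_pub_files',`
+gen_require(`
+type pcscd_var_run_t;
+')
+
+files_search_pids($1)
+allow $1 pcscd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to pcscd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pcscd_stream_connect',`
+gen_require(`
+type pcscd_t, pcscd_var_run_t;
+')
+
+files_search_pids($1)
+allow $1 pcscd_var_run_t:sock_file write;
+allow $1 pcscd_t:unix_stream_socket connectto;
+')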
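--- /dev/null
+++ b/policy/modules/services/pcscd.te
@@ -0,0 +1,69 @@
+
+policy_module(pcscd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pcscd_t;
+type pcscd_exec_t;
+domain_type(pcscd_t)
+init_daemon_domain(pcscd_t, pcscd_exec_t)
+
+# pid files
+type pcscd_var_run_t;
+files_pid_file(pcscd_var_run_t)
+
+########################################
+#
+# pcscd local policy
+#
+
+allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:fifo_file { read write };
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
+manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
+files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file })
+
+corenet_tcp_sendrecv_all_if(pcscd_t)
+corenet_tcp_sendrecv_all_nodes(pcscd_t)
+corenet_tcp_sendrecv_all_ports(pcscd_t)
+corenet_non_ipsec_sendrecv(pcscd_t)
+corenet_tcp_connect_http_port(pcscd_t)
+
+dev_rw_generic_usb_dev(pcscd_t)
+dev_rw_usbfs(pcscd_t)
+dev_search_sysfs(pcscd_t)
+
+files_read_etc_files(pcscd_t)
+files_read_etc_runtime_files(pcscd_t)
+
+term_dontaudit_getattr_pty_dirs(pcscd_t)
+
+init_dontaudit_use_fds(pcscd_t)
+
+libs_use_ld_so(pcscd_t)
+libs_use_shared_libs(pcscd_t)
+
+locallogin_use_fds(pcscd_t)
+
+logging_send_syslog_msg(pcscd_t)
+
+miscfiles_read_localization(pcscd_t)
+
+sysnet_dns_name_resolve(pcscd_t)
+
+ifdef(`targeted_policy',`
+term_dontaudit_use_generic_ptys(pcscd_t)
+term_dontaudit_use_unallocated_ttys(pcscd_t)
+term_dontaudit_use_console(pcscd_t)
+')
+
+optional_policy(`
+rpm_use_script_fds(pcscd_t)
+')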
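Review bot: The local policy gives pcscd_t TCP send/receive on all interfaces, nodes and ports plus `corenet_tcp_connect_http_port(pcscd_t)` and `self:tcp_socket create_stream_socket_perms`, none of it commented; a local smart card daemon opening HTTP connections to the network is unexpected and is exactly the channel a reader of this policy will want justified (presumably some reader driver fetches something, but the file does not say). Likewise `dac_override dac_read_search` at the top of the local policy should name which files pcscd needs past DAC (reader device nodes owned by another user?). Suggest `# TODO: document why pcscd needs HTTP and all-port TCP; drop, or gate behind a tunable, if only USB readers are in use` above the corenet block, and the same one-line reason on the capability line.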