diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide
index 871d4dc4..3376e2ac 100644
--- a/docs/macro_conversion_guide
+++ b/docs/macro_conversion_guide
@@ -31,7 +31,7 @@ auth_domtrans_chk_passwd($1)
 # daemon: complete
 #
 optional_policy(`nscd',`
-	nscd_use_socket($1)
+	nscd_socket_use($1)
 ')
 
 #
@@ -44,6 +44,11 @@ domain_type($1)
 #
 # handled by appropriate interfaces
 
+#
+# exec_type: complete
+#
+corecmd_executable_file($1)
+
 #
 # file_type: complete
 #
@@ -119,19 +124,19 @@ optional_policy(`arpwatch',`
 		dontaudit mta_user_agent arpwatch_t:packet_socket { read write };
 	')
 ')
-optional_policy(`cron',`
+optional_policy(`
 	cron_sigchld($1)
 	cron_read_system_job_tmp_files($1)
 ')
-optional_policy(`logrotate',`
+optional_policy(`
 	logrotate_read_tmp_files($1)
 ')
 
 #
 # nscd_client_domain: complete
 #
-optional_policy(`nscd',`
-	nscd_use_socket($1)
+optional_policy(`
+	nscd_socket_use($1)
 ')
 
 #
@@ -142,9 +147,7 @@ domain_interactive_fd($1)
 #
 # privlog: complete
 #
-optional_policy(`logging',`
-	logging_send_syslog_msg($1)
-')
+logging_send_syslog_msg($1)
 
 #
 # privmail: complete
@@ -367,9 +370,7 @@ term_create_pty($1_t,$1_devpts_t)
 #
 # can_exec_any(): complete
 #
-corecmd_exec_bin($1)
-corecmd_exec_sbin($1)
-domain_exec_all_entry_files($1)
+corecmd_exec_all_executables($1)
 files_exec_etc_files($1)
 libs_use_ld_so($1)
 libs_use_shared_libs($1)
@@ -643,11 +644,6 @@ sysnet_read_config($1)
 allow $1 $2:dir { search getattr read };
 allow $1 $2:{ file lnk_file } { read getattr };
 allow $1 $2:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6). Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 $2:process ptrace;
 
 #
 # can_ptrace(): 
@@ -787,24 +783,24 @@ kernel_list_proc($1_t)
 kernel_read_proc_symlinks($1_t)
 kernel_read_kernel_sysctls($1_t)
 dev_read_sysfs($1_t)
+domain_use_interactive_fds($1_t)
 fs_search_auto_mountpoints($1_t)
 term_dontaudit_use_console($1_t)
-domain_use_interactive_fds($1_t)
 init_use_fds($1_t)
-init_use_script_pty($1_t)
+init_use_script_ptys($1_t)
 libs_use_ld_so($1_t)
 libs_use_shared_libs($1_t)
 logging_send_syslog_msg($1_t)
 userdom_dontaudit_use_unpriv_user_fds($1_t)
 ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_tty($1_t)
-	term_dontaudit_use_generic_pty($1_t)
+	term_dontaudit_use_unallocated_ttys($1_t)
+	term_dontaudit_use_generic_ptys($1_t)
 	files_dontaudit_read_root_files($1_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 	seutil_sigchld_newrole($1_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 	udev_read_db($1_t)
 ')
 
@@ -820,32 +816,32 @@ dontaudit $1_t self:capability sys_tty_config;
 allow $1_t self:process signal_perms;
 allow $1_t $1_var_run_t:file create_file_perms;
 allow $1_t $1_var_run_t:dir rw_dir_perms;
-files_pid_filetrans($1_t,$1_var_run_t)
+files_pid_filetrans($1_t,$1_var_run_t,file)
 kernel_read_kernel_sysctls($1_t)
 kernel_list_proc($1_t)
 kernel_read_proc_symlinks($1_t)
 dev_read_sysfs($1_t)
+domain_use_interactive_fds($1_t)
 fs_getattr_all_fs($1_t)
 fs_search_auto_mountpoints($1_t)
 term_dontaudit_use_console($1_t)
-domain_use_interactive_fds($1_t)
 init_use_fds($1_t)
-init_use_script_pty($1_t)
+init_use_script_ptys($1_t)
 libs_use_ld_so($1_t)
 libs_use_shared_libs($1_t)
 logging_send_syslog_msg($1_t)
 miscfiles_read_localization($1_t)
 userdom_dontaudit_use_unpriv_user_fds($1_t)
 userdom_dontaudit_search_sysadm_home_dirs($1_t)
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_tty($1_t)
-	term_dontaudit_use_generic_pty($1_t)
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys($1_t)
+	term_dontaudit_use_generic_ptys($1_t)
 	files_dontaudit_read_root_files($1_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 	seutil_sigchld_newrole($1_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 	udev_read_db($1_t)
 ')
 
@@ -1044,7 +1040,7 @@ optional_policy(`nis',`
 	nis_use_ypbind($1_t)
 ')
 optional_policy(`nscd',`
-	nscd_use_socket($1_t)
+	nscd_socket_use($1_t)
 ')
 
 #
@@ -1060,7 +1056,7 @@ libs_legacy_use_ld_so($1_t)
 type $1_lock_t;
 files_lock_file($1_lock_t)
 allow $1_t $1_lock_t:file create_file_perms;
-files_lock_filetrans($1_t,$1_lock_t)
+files_lock_filetrans($1_t,$1_lock_t,file)
 
 #
 # log_domain(): complete
@@ -1068,7 +1064,7 @@ files_lock_filetrans($1_t,$1_lock_t)
 type $1_log_t;
 logging_log_file($1_log_t)
 allow $1_t $1_log_t:file create_file_perms;
-logging_log_filetrans($1_t,$1_log_t)
+logging_log_filetrans($1_t,$1_log_t,file)
 
 #
 # logdir_domain(): complete
@@ -1230,7 +1226,7 @@ type $1_var_lib_t;
 files_type($1_var_lib_t)
 allow $1_t $1_var_lib_t:file create_file_perms;
 allow $1_t $1_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans($1_t,$1_var_lib_t)
+files_var_lib_filetrans($1_t,$1_var_lib_t,file)
 
 #
 # var_run_domain($1): complete
@@ -1239,7 +1235,7 @@ type $1_var_run_t;
 files_pid_file($1_var_run_t)
 allow $1_t $1_var_run_t:file create_file_perms;
 allow $1_t $1_var_run_t:dir rw_dir_perms;
-files_pid_filetrans($1_t,$1_var_run_t)
+files_pid_filetrans($1_t,$1_var_run_t,file)
 
 #
 # var_run_domain($1,$2): complete
diff --git a/mls/COPYING b/mls/COPYING
deleted file mode 100644
index 5b6e7c66..00000000
--- a/mls/COPYING
+++ /dev/null
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/mls/ChangeLog b/mls/ChangeLog
deleted file mode 100644
index a2f029b0..00000000
--- a/mls/ChangeLog
+++ /dev/null
@@ -1,434 +0,0 @@ -1.27.3 2005-11-17 - * Removed the seuser policy as suggested by Kevin Carr. - * Removed unnecessary allow rule concerning tmpfs_t in the squid - policy as suggested by Russell Coker. - * Merged a patch from Jonathan Kim which modified the restorecon policy - to use the secadmin attribute. - * Merged a patch from Dan Walsh. Added avahi, exim, and yppasswdd - policies. Added the unconfinedtrans attribute for domains that - can transistion to unconfined_t. Added httpd_enable_ftp_server, - allow_postgresql_use_pam, pppd_can_insmod, and allow_gssd_read_tmp - booleans. Created a $1_disable_trans boolean used in the - init_service_domain macro to specify whether init should - transition to a new domain when executing. Included Chad Hanson's - patch which adds the mls* attributes to more domains and makes - other changes to support MLS. Included Russell Coker's patch - which makes many changes to the sendmail policy. Added rules to - allow initscripts to execute scripts that they generate. Added - dbus support to the named policy. Made other fixes and cleanups - to various policies including amanda, apache, bluetooth, pegasus, - postfix, pppd, and slapd. Removed sendmail policy from targeted. -1.27.2 2005-10-20 - * Merged patch from Chad Hanson. Modified MLS constraints. - Provided comments for the MLS attributes. - * Merged two patches from Thomas Bleher which made some minor - fixes and cleanups. - * Merged patches from Russell Coker. Added comments to some of the - MLS attributes. Added the secure_mode_insmod boolean to determine - whether the system permits loading policy, setting enforcing mode, - and changing boolean values. Made minor fixes for the cdrecord_domain - macro, application_domain, newrole_domain, and daemon_base_domain - macros. Added rules to allow the mail server to access the user - home directories in the targeted policy and allows the postfix - showq program to do DNS lookups. Minor fixes for the MCS - policy. 
Made other minor fixes and cleanups. - * Merged patch from Dan Walsh. Added opencd, pegasus, readahead, - and roundup policies. Created can_access_pty macro to handle pty - output. Created nsswithch_domain macro for domains using - nsswitch. Added mcs transition rules. Removed mqueue and added - capifs genfscon entries. Added dhcpd and pegasus ports. Added - domain transitions from login domains to pam_console and alsa - domains. Added rules to allow the httpd and squid domains to - relay more protocols. For the targeted policy, removed sysadm_r - role from unconfined_t. Made other fixes and cleanups. -1.27.1 2005-09-15 - * Merged small patches from Russell Coker for the apostrophe, - dhcpc, fsadm, and setfiles policy. - * Merged a patch from Russell Coker with some minor fixes to a - multitude of policy files. - * Merged patch from Dan Walsh from August 15th. Adds certwatch - policy. Adds mcs support to Makefile. Adds mcs file which - defines sensitivities and categories for the MSC policy. Creates - an authentication_domain macro in global_macros.te for domains - that use pam_authentication. Creates the anonymous_domain macro - so that the ftpd, rsync, httpd, and smbd domains can share the - ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to - start isolating individual ethernet devices. Changes vpnc from a - daemon to an application_domain. Adds audit_control capability to - crond_t. Adds dac_override and dac_read_search capabilities to - fsadm_t to allow the manipulation of removable media. Adds - read_sysctl macro to the base_passwd_domain macro. Adds rules to - allow alsa_t to communicate with userspace. Allows networkmanager - to communicate with isakmp_port and to use vpnc. For targeted - policy, removes transitions of sysadm_t to apm_t, backup_t, - bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t. - Makes other minor cleanups and fixes. - -1.26 2005-09-06 - * Updated version for release. 
- -1.25.4 2005-08-10 - * Merged small patches from Russell Coker for the restorecon, - kudzu, lvm, radvd, and spamassasin policies. - * Added fs_use_trans rule for mqueue from Mark Gebhart to support - the work he has done on providing SELinux support for mqueue. - * Merged a patch from Dan Walsh. Removes the user_can_mount - tunable. Adds disable_evolution_trans and disable_thunderbird_trans - booleans. Adds the nscd_client_domain attribute to insmod_t. - Removes the user_ping boolean from targeted policy. Adds - hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts. - Adds the isakmp_port for vpnc. Creates the pptp daemon domain. - Allows getty to run sbin_t for pppd. Allows initrc to write to - default_t for booting. Allows Hotplug_t sys_rawio for prism54 - card at boot. Other minor fixes. - -1.25.3 2005-07-18 - * Merged patch from Dan Walsh. Adds auth_bool attribute to allow - domains to have read access to shadow_t. Creates pppd_can_insmod - boolean to control the loading of modem kernel modules. Allows - nfs to export noexattrfile types. Allows unix_chpwd to access - cert files and random devices for encryption purposes. Other - minor cleanups and fixes. - -1.25.2 2005-07-11 - * Merged patch from Dan Walsh. Added allow_ptrace boolean to - allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the - audit_control and audit_write capabilities. Stops targeted policy - from transitioning from unconfined_t to netutils. Allows cupsd to - audit messages. Gives prelink the execheap, execmem, and execstack - permissions by default. Adds can_winbind boolean and functions to - better handle samba and winbind communications. Eliminates - allow_execmod checks around texrel_shlib_t libraries. Other minor - cleanups and fixes. - -1.25.1 2005-07-05 - * Moved role_tty_type_change, reach_sysadm, and priv_user macros - from user.te to user_macros.te as suggested by Steve. 
- * Modified admin_domain macro so autrace would work and removed
- privuser attribute for dhcpc as suggested by Russell Coker.
- * Merged rather large patch from Dan Walsh. Moves
- targeted/strict/mls policies closer together. Adds local.te for
- users to customize. Includes minor fixes to auditd, cups,
- cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch
- that defines all ports in network.te. Ports are always defined
- now, no ifdefs are used in network.te. Also includes Ivan
- Gyurdiev's user home directory policy patches. These patches add
- alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
- iceauth, orbit, and thunderbird policy. They create read_content,
- write_trusted, and write_untrusted macros in content.te. They
- create network_home, write_network_home, read_network_home,
- base_domain_ro_access, home_domain_access, home_domain, and
- home_domain_ro macros in home_macros.te. They also create
- $3_read_content, $3_write_content, and write_untrusted booleans.
-
-1.24 2005-06-20
- * Updated version for release.
-
-1.23.18 2005-05-31
- * Merged minor fixes to pppd.fc and courier.te by Russell Coker.
- * Removed devfsd policy as suggested by Russell Coker.
- * Merged patch from Dan Walsh. Includes beginnings of Ivan
- Gyurdiev's Font Config policy. Don't transition to fsadm_t from
- unconfined_t (sysadm_t) in targeted policy. Add support for
- debugfs in modutil. Allow automount to create and delete
- directories in /root and /home dirs. Move can_ypbind to
- chkpwd_macro.te. Allow useradd to create additional files and
- types via the skell mechanism. Other minor cleanups and fixes.
-
-1.23.17 2005-05-23
- * Merged minor fixes by Petre Rodan to the daemontools, dante,
- gpg, kerberos, and ucspi-tcp policies.
- * Merged minor fixes by Russell Coker to the bluetooth, crond,
- initrc, postfix, and udev policies. Modifies constraints so that
- newaliases can be run. Modifies types.fc so that objects in
- lost+found directories will not be relabled.
- * Modified fc rules for nvidia.
- * Added Chad Sellers policy for polyinstantiation support, which
- creates the polydir, polyparent, and polymember attributes. Also
- added the support_polyinstantiation tunable.
- * Merged patch from Dan Walsh. Includes mount_point attribute,
- read_font macros and some other policy fixes from Ivan Gyurdiev.
- Adds privkmsg and secadmfile attributes and ddcprobe policy.
- Removes the use_syslogng boolean. Many other minor fixes.
-
-1.23.16 2005-05-13
- * Added rdisc policy from Russell Coker.
- * Merged minor fix to named policy by Petre Rodan.
- * Merged minor fixes to policy from Russell Coker for kudzu,
- named, screen, setfiles, telnet, and xdm.
- * Merged minor fix to Makefile from Russell Coker.
-
-1.23.15 2005-05-06
- * Added tripwire and yam policy from David Hampton.
- * Merged minor fixes to amavid and a clarification to the
- httpdcontent attribute comments from David Hampton.
- * Merged patch from Dan Walsh. Includes fixes for restorecon,
- games, and postfix from Russell Coker. Adds support for debugfs.
- Restores support for reiserfs. Allows udev to work with tmpfs_t
- before /dev is labled. Removes transition from sysadm_t
- (unconfined_t) to ifconfig_t for the targeted policy. Other minor
- cleanups and fixes.
-
-1.23.14 2005-04-29
- * Added afs policy from Andrew Reisse.
- * Merged patch from Lorenzo Hernández García-Hierro which defines
- execstack and execheap permissions. The patch excludes these
- permissions from general_domain_access and updates the macros for
- X, legacy binaries, users, and unconfined domains.
- * Added nlmsg_relay permisison where netlink_audit_socket class is
- used. Added nlmsg_readpriv permission to auditd_t and auditctl_t.
- * Merged some minor cleanups from Russell Coker and David Hampton.
- * Merged patch from Dan Walsh. Many changes made to allow
- targeted policy to run closer to strict and now almost all of
- non-userspace is protected via SELinux. Kernel is now in
- unconfined_domain for targeted and runs as root:system_r:kernel_t.
- Added transitionbool to daemon_sub_domain, mainly to turn off
- httpd_suexec transitioning. Implemented web_client_domain
- name_connect rules. Added yp support for cups. Now the real
- hotplug, udev, initial_sid_contexts are used for the targeted
- policy. Other minor cleanups and fixes. Auditd fixes by Paul
- Moore.
-
-1.23.13 2005-04-22
- * Merged more changes from Dan Walsh to initrc_t for removal of
- unconfined_domain.
- * Merged Dan Walsh's split of auditd policy into auditd_t for the
- audit daemon and auditctl_t for the autoctl program.
- * Added use of name_connect to uncond_can_ypbind macro by Dan
- Walsh.
- * Merged other cleanup and fixes by Dan Walsh.
-
-1.23.12 2005-04-20
- * Merged Dan Walsh's Netlink changes to handle new auditing pam
- modules.
- * Merged Dan Walsh's patch removing the sysadmfile attribute from
- policy files to separate sysadm_t from secadm_t.
- * Added CVS and uucpd policy from Dan Walsh.
- * Cleanup by Dan Walsh to handle turning off unlimitedRC.
- * Merged Russell Coker's fixes to ntpd, postgrey, and named
- policy.
- * Cleanup of chkpwd_domain and added permissions to su_domain
- macro due to pam changes to support audit.
- * Added nlmsg_relay and nlmsg_readpriv permissions to the
- netlink_audit_socket class.
-
-1.23.11 2005-04-14
- * Merged Dan Walsh's separation of the security manager and system
- administrator.
- * Removed screensaver.te as suggested by Thomas Bleher
- * Cleanup of typealiases that are no longer used by Thomas Bleher.
- * Cleanup of fc files and additional rules for SuSE by Thomas
- Bleher.
- * Merged changes to auditd and named policy by Russell Coker.
- * Merged MLS change from Darrel Goeddel to support the policy
- hierarchy patch.
-
-1.23.10 2005-04-08
- * Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
-
-1.23.9 2005-04-07
- * Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup
- of x_client apps.
- * Added dmidecode policy from Ivan Gyurdiev.
-
-1.23.8 2005-04-05
- * Added netlink_kobject_uevent_socket class.
- * Removed empty files pump.te and pump.fc.
- * Added NetworkManager policy from Dan Walsh.
- * Merged Dan Walsh's major restructuring of Apache's policy.
-
-1.23.7 2005-04-04
- * Merged David Hampton's amavis and clamav cleanups.
- * Added David Hampton's dcc, pyzor, and razor policy.
-
-1.23.6 2005-04-01
- * Merged cleanup of the Makefile and other stuff from Dan Walsh.
- Dan's patch includes some desktop changes from Ivan Gyurdiev.
- * Merged Thomas Bleher's patches which increase the usage of
- lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
- DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
- possible.
- * Merged Greg Norris's cleanup of fetchmail.
-
-1.23.5 2005-03-23
- * Added name_connect support from Dan Walsh.
- * Added httpd_unconfined_t from Dan Walsh.
- * Merged cleanup of assert.te to allow unresticted full access
- from Dan Walsh.
-
-1.23.4 2005-03-21
- * Merged diffs from Dan Walsh:
- * Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan
- Gyurdiev.
- * Added syslogng support to syslog.te.
-
-1.23.3 2005-03-15
- * Added policy for nx_server from Thomas Bleher.
- * Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
- publicfile from Petre Rodan.
-
-1.23.2 2005-03-14
- * Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's
- gift policy.
- * Made sysadm_r the first role for root, so root's home will be labled
- as sysadm_home_dir_t instead of staff_home_dir_t.
- * Modified fs_use and Makefile to reflect jfs now supporting security
- xattrs.
-
-1.23.1 2005-03-10
- * Merged diffs from Dan Walsh. Dan's patch includes Ivan
- Gyurdiev's cleanup of homedir macros and more extensive use of
- read_sysctl()
-
-1.22 2005-03-09
- * Updated version for release.
-
-1.21 2005-02-24
- * Added secure_file_type attribute from Dan Walsh
- * Added access_terminal() macro from Ivan Gyurdiev
- * Updated capability access vector for audit capabilities.
- * Added mlsconvert Makefile target to help generate MLS policies
- (see selinux-doc/README.MLS for instructions).
- * Changed policy Makefile to still generate policy.18 as well,
- and use it for make load if the kernel doesn't support 19.
- * Merged enhanced MLS support from Darrel Goeddel (TCS).
- * Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
- * Merged man pages from Dan Walsh.
-
-1.20 2005-01-04
- * Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
- Petre Rodan.
- * Merged can_create() macro used for file_type_{,auto_}trans()
- from Thomas Bleher.
- * Merged dante and stunnel policy by Petre Rodan.
- * Merged $1_file_type attribute from Thomas Bleher.
- * Merged network_macros from Dan Walsh.
-
-1.18 2004-10-25
- * Merged diffs from Russell Coker and Dan Walsh.
- * Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
- * Added reserved_port_t type and portcon entries to map all other
- reserved ports to this type.
- * Added distro_ prefix to distro tunables to avoid conflicts.
- * Merged diffs from Russell Coker.
-
-1.16 2004-08-16
- * Added nscd definitions.
- * Converted many tunables to policy booleans.
- * Added crontab permission.
- * Merged diffs from Dan Walsh.
- This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
- * Merged diffs from Russell Coker.
- * Adjusted constraints for crond restart.
- * Merged dbus/userspace object manager policy from Colin Walters.
- * Merged dbus definitions from Matthew Rickard.
- * Merged dnsmasq policy from Greg Norris.
- * Merged gpg-agent policy from Thomas Bleher.
-
-1.14 2004-06-28
- * Removed vmware-config.pl from vmware.fc.
- * Added crond entry to root_default_contexts.
- * Merged patch from Dan Walsh.
- * Merged mdadm and postfix changes from Colin Walters.
- * Merged reiserfs and rpm changes from Russell Coker.
- * Merged runaway .* glob fix from Valdis Kletnieks.
- * Merged diff from Dan Walsh.
- * Merged fine-grained netlink classes and permissions.
- * Merged changes for new /etc/selinux layout.
- * Changed mkaccess_vector.sh to provide stable order.
- * Merged diff from Dan Walsh.
- * Fix restorecon path in restorecon.fc.
- * Merged pax class and access vector definition from Joshua Brindle.
-
-1.12 2004-05-12
- * Added targeted policy.
- * Merged atd/at into crond/crontab domains.
- * Exclude bind mounts from relabeling to avoid aliasing.
- * Removed some obsolete types and remapped their initial SIDs to unlabeled.
- * Added SE-X related security classes and policy framework.
- * Added devnull initial SID and context.
- * Merged diffs from Fedora policy.
-
-1.10 2004-04-07
- * Merged ipv6 support from James Morris of RedHat.
- * Merged policy diffs from Dan Walsh.
- * Updated call to genhomedircon to reflect new usage.
- * Merged policy diffs from Dan Walsh and Russell Coker.
- * Removed config-users and config-services per Dan's request.
-
-1.8 2004-03-09
- * Merged genhomedircon patch from Karl MacMillan of Tresys.
- * Added restorecon domain.
- * Added unconfined_domain macro.
- * Added default_t for /.* file_contexts entry and replaced some
- uses of file_t with default_t in the policy.
- * Added su_restricted_domain() macro and use it for initrc_t.
- * Merged policy diffs from Dan Walsh and Russell Coker.
- These included a merge of an earlier patch by Chris PeBenito
- to rename the etc types to be consistent with other types.
-
-1.6 2004-02-18
- * Merged xfs support from Chris PeBenito.
- * Merged conditional rules for ping.te.
- * Defined setbool permission, added can_setbool macro.
- * Partial network policy cleanup.
- * Merged with Russell Coker's policy.
- * Renamed netscape macro and domain to mozilla and renamed
- ipchains domain to iptables for consistency with Russell.
- * Merged rhgb macro and domain from Russell Coker.
- * Merged tunable.te from Russell Coker.
- Only define direct_sysadm_daemon by default in our copy.
- * Added rootok permission to passwd class.
- * Merged Makefile change from Dan Walsh to generate /home
- file_contexts entries for staff users.
- * Added automatic role and domain transitions for init scripts and
- daemons. Added an optional third argument (nosysadm) to
- daemon_domain to omit the direct transition from sysadm_r when
- the same executable is also used as an application, in which
- case the daemon must be restarted via the init script to obtain
- the proper security context. Added system_r to the authorized roles
- for admin users at least until support for automatic user identity
- transitions exist so that a transition to system_u can be provided
- transparently.
- * Added support to su domain for using pam_selinux.
- Added entries to default_contexts for the su domains to
- provide reasonable defaults. Removed user_su_t.
- * Tighten restriction on user identity and role transitions in constraints.
- * Merged macro for newrole-like domains from Russell Coker.
- * Merged stub dbusd domain from Russell Coker.
- * Merged stub prelink domain from Dan Walsh.
- * Merged updated userhelper and config tool domains from Dan Walsh.
- * Added send_msg/recv_msg permissions to can_network macro.
- * Merged patch by Chris PeBenito for sshd subsystems.
- * Merged patch by Chris PeBenito for passing class to var_run_domain.
- * Merged patch by Yuichi Nakamura for append_log_domain macros.
- * Merged patch by Chris PeBenito for rpc_pipefs labeling.
- * Merged patch by Colin Walters to apply m4 once so that
- source file info is preserved for checkpolicy.
-
-1.4 2003-12-01
- * Merged patches from Russell Coker.
- * Revised networking permissions.
- * Added new node_bind permission.
- * Added new siginh, rlimitinh, and setrlimit permissions.
- * Added proc_t:file read permission for new is_selinux_enabled logic.
- * Added failsafe_context configuration file to appconfig.
- * Moved newrules.pl to policycoreutils, renamed to audit2allow.
- * Merged newrules.pl patch from Yuichi Nakamura.
-
-1.2 2003-09-30
- * More policy merging with Russell Coker.
- * Transferred newrules.pl script from the old SELinux.
- * Merged MLS configuration patch from Karl MacMillan of Tresys.
- * Limit staff_t to reading /proc entries for unpriv_userdomain.
- * Updated Makefile and spec file to allow non-root builds,
- based on patch by Paul Nasrat.
-
-1.1 2003-08-13
- * Merged Makefile check-all and te-includes patches from Colin Walters.
- * Merged x-debian-packages.patch from Colin Walters.
- * Folded read permission into domain_trans.
-
-1.0 2003-07-11
- * Initial public release.
-
diff --git a/mls/Makefile b/mls/Makefile
deleted file mode 100644
index 933e3d56..00000000
--- a/mls/Makefile
+++ /dev/null
@@ -1,356 +0,0 @@ -# -# Makefile for the security policy. -# -# Targets: -# -# install - compile and install the policy configuration, and context files. -# load - compile, install, and load the policy configuration. -# reload - compile, install, and load/reload the policy configuration. -# relabel - relabel filesystems based on the file contexts configuration. -# policy - compile the policy configuration locally for testing/development. -# -# The default target is 'install'. -# - -# Set to y if MLS is enabled in the policy. -MLS=y - -# Set to y if MCS is enabled in the policy -MCS=n - -FLASKDIR = flask/ -PREFIX = /usr -BINDIR = $(PREFIX)/bin -SBINDIR = $(PREFIX)/sbin -LOADPOLICY = $(SBINDIR)/load_policy -CHECKPOLICY = $(BINDIR)/checkpolicy -GENHOMEDIRCON = $(SBINDIR)/genhomedircon -SETFILES = $(SBINDIR)/setfiles -VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') -PREVERS := 20 -KERNVERS := $(shell cat /selinux/policyvers) -MLSENABLED := $(shell cat /selinux/mls) -POLICYVER := policy.$(VERS) -TOPDIR = $(DESTDIR)/etc/selinux -TYPE=mls - -INSTALLDIR = $(TOPDIR)/$(TYPE) -POLICYPATH = $(INSTALLDIR)/policy -SRCPATH = $(INSTALLDIR)/src -USERPATH = $(INSTALLDIR)/users -CONTEXTPATH = $(INSTALLDIR)/contexts -LOADPATH = $(POLICYPATH)/$(POLICYVER) -FCPATH = $(CONTEXTPATH)/files/file_contexts -HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template - -ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te) -ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te) -ALL_TYPES := $(wildcard types/*.te) -ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te) -ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te -TE_RBAC_FILES := $(ALLTEFILES) rbac -ALL_TUNABLES := $(wildcard tunables/*.tun ) -USER_FILES := users -POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) -ifeq ($(MLS),y) -POLICYFILES += mls -CHECKPOLMLS += -M -endif -ifeq ($(MCS), y) -POLICYFILES += mcs 
-CHECKPOLMLS += -M -endif -DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts -POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES) -POLICYFILES += $(USER_FILES) -POLICYFILES += constraints -POLICYFILES += $(DEFCONTEXTFILES) -CONTEXTFILES = $(DEFCONTEXTFILES) -POLICY_DIRS = domains domains/program domains/misc macros macros/program - -UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te) - -FC = file_contexts/file_contexts -HOMEDIR_TEMPLATE = file_contexts/homedir_template -FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc) -CONTEXTFILES += $(FCFILES) - -APPDIR=$(CONTEXTPATH) -APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media -CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media - -ROOTFILES = $(addprefix $(APPDIR)/users/,root) - -all: policy - -tmp/valid_fc: $(LOADPATH) $(FC) - @echo "Validating file contexts files ..." - $(SETFILES) -q -c $(LOADPATH) $(FC) - @touch tmp/valid_fc - -install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users - -$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf - @mkdir -p $(USERPATH) - @echo "# " > tmp/system.users - @echo "# Do not edit this file. " >> tmp/system.users - @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users - @echo "# Please edit local.users to make local changes." 
>> tmp/system.users - @echo "#" >> tmp/system.users - @m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users - install -m 644 tmp/system.users $@ - -$(USERPATH)/local.users: local.users - @mkdir -p $(USERPATH) - install -b -m 644 $< $@ - -$(CONTEXTPATH)/files/media: appconfig/media - @mkdir -p $(CONTEXTPATH)/files/ - install -m 644 $< $@ - -$(APPDIR)/default_contexts: appconfig/default_contexts - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/removable_context: appconfig/removable_context - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/customizable_types: policy.conf - @mkdir -p $(APPDIR) - @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types - install -m 644 tmp/customizable_types $@ - -$(APPDIR)/port_types: policy.conf - @mkdir -p $(APPDIR) - @grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types - install -m 644 tmp/port_types $@ - -$(APPDIR)/default_type: appconfig/default_type - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/userhelper_context: appconfig/userhelper_context - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/initrc_context: appconfig/initrc_context - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/failsafe_context: appconfig/failsafe_context - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/dbus_contexts: appconfig/dbus_contexts - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/users/root: appconfig/root_default_contexts - @mkdir -p $(APPDIR)/users - install -m 644 $< $@ - -$(LOADPATH): policy.conf $(CHECKPOLICY) - @echo "Compiling policy ..." - @mkdir -p $(POLICYPATH) - $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf -ifneq ($(VERS),$(PREVERS)) - $(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf -endif - -# Note: Can't use install, so not sure how to deal with mode, user, and group -# other than by default. 
- -policy: $(POLICYVER) - -$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY) - $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf - @echo "Validating file contexts files ..." - $(SETFILES) -q -c $(POLICYVER) $(FC) - -reload tmp/load: $(LOADPATH) - @echo "Loading Policy ..." - $(LOADPOLICY) - touch tmp/load - -load: tmp/load $(FCPATH) - -enableaudit: policy.conf - grep -v dontaudit policy.conf > policy.audit - mv policy.audit policy.conf - -policy.conf: $(POLICYFILES) $(POLICY_DIRS) - @echo "Building policy.conf ..." - @mkdir -p tmp - m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp - @mv $@.tmp $@ - -install-src: - rm -rf $(SRCPATH)/policy.old - -mv $(SRCPATH)/policy $(SRCPATH)/policy.old - @mkdir -p $(SRCPATH)/policy - cp -R . $(SRCPATH)/policy - -tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program - @mkdir -p tmp - ( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp - ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp - mv $@.tmp $@ - -FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';` - -checklabels: $(SETFILES) - $(SETFILES) -v -n $(FC) $(FILESYSTEMS) - -restorelabels: $(SETFILES) - $(SETFILES) -v $(FC) $(FILESYSTEMS) - -relabel: $(FC) $(SETFILES) - $(SETFILES) $(FC) $(FILESYSTEMS) - -file_contexts/misc: - @mkdir -p file_contexts/misc - -$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types - @echo "Installing file contexts files..." - @mkdir -p $(CONTEXTPATH)/files - install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) - install -m 644 $(FC) $(FCPATH) - @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) - -$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd - @echo "Building file contexts files..." 
- @m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp - @grep -v -e HOME -e ROLE -e USER $@.tmp > $@ - @grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE) - @-rm $@.tmp - -# Create a tags-file for the policy: -# we need exuberant ctags; unfortunately it is named differently on different distros, sigh... -pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs -CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme -ifeq ($(strip $(CTAGS)),) -CTAGS := $(call pathsearch,ctags) # suse naming scheme -endif - -tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te) - @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1) - @LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \ - --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \ - --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \ - --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \ - --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \ - --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^ - -clean: - rm -f policy.conf $(POLICYVER) - rm -f tags - rm -f tmp/* - rm -f $(FC) - rm -f flask/*.h -# for the policy regression tester - find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \ - -# Policy regression tester. -# Written by Colin Walters -cur_te = $(filter-out %/,$(subst /,/ ,$@)) - -TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES)) - -define compute_depends - export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //') -endef - - -ifeq ($(TE_DEPENDS_DEFINED),) -ifeq ($(MAKECMDGOALS),check-all) - GENRULES := $(TESTED_TE_FILES) - export TE_DEPENDS_DEFINED := yes -else - # Handle the case where checkunused/blah.te is run directly. 
- ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),) - GENRULES := $(TESTED_TE_FILES) - export TE_DEPENDS_DEFINED := yes - endif -endif -endif - -# Test for a new enough version of GNU Make. -$(eval have_eval := yes) -ifneq ($(GENRULES),) - ifeq ($(have_eval),) -$(error Need GNU Make 3.80 or better!) -Need GNU Make 3.80 or better - endif -endif -$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f)))) - -PHONIES := - -define compute_presymlinks -PHONIES += presymlink/$(1) -presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1))) - @if ! test -L domains/program/$(1); then \ - cd domains/program && ln -s unused/$(1) .; \ - fi -endef - -# Compute dependencies. -$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f)))) - -PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES)) -$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : - @$(MAKE) -s clean - -$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/% - @if test -n "$(TE_DEPENDS_$(cur_te))"; then \ - echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \ - fi - @echo "Testing $(cur_te)..."; - @if ! 
make -s policy 1>/dev/null; then \ - echo "Testing $(cur_te)...FAILED"; \ - exit 1; \ - fi; - @echo "Testing $(cur_te)...success."; \ - -check-all: - @for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \ - $(MAKE) --no-print-directory $$goal; \ - done - -.PHONY: clean $(PHONIES) - -mlsconvert: - @for file in $(CONTEXTFILES); do \ - echo "Converting $$file"; \ - sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ - mv $$file.new $$file; \ - done - @for file in $(USER_FILES); do \ - echo "Converting $$file"; \ - sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \ - mv $$file.new $$file; \ - done - @sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts - @echo "Enabling MLS in the Makefile" - @sed "s/MLS=y/MLS=y/" Makefile > Makefile.new - @mv Makefile.new Makefile - @echo "Done" - -mcsconvert: - @for file in $(CONTEXTFILES); do \ - echo "Converting $$file"; \ - sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ - mv $$file.new $$file; \ - done - @for file in $(USER_FILES); do \ - echo "Converting $$file"; \ - sed -r -e 's/\;/ level s0 range s0;/' $$file | \ - sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \ - mv $$file.new $$file; \ - done - @echo "Enabling MCS in the Makefile" - @sed "s/MCS=n/MCS=y/" Makefile > Makefile.new - @mv Makefile.new Makefile - @echo "Done" - diff --git a/mls/README b/mls/README deleted file mode 100644 index 6818b66d..00000000 --- a/mls/README +++ /dev/null 
@@ -1,125 +0,0 @@ -The Makefile targets are: -policy - compile the policy configuration. -install - compile and install the policy configuration. -load - compile, install, and load the policy configuration. -relabel - relabel the filesystem. -check-all - check individual additional policy files in domains/program/unused. -checkunused/FILE.te - check individual file FILE from domains/program/unused. - -If you have configured MLS into your module, then set MLS=y in the -Makefile prior to building the policy. Of course, you must have also -built checkpolicy with MLS enabled. - -Three of the configuration files are independent of the particular -security policy: -1) flask/security_classes - - This file has a simple declaration for each security class. - The corresponding symbol definitions are in the automatically - generated header file . - -2) flask/initial_sids - - This file has a simple declaration for each initial SID. - The corresponding symbol definitions are in the automatically - generated header file . - -3) access_vectors - - This file defines the access vectors. Common prefixes for - access vectors may be defined at the beginning of the file. - After the common prefixes are defined, an access vector - may be defined for each security class. - The corresponding symbol definitions are in the automatically - generated header file . - -In addition to being read by the security server, these configuration -files are used during the kernel build to automatically generate -symbol definitions used by the kernel for security classes, initial -SIDs and permissions. Since the symbol definitions generated from -these files are used during the kernel build, the values of existing -security classes and permissions may not be modified by load_policy. -However, new classes may be appended to the list of classes and new -permissions may be appended to the list of permissions associated with -each access vector definition. 
- -The policy-dependent configuration files are: -1) tmp/all.te - - This file defines the Type Enforcement (TE) configuration. - This file is automatically generated from a collection of files. - - The macros subdirectory contains a collection of m4 macro definitions - used by the TE configuration. The global_macros.te file contains global - macros used throughout the configuration for common groupings of classes - and permissions and for common sets of rules. The user_macros.te file - contains macros used in defining user domains. The admin_macros.te file - contains macros used in defining admin domains. The macros/program - subdirectory contains macros that are used to instantiate derived domains - for certain programs that encode information about both the calling user - domain and the program, permitting the policy to maintain separation - between different instances of the program. - - The types subdirectory contains several files with declarations for - general types (types not associated with a particular domain) and - some rules defining relationships among those types. Related types - are grouped together into each file in this directory, e.g. all - device type declarations are in the device.te file. - - The domains subdirectory contains several files and directories - with declarations and rules for each domain. User domains are defined in - user.te. Administrator domains are defined in admin.te. Domains for - specific programs, including both system daemons and other programs, are - in the .te files within the domains/program subdirectory. The domains/misc - subdirectory is for miscellaneous domains such as the kernel domain and - the kernel module loader domain. - - The assert.te file contains assertions that are checked after evaluating - the entire TE configuration. - -2) rbac - - This file defines the Role-Based Access Control (RBAC) configuration. - -3) mls - - This file defines the Multi-Level Security (MLS) configuration. 
- -4) users - - This file defines the users recognized by the security policy. - -5) constraints - - This file defines additional constraints on permissions - in the form of boolean expressions that must be satisfied in order - for specified permissions to be granted. These constraints - are used to further refine the type enforcement tables and - the role allow rules. Typically, these constraints are used - to restrict changes in user identity or role to certain domains. - -6) initial_sid_contexts - - This file defines the security context for each initial SID. - A security context consists of a user identity, a role, a type and - optionally a MLS range if the MLS policy is enabled. If left unspecified, - the high MLS level defaults to the low MLS level. The syntax of a valid - security context is: - - user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]] - -7) fs_use - - This file defines the labeling behavior for inodes in particular - filesystem types. - -8) genfs_contexts - - This file defines security contexts for files in filesystems that - cannot support persistent label mappings or use one of the fixed - labeling schemes specified in fs_use. - -8) net_contexts - - This file defines the security contexts of network objects - such as ports, interfaces, and nodes. - -9) file_contexts/{types.fc,program/*.fc} - These files define the security contexts for persistent files. - -It is possible to test the security server functions on a given policy -configuration by running the checkpolicy program with the -d option. -This program is built from the same sources as the security server -component of the kernel, so it may be used both to verify that a -policy configuration will load successfully and to determine how the -security server would respond if it were using that policy -configuration. A menu-based interface is provided for calling any of -the security server functions after the policy is loaded. 
diff --git a/mls/VERSION b/mls/VERSION
deleted file mode 100644
index 3bae5204..00000000
--- a/mls/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.27.3
diff --git a/mls/appconfig/dbus_contexts b/mls/appconfig/dbus_contexts
deleted file mode 100644
index 116e684f..00000000
--- a/mls/appconfig/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
diff --git a/mls/appconfig/default_contexts b/mls/appconfig/default_contexts
deleted file mode 100644
index 5024209e..00000000
--- a/mls/appconfig/default_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
-system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/mls/appconfig/default_type b/mls/appconfig/default_type
deleted file mode 100644
index af878bd7..00000000
--- a/mls/appconfig/default_type
+++ /dev/null
@@ -1,4 +0,0 @@
-secadm_r:secadm_t
-sysadm_r:sysadm_t
-staff_r:staff_t
-user_r:user_t
diff --git a/mls/appconfig/failsafe_context b/mls/appconfig/failsafe_context
deleted file mode 100644
index 999abd9a..00000000
--- a/mls/appconfig/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-sysadm_r:sysadm_t:s0
diff --git a/mls/appconfig/initrc_context b/mls/appconfig/initrc_context
deleted file mode 100644
index 30ab971d..00000000
--- a/mls/appconfig/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:initrc_t:s0
diff --git a/mls/appconfig/media b/mls/appconfig/media
deleted file mode 100644
index 81f3463e..00000000
--- a/mls/appconfig/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/mls/appconfig/removable_context b/mls/appconfig/removable_context
deleted file mode 100644
index 7fcc56e4..00000000
--- a/mls/appconfig/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/mls/appconfig/root_default_contexts b/mls/appconfig/root_default_contexts
deleted file mode 100644
index e9d95e86..00000000
--- a/mls/appconfig/root_default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/mls/appconfig/userhelper_context b/mls/appconfig/userhelper_context
deleted file mode 100644
index dc37a69b..00000000
--- a/mls/appconfig/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:sysadm_r:sysadm_t:s0
diff --git a/mls/assert.te b/mls/assert.te
deleted file mode 100644
index 02b2878c..00000000
--- a/mls/assert.te
+++ /dev/null
@@ -1,156 +0,0 @@ -############################## -# -# Assertions for the type enforcement (TE) configuration. -# - -# -# Authors: Stephen Smalley and Timothy Fraser -# - -################################## -# -# Access vector assertions. -# -# An access vector assertion specifies permissions that should not be in -# an access vector based on a source type, a target type, and a class. -# If any of the specified permissions are in the corresponding access -# vector, then the policy compiler will reject the policy configuration. -# Currently, there is only one kind of access vector assertion, neverallow, -# but support for the other kinds of vectors could be easily added. Access -# vector assertions use the same syntax as access vector rules. -# - -# -# Verify that every type that can be entered by -# a domain is also tagged as a domain. -# -neverallow domain ~domain:process { transition dyntransition }; - -# -# Verify that only the insmod_t and kernel_t domains -# have the sys_module capability. -# -neverallow {domain -privsysmod -unrestricted } self:capability sys_module; - -# -# Verify that executable types, the system dynamic loaders, and the -# system shared libraries can only be modified by administrators. 
-# -neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename }; -neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto; - -# -# Verify that only appropriate domains can access /etc/shadow -neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr; -neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms; - -# -# Verify that only appropriate domains can write to /etc (IE mess with -# /etc/passwd) -neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms; -neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms; -neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms }; - -# -# Verify that other system software can only be modified by administrators. -# -neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename }; -neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename }; - -# -# Verify that only certain domains have access to the raw disk devices. -# -neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append }; - -# -# Verify that only the X server and klogd have access to memory devices. -# -neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append }; - -# -# Verify that only domains with the privlog attribute can actually syslog -# -neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append }; - -# -# Verify that /proc/kmsg is only accessible to klogd. -# -neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms; - -# -# Verify that /proc/kcore is inaccessible. 
-# - -neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms; - -# -# Verify that sysctl variables are only changeable -# by initrc and administrators. -# -neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append }; -neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append }; -neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append }; -neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append }; -neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append }; -neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append }; -neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append }; -neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append }; - -# -# Verify that certain domains are limited to only being -# entered by their entrypoint types and to only executing -# the dynamic loader without a transition to another domain. 
-# - -define(`assert_execute', ` - ifelse($#, 0, , - $#, 1, - ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'', - `assert_execute($1) assert_execute(shift($@))')') - -ifdef(`getty.te', `assert_execute(getty)') -ifdef(`klogd.te', `assert_execute(klogd)') -ifdef(`tcpd.te', `assert_execute(tcpd)') -ifdef(`portmap.te', `assert_execute(portmap)') -ifdef(`syslogd.te', `assert_execute(syslogd)') -ifdef(`rpcd.te', `assert_execute(rpcd)') -ifdef(`rlogind.te', `assert_execute(rlogind)') -ifdef(`ypbind.te', `assert_execute(ypbind)') -ifdef(`xfs.te', `assert_execute(xfs)') -ifdef(`gpm.te', `assert_execute(gpm)') -ifdef(`ifconfig.te', `assert_execute(ifconfig)') -ifdef(`iptables.te', `assert_execute(iptables)') - -ifdef(`login.te', ` -neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint; -neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans; -') - -# -# Verify that the passwd domain can only be entered by its -# entrypoint type and can only execute the dynamic loader -# and the ordinary passwd program without a transition to another domain. -# -ifdef(`passwd.te', ` -neverallow passwd_t ~passwd_exec_t:file entrypoint; -neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint; -neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans; -') - -# -# Verify that only the admin domains and initrc_t have setenforce. -# -neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce; - -# -# Verify that only the kernel and load_policy_t have load_policy. 
-# - -neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy; - -# -# for gross mistakes in policy -neverallow * domain:dir ~r_dir_perms; -neverallow * domain:file_class_set ~rw_file_perms; -neverallow { domain unlabeled_t } file_type:process *; -neverallow ~{ domain unlabeled_t } *:process *; diff --git a/mls/attrib.te b/mls/attrib.te deleted file mode 100644 index 44e2f70d..00000000 --- a/mls/attrib.te +++ /dev/null 
@@ -1,562 +0,0 @@
-#
-# Declarations for type attributes.
-#
-
-# A type attribute can be used to identify a set of types with a similar
-# property. Each type can have any number of attributes, and each
-# attribute can be associated with any number of types. Attributes are
-# explicitly declared here, and can then be associated with particular
-# types in type declarations. Attribute names can then be used throughout
-# the configuration to express the set of types that are associated with
-# the attribute. Attributes have no implicit meaning to SELinux. The
-# meaning of all attributes are completely defined through their
-# usage within the configuration, but should be documented here as
-# comments preceding the attribute declaration.
-
-#####################
-# Attributes for MLS:
-#
-
-# Common Terminology
-# MLS Range: low-high
-# low referred to as "Effective Sensitivity Label (SL)"
-# high referred to as "Clearance SL"
-
-
-#
-# File System MLS attributes/privileges
-#
-# Grant MLS read access to files not dominated by the process Effective SL
-attribute mlsfileread;
-# Grant MLS read access to files dominated by the process Clearance SL
-attribute mlsfilereadtoclr;
-# Grant MLS write access to files not equal to the Effective SL
-attribute mlsfilewrite;
-# Grant MLS write access to files which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsfilewritetoclr;
-# Grant MLS ability to change file label to a new label which dominates
-# the old label
-attribute mlsfileupgrade;
-# Grant MLS ability to change file label to a new label which is
-# dominated by or incomparable to the old label
-attribute mlsfiledowngrade;
-
-#
-# Network MLS attributes/privileges
-#
-# Grant MLS read access to packets not dominated by the process Effective SL
-attribute mlsnetread;
-# Grant MLS read access to packets dominated by the process Clearance SL
-attribute mlsnetreadtoclr;
-# Grant MLS write access to packets not equal to the Effective SL
-attribute mlsnetwrite;
-# Grant MLS write access to packets which dominate the Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsnetwritetoclr;
-# Grant MLS read access to packets from hosts or interfaces which dominate
-# or incomparable to the process Effective SL
-attribute mlsnetrecvall;
-# Grant MLS ability to change socket label to a new label which dominates
-# the old label
-attribute mlsnetupgrade;
-# Grant MLS ability to change socket label to a new label which is
-# dominated by or incomparable to the old label
-attribute mlsnetdowngrade;
-
-#
-# IPC MLS attributes/privileges
-#
-# Grant MLS read access to IPC objects not dominated by the process Effective SL
-attribute mlsipcread;
-# Grant MLS read access to IPC objects dominated by the process Clearance SL
-attribute mlsipcreadtoclr;
-# Grant MLS write access to IPC objects not equal to the process Effective SL
-attribute mlsipcwrite;
-# Grant MLS write access to IPC objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsipcwritetoclr;
-
-#
-# Process MLS attributes/privileges
-#
-# Grant MLS read access to processes not dominated by the process Effective SL
-attribute mlsprocread;
-# Grant MLS read access to processes dominated by the process Clearance SL
-attribute mlsprocreadtoclr;
-# Grant MLS write access to processes not equal to the Effective SL
-attribute mlsprocwrite;
-# Grant MLS write access to processes which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsprocwritetoclr;
-# Grant MLS ability to change Effective SL or Clearance SL of process to a
-# label dominated by the Clearance SL
-attribute mlsprocsetsl;
-
-#
-# X Window MLS attributes/privileges
-#
-# Grant MLS read access to X objects not dominated by the process Effective SL
-attribute mlsxwinread;
-# Grant MLS read access to X objects dominated by the process Clearance SL
-attribute mlsxwinreadtoclr;
-# Grant MLS write access to X objects not equal to the process Effective SL
-attribute mlsxwinwrite;
-# Grant MLS write access to X objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsxwinwritetoclr;
-# Grant MLS read access to X properties not dominated by
-# the process Effective SL
-attribute mlsxwinreadproperty;
-# Grant MLS write access to X properties not equal to the process Effective SL
-attribute mlsxwinwriteproperty;
-# Grant MLS read access to X colormaps not dominated by
-# the process Effective SL
-attribute mlsxwinreadcolormap;
-# Grant MLS write access to X colormaps not equal to the process Effective SL
-attribute mlsxwinwritecolormap;
-# Grant MLS write access to X xinputs not equal to the process Effective SL
-attribute mlsxwinwritexinput;
-
-# Grant MLS read/write access to objects which internally arbitrate MLS
-attribute mlstrustedobject;
-
-#
-# Both of the following attributes are needed for a range transition to succeed
-#
-# Grant ability for the current domain to change SL upon process transition
-attribute privrangetrans;
-# Grant ability for the new process domain to change SL upon process transition
-attribute mlsrangetrans;
-
-#########################
-# Attributes for domains:
-#
-
-# The domain attribute identifies every type that can be
-# assigned to a process. This attribute is used in TE rules
-# that should be applied to all domains, e.g. permitting
-# init to kill all processes.
-attribute domain;
-
-# The daemon attribute identifies domains for system processes created via
-# the daemon_domain, daemon_base_domain, and init_service_domain macros.
-attribute daemon;
-
-# The privuser attribute identifies every domain that can
-# change its SELinux user identity. This attribute is used
-# in the constraints configuration. NOTE: This attribute
-# is not required for domains that merely change the Linux
-# uid attributes, only for domains that must change the
-# SELinux user identity. Also note that this attribute makes
-# no sense without the privrole attribute.
-attribute privuser;
-
-# The privrole attribute identifies every domain that can
-# change its SELinux role. This attribute is used in the
-# constraints configuration.
-attribute privrole;
-
-# The userspace_objmgr attribute identifies every domain
-# which enforces its own policy.
-attribute userspace_objmgr;
-
-# The priv_system_role attribute identifies every domain that can
-# change role from a user role to system_r role, and identity from a user
-# identity to system_u. It is used in the constraints configuration.
-attribute priv_system_role;
-
-# The privowner attribute identifies every domain that can
-# assign a different SELinux user identity to a file, or that
-# can create a file with an identity that is not the same as the
-# process identity. This attribute is used in the constraints
-# configuration.
-attribute privowner;
-
-# The privlog attribute identifies every domain that can
-# communicate with syslogd through its Unix domain socket.
-# There is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privlog;
-
-# The privmodule attribute identifies every domain that can run
-# modprobe, there is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privmodule;
-
-# The privsysmod attribute identifies every domain that can have the
-# sys_module capability
-attribute privsysmod;
-
-# The privmem attribute identifies every domain that can
-# access kernel memory devices.
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privmem;
-
-# The privkmsg attribute identifies every domain that can
-# read kernel messages (/proc/kmsg)
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privkmsg;
-
-# The privfd attribute identifies every domain that should have
-# file handles inherited widely (IE sshd_t and getty_t).
-attribute privfd;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# The auth attribute identifies every domain that needs
-# to read /etc/shadow, and grants the permission.
-attribute auth;
-
-# The auth_bool attribute identifies every domain that can
-# read /etc/shadow if its boolean is set;
-attribute auth_bool;
-
-# The auth_write attribute identifies every domain that can have write or
-# relabel access to /etc/shadow, but does not grant it.
-attribute auth_write;
-
-# The auth_chkpwd attribute identifies every system domain that can
-# authenticate users by running unix_chkpwd
-attribute auth_chkpwd;
-
-# The change_context attribute identifies setfiles_t, restorecon_t, and other
-# system domains that change the context of most/all files on the system
-attribute change_context;
-
-# The etc_writer attribute identifies every domain that can write to etc_t
-attribute etc_writer;
-
-# The sysctl_kernel_writer attribute identifies domains that can write to
-# sysctl_kernel_t, in addition the admin attribute is permitted write access
-attribute sysctl_kernel_writer;
-
-# the sysctl_net_writer attribute identifies domains that can write to
-# sysctl_net_t files.
-attribute sysctl_net_writer;
-
-# The sysctl_type attribute identifies every type that is assigned
-# to a sysctl entry. This can be used in allow rules to grant
-# permissions to all sysctl entries without enumerating each individual
-# type, but should be used with care.
-attribute sysctl_type;
-
-# The admin attribute identifies every administrator domain.
-# It is used in TE assertions when verifying that only administrator
-# domains have certain permissions.
-# This attribute is presently associated with sysadm_t and
-# certain administrator utility domains.
-# XXX The use of this attribute should be reviewed for consistency.
-# XXX Might want to partition into several finer-grained attributes
-# XXX used in different assertions within assert.te.
-attribute admin;
-
-# The secadmin attribute identifies every security administrator domain.
-# It is used in TE assertions when verifying that only administrator
-# domains have certain permissions.
-# This attribute is presently associated with sysadm_t and secadm_t
-attribute secadmin;
-
-# The userdomain attribute identifies every user domain, presently
-# user_t and sysadm_t. It is used in TE rules that should be applied
-# to all user domains.
-attribute userdomain;
-
-# for a small domain that can only be used for newrole
-attribute user_mini_domain;
-
-# pty for the mini domain
-attribute mini_pty_type;
-
-# pty created by a server such as sshd
-attribute server_pty;
-
-# attribute for all non-administrative devpts types
-attribute userpty_type;
-
-# The user_tty_type identifies every type for a tty or pty owned by an
-# unpriviledged user
-attribute user_tty_type;
-
-# The admin_tty_type identifies every type for a tty or pty owned by a
-# priviledged user
-attribute admin_tty_type;
-
-# The user_crond_domain attribute identifies every user_crond domain, presently
-# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
-# applied to all user domains.
-attribute user_crond_domain;
-
-# The unpriv_userdomain identifies non-administrative users (default user_t)
-attribute unpriv_userdomain;
-
-# This attribute is for the main user home directory for unpriv users
-attribute user_home_dir_type;
-
-# The gphdomain attribute identifies every gnome-pty-helper derived
-# domain. It is used in TE rules to permit inheritance and use of
-# descriptors created by these domains.
-attribute gphdomain;
-
-# The fs_domain identifies every domain that may directly access a fixed disk
-attribute fs_domain;
-
-# This attribute is for all domains for the userhelper program.
-attribute userhelperdomain;
-
-############################
-# Attributes for file types:
-#
-
-# The file_type attribute identifies all types assigned to files
-# in persistent filesystems. It is used in TE rules to permit
-# the association of all such file types with persistent filesystem
-# types, and to permit certain domains to access all such types as
-# appropriate.
-attribute file_type;
-
-# The secure_file_type attribute identifies files
-# which will be treated with a higer level of security.
-# Most domains will be prevented from manipulating files in this domain
-attribute secure_file_type;
-
-# The device_type attribute identifies all types assigned to device nodes
-attribute device_type;
-
-# The proc_fs attribute identifies all types that may be assigned to
-# files under /proc.
-attribute proc_fs;
-
-# The dev_fs attribute identifies all types that may be assigned to
-# files, sockets, or pipes under /dev.
-attribute dev_fs;
-
-# The sysadmfile attribute identifies all types assigned to files
-# that should be completely accessible to administrators. It is used
-# in TE rules to grant such access for administrator domains.
-attribute sysadmfile;
-
-# The secadmfile attribute identifies all types assigned to files
-# that should be only accessible to security administrators. It is used
-# in TE rules to grant such access for security administrator domains.
-attribute secadmfile;
-
-# The fs_type attribute identifies all types assigned to filesystems
-# (not limited to persistent filesystems).
-# It is used in TE rules to permit certain domains to mount
-# any filesystem and to permit most domains to obtain the
-# overall filesystem statistics.
-attribute fs_type;
-
-# The mount_point attribute identifies all types that can serve
-# as a mount point (for the mount binary). It is used in the mount
-# policy to grant mounton permission, and in other domains to grant
-# getattr permission over all the mount points.
-attribute mount_point;
-
-# The exec_type attribute identifies all types assigned
-# to entrypoint executables for domains. This attribute is
-# used in TE rules and assertions that should be applied to all
-# such executables.
-attribute exec_type;
-
-# The tmpfile attribute identifies all types assigned to temporary
-# files. This attribute is used in TE rules to grant certain
-# domains the ability to remove all such files (e.g. init, crond).
-attribute tmpfile;
-
-# The user_tmpfile attribute identifies all types associated with temporary
-# files for unpriv_userdomain domains.
-attribute user_tmpfile;
-
-# for the user_xserver_tmp_t etc
-attribute xserver_tmpfile;
-
-# The tmpfsfile attribute identifies all types defined for tmpfs
-# type transitions.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute tmpfsfile;
-
-# The home_type attribute identifies all types assigned to home
-# directories. This attribute is used in TE rules to grant certain
-# domains the ability to access all home directory types.
-attribute home_type;
-
-# This attribute is for the main user home directory /home/user, to
-# distinguish it from sub-dirs. Often you want a process to be able to
-# read the user home directory but not read the regular directories under it.
-attribute home_dir_type;
-
-# The ttyfile attribute identifies all types assigned to ttys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ttys.
-attribute ttyfile;
-
-# The ptyfile attribute identifies all types assigned to ptys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ptys.
-attribute ptyfile;
-
-# The pidfile attribute identifies all types assigned to pid files.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute pidfile;
-
-
-############################
-# Attributes for network types:
-#
-
-# The socket_type attribute identifies all types assigned to
-# kernel-created sockets. Ordinary sockets are assigned the
-# domain of the creating process.
-# XXX This attribute is unused. Remove?
-attribute socket_type;
-
-# Identifies all types assigned to port numbers to control binding.
-attribute port_type;
-
-# Identifies all types assigned to reserved port (<1024) numbers to control binding.
-attribute reserved_port_type;
-
-# Identifies all types assigned to network interfaces to control
-# operations on the interface (XXX obsolete, not supported via LSM)
-# and to control traffic sent or received on the interface.
-attribute netif_type;
-
-# Identifies all default types assigned to packets received
-# on network interfaces.
-attribute netmsg_type;
-
-# Identifies all types assigned to network nodes/hosts to control
-# traffic sent to or received from the node.
-attribute node_type;
-
-# Identifier for log files or directories that only exist for log files.
-attribute logfile;
-
-# Identifier for lock files (/var/lock/*) or directories that only exist for
-# lock files.
-attribute lockfile;
-
-
-
-##############################
-# Attributes for security policy types:
-#
-
-# The login_contexts attribute idenitifies the files used
-# to define default contexts for login types (e.g., login, cron).
-attribute login_contexts;
-
-# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
-# sysadm_mail_t, etc)
-attribute user_mail_domain;
-
-# Identifies domains that can transition to system_mail_t
-attribute privmail;
-
-# Type for non-sysadm home directory
-attribute user_home_type;
-
-# For domains that are part of a mail server and need to read user files and
-# fifos, and inherit file handles to enable user email to get to the mail
-# spool
-attribute mta_user_agent;
-
-# For domains that are part of a mail server for delivering messages to the
-# user
-attribute mta_delivery_agent;
-
-# For domains that make outbound TCP port 25 connections to send mail from the
-# mail server.
-attribute mail_server_sender;
-
-# For a mail server process that takes TCP connections on port 25
-attribute mail_server_domain;
-
-# For web clients such as netscape and squid
-attribute web_client_domain;
-
-# For X Window System server domains
-attribute xserver;
-
-# For X Window System client domains
-attribute xclient;
-
-# For X Window System protocol extensions
-attribute xextension;
-
-# For X Window System property types
-attribute xproperty;
-
-#
-# For file systems that do not have extended attributes but need to be
-# r/w by users
-#
-attribute noexattrfile;
-
-#
-# For filetypes that the usercan read
-#
-attribute usercanread;
-
-#
-# For serial devices
-#
-attribute serial_device;
-
-# Attribute to designate unrestricted access
-attribute unrestricted;
-
-# Attribute to designate can transition to unconfined_t
-attribute unconfinedtrans;
-
-# For clients of nscd.
-attribute nscd_client_domain;
-
-# For clients of nscd that can use shmem interface.
-attribute nscd_shmem_domain;
-
-# For labeling of content for httpd. This attribute is only used by
-# the httpd_unified domain, which says treat all httpdcontent the
-# same. If you want content to be served in a "non-unified" system
-# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
-# your policy.
-attribute httpdcontent;
-
-# For labeling of domains whos transition can be disabled
-attribute transitionbool;
-
-# For labelling daemons that should not have a range transition to "s0"
-# included in the daemon_base_domain macro
-attribute no_daemon_range_trans;
-
-# For labeling of file_context domains which users can change files to rather
-# then the default file context. These file_context can survive a relabeling
-# of the file system.
-attribute customizable;
-
-##############################
-# Attributes for polyinstatiation support:
-#
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
diff --git a/mls/constraints b/mls/constraints
deleted file mode 100644
index 46a98757..00000000
--- a/mls/constraints
+++ /dev/null
@@ -1,83 +0,0 @@ -# -# Define m4 macros for the constraints -# - -# -# Define the constraints -# -# constrain class_set perm_set expression ; -# -# validatetrans class_set expression ; -# -# expression : ( expression ) -# | not expression -# | expression and expression -# | expression or expression -# | u1 op u2 -# | r1 role_mls_op r2 -# | t1 op t2 -# | l1 role_mls_op l2 -# | l1 role_mls_op h2 -# | h1 role_mls_op l2 -# | h1 role_mls_op h2 -# | l1 role_mls_op h1 -# | l2 role_mls_op h2 -# | u1 op names -# | u2 op names -# | r1 op names -# | r2 op names -# | t1 op names -# | t2 op names -# | u3 op names (NOTE: this is only available for validatetrans) -# | r3 op names (NOTE: this is only available for validatetrans) -# | t3 op names (NOTE: this is only available for validatetrans) -# -# op : == | != -# role_mls_op : == | != | eq | dom | domby | incomp -# -# names : name | { name_list } -# name_list : name | name_list name# -# - -# -# Restrict the ability to transition to other users -# or roles to a few privileged types. -# - -constrain process transition - ( u1 == u2 or ( t1 == privuser and t2 == userdomain ) -ifdef(`crond.te', ` - or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u)) -') -ifdef(`userhelper.te', - `or (t1 == userhelperdomain)') - or (t1 == priv_system_role and u2 == system_u ) - ); - -constrain process transition - ( r1 == r2 or ( t1 == privrole and t2 == userdomain ) -ifdef(`crond.te', ` - or (t1 == crond_t and t2 == user_crond_domain) -') -ifdef(`userhelper.te', - `or (t1 == userhelperdomain)') -ifdef(`postfix.te', ` -ifdef(`direct_sysadm_daemon', - `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )') -') - or (t1 == priv_system_role and r2 == system_r ) - ); - -constrain process dyntransition - ( u1 == u2 and r1 == r2); - -# -# Restrict the ability to label objects with other -# user identities to a few privileged types. 
-# - -constrain dir_file_class_set { create relabelto relabelfrom } - ( u1 == u2 or t1 == privowner ); - -constrain socket_class_set { create relabelto relabelfrom } - ( u1 == u2 or t1 == privowner ); diff --git a/mls/domains/admin.te b/mls/domains/admin.te deleted file mode 100644 index 464cc914..00000000 --- a/mls/domains/admin.te +++ /dev/null @@ -1,43 +0,0 @@ -#DESC Admin - Domains for administrators. -# -################################# - -# sysadm_t is the system administrator domain. -type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain -ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans') -; dnl end of sysadm_t type declaration - -allow privhome home_root_t:dir { getattr search }; - -# system_r is authorized for sysadm_t for single-user mode. -role system_r types sysadm_t; - -general_proc_read_access(sysadm_t) - -# sysadm_t is also granted permissions specific to administrator domains. -admin_domain(sysadm) - -# for su -allow sysadm_t userdomain:fd use; - -ifdef(`separate_secadm', `', ` -security_manager_domain(sysadm_t) -') - -# Add/remove user home directories -file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) - -limited_user_role(secadm) -typeattribute secadm_t admin; -role secadm_r types secadm_t; -security_manager_domain(secadm_t) -r_dir_file(secadm_t, { var_t var_log_t }) - -typeattribute secadm_tty_device_t admin_tty_type; -typeattribute secadm_devpts_t admin_tty_type; - -bool allow_ptrace false; - -if (allow_ptrace) { -can_ptrace(sysadm_t, domain) -} diff --git a/mls/domains/misc/auth-net.te b/mls/domains/misc/auth-net.te deleted file mode 100644 index e954a9bf..00000000 --- a/mls/domains/misc/auth-net.te +++ /dev/null @@ -1,3 +0,0 @@ -#DESC Policy for using network servers for authenticating users (IE PAM-LDAP) - -can_network(auth) 
diff --git a/mls/domains/misc/fcron.te b/mls/domains/misc/fcron.te
deleted file mode 100644
index 57209be9..00000000
--- a/mls/domains/misc/fcron.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC fcron - additions to cron policy for a more powerful cron program
-#
-# Domain for fcron, a more powerful cron program.
-#
-# Needs cron.te installed.
-#
-# Author: Russell Coker
-
-# Use capabilities.
-allow crond_t self:capability { dac_override dac_read_search };
-
-# differences between r_dir_perms and rw_dir_perms
-allow crond_t cron_spool_t:dir { add_name remove_name write };
-
-ifdef(`mta.te', `
-# not sure why we need write access, but Postfix does not work without it
-# I will have to change fcron to avoid the need for this
-allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
-')
-
-ifdef(`distro_debian', `
-can_exec(dpkg_t, crontab_exec_t)
-file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
-')
-
-rw_dir_create_file(crond_t, cron_spool_t)
-can_setfscreate(crond_t)
-
-# for /var/run/fcron.fifo
-file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
diff --git a/mls/domains/misc/kernel.te b/mls/domains/misc/kernel.te
deleted file mode 100644
index 5b13c0fe..00000000
--- a/mls/domains/misc/kernel.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#################################
-#
-# Rules for the kernel_t domain.
-#
-
-#
-# kernel_t is the domain of kernel threads.
-# It is also the target type when checking permissions in the system class.
-#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
-role system_r types kernel_t;
-general_domain_access(kernel_t)
-general_proc_read_access(kernel_t)
-base_file_read_access(kernel_t)
-uses_shlib(kernel_t)
-can_exec(kernel_t, shell_exec_t)
-
-# Use capabilities.
-allow kernel_t self:capability *;
-
-r_dir_file(kernel_t, sysfs_t)
-allow kernel_t { usbfs_t usbdevfs_t }:dir search;
-
-# Run init in the init_t domain.
-domain_auto_trans(kernel_t, init_exec_t, init_t)
-
-ifdef(`mls_policy', `
-# run init with maximum MLS range
-range_transition kernel_t init_exec_t s0 - s15:c0.c255;
-')
-
-# Share state with the init process.
-allow kernel_t init_t:process share;
-
-# Mount and unmount file systems.
-allow kernel_t fs_type:filesystem mount_fs_perms;
-
-# Send signal to any process.
-allow kernel_t domain:process signal;
-allow kernel_t domain:dir search;
-
-# Access the console.
-allow kernel_t device_t:dir search;
-allow kernel_t console_device_t:chr_file rw_file_perms;
-
-# Access the initrd filesystem.
-allow kernel_t file_t:chr_file rw_file_perms;
-can_exec(kernel_t, file_t)
-ifdef(`chroot.te', `
-can_exec(kernel_t, chroot_exec_t)
-')
-allow kernel_t self:capability sys_chroot;
-
-allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
-allow kernel_t unlabeled_t:fifo_file rw_file_perms;
-allow kernel_t file_t:dir rw_dir_perms;
-allow kernel_t file_t:blk_file create_file_perms;
-allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
-
-# Lookup the policy.
-allow kernel_t policy_config_t:dir r_dir_perms;
-
-# Load the policy configuration.
-can_loadpol(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-can_exec(kernel_t, bin_t)
-
-ifdef(`targeted_policy', `
-unconfined_domain(kernel_t)
-')
diff --git a/mls/domains/misc/local.te b/mls/domains/misc/local.te
deleted file mode 100644
index cedba3c4..00000000
--- a/mls/domains/misc/local.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Local customization of existing policy should be done in this file.
-# If you are creating brand new policy for a new "target" domain, you
-# need to create a type enforcement (.te) file in domains/program
-# and a file context (.fc) file in file_context/program.
-
diff --git a/mls/domains/misc/startx.te b/mls/domains/misc/startx.te
deleted file mode 100644
index 16c4910f..00000000
--- a/mls/domains/misc/startx.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#DESC startx - policy for running an X server from a user domain
-#
-# Author: Russell Coker
-#
-
-# Everything is in the macro files
-
diff --git a/mls/domains/misc/userspace_objmgr.te b/mls/domains/misc/userspace_objmgr.te
deleted file mode 100644
index ae3b2055..00000000
--- a/mls/domains/misc/userspace_objmgr.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Userspace Object Managers
-#
-#################################
-
-# Get our own security context.
-can_getcon(userspace_objmgr)
-# Get security decisions via selinuxfs.
-can_getsecurity(userspace_objmgr)
-# Read /etc/selinux
-r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
-# Receive notifications of policy reloads and enforcing status changes.
-allow userspace_objmgr self:netlink_selinux_socket { create bind read };
-
diff --git a/mls/domains/misc/xclient.te b/mls/domains/misc/xclient.te
deleted file mode 100644
index ae4552f3..00000000
--- a/mls/domains/misc/xclient.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Authors: Eamon Walsh
-#
-
-#######################################
-#
-# Domains for the SELinux-enabled X Window System
-#
-
-#
-# Domain for all non-local X clients
-#
-type remote_xclient_t, domain;
-in_user_role(remote_xclient_t)
diff --git a/mls/domains/program/NetworkManager.te b/mls/domains/program/NetworkManager.te
deleted file mode 100644
index 922b4f57..00000000
--- a/mls/domains/program/NetworkManager.te
+++ /dev/null
@@ -1,122 +0,0 @@
-#DESC NetworkManager
-
-#
-# Authors: Dan Walsh
-#
-#
-
-#################################
-#
-# Rules for the NetworkManager_t domain.
-#
-# NetworkManager_t is the domain for the NetworkManager daemon.
-# NetworkManager_exec_t is the type of the NetworkManager executable.
-#
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
-
-can_network(NetworkManager_t)
-allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
-allow NetworkManager_t dhcpc_t:process signal;
-
-can_ypbind(NetworkManager_t)
-uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
-
-allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-allow NetworkManager_t self:process { setcap getsched };
-allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
-allow NetworkManager_t self:file { getattr read };
-allow NetworkManager_t self:packet_socket create_socket_perms;
-allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-
-
-#
-# Communicate with Caching Name Server
-#
-ifdef(`named.te', `
-allow NetworkManager_t named_zone_t:dir search;
-rw_dir_create_file(NetworkManager_t, named_cache_t)
-domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
-allow named_t NetworkManager_t:udp_socket { read write };
-allow named_t NetworkManager_t:netlink_route_socket { read write };
-allow NetworkManager_t named_t:process signal;
-allow named_t NetworkManager_t:packet_socket { read write };
-')
-
-allow NetworkManager_t selinux_config_t:dir search;
-allow NetworkManager_t selinux_config_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, NetworkManager)
-allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow NetworkManager_t self:dbus send_msg;
-ifdef(`hald.te', `
-allow NetworkManager_t hald_t:dbus send_msg;
-allow hald_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t initrc_t:dbus send_msg;
-allow initrc_t NetworkManager_t:dbus send_msg;
-ifdef(`targeted_policy', `
-allow NetworkManager_t unconfined_t:dbus send_msg;
-allow unconfined_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t userdomain:dbus send_msg;
-allow userdomain NetworkManager_t:dbus send_msg;
-')
-
-allow NetworkManager_t usr_t:file { getattr read };
-
-ifdef(`ifconfig.te', `
-domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-allow NetworkManager_t { sbin_t bin_t }:dir search;
-allow NetworkManager_t bin_t:lnk_file read;
-can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
-
-# in /etc created by NetworkManager will be labelled net_conf_t.
-file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
-
-allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
-allow NetworkManager_t proc_t:file { getattr read };
-r_dir_file(NetworkManager_t, proc_net_t)
-
-allow NetworkManager_t { domain -unrestricted }:dir search;
-allow NetworkManager_t { domain -unrestricted }:file { getattr read };
-dontaudit NetworkManager_t unrestricted:dir search;
-dontaudit NetworkManager_t unrestricted:file { getattr read };
-
-allow NetworkManager_t howl_t:process signal;
-allow NetworkManager_t initrc_var_run_t:file { getattr read };
-
-ifdef(`modutil.te', `
-if (!secure_mode_insmod) {
-domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
-}
-')
-
-allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
-# allow vpnc connections
-allow NetworkManager_t self:rawip_socket create_socket_perms;
-allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
-
-domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
-domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`vpnc.te', `
-domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
-')
-
-ifdef(`dhcpc.te', `
-allow NetworkManager_t dhcp_state_t:dir search;
-allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
-')
-allow NetworkManager_t var_lib_t:dir search;
-dontaudit NetworkManager_t user_tty_type:chr_file { read write };
-dontaudit NetworkManager_t security_t:dir search;
-
-ifdef(`consoletype.te', `
-can_exec(NetworkManager_t, consoletype_exec_t)
-')
-
diff --git a/mls/domains/program/acct.te b/mls/domains/program/acct.te
deleted file mode 100644
index bbb4fdc9..00000000
--- a/mls/domains/program/acct.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Acct - BSD process accounting
-#
-# Author: Russell Coker
-# X-Debian-Packages: acct
-#
-
-#################################
-#
-# Rules for the acct_t domain.
-#
-# acct_exec_t is the type of the acct executable.
-#
-daemon_base_domain(acct)
-ifdef(`crond.te', `
-system_crond_entry(acct_exec_t, acct_t)
-
-# for monthly cron job
-file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
-')
-
-# for SSP
-allow acct_t urandom_device_t:chr_file read;
-
-type acct_data_t, file_type, logfile, sysadmfile;
-
-# not sure why we need this, the command "last" is reported as using it
-dontaudit acct_t self:capability kill;
-
-# gzip needs chown capability for some reason
-allow acct_t self:capability { chown fsetid sys_pacct };
-
-allow acct_t var_t:dir { getattr search };
-rw_dir_create_file(acct_t, acct_data_t)
-
-can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
-allow acct_t { bin_t sbin_t }:dir search;
-allow acct_t bin_t:lnk_file read;
-
-read_locale(acct_t)
-
-allow acct_t fs_t:filesystem getattr;
-
-allow acct_t self:unix_stream_socket create_socket_perms;
-
-allow acct_t self:fifo_file { read write getattr };
-
-allow acct_t { self proc_t }:file { read getattr };
-
-read_sysctl(acct_t)
-
-dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
-
-# for nscd
-dontaudit acct_t var_run_t:dir search;
-
-
-allow acct_t devtty_t:chr_file { read write };
-
-allow acct_t { etc_t etc_runtime_t }:file { read getattr };
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
-rw_dir_create_file(logrotate_t, acct_data_t)
-can_exec(logrotate_t, acct_data_t)
-')
-
diff --git a/mls/domains/program/alsa.te b/mls/domains/program/alsa.te
deleted file mode 100644
index ab804751..00000000
--- a/mls/domains/program/alsa.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC ainit - configuration tool for ALSA
-#
-# Author: Dan Walsh
-#
-#
-type alsa_t, domain, privlog, daemon;
-type alsa_exec_t, file_type, sysadmfile, exec_type;
-uses_shlib(alsa_t)
-allow alsa_t { unpriv_userdomain self }:sem create_sem_perms;
-allow alsa_t { unpriv_userdomain self }:shm create_shm_perms;
-allow alsa_t self:unix_stream_socket create_stream_socket_perms;
-allow alsa_t self:unix_dgram_socket create_socket_perms;
-allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
-allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
-
-type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
-rw_dir_create_file(alsa_t,alsa_etc_rw_t)
-allow alsa_t self:capability { setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
-allow alsa_t devpts_t:chr_file { read write };
-allow alsa_t etc_t:file { getattr read };
-domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
-role system_r types alsa_t;
-read_locale(alsa_t)
diff --git a/mls/domains/program/amanda.te b/mls/domains/program/amanda.te
deleted file mode 100644
index 4b63f5f4..00000000
--- a/mls/domains/program/amanda.te
+++ /dev/null
@@ -1,284 +0,0 @@
-#DESC Amanda - Automated backup program
-#
-# This policy file sets the rigths for amanda client started by inetd_t
-# and amrecover
-#
-# X-Debian-Packages: amanda-common amanda-server
-# Depends: inetd.te
-# Author : Carsten Grohmann
-#
-# License : GPL
-#
-# last change: 27. August 2002
-#
-# state : complete and tested
-#
-# Hints :
-# - amanda.fc is the appendant file context file
-# - If you use amrecover please extract the files and directories to the
-# directory speficified in amanda.fc as type amanda_recover_dir_t.
-# - The type amanda_user_exec_t is defined to label the files but not used.
-# This configuration works only as an client and a amanda client does not need
-# this programs.
-#
-# Enhancements/Corrections:
-# - set tighter permissions to /bin/tar instead bin_t
-
-##############################################################################
-# AMANDA CLIENT DECLARATIONS
-##############################################################################
-
-# General declarations
-######################
-
-type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
-role system_r types amanda_t;
-
-# type for the amanda executables
-type amanda_exec_t, file_type, sysadmfile, exec_type;
-
-# type for the amanda executables started by inetd
-type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
-
-# type for amanda configurations files
-type amanda_config_t, file_type, sysadmfile;
-
-# type for files in /usr/lib/amanda
-type amanda_usr_lib_t, file_type, sysadmfile;
-
-# type for all files in /var/lib/amanda
-type amanda_var_lib_t, file_type, sysadmfile;
-
-# type for all files in /var/lib/amanda/gnutar-lists/
-type amanda_gnutarlists_t, file_type, sysadmfile;
-
-# type for user startable files
-type amanda_user_exec_t, file_type, sysadmfile, exec_type;
-
-# type for same awk and other scripts
-type amanda_script_exec_t, file_type, sysadmfile, exec_type;
-
-# type for the shell configuration files
-type amanda_shellconfig_t, file_type, sysadmfile;
-
-tmp_domain(amanda)
-
-# type for /etc/amandates
-type amanda_amandates_t, file_type, sysadmfile;
-
-# type for /etc/dumpdates
-type amanda_dumpdates_t, file_type, sysadmfile;
-
-# type for amanda data
-type amanda_data_t, file_type, sysadmfile;
-
-# Domain transitions
-####################
-
-domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
-
-
-##################
-# File permissions
-##################
-
-# configuration files -> read only
-allow amanda_t amanda_config_t:file { getattr read };
-
-# access to amanda_amandates_t
-allow amanda_t amanda_amandates_t:file { getattr lock read write };
-
-# access to amanda_dumpdates_t
-allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-
-# access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file { read write };
-
-# access to proc_t
-allow amanda_t proc_t:file { getattr read };
-
-# access to etc_t and similar
-allow amanda_t etc_t:file { getattr read };
-allow amanda_t etc_runtime_t:file { getattr read };
-
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
-
-# access to device_t and similar
-allow amanda_t devtty_t:chr_file { read write };
-
-# access to fs_t
-allow amanda_t fs_t:filesystem getattr;
-
-# access to sysctl_kernel_t ( proc/sys/kernel/* )
-read_sysctl(amanda_t)
-
-#####################
-# process permissions
-#####################
-
-# Allow to use shared libs
-uses_shlib(amanda_t)
-
-# Allow to execute a amanda executable file
-allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };
-
-# Allow to run a shell
-allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
-
-# access to bin_t (tar)
-allow amanda_t bin_t:file { execute execute_no_trans };
-
-allow amanda_t self:capability { chown dac_override setuid };
-allow amanda_t self:process { fork sigchld setpgid signal };
-allow amanda_t self:dir search;
-allow amanda_t self:file { getattr read };
-
-
-###################################
-# Network and process communication
-###################################
-
-can_network_server(amanda_t);
-can_ypbind(amanda_t);
-can_exec(amanda_t, sbin_t);
-
-allow amanda_t self:fifo_file { getattr read write ioctl lock };
-allow amanda_t self:unix_stream_socket create_stream_socket_perms;
-allow amanda_t self:unix_dgram_socket create_socket_perms;
-
-
-##########################
-# Communication with inetd
-##########################
-
-allow amanda_t inetd_t:udp_socket { read write };
-
-
-###################
-# inetd permissions
-###################
-
-allow inetd_t amanda_usr_lib_t:dir search;
-
-
-########################
-# Access to to save data
-########################
-
-# access to user_home_t
-allow amanda_t user_home_type:file { getattr read };
-
-##############################################################################
-# AMANDA RECOVER DECLARATIONS
-##############################################################################
-
-
-# General declarations
-######################
-
-# type for amrecover
-type amanda_recover_t, domain;
-role sysadm_r types amanda_recover_t;
-role system_r types amanda_recover_t;
-
-# exec types for amrecover
-type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
-
-# type for recover files ( restored data )
-type amanda_recover_dir_t, file_type, sysadmfile;
-file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
-
-# domain transsition
-domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
-
-# file type auto trans to write debug messages
-file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
-
-
-# amanda recover process permissions
-####################################
-
-uses_shlib(amanda_recover_t)
-allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
-can_exec(amanda_recover_t, shell_exec_t)
-allow amanda_recover_t privfd:fd use;
-
-
-# amrecover network and process communication
-#############################################
-
-can_network(amanda_recover_t);
-allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
-can_ypbind(amanda_recover_t);
-read_locale(amanda_recover_t);
-
-allow amanda_recover_t self:fifo_file { getattr ioctl read write };
-allow amanda_recover_t self:unix_stream_socket { connect create read write };
-allow amanda_recover_t var_log_t:dir search;
-rw_dir_create_file(amanda_recover_t, amanda_log_t)
-
-# amrecover file permissions
-############################
-
-# access to etc_t and similar
-allow amanda_recover_t etc_t:dir search;
-allow amanda_recover_t etc_t:file { getattr read };
-allow amanda_recover_t etc_runtime_t:file { getattr read };
-
-# access to amanda_recover_dir_t
-allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
-allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
-
-# access to var_t and var_run_t
-allow amanda_recover_t var_t:dir search;
-allow amanda_recover_t var_run_t:dir search;
-
-# access to proc_t
-allow amanda_recover_t proc_t:dir search;
-allow amanda_recover_t proc_t:file { getattr read };
-
-# access to sysctl_kernel_t
-read_sysctl(amanda_recover_t)
-
-# access to dev_t and similar
-allow amanda_recover_t device_t:dir search;
-allow amanda_recover_t devtty_t:chr_file { read write };
-allow amanda_recover_t null_device_t:chr_file { getattr write };
-
-# access to bin_t
-allow amanda_recover_t bin_t:file { execute execute_no_trans };
-
-# access to sysadm_home_t and sysadm_home_dir_t to start amrecover
-# in the sysadm home directory
-allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
-
-# access to use sysadm_tty_device_t (/dev/tty?)
-allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
-
-# access to amanda_tmp_t and tmp_t
-allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
-allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
-allow amanda_recover_t tmp_t:dir search;
-
-#
-# Rules to allow amanda to be run as a service in xinetd
-#
-allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
-
-#amanda needs to look at fs_type directories to decide whether it should backup
-allow amanda_t { fs_type file_type }:dir {getattr read search };
-allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
-allow amanda_t device_type:{ blk_file chr_file } getattr;
-allow amanda_t fixed_disk_device_t:blk_file read;
-domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
-
-allow amanda_t file_type:sock_file getattr;
-logdir_domain(amanda)
-
-dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t unlabeled_t:file getattr;
-#amanda wants to check attributes on fifo_files
-allow amanda_t file_type:fifo_file getattr;
diff --git a/mls/domains/program/anaconda.te b/mls/domains/program/anaconda.te
deleted file mode 100644
index 175947d2..00000000
--- a/mls/domains/program/anaconda.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Anaconda - Red Hat Installation program
-#
-# Authors: Dan Walsh
-#
-#
-
-#################################
-#
-# Rules for the anaconda_t domain.
-#
-# anaconda_t is the domain of the installation program
-#
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
-role system_r types anaconda_t;
-unconfined_domain(anaconda_t)
-
-role system_r types ldconfig_t;
-domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
-
-# Run other rc scripts in the anaconda_t domain.
-domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
-
-ifdef(`dmesg.te', `
-domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
-')
-
-ifdef(`distro_redhat', `
-file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
-')
-
-ifdef(`rpm.te', `
-# Access /var/lib/rpm.
-domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
-')
-
-file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
-
-ifdef(`udev.te', `
-domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
-')
-
-ifdef(`ssh-agent.te', `
-role system_r types sysadm_ssh_agent_t;
-domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-ifdef(`passwd.te', `
-domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
-')
diff --git a/mls/domains/program/apache.te b/mls/domains/program/apache.te
deleted file mode 100644
index 1b9cab63..00000000
--- a/mls/domains/program/apache.te
+++ /dev/null
@@ -1,415 +0,0 @@
-#DESC Apache - Web server
-#
-# X-Debian-Packages: apache2-common apache
-#
-###############################################################################
-#
-# Policy file for running the Apache web server
-#
-# NOTES:
-# This policy will work with SUEXEC enabled as part of the Apache
-# configuration. However, the user CGI scripts will run under the
-# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
-# of the creating user.
-#
-# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
-# type, and the directory containing the scripts should also be labeled
-# with these types. This policy allows user_r role to perform that
-# relabeling. If it is desired that only sysadm_r should be able to relabel
-# the user CGI scripts, then relabel rule for user_r should be removed.
-#
-###############################################################################
-
-define(`httpd_home_dirs', `
-r_dir_file(httpd_t, $1)
-r_dir_file(httpd_suexec_t, $1)
-can_exec(httpd_suexec_t, $1)
-')
-
-bool httpd_unified false;
-
-# Allow httpd to use built in scripting (usually php)
-bool httpd_builtin_scripting false;
-
-# Allow httpd cgi support
-bool httpd_enable_cgi false;
-
-# Allow httpd to read home directories
-bool httpd_enable_homedirs false;
-
-# Run SSI execs in system CGI script domain.
-bool httpd_ssi_exec false;
-
-# Allow http daemon to communicate with the TTY
-bool httpd_tty_comm false;
-
-# Allow http daemon to tcp connect
-bool httpd_can_network_connect false;
-
-#########################################################
-# Apache types
-#########################################################
-# httpd_config_t is the type given to the configuration
-# files for apache /etc/httpd/conf
-#
-type httpd_config_t, file_type, sysadmfile;
-
-# httpd_modules_t is the type given to module files (libraries)
-# that come with Apache /etc/httpd/modules and /usr/lib/apache
-#
-type httpd_modules_t, file_type, sysadmfile;
-
-# httpd_cache_t is the type given to the /var/cache/httpd
-# directory and the files under that directory
-#
-type httpd_cache_t, file_type, sysadmfile;
-
-# httpd_exec_t is the type give to the httpd executable.
-#
-daemon_domain(httpd, `, privmail, nscd_client_domain')
-
-append_logdir_domain(httpd)
-#can read /etc/httpd/logs
-allow httpd_t httpd_log_t:lnk_file read;
-
-# For /etc/init.d/apache2 reload
-can_tcp_connect(httpd_t, httpd_t)
-
-can_tcp_connect(web_client_domain, httpd_t)
-
-can_exec(httpd_t, httpd_exec_t)
-file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
-
-general_domain_access(httpd_t)
-
-allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
-
-read_sysctl(httpd_t)
-
-allow httpd_t crypt_device_t:chr_file rw_file_perms;
-
-# for modules that want to access /etc/mtab and /proc/meminfo
-allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-
-uses_shlib(httpd_t)
-allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_t usr_t:lnk_file { getattr read };
-
-# for apache2 memory mapped files
-var_lib_domain(httpd)
-
-# for tomcat
-r_dir_file(httpd_t, var_lib_t)
-
-# execute perl
-allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(httpd_t, { bin_t sbin_t })
-allow httpd_t bin_t:lnk_file read;
-
-########################################
-# Set up networking
-########################################
-
-can_network_server(httpd_t)
-can_kerberos(httpd_t)
-can_resolve(httpd_t)
-nsswitch_domain(httpd_t)
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-# allow httpd to connect to mysql/posgresql
-allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
-# allow httpd to work as a relay
-allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-if (httpd_can_network_connect) {
-can_network_client(httpd_t)
-allow httpd_t port_type:tcp_socket name_connect;
-}
-
-##########################################
-# Legacy: remove when it's fixed #
-# Allow libphp5.so with text relocations #
-##########################################
-allow httpd_t texrel_shlib_t:file execmod;
-
-#########################################
-# Allow httpd to search users directories
-#########################################
-allow httpd_t home_root_t:dir { getattr search };
-dontaudit httpd_t sysadm_home_dir_t:dir getattr;
-
-############################################################################
-# Allow the httpd_t the capability to bind to a port and various other stuff
-############################################################################
-allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
-
-#################################################
-# Allow the httpd_t to read the web servers config files
-###################################################
-r_dir_file(httpd_t, httpd_config_t)
-# allow logrotate to read the config files for restart
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, httpd_config_t)
-domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
-allow logrotate_t httpd_t:process signull;
-')
-r_dir_file(initrc_t, httpd_config_t)
-##################################################
-
-###############################
-# Allow httpd_t to put files in /var/cache/httpd etc
-##############################
-create_dir_file(httpd_t, httpd_cache_t)
-
-###############################
-# Allow httpd_t to access the tmpfs file system
-##############################
-tmpfs_domain(httpd)
-
-#####################
-# Allow httpd_t to access
-# libraries for its modules
-###############################
-allow httpd_t httpd_modules_t:file rx_file_perms;
-allow httpd_t httpd_modules_t:dir r_dir_perms;
-allow httpd_t httpd_modules_t:lnk_file r_file_perms;
-
-######################################################################
-# Allow initrc_t to access the Apache modules directory.
-######################################################################
-allow initrc_t httpd_modules_t:dir r_dir_perms;
-
-##############################################
-# Allow httpd_t to have access to files
-# such as nisswitch.conf
-# need ioctl for php
-###############################################
-allow httpd_t etc_t:file { read getattr ioctl };
-allow httpd_t etc_t:lnk_file { getattr read };
-
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-# Run SSI execs in system CGI script domain.
-if (httpd_ssi_exec) {
-domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
-}
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-##################################################
-#
-# PHP Directives
-##################################################
-
-type httpd_php_exec_t, file_type, sysadmfile, exec_type;
-type httpd_php_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
-
-# The system role is authorized for this domain.
-role system_r types httpd_php_t;
-
-general_domain_access(httpd_php_t)
-uses_shlib(httpd_php_t)
-can_exec(httpd_php_t, lib_t)
-
-# allow php to read and append to apache logfiles
-allow httpd_php_t httpd_log_t:file ra_file_perms;
-
-# access to /tmp
-tmp_domain(httpd)
-tmp_domain(httpd_php)
-
-# Creation of lock files for apache2
-lock_domain(httpd)
-
-# Allow apache to used public_content_t
-anonymous_domain(httpd)
-
-# connect to mysql
-ifdef(`mysqld.te', `
-can_unix_connect(httpd_php_t, mysqld_t)
-can_unix_connect(httpd_t, mysqld_t)
-can_unix_connect(httpd_sys_script_t, mysqld_t)
-allow httpd_php_t mysqld_var_run_t:dir search;
-allow httpd_php_t mysqld_var_run_t:sock_file write;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
-allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
-')
-allow httpd_t bin_t:dir search;
-allow httpd_t sbin_t:dir search;
-allow httpd_t httpd_log_t:dir remove_name;
-
-read_fonts(httpd_t)
-
-allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-
-allow httpd_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs && httpd_enable_homedirs) {
-httpd_home_dirs(nfs_t)
-}
-if (use_samba_home_dirs && httpd_enable_homedirs) {
-httpd_home_dirs(cifs_t)
-}
-
-#
-# Allow users to mount additional directories as http_source
-#
-allow httpd_t mnt_t:dir r_dir_perms;
-
-ifdef(`targeted_policy', `
-domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
-typealias httpd_sys_content_t alias httpd_user_content_t;
-typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
-}
-') dnl targeted policy
-
-# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-
-ifdef(`distro_redhat', ` -# -# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat -# This is a bug but it still exists in FC2 -# -typealias httpd_log_t alias httpd_runtime_t; -allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append }; -dontaudit httpd_t httpd_runtime_t:file ioctl; -') dnl distro_redhat -# -# Customer reported the following -# -ifdef(`snmpd.te', ` -dontaudit httpd_t snmpd_var_lib_t:dir search; -dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; -', ` -dontaudit httpd_t usr_t:dir write; -') - -application_domain(httpd_helper) -role system_r types httpd_helper_t; -domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) -allow httpd_helper_t httpd_config_t:file { getattr read }; -allow httpd_helper_t httpd_log_t:file { append }; - -######################################## -# When the admin starts the server, the server wants to access -# the TTY or PTY associated with the session. The httpd appears -# to run correctly without this permission, so the permission -# are dontaudited here. -################################################## - -if (httpd_tty_comm) { -allow { httpd_t httpd_helper_t } devpts_t:dir search; -ifdef(`targeted_policy', ` -allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms; -') -allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms; -} else { -dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; -} - -read_sysctl(httpd_sys_script_t) -allow httpd_sys_script_t var_lib_t:dir search; -dontaudit httpd_t selinux_config_t:dir search; -r_dir_file(httpd_t, cert_t) - -# -# unconfined domain for apache scripts. 
Only to be used as a last resort
-#
-type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
-type httpd_unconfined_script_t, domain, nscd_client_domain;
-role system_r types httpd_unconfined_script_t;
-unconfined_domain(httpd_unconfined_script_t)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
-allow httpd_t httpd_suexec_exec_t:file { getattr read };
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
-allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-if (httpd_can_network_connect) {
-can_network(httpd_suexec_t)
-allow httpd_suexec_t port_type:tcp_socket name_connect;
-}
-
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-allow httpd_suexec_t autofs_t:dir { search getattr };
-tmp_domain(httpd_suexec)
-
-if (httpd_enable_cgi && httpd_unified) {
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-')
-}
-if (httpd_enable_cgi && httpd_unified && 
httpd_builtin_scripting) {
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-}
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
-}
-
-#
-# Types for squirrelmail
-#
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
-bool httpd_enable_ftp_server false;
-if (httpd_enable_ftp_server) {
-allow httpd_t ftp_port_t:tcp_socket name_bind;
-}
-
diff --git a/mls/domains/program/apmd.te b/mls/domains/program/apmd.te
deleted file mode 100644
index 82b4a4da..00000000
--- a/mls/domains/program/apmd.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#DESC Apmd - Automatic Power Management daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: apmd
-#
-
-#################################
-#
-# Rules for the apmd_t domain.
-#
-daemon_domain(apmd, `, privmodule, privmail, nscd_client_domain')
-
-# for SSP
-allow apmd_t urandom_device_t:chr_file read;
-
-type apm_t, domain, privlog;
-type apm_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
-')
-uses_shlib(apm_t)
-allow apm_t privfd:fd use;
-allow apm_t admin_tty_type:chr_file rw_file_perms;
-allow apm_t device_t:dir search;
-allow apm_t self:capability { dac_override sys_admin };
-allow apm_t proc_t:dir search;
-allow apm_t proc_t:file r_file_perms;
-allow apm_t fs_t:filesystem getattr;
-allow apm_t apm_bios_t:chr_file rw_file_perms;
-role sysadm_r types apm_t;
-role system_r types apm_t;
-
-allow apmd_t device_t:lnk_file read;
-allow apmd_t proc_t:file { getattr read write };
-can_sysctl(apmd_t)
-allow apmd_t sysfs_t:file write;
-
-allow apmd_t self:unix_dgram_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-allow apmd_t self:fifo_file rw_file_perms;
-allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
-allow apmd_t etc_t:lnk_file read;
-
-# acpid wants a socket
-file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
-
-# acpid also has a logfile
-log_domain(apmd)
-tmp_domain(apmd)
-
-ifdef(`distro_suse', `
-var_lib_domain(apmd)
-')
-
-allow apmd_t self:file { getattr read ioctl };
-allow apmd_t self:process getsession;
-
-# Use capabilities.
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
-
-# controlling an orderly resume of PCMCIA requires creating device
-# nodes 254,{0,1,2} for some reason.
-allow apmd_t self:capability mknod;
-
-# Access /dev/apm_bios.
-allow apmd_t apm_bios_t:chr_file rw_file_perms;
-
-# Run helper programs. 
-can_exec_any(apmd_t)
-
-# apmd calls hwclock.sh on suspend and resume
-allow apmd_t clock_device_t:chr_file r_file_perms;
-ifdef(`hwclock.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-allow apmd_t adjtime_t:file rw_file_perms;
-allow hwclock_t apmd_log_t:file append;
-allow hwclock_t apmd_t:unix_stream_socket { read write };
-')
-
-
-# to quiet fuser and ps
-# setuid for fuser, dac* for ps
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
-dontaudit apmd_t domain:socket_class_set getattr;
-dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
-dontaudit apmd_t device_type:devfile_class_set getattr;
-dontaudit apmd_t home_type:dir { search getattr };
-dontaudit apmd_t domain:key_socket getattr;
-dontaudit apmd_t domain:dir search;
-
-ifdef(`distro_redhat', `
-can_exec(apmd_t, apmd_var_run_t)
-# for /var/lock/subsys/network
-lock_domain(apmd)
-
-# ifconfig_exec_t needs to be run in its own domain for Red Hat
-ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
-ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
-ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
-', `
-# for ifconfig which is run all the time
-dontaudit apmd_t sysctl_t:dir search;
-')
-
-ifdef(`udev.te', `
-allow apmd_t udev_t:file { getattr read };
-allow apmd_t udev_t:lnk_file { getattr read };
-')
-#
-# apmd tells the machine to shutdown requires the following
-#
-allow apmd_t initctl_t:fifo_file write;
-allow apmd_t initrc_var_run_t:file { read write lock };
-
-#
-# Allow it to run killof5 and pidof
-#
-typeattribute apmd_t unrestricted;
-r_dir_file(apmd_t, domain)
-
-# Same for apm/acpid scripts
-domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
-ifdef(`consoletype.te', `
-allow consoletype_t apmd_t:fd use;
-allow consoletype_t apmd_t:fifo_file write;
-')
-ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
-ifdef(`crond.te', `
-domain_auto_trans(apmd_t, 
anacron_exec_t, system_crond_t)
-allow apmd_t crond_t:fifo_file { getattr read write ioctl };
-')
-
-# for a find /dev operation that gets /dev/shm
-dontaudit apmd_t tmpfs_t:dir r_dir_perms;
-dontaudit apmd_t selinux_config_t:dir search;
-allow apmd_t user_tty_type:chr_file rw_file_perms;
-# Access /dev/apm_bios.
-allow initrc_t apm_bios_t:chr_file { setattr getattr read };
-
-ifdef(`logrotate.te', `
-allow apmd_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow apmd_t devpts_t:dir { getattr search };
-allow apmd_t security_t:dir search;
-allow apmd_t usr_t:dir search;
-r_dir_file(apmd_t, hwdata_t)
-ifdef(`targeted_policy', `
-unconfined_domain(apmd_t)
-')
-
-ifdef(`NetworkManager.te', `
-ifdef(`dbusd.te', `
-allow apmd_t NetworkManager_t:dbus send_msg;
-allow NetworkManager_t apmd_t:dbus send_msg;
-')
-')
diff --git a/mls/domains/program/arpwatch.te b/mls/domains/program/arpwatch.te
deleted file mode 100644
index 3065800c..00000000
--- a/mls/domains/program/arpwatch.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC arpwatch - keep track of ethernet/ip address pairings
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the arpwatch_t domain.
-#
-# arpwatch_exec_t is the type of the arpwatch executable.
-#
-daemon_domain(arpwatch, `, privmail')
-
-# for files created by arpwatch
-type arpwatch_data_t, file_type, sysadmfile;
-create_dir_file(arpwatch_t,arpwatch_data_t)
-tmp_domain(arpwatch)
-
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-
-can_network_server(arpwatch_t)
-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
-allow arpwatch_t self:udp_socket create_socket_perms;
-allow arpwatch_t self:unix_dgram_socket create_socket_perms;
-allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
-
-allow arpwatch_t { sbin_t var_lib_t }:dir search;
-allow arpwatch_t sbin_t:lnk_file read;
-r_dir_file(arpwatch_t, etc_t)
-r_dir_file(arpwatch_t, usr_t)
-can_ypbind(arpwatch_t)
-
-ifdef(`qmail.te', `
-allow arpwatch_t bin_t:dir search;
-')
-
-ifdef(`distro_gentoo', `
-allow initrc_t arpwatch_data_t:dir { add_name write };
-allow initrc_t arpwatch_data_t:file create;
-')dnl end distro_gentoo
-
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
diff --git a/mls/domains/program/auditd.te b/mls/domains/program/auditd.te
deleted file mode 100644
index 69b105a8..00000000
--- a/mls/domains/program/auditd.te
+++ /dev/null
@@ -1,76 +0,0 @@
-#DESC auditd - System auditing daemon
-#
-# Authors: Colin Walters
-#
-# Some fixes by Paul Moore
-#
-define(`audit_manager_domain', `
-allow $1 auditd_etc_t:file rw_file_perms;
-create_dir_file($1, auditd_log_t)
-domain_auto_trans($1, auditctl_exec_t, auditctl_t)
-')
-
-daemon_domain(auditd)
-
-ifdef(`mls_policy', `
-# run at the highest MLS level
-typeattribute auditd_t mlsrangetrans;
-range_transition initrc_t auditd_exec_t s15:c0.c255;
-')
-
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
-allow auditd_t self:process setsched;
-allow auditd_t self:file { getattr read write };
-allow auditd_t etc_t:file { getattr read };
-
-# Do not use logdir_domain since this is a security file
-type auditd_log_t, file_type, secure_file_type;
-allow auditd_t var_log_t:dir search;
-rw_dir_create_file(auditd_t, auditd_log_t)
-
-can_exec(auditd_t, init_exec_t)
-allow auditd_t initctl_t:fifo_file write;
-
-ifdef(`targeted_policy', `
-dontaudit auditd_t unconfined_t:fifo_file read;
-')
-
-type auditctl_t, domain, privlog;
-type auditctl_exec_t, file_type, exec_type, sysadmfile;
-uses_shlib(auditctl_t)
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t etc_t:file { getattr read };
-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
-
-type auditd_etc_t, file_type, secure_file_type;
-allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
-allow initrc_t auditd_etc_t:file r_file_perms;
-
-role secadm_r types auditctl_t;
-role sysadm_r types auditctl_t;
-audit_manager_domain(secadm_t)
-
-ifdef(`targeted_policy', `', `
-ifdef(`separate_secadm', `', `
-audit_manager_domain(sysadm_t)
-')
-')
-
-role system_r types auditctl_t; 
-domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
-
-dontaudit auditctl_t local_login_t:fd use;
-allow auditctl_t proc_t:dir search;
-allow auditctl_t sysctl_kernel_t:dir search;
-allow auditctl_t sysctl_kernel_t:file { getattr read };
-dontaudit auditctl_t init_t:fd use;
-allow auditctl_t initrc_devpts_t:chr_file { read write };
-allow auditctl_t privfd:fd use;
-
-
-allow auditd_t sbin_t:dir search;
-can_exec(auditd_t, sbin_t)
-allow auditd_t self:fifo_file rw_file_perms;
diff --git a/mls/domains/program/automount.te b/mls/domains/program/automount.te
deleted file mode 100644
index d1bb20ea..00000000
--- a/mls/domains/program/automount.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC Automount - Automount daemon
-#
-# Authors: Stephen Smalley
-# Modified by Russell Coker
-# X-Debian-Packages: amd am-utils autofs
-#
-
-#################################
-#
-# Rules for the automount_t domain.
-#
-daemon_domain(automount)
-
-etc_domain(automount)
-
-# for SSP
-allow automount_t urandom_device_t:chr_file read;
-
-# for if the mount point is not labelled
-allow automount_t file_t:dir getattr;
-allow automount_t default_t:dir getattr;
-
-allow automount_t autofs_t:dir { create_dir_perms ioctl };
-allow automount_t fs_type:dir getattr;
-
-allow automount_t { etc_t etc_runtime_t }:file { getattr read };
-allow automount_t proc_t:file { getattr read };
-allow automount_t self:process { getpgid setpgid setsched };
-allow automount_t self:capability { sys_nice dac_override };
-allow automount_t self:unix_stream_socket create_socket_perms;
-allow automount_t self:unix_dgram_socket create_socket_perms;
-
-# because config files can be shell scripts
-can_exec(automount_t, { etc_t automount_etc_t })
-
-can_network_server(automount_t)
-can_resolve(automount_t)
-can_ypbind(automount_t)
-can_ldap(automount_t)
-
-ifdef(`fsadm.te', `
-domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
-')
-
-lock_domain(automount)
-
-tmp_domain(automount)
-allow automount_t self:fifo_file rw_file_perms;
-
-# Run mount in the mount_t domain. 
-domain_auto_trans(automount_t, mount_exec_t, mount_t)
-allow mount_t autofs_t:dir { search mounton read };
-allow mount_t automount_tmp_t:dir mounton;
-
-ifdef(`apmd.te',
-`domain_auto_trans(apmd_t, automount_exec_t, automount_t)
-can_exec(automount_t, bin_t)')
-
-allow automount_t { bin_t sbin_t }:dir search;
-can_exec(automount_t, mount_exec_t)
-can_exec(automount_t, shell_exec_t)
-
-allow mount_t autofs_t:dir getattr;
-dontaudit automount_t var_t:dir write;
-
-allow userdomain autofs_t:dir r_dir_perms;
-allow kernel_t autofs_t:dir { getattr ioctl read search };
-
-allow automount_t { boot_t home_root_t }:dir getattr;
-allow automount_t mnt_t:dir { getattr search };
-
-can_exec(initrc_t, automount_etc_t)
-
-# Allow automount to create and delete directories in / and /home
-file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
-
-allow automount_t var_lib_t:dir search;
-allow automount_t var_lib_nfs_t:dir search;
-
diff --git a/mls/domains/program/avahi.te b/mls/domains/program/avahi.te
deleted file mode 100644
index 861559d3..00000000
--- a/mls/domains/program/avahi.te
+++ /dev/null
@@ -1,31 +0,0 @@
-#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
-#
-# Author: Dan Walsh
-#
-
-daemon_domain(avahi, `, privsysmod')
-r_dir_file(avahi_t, proc_net_t)
-can_network_server(avahi_t)
-can_ypbind(avahi_t)
-allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow avahi_t self:unix_dgram_socket create_socket_perms;
-allow avahi_t self:capability { dac_override setgid chown kill setuid };
-allow avahi_t urandom_device_t:chr_file r_file_perms;
-allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-allow avahi_t self:fifo_file { read write };
-allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
-allow avahi_t self:process setrlimit;
-allow avahi_t etc_t:file { getattr read };
-allow avahi_t initrc_t:process { signal signull };
-allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow avahi_t avahi_var_run_t:dir setattr;
-allow avahi_t avahi_var_run_t:sock_file create_file_perms;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, avahi)
-ifdef(`targeted_policy', `
-allow avahi_t unconfined_t:dbus send_msg;
-allow unconfined_t avahi_t:dbus send_msg;
-')
-')
-
diff --git a/mls/domains/program/bluetooth.te b/mls/domains/program/bluetooth.te
deleted file mode 100644
index c6c5631b..00000000
--- a/mls/domains/program/bluetooth.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Bluetooth
-#
-# Authors: Dan Walsh
-# RH-Packages: Bluetooth
-#
-
-#################################
-#
-# Rules for the bluetooth_t domain.
-#
-daemon_domain(bluetooth)
-
-file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
-file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
-
-tmp_domain(bluetooth)
-var_lib_domain(bluetooth)
-
-# Use capabilities.
-allow bluetooth_t self:file read;
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
-allow bluetooth_t self:process getsched;
-allow bluetooth_t proc_t:file { getattr read };
-
-allow bluetooth_t self:shm create_shm_perms;
-
-lock_domain(bluetooth)
-
-# Use the network.
-can_network(bluetooth_t)
-can_ypbind(bluetooth_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, bluetooth)
-allow bluetooth_t system_dbusd_t:dbus send_msg;
-')
-allow bluetooth_t self:socket create_stream_socket_perms;
-
-allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
-
-dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
-
-# bluetooth_conf_t is the type of the /etc/bluetooth dir. 
-type bluetooth_conf_t, file_type, sysadmfile;
-type bluetooth_conf_rw_t, file_type, sysadmfile;
-
-# Read /etc/bluetooth
-allow bluetooth_t bluetooth_conf_t:dir search;
-allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
-#/usr/sbin/hid2hci causes the following
-allow initrc_t usbfs_t:file { getattr read };
-allow bluetooth_t usbfs_t:dir r_dir_perms;
-allow bluetooth_t usbfs_t:file rw_file_perms;
-allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, { bin_t shell_exec_t })
-allow bluetooth_t bin_t:lnk_file read;
-
-#Handle bluetooth serial devices
-allow bluetooth_t tty_device_t:chr_file rw_file_perms;
-allow bluetooth_t self:fifo_file rw_file_perms;
-allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(bluetooth_t, fonts_t)
-allow bluetooth_t urandom_device_t:chr_file r_file_perms;
-allow bluetooth_t usr_t:file { getattr read };
-
-application_domain(bluetooth_helper, `, nscd_client_domain')
-domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
-role system_r types bluetooth_helper_t;
-read_locale(bluetooth_helper_t)
-typeattribute bluetooth_helper_t unrestricted;
-r_dir_file(bluetooth_helper_t, domain)
-allow bluetooth_helper_t bin_t:dir { getattr search };
-can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
-allow bluetooth_helper_t bin_t:lnk_file read;
-allow bluetooth_helper_t self:capability sys_nice;
-allow bluetooth_helper_t self:fifo_file rw_file_perms;
-allow bluetooth_helper_t self:process { fork getsched sigchld };
-allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(bluetooth_helper_t, fonts_t)
-r_dir_file(bluetooth_helper_t, proc_t)
-read_sysctl(bluetooth_helper_t)
-allow bluetooth_helper_t tmp_t:dir search;
-allow bluetooth_helper_t usr_t:file { getattr read };
-allow bluetooth_helper_t home_dir_type:dir search; 
-ifdef(`xserver.te', `
-allow bluetooth_helper_t xserver_log_t:dir search;
-allow bluetooth_helper_t xserver_log_t:file { getattr read };
-')
-ifdef(`targeted_policy', `
-allow bluetooth_helper_t tmp_t:sock_file { read write };
-allow bluetooth_helper_t tmpfs_t:file { read write };
-allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
-allow bluetooth_t unconfined_t:dbus send_msg;
-allow unconfined_t bluetooth_t:dbus send_msg;
-', `
-ifdef(`xdm.te', `
-allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
-')
-allow bluetooth_t unpriv_userdomain:dbus send_msg;
-allow unpriv_userdomain bluetooth_t:dbus send_msg;
-')
-allow bluetooth_helper_t bluetooth_t:socket { read write };
-allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_helper_t self:unix_stream_socket connectto;
-tmp_domain(bluetooth_helper)
-allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;
-
-dontaudit bluetooth_helper_t default_t:dir { read search };
-dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
-dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;
-ifdef(`xserver.te', `
-allow bluetooth_helper_t xserver_log_t:dir search;
-allow bluetooth_helper_t xserver_log_t:file { getattr read };
-')
diff --git a/mls/domains/program/bonobo.te b/mls/domains/program/bonobo.te
deleted file mode 100644
index c23f1d2f..00000000
--- a/mls/domains/program/bonobo.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - Bonobo Activation Server
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executable
-type bonobo_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/bonobo_macros.te
diff --git a/mls/domains/program/bootloader.te b/mls/domains/program/bootloader.te
deleted file mode 100644
index 37e1c19e..00000000
--- a/mls/domains/program/bootloader.te
+++ /dev/null
@@ -1,167 +0,0 @@
-#DESC Bootloader - Lilo boot loader/manager
-#
-# Author: Russell Coker
-# X-Debian-Packages: lilo
-#
-
-#################################
-#
-# Rules for the bootloader_t domain.
-#
-# bootloader_exec_t is the type of the bootloader executable.
-#
-type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
-type bootloader_exec_t, file_type, sysadmfile, exec_type;
-etc_domain(bootloader)
-
-role sysadm_r types bootloader_t;
-role system_r types bootloader_t;
-
-allow bootloader_t var_t:dir search;
-create_append_log_file(bootloader_t, var_log_t)
-allow bootloader_t var_log_t:file write;
-
-# for nscd
-dontaudit bootloader_t var_run_t:dir search;
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
-')
-allow bootloader_t { initrc_t privfd }:fd use;
-
-tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
-
-read_locale(bootloader_t)
-
-# for tune2fs
-file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)
-
-# for /vmlinuz sym link
-allow bootloader_t root_t:lnk_file read;
-
-# lilo would need read access to get BIOS data
-allow bootloader_t proc_kcore_t:file getattr;
-
-allow bootloader_t { etc_t device_t }:dir r_dir_perms;
-allow bootloader_t etc_t:file r_file_perms;
-allow bootloader_t etc_t:lnk_file read;
-allow bootloader_t initctl_t:fifo_file getattr;
-uses_shlib(bootloader_t)
-
-ifdef(`distro_debian', `
-allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
-allow bootloader_t boot_t:file relabelfrom;
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
-allow bootloader_t usr_t:lnk_file read;
-allow bootloader_t tmpfs_t:dir r_dir_perms;
-allow bootloader_t 
initrc_var_run_t:dir r_dir_perms;
-allow bootloader_t var_lib_t:dir search;
-allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
-allow bootloader_t dpkg_var_lib_t:file { getattr read };
-# for /usr/share/initrd-tools/scripts
-can_exec(bootloader_t, usr_t)
-')
-
-allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
-dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
-allow bootloader_t device_t:lnk_file { getattr read };
-
-# LVM2 / Device Mapper's /dev/mapper/control
-# maybe we should change the labeling for this
-ifdef(`lvm.te', `
-allow bootloader_t lvm_control_t:chr_file rw_file_perms;
-domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
-allow lvm_t bootloader_tmp_t:file rw_file_perms;
-r_dir_file(bootloader_t, lvm_etc_t)
-')
-
-# uncomment the following line if you use "lilo -p"
-#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
-
-can_exec_any(bootloader_t)
-allow bootloader_t shell_exec_t:lnk_file read;
-allow bootloader_t { bin_t sbin_t }:dir search;
-allow bootloader_t { bin_t sbin_t }:lnk_file read;
-
-allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
-allow bootloader_t modules_object_t:dir r_dir_perms;
-ifdef(`distro_redhat', `
-allow bootloader_t modules_object_t:lnk_file { getattr read };
-')
-
-# for ldd
-ifdef(`fsadm.te', `
-allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
-')
-ifdef(`modutil.te', `
-allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
-')
-
-dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-
-allow bootloader_t boot_t:dir { create rw_dir_perms };
-allow bootloader_t boot_t:file create_file_perms;
-allow bootloader_t boot_t:lnk_file create_lnk_perms;
-
-allow bootloader_t load_policy_exec_t:file { getattr read };
-
-allow bootloader_t random_device_t:chr_file { getattr read };
-
-ifdef(`distro_redhat', `
-# for mke2fs
-domain_auto_trans(bootloader_t, 
mount_exec_t, mount_t);
-allow mount_t bootloader_tmp_t:dir mounton;
-
-# new file system defaults to file_t, granting file_t access is still bad.
-allow bootloader_t file_t:dir create_dir_perms;
-allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
-allow bootloader_t file_t:lnk_file create_lnk_perms;
-allow bootloader_t self:unix_stream_socket create_socket_perms;
-allow bootloader_t boot_runtime_t:file { read getattr unlink };
-
-# for memlock
-allow bootloader_t zero_device_t:chr_file { getattr read };
-allow bootloader_t self:capability ipc_lock;
-')
-
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-# allow bootloader to get attributes of any device node
-allow bootloader_t { device_type ttyfile }:chr_file getattr;
-allow bootloader_t device_type:blk_file getattr;
-dontaudit bootloader_t devpts_t:dir create_dir_perms;
-
-allow bootloader_t self:process { fork signal_perms };
-allow bootloader_t self:lnk_file read;
-allow bootloader_t self:dir search;
-allow bootloader_t self:file { getattr read };
-allow bootloader_t self:fifo_file rw_file_perms;
-
-allow bootloader_t fs_t:filesystem getattr;
-
-allow bootloader_t proc_t:dir { getattr search };
-allow bootloader_t proc_t:file r_file_perms;
-allow bootloader_t proc_t:lnk_file { getattr read };
-allow bootloader_t proc_mdstat_t:file r_file_perms;
-allow bootloader_t self:dir { getattr search read };
-read_sysctl(bootloader_t)
-allow bootloader_t etc_runtime_t:file r_file_perms;
-
-allow bootloader_t devtty_t:chr_file rw_file_perms;
-allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow bootloader_t initrc_t:fifo_file { read write };
-
-# for reading BIOS data
-allow bootloader_t memory_device_t:chr_file r_file_perms;
-
-allow bootloader_t policy_config_t:dir { search read };
-allow bootloader_t policy_config_t:file { getattr read };
-
-allow bootloader_t lib_t:file { getattr read };
-allow bootloader_t sysfs_t:dir 
getattr;
-allow bootloader_t urandom_device_t:chr_file read;
-allow bootloader_t { usr_t var_t }:file { getattr read };
-r_dir_file(bootloader_t, src_t)
-dontaudit bootloader_t selinux_config_t:dir search;
-dontaudit bootloader_t sysctl_t:dir search;
diff --git a/mls/domains/program/canna.te b/mls/domains/program/canna.te
deleted file mode 100644
index feb4e52f..00000000
--- a/mls/domains/program/canna.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#DESC canna - A Japanese character set input system.
-#
-# Authors: Dan Walsh
-#
-#
-
-#################################
-#
-# Rules for the canna_t domain.
-#
-daemon_domain(canna)
-
-file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
-
-logdir_domain(canna)
-var_lib_domain(canna)
-
-allow canna_t self:capability { setgid setuid net_bind_service };
-allow canna_t tmp_t:dir { search };
-allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
-allow canna_t self:unix_dgram_socket create_stream_socket_perms;
-allow canna_t etc_t:file { getattr read };
-allow canna_t usr_t:file { getattr read };
-
-allow canna_t proc_t:file r_file_perms;
-allow canna_t etc_runtime_t:file r_file_perms;
-allow canna_t canna_var_lib_t:dir create;
-
-rw_dir_create_file(canna_t, canna_var_lib_t)
-
-can_network_tcp(canna_t)
-allow canna_t port_type:tcp_socket name_connect;
-can_ypbind(canna_t)
-
-allow userdomain canna_var_run_t:dir search;
-allow userdomain canna_var_run_t:sock_file write;
-can_unix_connect(userdomain, canna_t)
-
-ifdef(`i18n_input.te', `
-allow i18n_input_t canna_var_run_t:dir search;
-allow i18n_input_t canna_var_run_t:sock_file write;
-can_unix_connect(i18n_input_t, canna_t)
-')
-
-dontaudit canna_t kernel_t:fd use;
-dontaudit canna_t root_t:file read;
diff --git a/mls/domains/program/cardmgr.te b/mls/domains/program/cardmgr.te
deleted file mode 100644
index 8f789886..00000000
--- a/mls/domains/program/cardmgr.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Cardmgr - PCMCIA control programs
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: pcmcia-cs
-#
-
-#################################
-#
-# Rules for the cardmgr_t domain.
-#
-daemon_domain(cardmgr, `, privmodule')
-
-# for SSP
-allow cardmgr_t urandom_device_t:chr_file read;
-
-type cardctl_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
-')
-role sysadm_r types cardmgr_t;
-allow cardmgr_t admin_tty_type:chr_file { read write };
-
-allow cardmgr_t sysfs_t:dir search;
-allow cardmgr_t home_root_t:dir search;
-
-# Use capabilities (net_admin for route), setuid for cardctl
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
-
-# for /etc/resolv.conf
-file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
-
-allow cardmgr_t etc_runtime_t:file { getattr read };
-
-allow cardmgr_t modules_object_t:dir search;
-allow cardmgr_t self:unix_dgram_socket create_socket_perms;
-allow cardmgr_t self:unix_stream_socket create_socket_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
-
-# Create stab file
-var_lib_domain(cardmgr)
-
-# for /var/lib/misc/pcmcia-scheme
-# would be better to have it in a different type if I knew how it was created..
-allow cardmgr_t var_lib_t:file { getattr read };
-
-# Create device files in /tmp.
-type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
-file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-
-# Create symbolic links in /dev.
-type cardmgr_lnk_t, file_type, sysadmfile;
-file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
-
-# Run a shell, normal commands, /etc/pcmcia scripts.
-can_exec_any(cardmgr_t)
-allow cardmgr_t etc_t:lnk_file read;
-
-# Run ifconfig. 
-domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
-allow ifconfig_t cardmgr_t:fd use;
-
-allow cardmgr_t proc_t:file { getattr read ioctl };
-
-# Read /proc/PID directories for all domains (for fuser).
-can_ps(cardmgr_t, domain -unrestricted)
-dontaudit cardmgr_t unrestricted:dir search;
-
-allow cardmgr_t device_type:{ chr_file blk_file } getattr;
-allow cardmgr_t ttyfile:chr_file getattr;
-dontaudit cardmgr_t ptyfile:chr_file getattr;
-dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
-dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
-dontaudit cardmgr_t proc_kmsg_t:file getattr;
-
-allow cardmgr_t tty_device_t:chr_file rw_file_perms;
-
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
-dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hald.te', `
-rw_dir_file(hald_t, cardmgr_var_run_t)
-allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
-')
-allow cardmgr_t device_t:lnk_file { getattr read };
diff --git a/mls/domains/program/cdrecord.te b/mls/domains/program/cdrecord.te
deleted file mode 100644
index 6460090d..00000000
--- a/mls/domains/program/cdrecord.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
-#
-# Author: Thomas Bleher
-
-# Type for the cdrecord excutable.
-type cdrecord_exec_t, file_type, sysadmfile, exec_type;
-
-# everything else is in the cdrecord_domain macros in
-# macros/program/cdrecord_macros.te.
-
diff --git a/mls/domains/program/certwatch.te b/mls/domains/program/certwatch.te
deleted file mode 100644
index 2abb1685..00000000
--- a/mls/domains/program/certwatch.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC certwatch - generate SSL certificate expiry warnings
-#
-# Domains for the certwatch process
-# Authors: Dan Walsh ,
-#
-application_domain(certwatch)
-role system_r types certwatch_t;
-r_dir_file(certwatch_t, cert_t)
-can_exec(certwatch_t, httpd_modules_t)
-system_crond_entry(certwatch_exec_t, certwatch_t)
-read_locale(certwatch_t)
diff --git a/mls/domains/program/checkpolicy.te b/mls/domains/program/checkpolicy.te
deleted file mode 100644
index 0cfa5a08..00000000
--- a/mls/domains/program/checkpolicy.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Checkpolicy - SELinux policy compliler
-#
-# Authors: Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: checkpolicy
-#
-
-###########################
-#
-# checkpolicy_t is the domain type for checkpolicy
-# checkpolicy_exec_t if file type for the executable
-
-type checkpolicy_t, domain;
-role sysadm_r types checkpolicy_t;
-role system_r types checkpolicy_t;
-role secadm_r types checkpolicy_t;
-
-type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-#
-# Rules
-
-domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
-
-# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:file create_file_perms;
-
-###########################
-# constrain what checkpolicy can use as source files
-#
-
-# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t root_t:dir search;
-allow checkpolicy_t etc_t:dir search;
-
-# Read the devpts root directory.
-allow checkpolicy_t devpts_t:dir r_dir_perms;
-ifdef(`sshd.te',
-`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Other access
-allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(checkpolicy_t)
-allow checkpolicy_t self:capability dac_override;
-
-##########################
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
-
-allow checkpolicy_t { userdomain privfd }:fd use;
-
-allow checkpolicy_t fs_t:filesystem getattr;
-allow checkpolicy_t console_device_t:chr_file { read write };
-allow checkpolicy_t init_t:fd use;
-allow checkpolicy_t selinux_config_t:dir search;
diff --git a/mls/domains/program/chkpwd.te b/mls/domains/program/chkpwd.te
deleted file mode 100644
index 22ac7f2d..00000000
--- a/mls/domains/program/chkpwd.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC Chkpwd - PAM password checking programs
-# X-Debian-Packages: libpam-modules
-#
-# Domains for the /sbin/.*_chkpwd utilities.
-#
-
-#
-# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
-#
-type chkpwd_exec_t, file_type, sysadmfile, exec_type;
-
-chkpwd_domain(system)
-dontaudit system_chkpwd_t privfd:fd use;
-role sysadm_r types system_chkpwd_t;
-in_user_role(system_chkpwd_t)
-
-# Everything else is in the chkpwd_domain macro in
-# macros/program/chkpwd_macros.te.
diff --git a/mls/domains/program/chroot.te b/mls/domains/program/chroot.te
deleted file mode 100644
index 8992c660..00000000
--- a/mls/domains/program/chroot.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC Chroot - Establish chroot environments
-#
-# Author: Russell Coker
-# X-Debian-Packages:
-#
-type chroot_exec_t, file_type, sysadmfile, exec_type;
-
-# For a chroot environment named potato that can be entered from user_t (so
-# the user can run an old version of Debian in a chroot), with the possibility
-# of user_devpts_t or user_tty_device_t being the controlling tty type for
-# administration. This also defines a mount_domain for the user (so they can
-# mount file systems).
-#chroot(user, potato)
-# For a chroot environment named apache that can be entered from initrc_t for
-# running a different version of apache.
-# initrc is a special case, uses the system_r role (usually appends "_r" to
-# the base name of the parent domain), and has sysadm_devpts_t and
-# sysadm_tty_device_t for the controlling terminal
-#chroot(initrc, apache)
-
-# the main code is in macros/program/chroot_macros.te
diff --git a/mls/domains/program/comsat.te b/mls/domains/program/comsat.te
deleted file mode 100644
index cd0e3f93..00000000
--- a/mls/domains/program/comsat.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC comsat - biff server
-#
-# Author: Dan Walsh
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the comsat_t domain.
-#
-# comsat_exec_t is the type of the comsat executable.
-#
-
-inetd_child_domain(comsat, udp)
-allow comsat_t initrc_var_run_t:file r_file_perms;
-dontaudit comsat_t initrc_var_run_t:file write;
-allow comsat_t mail_spool_t:dir r_dir_perms;
-allow comsat_t mail_spool_t:lnk_file read;
-allow comsat_t var_spool_t:dir search;
-dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
diff --git a/mls/domains/program/consoletype.te b/mls/domains/program/consoletype.te
deleted file mode 100644
index b1cc1266..00000000
--- a/mls/domains/program/consoletype.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC consoletype - determine the type of a console device
-#
-# Author: Russell Coker
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the consoletype_t domain.
-#
-# consoletype_t is the domain for the consoletype program.
-# consoletype_exec_t is the type of the corresponding program.
-#
-type consoletype_t, domain, mlsfileread, mlsfilewrite;
-type consoletype_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types consoletype_t;
-
-uses_shlib(consoletype_t)
-general_domain_access(consoletype_t)
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
-
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t xdm_tmp_t:file { read write };
-')
-
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
-')
-')
-
-allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
-
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-
-# Use capabilities.
-allow consoletype_t self:capability sys_admin;
-
-allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
-allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t nfs_t:file write;
-allow consoletype_t sysadm_t:fifo_file rw_file_perms;
-
-ifdef(`lpd.te', `
-allow consoletype_t printconf_t:file { getattr read };
-')
-
-ifdef(`pam.te', `
-allow consoletype_t pam_var_run_t:file { getattr read };
-')
-ifdef(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file rw_file_perms;
-')
-ifdef(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-dontaudit consoletype_t proc_t:dir search;
-dontaudit consoletype_t proc_t:file read;
-dontaudit consoletype_t root_t:file read;
-allow consoletype_t crond_t:fifo_file { read getattr ioctl };
-allow consoletype_t system_crond_t:fd use;
-allow consoletype_t fs_t:filesystem getattr;
diff --git a/mls/domains/program/cpucontrol.te b/mls/domains/program/cpucontrol.te
deleted file mode 100644
index 23a13b75..00000000
--- a/mls/domains/program/cpucontrol.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
-#
-# Author: Russell Coker
-#
-
-type cpucontrol_conf_t, file_type, sysadmfile;
-
-daemon_base_domain(cpucontrol)
-
-# Access cpu devices.
-allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
-allow cpucontrol_t device_t:lnk_file { getattr read };
-allow initrc_t cpu_device_t:chr_file getattr;
-
-allow cpucontrol_t self:capability sys_rawio;
-
-r_dir_file(cpucontrol_t, cpucontrol_conf_t)
diff --git a/mls/domains/program/cpuspeed.te b/mls/domains/program/cpuspeed.te
deleted file mode 100644
index b80f7054..00000000
--- a/mls/domains/program/cpuspeed.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
-#
-# Authors: Russell Coker
-# Thomas Bleher
-#
-
-daemon_base_domain(cpuspeed)
-read_locale(cpuspeed_t)
-
-allow cpuspeed_t sysfs_t:dir search;
-allow cpuspeed_t sysfs_t:file rw_file_perms;
-allow cpuspeed_t proc_t:dir r_dir_perms;
-allow cpuspeed_t proc_t:file { getattr read };
-allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow cpuspeed_t self:process setsched;
-allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
diff --git a/mls/domains/program/crack.te b/mls/domains/program/crack.te
deleted file mode 100644
index 1706f6ec..00000000
--- a/mls/domains/program/crack.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Crack - Password cracking application
-#
-# Author: Russell Coker
-# X-Debian-Packages: crack
-#
-
-#################################
-#
-# Rules for the crack_t domain.
-#
-# crack_exec_t is the type of the crack executable.
-#
-system_domain(crack)
-ifdef(`crond.te', `
-system_crond_entry(crack_exec_t, crack_t)
-')
-
-# for SSP
-allow crack_t urandom_device_t:chr_file read;
-
-type crack_db_t, file_type, sysadmfile, usercanread;
-allow crack_t var_t:dir search;
-rw_dir_create_file(crack_t, crack_db_t)
-
-allow crack_t device_t:dir search;
-allow crack_t devtty_t:chr_file rw_file_perms;
-allow crack_t self:fifo_file { read write getattr };
-
-tmp_domain(crack)
-
-# for dictionaries
-allow crack_t usr_t:file { getattr read };
-
-can_exec(crack_t, bin_t)
-allow crack_t { bin_t sbin_t }:dir search;
-
-allow crack_t self:process { fork signal_perms };
-
-allow crack_t proc_t:dir { read search };
-allow crack_t proc_t:file { read getattr };
-
-# read config files
-allow crack_t { etc_t etc_runtime_t }:file { getattr read };
-allow crack_t etc_t:dir r_dir_perms;
-
-allow crack_t fs_t:filesystem getattr;
-
-dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
diff --git a/mls/domains/program/crond.te b/mls/domains/program/crond.te
deleted file mode 100644
index 46493487..00000000
--- a/mls/domains/program/crond.te
+++ /dev/null
@@ -1,214 +0,0 @@
-#DESC Crond - Crond daemon
-#
-# Domains for the top-level crond daemon process and
-# for system cron jobs. The domains for user cron jobs
-# are in macros/program/crond_macros.te.
-#
-# X-Debian-Packages: cron
-# Authors: Jonathan Crowley (MITRE) ,
-# Stephen Smalley and Timothy Fraser
-#
-
-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
-# Domain for crond. It needs auth_chkpwd to check for locked accounts.
-daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
-
-# This domain is granted permissions common to most domains (including can_net)
-general_domain_access(crond_t)
-
-# Type for the anacron executable.
-type anacron_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for temporary files.
-tmp_domain(crond)
-
-crond_domain(system)
-
-allow system_crond_t proc_mdstat_t:file { getattr read };
-allow system_crond_t proc_t:lnk_file read;
-allow system_crond_t proc_t:filesystem getattr;
-allow system_crond_t usbdevfs_t:filesystem getattr;
-
-ifdef(`mta.te', `
-allow mta_user_agent system_crond_t:fd use;
-')
-
-# read files in /etc
-allow system_crond_t etc_t:file r_file_perms;
-allow system_crond_t etc_runtime_t:file { getattr read };
-
-allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
-
-read_locale(crond_t)
-
-# Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
-dontaudit crond_t self:capability sys_resource;
-
-# Get security policy decisions.
-can_getsecurity(crond_t)
-
-# for finding binaries and /bin/sh
-allow crond_t { bin_t sbin_t }:dir search;
-allow crond_t { bin_t sbin_t }:lnk_file read;
-
-# Read from /var/spool/cron.
-allow crond_t var_lib_t:dir search;
-allow crond_t var_spool_t:dir r_dir_perms;
-allow crond_t cron_spool_t:dir r_dir_perms;
-allow crond_t cron_spool_t:file r_file_perms;
-
-# Read /etc/security/default_contexts.
-r_dir_file(crond_t, default_context_t)
-
-allow crond_t etc_t:file { getattr read };
-allow crond_t etc_t:lnk_file read;
-
-allow crond_t default_t:dir search;
-
-# crond tries to search /root. Not sure why.
-allow crond_t sysadm_home_dir_t:dir r_dir_perms;
-
-# to search /home
-allow crond_t home_root_t:dir { getattr search };
-allow crond_t user_home_dir_type:dir r_dir_perms;
-
-# Run a shell.
-can_exec(crond_t, shell_exec_t)
-
-ifdef(`distro_redhat', `
-# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-# via redirection of standard out.
-ifdef(`rpm.te', `
-allow crond_t rpm_log_t: file create_file_perms;
-
-system_crond_entry(rpm_exec_t, rpm_t)
-allow system_crond_t rpm_log_t:file create_file_perms;
-#read ahead wants to read this
-allow initrc_t system_cron_spool_t:file { getattr read };
-')
-')
-
-allow system_crond_t var_log_t:file r_file_perms;
-
-
-# Set exec context.
-can_setexec(crond_t)
-
-# Transition to this domain for anacron as well.
-# Still need to study anacron.
-domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
-
-# Inherit and use descriptors from init for anacron.
-allow system_crond_t init_t:fd use;
-
-# Inherit and use descriptors from initrc for anacron.
-allow system_crond_t initrc_t:fd use;
-can_access_pty(system_crond_t, initrc)
-
-# Use capabilities.
-allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-
-allow crond_t urandom_device_t:chr_file { getattr read };
-
-# Read the system crontabs.
-allow system_crond_t system_cron_spool_t:file r_file_perms;
-
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
-
-# Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir r_dir_perms;
-allow system_crond_t cron_spool_t:file r_file_perms;
-
-# Write to /var/lib/slocate.db.
-allow system_crond_t var_lib_t:dir rw_dir_perms;
-allow system_crond_t var_lib_t:file create_file_perms;
-
-# Update whatis files.
-allow system_crond_t man_t:dir create_dir_perms;
-allow system_crond_t man_t:file create_file_perms;
-allow system_crond_t man_t:lnk_file read;
-
-# Write /var/lock/makewhatis.lock.
-lock_domain(system_crond)
-
-# for if /var/mail is a symlink
-allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
-allow crond_t mail_spool_t:dir search;
-
-ifdef(`mta.te', `
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-
-# Stat any file and search any directory for find.
-allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
-allow system_crond_t device_type:{ chr_file blk_file } getattr;
-allow system_crond_t file_type:dir { read search getattr };
-
-# Create temporary files.
-type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
-
-# /sbin/runlevel ask for w access to utmp, but will operate
-# correctly without it. Do not audit write denials to utmp.
-# /sbin/runlevel needs lock access however
-dontaudit system_crond_t initrc_var_run_t:file write;
-allow system_crond_t initrc_var_run_t:file { getattr read lock };
-
-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-allow system_crond_t var_spool_t:file create_file_perms;
-allow system_crond_t var_spool_t:dir rw_dir_perms;
-
-# Do not audit attempts to search unlabeled directories (e.g. slocate).
-dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
-dontaudit system_crond_t unlabeled_t:file r_file_perms;
-
-#
-# reading /var/spool/cron/mailman
-#
-allow crond_t var_spool_t:file { getattr read };
-allow system_crond_t devpts_t:filesystem getattr;
-allow system_crond_t sysfs_t:filesystem getattr;
-allow system_crond_t tmpfs_t:filesystem getattr;
-allow system_crond_t rpc_pipefs_t:filesystem getattr;
-
-#
-# These rules are here to allow system cron jobs to su
-#
-ifdef(`su.te', `
-su_restricted_domain(system_crond,system)
-role system_r types system_crond_su_t;
-allow system_crond_su_t crond_t:fifo_file ioctl;
-')
-allow system_crond_t self:passwd rootok;
-#
-# prelink tells init to restart it self, we either need to allow or dontaudit
-#
-allow system_crond_t initctl_t:fifo_file write;
-dontaudit userdomain system_crond_t:fd use;
-
-r_dir_file(crond_t, selinux_config_t)
-
-# Allow system cron jobs to relabel filesystem for restoring file contexts.
-bool cron_can_relabel false;
-if (cron_can_relabel) {
-domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
-} else {
-r_dir_file(system_crond_t, file_context_t)
-can_getsecurity(system_crond_t)
-}
-dontaudit system_crond_t removable_t:filesystem getattr;
-#
-# Required for webalizer
-#
-dontaudit crond_t self:capability sys_tty_config;
-ifdef(`apache.te', `
-allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
-allow system_crond_t httpd_modules_t:lnk_file read;
-# Needed for certwatch
-can_exec(system_crond_t, httpd_modules_t)
-')
diff --git a/mls/domains/program/crontab.te b/mls/domains/program/crontab.te
deleted file mode 100644
index 48b5fcca..00000000
--- a/mls/domains/program/crontab.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Crontab - Crontab manipulation programs
-#
-# Domains for the crontab program.
-#
-# X-Debian-Packages: cron
-#
-
-# Type for the crontab executable.
-type crontab_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the crontab_domain macro in
-# macros/program/crontab_macros.te.
diff --git a/mls/domains/program/cups.te b/mls/domains/program/cups.te
deleted file mode 100644
index 6bc5106c..00000000
--- a/mls/domains/program/cups.te
+++ /dev/null
@@ -1,321 +0,0 @@
-#DESC Cups - Common Unix Printing System
-#
-# Created cups policy from lpd policy: Russell Coker
-# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
-# Depends: lpd.te lpr.te
-
-#################################
-#
-# Rules for the cupsd_t domain.
-#
-# cupsd_t is the domain of cupsd.
-# cupsd_exec_t is the type of the cupsd executable.
-#
-daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
-etcdir_domain(cupsd)
-type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-
-can_network(cupsd_t)
-allow cupsd_t port_type:tcp_socket name_connect;
-logdir_domain(cupsd)
-
-tmp_domain(cupsd, `', { file dir fifo_file })
-
-allow cupsd_t devpts_t:dir search;
-
-allow cupsd_t device_t:lnk_file read;
-allow cupsd_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t urandom_device_t:chr_file { getattr read };
-dontaudit cupsd_t random_device_t:chr_file ioctl;
-
-# temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
-r_dir_file(cupsd_t, usbdevfs_t)
-r_dir_file(cupsd_t, usbfs_t)
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
-')
-
-ifdef(`inetd.te', `
-allow inetd_t printer_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
-
-# write to spool
-allow cupsd_t var_spool_t:dir search;
-
-# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
-file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file })
-allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_etc_t:file setattr;
-allow cupsd_t cupsd_etc_t:dir setattr;
-
-allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
-can_exec(cupsd_t, initrc_exec_t)
-allow cupsd_t proc_t:file r_file_perms;
-allow cupsd_t proc_t:dir r_dir_perms;
-allow cupsd_t self:file { getattr read };
-read_sysctl(cupsd_t)
-allow cupsd_t sysctl_dev_t:dir search;
-allow cupsd_t 
sysctl_dev_t:file { getattr read };
-
-# for /etc/printcap
-dontaudit cupsd_t etc_t:file write;
-
-# allow cups to execute its backend scripts
-can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
-allow cupsd_t reserved_port_t:tcp_socket name_bind;
-dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
-
-allow cupsd_t self:unix_stream_socket create_socket_perms;
-allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:fifo_file rw_file_perms;
-
-# Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability net_admin;
-
-#
-# /usr/lib/cups/backend/serial needs sys_admin
-# Need new context to run under???
-allow cupsd_t self:capability sys_admin;
-
-allow cupsd_t self:process setsched;
-
-# for /var/lib/defoma
-allow cupsd_t var_lib_t:dir search;
-r_dir_file(cupsd_t, readable_t)
-
-# Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
-
-can_tcp_connect(web_client_domain, cupsd_t)
-can_tcp_connect(cupsd_t, cupsd_t)
-
-# Send to portmap.
-ifdef(`portmap.te', `
-can_udp_send(cupsd_t, portmap_t)
-can_udp_send(portmap_t, cupsd_t)
-')
-
-# Write to /var/spool/cups.
-allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
-allow cupsd_t print_spool_t:file create_file_perms;
-allow cupsd_t print_spool_t:file rw_file_perms;
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow cupsd_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_t bin_t:lnk_file read;
-can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
-
-# They will also invoke ghostscript, which needs to read fonts
-read_fonts(cupsd_t)
-
-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-allow cupsd_t lib_t:file { read getattr };
-
-# read python modules
-allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
-
-#
-# lots of errors generated requiring the following
-#
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-
-#
-# Satisfy readahead
-#
-allow initrc_t cupsd_log_t:file { getattr read };
-r_dir_file(cupsd_t, var_t)
-
-r_dir_file(cupsd_t, usercanread)
-ifdef(`samba.te', `
-rw_dir_file(cupsd_t, samba_var_t)
-allow smbd_t cupsd_etc_t:dir search;
-')
-
-ifdef(`pam.te', `
-dontaudit cupsd_t pam_var_run_t:file { getattr read };
-')
-dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-# PTAL
-daemon_domain(ptal)
-etcdir_domain(ptal)
-
-file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability { chown sys_rawio };
-allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ptal_t self:unix_stream_socket { listen accept };
-can_network_server_tcp(ptal_t)
-allow ptal_t ptal_port_t:tcp_socket name_bind;
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-allow ptal_t self:fifo_file rw_file_perms;
-allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file rw_file_perms;
-allow initrc_t printer_device_t:chr_file getattr;
-allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(ptal_t, usbdevfs_t)
-rw_dir_file(ptal_t, usbfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
-allow cupsd_t ptal_var_run_t:dir search;
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-allow initrc_t ptal_var_run_t:dir rmdir;
-allow initrc_t ptal_var_run_t:fifo_file unlink;
-
-
-# HPLIP
-daemon_domain(hplip)
-etcdir_domain(hplip)
-allow hplip_t etc_t:file r_file_perms;
-allow hplip_t etc_runtime_t:file { read getattr };
-allow hplip_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t hplip_var_run_t:file { read getattr };
-allow hplip_t cupsd_etc_t:dir search;
-can_network(hplip_t)
-allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
-allow hplip_t hplip_port_t:tcp_socket name_bind;
-
-# Uses networking to talk to the daemons
-allow hplip_t self:unix_dgram_socket create_socket_perms;
-allow hplip_t self:unix_stream_socket create_socket_perms;
-allow hplip_t self:rawip_socket create_socket_perms;
-
-# for python
-can_exec(hplip_t, bin_t)
-allow hplip_t { sbin_t bin_t }:dir search;
-allow hplip_t self:file { getattr read };
-allow hplip_t proc_t:file r_file_perms;
-allow hplip_t urandom_device_t:chr_file { getattr read };
-allow hplip_t usr_t:{ file lnk_file } r_file_perms;
-allow hplip_t devpts_t:dir search;
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
-
-dontaudit cupsd_t selinux_config_t:dir search;
-dontaudit cupsd_t selinux_config_t:file { getattr read };
-
-allow cupsd_t printconf_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
-allow cupsd_t system_dbusd_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
-')
-
-# CUPS configuration daemon
-daemon_domain(cupsd_config, `, nscd_client_domain')
-
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-')
-allow cupsd_config_t initrc_exec_t:file getattr;
-')dnl end distro_redhat
-
-allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
-allow cupsd_config_t self:file { getattr read };
-
-allow cupsd_config_t proc_t:file { getattr read };
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-can_ps(cupsd_config_t, cupsd_t)
-
-allow cupsd_config_t self:capability { chown sys_tty_config };
-
-rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
-rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
-file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_config_t var_t:lnk_file read;
-
-can_network_tcp(cupsd_config_t)
-can_ypbind(cupsd_config_t)
-allow cupsd_config_t port_type:tcp_socket name_connect;
-can_tcp_connect(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:fifo_file rw_file_perms;
-
-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_config)
-allow cupsd_config_t userdomain:dbus send_msg;
-allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow userdomain cupsd_config_t:dbus send_msg;
-')dnl end if dbusd.te
-
-ifdef(`hald.te', `
-
-ifdef(`dbusd.te', `
-allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
-allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
-')dnl end if dbusd.te
-
-allow hald_t cupsd_config_t:process signal;
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
-
-') dnl end if hald.te
-
-
-can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(cupsd_t, hostname_exec_t)
-can_exec(cupsd_config_t, hostname_exec_t)
-')
-allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-dontaudit cupsd_config_t selinux_config_t:dir search;
-
-can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-allow cupsd_config_t usr_t:file { getattr read };
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-allow cupsd_config_t printconf_t:file { getattr read };
-
-allow cupsd_config_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`logrotate.te', `
-allow cupsd_config_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
-# Alternatives asks for this
-allow cupsd_config_t initrc_exec_t:file getattr;
-ifdef(`targeted_policy', `
-can_unix_connect(cupsd_t, initrc_t)
-allow cupsd_t initrc_t:dbus send_msg;
-allow initrc_t cupsd_t:dbus send_msg;
-allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
-allow unconfined_t cupsd_config_t:dbus send_msg;
-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
-')
-typealias printer_port_t alias cupsd_lpd_port_t;
-inetd_child_domain(cupsd_lpd)
-allow inetd_t printer_port_t:tcp_socket name_bind;
-r_dir_file(cupsd_lpd_t, cupsd_etc_t)
-r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
-allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
-ifdef(`use_mcs', `
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-')
-
diff --git a/mls/domains/program/cvs.te b/mls/domains/program/cvs.te
deleted file mode 100644
index 503c8097..00000000
--- a/mls/domains/program/cvs.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC cvs - Concurrent Versions System
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the cvs_t domain.
-#
-# cvs_exec_t is the type of the cvs executable.
-#
-
-inetd_child_domain(cvs, tcp)
-typeattribute cvs_t privmail;
-typeattribute cvs_t auth_chkpwd;
-
-type cvs_data_t, file_type, sysadmfile, customizable;
-create_dir_file(cvs_t, cvs_data_t)
-can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
-allow cvs_t bin_t:dir search;
-allow cvs_t { bin_t sbin_t }:lnk_file read;
-allow cvs_t etc_runtime_t:file { getattr read };
-allow system_mail_t cvs_data_t:file { getattr read };
-dontaudit cvs_t devtty_t:chr_file { read write };
-ifdef(`kerberos.te', `
-# Allow kerberos to work
-allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
-dontaudit cvs_t krb5_conf_t:file write;
-')
diff --git a/mls/domains/program/cyrus.te b/mls/domains/program/cyrus.te
deleted file mode 100644
index 13b2f663..00000000
--- a/mls/domains/program/cyrus.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#DESC cyrus-imapd
-#
-# Authors: Dan Walsh
-#
-
-# cyrusd_exec_t is the type of the cyrusd executable.
-# cyrusd_key_t is the type of the cyrus private key files
-daemon_domain(cyrus)
-
-general_domain_access(cyrus_t)
-file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
-
-type cyrus_var_lib_t, file_type, sysadmfile;
-
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow cyrus_t self:process setrlimit;
-
-can_network(cyrus_t)
-allow cyrus_t port_type:tcp_socket name_connect;
-can_ypbind(cyrus_t)
-can_exec(cyrus_t, bin_t)
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-allow cyrus_t etc_t:file { getattr read };
-allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
-read_locale(cyrus_t)
-read_sysctl(cyrus_t)
-tmp_domain(cyrus)
-allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
-allow cyrus_t proc_t:dir search;
-allow cyrus_t proc_t:file { getattr read };
-allow cyrus_t sysadm_devpts_t:chr_file { read write };
-
-allow cyrus_t var_lib_t:dir search;
-
-allow cyrus_t etc_runtime_t:file { read getattr };
-ifdef(`crond.te', `
-system_crond_entry(cyrus_exec_t, cyrus_t)
-allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
-allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-')
-create_dir_file(cyrus_t, mail_spool_t)
-allow cyrus_t var_spool_t:dir search;
-
-ifdef(`saslauthd.te', `
-allow cyrus_t saslauthd_var_run_t:dir search;
-allow cyrus_t saslauthd_var_run_t:sock_file { read write };
-allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
-')
-
-r_dir_file(cyrus_t, cert_t)
-allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
-
-ifdef(`postfix.te', `
-allow postfix_master_t cyrus_t:unix_stream_socket connectto;
-allow postfix_master_t var_lib_t:dir search;
-allow postfix_master_t cyrus_var_lib_t:dir search;
-allow postfix_master_t cyrus_var_lib_t:sock_file write;
-')
-
diff --git a/mls/domains/program/dbskkd.te b/mls/domains/program/dbskkd.te
deleted file mode 100644
index e75d90b9..00000000
--- a/mls/domains/program/dbskkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the dbskkd_t domain.
-#
-# dbskkd_exec_t is the type of the dbskkd executable.
-#
-# Depends: inetd.te
-
-inetd_child_domain(dbskkd)
diff --git a/mls/domains/program/dbusd.te b/mls/domains/program/dbusd.te
deleted file mode 100644
index acad4def..00000000
--- a/mls/domains/program/dbusd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC dbus-daemon-1 server for dbus desktop bus protocol
-#
-# Author: Russell Coker
-
-dbusd_domain(system)
-
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file(system_dbusd_t, pam_var_console_t)
-')
-
-# dac_override: /var/run/dbus is owned by messagebus on Debian
-allow system_dbusd_t self:capability { dac_override setgid setuid };
-nsswitch_domain(system_dbusd_t)
-
-# I expect we need more than this
-
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow initrc_t system_dbusd_t:unix_stream_socket connectto;
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-
-can_exec(system_dbusd_t, sbin_t)
-allow system_dbusd_t self:fifo_file { read write };
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/mls/domains/program/ddcprobe.te b/mls/domains/program/ddcprobe.te
deleted file mode 100644
index 40871266..00000000
--- a/mls/domains/program/ddcprobe.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC ddcprobe - output ddcprobe results from kudzu
-#
-# Author: dan walsh
-#
-
-type ddcprobe_t, domain, privmem;
-type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types ddcprobe_t;
-role system_r types ddcprobe_t;
-domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
-
-uses_shlib(ddcprobe_t)
-
-# Allow terminal access
-access_terminal(ddcprobe_t, sysadm)
-
-# Allow ddcprobe to read /dev/mem
-allow ddcprobe_t memory_device_t:chr_file read;
-allow ddcprobe_t memory_device_t:chr_file { execute write };
-allow ddcprobe_t self:process execmem;
-allow ddcprobe_t zero_device_t:chr_file { execute read };
-
-allow ddcprobe_t proc_t:dir search;
-allow ddcprobe_t proc_t:file { getattr read };
-can_exec(ddcprobe_t, sbin_t)
-allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
-allow ddcprobe_t userdomain:fd use;
-read_sysctl(ddcprobe_t)
-allow ddcprobe_t urandom_device_t:chr_file { getattr read };
-allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
-allow ddcprobe_t self:capability { sys_rawio sys_admin };
-
-allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
-allow ddcprobe_t kudzu_exec_t:file getattr;
-allow ddcprobe_t lib_t:file { getattr read };
-read_locale(ddcprobe_t)
-allow ddcprobe_t modules_object_t:dir search;
-allow ddcprobe_t modules_dep_t:file { getattr read };
-allow ddcprobe_t usr_t:file { getattr read };
-allow ddcprobe_t kernel_t:system syslog_console;
diff --git a/mls/domains/program/dhcpc.te b/mls/domains/program/dhcpc.te
deleted file mode 100644
index 83cbe81d..00000000
--- a/mls/domains/program/dhcpc.te
+++ /dev/null
@@ -1,169 +0,0 @@
-#DESC DHCPC - DHCP client
-#
-# Authors: Wayne Salamon (NAI Labs)
-# Russell Coker
-# X-Debian-Packages: pump dhcp-client udhcpc
-#
-
-#################################
-#
-# Rules for the dhcpc_t domain.
-#
-# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP
-# network configurator daemon started by /etc/sysconfig/network-scripts
-# rc scripts, runs in this domain.
-# dhcpc_exec_t is the type of the dhcpcd executable.
-# The dhcpc_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpc)
-
-# for SSP
-allow dhcpc_t urandom_device_t:chr_file read;
-
-can_network(dhcpc_t)
-allow dhcpc_t port_type:tcp_socket name_connect;
-can_ypbind(dhcpc_t)
-allow dhcpc_t self:unix_dgram_socket create_socket_perms;
-allow dhcpc_t self:unix_stream_socket create_socket_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
-
-allow dhcpc_t devpts_t:dir search;
-
-# for localization
-allow dhcpc_t lib_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
-')
-ifdef(`nscd.te', `
-domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
-allow dhcpc_t nscd_var_run_t:file { getattr read };
-')
-ifdef(`cardmgr.te', `
-domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
-allow cardmgr_t dhcpc_var_run_t:file { getattr read };
-allow cardmgr_t dhcpc_t:process signal_perms;
-allow cardmgr_t dhcpc_var_run_t:file unlink;
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-allow hotplug_t dhcpc_t:process signal_perms;
-allow hotplug_t dhcpc_var_run_t:file { getattr read };
-allow hotplug_t dhcp_etc_t:file rw_file_perms;
-allow dhcpc_t hotplug_etc_t:dir { getattr search };
-ifdef(`distro_redhat', `
-domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
-')
-')dnl end hotplug.te
-
-# for the dhcp client to run ping to check IP addresses
-ifdef(`ping.te', `
-domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
-ifdef(`hotplug.te', `
-allow ping_t hotplug_t:fd use;
-') dnl end if hotplug
-ifdef(`cardmgr.te', `
-allow ping_t cardmgr_t:fd use;
-') dnl end if cardmgr
-', `
-allow dhcpc_t self:capability setuid;
-allow dhcpc_t self:rawip_socket create_socket_perms;
-') dnl end if ping
-
-ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-')
-type dhcpc_state_t, file_type, sysadmfile;
-
-allow dhcpc_t etc_t:lnk_file read;
-allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow dhcpc_t proc_net_t:dir search;
-allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
-allow dhcpc_t self:file { getattr read };
-read_sysctl(dhcpc_t)
-allow dhcpc_t userdomain:fd use;
-ifdef(`run_init.te', `
-allow dhcpc_t run_init_t:fd use;
-')
-
-# Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-
-# for udp port 68
-allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
-
-# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
-# in /etc created by dhcpcd will be labelled net_conf_t.
-file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
-
-# Allow access to the dhcpc file types
-r_dir_file(dhcpc_t, dhcp_etc_t)
-allow dhcpc_t sbin_t:dir search;
-can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
-ifdef(`distro_redhat', `
-can_exec(dhcpc_t, etc_t)
-allow initrc_t dhcp_etc_t:file rw_file_perms;
-')
-ifdef(`ifconfig.te', `
-domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-
-tmp_domain(dhcpc)
-
-# Allow dhcpc_t to use packet sockets
-allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t var_lib_t:dir search;
-file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-rw_dir_create_file(dhcpc_t, dhcpc_state_t)
-allow dhcpc_t dhcp_state_t:file { getattr read };
-
-allow dhcpc_t bin_t:dir { getattr search };
-allow dhcpc_t bin_t:lnk_file read;
-can_exec(dhcpc_t, { bin_t shell_exec_t })
-
-ifdef(`hostname.te', `
-domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
-')
-dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
-allow dhcpc_t { userdomain kernel_t }:fd use;
-
-allow dhcpc_t home_root_t:dir search;
-allow initrc_t dhcpc_state_t:file { getattr read };
-dontaudit dhcpc_t var_lock_t:dir search;
-allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit dhcpc_t domain:dir getattr;
-allow dhcpc_t initrc_var_run_t:file rw_file_perms;
-#
-# dhclient sometimes starts ypbind and ntdp
-#
-can_exec(dhcpc_t, initrc_exec_t)
-ifdef(`ypbind.te', `
-domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-allow dhcpc_t ypbind_t:process signal;
-')
-ifdef(`ntpd.te', `
-domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
-')
-role sysadm_r types dhcpc_t;
-domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')dnl end ifdef unconfined.te
-')
-ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
-allow dhcpc_t locale_t:file write;
diff --git a/mls/domains/program/dhcpd.te b/mls/domains/program/dhcpd.te
deleted file mode 100644
index 137fbbf2..00000000
--- a/mls/domains/program/dhcpd.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC DHCPD - DHCP server
-#
-# Author: Russell Coker
-# based on the dhcpc_t policy from:
-# Wayne Salamon (NAI Labs)
-# X-Debian-Packages: dhcp dhcp3-server
-#
-
-#################################
-#
-# Rules for the dhcpd_t domain.
-#
-# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP
-# server daemon rc scripts, runs in this domain.
-# dhcpd_exec_t is the type of the dhcpdd executable.
-# The dhcpd_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpd, `, nscd_client_domain')
-
-# for UDP port 4011
-allow dhcpd_t pxe_port_t:udp_socket name_bind;
-
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-
-# Use the network.
-can_network(dhcpd_t)
-allow dhcpd_t port_type:tcp_socket name_connect;
-allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
-can_ypbind(dhcpd_t)
-allow dhcpd_t self:unix_dgram_socket create_socket_perms;
-allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow dhcpd_t var_lib_t:dir search;
-
-allow dhcpd_t devtty_t:chr_file { read write };
-
-# Use capabilities
-allow dhcpd_t self:capability { net_raw net_bind_service };
-dontaudit dhcpd_t self:capability net_admin;
-
-# Allow access to the dhcpd file types
-type dhcp_state_t, file_type, sysadmfile;
-type dhcpd_state_t, file_type, sysadmfile;
-allow dhcpd_t dhcp_etc_t:file { read getattr };
-allow dhcpd_t dhcp_etc_t:dir search;
-file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
-rw_dir_create_file(dhcpd_t, dhcpd_state_t)
-
-allow dhcpd_t etc_t:lnk_file read;
-allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
-can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
-
-# Allow dhcpd_t to use packet sockets
-allow dhcpd_t self:packet_socket create_socket_perms;
-allow dhcpd_t self:rawip_socket create_socket_perms;
-
-# allow to run utilities and scripts
-allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
-allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
-allow dhcpd_t self:fifo_file { read write getattr };
-
-# allow reading /proc
-allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
-tmp_domain(dhcpd)
-
-ifdef(`distro_gentoo', `
-allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
-allow initrc_t dhcpd_state_t:file setattr;
-')
-r_dir_file(dhcpd_t, usr_t)
-allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-ifdef(`named.te', `
-allow dhcpd_t { named_conf_t named_zone_t }:dir search;
-allow dhcpd_t dnssec_t:file { getattr read };
-')
diff --git a/mls/domains/program/dictd.te b/mls/domains/program/dictd.te
deleted file mode 100644
index d610d073..00000000
--- a/mls/domains/program/dictd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Dictd - Dictionary daemon
-#
-# Authors: Russell Coker
-# X-Debian-Packages: dictd
-#
-
-#################################
-#
-# Rules for the dictd_t domain.
-#
-# dictd_exec_t is the type of the dictd executable.
-#
-daemon_base_domain(dictd)
-type dictd_var_lib_t, file_type, sysadmfile;
-typealias dictd_var_lib_t alias var_lib_dictd_t;
-etc_domain(dictd)
-
-# for checking for nscd
-dontaudit dictd_t var_run_t:dir search;
-
-# read config files
-allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-read_locale(dictd_t)
-
-allow dictd_t { var_t var_lib_t }:dir search;
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
-
-allow dictd_t self:capability { setuid setgid };
-
-allow dictd_t usr_t:file r_file_perms;
-
-allow dictd_t self:process { setpgid fork sigchld };
-
-allow dictd_t proc_t:file r_file_perms;
-
-allow dictd_t dict_port_t:tcp_socket name_bind;
-
-allow dictd_t devtty_t:chr_file rw_file_perms;
-
-allow dictd_t self:unix_stream_socket create_stream_socket_perms;
-
-can_network_server(dictd_t)
-can_ypbind(dictd_t)
-can_tcp_connect(userdomain, dictd_t)
-
-allow dictd_t fs_t:filesystem getattr;
diff --git a/mls/domains/program/dmesg.te b/mls/domains/program/dmesg.te
deleted file mode 100644
index 9f9392e1..00000000
--- a/mls/domains/program/dmesg.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC dmesg - control kernel ring buffer
-#
-# Author: Dan Walsh dwalsh@redhat.com
-#
-# X-Debian-Packages: util-linux
-
-#################################
-#
-# Rules for the dmesg_t domain.
-#
-# dmesg_exec_t is the type of the dmesg executable.
-#
-# while sysadm_t has the sys_admin capability there is no point in using
-# dmesg_t when run from sysadm_t, so we use nosysadm.
-#
-daemon_base_domain(dmesg, , `nosysadm')
-
-#
-# Rules used for dmesg
-#
-allow dmesg_t self:capability sys_admin;
-allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
-allow dmesg_t admin_tty_type:chr_file { getattr read write };
-allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
-allow dmesg_t var_log_t:file { getattr write };
-read_locale(dmesg_t)
-
-# for when /usr is not mounted
-dontaudit dmesg_t file_t:dir search;
diff --git a/mls/domains/program/dmidecode.te b/mls/domains/program/dmidecode.te
deleted file mode 100644
index 05b93f79..00000000
--- a/mls/domains/program/dmidecode.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC dmidecode - decodes DMI data for x86/ia64 bioses
-#
-# Author: Ivan Gyurdiev
-#
-
-type dmidecode_t, domain, privmem;
-type dmidecode_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types dmidecode_t;
-role system_r types dmidecode_t;
-domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
-
-uses_shlib(dmidecode_t)
-
-# Allow terminal access
-access_terminal(dmidecode_t, sysadm)
-
-# Allow dmidecode to read /dev/mem
-allow dmidecode_t memory_device_t:chr_file read;
-
-allow dmidecode_t self:capability sys_rawio;
diff --git a/mls/domains/program/dovecot.te b/mls/domains/program/dovecot.te
deleted file mode 100644
index bd3873a7..00000000
--- a/mls/domains/program/dovecot.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#DESC Dovecot POP and IMAP servers
-#
-# Author: Russell Coker
-# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
-
-#
-# Main dovecot daemon
-#
-daemon_domain(dovecot, `, privhome')
-etc_domain(dovecot);
-
-allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-type dovecot_cert_t, file_type, sysadmfile;
-type dovecot_passwd_t, file_type, sysadmfile;
-type dovecot_spool_t, file_type, sysadmfile;
-
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
-allow dovecot_t self:process setrlimit;
-can_network_tcp(dovecot_t)
-allow dovecot_t port_type:tcp_socket name_connect;
-can_ypbind(dovecot_t)
-allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dovecot_t, self)
-
-allow dovecot_t etc_t:file { getattr read };
-allow dovecot_t initrc_var_run_t:file getattr;
-allow dovecot_t bin_t:dir { getattr search };
-can_exec(dovecot_t, bin_t)
-
-allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file { getattr read };
-allow dovecot_t cert_t:dir search;
-r_dir_file(dovecot_t, dovecot_cert_t)
-r_dir_file(dovecot_t, cert_t)
-
-allow dovecot_t { self proc_t }:file { getattr read };
-allow dovecot_t self:fifo_file rw_file_perms;
-
-can_kerberos(dovecot_t)
-
-allow dovecot_t tmp_t:dir search;
-rw_dir_create_file(dovecot_t, mail_spool_t)
-
-
-create_dir_file(dovecot_t, dovecot_spool_t)
-create_dir_file(mta_delivery_agent, dovecot_spool_t)
-allow dovecot_t mail_spool_t:lnk_file read;
-allow dovecot_t var_spool_t:dir { search };
-
-#
-# Dovecot auth daemon
-#
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
-can_ldap(dovecot_auth_t)
-can_ypbind(dovecot_auth_t)
-can_kerberos(dovecot_auth_t)
-can_resolve(dovecot_auth_t)
-allow dovecot_auth_t self:process { fork signal_perms };
-allow dovecot_auth_t self:capability { setgid setuid };
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t self:fifo_file rw_file_perms;
-allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
-allow dovecot_auth_t etc_t:file { getattr read };
-allow dovecot_auth_t { self proc_t }:file { getattr read };
-read_locale(dovecot_auth_t)
-read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
-dontaudit dovecot_auth_t selinux_config_t:dir search;
-allow dovecot_auth_t etc_runtime_t:file { getattr read };
diff --git a/mls/domains/program/fetchmail.te b/mls/domains/program/fetchmail.te
deleted file mode 100644
index 225f08ea..00000000
--- a/mls/domains/program/fetchmail.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC fetchmail - remote-mail retrieval utility
-#
-# Author: Greg Norris
-# X-Debian-Packages: fetchmail
-# Depends: mta.te
-#
-# Note: This policy is only required when running fetchmail in daemon mode.
-
-#################################
-#
-# Rules for the fetchmail_t domain.
-#
-daemon_domain(fetchmail);
-type fetchmail_etc_t, file_type, sysadmfile;
-type fetchmail_uidl_cache_t, file_type, sysadmfile;
-
-# misc. requirements
-allow fetchmail_t self:process setrlimit;
-
-# network-related goodies
-can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
-can_network_udp(fetchmail_t, dns_port_t)
-allow fetchmail_t port_type:tcp_socket name_connect;
-
-allow fetchmail_t self:unix_dgram_socket create_socket_perms;
-allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
-
-# file access
-allow fetchmail_t etc_t:file r_file_perms;
-allow fetchmail_t fetchmail_etc_t:file r_file_perms;
-allow fetchmail_t mail_spool_t:dir search;
-file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
diff --git a/mls/domains/program/fingerd.te b/mls/domains/program/fingerd.te
deleted file mode 100644
index 73fee16b..00000000
--- a/mls/domains/program/fingerd.te
+++ /dev/null
@@ -1,80 +0,0 @@
-#DESC Fingerd - Finger daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
-#
-
-#################################
-#
-# Rules for the fingerd_t domain.
-#
-# fingerd_exec_t is the type of the fingerd executable.
-#
-daemon_domain(fingerd)
-
-etcdir_domain(fingerd)
-
-allow fingerd_t etc_t:lnk_file read;
-allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
-
-log_domain(fingerd)
-system_crond_entry(fingerd_exec_t, fingerd_t)
-ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
-
-allow fingerd_t fingerd_port_t:tcp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t fingerd_port_t:tcp_socket name_bind;
-# can be run from inetd
-domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
-allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
-')
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
-')
-
-allow fingerd_t self:capability { setgid setuid };
-# for gzip from logrotate
-dontaudit fingerd_t self:capability fsetid;
-
-# cfingerd runs shell scripts
-allow fingerd_t { bin_t sbin_t }:dir search;
-allow fingerd_t bin_t:lnk_file read;
-can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
-allow fingerd_t devtty_t:chr_file { read write };
-
-allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
-
-# Use the network.
-can_network_server(fingerd_t)
-can_ypbind(fingerd_t)
-
-allow fingerd_t self:unix_dgram_socket create_socket_perms;
-allow fingerd_t self:unix_stream_socket create_socket_perms;
-allow fingerd_t self:fifo_file { read write getattr };
-
-# allow any user domain to connect to the finger server
-can_tcp_connect(userdomain, fingerd_t)
-
-# for .finger, .plan. etc
-allow fingerd_t { home_root_t user_home_dir_type }:dir search;
-# should really have a different type for .plan etc
-allow fingerd_t user_home_type:file { getattr read };
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-dontaudit fingerd_t user_home_t:dir search;
-
-# for mail
-allow fingerd_t { var_spool_t mail_spool_t }:dir search;
-allow fingerd_t mail_spool_t:file getattr;
-allow fingerd_t mail_spool_t:lnk_file read;
-
-# see who is logged in and when users last logged in
-allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
-dontaudit fingerd_t initrc_var_run_t:file lock;
-allow fingerd_t devpts_t:dir search;
-allow fingerd_t ptyfile:chr_file getattr;
-
-allow fingerd_t proc_t:file { read getattr };
-
-# for date command
-read_sysctl(fingerd_t)
diff --git a/mls/domains/program/firstboot.te b/mls/domains/program/firstboot.te
deleted file mode 100644
index e07bc432..00000000
--- a/mls/domains/program/firstboot.te
+++ /dev/null
@@ -1,131 +0,0 @@
-#DESC firstboot
-#
-# Author: Dan Walsh
-# X-Debian-Packages: firstboot
-#
-
-#################################
-#
-# Rules for the firstboot_t domain.
-#
-# firstboot_exec_t is the type of the firstboot executable.
-#
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
-type firstboot_rw_t, file_type, sysadmfile;
-role system_r types firstboot_t;
-
-ifdef(`xserver.te', `
-domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
-
-etc_domain(firstboot)
-
-allow firstboot_t proc_t:file r_file_perms;
-
-allow firstboot_t urandom_device_t:chr_file { getattr read };
-allow firstboot_t proc_t:file { getattr read write };
-
-domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
-file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
-
-can_exec_any(firstboot_t)
-ifdef(`useradd.te',`
-domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
-domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
-')
-allow firstboot_t etc_runtime_t:file { getattr read };
-
-r_dir_file(firstboot_t, etc_t)
-
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-allow firstboot_t self:fifo_file { getattr read write };
-allow firstboot_t self:process { fork sigchld };
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t initrc_exec_t:file { getattr read };
-allow firstboot_t initrc_var_run_t:file r_file_perms;
-allow firstboot_t lib_t:file { getattr read };
-allow firstboot_t local_login_t:fd use;
-read_locale(firstboot_t)
-
-allow firstboot_t proc_t:dir search;
-allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
-allow firstboot_t usr_t:file r_file_perms;
-
-allow firstboot_t etc_t:file write;
-
-# Allow write to utmp file
-allow firstboot_t initrc_var_run_t:file write;
-
-ifdef(`samba.te', `
-rw_dir_file(firstboot_t, samba_etc_t)
-')
-
-dontaudit firstboot_t shadow_t:file getattr;
-
-role system_r types initrc_t;
-#role_transition firstboot_r initrc_exec_t system_r;
-domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
-
-allow firstboot_t self:passwd rootok;
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-ifdef(`consoletype.te', `
-allow consoletype_t devtty_t:chr_file { read write };
-allow consoletype_t etc_t:file { getattr read };
-allow consoletype_t firstboot_t:fd use;
-')
-
-allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
-
-allow firstboot_t self:capability { dac_override setgid };
-allow firstboot_t self:dir search;
-allow firstboot_t self:file { read write };
-allow firstboot_t self:lnk_file read;
-can_setfscreate(firstboot_t)
-allow firstboot_t krb5_conf_t:file rw_file_perms;
-
-allow firstboot_t modules_conf_t:file { getattr read };
-allow firstboot_t modules_dep_t:file { getattr read };
-allow firstboot_t modules_object_t:dir search;
-allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
-allow firstboot_t proc_t:lnk_file read;
-
-can_getsecurity(firstboot_t)
-
-dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-read_sysctl(firstboot_t)
-
-allow firstboot_t var_run_t:dir getattr;
-allow firstboot_t var_t:dir getattr;
-ifdef(`hostname.te', `
-allow hostname_t devtty_t:chr_file { read write };
-allow hostname_t firstboot_t:fd use;
-')
-ifdef(`iptables.te', `
-allow iptables_t devtty_t:chr_file { read write };
-allow iptables_t firstboot_t:fd use;
-allow iptables_t firstboot_t:fifo_file write;
-')
-can_network_server(firstboot_t)
-can_ypbind(firstboot_t)
-ifdef(`printconf.te', `
-can_exec(firstboot_t, printconf_t)
-')
-create_dir_file(firstboot_t, var_t)
-# Add/remove user home directories
-file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
-
-#
-# The big hammer
-#
-unconfined_domain(firstboot_t)
-ifdef(`targeted_policy', `
-allow firstboot_t unconfined_t:process transition;
-')
-
diff --git a/mls/domains/program/fs_daemon.te b/mls/domains/program/fs_daemon.te
deleted file mode 100644
index 05c98a9f..00000000
--- a/mls/domains/program/fs_daemon.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC file system daemons
-#
-# Author: Russell Coker
-# X-Debian-Packages: smartmontools
-
-daemon_domain(fsdaemon, `, fs_domain, privmail')
-allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
-allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
-
-# for config
-allow fsdaemon_t etc_t:file { getattr read };
-
-allow fsdaemon_t device_t:dir read;
-allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
-allow fsdaemon_t etc_runtime_t:file { getattr read };
-
-allow fsdaemon_t proc_mdstat_t:file { getattr read };
-
-can_exec_any(fsdaemon_t)
-allow fsdaemon_t self:fifo_file rw_file_perms;
-can_network_udp(fsdaemon_t)
-tmp_domain(fsdaemon)
-allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
-
-dontaudit fsdaemon_t devpts_t:dir search;
-allow fsdaemon_t proc_t:file { getattr read };
-dontaudit system_mail_t fixed_disk_device_t:blk_file read;
diff --git a/mls/domains/program/fsadm.te b/mls/domains/program/fsadm.te
deleted file mode 100644
index 0bfbb686..00000000
--- a/mls/domains/program/fsadm.te
+++ /dev/null
@@ -1,123 +0,0 @@
-#DESC Fsadm - Disk and file system administration
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
-#
-
-#################################
-#
-# Rules for the fsadm_t domain.
-#
-# fsadm_t is the domain for disk and file system
-# administration.
-# fsadm_exec_t is the type of the corresponding programs.
-#
-type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
-role system_r types fsadm_t;
-role sysadm_r types fsadm_t;
-
-general_domain_access(fsadm_t)
-
-# for swapon
-r_dir_file(fsadm_t, sysfs_t)
-
-# Read system information files in /proc.
-r_dir_file(fsadm_t, proc_t)
-
-# Read system variables in /proc/sys
-read_sysctl(fsadm_t)
-
-# for /dev/shm
-allow fsadm_t tmpfs_t:dir { getattr search };
-allow fsadm_t tmpfs_t:file { read write };
-
-base_file_read_access(fsadm_t)
-
-# Read /etc.
-r_dir_file(fsadm_t, etc_t)
-
-# Read module-related files.
-allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow fsadm_t device_t:dir r_dir_perms;
-allow fsadm_t device_t:lnk_file r_file_perms;
-
-uses_shlib(fsadm_t)
-
-type fsadm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-')
-tmp_domain(fsadm)
-
-# remount file system to apply changes
-allow fsadm_t fs_t:filesystem remount;
-
-allow fsadm_t fs_t:filesystem getattr;
-
-# mkreiserfs needs this
-allow fsadm_t proc_t:filesystem getattr;
-
-# mkreiserfs and other programs need this for UUID
-allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
-
-# Use capabilities. ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
-
-# Write to /etc/mtab.
-file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
-
-# Inherit and use descriptors from init.
-allow fsadm_t init_t:fd use;
-
-# Run other fs admin programs in the fsadm_t domain.
-can_exec(fsadm_t, fsadm_exec_t)
-
-# Access disk devices.
-allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
-
-# Access lost+found.
-allow fsadm_t lost_found_t:dir create_dir_perms;
-allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
-allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
-
-allow fsadm_t file_t:dir { search read getattr rmdir create };
-
-# Recreate /mnt/cdrom.
-allow fsadm_t mnt_t:dir { search read getattr rmdir create };
-
-# Recreate /dev/cdrom.
-allow fsadm_t device_t:dir rw_dir_perms;
-allow fsadm_t device_t:lnk_file { unlink create };
-
-# Enable swapping to devices and files
-allow fsadm_t swapfile_t:file { getattr swapon };
-allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
-
-# Allow console log change (updfstab)
-allow fsadm_t kernel_t:system syslog_console;
-
-# Access terminals.
-can_access_pty(fsadm_t, initrc)
-allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-allow fsadm_t privfd:fd use;
-
-read_locale(fsadm_t)
-
-# for smartctl cron jobs
-system_crond_entry(fsadm_exec_t, fsadm_t)
-
-# Access to /initrd devices
-allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
-allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
-allow fsadm_t usbfs_t:dir { getattr search };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
-allow fsadm_t device_type:chr_file getattr;
-
-# for tune2fs
-allow fsadm_t file_type:dir { getattr search };
diff --git a/mls/domains/program/ftpd.te b/mls/domains/program/ftpd.te
deleted file mode 100644
index b20252bd..00000000
--- a/mls/domains/program/ftpd.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Ftpd - Ftp daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
-#
-
-#################################
-#
-# Rules for the ftpd_t domain
-#
-daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
-etc_domain(ftpd)
-
-can_network(ftpd_t)
-allow ftpd_t port_type:tcp_socket name_connect;
-allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow ftpd_t self:unix_stream_socket create_socket_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
-allow ftpd_t self:fifo_file rw_file_perms;
-
-allow ftpd_t bin_t:dir search;
-can_exec(ftpd_t, bin_t)
-allow ftpd_t bin_t:lnk_file read;
-read_sysctl(ftpd_t)
-
-allow ftpd_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`crond.te', `
-system_crond_entry(ftpd_exec_t, ftpd_t)
-allow system_crond_t xferlog_t:file r_file_perms;
-can_exec(ftpd_t, { sbin_t shell_exec_t })
-allow ftpd_t usr_t:file { getattr read };
-ifdef(`logrotate.te', `
-can_exec(ftpd_t, logrotate_exec_t)
-')dnl end if logrotate.te
-')dnl end if crond.te
-
-allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
-allow ftpd_t port_t:tcp_socket name_bind;
-
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
-type ftpd_lock_t, file_type, sysadmfile, lockfile;
-
-# Allow ftpd to run directly without inetd.
-bool ftpd_is_daemon false;
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
-allow ftpd_t ftp_port_t:tcp_socket name_bind;
-can_tcp_connect(userdomain, ftpd_t)
-# Allows it to check exec privs on daemon
-allow inetd_t ftpd_exec_t:file x_file_perms;
-}
-ifdef(`inetd.te', `
-if (!ftpd_is_daemon) {
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-
-# Use sockets inherited from inetd.
-allow ftpd_t inetd_t:fd use;
-allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Send SIGCHLD to inetd on death.
-allow ftpd_t inetd_t:process sigchld;
-}
-') dnl end inetd.te
-
-# Access shared memory tmpfs instance.
-tmpfs_domain(ftpd)
-
-# Use capabilities.
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-# Append to /var/log/wtmp.
-allow ftpd_t wtmp_t:file { getattr append };
-#kerberized ftp requires the following
-allow ftpd_t wtmp_t:file { write lock };
-
-# Create and modify /var/log/xferlog.
-type xferlog_t, file_type, sysadmfile, logfile;
-file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
-
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-can_exec(ftpd_t, ls_exec_t)
-
-allow initrc_t ftpd_etc_t:file { getattr read };
-allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ftpd_t proc_t:file { getattr read };
-
-dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t autofs_t:dir search;
-allow ftpd_t self:file { getattr read };
-tmp_domain(ftpd)
-
-# Allow ftp to read/write files in the user home directories.
-bool ftp_home_dir false;
-
-if (ftp_home_dir) {
-# allow access to /home
-allow ftpd_t home_root_t:dir r_dir_perms;
-create_dir_file(ftpd_t, home_type)
-ifdef(`targeted_policy', `
-file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
-')
-}
-if (use_nfs_home_dirs && ftp_home_dir) {
- r_dir_file(ftpd_t, nfs_t)
-}
-if (use_samba_home_dirs && ftp_home_dir) {
- r_dir_file(ftpd_t, cifs_t)
-}
-dontaudit ftpd_t selinux_config_t:dir search;
-anonymous_domain(ftpd)
-
diff --git a/mls/domains/program/getty.te b/mls/domains/program/getty.te
deleted file mode 100644
index 8101b493..00000000
--- a/mls/domains/program/getty.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Getty - Manage ttys
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
-#
-
-#################################
-#
-# Rules for the getty_t domain.
-#
-init_service_domain(getty, `, privfd, privmail, mlsfileread, mlsfilewrite')
-
-etcdir_domain(getty)
-
-allow getty_t console_device_t:chr_file setattr;
-
-tmp_domain(getty)
-log_domain(getty)
-
-allow getty_t { etc_t etc_runtime_t }:file { getattr read };
-allow getty_t etc_t:lnk_file read;
-allow getty_t self:process { getpgid getsession };
-allow getty_t self:unix_dgram_socket create_socket_perms;
-allow getty_t self:unix_stream_socket create_socket_perms;
-
-# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-
-read_locale(getty_t)
-
-# Run login in local_login_t domain.
-allow getty_t { sbin_t bin_t }:dir search;
-domain_auto_trans(getty_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow getty_t { var_t var_run_t }:dir search;
-allow getty_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow getty_t wtmp_t:file rw_file_perms;
-
-# Chown, chmod, read and write ttys.
-allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
-allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
-
-# for error condition handling
-allow getty_t fs_t:filesystem getattr;
-
-lock_domain(getty)
-r_dir_file(getty_t, sysfs_t)
-# for mgetty
-var_run_domain(getty)
-allow getty_t self:capability { fowner fsetid };
-
-#
-# getty needs to be able to run pppd
-#
-ifdef(`pppd.te', `
-domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
-')
diff --git a/mls/domains/program/gpg-agent.te b/mls/domains/program/gpg-agent.te
deleted file mode 100644
index 2942c6c7..00000000
--- a/mls/domains/program/gpg-agent.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC gpg-agent - agent to securely store gpg-keys
-#
-# Author: Thomas Bleher
-#
-
-# Type for the gpg-agent executable.
-type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
-
-# type for the pinentry executable
-type pinentry_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the gpg_agent_domain macro in
-# macros/program/gpg_agent_macros.te.
diff --git a/mls/domains/program/gpg.te b/mls/domains/program/gpg.te
deleted file mode 100644
index b9cadb5f..00000000
--- a/mls/domains/program/gpg.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC GPG - Gnu Privacy Guard (PGP replacement)
-#
-# Authors: Russell Coker
-# X-Debian-Packages: gnupg
-#
-
-# Type for gpg or pgp executables.
-type gpg_exec_t, file_type, sysadmfile, exec_type;
-type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
-
-allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
-allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
-
-# Everything else is in the gpg_domain macro in
-# macros/program/gpg_macros.te.
diff --git a/mls/domains/program/gpm.te b/mls/domains/program/gpm.te
deleted file mode 100644
index ff81d697..00000000
--- a/mls/domains/program/gpm.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC Gpm - General Purpose Mouse driver
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: gpm
-#
-
-#################################
-#
-# Rules for the gpm_t domain.
-#
-# gpm_t is the domain of the console mouse server.
-# gpm_exec_t is the type of the console mouse server program.
-# gpmctl_t is the type of the Unix domain socket or pipe created
-# by the console mouse server.
-#
-daemon_domain(gpm)
-
-type gpmctl_t, file_type, sysadmfile, dev_fs;
-
-tmp_domain(gpm)
-
-# Allow to read the /etc/gpm/ conf files
-type gpm_conf_t, file_type, sysadmfile;
-r_dir_file(gpm_t, gpm_conf_t)
-
-# Use capabilities.
-allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
-
-# Create and bind to /dev/gpmctl.
-file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
-allow gpm_t gpmctl_t:unix_stream_socket name_bind;
-allow gpm_t self:unix_dgram_socket create_socket_perms;
-allow gpm_t self:unix_stream_socket create_stream_socket_perms;
-
-# Read and write ttys.
-allow gpm_t tty_device_t:chr_file rw_file_perms;
-
-# Access the mouse.
-allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
-allow gpm_t device_t:lnk_file { getattr read };
-
-read_locale(gpm_t)
-
-allow initrc_t gpmctl_t:sock_file setattr;
-
diff --git a/mls/domains/program/hald.te b/mls/domains/program/hald.te
deleted file mode 100644
index a51709a2..00000000
--- a/mls/domains/program/hald.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#DESC hald - server for device info
-#
-# Author: Russell Coker
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the hald_t domain.
-#
-# hald_exec_t is the type of the hald executable.
-#
-daemon_domain(hald, `, fs_domain, nscd_client_domain')
-
-can_exec_any(hald_t)
-
-allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow hald_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
-dbusd_client(system, hald)
-allow hald_t self:dbus send_msg;
-')
-
-allow hald_t self:file { getattr read };
-allow hald_t proc_t:file rw_file_perms;
-
-allow hald_t { bin_t sbin_t }:dir search;
-allow hald_t self:fifo_file rw_file_perms;
-allow hald_t usr_t:file { getattr read };
-allow hald_t bin_t:file getattr;
-
-# For backwards compatibility with older kernels
-allow hald_t self:netlink_socket create_socket_perms;
-
-allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
-can_network_server(hald_t)
-can_ypbind(hald_t)
-
-allow hald_t device_t:lnk_file read;
-allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
-allow hald_t removable_device_t:blk_file write;
-allow hald_t event_device_t:chr_file { getattr read ioctl };
-allow hald_t printer_device_t:chr_file rw_file_perms;
-allow hald_t urandom_device_t:chr_file read;
-allow hald_t mouse_device_t:chr_file r_file_perms;
-allow hald_t device_type:chr_file getattr;
-
-can_getsecurity(hald_t)
-
-ifdef(`updfstab.te', `
-domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
-allow updfstab_t hald_t:dbus send_msg;
-allow hald_t updfstab_t:dbus send_msg;
-')
-ifdef(`udev.te', `
-domain_auto_trans(hald_t, udev_exec_t, udev_t)
-allow udev_t hald_t:unix_dgram_socket sendto;
-allow hald_t udev_tbl_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(hald_t, hotplug_etc_t)
-')
-allow hald_t fs_type:dir { search getattr };
-allow hald_t usbfs_t:dir r_dir_perms;
-allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
-allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
-allow hald_t initrc_t:dbus send_msg;
-allow initrc_t hald_t:dbus send_msg;
-allow hald_t etc_runtime_t:file rw_file_perms;
-allow hald_t var_lib_t:dir search;
-allow hald_t device_t:dir create_dir_perms;
-allow hald_t device_t:chr_file create_file_perms;
-tmp_domain(hald)
-allow hald_t mnt_t:dir search;
-r_dir_file(hald_t, proc_net_t)
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
-
-# For /usr/libexec/hald-probe-smbios
-domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
-
-# ??
-ifdef(`lvm.te', `
-allow hald_t lvm_control_t:chr_file r_file_perms;
-')
-ifdef(`targeted_policy', `
-allow unconfined_t hald_t:dbus send_msg;
-allow hald_t unconfined_t:dbus send_msg;
-')
-ifdef(`mount.te', `
-domain_auto_trans(hald_t, mount_exec_t, mount_t)
-')
-r_dir_file(hald_t, hwdata_t)
diff --git a/mls/domains/program/hostname.te b/mls/domains/program/hostname.te
deleted file mode 100644
index 2138baf5..00000000
--- a/mls/domains/program/hostname.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC hostname - show or set the system host name
-#
-# Author: Russell Coker
-# X-Debian-Packages: hostname
-
-# for setting the hostname
-daemon_core_rules(hostname, , nosysadm)
-allow hostname_t self:capability sys_admin;
-allow hostname_t etc_t:file { getattr read };
-
-allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-read_locale(hostname_t)
-can_resolve(hostname_t)
-allow hostname_t userdomain:fd use;
-dontaudit hostname_t kernel_t:fd use;
-allow hostname_t net_conf_t:file { getattr read };
-allow hostname_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit hostname_t var_t:dir search;
-allow hostname_t fs_t:filesystem getattr;
-
-# for when /usr is not mounted
-dontaudit hostname_t file_t:dir search;
-
-ifdef(`distro_redhat', `
-allow hostname_t tmpfs_t:chr_file rw_file_perms;
-')
-can_access_pty(hostname_t, initrc)
-allow hostname_t initrc_t:fd use;
diff --git a/mls/domains/program/hotplug.te b/mls/domains/program/hotplug.te
deleted file mode 100644
index d966b4b6..00000000
--- a/mls/domains/program/hotplug.te
+++ /dev/null
@@ -1,160 +0,0 @@
-#DESC Hotplug - Hardware event manager
-#
-# Author: Russell Coker
-# X-Debian-Packages: hotplug
-#
-
-#################################
-#
-# Rules for the hotplug_t domain.
-#
-# hotplug_exec_t is the type of the hotplug executable.
-#
-ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
-', `
-daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain')
-')
-
-etcdir_domain(hotplug)
-
-allow hotplug_t self:fifo_file { read write getattr ioctl };
-allow hotplug_t self:unix_dgram_socket create_socket_perms;
-allow hotplug_t self:unix_stream_socket create_socket_perms;
-allow hotplug_t self:udp_socket create_socket_perms;
-
-read_sysctl(hotplug_t)
-allow hotplug_t sysctl_net_t:dir r_dir_perms;
-allow hotplug_t sysctl_net_t:file { getattr read };
-
-# get info from /proc
-r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read ioctl };
-
-allow hotplug_t devtty_t:chr_file rw_file_perms;
-
-allow hotplug_t device_t:dir r_dir_perms;
-
-# for SSP
-allow hotplug_t urandom_device_t:chr_file read;
-
-allow hotplug_t { bin_t sbin_t }:dir search;
-allow hotplug_t { bin_t sbin_t }:lnk_file read;
-can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-ifdef(`netutils.te', `
-ifdef(`distro_redhat', `
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
-
-allow hotplug_t tmpfs_t:dir search;
-allow hotplug_t tmpfs_t:chr_file rw_file_perms;
-')dnl end if distro_redhat
-')dnl end if netutils.te
-
-allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read ioctl };
-r_dir_file(hotplug_t, usbdevfs_t)
-allow hotplug_t usbfs_t:dir r_dir_perms;
-allow hotplug_t usbfs_t:file { getattr read };
-
-# read config files
-allow hotplug_t etc_t:dir r_dir_perms;
-allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
-
-allow hotplug_t kernel_t:process { sigchld setpgid };
-
-ifdef(`distro_redhat', `
-allow hotplug_t var_lock_t:dir search;
-allow hotplug_t var_lock_t:file getattr;
-')
-
-ifdef(`hald.te', `
-allow hotplug_t hald_t:unix_dgram_socket sendto;
-allow hald_t hotplug_etc_t:dir search;
-allow hald_t hotplug_etc_t:file { getattr read };
-')
-
-# for killall
-allow hotplug_t self:process { getsession getattr };
-allow hotplug_t self:file getattr;
-
-domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
-ifdef(`mount.te', `
-domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
-')
-domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`updfstab.te', `
-domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
-')
-
-# init scripts run /etc/hotplug/usb.rc
-domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
-allow initrc_t hotplug_etc_t:dir r_dir_perms;
-
-ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
-
-r_dir_file(hotplug_t, modules_object_t)
-allow hotplug_t modules_dep_t:file { getattr read ioctl };
-
-# for lsmod
-dontaudit hotplug_t self:capability { sys_module sys_admin };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit hotplug_t self:capability { dac_override dac_read_search };
-
-ifdef(`fsadm.te', `
-domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
-')
-
-allow hotplug_t var_log_t:dir search;
-
-# for ps
-dontaudit hotplug_t domain:dir { getattr search };
-dontaudit hotplug_t { init_t kernel_t }:file read;
-ifdef(`initrc.te', `
-can_ps(hotplug_t, initrc_t)
-')
-
-# for when filesystems are not mounted early in the boot
-dontaudit hotplug_t file_t:dir { search getattr };
-
-# kernel threads inherit from shared descriptor table used by init
-dontaudit hotplug_t initctl_t:fifo_file { read write };
-
-# Read /usr/lib/gconv/.*
-allow hotplug_t lib_t:file { getattr read };
-
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-allow hotplug_t sysfs_t:dir { getattr read search write };
-allow hotplug_t sysfs_t:file rw_file_perms;
-allow hotplug_t sysfs_t:lnk_file { getattr read };
-r_dir_file(hotplug_t, hwdata_t)
-allow hotplug_t udev_runtime_t:file rw_file_perms;
-ifdef(`lpd.te', `
-allow hotplug_t printer_device_t:chr_file setattr;
-')
-allow hotplug_t fixed_disk_device_t:blk_file setattr;
-allow hotplug_t removable_device_t:blk_file setattr;
-allow hotplug_t sound_device_t:chr_file setattr;
-
-ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-')
-
-file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
-
-can_network_server(hotplug_t)
-can_ypbind(hotplug_t)
-dbusd_client(system, hotplug)
-
-# Allow hotplug (including /sbin/ifup-local) to start/stop services
-domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
-
-allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
-allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
-
-dontaudit hotplug_t selinux_config_t:dir search;
diff --git a/mls/domains/program/howl.te b/mls/domains/program/howl.te
deleted file mode 100644
index ccb2fb1f..00000000
--- a/mls/domains/program/howl.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC howl - port of Apple Rendezvous multicast DNS
-#
-# Author: Russell Coker
-#
-
-daemon_domain(howl, `, privsysmod')
-r_dir_file(howl_t, proc_net_t)
-can_network_server(howl_t)
-can_ypbind(howl_t)
-allow howl_t self:unix_dgram_socket create_socket_perms;
-allow howl_t self:capability { kill net_admin sys_module };
-
-allow howl_t self:fifo_file rw_file_perms;
-
-allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow howl_t self:unix_dgram_socket create_socket_perms;
-
-allow howl_t etc_t:file { getattr read };
-allow howl_t initrc_var_run_t:file rw_file_perms;
-
diff --git a/mls/domains/program/hwclock.te b/mls/domains/program/hwclock.te
deleted file mode 100644
index e8beb31e..00000000
--- a/mls/domains/program/hwclock.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC Hwclock - Hardware clock manager
-#
-# Author: David A. Wheeler
-# Russell Coker
-# X-Debian-Packages: util-linux
-#
-
-#################################
-#
-# Rules for the hwclock_t domain.
-# This domain moves time information between the "hardware clock"
-# (which runs when the system is off) and the "system clock",
-# and it stores adjustment values in /etc/adjtime so that errors in the
-# hardware clock are corrected.
-# Note that any errors from this domain are NOT recorded by the system logger,
-# because the system logger isnt running when this domain is active.
-#
-daemon_base_domain(hwclock)
-role sysadm_r types hwclock_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
-')
-type adjtime_t, file_type, sysadmfile;
-
-allow hwclock_t fs_t:filesystem getattr;
-
-read_locale(hwclock_t)
-
-# Give hwclock the capabilities it requires. dac_override is a surprise,
-# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
-
-# Allow hwclock to set the hardware clock.
-allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
-
-# Allow hwclock to store & retrieve correction factors.
-allow hwclock_t adjtime_t:file { setattr rw_file_perms };
-
-# Read and write console and ttys.
-allow hwclock_t tty_device_t:chr_file rw_file_perms;
-allow hwclock_t ttyfile:chr_file rw_file_perms;
-allow hwclock_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
-
-read_locale(hwclock_t)
-
-# for when /usr is not mounted
-dontaudit hwclock_t file_t:dir search;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-r_dir_file(hwclock_t, etc_t)
diff --git a/mls/domains/program/i18n_input.te b/mls/domains/program/i18n_input.te
deleted file mode 100644
index cdff6cac..00000000
--- a/mls/domains/program/i18n_input.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# i18n_input.te
-# Security Policy for IIIMF htt server
-# Date: 2004, 12th April (Monday)
-
-# Establish i18n_input as a daemon
-daemon_domain(i18n_input)
-
-can_exec(i18n_input_t, i18n_input_exec_t)
-can_network(i18n_input_t)
-allow i18n_input_t port_type:tcp_socket name_connect;
-can_ypbind(i18n_input_t)
-
-can_tcp_connect(userdomain, i18n_input_t)
-can_unix_connect(i18n_input_t, initrc_t)
-
-allow i18n_input_t self:fifo_file rw_file_perms;
-allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
-
-allow i18n_input_t self:capability { kill setgid setuid };
-allow i18n_input_t self:process { setsched setpgid };
-
-allow i18n_input_t { bin_t sbin_t }:dir search;
-can_exec(i18n_input_t, bin_t)
-
-allow i18n_input_t etc_t:file r_file_perms;
-allow i18n_input_t self:unix_dgram_socket create_socket_perms;
-allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
-allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
-allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-allow i18n_input_t usr_t:file { getattr read };
-allow i18n_input_t home_root_t:dir search;
-allow i18n_input_t etc_runtime_t:file { getattr read };
-allow i18n_input_t proc_t:file { getattr read };
diff --git a/mls/domains/program/ifconfig.te b/mls/domains/program/ifconfig.te
deleted file mode 100644
index 6cccc32d..00000000
--- a/mls/domains/program/ifconfig.te
+++ /dev/null
@@ -1,74 +0,0 @@
-#DESC Ifconfig - Configure network interfaces
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: net-tools
-#
-
-#################################
-#
-# Rules for the ifconfig_t domain.
-#
-# ifconfig_t is the domain for the ifconfig program.
-# ifconfig_exec_t is the type of the corresponding program.
-#
-type ifconfig_t, domain, privlog, privmodule;
-type ifconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types ifconfig_t;
-role sysadm_r types ifconfig_t;
-
-uses_shlib(ifconfig_t)
-general_domain_access(ifconfig_t)
-
-domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-')
-
-# for /sbin/ip
-allow ifconfig_t self:packet_socket create_socket_perms;
-allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
-allow ifconfig_t self:tcp_socket { create ioctl };
-allow ifconfig_t etc_t:file { getattr read };
-
-allow ifconfig_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow ifconfig_t self:capability { net_raw net_admin };
-dontaudit ifconfig_t self:capability sys_module;
-allow ifconfig_t self:capability sys_tty_config;
-
-# Inherit and use descriptors from init.
-allow ifconfig_t { kernel_t init_t }:fd use;
-
-# Access /proc
-r_dir_file(ifconfig_t, proc_t)
-r_dir_file(ifconfig_t, proc_net_t)
-
-allow ifconfig_t privfd:fd use;
-allow ifconfig_t run_init_t:fd use;
-
-# Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket create_socket_perms;
-
-# Access terminals.
-can_access_pty(ifconfig_t, initrc)
-allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-
-allow ifconfig_t tun_tap_device_t:chr_file { read write };
-
-# ifconfig attempts to search some sysctl entries.
-# Do not audit those attempts; comment out these rules if it is desired to
-# see the denials.
-allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-
-allow ifconfig_t fs_t:filesystem getattr;
-
-read_locale(ifconfig_t)
-allow ifconfig_t lib_t:file { getattr read };
-
-rhgb_domain(ifconfig_t)
-allow ifconfig_t userdomain:fd use;
-dontaudit ifconfig_t root_t:file read;
-r_dir_file(ifconfig_t, sysfs_t)
diff --git a/mls/domains/program/inetd.te b/mls/domains/program/inetd.te
deleted file mode 100644
index 5c88ab35..00000000
--- a/mls/domains/program/inetd.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Inetd - Internet services daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# re-written with daemon_domain by Russell Coker
-# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
-#
-
-#################################
-#
-# Rules for the inetd_t domain and
-# the inetd_child_t domain.
-#
-
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
-
-can_network(inetd_t)
-allow inetd_t port_type:tcp_socket name_connect;
-allow inetd_t self:unix_dgram_socket create_socket_perms;
-allow inetd_t self:unix_stream_socket create_socket_perms;
-allow inetd_t self:fifo_file rw_file_perms;
-allow inetd_t etc_t:file { getattr read ioctl };
-allow inetd_t self:process setsched;
-
-log_domain(inetd)
-tmp_domain(inetd)
-
-# Use capabilities.
-allow inetd_t self:capability { setuid setgid net_bind_service };
-
-# allow any domain to connect to inetd
-can_tcp_connect(userdomain, inetd_t)
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to the individual target domain .te files.
-
-# Run other daemons in the inetd_child_t domain.
-allow inetd_t { bin_t sbin_t }:dir search;
-allow inetd_t sbin_t:lnk_file read;
-
-# Bind to the telnet, ftp, rlogin and rsh ports.
-ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
-ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
-allow inetd_t auth_port_t:tcp_socket name_bind;
-# Communicate with the portmapper.
-ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
-
-
-inetd_child_domain(inetd_child)
-allow inetd_child_t proc_net_t:dir search;
-allow inetd_child_t proc_net_t:file { getattr read };
-
-ifdef(`unconfined.te', `
-domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
-')
-
-ifdef(`unlimitedInetd', `
-unconfined_domain(inetd_t)
-')
-
diff --git a/mls/domains/program/init.te b/mls/domains/program/init.te
deleted file mode 100644
index dc5c0508..00000000
--- a/mls/domains/program/init.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sysvinit
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_t is the domain of the init process.
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created
-# by init during initialization. This pipe is used
-# to communicate with init.
-#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
-role system_r types init_t;
-uses_shlib(init_t);
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# for init to determine whether SE Linux is active so it can know whether to
-# activate it
-allow init_t security_t:dir search;
-allow init_t security_t:file { getattr read };
-
-# for mount points
-allow init_t file_t:dir search;
-
-# Use capabilities.
-allow init_t self:capability ~sys_module;
-
-# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
-domain_auto_trans(init_t, initrc_exec_t, initrc_t)
-
-# Run the shell in the sysadm_t domain for single-user mode.
-domain_auto_trans(init_t, shell_exec_t, sysadm_t)
-
-# Run /sbin/update in the init_t domain.
-can_exec(init_t, sbin_t)
-
-# Run init.
-can_exec(init_t, init_exec_t)
-
-# Run chroot from initrd scripts.
-ifdef(`chroot.te', `
-can_exec(init_t, chroot_exec_t)
-')
-
-# Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
-ifdef(`distro_redhat', `
-file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
-')
-
-# Create ioctl.save.
-file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache
-allow init_t ld_so_cache_t:file rw_file_perms;
-
-# Allow access to log files
-allow init_t var_t:dir search;
-allow init_t var_log_t:dir search;
-allow init_t var_log_t:file rw_file_perms;
-
-read_locale(init_t)
-
-# Create unix sockets
-allow init_t self:unix_dgram_socket create_socket_perms;
-allow init_t self:unix_stream_socket create_socket_perms;
-allow init_t self:fifo_file rw_file_perms;
-
-# Permissions required for system startup
-allow init_t { bin_t sbin_t }:dir r_dir_perms;
-allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
-
-# allow init to fork
-allow init_t self:process { fork sigchld };
-
-# Modify utmp.
-allow init_t var_run_t:file rw_file_perms;
-allow init_t initrc_var_run_t:file { setattr rw_file_perms };
-can_unix_connect(init_t, initrc_t)
-
-# For /var/run/shutdown.pid.
-var_run_domain(init)
-
-# Shutdown permissions
-r_dir_file(init_t, proc_t)
-r_dir_file(init_t, self)
-allow init_t devpts_t:dir r_dir_perms;
-
-# Modify wtmp.
-allow init_t wtmp_t:file rw_file_perms;
-
-# Kill all processes.
-allow init_t domain:process signal_perms;
-
-# Allow all processes to send SIGCHLD to init.
-allow domain init_t:process { sigchld signull };
-
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-allow unlabeled_t init_t:process sigchld;
-
-# for loading policy
-allow init_t policy_config_t:file r_file_perms;
-
-# Set booleans.
-can_setbool(init_t)
-
-# Read and write the console and ttys.
-allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
-ifdef(`distro_redhat', `
-allow init_t tmpfs_t:chr_file rw_file_perms;
-')
-allow init_t ttyfile:chr_file rw_file_perms;
-allow init_t ptyfile:chr_file rw_file_perms;
-
-# Run system executables.
-can_exec(init_t,bin_t)
-ifdef(`consoletype.te', `
-can_exec(init_t, consoletype_exec_t)
-')
-
-# Run /etc/X11/prefdm.
-can_exec(init_t,etc_t)
-
-allow init_t lib_t:file { getattr read };
-
-allow init_t devtty_t:chr_file { read write };
-allow init_t ramfs_t:dir search;
-allow init_t ramfs_t:sock_file write;
-r_dir_file(init_t, sysfs_t)
-
-r_dir_file(init_t, selinux_config_t)
-
-# file descriptors inherited from the rootfs.
-dontaudit init_t root_t:{ file chr_file } { read write };
-ifdef(`targeted_policy', `
-unconfined_domain(init_t)
-')
-
diff --git a/mls/domains/program/initrc.te b/mls/domains/program/initrc.te
deleted file mode 100644
index 683e1e3c..00000000
--- a/mls/domains/program/initrc.te
+++ /dev/null
@@ -1,346 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sysvinit policycoreutils
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_t is the domain of the init rc scripts.
-# initrc_exec_t is the type of the init program.
-#
-# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite, privrangetrans;
-
-role system_r types initrc_t;
-uses_shlib(initrc_t);
-can_network(initrc_t)
-allow initrc_t port_type:tcp_socket name_connect;
-can_ypbind(initrc_t)
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-
-# for halt to down interfaces
-allow initrc_t self:udp_socket create_socket_perms;
-
-# read files in /etc/init.d
-allow initrc_t etc_t:lnk_file r_file_perms;
-
-read_locale(initrc_t)
-
-r_dir_file(initrc_t, usr_t)
-
-# Read system information files in /proc.
-r_dir_file(initrc_t, { proc_t proc_net_t })
-allow initrc_t proc_mdstat_t:file { getattr read };
-
-# Allow IPC with self
-allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow initrc_t self:fifo_file rw_file_perms;
-
-# Read the root directory of a usbdevfs filesystem, and
-# the devices and drivers files. Permit stating of the
-# device nodes, but nothing else.
-allow initrc_t usbdevfs_t:dir r_dir_perms;
-allow initrc_t usbdevfs_t:lnk_file r_file_perms;
-allow initrc_t usbdevfs_t:file getattr;
-allow initrc_t usbfs_t:dir r_dir_perms;
-allow initrc_t usbfs_t:file getattr;
-
-# allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
-
-# Can create ptys for open_init_pty
-can_create_pty(initrc)
-
-tmp_domain(initrc)
-#
-# Some initscripts generate scripts that they need to execute (ldap)
-#
-can_exec(initrc_t, initrc_tmp_t)
-
-var_run_domain(initrc)
-allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
-allow initrc_t var_run_t:dir { create rmdir };
-
-ifdef(`distro_debian', `
-allow initrc_t { etc_t device_t }:dir setattr;
-
-# for storing state under /dev/shm
-allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
-')
-
-allow initrc_t framebuf_device_t:chr_file r_file_perms;
-
-# Use capabilities.
-allow initrc_t self:capability ~{ sys_admin sys_module };
-
-# Use system operations.
-allow initrc_t kernel_t:system *;
-
-# Set values in /proc/sys.
-can_sysctl(initrc_t)
-
-# Run helper programs in the initrc_t domain.
-allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
-allow initrc_t {bin_t sbin_t }:lnk_file read;
-can_exec(initrc_t, etc_t)
-can_exec(initrc_t, lib_t)
-can_exec(initrc_t, bin_t)
-can_exec(initrc_t, sbin_t)
-can_exec(initrc_t, exec_type)
-#
-# These rules are here to allow init scripts to su
-#
-ifdef(`su.te', `
-su_restricted_domain(initrc,system)
-role system_r types initrc_su_t;
-')
-allow initrc_t self:passwd rootok;
-
-# read /lib/modules
-allow initrc_t modules_object_t:dir { search read };
-
-# Read conf.modules.
-allow initrc_t modules_conf_t:file r_file_perms;
-
-# Run other rc scripts in the initrc_t domain.
-can_exec(initrc_t, initrc_exec_t)
-
-# Run init (telinit) in the initrc_t domain.
-can_exec(initrc_t, init_exec_t)
-
-# Communicate with the init process.
-allow initrc_t initctl_t:fifo_file rw_file_perms;
-
-# Read /proc/PID directories for all domains.
-r_dir_file(initrc_t, domain)
-allow initrc_t domain:process { getattr getsession };
-
-# Mount and unmount file systems.
-allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t file_t:dir { read search getattr mounton };
-
-# during boot up initrc needs to do the following
-allow initrc_t default_t:dir { write read search getattr mounton };
-
-# rhgb-console writes to ramfs
-allow initrc_t ramfs_t:fifo_file write;
-
-# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
-file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache.
-allow initrc_t ld_so_cache_t:file rw_file_perms;
-
-# Update /var/log/wtmp and /var/log/dmesg.
-allow initrc_t wtmp_t:file { setattr rw_file_perms };
-allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file create_file_perms;
-allow initrc_t lastlog_t:file { setattr rw_file_perms };
-allow initrc_t logfile:file { read append };
-
-# remove old locks
-allow initrc_t lockfile:dir rw_dir_perms;
-allow initrc_t lockfile:file { getattr unlink };
-
-# Access /var/lib/random-seed.
-allow initrc_t var_lib_t:file rw_file_perms;
-allow initrc_t var_lib_t:file unlink;
-
-# Create lock file.
-allow initrc_t var_lock_t:dir create_dir_perms;
-allow initrc_t var_lock_t:file create_file_perms;
-
-# Set the clock.
-allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
-
-# Kill all processes.
-allow initrc_t domain:process signal_perms;
-
-# Write to /dev/urandom.
-allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
-
-# for cryptsetup
-allow initrc_t fixed_disk_device_t:blk_file getattr;
-
-# Set device ownerships/modes.
-allow initrc_t framebuf_device_t:chr_file setattr;
-allow initrc_t misc_device_t:devfile_class_set setattr;
-allow initrc_t device_t:devfile_class_set setattr;
-allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
-allow initrc_t removable_device_t:devfile_class_set setattr;
-allow initrc_t device_t:lnk_file read;
-allow initrc_t xconsole_device_t:fifo_file setattr;
-
-# Stat any file.
-allow initrc_t file_type:notdevfile_class_set getattr;
-allow initrc_t file_type:dir { search getattr };
-
-# Read and write console and ttys.
-allow initrc_t devtty_t:chr_file rw_file_perms;
-allow initrc_t console_device_t:chr_file rw_file_perms;
-allow initrc_t tty_device_t:chr_file rw_file_perms;
-allow initrc_t ttyfile:chr_file rw_file_perms;
-allow initrc_t ptyfile:chr_file rw_file_perms;
-
-# Reset tty labels.
-allow initrc_t ttyfile:chr_file relabelfrom;
-allow initrc_t tty_device_t:chr_file relabelto;
-
-ifdef(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file rw_file_perms;
-file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
-
-allow initrc_t tmpfs_t:chr_file rw_file_perms;
-allow initrc_t tmpfs_t:dir r_dir_perms;
-
-# Allow initrc domain to set the enforcing flag.
-can_setenforce(initrc_t)
-
-#
-# readahead asks for these
-#
-allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t var_lib_nfs_t:file { getattr read };
-
-# for /halt /.autofsck and other flag files
-file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
-
-file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
-allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
-allow initrc_t self:capability sys_admin;
-allow initrc_t device_t:dir create;
-# wants to delete /poweroff and other files
-allow initrc_t root_t:file unlink;
-# wants to read /.fonts directory
-allow initrc_t default_t:file { getattr read };
-ifdef(`xserver.te', `
-# wants to cleanup xserver log dir
-allow initrc_t xserver_log_t:dir rw_dir_perms;
-allow initrc_t xserver_log_t:file unlink;
-')
-')dnl end distro_redhat
-
-allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-allow initrc_t var_spool_t:file rw_file_perms;
-
-# Allow access to the sysadm TTYs. Note that this will give access to the
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow initrc_t admin_tty_type:chr_file rw_file_perms;
-
-# Access sound device and files.
-allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-
-# Read user home directories.
-allow initrc_t { home_root_t home_type }:dir r_dir_perms;
-allow initrc_t home_type:file r_file_perms;
-
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
-# for system start scripts
-allow initrc_t pidfile:dir { rmdir rw_dir_perms };
-allow initrc_t pidfile:sock_file unlink;
-
-rw_dir_create_file(initrc_t, var_lib_t)
-
-# allow start scripts to clean /tmp
-allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
-allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
-
-# for lsof which is used by alsa shutdown
-dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit initrc_t proc_kmsg_t:file getattr;
-
-#################################
-#
-# Rules for the run_init_t domain.
-#
-ifdef(`targeted_policy', `
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-type run_init_t, domain;
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-typeattribute initrc_t privuser;
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-allow initrc_t unconfined_t:system syslog_mod;
-', `
-run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
-')
-allow initrc_t privfd:fd use;
-
-# Transition to system_r:initrc_t upon executing init scripts.
-ifdef(`direct_sysadm_daemon', `
-role_transition sysadm_r initrc_exec_t system_r;
-domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
-ifdef(`mls_policy', `
-typeattribute initrc_t mlsrangetrans;
-range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;
-')
-')
-
-#
-# Shutting down xinet causes these
-#
-# Fam
-dontaudit initrc_t device_t:dir { read write };
-# Rsync
-dontaudit initrc_t mail_spool_t:lnk_file read;
-
-allow initrc_t sysfs_t:dir { getattr read search };
-allow initrc_t sysfs_t:file { getattr read write };
-allow initrc_t sysfs_t:lnk_file { getattr read };
-allow initrc_t udev_runtime_t:file rw_file_perms;
-allow initrc_t device_type:chr_file setattr;
-allow initrc_t binfmt_misc_fs_t:dir { getattr search };
-allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-
-# for lsof in shutdown scripts
-can_kerberos(initrc_t)
-
-#
-# Wants to remove udev.tbl
-#
-allow initrc_t device_t:dir rw_dir_perms;
-allow initrc_t device_t:lnk_file unlink;
-
-r_dir_file(initrc_t,selinux_config_t)
-
-ifdef(`unlimitedRC', `
-unconfined_domain(initrc_t)
-')
-#
-# initrc script does a cat /selinux/enforce
-#
-allow initrc_t security_t:dir { getattr search };
-allow initrc_t security_t:file { getattr read };
-
-# init script state
-type initrc_state_t, file_type, sysadmfile;
-create_dir_file(initrc_t,initrc_state_t)
-
-ifdef(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-')
-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
-allow initrc_t device_t:lnk_file create_file_perms;
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-')
-
-# Slapd needs to read cert files from its initscript
-r_dir_file(initrc_t, cert_t)
-ifdef(`use_mcs', `
-range_transition sysadm_t initrc_exec_t s0;
-')
diff --git a/mls/domains/program/innd.te b/mls/domains/program/innd.te
deleted file mode 100644
index 25047dfb..00000000
--- a/mls/domains/program/innd.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC INN - InterNetNews server
-#
-# Author: Faye Coker
-# X-Debian-Packages: inn
-#
-################################
-
-# Types for the server port and news spool.
-#
-type news_spool_t, file_type, sysadmfile;
-
-
-# need privmail attribute so innd can access system_mail_t
-daemon_domain(innd, `, privmail')
-
-# allow innd to create files and directories of type news_spool_t
-create_dir_file(innd_t, news_spool_t)
-
-# allow user domains to read files and directories these types
-r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
-
-can_exec(initrc_t, innd_etc_t)
-can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(innd_t, hostname_exec_t)
-')
-
-allow innd_t var_spool_t:dir { getattr search };
-
-can_network(innd_t)
-allow innd_t port_type:tcp_socket name_connect;
-can_ypbind(innd_t)
-
-can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
-allow innd_t self:unix_dgram_socket create_socket_perms;
-allow innd_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(innd_t, self)
-
-allow innd_t self:fifo_file rw_file_perms;
-allow innd_t innd_port_t:tcp_socket name_bind;
-
-allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
-allow innd_t self:process setsched;
-
-allow innd_t { bin_t sbin_t }:dir search;
-allow innd_t usr_t:lnk_file read;
-allow innd_t usr_t:file { getattr read ioctl };
-allow innd_t lib_t:file ioctl;
-allow innd_t etc_t:file { getattr read };
-allow innd_t { proc_t etc_runtime_t }:file { getattr read };
-allow innd_t urandom_device_t:chr_file read;
-
-allow innd_t innd_var_run_t:sock_file create_file_perms;
-
-# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)?
and symbolic links with that type
-etcdir_domain(innd)
-
-# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
-# it can write to
-logdir_domain(innd)
-
-# allow innd read-write directory permissions to /var/lib/news.
-var_lib_domain(innd)
-
-ifdef(`crond.te', `
-system_crond_entry(innd_exec_t, innd_t)
-allow system_crond_t innd_etc_t:file { getattr read };
-rw_dir_create_file(system_crond_t, innd_log_t)
-rw_dir_create_file(system_crond_t, innd_var_run_t)
-')
-
-ifdef(`syslogd.te', `
-allow syslogd_t innd_log_t:dir search;
-allow syslogd_t innd_log_t:file create_file_perms;
-')
-
-allow innd_t self:file { getattr read };
-dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
-allow innd_t bin_t:lnk_file { read };
-allow innd_t sbin_t:lnk_file { read };
diff --git a/mls/domains/program/ipsec.te b/mls/domains/program/ipsec.te
deleted file mode 100644
index ea45a367..00000000
--- a/mls/domains/program/ipsec.te
+++ /dev/null
@@ -1,229 +0,0 @@
-#DESC ipsec - TCP/IP encryption
-#
-# Authors: Mark Westerman mark.westerman@westcam.com
-# massively butchered by paul krumviede
-# further massaged by Chris Vance
-# X-Debian-Packages: freeswan
-#
-########################################
-#
-# Rules for the ipsec_t domain.
-#
-# a domain for things that need access to the PF_KEY socket
-daemon_base_domain(ipsec, `, privlog')
-
-# type for ipsec configuration file(s) - not for keys
-type ipsec_conf_file_t, file_type, sysadmfile;
-
-# type for file(s) containing ipsec keys - RSA or preshared
-type ipsec_key_file_t, file_type, sysadmfile;
-
-# type for runtime files, including pluto.ctl
-# lots of strange stuff for the ipsec_var_run_t - need to check it
-var_run_domain(ipsec)
-
-type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
-type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
-file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
-file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
-file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
-
-allow ipsec_mgmt_t modules_object_t:dir search;
-allow ipsec_mgmt_t modules_object_t:file getattr;
-
-allow ipsec_t self:capability { net_admin net_bind_service };
-allow ipsec_t self:process signal;
-allow ipsec_t etc_t:lnk_file read;
-
-domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
-
-# Inherit and use descriptors from init.
-# allow access (for, e.g., klipsdebug) to console
-allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
-allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
-
-# I do not know where this pesky pipe is...
-allow ipsec_t initrc_t:fifo_file write;
-
-r_dir_file(ipsec_t, ipsec_conf_file_t)
-r_dir_file(ipsec_t, ipsec_key_file_t)
-allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
-rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
-
-allow ipsec_t self:key_socket { create write read setopt };
-
-# for lsof
-allow sysadm_t ipsec_t:key_socket getattr;
-
-# the ipsec wrapper wants to run /usr/bin/logger (should we put
-# it in its own domain?)
-can_exec(ipsec_mgmt_t, bin_t)
-# logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
-
-# also need to run things like whack and shell scripts
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
-can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
-allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-can_exec(ipsec_mgmt_t, shell_exec_t)
-can_exec(ipsec_t, shell_exec_t)
-can_exec(ipsec_t, bin_t)
-can_exec(ipsec_t, ipsec_mgmt_exec_t)
-# now for a icky part...
-# pluto runs an updown script (by calling popen()!); as this is by default
-# a shell script, we need to find a way to make things work without
-# letting all sorts of stuff possibly be run...
-# so try flipping back into the ipsec_mgmt_t domain
-domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
-allow ipsec_mgmt_t ipsec_t:fd use;
-
-# the default updown script wants to run route
-can_exec(ipsec_mgmt_t, sbin_t)
-allow ipsec_mgmt_t sbin_t:lnk_file read;
-allow ipsec_mgmt_t self:capability { net_admin dac_override };
-
-# need access to /proc/sys/net/ipsec/icmp
-allow ipsec_mgmt_t sysctl_t:file write;
-allow ipsec_mgmt_t sysctl_net_t:dir search;
-allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
-
-# whack needs to be able to read/write pluto.ctl
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
-# and it wants to connect to a socket...
-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
-
-# allow system administrator to use the ipsec script to look
-# at things (e.g., ipsec auto --status)
-# probably should create an ipsec_admin role for this kind of thing
-can_exec(sysadm_t, ipsec_mgmt_exec_t)
-allow sysadm_t ipsec_t:unix_stream_socket connectto;
-
-# _realsetup needs to be able to cat /var/run/pluto.pid,
-# run ps on that pid, and delete the file
-allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
-
-allow ipsec_mgmt_t boot_t:dir search;
-allow ipsec_mgmt_t system_map_t:file { read getattr };
-
-# denials when ps tries to search /proc. Do not audit these denials.
-dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
-
-# suppress audit messages about unnecessary socket access
-dontaudit ipsec_mgmt_t domain:key_socket { read write };
-dontaudit ipsec_mgmt_t domain:udp_socket { read write };
-
-# from rbac
-role system_r types { ipsec_t ipsec_mgmt_t };
-
-# from initrc.te
-domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
-domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
-
-
-########## The following rules were added by cvance@tislabs.com ##########
-
-# allow pluto and startup scripts to access /dev/urandom
-allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-# allow pluto to access /proc/net/ipsec_eroute;
-general_proc_read_access(ipsec_t)
-general_proc_read_access(ipsec_mgmt_t)
-
-# allow pluto to search the root directory (not sure why, but mostly harmless)
-# Are these all really necessary?
-allow ipsec_t var_t:dir search;
-allow ipsec_t bin_t:dir search;
-allow ipsec_t device_t:dir { getattr search };
-allow ipsec_mgmt_t device_t:dir { getattr search read };
-dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
-dontaudit ipsec_mgmt_t devpts_t:dir getattr;
-allow ipsec_mgmt_t etc_t:lnk_file read;
-allow ipsec_mgmt_t var_t:dir search;
-allow ipsec_mgmt_t sbin_t:dir search;
-allow ipsec_mgmt_t bin_t:dir search;
-allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
-
-# Startup scripts
-# use libraries
-uses_shlib({ ipsec_t ipsec_mgmt_t })
-# Read and write /dev/tty
-allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
-# fork
-allow ipsec_mgmt_t self:process fork;
-# startup script runs /bin/gawk with a pipe
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
-# read /etc/mtab Why?
-allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
-# read link for /bin/sh
-allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
-
-#
-allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
-
-# Allow read/write access to /var/run/pluto.ctl
-allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
-
-# Pluto needs network access
-can_network_server(ipsec_t)
-can_ypbind(ipsec_t)
-allow ipsec_t self:unix_dgram_socket create_socket_perms;
-
-# for sleep
-allow ipsec_mgmt_t fs_t:filesystem getattr;
-
-# for the start script
-can_exec(ipsec_mgmt_t, etc_t)
-
-# allow access to /etc/localtime
-allow ipsec_mgmt_t etc_t:file { read getattr };
-allow ipsec_t etc_t:file { read getattr };
-
-# allow access to /dev/null
-allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
-allow ipsec_t null_device_t:chr_file rw_file_perms;
-
-# Allow scripts to use /var/lock/subsys/ipsec
-lock_domain(ipsec_mgmt)
-
-# allow tncfg to create sockets
-allow ipsec_mgmt_t self:udp_socket { create ioctl };
-
-#When running ipsec auto --up
-allow ipsec_t self:process { fork sigchld };
-allow ipsec_t self:fifo_file { read getattr };
-
-# ideally it would not need
this. It wants to write to /root/.rnd
-file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-
-allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
-allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
-allow ipsec_mgmt_t self:lnk_file read;
-
-allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
-read_locale(ipsec_mgmt_t)
-var_run_domain(ipsec_mgmt)
-dontaudit ipsec_mgmt_t default_t:dir getattr;
-dontaudit ipsec_mgmt_t default_t:file getattr;
-allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
-allow ipsec_mgmt_t self:key_socket { create setopt };
-can_exec(ipsec_mgmt_t, initrc_exec_t)
-allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
-read_locale(ipsec_t)
-ifdef(`consoletype.te', `
-can_exec(ipsec_mgmt_t, consoletype_exec_t )
-')
-dontaudit ipsec_mgmt_t selinux_config_t:dir search;
-dontaudit ipsec_t ttyfile:chr_file { read write };
-allow ipsec_t self:capability { dac_override dac_read_search };
-allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
-allow ipsec_mgmt_t dev_fs:file_class_set getattr;
-dontaudit ipsec_mgmt_t device_t:lnk_file read;
-allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
-allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
-rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
-rw_dir_create_file(initrc_t, ipsec_var_run_t)
-allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
diff --git a/mls/domains/program/iptables.te b/mls/domains/program/iptables.te
deleted file mode 100644
index 8d83280c..00000000
--- a/mls/domains/program/iptables.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#DESC Ipchains - IP packet filter administration
-#
-# Authors: Justin Smith
-# Russell Coker
-# X-Debian-Packages: ipchains iptables
-#
-
-#
-# Rules for the iptables_t domain.
-#
-daemon_base_domain(iptables, `, privmodule')
-role sysadm_r types iptables_t;
-domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
-
-ifdef(`modutil.te', `
-# for modprobe
-allow iptables_t sbin_t:dir search;
-allow iptables_t sbin_t:lnk_file read;
-')
-
-read_locale(iptables_t)
-
-# to allow rules to be saved on reboot
-allow iptables_t initrc_tmp_t:file rw_file_perms;
-
-domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
-allow iptables_t var_t:dir search;
-var_run_domain(iptables)
-
-allow iptables_t self:process { fork signal_perms };
-
-allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
-allow iptables_t sysctl_modprobe_t:file { getattr read };
-
-tmp_domain(iptables)
-
-# for iptables -L
-allow iptables_t self:unix_stream_socket create_socket_perms;
-can_resolve(iptables_t)
-can_ypbind(iptables_t)
-
-allow iptables_t iptables_exec_t:file execute_no_trans;
-allow iptables_t self:capability { net_admin net_raw };
-allow iptables_t self:rawip_socket create_socket_perms;
-
-allow iptables_t etc_t:file { getattr read };
-
-allow iptables_t fs_t:filesystem getattr;
-allow iptables_t { userdomain kernel_t }:fd use;
-
-# Access terminals.
-allow iptables_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
-
-allow iptables_t proc_t:file { getattr read };
-allow iptables_t proc_net_t:dir search;
-allow iptables_t proc_net_t:file { read getattr };
-
-# system-config-network appends to /var/log
-allow iptables_t var_log_t:file append;
-ifdef(`firstboot.te', `
-allow iptables_t firstboot_t:fifo_file write;
-')
diff --git a/mls/domains/program/irc.te b/mls/domains/program/irc.te
deleted file mode 100644
index 50c11227..00000000
--- a/mls/domains/program/irc.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Irc - IRC client
-#
-# Domains for the irc program.
-# X-Debian-Packages: tinyirc ircii
-
-#
-# irc_exec_t is the type of the irc executable.
-#
-type irc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the irc_domain macro in
-# macros/program/irc_macros.te.
diff --git a/mls/domains/program/irqbalance.te b/mls/domains/program/irqbalance.te
deleted file mode 100644
index 35be1924..00000000
--- a/mls/domains/program/irqbalance.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC IRQBALANCE - IRQ balance daemon
-#
-# Author: Ulrich Drepper
-#
-
-#################################
-#
-# Rules for the irqbalance_t domain.
-#
-daemon_domain(irqbalance)
-
-# irqbalance needs access to /proc.
-allow irqbalance_t proc_t:file { read getattr };
-allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
-allow irqbalance_t sysctl_irq_t:file rw_file_perms;
diff --git a/mls/domains/program/java.te b/mls/domains/program/java.te
deleted file mode 100644
index dfd03723..00000000
--- a/mls/domains/program/java.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC Java VM
-#
-# Authors: Dan Walsh
-# X-Debian-Packages: java
-#
-
-# Type for the netscape, java or other browser executables.
-type java_exec_t, file_type, sysadmfile, exec_type;
-
-# Allow java executable stack
-bool allow_java_execstack false;
-
-# Everything else is in the java_domain macro in
-# macros/program/java_macros.te.
diff --git a/mls/domains/program/kerberos.te b/mls/domains/program/kerberos.te
deleted file mode 100644
index 19cc3c49..00000000
--- a/mls/domains/program/kerberos.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Kerberos5 - MIT Kerberos5
-# supports krb5kdc and kadmind daemons
-# kinit, kdestroy, klist clients
-# ksu support not complete
-#
-# includes rules for OpenSSH daemon compiled with both
-# kerberos5 and SELinux support
-#
-# Not supported : telnetd, ftpd, kprop/kpropd daemons
-#
-# Author: Kerry Thompson
-# Modified by Colin Walters
-#
-
-#################################
-#
-# Rules for the krb5kdc_t,kadmind_t domains.
-#
-daemon_domain(krb5kdc)
-daemon_domain(kadmind)
-
-can_exec(krb5kdc_t, krb5kdc_exec_t)
-can_exec(kadmind_t, kadmind_exec_t)
-
-# types for general configuration files in /etc
-type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
-
-# types for KDC configs and principal file(s)
-type krb5kdc_conf_t, file_type, sysadmfile;
-type krb5kdc_principal_t, file_type, sysadmfile;
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
-allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
-
-# krb5kdc and kadmind can use network
-can_network_server( { krb5kdc_t kadmind_t } )
-can_ypbind( { krb5kdc_t kadmind_t } )
-
-# allow UDP transfer to/from any program
-can_udp_send(kerberos_port_t, krb5kdc_t)
-can_udp_send(krb5kdc_t, kerberos_port_t)
-can_tcp_connect(kerberos_port_t, krb5kdc_t)
-can_tcp_connect(kerberos_admin_port_t, kadmind_t)
-
-# Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t reserved_port_t:tcp_socket name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
-
-#
-# Rules for Kerberos5 KDC daemon
-allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
-allow krb5kdc_t self:unix_stream_socket create_socket_perms;
-allow kadmind_t self:unix_stream_socket create_socket_perms;
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-allow krb5kdc_t locale_t:file { getattr read };
-dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
-allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
-allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
-dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
-tmp_domain(krb5kdc)
-log_domain(krb5kdc)
-allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
-allow kadmind_t random_device_t:chr_file { getattr read };
-allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t proc_t:dir r_dir_perms;
-allow krb5kdc_t proc_t:file { getattr read };
-
-#
-# Rules for Kerberos5 Kadmin daemon
-allow kadmind_t self:unix_dgram_socket { connect create write };
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
-allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
-read_locale(kadmind_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
-tmp_domain(kadmind)
-log_domain(kadmind)
-
-#
-# Allow user programs to talk to KDC
-allow krb5kdc_t userdomain:udp_socket recvfrom;
-allow userdomain krb5kdc_t:udp_socket recvfrom;
-allow initrc_t krb5_conf_t:file
ioctl;
diff --git a/mls/domains/program/klogd.te b/mls/domains/program/klogd.te
deleted file mode 100644
index dd0b79cc..00000000
--- a/mls/domains/program/klogd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Klogd - Kernel log daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: klogd
-#
-
-#################################
-#
-# Rules for the klogd_t domain.
-#
-daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
-
-tmp_domain(klogd)
-allow klogd_t proc_t:dir r_dir_perms;
-allow klogd_t proc_t:lnk_file r_file_perms;
-allow klogd_t proc_t:file { getattr read };
-allow klogd_t self:dir r_dir_perms;
-allow klogd_t self:lnk_file r_file_perms;
-
-# read /etc/nsswitch.conf
-allow klogd_t etc_t:lnk_file read;
-allow klogd_t etc_t:file r_file_perms;
-
-read_locale(klogd_t)
-
-allow klogd_t etc_runtime_t:file { getattr read };
-
-# Create unix sockets
-allow klogd_t self:unix_dgram_socket create_socket_perms;
-
-# Use the sys_admin and sys_rawio capabilities.
-allow klogd_t self:capability { sys_admin sys_rawio };
-dontaudit klogd_t self:capability sys_resource;
-
-
-# Read /proc/kmsg and /dev/mem.
-allow klogd_t proc_kmsg_t:file r_file_perms;
-allow klogd_t memory_device_t:chr_file r_file_perms;
-
-# Control syslog and console logging
-allow klogd_t kernel_t:system { syslog_mod syslog_console };
-
-# Read /boot/System.map*
-allow klogd_t system_map_t:file r_file_perms;
-allow klogd_t boot_t:dir r_dir_perms;
-ifdef(`targeted_policy', `
-allow klogd_t unconfined_t:system syslog_mod;
-')
diff --git a/mls/domains/program/ktalkd.te b/mls/domains/program/ktalkd.te
deleted file mode 100644
index 7ae0109c..00000000
--- a/mls/domains/program/ktalkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC ktalkd - KDE version of the talk server
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the ktalkd_t domain.
-#
-# ktalkd_exec_t is the type of the ktalkd executable.
-#
-
-inetd_child_domain(ktalkd, udp)
diff --git a/mls/domains/program/kudzu.te b/mls/domains/program/kudzu.te
deleted file mode 100644
index 9b64f98d..00000000
--- a/mls/domains/program/kudzu.te
+++ /dev/null
@@ -1,117 +0,0 @@ -#DESC kudzu - Red Hat utility to recognise new hardware -# -# Author: Russell Coker -# - -daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem') - -read_locale(kudzu_t) - -# for /etc/sysconfig/hwconf - probably need a new type -allow kudzu_t etc_runtime_t:file rw_file_perms; - -# for kmodule -if (allow_execmem) { -allow kudzu_t self:process execmem; -} -allow kudzu_t zero_device_t:chr_file rx_file_perms; -allow kudzu_t memory_device_t:chr_file { read write execute }; - -allow kudzu_t ramfs_t:dir search; -allow kudzu_t ramfs_t:sock_file write; -allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; -allow kudzu_t modules_conf_t:file { getattr read unlink rename }; -allow kudzu_t modules_object_t:dir r_dir_perms; -allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read }; -allow kudzu_t mouse_device_t:chr_file { read write }; -allow kudzu_t proc_net_t:dir r_dir_perms; -allow kudzu_t { proc_net_t proc_t }:file { getattr read }; -allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; -allow kudzu_t scsi_generic_device_t:chr_file r_file_perms; -allow kudzu_t { bin_t sbin_t }:dir { getattr search }; -allow kudzu_t { bin_t sbin_t }:lnk_file read; -read_sysctl(kudzu_t) -allow kudzu_t sysctl_dev_t:dir { getattr search read }; -allow kudzu_t sysctl_dev_t:file { getattr read }; -allow kudzu_t sysctl_kernel_t:file write; -allow kudzu_t usbdevfs_t:dir search; -allow kudzu_t usbdevfs_t:file { getattr read }; -allow kudzu_t usbfs_t:dir search; -allow kudzu_t usbfs_t:file { getattr read }; -var_run_domain(kudzu) -allow kudzu_t kernel_t:system syslog_console; -allow kudzu_t self:udp_socket { create ioctl }; -allow kudzu_t var_lock_t:dir search; -allow kudzu_t devpts_t:dir search; - -# so it can write messages to the console -allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms; - -role sysadm_r types kudzu_t; 
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
-')
-ifdef(`anaconda.te', `
-domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
-
-allow kudzu_t sysadm_home_dir_t:dir search;
-rw_dir_create_file(kudzu_t, etc_t)
-
-rw_dir_create_file(kudzu_t, mnt_t)
-can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
-# Read /usr/lib/gconv/gconv-modules.*
-allow kudzu_t lib_t:file { read getattr };
-# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
-allow kudzu_t usr_t:file { read getattr };
-r_dir_file(kudzu_t, hwdata_t)
-
-# Communicate with rhgb-client.
-allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow kudzu_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`rhgb.te', `
-allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-
-allow kudzu_t self:file { getattr read };
-allow kudzu_t self:fifo_file rw_file_perms;
-ifdef(`gpm.te', `
-allow kudzu_t gpmctl_t:sock_file getattr;
-')
-
-can_exec(kudzu_t, shell_exec_t)
-
-# Write to /proc/sys/kernel/hotplug. Why?
-allow kudzu_t sysctl_hotplug_t:file { read write };
-
-allow kudzu_t sysfs_t:dir { getattr read search };
-allow kudzu_t sysfs_t:file { getattr read };
-allow kudzu_t sysfs_t:lnk_file read;
-file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
-allow kudzu_t tape_device_t:chr_file r_file_perms;
-tmp_domain(kudzu, `', `{ file dir chr_file }')
-
-# for file systems that are not yet mounted
-dontaudit kudzu_t file_t:dir search;
-ifdef(`lpd.te', `
-allow kudzu_t printconf_t:file { getattr read };
-')
-ifdef(`cups.te', `
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
-')
-dontaudit kudzu_t src_t:dir search;
-ifdef(`xserver.te', `
-allow kudzu_t xserver_exec_t:file getattr;
-')
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-', `
-unconfined_domain(kudzu_t)
-')
-
-allow kudzu_t initrc_t:unix_stream_socket connectto;
-allow kudzu_t net_conf_t:file { getattr read };
-
diff --git a/mls/domains/program/ldconfig.te b/mls/domains/program/ldconfig.te
deleted file mode 100644
index fbb76886..00000000
--- a/mls/domains/program/ldconfig.te
+++ /dev/null
@@ -1,52 +0,0 @@ -#DESC Ldconfig - Configure dynamic linker bindings -# -# Author: Russell Coker -# X-Debian-Packages: libc6 -# - -################################# -# -# Rules for the ldconfig_t domain. -# -type ldconfig_t, domain, privlog, etc_writer; -type ldconfig_exec_t, file_type, sysadmfile, exec_type; - -role sysadm_r types ldconfig_t; -role system_r types ldconfig_t; - -domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t) -dontaudit ldconfig_t device_t:dir search; -can_access_pty(ldconfig_t, initrc) -allow ldconfig_t admin_tty_type:chr_file rw_file_perms; -allow ldconfig_t privfd:fd use; - -uses_shlib(ldconfig_t) - -file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file) -allow ldconfig_t lib_t:dir rw_dir_perms; -allow ldconfig_t lib_t:lnk_file create_lnk_perms; - -allow ldconfig_t userdomain:fd use; -# unlink for when /etc/ld.so.cache is mislabeled -allow ldconfig_t etc_t:file { getattr read unlink }; -allow ldconfig_t etc_t:lnk_file read; - -allow ldconfig_t fs_t:filesystem getattr; -allow ldconfig_t tmp_t:dir search; - -ifdef(`apache.te', ` -# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway -dontaudit ldconfig_t httpd_modules_t:dir search; -') - -allow ldconfig_t { var_t var_lib_t }:dir search; -allow ldconfig_t proc_t:file { getattr read }; -ifdef(`hide_broken_symptoms', ` -ifdef(`unconfined.te',` -dontaudit ldconfig_t unconfined_t:tcp_socket { read write }; -'); -')dnl end hide_broken_symptoms -ifdef(`targeted_policy', ` -allow ldconfig_t lib_t:file r_file_perms; -unconfined_domain(ldconfig_t) -') diff --git a/mls/domains/program/load_policy.te b/mls/domains/program/load_policy.te deleted file mode 100644 index 3d43900f..00000000 --- a/mls/domains/program/load_policy.te +++ /dev/null 
@@ -1,65 +0,0 @@ -#DESC LoadPolicy - SELinux policy loading utilities -# -# Authors: Frank Mayer, mayerf@tresys.com -# X-Debian-Packages: policycoreutils -# - -########################### -# load_policy_t is the domain type for load_policy -# load_policy_exec_t is the file type for the executable - -# boolean to determine whether the system permits loading policy, setting -# enforcing mode, and changing boolean values. Set this to true and you -# have to reboot to set it back -bool secure_mode_policyload false; - -type load_policy_t, domain; -role sysadm_r types load_policy_t; -role secadm_r types load_policy_t; -role system_r types load_policy_t; - -type load_policy_exec_t, file_type, exec_type, sysadmfile; - -########################## -# -# Rules - -domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t) - -allow load_policy_t console_device_t:chr_file { read write }; - -# Reload the policy configuration (sysadm_t no longer has this ability) -can_loadpol(load_policy_t) - -# Reset policy boolean values. -can_setbool(load_policy_t) - - -########################### -# constrain from where load_policy can load a policy, specifically -# policy_config_t files -# - -# only allow read of policy config files -allow load_policy_t policy_src_t:dir search; -r_dir_file(load_policy_t, policy_config_t) -r_dir_file(load_policy_t, selinux_config_t) - -# directory search permissions for path to binary policy files -allow load_policy_t root_t:dir search; -allow load_policy_t etc_t:dir search; - -# for mcs.conf -allow load_policy_t etc_t:file { getattr read }; - -# Other access -can_access_pty(load_policy_t, initrc) -allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr }; -uses_shlib(load_policy_t) -allow load_policy_t self:capability dac_override; - -allow load_policy_t { userdomain privfd initrc_t }:fd use; - -allow load_policy_t fs_t:filesystem getattr; - -read_locale(load_policy_t) 
diff --git a/mls/domains/program/loadkeys.te b/mls/domains/program/loadkeys.te deleted file mode 100644 index 09597624..00000000 --- a/mls/domains/program/loadkeys.te +++ /dev/null @@ -1,45 +0,0 @@ -#DESC loadkeys - for changing to unicode at login time -# -# Author: Russell Coker -# -# X-Debian-Packages: console-tools - -# -# loadkeys_exec_t is the type of the wrapper -# -type loadkeys_exec_t, file_type, sysadmfile, exec_type; - -can_exec(initrc_t, loadkeys_exec_t) - -# Derived domain based on the calling user domain and the program. -type loadkeys_t, domain; - -# Transition from the user domain to this domain. -domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t) - -uses_shlib(loadkeys_t) -dontaudit loadkeys_t proc_t:dir search; -allow loadkeys_t proc_t:file { getattr read }; -allow loadkeys_t self:process { fork sigchld }; - -allow loadkeys_t self:fifo_file rw_file_perms; -allow loadkeys_t bin_t:dir search; -allow loadkeys_t bin_t:lnk_file read; -can_exec(loadkeys_t, { shell_exec_t bin_t }) - -read_locale(loadkeys_t) - -dontaudit loadkeys_t etc_runtime_t:file { getattr read }; - -# Use capabilities. -allow loadkeys_t self:capability { setuid sys_tty_config }; - -allow loadkeys_t local_login_t:fd use; -allow loadkeys_t devtty_t:chr_file rw_file_perms; - -# The user role is authorized for this domain. -in_user_role(loadkeys_t) - -# Write to the user domain tty. -allow loadkeys_t ttyfile:chr_file rw_file_perms; - diff --git a/mls/domains/program/lockdev.te b/mls/domains/program/lockdev.te deleted file mode 100644 index adb2a775..00000000 --- a/mls/domains/program/lockdev.te +++ /dev/null @@ -1,11 +0,0 @@ -#DESC Lockdev - libblockdev helper application -# -# Authors: Daniel Walsh -# - - -# Type for the lockdev -type lockdev_exec_t, file_type, sysadmfile, exec_type; - -# Everything else is in the lockdev_domain macro in -# macros/program/lockdev_macros.te. 
diff --git a/mls/domains/program/login.te b/mls/domains/program/login.te
deleted file mode 100644
index ad9fab00..00000000
--- a/mls/domains/program/login.te
+++ /dev/null
@@ -1,234 +0,0 @@ -#DESC Login - Local/remote login utilities -# -# Authors: Stephen Smalley and Timothy Fraser -# Macroised by Russell Coker -# X-Debian-Packages: login -# - -################################# -# -# Rules for the local_login_t domain -# and the remote_login_t domain. -# - -# $1 is the name of the domain (local or remote) -define(`login_domain', ` -type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade; -role system_r types $1_login_t; - -dontaudit $1_login_t shadow_t:file { getattr read }; - -general_domain_access($1_login_t); - -# Read system information files in /proc. -r_dir_file($1_login_t, proc_t) - -base_file_read_access($1_login_t) - -# Read directories and files with the readable_t type. -# This type is a general type for "world"-readable files. -allow $1_login_t readable_t:dir r_dir_perms; -allow $1_login_t readable_t:notdevfile_class_set r_file_perms; - -# Read /var, /var/spool -allow $1_login_t { var_t var_spool_t }:dir search; - -# for when /var/mail is a sym-link -allow $1_login_t var_t:lnk_file read; - -# Read /etc. -r_dir_file($1_login_t, etc_t) -allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms; - -read_locale($1_login_t) - -# for SSP/ProPolice -allow $1_login_t urandom_device_t:chr_file { getattr read }; - -# Read executable types. -allow $1_login_t exec_type:{ file lnk_file } r_file_perms; - -# Read /dev directories and any symbolic links. 
-allow $1_login_t device_t:dir r_dir_perms; -allow $1_login_t device_t:lnk_file r_file_perms; - -uses_shlib($1_login_t); - -tmp_domain($1_login) - -ifdef(`pam.te', ` -can_exec($1_login_t, pam_exec_t) -') - -ifdef(`pamconsole.te', ` -rw_dir_create_file($1_login_t, pam_var_console_t) -domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t) -') - -ifdef(`alsa.te', ` -domain_auto_trans($1_login_t, alsa_exec_t, alsa_t) -') - -# Use capabilities -allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -allow $1_login_t self:process setrlimit; -dontaudit $1_login_t sysfs_t:dir search; - -# Set exec context. -can_setexec($1_login_t) - -allow $1_login_t autofs_t:dir { search read getattr }; -allow $1_login_t mnt_t:dir r_dir_perms; - -if (use_nfs_home_dirs) { -r_dir_file($1_login_t, nfs_t) -} - -if (use_samba_home_dirs) { -r_dir_file($1_login_t, cifs_t) -} - -# Login can polyinstantiate -polyinstantiater($1_login_t) - -# FIXME: what is this for? -ifdef(`xdm.te', ` -allow xdm_t $1_login_t:process signull; -') - -ifdef(`crack.te', ` -allow $1_login_t crack_db_t:file r_file_perms; -') - -# Permit login to search the user home directories. -allow $1_login_t home_root_t:dir search; -allow $1_login_t home_dir_type:dir search; - -# Write to /var/run/utmp. -allow $1_login_t var_run_t:dir search; -allow $1_login_t initrc_var_run_t:file rw_file_perms; - -# Write to /var/log/wtmp. -allow $1_login_t var_log_t:dir search; -allow $1_login_t wtmp_t:file rw_file_perms; - -# Write to /var/log/lastlog. -allow $1_login_t lastlog_t:file rw_file_perms; - -# Write to /var/log/btmp -allow $1_login_t faillog_t:file { lock append read write }; - -# Search for mail spool file. -allow $1_login_t mail_spool_t:dir r_dir_perms; -allow $1_login_t mail_spool_t:file getattr; -allow $1_login_t mail_spool_t:lnk_file read; - -# Get security policy decisions. 
-can_getsecurity($1_login_t) - -# allow read access to default_contexts in /etc/security -allow $1_login_t default_context_t:file r_file_perms; -allow $1_login_t default_context_t:dir search; -r_dir_file($1_login_t, selinux_config_t) - -allow $1_login_t mouse_device_t:chr_file { getattr setattr }; - -ifdef(`targeted_policy',` -unconfined_domain($1_login_t) -domain_auto_trans($1_login_t, shell_exec_t, unconfined_t) -') - -')dnl end login_domain macro -################################# -# -# Rules for the local_login_t domain. -# -# local_login_t is the domain of a login process -# spawned by getty. -# -# remote_login_t is the domain of a login process -# spawned by rlogind. -# -# login_exec_t is the type of the login program -# -type login_exec_t, file_type, sysadmfile, exec_type; - -login_domain(local) - -# But also permit other user domains to be entered by login. -login_spawn_domain(local_login, userdomain) - -# Do not audit denied attempts to access devices. -dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr }; -dontaudit local_login_t removable_device_t:blk_file { getattr setattr }; -dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr }; -dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr }; -dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; -dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; -dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; -dontaudit local_login_t removable_device_t:chr_file { getattr setattr }; -dontaudit local_login_t scanner_device_t:chr_file { getattr setattr }; - -# Do not audit denied attempts to access /mnt. -dontaudit local_login_t mnt_t:dir r_dir_perms; - - -# Create lock file. -lock_domain(local_login) - -# Read and write ttys. -allow local_login_t tty_device_t:chr_file { setattr rw_file_perms }; -allow local_login_t ttyfile:chr_file { setattr rw_file_perms }; - -# Relabel ttys. 
-allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto }; -allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto }; - -ifdef(`gpm.te', -`allow local_login_t gpmctl_t:sock_file { getattr setattr };') - -# Allow setting of attributes on sound devices. -allow local_login_t sound_device_t:chr_file { getattr setattr }; - -# Allow setting of attributes on power management devices. -allow local_login_t power_device_t:chr_file { getattr setattr }; -dontaudit local_login_t init_t:fd use; - -################################# -# -# Rules for the remote_login_t domain. -# - -login_domain(remote) - -# Only permit unprivileged user domains to be entered via rlogin, -# since very weak authentication is used. -login_spawn_domain(remote_login, unpriv_userdomain) - -allow remote_login_t userpty_type:chr_file { setattr write }; - -# Use the pty created by rlogind. -ifdef(`rlogind.te', ` -can_access_pty(remote_login_t, rlogind) -# Relabel ptys created by rlogind. -allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto }; -') - -# Use the pty created by telnetd. -ifdef(`telnetd.te', ` -can_access_pty(remote_login_t, telnetd) -# Relabel ptys created by telnetd. -allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto }; -') - -allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl }; -allow remote_login_t fs_t:filesystem { getattr }; - -# Allow remote login to resolve host names (passed in via the -h switch) -can_resolve(remote_login_t) - -ifdef(`use_mcs', ` -ifdef(`getty.te', ` -range_transition getty_t login_exec_t s0 - s0:c0.c127; -') -') diff --git a/mls/domains/program/logrotate.te b/mls/domains/program/logrotate.te deleted file mode 100644 index 9f71da62..00000000 --- a/mls/domains/program/logrotate.te +++ /dev/null 
@@ -1,150 +0,0 @@ -#DESC Logrotate - Rotate log files -# -# Authors: Stephen Smalley Timothy Fraser -# Russell Coker -# X-Debian-Packages: logrotate -# Depends: crond.te -# - -################################# -# -# Rules for the logrotate_t domain. -# -# logrotate_t is the domain for the logrotate program. -# logrotate_exec_t is the type of the corresponding program. -# -type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade; -role system_r types logrotate_t; -role sysadm_r types logrotate_t; -uses_shlib(logrotate_t) -general_domain_access(logrotate_t) -type logrotate_exec_t, file_type, sysadmfile, exec_type; - -system_crond_entry(logrotate_exec_t, logrotate_t) -allow logrotate_t cron_spool_t:dir search; -allow crond_t logrotate_var_lib_t:dir search; -domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t) -allow logrotate_t self:unix_stream_socket create_socket_perms; -allow logrotate_t devtty_t:chr_file rw_file_perms; - -ifdef(`distro_debian', ` -allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; -# for savelog -can_exec(logrotate_t, logrotate_exec_t) -') - -# for perl -allow logrotate_t usr_t:file { getattr read ioctl }; -allow logrotate_t usr_t:lnk_file read; - -# access files in /etc -allow logrotate_t etc_t:file { getattr read ioctl }; -allow logrotate_t etc_t:lnk_file { getattr read }; -allow logrotate_t etc_runtime_t:file r_file_perms; - -# it should not require this -allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }; - -# create lock files -lock_domain(logrotate) - -# Create temporary files. -tmp_domain(logrotate) -can_exec(logrotate_t, logrotate_tmp_t) - -# Run helper programs. -allow logrotate_t { bin_t sbin_t }:dir r_dir_perms; -allow logrotate_t { bin_t sbin_t }:lnk_file read; -can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t }) - -# Read PID files. 
-allow logrotate_t pidfile:file r_file_perms; - -# Read /proc/PID directories for all domains. -read_sysctl(logrotate_t) -allow logrotate_t proc_t:dir r_dir_perms; -allow logrotate_t proc_t:{ file lnk_file } r_file_perms; -allow logrotate_t domain:notdevfile_class_set r_file_perms; -allow logrotate_t domain:dir r_dir_perms; -allow logrotate_t exec_type:file getattr; - -# Read /dev directories and any symbolic links. -allow logrotate_t device_t:dir r_dir_perms; -allow logrotate_t device_t:lnk_file r_file_perms; - -# Signal processes. -allow logrotate_t domain:process signal; - -# Modify /var/log and other log dirs. -allow logrotate_t var_t:dir r_dir_perms; -allow logrotate_t logfile:dir rw_dir_perms; -allow logrotate_t logfile:lnk_file read; - -# Create, rename, and truncate log files. -allow logrotate_t logfile:file create_file_perms; -allow logrotate_t wtmp_t:file create_file_perms; -ifdef(`squid.te', ` -allow squid_t { system_crond_t crond_t }:fd use; -allow squid_t crond_t:fifo_file { read write }; -allow squid_t system_crond_t:fifo_file write; -allow squid_t self:capability kill; -') - -# Set a context other than the default one for newly created files. -can_setfscreate(logrotate_t) - -# Change ownership on log files. -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; -# for mailx -dontaudit logrotate_t self:capability { setuid setgid }; - -ifdef(`mta.te', ` -allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms; -') - -# Access /var/run -allow logrotate_t var_run_t:dir r_dir_perms; - -# for /var/lib/logrotate.status and /var/lib/logcheck -var_lib_domain(logrotate) -allow logrotate_t logrotate_var_lib_t:dir create; - -# Write to /var/spool/slrnpull - should be moved into its own type. -create_dir_file(logrotate_t, var_spool_t) - -allow logrotate_t urandom_device_t:chr_file { getattr read }; - -# Access terminals. 
-allow logrotate_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
-allow logrotate_t privfd:fd use;
-
-# for /var/backups on Debian
-ifdef(`backup.te', `
-rw_dir_create_file(logrotate_t, backup_store_t)
-')
-
-read_locale(logrotate_t)
-
-allow logrotate_t fs_t:filesystem getattr;
-can_exec(logrotate_t, shell_exec_t)
-ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
-can_exec(logrotate_t,logfile)
-allow logrotate_t net_conf_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-can_exec(logrotate_t, consoletype_exec_t)
-dontaudit consoletype_t logrotate_t:fd use;
-')
-
-allow logrotate_t syslogd_t:unix_dgram_socket sendto;
-
-domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
-
-# Supress libselinux initialization denials
-dontaudit logrotate_t selinux_config_t:dir search;
-dontaudit logrotate_t selinux_config_t:file { read getattr };
-
-# Allow selinux_getenforce
-allow logrotate_t security_t:dir search;
-allow logrotate_t security_t:file { getattr read };
diff --git a/mls/domains/program/lpd.te b/mls/domains/program/lpd.te
deleted file mode 100644
index 76cd44dd..00000000
--- a/mls/domains/program/lpd.te
+++ /dev/null
@@ -1,161 +0,0 @@ -#DESC Lpd - Print server -# -# Authors: Stephen Smalley and Timothy Fraser -# Modified by David A. Wheeler for LPRng (Red Hat 7.1) -# Modified by Russell Coker -# X-Debian-Packages: lpr -# - -################################# -# -# Rules for the lpd_t domain. -# -# lpd_t is the domain of lpd. -# lpd_exec_t is the type of the lpd executable. -# printer_t is the type of the Unix domain socket created -# by lpd. -# -daemon_domain(lpd) - -allow lpd_t lpd_var_run_t:sock_file create_file_perms; - -read_fonts(lpd_t) - -type printer_t, file_type, sysadmfile, dev_fs; - -type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf. - -tmp_domain(lpd); - -# for postscript include files -allow lpd_t usr_t:{ file lnk_file } { getattr read }; - -# Allow checkpc to access the lpd spool so it can check & fix it. -# This requires that /usr/sbin/checkpc have type checkpc_t. -type checkpc_t, domain, privlog; -role system_r types checkpc_t; -uses_shlib(checkpc_t) -can_network_client(checkpc_t) -allow checkpc_t port_type:tcp_socket name_connect; -can_ypbind(checkpc_t) -log_domain(checkpc) -type checkpc_exec_t, file_type, sysadmfile, exec_type; -domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t) -domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t) -role sysadm_r types checkpc_t; -allow checkpc_t admin_tty_type:chr_file { read write }; -allow checkpc_t privfd:fd use; -ifdef(`crond.te', ` -system_crond_entry(checkpc_exec_t, checkpc_t) -') -allow checkpc_t self:capability { setgid setuid dac_override }; -allow checkpc_t self:process { fork signal_perms }; - -allow checkpc_t proc_t:dir search; -allow checkpc_t proc_t:lnk_file read; -allow checkpc_t proc_t:file { getattr read }; -r_dir_file(checkpc_t, self) -allow checkpc_t self:unix_stream_socket create_socket_perms; - -allow checkpc_t { etc_t etc_runtime_t }:file { getattr read }; -allow checkpc_t etc_t:lnk_file read; - -allow checkpc_t { var_t var_spool_t }:dir { getattr search }; -allow 
checkpc_t print_spool_t:file { rw_file_perms unlink }; -allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr }; -allow checkpc_t device_t:dir search; -allow checkpc_t printer_device_t:chr_file { getattr append }; -allow checkpc_t devtty_t:chr_file rw_file_perms; -allow checkpc_t initrc_devpts_t:chr_file rw_file_perms; - -# Allow access to /dev/console through the fd: -allow checkpc_t init_t:fd use; - -# This is less desirable, but checkpc demands /bin/bash and /bin/chown: -allow checkpc_t { bin_t sbin_t }:dir search; -allow checkpc_t bin_t:lnk_file read; -can_exec(checkpc_t, shell_exec_t) -can_exec(checkpc_t, bin_t) - -# bash wants access to /proc/meminfo -allow lpd_t proc_t:file { getattr read }; - -# gs-gnu wants to read some sysctl entries, it seems to work without though -dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search; - -# for defoma -r_dir_file(lpd_t, var_lib_t) - -allow checkpc_t var_run_t:dir search; -allow checkpc_t lpd_var_run_t:dir { search getattr }; - -# This is needed to permit chown to read /var/spool/lpd/lp. -# This is opens up security more than necessary; this means that ANYTHING -# running in the initrc_t domain can read the printer spool directory. -# Perhaps executing /etc/rc.d/init.d/lpd should transition -# to domain lpd_t, instead of waiting for executing lpd. -allow initrc_t print_spool_t:dir read; - -# for defoma -r_dir_file(lpd_t, readable_t) - -# Use capabilities. -allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; - -# Use the network. -can_network_server(lpd_t) -can_ypbind(lpd_t) -allow lpd_t self:fifo_file rw_file_perms; -allow lpd_t self:unix_stream_socket create_stream_socket_perms; -allow lpd_t self:unix_dgram_socket create_socket_perms; - -allow lpd_t self:file { getattr read }; -allow lpd_t etc_runtime_t:file { getattr read }; - -# Bind to the printer port. -allow lpd_t printer_port_t:tcp_socket name_bind; - -# Send to portmap. 
-ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)') - -ifdef(`ypbind.te', -`# Connect to ypbind. -can_tcp_connect(lpd_t, ypbind_t)') - -# Create and bind to /dev/printer. -file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file) -allow lpd_t printer_t:unix_stream_socket name_bind; -allow lpd_t printer_t:unix_dgram_socket name_bind; -allow lpd_t printer_device_t:chr_file rw_file_perms; - -# Write to /var/spool/lpd. -allow lpd_t var_spool_t:dir search; -allow lpd_t print_spool_t:dir rw_dir_perms; -allow lpd_t print_spool_t:file create_file_perms; -allow lpd_t print_spool_t:file rw_file_perms; - -# Execute filter scripts. -# can_exec(lpd_t, print_spool_t) - -# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -allow lpd_t bin_t:dir search; -allow lpd_t bin_t:lnk_file read; -can_exec(lpd_t, { bin_t sbin_t shell_exec_t }) - -# lpd must be able to execute the filter utilities in /usr/share/printconf. -can_exec(lpd_t, printconf_t) -allow lpd_t printconf_t:file rx_file_perms; -allow lpd_t printconf_t:dir { getattr search read }; - -# config files for lpd are of type etc_t, probably should change this -allow lpd_t etc_t:file { getattr read }; -allow lpd_t etc_t:lnk_file read; - -# checkpc needs similar permissions. -allow checkpc_t printconf_t:file getattr; -allow checkpc_t printconf_t:dir { getattr search read }; - -# Read printconf files. -allow initrc_t printconf_t:dir r_dir_perms; -allow initrc_t printconf_t:file r_file_perms; - diff --git a/mls/domains/program/lpr.te b/mls/domains/program/lpr.te deleted file mode 100644 index d8ec0c02..00000000 --- a/mls/domains/program/lpr.te +++ /dev/null @@ -1,12 +0,0 @@ -#DESC Lpr - Print client -# -# Authors: Stephen Smalley and Timothy Fraser -# X-Debian-Packages: lpr lprng -# - - -# Type for the lpr, lpq, and lprm executables. -type lpr_exec_t, file_type, sysadmfile, exec_type; - -# Everything else is in the lpr_domain macro in -# macros/program/lpr_macros.te. 
diff --git a/mls/domains/program/lvm.te b/mls/domains/program/lvm.te
deleted file mode 100644
index b2e47eb9..00000000
--- a/mls/domains/program/lvm.te
+++ /dev/null
@@ -1,139 +0,0 @@ -#DESC LVM - Linux Volume Manager -# -# Author: Michael Kaufman -# X-Debian-Packages: lvm10 lvm2 lvm-common -# - -################################# -# -# Rules for the lvm_t domain. -# -# lvm_t is the domain for LVM administration. -# lvm_exec_t is the type of the corresponding programs. -# lvm_etc_t is for read-only LVM configuration files. -# lvm_metadata_t is the type of LVM metadata files in /etc that are -# modified at runtime. -# -type lvm_vg_t, file_type, sysadmfile; -type lvm_metadata_t, file_type, sysadmfile; -type lvm_control_t, device_type, dev_fs; -etcdir_domain(lvm) -lock_domain(lvm) -allow lvm_t lvm_lock_t:dir rw_dir_perms; - -# needs privowner because it assigns the identity system_u to device nodes -# but runs as the identity of the sysadmin -daemon_base_domain(lvm, `, fs_domain, privowner') -role sysadm_r types lvm_t; -domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t) - -# LVM will complain a lot if it cannot set its priority. -allow lvm_t self:process setsched; - -allow lvm_t self:fifo_file rw_file_perms; -allow lvm_t self:unix_dgram_socket create_socket_perms; - -r_dir_file(lvm_t, proc_t) -allow lvm_t self:file rw_file_perms; - -# Read system variables in /proc/sys -read_sysctl(lvm_t) - -# Read /sys/block. Device mapper metadata is kept there. -r_dir_file(lvm_t, sysfs_t) - -allow lvm_t fs_t:filesystem getattr; - -# Read configuration files in /etc. 
-allow lvm_t { etc_t etc_runtime_t }:file { getattr read }; - -# LVM creates block devices in /dev/mapper or /dev/ -# depending on its version -file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file) - -# LVM(2) needs to create directores (/dev/mapper, /dev/) -# and links from /dev/ to /dev/mapper/- -allow lvm_t device_t:dir create_dir_perms; -allow lvm_t device_t:lnk_file create_lnk_perms; - -# /lib/lvm- holds the actual LVM binaries (and symlinks) -allow lvm_t lvm_exec_t:dir search; -allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms; - -tmp_domain(lvm) -allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl }; - -# DAC overrides and mknod for modifying /dev entries (vgmknodes) -allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod }; - -# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d -file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file) - -allow lvm_t lvm_metadata_t:dir rw_dir_perms; - -# Inherit and use descriptors from init. -allow lvm_t init_t:fd use; - -# LVM is split into many individual binaries -can_exec(lvm_t, lvm_exec_t) - -# Access raw devices and old /dev/lvm (c 109,0). Is this needed? -allow lvm_t fixed_disk_device_t:chr_file create_file_perms; - -# relabel devices -allow lvm_t { default_context_t file_context_t }:dir search; -allow lvm_t file_context_t:file { getattr read }; -can_getsecurity(lvm_t) -allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto }; -allow lvm_t device_t:lnk_file { relabelfrom relabelto }; - -# Access terminals. -allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; -allow lvm_t devtty_t:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;') -allow lvm_t privfd:fd use; -allow lvm_t devpts_t:dir { search getattr read }; - -read_locale(lvm_t) - -# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... 
-dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read }; -dontaudit lvm_t ttyfile:chr_file getattr; -dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr; -dontaudit lvm_t devpts_t:dir { getattr read }; -dontaudit lvm_t xconsole_device_t:fifo_file getattr; - -ifdef(`gpm.te', ` -dontaudit lvm_t gpmctl_t:sock_file getattr; -') -dontaudit lvm_t initctl_t:fifo_file getattr; -allow lvm_t sbin_t:dir search; -dontaudit lvm_t sbin_t:file { getattr read }; -allow lvm_t lvm_control_t:chr_file rw_file_perms; -allow initrc_t lvm_control_t:chr_file { getattr read unlink }; -allow initrc_t device_t:chr_file create; -var_run_domain(lvm) - -# for when /usr is not mounted -dontaudit lvm_t file_t:dir search; - -allow lvm_t tmpfs_t:dir r_dir_perms; -r_dir_file(lvm_t, selinux_config_t) - -# it has no reason to need this -dontaudit lvm_t proc_kcore_t:file getattr; -allow lvm_t var_t:dir { search getattr }; -allow lvm_t ramfs_t:filesystem unmount; - -# cluster LVM daemon -daemon_domain(clvmd) -can_network(clvmd_t) -can_ypbind(clvmd_t) -allow clvmd_t self:capability net_bind_service; -allow clvmd_t self:socket create_socket_perms; -allow clvmd_t self:fifo_file { read write }; -allow clvmd_t self:file { getattr read }; -allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow clvmd_t reserved_port_t:tcp_socket name_bind; -dontaudit clvmd_t reserved_port_type:tcp_socket name_bind; -dontaudit clvmd_t selinux_config_t:dir search; diff --git a/mls/domains/program/mailman.te b/mls/domains/program/mailman.te deleted file mode 100644 index 72fe6a75..00000000 --- a/mls/domains/program/mailman.te +++ /dev/null 
@@ -1,113 +0,0 @@ -#DESC Mailman - GNU Mailman mailing list manager -# -# Author: Russell Coker -# X-Debian-Packages: mailman - -type mailman_data_t, file_type, sysadmfile; -type mailman_archive_t, file_type, sysadmfile; - -type mailman_log_t, file_type, sysadmfile, logfile; -type mailman_lock_t, file_type, sysadmfile, lockfile; - -define(`mailman_domain', ` -type mailman_$1_t, domain, privlog $2; -type mailman_$1_exec_t, file_type, sysadmfile, exec_type; -role system_r types mailman_$1_t; -file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file) -allow mailman_$1_t mailman_log_t:dir rw_dir_perms; -create_dir_file(mailman_$1_t, mailman_data_t) -uses_shlib(mailman_$1_t) -can_exec_any(mailman_$1_t) -read_sysctl(mailman_$1_t) -allow mailman_$1_t proc_t:dir search; -allow mailman_$1_t proc_t:file { read getattr }; -allow mailman_$1_t var_lib_t:dir r_dir_perms; -allow mailman_$1_t var_lib_t:lnk_file read; -allow mailman_$1_t device_t:dir search; -allow mailman_$1_t etc_runtime_t:file { read getattr }; -read_locale(mailman_$1_t) -file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file) -allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; -allow mailman_$1_t fs_t:filesystem getattr; -can_network(mailman_$1_t) -allow mailman_$1_t smtp_port_t:tcp_socket name_connect; -can_ypbind(mailman_$1_t) -allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; -allow mailman_$1_t var_t:dir r_dir_perms; -tmp_domain(mailman_$1) -') - -mailman_domain(queue, `, auth_chkpwd, nscd_client_domain') -can_tcp_connect(mailman_queue_t, mail_server_domain) - -can_exec(mailman_queue_t, su_exec_t) -allow mailman_queue_t self:capability { setgid setuid }; -allow mailman_queue_t self:fifo_file rw_file_perms; -dontaudit mailman_queue_t var_run_t:dir search; -allow mailman_queue_t proc_t:lnk_file { getattr read }; - -# for su -dontaudit mailman_queue_t selinux_config_t:dir search; -allow mailman_queue_t self:dir search; -allow mailman_queue_t self:file 
{ getattr read }; -allow mailman_queue_t self:unix_dgram_socket create_socket_perms; -allow mailman_queue_t self:lnk_file { getattr read }; - -# some of the following could probably be changed to dontaudit, someone who -# knows mailman well should test this out and send the changes -allow mailman_queue_t sysadm_home_dir_t:dir { getattr search }; - -mailman_domain(mail) -dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write }; -allow mailman_mail_t mta_delivery_agent:fd use; -ifdef(`qmail.te', ` -allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; -# do we really need this? -allow mailman_mail_t qmail_lspawn_t:fifo_file write; -') - -create_dir_file(mailman_queue_t, mailman_archive_t) - -ifdef(`apache.te', ` -mailman_domain(cgi) -can_tcp_connect(mailman_cgi_t, mail_server_domain) - -domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t) -# should have separate types for public and private archives -r_dir_file(httpd_t, mailman_archive_t) -create_dir_file(mailman_cgi_t, mailman_archive_t) -allow httpd_t mailman_data_t:dir { getattr search }; - -dontaudit mailman_cgi_t httpd_log_t:file append; -allow httpd_t mailman_cgi_t:process signal; -allow mailman_cgi_t httpd_t:process sigchld; -allow mailman_cgi_t httpd_t:fd use; -allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl }; -allow mailman_cgi_t httpd_sys_script_t:dir search; -allow mailman_cgi_t devtty_t:chr_file { read write }; -allow mailman_cgi_t self:process { fork sigchld }; -allow mailman_cgi_t var_spool_t:dir search; -') - -allow mta_delivery_agent mailman_data_t:dir search; -allow mta_delivery_agent mailman_data_t:lnk_file read; -allow initrc_t mailman_data_t:lnk_file read; -allow initrc_t mailman_data_t:dir r_dir_perms; -domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t) -ifdef(`direct_sysadm_daemon', ` -domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t) -') -allow mailman_mail_t 
self:unix_dgram_socket create_socket_perms; - -system_crond_entry(mailman_queue_exec_t, mailman_queue_t) -allow mailman_queue_t devtty_t:chr_file { read write }; -allow mailman_queue_t self:process { fork signal sigchld }; -allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms; - -# so MTA can access /var/lib/mailman/mail/wrapper -allow mta_delivery_agent var_lib_t:dir search; - -# Handle mailman log files -rw_dir_create_file(logrotate_t, mailman_log_t) -allow logrotate_t mailman_data_t:dir search; -can_exec(logrotate_t, mailman_mail_exec_t) diff --git a/mls/domains/program/mdadm.te b/mls/domains/program/mdadm.te deleted file mode 100644 index 47f82e2d..00000000 --- a/mls/domains/program/mdadm.te +++ /dev/null 
@@ -1,43 +0,0 @@
-#DESC mdadm - Linux RAID tool
-#
-# Author: Colin Walters
-#
-
-daemon_base_domain(mdadm, `, fs_domain, privmail')
-role sysadm_r types mdadm_t;
-
-allow initrc_t mdadm_var_run_t:file create_file_perms;
-
-# Kernel filesystem permissions
-r_dir_file(mdadm_t, proc_t)
-allow mdadm_t proc_mdstat_t:file rw_file_perms;
-read_sysctl(mdadm_t)
-r_dir_file(mdadm_t, sysfs_t)
-
-# Configuration
-allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale(mdadm_t)
-
-# Linux capabilities
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-
-# Helper program access
-can_exec(mdadm_t, { bin_t sbin_t })
-
-# RAID block device access
-allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
-allow mdadm_t device_t:lnk_file { getattr read };
-
-# Ignore attempts to read every device file
-dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
-dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
-dontaudit mdadm_t devpts_t:dir r_dir_perms;
-
-# Ignore attempts to read/write sysadmin tty
-dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;
-
-# Other random ignores
-dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
-dontaudit mdadm_t initctl_t:fifo_file getattr;
-var_run_domain(mdadm)
-allow mdadm_t var_t:dir { getattr search };
diff --git a/mls/domains/program/modutil.te b/mls/domains/program/modutil.te
deleted file mode 100644
index a9345344..00000000
--- a/mls/domains/program/modutil.te
+++ /dev/null
@@ -1,243 +0,0 @@ -#DESC Modutil - Dynamic module utilities -# -# Authors: Stephen Smalley and Timothy Fraser -# X-Debian-Packages: modutils -# - -################################# -# -# Rules for the module utility domains. -# -type modules_dep_t, file_type, sysadmfile; -type modules_conf_t, file_type, sysadmfile; -type modules_object_t, file_type, sysadmfile; - - -ifdef(`IS_INITRD', `', ` -################################# -# -# Rules for the depmod_t domain. -# -type depmod_t, domain; -role system_r types depmod_t; -role sysadm_r types depmod_t; - -uses_shlib(depmod_t) - -r_dir_file(depmod_t, src_t) - -type depmod_exec_t, file_type, exec_type, sysadmfile; -domain_auto_trans(initrc_t, depmod_exec_t, depmod_t) -allow depmod_t { bin_t sbin_t }:dir search; -can_exec(depmod_t, depmod_exec_t) -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t) -') - -# Inherit and use descriptors from init and login programs. -allow depmod_t { init_t privfd }:fd use; - -allow depmod_t { etc_t etc_runtime_t }:file { getattr read }; -allow depmod_t { device_t proc_t }:dir search; -allow depmod_t proc_t:file { getattr read }; -allow depmod_t fs_t:filesystem getattr; - -# read system.map -allow depmod_t boot_t:dir search; -allow depmod_t boot_t:file { getattr read }; -allow depmod_t system_map_t:file { getattr read }; - -# Read conf.modules. -allow depmod_t modules_conf_t:file r_file_perms; - -# Create modules.dep. -file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file) - -# Read module objects. -allow depmod_t modules_object_t:dir r_dir_perms; -allow depmod_t modules_object_t:{ file lnk_file } r_file_perms; -allow depmod_t modules_object_t:file unlink; - -# Access terminals. -can_access_pty(depmod_t, initrc) -allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') - -# Read System.map from home directories. 
-allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms; -r_dir_file(depmod_t, { staff_home_t sysadm_home_t }) -')dnl end IS_INITRD - -################################# -# -# Rules for the insmod_t domain. -# - -type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain -; -role system_r types insmod_t; -role sysadm_r types insmod_t; -type insmod_exec_t, file_type, exec_type, sysadmfile; - -bool secure_mode_insmod false; - -can_ypbind(insmod_t) - -ifdef(`unlimitedUtils', ` -unconfined_domain(insmod_t) -') -uses_shlib(insmod_t) -read_locale(insmod_t) - -# for SSP -allow insmod_t urandom_device_t:chr_file read; -allow insmod_t lib_t:file { getattr read }; - -allow insmod_t { bin_t sbin_t }:dir search; -allow insmod_t { bin_t sbin_t }:lnk_file read; - -allow insmod_t self:dir search; -allow insmod_t self:lnk_file read; - -allow insmod_t usr_t:file { getattr read }; - -allow insmod_t privfd:fd use; -can_access_pty(insmod_t, initrc) -allow insmod_t admin_tty_type:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;') - -allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write }; - -allow insmod_t sound_device_t:chr_file { read ioctl write }; -allow insmod_t zero_device_t:chr_file read; -allow insmod_t memory_device_t:chr_file rw_file_perms; - -# Read module config and dependency information -allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; - -# Read module objects. 
-r_dir_file(insmod_t, modules_object_t) -# for locking -allow insmod_t modules_object_t:file write; - -allow insmod_t { var_t var_log_t }:dir search; -ifdef(`xserver.te', ` -allow insmod_t xserver_log_t:file getattr; -allow insmod_t xserver_misc_device_t:chr_file { read write }; -') -rw_dir_create_file(insmod_t, var_log_ksyms_t) -allow insmod_t { etc_t etc_runtime_t }:file { getattr read }; - -allow insmod_t self:udp_socket create_socket_perms; -allow insmod_t self:unix_dgram_socket create_socket_perms; -allow insmod_t self:unix_stream_socket create_stream_socket_perms; -allow insmod_t self:rawip_socket create_socket_perms; -allow insmod_t self:capability { dac_override kill net_raw sys_tty_config }; -allow insmod_t domain:process signal; -allow insmod_t self:process { fork signal_perms }; -allow insmod_t device_t:dir search; -allow insmod_t etc_runtime_t:file { getattr read }; - -# for loading modules at boot time -allow insmod_t { init_t initrc_t }:fd use; -allow insmod_t initrc_t:fifo_file { getattr read write }; - -allow insmod_t fs_t:filesystem getattr; -allow insmod_t sysfs_t:dir search; -allow insmod_t { usbfs_t usbdevfs_t }:dir search; -allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount; -r_dir_file(insmod_t, debugfs_t) - -# Rules for /proc/sys/kernel/tainted -read_sysctl(insmod_t) -allow insmod_t proc_t:dir search; -allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms }; - -allow insmod_t proc_t:file rw_file_perms; -allow insmod_t proc_t:lnk_file read; - -# Write to /proc/mtrr. -allow insmod_t mtrr_device_t:file write; - -# Read /proc/sys/kernel/hotplug. 
-allow insmod_t sysctl_hotplug_t:file { getattr read }; - -allow insmod_t device_t:dir read; -allow insmod_t devpts_t:dir { getattr search }; - -if (!secure_mode_insmod) { -domain_auto_trans(privmodule, insmod_exec_t, insmod_t) -allow insmod_t self:capability sys_module; -}dnl end if !secure_mode_insmod - -can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t }) -allow insmod_t devtty_t:chr_file rw_file_perms; -allow insmod_t privmodule:process sigchld; -dontaudit sysadm_t self:capability sys_module; - -ifdef(`mount.te', ` -# Run mount in the mount_t domain. -domain_auto_trans(insmod_t, mount_exec_t, mount_t) -') -# for when /var is not mounted early in the boot -dontaudit insmod_t file_t:dir search; - -# for nscd -dontaudit insmod_t var_run_t:dir search; - -ifdef(`crond.te', ` -rw_dir_create_file(system_crond_t, var_log_ksyms_t) -') - -ifdef(`IS_INITRD', `', ` -################################# -# -# Rules for the update_modules_t domain. -# -type update_modules_t, domain, privlog; -type update_modules_exec_t, file_type, exec_type, sysadmfile; - -role system_r types update_modules_t; -role sysadm_r types update_modules_t; - -domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t) -allow update_modules_t privfd:fd use; -allow update_modules_t init_t:fd use; - -allow update_modules_t device_t:dir { getattr search }; -allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms; -can_access_pty(update_modules_t, initrc) -allow update_modules_t admin_tty_type:chr_file rw_file_perms; - -can_exec(update_modules_t, insmod_exec_t) -allow update_modules_t urandom_device_t:chr_file { getattr read }; - -dontaudit update_modules_t sysadm_home_dir_t:dir search; - -uses_shlib(update_modules_t) -read_locale(update_modules_t) -allow update_modules_t lib_t:file { getattr read }; -allow update_modules_t self:process { fork sigchld }; -allow update_modules_t self:fifo_file rw_file_perms; -allow update_modules_t self:file { 
getattr read }; -allow update_modules_t modules_dep_t:file rw_file_perms; -file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file) -domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) -can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t }) -allow update_modules_t { sbin_t bin_t }:lnk_file read; -allow update_modules_t { sbin_t bin_t }:dir search; -allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms; -allow update_modules_t etc_t:lnk_file read; -allow update_modules_t fs_t:filesystem getattr; - -allow update_modules_t proc_t:dir search; -allow update_modules_t proc_t:file r_file_perms; -allow update_modules_t { self proc_t }:lnk_file read; -read_sysctl(update_modules_t) -allow update_modules_t self:dir search; -allow update_modules_t self:unix_stream_socket create_socket_perms; - -file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file) - -tmp_domain(update_modules) -')dnl end IS_INITRD diff --git a/mls/domains/program/mount.te b/mls/domains/program/mount.te deleted file mode 100644 index b76bf523..00000000 --- a/mls/domains/program/mount.te +++ /dev/null 
@@ -1,90 +0,0 @@
-#DESC Mount - Filesystem mount utilities
-#
-# Macros for mount
-#
-# Author: Brian May
-# X-Debian-Packages: mount
-#
-# based on the work of:
-# Mark Westerman mark.westerman@csoconline.com
-#
-
-type mount_exec_t, file_type, sysadmfile, exec_type;
-
-mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
-mount_loopback_privs(sysadm, mount)
-role sysadm_r types mount_t;
-role system_r types mount_t;
-
-can_access_pty(mount_t, initrc)
-allow mount_t console_device_t:chr_file { read write };
-
-domain_auto_trans(initrc_t, mount_exec_t, mount_t)
-allow mount_t init_t:fd use;
-allow mount_t privfd:fd use;
-
-allow mount_t self:capability { dac_override ipc_lock sys_tty_config };
-allow mount_t self:process { fork signal_perms };
-
-allow mount_t file_type:dir search;
-
-# Access disk devices.
-allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow mount_t removable_device_t:devfile_class_set rw_file_perms;
-allow mount_t device_t:lnk_file read;
-
-# for when /etc/mtab loses its type
-allow mount_t file_t:file { getattr read unlink };
-
-# Mount, remount and unmount file systems.
-allow mount_t fs_type:filesystem mount_fs_perms;
-allow mount_t mount_point:dir mounton;
-allow mount_t nfs_t:dir search;
-allow mount_t sysctl_t:dir search;
-
-allow mount_t root_t:filesystem unmount;
-
-can_portmap(mount_t)
-
-ifdef(`portmap.te', `
-# for nfs
-can_network(mount_t)
-allow mount_t port_type:tcp_socket name_connect;
-can_ypbind(mount_t)
-allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
-allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-can_udp_send(mount_t, portmap_t)
-can_udp_send(portmap_t, mount_t)
-allow mount_t rpc_pipefs_t:dir search;
-')
-dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
-
-#
-# required for mount.smbfs
-#
-allow mount_t sbin_t:lnk_file { getattr read };
-
-rhgb_domain(mount_t)
-
-# for localization
-allow mount_t lib_t:file { getattr read };
-allow mount_t autofs_t:dir read;
-allow mount_t fs_type:filesystem relabelfrom;
-#
-# This rule needs to be generalized. Only admin, initrc should have it.
-#
-allow mount_t file_type:filesystem { unmount mount relabelto };
-
-allow mount_t mnt_t:dir getattr;
-dontaudit mount_t kernel_t:fd use;
-allow mount_t userdomain:fd use;
-can_exec(mount_t, { sbin_t bin_t })
-allow mount_t device_t:dir r_dir_perms;
-allow mount_t tmpfs_t:chr_file { read write };
-
-# tries to read /init
-dontaudit mount_t root_t:file { getattr read };
-
-allow kernel_t mount_t:tcp_socket { read write };
-allow mount_t self:capability { setgid setuid };
-allow mount_t proc_t:lnk_file read;
diff --git a/mls/domains/program/mrtg.te b/mls/domains/program/mrtg.te
deleted file mode 100644
index e44889d4..00000000
--- a/mls/domains/program/mrtg.te
+++ /dev/null
@@ -1,100 +0,0 @@ -#DESC MRTG - Network traffic graphing -# -# Author: Russell Coker -# X-Debian-Packages: mrtg -# - -################################# -# -# Rules for the mrtg_t domain. -# -# mrtg_exec_t is the type of the mrtg executable. -# -daemon_base_domain(mrtg) - -allow mrtg_t fs_t:filesystem getattr; - -ifdef(`crond.te', ` -system_crond_entry(mrtg_exec_t, mrtg_t) -allow system_crond_t mrtg_log_t:dir rw_dir_perms; -allow system_crond_t mrtg_log_t:file { create append getattr }; -') - -allow mrtg_t usr_t:{ file lnk_file } { getattr read }; -dontaudit mrtg_t usr_t:file ioctl; - -logdir_domain(mrtg) -etcdir_domain(mrtg) -typealias mrtg_etc_t alias etc_mrtg_t; -type mrtg_var_lib_t, file_type, sysadmfile; -typealias mrtg_var_lib_t alias var_lib_mrtg_t; -type mrtg_lock_t, file_type, sysadmfile, lockfile; -r_dir_file(mrtg_t, lib_t) - -# Use the network. -can_network_client(mrtg_t) -allow mrtg_t port_type:tcp_socket name_connect; -can_ypbind(mrtg_t) - -allow mrtg_t self:fifo_file { getattr read write ioctl }; -allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms; -allow mrtg_t urandom_device_t:chr_file { getattr read }; -allow mrtg_t self:unix_stream_socket create_socket_perms; -ifdef(`apache.te', ` -rw_dir_create_file(mrtg_t, httpd_sys_content_t) -') - -can_exec(mrtg_t, { shell_exec_t bin_t sbin_t }) -allow mrtg_t { bin_t sbin_t }:dir { getattr search }; -allow mrtg_t bin_t:lnk_file read; -allow mrtg_t var_t:dir { getattr search }; - -ifdef(`snmpd.te', ` -can_udp_send(mrtg_t, snmpd_t) -can_udp_send(snmpd_t, mrtg_t) -r_dir_file(mrtg_t, snmpd_var_lib_t) -') - -allow mrtg_t proc_net_t:dir search; -allow mrtg_t { proc_t proc_net_t }:file { read getattr }; -dontaudit mrtg_t proc_t:file ioctl; - -allow mrtg_t { var_lock_t var_lib_t }:dir search; -rw_dir_create_file(mrtg_t, mrtg_var_lib_t) -rw_dir_create_file(mrtg_t, mrtg_lock_t) -ifdef(`distro_redhat', ` -file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file) -') - -# read config files -allow mrtg_t 
etc_t:file { read getattr }; -dontaudit mrtg_t mrtg_etc_t:dir write; -dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; -read_locale(mrtg_t) - -# for /.autofsck -dontaudit mrtg_t root_t:file getattr; - -dontaudit mrtg_t security_t:dir getattr; - -read_sysctl(mrtg_t) - -# for uptime -allow mrtg_t var_run_t:dir search; -allow mrtg_t initrc_var_run_t:file { getattr read }; -dontaudit mrtg_t initrc_var_run_t:file { write lock }; -allow mrtg_t etc_runtime_t:file { getattr read }; - -allow mrtg_t tmp_t:dir getattr; - -# should not need this! -dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; -dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; -ifdef(`quota.te', ` -dontaudit mrtg_t quota_db_t:file getattr; -') -dontaudit mrtg_t root_t:lnk_file getattr; - -allow mrtg_t self:capability { setgid setuid }; -ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)') -allow mrtg_t var_spool_t:dir search; diff --git a/mls/domains/program/mta.te b/mls/domains/program/mta.te deleted file mode 100644 index 55e7ca9d..00000000 --- a/mls/domains/program/mta.te +++ /dev/null 
@@ -1,81 +0,0 @@
-#DESC MTA - Mail agents
-#
-# Author: Russell Coker
-# X-Debian-Packages: postfix exim sendmail sendmail-wide
-#
-# policy for all mail servers, including allowing user to send mail from the
-# command-line and for cron jobs to use sendmail -t
-
-#
-# sendmail_exec_t is the type of /usr/sbin/sendmail
-#
-# define sendmail_exec_t if sendmail.te does not do it for us
-ifdef(`sendmail.te', `', `
-type sendmail_exec_t, file_type, exec_type, sysadmfile;
-')
-
-# create a system_mail_t domain for daemons, init scripts, etc when they run
-# "mail user@domain"
-mail_domain(system)
-
-ifdef(`targeted_policy', `
-# rules are currently defined in sendmail.te, but it is not included in
-# targeted policy. We could move these rules permanantly here.
-ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
-allow system_mail_t self:dir search;
-allow system_mail_t self:lnk_file read;
-r_dir_file(system_mail_t, { proc_t proc_net_t })
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t { var_t var_spool_t }:dir getattr;
-create_dir_file(system_mail_t, mqueue_spool_t)
-create_dir_file(system_mail_t, mail_spool_t)
-allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-allow system_mail_t etc_mail_t:file { getattr read };
-
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t)
-', `
-ifdef(`sendmail.te', `
-# sendmail has an ugly design, the one process parses input from the user and
-# then does system things with it. But the sendmail_launch_t domain works
-# around this.
-domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
-')
-allow initrc_t sendmail_exec_t:lnk_file { getattr read };
-
-# allow the sysadmin to do "mail someone < /home/user/whatever"
-allow sysadm_mail_t user_home_dir_type:dir search;
-r_dir_file(sysadm_mail_t, user_home_type)
-')
-# for a mail server process that does things in response to a user command
-allow mta_user_agent userdomain:process sigchld;
-allow mta_user_agent { userdomain privfd }:fd use;
-ifdef(`crond.te', `
-allow mta_user_agent crond_t:process sigchld;
-')
-allow mta_user_agent sysadm_t:fifo_file { read write };
-
-allow { system_mail_t mta_user_agent } privmail:fd use;
-allow { system_mail_t mta_user_agent } privmail:process sigchld;
-allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
-allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
-
-allow mta_delivery_agent home_root_t:dir { getattr search };
-
-# for /var/spool/mail
-ra_dir_create_file(mta_delivery_agent, mail_spool_t)
-
-# for piping mail to a command
-can_exec(mta_delivery_agent, shell_exec_t)
-allow mta_delivery_agent bin_t:dir search;
-allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
-
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
-ifdef(`targeted_policy', `
-typealias system_mail_t alias sysadm_mail_t;
-')
-
diff --git a/mls/domains/program/mysqld.te b/mls/domains/program/mysqld.te
deleted file mode 100644
index 637359fa..00000000
--- a/mls/domains/program/mysqld.te
+++ /dev/null
@@ -1,94 +0,0 @@ -#DESC Mysqld - Database server -# -# Author: Russell Coker -# X-Debian-Packages: mysql-server -# - -################################# -# -# Rules for the mysqld_t domain. -# -# mysqld_exec_t is the type of the mysqld executable. -# -daemon_domain(mysqld, `, nscd_client_domain') - -allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect }; - -allow mysqld_t mysqld_var_run_t:sock_file create_file_perms; - -etcdir_domain(mysqld) -type mysqld_db_t, file_type, sysadmfile; - -log_domain(mysqld) - -# for temporary tables -tmp_domain(mysqld) - -allow mysqld_t usr_t:file { getattr read }; - -allow mysqld_t self:fifo_file { read write }; -allow mysqld_t self:unix_stream_socket create_stream_socket_perms; -allow initrc_t mysqld_t:unix_stream_socket connectto; -allow initrc_t mysqld_var_run_t:sock_file write; - -allow initrc_t mysqld_log_t:file { write append setattr ioctl }; - -allow mysqld_t self:capability { dac_override setgid setuid net_bind_service sys_resource }; -allow mysqld_t self:process { setrlimit setsched getsched }; - -allow mysqld_t proc_t:file { getattr read }; - -# Allow access to the mysqld databases -create_dir_file(mysqld_t, mysqld_db_t) -file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file }) - -can_network(mysqld_t) -can_ypbind(mysqld_t) - -# read config files -r_dir_file(initrc_t, mysqld_etc_t) -allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; - -allow mysqld_t etc_t:dir search; - -read_sysctl(mysqld_t) - -can_unix_connect(sysadm_t, mysqld_t) - -# for /root/.my.cnf - should not be needed -allow mysqld_t sysadm_home_dir_t:dir search; -allow mysqld_t sysadm_home_t:file { read getattr }; - -ifdef(`logrotate.te', ` -r_dir_file(logrotate_t, mysqld_etc_t) -allow logrotate_t mysqld_db_t:dir search; -allow logrotate_t mysqld_var_run_t:dir search; -allow logrotate_t mysqld_var_run_t:sock_file write; -can_unix_connect(logrotate_t, mysqld_t) -') - -ifdef(`daemontools.te', ` -domain_auto_trans( 
svc_run_t, mysqld_exec_t, mysqld_t) -allow svc_start_t mysqld_t:process signal; -svc_ipc_domain(mysqld_t) -')dnl end ifdef daemontools - -ifdef(`distro_redhat', ` -allow initrc_t mysqld_db_t:dir create_dir_perms; - -# because Fedora has the sock_file in the database directory -file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) -') -ifdef(`targeted_policy', `', ` -bool allow_user_mysql_connect false; - -if (allow_user_mysql_connect) { -allow userdomain mysqld_var_run_t:dir search; -allow userdomain mysqld_var_run_t:sock_file write; -} -') - -ifdef(`crond.te', ` -allow system_crond_t mysqld_etc_t:file { getattr read }; -') -allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/mls/domains/program/named.te b/mls/domains/program/named.te deleted file mode 100644 index 5a428774..00000000 --- a/mls/domains/program/named.te +++ /dev/null 
@@ -1,184 +0,0 @@ -#DESC BIND - Name server -# -# Authors: Yuichi Nakamura , -# Russell Coker -# X-Debian-Packages: bind bind9 -# -# - -################################# -# -# Rules for the named_t domain. -# - -daemon_domain(named, `, nscd_client_domain') -tmp_domain(named) - -type named_checkconf_exec_t, file_type, exec_type, sysadmfile; -domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t) - -# For /var/run/ndc used in BIND 8 -file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file) - -# ndc_t is the domain for the ndc program -type ndc_t, domain, privlog, nscd_client_domain; -role sysadm_r types ndc_t; -role system_r types ndc_t; - -ifdef(`targeted_policy', ` -dontaudit ndc_t root_t:file { getattr read }; -dontaudit ndc_t unlabeled_t:file { getattr read }; -') - -can_exec(named_t, named_exec_t) -allow named_t sbin_t:dir search; - -allow named_t self:process { setsched setcap setrlimit }; - -# A type for configuration files of named. -type named_conf_t, file_type, sysadmfile, mount_point; - -# for primary zone files -type named_zone_t, file_type, sysadmfile; - -# for secondary zone files -type named_cache_t, file_type, sysadmfile; - -# for DNSSEC key files -type dnssec_t, file_type, sysadmfile, secure_file_type; -allow { ndc_t named_t } dnssec_t:file { getattr read }; - -# Use capabilities. Surplus capabilities may be allowed. -allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource }; - -allow named_t etc_t:file { getattr read }; -allow named_t etc_runtime_t:{ file lnk_file } { getattr read }; - -#Named can use network -can_network(named_t) -allow named_t port_type:tcp_socket name_connect; -can_ypbind(named_t) -# allow UDP transfer to/from any program -can_udp_send(domain, named_t) -can_udp_send(named_t, domain) -can_tcp_connect(domain, named_t) -log_domain(named) - -# Bind to the named port. 
-allow named_t dns_port_t:udp_socket name_bind; -allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind; - -bool named_write_master_zones false; - -#read configuration files -r_dir_file(named_t, named_conf_t) - -if (named_write_master_zones) { -#create and modify zone files -create_dir_file(named_t, named_zone_t) -} -#read zone files -r_dir_file(named_t, named_zone_t) - -#write cache for secondary zones -rw_dir_create_file(named_t, named_cache_t) - -allow named_t self:unix_stream_socket create_stream_socket_perms; -allow named_t self:unix_dgram_socket create_socket_perms; -allow named_t self:netlink_route_socket r_netlink_socket_perms; - -# Read sysctl kernel variables. -read_sysctl(named_t) - -# Read /proc/cpuinfo and /proc/net -r_dir_file(named_t, proc_t) -r_dir_file(named_t, proc_net_t) - -# Read /dev/random. -allow named_t device_t:dir r_dir_perms; -allow named_t random_device_t:chr_file r_file_perms; - -# Use a pipe created by self. -allow named_t self:fifo_file rw_file_perms; - -# Enable named dbus support: -ifdef(`dbusd.te', ` -dbusd_client(system, named) -domain_auto_trans(system_dbusd_t, named_exec_t, named_t) -allow named_t system_dbusd_t:dbus { acquire_svc send_msg }; -allow named_t self:dbus send_msg; -allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg; -allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg; -ifdef(`unconfined.te', ` -allow unconfined_t named_t:dbus send_msg; -allow named_t unconfined_t:dbus send_msg; -') -') - - -# Set own capabilities. 
-#A type for /usr/sbin/ndc -type ndc_exec_t, file_type,sysadmfile, exec_type; -domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t) -uses_shlib(ndc_t) -can_network_client_tcp(ndc_t) -allow ndc_t rndc_port_t:tcp_socket name_connect; -can_ypbind(ndc_t) -can_resolve(ndc_t) -read_locale(ndc_t) -can_tcp_connect(ndc_t, named_t) - -ifdef(`distro_redhat', ` -# for /etc/rndc.key -allow { ndc_t initrc_t } named_conf_t:dir search; -# Allow init script to cp localtime to named_conf_t -allow initrc_t named_conf_t:file { setattr write }; -allow initrc_t named_conf_t:dir create_dir_perms; -allow initrc_t var_run_t:lnk_file create_file_perms; -ifdef(`automount.te', ` -# automount has no need to search the /proc file system for the named chroot -dontaudit automount_t named_zone_t:dir search; -')dnl end ifdef automount.te -')dnl end ifdef distro_redhat - -allow { ndc_t initrc_t } named_conf_t:file { getattr read }; - -allow ndc_t etc_t:dir r_dir_perms; -allow ndc_t etc_t:file r_file_perms; -allow ndc_t self:unix_stream_socket create_stream_socket_perms; -allow ndc_t self:unix_stream_socket connect; -allow ndc_t self:capability { dac_override net_admin }; -allow ndc_t var_t:dir search; -allow ndc_t var_run_t:dir search; -allow ndc_t named_var_run_t:sock_file rw_file_perms; -allow ndc_t named_t:unix_stream_socket connectto; -allow ndc_t { privfd init_t }:fd use; -# seems to need read as well for some reason -allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write }; -allow ndc_t fs_t:filesystem getattr; - -# Read sysctl kernel variables. 
-read_sysctl(ndc_t) - -allow ndc_t self:process { fork signal_perms }; -allow ndc_t self:fifo_file { read write getattr ioctl }; -allow ndc_t named_zone_t:dir search; - -# for chmod in start script -dontaudit initrc_t named_var_run_t:dir setattr; - -# for ndc_t to be used for restart shell scripts -ifdef(`ndc_shell_script', ` -system_crond_entry(ndc_exec_t, ndc_t) -allow ndc_t devtty_t:chr_file { read write ioctl }; -allow ndc_t etc_runtime_t:file { getattr read }; -allow ndc_t proc_t:dir search; -allow ndc_t proc_t:file { getattr read }; -can_exec(ndc_t, { bin_t sbin_t shell_exec_t }) -allow ndc_t named_var_run_t:file getattr; -allow ndc_t named_zone_t:dir { read getattr }; -allow ndc_t named_zone_t:file getattr; -dontaudit ndc_t sysadm_home_t:dir { getattr search read }; -') -allow ndc_t self:netlink_route_socket r_netlink_socket_perms; -dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl }; diff --git a/mls/domains/program/netutils.te b/mls/domains/program/netutils.te deleted file mode 100644 index 8dcbdf11..00000000 --- a/mls/domains/program/netutils.te +++ /dev/null 
@@ -1,64 +0,0 @@
-#DESC Netutils - Network utilities
-#
-# Authors: Stephen Smalley
-# X-Debian-Packages: netbase iputils arping tcpdump
-#
-
-#
-# Rules for the netutils_t domain.
-# This domain is for network utilities that require access to
-# special protocol families.
-#
-type netutils_t, domain, privlog;
-type netutils_exec_t, file_type, sysadmfile, exec_type;
-role system_r types netutils_t;
-role sysadm_r types netutils_t;
-
-uses_shlib(netutils_t)
-can_network(netutils_t)
-allow netutils_t port_type:tcp_socket name_connect;
-can_ypbind(netutils_t)
-tmp_domain(netutils)
-
-domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
-')
-
-# Inherit and use descriptors from init.
-allow netutils_t { userdomain init_t }:fd use;
-
-allow netutils_t self:process { fork signal_perms };
-
-# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-
-# Create and use netlink sockets.
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-
-# Create and use packet sockets.
-allow netutils_t self:packet_socket create_socket_perms;
-
-# Create and use UDP sockets.
-allow netutils_t self:udp_socket create_socket_perms;
-
-# Create and use TCP sockets.
-allow netutils_t self:tcp_socket create_socket_perms;
-
-allow netutils_t self:unix_stream_socket create_socket_perms;
-
-# Read certain files in /etc
-allow netutils_t etc_t:file r_file_perms;
-read_locale(netutils_t)
-
-allow netutils_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow netutils_t privfd:fd use;
-can_access_pty(netutils_t, initrc)
-allow netutils_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
-allow netutils_t proc_t:dir search;
-
-# for nscd
-dontaudit netutils_t var_t:dir search;
diff --git a/mls/domains/program/newrole.te b/mls/domains/program/newrole.te
deleted file mode 100644
index 207274d9..00000000
--- a/mls/domains/program/newrole.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC Newrole - SELinux utility to run a shell with a new role
-#
-# Authors: Anthony Colatrella (NSA)
-# Maintained by Stephen Smalley
-# X-Debian-Packages: policycoreutils
-#
-
-# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
-bool secure_mode false;
-
-type newrole_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
-
-newrole_domain(newrole)
-
-# Write to utmp.
-allow newrole_t var_run_t:dir r_dir_perms;
-allow newrole_t initrc_var_run_t:file rw_file_perms;
-
-role secadm_r types newrole_t;
-
-ifdef(`targeted_policy', `
-typeattribute newrole_t unconfinedtrans;
-')
diff --git a/mls/domains/program/nscd.te b/mls/domains/program/nscd.te
deleted file mode 100644
index 8e899c74..00000000
--- a/mls/domains/program/nscd.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC NSCD - Name service cache daemon cache lookup of user-name
-#
-# Author: Russell Coker
-# X-Debian-Packages: nscd
-#
-define(`nscd_socket_domain', `
-can_unix_connect($1, nscd_t)
-allow $1 nscd_var_run_t:sock_file rw_file_perms;
-allow $1 { var_run_t var_t }:dir search;
-allow $1 nscd_t:nscd { getpwd getgrp gethost };
-dontaudit $1 nscd_t:fd use;
-dontaudit $1 nscd_var_run_t:dir { search getattr };
-dontaudit $1 nscd_var_run_t:file { getattr read };
-dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-')
-#################################
-#
-# Rules for the nscd_t domain.
-#
-# nscd is both the client program and the daemon.
-daemon_domain(nscd, `, userspace_objmgr')
-
-allow nscd_t etc_t:file r_file_perms;
-allow nscd_t etc_t:lnk_file read;
-can_network_client(nscd_t)
-allow nscd_t port_type:tcp_socket name_connect;
-can_ypbind(nscd_t)
-
-file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
-
-allow nscd_t self:unix_stream_socket create_stream_socket_perms;
-
-nscd_socket_domain(nscd_client_domain)
-nscd_socket_domain(daemon)
-
-# Clients that are allowed to map the database via a fd obtained from nscd.
-nscd_socket_domain(nscd_shmem_domain)
-allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
-allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
-# Receive fd from nscd and map the backing file with read access.
-allow nscd_shmem_domain nscd_t:fd use;
-
-# For client program operation, invoked from sysadm_t.
-# Transition occurs to nscd_t due to direct_sysadm_daemon.
-allow nscd_t self:nscd { admin getstat };
-allow nscd_t admin_tty_type:chr_file rw_file_perms;
-
-read_sysctl(nscd_t)
-allow nscd_t self:process { getattr setsched };
-allow nscd_t self:unix_dgram_socket create_socket_perms;
-allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service };
-
-# for when /etc/passwd has just been updated and has the wrong type
-allow nscd_t shadow_t:file getattr;
-
-dontaudit nscd_t sysadm_home_dir_t:dir search;
-
-ifdef(`winbind.te', `
-#
-# Handle winbind for samba, Might only be needed for targeted policy
-#
-allow nscd_t winbind_var_run_t:sock_file { read write getattr };
-can_unix_connect(nscd_t, winbind_t)
-allow nscd_t samba_var_t:dir search;
-allow nscd_t winbind_var_run_t:dir { getattr search };
-')
-
-r_dir_file(nscd_t, selinux_config_t)
-can_getsecurity(nscd_t)
-allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
-log_domain(nscd)
-r_dir_file(nscd_t, cert_t)
-allow nscd_t tun_tap_device_t:chr_file { read write };
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/mls/domains/program/ntpd.te b/mls/domains/program/ntpd.te
deleted file mode 100644
index 23042c40..00000000
--- a/mls/domains/program/ntpd.te
+++ /dev/null
@@ -1,88 +0,0 @@
-#DESC NTPD - Time synchronisation daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: ntp ntp-simple
-#
-
-#################################
-#
-# Rules for the ntpd_t domain.
-#
-daemon_domain(ntpd, `, nscd_client_domain')
-type ntp_drift_t, file_type, sysadmfile;
-
-type ntpdate_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
-
-logdir_domain(ntpd)
-
-allow ntpd_t var_lib_t:dir r_dir_perms;
-allow ntpd_t usr_t:file r_file_perms;
-# reading /usr/share/ssl/cert.pem requires
-allow ntpd_t usr_t:lnk_file read;
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
-
-# for SSP
-allow ntpd_t urandom_device_t:chr_file { getattr read };
-
-# sys_resource and setrlimit is for locking memory
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { fsetid net_admin };
-allow ntpd_t self:process { setcap setsched setrlimit };
-# ntpdate wants sys_nice
-
-# for some reason it creates a file in /tmp
-tmp_domain(ntpd)
-
-allow ntpd_t etc_t:dir r_dir_perms;
-allow ntpd_t etc_t:file { read getattr };
-
-# Use the network.
-can_network(ntpd_t)
-allow ntpd_t ntp_port_t:tcp_socket name_connect;
-can_ypbind(ntpd_t)
-allow ntpd_t ntp_port_t:udp_socket name_bind;
-allow sysadm_t ntp_port_t:udp_socket name_bind;
-allow ntpd_t self:unix_dgram_socket create_socket_perms;
-allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so the start script can change firewall entries
-allow initrc_t net_conf_t:file { getattr read ioctl };
-
-# for cron jobs
-# system_crond_t is not right, cron is not doing what it should
-ifdef(`crond.te', `
-system_crond_entry(ntpdate_exec_t, ntpd_t)
-')
-
-can_exec(ntpd_t, initrc_exec_t)
-allow ntpd_t self:fifo_file { read write getattr };
-allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
-allow ntpd_t { sbin_t bin_t }:dir search;
-allow ntpd_t bin_t:lnk_file read;
-read_sysctl(ntpd_t);
-allow ntpd_t proc_t:file r_file_perms;
-allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
-allow ntpd_t self:file { getattr read };
-dontaudit ntpd_t domain:dir search;
-ifdef(`logrotate.te', `
-can_exec(ntpd_t, logrotate_exec_t)
-')
-
-allow ntpd_t devtty_t:chr_file rw_file_perms;
-
-can_udp_send(ntpd_t, sysadm_t)
-can_udp_send(sysadm_t, ntpd_t)
-can_udp_send(ntpd_t, ntpd_t)
-ifdef(`firstboot.te', `
-dontaudit ntpd_t firstboot_t:fd use;
-')
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
-# For clock devices like wwvb1
-allow ntpd_t device_t:lnk_file read;
diff --git a/mls/domains/program/openct.te b/mls/domains/program/openct.te
deleted file mode 100644
index 244fc2fb..00000000
--- a/mls/domains/program/openct.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#DESC openct - read files in page cache
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for openct
-#
-
-daemon_domain(openct)
-#
-# openct asks for these
-#
-rw_dir_file(openct_t, usbfs_t)
-allow openct_t etc_t:file r_file_perms;
diff --git a/mls/domains/program/orbit.te b/mls/domains/program/orbit.te
deleted file mode 100644
index dad353b7..00000000
--- a/mls/domains/program/orbit.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# ORBit related types
-#
-# Author: Ivan Gyurdiev
-#
-
-# Look in orbit_macros.te
diff --git a/mls/domains/program/pam.te b/mls/domains/program/pam.te
deleted file mode 100644
index 2d712229..00000000
--- a/mls/domains/program/pam.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC Pam - PAM
-# X-Debian-Packages:
-#
-# /sbin/pam_timestamp_check
-type pam_exec_t, file_type, exec_type, sysadmfile;
-type pam_t, domain, privlog, nscd_client_domain;
-general_domain_access(pam_t);
-
-type pam_var_run_t, file_type, sysadmfile;
-allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
-allow pam_t pam_var_run_t:file { getattr read unlink };
-
-role system_r types pam_t;
-in_user_role(pam_t)
-domain_auto_trans(userdomain, pam_exec_t, pam_t)
-
-uses_shlib(pam_t)
-# Read the devpts root directory.
-allow pam_t devpts_t:dir r_dir_perms;
-
-# Access terminals.
-allow pam_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
-
-allow pam_t proc_t:dir search;
-allow pam_t proc_t:{ lnk_file file } { getattr read };
-
-# Read the /etc/nsswitch file
-allow pam_t etc_t:file r_file_perms;
-
-# Read /var/run.
-allow pam_t { var_t var_run_t }:dir r_dir_perms;
-tmp_domain(pam)
-
-allow pam_t local_login_t:fd use;
-dontaudit pam_t self:capability sys_tty_config;
-
-allow initrc_t pam_var_run_t:dir rw_dir_perms;
-allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file rw_file_perms;
-
-# Supress xdm denial
-ifdef(`xdm.te', `
-dontaudit pam_t xdm_t:fd use;
-') dnl ifdef
diff --git a/mls/domains/program/pamconsole.te b/mls/domains/program/pamconsole.te
deleted file mode 100644
index 06100631..00000000
--- a/mls/domains/program/pamconsole.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Pamconsole - PAM console
-# X-Debian-Packages:
-#
-# pam_console_apply
-
-daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread, mlsfilewrite')
-
-type pam_var_console_t, file_type, sysadmfile;
-
-allow pam_console_t etc_t:file { getattr read ioctl };
-allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
-
-# Read /etc/mtab
-allow pam_console_t etc_runtime_t:file { read getattr };
-
-# Read /proc/meminfo
-allow pam_console_t proc_t:file { read getattr };
-
-allow pam_console_t self:capability { chown fowner fsetid };
-
-# Allow access to /dev/console through the fd:
-allow pam_console_t console_device_t:chr_file { read write setattr };
-allow pam_console_t { kernel_t init_t }:fd use;
-
-# for /var/run/console.lock checking
-allow pam_console_t { var_t var_run_t }:dir search;
-r_dir_file(pam_console_t, pam_var_console_t)
-dontaudit pam_console_t pam_var_console_t:file write;
-
-# Allow to set attributes on /dev entries
-allow pam_console_t device_t:dir { getattr read };
-allow pam_console_t device_t:lnk_file { getattr read };
-# mouse_device_t is for joy sticks
-allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
-allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
-
-allow pam_console_t mnt_t:dir r_dir_perms;
-
-ifdef(`gpm.te', `
-allow pam_console_t gpmctl_t:sock_file { getattr setattr };
-')
-ifdef(`hotplug.te', `
-dontaudit pam_console_t hotplug_etc_t:dir search;
-allow pam_console_t hotplug_t:fd use;
-')
-ifdef(`xdm.te', `
-allow pam_console_t xdm_var_run_t:file { getattr read };
-')
-allow initrc_t pam_var_console_t:dir rw_dir_perms;
-allow initrc_t pam_var_console_t:file unlink;
-allow pam_console_t file_context_t:file { getattr read };
-nsswitch_domain(pam_console_t)
diff --git a/mls/domains/program/passwd.te b/mls/domains/program/passwd.te
deleted file mode 100644
index e002c090..00000000
--- a/mls/domains/program/passwd.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#DESC Passwd - Password utilities
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`base_passwd_domain', `
-type $1_t, domain, privlog, $2;
-
-# for SSP
-allow $1_t urandom_device_t:chr_file read;
-
-allow $1_t self:process setrlimit;
-
-general_domain_access($1_t);
-uses_shlib($1_t);
-
-# Inherit and use descriptors from login.
-allow $1_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-read_locale($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# allow checking if a shell is executable
-allow $1_t shell_exec_t:file execute;
-
-# Obtain contexts
-can_getsecurity($1_t)
-
-allow $1_t etc_t:file create_file_perms;
-
-# read /etc/mtab
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Allow etc_t symlinks for /etc/alternatives on Debian.
-allow $1_t etc_t:lnk_file read;
-
-# Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-dontaudit $1_t devpts_t:dir getattr;
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it. Do not audit write denials to utmp.
-dontaudit $1_t initrc_var_run_t:file { read write };
-
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
-
-# When the wrong current passwd is entered, passwd, for some reason,
-# attempts to access /proc and /dev, but handles failure appropriately. So
-# do not audit those denials.
-dontaudit $1_t { proc_t device_t }:dir { search read };
-
-allow $1_t device_t:dir getattr;
-read_sysctl($1_t)
-')
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`passwd_domain', `
-base_passwd_domain($1, `auth_write, privowner')
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate($1_t)
-')
-
-passwd_domain(passwd)
-passwd_domain(sysadm_passwd)
-base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
-can_setfscreate(chfn_t)
-
-# can exec /sbin/unix_chkpwd
-allow chfn_t { bin_t sbin_t }:dir search;
-
-# uses unix_chkpwd for checking passwords
-dontaudit chfn_t shadow_t:file read;
-allow chfn_t etc_t:dir rw_dir_perms;
-allow chfn_t etc_t:file create_file_perms;
-allow chfn_t proc_t:file { getattr read };
-allow chfn_t self:file write;
-
-in_user_role(passwd_t)
-in_user_role(chfn_t)
-role sysadm_r types passwd_t;
-role sysadm_r types sysadm_passwd_t;
-role sysadm_r types chfn_t;
-role system_r types passwd_t;
-role system_r types chfn_t;
-
-type admin_passwd_exec_t, file_type, sysadmfile;
-type passwd_exec_t, file_type, sysadmfile, exec_type;
-type chfn_exec_t, file_type, sysadmfile, exec_type;
-
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-dontaudit chfn_t var_t:dir search;
-
-ifdef(`crack.te', `
-allow passwd_t var_t:dir search;
-dontaudit passwd_t var_run_t:dir search;
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-', `
-dontaudit passwd_t var_t:dir search;
-')
-
-# allow vipw to exec the editor
-allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
-allow sysadm_passwd_t bin_t:lnk_file read;
-can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
-r_dir_file(sysadm_passwd_t, usr_t)
-
-# allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t var_t:dir search;
-tmp_domain(sysadm_passwd)
-# for vipw - vi looks in the root home directory for config
-dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
-# for /etc/alternatives/vi
-allow sysadm_passwd_t etc_t:lnk_file read;
-
-# for nscd lookups
-dontaudit sysadm_passwd_t var_run_t:dir search;
-
-# for /proc/meminfo
-allow sysadm_passwd_t proc_t:file { getattr read };
-
-dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
-dontaudit sysadm_passwd_t devpts_t:dir search;
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file { getattr read };
-allow passwd_t userdomain:process getattr;
-
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
-')
diff --git a/mls/domains/program/pegasus.te b/mls/domains/program/pegasus.te
deleted file mode 100644
index 3272074e..00000000
--- a/mls/domains/program/pegasus.te
+++ /dev/null
@@ -1,36 +0,0 @@
-#DESC pegasus - The Open Group Pegasus CIM/WBEM Server
-#
-# Author: Jason Vas Dias
-# Package: tog-pegasus
-#
-#################################
-#
-# Rules for the pegasus domain
-#
-daemon_domain(pegasus, `, nscd_client_domain, auth_chkpwd')
-type pegasus_data_t, file_type, sysadmfile;
-type pegasus_conf_t, file_type, sysadmfile;
-typealias sbin_t alias pegasus_conf_exec_t;
-type pegasus_mof_t, file_type, sysadmfile;
-allow pegasus_t self:capability { dac_override net_bind_service audit_write };
-can_network_tcp(pegasus_t);
-nsswitch_domain(pegasus_t);
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
-allow pegasus_t self:unix_dgram_socket create_socket_perms;
-allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:file { read getattr };
-allow pegasus_t self:fifo_file rw_file_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
-allow pegasus_t proc_t:file { getattr read };
-allow pegasus_t sysctl_vm_t:dir search;
-allow pegasus_t initrc_var_run_t:file { read write lock };
-allow pegasus_t urandom_device_t:chr_file { getattr read };
-r_dir_file(pegasus_t, etc_t)
-r_dir_file(pegasus_t, var_lib_t)
-r_dir_file(pegasus_t, pegasus_mof_t)
-allow pegasus_t pegasus_conf_t:file { link unlink };
-r_dir_file(pegasus_t, pegasus_conf_t)
-file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
-rw_dir_create_file(pegasus_t, pegasus_data_t)
-dontaudit pegasus_t selinux_config_t:dir search;
diff --git a/mls/domains/program/ping.te b/mls/domains/program/ping.te
deleted file mode 100644
index 0a0d94c1..00000000
--- a/mls/domains/program/ping.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#DESC Ping - Send ICMP messages to network hosts
-#
-# Author: David A. Wheeler
-# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
-#
-
-#################################
-#
-# Rules for the ping_t domain.
-#
-# ping_t is the domain for the ping program.
-# ping_exec_t is the type of the corresponding program.
-#
-type ping_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ping_t;
-role system_r types ping_t;
-in_user_role(ping_t)
-type ping_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`targeted_policy', `
- allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
-', `
-bool user_ping false;
-
-if (user_ping) {
- domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
- # allow access to the terminal
- allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
- ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
-')
-
-# Transition into this domain when you run this program.
-domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
-domain_auto_trans(initrc_t, ping_exec_t, ping_t)
-
-uses_shlib(ping_t)
-can_network_client(ping_t)
-can_resolve(ping_t)
-can_ypbind(ping_t)
-allow ping_t etc_t:file { getattr read };
-allow ping_t self:unix_stream_socket create_socket_perms;
-
-# Let ping create raw ICMP packets.
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-
-# Use capabilities.
-allow ping_t self:capability { net_raw setuid };
-
-# Access the terminal.
-allow ping_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
-allow ping_t privfd:fd use;
-dontaudit ping_t fs_t:filesystem getattr;
-
-# it tries to access /var/run
-dontaudit ping_t var_t:dir search;
-dontaudit ping_t devtty_t:chr_file { read write };
-dontaudit ping_t self:capability sys_tty_config;
-ifdef(`hide_broken_symptoms', `
-dontaudit ping_t init_t:fd use;
-')
-
diff --git a/mls/domains/program/portmap.te b/mls/domains/program/portmap.te
deleted file mode 100644
index 54cad6fa..00000000
--- a/mls/domains/program/portmap.te
+++ /dev/null
@@ -1,71 +0,0 @@
-#DESC Portmap - Maintain RPC program number map
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: portmap
-#
-
-
-
-#################################
-#
-# Rules for the portmap_t domain.
-#
-daemon_domain(portmap, `, nscd_client_domain')
-
-can_network(portmap_t)
-allow portmap_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_t)
-allow portmap_t self:unix_dgram_socket create_socket_perms;
-allow portmap_t self:unix_stream_socket create_stream_socket_perms;
-
-tmp_domain(portmap)
-
-allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
-
-# portmap binds to arbitary ports
-allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
-allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow portmap_t etc_t:file { getattr read };
-
-# Send to ypbind, initrc, rpc.statd, xinetd.
-ifdef(`ypbind.te',
-`can_udp_send(portmap_t, ypbind_t)')
-can_udp_send(portmap_t, { initrc_t init_t })
-can_udp_send(init_t, portmap_t)
-ifdef(`rpcd.te',
-`can_udp_send(portmap_t, rpcd_t)')
-ifdef(`inetd.te',
-`can_udp_send(portmap_t, inetd_t)')
-ifdef(`lpd.te',
-`can_udp_send(portmap_t, lpd_t)')
-ifdef(`tcpd.te', `
-can_udp_send(tcpd_t, portmap_t)
-')
-can_udp_send(portmap_t, kernel_t)
-can_udp_send(kernel_t, portmap_t)
-can_udp_send(sysadm_t, portmap_t)
-can_udp_send(portmap_t, sysadm_t)
-
-# Use capabilities
-allow portmap_t self:capability { net_bind_service setuid setgid };
-allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
-
-application_domain(portmap_helper)
-role system_r types portmap_helper_t;
-domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
-dontaudit portmap_helper_t self:capability { net_admin };
-allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
-file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
-allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
-can_network(portmap_helper_t)
-allow portmap_helper_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_helper_t)
-dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
-allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t { userdomain privfd }:fd use;
-allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --git a/mls/domains/program/postfix.te b/mls/domains/program/postfix.te
deleted file mode 100644
index 4f85e81d..00000000
--- a/mls/domains/program/postfix.te
+++ /dev/null
@@ -1,373 +0,0 @@ -#DESC Postfix - Mail server -# -# Author: Russell Coker -# X-Debian-Packages: postfix -# Depends: mta.te -# - -# Type for files created during execution of postfix. -type postfix_var_run_t, file_type, sysadmfile, pidfile; - -type postfix_etc_t, file_type, sysadmfile; -type postfix_exec_t, file_type, sysadmfile, exec_type; -type postfix_public_t, file_type, sysadmfile; -type postfix_private_t, file_type, sysadmfile; -type postfix_spool_t, file_type, sysadmfile; -type postfix_spool_maildrop_t, file_type, sysadmfile; -type postfix_spool_flush_t, file_type, sysadmfile; -type postfix_prng_t, file_type, sysadmfile; - -# postfix needs this for newaliases -allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr; - -################################# -# -# Rules for the postfix_$1_t domain. -# -# postfix_$1_exec_t is the type of the postfix_$1 executables. -# -define(`postfix_domain', ` -daemon_core_rules(postfix_$1, `$2') -allow postfix_$1_t self:process setpgid; -allow postfix_$1_t postfix_master_t:process sigchld; -allow postfix_master_t postfix_$1_t:process signal; - -allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms; -allow postfix_$1_t postfix_etc_t:file r_file_perms; -read_locale(postfix_$1_t) -allow postfix_$1_t etc_t:file { getattr read }; -allow postfix_$1_t self:unix_dgram_socket create_socket_perms; -allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; -allow postfix_$1_t self:unix_stream_socket connectto; - -allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms; -allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read }; -allow postfix_$1_t shell_exec_t:file rx_file_perms; -allow postfix_$1_t { var_t var_spool_t }:dir { search getattr }; -allow postfix_$1_t postfix_exec_t:file rx_file_perms; -allow postfix_$1_t devtty_t:chr_file rw_file_perms; -allow postfix_$1_t etc_runtime_t:file r_file_perms; -allow postfix_$1_t proc_t:dir r_dir_perms; -allow postfix_$1_t proc_t:file r_file_perms; -allow 
postfix_$1_t postfix_exec_t:dir r_dir_perms; -allow postfix_$1_t fs_t:filesystem getattr; -allow postfix_$1_t proc_net_t:dir search; -allow postfix_$1_t proc_net_t:file { getattr read }; -can_exec(postfix_$1_t, postfix_$1_exec_t) -r_dir_file(postfix_$1_t, cert_t) -allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr }; - -allow postfix_$1_t tmp_t:dir getattr; - -file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file) - -read_sysctl(postfix_$1_t) - -')dnl end postfix_domain - -ifdef(`crond.te', -`allow system_mail_t crond_t:tcp_socket { read write create };') - -postfix_domain(master, `, mail_server_domain') -rhgb_domain(postfix_master_t) - -# for a find command -dontaudit postfix_master_t security_t:dir search; - -read_sysctl(postfix_master_t) - -ifdef(`targeted_policy', ` -bool postfix_disable_trans false; -if (!postfix_disable_trans) { -') -domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t) -allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh }; - -domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t) -allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh }; -ifdef(`targeted_policy', `', ` -role_transition sysadm_r postfix_master_exec_t system_r; -') -allow postfix_master_t postfix_etc_t:file rw_file_perms; -dontaudit postfix_master_t admin_tty_type:chr_file { read write }; -allow postfix_master_t devpts_t:dir search; - -domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t) -allow system_mail_t sysadm_t:process sigchld; -allow system_mail_t privfd:fd use; - -ifdef(`pppd.te', ` -domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t) -') - -ifdef(`targeted_policy', ` -} -') - -allow postfix_master_t privfd:fd use; -ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;') -allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms; - -# postfix does a "find" on startup for some reason - keep it quiet -dontaudit 
postfix_master_t selinux_config_t:dir search; -can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) -ifdef(`distro_redhat', ` -# compatability for old default main.cf -file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t) -# for newer main.cf that uses /etc/aliases -file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t) -') -file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t) -allow postfix_master_t sendmail_exec_t:file r_file_perms; -allow postfix_master_t sbin_t:lnk_file { getattr read }; - -can_exec(postfix_master_t, { ls_exec_t sbin_t }) -allow postfix_master_t self:fifo_file rw_file_perms; -allow postfix_master_t usr_t:file r_file_perms; -can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t }) -# chown is to set the correct ownership of queue dirs -allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; -allow postfix_master_t postfix_public_t:fifo_file create_file_perms; -allow postfix_master_t postfix_public_t:sock_file create_file_perms; -allow postfix_master_t postfix_public_t:dir rw_dir_perms; -allow postfix_master_t postfix_private_t:dir rw_dir_perms; -allow postfix_master_t postfix_private_t:sock_file create_file_perms; -allow postfix_master_t postfix_private_t:fifo_file create_file_perms; -can_network(postfix_master_t) -allow postfix_master_t port_type:tcp_socket name_connect; -can_ypbind(postfix_master_t) -allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind; -allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; -allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; -allow postfix_master_t postfix_prng_t:file getattr; -allow postfix_master_t privfd:fd use; -allow postfix_master_t etc_aliases_t:file rw_file_perms; -allow postfix_master_t var_lib_t:dir search; - -ifdef(`saslauthd.te',` -allow postfix_smtpd_t saslauthd_var_run_t:dir { 
search getattr }; -allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write }; -can_unix_connect(postfix_smtpd_t,saslauthd_t) -') - -create_dir_file(postfix_master_t, postfix_spool_flush_t) -allow postfix_master_t postfix_prng_t:file rw_file_perms; -# for ls to get the current context -allow postfix_master_t self:file { getattr read }; - -# allow access to deferred queue and allow removing bogus incoming entries -allow postfix_master_t postfix_spool_t:dir create_dir_perms; -allow postfix_master_t postfix_spool_t:file create_file_perms; - -dontaudit postfix_master_t man_t:dir search; - -define(`postfix_server_domain', ` -postfix_domain($1, `$2') -domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) -allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; -allow postfix_$1_t self:capability { setuid setgid dac_override }; -can_network_client(postfix_$1_t) -allow postfix_$1_t port_type:tcp_socket name_connect; -can_ypbind(postfix_$1_t) -') - -postfix_server_domain(smtp, `, mail_server_sender') -allow postfix_smtp_t postfix_spool_t:file rw_file_perms; -allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; -allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; -allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; -# if you have two different mail servers on the same host let them talk via -# SMTP, also if one mail server wants to talk to itself then allow it and let -# the SMTP protocol sort it out (SE Linux is not to prevent mail server -# misconfiguration) -can_tcp_connect(postfix_smtp_t, mail_server_domain) - -postfix_server_domain(smtpd) -allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; -allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search; -allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms; -allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto; -# for 
OpenSSL certificates
-r_dir_file(postfix_smtpd_t,usr_t)
-allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
-allow postfix_smtpd_t self:file { getattr read };
-
-# for prng_exch
-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-
-allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
-
-postfix_server_domain(local, `, mta_delivery_agent')
-ifdef(`procmail.te', `
-domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
-# for a bug in the postfix local program
-dontaudit procmail_t postfix_local_t:tcp_socket { read write };
-dontaudit procmail_t postfix_master_t:fd use;
-')
-allow postfix_local_t etc_aliases_t:file r_file_perms;
-allow postfix_local_t self:fifo_file rw_file_perms;
-allow postfix_local_t self:process { setsched setrlimit };
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
-# for .forward - maybe we need a new type for it?
-allow postfix_local_t postfix_private_t:dir search;
-allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_local_t postfix_public_t:dir search;
-allow postfix_local_t postfix_public_t:sock_file write;
-tmp_domain(postfix_local)
-can_exec(postfix_local_t,{ shell_exec_t bin_t })
-ifdef(`spamc.te', `
-can_exec(postfix_local_t, spamc_exec_t)
-')
-allow postfix_local_t mail_spool_t:dir { remove_name };
-allow postfix_local_t mail_spool_t:file { unlink };
-# For reading spamassasin
-r_dir_file(postfix_local_t, etc_mail_t)
-
-define(`postfix_public_domain',`
-postfix_server_domain($1)
-allow postfix_$1_t postfix_public_t:dir search;
-')
-
-postfix_public_domain(cleanup)
-create_dir_file(postfix_cleanup_t, postfix_spool_t)
-allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
-allow postfix_cleanup_t postfix_private_t:dir search;
-allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
-allow
postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
-allow postfix_cleanup_t self:process setrlimit;
-
-allow user_mail_domain postfix_spool_t:dir r_dir_perms;
-allow user_mail_domain postfix_etc_t:dir r_dir_perms;
-allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
-allow user_mail_domain self:capability dac_override;
-
-define(`postfix_user_domain', `
-postfix_domain($1, `$2')
-domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
-in_user_role(postfix_$1_t)
-role sysadm_r types postfix_$1_t;
-allow postfix_$1_t userdomain:process sigchld;
-allow postfix_$1_t userdomain:fifo_file { write getattr };
-allow postfix_$1_t { userdomain privfd }:fd use;
-allow postfix_$1_t self:capability dac_override;
-')
-
-postfix_user_domain(postqueue)
-allow postfix_postqueue_t postfix_public_t:dir search;
-allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
-allow postfix_postqueue_t self:udp_socket { create ioctl };
-allow postfix_postqueue_t self:tcp_socket create;
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
-domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-allow postfix_postqueue_t initrc_t:process sigchld;
-allow postfix_postqueue_t initrc_t:fd use;
-
-# to write the mailq output, it really should not need read access!
-allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
-ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
-
-# wants to write to /var/spool/postfix/public/showq
-allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
-# write to /var/spool/postfix/public/qmgr
-allow postfix_postqueue_t postfix_public_t:fifo_file write;
-dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
-
-postfix_user_domain(showq)
-# the following auto_trans is usually in postfix server domain
-domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-can_resolve(postfix_showq_t)
-r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
-domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_showq_t self:capability { setuid setgid };
-allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-allow postfix_showq_t postfix_spool_t:file r_file_perms;
-allow postfix_showq_t self:tcp_socket create_socket_perms;
-allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
-dontaudit postfix_showq_t net_conf_t:file r_file_perms;
-
-postfix_user_domain(postdrop, `, mta_user_agent')
-can_resolve(postfix_postdrop_t)
-allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
-allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
-allow postfix_postdrop_t postfix_public_t:dir search;
-allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
-dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
-dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
-ifdef(`crond.te',
-`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
-allow postfix_postdrop_t { crond_t
system_crond_t }:fifo_file rw_file_perms;')
-# usually it does not need a UDP socket
-allow postfix_postdrop_t self:udp_socket create_socket_perms;
-allow postfix_postdrop_t self:tcp_socket create;
-allow postfix_postdrop_t self:capability sys_resource;
-allow postfix_postdrop_t self:tcp_socket create;
-
-postfix_public_domain(pickup)
-allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_pickup_t postfix_private_t:dir search;
-allow postfix_pickup_t postfix_private_t:sock_file write;
-allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
-allow postfix_pickup_t self:tcp_socket create_socket_perms;
-
-postfix_public_domain(qmgr)
-allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_qmgr_t postfix_public_t:sock_file write;
-allow postfix_qmgr_t postfix_private_t:dir search;
-allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
-
-# for /var/spool/postfix/active
-create_dir_file(postfix_qmgr_t, postfix_spool_t)
-
-postfix_public_domain(bounce)
-type postfix_spool_bounce_t, file_type, sysadmfile;
-create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
-create_dir_file(postfix_bounce_t, postfix_spool_t)
-allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
-allow postfix_bounce_t self:capability dac_read_search;
-allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t self:tcp_socket create_socket_perms;
-
-r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
-
-postfix_public_domain(pipe)
-allow postfix_pipe_t postfix_spool_t:dir search;
-allow postfix_pipe_t
postfix_spool_t:file rw_file_perms;
-allow postfix_pipe_t self:fifo_file { read write };
-allow postfix_pipe_t postfix_private_t:dir search;
-allow postfix_pipe_t postfix_private_t:sock_file write;
-ifdef(`procmail.te', `
-domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
-')
-ifdef(`sendmail.te', `
-r_dir_file(sendmail_t, postfix_etc_t)
-allow sendmail_t postfix_spool_t:dir search;
-')
-
-# Program for creating database files
-application_domain(postfix_map)
-base_file_read_access(postfix_map_t)
-allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
-tmp_domain(postfix_map)
-create_dir_file(postfix_map_t, postfix_etc_t)
-allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit postfix_map_t proc_t:dir { getattr read search };
-dontaudit postfix_map_t local_login_t:fd use;
-allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
-read_locale(postfix_map_t)
-allow postfix_map_t self:capability setgid;
-allow postfix_map_t self:unix_dgram_socket create_socket_perms;
-dontaudit postfix_map_t var_t:dir search;
-can_network_server(postfix_map_t)
-allow postfix_map_t port_type:tcp_socket name_connect;
diff --git a/mls/domains/program/postgresql.te b/mls/domains/program/postgresql.te
deleted file mode 100644
index 8ab14d0e..00000000
--- a/mls/domains/program/postgresql.te
+++ /dev/null
@@ -1,145 +0,0 @@
-#DESC Postgresql - Database server
-#
-# Author: Russell Coker
-# X-Debian-Packages: postgresql
-#
-
-#################################
-#
-# Rules for the postgresql_t domain.
-#
-# postgresql_exec_t is the type of the postgresql executable.
-#
-daemon_domain(postgresql)
-allow initrc_t postgresql_exec_t:lnk_file read;
-allow postgresql_t usr_t:file { getattr read };
-
-allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-
-ifdef(`distro_debian', `
-can_exec(postgresql_t, initrc_exec_t)
-# gross hack
-domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
-can_exec(postgresql_t, dpkg_exec_t)
-')
-
-dontaudit postgresql_t sysadm_home_dir_t:dir search;
-
-# quiet ps and killall
-dontaudit postgresql_t domain:dir { getattr search };
-
-# for currect directory of scripts
-allow postgresql_t { var_spool_t cron_spool_t }:dir search;
-
-# capability kill is for shutdown script
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
-dontaudit postgresql_t self:capability sys_admin;
-
-etcdir_domain(postgresql)
-type postgresql_db_t, file_type, sysadmfile;
-
-logdir_domain(postgresql)
-
-ifdef(`crond.te', `
-# allow crond to find /usr/lib/postgresql/bin/do.maintenance
-allow crond_t postgresql_db_t:dir search;
-system_crond_entry(postgresql_exec_t, postgresql_t)
-')
-
-tmp_domain(postgresql, `', `{ dir file sock_file }')
-file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
-
-# Use the network.
-can_network(postgresql_t)
-allow postgresql_t self:fifo_file { getattr read write ioctl };
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(postgresql_t, self)
-allow postgresql_t self:unix_dgram_socket create_socket_perms;
-
-allow postgresql_t self:shm create_shm_perms;
-
-ifdef(`targeted_policy', `', `
-bool allow_user_postgresql_connect false;
-
-if (allow_user_postgresql_connect) {
-# allow any user domain to connect to the database server
-can_tcp_connect(userdomain, postgresql_t)
-allow userdomain postgresql_t:unix_stream_socket connectto;
-allow userdomain postgresql_var_run_t:sock_file write;
-allow userdomain postgresql_tmp_t:sock_file write;
-}
-')
-ifdef(`consoletype.te', `
-can_exec(postgresql_t, consoletype_exec_t)
-')
-
-ifdef(`hostname.te', `
-can_exec(postgresql_t, hostname_exec_t)
-')
-
-allow postgresql_t postgresql_port_t:tcp_socket name_bind;
-allow postgresql_t auth_port_t:tcp_socket name_connect;
-
-allow postgresql_t { proc_t self }:file { getattr read };
-
-# Allow access to the postgresql databases
-create_dir_file(postgresql_t, postgresql_db_t)
-file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
-allow postgresql_t var_lib_t:dir { getattr search };
-
-# because postgresql start scripts are broken and put the pid file in the DB
-# directory
-rw_dir_file(initrc_t, postgresql_db_t)
-
-# read config files
-allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-r_dir_file(initrc_t, postgresql_etc_t)
-
-allow postgresql_t etc_t:dir rw_dir_perms;
-
-read_sysctl(postgresql_t)
-
-allow postgresql_t devtty_t:chr_file { read write };
-allow postgresql_t devpts_t:dir search;
-
-allow postgresql_t { bin_t sbin_t }:dir search;
-allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
-
-allow postgresql_t self:sem create_sem_perms;
-
-allow postgresql_t initrc_var_run_t:file { getattr read lock };
-dontaudit postgresql_t selinux_config_t:dir search;
-allow postgresql_t mail_spool_t:dir search;
-lock_domain(postgresql)
-can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
-ifdef(`apache.te', `
-#
-# Allow httpd to work with postgresql
-#
-allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
-can_unix_connect(httpd_t, postgresql_t)
-')
-
-ifdef(`distro_gentoo', `
-# "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir search;
-allow postgresql_t initrc_su_t:process sigchld;
-dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
-')
-
-dontaudit postgresql_t home_root_t:dir search;
-allow postgresql_t urandom_device_t:chr_file { getattr read };
-
-if (allow_execmem) {
-allow postgresql_t self:process execmem;
-}
-
-authentication_domain(postgresql_t)
-#
-# postgresql has pam support
-#
-bool allow_postgresql_use_pam false;
-if (allow_postgresql_use_pam) {
-domain_auto_trans(postgresql_t, chkpwd_exec_t, system_chkpwd_t)
-}
diff --git a/mls/domains/program/pppd.te b/mls/domains/program/pppd.te
deleted file mode 100644
index 33b9b8f6..00000000
--- a/mls/domains/program/pppd.te
+++ /dev/null
@@ -1,153 +0,0 @@
-#DESC PPPD - PPP daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: ppp
-#
-
-#################################
-#
-# Rules for the pppd_t domain, et al.
-#
-# pppd_t is the domain for the pppd program.
-# pppd_exec_t is the type of the pppd executable.
-# pppd_secret_t is the type of the pap and chap password files
-#
-bool pppd_for_user false;
-
-daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
-type pppd_secret_t, file_type, sysadmfile;
-
-# Define a separate type for /etc/ppp
-etcdir_domain(pppd)
-# Define a separate type for writable files under /etc/ppp
-type pppd_etc_rw_t, file_type, sysadmfile;
-# Automatically label newly created files under /etc/ppp with this type
-file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-
-# for SSP
-allow pppd_t urandom_device_t:chr_file read;
-
-allow pppd_t sysfs_t:dir search;
-
-log_domain(pppd)
-
-# Use the network.
-can_network_server(pppd_t)
-can_ypbind(pppd_t)
-
-# Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
-lock_domain(pppd)
-
-# Access secret files
-allow pppd_t pppd_secret_t:file r_file_perms;
-
-ifdef(`postfix.te', `
-allow pppd_t postfix_etc_t:dir search;
-allow pppd_t postfix_etc_t:file r_file_perms;
-allow pppd_t postfix_master_exec_t:file { getattr read };
-allow postfix_postqueue_t pppd_t:fd use;
-allow postfix_postqueue_t pppd_t:process sigchld;
-')
-
-# allow running ip-up and ip-down scripts and running chat.
-can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
-allow pppd_t { bin_t sbin_t }:dir search;
-allow pppd_t { sbin_t bin_t }:lnk_file read;
-allow ifconfig_t pppd_t:fd use;
-
-# Access /dev/ppp.
-allow pppd_t ppp_device_t:chr_file rw_file_perms;
-allow pppd_t devtty_t:chr_file { read write };
-
-allow pppd_t self:unix_dgram_socket create_socket_perms;
-allow pppd_t self:unix_stream_socket create_socket_perms;
-
-allow pppd_t proc_t:dir search;
-allow pppd_t proc_t:{ file lnk_file } r_file_perms;
-allow pppd_t proc_net_t:dir { read search };
-allow pppd_t proc_net_t:file r_file_perms;
-
-allow pppd_t etc_runtime_t:file r_file_perms;
-
-allow pppd_t self:socket create_socket_perms;
-
-allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
-
-allow pppd_t devpts_t:dir search;
-allow pppd_t devpts_t:chr_file ioctl;
-
-# for scripts
-allow pppd_t self:fifo_file rw_file_perms;
-allow pppd_t etc_t:lnk_file read;
-
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-
-in_user_role(pppd_t)
-if (pppd_for_user) {
-# Run pppd in pppd_t by default for user
-domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
-allow unpriv_userdomain pppd_t:process signal;
-}
-
-# for pppoe
-can_create_pty(pppd)
-allow pppd_t self:file { read getattr };
-
-allow pppd_t self:packet_socket create_socket_perms;
-
-file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
-tmp_domain(pppd)
-allow pppd_t sysctl_net_t:dir search;
-allow pppd_t sysctl_net_t:file r_file_perms;
-allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
-allow pppd_t initrc_var_run_t:file r_file_perms;
-dontaudit pppd_t initrc_var_run_t:file { lock write };
-
-# pppd needs to load kernel modules for certain modems
-ifdef(`modutil.te', `
-bool pppd_can_insmod false;
-typeattribute ifconfig_t privsysmod;
-
-if (pppd_can_insmod && !secure_mode_insmod) {
-domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
-allow ifconfig_t self:capability sys_module;
-}
-
-')
-
-daemon_domain(pptp, `, nscd_client_domain')
-can_network_client_tcp(pptp_t)
-allow pptp_t { reserved_port_type port_t }:tcp_socket
name_connect;
-can_exec(pptp_t, hostname_exec_t)
-domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
-allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow pptp_t self:unix_dgram_socket create_socket_perms;
-can_exec(pptp_t, pppd_etc_rw_t)
-allow pptp_t devpts_t:dir search;
-allow pptp_t pppd_devpts_t:chr_file rw_file_perms;
-allow pptp_t devpts_t:chr_file ioctl;
-r_dir_file(pptp_t, pppd_etc_rw_t)
-r_dir_file(pptp_t, pppd_etc_t)
-allow pppd_t pptp_t:process signal;
-allow pptp_t self:capability net_raw;
-allow pptp_t self:fifo_file { read write };
-allow pptp_t ptmx_t:chr_file rw_file_perms;
-log_domain(pptp)
-
-# Fix sockets
-allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-
-# Allow pptp to append to pppd log files
-allow pptp_t pppd_log_t:file append;
-
-ifdef(`named.te', `
-dontaudit ndc_t pppd_t:fd use;
-')
-
-# Allow /etc/ppp/ip-{up,down} to run most anything
-type pppd_script_exec_t, file_type, sysadmfile;
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-allow pppd_t initrc_t:process noatsecure;
diff --git a/mls/domains/program/prelink.te b/mls/domains/program/prelink.te
deleted file mode 100644
index 3ffa0d7b..00000000
--- a/mls/domains/program/prelink.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC PRELINK - Security Enhanced version of the GNU Prelink
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the prelink_t domain.
-#
-# prelink_exec_t is the type of the prelink executable.
-#
-daemon_base_domain(prelink, `, admin, privowner')
-
-allow prelink_t self:process { execheap execmem execstack };
-allow prelink_t texrel_shlib_t:file execmod;
-allow prelink_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(prelink_exec_t, prelink_t)
-allow system_crond_t prelink_log_t:dir rw_dir_perms;
-allow system_crond_t prelink_log_t:file create_file_perms;
-allow system_crond_t prelink_cache_t:file { getattr read unlink };
-allow prelink_t crond_log_t:file append;
-')
-
-logdir_domain(prelink)
-type etc_prelink_t, file_type, sysadmfile;
-type var_lock_prelink_t, file_type, sysadmfile, lockfile;
-
-allow prelink_t etc_prelink_t:file { getattr read };
-allow prelink_t file_type:dir rw_dir_perms;
-allow prelink_t file_type:lnk_file r_file_perms;
-allow prelink_t file_type:file getattr;
-allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
-allow prelink_t ld_so_t:file execute_no_trans;
-
-allow prelink_t self:capability { chown dac_override fowner fsetid };
-allow prelink_t self:fifo_file rw_file_perms;
-allow prelink_t self:file { getattr read };
-dontaudit prelink_t sysctl_kernel_t:dir search;
-dontaudit prelink_t sysctl_t:dir search;
-allow prelink_t etc_runtime_t:file { getattr read };
-read_locale(prelink_t)
-allow prelink_t urandom_device_t:chr_file read;
-allow prelink_t proc_t:file { getattr read };
-#
-# prelink_cache_t is the type of /etc/prelink.cache.
-#
-type prelink_cache_t, file_type, sysadmfile;
-file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file)
diff --git a/mls/domains/program/privoxy.te b/mls/domains/program/privoxy.te
deleted file mode 100644
index b8a522df..00000000
--- a/mls/domains/program/privoxy.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC privoxy - privacy enhancing proxy
-#
-# Authors: Dan Walsh
-#
-#
-
-#################################
-#
-# Rules for the privoxy_t domain.
-#
-daemon_domain(privoxy, `, web_client_domain')
-
-logdir_domain(privoxy)
-
-# Use capabilities.
-allow privoxy_t self:capability net_bind_service;
-
-# Use the network.
-can_network_tcp(privoxy_t)
-can_ypbind(privoxy_t)
-can_resolve(privoxy_t)
-allow privoxy_t http_cache_port_t:tcp_socket name_bind;
-allow privoxy_t etc_t:file { getattr read };
-allow privoxy_t self:capability { setgid setuid };
-allow privoxy_t self:unix_stream_socket create_socket_perms ;
-allow privoxy_t admin_tty_type:chr_file { read write };
-
diff --git a/mls/domains/program/procmail.te b/mls/domains/program/procmail.te
deleted file mode 100644
index 7616e34d..00000000
--- a/mls/domains/program/procmail.te
+++ /dev/null
@@ -1,92 +0,0 @@
-#DESC Procmail - Mail delivery agent for mail servers
-#
-# Author: Russell Coker
-# X-Debian-Packages: procmail
-#
-
-#################################
-#
-# Rules for the procmail_t domain.
-#
-# procmail_exec_t is the type of the procmail executable.
-#
-# privhome only works until we define a different type for maildir
-type procmail_t, domain, privlog, privhome, nscd_client_domain;
-type procmail_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types procmail_t;
-
-uses_shlib(procmail_t)
-allow procmail_t device_t:dir search;
-can_network(procmail_t)
-nsswitch_domain(procmail_t)
-allow procmail_t spamd_port_t:tcp_socket name_connect;
-
-allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-
-allow procmail_t etc_t:dir r_dir_perms;
-allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
-allow procmail_t etc_t:lnk_file read;
-read_locale(procmail_t)
-read_sysctl(procmail_t)
-
-allow procmail_t sysctl_t:dir search;
-
-allow procmail_t self:process { setsched fork sigchld signal };
-dontaudit procmail_t sbin_t:dir { getattr search };
-can_exec(procmail_t, { bin_t shell_exec_t })
-allow procmail_t bin_t:dir { getattr search };
-allow procmail_t bin_t:lnk_file read;
-allow procmail_t self:fifo_file rw_file_perms;
-
-allow procmail_t self:unix_stream_socket create_socket_perms;
-allow procmail_t self:unix_dgram_socket create_socket_perms;
-
-# for /var/mail
-rw_dir_create_file(procmail_t, mail_spool_t)
-
-allow procmail_t var_t:dir { getattr search };
-allow procmail_t var_spool_t:dir r_dir_perms;
-
-allow procmail_t fs_t:filesystem getattr;
-allow procmail_t { self proc_t }:dir search;
-allow procmail_t proc_t:file { getattr read };
-allow procmail_t { self proc_t }:lnk_file read;
-
-# for if /var/mail is a symlink to /var/spool/mail
-#allow procmail_t mail_spool_t:lnk_file r_file_perms;
-
-# for spamassasin
-allow procmail_t usr_t:file { getattr ioctl read };
-ifdef(`spamassassin.te', `
-can_exec(procmail_t, spamassassin_exec_t)
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-ifdef(`spamc.te', `
-can_exec(procmail_t, spamc_exec_t)
-')
-
-ifdef(`targeted_policy', `
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-
-# Search /var/run.
-allow procmail_t var_run_t:dir { getattr search };
-
-# Do not audit attempts to access /root.
-dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
-
-allow procmail_t devtty_t:chr_file { read write };
-
-allow procmail_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`sendmail.te', `
-r_dir_file(procmail_t, etc_mail_t)
-allow procmail_t sendmail_t:tcp_socket { read write };
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit procmail_t mqueue_spool_t:file { getattr read write };
-')
diff --git a/mls/domains/program/quota.te b/mls/domains/program/quota.te
deleted file mode 100644
index 73740535..00000000
--- a/mls/domains/program/quota.te
+++ /dev/null
@@ -1,59 +0,0 @@
-#DESC Quota - File system quota management utilities
-#
-# Author: Russell Coker
-# X-Debian-Packages: quota quotatool
-#
-
-#################################
-#
-# Rules for the quota_t domain.
-#
-# needs auth attribute because it has read access to shadow_t because checkquota
-# is buggy
-daemon_base_domain(quota, `, auth, fs_domain')
-
-# so the administrator can run quotacheck
-domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
-role sysadm_r types quota_t;
-allow quota_t admin_tty_type:chr_file { read write };
-
-type quota_flag_t, file_type, sysadmfile;
-type quota_db_t, file_type, sysadmfile;
-
-rw_dir_create_file(initrc_t, quota_flag_t)
-
-allow quota_t fs_t:filesystem { getattr quotaget quotamod remount };
-# quotacheck creates new quota_db_t files
-file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
-# for some reason it wants dac_override not dac_read_search
-allow quota_t self:capability { sys_admin dac_override };
-allow quota_t file_type:{ fifo_file sock_file } getattr;
-allow quota_t file_t:file quotaon;
-
-# for quotacheck
-allow quota_t file_type:dir r_dir_perms;
-# The following line is apparently necessary, although read and
-# ioctl seem to be more than should be required.
-allow quota_t file_type:file { getattr read ioctl };
-allow quota_t file_type:{ fifo_file sock_file } getattr;
-allow quota_t file_type:lnk_file { read getattr };
-allow quota_t device_type:{ chr_file blk_file } getattr;
-
-allow quota_t fixed_disk_device_t:blk_file { getattr read };
-
-# for /quota.*
-allow quota_t quota_db_t:file { read write };
-dontaudit unpriv_userdomain quota_db_t:file getattr;
-allow quota_t quota_db_t:file quotaon;
-
-# Read /etc/mtab.
-allow quota_t etc_runtime_t:file { read getattr };
-
-allow quota_t device_t:dir r_dir_perms;
-allow quota_t fixed_disk_device_t:blk_file getattr;
-allow quota_t boot_t:dir r_dir_perms;
-allow quota_t sysctl_t:dir { getattr search };
-
-allow quota_t initrc_devpts_t:chr_file rw_file_perms;
-
-allow quota_t proc_t:file getattr;
diff --git a/mls/domains/program/radius.te b/mls/domains/program/radius.te
deleted file mode 100644
index 57eccc28..00000000
--- a/mls/domains/program/radius.te
+++ /dev/null
@@ -1,67 +0,0 @@
-#DESC RADIUS - Radius server
-#
-# Author: Russell Coker
-# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius
-#
-
-#################################
-#
-# Rules for the radiusd_t domain.
-#
-# radiusd_exec_t is the type of the radiusd executable.
-#
-daemon_domain(radiusd, `, auth_chkpwd')
-
-etcdir_domain(radiusd)
-
-system_crond_entry(radiusd_exec_t, radiusd_t)
-
-allow radiusd_t self:process setsched;
-
-allow radiusd_t proc_t:file { read getattr };
-
-dontaudit radiusd_t sysadm_home_dir_t:dir getattr;
-
-# allow pthreads to read kernel version
-read_sysctl(radiusd_t)
-
-# read config files
-allow radiusd_t etc_t:dir r_dir_perms;
-allow radiusd_t { etc_t etc_runtime_t }:file { read getattr };
-allow radiusd_t etc_t:lnk_file read;
-
-# write log files
-logdir_domain(radiusd)
-allow radiusd_t radiusd_log_t:dir create;
-
-allow radiusd_t usr_t:file r_file_perms;
-
-can_exec(radiusd_t, lib_t)
-can_exec(radiusd_t, { bin_t shell_exec_t })
-allow radiusd_t { bin_t sbin_t }:dir search;
-allow radiusd_t bin_t:lnk_file read;
-
-allow radiusd_t devtty_t:chr_file { read write };
-allow radiusd_t self:fifo_file rw_file_perms;
-# fsetid is for gzip which needs it when run from scripts
-# gzip also needs chown access to preserve GID for radwtmp files
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-
-can_network_server(radiusd_t)
-can_ypbind(radiusd_t)
-allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
-
-# for RADIUS proxy port
-allow radiusd_t port_t:udp_socket name_bind;
-
-ifdef(`snmpd.te', `
-can_tcp_connect(radiusd_t, snmpd_t)
-')
-ifdef(`logrotate.te', `
-can_exec(radiusd_t, logrotate_exec_t)
-')
-can_udp_send(sysadm_t, radiusd_t)
-can_udp_send(radiusd_t, sysadm_t)
-
-allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
-allow radiusd_t urandom_device_t:chr_file { getattr read };
diff --git a/mls/domains/program/radvd.te b/mls/domains/program/radvd.te
deleted file mode 100644
index 868ef8bf..00000000
--- a/mls/domains/program/radvd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC Radv - IPv6 route advisory daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: radvd
-#
-
-#################################
-#
-# Rules for the radvd_t domain.
-#
-daemon_domain(radvd)
-
-etc_domain(radvd)
-allow radvd_t etc_t:file { getattr read };
-
-allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
-
-allow radvd_t self:capability { setgid setuid net_raw };
-allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
-allow radvd_t self:unix_stream_socket create_socket_perms;
-
-can_network_server(radvd_t)
-can_ypbind(radvd_t)
-
-allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
-allow radvd_t { proc_t proc_net_t }:file { getattr read };
-allow radvd_t etc_t:lnk_file read;
-
-allow radvd_t sysctl_net_t:file r_file_perms;
-allow radvd_t sysctl_net_t:dir r_dir_perms;
diff --git a/mls/domains/program/rdisc.te b/mls/domains/program/rdisc.te
deleted file mode 100644
index 79331fab..00000000
--- a/mls/domains/program/rdisc.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC rdisc - network router discovery daemon
-#
-# Author: Russell Coker
-
-daemon_base_domain(rdisc)
-allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
-allow rdisc_t self:rawip_socket create_socket_perms;
-allow rdisc_t self:udp_socket create_socket_perms;
-allow rdisc_t self:capability net_raw;
-
-can_network_udp(rdisc_t)
-
-allow rdisc_t etc_t:file { getattr read };
diff --git a/mls/domains/program/readahead.te b/mls/domains/program/readahead.te
deleted file mode 100644
index dde8e379..00000000
--- a/mls/domains/program/readahead.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC readahead - read files in page cache
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for readahead
-#
-
-daemon_domain(readahead)
-#
-# readahead asks for these
-#
-allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
-allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
-dontaudit readahead_t shadow_t:file { getattr read };
-allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
-dontaudit readahead_t file_type:sock_file getattr;
-allow readahead_t proc_t:file { getattr read };
-dontaudit readahead_t device_type:blk_file read;
diff --git a/mls/domains/program/restorecon.te b/mls/domains/program/restorecon.te
deleted file mode 100644
index 27a012bf..00000000
--- a/mls/domains/program/restorecon.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#DESC restorecon - Restore or check the context of a file
-#
-# Authors: Russell Coker
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the restorecon_t domain.
-#
-# restorecon_exec_t is the type of the restorecon executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type restorecon_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types restorecon_t;
-role sysadm_r types restorecon_t;
-role secadm_r types restorecon_t;
-
-can_access_pty(restorecon_t, initrc)
-allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
-
-domain_auto_trans({ initrc_t secadmin }, restorecon_exec_t, restorecon_t)
-allow restorecon_t { userdomain init_t privfd }:fd use;
-
-uses_shlib(restorecon_t)
-allow restorecon_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that restorecon can not be run!
-allow restorecon_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(restorecon_t)
-
-r_dir_file(restorecon_t, policy_config_t)
-
-allow restorecon_t file_type:dir r_dir_perms;
-allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
-allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
-allow restorecon_t unlabeled_t:dir read;
-allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-ifdef(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
-')
-ifdef(`dpkg.te', `
-domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
-')
-
-allow restorecon_t ptyfile:chr_file getattr;
-
-allow restorecon_t fs_t:filesystem getattr;
-
-allow restorecon_t etc_runtime_t:file { getattr read };
-allow restorecon_t etc_t:file { getattr read };
-allow restorecon_t proc_t:file { getattr read };
-dontaudit restorecon_t proc_t:lnk_file { getattr read };
-
-allow restorecon_t device_t:file { read write };
-allow restorecon_t kernel_t:fd use;
-allow restorecon_t kernel_t:fifo_file { read write };
-allow restorecon_t kernel_t:unix_dgram_socket { read write };
-r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-allow restorecon_t autofs_t:dir r_dir_perms;
-allow restorecon_t devpts_t:chr_file getattr;
-# need to restorecon /dev/pts during boot (from /etc/rc.d/rc.sysinit)
-allow restorecon_t devpts_t:dir { relabelfrom relabelto };
diff --git a/mls/domains/program/rlogind.te b/mls/domains/program/rlogind.te
deleted file mode 100644
index 88af4e4f..00000000
--- a/mls/domains/program/rlogind.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC Rlogind - Remote login daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: rsh-client rsh-redone-client
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rlogind_t domain.
-#
-remote_login_daemon(rlogind)
-typeattribute rlogind_t auth_chkpwd;
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
-')
-
-# for /usr/lib/telnetlogin
-can_exec(rlogind_t, rlogind_exec_t)
-
-# Use capabilities.
-allow rlogind_t self:capability { net_bind_service };
-
-# Run login in remote_login_t.
-allow remote_login_t inetd_t:fd use;
-allow remote_login_t inetd_t:tcp_socket rw_file_perms;
-
-# Send SIGCHLD to inetd on death.
-allow rlogind_t inetd_t:process sigchld;
-
-allow rlogind_t home_dir_type:dir search;
-allow rlogind_t home_type:file { getattr read };
-allow rlogind_t self:file { getattr read };
-allow rlogind_t default_t:dir search;
-typealias rlogind_port_t alias rlogin_port_t;
-read_sysctl(rlogind_t);
-ifdef(`kerberos.te', `
-allow rlogind_t krb5_keytab_t:file { getattr read };
-')
diff --git a/mls/domains/program/roundup.te b/mls/domains/program/roundup.te
deleted file mode 100644
index 4c3e97a2..00000000
--- a/mls/domains/program/roundup.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Roundup Issue Tracking System
-#
-# Authors: W. Michael Petullo and Timothy Fraser
-# Russell Coker
-# Depends: portmap.te
-# X-Debian-Packages: nfs-common
-#
-
-#################################
-#
-# Rules for the rpcd_t and nfsd_t domain.
-#
-define(`rpc_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `, transitionbool')
-', `
-daemon_base_domain($1)
-')
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-allow $1_t { etc_runtime_t etc_t }:file { getattr read };
-read_locale($1_t)
-allow $1_t self:capability net_bind_service;
-dontaudit $1_t self:capability net_admin;
-
-allow $1_t var_t:dir { getattr search };
-allow $1_t var_lib_t:dir search;
-allow $1_t var_lib_nfs_t:dir create_dir_perms;
-allow $1_t var_lib_nfs_t:file create_file_perms;
-# do not log when it tries to bind to a port belonging to another domain
-dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-allow $1_t self:netlink_route_socket r_netlink_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-# bind to arbitary unused ports
-allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
-allow $1_t sysctl_rpc_t:dir search;
-allow $1_t sysctl_rpc_t:file rw_file_perms;
-')
-
-type exports_t, file_type, sysadmfile;
-dontaudit userdomain exports_t:file getattr;
-
-# rpcd_t is the domain of rpc daemons.
-# rpcd_exec_t is the type of rpc daemon programs.
-#
-rpc_domain(rpcd)
-var_run_domain(rpcd)
-allow rpcd_t rpcd_var_run_t:dir setattr;
-
-# for rpc.rquotad
-allow rpcd_t sysctl_t:dir r_dir_perms;
-allow rpcd_t self:fifo_file rw_file_perms;
-
-# rpcd_t needs to talk to the portmap_t domain
-can_udp_send(rpcd_t, portmap_t)
-
-allow initrc_t exports_t:file r_file_perms;
-ifdef(`distro_redhat', `
-allow rpcd_t self:capability { chown dac_override setgid setuid };
-# for /etc/rc.d/init.d/nfs to create /etc/exports
-allow initrc_t exports_t:file write;
-')
-
-allow rpcd_t self:file { getattr read };
-
-# nfs kernel server needs kernel UDP access. It is less risky and painful
-# to just give it everything.
-can_network_server(kernel_t)
-#can_udp_send(kernel_t, rpcd_t)
-#can_udp_send(rpcd_t, kernel_t)
-
-rpc_domain(nfsd)
-domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
-role sysadm_r types nfsd_t;
-
-# for /proc/fs/nfs/exports - should we have a new type?
-allow nfsd_t proc_t:file r_file_perms;
-allow nfsd_t proc_net_t:dir search;
-allow nfsd_t exports_t:file { getattr read };
-
-allow nfsd_t nfsd_fs_t:filesystem mount;
-allow nfsd_t nfsd_fs_t:dir search;
-allow nfsd_t nfsd_fs_t:file rw_file_perms;
-allow initrc_t sysctl_rpc_t:dir search;
-allow initrc_t sysctl_rpc_t:file rw_file_perms;
-
-type nfsd_rw_t, file_type, sysadmfile, usercanread;
-type nfsd_ro_t, file_type, sysadmfile, usercanread;
-
-bool nfs_export_all_rw false;
-
-if(nfs_export_all_rw) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t, noexattrfile)
-create_dir_file(kernel_t,{ file_type -shadow_t })
-}
-
-dontaudit kernel_t shadow_t:file getattr;
-
-bool nfs_export_all_ro false;
-
-if(nfs_export_all_ro) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
-}
-
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
-create_dir_file(kernel_t, nfsd_rw_t);
-r_dir_file(kernel_t, nfsd_ro_t);
-
-allow kernel_t nfsd_t:udp_socket rw_socket_perms;
-can_udp_send(kernel_t, nfsd_t)
-can_udp_send(nfsd_t, kernel_t)
-
-# does not really need this, but it is easier to just allow it
-allow nfsd_t var_run_t:dir search;
-
-allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_type:filesystem getattr;
-
-can_udp_send(nfsd_t, portmap_t)
-can_udp_send(portmap_t, nfsd_t)
-
-can_tcp_connect(nfsd_t, portmap_t)
-
-# for exportfs and rpc.mountd
-allow nfsd_t tmp_t:dir getattr;
-
-r_dir_file(rpcd_t, rpc_pipefs_t)
-allow rpcd_t rpc_pipefs_t:sock_file { read write };
-dontaudit rpcd_t selinux_config_t:dir { search };
-allow rpcd_t proc_net_t:dir search;
-
-
-rpc_domain(gssd)
-can_kerberos(gssd_t)
-ifdef(`kerberos.te', `
-allow gssd_t krb5_keytab_t:file r_file_perms;
-')
-allow gssd_t urandom_device_t:chr_file { getattr read };
-r_dir_file(gssd_t, tmp_t)
-tmp_domain(gssd)
-allow gssd_t self:fifo_file { read write };
-r_dir_file(gssd_t, proc_net_t)
-allow gssd_t rpc_pipefs_t:dir r_dir_perms;
-allow gssd_t rpc_pipefs_t:sock_file { read write };
-allow gssd_t rpc_pipefs_t:file r_file_perms;
-allow gssd_t self:capability { dac_override dac_read_search setuid };
-allow nfsd_t devtty_t:chr_file rw_file_perms;
-allow rpcd_t devtty_t:chr_file rw_file_perms;
-
-bool allow_gssd_read_tmp true;
-if (allow_gssd_read_tmp) {
-#
-#needs to be able to udpate the kerberos ticket file
-#
-ifdef(`targeted_policy', `
-r_dir_file(gssd_t, tmp_t)
-allow gssd_t tmp_t:file write;
-', `
-r_dir_file(gssd_t, user_tmpfile)
-allow gssd_t user_tmpfile:file write;
-')
-}
diff --git a/mls/domains/program/rpm.te b/mls/domains/program/rpm.te
deleted file mode 100644
index d772da7d..00000000
--- a/mls/domains/program/rpm.te
+++ /dev/null
@@ -1,260 +0,0 @@
-#DESC RPM - Red Hat package management
-#
-# X-Debian-Packages:
-#################################
-#
-# Rules for running the Redhat Package Manager (RPM) tools.
-#
-# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
-# rpm_exec_t is the type of the rpm executables.
-# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
-# rpm_var_lib_t is the type for rpm files in /var/lib
-#
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade;
-role system_r types rpm_t;
-uses_shlib(rpm_t)
-type rpm_exec_t, file_type, sysadmfile, exec_type;
-
-general_domain_access(rpm_t)
-can_ps(rpm_t, domain)
-allow rpm_t self:process setrlimit;
-system_crond_entry(rpm_exec_t, rpm_t)
-role sysadm_r types rpm_t;
-domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
-
-type rpm_file_t, file_type, sysadmfile;
-
-tmp_domain(rpm)
-
-tmpfs_domain(rpm)
-
-log_domain(rpm)
-
-can_network(rpm_t)
-allow rpm_t port_type:tcp_socket name_connect;
-can_ypbind(rpm_t)
-
-# Allow the rpm domain to execute other programs
-can_exec_any(rpm_t)
-
-# Capabilties needed by rpm utils
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
-
-# Access /var/lib/rpm files
-var_lib_domain(rpm)
-allow userdomain var_lib_t:dir { getattr search };
-r_dir_file(userdomain, rpm_var_lib_t)
-r_dir_file(rpm_t, proc_t)
-
-allow rpm_t sysfs_t:dir r_dir_perms;
-allow rpm_t usbdevfs_t:dir r_dir_perms;
-
-# for installing kernel packages
-allow rpm_t fixed_disk_device_t:blk_file { getattr read };
-
-# Access terminals.
-allow rpm_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
-allow rpm_t privfd:fd use;
-allow rpm_t devtty_t:chr_file rw_file_perms;
-
-domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
-
-ifdef(`cups.te', `
-r_dir_file(cupsd_t, rpm_var_lib_t)
-allow cupsd_t initrc_exec_t:file { getattr read };
-domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
-')
-
-# for a bug in rm
-dontaudit initrc_t pidfile:file write;
-
-# bash tries to access a block device in the initrd
-dontaudit initrc_t unlabeled_t:blk_file getattr;
-
-# bash tries ioctl for some reason
-dontaudit initrc_t pidfile:file ioctl;
-
-allow rpm_t autofs_t:dir { search getattr };
-allow rpm_t autofs_t:filesystem getattr;
-allow rpm_script_t autofs_t:dir { search getattr };
-allow rpm_t devpts_t:dir { setattr r_dir_perms };
-allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr;
-dontaudit rpm_t security_t:filesystem getattr;
-can_getcon(rpm_t)
-can_setfscreate(rpm_t)
-can_setexec(rpm_t)
-read_sysctl(rpm_t)
-general_domain_access(rpm_script_t)
-
-# read/write/create any files in the system
-allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow rpm_t sysfs_t:filesystem getattr;
-allow rpm_t tmpfs_t:filesystem getattr;
-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-# needs rw permission to the directory for an rpm package that includes a mount
-# point
-allow rpm_t fs_type:dir { setattr rw_dir_perms };
-allow rpm_t fs_type:filesystem getattr;
-
-# allow compiling and loading new policy
-create_dir_file(rpm_t, { policy_src_t policy_config_t })
-
-can_getsecurity({ rpm_t rpm_script_t
})
-dontaudit rpm_t shadow_t:file { getattr read };
-allow rpm_t urandom_device_t:chr_file read;
-allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
-allow rpm_t ttyfile:chr_file unlink;
-allow rpm_script_t tty_device_t:chr_file getattr;
-allow rpm_script_t devpts_t:dir search;
-allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
-
-allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
-
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privmail, privrole, priv_system_role, mlsfileread, mlsfilewrite;
-# policy for rpm scriptlet
-role system_r types rpm_script_t;
-uses_shlib(rpm_script_t)
-read_locale(rpm_script_t)
-
-can_ps(rpm_script_t, domain)
-
-ifdef(`lpd.te', `
-can_exec(rpm_script_t, printconf_t)
-')
-
-read_sysctl(rpm_script_t)
-
-type rpm_script_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types rpm_script_t;
-domain_trans(rpm_t, shell_exec_t, rpm_script_t)
-ifdef(`hide_broken_symptoms', `
-ifdef(`pamconsole.te', `
-domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
-')
-')
-
-tmp_domain(rpm_script)
-
-tmpfs_domain(rpm_script)
-
-# Allow the rpm domain to execute other programs
-can_exec_any(rpm_script_t)
-
-# Capabilties needed by rpm scripts utils
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-
-# ideally we would not need this
-allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;
-
-# for kernel package installation
-ifdef(`mount.te', `
-allow mount_t rpm_t:fifo_file rw_file_perms;
-')
-
-# Commonly used from postinst scripts
-ifdef(`consoletype.te', `
-allow consoletype_t rpm_t:fifo_file r_file_perms;
-')
-ifdef(`crond.te', `
-allow crond_t rpm_t:fifo_file r_file_perms;
-')
-
-allow rpm_script_t proc_t:dir r_dir_perms;
-allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
-
-allow rpm_script_t devtty_t:chr_file rw_file_perms;
-allow rpm_script_t devpts_t:dir r_dir_perms;
-allow rpm_script_t admin_tty_type:chr_file rw_file_perms;
-allow rpm_script_t etc_runtime_t:file { getattr read };
-allow rpm_script_t privfd:fd use;
-allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
-
-allow rpm_script_t urandom_device_t:chr_file read;
-
-ifdef(`ssh-agent.te', `
-domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-
-ifdef(`useradd.te', `
-domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
-domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-allow { useradd_t groupadd_t } rpm_t:fd use;
-allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
-')
-
-domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
-
-domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
-role sysadm_r types initrc_t;
-domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
-ifdef(`bootloader.te', `
-domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
-allow bootloader_t rpm_t:fifo_file rw_file_perms;
-')
-
-domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t)
-
-rw_dir_file(rpm_script_t, nfs_t)
-allow rpm_script_t nfs_t:filesystem getattr;
-
-allow rpm_script_t fs_t:filesystem { getattr mount unmount };
-allow rpm_script_t rpm_script_tmp_t:dir mounton;
-can_exec(rpm_script_t, usr_t)
-can_exec(rpm_script_t, sbin_t)
-
-allow rpm_t mount_t:tcp_socket write;
-create_dir_file(rpm_t, nfs_t)
-allow rpm_t { removable_t nfs_t }:filesystem getattr;
-
-allow rpm_script_t userdomain:fd use;
-
-allow domain rpm_t:fifo_file r_file_perms;
-allow domain rpm_t:fd use;
-
-ifdef(`ssh.te', `
-allow sshd_t rpm_script_t:fd
use;
-allow sshd_t rpm_t:fd use;
-')
-
-dontaudit rpm_script_t shadow_t:file getattr;
-allow rpm_script_t sysfs_t:dir r_dir_perms;
-
-ifdef(`prelink.te', `
-domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
-')
-
-allow rpm_t rpc_pipefs_t:dir search;
-allow rpm_script_t init_t:dir search;
-
-type rpmbuild_exec_t, file_type, sysadmfile, exec_type;
-type rpmbuild_t, domain;
-allow rpmbuild_t policy_config_t:dir search;
-allow rpmbuild_t policy_src_t:dir search;
-allow rpmbuild_t policy_src_t:file { getattr read };
-can_getsecurity(rpmbuild_t)
-
-allow rpm_script_t domain:process { signal signull };
-
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-
-ifdef(`unlimitedRPM', `
-typeattribute rpm_t auth_write;
-unconfined_domain(rpm_t)
-typeattribute rpm_script_t auth_write;
-unconfined_domain(rpm_script_t)
-')
-if (allow_execmem) {
-allow rpm_script_t self:process execmem;
-}
-
diff --git a/mls/domains/program/rshd.te b/mls/domains/program/rshd.te
deleted file mode 100644
index 39976c59..00000000
--- a/mls/domains/program/rshd.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC RSHD - RSH daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: rsh-server rsh-redone-server
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rshd_t domain.
-#
-daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
-')
-
-# Use sockets inherited from inetd.
-allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Use capabilities.
-allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
-
-# Use the network.
-can_network_server(rshd_t)
-allow rshd_t rsh_port_t:tcp_socket name_bind;
-
-allow rshd_t etc_t:file { getattr read };
-read_locale(rshd_t)
-allow rshd_t self:unix_dgram_socket create_socket_perms;
-allow rshd_t self:unix_stream_socket create_stream_socket_perms;
-allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-can_kerberos(rshd_t)
-allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
-allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
-ifdef(`rlogind.te', `
-allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
-allow rshd_t urandom_device_t:chr_file { getattr read };
-
-# Read the user's .rhosts file.
-allow rshd_t home_type:file r_file_perms ;
-
-# Random reasons
-can_getsecurity(rshd_t)
-can_setexec(rshd_t)
-r_dir_file(rshd_t, selinux_config_t)
-r_dir_file(rshd_t, default_context_t)
-read_sysctl(rshd_t);
-
-if (use_nfs_home_dirs) {
-r_dir_file(rshd_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file(rshd_t, cifs_t)
-}
-
-allow rshd_t self:process { fork signal setsched setpgid };
-allow rshd_t self:fifo_file rw_file_perms;
-
-ifdef(`targeted_policy', `
-unconfined_domain(rshd_t)
-domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
-')
diff --git a/mls/domains/program/rsync.te b/mls/domains/program/rsync.te
deleted file mode 100644
index bed52a3f..00000000
--- a/mls/domains/program/rsync.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC rsync - flexible replacement for rcp
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the rsync_t domain.
-#
-# rsync_exec_t is the type of the rsync executable.
-#
-
-inetd_child_domain(rsync)
-type rsync_data_t, file_type, sysadmfile;
-r_dir_file(rsync_t, rsync_data_t)
-anonymous_domain(rsync)
-allow rsync_t self:capability sys_chroot;
diff --git a/mls/domains/program/samba.te b/mls/domains/program/samba.te
deleted file mode 100644
index 2e7b587d..00000000
--- a/mls/domains/program/samba.te
+++ /dev/null
@@ -1,226 +0,0 @@
-#DESC SAMBA - SMB file server
-#
-# Author: Ryan Bergauer (bergauer@rice.edu)
-# X-Debian-Packages: samba
-#
-
-#################################
-#
-# Declarations for Samba
-#
-
-daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
-daemon_domain(nmbd)
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile, customizable;
-type samba_secrets_t, file_type, sysadmfile;
-
-# for /var/run/samba/messages.tdb
-allow smbd_t nmbd_var_run_t:file rw_file_perms;
-
-allow smbd_t self:process setrlimit;
-
-# not sure why it needs this
-tmp_domain(smbd)
-
-# Allow samba to search mnt_t for potential mounted dirs
-allow smbd_t mnt_t:dir r_dir_perms;
-
-ifdef(`crond.te', `
-allow system_crond_t samba_etc_t:file { read getattr lock };
-allow system_crond_t samba_log_t:file { read getattr lock };
-#allow system_crond_t samba_secrets_t:file { read getattr lock };
-')
-
-#################################
-#
-# Rules for the smbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(smbd_t)
-general_proc_read_access(smbd_t)
-
-allow smbd_t smbd_port_t:tcp_socket name_bind;
-
-# Use capabilities.
-allow smbd_t self:capability { fowner setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
-
-# Use the network.
-can_network(smbd_t)
-nsswitch_domain(smbd_t)
-can_kerberos(smbd_t)
-allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
-
-allow smbd_t urandom_device_t:chr_file { getattr read };
-
-# Permissions for Samba files in /etc/samba
-# either allow read access to the directory or allow the auto_trans rule to
-# allow creation of the secrets.tdb file and the MACHINE.SID file
-#allow smbd_t samba_etc_t:dir { search getattr };
-file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
-
-allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
-
-# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
-allow smbd_t var_lib_t:dir search;
-create_dir_file(smbd_t, samba_var_t)
-
-# Needed for shared printers
-allow smbd_t var_spool_t:dir search;
-
-# Permissions to write log files.
-allow smbd_t samba_log_t:file { create ra_file_perms };
-allow smbd_t var_log_t:dir search;
-allow smbd_t samba_log_t:dir ra_dir_perms;
-dontaudit smbd_t samba_log_t:dir remove_name;
-
-ifdef(`hide_broken_symptoms', `
-dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-allow smbd_t fs_t:filesystem quotaget;
-
-allow smbd_t usr_t:file { getattr read };
-
-# Access Samba shares.
-create_dir_file(smbd_t, samba_share_t)
-
-anonymous_domain(smbd)
-
-ifdef(`logrotate.te', `
-# the application should be changed
-can_exec(logrotate_t, samba_log_t)
-')
-#################################
-#
-# Rules for the nmbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(nmbd_t)
-general_proc_read_access(nmbd_t)
-
-allow nmbd_t nmbd_port_t:udp_socket name_bind;
-
-# Use capabilities.
-allow nmbd_t self:capability net_bind_service;
-
-# Use the network.
-can_network_server(nmbd_t)
-
-# Permissions for Samba files in /etc/samba
-allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_etc_t:dir { search getattr };
-
-# Permissions for Samba cache files in /var/cache/samba
-allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
-allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-
-allow nmbd_t usr_t:file { getattr read };
-
-# Permissions to write log files.
-allow nmbd_t samba_log_t:file { create ra_file_perms };
-allow nmbd_t var_log_t:dir search;
-allow nmbd_t samba_log_t:dir ra_dir_perms;
-allow nmbd_t etc_t:file { getattr read };
-ifdef(`cups.te', `
-allow smbd_t cupsd_rw_etc_t:file { getattr read };
-')
-# Needed for winbindd
-allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
-
-# Support Samba sharing of home directories
-bool samba_enable_home_dirs false;
-
-ifdef(`mount.te', `
-#
-# Domain for running smbmount
-#
-
-# Derive from app. domain. Transition from mount.
-application_domain(smbmount, `, fs_domain, nscd_client_domain')
-domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
-
-# Capabilities
-# FIXME: is all of this really necessary?
-allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-# Access samba config
-allow smbmount_t samba_etc_t:file r_file_perms;
-allow smbmount_t samba_etc_t:dir r_dir_perms;
-allow initrc_t samba_etc_t:file rw_file_perms;
-
-# Write samba log
-allow smbmount_t samba_log_t:file create_file_perms;
-allow smbmount_t samba_log_t:dir r_dir_perms;
-
-# Write stuff in var
-allow smbmount_t var_log_t:dir r_dir_perms;
-rw_dir_create_file(smbmount_t, samba_var_t)
-
-# Access mtab
-file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
-
-# Read nsswitch.conf
-allow smbmount_t etc_t:file r_file_perms;
-
-# Networking
-can_network(smbmount_t)
-allow smbmount_t port_type:tcp_socket name_connect;
-can_ypbind(smbmount_t)
-allow smbmount_t self:unix_dgram_socket create_socket_perms;
-allow smbmount_t self:unix_stream_socket create_socket_perms;
-allow kernel_t smbmount_t:tcp_socket { read write };
-allow userdomain smbmount_t:tcp_socket write;
-
-# Proc
-# FIXME: is this necessary?
-r_dir_file(smbmount_t, proc_t)
-
-# Fork smbmnt
-allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t, smbmount_exec_t)
-allow smbmount_t self:process { fork signal_perms };
-
-# Mount
-allow smbmount_t cifs_t:filesystem mount_fs_perms;
-allow smbmount_t cifs_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir mounton;
-
-# Terminal
-read_locale(smbmount_t)
-access_terminal(smbmount_t, sysadm)
-allow smbmount_t userdomain:fd use;
-allow smbmount_t local_login_t:fd use;
-')
-# Derive from app. domain. Transition from mount.
-application_domain(samba_net, `, nscd_client_domain')
-role system_r types samba_net_t;
-in_user_role(samba_net_t)
-file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
-read_locale(samba_net_t)
-allow samba_net_t samba_etc_t:file r_file_perms;
-r_dir_file(samba_net_t, samba_var_t)
-can_network_udp(samba_net_t)
-access_terminal(samba_net_t, sysadm)
-allow samba_net_t self:unix_dgram_socket create_socket_perms;
-allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
-rw_dir_create_file(samba_net_t, samba_var_t)
-allow samba_net_t etc_t:file { getattr read };
-can_network_client(samba_net_t)
-allow samba_net_t smbd_port_t:tcp_socket name_connect;
-can_ldap(samba_net_t)
-can_kerberos(samba_net_t)
-allow samba_net_t urandom_device_t:chr_file r_file_perms;
-allow samba_net_t proc_t:dir search;
-allow samba_net_t proc_t:lnk_file read;
-allow samba_net_t self:dir search;
-allow samba_net_t self:file read;
-allow samba_net_t self:process signal;
-tmp_domain(samba_net)
-dontaudit samba_net_t sysadm_home_dir_t:dir search;
-allow samba_net_t privfd:fd use;
diff --git a/mls/domains/program/saslauthd.te b/mls/domains/program/saslauthd.te
deleted file mode 100644
index f614094a..00000000
--- a/mls/domains/program/saslauthd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC saslauthd - Authentication daemon for SASL
-#
-# Author: Colin Walters
-#
-
-daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
-
-allow saslauthd_t self:fifo_file { read write };
-allow saslauthd_t self:unix_dgram_socket create_socket_perms;
-allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
-allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
-allow saslauthd_t var_lib_t:dir search;
-
-allow saslauthd_t etc_t:dir { getattr search };
-allow saslauthd_t etc_t:file r_file_perms;
-allow saslauthd_t net_conf_t:file r_file_perms;
-
-allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file { getattr read };
-
-allow saslauthd_t urandom_device_t:chr_file { getattr read };
-
-# Needs investigation
-dontaudit saslauthd_t home_root_t:dir getattr;
-can_network_client_tcp(saslauthd_t)
-allow saslauthd_t pop_port_t:tcp_socket name_connect;
-
-bool allow_saslauthd_read_shadow false;
-
-if (allow_saslauthd_read_shadow) {
-allow saslauthd_t shadow_t:file r_file_perms;
-}
-dontaudit saslauthd_t selinux_config_t:dir search;
-dontaudit saslauthd_t selinux_config_t:file { getattr read };
-
-
-dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
-ifdef(`mysqld.te', `
-allow saslauthd_t mysqld_db_t:dir search;
-allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
-')
-dontaudit saslauthd_t self:capability setuid;
diff --git a/mls/domains/program/screen.te b/mls/domains/program/screen.te
deleted file mode 100644
index e9be1a09..00000000
--- a/mls/domains/program/screen.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC screen - Program to detach sessions
-#
-# X-Debian-Packages: screen
-# Domains for the screen program.
-
-#
-# screen_exec_t is the type of the screen executable.
-#
-type screen_exec_t, file_type, sysadmfile, exec_type;
-type screen_dir_t, file_type, sysadmfile, pidfile;
-
-# Everything else is in the screen_domain macro in
-# macros/program/screen_macros.te.
diff --git a/mls/domains/program/sendmail.te b/mls/domains/program/sendmail.te
deleted file mode 100644
index f3f9b715..00000000
--- a/mls/domains/program/sendmail.te
+++ /dev/null
@@ -1,136 +0,0 @@
-#DESC Sendmail - Mail server
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sendmail sendmail-wide
-# Depends: mta.te
-#
-
-#################################
-#
-# Rules for the sendmail_t domain.
-#
-# sendmail_t is the domain for the sendmail
-# daemon started by the init rc scripts.
-#
-
-daemon_base_domain(sendmail_launch)
-
-allow sendmail_launch_t { etc_t proc_t etc_runtime_t self }:file { getattr read };
-allow sendmail_launch_t { bin_t sbin_t etc_t }:lnk_file { getattr read };
-allow sendmail_launch_t { bin_t sbin_t }:dir search;
-can_exec(sendmail_launch_t, { etc_t bin_t sbin_t shell_exec_t })
-access_terminal(sendmail_launch_t, sysadm)
-ifdef(`consoletype.te', `
-domain_auto_trans(sendmail_launch_t, consoletype_exec_t, consoletype_t)
-')
-read_locale(sendmail_launch_t)
-r_dir_file(sendmail_launch_t, etc_mail_t)
-allow sendmail_launch_t self:fifo_file rw_file_perms;
-allow sendmail_launch_t self:capability { chown kill sys_nice };
-allow sendmail_launch_t self:unix_stream_socket create_stream_socket_perms;
-can_ps(sendmail_launch_t, sendmail_t)
-dontaudit sendmail_launch_t domain:dir search;
-allow sendmail_launch_t sendmail_t:process signal;
-ifdef(`distro_redhat', `
-lock_domain(sendmail_launch)
-')
-dontaudit sendmail_launch_t mnt_t:dir search;
-allow sendmail_launch_t devpts_t:dir search;
-
-file_type_auto_trans(sendmail_launch_t, var_run_t, sendmail_var_run_t, file)
-
-daemon_core_rules(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender')
-
-# stuff from daemon_domain and daemon_base_domain because we can not have an
-# automatic transition from initrc_t
-rhgb_domain(sendmail_t)
-read_sysctl(sendmail_t)
-domain_auto_trans(sendmail_launch_t, sendmail_exec_t, sendmail_t)
-allow sendmail_t privfd:fd use;
-allow { sendmail_t sendmail_launch_t } var_t:dir { getattr search };
-var_run_domain(sendmail)
-allow sendmail_t { ttyfile devtty_t }:chr_file rw_file_perms;
-dontaudit 
{ sendmail_t sendmail_launch_t } sysadm_home_dir_t:dir search;
-read_locale(sendmail_t)
-allow sendmail_t fs_t:filesystem getattr;
-
-
-tmp_domain(sendmail)
-logdir_domain(sendmail)
-
-# Use capabilities
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-
-# Use the network.
-can_network(sendmail_t)
-allow sendmail_t port_type:tcp_socket name_connect;
-can_ypbind(sendmail_t)
-
-allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
-allow sendmail_t self:unix_dgram_socket create_socket_perms;
-allow sendmail_t self:fifo_file rw_file_perms;
-
-# Bind to the SMTP port.
-allow sendmail_t smtp_port_t:tcp_socket name_bind;
-
-allow sendmail_t etc_t:file { getattr read };
-
-# Write to /etc/aliases and /etc/mail.
-allow sendmail_t etc_aliases_t:file { setattr rw_file_perms };
-
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file create_file_perms;
-
-# Write to /var/spool/mail and /var/spool/mqueue.
-allow sendmail_t var_spool_t:dir { getattr search };
-allow sendmail_t mail_spool_t:dir rw_dir_perms;
-allow sendmail_t mail_spool_t:file create_file_perms;
-allow sendmail_t mqueue_spool_t:dir rw_dir_perms;
-allow sendmail_t mqueue_spool_t:file create_file_perms;
-allow sendmail_t urandom_device_t:chr_file { getattr read };
-
-# Read /usr/lib/sasl2/.*
-allow sendmail_t lib_t:file { getattr read };
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
-
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
-
-# Run procmail in its own domain, if defined. 
-ifdef(`procmail.te',`
-domain_auto_trans(sendmail_t, procmail_exec_t, procmail_t)
-domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
-allow sendmail_t bin_t:dir { getattr search };
-')
-
-read_sysctl(sendmail_t)
-read_sysctl(system_mail_t)
-
-allow system_mail_t etc_mail_t:dir { getattr search };
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t proc_t:dir search;
-allow system_mail_t proc_t:file { getattr read };
-allow system_mail_t proc_t:lnk_file read;
-dontaudit system_mail_t proc_net_t:dir search;
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t self:dir { getattr search };
-allow system_mail_t var_t:dir getattr;
-allow system_mail_t var_spool_t:dir getattr;
-dontaudit system_mail_t userpty_type:chr_file { getattr read write };
-
-# sendmail -q
-allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow system_mail_t mqueue_spool_t:file create_file_perms;
-
-ifdef(`crond.te', `
-dontaudit system_mail_t system_crond_tmp_t:file append;
-')
-dontaudit sendmail_t admin_tty_type:chr_file rw_file_perms;
-
-# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
-
diff --git a/mls/domains/program/setfiles.te b/mls/domains/program/setfiles.te
deleted file mode 100644
index 85bcd4ce..00000000
--- a/mls/domains/program/setfiles.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Setfiles - SELinux filesystem labeling utilities
-#
-# Authors: Russell Coker
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the setfiles_t domain.
-#
-# setfiles_exec_t is the type of the setfiles executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type setfiles_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types setfiles_t;
-role sysadm_r types setfiles_t;
-role secadm_r types setfiles_t;
-
-ifdef(`distro_redhat', `
-domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
-')
-can_access_pty(hostname_t, initrc)
-allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
-
-allow setfiles_t self:unix_dgram_socket create_socket_perms;
-
-domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
-allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
-
-uses_shlib(setfiles_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-
-# Get security policy decisions. 
-can_getsecurity(setfiles_t)
-
-r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
-
-allow setfiles_t file_type:dir r_dir_perms;
-allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
-allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
-allow setfiles_t unlabeled_t:dir read;
-allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
-# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
-dontaudit setfiles_t ttyfile:chr_file relabelfrom;
-
-allow setfiles_t fs_t:filesystem getattr;
-allow setfiles_t fs_type:dir r_dir_perms;
-
-read_locale(setfiles_t)
-
-allow setfiles_t etc_runtime_t:file { getattr read };
-allow setfiles_t etc_t:file { getattr read };
-allow setfiles_t proc_t:file { getattr read };
-dontaudit setfiles_t proc_t:lnk_file { getattr read };
-
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
-dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
diff --git a/mls/domains/program/slapd.te b/mls/domains/program/slapd.te
deleted file mode 100644
index 49838709..00000000
--- a/mls/domains/program/slapd.te
+++ /dev/null
@@ -1,78 +0,0 @@
-#DESC Slapd - OpenLDAP server
-#
-# Author: Russell Coker
-# X-Debian-Packages: slapd
-#
-
-#################################
-#
-# Rules for the slapd_t domain.
-#
-# slapd_exec_t is the type of the slapd executable.
-#
-daemon_domain(slapd)
-
-allow slapd_t ldap_port_t:tcp_socket name_bind;
-
-etc_domain(slapd)
-type slapd_db_t, file_type, sysadmfile;
-type slapd_replog_t, file_type, sysadmfile;
-
-tmp_domain(slapd)
-
-# Use the network.
-can_network(slapd_t)
-allow slapd_t port_type:tcp_socket name_connect;
-can_ypbind(slapd_t)
-allow slapd_t self:fifo_file rw_file_perms;
-allow slapd_t self:unix_stream_socket create_stream_socket_perms;
-file_type_auto_trans(slapd_t,var_run_t,slapd_var_run_t,sock_file)
-allow slapd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the LDAP server
-can_tcp_connect(domain, slapd_t)
-
-# Use capabilities should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
-allow slapd_t self:process setsched;
-
-allow slapd_t proc_t:file r_file_perms;
-
-# Allow access to the slapd databases
-create_dir_file(slapd_t, slapd_db_t)
-allow initrc_t slapd_db_t:dir r_dir_perms;
-allow slapd_t var_lib_t:dir r_dir_perms;
-
-# Allow access to write the replication log (should tighten this)
-create_dir_file(slapd_t, slapd_replog_t)
-
-# read config files
-allow slapd_t etc_t:{ file lnk_file } { getattr read };
-allow slapd_t etc_runtime_t:file { getattr read };
-
-# for startup script
-allow initrc_t slapd_etc_t:file { getattr read };
-
-allow slapd_t etc_t:dir r_dir_perms;
-
-read_sysctl(slapd_t)
-
-allow slapd_t usr_t:{ lnk_file file } { read getattr };
-allow slapd_t urandom_device_t:chr_file { getattr read ioctl };
-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
-r_dir_file(slapd_t, cert_t)
-
-
-type slapd_cert_t, file_type, sysadmfile;
-allow slapd_t bin_t:dir search;
-can_exec(slapd_t, bin_t) 
-r_dir_file(slapd_t, proc_net_t)
-allow slapd_t self:capability { chown sys_nice };
-allow slapd_t self:file { getattr read };
-allow slapd_t self:process { execstack getsched };
-allow slapd_t sysctl_net_t:dir r_dir_perms;
-lock_domain(slapd)
-create_dir_file(slapd_t, slapd_lock_t)
-dontaudit slapd_t devpts_t:dir search;
-rw_dir_create_file(slapd_t, slapd_cert_t)
-allow slapd_t usr_t:dir { add_name write };
-allow slapd_t usr_t:file { create write };
diff --git a/mls/domains/program/slocate.te b/mls/domains/program/slocate.te
deleted file mode 100644
index 8512aabd..00000000
--- a/mls/domains/program/slocate.te
+++ /dev/null
@@ -1,77 +0,0 @@
-#DESC LOCATE - Security Enhanced version of the GNU Locate
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the locate_t domain.
-#
-# locate_exec_t is the type of the locate executable.
-#
-daemon_base_domain(locate)
-role system_r types locate_t;
-role sysadm_r types locate_t;
-allow locate_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(locate_exec_t, locate_t)
-allow system_crond_t locate_log_t:dir rw_dir_perms;
-allow system_crond_t locate_log_t:file { create append getattr };
-allow system_crond_t locate_etc_t:file { getattr read };
-')
-
-allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
-
-allow locate_t { fs_type file_type }:dir r_dir_perms;
-dontaudit locate_t sysctl_t:dir getattr;
-allow locate_t file_type:lnk_file r_file_perms;
-allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
-dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
-dontaudit locate_t security_t:dir getattr;
-dontaudit locate_t shadow_t:file getattr;
-
-allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
-allow locate_t unlabeled_t:dir_file_class_set getattr;
-allow locate_t unlabeled_t:dir read;
-
-logdir_domain(locate)
-etcdir_domain(locate)
-
-type locate_var_lib_t, file_type, sysadmfile;
-typealias locate_var_lib_t alias var_lib_locate_t;
-
-create_dir_file(locate_t, locate_var_lib_t)
-dontaudit locate_t sysadmfile:file getattr;
-
-allow locate_t proc_t:file { getattr read };
-allow locate_t self:unix_stream_socket create_socket_perms;
-#
-# Need to be able to exec renice
-#
-can_exec(locate_t, bin_t)
-
-dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
-dontaudit locate_t rpc_pipefs_t:file getattr;
-
-#
-# Read Mtab file
-#
-allow locate_t etc_runtime_t:file { getattr read };
-
-#
-# Read nsswitch file
-#
-allow locate_t etc_t:file { getattr read };
-dontaudit locate_t self:capability dac_override; 
-allow locate_t self:capability dac_read_search;
-
-# sysadm_t runs locate in his own domain.
-# We use a type alias to simplify the rest of the policy,
-# which often refers to $1_locate_t for the user domains.
-typealias sysadm_t alias sysadm_locate_t;
-
-allow locate_t userdomain:fd use;
-ifdef(`cardmgr.te', `
-allow locate_t cardmgr_var_run_t:chr_file getattr;
-')
diff --git a/mls/domains/program/slrnpull.te b/mls/domains/program/slrnpull.te
deleted file mode 100644
index 25edb933..00000000
--- a/mls/domains/program/slrnpull.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC slrnpull
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the slrnpull_t domain.
-#
-# slrnpull_exec_t is the type of the slrnpull executable.
-#
-daemon_domain(slrnpull)
-type slrnpull_spool_t, file_type, sysadmfile;
-
-log_domain(slrnpull)
-
-ifdef(`logrotate.te', `
-create_dir_file(logrotate_t, slrnpull_spool_t)
-')
-system_crond_entry(slrnpull_exec_t, slrnpull_t)
-allow userdomain slrnpull_spool_t:dir search;
-rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
-allow slrnpull_t var_spool_t:dir search;
-allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
diff --git a/mls/domains/program/snmpd.te b/mls/domains/program/snmpd.te
deleted file mode 100644
index ea75c8d6..00000000
--- a/mls/domains/program/snmpd.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC SNMPD - Simple Network Management Protocol daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: snmpd
-#
-
-#################################
-#
-# Rules for the snmpd_t domain.
-#
-daemon_domain(snmpd, `, nscd_client_domain')
-
-#temp
-allow snmpd_t var_t:dir getattr;
-
-can_network_server(snmpd_t)
-can_ypbind(snmpd_t)
-
-allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
-
-etc_domain(snmpd)
-
-# for the .index file
-var_lib_domain(snmpd)
-file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
-allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
-
-log_domain(snmpd)
-# for /usr/share/snmp/mibs
-allow snmpd_t usr_t:file { getattr read };
-
-can_udp_send(sysadm_t, snmpd_t)
-can_udp_send(snmpd_t, sysadm_t)
-
-allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
-
-allow snmpd_t proc_t:dir search;
-allow snmpd_t proc_t:file r_file_perms;
-allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file rw_file_perms;
-allow snmpd_t { bin_t sbin_t }:dir search;
-can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-r_dir_file(snmpd_t, rpm_var_lib_t)
-dontaudit snmpd_t rpm_var_lib_t:dir write;
-dontaudit snmpd_t rpm_var_lib_t:file write;
-')
-')
-
-allow snmpd_t home_root_t:dir search;
-allow snmpd_t initrc_var_run_t:file r_file_perms;
-dontaudit snmpd_t initrc_var_run_t:file write;
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-read_sysctl(snmpd_t)
-allow snmpd_t sysctl_net_t:dir search;
-allow snmpd_t 
sysctl_net_t:file { getattr read };
-
-dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
-allow snmpd_t sysfs_t:dir { getattr read search };
-ifdef(`amanda.te', `
-dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
-')
-ifdef(`cupsd.te', `
-allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-allow snmpd_t var_lib_nfs_t:dir search;
-
-# needed in order to retrieve net traffic data
-allow snmpd_t proc_net_t:dir search;
-allow snmpd_t proc_net_t:file r_file_perms;
-
-allow snmpd_t domain:dir { getattr search };
-allow snmpd_t domain:file { getattr read };
-allow snmpd_t domain:process signull;
-
-dontaudit snmpd_t selinux_config_t:dir search;
diff --git a/mls/domains/program/sound.te b/mls/domains/program/sound.te
deleted file mode 100644
index 01f7355b..00000000
--- a/mls/domains/program/sound.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Sound - Sound utilities
-#
-# Authors: Mark Westerman
-# X-Debian-Packages: esound
-#
-#################################
-#
-# Rules for the sound_t domain.
-#
-daemon_base_domain(sound)
-type sound_file_t, file_type, sysadmfile;
-allow initrc_t sound_file_t:file { getattr read };
-allow sound_t sound_file_t:file rw_file_perms;
-
-# Use capabilities.
-# Commented out by default.
-#allow sound_t self:capability { sys_admin sys_rawio sys_time dac_override };
-dontaudit sound_t self:capability { sys_admin sys_rawio sys_time dac_read_search dac_override };
-
-# Read and write the sound device.
-allow sound_t sound_device_t:chr_file rw_file_perms;
-
-# Read and write ttys.
-allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
-read_locale(sound_t)
-allow initrc_t sound_file_t:file { setattr write };
diff --git a/mls/domains/program/spamassassin.te b/mls/domains/program/spamassassin.te
deleted file mode 100644
index d08eaa30..00000000
--- a/mls/domains/program/spamassassin.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Spamassassin
-#
-# Author: Colin Walters
-# X-Debian-Packages: spamassassin
-#
-
-type spamassassin_exec_t, file_type, sysadmfile, exec_type;
-
-bool spamassasin_can_network false;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/mls/domains/program/spamc.te b/mls/domains/program/spamc.te
deleted file mode 100644
index 9b49fbf0..00000000
--- a/mls/domains/program/spamc.te
+++ /dev/null
@@ -1,10 +0,0 @@
-#DESC Spamc - Spamassassin client
-#
-# Author: Colin Walters
-# X-Debian-Packages: spamc
-# Depends: spamassassin.te
-#
-
-type spamc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/mls/domains/program/spamd.te b/mls/domains/program/spamd.te
deleted file mode 100644
index 26f2a5a0..00000000
--- a/mls/domains/program/spamd.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#DESC Spamd - Spamassassin daemon
-#
-# Author: Colin Walters
-# X-Debian-Packages: spamassassin
-# Depends: spamassassin.te
-#
-
-daemon_domain(spamd)
-
-tmp_domain(spamd)
-
-general_domain_access(spamd_t)
-uses_shlib(spamd_t)
-read_sysctl(spamd_t)
-
-# Various Perl bits
-allow spamd_t lib_t:file rx_file_perms;
-dontaudit spamd_t shadow_t:file { getattr read };
-dontaudit spamd_t initrc_var_run_t:file { read write lock };
-dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
-
-can_network_server(spamd_t)
-allow spamd_t spamd_port_t:tcp_socket name_bind;
-allow spamd_t port_type:udp_socket name_bind;
-dontaudit spamd_t reserved_port_type:udp_socket name_bind;
-can_ypbind(spamd_t)
-can_resolve(spamd_t)
-allow spamd_t self:capability net_bind_service;
-
-allow spamd_t proc_t:file { getattr read };
-
-# Spamassassin, when run as root and using per-user config files,
-# setuids to the user running spamc. Comment this if you are not
-# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-
-allow spamd_t { bin_t sbin_t }:dir { getattr search };
-can_exec(spamd_t, bin_t)
-
-ifdef(`sendmail.te', `
-allow spamd_t etc_mail_t:dir { getattr read search };
-allow spamd_t etc_mail_t:file { getattr ioctl read };
-')
-allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
-
-ifdef(`amavis.te', `
-# for bayes tokens
-allow spamd_t var_lib_t:dir { getattr search };
-rw_dir_create_file(spamd_t, amavisd_lib_t)
-')
-
-allow spamd_t usr_t:file { getattr ioctl read };
-allow spamd_t usr_t:lnk_file { getattr read };
-allow spamd_t urandom_device_t:chr_file { getattr read };
-
-system_crond_entry(spamd_exec_t, spamd_t)
-ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')
diff --git a/mls/domains/program/squid.te b/mls/domains/program/squid.te
deleted file mode 100644
index 141518b2..00000000
--- a/mls/domains/program/squid.te
+++ /dev/null
@@ -1,84 +0,0 @@
-#DESC Squid - Web cache
-#
-# Author: Russell Coker
-# X-Debian-Packages: squid
-#
-
-#################################
-#
-# Rules for the squid_t domain.
-#
-# squid_t is the domain the squid process runs in
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
-bool squid_connect_any false;
-daemon_domain(squid, `, web_client_domain, nscd_client_domain')
-type squid_conf_t, file_type, sysadmfile;
-general_domain_access(squid_t)
-allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
-allow squid_t squid_conf_t:dir r_dir_perms;
-allow squid_t squid_conf_t:lnk_file read;
-
-logdir_domain(squid)
-rw_dir_create_file(initrc_t, squid_log_t)
-
-allow squid_t usr_t:file { getattr read };
-
-# type for /var/cache/squid
-type squid_cache_t, file_type, sysadmfile;
-
-allow squid_t self:capability { setgid setuid net_bind_service dac_override };
-allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
-allow squid_t etc_t:lnk_file read;
-allow squid_t self:unix_stream_socket create_socket_perms;
-allow squid_t self:unix_dgram_socket create_socket_perms;
-allow squid_t self:fifo_file rw_file_perms;
-
-read_sysctl(squid_t)
-
-allow squid_t devtty_t:chr_file rw_file_perms;
-
-allow squid_t { self proc_t }:file { read getattr };
-
-# for when we use /var/spool/cache
-allow squid_t var_spool_t:dir search;
-
-# Grant permissions to create, access, and delete cache files.
-# No type transitions required, as the files inherit the parent directory type. 
-create_dir_file(squid_t, squid_cache_t)
-ifdef(`logrotate.te',
-`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
-ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
-
-# Use the network
-can_network(squid_t)
-if (squid_connect_any) {
-allow squid_t port_type:tcp_socket name_connect;
-}
-can_ypbind(squid_t)
-can_tcp_connect(web_client_domain, squid_t)
-
-# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-# to allow running programs from /usr/lib/squid (IE unlinkd)
-# also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
-allow squid_t { bin_t sbin_t }:dir search;
-allow squid_t { bin_t sbin_t }:lnk_file read;
-
-dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
-ifdef(`targeted_policy', `
-dontaudit squid_t tty_device_t:chr_file { read write };
-')
-allow squid_t urandom_device_t:chr_file { getattr read };
-
-#squid requires the following when run in diskd mode, the recommended setting
-r_dir_file(squid_t, cert_t)
-ifdef(`winbind.te', `
-domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
-allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
-allow winbind_helper_t squid_log_t:file ra_file_perms;
-')
diff --git a/mls/domains/program/ssh-agent.te b/mls/domains/program/ssh-agent.te
deleted file mode 100644
index f2e3d84c..00000000
--- a/mls/domains/program/ssh-agent.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC ssh-agent - agent to securely store ssh-keys
-#
-# Authors: Thomas Bleher
-#
-# X-Debian-Packages: ssh
-#
-
-# Type for the ssh-agent executable.
-type ssh_agent_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the ssh_agent_domain macro in
-# macros/program/ssh_agent_macros.te.
-
diff --git a/mls/domains/program/ssh.te b/mls/domains/program/ssh.te
deleted file mode 100644
index 367e4c73..00000000
--- a/mls/domains/program/ssh.te
+++ /dev/null
@@ -1,237 +0,0 @@
-#DESC SSH - SSH daemon
-#
-# Authors: Anthony Colatrella (NSA)
-# Stephen Smalley
-# Russell Coker
-# X-Debian-Packages: ssh
-#
-
-# Allow ssh logins as sysadm_r:sysadm_t
-bool ssh_sysadm_login false;
-
-# allow host key based authentication
-bool allow_ssh_keysign false;
-
-ifdef(`inetd.te', `
-# Allow ssh to run from inetd instead of as a daemon.
-bool run_ssh_inetd false;
-')
-
-# sshd_exec_t is the type of the sshd executable.
-# sshd_key_t is the type of the ssh private key files
-type sshd_exec_t, file_type, exec_type, sysadmfile;
-type sshd_key_t, file_type, sysadmfile;
-
-define(`sshd_program_domain', `
-# privowner is for changing the identity on the terminal device
-# privfd is for passing the terminal file handle to the user process
-# auth_chkpwd is for running unix_chkpwd and unix_verify.
-type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-can_exec($1_t, sshd_exec_t)
-r_dir_file($1_t, self)
-role system_r types $1_t;
-dontaudit $1_t shadow_t:file { getattr read };
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-allow $1_t self:process { fork sigchld signal setsched setrlimit };
-
-dontaudit $1_t self:lnk_file read;
-
-# do not allow statfs()
-dontaudit $1_t fs_type:filesystem getattr;
-
-allow $1_t bin_t:dir search;
-allow $1_t bin_t:lnk_file read;
-
-# for sshd subsystems, such as sftp-server.
-allow $1_t bin_t:file getattr;
-
-# Read /var.
-allow $1_t var_t:dir { getattr search };
-
-# Read /var/log.
-allow $1_t var_log_t:dir search;
-
-# Read /etc. 
-allow $1_t etc_t:dir search;
-# ioctl is for pam_console
-dontaudit $1_t etc_t:file ioctl;
-allow $1_t etc_t:file { getattr read };
-allow $1_t etc_t:lnk_file { getattr read };
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Read /dev/urandom
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_kerberos($1_t)
-
-allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-allow $1_t { home_root_t home_dir_type }:dir { search getattr };
-if (use_nfs_home_dirs) {
-allow $1_t autofs_t:dir { search getattr };
-allow $1_t nfs_t:dir { search getattr };
-allow $1_t nfs_t:file { getattr read };
-}
-
-if (use_samba_home_dirs) {
-allow $1_t cifs_t:dir { search getattr };
-allow $1_t cifs_t:file { getattr read };
-}
-
-# Set exec context.
-can_setexec($1_t)
-
-# Update utmp.
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Update wtmp.
-allow $1_t wtmp_t:file rw_file_perms;
-
-# Get security policy decisions.
-can_getsecurity($1_t)
-
-# Allow read access to login context
-r_dir_file( $1_t, default_context_t)
-
-# Access key files
-allow $1_t sshd_key_t:file { getattr read };
-
-# Update /var/log/lastlog. 
-allow $1_t lastlog_t:file rw_file_perms;
-
-read_locale($1_t)
-read_sysctl($1_t)
-
-# Can create ptys
-can_create_pty($1, `, server_pty')
-allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
-dontaudit sshd_t userpty_type:chr_file relabelfrom;
-
-allow $1_t faillog_t:file { append getattr };
-allow $1_t sbin_t:file getattr;
-
-# Allow checking users mail at login
-allow $1_t { var_spool_t mail_spool_t }:dir search;
-allow $1_t mail_spool_t:lnk_file read;
-allow $1_t mail_spool_t:file getattr;
-')dnl end sshd_program_domain
-
-# macro for defining which domains a sshd can spawn
-# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the
-# type of the pty for the child
-define(`sshd_spawn_domain', `
-login_spawn_domain($1, $2)
-ifdef(`xauth.te', `
-domain_trans($1_t, xauth_exec_t, $2)
-')
-
-# Relabel and access ptys created by sshd
-# ioctl is necessary for logout() processing for utmp entry and for w to
-# display the tty.
-# some versions of sshd on the new SE Linux require setattr
-allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr };
-
-# inheriting stream sockets is needed for "ssh host command" as no pty
-# is allocated
-allow $2 $1_t:unix_stream_socket rw_stream_socket_perms;
-')dnl end sshd_spawn_domain definition
-
-#################################
-#
-# Rules for the sshd_t domain, et al.
-#
-# sshd_t is the domain for the sshd program. 
-# sshd_extern_t is the domain for ssh from outside our network
-#
-sshd_program_domain(sshd)
-if (ssh_sysadm_login) {
-allow sshd_t devpts_t:dir r_dir_perms;
-sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
-} else {
-sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
-}
-
-# for X forwarding
-allow sshd_t xserver_port_t:tcp_socket name_bind;
-
-r_dir_file(sshd_t, selinux_config_t)
-sshd_program_domain(sshd_extern)
-sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
-
-# for when the network connection breaks after running newrole -r sysadm_r
-dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
-
-ifdef(`inetd.te', `
-if (run_ssh_inetd) {
-allow inetd_t ssh_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
-domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
-allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms;
-allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search };
-allow { sshd_t sshd_extern_t } self:process signal;
-} else {
-')
-can_access_pty({ sshd_t sshd_extern_t }, initrc)
-allow { sshd_t sshd_extern_t } self:capability net_bind_service;
-allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
-
-# for port forwarding
-can_tcp_connect(userdomain, sshd_t)
-
-domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
-domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
-dontaudit initrc_t sshd_key_t:file { getattr read };
-
-# Inherit and use descriptors from init.
-allow { sshd_t sshd_extern_t } init_t:fd use;
-ifdef(`inetd.te', `
-}
-')
-
-# Create /var/run/sshd.pid
-var_run_domain(sshd)
-var_run_domain(sshd_extern)
-
-ifdef(`direct_sysadm_daemon', `
-# Direct execution by sysadm_r.
-domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
-role_transition sysadm_r sshd_exec_t system_r;
-')
-
-undefine(`sshd_program_domain')
-
-# so a tunnel can point to another ssh tunnel... 
-can_tcp_connect(sshd_t, sshd_t)
-
-tmp_domain(sshd, `', { dir file sock_file })
-ifdef(`pam.te', `
-can_exec(sshd_t, pam_exec_t)
-')
-
-# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-# and by sysadm_t
-daemon_base_domain(ssh_keygen)
-allow ssh_keygen_t etc_t:file { getattr read };
-file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
-
-# Type for the ssh executable.
-type ssh_exec_t, file_type, exec_type, sysadmfile;
-type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the ssh_domain macro in
-# macros/program/ssh_macros.te.
-
-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
-allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-ifdef(`use_mcs', `
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-')
diff --git a/mls/domains/program/stunnel.te b/mls/domains/program/stunnel.te
deleted file mode 100644
index 4dbfcec8..00000000
--- a/mls/domains/program/stunnel.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# DESC: selinux policy for stunnel
-#
-# Author: petre rodan
-#
-ifdef(`distro_gentoo', `
-
-daemon_domain(stunnel)
-
-can_network(stunnel_t)
-allow stunnel_t port_type:tcp_socket name_connect;
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:fifo_file { read write };
-allow stunnel_t self:tcp_socket { read write };
-allow stunnel_t self:unix_stream_socket { connect create };
-
-r_dir_file(stunnel_t, etc_t)
-', `
-inetd_child_domain(stunnel, tcp)
-allow stunnel_t self:capability sys_chroot;
-
-bool stunnel_is_daemon false;
-if (stunnel_is_daemon) {
-# Policy to run stunnel as a daemon should go here.
-allow stunnel_t self:tcp_socket rw_stream_socket_perms;
-allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-}
-')
-
-type stunnel_etc_t, file_type, sysadmfile;
-r_dir_file(stunnel_t, stunnel_etc_t)
-allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
-
diff --git a/mls/domains/program/su.te b/mls/domains/program/su.te
deleted file mode 100644
index 5769d117..00000000
--- a/mls/domains/program/su.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Su - Run shells with substitute user and group
-#
-# Domains for the su program.
-# X-Debian-Packages: login
-
-#
-# su_exec_t is the type of the su executable.
-#
-type su_exec_t, file_type, sysadmfile;
-
-allow sysadm_su_t user_home_dir_type:dir search;
-
-# Everything else is in the su_domain macro in
-# macros/program/su_macros.te.
-
-ifdef(`use_mcs', `
-ifdef(`targeted_policy', `
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
-# allow user to suspend terminal
-allow sysadm_su_t unconfined_t:process signal;
-allow sysadm_su_t self:process { signal sigstop };
-can_exec(sysadm_su_t, bin_t)
-rw_dir_create_file(sysadm_su_t, home_dir_type)
-')
-')
diff --git a/mls/domains/program/sudo.te b/mls/domains/program/sudo.te
deleted file mode 100644
index a1fad31f..00000000
--- a/mls/domains/program/sudo.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC sudo - execute a command as another user
-#
-# Authors: Dan Walsh, Russell Coker
-# Maintained by Dan Walsh
-#
-
-# Type for the sudo executable.
-type sudo_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the sudo_domain macro in
-# macros/program/sudo_macros.te.
diff --git a/mls/domains/program/sulogin.te b/mls/domains/program/sulogin.te
deleted file mode 100644
index 0bed085e..00000000
--- a/mls/domains/program/sulogin.te
+++ /dev/null
@@ -1,56 +0,0 @@ -#DESC sulogin - Single-User login -# -# Authors: Dan Walsh -# -# X-Debian-Packages: sysvinit - -################################# -# -# Rules for the sulogin_t domain -# - -type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth; -type sulogin_exec_t, file_type, exec_type, sysadmfile; -role system_r types sulogin_t; - -general_domain_access(sulogin_t) - -domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t) -allow sulogin_t initrc_t:process getpgid; -uses_shlib(sulogin_t) - -# suse and debian do not use pam with sulogin... -ifdef(`distro_suse', ` -define(`sulogin_no_pam', `') -') -ifdef(`distro_debian', ` -define(`sulogin_no_pam', `') -') - -ifdef(`sulogin_no_pam', ` -domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t) -allow sulogin_t init_t:process getpgid; -allow sulogin_t self:capability sys_tty_config; -', ` -domain_trans(sulogin_t, shell_exec_t, sysadm_t) -allow sulogin_t shell_exec_t:file r_file_perms; - -can_setexec(sulogin_t) -can_getsecurity(sulogin_t) -') - -r_dir_file(sulogin_t, etc_t) - -allow sulogin_t bin_t:dir r_dir_perms; -r_dir_file(sulogin_t, proc_t) -allow sulogin_t root_t:dir search; - -allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; -allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; -allow sulogin_t default_context_t:dir search; -allow sulogin_t default_context_t:file { getattr read }; - -r_dir_file(sulogin_t, selinux_config_t) - -# because file systems are not mounted -dontaudit sulogin_t file_t:dir search; diff --git a/mls/domains/program/swat.te b/mls/domains/program/swat.te deleted file mode 100644 index aa94d2f1..00000000 --- a/mls/domains/program/swat.te +++ /dev/null @@ -1,14 +0,0 @@ -#DESC swat - Samba Web Administration Tool -# -# Author: Dan Walsh -# -# Depends: inetd.te - -################################# -# -# Rules for the swat_t domain. -# -# swat_exec_t is the type of the swat executable. -# - -inetd_child_domain(swat) 
diff --git a/mls/domains/program/syslogd.te b/mls/domains/program/syslogd.te deleted file mode 100644 index 8957feae..00000000 --- a/mls/domains/program/syslogd.te +++ /dev/null 
@@ -1,110 +0,0 @@ -#DESC Syslogd - System log daemon -# -# Authors: Stephen Smalley and Timothy Fraser -# X-Debian-Packages: sysklogd syslog-ng -# - -################################# -# -# Rules for the syslogd_t domain. -# -# syslogd_t is the domain of syslogd. -# syslogd_exec_t is the type of the syslogd executable. -# devlog_t is the type of the Unix domain socket created -# by syslogd. -# -ifdef(`klogd.te', ` -daemon_domain(syslogd, `, privkmsg, nscd_client_domain') -', ` -daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain') -') - -# can_network is for the UDP socket -can_network_udp(syslogd_t) -can_ypbind(syslogd_t) - -r_dir_file(syslogd_t, sysfs_t) - -type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject; - -# if something can log to syslog they should be able to log to the console -allow privlog console_device_t:chr_file { ioctl read write getattr }; - -tmp_domain(syslogd) - -# read files in /etc -allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms; - -# Use capabilities. -allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config }; - -# Modify/create log files. -create_append_log_file(syslogd_t, var_log_t) - -# Create and bind to /dev/log or /var/run/log. -file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file) -ifdef(`distro_suse', ` -# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel -file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) -') -allow syslogd_t self:unix_dgram_socket create_socket_perms; -allow syslogd_t self:unix_dgram_socket sendto; -allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -allow syslogd_t self:fifo_file rw_file_perms; -allow syslogd_t devlog_t:unix_stream_socket name_bind; -allow syslogd_t devlog_t:unix_dgram_socket name_bind; -# log to the xconsole -allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; - -# Domains with the privlog attribute may log to syslogd. 
-allow privlog devlog_t:sock_file rw_file_perms; -can_unix_send(privlog,syslogd_t) -can_unix_connect(privlog,syslogd_t) -# allow /dev/log to be a link elsewhere for chroot setup -allow privlog devlog_t:lnk_file read; - -ifdef(`crond.te', ` -# for daemon re-start -allow system_crond_t syslogd_t:lnk_file read; -') - -ifdef(`logrotate.te', ` -allow logrotate_t syslogd_exec_t:file r_file_perms; -') - -# for sending messages to logged in users -allow syslogd_t initrc_var_run_t:file { read lock }; -dontaudit syslogd_t initrc_var_run_t:file write; -allow syslogd_t ttyfile:chr_file { getattr write }; - -# -# Special case to handle crashes -# -allow syslogd_t { device_t file_t }:sock_file { getattr unlink }; - -# Allow syslog to a terminal -allow syslogd_t tty_device_t:chr_file { getattr write ioctl append }; - -# Allow name_bind for remote logging -allow syslogd_t syslogd_port_t:udp_socket name_bind; -# -# /initrd is not umounted before minilog starts -# -dontaudit syslogd_t file_t:dir search; -allow syslogd_t { tmpfs_t devpts_t }:dir search; -dontaudit syslogd_t unlabeled_t:file { getattr read }; -dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; -allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; -ifdef(`targeted_policy', ` -allow syslogd_t var_run_t:fifo_file { ioctl read write }; -allow syslogd_t ttyfile:chr_file { getattr write ioctl append }; -') - -# Allow access to /proc/kmsg for syslog-ng -allow syslogd_t proc_t:dir search; -allow syslogd_t proc_kmsg_t:file { getattr read }; -allow syslogd_t kernel_t:system { syslog_mod syslog_console }; -allow syslogd_t self:capability { sys_admin chown fsetid }; -allow syslogd_t var_log_t:dir { create setattr }; -allow syslogd_t syslogd_port_t:tcp_socket name_bind; -allow syslogd_t rsh_port_t:tcp_socket name_connect; diff --git a/mls/domains/program/sysstat.te b/mls/domains/program/sysstat.te deleted file mode 100644 index f01da4ce..00000000 --- a/mls/domains/program/sysstat.te +++ /dev/null 
@@ -1,65 +0,0 @@ -#DESC Sysstat - Sar and similar programs -# -# Authors: Russell Coker -# X-Debian-Packages: sysstat -# - -################################# -# -# Rules for the sysstat_t domain. -# -# sysstat_exec_t is the type of the sysstat executable. -# -type sysstat_t, domain, privlog; -type sysstat_exec_t, file_type, sysadmfile, exec_type; - -role system_r types sysstat_t; - -allow sysstat_t device_t:dir search; - -allow sysstat_t self:process { sigchld fork }; - -#for date -can_exec(sysstat_t, { sysstat_exec_t bin_t }) -allow sysstat_t bin_t:dir r_dir_perms; -dontaudit sysstat_t sbin_t:dir search; - -dontaudit sysstat_t self:capability sys_admin; -allow sysstat_t self:capability sys_resource; - -allow sysstat_t devtty_t:chr_file rw_file_perms; - -allow sysstat_t urandom_device_t:chr_file read; - -# for mtab -allow sysstat_t etc_runtime_t:file { read getattr }; -# for fstab -allow sysstat_t etc_t:file { read getattr }; - -dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms; - -allow sysstat_t self:fifo_file rw_file_perms; - -# Type for files created during execution of sysstatd. -logdir_domain(sysstat) -allow sysstat_t var_t:dir search; - -allow sysstat_t etc_t:dir r_dir_perms; -read_locale(sysstat_t) - -allow sysstat_t fs_t:filesystem getattr; - -# get info from /proc -allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms; -allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr }; - -domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t) -allow sysstat_t init_t:fd use; -allow sysstat_t console_device_t:chr_file { read write }; - -uses_shlib(sysstat_t) - -system_crond_entry(sysstat_exec_t, sysstat_t) -allow system_crond_t sysstat_log_t:dir { write remove_name add_name }; -allow system_crond_t sysstat_log_t:file create_file_perms; -allow sysstat_t initrc_devpts_t:chr_file { read write }; 
diff --git a/mls/domains/program/tcpd.te b/mls/domains/program/tcpd.te deleted file mode 100644 index af135be5..00000000 --- a/mls/domains/program/tcpd.te +++ /dev/null @@ -1,43 +0,0 @@ -#DESC Tcpd - Access control facilities from internet services -# -# Authors: Stephen Smalley and Timothy Fraser -# Russell Coker -# X-Debian-Packages: tcpd -# Depends: inetd.te -# - -################################# -# -# Rules for the tcpd_t domain. -# -type tcpd_t, domain, privlog; -role system_r types tcpd_t; -uses_shlib(tcpd_t) -type tcpd_exec_t, file_type, sysadmfile, exec_type; -domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t) - -allow tcpd_t fs_t:filesystem getattr; - -# no good reason for this, probably nscd -dontaudit tcpd_t var_t:dir search; - -can_network_server(tcpd_t) -can_ypbind(tcpd_t) -allow tcpd_t self:unix_dgram_socket create_socket_perms; -allow tcpd_t self:unix_stream_socket create_socket_perms; -allow tcpd_t etc_t:file { getattr read }; -read_locale(tcpd_t) - -tmp_domain(tcpd) - -# Use sockets inherited from inetd. -allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms; - -# Run each daemon with a defined domain in its own domain. -# These rules have been moved to each target domain .te file. - -# Run other daemons in the inetd_child_t domain. -allow tcpd_t { bin_t sbin_t }:dir search; -domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t) - -allow tcpd_t device_t:dir search; diff --git a/mls/domains/program/telnetd.te b/mls/domains/program/telnetd.te deleted file mode 100644 index bbbb2c19..00000000 --- a/mls/domains/program/telnetd.te +++ /dev/null @@ -1,10 +0,0 @@ -# telnet server daemon -# - -################################# -# -# Rules for the telnetd_t domain -# - -remote_login_daemon(telnetd) -typealias telnetd_port_t alias telnet_port_t; diff --git a/mls/domains/program/tftpd.te b/mls/domains/program/tftpd.te deleted file mode 100644 index c7499871..00000000 --- a/mls/domains/program/tftpd.te +++ /dev/null 
@@ -1,41 +0,0 @@ -#DESC TFTP - UDP based file server for boot loaders -# -# Author: Russell Coker -# X-Debian-Packages: tftpd atftpd -# Depends: inetd.te -# - -################################# -# -# Rules for the tftpd_t domain. -# -# tftpd_exec_t is the type of the tftpd executable. -# -daemon_domain(tftpd) - -# tftpdir_t is the type of files in the /tftpboot directories. -type tftpdir_t, file_type, sysadmfile; -r_dir_file(tftpd_t, tftpdir_t) - -domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t) - -# Use the network. -can_network_udp(tftpd_t) -allow tftpd_t tftp_port_t:udp_socket name_bind; -ifdef(`inetd.te', ` -allow inetd_t tftp_port_t:udp_socket name_bind; -') -allow tftpd_t self:unix_dgram_socket create_socket_perms; -allow tftpd_t self:unix_stream_socket create_stream_socket_perms; - -# allow any domain to connect to the TFTP server -allow tftpd_t inetd_t:udp_socket rw_socket_perms; - -# Use capabilities -allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot }; - -allow tftpd_t etc_t:dir r_dir_perms; -allow tftpd_t etc_t:file r_file_perms; - -allow tftpd_t var_t:dir r_dir_perms; -allow tftpd_t var_t:{ file lnk_file } r_file_perms; diff --git a/mls/domains/program/timidity.te b/mls/domains/program/timidity.te deleted file mode 100644 index e007d3f0..00000000 --- a/mls/domains/program/timidity.te +++ /dev/null 
@@ -1,34 +0,0 @@ -# DESC timidity - MIDI to WAV converter and player -# -# Author: Thomas Bleher -# -# Note: You only need this policy if you want to run timidity as a server - -daemon_base_domain(timidity) -can_network_server(timidity_t) - -allow timidity_t device_t:lnk_file read; - -# read /usr/share/alsa/alsa.conf -allow timidity_t usr_t:file { getattr read }; -# read /etc/esd.conf and /proc/cpuinfo -allow timidity_t { etc_t proc_t }:file { getattr read }; -# read libartscbackend.la - should these be shlib_t? -allow timidity_t lib_t:file { getattr read }; - -allow timidity_t sound_device_t:chr_file { read write ioctl }; - -# stupid timidity won't start if it can't search its current directory. -# allow this so /etc/init.d/alsasound start works from /root -allow timidity_t sysadm_home_dir_t:dir search; - -allow timidity_t tmp_t:dir search; -tmpfs_domain(timidity) - -allow timidity_t self:shm create_shm_perms; - -allow timidity_t self:unix_stream_socket create_stream_socket_perms; - -allow timidity_t devpts_t:dir search; -allow timidity_t self:capability { dac_override dac_read_search }; -allow timidity_t self:process getsched; diff --git a/mls/domains/program/tmpreaper.te b/mls/domains/program/tmpreaper.te deleted file mode 100644 index 8cd0fe9d..00000000 --- a/mls/domains/program/tmpreaper.te +++ /dev/null 
@@ -1,33 +0,0 @@ -#DESC Tmpreaper - Monitor and maintain temporary files -# -# Author: Russell Coker -# X-Debian-Packages: tmpreaper -# - -################################# -# -# Rules for the tmpreaper_t domain. -# -type tmpreaper_t, domain, privlog, mlsfileread, mlsfilewrite; -type tmpreaper_exec_t, file_type, sysadmfile, exec_type; - -role system_r types tmpreaper_t; - -system_crond_entry(tmpreaper_exec_t, tmpreaper_t) -uses_shlib(tmpreaper_t) -# why does it need setattr? -allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir }; -allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink }; -allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink }; -allow tmpreaper_t self:process { fork sigchld }; -allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; -allow tmpreaper_t fs_t:filesystem getattr; - -r_dir_file(tmpreaper_t, etc_t) -allow tmpreaper_t var_t:dir { getattr search }; -r_dir_file(tmpreaper_t, var_lib_t) -allow tmpreaper_t device_t:dir { getattr search }; -allow tmpreaper_t urandom_device_t:chr_file { getattr read }; - -read_locale(tmpreaper_t) - diff --git a/mls/domains/program/traceroute.te b/mls/domains/program/traceroute.te deleted file mode 100644 index af25e20d..00000000 --- a/mls/domains/program/traceroute.te +++ /dev/null 
@@ -1,66 +0,0 @@ -#DESC Traceroute - Display network routes -# -# Author: Russell Coker -# based on the work of David A. Wheeler -# X-Debian-Packages: traceroute lft -# - -################################# -# -# Rules for the traceroute_t domain. -# -# traceroute_t is the domain for the traceroute program. -# traceroute_exec_t is the type of the corresponding program. -# -type traceroute_t, domain, privlog, nscd_client_domain; -role sysadm_r types traceroute_t; -role system_r types traceroute_t; -# for user_ping: -in_user_role(traceroute_t) -uses_shlib(traceroute_t) -can_network_client(traceroute_t) -allow traceroute_t port_type:tcp_socket name_connect; -can_ypbind(traceroute_t) -allow traceroute_t node_t:rawip_socket node_bind; -type traceroute_exec_t, file_type, sysadmfile, exec_type; - -# Transition into this domain when you run this program. -domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t) -domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t) - -allow traceroute_t etc_t:file { getattr read }; - -# Use capabilities. -allow traceroute_t self:capability { net_admin net_raw setuid setgid }; - -allow traceroute_t self:rawip_socket create_socket_perms; -allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; -allow traceroute_t self:unix_stream_socket create_socket_perms; -allow traceroute_t device_t:dir search; - -# for lft -allow traceroute_t self:packet_socket create_socket_perms; -r_dir_file(traceroute_t, proc_t) -r_dir_file(traceroute_t, proc_net_t) - -# Access the terminal. 
-allow traceroute_t admin_tty_type:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') -allow traceroute_t privfd:fd use; - -# dont need this -dontaudit traceroute_t fs_t:filesystem getattr; -dontaudit traceroute_t var_t:dir search; - -ifdef(`ping.te', ` -if (user_ping) { - domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t) - # allow access to the terminal - allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms; -} -') -#rules needed for nmap -allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms; -allow traceroute_t usr_t:file { getattr read }; -read_locale(traceroute_t) -dontaudit traceroute_t userdomain:dir search; diff --git a/mls/domains/program/udev.te b/mls/domains/program/udev.te deleted file mode 100644 index cc5f7d45..00000000 --- a/mls/domains/program/udev.te +++ /dev/null 
@@ -1,152 +0,0 @@ -#DESC udev - Linux configurable dynamic device naming support -# -# Author: Dan Walsh dwalsh@redhat.com -# - -################################# -# -# Rules for the udev_t domain. -# -# udev_exec_t is the type of the udev executable. -# -daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite') - -general_domain_access(udev_t) - -if (allow_execmem) { -# for alsactl -allow udev_t self:process execmem; -} - -etc_domain(udev) -type udev_helper_exec_t, file_type, sysadmfile, exec_type; -can_exec_any(udev_t) - -# -# Rules used for udev -# -type udev_tdb_t, file_type, sysadmfile, dev_fs; -typealias udev_tdb_t alias udev_tbl_t; -file_type_auto_trans(udev_t, device_t, udev_tdb_t, file) -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice }; -allow udev_t self:file { getattr read }; -allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms}; -allow udev_t self:unix_dgram_socket create_socket_perms; -allow udev_t self:fifo_file rw_file_perms; -allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; -allow udev_t device_t:file { unlink rw_file_perms }; -allow udev_t device_t:sock_file create_file_perms; -allow udev_t device_t:lnk_file create_lnk_perms; -allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; -ifdef(`distro_redhat', ` -allow udev_t tmpfs_t:dir create_dir_perms; -allow udev_t tmpfs_t:{ sock_file file } create_file_perms; -allow udev_t tmpfs_t:lnk_file create_lnk_perms; -allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms }; -allow udev_t tmpfs_t:dir search; - -# for arping used for static IP addresses on PCMCIA ethernet -domain_auto_trans(udev_t, netutils_exec_t, netutils_t) -') -allow udev_t etc_t:file { getattr read ioctl }; -allow 
udev_t { bin_t sbin_t }:dir r_dir_perms; -allow udev_t { sbin_t bin_t }:lnk_file read; -allow udev_t bin_t:lnk_file read; -can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } ) -can_exec(udev_t, udev_exec_t) -rw_dir_file(udev_t, sysfs_t) -allow udev_t sysadm_tty_device_t:chr_file { read write }; - -# to read the file_contexts file -r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } ) - -allow udev_t policy_config_t:dir search; -allow udev_t proc_t:file { getattr read ioctl }; -allow udev_t proc_kcore_t:file getattr; - -# Get security policy decisions. -can_getsecurity(udev_t) - -# set file system create context -can_setfscreate(udev_t) - -allow udev_t kernel_t:fd use; -allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; -allow udev_t kernel_t:process signal; - -allow udev_t initrc_var_run_t:file r_file_perms; -dontaudit udev_t initrc_var_run_t:file write; - -domain_auto_trans(kernel_t, udev_exec_t, udev_t) -domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t) -ifdef(`hide_broken_symptoms', ` -dontaudit restorecon_t udev_t:unix_dgram_socket { read write }; -') -allow udev_t devpts_t:dir { getattr search }; -allow udev_t etc_runtime_t:file { getattr read }; -ifdef(`xdm.te', ` -allow udev_t xdm_var_run_t:file { getattr read }; -') - -ifdef(`hotplug.te', ` -r_dir_file(udev_t, hotplug_etc_t) -') -allow udev_t var_log_t:dir search; - -ifdef(`consoletype.te', ` -can_exec(udev_t, consoletype_exec_t) -') -ifdef(`pamconsole.te', ` -allow udev_t pam_var_console_t:dir search; -allow udev_t pam_var_console_t:file { getattr read }; -domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t) -') -allow udev_t var_lock_t:dir search; -allow udev_t var_lock_t:file getattr; -domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t) -ifdef(`hide_broken_symptoms', ` -dontaudit ifconfig_t udev_t:unix_dgram_socket { read write }; -') - -dontaudit udev_t file_t:dir search; -ifdef(`dhcpc.te', ` -domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t) 
-') - -allow udev_t udev_helper_exec_t:dir r_dir_perms; - -dbusd_client(system, udev) - -allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms }; -allow udev_t sysctl_dev_t:dir search; -allow udev_t mnt_t:dir search; -allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read }; -allow udev_t self:rawip_socket create_socket_perms; -dontaudit udev_t domain:dir r_dir_perms; -dontaudit udev_t ttyfile:chr_file unlink; -ifdef(`hotplug.te', ` -r_dir_file(udev_t, hotplug_var_run_t) -') -r_dir_file(udev_t, modules_object_t) -# -# Udev is now writing dhclient-eth*.conf* files. -# -ifdef(`dhcpd.te', `define(`use_dhcp')') -ifdef(`dhcpc.te', `define(`use_dhcp')') -ifdef(`use_dhcp', ` -allow udev_t dhcp_etc_t:file rw_file_perms; -file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file) -') -r_dir_file(udev_t, domain) -allow udev_t modules_dep_t:file r_file_perms; - -nsswitch_domain(udev_t) - -ifdef(`unlimitedUtils', ` -unconfined_domain(udev_t) -') -dontaudit hostname_t udev_t:fd use; -ifdef(`use_mcs', ` -range_transition kernel_t udev_exec_t s0 - s0:c0.c255; -range_transition initrc_t udev_exec_t s0 - s0:c0.c255; -') diff --git a/mls/domains/program/unconfined.te b/mls/domains/program/unconfined.te deleted file mode 100644 index 9497a3ce..00000000 --- a/mls/domains/program/unconfined.te +++ /dev/null 
@@ -1,15 +0,0 @@ -#DESC Unconfined - Use to essentially disable SELinux for a particular program -# This domain will be useful as a workaround for e.g. third-party daemon software -# that has no policy, until one can be written for it. -# -# To use, label the executable with unconfined_exec_t, e.g.: -# chcon -t unconfined_exec_t /usr/local/bin/appsrv -# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc - -type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write; -type unconfined_exec_t, file_type, sysadmfile, exec_type; -role sysadm_r types unconfined_t; -domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t) -role system_r types unconfined_t; -domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t) -unconfined_domain(unconfined_t) diff --git a/mls/domains/program/unused/afs.te b/mls/domains/program/unused/afs.te deleted file mode 100644 index 8bcab3bc..00000000 --- a/mls/domains/program/unused/afs.te +++ /dev/null 
@@ -1,166 +0,0 @@ -# -# Policy for AFS server -# - -type afs_files_t, file_type; -type afs_config_t, file_type, sysadmfile; -type afs_logfile_t, file_type, logfile; -type afs_dbdir_t, file_type; - -allow afs_files_t afs_files_t:filesystem associate; -# df should show sizes -allow sysadm_t afs_files_t:filesystem getattr; - -# -# Macros for defining AFS server domains -# - -define(`afs_server_domain',` -type afs_$1server_t, domain $2; -type afs_$1server_exec_t, file_type, sysadmfile; - -role system_r types afs_$1server_t; - -allow afs_$1server_t afs_config_t:file r_file_perms; -allow afs_$1server_t afs_config_t:dir r_dir_perms; -allow afs_$1server_t afs_logfile_t:file create_file_perms; -allow afs_$1server_t afs_logfile_t:dir create_dir_perms; -allow afs_$1server_t afs_$1_port_t:udp_socket name_bind; -uses_shlib(afs_$1server_t) -can_network(afs_$1server_t) -read_locale(afs_$1server_t) - -dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms; -dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms; -dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms; -') - -define(`afs_under_bos',` -domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t) -allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms; -allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms; -allow afs_$1server_t net_conf_t:file r_file_perms; -allow afs_bosserver_t afs_$1server_t:process signal_perms; -') - -define(`afs_server_db',` -type afs_$1_db_t, file_type; - -allow afs_$1server_t afs_$1_db_t:file create_file_perms; -file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file); -') - - -# -# bosserver -# - -afs_server_domain(`bos') -base_file_read_access(afs_bosserver_t) - -domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t) - -allow afs_bosserver_t self:process { fork setsched signal_perms }; -allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms }; -allow afs_bosserver_t afs_dbdir_t:dir { 
search read getattr }; -allow afs_bosserver_t afs_config_t:file create_file_perms; -allow afs_bosserver_t afs_config_t:dir create_dir_perms; - -allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms; -allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms; -allow afs_bosserver_t device_t:dir r_dir_perms; - -# allow sysadm to use bos -allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom }; -allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto }; - -# -# fileserver, volserver, and salvager -# - -afs_server_domain(`fs',`,privlog') -afs_under_bos(`fs') - -base_file_read_access(afs_fsserver_t) -file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t) - -allow afs_fsserver_t self:process { fork sigchld setsched signal_perms }; -allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; -allow afs_fsserver_t self:fifo_file { rw_file_perms }; -can_exec(afs_fsserver_t, afs_fsserver_exec_t) -allow afs_fsserver_t afs_files_t:file create_file_perms; -allow afs_fsserver_t afs_files_t:dir create_dir_perms; -allow afs_fsserver_t afs_config_t:file create_file_perms; -allow afs_fsserver_t afs_config_t:dir create_dir_perms; - -allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind; -allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr; - -allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms; -allow afs_fsserver_t device_t:dir r_dir_perms; -allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms; -allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms; - -allow afs_fsserver_t proc_t:dir r_dir_perms; -allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms; -allow afs_fsserver_t { self proc_t } : dir r_dir_perms; - -# fs communicates with other servers -allow afs_fsserver_t self:unix_dgram_socket create_socket_perms; -allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom }; -allow afs_fsserver_t self:udp_socket { sendto recvfrom 
}; -allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom }; -allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom }; -allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto }; - -dontaudit afs_fsserver_t self:capability fsetid; -dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms; -dontaudit afs_fsserver_t initrc_t:fd use; -dontaudit afs_fsserver_t mnt_t:dir search; - - -# -# kaserver -# - -afs_server_domain(`ka') -afs_under_bos(`ka') -afs_server_db(`ka') - -base_file_read_access(afs_kaserver_t) - -allow afs_kaserver_t kerberos_port_t:udp_socket name_bind; -allow afs_kaserver_t self:capability { net_bind_service }; -allow afs_kaserver_t afs_config_t:file create_file_perms; -allow afs_kaserver_t afs_config_t:dir rw_dir_perms; - -# allow sysadm to use kas -allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom }; -allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto }; - - -# -# ptserver -# - -afs_server_domain(`pt') -afs_under_bos(`pt') -afs_server_db(`pt') - -# allow users to use pts -allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom }; -allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto }; -allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom }; - - -# -# vlserver -# - -afs_server_domain(`vl') -afs_under_bos(`vl') -afs_server_db(`vl') - -allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom }; -allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto }; -allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom }; diff --git a/mls/domains/program/unused/amavis.te b/mls/domains/program/unused/amavis.te deleted file mode 100644 index 1e1752f5..00000000 --- a/mls/domains/program/unused/amavis.te +++ /dev/null 
@@ -1,117 +0,0 @@ -#DESC Amavis - Anti-virus -# -# Author: Brian May -# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper -# Depends: clamav.te -# - -################################# -# -# Rules for the amavisd_t domain. -# -type amavisd_etc_t, file_type, sysadmfile; -type amavisd_lib_t, file_type, sysadmfile; - -# Virus and spam found and quarantined. -type amavisd_quarantine_t, file_type, sysadmfile, tmpfile; - -daemon_domain(amavisd) -tmp_domain(amavisd) - -allow initrc_t amavisd_etc_t:file { getattr read }; -allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink }; -allow initrc_t amavisd_lib_t:file unlink; -allow initrc_t amavisd_var_run_t:dir setattr; -allow amavisd_t self:capability { chown dac_override setgid setuid }; -dontaudit amavisd_t self:capability sys_tty_config; - -allow amavisd_t usr_t:{ file lnk_file } { getattr read }; -dontaudit amavisd_t usr_t:file ioctl; - -# networking -can_network_server_tcp(amavisd_t, amavisd_recv_port_t) -allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind; -allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect; -# The next line doesn't work right so drop the port specification. 
-#can_network_client_tcp(amavisd_t, amavisd_send_port_t) -can_network_client_tcp(amavisd_t) -allow amavisd_t amavisd_send_port_t:tcp_socket name_connect; -can_resolve(amavisd_t); -can_ypbind(amavisd_t); -can_tcp_connect(mail_server_sender, amavisd_t); -can_tcp_connect(amavisd_t, mail_server_domain) - -ifdef(`scannerdaemon.te', ` -can_tcp_connect(amavisd_t, scannerdaemon_t); -allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms; -allow scannerdaemon_t amavisd_lib_t:file r_file_perms; -') - -ifdef(`clamav.te', ` -clamscan_domain(amavisd) -role system_r types amavisd_clamscan_t; -domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t) -allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms; -allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms; -can_clamd_connect(amavisd) -allow clamd_t amavisd_lib_t:dir r_dir_perms; -allow clamd_t amavisd_lib_t:file r_file_perms; -') - -# DCC -ifdef(`dcc.te', ` -allow dcc_client_t amavisd_lib_t:file r_file_perms; -') - -# Pyzor -ifdef(`pyzor.te',` -domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t) -#allow pyzor_t amavisd_data_t:dir search; -# Pyzor creates a temp file adjacent to the working file. -create_dir_file(pyzor_t, amavisd_lib_t); -') - -# SpamAssassin is executed from within amavisd, but needs to read its -# config -ifdef(`spamd.te', ` -r_dir_file(amavisd_t, etc_mail_t) -') - -# Can create unix sockets -allow amavisd_t self:unix_stream_socket create_stream_socket_perms; -allow amavisd_t self:unix_dgram_socket create_socket_perms; -allow amavisd_t self:fifo_file getattr; - -read_locale(amavisd_t) - -# Access config files (amavisd). -allow amavisd_t amavisd_etc_t:file r_file_perms; - -log_domain(amavisd) - -# Access amavisd var/lib files. -create_dir_file(amavisd_t, amavisd_lib_t) - -# Access amavisd quarantined files. -create_dir_file(amavisd_t, amavisd_quarantine_t) - -# Run helper programs. 
-can_exec_any(amavisd_t,bin_t) -allow amavisd_t bin_t:dir { getattr search }; -allow amavisd_t sbin_t:dir search; -allow amavisd_t var_lib_t:dir search; - -# allow access to files for scanning (required for amavis): -allow clamd_t self:capability { dac_override dac_read_search }; - -# unknown stuff -allow amavisd_t self:fifo_file { ioctl read write }; -allow amavisd_t { random_device_t urandom_device_t }:chr_file read; -allow amavisd_t proc_t:file { getattr read }; -allow amavisd_t etc_runtime_t:file { getattr read }; - -# broken stuff -dontaudit amavisd_t sysadm_home_dir_t:dir search; -dontaudit amavisd_t shadow_t:file { getattr read }; -dontaudit amavisd_t sysadm_devpts_t:chr_file { read write }; - diff --git a/mls/domains/program/unused/asterisk.te b/mls/domains/program/unused/asterisk.te deleted file mode 100644 index 7ae5ffc9..00000000 --- a/mls/domains/program/unused/asterisk.te +++ /dev/null 
@@ -1,56 +0,0 @@ -#DESC Asterisk IP telephony server -# -# Author: Russell Coker -# -# X-Debian-Packages: asterisk - -daemon_domain(asterisk) -allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms; -allow initrc_t asterisk_var_run_t:fifo_file unlink; - -allow asterisk_t self:process setsched; -allow asterisk_t self:fifo_file rw_file_perms; - -allow asterisk_t proc_t:file { getattr read }; - -allow asterisk_t { bin_t sbin_t }:dir search; -allow asterisk_t bin_t:lnk_file read; -can_exec(asterisk_t, bin_t) - -etcdir_domain(asterisk) -logdir_domain(asterisk) -var_lib_domain(asterisk) - -allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind; - -# for VOIP voice channels. -allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind; - -allow asterisk_t device_t:lnk_file read; -allow asterisk_t sound_device_t:chr_file rw_file_perms; - -type asterisk_spool_t, file_type, sysadmfile; -create_dir_file(asterisk_t, asterisk_spool_t) -allow asterisk_t var_spool_t:dir search; - -# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm -# are labeled usr_t -allow asterisk_t usr_t:file r_file_perms; - -can_network_server(asterisk_t) -can_ypbind(asterisk_t) -allow asterisk_t etc_t:file { getattr read }; - -allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms }; -allow asterisk_t self:sem create_sem_perms; -allow asterisk_t self:shm create_shm_perms; - -# dac_override for /var/run/asterisk -allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; - -# for shutdown -dontaudit asterisk_t self:capability sys_tty_config; - -tmpfs_domain(asterisk) -tmp_domain(asterisk) diff --git a/mls/domains/program/unused/audio-entropyd.te b/mls/domains/program/unused/audio-entropyd.te deleted file mode 100644 index 216108a0..00000000 --- a/mls/domains/program/unused/audio-entropyd.te +++ /dev/null 
@@ -1,12 +0,0 @@ -#DESC audio-entropyd - Generate entropy from audio input -# -# Author: Chris PeBenito -# - -daemon_domain(entropyd) - -allow entropyd_t self:capability { ipc_lock sys_admin }; - -allow entropyd_t random_device_t:chr_file rw_file_perms; -allow entropyd_t device_t:dir r_dir_perms; -allow entropyd_t sound_device_t:chr_file r_file_perms; diff --git a/mls/domains/program/unused/authbind.te b/mls/domains/program/unused/authbind.te deleted file mode 100644 index 6aabc3eb..00000000 --- a/mls/domains/program/unused/authbind.te +++ /dev/null @@ -1,29 +0,0 @@ -#DESC Authbind - Program to bind to low ports as non-root -# -# Authors: Russell Coker -# X-Debian-Packages: authbind -# - -################################# -# -# Rules for the authbind_t domain. -# -# authbind_exec_t is the type of the authbind executable. -# -type authbind_t, domain, privlog; -type authbind_exec_t, file_type, sysadmfile, exec_type; - -role system_r types authbind_t; - -etcdir_domain(authbind) - -can_exec(authbind_t, authbind_etc_t) -allow authbind_t etc_t:dir r_dir_perms; - -uses_shlib(authbind_t) - -allow authbind_t self:capability net_bind_service; - -allow authbind_t domain:fd use; - -allow authbind_t console_device_t:chr_file { read write }; diff --git a/mls/domains/program/unused/backup.te b/mls/domains/program/unused/backup.te deleted file mode 100644 index 628527d8..00000000 --- a/mls/domains/program/unused/backup.te +++ /dev/null 
@@ -1,62 +0,0 @@ -#DESC Backup - Backup scripts -# -# Author: Russell Coker -# X-Debian-Packages: dpkg -# - -################################# -# -# Rules for the backup_t domain. -# -type backup_t, domain, privlog, auth; -type backup_exec_t, file_type, sysadmfile, exec_type; - -type backup_store_t, file_type, sysadmfile; - -role system_r types backup_t; -role sysadm_r types backup_t; - -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, backup_exec_t, backup_t) -') -allow backup_t privfd:fd use; -ifdef(`crond.te', ` -system_crond_entry(backup_exec_t, backup_t) -rw_dir_create_file(system_crond_t, backup_store_t) -') - -# for SSP -allow backup_t urandom_device_t:chr_file read; - -can_network_client(backup_t) -allow backup_t port_type:tcp_socket name_connect; -can_ypbind(backup_t) -uses_shlib(backup_t) - -allow backup_t devtty_t:chr_file rw_file_perms; - -allow backup_t { file_type fs_type }:dir r_dir_perms; -allow backup_t file_type:{ file lnk_file } r_file_perms; -allow backup_t file_type:{ sock_file fifo_file } getattr; -allow backup_t { device_t device_type ttyfile }:chr_file getattr; -allow backup_t { device_t device_type }:blk_file getattr; -allow backup_t var_t:file create_file_perms; - -allow backup_t proc_t:dir r_dir_perms; -allow backup_t proc_t:file r_file_perms; -allow backup_t proc_t:lnk_file { getattr read }; -read_sysctl(backup_t) - -allow backup_t self:fifo_file rw_file_perms; -allow backup_t self:process { signal sigchld fork }; -allow backup_t self:capability dac_override; - -rw_dir_file(backup_t, backup_store_t) -allow backup_t backup_store_t:file { create setattr }; - -allow backup_t fs_t:filesystem getattr; - -allow backup_t self:unix_stream_socket create_socket_perms; - -can_exec(backup_t, bin_t) -ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)') diff --git a/mls/domains/program/unused/calamaris.te b/mls/domains/program/unused/calamaris.te deleted file mode 100644 index 1bfce369..00000000 
--- a/mls/domains/program/unused/calamaris.te +++ /dev/null 
@@ -1,72 +0,0 @@ -#DESC Calamaris - Squid log analysis -# -# Author: Russell Coker -# X-Debian-Packages: calamaris -# Depends: squid.te -# - -################################# -# -# Rules for the calamaris_t domain. -# -# calamaris_t is the domain the calamaris process runs in - -system_domain(calamaris, `, privmail') - -ifdef(`crond.te', ` -system_crond_entry(calamaris_exec_t, calamaris_t) -') - -allow calamaris_t { var_t var_run_t }:dir { getattr search }; -allow calamaris_t squid_log_t:dir search; -allow calamaris_t squid_log_t:file { getattr read }; -allow calamaris_t { usr_t lib_t }:file { getattr read }; -allow calamaris_t usr_t:lnk_file { getattr read }; -dontaudit calamaris_t usr_t:file ioctl; - -type calamaris_www_t, file_type, sysadmfile; -ifdef(`apache.te', ` -allow calamaris_t httpd_sys_content_t:dir search; -') -rw_dir_create_file(calamaris_t, calamaris_www_t) - -# for when squid has a different UID -allow calamaris_t self:capability dac_override; - -logdir_domain(calamaris) - -allow calamaris_t device_t:dir search; -allow calamaris_t devtty_t:chr_file { read write }; - -allow calamaris_t urandom_device_t:chr_file { getattr read }; - -allow calamaris_t self:process { fork signal_perms setsched }; -read_sysctl(calamaris_t) -allow calamaris_t proc_t:dir search; -allow calamaris_t proc_t:file { getattr read }; -allow calamaris_t { proc_t self }:lnk_file read; -allow calamaris_t self:dir search; - -allow calamaris_t { bin_t sbin_t }:dir search; -allow calamaris_t bin_t:lnk_file read; -allow calamaris_t etc_runtime_t:file { getattr read }; -allow calamaris_t self:fifo_file { getattr read write ioctl }; -read_locale(calamaris_t) - -can_exec(calamaris_t, bin_t) -allow calamaris_t self:unix_stream_socket create_stream_socket_perms; -allow calamaris_t self:udp_socket create_socket_perms; -allow calamaris_t etc_t:file { getattr read }; -allow calamaris_t etc_t:lnk_file read; -dontaudit calamaris_t etc_t:file ioctl; -dontaudit calamaris_t sysadm_home_dir_t:dir { 
getattr search }; -can_network_server(calamaris_t) -can_ypbind(calamaris_t) -ifdef(`named.te', ` -can_udp_send(calamaris_t, named_t) -can_udp_send(named_t, calamaris_t) -') - -ifdef(`apache.te', ` -r_dir_file(httpd_t, calamaris_www_t) -') diff --git a/mls/domains/program/unused/ciped.te b/mls/domains/program/unused/ciped.te deleted file mode 100644 index 6fddf977..00000000 --- a/mls/domains/program/unused/ciped.te +++ /dev/null @@ -1,32 +0,0 @@ - - -daemon_base_domain(ciped) - -# for SSP -allow ciped_t urandom_device_t:chr_file read; - -# cipe uses the afs3-bos port (udp 7007) -allow ciped_t afs_bos_port_t:udp_socket name_bind; - -can_network_udp(ciped_t) -can_ypbind(ciped_t) - -allow ciped_t devpts_t:dir search; -allow ciped_t devtty_t:chr_file { read write }; -allow ciped_t etc_runtime_t:file { getattr read }; -allow ciped_t etc_t:file { getattr read }; -allow ciped_t proc_t:file { getattr read }; -allow ciped_t { bin_t sbin_t }:dir { getattr search read }; -allow ciped_t bin_t:lnk_file read; -can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t }) -allow ciped_t self:fifo_file rw_file_perms; - -read_locale(ciped_t) - -allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; -allow ciped_t self:unix_dgram_socket create_socket_perms; -allow ciped_t self:unix_stream_socket create_socket_perms; - -allow ciped_t random_device_t:chr_file { getattr read }; - -dontaudit ciped_t var_t:dir search; diff --git a/mls/domains/program/unused/clamav.te b/mls/domains/program/unused/clamav.te deleted file mode 100644 index 3ef34eeb..00000000 --- a/mls/domains/program/unused/clamav.te +++ /dev/null 
@@ -1,147 +0,0 @@ -#DESC CLAM - Anti-virus program -# -# Author: Brian May -# X-Debian-Packages: clamav -# - -################################# -# -# Rules for the clamscan_t domain. -# - -# Virus database -type clamav_var_lib_t, file_type, sysadmfile; - -# clamscan_t is the domain of the clamscan virus scanner -type clamscan_exec_t, file_type, sysadmfile, exec_type; - -########## -########## - -# -# Freshclam -# - -daemon_base_domain(freshclam, `, web_client_domain') -read_locale(freshclam_t) - -# not sure why it needs this -read_sysctl(freshclam_t) - -can_network_client_tcp(freshclam_t, http_port_t); -allow freshclam_t http_port_t:tcp_socket name_connect; -can_resolve(freshclam_t) -can_ypbind(freshclam_t) - -# Access virus signatures -allow freshclam_t { var_t var_lib_t }:dir search; -rw_dir_create_file(freshclam_t, clamav_var_lib_t) - -allow freshclam_t devtty_t:chr_file { read write }; -allow freshclam_t devpts_t:dir search; -allow freshclam_t etc_t:file { getattr read }; -allow freshclam_t proc_t:file { getattr read }; - -allow freshclam_t urandom_device_t:chr_file { getattr read }; -dontaudit freshclam_t urandom_device_t:chr_file ioctl; - -# for nscd -dontaudit freshclam_t var_run_t:dir search; - -# setuid/getuid used (although maybe not required...) 
-allow freshclam_t self:capability { setgid setuid }; - -allow freshclam_t sbin_t:dir search; - -# Allow notification to daemon that virus database has changed -can_clamd_connect(freshclam) - -allow freshclam_t etc_runtime_t:file { read getattr }; -allow freshclam_t self:unix_stream_socket create_stream_socket_perms; -allow freshclam_t self:unix_dgram_socket create_socket_perms; -allow freshclam_t self:fifo_file rw_file_perms; - -# Log files for freshclam executable -logdir_domain(freshclam) -allow initrc_t freshclam_log_t:file append; - -# Pid files for freshclam -allow initrc_t clamd_var_run_t:file { create setattr }; - -system_crond_entry(freshclam_exec_t, freshclam_t) -domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t) - -domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t) -role sysadm_r types freshclam_t; - -create_dir_file(freshclam_t, clamd_var_run_t) - -########## -########## - -# -# Clamscan -# - -# macros/program/clamav_macros.te. -user_clamscan_domain(sysadm) - -########## -########## - -# -# Clamd -# - -type clamd_sock_t, file_type, sysadmfile; - -# clamd executable -daemon_domain(clamd) - -tmp_domain(clamd) - -# The dir containing the clamd log files is labelled freshclam_t -logdir_domain(clamd) -allow clamd_t freshclam_log_t:dir search; - -allow clamd_t self:capability { kill setgid setuid dac_override }; - -# Give the clamd local communications socket a unique type -ifdef(`distro_debian', ` -file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file) -') -ifdef(`distro_redhat', ` -file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file) -') - -# Clamd can be configured to listen on a TCP port. 
-can_network_server_tcp(clamd_t, clamd_port_t) -allow clamd_t clamd_port_t:tcp_socket name_bind; -can_resolve(clamd_t); - -allow clamd_t var_lib_t:dir search; -r_dir_file(clamd_t, clamav_var_lib_t) -r_dir_file(clamd_t, etc_t) -# allow access /proc/sys/kernel/version -read_sysctl(clamd_t) -allow clamd_t self:unix_stream_socket create_stream_socket_perms; -allow clamd_t self:unix_dgram_socket create_stream_socket_perms; -allow clamd_t self:fifo_file rw_file_perms; - -allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read }; -dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl; - - -########## -########## - -# -# Interaction with external programs -# - -ifdef(`amavis.te',` -allow amavisd_t clamd_var_run_t:dir search; -allow amavisd_t clamd_t:unix_stream_socket connectto; -allow amavisd_t clamd_sock_t:sock_file write; -') - diff --git a/mls/domains/program/unused/clockspeed.te b/mls/domains/program/unused/clockspeed.te deleted file mode 100644 index f79c3144..00000000 --- a/mls/domains/program/unused/clockspeed.te +++ /dev/null 
@@ -1,26 +0,0 @@ -#DESC clockspeed - Simple network time protocol client -# -# Author Petre Rodan -# - -daemon_base_domain(clockspeed) -var_lib_domain(clockspeed) -can_network(clockspeed_t) -allow clockspeed_t port_type:tcp_socket name_connect; -read_locale(clockspeed_t) - -allow clockspeed_t self:capability { sys_time net_bind_service }; -allow clockspeed_t self:unix_dgram_socket create_socket_perms; -allow clockspeed_t self:unix_stream_socket create_socket_perms; -allow clockspeed_t clockspeed_port_t:udp_socket name_bind; -allow clockspeed_t domain:packet_socket recvfrom; - -allow clockspeed_t var_t:dir search; -allow clockspeed_t clockspeed_var_lib_t:file create_file_perms; -allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms; - -# sysadm can play with clockspeed -role sysadm_r types clockspeed_t; -ifdef(`targeted_policy', `', ` -domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t) -') diff --git a/mls/domains/program/unused/courier.te b/mls/domains/program/unused/courier.te deleted file mode 100644 index 75e42d38..00000000 --- a/mls/domains/program/unused/courier.te +++ /dev/null 
@@ -1,139 +0,0 @@ -#DESC Courier - POP and IMAP servers -# -# Author: Russell Coker -# X-Debian-Packages: courier-base -# - -# Type for files created during execution of courier. -type courier_var_run_t, file_type, sysadmfile, pidfile; -type courier_var_lib_t, file_type, sysadmfile; - -type courier_etc_t, file_type, sysadmfile; - -# allow start scripts to read the config -allow initrc_t courier_etc_t:file r_file_perms; - -type courier_exec_t, file_type, sysadmfile, exec_type; -type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type; - -define(`courier_domain', ` -################################# -# -# Rules for the courier_$1_t domain. -# -# courier_$1_exec_t is the type of the courier_$1 executables. -# -daemon_base_domain(courier_$1, `$2') - -allow courier_$1_t var_run_t:dir search; -rw_dir_create_file(courier_$1_t, courier_var_run_t) -allow courier_$1_t courier_var_run_t:sock_file create_file_perms; - -# allow it to read config files etc -allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms; -allow courier_$1_t courier_etc_t:file r_file_perms; -allow courier_$1_t etc_t:dir r_dir_perms; -allow courier_$1_t etc_t:file r_file_perms; - -# execute scripts etc -allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms; -allow courier_$1_t bin_t:dir r_dir_perms; -allow courier_$1_t fs_t:filesystem getattr; - -# set process group and allow permissions over-ride -allow courier_$1_t self:process setpgid; -allow courier_$1_t self:capability dac_override; - -# Use the network. 
-can_network_server(courier_$1_t) -allow courier_$1_t self:fifo_file { read write getattr }; -allow courier_$1_t self:unix_stream_socket create_stream_socket_perms; -allow courier_$1_t self:unix_dgram_socket create_socket_perms; - -allow courier_$1_t null_device_t:chr_file rw_file_perms; - -# allow it to log to /dev/tty -allow courier_$1_t devtty_t:chr_file rw_file_perms; - -allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms; -allow courier_$1_t usr_t:dir r_dir_perms; -allow courier_$1_t root_t:dir r_dir_perms; -can_exec(courier_$1_t, courier_$1_exec_t) -can_exec(courier_$1_t, bin_t) -allow courier_$1_t bin_t:dir search; - -allow courier_$1_t proc_t:dir r_dir_perms; -allow courier_$1_t proc_t:file r_file_perms; - -')dnl - -courier_domain(authdaemon, `, auth_chkpwd') -allow courier_authdaemon_t sbin_t:dir search; -allow courier_authdaemon_t lib_t:file { read getattr }; -allow courier_authdaemon_t tmp_t:dir getattr; -allow courier_authdaemon_t self:file { getattr read }; -read_locale(courier_authdaemon_t) -can_exec(courier_authdaemon_t, courier_exec_t) -dontaudit courier_authdaemon_t selinux_config_t:dir search; - -# for SSP -allow courier_authdaemon_t urandom_device_t:chr_file read; - -# should not be needed! 
-allow courier_authdaemon_t home_root_t:dir search; -allow courier_authdaemon_t user_home_dir_type:dir search; -dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search; -allow courier_authdaemon_t self:unix_stream_socket connectto; -allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; - -courier_domain(tcpd) -allow courier_tcpd_t self:capability { kill net_bind_service }; -allow courier_tcpd_t pop_port_t:tcp_socket name_bind; -allow courier_tcpd_t sbin_t:dir search; -allow courier_tcpd_t var_lib_t:dir search; -# for TLS -allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read }; -read_locale(courier_tcpd_t) -can_exec(courier_tcpd_t, courier_exec_t) -allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:process sigchld; - -can_tcp_connect(userdomain, courier_tcpd_t) -rw_dir_create_file(courier_tcpd_t, courier_var_lib_t) - -# domain for pop and imap -courier_domain(pop) -read_locale(courier_pop_t) -domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t) -allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; -domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) -allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:fd use; -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; -allow courier_pop_t courier_authdaemon_t:process sigchld; -domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t) - -# inherits file handle - should it? 
-allow courier_pop_t courier_var_lib_t:file { read write }; - -# do the actual work (read the Maildir) -# imap needs to write files -allow courier_pop_t home_root_t:dir { getattr search }; -allow courier_pop_t user_home_dir_type:dir { getattr search }; -# pop does not need to create subdirs, IMAP does -#rw_dir_create_file(courier_pop_t, user_home_type) -create_dir_file(courier_pop_t, user_home_type) - -# for calendaring -courier_domain(pcp) - -allow courier_pcp_t self:capability { setuid setgid }; -allow courier_pcp_t random_device_t:chr_file r_file_perms; - -# for webmail -courier_domain(sqwebmail) -ifdef(`crond.te', ` -system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t) -') -read_sysctl(courier_sqwebmail_t) diff --git a/mls/domains/program/unused/daemontools.te b/mls/domains/program/unused/daemontools.te deleted file mode 100644 index b24a58cd..00000000 --- a/mls/domains/program/unused/daemontools.te +++ /dev/null 
@@ -1,203 +0,0 @@ -#DESC Daemontools - Tools for managing UNIX services -# -# Author: Petre Rodan -# with the help of Chris PeBenito, Russell Coker and Tad Glines -# - -# -# selinux policy for daemontools -# http://cr.yp.to/daemontools.html -# -# thanks for D. J. Bernstein and the NSA team for the great software -# they provide -# - -############################################################## -# type definitions - -type svc_conf_t, file_type, sysadmfile; -type svc_log_t, file_type, sysadmfile; -type svc_svc_t, file_type, sysadmfile; - - -############################################################## -# Macros -define(`svc_filedir_domain', ` -create_dir_file($1, svc_svc_t) -file_type_auto_trans($1, svc_svc_t, svc_svc_t); -') - -############################################################## -# the domains -daemon_base_domain(svc_script) -svc_filedir_domain(svc_script_t) - -# part started by initrc_t -daemon_base_domain(svc_start) -domain_auto_trans(init_t, svc_start_exec_t, svc_start_t) -svc_filedir_domain(svc_start_t) - -# also get here from svc_script_t -domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t) - -# the domain for /service/*/run and /service/*/log/run -daemon_sub_domain(svc_start_t, svc_run) -r_dir_file(svc_run_t, svc_conf_t) - -# the logger -daemon_sub_domain(svc_run_t, svc_multilog) -file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file); - -###### -# rules for all those domains - -# sysadm can tweak svc_run_exec_t files -allow sysadm_t svc_run_exec_t:file create_file_perms; - -# run_init can control svc_script_t and svc_start_t domains -domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t) -domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t) -allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint; -svc_filedir_domain(initrc_t) - -# svc_start_t -allow svc_start_t self:fifo_file rw_file_perms; -allow svc_start_t self:capability kill; -allow svc_start_t self:unix_stream_socket create_socket_perms; 
- -allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms; -allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms; -allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms; -allow svc_start_t { var_t var_run_t }:dir search; -can_exec(svc_start_t, bin_t) -can_exec(svc_start_t, shell_exec_t) -allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans }; -allow svc_start_t svc_run_t:process signal; -dontaudit svc_start_t proc_t:file r_file_perms; -dontaudit svc_start_t devtty_t:chr_file { read write }; - -# svc script -allow svc_script_t self:capability sys_admin; -allow svc_script_t self:fifo_file { getattr read write }; -allow svc_script_t self:file r_file_perms; -allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms; -allow svc_script_t bin_t:lnk_file r_file_perms; -can_exec(svc_script_t, bin_t) -can_exec(svc_script_t, shell_exec_t) -allow svc_script_t proc_t:file r_file_perms; -allow svc_script_t shell_exec_t:file rx_file_perms; -allow svc_script_t devtty_t:chr_file rw_file_perms; -allow svc_script_t etc_runtime_t:file r_file_perms; -allow svc_script_t svc_run_exec_t:file r_file_perms; -allow svc_script_t svc_script_exec_t:file execute_no_trans; -allow svc_script_t sysctl_kernel_t:dir r_dir_perms; -allow svc_script_t sysctl_kernel_t:file r_file_perms; - -# svc_run_t -allow svc_run_t self:capability { setgid setuid chown fsetid }; -allow svc_run_t self:fifo_file rw_file_perms; -allow svc_run_t self:file r_file_perms; -allow svc_run_t self:process { fork setrlimit }; -allow svc_run_t self:unix_stream_socket create_stream_socket_perms; -allow svc_run_t svc_svc_t:dir r_dir_perms; -allow svc_run_t svc_svc_t:file r_file_perms; -allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans }; -allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms; -allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms; -allow svc_run_t { var_t var_run_t }:dir search; -can_exec(svc_run_t, etc_t) -can_exec(svc_run_t, lib_t) 
-can_exec(svc_run_t, bin_t) -can_exec(svc_run_t, sbin_t) -can_exec(svc_run_t, ls_exec_t) -can_exec(svc_run_t, shell_exec_t) -allow svc_run_t devtty_t:chr_file rw_file_perms; -allow svc_run_t etc_runtime_t:file r_file_perms; -allow svc_run_t exec_type:{ file lnk_file } getattr; -allow svc_run_t init_t:fd use; -allow svc_run_t initrc_t:fd use; -allow svc_run_t proc_t:file r_file_perms; -allow svc_run_t sysctl_t:dir search; -allow svc_run_t sysctl_kernel_t:dir r_dir_perms; -allow svc_run_t sysctl_kernel_t:file r_file_perms; -allow svc_run_t var_lib_t:dir r_dir_perms; - -# multilog creates /service/*/log/status -allow svc_multilog_t svc_svc_t:dir { read search }; -allow svc_multilog_t svc_svc_t:file { append write }; -# writes to /var/log/*/* -allow svc_multilog_t var_t:dir search; -allow svc_multilog_t var_log_t:dir create_dir_perms; -allow svc_multilog_t var_log_t:file create_file_perms; -# misc -allow svc_multilog_t init_t:fd use; -allow svc_start_t svc_multilog_t:process signal; -svc_ipc_domain(svc_multilog_t) - -################################################################ -# scripts that can be started by daemontools -# keep it sorted please. 
- -ifdef(`apache.te', ` -domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t) -svc_ipc_domain(httpd_t) -dontaudit httpd_t svc_svc_t:dir { search }; -') - -ifdef(`clamav.te', ` -domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t) -svc_ipc_domain(clamd_t) -') - -ifdef(`clockspeed.te', ` -domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t) -svc_ipc_domain(clockspeed_t) -r_dir_file(svc_run_t, clockspeed_var_lib_t) -allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr }; -') - -ifdef(`dante.te', ` -domain_auto_trans( svc_run_t, dante_exec_t, dante_t); -svc_ipc_domain(dante_t) -') - -ifdef(`publicfile.te', ` -svc_ipc_domain(publicfile_t) -') - -ifdef(`qmail.te', ` -allow svc_run_t qmail_start_exec_t:file rx_file_perms; -domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t) -r_dir_file(svc_run_t, qmail_etc_t) -svc_ipc_domain(qmail_send_t) -svc_ipc_domain(qmail_start_t) -svc_ipc_domain(qmail_queue_t) -svc_ipc_domain(qmail_smtpd_t) -') - -ifdef(`rsyncd.te', ` -domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t) -svc_ipc_domain(rsyncd_t) -') - -ifdef(`spamd.te', ` -domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t) -svc_ipc_domain(spamd_t) -') - -ifdef(`ssh.te', ` -domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t) -svc_ipc_domain(sshd_t) -') - -ifdef(`stunnel.te', ` -domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t) -svc_ipc_domain(stunnel_t) -') - -ifdef(`ucspi-tcp.te', ` -domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t) -allow svc_run_t utcpserver_t:process { signal }; -svc_ipc_domain(utcpserver_t) -') - diff --git a/mls/domains/program/unused/dante.te b/mls/domains/program/unused/dante.te deleted file mode 100644 index 70885abb..00000000 --- a/mls/domains/program/unused/dante.te +++ /dev/null 
@@ -1,23 +0,0 @@ -#DESC dante - socks daemon -# -# Author: petre rodan -# - -type dante_conf_t, file_type, sysadmfile; - -daemon_domain(dante) -can_network_server(dante_t) - -allow dante_t self:fifo_file { read write }; -allow dante_t self:capability { setuid setgid }; -allow dante_t self:unix_dgram_socket { connect create write }; -allow dante_t self:unix_stream_socket { connect create read setopt write }; -allow dante_t self:tcp_socket connect; - -allow dante_t socks_port_t:tcp_socket name_bind; - -allow dante_t { etc_t etc_runtime_t }:file r_file_perms; -r_dir_file(dante_t, dante_conf_t) - -allow dante_t initrc_var_run_t:file { getattr write }; - diff --git a/mls/domains/program/unused/dcc.te b/mls/domains/program/unused/dcc.te deleted file mode 100644 index 4db79d00..00000000 --- a/mls/domains/program/unused/dcc.te +++ /dev/null 
@@ -1,251 +0,0 @@ -# -# DCC - Distributed Checksum Clearinghouse -# Author: David Hampton -# -# -# NOTE: DCC has writeable files in /etc/dcc that should probably be in -# /var/lib/dcc. For now this policy supports both directories being -# writable. - -# Files common to all dcc programs -type dcc_client_map_t, file_type, sysadmfile; -type dcc_var_t, file_type, sysadmfile; -type dcc_var_run_t, file_type, sysadmfile; - - -########## -########## - -# -# common to all dcc variants -# -define(`dcc_common',` -# Access files in /var/dcc. The map file can be updated -r_dir_file($1_t, dcc_var_t) -allow $1_t dcc_client_map_t:file rw_file_perms; - -# Read mtab, nsswitch and locale -allow $1_t { etc_t etc_runtime_t }:file { getattr read }; -read_locale($1_t) - -#Networking -can_resolve($1_t) -ifelse($2, `server', ` -can_network_udp($1_t) -', ` -can_network_udp($1_t, `dcc_port_t') -') -allow $1_t self:unix_dgram_socket create_socket_perms; - -# Create private temp files -tmp_domain($1) - -# Triggered by a call to gethostid(2) in dcc client libs -allow $1_t self:unix_stream_socket { connect create }; - -allow $1_t sysadm_su_t:process { sigchld }; -allow $1_t dcc_script_t:fd use; - -dontaudit $1_t kernel_t:fd use; -dontaudit $1_t root_t:file read; -') - -allow initrc_t dcc_var_run_t:dir rw_dir_perms; - - -########## -########## - -# -# dccd - Server daemon that can be accessed over the net -# -daemon_domain(dccd, `, privlog, nscd_client_domain') -dcc_common(dccd, server); - -# Runs the dbclean program -allow dccd_t bin_t:dir search; -domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t) - -# The daemon needs to listen on the dcc ports -allow dccd_t dcc_port_t:udp_socket name_bind; - -# Updating dcc_db, flod, ... 
-create_dir_file(dccd_t, dcc_var_t); - -allow dccd_t self:capability net_admin; -allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; - -# Reading /proc/meminfo -allow dccd_t proc_t:file { getattr read }; - - -# -# cdcc - control dcc daemon -# -application_domain(cdcc, `, nscd_client_domain') -role system_r types cdcc_t; -dcc_common(cdcc) - -# suid program -allow cdcc_t self:capability setuid; - -# Running from the command line -allow cdcc_t sshd_t:fd use; -allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms; - - - -########## -########## - -# -# DCC Clients -# - -# -# dccifd - Spamassassin and general MTA persistent client -# -daemon_domain(dccifd, `, privlog, nscd_client_domain') -dcc_common(dccifd); -file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file) - -# Allow the domain to communicate with other processes -allow dccifd_t self:unix_stream_socket create_stream_socket_perms; - -# Updating dcc_db, flod, ... -create_dir_notdevfile(dccifd_t, dcc_var_t); - -# Updating map, ... -allow dccifd_t dcc_client_map_t:file rw_file_perms; - -# dccifd communications socket -type dccifd_sock_t, file_type, sysadmfile; -file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file) - -# Reading /proc/meminfo -allow dccifd_t proc_t:file { getattr read }; - - -# -# dccm - sendmail milter client -# -daemon_domain(dccm, `, privlog, nscd_client_domain') -dcc_common(dccm); -file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file) - -# Allow the domain to communicate with other processes -allow dccm_t self:unix_stream_socket create_stream_socket_perms; - -# Updating map, ... 
-create_dir_notdevfile(dccm_t, dcc_var_t); -allow dccm_t dcc_client_map_t:file rw_file_perms; - -# dccm communications socket -type dccm_sock_t, file_type, sysadmfile; -file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file) - - -# -# dccproc - dcc procmail interface -# -application_domain(dcc_client, `, privlog, nscd_client_domain') -role system_r types dcc_client_t; -dcc_common(dcc_client) - -# suid program -allow dcc_client_t self:capability setuid; - -# Running from the command line -allow dcc_client_t sshd_t:fd use; -allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms; - - -########## -########## - -# -# DCC Utilities -# - -# -# dbclean - database cleanup tool -# -application_domain(dcc_dbclean, `, nscd_client_domain') -role system_r types dcc_dbclean_t; -dcc_common(dcc_dbclean) - -# Updating various files. -create_dir_file(dcc_dbclean_t, dcc_var_t); - -# wants to look at /proc/meminfo -allow dcc_dbclean_t proc_t:dir search; -allow dcc_dbclean_t proc_t:file { getattr read }; - -# Running from the command line -allow dcc_dbclean_t sshd_t:fd use; -allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms; - -########## -########## - -# -# DCC Startup scripts -# -# These are shell sccripts that start/stop/restart the various dcc -# programs. -# -init_service_domain(dcc_script, `, nscd_client_domain') -general_domain_access(dcc_script_t) -general_proc_read_access(dcc_script_t) -can_exec_any(dcc_script_t) -dcc_common(dcc_script) - -# Allow calling the script from an init script (initrt_t) -domain_auto_trans(initrc_t, dcc_script_exec_t, dcc_script_t) - -# Start up the daemon process. These scripts run 'su' to change to -# the dcc user (even though the default dcc user is root). 
-allow dcc_script_t self:capability setuid; -su_restricted_domain(dcc_script, system) -role system_r types dcc_script_su_t; -domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t) -domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t) -domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t) - -# Stop the daemon process -allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal }; - -# Access various DCC files -allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search }; -allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read }; - -allow { dcc_script_t dcc_script_su_t } initrc_t:fd use; -allow { dcc_script_t dcc_script_su_t } devpts_t:dir search; -allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms; -allow dcc_script_t devtty_t:chr_file { read write }; -allow dcc_script_su_t sysadm_home_dir_t:dir search; -allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition }; -allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto }; - -dontaudit dcc_script_su_t kernel_t:fd use; -dontaudit dcc_script_su_t root_t:file read; -dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search }; - -allow sysadm_t dcc_script_t:fd use; - -########## -########## - -# -# External spam checkers need to run and/or talk to DCC -# -define(`access_dcc',` -domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t); -allow $1_t dcc_var_t:dir search; -allow $1_t dccifd_sock_t:sock_file { getattr write }; -allow $1_t dccifd_t:unix_stream_socket connectto; -allow $1_t dcc_script_t:unix_stream_socket connectto; -') - -ifdef(`amavis.te',`access_dcc(amavisd)') -ifdef(`spamd.te',`access_dcc(spamd)') diff --git a/mls/domains/program/unused/ddclient.te b/mls/domains/program/unused/ddclient.te deleted file mode 100644 index 29255f31..00000000 --- a/mls/domains/program/unused/ddclient.te +++ /dev/null 
@@ -1,44 +0,0 @@
-#DESC ddclient - Update dynamic IP address at DynDNS.org
-#
-# Author: Greg Norris
-# X-Debian-Packages: ddclient
-#
-
-#################################
-#
-# Rules for the ddclient_t domain.
-#
-daemon_domain(ddclient);
-type ddclient_etc_t, file_type, sysadmfile;
-type ddclient_var_t, file_type, sysadmfile;
-log_domain(ddclient)
-var_lib_domain(ddclient)
-
-base_file_read_access(ddclient_t)
-can_exec(ddclient_t, { shell_exec_t bin_t })
-
-# ddclient can be launched by pppd
-ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)')
-
-# misc. requirements
-allow ddclient_t self:fifo_file rw_file_perms;
-allow ddclient_t self:socket create_socket_perms;
-allow ddclient_t etc_t:file { getattr read };
-allow ddclient_t etc_runtime_t:file r_file_perms;
-allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
-allow ddclient_t urandom_device_t:chr_file read;
-general_proc_read_access(ddclient_t)
-allow ddclient_t sysctl_net_t:dir search;
-
-# network-related goodies
-can_network_client(ddclient_t)
-allow ddclient_t port_type:tcp_socket name_connect;
-allow ddclient_t self:unix_dgram_socket create_socket_perms;
-allow ddclient_t self:unix_stream_socket create_socket_perms;
-
-# allow access to ddclient.conf and ddclient.cache
-allow ddclient_t ddclient_etc_t:file r_file_perms;
-file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
-dontaudit ddclient_t devpts_t:dir search;
-dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
-dontaudit httpd_t selinux_config_t:dir search;
diff --git a/mls/domains/program/unused/distcc.te b/mls/domains/program/unused/distcc.te
deleted file mode 100644
index 56034f93..00000000
--- a/mls/domains/program/unused/distcc.te
+++ /dev/null
@@ -1,34 +0,0 @@
-#DESC distcc - Distributed compiler daemon
-#
-# Author: Chris PeBenito
-#
-
-daemon_domain(distccd)
-can_network_server(distccd_t)
-can_ypbind(distccd_t)
-log_domain(distccd)
-tmp_domain(distccd)
-
-allow distccd_t distccd_port_t:tcp_socket name_bind;
-allow distccd_t self:capability { setgid setuid };
-
-# distccd can renice
-allow distccd_t self:process setsched;
-
-# compiler stuff
-allow distccd_t { bin_t sbin_t }:dir { search getattr };
-allow distccd_t { bin_t sbin_t }:lnk_file { getattr read };
-can_exec(distccd_t,bin_t)
-can_exec(distccd_t,lib_t)
-
-# comm stuff
-allow distccd_t net_conf_t:file r_file_perms;
-allow distccd_t self:{ unix_stream_socket unix_dgram_socket } { create connect read write };
-allow distccd_t self:fifo_file { read write getattr };
-
-# config access
-allow distccd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow distccd_t proc_t:file r_file_perms;
-
-allow distccd_t var_t:dir search;
-allow distccd_t admin_tty_type:chr_file { ioctl read write };
diff --git a/mls/domains/program/unused/djbdns.te b/mls/domains/program/unused/djbdns.te
deleted file mode 100644
index 3e113956..00000000
--- a/mls/domains/program/unused/djbdns.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# DESC selinux policy for djbdns
-# http://cr.yp.to/djbdns.html
-#
-# Author: petre rodan
-#
-# this policy depends on ucspi-tcp and daemontools policies
-#
-
-ifdef(`daemontools.te', `
-ifdef(`ucspi-tcp.te', `
-
-define(`djbdns_daemon_domain', `
-type djbdns_$1_conf_t, file_type, sysadmfile;
-daemon_domain(djbdns_$1)
-domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
-svc_ipc_domain(djbdns_$1_t)
-can_network(djbdns_$1_t)
-allow djbdns_$1_t port_type:tcp_socket name_connect;
-allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-allow djbdns_$1_t port_t:udp_socket name_bind;
-r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
-allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
-allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
-')
-
-define(`djbdns_tcpserver_domain', `
-type djbdns_$1_conf_t, file_type, sysadmfile;
-daemon_domain(djbdns_$1)
-domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
-svc_ipc_domain(djbdns_$1_t)
-allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
-allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
-')
-
-djbdns_daemon_domain(dnscache)
-# read seed file
-allow djbdns_dnscache_t svc_svc_t:file r_file_perms;
-
-djbdns_daemon_domain(tinydns)
-
-djbdns_tcpserver_domain(axfrdns)
-r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)
-
-') dnl ifdef ucspi-tcp.te
-') dnl ifdef daemontools.te
diff --git a/mls/domains/program/unused/dnsmasq.te b/mls/domains/program/unused/dnsmasq.te
deleted file mode 100644
index bdef592c..00000000
--- a/mls/domains/program/unused/dnsmasq.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#DESC dnsmasq - DNS forwarder and DHCP server
-#
-# Author: Greg Norris
-# X-Debian-Packages: dnsmasq
-#
-
-#################################
-#
-# Rules for the dnsmasq_t domain.
-#
-daemon_domain(dnsmasq);
-type dnsmasq_lease_t, file_type, sysadmfile;
-
-# misc. requirements
-allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
-allow dnsmasq_t urandom_device_t:chr_file read;
-
-# network-related goodies
-can_network_server(dnsmasq_t)
-can_ypbind(dnsmasq_t)
-allow dnsmasq_t self:packet_socket create_socket_perms;
-allow dnsmasq_t self:rawip_socket create_socket_perms;
-allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
-allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;
-
-# UDP ports 53 and 67
-allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
-allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;
-
-# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
-# Comment out the following entry if you do not want to allow this behaviour.
-allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;
-
-# allow access to dnsmasq.conf
-allow dnsmasq_t etc_t:file r_file_perms;
-
-# dhcp leases
-file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)
diff --git a/mls/domains/program/unused/dpkg.te b/mls/domains/program/unused/dpkg.te
deleted file mode 100644
index 4feb5085..00000000
--- a/mls/domains/program/unused/dpkg.te
+++ /dev/null
@@ -1,414 +0,0 @@
-#DESC Dpkg - Debian package manager
-#
-# Author: Russell Coker
-# X-Debian-Packages: dpkg
-#
-
-#################################
-#
-# Rules for the dpkg_t domain.
-#
-type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
-type dpkg_exec_t, file_type, sysadmfile, exec_type;
-type dpkg_var_lib_t, file_type, sysadmfile;
-type dpkg_etc_t, file_type, sysadmfile, usercanread;
-type dpkg_lock_t, file_type, sysadmfile;
-type debconf_cache_t, file_type, sysadmfile;
-
-tmp_domain(dpkg)
-can_setfscreate(dpkg_t)
-can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
-
-ifdef(`load_policy.te', `
-domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
-')
-ifdef(`rlogind.te', `
-# for ssh
-can_exec(dpkg_t, rlogind_exec_t)
-')
-can_exec(dpkg_t, { init_exec_t etc_t })
-ifdef(`hostname.te', `
-can_exec(dpkg_t, hostname_exec_t)
-')
-ifdef(`mta.te', `
-allow system_mail_t dpkg_tmp_t:file { getattr read };
-')
-ifdef(`logrotate.te', `
-allow logrotate_t dpkg_var_lib_t:file create_file_perms;
-')
-
-# for open office
-can_exec(dpkg_t, usr_t)
-
-allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;
-
-# for upgrading policycoreutils and loading policy
-allow dpkg_t security_t:dir { getattr search };
-allow dpkg_t security_t:file { getattr read };
-
-ifdef(`setfiles.te',
-`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
-ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
-ifdef(`modutil.te', `
-domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
-domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
-
-# for touch
-allow initrc_t modules_dep_t:file write;
-')
-ifdef(`ipsec.te', `
-allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
-allow ipsec_mgmt_t dpkg_t:fifo_file write;
-allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
-allow ipsec_t dpkg_t:fifo_file { read write };
-domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t,
ipsec_mgmt_t)
-')
-ifdef(`cardmgr.te', `
-allow cardmgr_t dpkg_t:fd use;
-allow cardmgr_t dpkg_t:fifo_file write;
-domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
-# for start-stop-daemon
-allow dpkg_t cardmgr_t:process signull;
-')
-ifdef(`mount.te', `
-domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
-')
-ifdef(`mozilla.te', `
-# hate to do this, for mozilla install scripts
-can_exec(dpkg_t, mozilla_exec_t)
-')
-ifdef(`postfix.te', `
-domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
-')
-ifdef(`apache.te', `
-domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
-')
-ifdef(`named.te', `
-file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
-')
-ifdef(`nsd.te', `
-allow nsd_crond_t initrc_t:fd use;
-allow nsd_crond_t initrc_devpts_t:chr_file { read write };
-domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
-')
-# because the syslogd package is broken and does not use the start scripts
-ifdef(`klogd.te', `
-domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
-')
-ifdef(`syslogd.te', `
-domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
-allow system_crond_t syslogd_t:dir search;
-allow system_crond_t syslogd_t:file { getattr read };
-allow system_crond_t syslogd_t:process signal;
-')
-# mysqld is broken too
-ifdef(`mysqld.te', `
-domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
-can_unix_connect(dpkg_t, mysqld_t)
-allow mysqld_t dpkg_tmp_t:file { getattr read };
-')
-ifdef(`postgresql.te', `
-# because postgresql postinst creates scripts in /tmp and then runs them
-# also the init scripts do more than they should
-allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
-# for "touch" when it tries to create the log file
-# this works for upgrades, maybe we should allow create access for first install
-allow initrc_t postgresql_log_t:file { write setattr };
-# for dumpall
-can_exec(postgresql_t, postgresql_db_t)
-')
-ifdef(`sysstat.te', `
-domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
-')
-ifdef(`rpcd.te', `
-allow rpcd_t dpkg_t:fd use;
-allow rpcd_t dpkg_t:fifo_file { read write };
-')
-ifdef(`load_policy.te', `
-allow load_policy_t initrc_t:fifo_file { read write };
-')
-ifdef(`checkpolicy.te', `
-domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
-role system_r types checkpolicy_t;
-allow checkpolicy_t initrc_t:fd use;
-allow checkpolicy_t initrc_t:fifo_file write;
-allow checkpolicy_t initrc_devpts_t:chr_file { read write };
-')
-ifdef(`amavis.te', `
-r_dir_file(initrc_t, dpkg_var_lib_t)
-')
-ifdef(`nessusd.te', `
-domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
-')
-ifdef(`crack.te', `
-allow crack_t initrc_t:fd use;
-domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
-')
-ifdef(`xdm.te', `
-domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
-')
-ifdef(`clamav.te', `
-domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
-')
-ifdef(`squid.te', `
-domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
-')
-ifdef(`useradd.te', `
-domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
-domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-')
-ifdef(`passwd.te', `
-domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
-')
-ifdef(`ldconfig.te', `
-domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
-')
-ifdef(`portmap.te', `
-# for pmap_dump
-domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
-')
-
-# for apt
-type apt_t, domain, admin, privmail, web_client_domain;
-type apt_exec_t, file_type, sysadmfile, exec_type;
-type apt_var_lib_t, file_type, sysadmfile;
-type var_cache_apt_t, file_type, sysadmfile;
-etcdir_domain(apt)
-type apt_rw_etc_t, file_type, sysadmfile;
-tmp_domain(apt, `', `{ dir file lnk_file }')
-can_exec(apt_t, apt_tmp_t)
-ifdef(`crond.te', `
-allow system_crond_t apt_etc_t:file { getattr read };
-')
-
-rw_dir_create_file(apt_t, apt_rw_etc_t)
-
-allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };
-
-dontaudit apt_t var_log_t:dir getattr;
-dontaudit apt_t var_run_t:dir
search;
-
-# for rc files such as ~/.less
-r_dir_file(apt_t, sysadm_home_t)
-allow apt_t sysadm_home_dir_t:dir { search getattr };
-
-allow apt_t bin_t:lnk_file r_file_perms;
-
-rw_dir_create_file(apt_t, debconf_cache_t)
-r_dir_file(userdomain, debconf_cache_t)
-
-# for python
-read_sysctl(apt_t)
-read_sysctl(dpkg_t)
-
-allow dpkg_t console_device_t:chr_file rw_file_perms;
-
-allow apt_t self:unix_stream_socket create_socket_perms;
-
-allow dpkg_t domain:dir r_dir_perms;
-allow dpkg_t domain:{ file lnk_file } r_file_perms;
-
-# for shared objects that are not yet labelled (upgrades)
-allow { apt_t dpkg_t } lib_t:file execute;
-
-# when dpkg runs postinst scripts run them in initrc_t domain so that the
-# daemons are started in the correct context
-domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)
-
-ifdef(`bootloader.te', `
-domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
-# for mkinitrd
-can_exec(bootloader_t, dpkg_exec_t)
-# for lilo to run dpkg
-allow bootloader_t dpkg_etc_t:file { getattr read };
-')
-
-# for kernel-image postinst
-dontaudit dpkg_t fixed_disk_device_t:blk_file read;
-
-# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
-dontaudit dpkg_t shadow_t:file { getattr read };
-
-# allow user domains to execute dpkg
-allow userdomain dpkg_exec_t:dir r_dir_perms;
-can_exec(userdomain, { dpkg_exec_t apt_exec_t })
-
-# allow everyone to read dpkg database
-allow userdomain var_lib_t:dir search;
-r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })
-
-# for /var/lib/dpkg/lock
-rw_dir_create_file(apt_t, dpkg_var_lib_t)
-
-ifdef(`crond.te', `
-rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
-allow system_crond_t dpkg_etc_t:file r_file_perms;
-
-# for Debian cron job
-create_dir_file(system_crond_t, tetex_data_t)
-can_exec(dpkg_t, tetex_data_t)
-')
-
-r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
-allow install_menu_t initrc_t:fifo_file { read write };
-allow { apt_t install_menu_t userdomain }
dpkg_etc_t:file r_file_perms;
-can_exec(sysadm_t, dpkg_etc_t)
-
-# Inherit and use descriptors from open_init_pty
-allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
-dontaudit dpkg_t privfd:fd use;
-allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
-allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
-
-allow ifconfig_t dpkg_t:fd use;
-allow ifconfig_t dpkg_t:fifo_file { read write };
-
-uses_shlib({ dpkg_t apt_t })
-allow dpkg_t proc_t:dir r_dir_perms;
-allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
-allow dpkg_t fs_t:filesystem getattr;
-
-allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };
-
-# for fgconsole - need policy for it
-allow dpkg_t self:capability sys_tty_config;
-
-allow dpkg_t self:unix_dgram_socket create_socket_perms;
-allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dpkg_t, self)
-allow dpkg_t self:unix_dgram_socket sendto;
-allow dpkg_t self:unix_stream_socket connect;
-
-allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
-allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;
-
-# dpkg really needs to be able to kill any process, unfortunate but true
-allow dpkg_t domain:process signal;
-allow dpkg_t sysadm_t:process sigchld;
-allow dpkg_t self:process { setpgid signal_perms fork getsched };
-
-# read/write/create any files in the system
-allow dpkg_t sysadmfile:dir create_dir_perms;
-allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
-allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
-allow dpkg_t device_type:{ chr_file blk_file } getattr;
-dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow dpkg_t proc_kmsg_t:file getattr;
-allow dpkg_t fs_type:dir getattr;
-
-# allow compiling and loading new policy
-create_dir_file(dpkg_t, { policy_src_t policy_config_t
})
-
-# change to the apt_t domain on exec from dpkg_t (dselect)
-domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
-
-# allow apt to change /var/lib/apt files
-allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
-allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;
-
-# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
-rw_dir_create_file(apt_t, lib_t)
-
-# for apt-listbugs
-allow apt_t usr_t:file { getattr read ioctl };
-allow apt_t usr_t:lnk_file read;
-
-# allow /var/cache/apt/archives to be owned by non-root
-allow apt_t self:capability { chown dac_override fowner fsetid };
-
-can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
-allow apt_t { bin_t sbin_t }:dir search;
-allow apt_t self:process { signal sigchld fork };
-allow apt_t sysadm_t:process sigchld;
-can_network({ apt_t dpkg_t })
-allow { apt_t dpkg_t } port_type:tcp_socket name_connect;
-can_ypbind({ apt_t dpkg_t })
-
-allow { apt_t dpkg_t } var_t:dir { search getattr };
-dontaudit apt_t { fs_type file_type }:dir getattr;
-allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;
-
-allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };
-
-# for /proc/meminfo and for "ps"
-allow apt_t { proc_t apt_t }:dir r_dir_perms;
-allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
-allow apt_t self:fifo_file rw_file_perms;
-allow dpkg_t self:fifo_file rw_file_perms;
-
-allow apt_t etc_t:dir r_dir_perms;
-allow apt_t etc_t:file r_file_perms;
-allow apt_t etc_t:lnk_file read;
-read_locale(apt_t)
-r_dir_file(userdomain, apt_etc_t)
-
-# apt wants to check available disk space
-allow apt_t fs_t:filesystem getattr;
-allow apt_t etc_runtime_t:file r_file_perms;
-
-# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
-# have apt run dpkg.
-# This means that getting apt_t access is almost as good as dpkg_t which has
-# as much power as sysadm_t...
-domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)
-
-# hack to allow update-menus/install-menu to manage menus
-type install_menu_t, domain, admin, etc_writer;
-type install_menu_exec_t, file_type, sysadmfile, exec_type;
-var_run_domain(install_menu)
-
-allow install_menu_t self:unix_stream_socket create_socket_perms;
-
-type debian_menu_t, file_type, sysadmfile;
-
-r_dir_file(userdomain, debian_menu_t)
-dontaudit install_menu_t sysadm_home_dir_t:dir search;
-create_dir_file(install_menu_t, debian_menu_t)
-allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
-allow install_menu_t self:process signal;
-allow install_menu_t proc_t:dir search;
-allow install_menu_t proc_t:file r_file_perms;
-can_getcon(install_menu_t)
-can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
-allow install_menu_t { bin_t sbin_t }:dir search;
-allow install_menu_t bin_t:lnk_file read;
-
-# for menus
-allow install_menu_t usr_t:file r_file_perms;
-
-# for /etc/kde3/debian/kde-update-menu.sh
-can_exec(install_menu_t, etc_t)
-
-allow install_menu_t var_t:dir search;
-tmp_domain(install_menu)
-
-create_dir_file(install_menu_t, var_lib_t)
-ifdef(`xdm.te', `
-create_dir_file(install_menu_t, xdm_var_lib_t)
-')
-allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
-allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
-allow install_menu_t self:fifo_file rw_file_perms;
-allow install_menu_t etc_runtime_t:file r_file_perms;
-allow install_menu_t devtty_t:chr_file rw_file_perms;
-allow install_menu_t fs_t:filesystem getattr;
-
-domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
-allow dpkg_t install_menu_t:process signal_perms;
-
-allow install_menu_t privfd:fd use;
-uses_shlib(install_menu_t)
-
-allow install_menu_t self:process { fork sigchld };
-
-role system_r types { dpkg_t apt_t install_menu_t };
-
-#################################
-#
-# Rules for the run_deb_t domain.
-#
-#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
-#domain_trans(run_deb_t, apt_exec_t, apt_t)
-domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
-domain_auto_trans(initrc_t, apt_exec_t, apt_t)
diff --git a/mls/domains/program/unused/ethereal.te b/mls/domains/program/unused/ethereal.te
deleted file mode 100644
index a56d3217..00000000
--- a/mls/domains/program/unused/ethereal.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# DESC - Ethereal
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executables
-type tethereal_exec_t, file_type, exec_type, sysadmfile;
-type ethereal_exec_t, file_type, exec_type, sysadmfile;
-
-########################################################
-# Tethereal
-#
-
-# Type for program
-type tethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
-role sysadm_r types tethereal_t;
-
-uses_shlib(tethereal_t)
-read_locale(tethereal_t)
-
-# Terminal output
-access_terminal(tethereal_t, sysadm)
-
-# /proc
-read_sysctl(tethereal_t)
-allow tethereal_t { self proc_t }:dir { read search getattr };
-allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
-
-# Access root
-allow tethereal_t root_t:dir search;
-
-# Read ethereal files in /usr
-allow tethereal_t usr_t:file { read getattr };
-
-# /etc/nsswitch.conf
-allow tethereal_t etc_t:file { read getattr };
-
-# Ethereal sysadm rules
-ethereal_networking(tethereal)
-
-# FIXME: policy is incomplete
-
-#####################################
-# Ethereal (GNOME) policy can be found
-# in ethereal_macros.te
diff --git a/mls/domains/program/unused/evolution.te b/mls/domains/program/unused/evolution.te
deleted file mode 100644
index c8a045e5..00000000
--- a/mls/domains/program/unused/evolution.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# DESC - Evolution
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executables
-type evolution_exec_t, file_type, exec_type, sysadmfile;
-type evolution_server_exec_t, file_type, exec_type, sysadmfile;
-type evolution_webcal_exec_t, file_type, exec_type, sysadmfile;
-type evolution_alarm_exec_t, file_type, exec_type, sysadmfile;
-type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/evolution_macros.te
-bool disable_evolution_trans false;
diff --git a/mls/domains/program/unused/exim.te b/mls/domains/program/unused/exim.te
deleted file mode 100644
index ccc65551..00000000
--- a/mls/domains/program/unused/exim.te
+++ /dev/null
@@ -1,309 +0,0 @@
-#DESC Exim - Mail server
-#
-# Author: David Hampton
-# From postfix.te by Russell Coker
-# Depends: mta.te
-#
-
-type exim_spool_t, file_type, sysadmfile;
-type exim_spool_db_t, file_type, sysadmfile;
-
-
-##########
-# Exim daemon
-##########
-daemon_domain(exim, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog, privhome', nosysadm)
-exim_common(exim);
-etcdir_domain(exim)
-logdir_domain(exim)
-########################################
-########################################
-role sysadm_r types exim_t;
-
-# Server side networking
-can_network_tcp(exim_t);
-allow exim_t { smtp_port_t amavisd_send_port_t }:tcp_socket name_bind;
-# The exim daemon gets to listen to mail coming back from amavisd
-# For identd lookups
-allow exim_t inetd_child_port_t:tcp_socket name_connect;
-allow exim_t self:unix_dgram_socket create_socket_perms;
-
-# Lock file between exim processes. Exim creates a lock file in /tmp
-# that doesn't transition to the exim_tmp_t domain for some reason,
-# thus the allow statement.
-tmp_domain(exim)
-allow exim_t tmp_t:file { getattr read };
-
-# Lock files for the actual mail delivery. Exim wants to create a
-# 'hitching post' file in the same directory as the delivery file.
-# These are the additiona privileges over and above what's defined for
-# an mta_delivery_agent.
Additional privs for maildir mail files
-allow exim_t mail_spool_t:dir remove_name;
-allow exim_t mail_spool_t:file { link setattr unlink write rename };
-
-# For access to users .forward files
-allow exim_t home_dir_type:dir { getattr search };
-
-allow exim_t self:capability { dac_read_search net_bind_service };
-
-# Create exim spool files, update spool database
-create_dir_file(exim_t, exim_spool_t)
-rw_dir_file(exim_t, exim_spool_db_t)
-
-# Start daemon/child processes
-can_exec(exim_t, exim_exec_t)
-
-allow exim_t sbin_t:dir r_dir_perms;
-
-# Read aliases file
-allow exim_t etc_aliases_t:file r_file_perms;
-
-#
-allow exim_t devpts_t:chr_file getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(exim_exec_t, exim_t)
-domain_auto_trans(crond_t, exim_exec_t, exim_t)
-allow exim_t system_crond_tmp_t:file { getattr read append };
-#logwatch
-allow system_crond_t exim_log_t:file read;
-')
-
-# For squirrelmail
-ifdef(`httpd.te', `
-domain_auto_trans(httpd_sys_script_t, exim_exec_t, exim_t)
-allow exim_t httpd_t:fd use;
-allow exim_t httpd_t:process sigchld;
-allow exim_t httpd_log_t:file { append getattr };
-allow exim_t httpd_squirrelmail_t:file { append read };
-allow exim_t httpd_t:fifo_file { read write getattr };
-allow exim_t httpd_t:tcp_socket { read write };
-')
-
-########################################
-########################################
-
-
-## --------------------------------------------------
-## exim_ro, exim_ro_net
-##
-## Many of the subsequent applications call exim for
-## the sole purpose of extracting configuration or
-## other information. Lock down the permissions on
-## these instances to be pretty much read-only
-## everything.
-##
-## One of the applications calls exim only to
-## determine whether an address is valid. It does
-## this by having exim attempt to deliver an empty
-## message, without doing the actual deliver.
-## These function are aplit out here to keep all the
-## access controls on exim itself in poe part of the
-## file.
-## --------------------------------------------------
-
-define(`exim_ro_base', `
-application_domain($1)
-role system_r types $1_t;
-read_sysctl($1_t)
-r_dir_file($1_t, etc_t) #for nsswitch.conf
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, exim_spool_t)
-allow $1_t devpts_t:chr_file { getattr read write };
-allow $1_t self:capability { dac_override setgid setuid };
-')
-
-exim_ro_base(exim_ro)
-dontaudit exim_ro_t self:unix_stream_socket { connect create };
-
-exim_ro_base(exim_ro_net)
-can_network(exim_ro_net_t)
-general_proc_read_access(exim_ro_net_t)
-read_locale(exim_ro_net_t)
-allow exim_ro_net_t mail_spool_t:dir search;
-allow exim_ro_net_t etc_aliases_t:file r_file_perms;
-allow exim_ro_net_t self:unix_stream_socket { create connect };
-
-
-
-
-## --------------------------------------------------
-## exim_helper_base
-##
-## Define the base attributes for an exim helper
-## program.
-## --------------------------------------------------
-define(`exim_helper_base',`
-application_domain($1)
-role system_r types $1_t;
-can_exec_any($1_t)
-
-allow $1_t devpts_t:dir search;
-
-# Needed for perl
-general_domain_access($1_t)
-general_proc_read_access($1_t)
-allow $1_t urandom_device_t:chr_file read;
-allow $1_t { devtty_t devpts_t }:chr_file { read write ioctl };
-read_locale($1_t)
-allow $1_t sbin_t:dir r_dir_perms;
-')
-
-
-
-
-## --------------------------------------------------
-## exim_helper_script_base
-## --------------------------------------------------
-define(`exim_helper_script_base',`
-exim_helper_base($1)
-
-# Needed for bash
-allow $1_t { devtty_t devpts_t }:chr_file { read write getattr };
-allow $1_t devpts_t:dir search;
-allow $1_t fs_t:filesystem getattr;
-rw_dir_create_file($1_t, tmp_t) # Script uses a "here" document
-dontaudit $1_t etc_runtime_t:file { getattr read }; # mtab
-dontaudit $1_t selinux_config_t:dir { search };
-dontaudit $1_t selinux_config_t:file { getattr read }; # mtab
-allow $1_t var_spool_t:dir search; # Needed to traverse to get to /var/spool/exim
-
-')
-
-
-## --------------------------------------------------
-## exicyclog
-## --------------------------------------------------
-
-exim_helper_script_base(exicyclog)
-allow exicyclog_t self:capability { dac_override setuid setgid };
-create_dir_file(exicyclog_t, exim_log_t)
-allow exicyclog_t var_t:dir r_dir_perms;
-allow exicyclog_t var_log_t:dir r_dir_perms;
-allow exicyclog_t exim_spool_t:dir r_dir_perms;
-
-
-
-
-## --------------------------------------------------
-## exigrep
-## --------------------------------------------------
-
-exim_helper_base(exigrep)
-allow exigrep_t self:capability dac_override;
-r_dir_file(exigrep_t, var_log_t)
-r_dir_file(exigrep_t, exim_log_t)
-
-
-
-
-## --------------------------------------------------
-## exipick
-## --------------------------------------------------
-
-exim_helper_base(exipick)
-domain_auto_trans(exipick_t, exim_exec_t, exim_ro_t)
-r_dir_file(exipick_t, var_spool_t)
-r_dir_file(exipick_t, exim_spool_t)
-allow exipick_t self:capability dac_override;
-
-
-
-
-## --------------------------------------------------
-## exiqgrep
-## --------------------------------------------------
-
-exim_helper_base(exiqgrep)
-domain_auto_trans(exiqgrep_t, exim_exec_t, exim_ro_t)
-
-
-
-application_domain(exim_lock)
-role system_r types exim_lock_t;
-
-
-## --------------------------------------------------
-## exiwhat
-## 1) Runs exim to extract config info
-## 2) Sends a signal to all running exim processes
-## 3) Collects the status files they drop in the spool directory
-## --------------------------------------------------
-
-exim_helper_script_base(exiwhat)
-domain_auto_trans(exiwhat_t, exim_exec_t, exim_ro_t)
-allow exiwhat_t exim_spool_t:dir { rw_dir_perms };
-allow exiwhat_t exim_spool_t:file { r_file_perms unlink };
-
-# killall
-r_dir_file(exiwhat_t, exim_t)
-r_dir_file(exiwhat_t, selinux_config_t)
-allow exiwhat_t exim_t:process signal;
-allow exiwhat_t self:capability { dac_override kill sys_nice };
-
-dontaudit exiwhat_t file_type:dir search;
-dontaudit exiwhat_t file_type:file { getattr read };
-
-# rm
-allow exiwhat_t devpts_t:chr_file ioctl;
-
-
-
-
-## --------------------------------------------------
-## exim_check_access
-## 1) Runs exim to simulate mail receipt
-## 2) Checks on whether the mail address is allowed from the ip address
-## --------------------------------------------------
-
-exim_helper_script_base(exim_checkaccess)
-domain_auto_trans(exim_checkaccess_t, exim_exec_t, exim_ro_net_t)
-allow exim_checkaccess_t exim_spool_t:dir { r_dir_perms };
-allow exim_checkaccess_t self:capability dac_override;
-
-
-
-
-
-## --------------------------------------------------
-## exim_helper
-## --------------------------------------------------
-application_domain(exim_helper)
-domain_auto_trans(exim_helper_t, exim_exec_t, exim_ro_t)
-can_exec(exim_helper_t, bin_t)
-role system_r types exim_helper_t;
-general_domain_access(exim_helper_t)
-read_locale(exim_helper_t)
-
-allow exim_helper_t { devtty_t devpts_t }:chr_file { read write };
-
-# Have to walk through /var/log to get to /var/log/exim
-allow exim_helper_t var_t:dir r_dir_perms;
-r_dir_file(exim_helper_t, exim_log_t)
-
-
-
-
-
-## --------------------------------------------------
-## exim database maintenance programs
-## exim_dump_db, exim_fixdb, exim_tidydb
-## --------------------------------------------------
-define(`exim_db_base',`
-application_domain($1)
-role system_r types $1_t;
-read_locale($1_t)
-general_proc_read_access($1_t)
-allow $1_t devpts_t:chr_file { getattr read write };
-allow $1_t self:capability { dac_override setgid setuid };
-allow $1_t tmp_t:dir { getattr };
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, exim_spool_t)
-r_dir_file($1_t, exim_spool_db_t)
-dontaudit $1_t etc_runtime_t:file { getattr read }; # mtab
-')
-
-exim_db_base(exim_db_ro)
-exim_db_base(exim_db_rw)
-rw_dir_file(exim_db_rw_t, exim_spool_db_t)
diff --git a/mls/domains/program/unused/fontconfig.te b/mls/domains/program/unused/fontconfig.te
deleted file mode 100644
index 836470a1..00000000
--- a/mls/domains/program/unused/fontconfig.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Fontconfig related types
-#
-# Author: Ivan Gyurdiev
-#
-
-# Look in fontconfig_macros.te
diff --git a/mls/domains/program/unused/games.te b/mls/domains/program/unused/games.te
deleted file mode 100644
index dee046c0..00000000
--- a/mls/domains/program/unused/games.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC Games - Miscellaneous games
-#
-# Author: Russell Coker
-# X-Debian-Packages: bsdgames
-#
-
-# type for shared data from games
-type games_data_t, file_type, sysadmfile;
-
-# domain games_t is for system operation of games, generic games daemons and
-# games recovery scripts, also defines games_exec_t
-daemon_domain(games,,nosysadm)
-rw_dir_create_file(games_t, games_data_t)
-r_dir_file(initrc_t, games_data_t)
-
-# Run in user_t
-bool disable_games_trans false;
-
-# Everything else is in the x_client_domain macro in
-# macros/program/x_client_macros.te.
diff --git a/mls/domains/program/unused/gatekeeper.te b/mls/domains/program/unused/gatekeeper.te
deleted file mode 100644
index a1b464ef..00000000
--- a/mls/domains/program/unused/gatekeeper.te
+++ /dev/null
@@ -1,51 +0,0 @@
-#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper
-#
-# Author: Russell Coker
-# X-Debian-Packages: opengate openh323gk
-#
-
-#################################
-#
-# Rules for the gatekeeper_t domain.
-#
-# gatekeeper_exec_t is the type of the gk executable.
-#
-daemon_domain(gatekeeper)
-
-# for SSP
-allow gatekeeper_t urandom_device_t:chr_file read;
-
-etc_domain(gatekeeper)
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
-logdir_domain(gatekeeper)
-
-# Use the network.
-can_network_server(gatekeeper_t)
-can_ypbind(gatekeeper_t)
-allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
-allow gatekeeper_t self:unix_stream_socket create_socket_perms;
-
-# for stupid symlinks
-tmp_domain(gatekeeper)
-
-# pthreads wants to know the kernel version
-read_sysctl(gatekeeper_t)
-
-allow gatekeeper_t etc_t:file { getattr read };
-
-allow gatekeeper_t etc_t:dir r_dir_perms;
-allow gatekeeper_t sbin_t:dir r_dir_perms;
-
-allow gatekeeper_t self:process setsched;
-allow gatekeeper_t self:fifo_file rw_file_perms;
-
-allow gatekeeper_t proc_t:file read;
-
-# for local users to run VOIP software
-can_udp_send(userdomain, gatekeeper_t)
-can_udp_send(gatekeeper_t, userdomain)
-can_tcp_connect(gatekeeper_t, userdomain)
-
-# this is crap, gk wants to create symlinks in /etc every time it starts and
-# remove them when it exits.
-#allow gatekeeper_t etc_t:dir rw_dir_perms;
diff --git a/mls/domains/program/unused/gconf.te b/mls/domains/program/unused/gconf.te
deleted file mode 100644
index e4dfa4b6..00000000
--- a/mls/domains/program/unused/gconf.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# DESC - GConf preference daemon
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executable
-type gconfd_exec_t, file_type, exec_type, sysadmfile;
-
-# Type for /etc files
-type gconf_etc_t, file_type, sysadmfile;
-
-# Everything else is in macros/gconfd_macros.te
diff --git a/mls/domains/program/unused/gift.te b/mls/domains/program/unused/gift.te
deleted file mode 100644
index 9e9786e4..00000000
--- a/mls/domains/program/unused/gift.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - giFT file sharing tool
-#
-# Author: Ivan Gyurdiev
-#
-
-type gift_exec_t, file_type, exec_type, sysadmfile;
-type giftd_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/program/gift_macros.te
diff --git a/mls/domains/program/unused/gnome-pty-helper.te b/mls/domains/program/unused/gnome-pty-helper.te
deleted file mode 100644
index 084aa681..00000000
--- a/mls/domains/program/unused/gnome-pty-helper.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Gnome Terminal - Helper program for GNOME x-terms
-#
-# Domains for the gnome-pty-helper program.
-# X-Debian-Packages: gnome-terminal
-#
-
-# Type for the gnome-pty-helper executable.
-type gph_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the gph_domain macro in
-# macros/program/gph_macros.te.
diff --git a/mls/domains/program/unused/gnome.te b/mls/domains/program/unused/gnome.te
deleted file mode 100644
index b45ea8e9..00000000
--- a/mls/domains/program/unused/gnome.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# GNOME related types
-#
-# Author: Ivan Gyurdiev
-#
-
-# Look in gnome_macros.te
diff --git a/mls/domains/program/unused/gnome_vfs.te b/mls/domains/program/unused/gnome_vfs.te
deleted file mode 100644
index d4cabb64..00000000
--- a/mls/domains/program/unused/gnome_vfs.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - GNOME VFS Daemon
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executable
-type gnome_vfs_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/gnome_vfs_macros.te
diff --git a/mls/domains/program/unused/iceauth.te b/mls/domains/program/unused/iceauth.te
deleted file mode 100644
index f41ad9e4..00000000
--- a/mls/domains/program/unused/iceauth.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC ICEauth - ICE authority file utility
-#
-# Domains for the iceauth program.
-#
-# Author: Ivan Gyurdiev
-#
-# iceauth_exec_t is the type of the xauth executable.
-#
-type iceauth_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the iceauth_domain macro in
-# macros/program/iceauth_macros.te.
diff --git a/mls/domains/program/unused/imazesrv.te b/mls/domains/program/unused/imazesrv.te
deleted file mode 100644
index 27bae3f1..00000000
--- a/mls/domains/program/unused/imazesrv.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Imazesrv - Imaze Server
-#
-# Author: Torsten Knodt
-# based on games.te by Russell Coker
-#
-
-# type for shared data from imazesrv
-type imazesrv_data_t, file_type, sysadmfile;
-type imazesrv_data_labs_t, file_type, sysadmfile;
-
-# domain imazesrv_t is for system operation of imazesrv
-# also defines imazesrv_exec_t
-daemon_domain(imazesrv)
-log_domain(imazesrv);
-
-r_dir_file(imazesrv_t, imazesrv_data_t)
-
-allow imazesrv_t imaze_port_t:tcp_socket name_bind;
-allow imazesrv_t imaze_port_t:udp_socket name_bind;
-
-create_append_log_file(imazesrv_t,imazesrv_log_t)
-
-can_network_server(imazesrv_t)
-
-allow imazesrv_t self:capability net_bind_service;
-
-r_dir_file(imazesrv_t, etc_t)
-
-general_domain_access(imazesrv_t)
diff --git a/mls/domains/program/unused/ircd.te b/mls/domains/program/unused/ircd.te
deleted file mode 100644
index c85390e1..00000000
--- a/mls/domains/program/unused/ircd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Ircd - IRC server
-#
-# Author: Russell Coker
-# X-Debian-Packages: ircd dancer-ircd ircd-hybrid ircd-irc2 ircd-ircu
-#
-
-#################################
-#
-# Rules for the ircd_t domain.
-#
-# ircd_exec_t is the type of the slapd executable.
-#
-daemon_domain(ircd)
-
-allow ircd_t ircd_port_t:tcp_socket name_bind;
-
-etcdir_domain(ircd)
-
-logdir_domain(ircd)
-
-var_lib_domain(ircd)
-
-# Use the network.
-can_network_server(ircd_t)
-can_ypbind(ircd_t)
-#allow ircd_t self:fifo_file { read write };
-allow ircd_t self:unix_stream_socket create_socket_perms;
-allow ircd_t self:unix_dgram_socket create_socket_perms;
-
-allow ircd_t devtty_t:chr_file rw_file_perms;
-
-allow ircd_t sbin_t:dir search;
-
-allow ircd_t proc_t:file { getattr read };
-
-# read config files
-allow ircd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ircd_t etc_t:lnk_file read;
-
-ifdef(`logrotate.te', `
-allow logrotate_t ircd_var_run_t:dir search;
-allow logrotate_t ircd_var_run_t:file { getattr read };
-')
diff --git a/mls/domains/program/unused/jabberd.te b/mls/domains/program/unused/jabberd.te
deleted file mode 100644
index aed3b81b..00000000
--- a/mls/domains/program/unused/jabberd.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC jabberd - Jabber daemon
-#
-# Author: Colin Walters
-# X-Debian-Packages: jabber
-
-daemon_domain(jabberd)
-logdir_domain(jabberd)
-var_lib_domain(jabberd)
-
-allow jabberd_t jabber_client_port_t:tcp_socket name_bind;
-allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind;
-
-allow jabberd_t etc_t:lnk_file read;
-allow jabberd_t { etc_t etc_runtime_t }:file { read getattr };
-
-# For SSL
-allow jabberd_t random_device_t:file r_file_perms;
-
-can_network_server(jabberd_t)
-can_ypbind(jabberd_t)
-
-allow jabberd_t self:unix_dgram_socket create_socket_perms;
-allow jabberd_t self:unix_stream_socket create_socket_perms;
-allow jabberd_t self:fifo_file { read write getattr };
-
-allow jabberd_t self:capability dac_override;
-
-# allow any user domain to connect to jabber
-can_tcp_connect(userdomain, jabberd_t)
diff --git a/mls/domains/program/unused/lcd.te b/mls/domains/program/unused/lcd.te
deleted file mode 100644
index 2e2eddf5..00000000
--- a/mls/domains/program/unused/lcd.te
+++ /dev/null
@@ -1,35 +0,0 @@
-#DESC lcd - program for Cobalt LCD device
-#
-# Author: Russell Coker
-#
-
-#################################
-#
-# Rules for the lcd_t domain.
-#
-# lcd_t is the domain for the lcd program.
-# lcd_exec_t is the type of the corresponding program.
-#
-type lcd_t, domain, privlog;
-role sysadm_r types lcd_t;
-role system_r types lcd_t;
-uses_shlib(lcd_t)
-type lcd_exec_t, file_type, sysadmfile, exec_type;
-type lcd_device_t, file_type;
-
-# Transition into this domain when you run this program.
-domain_auto_trans(initrc_t, lcd_exec_t, lcd_t)
-domain_auto_trans(sysadm_t, lcd_exec_t, lcd_t)
-
-allow lcd_t lcd_device_t:chr_file rw_file_perms;
-
-# for /etc/locks/.lcd_lock
-lock_domain(lcd)
-allow lcd_t etc_t:lnk_file read;
-allow lcd_t var_t:dir search;
-
-# Access the terminal.
-allow lcd_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow lcd_t sysadm_gph_t:fd use;')
-allow lcd_t privfd:fd use;
-
diff --git a/mls/domains/program/unused/lrrd.te b/mls/domains/program/unused/lrrd.te
deleted file mode 100644
index b1916f1c..00000000
--- a/mls/domains/program/unused/lrrd.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#DESC LRRD - network-wide load graphing
-#
-# Author: Erich Schubert
-# X-Debian-Packages: lrrd-client, lrrd-server
-#
-
-#################################
-#
-# Rules for the lrrd_t domain.
-#
-# lrrd_exec_t is the type of the lrrd executable.
-#
-daemon_domain(lrrd)
-
-allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
-
-etcdir_domain(lrrd)
-type lrrd_var_lib_t, file_type, sysadmfile;
-
-log_domain(lrrd)
-tmp_domain(lrrd)
-
-# has cron jobs
-system_crond_entry(lrrd_exec_t, lrrd_t)
-allow crond_t lrrd_var_lib_t:dir search;
-
-# init script
-allow initrc_t lrrd_log_t:file { write append setattr ioctl };
-
-# allow to drop privileges and renice
-allow lrrd_t self:capability { setgid setuid };
-allow lrrd_t self:process { getsched setsched };
-
-allow lrrd_t urandom_device_t:chr_file { getattr read };
-allow lrrd_t proc_t:file { getattr read };
-allow lrrd_t usr_t:file { read ioctl };
-
-can_exec(lrrd_t, bin_t)
-allow lrrd_t bin_t:dir search;
-allow lrrd_t usr_t:lnk_file read;
-
-# Allow access to the lrrd databases
-create_dir_file(lrrd_t, lrrd_var_lib_t)
-allow lrrd_t var_lib_t:dir search;
-
-# read config files
-r_dir_file(initrc_t, lrrd_etc_t)
-allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-# for accessing the output directory
-ifdef(`apache.te', `
-allow lrrd_t httpd_sys_content_t:dir search;
-')
-
-allow lrrd_t etc_t:dir search;
-
-can_unix_connect(sysadm_t, lrrd_t)
-can_unix_connect(lrrd_t, lrrd_t)
-can_unix_send(lrrd_t, lrrd_t)
-can_network_server(lrrd_t)
-can_ypbind(lrrd_t)
-
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, lrrd_etc_t)
-allow logrotate_t lrrd_var_lib_t:dir search;
-allow logrotate_t lrrd_var_run_t:dir search;
-allow logrotate_t lrrd_var_run_t:sock_file write;
-can_unix_connect(logrotate_t, lrrd_t)
-')
diff --git a/mls/domains/program/unused/monopd.te b/mls/domains/program/unused/monopd.te
deleted file mode 100644
index 3512592f..00000000
--- a/mls/domains/program/unused/monopd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC MonopD - Monopoly Daemon
-#
-# Author: Torsten Knodt
-# based on the dhcpd_t policy from:
-# Russell Coker
-#
-
-#################################
-#
-# Rules for the monopd_t domain.
-#
-daemon_domain(monopd)
-etc_domain(monopd)
-typealias monopd_etc_t alias etc_monopd_t;
-
-type monopd_share_t, file_type, sysadmfile;
-typealias monopd_share_t alias share_monopd_t;
-
-# Use the network.
-can_network_server(monopd_t)
-can_ypbind(monopd_t)
-
-allow monopd_t monopd_port_t:tcp_socket name_bind;
-
-r_dir_file(monopd_t,share_monopd_t)
-
-allow monopd_t self:unix_dgram_socket create_socket_perms;
-allow monopd_t self:unix_stream_socket create_socket_perms;
-
-r_dir_file(monopd_t, etc_t)
diff --git a/mls/domains/program/unused/mozilla.te b/mls/domains/program/unused/mozilla.te
deleted file mode 100644
index f286ea02..00000000
--- a/mls/domains/program/unused/mozilla.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC Netscape - Web browser
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: mozilla
-#
-
-# Type for the netscape, mozilla or other browser executables.
-type mozilla_exec_t, file_type, sysadmfile, exec_type;
-type mozilla_conf_t, file_type, sysadmfile;
-
-# Run in user_t
-bool disable_mozilla_trans false;
-
-# Everything else is in the mozilla_domain macro in
-# macros/program/mozilla_macros.te.
diff --git a/mls/domains/program/unused/mplayer.te b/mls/domains/program/unused/mplayer.te
deleted file mode 100644
index 194c8076..00000000
--- a/mls/domains/program/unused/mplayer.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC mplayer - media player
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for the mplayer executable.
-type mplayer_exec_t, file_type, exec_type, sysadmfile;
-type mencoder_exec_t, file_type, exec_type, sysadmfile;
-type mplayer_etc_t, file_type, sysadmfile;
-
-# Allow mplayer executable stack
-bool allow_mplayer_execstack false;
-
-# Everything else is in the mplayer_domain macro in
-# macros/program/mplayer_macros.te.
diff --git a/mls/domains/program/unused/nagios.te b/mls/domains/program/unused/nagios.te
deleted file mode 100644
index 9d540c88..00000000
--- a/mls/domains/program/unused/nagios.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Net Saint / NAGIOS - network monitoring server
-#
-# Author: Russell Coker
-# X-Debian-Packages: netsaint, nagios
-# Depends: mta.te
-#
-
-#################################
-#
-# Rules for the nagios_t domain.
-#
-# nagios_exec_t is the type of the netsaint/nagios executable.
-#
-daemon_domain(nagios, `, privmail')
-
-etcdir_domain(nagios)
-
-logdir_domain(nagios)
-allow nagios_t nagios_log_t:fifo_file create_file_perms;
-allow initrc_t nagios_log_t:dir rw_dir_perms;
-
-tmp_domain(nagios)
-allow system_mail_t nagios_tmp_t:file { getattr read };
-# for open file handles
-dontaudit system_mail_t nagios_etc_t:file read;
-dontaudit system_mail_t nagios_log_t:fifo_file read;
-
-# Use the network.
-allow nagios_t self:fifo_file rw_file_perms;
-allow nagios_t self:unix_stream_socket create_socket_perms;
-allow nagios_t self:unix_dgram_socket create_socket_perms;
-
-# Use capabilities
-allow nagios_t self:capability { dac_override setgid setuid };
-allow nagios_t self:process setpgid;
-
-allow nagios_t { bin_t sbin_t }:dir search;
-allow nagios_t bin_t:lnk_file read;
-can_exec(nagios_t, { shell_exec_t bin_t })
-
-allow nagios_t proc_t:file { getattr read };
-
-can_network_server(nagios_t)
-can_ypbind(nagios_t)
-
-# read config files
-allow nagios_t { etc_t etc_runtime_t }:file { getattr read };
-allow nagios_t etc_t:lnk_file read;
-
-allow nagios_t etc_t:dir r_dir_perms;
-
-# for ps
-r_dir_file(nagios_t, domain)
-allow nagios_t boot_t:dir search;
-allow nagios_t system_map_t:file { getattr read };
-
-# for who
-allow nagios_t initrc_var_run_t:file { getattr read lock };
-
-system_domain(nagios_cgi)
-allow nagios_cgi_t device_t:dir search;
-r_dir_file(nagios_cgi_t, nagios_etc_t)
-allow nagios_cgi_t var_log_t:dir search;
-r_dir_file(nagios_cgi_t, nagios_log_t)
-allow nagios_cgi_t self:process { fork signal_perms };
-allow nagios_cgi_t self:fifo_file rw_file_perms;
-allow nagios_cgi_t bin_t:dir search;
-can_exec(nagios_cgi_t, bin_t)
-read_locale(nagios_cgi_t)
-
-# for ps
-allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read };
-r_dir_file(nagios_cgi_t, { proc_t self nagios_t })
-allow nagios_cgi_t boot_t:dir search;
-allow nagios_cgi_t system_map_t:file { getattr read };
-dontaudit nagios_cgi_t domain:dir getattr;
-allow nagios_cgi_t self:unix_stream_socket create_socket_perms;
-
-ifdef(`apache.te', `
-r_dir_file(httpd_t, nagios_etc_t)
-domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t)
-allow nagios_cgi_t httpd_log_t:file append;
-')
-
-ifdef(`ping.te', `
-domain_auto_trans(nagios_t, ping_exec_t, ping_t)
-allow nagios_t ping_t:process { sigkill signal };
-dontaudit ping_t nagios_etc_t:file read;
-dontaudit ping_t nagios_log_t:fifo_file read;
-')
diff --git a/mls/domains/program/unused/nessusd.te b/mls/domains/program/unused/nessusd.te
deleted file mode 100644
index 65d89e1f..00000000
--- a/mls/domains/program/unused/nessusd.te
+++ /dev/null
@@ -1,54 +0,0 @@
-#DESC Nessus network scanning daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: nessus
-#
-
-#################################
-#
-# Rules for the nessusd_t domain.
-#
-# nessusd_exec_t is the type of the nessusd executable.
-#
-daemon_domain(nessusd)
-
-etc_domain(nessusd)
-type nessusd_db_t, file_type, sysadmfile;
-
-allow nessusd_t nessus_port_t:tcp_socket name_bind;
-
-#tmp_domain(nessusd)
-
-# Use the network.
-can_network(nessusd_t)
-allow nessusd_t port_type:tcp_socket name_connect;
-can_ypbind(nessusd_t)
-allow nessusd_t self:unix_stream_socket create_socket_perms;
-#allow nessusd_t self:unix_dgram_socket create_socket_perms;
-
-# why ioctl on /dev/urandom?
-allow nessusd_t random_device_t:chr_file { getattr read ioctl };
-allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms;
-allow nessusd_t self:capability net_raw;
-
-# for nmap etc
-allow nessusd_t { bin_t sbin_t }:dir search;
-allow nessusd_t bin_t:lnk_file read;
-can_exec(nessusd_t, bin_t)
-allow nessusd_t self:fifo_file { getattr read write };
-
-# allow user domains to connect to nessusd
-can_tcp_connect(userdomain, nessusd_t)
-
-allow nessusd_t self:process setsched;
-
-allow nessusd_t proc_t:file { getattr read };
-
-# Allow access to the nessusd authentication database
-create_dir_file(nessusd_t, nessusd_db_t)
-allow nessusd_t var_lib_t:dir r_dir_perms;
-
-# read config files
-allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-logdir_domain(nessusd)
diff --git a/mls/domains/program/unused/nrpe.te b/mls/domains/program/unused/nrpe.te
deleted file mode 100644
index 87d1a02c..00000000
--- a/mls/domains/program/unused/nrpe.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# DESC nrpe - Nagios Remote Plugin Execution
-#
-# Author: Thomas Bleher
-#
-# Depends: tcpd.te
-# X-Debian-Packages: nagios-nrpe-server
-#
-# This policy assumes that nrpe is called from inetd
-
-daemon_base_domain(nrpe)
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
-')
-domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
-
-allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
-
-allow nrpe_t self:fifo_file rw_file_perms;
-allow nrpe_t self:unix_dgram_socket create_socket_perms;
-# use sockets inherited from inetd
-allow nrpe_t inetd_t:tcp_socket { ioctl read write };
-allow nrpe_t devtty_t:chr_file { read write };
-
-allow nrpe_t self:process setpgid;
-
-etc_domain(nrpe)
-read_locale(nrpe_t)
-
-# permissions for the scripts executed by nrpe
-#
-# call shell programs
-can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
-allow nrpe_t { bin_t sbin_t }:dir search;
-# for /bin/sh
-allow nrpe_t bin_t:lnk_file read;
-
-# read /proc/meminfo, /proc/self/mounts and /etc/mtab
-allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
-
-# you will have to add more permissions here, depending on the scripts you call!
diff --git a/mls/domains/program/unused/nsd.te b/mls/domains/program/unused/nsd.te
deleted file mode 100644
index 2aa35c5a..00000000
--- a/mls/domains/program/unused/nsd.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#DESC Authoritative only name server
-#
-# Author: Russell Coker
-# X-Debian-Packages: nsd
-#
-#
-
-#################################
-#
-# Rules for the nsd_t domain.
-#
-
-daemon_domain(nsd)
-
-# a type for nsd.db
-type nsd_db_t, file_type, sysadmfile;
-
-# for zone update cron job
-type nsd_crond_t, domain, privlog;
-role system_r types nsd_crond_t;
-uses_shlib(nsd_crond_t)
-can_network_client(nsd_crond_t)
-allow nsd_crond_t port_type:tcp_socket name_connect;
-can_ypbind(nsd_crond_t)
-allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
-allow nsd_crond_t self:process { fork signal_perms };
-system_crond_entry(nsd_exec_t, nsd_crond_t)
-allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
-allow nsd_crond_t proc_t:lnk_file { getattr read };
-allow nsd_crond_t { bin_t sbin_t }:dir search;
-can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
-allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
-allow nsd_crond_t bin_t:lnk_file read;
-read_locale(nsd_crond_t)
-allow nsd_crond_t self:fifo_file rw_file_perms;
-# kill capability for root cron job and non-root daemon
-allow nsd_crond_t self:capability { dac_override kill };
-allow nsd_crond_t nsd_t:process signal;
-dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
-dontaudit nsd_crond_t self:capability sys_nice;
-dontaudit nsd_crond_t domain:dir search;
-allow nsd_crond_t self:process setsched;
-can_ps(nsd_crond_t, nsd_t)
-
-file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
-allow nsd_crond_t var_lib_t:dir search;
-
-allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
-allow nsd_crond_t proc_t:dir r_dir_perms;
-allow nsd_crond_t device_t:dir search;
-allow nsd_crond_t devtty_t:chr_file rw_file_perms;
-allow nsd_crond_t etc_t:file { getattr read };
-allow nsd_crond_t etc_t:lnk_file read;
-allow nsd_crond_t 
{ var_t var_run_t }:dir search;
-allow nsd_crond_t nsd_var_run_t:file { getattr read };
-
-# for SSP
-allow nsd_crond_t urandom_device_t:chr_file read;
-
-# A type for configuration files of nsd
-type nsd_conf_t, file_type, sysadmfile;
-# A type for zone files
-type nsd_zone_t, file_type, sysadmfile;
-
-r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })
-# zone files may be in /var/lib/nsd
-allow nsd_t var_lib_t:dir search;
-r_dir_file(initrc_t, nsd_conf_t)
-allow nsd_t etc_runtime_t:file { getattr read };
-allow nsd_t proc_t:file { getattr read };
-allow nsd_t { sbin_t bin_t }:dir search;
-can_exec(nsd_t, { nsd_exec_t bin_t })
-
-# Use capabilities. chown is for chowning /var/run/nsd.pid
-allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
-
-allow nsd_t etc_t:{ file lnk_file } { getattr read };
-
-# nsd can use network
-can_network_server(nsd_t)
-can_ypbind(nsd_t)
-# allow client access from caching BIND
-ifdef(`named.te', `
-can_udp_send(named_t, nsd_t)
-can_udp_send(nsd_t, named_t)
-can_tcp_connect(named_t, nsd_t)
-')
-
-# if you want to allow all programs to contact the primary name server
-#can_udp_send(domain, nsd_t)
-#can_udp_send(nsd_t, domain)
-#can_tcp_connect(domain, nsd_t)
-
-# Bind to the named port.
-allow nsd_t dns_port_t:udp_socket name_bind;
-allow nsd_t dns_port_t:tcp_socket name_bind;
-
-allow nsd_t self:unix_stream_socket create_stream_socket_perms;
-allow nsd_t self:unix_dgram_socket create_socket_perms;
-
diff --git a/mls/domains/program/unused/nx_server.te b/mls/domains/program/unused/nx_server.te
deleted file mode 100644
index a6e723ac..00000000
--- a/mls/domains/program/unused/nx_server.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# DESC NX - NX Server
-#
-# Author: Thomas Bleher
-#
-# Depends: sshd.te
-#
-
-# Type for the nxserver executable, called from ssh
-type nx_server_exec_t, file_type, sysadmfile, exec_type;
-
-# type of the nxserver; userdomain is needed so sshd can transition
-type nx_server_t, domain, userdomain;
-
-# we need an extra role because nxserver is called from sshd
-role nx_server_r types nx_server_t;
-allow system_r nx_server_r;
-domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
-
-# not really sure if the additional attributes are needed, copied from userdomains
-can_create_pty(nx_server, `, userpty_type, user_tty_type')
-type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
-
-uses_shlib(nx_server_t)
-read_locale(nx_server_t)
-
-tmp_domain(nx_server)
-var_run_domain(nx_server)
-
-# nxserver is a shell script --> call other programs
-can_exec(nx_server_t, { bin_t shell_exec_t })
-allow nx_server_t self:process { fork sigchld };
-allow nx_server_t self:fifo_file { getattr ioctl read write };
-allow nx_server_t bin_t:dir { getattr read search };
-allow nx_server_t bin_t:lnk_file read;
-
-r_dir_file(nx_server_t, proc_t)
-allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
-
-# we do not actually need this attribute or the types defined here,
-# but otherwise we cannot call the ssh_domain-macro
-attribute nx_server_file_type;
-type nx_server_home_dir_t alias nx_server_home_t;
-type nx_server_xauth_home_t;
-type nx_server_tty_device_t;
-type nx_server_gph_t;
-type nx_server_fonts_cache_t;
-type nx_server_fonts_t;
-type nx_server_fonts_config_t;
-type nx_server_gnome_settings_t;
-
-ssh_domain(nx_server)
-
-can_network_client(nx_server_t)
-allow nx_server_t port_type:tcp_socket name_connect;
-
-allow nx_server_t devtty_t:chr_file { read write };
-allow nx_server_t sysctl_kernel_t:dir search;
-allow nx_server_t sysctl_kernel_t:file { getattr read };
-allow nx_server_t urandom_device_t:chr_file read;
-# for reading the config files; 
maybe a separate type,
-# but users need to be able to also read the config
-allow nx_server_t usr_t:file { getattr read };
-
-dontaudit nx_server_t selinux_config_t:dir search;
-
-# clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
-# for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
-
diff --git a/mls/domains/program/unused/oav-update.te b/mls/domains/program/unused/oav-update.te
deleted file mode 100644
index a9843c68..00000000
--- a/mls/domains/program/unused/oav-update.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#DESC Oav - Anti-virus update program
-#
-# Author: Brian May
-# X-Debian-Packages:
-#
-
-type oav_update_var_lib_t, file_type, sysadmfile;
-type oav_update_exec_t, file_type, sysadmfile, exec_type;
-type oav_update_etc_t, file_type, sysadmfile;
-
-# Derived domain based on the calling user domain and the program.
-type oav_update_t, domain, privlog;
-
-# Transition from the sysadm domain to the derived domain.
-role sysadm_r types oav_update_t;
-domain_auto_trans(sysadm_t, oav_update_exec_t, oav_update_t)
-
-# Transition from the sysadm domain to the derived domain.
-role system_r types oav_update_t;
-system_crond_entry(oav_update_exec_t, oav_update_t)
-
-# Uses shared librarys
-uses_shlib(oav_update_t)
-
-# Run helper programs.
-can_exec_any(oav_update_t,bin_t)
-
-# Can read /etc/oav-update/* files
-allow oav_update_t oav_update_etc_t:dir r_dir_perms;
-allow oav_update_t oav_update_etc_t:file r_file_perms;
-
-# Can read /var/lib/oav-update/current
-allow oav_update_t oav_update_var_lib_t:dir create_dir_perms;
-allow oav_update_t oav_update_var_lib_t:file create_file_perms;
-allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
-
-# Can download via network
-can_network_server(oav_update_t)
diff --git a/mls/domains/program/unused/openca-ca.te b/mls/domains/program/unused/openca-ca.te
deleted file mode 100644
index 411c61de..00000000
--- a/mls/domains/program/unused/openca-ca.te
+++ /dev/null
@@ -1,134 +0,0 @@
-#DESC OpenCA - Open Certificate Authority
-#
-# Author: Brian May
-# X-Debian-Packages:
-# Depends: apache.te
-#
-
-#################################
-#
-# domain for openCA cgi-bin scripts.
-#
-# Type that system CGI scripts run as
-#
-type openca_ca_t, domain;
-role system_r types openca_ca_t;
-uses_shlib(openca_ca_t)
-
-# Types that system CGI scripts on the disk are
-# labeled with
-#
-type openca_ca_exec_t, file_type, sysadmfile;
-
-# When the server starts the script it needs to get the proper context
-#
-domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)
-
-#
-# Allow httpd daemon to search /usr/share/openca
-#
-allow httpd_t openca_usr_share_t:dir { getattr search };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-allow httpd_t bin_t:file { read execute }; # execute perl
-
-allow httpd_t openca_ca_exec_t:file {execute getattr read};
-allow httpd_t openca_ca_t:process {signal sigkill sigstop};
-allow httpd_t openca_ca_t:process transition;
-allow httpd_t openca_ca_exec_t:dir r_dir_perms;
-
-##################################################################
-# Allow the script to get the file descriptor from the http deamon
-# and send sigchild to http deamon
-#################################################################
-allow openca_ca_t httpd_t:process sigchld;
-allow openca_ca_t httpd_t:fd use;
-allow openca_ca_t httpd_t:fifo_file {getattr write};
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow openca_ca_t httpd_log_t:file { append getattr };
-
-#############################################################
-# Allow the script access to the library files so it can run
-#############################################################
-can_exec(openca_ca_t, lib_t)
-
-########################################################################
-# The script needs to inherit the file descriptor and find the script it
-# needs to run
-########################################################################
-allow openca_ca_t initrc_t:fd use;
-allow openca_ca_t init_t:fd use;
-allow openca_ca_t default_t:dir r_dir_perms;
-allow openca_ca_t random_device_t:chr_file r_file_perms;
-
-#######################################################################
-# Allow the script to return its output
-######################################################################
-#allow openca_ca_t httpd_var_run_t: file rw_file_perms;
-allow openca_ca_t null_device_t: chr_file rw_file_perms;
-allow openca_ca_t httpd_cache_t: file rw_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts. So
-# the perl executable will be able to run a perl script
-#########################################################################
-can_exec(openca_ca_t, bin_t)
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow openca_ca_t openca_ca_exec_t:dir search;
-
-#
-# Allow access to writeable files under /etc/openca
-#
-allow openca_ca_t openca_etc_writeable_t:file create_file_perms;
-allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;
-
-#
-# Allow access to other files under /etc/openca
-#
-allow openca_ca_t openca_etc_t:file r_file_perms;
-allow openca_ca_t openca_etc_t:dir r_dir_perms;
-
-#
-# Allow access to private CA key
-#
-allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;
-allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;
-
-#
-# Allow access to other /var/lib/openca files
-#
-allow openca_ca_t openca_var_lib_t:file create_file_perms;
-allow 
openca_ca_t openca_var_lib_t:dir create_dir_perms;
-
-#
-# Allow access to other /usr/share/openca files
-#
-allow openca_ca_t openca_usr_share_t:file r_file_perms;
-allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
-allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
-
-# /etc/openca standard files
-type openca_etc_t, file_type, sysadmfile;
-
-# /etc/openca template files
-type openca_etc_in_t, file_type, sysadmfile;
-
-# /etc/openca writeable (from CGI script) files
-type openca_etc_writeable_t, file_type, sysadmfile;
-
-# /var/lib/openca
-type openca_var_lib_t, file_type, sysadmfile;
-
-# /var/lib/openca/crypto/keys
-type openca_var_lib_keys_t, file_type, sysadmfile;
-
-# /usr/share/openca/crypto/keys
-type openca_usr_share_t, file_type, sysadmfile;
diff --git a/mls/domains/program/unused/openvpn.te b/mls/domains/program/unused/openvpn.te
deleted file mode 100644
index 0ab13175..00000000
--- a/mls/domains/program/unused/openvpn.te
+++ /dev/null
@@ -1,39 +0,0 @@
-#DESC OpenVPN - Firewall-friendly SSL-based VPN
-#
-# Author: Colin Walters
-#
-########################################
-#
-
-daemon_domain(openvpn)
-etcdir_domain(openvpn)
-
-allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
-
-allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
-allow openvpn_t devpts_t:dir { search getattr };
-allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
-allow openvpn_t proc_t:file { getattr read };
-
-allow openvpn_t self:unix_dgram_socket create_socket_perms;
-allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
-allow openvpn_t self:unix_dgram_socket sendto;
-allow openvpn_t self:unix_stream_socket connectto;
-allow openvpn_t self:capability { net_admin setgid setuid };
-r_dir_file(openvpn_t, sysctl_net_t)
-
-can_network_server(openvpn_t)
-allow openvpn_t openvpn_port_t:udp_socket name_bind;
-
-# OpenVPN executes a lot of helper programs and scripts
-allow openvpn_t { bin_t sbin_t }:dir { search getattr };
-allow openvpn_t bin_t:lnk_file { getattr read };
-can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
-# Do not transition to ifconfig_t, since then it needs
-# permission to access openvpn_t:udp_socket, which seems
-# worse.
-can_exec(openvpn_t, ifconfig_exec_t)
-
-# The Fedora init script iterates over /etc/openvpn/*.conf, and
-# starts a daemon for each file.
-r_dir_file(initrc_t, openvpn_etc_t)
diff --git a/mls/domains/program/unused/perdition.te b/mls/domains/program/unused/perdition.te
deleted file mode 100644
index b95cb753..00000000
--- a/mls/domains/program/unused/perdition.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Perdition POP and IMAP proxy
-#
-# Author: Russell Coker
-# X-Debian-Packages: perdition
-#
-
-#################################
-#
-# Rules for the perdition_t domain.
-#
-daemon_domain(perdition)
-
-allow perdition_t pop_port_t:tcp_socket name_bind;
-
-etc_domain(perdition)
-
-# Use the network.
-can_network_server(perdition_t)
-allow perdition_t self:unix_stream_socket create_socket_perms;
-allow perdition_t self:unix_dgram_socket create_socket_perms;
-
-# allow any domain to connect to the proxy
-can_tcp_connect(userdomain, perdition_t)
-
-# Use capabilities
-allow perdition_t self:capability { setgid setuid net_bind_service };
-
-allow perdition_t etc_t:file { getattr read };
-allow perdition_t etc_t:lnk_file read;
diff --git a/mls/domains/program/unused/portslave.te b/mls/domains/program/unused/portslave.te
deleted file mode 100644
index 55dfad61..00000000
--- a/mls/domains/program/unused/portslave.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC Portslave - Terminal server software
-#
-# Author: Russell Coker
-# X-Debian-Packages: portslave
-# Depends: pppd.te
-#
-
-#################################
-#
-# Rules for the portslave_t domain.
-#
-daemon_base_domain(portslave, `, privmail, auth_chkpwd')
-
-type portslave_etc_t, file_type, sysadmfile;
-
-general_domain_access(portslave_t)
-domain_auto_trans(init_t, portslave_exec_t, portslave_t)
-ifdef(`rlogind.te', `
-domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
-')
-ifdef(`inetd.te', `
-domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
-allow portslave_t inetd_t:tcp_socket { getattr read write };
-')
-
-allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
-read_locale(portslave_t)
-r_dir_file(portslave_t, portslave_etc_t)
-
-allow portslave_t pppd_etc_t:dir r_dir_perms;
-allow portslave_t pppd_etc_rw_t:file { getattr read };
-
-allow portslave_t proc_t:file { getattr read };
-
-allow portslave_t { var_t var_log_t devpts_t }:dir search;
-
-allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
-
-allow portslave_t pppd_secret_t:file r_file_perms;
-
-can_network_server(portslave_t)
-allow portslave_t fs_t:filesystem getattr;
-ifdef(`radius.te', `
-can_udp_send(portslave_t, radiusd_t)
-can_udp_send(radiusd_t, portslave_t)
-')
-# for rlogin etc
-can_exec(portslave_t, { bin_t ssh_exec_t })
-# net_bind_service for rlogin
-allow portslave_t self:capability { net_bind_service sys_tty_config };
-# for ssh
-allow portslave_t urandom_device_t:chr_file read;
-ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
-
-# for pppd
-allow portslave_t self:capability { setuid setgid net_admin fsetid };
-allow portslave_t ppp_device_t:chr_file rw_file_perms;
-
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-
-# for ctlportslave
-dontaudit portslave_t self:capability sys_admin;
-
-file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
-can_exec(portslave_t, { etc_t shell_exec_t })
-
-# Run login in local_login_t domain.
-#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow portslave_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow portslave_t wtmp_t:file rw_file_perms;
-
-# Read and write ttys.
-allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
-allow portslave_t ttyfile:chr_file rw_file_perms;
-
-
-lock_domain(portslave)
-can_exec(portslave_t, pppd_exec_t)
-allow portslave_t { bin_t sbin_t }:dir search;
-allow portslave_t bin_t:lnk_file read;
diff --git a/mls/domains/program/unused/postgrey.te b/mls/domains/program/unused/postgrey.te
deleted file mode 100644
index f60e67bc..00000000
--- a/mls/domains/program/unused/postgrey.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC postgrey - Postfix Grey-listing server
-#
-# Author: Russell Coker
-# X-Debian-Packages: postgrey
-
-daemon_domain(postgrey)
-
-allow postgrey_t urandom_device_t:chr_file { getattr read };
-
-# for perl
-allow postgrey_t { bin_t sbin_t }:dir { getattr search };
-allow postgrey_t usr_t:{ file lnk_file } { getattr read };
-dontaudit postgrey_t usr_t:file ioctl;
-
-allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
-etcdir_domain(postgrey)
-
-can_network_server_tcp(postgrey_t)
-can_ypbind(postgrey_t)
-allow postgrey_t postgrey_port_t:tcp_socket name_bind;
-allow postgrey_t self:unix_dgram_socket create_socket_perms;
-allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
-allow postgrey_t proc_t:file { getattr read };
-
-allow postgrey_t self:capability { chown setgid setuid };
-dontaudit postgrey_t self:capability sys_tty_config;
-
-var_lib_domain(postgrey)
-
-allow postgrey_t tmp_t:dir getattr;
diff --git a/mls/domains/program/unused/publicfile.te b/mls/domains/program/unused/publicfile.te
deleted file mode 100644
index b6a206b0..00000000
--- a/mls/domains/program/unused/publicfile.te
+++ /dev/null
@@ -1,25 +0,0 @@
-#DESC Publicfile - HTTP and FTP file services
-# http://cr.yp.to/publicfile.html
-#
-# Author: petre rodan
-#
-# this policy depends on ucspi-tcp
-#
-
-daemon_domain(publicfile)
-type publicfile_content_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
-
-ifdef(`ucspi-tcp.te', `
-domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
-allow publicfile_t utcpserver_t:tcp_socket { read write };
-allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
-')
-
-allow publicfile_t initrc_t:tcp_socket { read write };
-
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
-
-r_dir_file(publicfile_t, publicfile_content_t)
-
-
diff --git a/mls/domains/program/unused/pxe.te b/mls/domains/program/unused/pxe.te
deleted file mode 100644
index 1515593d..00000000
--- a/mls/domains/program/unused/pxe.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC PXE - a server for the PXE network boot protocol
-#
-# Author: Russell Coker
-# X-Debian-Packages: pxe
-#
-
-#################################
-#
-# Rules for the pxe_t domain.
-#
-daemon_domain(pxe)
-
-allow pxe_t pxe_port_t:udp_socket name_bind;
-
-allow pxe_t etc_t:file { getattr read };
-
-allow pxe_t self:capability { chown setgid setuid };
-
-allow pxe_t zero_device_t:chr_file rw_file_perms;
-
-log_domain(pxe)
diff --git a/mls/domains/program/unused/pyzor.te b/mls/domains/program/unused/pyzor.te
deleted file mode 100644
index b0629adc..00000000
--- a/mls/domains/program/unused/pyzor.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-# block spam using identifying digests of messages.
-#
-# Author: David Hampton
-#
-
-# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
-# Pyzor normally dumps everything into $HOME/.pyzor. By putting the
-# following line to the spamassassin config file:
-#
-# pyzor_options --homedir /etc/pyzor
-#
-# the various files will be put into appropriate directories.
-# (I.E. The log file into /var/log, etc.) This policy will work
-# either way.
-
-##########
-# pyzor daemon
-##########
-daemon_domain(pyzord, `, privlog, nscd_client_domain')
-pyzor_base_domain(pyzord)
-allow pyzord_t pyzor_port_t:udp_socket name_bind;
-home_domain_access(pyzord_t, sysadm, pyzor)
-log_domain(pyzord)
-
-# Read shared daemon/client config file
-r_dir_file(pyzord_t, pyzor_etc_t)
-
-# Write shared daemon/client data dir
-allow pyzord_t var_lib_t:dir search;
-create_dir_file(pyzord_t, pyzor_var_lib_t)
-
-##########
-# Pyzor query application - from system_r applictions
-##########
-type pyzor_t, domain, privlog, daemon;
-type pyzor_exec_t, file_type, sysadmfile, exec_type;
-role system_r types pyzor_t;
-
-pyzor_base_domain(pyzor)
-
-# System config/data files
-etcdir_domain(pyzor)
-var_lib_domain(pyzor)
-
-##########
-##########
-
-#
-# Some spam filters executes the pyzor code directly. Allow them access here.
-#
-ifdef(`spamd.te',`
-domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
-# pyzor needs access to the email spamassassin is checking
-allow pyzor_t spamd_tmp_t:file r_file_perms;
-')
diff --git a/mls/domains/program/unused/qmail.te b/mls/domains/program/unused/qmail.te
deleted file mode 100644
index 6c51cd76..00000000
--- a/mls/domains/program/unused/qmail.te
+++ /dev/null
@@ -1,197 +0,0 @@
-#DESC Qmail - Mail server
-#
-# Author: Russell Coker
-# X-Debian-Packages: qmail-src qmail
-# Depends: inetd.te mta.te
-#
-
-
-# Type for files created during execution of qmail.
-type qmail_var_run_t, file_type, sysadmfile, pidfile;
-
-type qmail_etc_t, file_type, sysadmfile;
-
-allow inetd_t smtp_port_t:tcp_socket name_bind;
-
-type qmail_exec_t, file_type, sysadmfile, exec_type;
-type qmail_spool_t, file_type, sysadmfile;
-type var_qmail_t, file_type, sysadmfile;
-
-define(`qmaild_sub_domain', `
-daemon_sub_domain($1, $2, `$3')
-allow $2_t qmail_etc_t:dir { getattr search };
-allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
-allow $2_t { var_t var_spool_t }:dir search;
-allow $2_t console_device_t:chr_file rw_file_perms;
-allow $2_t fs_t:filesystem getattr;
-')
-
-#################################
-#
-# Rules for the qmail_$1_t domain.
-#
-# qmail_$1_exec_t is the type of the qmail_$1 executables.
-#
-define(`qmail_daemon_domain', `
-qmaild_sub_domain(qmail_start_t, qmail_$1, `$2')
-allow qmail_$1_t qmail_start_t:fifo_file { read write };
-')dnl
-
-
-daemon_base_domain(qmail_start)
-
-allow qmail_start_t self:capability { setgid setuid };
-allow qmail_start_t { bin_t sbin_t }:dir search;
-allow qmail_start_t qmail_etc_t:dir search;
-allow qmail_start_t qmail_etc_t:file { getattr read };
-can_exec(qmail_start_t, qmail_start_exec_t)
-allow qmail_start_t self:fifo_file { getattr read write };
-
-qmail_daemon_domain(lspawn, `, mta_delivery_agent')
-allow qmail_lspawn_t self:fifo_file { read write };
-allow qmail_lspawn_t self:capability { setuid setgid };
-allow qmail_lspawn_t self:process { fork signal_perms };
-allow qmail_lspawn_t sbin_t:dir search;
-can_exec(qmail_lspawn_t, qmail_exec_t)
-allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
-allow qmail_lspawn_t qmail_spool_t:dir search;
-allow qmail_lspawn_t qmail_spool_t:file { read getattr };
-allow qmail_lspawn_t etc_t:file { getattr read };
-allow qmail_lspawn_t tmp_t:dir getattr;
-dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };
-
-qmail_daemon_domain(send, `, mail_server_sender')
-rw_dir_create_file(qmail_send_t, qmail_spool_t)
-allow qmail_send_t qmail_spool_t:fifo_file read;
-allow qmail_send_t self:process { fork signal_perms };
-allow qmail_send_t self:fifo_file write;
-domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_send_t sbin_t:dir search;
-
-qmail_daemon_domain(splogger)
-allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-allow qmail_splogger_t etc_t:lnk_file read;
-dontaudit qmail_splogger_t initrc_t:fd use;
-read_locale(qmail_splogger_t)
-
-qmail_daemon_domain(rspawn)
-allow qmail_rspawn_t qmail_spool_t:dir search;
-allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
-allow qmail_rspawn_t self:process { fork signal_perms };
-allow qmail_rspawn_t self:fifo_file read;
-allow qmail_rspawn_t { bin_t sbin_t }:dir search;
-
-qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
-allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
-can_network_server(qmail_remote_t)
-can_ypbind(qmail_remote_t)
-allow qmail_remote_t qmail_spool_t:dir search;
-allow qmail_remote_t qmail_spool_t:file rw_file_perms;
-allow qmail_remote_t self:tcp_socket create_socket_perms;
-allow qmail_remote_t self:udp_socket create_socket_perms;
-
-qmail_daemon_domain(clean)
-allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
-allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
-
-# privhome will do until we get a separate maildir type
-qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
-allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
-allow qmail_local_t self:process { fork signal_perms };
-domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_local_t qmail_queue_exec_t:file { getattr read };
-allow qmail_local_t qmail_spool_t:file { ioctl read };
-allow qmail_local_t self:fifo_file write;
-allow qmail_local_t sbin_t:dir search;
-allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
-allow qmail_local_t etc_t:file { getattr read };
-
-# for piping mail to a command
-can_exec(qmail_local_t, shell_exec_t)
-allow qmail_local_t bin_t:dir search;
-allow qmail_local_t bin_t:lnk_file read;
-allow qmail_local_t devtty_t:chr_file rw_file_perms;
-allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
-
-ifdef(`tcpd.te', `
-qmaild_sub_domain(tcpd_t, qmail_tcp_env)
-# bug
-can_exec(tcpd_t, tcpd_exec_t)
-', `
-qmaild_sub_domain(inetd_t, qmail_tcp_env)
-')
-allow qmail_tcp_env_t inetd_t:fd use;
-allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
-allow qmail_tcp_env_t inetd_t:process sigchld;
-allow qmail_tcp_env_t sbin_t:dir search;
-can_network_server(qmail_tcp_env_t)
-can_ypbind(qmail_tcp_env_t)
-
-qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
-can_network_server(qmail_smtpd_t)
-can_ypbind(qmail_smtpd_t)
-allow qmail_smtpd_t inetd_t:fd use;
-allow qmail_smtpd_t inetd_t:tcp_socket { read write };
-allow qmail_smtpd_t inetd_t:process sigchld;
-allow qmail_smtpd_t self:process { fork signal_perms };
-allow qmail_smtpd_t self:fifo_file write;
-allow qmail_smtpd_t self:tcp_socket create_socket_perms;
-allow qmail_smtpd_t sbin_t:dir search;
-domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
-
-qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
-allow qmail_inject_t self:process { fork signal_perms };
-allow qmail_inject_t self:fifo_file write;
-allow qmail_inject_t sbin_t:dir search;
-role sysadm_r types qmail_inject_t;
-in_user_role(qmail_inject_t)
-
-qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent')
-in_user_role(qmail_qread_t)
-role sysadm_r types qmail_qread_t;
-r_dir_file(qmail_qread_t, qmail_spool_t)
-allow qmail_qread_t self:capability dac_override;
-allow qmail_qread_t privfd:fd use;
-
-qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
-role sysadm_r types qmail_queue_t;
-in_user_role(qmail_queue_t)
-allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
-rw_dir_create_file(qmail_queue_t, qmail_spool_t)
-allow qmail_queue_t qmail_spool_t:fifo_file { read write };
-allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
-allow qmail_queue_t qmail_lspawn_t:fifo_file write;
-allow qmail_queue_t qmail_start_t:fifo_file { read write };
-allow qmail_queue_t privfd:fd use;
-allow qmail_queue_t crond_t:fifo_file { read write };
-allow qmail_queue_t inetd_t:fd use;
-allow qmail_queue_t inetd_t:tcp_socket { read write };
-allow qmail_queue_t sysadm_t:fd use;
-allow qmail_queue_t sysadm_t:fifo_file write;
-
-allow user_crond_domain qmail_etc_t:dir search;
-allow user_crond_domain qmail_etc_t:file { getattr read };
-
-qmaild_sub_domain(user_crond_domain, qmail_serialmail)
-in_user_role(qmail_serialmail_t)
-can_network_server(qmail_serialmail_t)
-can_ypbind(qmail_serialmail_t)
-can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
-allow qmail_serialmail_t self:process { fork signal_perms };
-allow qmail_serialmail_t proc_t:file { getattr read };
-allow qmail_serialmail_t etc_runtime_t:file { getattr read };
-allow qmail_serialmail_t home_root_t:dir search;
-allow qmail_serialmail_t user_home_dir_type:dir { search read getattr };
-rw_dir_create_file(qmail_serialmail_t, user_home_type)
-allow qmail_serialmail_t self:fifo_file { read write };
-allow qmail_serialmail_t self:udp_socket create_socket_perms;
-allow qmail_serialmail_t self:tcp_socket create_socket_perms;
-allow qmail_serialmail_t privfd:fd use;
-allow qmail_serialmail_t crond_t:fifo_file { read write ioctl };
-allow qmail_serialmail_t devtty_t:chr_file { read write };
-
-# for tcpclient
-can_exec(qmail_serialmail_t, bin_t)
-allow qmail_serialmail_t bin_t:dir search;
diff --git a/mls/domains/program/unused/razor.te b/mls/domains/program/unused/razor.te
deleted file mode 100644
index e88bb499..00000000
--- a/mls/domains/program/unused/razor.te
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Razor - Vipul's Razor is a distributed, collaborative, spam
-# detection and filtering network.
-#
-# Author: David Hampton
-#
-
-# NOTE: This policy will work with either the ATrpms provided config
-# file in /etc/razor, or with the default of dumping everything into
-# $HOME/.razor.
-
-##########
-# Razor query application - from system_r applictions
-##########
-type razor_t, domain, privlog, daemon;
-type razor_exec_t, file_type, sysadmfile, exec_type;
-role system_r types razor_t;
-
-razor_base_domain(razor)
-
-# Razor config file directory. When invoked as razor-admin, it can
-# update files in this directory.
-etcdir_domain(razor)
-create_dir_file(razor_t, razor_etc_t);
-
-# Shared razor files updated freuently
-var_lib_domain(razor)
-
-# Log files
-log_domain(razor)
-allow razor_t var_log_t:dir search;
-ifdef(`logrotate.te', `
-allow logrotate_t razor_log_t:file r_file_perms;
-')
-
-##########
-##########
-
-#
-# Some spam filters executes the razor code directly. Allow them access here.
-#
-define(`razor_access',`
-r_dir_file($1, razor_etc_t)
-allow $1 var_log_t:dir search;
-allow $1 razor_log_t:file ra_file_perms;
-r_dir_file($1, razor_var_lib_t)
-r_dir_file($1, sysadm_razor_home_t)
-can_network_client_tcp($1, razor_port_t)
-allow $1 razor_port_t:tcp_socket name_connect;
-')
-
-ifdef(`spamd.te', `razor_access(spamd_t)');
-ifdef(`amavis.te', `razor_access(amavisd_t)');
diff --git a/mls/domains/program/unused/resmgrd.te b/mls/domains/program/unused/resmgrd.te
deleted file mode 100644
index 9224ad37..00000000
--- a/mls/domains/program/unused/resmgrd.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# DESC resmgrd - resource manager daemon
-#
-# Author: Thomas Bleher
-
-daemon_base_domain(resmgrd)
-var_run_domain(resmgrd, { file sock_file })
-etc_domain(resmgrd)
-read_locale(resmgrd_t)
-allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
-
-allow resmgrd_t etc_t:file { getattr read };
-allow resmgrd_t self:unix_stream_socket create_stream_socket_perms;
-allow resmgrd_t self:unix_dgram_socket create_socket_perms;
-
-# hardware access
-allow resmgrd_t device_t:lnk_file { getattr read };
-# not sure if it needs write access, needs to be investigated further...
-allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
-allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
-allow resmgrd_t scanner_device_t:chr_file { getattr };
-# I think a dontaudit should be enough there
-dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
-
-# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
-
diff --git a/mls/domains/program/unused/rhgb.te b/mls/domains/program/unused/rhgb.te
deleted file mode 100644
index 5d176e9d..00000000
--- a/mls/domains/program/unused/rhgb.te
+++ /dev/null
@@ -1,100 +0,0 @@
-#DESC rhgb - Red Hat Graphical Boot
-#
-# Author: Russell Coker
-# Depends: xdm.te gnome-pty-helper.te xserver.te
-
-daemon_base_domain(rhgb)
-
-allow rhgb_t { bin_t sbin_t }:dir search;
-allow rhgb_t bin_t:lnk_file read;
-
-domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
-domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
-can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })
-
-allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
-allow rhgb_t self:fifo_file rw_file_perms;
-
-# for gnome-pty-helper
-gph_domain(rhgb, system)
-allow initrc_t rhgb_gph_t:fd use;
-
-allow rhgb_t proc_t:file { getattr read };
-
-allow rhgb_t devtty_t:chr_file { read write };
-allow rhgb_t tty_device_t:chr_file rw_file_perms;
-
-read_locale(rhgb_t)
-allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
-
-# for ramfs file systems
-allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
-allow rhgb_t ramfs_t:sock_file create_file_perms;
-allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
-allow insmod_t ramfs_t:file write;
-allow insmod_t rhgb_t:fd use;
-
-allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t mnt_t:dir { search mounton };
-allow rhgb_t self:capability { sys_admin sys_tty_config };
-dontaudit rhgb_t var_run_t:dir search;
-
-can_network_client(rhgb_t)
-allow rhgb_t port_type:tcp_socket name_connect;
-can_ypbind(rhgb_t)
-
-allow rhgb_t usr_t:{ file lnk_file } { getattr read };
-
-# for running setxkbmap
-r_dir_file(rhgb_t, xkb_var_lib_t)
-
-# for localization
-allow rhgb_t lib_t:file { getattr read };
-
-allow rhgb_t initctl_t:fifo_file write;
-
-ifdef(`hide_broken_symptoms', `
-# it should not do this
-dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-')dnl end hide_broken_symptoms
-
-can_create_pty(rhgb)
-
-allow rhgb_t self:shm create_shm_perms;
-allow xdm_xserver_t rhgb_t:shm rw_shm_perms;
-
-can_unix_connect(initrc_t, rhgb_t)
-tmpfs_domain(rhgb)
-allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
-
-read_fonts(rhgb_t)
-
-# for nscd
-dontaudit rhgb_t var_t:dir search;
-
-ifdef(`hide_broken_symptoms', `
-# for a bug in the X server
-dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
-dontaudit insmod_t serial_device:chr_file { read write };
-dontaudit mount_t rhgb_gph_t:fd use;
-dontaudit mount_t rhgb_t:unix_stream_socket { read write };
-dontaudit mount_t ptmx_t:chr_file { read write };
-')dnl end hide_broken_symptoms
-
-ifdef(`firstboot.te', `
-allow rhgb_t firstboot_rw_t:file r_file_perms;
-')
-allow rhgb_t tmp_t:dir search;
-allow rhgb_t xdm_xserver_t:process sigkill;
-allow domain rhgb_devpts_t:chr_file { read write };
-ifdef(`fsadm.te', `
-dontaudit fsadm_t ramfs_t:fifo_file write;
-')
-allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
-dontaudit rhgb_t default_t:file read;
-
-allow initrc_t ramfs_t:dir search;
-allow initrc_t ramfs_t:sock_file write;
-allow initrc_t rhgb_t:unix_stream_socket { read write };
-
-allow rhgb_t default_t:file { getattr read };
diff --git a/mls/domains/program/unused/rssh.te b/mls/domains/program/unused/rssh.te
deleted file mode 100644
index 73bab4a1..00000000
--- a/mls/domains/program/unused/rssh.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Rssh - Restricted (scp/sftp) only shell
-#
-# Authors: Colin Walters
-# X-Debian-Package: rssh
-#
-
-type rssh_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`ssh.te',`
-allow sshd_t rssh_exec_t:file r_file_perms;
-')
-
-# See rssh_macros.te for the rest.
diff --git a/mls/domains/program/unused/scannerdaemon.te b/mls/domains/program/unused/scannerdaemon.te
deleted file mode 100644
index 6245e8b9..00000000
--- a/mls/domains/program/unused/scannerdaemon.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#DESC Scannerdaemon - Virus scanner daemon
-#
-# Author: Brian May
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the scannerdaemon_t domain.
-#
-type scannerdaemon_etc_t, file_type, sysadmfile;
-
-#networking
-daemon_domain(scannerdaemon)
-can_network_server(scannerdaemon_t)
-ifdef(`postfix.te',
-`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);')
-
-# for testing
-can_tcp_connect(sysadm_t,scannerdaemon_t)
-
-# Can create unix sockets
-allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms;
-
-# Access config files (libc6).
-allow scannerdaemon_t etc_t:file r_file_perms;
-allow scannerdaemon_t etc_t:lnk_file r_file_perms;
-allow scannerdaemon_t proc_t:file r_file_perms;
-allow scannerdaemon_t etc_runtime_t:file r_file_perms;
-
-# Access config files (scannerdaemon).
-allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
-
-# Access signature files.
-ifdef(`oav-update.te',`
-allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
-')
-
-log_domain(scannerdaemon)
-ifdef(`logrotate.te', `
-allow logrotate_t scannerdaemon_log_t:file create_file_perms;
-')
-
-# Can run kaffe
-# Run helper programs.
-can_exec_any(scannerdaemon_t)
-allow scannerdaemon_t var_lib_t:dir search;
-allow scannerdaemon_t { sbin_t bin_t }:dir search;
-allow scannerdaemon_t bin_t:lnk_file read;
-
-# unknown stuff
-allow scannerdaemon_t self:fifo_file { read write };
-
-# broken stuff
-dontaudit scannerdaemon_t sysadm_home_dir_t:dir search;
-dontaudit scannerdaemon_t devtty_t:chr_file { read write };
-dontaudit scannerdaemon_t shadow_t:file { read getattr };
diff --git a/mls/domains/program/unused/snort.te b/mls/domains/program/unused/snort.te
deleted file mode 100644
index 24188f67..00000000
--- a/mls/domains/program/unused/snort.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC Snort - Network sniffer
-#
-# Author: Shaun Savage
-# Modified by Russell Coker
-# X-Debian-Packages: snort-common
-#
-
-daemon_domain(snort)
-
-logdir_domain(snort)
-allow snort_t snort_log_t:dir create;
-can_network_server(snort_t)
-type snort_etc_t, file_type, sysadmfile;
-
-# Create temporary files.
-tmp_domain(snort)
-
-# use iptable netlink
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow snort_t self:packet_socket create_socket_perms;
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
-
-r_dir_file(snort_t, snort_etc_t)
-allow snort_t etc_t:file { getattr read };
-allow snort_t etc_t:lnk_file read;
-
-allow snort_t self:unix_dgram_socket create_socket_perms;
-allow snort_t self:unix_stream_socket create_socket_perms;
-
-# for start script
-allow initrc_t snort_etc_t:file { getattr read };
-
-dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
diff --git a/mls/domains/program/unused/sound-server.te b/mls/domains/program/unused/sound-server.te
deleted file mode 100644
index c84a1faf..00000000
--- a/mls/domains/program/unused/sound-server.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC sound server - for network audio server programs, nasd, yiff, etc
-#
-# Author: Russell Coker
-#
-
-#################################
-#
-# Rules for the soundd_t domain.
-#
-# soundd_exec_t is the type of the soundd executable.
-#
-daemon_domain(soundd)
-
-allow soundd_t soundd_port_t:tcp_socket name_bind;
-
-type etc_soundd_t, file_type, sysadmfile;
-type soundd_state_t, file_type, sysadmfile;
-
-tmp_domain(soundd)
-rw_dir_create_file(soundd_t, soundd_state_t)
-
-allow soundd_t sound_device_t:chr_file rw_file_perms;
-allow soundd_t device_t:lnk_file read;
-
-# Use the network.
-can_network_server(soundd_t)
-allow soundd_t self:unix_stream_socket create_stream_socket_perms;
-allow soundd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the sound server
-can_tcp_connect(userdomain, soundd_t)
-
-allow soundd_t self:process setpgid;
-
-# read config files
-allow soundd_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
-
-allow soundd_t etc_t:dir r_dir_perms;
-r_dir_file(soundd_t, etc_soundd_t)
-
-# for yiff - probably need some rules for the client support too
-allow soundd_t self:shm create_shm_perms;
-tmpfs_domain(soundd)
diff --git a/mls/domains/program/unused/speedmgmt.te b/mls/domains/program/unused/speedmgmt.te
deleted file mode 100644
index 6d399fbd..00000000
--- a/mls/domains/program/unused/speedmgmt.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Speedmgmt - Alcatel speedtouch USB ADSL modem
-#
-# Author: Russell Coker
-#
-
-#################################
-#
-# Rules for the speedmgmt_t domain.
-#
-# speedmgmt_exec_t is the type of the speedmgmt executable.
-#
-daemon_domain(speedmgmt)
-tmp_domain(speedmgmt)
-
-# for accessing USB
-allow speedmgmt_t proc_t:dir r_dir_perms;
-allow speedmgmt_t usbdevfs_t:file rw_file_perms;
-allow speedmgmt_t usbdevfs_t:dir r_dir_perms;
-
-allow speedmgmt_t usr_t:file r_file_perms;
-
-allow speedmgmt_t self:unix_dgram_socket create_socket_perms;
-
-# allow time
-allow speedmgmt_t etc_t:dir r_dir_perms;
-allow speedmgmt_t etc_t:lnk_file r_file_perms;
diff --git a/mls/domains/program/unused/sxid.te b/mls/domains/program/unused/sxid.te
deleted file mode 100644
index a96c9877..00000000
--- a/mls/domains/program/unused/sxid.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC Sxid - SUID/SGID program monitoring
-#
-# Author: Russell Coker
-# X-Debian-Packages: sxid
-#
-
-#################################
-#
-# Rules for the sxid_t domain.
-#
-# sxid_exec_t is the type of the sxid executable.
-#
-daemon_base_domain(sxid, `, privmail')
-tmp_domain(sxid)
-
-allow sxid_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(sxid_exec_t, sxid_t)
-')
-#allow system_crond_t sxid_log_t:file create_file_perms;
-
-read_locale(sxid_t)
-
-can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
-allow sxid_t bin_t:lnk_file read;
-
-log_domain(sxid)
-
-allow sxid_t file_type:notdevfile_class_set getattr;
-allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow sxid_t ttyfile:chr_file getattr;
-allow sxid_t file_type:dir { getattr read search };
-allow sxid_t sysadmfile:file { getattr read };
-dontaudit sxid_t devpts_t:dir r_dir_perms;
-allow sxid_t fs_type:dir { getattr read search };
-
-# Use the network.
-can_network_server(sxid_t)
-allow sxid_t self:fifo_file rw_file_perms;
-allow sxid_t self:unix_stream_socket create_socket_perms;
-
-allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
-read_sysctl(sxid_t)
-allow sxid_t devtty_t:chr_file rw_file_perms;
-
-allow sxid_t self:capability { dac_override dac_read_search fsetid };
-dontaudit sxid_t self:capability { setuid setgid };
-
-ifdef(`mta.te', `
-# sxid leaves an open file handle to /proc/mounts
-dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };
-
-# allow mta to read the log files
-allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
-# stop warnings if mailx is passed a read/write file handle
-dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
-')
-
-allow logrotate_t sxid_t:file { getattr write };
-
-dontaudit sxid_t security_t:dir { getattr read search };
diff --git a/mls/domains/program/unused/thunderbird.te b/mls/domains/program/unused/thunderbird.te
deleted file mode 100644
index c640f875..00000000
--- a/mls/domains/program/unused/thunderbird.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# DESC - Thunderbird
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executables
-type thunderbird_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/thunderbird_macros.te
-bool disable_thunderbird_trans false;
diff --git a/mls/domains/program/unused/tinydns.te b/mls/domains/program/unused/tinydns.te
deleted file mode 100644
index a911b89f..00000000
--- a/mls/domains/program/unused/tinydns.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#DESC TINYDNS - Name server for djbdns
-#
-# Authors: Matthew J. Fanto
-#
-# Based off Named policy file written by
-# Yuichi Nakamura ,
-# Russell Coker
-# X-Debian-Packages: djbdns-installer djbdns
-#
-#
-
-#################################
-#
-# Rules for the tinydns_t domain.
-#
-daemon_domain(tinydns)
-
-can_exec(tinydns_t, tinydns_exec_t)
-allow tinydns_t sbin_t:dir search;
-
-allow tinydns_t self:process setsched;
-
-# A type for configuration files of tinydns.
-type tinydns_conf_t, file_type, sysadmfile;
-
-# for primary zone files - the data file
-type tinydns_zone_t, file_type, sysadmfile;
-
-allow tinydns_t etc_t:file { getattr read };
-allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
-
-#tinydns can use network
-can_network_server(tinydns_t)
-allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-# allow UDP transfer to/from any program
-can_udp_send(domain, tinydns_t)
-can_udp_send(tinydns_t, domain)
-# tinydns itself doesn't do zone transfers
-# so we do not need to have it tcp_connect
-
-#read configuration files
-r_dir_file(tinydns_t, tinydns_conf_t)
-
-r_dir_file(tinydns_t, tinydns_zone_t)
-
-# allow tinydns to create datagram sockets (udp)
-# allow tinydns_t self:unix_stream_socket create_stream_socket_perms;
-allow tinydns_t self:unix_dgram_socket create_socket_perms;
-
-# Read /dev/random.
-allow tinydns_t device_t:dir r_dir_perms;
-allow tinydns_t random_device_t:chr_file r_file_perms;
-
-# Set own capabilities.
-allow tinydns_t self:process setcap;
-
-# for chmod in start script
-dontaudit initrc_t tinydns_var_run_t:dir setattr;
diff --git a/mls/domains/program/unused/transproxy.te b/mls/domains/program/unused/transproxy.te
deleted file mode 100644
index e34b8043..00000000
--- a/mls/domains/program/unused/transproxy.te
+++ /dev/null
@@ -1,36 +0,0 @@
-#DESC Transproxy - Transparent proxy for web access
-#
-# Author: Russell Coker
-# X-Debian-Packages: transproxy
-#
-
-#################################
-#
-# Rules for the transproxy_t domain.
-#
-# transproxy_exec_t is the type of the transproxy executable.
-#
-daemon_domain(transproxy)
-
-# Use the network.
-can_network_server_tcp(transproxy_t)
-allow transproxy_t transproxy_port_t:tcp_socket name_bind;
-
-#allow transproxy_t self:fifo_file { read write };
-allow transproxy_t self:unix_stream_socket create_socket_perms;
-allow transproxy_t self:unix_dgram_socket create_socket_perms;
-
-# Use capabilities
-allow transproxy_t self:capability { setgid setuid };
-#allow transproxy_t self:process setsched;
-
-#allow transproxy_t proc_t:file r_file_perms;
-
-# read config files
-allow transproxy_t etc_t:lnk_file read;
-allow transproxy_t etc_t:file { read getattr };
-
-#allow transproxy_t etc_t:dir r_dir_perms;
-
-#read_sysctl(transproxy_t)
-
diff --git a/mls/domains/program/unused/tripwire.te b/mls/domains/program/unused/tripwire.te
deleted file mode 100644
index 9ee61e84..00000000
--- a/mls/domains/program/unused/tripwire.te
+++ /dev/null
@@ -1,139 +0,0 @@
-# DESC tripwire
-#
-# Author: David Hampton
-#
-
-# NOTE: Tripwire creates temp file in its current working directory.
-# This policy does not allow write access to home directories, so
-# users will need to either cd to a directory where they have write
-# permission, or set the TEMPDIRECTORY variable in the tripwire config
-# file. The latter is preferable, as then the file_type_auto_trans
-# rules will kick in and label the files as private to tripwire.
-
-
-# Common definitions
-type tripwire_report_t, file_type, sysadmfile;
-etcdir_domain(tripwire)
-var_lib_domain(tripwire)
-tmp_domain(tripwire)
-
-
-# Macro for defining tripwire domains
-define(`tripwire_domain',`
-application_domain($1, `, auth')
-role system_r types $1_t;
-
-# Allow access to common tripwire files
-allow $1_t tripwire_etc_t:file r_file_perms;
-allow $1_t tripwire_etc_t:dir r_dir_perms;
-allow $1_t tripwire_etc_t:lnk_file { getattr read };
-file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
-allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
-file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
-
-allow $1_t self:process { fork sigchld };
-allow $1_t self:capability { setgid setuid dac_override };
-
-# Tripwire needs to read all files on the system
-general_proc_read_access($1_t)
-allow $1_t file_type:dir { search getattr read};
-allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
-allow $1_t file_type:fifo_file { getattr };
-allow $1_t device_type:file { getattr read };
-allow $1_t sysctl_t:dir { getattr read };
-allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;
-
-# Tripwire report files
-create_dir_file($1_t, tripwire_report_t)
-
-# gethostid()?
-allow $1_t self:unix_stream_socket { connect create };
-
-# Running editor program (tripwire forks then runs bash which rins editor)
-can_exec($1_t, shell_exec_t)
-can_exec($1_t, bin_t)
-uses_shlib($1_t)
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-')
-
-
-##########
-##########
-
-#
-# When run by a user
-#
-tripwire_domain(`tripwire')
-
-# Running from the command line
-allow tripwire_t devpts_t:dir search;
-allow tripwire_t devtty_t:chr_file { read write };
-allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
-allow tripwire_t privfd:fd use;
-
-
-##########
-##########
-
-#
-# When run from cron
-#
-tripwire_domain(`tripwire_crond')
-system_crond_entry(tripwire_exec_t, tripwire_crond_t)
-domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)
-
-# Tripwire uses a temp file in the root home directory
-#create_dir_file(tripwire_crond_t, root_t)
-
-
-##########
-# Twadmin
-##########
-application_domain(twadmin)
-read_locale(twadmin_t)
-create_dir_file(twadmin_t, tripwire_etc_t)
-
-allow twadmin_t sysadm_tmp_t:file { getattr read write };
-
-# Running from the command line
-allow twadmin_t sshd_t:fd use;
-allow twadmin_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit twadmin_t { bin_t sbin_t }:dir search;
-dontaudit twadmin_t home_root_t:dir search;
-dontaudit twprint_t user_home_dir_t:dir search;
-
-
-##########
-# Twprint
-##########
-application_domain(twprint)
-read_locale(twprint_t)
-r_dir_file(twprint_t, tripwire_etc_t)
-allow twprint_t { var_t var_lib_t }:dir search;
-r_dir_file(twprint_t, tripwire_var_lib_t)
-r_dir_file(twprint_t, tripwire_report_t)
-
-# Running from the command line
-allow twprint_t sshd_t:fd use;
-allow twprint_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit twprint_t { bin_t sbin_t }:dir search;
-dontaudit twprint_t home_root_t:dir search;
-
-
-##########
-# Siggen
-##########
-application_domain(siggen, `, auth')
-read_locale(siggen_t)
-
-# Need permission to read files
-allow siggen_t file_type:dir { search getattr read};
-allow siggen_t file_type:file {getattr read};
-
-# Running from the command line
-allow siggen_t sshd_t:fd use;
-allow siggen_t admin_tty_type:chr_file rw_file_perms;
diff --git a/mls/domains/program/unused/tvtime.te b/mls/domains/program/unused/tvtime.te
deleted file mode 100644
index fa720218..00000000
--- a/mls/domains/program/unused/tvtime.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC tvtime - a high quality television application
-#
-# Domains for the tvtime program.
-# Author : Dan Walsh
-#
-# tvtime_exec_t is the type of the tvtime executable.
-#
-type tvtime_exec_t, file_type, sysadmfile, exec_type;
-type tvtime_dir_t, file_type, sysadmfile, pidfile;
-
-# Everything else is in the tvtime_domain macro in
-# macros/program/tvtime_macros.te.
diff --git a/mls/domains/program/unused/ucspi-tcp.te b/mls/domains/program/unused/ucspi-tcp.te
deleted file mode 100644
index b2eeb5c9..00000000
--- a/mls/domains/program/unused/ucspi-tcp.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC ucspi-tcp - TCP Server and Client Tools
-#
-# Author Petre Rodan
-# Andy Dustman (rblsmtp-related policy)
-#
-
-# http://cr.yp.to/ucspi-tcp.html
-
-daemon_base_domain(utcpserver)
-can_network(utcpserver_t)
-
-allow utcpserver_t etc_t:file r_file_perms;
-allow utcpserver_t { bin_t sbin_t var_t }:dir search;
-
-allow utcpserver_t self:capability { net_bind_service setgid setuid };
-allow utcpserver_t self:fifo_file { read write };
-allow utcpserver_t self:process { fork sigchld };
-
-allow utcpserver_t port_t:udp_socket name_bind;
-
-ifdef(`qmail.te', `
-domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
-allow utcpserver_t smtp_port_t:tcp_socket name_bind;
-allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr };
-allow utcpserver_t qmail_etc_t:dir r_dir_perms;
-allow utcpserver_t qmail_etc_t:file r_file_perms;
-')
-
-daemon_base_domain(rblsmtpd)
-can_network(rblsmtpd_t)
-
-allow rblsmtpd_t self:process { fork sigchld };
-
-allow rblsmtpd_t etc_t:file r_file_perms;
-allow rblsmtpd_t { bin_t var_t }:dir search;
-allow rblsmtpd_t port_t:udp_socket name_bind;
-allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
-
-ifdef(`qmail.te', `
-domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
-allow qmail_queue_t rblsmtpd_t:fd use;
-')
-
-ifdef(`daemontools.te', `
-svc_ipc_domain(rblsmtpd_t)
-')
-
-domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
-
diff --git a/mls/domains/program/unused/uml.te b/mls/domains/program/unused/uml.te
deleted file mode 100644
index 75ae5012..00000000
--- a/mls/domains/program/unused/uml.te
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# Author: Russell Coker
-#
-type uml_exec_t, file_type, sysadmfile, exec_type;
-type uml_ro_t, file_type, sysadmfile;
-
-# the main code is in macros/program/uml_macros.te
-
-daemon_domain(uml_switch)
-allow uml_switch_t self:unix_dgram_socket create_socket_perms;
-allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
-allow initrc_t uml_switch_var_run_t:sock_file setattr;
-rw_dir_create_file(initrc_t, uml_switch_var_run_t)
diff --git a/mls/domains/program/unused/uml_net.te b/mls/domains/program/unused/uml_net.te
deleted file mode 100644
index da3fe345..00000000
--- a/mls/domains/program/unused/uml_net.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC uml_net helper program for user-mode Linux
-#
-# Author: Russell Coker
-#
-# WARNING: Do not install this file on any machine that has hostile users.
-
-type uml_net_t, domain, privlog;
-type uml_net_exec_t, file_type, sysadmfile, exec_type;
-in_user_role(uml_net_t)
-allow uml_net_t self:process { fork signal_perms };
-allow uml_net_t { bin_t sbin_t }:dir search;
-allow uml_net_t self:fifo_file { read write };
-allow uml_net_t device_t:dir search;
-allow uml_net_t self:udp_socket { create ioctl };
-uses_shlib(uml_net_t)
-allow uml_net_t devtty_t:chr_file { read write };
-allow uml_net_t etc_runtime_t:file { getattr read };
-allow uml_net_t etc_t:file { getattr read };
-allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
-allow uml_net_t proc_t:file { getattr read };
-
-# if you want ip_forward to be set then you should set it yourself
-dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
-dontaudit uml_net_t sysctl_net_t:file write;
-
-dontaudit ifconfig_t uml_net_t:udp_socket { read write };
-dontaudit uml_net_t self:capability sys_module;
-
-allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
-can_exec(uml_net_t, { shell_exec_t sbin_t })
diff --git a/mls/domains/program/unused/uptimed.te b/mls/domains/program/unused/uptimed.te
deleted file mode 100644
index 0c9b1c73..00000000
--- a/mls/domains/program/unused/uptimed.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#DESC uptimed - a uptime daemon
-#
-# Author: Carsten Grohmann
-#
-# Date: 19. June 2003
-#
-
-#################################
-#
-# General Types
-#
-
-type uptimed_spool_t, file_type, sysadmfile;
-
-#################################
-#
-# Rules for the uptimed_t domain.
-#
-daemon_domain(uptimed, `,privmail')
-etc_domain(uptimed)
-typealias uptimed_etc_t alias etc_uptimed_t;
-file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)
-allow uptimed_t proc_t:file { getattr read };
-read_locale(uptimed_t)
-allow uptimed_t uptimed_spool_t:file create_file_perms;
-allow uptimed_t self:unix_dgram_socket create_socket_perms;
-
-# to send mail
-can_exec(uptimed_t, shell_exec_t)
-allow uptimed_t { bin_t sbin_t }:dir search;
-allow uptimed_t bin_t:lnk_file read;
-allow uptimed_t etc_runtime_t:file { getattr read };
-allow uptimed_t self:fifo_file { getattr write };
-
-# rules for uprecords - it runs in the user context
-allow userdomain uptimed_spool_t:dir search;
-allow userdomain uptimed_spool_t:file { getattr read };
diff --git a/mls/domains/program/unused/uwimapd.te b/mls/domains/program/unused/uwimapd.te
deleted file mode 100644
index f1f58316..00000000
--- a/mls/domains/program/unused/uwimapd.te
+++ /dev/null
@@ -1,47 +0,0 @@
-#DESC uw-imapd-ssl server
-#
-# Author: Ed Street
-# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)
-# Depends: inetd.te
-#
-
-daemon_domain(imapd, `, auth_chkpwd, privhome')
-tmp_domain(imapd)
-
-can_network_server_tcp(imapd_t)
-allow imapd_t port_type:tcp_socket name_connect;
-
-#declare our own services
-allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow imapd_t pop_port_t:tcp_socket name_bind;
-
-#declare this a socket from inetd
-allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow imapd_t self:unix_stream_socket create_socket_perms;
-domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')
-
-#friendly stuff we dont want to see :)
-dontaudit imapd_t bin_t:dir search;
-
-#read /etc/ for hostname nsswitch.conf
-allow imapd_t etc_t:file { getattr read };
-
-#socket i/o stuff
-allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };
-
-#read resolv.conf
-allow imapd_t net_conf_t:file { getattr read };
-
-#urandom, for ssl
-allow imapd_t random_device_t:chr_file read;
-allow imapd_t urandom_device_t:chr_file { read getattr };
-
-allow imapd_t self:fifo_file rw_file_perms;
-
-#mail directory
-rw_dir_file(imapd_t, mail_spool_t)
-
-#home directory
-allow imapd_t home_root_t:dir search;
-allow imapd_t self:file { read getattr };
diff --git a/mls/domains/program/unused/vmware.te b/mls/domains/program/unused/vmware.te
deleted file mode 100644
index fcda9b83..00000000
--- a/mls/domains/program/unused/vmware.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC VMWare - Virtual machine
-#
-# Domains,types and permissions for running VMWare (the program) and for
-# running a SELinux system in a VMWare session (the VMWare-tools).
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
-# modifications by NAI Labs.
-#
-# Domain is for the VMWare admin programs and daemons.
-# X-Debian-Packages:
-#
-# NOTE: The user vmware domain is provided separately in
-# macros/program/vmware_macros.te
-#
-# Next two domains are create by the daemon_domain() macro.
-# The vmware_t domain is for running VMWare daemons
-# The vmware_exec_t type is for the VMWare daemon and admin programs.
-#
-# quick hack making it privhome, should have a domain for each user in a macro
-daemon_domain(vmware, `, privhome')
-
-#
-# The vmware_user_exec_t type is for the user programs.
-#
-type vmware_user_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for vmware devices.
-type vmware_device_t, device_type, dev_fs;
-
-# The sys configuration used for the /etc/vmware configuration files
-type vmware_sys_conf_t, file_type, sysadmfile;
-
-#########################################################################
-# Additional rules to start/stop VMWare
-#
-
-# Give init access to VMWare configuration files
-allow initrc_t vmware_sys_conf_t:file { ioctl read append };
-
-#
-# Rules added to kernel_t domain for VMWare to start up
-#
-# VMWare need access to pcmcia devices for network
-ifdef(`cardmgr.te', `
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
-')
-
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
diff --git a/mls/domains/program/unused/watchdog.te b/mls/domains/program/unused/watchdog.te
deleted file mode 100644
index 01ceea88..00000000
--- a/mls/domains/program/unused/watchdog.te
+++ /dev/null
@@ -1,55 +0,0 @@
-#DESC Watchdog - Software watchdog daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: watchdog
-#
-
-#################################
-#
-# Rules for the watchdog_t domain.
-#
-
-daemon_domain(watchdog, `, privmail')
-type watchdog_device_t, device_type, dev_fs;
-
-allow watchdog_t self:process setsched;
-
-log_domain(watchdog)
-
-allow watchdog_t etc_t:file r_file_perms;
-allow watchdog_t etc_t:lnk_file read;
-allow watchdog_t self:unix_dgram_socket create_socket_perms;
-
-allow watchdog_t proc_t:file r_file_perms;
-
-allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
-allow watchdog_t self:fifo_file rw_file_perms;
-allow watchdog_t self:unix_stream_socket create_socket_perms;
-can_network(watchdog_t)
-allow watchdog_t port_type:tcp_socket name_connect;
-can_ypbind(watchdog_t)
-allow watchdog_t bin_t:dir search;
-allow watchdog_t bin_t:lnk_file read;
-allow watchdog_t init_t:process signal;
-allow watchdog_t kernel_t:process sigstop;
-
-allow watchdog_t watchdog_device_t:chr_file { getattr write };
-
-# for orderly shutdown
-can_exec(watchdog_t, shell_exec_t)
-allow watchdog_t domain:process { signal_perms getsession };
-allow watchdog_t self:capability kill;
-allow watchdog_t sbin_t:dir search;
-
-# for updating mtab on umount
-file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)
-
-allow watchdog_t self:capability { sys_admin net_admin sys_boot };
-allow watchdog_t fixed_disk_device_t:blk_file swapon;
-allow watchdog_t { proc_t fs_t }:filesystem unmount;
-
-# record the fact that we are going down
-allow watchdog_t wtmp_t:file append;
-
-# do not care about saving the random seed
-dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;
diff --git a/mls/domains/program/unused/xauth.te b/mls/domains/program/unused/xauth.te
deleted file mode 100644
index 6382d77a..00000000
--- a/mls/domains/program/unused/xauth.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Xauth - X authority file utility
-#
-# Domains for the xauth program.
-# X-Debian-Packages: xbase-clients
-
-# Author: Russell Coker
-#
-# xauth_exec_t is the type of the xauth executable.
-#
-type xauth_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the xauth_domain macro in
-# macros/program/xauth_macros.te.
diff --git a/mls/domains/program/unused/xdm.te b/mls/domains/program/unused/xdm.te
deleted file mode 100644
index e3e9c8da..00000000
--- a/mls/domains/program/unused/xdm.te
+++ /dev/null
@@ -1,376 +0,0 @@
-#DESC XDM - X Display Manager
-#
-# Authors: Mark Westerman mark.westerman@westcam.com
-# Russell Coker
-# X-Debian-Packages: gdm xdm wdm kdm
-# Depends: xserver.te
-#
-# Some wdm-specific changes by Tom Vogt
-#
-# Some alterations and documentation by Stephen Smalley
-#
-
-#################################
-#
-# Rules for the xdm_t domain.
-#
-# xdm_t is the domain of a X Display Manager process
-# spawned by getty.
-# xdm_exec_t is the type of the [xgkw]dm program
-#
-daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
-
-# for running xdm from init
-domain_auto_trans(init_t, xdm_exec_t, xdm_t)
-
-allow xdm_t xdm_var_run_t:dir setattr;
-
-# for xdmctl
-allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
-allow initrc_t xdm_var_run_t:fifo_file unlink;
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
-
-tmp_domain(xdm, `', `{ file dir sock_file }')
-var_lib_domain(xdm)
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-# handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-type xsession_exec_t, file_type, sysadmfile, exec_type;
-type xdm_rw_etc_t, file_type, sysadmfile;
-typealias xdm_rw_etc_t alias etc_xdm_t;
-
-allow xdm_t default_context_t:dir search;
-allow xdm_t default_context_t:{ file lnk_file } { read getattr };
-
-can_network(xdm_t)
-allow xdm_t port_type:tcp_socket name_connect;
-allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
-allow xdm_t self:fifo_file rw_file_perms;
-
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
-allow xdm_xserver_t xdm_t:process signal;
-# for reboot
-allow xdm_t initctl_t:fifo_file write;
-
-# init script wants to check if it needs to update windowmanagerlist
-allow initrc_t xdm_rw_etc_t:file { getattr read };
-ifdef(`distro_suse', `
-# set permissions on /tmp/.X11-unix
-allow initrc_t xdm_tmp_t:dir setattr;
-')
-
-#
-# Use capabilities.
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
-
-allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
-
-# Transition to user domains for user sessions.
-domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
-allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
-allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
-allow unpriv_userdomain xdm_xserver_t:fd use;
-allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
-allow xdm_xserver_t unpriv_userdomain:fd use;
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# gnome-session creates socket under /tmp/.ICE-unix/
-allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
-allow unpriv_userdomain xdm_tmp_t:sock_file create;
-
-# Allow xdm logins as sysadm_r:sysadm_t
-bool xdm_sysadm_login false;
-if (xdm_sysadm_login) {
-domain_trans(xdm_t, xsession_exec_t, sysadm_t)
-allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
-allow sysadm_t xdm_xserver_t:shm r_shm_perms;
-allow sysadm_t xdm_xserver_t:fd use;
-allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
-allow xdm_xserver_t sysadm_t:fd use;
-}
-can_setexec(xdm_t)
-
-# Label pid and temporary files with derived types.
-rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
-allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
-
-# Run helper programs.
-allow xdm_t etc_t:file { getattr read };
-allow xdm_t bin_t:dir { getattr search };
-# lib_t is for running cpp
-can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
-allow xdm_t { bin_t sbin_t }:lnk_file read;
-ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
-ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
-allow xdm_t xdm_xserver_t:process sigkill;
-allow xdm_t xdm_xserver_tmp_t:file unlink;
-
-# Access devices.
-allow xdm_t device_t:dir { read search };
-allow xdm_t console_device_t:chr_file setattr;
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-allow xdm_t framebuf_device_t:chr_file { getattr setattr };
-allow xdm_t mouse_device_t:chr_file { getattr setattr };
-allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
-allow xdm_t dri_device_t:chr_file rw_file_perms;
-allow xdm_t device_t:dir rw_dir_perms;
-allow xdm_t agp_device_t:chr_file rw_file_perms;
-allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
-allow xdm_t v4l_device_t:chr_file { setattr getattr };
-allow xdm_t scanner_device_t:chr_file { setattr getattr };
-allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
-allow xdm_t device_t:lnk_file read;
-can_resmgrd_connect(xdm_t)
-
-# Access xdm log files.
-file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
-allow xdm_t xserver_log_t:dir rw_dir_perms;
-allow xdm_t xserver_log_t:dir setattr;
-# Access /var/gdm/.gdmfifo.
-allow xdm_t xserver_log_t:fifo_file create_file_perms;
-
-allow xdm_t self:shm create_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
-allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
-
-# Remove /tmp/.X11-unix/X0.
-allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
-allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-
-ifdef(`gpm.te', `
-# Talk to the console mouse server.
-allow xdm_t gpmctl_t:sock_file { getattr setattr write };
-allow xdm_t gpm_t:unix_stream_socket connectto;
-')
-
-allow xdm_t sysfs_t:dir search;
-
-# Update utmp and wtmp.
-allow xdm_t initrc_var_run_t: file { read write lock };
-allow xdm_t wtmp_t:file append;
-
-# Update lastlog.
-allow xdm_t lastlog_t:file rw_file_perms;
-
-# Ask the security server for SIDs for user sessions.
-can_getsecurity(xdm_t)
-
-tmpfs_domain(xdm)
-
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-lock_domain(xdm)
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-allow xdm_t xfs_tmp_t:dir search;
-allow xdm_t xfs_tmp_t:sock_file write;
-can_unix_connect(xdm_t, xfs_t)
-')
-
-allow xdm_t self:process { setpgid setsched };
-allow xdm_t etc_t:lnk_file read;
-allow xdm_t etc_runtime_t:file { getattr read };
-
-# wdm has its own config dir /etc/X11/wdm
-# this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
-# Signal any user domain.
-allow xdm_t userdomain:process signal_perms;
-
-allow xdm_t proc_t:file { getattr read };
-
-read_sysctl(xdm_t)
-
-# Search /proc for any user domain processes.
-allow xdm_t userdomain:dir r_dir_perms;
-allow xdm_t userdomain:{ file lnk_file } r_file_perms;
-
-# Allow xdm access to the user domains
-allow xdm_t home_root_t:dir search;
-allow xdm_xserver_t home_root_t:dir search;
-
-# Do not audit denied attempts to access devices.
-dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
-dontaudit xdm_t device_t:file_class_set rw_file_perms;
-dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t devpts_t:dir search;
-
-# Do not audit denied probes of /proc.
-dontaudit xdm_t domain:dir r_dir_perms;
-dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
-
-# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
-allow xdm_t usr_t:{ lnk_file file } { getattr read };
-
-# Read fonts
-read_fonts(xdm_t)
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-# Do not audit access to /root
-dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# Do not audit attempts to check whether user root has email
-dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
-dontaudit xdm_t mail_spool_t:file getattr;
-
-# Access sound device.
-allow xdm_t sound_device_t:chr_file { setattr getattr };
-
-# Allow setting of attributes on power management devices.
-allow xdm_t power_device_t:chr_file { getattr setattr };
-
-# Run the X server in a derived domain.
-xserver_domain(xdm)
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file create_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-# Unrestricted inheritance.
-allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
-
-# Run xkbcomp.
-allow xdm_xserver_t var_lib_t:dir search;
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-
-# Insert video drivers.
-allow xdm_xserver_t self:capability mknod;
-allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
-domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
-allow insmod_t xserver_log_t:file write;
-allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
-
-# Read /proc/dri/.*
-allow xdm_xserver_t proc_t:dir { search read };
-
-# Search /var/run.
-allow xdm_xserver_t var_run_t:dir search;
-
-# FIXME: After per user fonts are properly working
-# xdm_xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-
-# Search home directories.
-allow xdm_xserver_t user_home_type:dir search;
-allow xdm_xserver_t user_home_type:file { getattr read };
-
-if (use_nfs_home_dirs) {
-allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
-allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, cifs_t)
-}
-
-# for .dmrc
-allow xdm_t user_home_dir_type:dir { getattr search };
-allow xdm_t user_home_type:file { getattr read };
-
-ifdef(`support_polyinstatiation', `
-# xdm_t can polyinstantiate
-polyinstantiater(xdm_t)
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-')
-
-allow xdm_t mnt_t:dir { getattr read search };
-#
-# Wants to delete .xsession-errors file
-#
-allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-ifdef(`pam.te', `
-allow xdm_t pam_var_run_t:dir create_dir_perms;
-allow xdm_t pam_var_run_t:file create_file_perms;
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
-can_exec(xdm_t, pam_exec_t)
-# For pam_console
-rw_dir_create_file(xdm_t, pam_var_console_t)
-')
-
-# Pamconsole/alsa
-ifdef(`alsa.te', `
-domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
-') dnl ifdef
-
-allow xdm_t var_log_t:file { getattr read };
-allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process setrlimit;
-allow xdm_t wtmp_t:file { getattr read };
-
-domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
-#
-# Poweroff wants to create the /poweroff file when run from xdm
-#
-file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
-
-#
-# xdm tries to bind to biff_port_t
-#
-dontaudit xdm_t port_type:tcp_socket name_bind;
-
-# VNC v4 module in X server
-allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
-ifdef(`crack.te', `
-allow xdm_t crack_db_t:file r_file_perms;
-')
-r_dir_file(xdm_t, selinux_config_t)
-
-# Run telinit->init to shutdown.
-can_exec(xdm_t, init_exec_t)
-allow xdm_t self:sem create_sem_perms;
-
-# Allow gdm to run gdm-binary
-can_exec(xdm_t, xdm_exec_t)
-
-# Supress permission check on .ICE-unix
-dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
-
-#### Also see xdm_macros.te
-ifdef(`use_mcs', `
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-')
diff --git a/mls/domains/program/unused/xprint.te b/mls/domains/program/unused/xprint.te
deleted file mode 100644
index e1af323e..00000000
--- a/mls/domains/program/unused/xprint.te
+++ /dev/null
@@ -1,50 +0,0 @@ -#DESC X print server -# -# Author: Russell Coker -# X-Debian-Packages: xprt-xprintorg -# - -################################# -# -# Rules for the xprint_t domain. -# -# xprint_exec_t is the type of the xprint executable. -# -daemon_domain(xprint) - -allow initrc_t readable_t:dir r_dir_perms; -allow initrc_t fonts_t:dir r_dir_perms; - -allow xprint_t var_lib_t:dir search; -allow xprint_t fonts_t:dir r_dir_perms; -allow xprint_t fonts_t:file { getattr read }; - -allow xprint_t { bin_t sbin_t }:dir search; -can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t }) -allow xprint_t bin_t:lnk_file { getattr read }; - -allow xprint_t tmp_t:dir { getattr search }; -ifdef(`xdm.te', ` -allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms; -allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms; -') - -# Use the network. -can_network_server(xprint_t) -can_ypbind(xprint_t) -allow xprint_t self:fifo_file rw_file_perms; -allow xprint_t self:unix_stream_socket create_stream_socket_perms; - -allow xprint_t proc_t:file { getattr read }; -allow xprint_t self:file { getattr read }; - -# read config files -allow xprint_t { etc_t etc_runtime_t }:file { getattr read }; -ifdef(`cups.te', ` -allow xprint_t cupsd_etc_t:dir search; -allow xprint_t cupsd_etc_t:file { getattr read }; -') - -r_dir_file(xprint_t, usr_t) - -allow xprint_t urandom_device_t:chr_file { getattr read }; diff --git a/mls/domains/program/unused/xserver.te b/mls/domains/program/unused/xserver.te deleted file mode 100644 index cc2c493e..00000000 --- a/mls/domains/program/unused/xserver.te +++ /dev/null 
@@ -1,20 +0,0 @@
-#DESC XServer - X Server
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: xserver-common xserver-xfree86
-#
-
-# Type for the executable used to start the X server, e.g. Xwrapper.
-type xserver_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for the X server log file.
-type xserver_log_t, file_type, sysadmfile, logfile;
-
-# type for /var/lib/xkb
-type xkb_var_lib_t, file_type, sysadmfile, usercanread;
-typealias xkb_var_lib_t alias var_lib_xkb_t;
-
-# Everything else is in the xserver_domain macro in
-# macros/program/xserver_macros.te.
-
-allow initrc_t xserver_log_t:fifo_file { read write };
diff --git a/mls/domains/program/unused/yam.te b/mls/domains/program/unused/yam.te
deleted file mode 100644
index da85a8cf..00000000
--- a/mls/domains/program/unused/yam.te
+++ /dev/null
@@ -1,149 +0,0 @@ -# DESC yam - Yum/Apt Mirroring -# -# Author: David Hampton -# - - -# -# Yam downloads lots of files, indexes them, and makes them available -# for upload. Define a type for these file. -# -type yam_content_t, file_type, sysadmfile, httpdcontent; - - -# -# Common definitions used by both the command line and the cron -# invocation of yam. -# -define(`yam_common',` - -# Update the content being managed by yam. -create_dir_file($1_t, yam_content_t) - -# Content can also be on ISO image files. -r_dir_file($1_t, iso9660_t) - -# Need to go through /var to get to /var/yam -# Go through /var/www to get to /var/www/yam -allow $1_t var_t:dir { getattr search }; -allow $1_t httpd_sys_content_t:dir { getattr search }; - -# Allow access to locale database, nsswitch, and mtab -read_locale($1_t) -allow $1_t etc_t:file { getattr read }; -allow $1_t etc_runtime_t:file { getattr read }; - -# Python seems to need things from various places -allow $1_t { bin_t sbin_t }:dir { search getattr }; -allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read }; -allow $1_t bin_t:lnk_file read; - -# Python works fine without reading /proc/meminfo -dontaudit $1_t proc_t:dir search; -dontaudit $1_t proc_t:file { getattr read }; - -# Yam wants to run rsync, lftp, mount, and a shell. Allow the latter -# two here. Run rsync and lftp in the yam_t context so that we dont -# have to give any other programs write access to the yam_t files. -general_domain_access($1_t) -can_exec($1_t, shell_exec_t) -can_exec($1_t, rsync_exec_t) -can_exec($1_t, bin_t) -can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py -ifdef(`mount.te', ` -domain_auto_trans($1_t, mount_exec_t, mount_t) -') - -# Rsync and lftp need to network. They also set files attributes to -# match whats on the remote server. 
-can_network_client($1_t) -allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect; -allow $1_t self:capability { chown fowner fsetid dac_override }; -allow $1_t self:process execmem; - -# access to sysctl_kernel_t ( proc/sys/kernel/* ) -read_sysctl($1_t) - -# Programs invoked to build package lists need various permissions. -# genpkglist creates tmp files in /var/cache/apt/genpkglist -allow $1_t var_t:file { getattr read write }; -allow $1_t var_t:dir read; -# mktemp -allow $1_t urandom_device_t:chr_file read; -# mv -allow $1_t proc_t:lnk_file read; -allow $1_t selinux_config_t:dir search; -allow $1_t selinux_config_t:file { getattr read }; -') - - -########## -########## - -# -# Runnig yam from the command line -# -application_domain(yam, `, nscd_client_domain') -role system_r types yam_t; -yam_common(yam) -etc_domain(yam) -tmp_domain(yam) - -# Terminal access -allow yam_t devpts_t:dir search; -allow yam_t devtty_t:chr_file { read write }; -allow yam_t sshd_t:fd use; -allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write }; - -# Reading dotfiles... -allow yam_t sysadm_home_dir_t:dir search; # /root -allow yam_t sysadm_home_t:dir search; # /root/xxx -allow yam_t home_root_t:dir search; # /home -allow yam_t user_home_dir_t:dir r_dir_perms; # /home/user - - -########## -########## - -# -# Running yam from cron -# -application_domain(yam_crond, `, nscd_client_domain') -role system_r types yam_crond_t; -ifdef(`crond.te', ` -system_crond_entry(yam_exec_t, yam_crond_t) -') - -yam_common(yam_crond) -allow yam_crond_t yam_etc_t:file r_file_perms; -file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }') - -allow yam_crond_t devtty_t:chr_file { read write }; - -# Reading dotfiles... -# LFTP uses a directory for its dotfiles -allow yam_crond_t default_t:dir search; - -# Don't know why init tries to read this. 
-allow initrc_t yam_etc_t:file { getattr read }; - - -########## -########## - -# The whole point of this program is to make updates available on a -# local web server. Allow apache access to these files. -ifdef(`apache.te', ` -r_dir_file(httpd_t, yam_content_t) -') - -ifdef(`webalizer.te', ` -dontaudit webalizer_t yam_content_t:dir search; -') - -# Mount needs access to the yam directories in order to mount the ISO -# files on a loobpack file system. -ifdef(`mount.te', ` -allow mount_t yam_content_t:dir mounton; -allow mount_t yam_content_t:file { read write }; -') diff --git a/mls/domains/program/updfstab.te b/mls/domains/program/updfstab.te deleted file mode 100644 index 82edf3d3..00000000 --- a/mls/domains/program/updfstab.te +++ /dev/null 
@@ -1,81 +0,0 @@ -#DESC updfstab - Red Hat utility to change /etc/fstab -# -# Author: Russell Coker -# - -daemon_base_domain(updfstab, `, fs_domain, etc_writer') - -rw_dir_create_file(updfstab_t, etc_t) -create_dir_file(updfstab_t, mnt_t) - -# Read /dev directories and modify sym-links -allow updfstab_t device_t:dir rw_dir_perms; -allow updfstab_t device_t:lnk_file create_file_perms; - -# Access disk devices. -allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms; -allow updfstab_t removable_device_t:blk_file rw_file_perms; -allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms; - -# for /proc/partitions -allow updfstab_t proc_t:file { getattr read }; - -# for /proc/self/mounts -r_dir_file(updfstab_t, self) - -# for /etc/mtab -allow updfstab_t etc_runtime_t:file { getattr read }; - -read_locale(updfstab_t) - -ifdef(`dbusd.te', ` -dbusd_client(system, updfstab) -allow updfstab_t system_dbusd_t:dbus { send_msg }; -allow initrc_t updfstab_t:dbus send_msg; -allow updfstab_t initrc_t:dbus send_msg; -') - -# not sure what the sysctl_kernel_t file is, or why it wants to write it, so -# I will not allow it -read_sysctl(updfstab_t) -dontaudit updfstab_t sysctl_kernel_t:file write; -allow updfstab_t modules_conf_t:file { getattr read }; -allow updfstab_t sbin_t:dir search; -allow updfstab_t sbin_t:lnk_file read; -allow updfstab_t { var_t var_log_t }:dir search; - -allow updfstab_t kernel_t:fd use; - -allow updfstab_t self:unix_stream_socket create_stream_socket_perms; -allow updfstab_t self:unix_dgram_socket create_socket_perms; - -ifdef(`modutil.te', ` -dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t) -can_exec(updfstab_t, insmod_exec_t) -allow updfstab_t modules_object_t:dir search; -allow updfstab_t modules_dep_t:file { getattr read }; -') - -ifdef(`pamconsole.te', ` -domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t) -') -allow updfstab_t kernel_t:system syslog_console; -allow updfstab_t sysadm_tty_device_t:chr_file { read write }; 
-allow updfstab_t self:capability dac_override; -dontaudit updfstab_t self:capability sys_admin; - -r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } ) -can_getsecurity(updfstab_t) - -allow updfstab_t { sbin_t bin_t }:dir { search getattr }; -dontaudit updfstab_t devtty_t:chr_file { read write }; -allow updfstab_t self:fifo_file { getattr read write ioctl }; -can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } ) -dontaudit updfstab_t home_root_t:dir { getattr search }; -dontaudit updfstab_t { home_dir_type home_type }:dir search; -allow updfstab_t fs_t:filesystem { getattr }; -allow updfstab_t tmpfs_t:dir getattr; -ifdef(`hald.te', ` -can_unix_connect(updfstab_t, hald_t) -') - diff --git a/mls/domains/program/usbmodules.te b/mls/domains/program/usbmodules.te deleted file mode 100644 index f76f56b5..00000000 --- a/mls/domains/program/usbmodules.te +++ /dev/null @@ -1,35 +0,0 @@ -#DESC USBModules - List kernel modules for USB devices -# -# Author: Russell Coker -# X-Debian-Packages: -# - -################################# -# -# Rules for the usbmodules_t domain. -# -type usbmodules_t, domain, privlog; -type usbmodules_exec_t, file_type, sysadmfile, exec_type; - -in_user_role(usbmodules_t) -role sysadm_r types usbmodules_t; -role system_r types usbmodules_t; - -domain_auto_trans(initrc_t, usbmodules_exec_t, usbmodules_t) -ifdef(`hotplug.te',` -domain_auto_trans(hotplug_t, usbmodules_exec_t, usbmodules_t) -allow usbmodules_t hotplug_etc_t:file r_file_perms; -allow usbmodules_t hotplug_etc_t:dir search; -') -allow usbmodules_t init_t:fd use; -allow usbmodules_t console_device_t:chr_file { read write }; - -uses_shlib(usbmodules_t) - -# allow usb device access -allow usbmodules_t usbdevfs_t:file rw_file_perms; - -allow usbmodules_t { etc_t modules_object_t proc_t usbdevfs_t }:dir r_dir_perms; - -# needs etc_t read access for the hotplug config, maybe should have a new type -allow usbmodules_t { etc_t modules_dep_t }:file r_file_perms; 
diff --git a/mls/domains/program/useradd.te b/mls/domains/program/useradd.te deleted file mode 100644 index 1df38af0..00000000 --- a/mls/domains/program/useradd.te +++ /dev/null 
@@ -1,108 +0,0 @@ -#DESC Useradd - Manage system user accounts -# -# Authors: Chris Vance David Caplan -# Russell Coker -# X-Debian-Packages: passwd -# - -################################# -# -# Rules for the useradd_t and groupadd_t domains. -# -# useradd_t is the domain of the useradd/userdel programs. -# groupadd_t is for adding groups (can not create home dirs) -# -define(`user_group_add_program', ` -type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain; -role sysadm_r types $1_t; -role system_r types $1_t; - -general_domain_access($1_t) -uses_shlib($1_t) - -type $1_exec_t, file_type, sysadmfile, exec_type; -domain_auto_trans(sysadm_t, $1_exec_t, $1_t) -domain_auto_trans(initrc_t, $1_exec_t, $1_t) - -# Use capabilities. -allow $1_t self:capability { dac_override chown kill }; - -# Allow access to context for shadow file -can_getsecurity($1_t) - -# Inherit and use descriptors from login. -allow $1_t { init_t privfd }:fd use; - -# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. -allow $1_t { bin_t sbin_t }:dir r_dir_perms; -can_exec($1_t, { bin_t sbin_t }) - -# Update /etc/shadow and /etc/passwd -file_type_auto_trans($1_t, etc_t, shadow_t, file) -allow $1_t etc_t:file create_file_perms; - -# some apps ask for these accesses, but seems to work regardless -dontaudit $1_t var_run_t:dir search; -r_dir_file($1_t, selinux_config_t) - -# Set fscreate context. -can_setfscreate($1_t) - -allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto }; - -read_locale($1_t) - -# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, -# but will operate without them. -dontaudit $1_t { device_t var_t var_log_t }:dir search; - -# For userdel and groupadd -allow $1_t fs_t:filesystem getattr; - -# Access terminals. 
-allow $1_t ttyfile:chr_file rw_file_perms; -allow $1_t ptyfile:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') - -# for when /root is the cwd -dontaudit $1_t sysadm_home_dir_t:dir search; -nsswitch_domain($1_t) - -allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; -') -user_group_add_program(useradd) -allow useradd_t lastlog_t:file { getattr read write }; - -# for getting the number of groups -read_sysctl(useradd_t) - -# Add/remove user home directories -file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir) -file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t) - -# create/delete mail spool file in /var/mail -allow useradd_t var_spool_t:dir search; -allow useradd_t mail_spool_t:dir { search write add_name remove_name }; -allow useradd_t mail_spool_t:file create_file_perms; -# /var/mail is a link to /var/spool/mail -allow useradd_t mail_spool_t:lnk_file read; - -allow useradd_t self:capability { fowner fsetid setuid sys_resource }; -can_exec(useradd_t, shell_exec_t) - -# /usr/bin/userdel locks the user being deleted, allow write access to utmp -allow useradd_t initrc_var_run_t:file { read write lock }; - -user_group_add_program(groupadd) - -dontaudit groupadd_t self:capability fsetid; - -allow groupadd_t self:capability { setuid sys_resource }; -allow groupadd_t self:process setrlimit; -allow groupadd_t initrc_var_run_t:file r_file_perms; -dontaudit groupadd_t initrc_var_run_t:file write; - -allow useradd_t default_context_t:dir search; -allow useradd_t file_context_t:dir search; -allow useradd_t file_context_t:file { getattr read }; -allow useradd_t var_lib_t:dir search; diff --git a/mls/domains/program/userhelper.te b/mls/domains/program/userhelper.te deleted file mode 100644 index cab6c70f..00000000 --- a/mls/domains/program/userhelper.te +++ /dev/null 
@@ -1,22 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors: Dan Walsh (Red Hat)
-# Maintained by Dan Walsh
-#
-
-#################################
-#
-# Rules for the userhelper_t domain.
-#
-# userhelper_exec_t is the type of the userhelper executable.
-# userhelper_conf_t is the type of the userhelper configuration files.
-#
-type userhelper_exec_t, file_type, exec_type, sysadmfile;
-type userhelper_conf_t, file_type, sysadmfile;
-
-# Everything else is in the userhelper_domain macro in
-# macros/program/userhelper_macros.te.
-
-ifdef(`xdm.te', `
-dontaudit xdm_t userhelper_conf_t:dir search;
-')
diff --git a/mls/domains/program/usernetctl.te b/mls/domains/program/usernetctl.te
deleted file mode 100644
index 6a2c64fd..00000000
--- a/mls/domains/program/usernetctl.te
+++ /dev/null
@@ -1,64 +0,0 @@ -#DESC usernetctl - User network interface configuration helper -# -# Author: Colin Walters - -type usernetctl_exec_t, file_type, sysadmfile, exec_type; - -type usernetctl_t, domain, privfd; - -if (user_net_control) { -domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t) -} else { -can_exec(userdomain, usernetctl_exec_t) -} -in_user_role(usernetctl_t) -role sysadm_r types usernetctl_t; - -define(`usernetctl_transition',` -domain_auto_trans(usernetctl_t, $1_exec_t, $1_t) -in_user_role($1_t) -allow $1_t userpty_type:chr_file { getattr read write }; -') - -ifdef(`ifconfig.te',` -usernetctl_transition(ifconfig) -') -ifdef(`iptables.te',` -usernetctl_transition(iptables) -') -ifdef(`dhcpc.te',` -usernetctl_transition(dhcpc) -allow usernetctl_t dhcp_etc_t:file ra_file_perms; -') -ifdef(`modutil.te',` -usernetctl_transition(insmod) -') -ifdef(`consoletype.te',` -usernetctl_transition(consoletype) -') -ifdef(`hostname.te',` -usernetctl_transition(hostname) -') - -allow usernetctl_t self:capability { setuid setgid dac_override }; - -base_file_read_access(usernetctl_t) -base_pty_perms(usernetctl) -allow usernetctl_t devtty_t:chr_file rw_file_perms; -uses_shlib(usernetctl_t) -read_locale(usernetctl_t) -general_domain_access(usernetctl_t) - -r_dir_file(usernetctl_t, proc_t) -dontaudit usernetctl_t { domain - usernetctl_t }:dir search; - -allow usernetctl_t userpty_type:chr_file rw_file_perms; - -can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t}) -can_exec(usernetctl_t, etc_t) - -r_dir_file(usernetctl_t, etc_t) -allow usernetctl_t { var_t var_run_t }:dir { getattr read search }; -allow usernetctl_t etc_runtime_t:file r_file_perms; -allow usernetctl_t net_conf_t:file r_file_perms; - diff --git a/mls/domains/program/utempter.te b/mls/domains/program/utempter.te deleted file mode 100644 index 92b443fd..00000000 --- a/mls/domains/program/utempter.te +++ /dev/null 
@@ -1,51 +0,0 @@ -#DESC Utempter - Privileged helper for utmp/wtmp updates -# -# Authors: Stephen Smalley and Timothy Fraser -# X-Debian-Packages: -# - -################################# -# -# Rules for the utempter_t domain. -# -# This is the domain for the utempter program. utempter is -# executed by xterm to update utmp and wtmp. -# utempter_exec_t is the type of the utempter binary. -# -type utempter_t, domain, nscd_client_domain; -in_user_role(utempter_t) -role sysadm_r types utempter_t; -uses_shlib(utempter_t) -type utempter_exec_t, file_type, sysadmfile, exec_type; -domain_auto_trans(userdomain, utempter_exec_t, utempter_t) - -allow utempter_t urandom_device_t:chr_file { getattr read }; - -# Use capabilities. -allow utempter_t self:capability setgid; - -allow utempter_t etc_t:file { getattr read }; - -# Update /var/run/utmp and /var/log/wtmp. -allow utempter_t initrc_var_run_t:file rw_file_perms; -allow utempter_t var_log_t:dir search; -allow utempter_t wtmp_t:file rw_file_perms; - -# dontaudit access to /dev/ptmx. -dontaudit utempter_t ptmx_t:chr_file rw_file_perms; -dontaudit utempter_t sysadm_devpts_t:chr_file { read write }; - -# Allow utemper to write to /tmp/.xses-* -allow utempter_t user_tmpfile:file { getattr write append }; - -# Inherit and use descriptors from login. -allow utempter_t privfd:fd use; -ifdef(`xdm.te', `can_pipe_xdm(utempter_t)') - -allow utempter_t self:unix_stream_socket create_stream_socket_perms; - -# Access terminals. -allow utempter_t ttyfile:chr_file getattr; -allow utempter_t ptyfile:chr_file getattr; -allow utempter_t devpts_t:dir search; -dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write }; diff --git a/mls/domains/program/uucpd.te b/mls/domains/program/uucpd.te deleted file mode 100644 index 05791bd3..00000000 --- a/mls/domains/program/uucpd.te +++ /dev/null 
@@ -1,24 +0,0 @@
-#DESC uucpd - UUCP file transfer daemon
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the uucpd_t domain.
-#
-# uucpd_exec_t is the type of the uucpd executable.
-#
-
-inetd_child_domain(uucpd, tcp)
-type uucpd_rw_t, file_type, sysadmfile;
-type uucpd_ro_t, file_type, sysadmfile;
-type uucpd_spool_t, file_type, sysadmfile;
-create_dir_file(uucpd_t, uucpd_rw_t)
-r_dir_file(uucpd_t, uucpd_ro_t)
-allow uucpd_t sbin_t:dir search;
-can_exec(uucpd_t, sbin_t)
-logdir_domain(uucpd)
-allow uucpd_t var_spool_t:dir search;
-create_dir_file(uucpd_t, uucpd_spool_t)
diff --git a/mls/domains/program/vpnc.te b/mls/domains/program/vpnc.te
deleted file mode 100644
index 01ddac16..00000000
--- a/mls/domains/program/vpnc.te
+++ /dev/null
@@ -1,62 +0,0 @@ -#DESC vpnc -# -# Author: Dan Walsh -# - -################################# -# -# Rules for the vpnc_t domain, et al. -# -# vpnc_t is the domain for the vpnc program. -# vpnc_exec_t is the type of the vpnc executable. -# -application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain') - -allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read }; - -# Use the network. -can_network(vpnc_t) -allow vpnc_t port_type:tcp_socket name_connect; -allow vpnc_t isakmp_port_t:udp_socket name_bind; - -can_ypbind(vpnc_t) -allow vpnc_t self:socket create_socket_perms; - -# Use capabilities. -allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw }; - -allow vpnc_t devpts_t:dir search; -allow vpnc_t etc_t:file { getattr read }; -allow vpnc_t tun_tap_device_t:chr_file { ioctl read write }; -allow vpnc_t self:rawip_socket create_socket_perms; -allow vpnc_t self:unix_dgram_socket create_socket_perms; -allow vpnc_t self:unix_stream_socket create_socket_perms; -allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms; -allow vpnc_t port_t:udp_socket name_bind; -allow vpnc_t etc_runtime_t:file { getattr read }; -allow vpnc_t proc_t:file { getattr read }; -dontaudit vpnc_t selinux_config_t:dir search; -can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t }) -allow vpnc_t sysctl_net_t:dir search; -allow vpnc_t sysctl_net_t:file write; -allow vpnc_t sbin_t:dir search; -allow vpnc_t bin_t:dir search; -allow vpnc_t bin_t:lnk_file read; -allow vpnc_t self:dir search; -r_dir_file(vpnc_t, proc_t) -r_dir_file(vpnc_t, proc_net_t) -tmp_domain(vpnc) -allow vpnc_t self:fifo_file { getattr ioctl read write }; -allow vpnc_t self:file { getattr read }; -allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file) -allow vpnc_t etc_t:file { execute execute_no_trans ioctl }; -dontaudit vpnc_t home_root_t:dir search; -dontaudit vpnc_t user_home_dir_type:dir 
search; -var_run_domain(vpnc) -allow vpnc_t userdomain:fd use; -r_dir_file(vpnc_t, sysfs_t) -allow vpnc_t self:process { fork sigchld }; -read_locale(vpnc_t) -read_sysctl(vpnc_t) -allow vpnc_t fs_t:filesystem getattr; diff --git a/mls/domains/program/webalizer.te b/mls/domains/program/webalizer.te deleted file mode 100644 index c1f38bde..00000000 --- a/mls/domains/program/webalizer.te +++ /dev/null @@ -1,51 +0,0 @@ -# DESC webalizer - webalizer -# -# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp) -# -# Depends: apache.te - -application_domain(webalizer, `, nscd_client_domain') -# to use from cron -system_crond_entry(webalizer_exec_t,webalizer_t) -role system_r types webalizer_t; - -##type definision -# type for usage file -type webalizer_usage_t,file_type,sysadmfile; -# type for /var/lib/webalizer -type webalizer_write_t,file_type,sysadmfile; -# type for webalizer.conf -etc_domain(webalizer) - -#read apache log -allow webalizer_t var_log_t:dir r_dir_perms; -r_dir_file(webalizer_t, httpd_log_t) -ifdef(`ftpd.te', ` -allow webalizer_t xferlog_t:file { getattr read }; -') - -#r/w /var/lib/webalizer -var_lib_domain(webalizer) - -#read /var/www/usage -create_dir_file(webalizer_t, httpd_sys_content_t) - -#read system files under /etc -allow webalizer_t { etc_t etc_runtime_t }:file { getattr read }; -read_locale(webalizer_t) - -# can use tmp file -tmp_domain(webalizer) - -# can read /proc -read_sysctl(webalizer_t) -allow webalizer_t proc_t:dir search; -allow webalizer_t proc_t:file r_file_perms; - -# network -can_network_server(webalizer_t) - -#process communication inside webalizer itself -general_domain_access(webalizer_t) - -allow webalizer_t self:capability dac_override; diff --git a/mls/domains/program/winbind.te b/mls/domains/program/winbind.te deleted file mode 100644 index 7b9e5e98..00000000 --- a/mls/domains/program/winbind.te +++ /dev/null 
@@ -1,50 +0,0 @@ -#DESC winbind - Name Service Switch daemon for resolving names from NT servers -# -# Author: Dan Walsh (dwalsh@redhat.com) -# - -################################# -# -# Declarations for winbind -# - -daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain') -log_domain(winbind) -tmp_domain(winbind) -allow winbind_t etc_t:file r_file_perms; -allow winbind_t etc_t:lnk_file read; -can_network(winbind_t) -allow winbind_t smbd_port_t:tcp_socket name_connect; -can_resolve(winbind_t) - -ifdef(`samba.te', `', ` -type samba_etc_t, file_type, sysadmfile, usercanread; -type samba_log_t, file_type, sysadmfile, logfile; -type samba_var_t, file_type, sysadmfile; -type samba_secrets_t, file_type, sysadmfile; -') -file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file) -rw_dir_create_file(winbind_t, samba_log_t) -allow winbind_t samba_secrets_t:file rw_file_perms; -allow winbind_t self:unix_dgram_socket create_socket_perms; -allow winbind_t self:unix_stream_socket create_stream_socket_perms; -allow winbind_t urandom_device_t:chr_file { getattr read }; -allow winbind_t self:fifo_file { read write }; -rw_dir_create_file(winbind_t, samba_var_t) -can_kerberos(winbind_t) -allow winbind_t self:netlink_route_socket r_netlink_socket_perms; -allow winbind_t winbind_var_run_t:sock_file create_file_perms; -allow initrc_t winbind_var_run_t:file r_file_perms; - -application_domain(winbind_helper, `, nscd_client_domain') -role system_r types winbind_helper_t; -access_terminal(winbind_helper_t, sysadm) -read_locale(winbind_helper_t) -r_dir_file(winbind_helper_t, samba_etc_t) -r_dir_file(winbind_t, samba_etc_t) -allow winbind_helper_t self:unix_dgram_socket create_socket_perms; -allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; -allow winbind_helper_t samba_var_t:dir search; -allow winbind_helper_t winbind_var_run_t:dir r_dir_perms; -can_winbind(winbind_helper_t) -allow winbind_helper_t privfd:fd use; 
diff --git a/mls/domains/program/xfs.te b/mls/domains/program/xfs.te
deleted file mode 100644
index 04302cde..00000000
--- a/mls/domains/program/xfs.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC XFS - X Font Server
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: xfs
-#
-
-#################################
-#
-# Rules for the xfs_t domain.
-#
-# xfs_t is the domain of the X font server.
-# xfs_exec_t is the type of the xfs executable.
-#
-daemon_domain(xfs)
-
-# for /tmp/.font-unix/fs7100
-ifdef(`distro_debian', `
-type xfs_tmp_t, file_type, sysadmfile, tmpfile;
-allow xfs_t tmp_t:dir search;
-file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
-', `
-tmp_domain(xfs, `', `{dir sock_file}')
-')
-
-allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
-allow xfs_t proc_t:file { getattr read };
-
-allow xfs_t self:process setpgid;
-can_ypbind(xfs_t)
-
-# Use capabilities.
-allow xfs_t self:capability { setgid setuid };
-
-# Bind to /tmp/.font-unix/fs-1.
-allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-allow xfs_t self:unix_stream_socket create_stream_socket_perms;
-allow xfs_t self:unix_dgram_socket create_socket_perms;
-
-# Read fonts
-read_fonts(xfs_t)
-
-# Unlink the xfs socket.
-allow initrc_t xfs_tmp_t:dir rw_dir_perms;
-allow initrc_t xfs_tmp_t:dir rmdir;
-allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
-allow initrc_t fonts_t:dir create_dir_perms;
-allow initrc_t fonts_t:file create_file_perms;
-
diff --git a/mls/domains/program/ypbind.te b/mls/domains/program/ypbind.te
deleted file mode 100644
index ed7c3f80..00000000
--- a/mls/domains/program/ypbind.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC Ypbind - NIS/YP
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: nis
-# Depends: portmap.te named.te
-#
-
-#################################
-#
-# Rules for the ypbind_t domain.
-#
-daemon_domain(ypbind)
-
-tmp_domain(ypbind)
-
-# Use capabilities.
-allow ypbind_t self:capability { net_bind_service };
-dontaudit ypbind_t self:capability net_admin;
-
-# Use the network.
-can_network(ypbind_t)
-allow ypbind_t port_type:tcp_socket name_connect;
-allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
-
-allow ypbind_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypbind_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypbind_t, portmap_t)
-can_udp_send(ypbind_t, initrc_t)
-
-# Read and write /var/yp.
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
-allow initrc_t var_yp_t:dir { getattr read };
-allow ypbind_t etc_t:file { getattr read };
-allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_udp_send(initrc_t, ypbind_t)
-
diff --git a/mls/domains/program/yppasswdd.te b/mls/domains/program/yppasswdd.te
deleted file mode 100644
index b7588a2f..00000000
--- a/mls/domains/program/yppasswdd.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC yppassdd - NIS password update daemon
-#
-# Authors: Dan Walsh
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the yppasswdd_t domain.
-#
-daemon_domain(yppasswdd, `, auth_write, privowner')
-
-# Use capabilities.
-allow yppasswdd_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(yppasswdd_t)
-
-read_sysctl(yppasswdd_t)
-
-# Send to portmap and initrc.
-can_udp_send(yppasswdd_t, portmap_t)
-can_udp_send(yppasswdd_t, initrc_t)
-
-allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
-allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
-allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
-file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
-allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate(yppasswdd_t)
-allow yppasswdd_t proc_t:file getattr;
-allow yppasswdd_t { bin_t sbin_t }:dir search;
-allow yppasswdd_t bin_t:lnk_file read;
-can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
-allow yppasswdd_t self:fifo_file rw_file_perms;
-rw_dir_create_file(yppasswdd_t, var_yp_t)
diff --git a/mls/domains/program/ypserv.te b/mls/domains/program/ypserv.te
deleted file mode 100644
index b9d95fb8..00000000
--- a/mls/domains/program/ypserv.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC Ypserv - NIS/YP
-#
-# Authors: Dan Walsh
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the ypserv_t domain.
-#
-daemon_domain(ypserv)
-
-tmp_domain(ypserv)
-
-# Use capabilities.
-allow ypserv_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(ypserv_t)
-
-allow ypserv_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypserv_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypserv_t, portmap_t)
-can_udp_send(ypserv_t, initrc_t)
-
-type ypserv_conf_t, file_type, sysadmfile;
-
-# Read and write /var/yp.
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
-allow ypserv_t ypserv_conf_t:file { getattr read };
-allow ypserv_t self:unix_dgram_socket create_socket_perms;
-allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`rpcd.te', `
-allow rpcd_t ypserv_conf_t:file { getattr read };
-')
-allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_exec(ypserv_t, bin_t)
-
-application_domain(ypxfr, `, nscd_client_domain')
-can_network_client(ypxfr_t)
-allow ypxfr_t etc_t:file { getattr read };
-allow ypxfr_t portmap_port_t:tcp_socket name_connect;
-allow ypxfr_t reserved_port_t:tcp_socket name_connect;
-dontaudit ypxfr_t reserved_port_type:tcp_socket name_connect;
-allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/mls/domains/program/zebra.te b/mls/domains/program/zebra.te
deleted file mode 100644
index 0cf4e24f..00000000
--- a/mls/domains/program/zebra.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC Zebra - BGP server
-#
-# Author: Russell Coker
-# X-Debian-Packages: zebra
-#
-
-daemon_domain(zebra, `, sysctl_net_writer')
-type zebra_conf_t, file_type, sysadmfile;
-r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
-
-can_network_server(zebra_t)
-can_ypbind(zebra_t)
-allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow zebra_t self:process setcap;
-allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
-file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
-
-logdir_domain(zebra)
-
-# /tmp/.bgpd is such a bad idea!
-tmp_domain(zebra, `', sock_file)
-
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
-allow zebra_t zebra_port_t:tcp_socket name_bind;
-
-allow zebra_t proc_t:file { getattr read };
-allow zebra_t { sysctl_t sysctl_net_t }:dir search;
-allow zebra_t sysctl_net_t:file rw_file_perms;
diff --git a/mls/domains/user.te b/mls/domains/user.te
deleted file mode 100644
index d86e5d49..00000000
--- a/mls/domains/user.te
+++ /dev/null
@@ -1,108 +0,0 @@
-#DESC User - Domains for ordinary users.
-#
-#################################
-
-# Booleans for user domains.
-
-# Allow applications to read untrusted content
-# If this is disallowed, Internet content has
-# to be manually relabeled for read access to be granted
-bool read_untrusted_content false;
-
-# Allow applications to write untrusted content
-# If this is disallowed, no Internet content
-# will be stored.
-bool write_untrusted_content false;
-
-# Allow users to read system messages.
-bool user_dmesg false;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Allow making anonymous memory executable, e.g.
-# for runtime-code generation or executable stack.
-bool allow_execmem false;
-
-# Allow making the stack executable via mprotect.
-# Also requires allow_execmem.
-bool allow_execstack false;
-
-# Allow making a modified private file mapping executable (text relocation).
-bool allow_execmod false;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols
-bool user_tcp_server false;
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow system to run with kerberos
-bool allow_kerberos false;
-
-# Allow users to rw usb devices
-bool user_rw_usb false;
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-bool user_net_control false;
-
-# Allow regular users direct mouse access
-bool user_direct_mouse false;
-
-# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
-bool user_rw_noexattrfile false;
-
-# Allow reading of default_t files.
-bool read_default_t false;
-
-# Allow staff_r users to search the sysadm home dir and read
-# files (such as ~/.bashrc)
-bool staff_read_sysadm_file false;
-
-
-full_user_role(user)
-
-ifdef(`user_canbe_sysadm', `
-reach_sysadm(user)
-role_tty_type_change(user, sysadm)
-')
-
-# Do not add any rules referring to user_t to this file! That will break
-# support for multiple user roles.
-
-# a role for staff that allows seeing all domains and control over the user_t
-# domain
-full_user_role(staff)
-
-priv_user(staff)
-# if adding new user roles make sure you edit the in_user_role macro in
-# macros/user_macros.te to match
-
-# lots of user programs accidentally search /root, and also the admin often
-# logs in as UID=0 domain=user_t...
-dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-#
-# Allow the user roles to transition
-# into each other.
-role_tty_type_change(sysadm, user)
-role_tty_type_change(staff, sysadm)
-role_tty_type_change(sysadm, staff)
-role_tty_type_change(sysadm, secadm)
-role_tty_type_change(staff, secadm)
-
-# "ps aux" and "ls -l /dev/pts" make too much noise without this
-dontaudit unpriv_userdomain ptyfile:chr_file getattr;
-
-# to allow w to display everyone...
-bool user_ttyfile_stat false;
-
-if (user_ttyfile_stat) {
-allow userdomain ttyfile:chr_file getattr;
-}
-
diff --git a/mls/file_contexts/distros.fc b/mls/file_contexts/distros.fc
deleted file mode 100644
index 33c7f5e1..00000000
--- a/mls/file_contexts/distros.fc
+++ /dev/null
@@ -1,164 +0,0 @@
-ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
-/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
-/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t:s0
-/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t:s0
-/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t:s0
-/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t:s0
-/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t:s0
-#
-# /emul/ia32-linux/usr
-#
-/emul(/.*)? system_u:object_r:usr_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
-/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t:s0
-# /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t:s0
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
-# /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t:s0
-# /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t:s0
-
-ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0
-')
-
-# The following are libraries with text relocations in need of execmod permissions
-# Some of them should be fixed and removed from this list
-
-# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program(/.*)? system_u:object_r:bin_t:s0
-/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t:s0
-/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t:s0
-
-# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-
-# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t:s0
-
-# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t:s0
-
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t:s0
-')
-
-ifdef(`distro_suse', `
-/var/lib/samba/bin/.+ system_u:object_r:bin_t:s0
-/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t:s0
-/usr/lib/samba/classic/.* -- system_u:object_r:bin_t:s0
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/success -- system_u:object_r:etc_runtime_t:s0
-/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t:s0
-')
diff --git a/mls/file_contexts/homedir_template b/mls/file_contexts/homedir_template
deleted file mode 100644
index 6c7695ab..00000000
--- a/mls/file_contexts/homedir_template
+++ /dev/null
@@ -1,21 +0,0 @@
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-# and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-HOME_ROOT -d system_u:object_r:home_root_t:s0
-HOME_DIR -d system_u:object_r:ROLE_home_dir_t:s0-s15:c0.c255
-HOME_DIR/.+ <>
-HOME_ROOT/\.journal <>
-HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-HOME_ROOT/lost\+found/.* <>
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
-HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t:s0
-HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t:s0
-/tmp/orbit-USER(-.*)? -d system_u:object_r:ROLE_orbit_tmp_t:s0
-/tmp/orbit-USER(-.*)?/linc.* -s <>
-/tmp/orbit-USER(-.*)?/bonobo.* -- system_u:object_r:ROLE_orbit_tmp_t:s0
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
-HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t:s0
-HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t:s0
-HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t:s0
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
diff --git a/mls/file_contexts/program/NetworkManager.fc b/mls/file_contexts/program/NetworkManager.fc
deleted file mode 100644
index cb57584e..00000000
--- a/mls/file_contexts/program/NetworkManager.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# NetworkManager
-/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t:s0
diff --git a/mls/file_contexts/program/acct.fc b/mls/file_contexts/program/acct.fc
deleted file mode 100644
index 78622bd3..00000000
--- a/mls/file_contexts/program/acct.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# berkeley process accounting
-/sbin/accton -- system_u:object_r:acct_exec_t:s0
-/usr/sbin/accton -- system_u:object_r:acct_exec_t:s0
-/var/account(/.*)? system_u:object_r:acct_data_t:s0
-/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t:s0
diff --git a/mls/file_contexts/program/afs.fc b/mls/file_contexts/program/afs.fc
deleted file mode 100644
index fb49f336..00000000
--- a/mls/file_contexts/program/afs.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# afs
-/usr/afs/bin/bosserver -- system_u:object_r:afs_bosserver_exec_t
-/usr/afs/bin/kaserver -- system_u:object_r:afs_kaserver_exec_t
-/usr/afs/bin/vlserver -- system_u:object_r:afs_vlserver_exec_t
-/usr/afs/bin/ptserver -- system_u:object_r:afs_ptserver_exec_t
-/usr/afs/bin/fileserver -- system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/volserver -- system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/salvager -- system_u:object_r:afs_fsserver_exec_t
-
-/usr/afs/logs(/.*)? system_u:object_r:afs_logfile_t
-/usr/afs/etc(/.*)? system_u:object_r:afs_config_t
-/usr/afs/local(/.*)? system_u:object_r:afs_config_t
-/usr/afs/db -d system_u:object_r:afs_dbdir_t
-/usr/afs/db/pr.* -- system_u:object_r:afs_pt_db_t
-/usr/afs/db/ka.* -- system_u:object_r:afs_ka_db_t
-/usr/afs/db/vl.* -- system_u:object_r:afs_vl_db_t
-
-/vicepa system_u:object_r:afs_files_t
-/vicepb system_u:object_r:afs_files_t
-/vicepc system_u:object_r:afs_files_t
diff --git a/mls/file_contexts/program/alsa.fc b/mls/file_contexts/program/alsa.fc
deleted file mode 100644
index ce568492..00000000
--- a/mls/file_contexts/program/alsa.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC ainit - configuration tool for ALSA
-/usr/bin/ainit -- system_u:object_r:alsa_exec_t:s0
-/etc/alsa/pcm(/.*)? system_u:object_r:alsa_etc_rw_t:s0
diff --git a/mls/file_contexts/program/amanda.fc b/mls/file_contexts/program/amanda.fc
deleted file mode 100644
index 917b41aa..00000000
--- a/mls/file_contexts/program/amanda.fc
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# Author: Carsten Grohmann
-#
-
-# amanda
-/etc/amanda(/.*)? system_u:object_r:amanda_config_t:s0
-/etc/amanda/.*/tapelist(/.*)? system_u:object_r:amanda_data_t:s0
-/etc/amandates system_u:object_r:amanda_amandates_t:s0
-/etc/dumpdates system_u:object_r:amanda_dumpdates_t:s0
-/root/restore -d system_u:object_r:amanda_recover_dir_t:s0
-/tmp/amanda(/.*)? system_u:object_r:amanda_tmp_t:s0
-/usr/lib(64)?/amanda -d system_u:object_r:amanda_usr_lib_t:s0
-/usr/lib(64)?/amanda/amandad -- system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amcat\.awk -- system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amcleanupdisk -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amidxtaped -- system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amindexd -- system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amlogroll -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.awk -- system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.g -- system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.gp -- system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amtrmidx -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amtrmlog -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/calcsize -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-chio -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-chs -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-manual -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-mtx -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-multi -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-rth -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-scsi -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-zd-mtx -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/driver -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/dumper -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/killpgrp -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/patch-system -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/planner -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/rundump -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/runtar -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/selfcheck -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/sendbackup -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/sendsize -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/taper -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/versionsuffix -- system_u:object_r:amanda_exec_t:s0
-/usr/sbin/amadmin -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcheck -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcheckdb -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcleanup -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amdump -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amflush -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amgetconf -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amlabel -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amoverview -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amplot -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrecover -- system_u:object_r:amanda_recover_exec_t:s0
-/usr/sbin/amreport -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrestore -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrmtape -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amstatus -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amtape -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amtoc -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amverify -- system_u:object_r:amanda_user_exec_t:s0
-/var/lib/amanda -d system_u:object_r:amanda_var_lib_t:s0
-/var/lib/amanda/\.amandahosts -- system_u:object_r:amanda_config_t:s0
-/var/lib/amanda/\.bashrc -- system_u:object_r:amanda_shellconfig_t:s0
-/var/lib/amanda/\.profile -- system_u:object_r:amanda_shellconfig_t:s0
-/var/lib/amanda/disklist -- system_u:object_r:amanda_data_t:s0
-/var/lib/amanda/gnutar-lists(/.*)? system_u:object_r:amanda_gnutarlists_t:s0
-/var/lib/amanda/index system_u:object_r:amanda_data_t:s0
-/var/log/amanda(/.*)? system_u:object_r:amanda_log_t:s0
diff --git a/mls/file_contexts/program/amavis.fc b/mls/file_contexts/program/amavis.fc
deleted file mode 100644
index 366da332..00000000
--- a/mls/file_contexts/program/amavis.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# amavis
-/usr/sbin/amavisd.* -- system_u:object_r:amavisd_exec_t
-/etc/amavisd\.conf -- system_u:object_r:amavisd_etc_t
-/var/log/amavisd\.log -- system_u:object_r:amavisd_log_t
-/var/lib/amavis(/.*)? system_u:object_r:amavisd_lib_t
-/var/run/amavis(/.*)? system_u:object_r:amavisd_var_run_t
-/var/amavis(/.*)? system_u:object_r:amavisd_lib_t
-/var/virusmails(/.*)? system_u:object_r:amavisd_quarantine_t
diff --git a/mls/file_contexts/program/anaconda.fc b/mls/file_contexts/program/anaconda.fc
deleted file mode 100644
index a0cbc0eb..00000000
--- a/mls/file_contexts/program/anaconda.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Anaconda file context
-# currently anaconda does not have any file context since it is started during install
-# This is a placeholder to stop makefile from complaining
-#
diff --git a/mls/file_contexts/program/apache.fc b/mls/file_contexts/program/apache.fc
deleted file mode 100644
index a3bf8f44..00000000
--- a/mls/file_contexts/program/apache.fc
+++ /dev/null
@@ -1,61 +0,0 @@
-# apache
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
-/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
-/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
-/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
-/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/php-mmcache(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/mason(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/rt3(/.*)? system_u:object_r:httpd_cache_t:s0
-/etc/httpd -d system_u:object_r:httpd_config_t:s0
-/etc/httpd/conf.* system_u:object_r:httpd_config_t:s0
-/etc/httpd/logs system_u:object_r:httpd_log_t:s0
-/etc/httpd/modules system_u:object_r:httpd_modules_t:s0
-/etc/apache(2)?(/.*)? system_u:object_r:httpd_config_t:s0
-/etc/vhosts -- system_u:object_r:httpd_config_t:s0
-/usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t:s0
-/usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t:s0
-/usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t:s0
-/usr/sbin/httpd(\.worker)? -- system_u:object_r:httpd_exec_t:s0
-/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t:s0
-/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t:s0
-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t:s0
-/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t:s0
-/var/log/httpd(/.*)? system_u:object_r:httpd_log_t:s0
-/var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_t:s0
-/var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t:s0
-/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t:s0
-/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/run/apache.* system_u:object_r:httpd_var_run_t:s0
-/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t:s0
-/var/lib/dav(/.*)? system_u:object_r:httpd_var_lib_t:s0
-/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t:s0
-/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t:s0
-/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t:s0
-/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t:s0
-/var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t:s0
-/var/run/gcache_port -s system_u:object_r:httpd_var_run_t:s0
-ifdef(`distro_debian', `
-/var/log/horde2(/.*)? system_u:object_r:httpd_log_t:s0
-')
-ifdef(`distro_suse', `
-# suse puts shell scripts there :-(
-/usr/share/apache2/[^/]* -- system_u:object_r:bin_t:s0
-/usr/sbin/httpd2-.* -- system_u:object_r:httpd_exec_t:s0
-')
-/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t:s0
-/var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t:s0
-/usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t:s0
-/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t:s0
-ifdef(`targeted_policy', `', `
-/var/spool/cron/apache -- system_u:object_r:user_cron_spool_t:s0
-')
-/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t:s0
-
diff --git a/mls/file_contexts/program/apmd.fc b/mls/file_contexts/program/apmd.fc
deleted file mode 100644
index 6554b526..00000000
--- a/mls/file_contexts/program/apmd.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# apmd
-/usr/sbin/apmd -- system_u:object_r:apmd_exec_t:s0
-/usr/sbin/acpid -- system_u:object_r:apmd_exec_t:s0
-/usr/sbin/powersaved -- system_u:object_r:apmd_exec_t:s0
-/usr/bin/apm -- system_u:object_r:apm_exec_t:s0
-/var/run/apmd\.pid -- system_u:object_r:apmd_var_run_t:s0
-/var/run/\.?acpid\.socket -s system_u:object_r:apmd_var_run_t:s0
-/var/run/powersaved\.pid -- system_u:object_r:apmd_var_run_t:s0
-/var/run/powersave_socket -s system_u:object_r:apmd_var_run_t:s0
-/var/log/acpid -- system_u:object_r:apmd_log_t:s0
-ifdef(`distro_suse', `
-/var/lib/acpi(/.*)? system_u:object_r:apmd_var_lib_t:s0
-')
-
diff --git a/mls/file_contexts/program/arpwatch.fc b/mls/file_contexts/program/arpwatch.fc
deleted file mode 100644
index 48699406..00000000
--- a/mls/file_contexts/program/arpwatch.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# arpwatch - keep track of ethernet/ip address pairings
-/usr/sbin/arpwatch -- system_u:object_r:arpwatch_exec_t:s0
-/var/arpwatch(/.*)? system_u:object_r:arpwatch_data_t:s0
-/var/lib/arpwatch(/.*)? system_u:object_r:arpwatch_data_t:s0
diff --git a/mls/file_contexts/program/asterisk.fc b/mls/file_contexts/program/asterisk.fc
deleted file mode 100644
index 6f4eb4b2..00000000
--- a/mls/file_contexts/program/asterisk.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# asterisk
-/usr/sbin/asterisk -- system_u:object_r:asterisk_exec_t
-/var/run/asterisk(/.*)? system_u:object_r:asterisk_var_run_t
-/etc/asterisk(/.*)? system_u:object_r:asterisk_etc_t
-/var/log/asterisk(/.*)? system_u:object_r:asterisk_log_t
-/var/lib/asterisk(/.*)? system_u:object_r:asterisk_var_lib_t
-/var/spool/asterisk(/.*)? system_u:object_r:asterisk_spool_t
diff --git a/mls/file_contexts/program/audio-entropyd.fc b/mls/file_contexts/program/audio-entropyd.fc
deleted file mode 100644
index a8f616a5..00000000
--- a/mls/file_contexts/program/audio-entropyd.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/audio-entropyd -- system_u:object_r:entropyd_exec_t
diff --git a/mls/file_contexts/program/auditd.fc b/mls/file_contexts/program/auditd.fc
deleted file mode 100644
index d01ff764..00000000
--- a/mls/file_contexts/program/auditd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# auditd
-/sbin/auditctl -- system_u:object_r:auditctl_exec_t:s0
-/sbin/auditd -- system_u:object_r:auditd_exec_t:s0
-/var/log/audit.log -- system_u:object_r:auditd_log_t:s15:c0.c255
-/var/log/audit(/.*)? system_u:object_r:auditd_log_t:s15:c0.c255
-/etc/auditd.conf -- system_u:object_r:auditd_etc_t:s0
-/etc/audit.rules -- system_u:object_r:auditd_etc_t:s0
-
diff --git a/mls/file_contexts/program/authbind.fc b/mls/file_contexts/program/authbind.fc
deleted file mode 100644
index 9fed63e8..00000000
--- a/mls/file_contexts/program/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# authbind
-/etc/authbind(/.*)? system_u:object_r:authbind_etc_t
-/usr/lib(64)?/authbind/helper -- system_u:object_r:authbind_exec_t
diff --git a/mls/file_contexts/program/automount.fc b/mls/file_contexts/program/automount.fc
deleted file mode 100644
index 89521075..00000000
--- a/mls/file_contexts/program/automount.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# automount
-/usr/sbin/automount -- system_u:object_r:automount_exec_t:s0
-/etc/apm/event\.d/autofs -- system_u:object_r:automount_exec_t:s0
-/var/run/autofs(/.*)? system_u:object_r:automount_var_run_t:s0
-/etc/auto\..+ -- system_u:object_r:automount_etc_t:s0
diff --git a/mls/file_contexts/program/avahi.fc b/mls/file_contexts/program/avahi.fc
deleted file mode 100644
index fa6e00e0..00000000
--- a/mls/file_contexts/program/avahi.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
-/usr/sbin/avahi-daemon -- system_u:object_r:avahi_exec_t:s0
-/usr/sbin/avahi-dnsconfd -- system_u:object_r:avahi_exec_t:s0
-/var/run/avahi-daemon(/.*)? system_u:object_r:avahi_var_run_t:s0
diff --git a/mls/file_contexts/program/backup.fc b/mls/file_contexts/program/backup.fc
deleted file mode 100644
index ed828092..00000000
--- a/mls/file_contexts/program/backup.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# backup
-# label programs that do backups to other files on disk (IE a cron job that
-# calls tar) in backup_exec_t and label the directory for storing them as
-# backup_store_t, Debian uses /var/backups
-#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t
-/var/backups(/.*)? system_u:object_r:backup_store_t
diff --git a/mls/file_contexts/program/bluetooth.fc b/mls/file_contexts/program/bluetooth.fc
deleted file mode 100644
index 6c5aac36..00000000
--- a/mls/file_contexts/program/bluetooth.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bluetooth
-/etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t:s0
-/etc/bluetooth/link_key system_u:object_r:bluetooth_conf_rw_t:s0
-/usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t:s0
-/var/run/sdp -s system_u:object_r:bluetooth_var_run_t:s0
-/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t:s0
-/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t:s0
-/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t:s0
diff --git a/mls/file_contexts/program/bonobo.fc b/mls/file_contexts/program/bonobo.fc
deleted file mode 100644
index 23d22143..00000000
--- a/mls/file_contexts/program/bonobo.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/bonobo-activation-server -- system_u:object_r:bonobo_exec_t:s0
diff --git a/mls/file_contexts/program/bootloader.fc b/mls/file_contexts/program/bootloader.fc
deleted file mode 100644
index bce2ff81..00000000
--- a/mls/file_contexts/program/bootloader.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bootloader
-/etc/lilo\.conf.* -- system_u:object_r:bootloader_etc_t:s0
-/initrd\.img.* -l system_u:object_r:boot_t:s0
-/sbin/lilo.* -- system_u:object_r:bootloader_exec_t:s0
-/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0
-/vmlinuz.* -l system_u:object_r:boot_t:s0
-/usr/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t:s0
-/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t:s0
-/etc/mkinitrd/scripts/.* -- system_u:object_r:bootloader_exec_t:s0
-/sbin/ybin.* -- system_u:object_r:bootloader_exec_t:s0
-/etc/yaboot\.conf.* -- system_u:object_r:bootloader_etc_t:s0
diff --git a/mls/file_contexts/program/calamaris.fc b/mls/file_contexts/program/calamaris.fc
deleted file mode 100644
index 36d8c87b..00000000
--- a/mls/file_contexts/program/calamaris.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# squid
-/etc/cron\.daily/calamaris -- system_u:object_r:calamaris_exec_t
-/var/www/calamaris(/.*)? system_u:object_r:calamaris_www_t
-/var/log/calamaris(/.*)? system_u:object_r:calamaris_log_t
diff --git a/mls/file_contexts/program/canna.fc b/mls/file_contexts/program/canna.fc
deleted file mode 100644
index aada263e..00000000
--- a/mls/file_contexts/program/canna.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# canna.fc
-/usr/sbin/cannaserver -- system_u:object_r:canna_exec_t:s0
-/usr/sbin/jserver -- system_u:object_r:canna_exec_t:s0
-/usr/bin/cannaping -- system_u:object_r:canna_exec_t:s0
-/usr/bin/catdic -- system_u:object_r:canna_exec_t:s0
-/var/log/canna(/.*)? system_u:object_r:canna_log_t:s0
-/var/log/wnn(/.*)? system_u:object_r:canna_log_t:s0
-/var/lib/canna/dic(/.*)? system_u:object_r:canna_var_lib_t:s0
-/var/lib/wnn/dic(/.*)? system_u:object_r:canna_var_lib_t:s0
-/var/run/\.iroha_unix -d system_u:object_r:canna_var_run_t:s0
-/var/run/\.iroha_unix/.* -s system_u:object_r:canna_var_run_t:s0
-/var/run/wnn-unix(/.*) system_u:object_r:canna_var_run_t:s0
diff --git a/mls/file_contexts/program/cardmgr.fc b/mls/file_contexts/program/cardmgr.fc
deleted file mode 100644
index 1dc51875..00000000
--- a/mls/file_contexts/program/cardmgr.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# cardmgr
-/sbin/cardmgr -- system_u:object_r:cardmgr_exec_t:s0
-/sbin/cardctl -- system_u:object_r:cardctl_exec_t:s0
-/var/run/stab -- system_u:object_r:cardmgr_var_run_t:s0
-/var/run/cardmgr\.pid -- system_u:object_r:cardmgr_var_run_t:s0
-/etc/apm/event\.d/pcmcia -- system_u:object_r:cardmgr_exec_t:s0
-/var/lib/pcmcia(/.*)? system_u:object_r:cardmgr_var_run_t:s0
diff --git a/mls/file_contexts/program/cdrecord.fc b/mls/file_contexts/program/cdrecord.fc
deleted file mode 100644
index c29a00cd..00000000
--- a/mls/file_contexts/program/cdrecord.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cdrecord
-/usr/bin/cdrecord -- system_u:object_r:cdrecord_exec_t:s0
-
diff --git a/mls/file_contexts/program/certwatch.fc b/mls/file_contexts/program/certwatch.fc
deleted file mode 100644
index 8c955ee0..00000000
--- a/mls/file_contexts/program/certwatch.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# certwatch.fc
-/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t:s0
-
diff --git a/mls/file_contexts/program/checkpolicy.fc b/mls/file_contexts/program/checkpolicy.fc
deleted file mode 100644
index dddeecfe..00000000
--- a/mls/file_contexts/program/checkpolicy.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# checkpolicy
-/usr/bin/checkpolicy -- system_u:object_r:checkpolicy_exec_t:s0
diff --git a/mls/file_contexts/program/chkpwd.fc b/mls/file_contexts/program/chkpwd.fc
deleted file mode 100644
index 5f253f7e..00000000
--- a/mls/file_contexts/program/chkpwd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# chkpwd
-/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t:s0
-/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t:s0
-ifdef(`distro_suse', `
-/sbin/unix2_chkpwd -- system_u:object_r:chkpwd_exec_t:s0
-')
diff --git a/mls/file_contexts/program/chroot.fc b/mls/file_contexts/program/chroot.fc
deleted file mode 100644
index a23cd812..00000000
--- a/mls/file_contexts/program/chroot.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/chroot -- system_u:object_r:chroot_exec_t:s0
diff --git a/mls/file_contexts/program/ciped.fc b/mls/file_contexts/program/ciped.fc
deleted file mode 100644
index e3a12a18..00000000
--- a/mls/file_contexts/program/ciped.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/ciped.* -- system_u:object_r:ciped_exec_t
-/etc/cipe/ip-up.* -- system_u:object_r:bin_t
-/etc/cipe/ip-down.* -- system_u:object_r:bin_t
diff --git a/mls/file_contexts/program/clamav.fc b/mls/file_contexts/program/clamav.fc
deleted file mode 100644
index 90c898cb..00000000
--- a/mls/file_contexts/program/clamav.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# clamscan
-/usr/bin/clamscan -- system_u:object_r:clamscan_exec_t
-/usr/bin/freshclam -- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamav-freshclam-handledaemon -- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamd -- system_u:object_r:clamd_exec_t
-/var/lib/clamav(/.*)? system_u:object_r:clamav_var_lib_t
-/var/log/clam-update\.log -- system_u:object_r:freshclam_log_t
-/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t
-/var/log/clamav/clamd\.log.* -- system_u:object_r:clamd_log_t
-/var/log/clamav/freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t
-/var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t
-/var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd\.sock -s system_u:object_r:clamd_sock_t
diff --git a/mls/file_contexts/program/clockspeed.fc b/mls/file_contexts/program/clockspeed.fc
deleted file mode 100644
index e00cd566..00000000
--- a/mls/file_contexts/program/clockspeed.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# clockspeed
-/usr/bin/clockspeed -- system_u:object_r:clockspeed_exec_t
-/usr/bin/clockadd -- system_u:object_r:clockspeed_exec_t
-/usr/bin/clockview -- system_u:object_r:clockspeed_exec_t
-/usr/bin/sntpclock -- system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclock -- system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclockd -- system_u:object_r:clockspeed_exec_t
-/usr/sbin/ntpclockset -- system_u:object_r:clockspeed_exec_t
-
-/var/lib/clockspeed(/.*)? system_u:object_r:clockspeed_var_lib_t
-
diff --git a/mls/file_contexts/program/compat.fc b/mls/file_contexts/program/compat.fc
deleted file mode 100644
index d64b892e..00000000
--- a/mls/file_contexts/program/compat.fc
+++ /dev/null
@@ -1,66 +0,0 @@
-ifdef(`setfiles.te', `', `
-# setfiles
-/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
-')
-
-ifdef(`mount.te', `', `
-# mount
-/bin/mount.* -- system_u:object_r:mount_exec_t
-/bin/umount.* -- system_u:object_r:mount_exec_t
-')
-ifdef(`loadkeys.te', `', `
-# loadkeys
-/bin/unikeys -- system_u:object_r:loadkeys_exec_t
-/bin/loadkeys -- system_u:object_r:loadkeys_exec_t
-')
-ifdef(`dmesg.te', `', `
-# dmesg
-/bin/dmesg -- system_u:object_r:dmesg_exec_t
-')
-ifdef(`fsadm.te', `', `
-# fs admin utilities
-/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
-/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
-/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
-/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
-/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
-/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
-/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
-/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
-/sbin/e2label -- system_u:object_r:fsadm_exec_t
-/sbin/findfs -- system_u:object_r:fsadm_exec_t
-/sbin/mkfs -- system_u:object_r:fsadm_exec_t
-/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
-/sbin/mkswap -- system_u:object_r:fsadm_exec_t
-/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
-/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
-/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
-/sbin/fdisk -- system_u:object_r:fsadm_exec_t
-/sbin/parted -- system_u:object_r:fsadm_exec_t
-/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
-/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
-/sbin/hdparm -- system_u:object_r:fsadm_exec_t
-/sbin/raidstart -- system_u:object_r:fsadm_exec_t
-/sbin/mkraid -- system_u:object_r:fsadm_exec_t
-/sbin/dmraid -- system_u:object_r:fsadm_exec_t
-/sbin/blockdev -- system_u:object_r:fsadm_exec_t
-/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
-/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
-/sbin/lsraid -- system_u:object_r:fsadm_exec_t
-/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
-/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
-/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
-/usr/bin/raw -- system_u:object_r:fsadm_exec_t
-/sbin/partx -- system_u:object_r:fsadm_exec_t
-/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
-/sbin/partprobe -- system_u:object_r:fsadm_exec_t
-')
-ifdef(`lvm.te', `', `
-/sbin/lvm.static -- system_u:object_r:lvm_exec_t
-')
-ifdef(`kudzu.te', `', `
-# kudzu
-/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
-/sbin/kmodule -- system_u:object_r:kudzu_exec_t
-')
diff --git a/mls/file_contexts/program/comsat.fc b/mls/file_contexts/program/comsat.fc
deleted file mode 100644
index 37049010..00000000
--- a/mls/file_contexts/program/comsat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# biff server
-/usr/sbin/in\.comsat -- system_u:object_r:comsat_exec_t:s0
diff --git a/mls/file_contexts/program/consoletype.fc b/mls/file_contexts/program/consoletype.fc
deleted file mode 100644
index 1258f578..00000000
--- a/mls/file_contexts/program/consoletype.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# consoletype
-/sbin/consoletype -- system_u:object_r:consoletype_exec_t:s0
diff --git a/mls/file_contexts/program/courier.fc b/mls/file_contexts/program/courier.fc
deleted file mode 100644
index 16f6adb1..00000000
--- a/mls/file_contexts/program/courier.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-# courier pop, imap, and webmail
-/usr/lib(64)?/courier(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/courier/rootcerts(/.*)? system_u:object_r:courier_etc_t
-/usr/lib(64)?/courier/authlib/.* -- system_u:object_r:courier_authdaemon_exec_t
-/usr/lib(64)?/courier/courier/.* -- system_u:object_r:courier_exec_t
-/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/imaplogin -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/pcpd -- system_u:object_r:courier_pcp_exec_t
-/usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t
-/var/lib/courier(/.*)? system_u:object_r:courier_var_lib_t
-/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t
-/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t
-/usr/sbin/courierldapaliasd -- system_u:object_r:courier_exec_t
-/usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t
-/var/run/courier(/.*)? system_u:object_r:courier_var_run_t
-/etc/courier(/.*)? system_u:object_r:courier_etc_t
diff --git a/mls/file_contexts/program/cpucontrol.fc b/mls/file_contexts/program/cpucontrol.fc
deleted file mode 100644
index e7e488a2..00000000
--- a/mls/file_contexts/program/cpucontrol.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpucontrol
-/sbin/microcode_ctl -- system_u:object_r:cpucontrol_exec_t:s0
-/etc/firmware/.* -- system_u:object_r:cpucontrol_conf_t:s0
diff --git a/mls/file_contexts/program/cpuspeed.fc b/mls/file_contexts/program/cpuspeed.fc
deleted file mode 100644
index 5e91f557..00000000
--- a/mls/file_contexts/program/cpuspeed.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpuspeed
-/usr/sbin/cpuspeed -- system_u:object_r:cpuspeed_exec_t:s0
-/usr/sbin/powernowd -- system_u:object_r:cpuspeed_exec_t:s0
diff --git a/mls/file_contexts/program/crack.fc b/mls/file_contexts/program/crack.fc
deleted file mode 100644
index 18b5371a..00000000
--- a/mls/file_contexts/program/crack.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# crack - for password checking
-/usr/sbin/cracklib-[a-z]* -- system_u:object_r:crack_exec_t:s0
-/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t:s0
-/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t:s0
-/usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t:s0
-/usr/share/cracklib(/.*)? system_u:object_r:crack_db_t:s0
diff --git a/mls/file_contexts/program/crond.fc b/mls/file_contexts/program/crond.fc
deleted file mode 100644
index 3ee6ee57..00000000
--- a/mls/file_contexts/program/crond.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# crond
-/etc/crontab -- system_u:object_r:system_cron_spool_t:s0
-/etc/cron\.d(/.*)? system_u:object_r:system_cron_spool_t:s0
-/usr/sbin/cron(d)? -- system_u:object_r:crond_exec_t:s0
-/usr/sbin/anacron -- system_u:object_r:anacron_exec_t:s0
-/var/spool/cron -d system_u:object_r:cron_spool_t:s0
-/var/spool/cron/crontabs -d system_u:object_r:cron_spool_t:s0
-/var/spool/cron/crontabs/.* -- <>
-/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t:s0
-/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t:s0
-/var/spool/cron/[^/]* -- <>
-/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t:s0
-/var/run/crond?\.pid -- system_u:object_r:crond_var_run_t:s0
-# fcron
-/usr/sbin/fcron -- system_u:object_r:crond_exec_t:s0
-/var/spool/fcron -d system_u:object_r:cron_spool_t:s0
-/var/spool/fcron/.* <>
-/var/spool/fcron/systab\.orig -- system_u:object_r:system_cron_spool_t:s0
-/var/spool/fcron/systab -- system_u:object_r:system_cron_spool_t:s0
-/var/spool/fcron/new\.systab -- system_u:object_r:system_cron_spool_t:s0
-/var/run/fcron\.fifo -s system_u:object_r:crond_var_run_t:s0
-/var/run/fcron\.pid -- system_u:object_r:crond_var_run_t:s0
-# atd
-/usr/sbin/atd -- system_u:object_r:crond_exec_t:s0
-/var/spool/at -d system_u:object_r:cron_spool_t:s0
-/var/spool/at/spool -d system_u:object_r:cron_spool_t:s0
-/var/spool/at/[^/]* -- <>
-/var/run/atd\.pid -- system_u:object_r:crond_var_run_t:s0
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons -- system_u:object_r:bin_t:s0
-/var/spool/cron/lastrun -d system_u:object_r:crond_tmp_t:s0
-/var/spool/cron/lastrun/[^/]* -- <>
-/var/spool/cron/tabs -d system_u:object_r:cron_spool_t:s0
-')
diff --git a/mls/file_contexts/program/crontab.fc b/mls/file_contexts/program/crontab.fc
deleted file mode 100644
index e0ee3594..00000000
--- a/mls/file_contexts/program/crontab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# crontab
-/usr/bin/(f)?crontab -- system_u:object_r:crontab_exec_t:s0
-/usr/bin/at -- system_u:object_r:crontab_exec_t:s0
diff --git a/mls/file_contexts/program/cups.fc b/mls/file_contexts/program/cups.fc
deleted file mode 100644
index fea8ef07..00000000
--- a/mls/file_contexts/program/cups.fc
+++ /dev/null
@@ -1,46 +0,0 @@
-# cups printing
-/etc/cups(/.*)? system_u:object_r:cupsd_etc_t:s0
-/usr/share/cups(/.*)? system_u:object_r:cupsd_etc_t:s0
-/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0
-/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/client\.conf -- system_u:object_r:etc_t:s0
-/etc/cups/cupsd\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/classes\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/certs -d system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/var/lib/cups/certs -d system_u:object_r:cupsd_rw_etc_t:s0
-/var/lib/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/ppds\.dat -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/lpoptions.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/printcap.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/usr/lib(64)?/cups/backend/.* -- system_u:object_r:cupsd_exec_t:s0
-/usr/lib(64)?/cups/daemon/.* -- system_u:object_r:cupsd_exec_t:s0
-/usr/lib(64)?/cups/daemon/cups-lpd -- system_u:object_r:cupsd_lpd_exec_t:s0
-/usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t:s0
-ifdef(`hald.te', `
-# cupsd_config depends on hald
-/usr/bin/cups-config-daemon -- system_u:object_r:cupsd_config_exec_t:s0
-/usr/sbin/hal_lpadmin -- system_u:object_r:cupsd_config_exec_t:s0
-/usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t:s0
-')
-/var/log/cups(/.*)? system_u:object_r:cupsd_log_t:s0
-/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t:s0
-/var/spool/cups(/.*)? system_u:object_r:print_spool_t:s0
-/var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t:s0
-/usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t:s0
-/usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t:s0
-/usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t:s0
-/usr/sbin/ptal-photod -- system_u:object_r:ptal_exec_t:s0
-/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t:s0
-/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t:s0
-/etc/hp(/.*)? system_u:object_r:hplip_etc_t:s0
-/usr/sbin/hpiod -- system_u:object_r:hplip_exec_t:s0
-/usr/share/hplip/hpssd.py -- system_u:object_r:hplip_exec_t:s0
-/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t:s0
-/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t:s0
-/var/run/hp.*\.pid -- system_u:object_r:hplip_var_run_t:s0
-/var/run/hp.*\.port -- system_u:object_r:hplip_var_run_t:s0
diff --git a/mls/file_contexts/program/cvs.fc b/mls/file_contexts/program/cvs.fc
deleted file mode 100644
index 8aa1edc6..00000000
--- a/mls/file_contexts/program/cvs.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# cvs program
-/usr/bin/cvs -- system_u:object_r:cvs_exec_t:s0
diff --git a/mls/file_contexts/program/cyrus.fc b/mls/file_contexts/program/cyrus.fc
deleted file mode 100644
index f415273b..00000000
--- a/mls/file_contexts/program/cyrus.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# cyrus
-/var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t:s0
-/usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t:s0
-/var/spool/imap(/.*)? system_u:object_r:mail_spool_t:s0
diff --git a/mls/file_contexts/program/daemontools.fc b/mls/file_contexts/program/daemontools.fc
deleted file mode 100644
index c2642ed5..00000000
--- a/mls/file_contexts/program/daemontools.fc
+++ /dev/null
@@ -1,54 +0,0 @@
-# daemontools
-
-/var/service/.* system_u:object_r:svc_svc_t
-
-# symlinks to /var/service/*
-/service(/.*)? system_u:object_r:svc_svc_t
-
-# supervise scripts
-/usr/bin/svc-add -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isdown -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isup -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-remove -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-start -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-status -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-stop -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitdown -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitup -- system_u:object_r:svc_script_exec_t
-
-# supervise init binaries
-# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
-/usr/bin/svc -- system_u:object_r:svc_start_exec_t
-/usr/bin/svscan -- system_u:object_r:svc_start_exec_t
-/usr/bin/svscanboot -- system_u:object_r:svc_start_exec_t
-/usr/bin/svok -- system_u:object_r:svc_start_exec_t
-/usr/bin/supervise -- system_u:object_r:svc_start_exec_t
-
-# starting scripts
-/var/service/.*/run.* system_u:object_r:svc_run_exec_t
-/var/service/.*/log/run system_u:object_r:svc_run_exec_t
-
-# configurations
-/var/service/.*/env(/.*)? system_u:object_r:svc_conf_t
-
-# log
-/var/service/.*/log/main(/.*)? system_u:object_r:svc_log_t
-
-# programs that impose a given environment to daemons
-/usr/bin/softlimit -- system_u:object_r:svc_run_exec_t
-/usr/bin/setuidgid -- system_u:object_r:svc_run_exec_t
-/usr/bin/envuidgid -- system_u:object_r:svc_run_exec_t
-/usr/bin/envdir -- system_u:object_r:svc_run_exec_t
-/usr/bin/setlock -- system_u:object_r:svc_run_exec_t
-
-# helper programs
-/usr/bin/fghack -- system_u:object_r:svc_run_exec_t
-/usr/bin/pgrphack -- system_u:object_r:svc_run_exec_t
-
-/var/run/svscan\.pid -- system_u:object_r:initrc_var_run_t
-# daemontools logger # writes to service/*/log/main/ and /var/log/*/
-/usr/bin/multilog -- system_u:object_r:svc_multilog_exec_t
-
-/sbin/svcinit -- system_u:object_r:initrc_exec_t
-/sbin/runsvcscript\.sh -- system_u:object_r:initrc_exec_t
-
diff --git a/mls/file_contexts/program/dante.fc b/mls/file_contexts/program/dante.fc
deleted file mode 100644
index ce7f3353..00000000
--- a/mls/file_contexts/program/dante.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dante
-/usr/sbin/sockd -- system_u:object_r:dante_exec_t
-/etc/socks(/.*)? system_u:object_r:dante_conf_t
-/var/run/sockd.pid -- system_u:object_r:dante_var_run_t
diff --git a/mls/file_contexts/program/dbskkd.fc b/mls/file_contexts/program/dbskkd.fc
deleted file mode 100644
index 4f2d72fd..00000000
--- a/mls/file_contexts/program/dbskkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# A dictionary server for the SKK Japanese input method system.
-/usr/sbin/dbskkd-cdb -- system_u:object_r:dbskkd_exec_t:s0
diff --git a/mls/file_contexts/program/dbusd.fc b/mls/file_contexts/program/dbusd.fc
deleted file mode 100644
index ea4e0653..00000000
--- a/mls/file_contexts/program/dbusd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/dbus-daemon(-1)? -- system_u:object_r:system_dbusd_exec_t:s0
-/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t:s0
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0
diff --git a/mls/file_contexts/program/dcc.fc b/mls/file_contexts/program/dcc.fc
deleted file mode 100644
index a6b1372a..00000000
--- a/mls/file_contexts/program/dcc.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# DCC
-/etc/dcc(/.*)? system_u:object_r:dcc_var_t
-/etc/dcc/map -- system_u:object_r:dcc_client_map_t
-/etc/dcc/dccifd -s system_u:object_r:dccifd_sock_t
-/usr/bin/cdcc system_u:object_r:cdcc_exec_t
-/usr/bin/dccproc system_u:object_r:dcc_client_exec_t
-/usr/libexec/dcc/dbclean system_u:object_r:dcc_dbclean_exec_t
-/usr/libexec/dcc/dccd system_u:object_r:dccd_exec_t
-/usr/libexec/dcc/dccifd system_u:object_r:dccifd_exec_t
-/usr/libexec/dcc/dccm system_u:object_r:dccm_exec_t
-/usr/libexec/dcc/start-.* system_u:object_r:dcc_script_exec_t
-/usr/libexec/dcc/stop-.* system_u:object_r:dcc_script_exec_t
-/var/dcc(/.*)? system_u:object_r:dcc_var_t
-/var/dcc/map -- system_u:object_r:dcc_client_map_t
-/var/run/dcc system_u:object_r:dcc_var_run_t
-/var/run/dcc/map -- system_u:object_r:dcc_client_map_t
-/var/run/dcc/dccifd -s system_u:object_r:dccifd_sock_t
diff --git a/mls/file_contexts/program/ddclient.fc b/mls/file_contexts/program/ddclient.fc
deleted file mode 100644
index 83ee3d2b..00000000
--- a/mls/file_contexts/program/ddclient.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# ddclient
-/etc/ddclient\.conf -- system_u:object_r:ddclient_etc_t
-/usr/sbin/ddclient -- system_u:object_r:ddclient_exec_t
-/var/cache/ddclient(/.*)? system_u:object_r:ddclient_var_t
-/var/run/ddclient\.pid -- system_u:object_r:ddclient_var_run_t
-# ddt - Dynamic DNS client
-/usr/sbin/ddtcd -- system_u:object_r:ddclient_exec_t
-/var/run/ddtcd\.pid -- system_u:object_r:ddclient_var_run_t
-/etc/ddtcd\.conf -- system_u:object_r:ddclient_etc_t
-/var/lib/ddt-client(/.*)? system_u:object_r:ddclient_var_lib_t
-/var/log/ddtcd\.log.* -- system_u:object_r:ddclient_log_t
diff --git a/mls/file_contexts/program/ddcprobe.fc b/mls/file_contexts/program/ddcprobe.fc
deleted file mode 100644
index 8879280c..00000000
--- a/mls/file_contexts/program/ddcprobe.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/ddcprobe -- system_u:object_r:ddcprobe_exec_t:s0
diff --git a/mls/file_contexts/program/dhcpc.fc b/mls/file_contexts/program/dhcpc.fc
deleted file mode 100644
index e892abe0..00000000
--- a/mls/file_contexts/program/dhcpc.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# dhcpcd
-/etc/dhcpc.* system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp3?/dhclient.* system_u:object_r:dhcp_etc_t:s0
-/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t:s0
-/etc/dhclient-script -- system_u:object_r:dhcp_etc_t:s0
-/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t:s0
-/sbin/dhcdbd -- system_u:object_r:dhcpc_exec_t:s0
-/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t:s0
-/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t:s0
-/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t:s0
-/var/lib/dhclient(/.*)? system_u:object_r:dhcpc_state_t:s0
-/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t:s0
-/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t:s0
-# pump
-/sbin/pump -- system_u:object_r:dhcpc_exec_t:s0
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t:s0
-define(`dhcp_defined')
-')
diff --git a/mls/file_contexts/program/dhcpd.fc b/mls/file_contexts/program/dhcpd.fc
deleted file mode 100644
index a03636f0..00000000
--- a/mls/file_contexts/program/dhcpd.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-# dhcpd
-/etc/dhcpd\.conf -- system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t:s0
-/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t:s0
-/var/lib/dhcp([3d])?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
-/var/run/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t:s0
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp([3d])? -d system_u:object_r:dhcp_state_t:s0
-define(`dhcp_defined')
-')
-/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
-/var/lib/dhcpd(/.*)? system_u:object_r:dhcpd_state_t:s0
-ifdef(`distro_gentoo', `
-/etc/dhcp -d system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t:s0
-/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t:s0
-
-# for the chroot setup
-/chroot/dhcp -d system_u:object_r:root_t:s0
-/chroot/dhcp/dev -d system_u:object_r:device_t:s0
-/chroot/dhcp/etc -d system_u:object_r:etc_t:s0
-/chroot/dhcp/etc/dhcp -d system_u:object_r:dhcp_etc_t:s0
-/chroot/dhcp/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t:s0
-/chroot/dhcp/usr/sbin/dhcpd -- system_u:object_r:dhcpd_exec_t:s0
-/chroot/dhcp/var -d system_u:object_r:var_t:s0
-/chroot/dhcp/var/run -d system_u:object_r:var_run_t:s0
-/chroot/dhcp/var/lib -d system_u:object_r:var_lib_t:s0
-/chroot/dhcp/var/lib/dhcp -d system_u:object_r:dhcp_state_t:s0
-/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
-/chroot/dhcp/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_state_t:s0
-')
-
diff --git a/mls/file_contexts/program/dictd.fc b/mls/file_contexts/program/dictd.fc
deleted file mode 100644
index b0898631..00000000
--- a/mls/file_contexts/program/dictd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dictd
-/etc/dictd\.conf -- system_u:object_r:dictd_etc_t:s0
-/usr/sbin/dictd -- system_u:object_r:dictd_exec_t:s0
-/var/lib/dictd(/.*)? system_u:object_r:dictd_var_lib_t:s0
diff --git a/mls/file_contexts/program/distcc.fc b/mls/file_contexts/program/distcc.fc
deleted file mode 100644
index 3ab97979..00000000
--- a/mls/file_contexts/program/distcc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# distcc
-/usr/bin/distccd -- system_u:object_r:distccd_exec_t
diff --git a/mls/file_contexts/program/djbdns.fc b/mls/file_contexts/program/djbdns.fc
deleted file mode 100644
index 6174b9f7..00000000
--- a/mls/file_contexts/program/djbdns.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-#djbdns
-/usr/bin/dnscache -- system_u:object_r:djbdns_dnscache_exec_t
-/usr/bin/tinydns -- system_u:object_r:djbdns_tinydns_exec_t
-/usr/bin/axfrdns -- system_u:object_r:djbdns_axfrdns_exec_t
-
-/var/dnscache[a-z]?(/.*)? system_u:object_r:svc_svc_t
-/var/dnscache[a-z]?/run -- system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/log/run -- system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/env(/.*)? system_u:object_r:svc_conf_t
-/var/dnscache[a-z]?/root(/.*)? system_u:object_r:djbdns_dnscache_conf_t
-/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/tinydns(/.*)? system_u:object_r:svc_svc_t
-/var/tinydns/run -- system_u:object_r:svc_run_exec_t
-/var/tinydns/log/run -- system_u:object_r:svc_run_exec_t
-/var/tinydns/env(/.*)? system_u:object_r:svc_conf_t
-/var/tinydns/root(/.*)? system_u:object_r:djbdns_tinydns_conf_t
-/var/tinydns/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/axfrdns(/.*)? system_u:object_r:svc_svc_t
-/var/axfrdns/run -- system_u:object_r:svc_run_exec_t
-/var/axfrdns/log/run -- system_u:object_r:svc_run_exec_t
-/var/axfrdns/env(/.*)? system_u:object_r:svc_conf_t
-/var/axfrdns/root(/.*)? system_u:object_r:djbdns_axfrdns_conf_t
-/var/axfrdns/log/main(/.*)? system_u:object_r:var_log_t
-
diff --git a/mls/file_contexts/program/dmesg.fc b/mls/file_contexts/program/dmesg.fc
deleted file mode 100644
index 938875bc..00000000
--- a/mls/file_contexts/program/dmesg.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# dmesg
-/bin/dmesg -- system_u:object_r:dmesg_exec_t:s0
diff --git a/mls/file_contexts/program/dmidecode.fc b/mls/file_contexts/program/dmidecode.fc
deleted file mode 100644
index 7b02fd53..00000000
--- a/mls/file_contexts/program/dmidecode.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dmidecode
-/usr/sbin/dmidecode -- system_u:object_r:dmidecode_exec_t:s0
-/usr/sbin/ownership -- system_u:object_r:dmidecode_exec_t:s0
-/usr/sbin/vpddecode -- system_u:object_r:dmidecode_exec_t:s0
diff --git a/mls/file_contexts/program/dnsmasq.fc b/mls/file_contexts/program/dnsmasq.fc
deleted file mode 100644
index e1b1c358..00000000
--- a/mls/file_contexts/program/dnsmasq.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dnsmasq
-/usr/sbin/dnsmasq -- system_u:object_r:dnsmasq_exec_t
-/var/lib/misc/dnsmasq\.leases -- system_u:object_r:dnsmasq_lease_t
-/var/run/dnsmasq\.pid -- system_u:object_r:dnsmasq_var_run_t
diff --git a/mls/file_contexts/program/dovecot.fc b/mls/file_contexts/program/dovecot.fc
deleted file mode 100644
index bc45b9d4..00000000
--- a/mls/file_contexts/program/dovecot.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-# for Dovecot POP and IMAP server
-/etc/dovecot.conf.* system_u:object_r:dovecot_etc_t:s0
-/etc/dovecot.passwd.* system_u:object_r:dovecot_passwd_t:s0
-/usr/sbin/dovecot -- system_u:object_r:dovecot_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t:s0
-')
-ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t:s0
-')
-/usr/share/ssl/certs/dovecot\.pem -- system_u:object_r:dovecot_cert_t:s0
-/usr/share/ssl/private/dovecot\.pem -- system_u:object_r:dovecot_cert_t:s0
-/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t:s0
-/var/run/dovecot(-login)?(/.*)? system_u:object_r:dovecot_var_run_t:s0
-/usr/lib(64)?/dovecot/.+ -- system_u:object_r:bin_t:s0
-/var/spool/dovecot(/.*)? system_u:object_r:dovecot_spool_t:s0
diff --git a/mls/file_contexts/program/dpkg.fc b/mls/file_contexts/program/dpkg.fc
deleted file mode 100644
index f0f56f62..00000000
--- a/mls/file_contexts/program/dpkg.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# dpkg/dselect/apt
-/etc/apt(/.*)? system_u:object_r:apt_etc_t
-/etc/apt/listbugs(/.*)? system_u:object_r:apt_rw_etc_t
-/usr/bin/apt-cache -- system_u:object_r:apt_exec_t
-/usr/bin/apt-config -- system_u:object_r:apt_exec_t
-/usr/bin/apt-get -- system_u:object_r:apt_exec_t
-/usr/bin/dpkg -- system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-reconfigure -- system_u:object_r:dpkg_exec_t
-/usr/bin/dselect -- system_u:object_r:dpkg_exec_t
-/usr/bin/aptitude -- system_u:object_r:dpkg_exec_t
-/usr/bin/update-menus -- system_u:object_r:install_menu_exec_t
-/usr/lib(64)?/apt/methods/.+ -- system_u:object_r:apt_exec_t
-/usr/lib(64)?/man-db(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/dpkg/.+ -- system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-preconfigure -- system_u:object_r:dpkg_exec_t
-/usr/sbin/install-menu -- system_u:object_r:install_menu_exec_t
-/usr/share/applnk(/.*)? system_u:object_r:debian_menu_t
-/usr/share/debconf/.+ -- system_u:object_r:dpkg_exec_t
-/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t
-/usr/share/lintian/.+ -- system_u:object_r:bin_t
-/usr/share/kernel-package/.+ -- system_u:object_r:bin_t
-/usr/share/smartmontools/selftests -- system_u:object_r:bin_t
-/usr/share/bug/[^/]+ -- system_u:object_r:bin_t
-/var/cache/apt(/.*)? system_u:object_r:var_cache_apt_t
-/var/cache/apt-listbugs(/.*)? system_u:object_r:var_cache_apt_t
-/var/lib/apt(/.*)? system_u:object_r:apt_var_lib_t
-/var/state/apt(/.*)? system_u:object_r:apt_var_lib_t
-/var/lib/dpkg(/.*)? system_u:object_r:dpkg_var_lib_t
-/var/lib/dpkg/(meth)?lock -- system_u:object_r:dpkg_lock_t
-/var/lib/kde(/.*)? system_u:object_r:debian_menu_t
-/var/spool/kdeapplnk(/.*)? system_u:object_r:debian_menu_t
-/var/cache/debconf(/.*)? 
system_u:object_r:debconf_cache_t
-/etc/dpkg/.+ -- system_u:object_r:dpkg_etc_t
-/etc/menu-methods/.* -- system_u:object_r:install_menu_exec_t
-/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
-/var/run/update-menus\.pid -- system_u:object_r:install_menu_var_run_t
-/usr/share/dlint/digparse -- system_u:object_r:bin_t
-/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t
-/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t
-/var/lib/defoma(/.*)? system_u:object_r:fonts_t
-/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t
-/usr/share/intltool-debian/.* -- system_u:object_r:bin_t
-/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t
-/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t
-/usr/share/shorewall/.* -- system_u:object_r:bin_t
-/usr/share/reportbug/.* -- system_u:object_r:bin_t
-/etc/network/ifstate.* -- system_u:object_r:etc_runtime_t
-/usr/lib(64)?/gconf2/gconfd-2 -- system_u:object_r:bin_t
-/bin/mountpoint -- system_u:object_r:fsadm_exec_t
diff --git a/mls/file_contexts/program/ethereal.fc b/mls/file_contexts/program/ethereal.fc
deleted file mode 100644
index abe9b020..00000000
--- a/mls/file_contexts/program/ethereal.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/tethereal.* -- system_u:object_r:tethereal_exec_t
-/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t
-HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t
diff --git a/mls/file_contexts/program/evolution.fc b/mls/file_contexts/program/evolution.fc
deleted file mode 100644
index 1a3bf38e..00000000
--- a/mls/file_contexts/program/evolution.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/usr/bin/evolution.* -- system_u:object_r:evolution_exec_t
-/usr/libexec/evolution/.*evolution-alarm-notify.* -- system_u:object_r:evolution_alarm_exec_t
-/usr/libexec/evolution/.*evolution-exchange-storage.* -- system_u:object_r:evolution_exchange_exec_t
-/usr/libexec/evolution-data-server.* -- system_u:object_r:evolution_server_exec_t
-/usr/libexec/evolution-webcal.* -- system_u:object_r:evolution_webcal_exec_t
-HOME_DIR/\.evolution(/.*)? system_u:object_r:ROLE_evolution_home_t
-HOME_DIR/\.camel_certs(/.*)? system_u:object_r:ROLE_evolution_home_t
-/tmp/\.exchange-USER(/.*)? system_u:object_r:ROLE_evolution_exchange_tmp_t
diff --git a/mls/file_contexts/program/exim.fc b/mls/file_contexts/program/exim.fc
deleted file mode 100644
index 26f6bac3..00000000
--- a/mls/file_contexts/program/exim.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-# exim
-/usr/sbin/exicyclog -- system_u:object_r:exicyclog_exec_t
-/usr/sbin/exigrep -- system_u:object_r:exigrep_exec_t
-/usr/sbin/exim_checkaccess -- system_u:object_r:exim_checkaccess_exec_t
-/usr/sbin/exim_dumpdb -- system_u:object_r:exim_db_ro_exec_t
-/usr/sbin/exim_fixdb -- system_u:object_r:exim_db_rw_exec_t
-/usr/sbin/exim_lock -- system_u:object_r:exim_helper_exec_t
-/usr/sbin/exim_tidydb -- system_u:object_r:exim_db_rw_exec_t
-/usr/sbin/exinext -- system_u:object_r:exim_helper_exec_t
-/usr/sbin/exipick -- system_u:object_r:exipick_exec_t
-/usr/sbin/exiqgrep -- system_u:object_r:exiqgrep_exec_t
-/usr/sbin/exim -- system_u:object_r:exim_exec_t
-/usr/sbin/exiwhat -- system_u:object_r:exiwhat_exec_t
-/var/spool/exim(/.*)? system_u:object_r:exim_spool_t
-/var/spool/exim/db(/.*)? system_u:object_r:exim_spool_db_t
-/var/spool/exim/msglog(/.*)? system_u:object_r:exim_log_t
-/var/run/exim.pid -- system_u:object_r:exim_var_run_t
-/var/log/exim(/.*)? system_u:object_r:exim_log_t
diff --git a/mls/file_contexts/program/fetchmail.fc b/mls/file_contexts/program/fetchmail.fc
deleted file mode 100644
index 9ac51a2e..00000000
--- a/mls/file_contexts/program/fetchmail.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# fetchmail
-/etc/fetchmailrc -- system_u:object_r:fetchmail_etc_t:s0
-/usr/bin/fetchmail -- system_u:object_r:fetchmail_exec_t:s0
-/var/run/fetchmail/.* -- system_u:object_r:fetchmail_var_run_t:s0
-/var/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t:s0
diff --git a/mls/file_contexts/program/fingerd.fc b/mls/file_contexts/program/fingerd.fc
deleted file mode 100644
index f7ed20dd..00000000
--- a/mls/file_contexts/program/fingerd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# fingerd
-/usr/sbin/in\.fingerd -- system_u:object_r:fingerd_exec_t:s0
-/usr/sbin/[cef]fingerd -- system_u:object_r:fingerd_exec_t:s0
-/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t:s0
-/etc/cfingerd(/.*)? system_u:object_r:fingerd_etc_t:s0
-/var/log/cfingerd\.log.* -- system_u:object_r:fingerd_log_t:s0
diff --git a/mls/file_contexts/program/firstboot.fc b/mls/file_contexts/program/firstboot.fc
deleted file mode 100644
index 9a087ed7..00000000
--- a/mls/file_contexts/program/firstboot.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# firstboot
-/usr/sbin/firstboot -- system_u:object_r:firstboot_exec_t:s0
-/usr/share/firstboot system_u:object_r:firstboot_rw_t:s0
-/usr/share/firstboot/firstboot\.py -- system_u:object_r:firstboot_exec_t:s0
diff --git a/mls/file_contexts/program/fontconfig.fc b/mls/file_contexts/program/fontconfig.fc
deleted file mode 100644
index d8a8dc95..00000000
--- a/mls/file_contexts/program/fontconfig.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-HOME_DIR/\.fonts.conf -- system_u:object_r:ROLE_fonts_config_t
-HOME_DIR/\.fonts(/.*)? system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.fonts/auto(/.*)? system_u:object_r:ROLE_fonts_cache_t
-HOME_DIR/\.fonts.cache-.* -- system_u:object_r:ROLE_fonts_cache_t
diff --git a/mls/file_contexts/program/fs_daemon.fc b/mls/file_contexts/program/fs_daemon.fc
deleted file mode 100644
index 1e086fd1..00000000
--- a/mls/file_contexts/program/fs_daemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# fs admin daemons
-/usr/sbin/smartd -- system_u:object_r:fsdaemon_exec_t:s0
-/var/run/smartd\.pid -- system_u:object_r:fsdaemon_var_run_t:s0
-/etc/smartd\.conf -- system_u:object_r:etc_runtime_t:s0
diff --git a/mls/file_contexts/program/fsadm.fc b/mls/file_contexts/program/fsadm.fc
deleted file mode 100644
index 4601a394..00000000
--- a/mls/file_contexts/program/fsadm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# fs admin utilities
-/sbin/fsck.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t:s0
-/sbin/e2fsck -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/dosfsck -- system_u:object_r:fsadm_exec_t:s0
-/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/e2label -- system_u:object_r:fsadm_exec_t:s0
-/sbin/findfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mke2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkswap -- system_u:object_r:fsadm_exec_t:s0
-/sbin/scsi_info -- system_u:object_r:fsadm_exec_t:s0
-/sbin/sfdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/cfdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/fdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/parted -- system_u:object_r:fsadm_exec_t:s0
-/sbin/tune2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/dump -- system_u:object_r:fsadm_exec_t:s0
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/hdparm -- system_u:object_r:fsadm_exec_t:s0
-/sbin/raidstart -- system_u:object_r:fsadm_exec_t:s0
-/sbin/raidautorun -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkraid -- system_u:object_r:fsadm_exec_t:s0
-/sbin/blockdev -- system_u:object_r:fsadm_exec_t:s0
-/sbin/losetup.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/lsraid -- system_u:object_r:fsadm_exec_t:s0
-/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t:s0
-/sbin/install-mbr -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/raw -- system_u:object_r:fsadm_exec_t:s0
-/sbin/partx -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t:s0 
-/sbin/partprobe -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t:s0
diff --git a/mls/file_contexts/program/ftpd.fc b/mls/file_contexts/program/ftpd.fc
deleted file mode 100644
index 92a8c3eb..00000000
--- a/mls/file_contexts/program/ftpd.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# ftpd
-/usr/sbin/in\.ftpd -- system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/proftpd -- system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/muddleftpd -- system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/ftpwho -- system_u:object_r:ftpd_exec_t:s0
-/usr/kerberos/sbin/ftpd -- system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/vsftpd -- system_u:object_r:ftpd_exec_t:s0
-/etc/proftpd\.conf -- system_u:object_r:ftpd_etc_t:s0
-/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t:s0
-/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t:s0
-/var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t:s0
-/var/log/xferlog.* -- system_u:object_r:xferlog_t:s0
-/var/log/vsftpd.* -- system_u:object_r:xferlog_t:s0
-/var/log/xferreport.* -- system_u:object_r:xferlog_t:s0
-/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t:s0
-/var/ftp(/.*)? system_u:object_r:public_content_t:s0
-/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t:s0
diff --git a/mls/file_contexts/program/games.fc b/mls/file_contexts/program/games.fc
deleted file mode 100644
index 3465eeee..00000000
--- a/mls/file_contexts/program/games.fc
+++ /dev/null
@@ -1,61 +0,0 @@
-# games
-/usr/lib/games(/.*)? system_u:object_r:games_exec_t
-/var/lib/games(/.*)? system_u:object_r:games_data_t
-ifdef(`distro_debian', `
-/usr/games/.* -- system_u:object_r:games_exec_t
-/var/games(/.*)? system_u:object_r:games_data_t
-', `
-/usr/bin/micq -- system_u:object_r:games_exec_t
-/usr/bin/blackjack -- system_u:object_r:games_exec_t
-/usr/bin/gataxx -- system_u:object_r:games_exec_t
-/usr/bin/glines -- system_u:object_r:games_exec_t
-/usr/bin/gnect -- system_u:object_r:games_exec_t
-/usr/bin/gnibbles -- system_u:object_r:games_exec_t
-/usr/bin/gnobots2 -- system_u:object_r:games_exec_t
-/usr/bin/gnome-stones -- system_u:object_r:games_exec_t
-/usr/bin/gnomine -- system_u:object_r:games_exec_t
-/usr/bin/gnotravex -- system_u:object_r:games_exec_t
-/usr/bin/gnotski -- system_u:object_r:games_exec_t
-/usr/bin/gtali -- system_u:object_r:games_exec_t
-/usr/bin/iagno -- system_u:object_r:games_exec_t
-/usr/bin/mahjongg -- system_u:object_r:games_exec_t
-/usr/bin/same-gnome -- system_u:object_r:games_exec_t
-/usr/bin/sol -- system_u:object_r:games_exec_t
-/usr/bin/atlantik -- system_u:object_r:games_exec_t
-/usr/bin/kasteroids -- system_u:object_r:games_exec_t
-/usr/bin/katomic -- system_u:object_r:games_exec_t
-/usr/bin/kbackgammon -- system_u:object_r:games_exec_t
-/usr/bin/kbattleship -- system_u:object_r:games_exec_t
-/usr/bin/kblackbox -- system_u:object_r:games_exec_t
-/usr/bin/kbounce -- system_u:object_r:games_exec_t
-/usr/bin/kenolaba -- system_u:object_r:games_exec_t
-/usr/bin/kfouleggs -- system_u:object_r:games_exec_t
-/usr/bin/kgoldrunner -- system_u:object_r:games_exec_t
-/usr/bin/kjumpingcube -- system_u:object_r:games_exec_t
-/usr/bin/klickety -- system_u:object_r:games_exec_t
-/usr/bin/klines -- system_u:object_r:games_exec_t
-/usr/bin/kmahjongg -- system_u:object_r:games_exec_t
-/usr/bin/kmines -- system_u:object_r:games_exec_t
-/usr/bin/kolf -- system_u:object_r:games_exec_t
-/usr/bin/konquest -- 
system_u:object_r:games_exec_t
-/usr/bin/kpat -- system_u:object_r:games_exec_t
-/usr/bin/kpoker -- system_u:object_r:games_exec_t
-/usr/bin/kreversi -- system_u:object_r:games_exec_t
-/usr/bin/ksame -- system_u:object_r:games_exec_t
-/usr/bin/kshisen -- system_u:object_r:games_exec_t
-/usr/bin/ksirtet -- system_u:object_r:games_exec_t
-/usr/bin/ksmiletris -- system_u:object_r:games_exec_t
-/usr/bin/ksnake -- system_u:object_r:games_exec_t
-/usr/bin/ksokoban -- system_u:object_r:games_exec_t
-/usr/bin/kspaceduel -- system_u:object_r:games_exec_t
-/usr/bin/ktron -- system_u:object_r:games_exec_t
-/usr/bin/ktuberling -- system_u:object_r:games_exec_t
-/usr/bin/kwin4 -- system_u:object_r:games_exec_t
-/usr/bin/kwin4proc -- system_u:object_r:games_exec_t
-/usr/bin/lskat -- system_u:object_r:games_exec_t
-/usr/bin/lskatproc -- system_u:object_r:games_exec_t
-/usr/bin/Maelstrom -- system_u:object_r:games_exec_t
-/usr/bin/civclient.* -- system_u:object_r:games_exec_t
-/usr/bin/civserver.* -- system_u:object_r:games_exec_t
-')dnl end non-Debian section
-
diff --git a/mls/file_contexts/program/gatekeeper.fc b/mls/file_contexts/program/gatekeeper.fc
deleted file mode 100644
index e51491a3..00000000
--- a/mls/file_contexts/program/gatekeeper.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gatekeeper
-/etc/gatekeeper\.ini -- system_u:object_r:gatekeeper_etc_t
-/usr/sbin/gk -- system_u:object_r:gatekeeper_exec_t
-/usr/sbin/gnugk -- system_u:object_r:gatekeeper_exec_t
-/var/run/gk\.pid -- system_u:object_r:gatekeeper_var_run_t
-/var/run/gnugk(/.*)? system_u:object_r:gatekeeper_var_run_t
-/var/log/gnugk(/.*)? system_u:object_r:gatekeeper_log_t
diff --git a/mls/file_contexts/program/gconf.fc b/mls/file_contexts/program/gconf.fc
deleted file mode 100644
index 3ee63e01..00000000
--- a/mls/file_contexts/program/gconf.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/libexec/gconfd-2 -- system_u:object_r:gconfd_exec_t
-/etc/gconf(/.*)? system_u:object_r:gconf_etc_t
-HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_gconfd_home_t
-HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_gconfd_home_t
-/tmp/gconfd-USER(/.*)? system_u:object_r:ROLE_gconfd_tmp_t
diff --git a/mls/file_contexts/program/getty.fc b/mls/file_contexts/program/getty.fc
deleted file mode 100644
index 19b7e649..00000000
--- a/mls/file_contexts/program/getty.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# getty
-/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
-/etc/mgetty(/.*)? system_u:object_r:getty_etc_t:s0
-/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t:s0
-/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t:s0
diff --git a/mls/file_contexts/program/gift.fc b/mls/file_contexts/program/gift.fc
deleted file mode 100644
index 88ed5f21..00000000
--- a/mls/file_contexts/program/gift.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/(local/)?bin/giftd -- system_u:object_r:giftd_exec_t
-/usr/(local/)?bin/giftui -- system_u:object_r:gift_exec_t
-/usr/(local/)?bin/giFToxic -- system_u:object_r:gift_exec_t
-/usr/(local/)?bin/apollon -- system_u:object_r:gift_exec_t
-HOME_DIR/\.giFT(/.*)? system_u:object_r:ROLE_gift_home_t
diff --git a/mls/file_contexts/program/gnome-pty-helper.fc b/mls/file_contexts/program/gnome-pty-helper.fc
deleted file mode 100644
index 24a0b1bc..00000000
--- a/mls/file_contexts/program/gnome-pty-helper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gnome-pty-helper
-/usr/sbin/gnome-pty-helper -- system_u:object_r:gph_exec_t
-/usr/lib(64)?/vte/gnome-pty-helper -- system_u:object_r:gph_exec_t
diff --git a/mls/file_contexts/program/gnome.fc b/mls/file_contexts/program/gnome.fc
deleted file mode 100644
index 670c86f4..00000000
--- a/mls/file_contexts/program/gnome.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# FIXME: add a lot more GNOME folders
-HOME_DIR/\.gnome(2)?(/.*)? system_u:object_r:ROLE_gnome_settings_t
-HOME_DIR/\.gnome(2)?_private(/.*)? system_u:object_r:ROLE_gnome_secret_t
-ifdef(`evolution.te', `
-HOME_DIR/\.gnome(2)?_private/Evolution -- system_u:object_r:ROLE_evolution_secret_t
-')
-HOME_DIR/\.gnome(2)?/share/fonts(/.*)? system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)? system_u:object_r:ROLE_fonts_t
diff --git a/mls/file_contexts/program/gnome_vfs.fc b/mls/file_contexts/program/gnome_vfs.fc
deleted file mode 100644
index f945d596..00000000
--- a/mls/file_contexts/program/gnome_vfs.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/gnome-vfs-daemon -- system_u:object_r:gnome_vfs_exec_t
diff --git a/mls/file_contexts/program/gpg-agent.fc b/mls/file_contexts/program/gpg-agent.fc
deleted file mode 100644
index a8a76038..00000000
--- a/mls/file_contexts/program/gpg-agent.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gpg-agent
-/usr/bin/gpg-agent -- system_u:object_r:gpg_agent_exec_t:s0
-/usr/bin/pinentry.* -- system_u:object_r:pinentry_exec_t:s0
diff --git a/mls/file_contexts/program/gpg.fc b/mls/file_contexts/program/gpg.fc
deleted file mode 100644
index b8207552..00000000
--- a/mls/file_contexts/program/gpg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gpg
-HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t:s0
-/usr/bin/gpg(2)? -- system_u:object_r:gpg_exec_t:s0
-/usr/bin/kgpg -- system_u:object_r:gpg_exec_t:s0
-/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t:s0
-/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t:s0
-
diff --git a/mls/file_contexts/program/gpm.fc b/mls/file_contexts/program/gpm.fc
deleted file mode 100644
index 12105182..00000000
--- a/mls/file_contexts/program/gpm.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# gpm
-/dev/gpmctl -s system_u:object_r:gpmctl_t:s0
-/dev/gpmdata -p system_u:object_r:gpmctl_t:s0
-/usr/sbin/gpm -- system_u:object_r:gpm_exec_t:s0
-/etc/gpm(/.*)? system_u:object_r:gpm_conf_t:s0
diff --git a/mls/file_contexts/program/groupadd.fc b/mls/file_contexts/program/groupadd.fc
deleted file mode 100644
index e69de29b..00000000
diff --git a/mls/file_contexts/program/hald.fc b/mls/file_contexts/program/hald.fc
deleted file mode 100644
index b57463df..00000000
--- a/mls/file_contexts/program/hald.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# hald - hardware information daemon
-/usr/sbin/hald -- system_u:object_r:hald_exec_t:s0
-/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t:s0
-/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t:s0
-/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t:s0
-/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t:s0
diff --git a/mls/file_contexts/program/hostname.fc b/mls/file_contexts/program/hostname.fc
deleted file mode 100644
index 01a957a7..00000000
--- a/mls/file_contexts/program/hostname.fc
+++ /dev/null
@@ -1 +0,0 @@
-/bin/hostname -- system_u:object_r:hostname_exec_t:s0
diff --git a/mls/file_contexts/program/hotplug.fc b/mls/file_contexts/program/hotplug.fc
deleted file mode 100644
index 05c65041..00000000
--- a/mls/file_contexts/program/hotplug.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# hotplug
-/etc/hotplug(/.*)? system_u:object_r:hotplug_etc_t:s0
-/sbin/hotplug -- system_u:object_r:hotplug_exec_t:s0
-/sbin/netplugd -- system_u:object_r:hotplug_exec_t:s0
-/etc/hotplug\.d/.* -- system_u:object_r:hotplug_exec_t:s0
-/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t:s0
-/etc/netplug\.d(/.*)? system_u:object_r:sbin_t:s0
-/etc/hotplug/.*agent -- system_u:object_r:sbin_t:s0
-/etc/hotplug/.*rc -- system_u:object_r:sbin_t:s0
-/etc/hotplug/hotplug\.functions -- system_u:object_r:sbin_t:s0
-/var/run/usb(/.*)? system_u:object_r:hotplug_var_run_t:s0
-/var/run/hotplug(/.*)? system_u:object_r:hotplug_var_run_t:s0
-/etc/hotplug/firmware.agent -- system_u:object_r:hotplug_exec_t:s0
diff --git a/mls/file_contexts/program/howl.fc b/mls/file_contexts/program/howl.fc
deleted file mode 100644
index 4546ac1b..00000000
--- a/mls/file_contexts/program/howl.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/nifd -- system_u:object_r:howl_exec_t:s0
-/usr/bin/mDNSResponder -- system_u:object_r:howl_exec_t:s0
-/var/run/nifd\.pid -- system_u:object_r:howl_var_run_t:s0
diff --git a/mls/file_contexts/program/hwclock.fc b/mls/file_contexts/program/hwclock.fc
deleted file mode 100644
index 9d0d9099..00000000
--- a/mls/file_contexts/program/hwclock.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# hwclock
-/sbin/hwclock -- system_u:object_r:hwclock_exec_t:s0
-/etc/adjtime -- system_u:object_r:adjtime_t:s0
diff --git a/mls/file_contexts/program/i18n_input.fc b/mls/file_contexts/program/i18n_input.fc
deleted file mode 100644
index 66cea53c..00000000
--- a/mls/file_contexts/program/i18n_input.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# i18n_input.fc
-/usr/sbin/htt -- system_u:object_r:i18n_input_exec_t:s0
-/usr/sbin/htt_server -- system_u:object_r:i18n_input_exec_t:s0
-/usr/bin/iiimd\.bin -- system_u:object_r:i18n_input_exec_t:s0
-/usr/bin/httx -- system_u:object_r:i18n_input_exec_t:s0
-/usr/bin/htt_xbe -- system_u:object_r:i18n_input_exec_t:s0
-/usr/bin/iiimx -- system_u:object_r:i18n_input_exec_t:s0
-/usr/lib/iiim/iiim-xbe -- system_u:object_r:i18n_input_exec_t:s0
-/usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t:s0
-/usr/lib(64)?/iiim/.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/run/iiim(/.*)? system_u:object_r:i18n_input_var_run_t:s0
diff --git a/mls/file_contexts/program/iceauth.fc b/mls/file_contexts/program/iceauth.fc
deleted file mode 100644
index 31bf1f3d..00000000
--- a/mls/file_contexts/program/iceauth.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# iceauth
-/usr/X11R6/bin/iceauth -- system_u:object_r:iceauth_exec_t
-HOME_DIR/\.ICEauthority.* -- system_u:object_r:ROLE_iceauth_home_t
diff --git a/mls/file_contexts/program/ifconfig.fc b/mls/file_contexts/program/ifconfig.fc
deleted file mode 100644
index 22d52ed3..00000000
--- a/mls/file_contexts/program/ifconfig.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# ifconfig
-/sbin/ifconfig -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/iwconfig -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ip -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/tc -- system_u:object_r:ifconfig_exec_t:s0
-/usr/sbin/tc -- system_u:object_r:ifconfig_exec_t:s0
-/bin/ip -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ethtool -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/mii-tool -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_interface -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_configure -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_internal_net -- system_u:object_r:ifconfig_exec_t:s0
diff --git a/mls/file_contexts/program/imazesrv.fc b/mls/file_contexts/program/imazesrv.fc
deleted file mode 100644
index dae194eb..00000000
--- a/mls/file_contexts/program/imazesrv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# imazesrv
-/usr/share/games/imaze(/.*)? system_u:object_r:imazesrv_data_t
-/usr/games/imazesrv -- system_u:object_r:imazesrv_exec_t
-/var/log/imaze\.log -- system_u:object_r:imazesrv_log_t
diff --git a/mls/file_contexts/program/inetd.fc b/mls/file_contexts/program/inetd.fc
deleted file mode 100644
index d066e36f..00000000
--- a/mls/file_contexts/program/inetd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# inetd
-/usr/sbin/inetd -- system_u:object_r:inetd_exec_t:s0
-/usr/sbin/xinetd -- system_u:object_r:inetd_exec_t:s0
-/usr/sbin/rlinetd -- system_u:object_r:inetd_exec_t:s0
-/usr/sbin/identd -- system_u:object_r:inetd_child_exec_t:s0
-/usr/sbin/in\..*d -- system_u:object_r:inetd_child_exec_t:s0
-/var/log/(x)?inetd\.log -- system_u:object_r:inetd_log_t:s0
-/var/run/inetd\.pid -- system_u:object_r:inetd_var_run_t:s0
diff --git a/mls/file_contexts/program/init.fc b/mls/file_contexts/program/init.fc
deleted file mode 100644
index cdf424f3..00000000
--- a/mls/file_contexts/program/init.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# init
-/dev/initctl -p system_u:object_r:initctl_t:s0
-/sbin/init -- system_u:object_r:init_exec_t:s0
diff --git a/mls/file_contexts/program/initrc.fc b/mls/file_contexts/program/initrc.fc
deleted file mode 100644
index 65a1dbaf..00000000
--- a/mls/file_contexts/program/initrc.fc
+++ /dev/null
@@ -1,48 +0,0 @@
-# init rc scripts
-ifdef(`targeted_policy', `
-/etc/X11/prefdm -- system_u:object_r:bin_t:s0
-', `
-/etc/X11/prefdm -- system_u:object_r:initrc_exec_t:s0
-')
-/etc/rc\.d/rc -- system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/init\.d/.* -- system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t:s0
-/etc/init\.d/.* -- system_u:object_r:initrc_exec_t:s0
-/etc/init\.d/functions -- system_u:object_r:etc_t:s0
-/var/run/utmp -- system_u:object_r:initrc_var_run_t:s0
-/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t:s0
-/var/run/random-seed -- system_u:object_r:initrc_var_run_t:s0
-/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t:s0
-ifdef(`distro_suse', `
-/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t:s0
-/var/run/keymap -- system_u:object_r:initrc_var_run_t:s0
-/var/run/numlock-on -- system_u:object_r:initrc_var_run_t:s0
-/var/run/setleds-on -- system_u:object_r:initrc_var_run_t:s0
-/var/run/bootsplashctl -p system_u:object_r:initrc_var_run_t:s0
-/etc/init\.d/\.depend.* -- system_u:object_r:etc_runtime_t:s0
-')
-
-ifdef(`distro_gentoo', `
-/sbin/rc -- system_u:object_r:initrc_exec_t:s0
-/sbin/runscript -- system_u:object_r:initrc_exec_t:s0
-/sbin/runscript\.sh -- system_u:object_r:initrc_exec_t:s0
-/var/lib/init\.d(/.*)? 
system_u:object_r:initrc_state_t:s0
-')
-
-# run_init
-/usr/sbin/run_init -- system_u:object_r:run_init_exec_t:s0
-/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t:s0
-/etc/nologin.* -- system_u:object_r:etc_runtime_t:s0
-/etc/nohotplug -- system_u:object_r:etc_runtime_t:s0
-ifdef(`distro_redhat', `
-/halt -- system_u:object_r:etc_runtime_t:s0
-/fastboot -- system_u:object_r:etc_runtime_t:s0
-/fsckoptions -- system_u:object_r:etc_runtime_t:s0
-/forcefsck -- system_u:object_r:etc_runtime_t:s0
-/poweroff -- system_u:object_r:etc_runtime_t:s0
-/\.autofsck -- system_u:object_r:etc_runtime_t:s0
-/\.autorelabel -- system_u:object_r:etc_runtime_t:s0
-')
-
diff --git a/mls/file_contexts/program/innd.fc b/mls/file_contexts/program/innd.fc
deleted file mode 100644
index c8646ea7..00000000
--- a/mls/file_contexts/program/innd.fc
+++ /dev/null
@@ -1,50 +0,0 @@
-# innd
-/usr/sbin/innd.* -- system_u:object_r:innd_exec_t:s0
-/usr/bin/rpost -- system_u:object_r:innd_exec_t:s0
-/usr/bin/suck -- system_u:object_r:innd_exec_t:s0
-/var/run/innd(/.*)? system_u:object_r:innd_var_run_t:s0
-/etc/news(/.*)? system_u:object_r:innd_etc_t:s0
-/etc/news/boot -- system_u:object_r:innd_exec_t:s0
-/var/spool/news(/.*)? system_u:object_r:news_spool_t:s0
-/var/log/news(/.*)? system_u:object_r:innd_log_t:s0
-/var/lib/news(/.*)? system_u:object_r:innd_var_lib_t:s0
-/var/run/news(/.*)? system_u:object_r:innd_var_run_t:s0
-/usr/sbin/in\.nnrpd -- system_u:object_r:innd_exec_t:s0
-/usr/bin/inews -- system_u:object_r:innd_exec_t:s0
-/usr/bin/rnews -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin(/.*)? system_u:object_r:bin_t:s0
-/usr/lib(64)?/news/bin/innd -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/actsync -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/archive -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/batcher -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/buffchan -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/controlchan -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/convdate -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/ctlinnd -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/cvtbatch -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/expire -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/expireover -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/fastrm -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/filechan -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/getlist -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/grephistory -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inews -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innconfval -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inndf -- 
system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inndstart -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innfeed -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innxbatch -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innxmit -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/makedbz -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/makehistory -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/newsrequeue -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/nnrpd -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/nntpget -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/ovdb_recover -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/overchan -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/prunehistory -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/rnews -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/shlock -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/shrinkfile -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/sm -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/startinnfeed -- system_u:object_r:innd_exec_t:s0
diff --git a/mls/file_contexts/program/ipsec.fc b/mls/file_contexts/program/ipsec.fc
deleted file mode 100644
index cb4c966b..00000000
--- a/mls/file_contexts/program/ipsec.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-# IPSEC utilities and daemon.
-
-/etc/ipsec\.secrets -- system_u:object_r:ipsec_key_file_t:s0
-/etc/ipsec\.conf -- system_u:object_r:ipsec_conf_file_t:s0
-/etc/ipsec\.d(/.*)? system_u:object_r:ipsec_key_file_t:s0
-/etc/ipsec\.d/examples(/.*)? system_u:object_r:etc_t:s0
-/usr/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t:s0
-/usr/lib(64)?/ipsec/_plutoload -- system_u:object_r:ipsec_mgmt_exec_t:s0
-/usr/lib(64)?/ipsec/_plutorun -- system_u:object_r:ipsec_mgmt_exec_t:s0
-/usr/local/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t:s0
-/usr/libexec/ipsec/eroute -- system_u:object_r:ipsec_exec_t:s0
-/usr/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t:s0
-/usr/local/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t:s0
-/usr/libexec/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t:s0
-/usr/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t:s0
-/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t:s0
-/usr/libexec/ipsec/pluto -- system_u:object_r:ipsec_exec_t:s0
-/usr/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t:s0
-/usr/local/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t:s0
-/usr/libexec/ipsec/spi -- system_u:object_r:ipsec_exec_t:s0
-/usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t:s0
-/usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t:s0
-/var/run/pluto(/.*)? system_u:object_r:ipsec_var_run_t:s0
-/var/racoon(/.*)? system_u:object_r:ipsec_var_run_t:s0
-
-# Kame
-/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t:s0
-/usr/sbin/setkey -- system_u:object_r:ipsec_exec_t:s0
-/sbin/setkey -- system_u:object_r:ipsec_exec_t:s0
-/etc/racoon(/.*)? system_u:object_r:ipsec_conf_file_t:s0
-/etc/racoon/certs(/.*)? system_u:object_r:ipsec_key_file_t:s0
-/etc/racoon/psk\.txt -- system_u:object_r:ipsec_key_file_t:s0
diff --git a/mls/file_contexts/program/iptables.fc b/mls/file_contexts/program/iptables.fc
deleted file mode 100644
index c55fd08c..00000000
--- a/mls/file_contexts/program/iptables.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# iptables
-/sbin/ipchains.* -- system_u:object_r:iptables_exec_t:s0
-/sbin/iptables.* -- system_u:object_r:iptables_exec_t:s0
-/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t:s0
-/usr/sbin/ipchains.* -- system_u:object_r:iptables_exec_t:s0
-/usr/sbin/iptables.* -- system_u:object_r:iptables_exec_t:s0
-/usr/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t:s0
-
diff --git a/mls/file_contexts/program/irc.fc b/mls/file_contexts/program/irc.fc
deleted file mode 100644
index 586977b2..00000000
--- a/mls/file_contexts/program/irc.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# irc clients
-/usr/bin/[st]irc -- system_u:object_r:irc_exec_t:s0
-/usr/bin/ircII -- system_u:object_r:irc_exec_t:s0
-/usr/bin/tinyirc -- system_u:object_r:irc_exec_t:s0
-HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t:s0
diff --git a/mls/file_contexts/program/ircd.fc b/mls/file_contexts/program/ircd.fc
deleted file mode 100644
index 2ef668cc..00000000
--- a/mls/file_contexts/program/ircd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# ircd - irc server
-/usr/sbin/(dancer-)?ircd -- system_u:object_r:ircd_exec_t
-/etc/(dancer-)?ircd(/.*)? system_u:object_r:ircd_etc_t
-/var/log/(dancer-)?ircd(/.*)? system_u:object_r:ircd_log_t
-/var/lib/dancer-ircd(/.*)? system_u:object_r:ircd_var_lib_t
-/var/run/dancer-ircd(/.*)? system_u:object_r:ircd_var_run_t
diff --git a/mls/file_contexts/program/irqbalance.fc b/mls/file_contexts/program/irqbalance.fc
deleted file mode 100644
index 15b5004c..00000000
--- a/mls/file_contexts/program/irqbalance.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# irqbalance
-/usr/sbin/irqbalance -- system_u:object_r:irqbalance_exec_t:s0
diff --git a/mls/file_contexts/program/jabberd.fc b/mls/file_contexts/program/jabberd.fc
deleted file mode 100644
index c614cb89..00000000
--- a/mls/file_contexts/program/jabberd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# jabberd
-/usr/sbin/jabberd -- system_u:object_r:jabberd_exec_t
-/var/lib/jabber(/.*)? system_u:object_r:jabberd_var_lib_t
-/var/log/jabber(/.*)? system_u:object_r:jabberd_log_t
diff --git a/mls/file_contexts/program/java.fc b/mls/file_contexts/program/java.fc
deleted file mode 100644
index 0513971d..00000000
--- a/mls/file_contexts/program/java.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# java
-/usr(/.*)?/bin/java.* -- system_u:object_r:java_exec_t:s0
diff --git a/mls/file_contexts/program/kerberos.fc b/mls/file_contexts/program/kerberos.fc
deleted file mode 100644
index 2faebe03..00000000
--- a/mls/file_contexts/program/kerberos.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# MIT Kerberos krbkdc, kadmind
-/etc/krb5\.keytab system_u:object_r:krb5_keytab_t:s0
-/usr(/local)?(/kerberos)?/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t:s0
-/usr(/local)?(/kerberos)?/sbin/kadmind -- system_u:object_r:kadmind_exec_t:s0
-/var/kerberos/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0
-/usr/local/var/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0
-/var/kerberos/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0
-/usr/local/var/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0
-/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t:s0
-/var/log/kadmind\.log system_u:object_r:kadmind_log_t:s0
-/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t:s0
-
-# gentoo file locations
-/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t:s0
-/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t:s0
-/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0
-/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0
-/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t:s0
-/var/log/kadmin.log -- system_u:object_r:kadmind_log_t:s0
-
diff --git a/mls/file_contexts/program/klogd.fc b/mls/file_contexts/program/klogd.fc
deleted file mode 100644
index 5fcdf291..00000000
--- a/mls/file_contexts/program/klogd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# klogd
-/sbin/klogd -- system_u:object_r:klogd_exec_t:s0
-/usr/sbin/klogd -- system_u:object_r:klogd_exec_t:s0
-/var/run/klogd\.pid -- system_u:object_r:klogd_var_run_t:s0
diff --git a/mls/file_contexts/program/ktalkd.fc b/mls/file_contexts/program/ktalkd.fc
deleted file mode 100644
index 33973fdf..00000000
--- a/mls/file_contexts/program/ktalkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# kde talk daemon
-/usr/bin/ktalkd -- system_u:object_r:ktalkd_exec_t:s0
diff --git a/mls/file_contexts/program/kudzu.fc b/mls/file_contexts/program/kudzu.fc
deleted file mode 100644
index 3602a309..00000000
--- a/mls/file_contexts/program/kudzu.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# kudzu
-(/usr)?/sbin/kudzu -- system_u:object_r:kudzu_exec_t:s0
-/sbin/kmodule -- system_u:object_r:kudzu_exec_t:s0
-/var/run/Xconfig -- root:object_r:kudzu_var_run_t:s0
diff --git a/mls/file_contexts/program/lcd.fc b/mls/file_contexts/program/lcd.fc
deleted file mode 100644
index 4294d442..00000000
--- a/mls/file_contexts/program/lcd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lcd
-/usr/sbin/lcd.* -- system_u:object_r:lcd_exec_t
diff --git a/mls/file_contexts/program/ldconfig.fc b/mls/file_contexts/program/ldconfig.fc
deleted file mode 100644
index 1f82fcfe..00000000
--- a/mls/file_contexts/program/ldconfig.fc
+++ /dev/null
@@ -1 +0,0 @@
-/sbin/ldconfig -- system_u:object_r:ldconfig_exec_t:s0
diff --git a/mls/file_contexts/program/load_policy.fc b/mls/file_contexts/program/load_policy.fc
deleted file mode 100644
index a4c98cee..00000000
--- a/mls/file_contexts/program/load_policy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# load_policy
-/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t:s0
-/sbin/load_policy -- system_u:object_r:load_policy_exec_t:s0
diff --git a/mls/file_contexts/program/loadkeys.fc b/mls/file_contexts/program/loadkeys.fc
deleted file mode 100644
index ebe1cfc5..00000000
--- a/mls/file_contexts/program/loadkeys.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# loadkeys
-/bin/unikeys -- system_u:object_r:loadkeys_exec_t:s0
-/bin/loadkeys -- system_u:object_r:loadkeys_exec_t:s0
diff --git a/mls/file_contexts/program/lockdev.fc b/mls/file_contexts/program/lockdev.fc
deleted file mode 100644
index b917bf74..00000000
--- a/mls/file_contexts/program/lockdev.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lockdev
-/usr/sbin/lockdev -- system_u:object_r:lockdev_exec_t:s0
diff --git a/mls/file_contexts/program/login.fc b/mls/file_contexts/program/login.fc
deleted file mode 100644
index ab8bf1ad..00000000
--- a/mls/file_contexts/program/login.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# login
-/bin/login -- system_u:object_r:login_exec_t:s0
-/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
diff --git a/mls/file_contexts/program/logrotate.fc b/mls/file_contexts/program/logrotate.fc
deleted file mode 100644
index 85b6ee76..00000000
--- a/mls/file_contexts/program/logrotate.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# logrotate
-/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t:s0
-/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t:s0
-ifdef(`distro_debian', `
-/usr/bin/savelog -- system_u:object_r:logrotate_exec_t:s0
-/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t:s0
-', `
-/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t:s0
-')
-/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t:s0
-/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t:s0
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t:s0
diff --git a/mls/file_contexts/program/lpd.fc b/mls/file_contexts/program/lpd.fc
deleted file mode 100644
index da61bf4c..00000000
--- a/mls/file_contexts/program/lpd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# lpd
-/dev/printer -s system_u:object_r:printer_t:s0
-/usr/sbin/lpd -- system_u:object_r:lpd_exec_t:s0
-/usr/sbin/checkpc -- system_u:object_r:checkpc_exec_t:s0
-/var/spool/lpd(/.*)? system_u:object_r:print_spool_t:s0
-/usr/share/printconf/.* -- system_u:object_r:printconf_t:s0
-/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t:s0
-/var/run/lprng(/.*)? system_u:object_r:lpd_var_run_t:s0
diff --git a/mls/file_contexts/program/lpr.fc b/mls/file_contexts/program/lpr.fc
deleted file mode 100644
index a2725c71..00000000
--- a/mls/file_contexts/program/lpr.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# lp utilities.
-/usr/bin/lpr(\.cups)? -- system_u:object_r:lpr_exec_t:s0
-/usr/bin/lpq(\.cups)? -- system_u:object_r:lpr_exec_t:s0
-/usr/bin/lprm(\.cups)? -- system_u:object_r:lpr_exec_t:s0
diff --git a/mls/file_contexts/program/lrrd.fc b/mls/file_contexts/program/lrrd.fc
deleted file mode 100644
index 08494fc9..00000000
--- a/mls/file_contexts/program/lrrd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# lrrd
-/usr/bin/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/sbin/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/plugins/.* -- system_u:object_r:lrrd_exec_t
-/var/run/lrrd(/.*)? system_u:object_r:lrrd_var_run_t
-/var/log/lrrd.* -- system_u:object_r:lrrd_log_t
-/var/lib/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t
-/var/www/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t
-/etc/lrrd(/.*)? system_u:object_r:lrrd_etc_t
diff --git a/mls/file_contexts/program/lvm.fc b/mls/file_contexts/program/lvm.fc
deleted file mode 100644
index baa6ce1a..00000000
--- a/mls/file_contexts/program/lvm.fc
+++ /dev/null
@@ -1,69 +0,0 @@
-# lvm
-/sbin/lvmiopversion -- system_u:object_r:lvm_exec_t:s0
-/etc/lvm(/.*)? system_u:object_r:lvm_etc_t:s0
-/etc/lvm/\.cache -- system_u:object_r:lvm_metadata_t:s0
-/etc/lvm/archive(/.*)? system_u:object_r:lvm_metadata_t:s0
-/etc/lvm/backup(/.*)? system_u:object_r:lvm_metadata_t:s0
-/etc/lvmtab(/.*)? system_u:object_r:lvm_metadata_t:s0
-/etc/lvmtab\.d(/.*)? system_u:object_r:lvm_metadata_t:s0
-# LVM creates lock files in /var before /var is mounted
-# configure LVM to put lockfiles in /etc/lvm/lock instead
-# for this policy to work (unless you have no separate /var)
-/etc/lvm/lock(/.*)? system_u:object_r:lvm_lock_t:s0
-/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t:s0
-/dev/lvm -c system_u:object_r:fixed_disk_device_t:s0
-/dev/mapper/control -c system_u:object_r:lvm_control_t:s0
-/lib/lvm-10/.* -- system_u:object_r:lvm_exec_t:s0
-/lib/lvm-200/.* -- system_u:object_r:lvm_exec_t:s0
-/sbin/e2fsadm -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvchange -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvcreate -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvdisplay -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvextend -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvmchange -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvmdiskscan -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvmsadc -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvmsar -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvreduce -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvremove -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvrename -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvscan -- system_u:object_r:lvm_exec_t:s0
-/sbin/pvchange -- system_u:object_r:lvm_exec_t:s0
-/sbin/pvcreate -- system_u:object_r:lvm_exec_t:s0
-/sbin/pvdata -- system_u:object_r:lvm_exec_t:s0
-/sbin/pvdisplay -- system_u:object_r:lvm_exec_t:s0
-/sbin/pvmove -- system_u:object_r:lvm_exec_t:s0
-/sbin/pvscan -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgcfgbackup -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgcfgrestore -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgchange -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgchange\.static -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgck -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgcreate -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgdisplay -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgexport -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgextend -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgimport -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgmerge -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgmknodes -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgreduce -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgremove -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgrename -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgscan -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgscan\.static -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgsplit -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgwrapper -- system_u:object_r:lvm_exec_t:s0
-/sbin/cryptsetup -- system_u:object_r:lvm_exec_t:s0
-/sbin/dmsetup -- system_u:object_r:lvm_exec_t:s0
-/sbin/dmsetup\.static -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvm -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvm\.static -- system_u:object_r:lvm_exec_t:s0
-/usr/sbin/lvm -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvresize -- system_u:object_r:lvm_exec_t:s0
-/sbin/lvs -- system_u:object_r:lvm_exec_t:s0
-/sbin/pvremove -- system_u:object_r:lvm_exec_t:s0
-/sbin/pvs -- system_u:object_r:lvm_exec_t:s0
-/sbin/vgs -- system_u:object_r:lvm_exec_t:s0
-/sbin/multipathd -- system_u:object_r:lvm_exec_t:s0
-/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t:s0
-/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t:s0
diff --git a/mls/file_contexts/program/mailman.fc b/mls/file_contexts/program/mailman.fc
deleted file mode 100644
index d8d5b4b7..00000000
--- a/mls/file_contexts/program/mailman.fc
+++ /dev/null
@@ -1,24 +0,0 @@
-# mailman list server
-/var/lib/mailman(/.*)? system_u:object_r:mailman_data_t:s0
-/var/log/mailman(/.*)? system_u:object_r:mailman_log_t:s0
-/usr/lib/mailman/cron/.* -- system_u:object_r:mailman_queue_exec_t:s0
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t:s0
-/var/run/mailman(/.*)? system_u:object_r:mailman_lock_t:s0
-/var/lib/mailman/archives(/.*)? system_u:object_r:mailman_archive_t:s0
-
-ifdef(`distro_debian', `
-/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t:s0
-/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0
-/usr/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0
-/etc/cron\.daily/mailman -- system_u:object_r:mailman_queue_exec_t:s0
-/etc/cron\.monthly/mailman -- system_u:object_r:mailman_queue_exec_t:s0
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t:s0
-/var/lock/mailman(/.*)? system_u:object_r:mailman_lock_t:s0
-/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t:s0
-/usr/lib/mailman/bin/qrunner -- system_u:object_r:mailman_queue_exec_t:s0
-/etc/mailman(/.*)? system_u:object_r:mailman_data_t:s0
-/var/spool/mailman(/.*)? system_u:object_r:mailman_data_t:s0
-')
diff --git a/mls/file_contexts/program/mdadm.fc b/mls/file_contexts/program/mdadm.fc
deleted file mode 100644
index 61ebacd4..00000000
--- a/mls/file_contexts/program/mdadm.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# mdadm - manage MD devices aka Linux Software Raid.
-/sbin/mdmpd -- system_u:object_r:mdadm_exec_t:s0
-/sbin/mdadm -- system_u:object_r:mdadm_exec_t:s0
-/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t:s0
diff --git a/mls/file_contexts/program/modutil.fc b/mls/file_contexts/program/modutil.fc
deleted file mode 100644
index 0c881795..00000000
--- a/mls/file_contexts/program/modutil.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# module utilities
-/etc/modules\.conf.* -- system_u:object_r:modules_conf_t:s0
-/etc/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0
-/lib(64)?/modules/modprobe\.conf -- system_u:object_r:modules_conf_t:s0
-/lib(64)?/modules(/.*)? system_u:object_r:modules_object_t:s0
-/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t:s0
-/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0
-/sbin/depmod.* -- system_u:object_r:depmod_exec_t:s0
-/sbin/modprobe.* -- system_u:object_r:insmod_exec_t:s0
-/sbin/insmod.* -- system_u:object_r:insmod_exec_t:s0
-/sbin/insmod_ksymoops_clean -- system_u:object_r:sbin_t:s0
-/sbin/rmmod.* -- system_u:object_r:insmod_exec_t:s0
-/sbin/update-modules -- system_u:object_r:update_modules_exec_t:s0
-/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t:s0
diff --git a/mls/file_contexts/program/monopd.fc b/mls/file_contexts/program/monopd.fc
deleted file mode 100644
index 457493e2..00000000
--- a/mls/file_contexts/program/monopd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# monopd
-/etc/monopd\.conf -- system_u:object_r:monopd_etc_t
-/usr/sbin/monopd -- system_u:object_r:monopd_exec_t
-/usr/share/monopd/games(/.*)? system_u:object_r:monopd_share_t
diff --git a/mls/file_contexts/program/mount.fc b/mls/file_contexts/program/mount.fc
deleted file mode 100644
index 93b78741..00000000
--- a/mls/file_contexts/program/mount.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# mount
-/bin/mount.* -- system_u:object_r:mount_exec_t:s0
-/bin/umount.* -- system_u:object_r:mount_exec_t:s0
diff --git a/mls/file_contexts/program/mozilla.fc b/mls/file_contexts/program/mozilla.fc
deleted file mode 100644
index 2b533a62..00000000
--- a/mls/file_contexts/program/mozilla.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# netscape/mozilla
-HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t
-/usr/bin/netscape -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-snapshot -- system_u:object_r:mozilla_exec_t
-/usr/bin/epiphany-bin -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-[0-9].* -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-bin-[0-9].* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/reg.+ -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/firefox[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- system_u:object_r:bin_t
-/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --git a/mls/file_contexts/program/mplayer.fc b/mls/file_contexts/program/mplayer.fc
deleted file mode 100644
index 10465aa5..00000000
--- a/mls/file_contexts/program/mplayer.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# mplayer
-/usr/bin/mplayer -- system_u:object_r:mplayer_exec_t
-/usr/bin/mencoder -- system_u:object_r:mencoder_exec_t
-
-/etc/mplayer(/.*)? system_u:object_r:mplayer_etc_t
-HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_home_t
diff --git a/mls/file_contexts/program/mrtg.fc b/mls/file_contexts/program/mrtg.fc
deleted file mode 100644
index ed68c4e0..00000000
--- a/mls/file_contexts/program/mrtg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# mrtg - traffic grapher
-/usr/bin/mrtg -- system_u:object_r:mrtg_exec_t:s0
-/var/lib/mrtg(/.*)? system_u:object_r:mrtg_var_lib_t:s0
-/var/lock/mrtg(/.*)? system_u:object_r:mrtg_lock_t:s0
-/etc/mrtg.* system_u:object_r:mrtg_etc_t:s0
-/etc/mrtg/mrtg\.ok -- system_u:object_r:mrtg_lock_t:s0
-/var/log/mrtg(/.*)? system_u:object_r:mrtg_log_t:s0
diff --git a/mls/file_contexts/program/mta.fc b/mls/file_contexts/program/mta.fc
deleted file mode 100644
index 68b30e88..00000000
--- a/mls/file_contexts/program/mta.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# types for general mail servers
-/usr/sbin/sendmail(.sendmail)? -- system_u:object_r:sendmail_exec_t:s0
-/usr/lib(64)?/sendmail -- system_u:object_r:sendmail_exec_t:s0
-/etc/aliases -- system_u:object_r:etc_aliases_t:s0
-/etc/aliases\.db -- system_u:object_r:etc_aliases_t:s0
-/var/spool/mail(/.*)? system_u:object_r:mail_spool_t:s0
-/var/mail(/.*)? system_u:object_r:mail_spool_t:s0
-ifdef(`postfix.te', `', `
-/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t:s0
-/var/spool/postfix(/.*)? system_u:object_r:mail_spool_t:s0
-')
-
diff --git a/mls/file_contexts/program/mysqld.fc b/mls/file_contexts/program/mysqld.fc
deleted file mode 100644
index 22933da5..00000000
--- a/mls/file_contexts/program/mysqld.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# mysql database server
-/usr/sbin/mysqld(-max)? -- system_u:object_r:mysqld_exec_t:s0
-/usr/libexec/mysqld -- system_u:object_r:mysqld_exec_t:s0
-/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t:s0
-/var/log/mysql.* -- system_u:object_r:mysqld_log_t:s0
-/var/lib/mysql(/.*)? system_u:object_r:mysqld_db_t:s0
-/var/lib/mysql/mysql\.sock -s system_u:object_r:mysqld_var_run_t:s0
-/etc/my\.cnf -- system_u:object_r:mysqld_etc_t:s0
-/etc/mysql(/.*)? system_u:object_r:mysqld_etc_t:s0
-ifdef(`distro_debian', `
-/etc/mysql/debian-start -- system_u:object_r:bin_t:s0
-')
diff --git a/mls/file_contexts/program/nagios.fc b/mls/file_contexts/program/nagios.fc
deleted file mode 100644
index 6a8a22df..00000000
--- a/mls/file_contexts/program/nagios.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# nagios - network monitoring server
-/var/log/netsaint(/.*)? system_u:object_r:nagios_log_t
-/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- system_u:object_r:nagios_cgi_exec_t
-# nagios
-ifdef(`distro_debian', `
-/usr/sbin/nagios -- system_u:object_r:nagios_exec_t
-/usr/lib/cgi-bin/nagios/.+ -- system_u:object_r:nagios_cgi_exec_t
-', `
-/usr/bin/nagios -- system_u:object_r:nagios_exec_t
-/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t
-')
-/etc/nagios(/.*)? system_u:object_r:nagios_etc_t
-/var/log/nagios(/.*)? system_u:object_r:nagios_log_t
-/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
diff --git a/mls/file_contexts/program/named.fc b/mls/file_contexts/program/named.fc
deleted file mode 100644
index b94d6419..00000000
--- a/mls/file_contexts/program/named.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# named
-ifdef(`distro_redhat', `
-/var/named(/.*)? system_u:object_r:named_zone_t:s0
-/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/data(/.*)? system_u:object_r:named_cache_t:s0
-/etc/named\.conf -- system_u:object_r:named_conf_t:s0
-') dnl end distro_redhat
-
-ifdef(`distro_debian', `
-/etc/bind(/.*)? system_u:object_r:named_zone_t:s0
-/etc/bind/named\.conf -- system_u:object_r:named_conf_t:s0
-/etc/bind/rndc\.key -- system_u:object_r:dnssec_t:s0
-/var/cache/bind(/.*)? system_u:object_r:named_cache_t:s0
-') dnl distro_debian
-
-/etc/rndc.* -- system_u:object_r:named_conf_t:s0
-/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
-/usr/sbin/named -- system_u:object_r:named_exec_t:s0
-/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t:s0
-/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t:s0
-/var/run/ndc -s system_u:object_r:named_var_run_t:s0
-/var/run/bind(/.*)? system_u:object_r:named_var_run_t:s0
-/var/run/named(/.*)? system_u:object_r:named_var_run_t:s0
-/usr/sbin/lwresd -- system_u:object_r:named_exec_t:s0
-/var/log/named.* -- system_u:object_r:named_log_t:s0
-
-ifdef(`distro_redhat', `
-/var/named/named\.ca -- system_u:object_r:named_conf_t:s0
-/var/named/chroot(/.*)? system_u:object_r:named_conf_t:s0
-/var/named/chroot/dev/null -c system_u:object_r:null_device_t:s0
-/var/named/chroot/dev/random -c system_u:object_r:random_device_t:s0
-/var/named/chroot/dev/zero -c system_u:object_r:zero_device_t:s0
-/var/named/chroot/etc(/.*)? system_u:object_r:named_conf_t:s0
-/var/named/chroot/etc/rndc.key -- system_u:object_r:dnssec_t:s0
-/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t:s0
-/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named(/.*)? system_u:object_r:named_zone_t:s0
-/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named/named\.ca -- system_u:object_r:named_conf_t:s0
-') dnl distro_redhat
-
-ifdef(`distro_gentoo', `
-/etc/bind(/.*)? system_u:object_r:named_zone_t:s0
-/etc/bind/named\.conf -- system_u:object_r:named_conf_t:s0
-/etc/bind/rndc\.key -- system_u:object_r:dnssec_t:s0
-/var/bind(/.*)? system_u:object_r:named_cache_t:s0
-/var/bind/pri(/.*)? system_u:object_r:named_zone_t:s0
-') dnl distro_gentoo
diff --git a/mls/file_contexts/program/nessusd.fc b/mls/file_contexts/program/nessusd.fc
deleted file mode 100644
index adec00b2..00000000
--- a/mls/file_contexts/program/nessusd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# nessusd - network scanning server
-/usr/sbin/nessusd -- system_u:object_r:nessusd_exec_t
-/usr/lib(64)?/nessus/plugins/.* -- system_u:object_r:nessusd_exec_t
-/var/lib/nessus(/.*)? system_u:object_r:nessusd_db_t
-/var/log/nessus(/.*)? system_u:object_r:nessusd_log_t
-/etc/nessus/nessusd\.conf -- system_u:object_r:nessusd_etc_t
diff --git a/mls/file_contexts/program/netutils.fc b/mls/file_contexts/program/netutils.fc
deleted file mode 100644
index a6ae5d5f..00000000
--- a/mls/file_contexts/program/netutils.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# network utilities
-/sbin/arping -- system_u:object_r:netutils_exec_t:s0
-/usr/sbin/tcpdump -- system_u:object_r:netutils_exec_t:s0
-/etc/network/ifstate -- system_u:object_r:etc_runtime_t:s0
diff --git a/mls/file_contexts/program/newrole.fc b/mls/file_contexts/program/newrole.fc
deleted file mode 100644
index 6b03678a..00000000
--- a/mls/file_contexts/program/newrole.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# newrole
-/usr/bin/newrole -- system_u:object_r:newrole_exec_t:s0
diff --git a/mls/file_contexts/program/nrpe.fc b/mls/file_contexts/program/nrpe.fc
deleted file mode 100644
index 6523cc33..00000000
--- a/mls/file_contexts/program/nrpe.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nrpe
-/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t
-/etc/nagios/nrpe\.cfg -- system_u:object_r:nrpe_etc_t
-ifdef(`nagios.te', `', `
-/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
-')
diff --git a/mls/file_contexts/program/nscd.fc b/mls/file_contexts/program/nscd.fc
deleted file mode 100644
index aa8af5b0..00000000
--- a/mls/file_contexts/program/nscd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nscd
-/usr/sbin/nscd -- system_u:object_r:nscd_exec_t:s0
-/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t:s0
-/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t:s0
-/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t:s0
-/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t:s0
-/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t:s0
diff --git a/mls/file_contexts/program/nsd.fc b/mls/file_contexts/program/nsd.fc
deleted file mode 100644
index 43b49fe1..00000000
--- a/mls/file_contexts/program/nsd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# nsd
-/etc/nsd(/.*)? system_u:object_r:nsd_conf_t
-/etc/nsd/primary(/.*)? system_u:object_r:nsd_zone_t
-/etc/nsd/secondary(/.*)? system_u:object_r:nsd_zone_t
-/etc/nsd/nsd\.db -- system_u:object_r:nsd_db_t
-/var/lib/nsd(/.*)? system_u:object_r:nsd_zone_t
-/var/lib/nsd/nsd\.db -- system_u:object_r:nsd_db_t
-/usr/sbin/nsd -- system_u:object_r:nsd_exec_t
-/usr/sbin/nsdc -- system_u:object_r:nsd_exec_t
-/usr/sbin/nsd-notify -- system_u:object_r:nsd_exec_t
-/usr/sbin/zonec -- system_u:object_r:nsd_exec_t
-/var/run/nsd\.pid -- system_u:object_r:nsd_var_run_t
diff --git a/mls/file_contexts/program/ntpd.fc b/mls/file_contexts/program/ntpd.fc
deleted file mode 100644
index b9040bb2..00000000
--- a/mls/file_contexts/program/ntpd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t:s0
-/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t:s0
-/etc/ntp(d)?\.conf.* -- system_u:object_r:net_conf_t:s0
-/etc/ntp/step-tickers.* -- system_u:object_r:net_conf_t:s0
-/usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t:s0
-/usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t:s0
-/var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t:s0
-/var/log/ntp.* -- system_u:object_r:ntpd_log_t:s0
-/var/log/xntpd.* -- system_u:object_r:ntpd_log_t:s0
-/var/run/ntpd\.pid -- system_u:object_r:ntpd_var_run_t:s0
-/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t:s0
-/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t:s0
diff --git a/mls/file_contexts/program/nx_server.fc b/mls/file_contexts/program/nx_server.fc
deleted file mode 100644
index d9936465..00000000
--- a/mls/file_contexts/program/nx_server.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# nx
-/opt/NX/bin/nxserver -- system_u:object_r:nx_server_exec_t
-/opt/NX/var(/.*)? system_u:object_r:nx_server_var_run_t
-/opt/NX/home/nx/\.ssh(/.*)? system_u:object_r:nx_server_home_ssh_t
-
diff --git a/mls/file_contexts/program/oav-update.fc b/mls/file_contexts/program/oav-update.fc
deleted file mode 100644
index 5e88a02c..00000000
--- a/mls/file_contexts/program/oav-update.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t
-/var/lib/oav-update(/.*)? system_u:object_r:oav_update_var_lib_t
-/usr/sbin/oav-update -- system_u:object_r:oav_update_exec_t
-/etc/oav-update(/.*)? system_u:object_r:oav_update_etc_t
diff --git a/mls/file_contexts/program/openca-ca.fc b/mls/file_contexts/program/openca-ca.fc
deleted file mode 100644
index 99ddefe6..00000000
--- a/mls/file_contexts/program/openca-ca.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/openca(/.*)? system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t
-/usr/share/openca/cgi-bin/ca/.+ -- system_u:object_r:openca_ca_exec_t
diff --git a/mls/file_contexts/program/openca-common.fc b/mls/file_contexts/program/openca-common.fc
deleted file mode 100644
index b75952f9..00000000
--- a/mls/file_contexts/program/openca-common.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/openca(/.*)? system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t
diff --git a/mls/file_contexts/program/openct.fc b/mls/file_contexts/program/openct.fc
deleted file mode 100644
index 5f1db4bf..00000000
--- a/mls/file_contexts/program/openct.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/sbin/openct-control -- system_u:object_r:openct_exec_t:s0
-/var/run/openct(/.*)? system_u:object_r:openct_var_run_t:s0
diff --git a/mls/file_contexts/program/openvpn.fc b/mls/file_contexts/program/openvpn.fc
deleted file mode 100644
index 34b2992f..00000000
--- a/mls/file_contexts/program/openvpn.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# OpenVPN
-
-/etc/openvpn/.* -- system_u:object_r:openvpn_etc_t
-/usr/sbin/openvpn -- system_u:object_r:openvpn_exec_t
diff --git a/mls/file_contexts/program/orbit.fc b/mls/file_contexts/program/orbit.fc
deleted file mode 100644
index 9ff0bc86..00000000
--- a/mls/file_contexts/program/orbit.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/tmp/orbit-USER(-.*)? -d system_u:object_r:ROLE_orbit_tmp_t:s0
-/tmp/orbit-USER(-.*)?/linc.* -s <>
-/tmp/orbit-USER(-.*)?/bonobo.* -- system_u:object_r:ROLE_orbit_tmp_t:s0
diff --git a/mls/file_contexts/program/pam.fc b/mls/file_contexts/program/pam.fc
deleted file mode 100644
index ad51a013..00000000
--- a/mls/file_contexts/program/pam.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/var/run/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
-/sbin/pam_timestamp_check -- system_u:object_r:pam_exec_t:s0
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t:s0
diff --git a/mls/file_contexts/program/pamconsole.fc b/mls/file_contexts/program/pamconsole.fc
deleted file mode 100644
index 633977de..00000000
--- a/mls/file_contexts/program/pamconsole.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# pam_console_apply
-/sbin/pam_console_apply -- system_u:object_r:pam_console_exec_t:s0
-/var/run/console(/.*)? system_u:object_r:pam_var_console_t:s0
diff --git a/mls/file_contexts/program/passwd.fc b/mls/file_contexts/program/passwd.fc
deleted file mode 100644
index 823f9314..00000000
--- a/mls/file_contexts/program/passwd.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# spasswd
-/usr/bin/passwd -- system_u:object_r:passwd_exec_t:s0
-/usr/bin/chage -- system_u:object_r:passwd_exec_t:s0
-/usr/bin/chsh -- system_u:object_r:chfn_exec_t:s0
-/usr/bin/chfn -- system_u:object_r:chfn_exec_t:s0
-/usr/sbin/vipw -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/vigr -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/bin/vipw -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/bin/vigr -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/pwconv -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t:s0
diff --git a/mls/file_contexts/program/pegasus.fc b/mls/file_contexts/program/pegasus.fc
deleted file mode 100644
index f4b9f15c..00000000
--- a/mls/file_contexts/program/pegasus.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
-/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t:s0
-/usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t:s0
-/etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t:s0
-/var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t:s0
-/var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t:s0
-/usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t:s0
-/etc/Pegasus/pegasus_current.conf system_u:object_r:pegasus_data_t:s0
-
diff --git a/mls/file_contexts/program/perdition.fc b/mls/file_contexts/program/perdition.fc
deleted file mode 100644
index a2d2adba..00000000
--- a/mls/file_contexts/program/perdition.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# perdition POP and IMAP proxy
-/usr/sbin/perdition -- system_u:object_r:perdition_exec_t
-/etc/perdition(/.*)? system_u:object_r:perdition_etc_t
diff --git a/mls/file_contexts/program/ping.fc b/mls/file_contexts/program/ping.fc
deleted file mode 100644
index a4ed8cb4..00000000
--- a/mls/file_contexts/program/ping.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# ping
-/bin/ping.* -- system_u:object_r:ping_exec_t:s0
-/usr/sbin/hping2 -- system_u:object_r:ping_exec_t:s0
diff --git a/mls/file_contexts/program/portmap.fc b/mls/file_contexts/program/portmap.fc
deleted file mode 100644
index 60da9948..00000000
--- a/mls/file_contexts/program/portmap.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# portmap
-/sbin/portmap -- system_u:object_r:portmap_exec_t:s0
-ifdef(`distro_debian', `
-/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t:s0
-/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t:s0
-', `
-/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t:s0
-/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t:s0
-')
-/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t:s0
diff --git a/mls/file_contexts/program/portslave.fc b/mls/file_contexts/program/portslave.fc
deleted file mode 100644
index 873334dd..00000000
--- a/mls/file_contexts/program/portslave.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# portslave
-/usr/sbin/portslave -- system_u:object_r:portslave_exec_t
-/usr/sbin/ctlportslave -- system_u:object_r:portslave_exec_t
-/etc/portslave(/.*)? system_u:object_r:portslave_etc_t
-/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t
diff --git a/mls/file_contexts/program/postfix.fc b/mls/file_contexts/program/postfix.fc
deleted file mode 100644
index 300da75b..00000000
--- a/mls/file_contexts/program/postfix.fc
+++ /dev/null
@@ -1,59 +0,0 @@
-# postfix
-/etc/postfix(/.*)? system_u:object_r:postfix_etc_t:s0
-ifdef(`distro_redhat', `
-/etc/postfix/aliases.* system_u:object_r:etc_aliases_t:s0
-/usr/libexec/postfix/.* -- system_u:object_r:postfix_exec_t:s0
-/usr/libexec/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t:s0
-/usr/libexec/postfix/local -- system_u:object_r:postfix_local_exec_t:s0
-/usr/libexec/postfix/master -- system_u:object_r:postfix_master_exec_t:s0
-/usr/libexec/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t:s0
-/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t:s0
-/usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t:s0
-/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t:s0
-/usr/libexec/postfix/scache -- system_u:object_r:postfix_smtp_exec_t:s0
-/usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t:s0
-/usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t:s0
-/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t:s0
-', `
-/usr/lib/postfix/.* -- system_u:object_r:postfix_exec_t:s0
-/usr/lib/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t:s0
-/usr/lib/postfix/local -- system_u:object_r:postfix_local_exec_t:s0
-/usr/lib/postfix/master -- system_u:object_r:postfix_master_exec_t:s0
-/usr/lib/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t:s0
-/usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t:s0
-/usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t:s0
-/usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t:s0
-/usr/lib/postfix/scache -- system_u:object_r:postfix_smtp_exec_t:s0
-/usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t:s0
-/usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t:s0
-/usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t:s0
-')
-/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t:s0
-/etc/postfix/prng_exch -- system_u:object_r:postfix_prng_t:s0
-/usr/sbin/postalias -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postdrop -- system_u:object_r:postfix_postdrop_exec_t:s0
-/usr/sbin/postfix -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postkick -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postlock -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postlog -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postmap -- system_u:object_r:postfix_map_exec_t:s0
-/usr/sbin/postqueue -- system_u:object_r:postfix_postqueue_exec_t:s0
-/usr/sbin/postsuper -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/rmail -- system_u:object_r:sendmail_exec_t:s0
-/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t:s0
-/var/spool/postfix(/.*)? system_u:object_r:postfix_spool_t:s0
-/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0
-/var/spool/postfix/pid -d system_u:object_r:var_run_t:s0
-/var/spool/postfix/pid/.* system_u:object_r:postfix_var_run_t:s0
-/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t:s0
-/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
-/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
-/var/spool/postfix/flush(/.*)? system_u:object_r:postfix_spool_flush_t:s0
-/var/spool/postfix/etc(/.*)? system_u:object_r:etc_t:s0
-/var/spool/postfix/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/var/spool/postfix/usr(/.*)? system_u:object_r:lib_t:s0
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t:s0
-/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t:s0
diff --git a/mls/file_contexts/program/postgresql.fc b/mls/file_contexts/program/postgresql.fc
deleted file mode 100644
index 635a74a2..00000000
--- a/mls/file_contexts/program/postgresql.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# postgresql - database server
-/usr/lib(64)?/postgresql/bin/.* -- system_u:object_r:postgresql_exec_t:s0
-/usr/bin/postgres -- system_u:object_r:postgresql_exec_t:s0
-/usr/bin/initdb -- system_u:object_r:postgresql_exec_t:s0
-
-/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t:s0
-/var/lib/pgsql/data(/.*)? system_u:object_r:postgresql_db_t:s0
-/var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t:s0
-/etc/postgresql(/.*)? system_u:object_r:postgresql_etc_t:s0
-/var/log/postgres\.log.* -- system_u:object_r:postgresql_log_t:s0
-/var/log/postgresql(/.*)? system_u:object_r:postgresql_log_t:s0
-/var/lib/pgsql/pgstartup.log system_u:object_r:postgresql_log_t:s0
-/usr/lib/pgsql/test/regres(/.*)? system_u:object_r:postgresql_db_t:s0
-/usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t:s0
-/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t:s0
-/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t:s0
-/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t:s0
-')
diff --git a/mls/file_contexts/program/postgrey.fc b/mls/file_contexts/program/postgrey.fc
deleted file mode 100644
index 89e43fd0..00000000
--- a/mls/file_contexts/program/postgrey.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# postgrey - postfix grey-listing server
-/usr/sbin/postgrey -- system_u:object_r:postgrey_exec_t
-/var/run/postgrey\.pid -- system_u:object_r:postgrey_var_run_t
-/etc/postgrey(/.*)? system_u:object_r:postgrey_etc_t
-/var/lib/postgrey(/.*)? system_u:object_r:postgrey_var_lib_t
diff --git a/mls/file_contexts/program/pppd.fc b/mls/file_contexts/program/pppd.fc
deleted file mode 100644
index 87e3cb75..00000000
--- a/mls/file_contexts/program/pppd.fc
+++ /dev/null
@@ -1,25 +0,0 @@
-# pppd
-/usr/sbin/pppd -- system_u:object_r:pppd_exec_t:s0
-/usr/sbin/pptp -- system_u:object_r:pptp_exec_t:s0
-/usr/sbin/ipppd -- system_u:object_r:pppd_exec_t:s0
-/dev/ppp -c system_u:object_r:ppp_device_t:s0
-/dev/pppox.* -c system_u:object_r:ppp_device_t:s0
-/dev/ippp.* -c system_u:object_r:ppp_device_t:s0
-/var/run/pppd[0-9]*\.tdb -- system_u:object_r:pppd_var_run_t:s0
-/var/run/ppp(/.*)? system_u:object_r:pppd_var_run_t:s0
-/etc/ppp -d system_u:object_r:pppd_etc_t:s0
-/etc/ppp/.* -- system_u:object_r:pppd_etc_rw_t:s0
-/etc/ppp/.*secrets -- system_u:object_r:pppd_secret_t:s0
-/var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t:s0
-/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t:s0
-/var/log/ppp/.* -- system_u:object_r:pppd_log_t:s0
-/etc/ppp/ip-down\..* -- system_u:object_r:bin_t:s0
-/etc/ppp/ip-up\..* -- system_u:object_r:bin_t:s0
-/etc/ppp/ipv6-up\..* -- system_u:object_r:bin_t:s0
-/etc/ppp/ipv6-down\..* -- system_u:object_r:bin_t:s0
-/etc/ppp/plugins/rp-pppoe\.so -- system_u:object_r:shlib_t:s0
-/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t:s0
-# Fix pptp sockets
-/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t:s0
-# Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t:s0
diff --git a/mls/file_contexts/program/prelink.fc b/mls/file_contexts/program/prelink.fc
deleted file mode 100644
index fca98ee5..00000000
--- a/mls/file_contexts/program/prelink.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# prelink - prelink ELF shared libraries and binaries to speed up startup time
-/usr/sbin/prelink -- system_u:object_r:prelink_exec_t:s0
-ifdef(`distro_debian', `
-/usr/sbin/prelink\.bin -- system_u:object_r:prelink_exec_t:s0
-')
-/etc/prelink\.conf -- system_u:object_r:etc_prelink_t:s0
-/var/log/prelink\.log -- system_u:object_r:prelink_log_t:s0
-/etc/prelink\.cache -- system_u:object_r:prelink_cache_t:s0
diff --git a/mls/file_contexts/program/privoxy.fc b/mls/file_contexts/program/privoxy.fc
deleted file mode 100644
index d8d56479..00000000
--- a/mls/file_contexts/program/privoxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# privoxy
-/usr/sbin/privoxy -- system_u:object_r:privoxy_exec_t:s0
-/var/log/privoxy(/.*)? system_u:object_r:privoxy_log_t:s0
diff --git a/mls/file_contexts/program/procmail.fc b/mls/file_contexts/program/procmail.fc
deleted file mode 100644
index f2315272..00000000
--- a/mls/file_contexts/program/procmail.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# procmail
-/usr/bin/procmail -- system_u:object_r:procmail_exec_t:s0
diff --git a/mls/file_contexts/program/publicfile.fc b/mls/file_contexts/program/publicfile.fc
deleted file mode 100644
index dc32249e..00000000
--- a/mls/file_contexts/program/publicfile.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-/usr/bin/ftpd -- system_u:object_r:publicfile_exec_t
-/usr/bin/httpd -- system_u:object_r:publicfile_exec_t
-/usr/bin/publicfile-conf -- system_u:object_r:publicfile_exec_t
-
-# this is the place where online content located
-# set this to suit your needs
-#/var/www(/.*)? system_u:object_r:publicfile_content_t
-
diff --git a/mls/file_contexts/program/pxe.fc b/mls/file_contexts/program/pxe.fc
deleted file mode 100644
index 165076ae..00000000
--- a/mls/file_contexts/program/pxe.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# pxe network boot server
-/usr/sbin/pxe -- system_u:object_r:pxe_exec_t
-/var/log/pxe\.log -- system_u:object_r:pxe_log_t
-/var/run/pxe\.pid -- system_u:object_r:pxe_var_run_t
-
diff --git a/mls/file_contexts/program/pyzor.fc b/mls/file_contexts/program/pyzor.fc
deleted file mode 100644
index ff622957..00000000
--- a/mls/file_contexts/program/pyzor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/pyzor(/.*)? system_u:object_r:pyzor_etc_t
-/usr/bin/pyzor -- system_u:object_r:pyzor_exec_t
-/usr/bin/pyzord -- system_u:object_r:pyzord_exec_t
-/var/lib/pyzord(/.*)? system_u:object_r:pyzor_var_lib_t
-/var/log/pyzord.log -- system_u:object_r:pyzord_log_t
-HOME_DIR/\.pyzor(/.*)? system_u:object_r:ROLE_pyzor_home_t
diff --git a/mls/file_contexts/program/qmail.fc b/mls/file_contexts/program/qmail.fc
deleted file mode 100644
index 7704ed76..00000000
--- a/mls/file_contexts/program/qmail.fc
+++ /dev/null
@@ -1,38 +0,0 @@
-# qmail - Debian locations
-/etc/qmail(/.*)? system_u:object_r:qmail_etc_t
-/var/qmail(/.*)? system_u:object_r:qmail_etc_t
-/var/spool/qmail(/.*)? system_u:object_r:qmail_spool_t
-/usr/sbin/qmail-start -- system_u:object_r:qmail_start_exec_t
-/usr/sbin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t
-/usr/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t
-/usr/sbin/qmail-inject -- system_u:object_r:qmail_inject_exec_t
-/usr/sbin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t
-/usr/sbin/qmail-queue -- system_u:object_r:qmail_queue_exec_t
-/usr/sbin/qmail-local -- system_u:object_r:qmail_local_exec_t
-/usr/sbin/qmail-clean -- system_u:object_r:qmail_clean_exec_t
-/usr/sbin/qmail-send -- system_u:object_r:qmail_send_exec_t
-/usr/sbin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t
-/usr/sbin/qmail-remote -- system_u:object_r:qmail_remote_exec_t
-/usr/sbin/qmail-qread -- system_u:object_r:qmail_qread_exec_t
-/usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t
-/usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t
-/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
-# qmail - djb locations
-/var/qmail/control(/.*)? system_u:object_r:qmail_etc_t
-/var/qmail/bin -d system_u:object_r:bin_t
-/var/qmail/queue(/.*)? system_u:object_r:qmail_spool_t
-/var/qmail/bin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t
-/var/qmail/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t
-/var/qmail/bin/qmail-inject -- system_u:object_r:qmail_inject_exec_t
-/var/qmail/bin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t
-/var/qmail/bin/qmail-queue -- system_u:object_r:qmail_queue_exec_t
-/var/qmail/bin/qmail-local -- system_u:object_r:qmail_local_exec_t
-/var/qmail/bin/qmail-clean -- system_u:object_r:qmail_clean_exec_t
-/var/qmail/bin/qmail-send -- system_u:object_r:qmail_send_exec_t
-/var/qmail/bin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t
-/var/qmail/bin/qmail-remote -- system_u:object_r:qmail_remote_exec_t
-/var/qmail/bin/qmail-qread -- system_u:object_r:qmail_qread_exec_t
-/var/qmail/bin/qmail-start -- system_u:object_r:qmail_start_exec_t
-/var/qmail/rc -- system_u:object_r:bin_t
-/var/qmail/bin/splogger -- system_u:object_r:qmail_splogger_exec_t
-/var/qmail/bin/qmail-getpw -- system_u:object_r:qmail_exec_t
diff --git a/mls/file_contexts/program/quota.fc b/mls/file_contexts/program/quota.fc
deleted file mode 100644
index 8aa74f1b..00000000
--- a/mls/file_contexts/program/quota.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# quota system
-/var/lib/quota(/.*)? system_u:object_r:quota_flag_t:s0
-/sbin/quota(check|on) -- system_u:object_r:quota_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/sbin/convertquota -- system_u:object_r:quota_exec_t:s0
-', `
-/sbin/convertquota -- system_u:object_r:quota_exec_t:s0
-')
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
-/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
diff --git a/mls/file_contexts/program/radius.fc b/mls/file_contexts/program/radius.fc
deleted file mode 100644
index e3b9d51b..00000000
--- a/mls/file_contexts/program/radius.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# radius
-/etc/raddb(/.*)? system_u:object_r:radiusd_etc_t:s0
-/usr/sbin/radiusd -- system_u:object_r:radiusd_exec_t:s0
-/usr/sbin/freeradius -- system_u:object_r:radiusd_exec_t:s0
-/var/log/radiusd-freeradius(/.*)? system_u:object_r:radiusd_log_t:s0
-/var/log/radius\.log.* -- system_u:object_r:radiusd_log_t:s0
-/var/log/radius(/.*)? system_u:object_r:radiusd_log_t:s0
-/var/log/freeradius(/.*)? system_u:object_r:radiusd_log_t:s0
-/var/log/radacct(/.*)? system_u:object_r:radiusd_log_t:s0
-/var/log/radutmp -- system_u:object_r:radiusd_log_t:s0
-/var/log/radwtmp.* -- system_u:object_r:radiusd_log_t:s0
-/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t:s0
-/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t:s0
-/var/run/radiusd\.pid -- system_u:object_r:radiusd_var_run_t:s0
-/var/run/radiusd(/.*)? system_u:object_r:radiusd_var_run_t:s0
diff --git a/mls/file_contexts/program/radvd.fc b/mls/file_contexts/program/radvd.fc
deleted file mode 100644
index ab6bc47c..00000000
--- a/mls/file_contexts/program/radvd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# radvd
-/etc/radvd\.conf -- system_u:object_r:radvd_etc_t:s0
-/usr/sbin/radvd -- system_u:object_r:radvd_exec_t:s0
-/var/run/radvd\.pid -- system_u:object_r:radvd_var_run_t:s0
-/var/run/radvd(/.*)? system_u:object_r:radvd_var_run_t:s0
diff --git a/mls/file_contexts/program/razor.fc b/mls/file_contexts/program/razor.fc
deleted file mode 100644
index f3f13469..00000000
--- a/mls/file_contexts/program/razor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# razor
-/etc/razor(/.*)? system_u:object_r:razor_etc_t
-/usr/bin/razor.* system_u:object_r:razor_exec_t
-/var/lib/razor(/.*)? system_u:object_r:razor_var_lib_t
-/var/log/razor-agent.log system_u:object_r:razor_log_t
-HOME_DIR/\.razor(/.*)? system_u:object_r:ROLE_razor_home_t
diff --git a/mls/file_contexts/program/rdisc.fc b/mls/file_contexts/program/rdisc.fc
deleted file mode 100644
index f3ec427a..00000000
--- a/mls/file_contexts/program/rdisc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rdisc
-/sbin/rdisc system_u:object_r:rdisc_exec_t:s0
diff --git a/mls/file_contexts/program/readahead.fc b/mls/file_contexts/program/readahead.fc
deleted file mode 100644
index 16362a46..00000000
--- a/mls/file_contexts/program/readahead.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/readahead -- system_u:object_r:readahead_exec_t:s0
diff --git a/mls/file_contexts/program/resmgrd.fc b/mls/file_contexts/program/resmgrd.fc
deleted file mode 100644
index bee4680c..00000000
--- a/mls/file_contexts/program/resmgrd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# resmgrd
-/sbin/resmgrd -- system_u:object_r:resmgrd_exec_t
-/etc/resmgr\.conf -- system_u:object_r:resmgrd_etc_t
-/var/run/resmgr\.pid -- system_u:object_r:resmgrd_var_run_t
-/var/run/\.resmgr_socket -s system_u:object_r:resmgrd_var_run_t
-
diff --git a/mls/file_contexts/program/restorecon.fc b/mls/file_contexts/program/restorecon.fc
deleted file mode 100644
index cd62c784..00000000
--- a/mls/file_contexts/program/restorecon.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# restorecon
-/sbin/restorecon -- system_u:object_r:restorecon_exec_t:s0
diff --git a/mls/file_contexts/program/rhgb.fc b/mls/file_contexts/program/rhgb.fc
deleted file mode 100644
index 118972ef..00000000
--- a/mls/file_contexts/program/rhgb.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
diff --git a/mls/file_contexts/program/rlogind.fc b/mls/file_contexts/program/rlogind.fc
deleted file mode 100644
index ce68e2c9..00000000
--- a/mls/file_contexts/program/rlogind.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rlogind and telnetd
-/usr/sbin/in\.rlogind -- system_u:object_r:rlogind_exec_t:s0
-/usr/lib(64)?/telnetlogin -- system_u:object_r:rlogind_exec_t:s0
-/usr/kerberos/sbin/klogind -- system_u:object_r:rlogind_exec_t:s0
diff --git a/mls/file_contexts/program/roundup.fc b/mls/file_contexts/program/roundup.fc
deleted file mode 100644
index 394359f6..00000000
--- a/mls/file_contexts/program/roundup.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/roundup-server -- system_u:object_r:roundup_exec_t:s0
-/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t:s0
diff --git a/mls/file_contexts/program/rpcd.fc b/mls/file_contexts/program/rpcd.fc
deleted file mode 100644
index 916cd25f..00000000
--- a/mls/file_contexts/program/rpcd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# RPC daemons
-/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t:s0
-/usr/sbin/rpc.idmapd -- system_u:object_r:rpcd_exec_t:s0
-/usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t:s0
-/usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t:s0
-/usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t:s0
-/usr/sbin/rpc\.svcgssd -- system_u:object_r:gssd_exec_t:s0
-/usr/sbin/rpc\.mountd -- system_u:object_r:nfsd_exec_t:s0
-/var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t:s0
-/var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t:s0
-/etc/exports -- system_u:object_r:exports_t:s0
-
diff --git a/mls/file_contexts/program/rpm.fc b/mls/file_contexts/program/rpm.fc
deleted file mode 100644
index 494fbcfd..00000000
--- a/mls/file_contexts/program/rpm.fc
+++ /dev/null
@@ -1,29 +0,0 @@
-# rpm
-/var/lib/rpm(/.*)? system_u:object_r:rpm_var_lib_t:s0
-/var/lib/alternatives(/.*)? system_u:object_r:rpm_var_lib_t:s0
-/bin/rpm -- system_u:object_r:rpm_exec_t:s0
-/usr/bin/yum -- system_u:object_r:rpm_exec_t:s0
-/usr/bin/apt-get -- system_u:object_r:rpm_exec_t:s0
-/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t:s0
-/usr/bin/synaptic -- system_u:object_r:rpm_exec_t:s0
-/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmv -- system_u:object_r:bin_t:s0
-/var/log/rpmpkgs.* -- system_u:object_r:rpm_log_t:s0
-/var/log/yum\.log -- system_u:object_r:rpm_log_t:s0
-ifdef(`distro_redhat', `
-/usr/sbin/up2date -- system_u:object_r:rpm_exec_t:s0
-/usr/sbin/rhn_check -- system_u:object_r:rpm_exec_t:s0
-')
-# SuSE
-ifdef(`distro_suse', `
-/usr/bin/online_update -- system_u:object_r:rpm_exec_t:s0
-/sbin/yast2 -- system_u:object_r:rpm_exec_t:s0
-/var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t:s0
-/var/log/YaST2(/.*)? system_u:object_r:rpm_log_t:s0
-')
-
-ifdef(`mls_policy', `
-/sbin/cpio -- system_u:object_r:rpm_exec_t:s0
-')
diff --git a/mls/file_contexts/program/rshd.fc b/mls/file_contexts/program/rshd.fc
deleted file mode 100644
index a7141fef..00000000
--- a/mls/file_contexts/program/rshd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rshd.
-/usr/sbin/in\.rshd -- system_u:object_r:rshd_exec_t:s0
-/usr/sbin/in\.rexecd -- system_u:object_r:rshd_exec_t:s0
-/usr/kerberos/sbin/kshd -- system_u:object_r:rshd_exec_t:s0
diff --git a/mls/file_contexts/program/rssh.fc b/mls/file_contexts/program/rssh.fc
deleted file mode 100644
index 16ec3a3b..00000000
--- a/mls/file_contexts/program/rssh.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rssh
-/usr/bin/rssh -- system_u:object_r:rssh_exec_t
diff --git a/mls/file_contexts/program/rsync.fc b/mls/file_contexts/program/rsync.fc
deleted file mode 100644
index edb25f32..00000000
--- a/mls/file_contexts/program/rsync.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# rsync program
-/usr/bin/rsync -- system_u:object_r:rsync_exec_t:s0
-/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t:s0
diff --git a/mls/file_contexts/program/samba.fc b/mls/file_contexts/program/samba.fc
deleted file mode 100644
index 204eb3fe..00000000
--- a/mls/file_contexts/program/samba.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-# samba scripts
-/usr/sbin/smbd -- system_u:object_r:smbd_exec_t:s0
-/usr/sbin/nmbd -- system_u:object_r:nmbd_exec_t:s0
-/usr/bin/net -- system_u:object_r:samba_net_exec_t:s0
-/etc/samba(/.*)? system_u:object_r:samba_etc_t:s0
-/var/log/samba(/.*)? system_u:object_r:samba_log_t:s0
-/var/cache/samba(/.*)? system_u:object_r:samba_var_t:s0
-/var/lib/samba(/.*)? system_u:object_r:samba_var_t:s0
-/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t:s0
-/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t:s0
-# samba really wants write access to smbpasswd
-/etc/samba/smbpasswd -- system_u:object_r:samba_secrets_t:s0
-/var/run/samba/locking\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/brlock\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/messages\.tdb -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/smbd\.pid -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t:s0
-/var/spool/samba(/.*)? system_u:object_r:samba_var_t:s0
-ifdef(`mount.te', `
-/usr/bin/smbmount -- system_u:object_r:smbmount_exec_t:s0
-/usr/bin/smbmnt -- system_u:object_r:smbmount_exec_t:s0
-')
diff --git a/mls/file_contexts/program/saslauthd.fc b/mls/file_contexts/program/saslauthd.fc
deleted file mode 100644
index a8275a6e..00000000
--- a/mls/file_contexts/program/saslauthd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# saslauthd
-/usr/sbin/saslauthd -- system_u:object_r:saslauthd_exec_t:s0
-/var/run/saslauthd(/.*)? system_u:object_r:saslauthd_var_run_t:s0
diff --git a/mls/file_contexts/program/scannerdaemon.fc b/mls/file_contexts/program/scannerdaemon.fc
deleted file mode 100644
index a43bf877..00000000
--- a/mls/file_contexts/program/scannerdaemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# scannerdaemon
-/usr/sbin/scannerdaemon -- system_u:object_r:scannerdaemon_exec_t
-/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t
-/var/log/scannerdaemon\.log -- system_u:object_r:scannerdaemon_log_t
diff --git a/mls/file_contexts/program/screen.fc b/mls/file_contexts/program/screen.fc
deleted file mode 100644
index 401072a5..00000000
--- a/mls/file_contexts/program/screen.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# screen
-/usr/bin/screen -- system_u:object_r:screen_exec_t:s0
-HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t:s0
-/var/run/screens?/S-[^/]+ -d system_u:object_r:screen_dir_t:s0
-/var/run/screens?/S-[^/]+/.* <>
diff --git a/mls/file_contexts/program/sendmail.fc b/mls/file_contexts/program/sendmail.fc
deleted file mode 100644
index 8b9164d9..00000000
--- a/mls/file_contexts/program/sendmail.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# sendmail
-/etc/mail(/.*)? system_u:object_r:etc_mail_t:s0
-/var/log/sendmail\.st -- system_u:object_r:sendmail_log_t:s0
-/var/log/mail(/.*)? system_u:object_r:sendmail_log_t:s0
-/var/run/sendmail\.pid -- system_u:object_r:sendmail_var_run_t:s0
-/var/run/sm-client\.pid -- system_u:object_r:sendmail_var_run_t:s0
-ifdef(`distro_redhat', `
-/etc/rc.d/init.d/sendmail -- system_u:object_r:sendmail_launch_exec_t:s0
-/var/lock/subsys/sm-client -- system_u:object_r:sendmail_launch_lock_t:s0
-/var/lock/subsys/sendmail -- system_u:object_r:sendmail_launch_lock_t:s0
-', `
-/etc/init.d/sendmail -- system_u:object_r:sendmail_launch_exec_t:s0
-')
diff --git a/mls/file_contexts/program/setfiles.fc b/mls/file_contexts/program/setfiles.fc
deleted file mode 100644
index 45e245be..00000000
--- a/mls/file_contexts/program/setfiles.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# setfiles
-/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t:s0
-
diff --git a/mls/file_contexts/program/slapd.fc b/mls/file_contexts/program/slapd.fc
deleted file mode 100644
index 4a5ff0db..00000000
--- a/mls/file_contexts/program/slapd.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# slapd - ldap server
-/usr/sbin/slapd -- system_u:object_r:slapd_exec_t:s0
-/var/lib/ldap(/.*)? system_u:object_r:slapd_db_t:s0
-/var/lib/ldap/replog(/.*)? system_u:object_r:slapd_replog_t:s0
-/var/run/slapd\.args -- system_u:object_r:slapd_var_run_t:s0
-/etc/ldap/slapd\.conf -- system_u:object_r:slapd_etc_t:s0
-/var/run/slapd\.pid -- system_u:object_r:slapd_var_run_t:s0
-/var/run/ldapi -s system_u:object_r:slapd_var_run_t:s0
-/opt/(fedora|redhat)-ds(/.*)?/bin/slapd/server/ns-slapd -- system_u:object_r:slapd_exec_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/logs(/.*)? system_u:object_r:slapd_var_run_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/locks(/.*)? system_u:object_r:slapd_lock_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/tmp(/.*)? system_u:object_r:slapd_var_run_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/config(/.*)? system_u:object_r:slapd_var_run_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/db(/.*)? system_u:object_r:slapd_db_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/bak(/.*)? system_u:object_r:slapd_db_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/start-slapd system_u:object_r:initrc_exec_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/stop-slapd system_u:object_r:initrc_exec_t:s0
-/opt/(fedora|redhat)-ds/alias(/.*)? system_u:object_r:slapd_cert_t:s0
-/opt/(fedora|redhat)-ds/alias/[^/]+so.* system_u:object_r:shlib_t:s0
diff --git a/mls/file_contexts/program/slocate.fc b/mls/file_contexts/program/slocate.fc
deleted file mode 100644
index 5baa3b2b..00000000
--- a/mls/file_contexts/program/slocate.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# locate - file locater
-/usr/bin/s?locate -- system_u:object_r:locate_exec_t:s0
-/var/lib/[sm]locate(/.*)? system_u:object_r:locate_var_lib_t:s0
-/etc/updatedb\.conf -- system_u:object_r:locate_etc_t:s0
diff --git a/mls/file_contexts/program/slrnpull.fc b/mls/file_contexts/program/slrnpull.fc
deleted file mode 100644
index e05abc85..00000000
--- a/mls/file_contexts/program/slrnpull.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# slrnpull
-/usr/bin/slrnpull -- system_u:object_r:slrnpull_exec_t:s0
-/var/spool/slrnpull(/.*)? system_u:object_r:slrnpull_spool_t:s0
diff --git a/mls/file_contexts/program/snmpd.fc b/mls/file_contexts/program/snmpd.fc
deleted file mode 100644
index c81b3fec..00000000
--- a/mls/file_contexts/program/snmpd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# snmpd
-/usr/sbin/snmp(trap)?d -- system_u:object_r:snmpd_exec_t:s0
-/var/lib/snmp(/.*)? system_u:object_r:snmpd_var_lib_t:s0
-/var/lib/net-snmp(/.*)? system_u:object_r:snmpd_var_lib_t:s0
-/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t:s0
-/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t:s0
-/var/run/snmpd\.pid -- system_u:object_r:snmpd_var_run_t:s0
-/var/run/snmpd -d system_u:object_r:snmpd_var_run_t:s0
-/var/net-snmp(/.*) system_u:object_r:snmpd_var_lib_t:s0
-/var/log/snmpd\.log -- system_u:object_r:snmpd_log_t:s0
diff --git a/mls/file_contexts/program/snort.fc b/mls/file_contexts/program/snort.fc
deleted file mode 100644
index a40670c2..00000000
--- a/mls/file_contexts/program/snort.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# SNORT
-/usr/(s)?bin/snort -- system_u:object_r:snort_exec_t
-/etc/snort(/.*)? system_u:object_r:snort_etc_t
-/var/log/snort(/.*)? system_u:object_r:snort_log_t
diff --git a/mls/file_contexts/program/sound-server.fc b/mls/file_contexts/program/sound-server.fc
deleted file mode 100644
index dfa82455..00000000
--- a/mls/file_contexts/program/sound-server.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# sound servers, nas, yiff, etc
-/usr/sbin/yiff -- system_u:object_r:soundd_exec_t
-/usr/bin/nasd -- system_u:object_r:soundd_exec_t
-/usr/bin/gpe-soundserver -- system_u:object_r:soundd_exec_t
-/etc/nas(/.*)? system_u:object_r:etc_soundd_t
-/etc/yiff(/.*)? system_u:object_r:etc_soundd_t
-/var/state/yiff(/.*)? system_u:object_r:soundd_state_t
-/var/run/yiff-[0-9]+\.pid -- system_u:object_r:soundd_var_run_t
diff --git a/mls/file_contexts/program/sound.fc b/mls/file_contexts/program/sound.fc
deleted file mode 100644
index 4226dc33..00000000
--- a/mls/file_contexts/program/sound.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sound
-/bin/aumix-minimal -- system_u:object_r:sound_exec_t:s0
-/etc/\.aumixrc -- system_u:object_r:sound_file_t:s0
diff --git a/mls/file_contexts/program/spamassassin.fc b/mls/file_contexts/program/spamassassin.fc
deleted file mode 100644
index 6896485b..00000000
--- a/mls/file_contexts/program/spamassassin.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# spamassasin
-/usr/bin/spamassassin -- system_u:object_r:spamassassin_exec_t:s0
-HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t:s0
diff --git a/mls/file_contexts/program/spamc.fc b/mls/file_contexts/program/spamc.fc
deleted file mode 100644
index 1168d40c..00000000
--- a/mls/file_contexts/program/spamc.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/spamc -- system_u:object_r:spamc_exec_t:s0
diff --git a/mls/file_contexts/program/spamd.fc b/mls/file_contexts/program/spamd.fc
deleted file mode 100644
index 8c9add85..00000000
--- a/mls/file_contexts/program/spamd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/spamd -- system_u:object_r:spamd_exec_t:s0
-/usr/bin/spamd -- system_u:object_r:spamd_exec_t:s0
-/usr/bin/sa-learn -- system_u:object_r:spamd_exec_t:s0
diff --git a/mls/file_contexts/program/speedmgmt.fc b/mls/file_contexts/program/speedmgmt.fc
deleted file mode 100644
index 486906e9..00000000
--- a/mls/file_contexts/program/speedmgmt.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# speedmgmt
-/usr/sbin/speedmgmt -- system_u:object_r:speedmgmt_exec_t
diff --git a/mls/file_contexts/program/squid.fc b/mls/file_contexts/program/squid.fc
deleted file mode 100644
index 03f291bd..00000000
--- a/mls/file_contexts/program/squid.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# squid
-/usr/sbin/squid -- system_u:object_r:squid_exec_t:s0
-/var/cache/squid(/.*)? system_u:object_r:squid_cache_t:s0
-/var/spool/squid(/.*)? system_u:object_r:squid_cache_t:s0
-/var/log/squid(/.*)? system_u:object_r:squid_log_t:s0
-/etc/squid(/.*)? system_u:object_r:squid_conf_t:s0
-/var/run/squid\.pid -- system_u:object_r:squid_var_run_t:s0
-/usr/share/squid(/.*)? system_u:object_r:squid_conf_t:s0
-ifdef(`apache.te', `
-/usr/lib/squid/cachemgr.cgi -- system_u:object_r:httpd_exec_t:s0
-')
diff --git a/mls/file_contexts/program/ssh-agent.fc b/mls/file_contexts/program/ssh-agent.fc
deleted file mode 100644
index 90a4603a..00000000
--- a/mls/file_contexts/program/ssh-agent.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ssh-agent
-/usr/bin/ssh-agent -- system_u:object_r:ssh_agent_exec_t:s0
diff --git a/mls/file_contexts/program/ssh.fc b/mls/file_contexts/program/ssh.fc
deleted file mode 100644
index 4ccba2eb..00000000
--- a/mls/file_contexts/program/ssh.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# ssh
-/usr/bin/ssh -- system_u:object_r:ssh_exec_t:s0
-/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t:s0
-/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t:s0
-# sshd
-/etc/ssh/primes -- system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_key -- system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t:s0
-/usr/sbin/sshd -- system_u:object_r:sshd_exec_t:s0
-/var/run/sshd\.init\.pid -- system_u:object_r:sshd_var_run_t:s0
-# subsystems
-/usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t:s0
-/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/sftp-server -- system_u:object_r:bin_t:s0
-ifdef(`distro_suse', `
-/usr/lib(64)?/ssh/.* -- system_u:object_r:bin_t:s0
-')
-ifdef(`targeted_policy', `', `
-HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t:s0
-')
diff --git a/mls/file_contexts/program/stunnel.fc b/mls/file_contexts/program/stunnel.fc
deleted file mode 100644
index 2f0798c4..00000000
--- a/mls/file_contexts/program/stunnel.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/stunnel -- system_u:object_r:stunnel_exec_t:s0
-/etc/stunnel(/.*)? system_u:object_r:stunnel_etc_t:s0
-/var/run/stunnel(/.*)? system_u:object_r:stunnel_var_run_t:s0
diff --git a/mls/file_contexts/program/su.fc b/mls/file_contexts/program/su.fc
deleted file mode 100644
index 8712b4b1..00000000
--- a/mls/file_contexts/program/su.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# su
-/bin/su -- system_u:object_r:su_exec_t:s0
diff --git a/mls/file_contexts/program/sudo.fc b/mls/file_contexts/program/sudo.fc
deleted file mode 100644
index ecaf228a..00000000
--- a/mls/file_contexts/program/sudo.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sudo
-/usr/bin/sudo(edit)? -- system_u:object_r:sudo_exec_t:s0
-
diff --git a/mls/file_contexts/program/sulogin.fc b/mls/file_contexts/program/sulogin.fc
deleted file mode 100644
index bb2bc51d..00000000
--- a/mls/file_contexts/program/sulogin.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# sulogin
-/sbin/sulogin -- system_u:object_r:sulogin_exec_t:s0
diff --git a/mls/file_contexts/program/swat.fc b/mls/file_contexts/program/swat.fc
deleted file mode 100644
index e75e1e3d..00000000
--- a/mls/file_contexts/program/swat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# samba management tool
-/usr/sbin/swat -- system_u:object_r:swat_exec_t:s0
diff --git a/mls/file_contexts/program/sxid.fc b/mls/file_contexts/program/sxid.fc
deleted file mode 100644
index e9126bca..00000000
--- a/mls/file_contexts/program/sxid.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sxid - ldap server
-/usr/bin/sxid -- system_u:object_r:sxid_exec_t
-/var/log/sxid\.log.* -- system_u:object_r:sxid_log_t
-/var/log/setuid\.today.* -- system_u:object_r:sxid_log_t
-/usr/sbin/checksecurity\.se -- system_u:object_r:sxid_exec_t
-/var/log/setuid.* -- system_u:object_r:sxid_log_t
diff --git a/mls/file_contexts/program/syslogd.fc b/mls/file_contexts/program/syslogd.fc
deleted file mode 100644
index d0fb0a41..00000000
--- a/mls/file_contexts/program/syslogd.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# syslogd
-/sbin/syslogd -- system_u:object_r:syslogd_exec_t:s0
-/sbin/minilogd -- system_u:object_r:syslogd_exec_t:s0
-/usr/sbin/syslogd -- system_u:object_r:syslogd_exec_t:s0
-/sbin/syslog-ng -- system_u:object_r:syslogd_exec_t:s0
-/dev/log -s system_u:object_r:devlog_t:s0
-/var/run/log -s system_u:object_r:devlog_t:s0
-ifdef(`distro_suse', `
-/var/lib/stunnel/dev/log -s system_u:object_r:devlog_t:s0
-')
-/var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t:s0
diff --git a/mls/file_contexts/program/sysstat.fc b/mls/file_contexts/program/sysstat.fc
deleted file mode 100644
index 1b5e5e70..00000000
--- a/mls/file_contexts/program/sysstat.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# sysstat and other sar programs
-/usr/lib(64)?/atsar/atsa.* -- system_u:object_r:sysstat_exec_t:s0
-/usr/lib(64)?/sysstat/sa.* -- system_u:object_r:sysstat_exec_t:s0
-/usr/lib(64)?/sa/sadc -- system_u:object_r:sysstat_exec_t:s0
-/var/log/atsar(/.*)? system_u:object_r:sysstat_log_t:s0
-/var/log/sysstat(/.*)? system_u:object_r:sysstat_log_t:s0
-/var/log/sa(/.*)? system_u:object_r:sysstat_log_t:s0
diff --git a/mls/file_contexts/program/tcpd.fc b/mls/file_contexts/program/tcpd.fc
deleted file mode 100644
index 7215d912..00000000
--- a/mls/file_contexts/program/tcpd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# tcpd
-/usr/sbin/tcpd -- system_u:object_r:tcpd_exec_t:s0
diff --git a/mls/file_contexts/program/telnetd.fc b/mls/file_contexts/program/telnetd.fc
deleted file mode 100644
index 15587a2d..00000000
--- a/mls/file_contexts/program/telnetd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# telnetd
-/usr/sbin/in\.telnetd -- system_u:object_r:telnetd_exec_t:s0
-/usr/kerberos/sbin/telnetd -- system_u:object_r:telnetd_exec_t:s0
diff --git a/mls/file_contexts/program/tftpd.fc b/mls/file_contexts/program/tftpd.fc
deleted file mode 100644
index 1e503b90..00000000
--- a/mls/file_contexts/program/tftpd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# tftpd
-/usr/sbin/in\.tftpd -- system_u:object_r:tftpd_exec_t:s0
-/usr/sbin/atftpd -- system_u:object_r:tftpd_exec_t:s0
-/tftpboot(/.*)? system_u:object_r:tftpdir_t:s0
diff --git a/mls/file_contexts/program/thunderbird.fc b/mls/file_contexts/program/thunderbird.fc
deleted file mode 100644
index ca373460..00000000
--- a/mls/file_contexts/program/thunderbird.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/thunderbird.* -- system_u:object_r:thunderbird_exec_t
-HOME_DIR/\.thunderbird(/.*)? system_u:object_r:ROLE_thunderbird_home_t
diff --git a/mls/file_contexts/program/timidity.fc b/mls/file_contexts/program/timidity.fc
deleted file mode 100644
index 84221fa7..00000000
--- a/mls/file_contexts/program/timidity.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# timidity
-/usr/bin/timidity -- system_u:object_r:timidity_exec_t:s0
diff --git a/mls/file_contexts/program/tinydns.fc b/mls/file_contexts/program/tinydns.fc
deleted file mode 100644
index 10ea1a35..00000000
--- a/mls/file_contexts/program/tinydns.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# tinydns
-/etc/tinydns(/.*)? system_u:object_r:tinydns_conf_t
-/etc/tinydns/root/data* -- system_u:object_r:tinydns_zone_t
-/usr/bin/tinydns* -- system_u:object_r:tinydns_exec_t
-#/var/log/dns/tinydns(/.*) system_u:object_r:tinydns_log_t
-#/var/lib/svscan(/.*) system_u:object_r:tinydns_svscan_t
diff --git a/mls/file_contexts/program/tmpreaper.fc b/mls/file_contexts/program/tmpreaper.fc
deleted file mode 100644
index 796037a7..00000000
--- a/mls/file_contexts/program/tmpreaper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tmpreaper or tmpwatch
-/usr/sbin/tmpreaper -- system_u:object_r:tmpreaper_exec_t:s0
-/usr/sbin/tmpwatch -- system_u:object_r:tmpreaper_exec_t:s0
diff --git a/mls/file_contexts/program/traceroute.fc b/mls/file_contexts/program/traceroute.fc
deleted file mode 100644
index 634dbe94..00000000
--- a/mls/file_contexts/program/traceroute.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# traceroute
-/bin/traceroute.* -- system_u:object_r:traceroute_exec_t:s0
-/bin/tracepath.* -- system_u:object_r:traceroute_exec_t:s0
-/usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t:s0
-/usr/bin/lft -- system_u:object_r:traceroute_exec_t:s0
-/usr/bin/nmap -- system_u:object_r:traceroute_exec_t:s0
diff --git a/mls/file_contexts/program/transproxy.fc b/mls/file_contexts/program/transproxy.fc
deleted file mode 100644
index 2027eeaf..00000000
--- a/mls/file_contexts/program/transproxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# transproxy - http transperant proxy
-/usr/sbin/tproxy -- system_u:object_r:transproxy_exec_t
-/var/run/tproxy\.pid -- system_u:object_r:transproxy_var_run_t
diff --git a/mls/file_contexts/program/tripwire.fc b/mls/file_contexts/program/tripwire.fc
deleted file mode 100644
index 88afc341..00000000
--- a/mls/file_contexts/program/tripwire.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# tripwire
-/etc/tripwire(/.*)? system_u:object_r:tripwire_etc_t
-/usr/sbin/siggen system_u:object_r:siggen_exec_t
-/usr/sbin/tripwire system_u:object_r:tripwire_exec_t
-/usr/sbin/tripwire-setup-keyfiles system_u:object_r:bin_t
-/usr/sbin/twadmin system_u:object_r:twadmin_exec_t
-/usr/sbin/twprint system_u:object_r:twprint_exec_t
-/var/lib/tripwire(/.*)? system_u:object_r:tripwire_var_lib_t
-/var/lib/tripwire/report(/.*)? system_u:object_r:tripwire_report_t
diff --git a/mls/file_contexts/program/tvtime.fc b/mls/file_contexts/program/tvtime.fc
deleted file mode 100644
index 0969e966..00000000
--- a/mls/file_contexts/program/tvtime.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tvtime
-/usr/bin/tvtime -- system_u:object_r:tvtime_exec_t
-
diff --git a/mls/file_contexts/program/ucspi-tcp.fc b/mls/file_contexts/program/ucspi-tcp.fc
deleted file mode 100644
index 448c1ab4..00000000
--- a/mls/file_contexts/program/ucspi-tcp.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#ucspi-tcp
-/usr/bin/tcpserver -- system_u:object_r:utcpserver_exec_t
-/usr/bin/rblsmtpd -- system_u:object_r:rblsmtpd_exec_t
diff --git a/mls/file_contexts/program/udev.fc b/mls/file_contexts/program/udev.fc
deleted file mode 100644
index 0df162f9..00000000
--- a/mls/file_contexts/program/udev.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# udev
-/sbin/udevsend -- system_u:object_r:udev_exec_t:s0
-/sbin/udev -- system_u:object_r:udev_exec_t:s0
-/sbin/udevd -- system_u:object_r:udev_exec_t:s0
-/sbin/start_udev -- system_u:object_r:udev_exec_t:s0
-/sbin/udevstart -- system_u:object_r:udev_exec_t:s0
-/usr/bin/udevinfo -- system_u:object_r:udev_exec_t:s0
-/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t:s0
-/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t:s0
-/etc/udev/devices/.* system_u:object_r:device_t:s0
-/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t:s0
-/dev/udev\.tbl -- system_u:object_r:udev_tbl_t:s0
-/dev/\.udevdb(/.*)? -- system_u:object_r:udev_tdb_t:s0
-/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t:s0
diff --git a/mls/file_contexts/program/uml.fc b/mls/file_contexts/program/uml.fc
deleted file mode 100644
index dc1621df..00000000
--- a/mls/file_contexts/program/uml.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# User Mode Linux
-/usr/bin/uml_switch -- system_u:object_r:uml_switch_exec_t
-/var/run/uml-utilities(/.*)? system_u:object_r:uml_switch_var_run_t
-HOME_DIR/\.uml(/.*)? system_u:object_r:ROLE_uml_rw_t
diff --git a/mls/file_contexts/program/uml_net.fc b/mls/file_contexts/program/uml_net.fc
deleted file mode 100644
index 67aa1f2f..00000000
--- a/mls/file_contexts/program/uml_net.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# User Mode Linux
-# WARNING: Do not install this file on any machine that has hostile users.
-/usr/lib(64)?/uml/uml_net -- system_u:object_r:uml_net_exec_t
diff --git a/mls/file_contexts/program/unconfined.fc b/mls/file_contexts/program/unconfined.fc
deleted file mode 100644
index 5e289fa6..00000000
--- a/mls/file_contexts/program/unconfined.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t:s0
diff --git a/mls/file_contexts/program/updfstab.fc b/mls/file_contexts/program/updfstab.fc
deleted file mode 100644
index f6ac1d94..00000000
--- a/mls/file_contexts/program/updfstab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# updfstab
-/usr/sbin/updfstab -- system_u:object_r:updfstab_exec_t:s0
-/usr/sbin/fstab-sync -- system_u:object_r:updfstab_exec_t:s0
diff --git a/mls/file_contexts/program/uptimed.fc b/mls/file_contexts/program/uptimed.fc
deleted file mode 100644
index f80ccb4c..00000000
--- a/mls/file_contexts/program/uptimed.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# uptimed
-/etc/uptimed\.conf -- system_u:object_r:uptimed_etc_t
-/usr/sbin/uptimed -- system_u:object_r:uptimed_exec_t
-/var/spool/uptimed(/.*)? system_u:object_r:uptimed_spool_t
diff --git a/mls/file_contexts/program/usbmodules.fc b/mls/file_contexts/program/usbmodules.fc
deleted file mode 100644
index 1ab2742a..00000000
--- a/mls/file_contexts/program/usbmodules.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# usbmodules
-/usr/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t:s0
-/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t:s0
diff --git a/mls/file_contexts/program/useradd.fc b/mls/file_contexts/program/useradd.fc
deleted file mode 100644
index c7bb6599..00000000
--- a/mls/file_contexts/program/useradd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#useradd
-/usr/sbin/usermod -- system_u:object_r:useradd_exec_t:s0
-/usr/sbin/useradd -- system_u:object_r:useradd_exec_t:s0
-/usr/sbin/userdel -- system_u:object_r:useradd_exec_t:s0
-#groupadd
-/usr/sbin/groupmod -- system_u:object_r:groupadd_exec_t:s0
-/usr/sbin/groupadd -- system_u:object_r:groupadd_exec_t:s0
-/usr/sbin/groupdel -- system_u:object_r:groupadd_exec_t:s0
-/usr/bin/gpasswd -- system_u:object_r:groupadd_exec_t:s0
-/usr/sbin/gpasswd -- system_u:object_r:groupadd_exec_t:s0
diff --git a/mls/file_contexts/program/userhelper.fc b/mls/file_contexts/program/userhelper.fc
deleted file mode 100644
index 319c82aa..00000000
--- a/mls/file_contexts/program/userhelper.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/etc/security/console.apps(/.*)? system_u:object_r:userhelper_conf_t:s0
-/usr/sbin/userhelper -- system_u:object_r:userhelper_exec_t:s0
diff --git a/mls/file_contexts/program/usernetctl.fc b/mls/file_contexts/program/usernetctl.fc
deleted file mode 100644
index 728a65c6..00000000
--- a/mls/file_contexts/program/usernetctl.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# usernetctl
-/usr/sbin/usernetctl -- system_u:object_r:usernetctl_exec_t:s0
diff --git a/mls/file_contexts/program/utempter.fc b/mls/file_contexts/program/utempter.fc
deleted file mode 100644
index 922bc2a8..00000000
--- a/mls/file_contexts/program/utempter.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# utempter
-/usr/sbin/utempter -- system_u:object_r:utempter_exec_t:s0
diff --git a/mls/file_contexts/program/uucpd.fc b/mls/file_contexts/program/uucpd.fc
deleted file mode 100644
index a359cc36..00000000
--- a/mls/file_contexts/program/uucpd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# uucico program
-/usr/sbin/uucico -- system_u:object_r:uucpd_exec_t:s0
-/var/spool/uucp(/.*)? system_u:object_r:uucpd_spool_t:s0
-/var/spool/uucppublic(/.*)? system_u:object_r:uucpd_spool_t:s0
-/var/log/uucp(/.*)? system_u:object_r:uucpd_log_t:s0
diff --git a/mls/file_contexts/program/uwimapd.fc b/mls/file_contexts/program/uwimapd.fc
deleted file mode 100644
index 00f90737..00000000
--- a/mls/file_contexts/program/uwimapd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# uw-imapd and uw-imapd-ssl
-/usr/sbin/imapd -- system_u:object_r:imapd_exec_t
diff --git a/mls/file_contexts/program/vmware.fc b/mls/file_contexts/program/vmware.fc
deleted file mode 100644
index d015988c..00000000
--- a/mls/file_contexts/program/vmware.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# File contexts for VMWare.
-# Contributed by Mark Westerman (mark.westerman@westcam.com)
-# Changes made by NAI Labs.
-# Tested with VMWare 3.1
-#
-/usr/bin/vmnet-bridge -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-dhcpd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-natd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-netifup -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-sniffer -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-nmbd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-ping -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-wizard -- system_u:object_r:vmware_user_exec_t
-/usr/bin/vmware -- system_u:object_r:vmware_user_exec_t
-
-/dev/vmmon -c system_u:object_r:vmware_device_t
-/dev/vmnet.* -c system_u:object_r:vmware_device_t
-/dev/plex86 -c system_u:object_r:vmware_device_t
-
-/etc/vmware.*(/.*)? system_u:object_r:vmware_sys_conf_t
-/usr/lib(64)?/vmware/config -- system_u:object_r:vmware_sys_conf_t
-
-/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t
-/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t
-
-#
-# This is only an example of how to protect vmware session configuration
-# files. A general user can execute vmware and start a vmware session
-# but the user can not modify the session configuration information
-#/usr/local/vmware(/.*)? system_u:object_r:vmware_user_file_t
-#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t
-
-# The rules below assume that the user VMWare virtual disks are in the
-# ~/vmware, and the preferences and license files are in ~/.vmware.
-#
-HOME_DIR/\.vmware(/.*)? system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/vmware(/.*)? 
system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/\.vmware[^/]*/.*\.cfg -- system_u:object_r:ROLE_vmware_conf_t
diff --git a/mls/file_contexts/program/vpnc.fc b/mls/file_contexts/program/vpnc.fc
deleted file mode 100644
index 66a62714..00000000
--- a/mls/file_contexts/program/vpnc.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# vpnc
-/usr/sbin/vpnc -- system_u:object_r:vpnc_exec_t:s0
-/sbin/vpnc -- system_u:object_r:vpnc_exec_t:s0
-/etc/vpnc/vpnc-script -- system_u:object_r:bin_t:s0
diff --git a/mls/file_contexts/program/watchdog.fc b/mls/file_contexts/program/watchdog.fc
deleted file mode 100644
index d7a8c7f5..00000000
--- a/mls/file_contexts/program/watchdog.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# watchdog
-/usr/sbin/watchdog -- system_u:object_r:watchdog_exec_t
-/dev/watchdog -c system_u:object_r:watchdog_device_t
-/var/log/watchdog(/.*)? system_u:object_r:watchdog_log_t
-/var/run/watchdog\.pid -- system_u:object_r:watchdog_var_run_t
diff --git a/mls/file_contexts/program/webalizer.fc b/mls/file_contexts/program/webalizer.fc
deleted file mode 100644
index 7244932f..00000000
--- a/mls/file_contexts/program/webalizer.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-/usr/bin/webalizer -- system_u:object_r:webalizer_exec_t:s0
-/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t:s0
diff --git a/mls/file_contexts/program/winbind.fc b/mls/file_contexts/program/winbind.fc
deleted file mode 100644
index b1d9d575..00000000
--- a/mls/file_contexts/program/winbind.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/usr/sbin/winbindd -- system_u:object_r:winbind_exec_t:s0
-/var/run/winbindd(/.*)? system_u:object_r:winbind_var_run_t:s0
-ifdef(`samba.te', `', `
-/var/log/samba(/.*)? system_u:object_r:samba_log_t:s0
-/etc/samba(/.*)? system_u:object_r:samba_etc_t:s0
-/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t:s0
-/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t:s0
-/var/cache/samba(/.*)? system_u:object_r:samba_var_t:s0
-')
-/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t:s0
-/usr/bin/ntlm_auth -- system_u:object_r:winbind_helper_exec_t:s0
diff --git a/mls/file_contexts/program/xauth.fc b/mls/file_contexts/program/xauth.fc
deleted file mode 100644
index 055fc2f6..00000000
--- a/mls/file_contexts/program/xauth.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# xauth
-/usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t
-HOME_DIR/\.xauth.* -- system_u:object_r:ROLE_xauth_home_t
-HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t
diff --git a/mls/file_contexts/program/xdm.fc b/mls/file_contexts/program/xdm.fc
deleted file mode 100644
index 16c2d7d5..00000000
--- a/mls/file_contexts/program/xdm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# X Display Manager
-/usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
-/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
-/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t
-/usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t
-/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t
-/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t
-/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t
-/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
-/var/log/gdm(/.*)? system_u:object_r:xserver_log_t
-/tmp/\.X0-lock -- system_u:object_r:xdm_xserver_tmp_t
-/etc/X11/Xsession[^/]* -- system_u:object_r:xsession_exec_t
-/etc/X11/wdm(/.*)? system_u:object_r:xdm_rw_etc_t
-/etc/X11/wdm/Xsetup.* -- system_u:object_r:xsession_exec_t
-/etc/X11/wdm/Xstartup.* -- system_u:object_r:xsession_exec_t
-/etc/X11/[wx]dm/Xreset.* -- system_u:object_r:xsession_exec_t
-/etc/X11/[wx]dm/Xsession -- system_u:object_r:xsession_exec_t
-/etc/kde/kdm/Xsession -- system_u:object_r:xsession_exec_t
-/var/run/xdmctl(/.*)? system_u:object_r:xdm_var_run_t
-/var/run/xdm\.pid -- system_u:object_r:xdm_var_run_t
-/var/lib/[xkw]dm(/.*)? system_u:object_r:xdm_var_lib_t
-ifdef(`distro_suse', `
-/var/lib/pam_devperm/:0 -- system_u:object_r:xdm_var_lib_t
-')
-
-#
-# Additional Xsession scripts
-#
-/etc/X11/xdm/GiveConsole -- system_u:object_r:bin_t
-/etc/X11/xdm/TakeConsole -- system_u:object_r:bin_t
-/etc/X11/xdm/Xsetup_0 -- system_u:object_r:bin_t
-/etc/X11/xinit(/.*)? system_u:object_r:bin_t
-#
-# Rules for kde login
-#
-/etc/kde3?/kdm/Xstartup -- system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/Xreset -- system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/Xsession -- system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/backgroundrc system_u:object_r:xdm_var_run_t
-/usr/lib(64)?/qt-.*/etc/settings(/.*)? system_u:object_r:xdm_var_run_t
diff --git a/mls/file_contexts/program/xfs.fc b/mls/file_contexts/program/xfs.fc
deleted file mode 100644
index dc1881f0..00000000
--- a/mls/file_contexts/program/xfs.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# xfs
-/tmp/\.font-unix(/.*)? system_u:object_r:xfs_tmp_t:s0
-/usr/X11R6/bin/xfs -- system_u:object_r:xfs_exec_t:s0
-/usr/X11R6/bin/xfs-xtt -- system_u:object_r:xfs_exec_t:s0
-/usr/bin/xfstt -- system_u:object_r:xfs_exec_t:s0
diff --git a/mls/file_contexts/program/xprint.fc b/mls/file_contexts/program/xprint.fc
deleted file mode 100644
index 3c72a774..00000000
--- a/mls/file_contexts/program/xprint.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/Xprt -- system_u:object_r:xprint_exec_t
diff --git a/mls/file_contexts/program/xserver.fc b/mls/file_contexts/program/xserver.fc
deleted file mode 100644
index 3d48a6fc..00000000
--- a/mls/file_contexts/program/xserver.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# X server
-/usr/X11R6/bin/Xwrapper -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/X -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/XFree86 -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xorg -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xipaq -- system_u:object_r:xserver_exec_t
-/var/lib/xkb(/.*)? system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb -d system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
-/var/log/XFree86.* -- system_u:object_r:xserver_log_t
-/var/log/Xorg.* -- system_u:object_r:xserver_log_t
-/etc/init\.d/xfree86-common -- system_u:object_r:xserver_exec_t
-/tmp/\.X11-unix -d system_u:object_r:xdm_tmp_t
-/tmp/\.X11-unix/.* -s <>
-/tmp/\.ICE-unix -d system_u:object_r:ice_tmp_t
-/tmp/\.ICE-unix/.* -s <>
diff --git a/mls/file_contexts/program/yam.fc b/mls/file_contexts/program/yam.fc
deleted file mode 100644
index 023b7406..00000000
--- a/mls/file_contexts/program/yam.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# yam
-/etc/yam.conf -- system_u:object_r:yam_etc_t
-/usr/bin/yam system_u:object_r:yam_exec_t
-/var/yam(/.*)? system_u:object_r:yam_content_t
-/var/www/yam(/.*)? system_u:object_r:yam_content_t
diff --git a/mls/file_contexts/program/ypbind.fc b/mls/file_contexts/program/ypbind.fc
deleted file mode 100644
index f9f6ff8b..00000000
--- a/mls/file_contexts/program/ypbind.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ypbind
-/sbin/ypbind -- system_u:object_r:ypbind_exec_t:s0
diff --git a/mls/file_contexts/program/yppasswdd.fc b/mls/file_contexts/program/yppasswdd.fc
deleted file mode 100644
index b70c5a0d..00000000
--- a/mls/file_contexts/program/yppasswdd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# yppasswd
-/usr/sbin/rpc.yppasswdd -- system_u:object_r:yppasswdd_exec_t:s0
diff --git a/mls/file_contexts/program/ypserv.fc b/mls/file_contexts/program/ypserv.fc
deleted file mode 100644
index 023746f3..00000000
--- a/mls/file_contexts/program/ypserv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# ypserv
-/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t:s0
-/usr/lib/yp/.+ -- system_u:object_r:bin_t:s0
-/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t:s0
diff --git a/mls/file_contexts/program/zebra.fc b/mls/file_contexts/program/zebra.fc
deleted file mode 100644
index 328f9871..00000000
--- a/mls/file_contexts/program/zebra.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# Zebra - BGP daemon
-/usr/sbin/zebra -- system_u:object_r:zebra_exec_t:s0
-/usr/sbin/bgpd -- system_u:object_r:zebra_exec_t:s0
-/var/log/zebra(/.*)? system_u:object_r:zebra_log_t:s0
-/etc/zebra(/.*)? system_u:object_r:zebra_conf_t:s0
-/var/run/\.zserv -s system_u:object_r:zebra_var_run_t:s0
-/var/run/\.zebra -s system_u:object_r:zebra_var_run_t:s0
-# Quagga
-/usr/sbin/rip.* -- system_u:object_r:zebra_exec_t:s0
-/usr/sbin/ospf.* -- system_u:object_r:zebra_exec_t:s0
-/etc/quagga(/.*)? system_u:object_r:zebra_conf_t:s0
-/var/log/quagga(/.*)? system_u:object_r:zebra_log_t:s0
-/var/run/quagga(/.*)? system_u:object_r:zebra_var_run_t:s0
diff --git a/mls/file_contexts/types.fc b/mls/file_contexts/types.fc
deleted file mode 100644
index b80644c5..00000000
--- a/mls/file_contexts/types.fc
+++ /dev/null
@@ -1,523 +0,0 @@
-#
-# This file describes the security contexts to be applied to files
-# when the security policy is installed. The setfiles program
-# reads this file and labels files accordingly.
-#
-# Each specification has the form:
-# regexp [ -type ] ( context | <> )
-#
-# By default, the regexp is an anchored match on both ends (i.e. a
-# caret (^) is prepended and a dollar sign ($) is appended automatically).
-# This default may be overridden by using .* at the beginning and/or
-# end of the regular expression.
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -d to match only directories or -- to match only
-# regular files.
-#
-# The value of < may be used to indicate that matching files
-# should not be relabeled.
-#
-# The last matching specification is used.
-#
-# If there are multiple hard links to a file that match
-# different specifications and those specifications indicate
-# different security contexts, then a warning is displayed
-# but the file is still labeled based on the last matching
-# specification other than <>.
-#
-# Some of the files listed here get re-created during boot and therefore
-# need type transition rules to retain the correct type. These files are
-# listed here anyway so that if the setfiles program is used on a running
-# system it does not relabel them to something we do not want. An example of
-# this is /var/run/utmp.
-#
-
-#
-# The security context for all files not otherwise specified.
-#
-/.* system_u:object_r:default_t:s0
-
-#
-# The root directory.
-#
-/ -d system_u:object_r:root_t:s0
-
-#
-# Ordinary user home directories.
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-# and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-#
-HOME_ROOT -d system_u:object_r:home_root_t:s0
-HOME_DIR -d system_u:object_r:ROLE_home_dir_t:s0-s15:c0.c255
-HOME_DIR/.+ <>
-
-/root/\.default_contexts -- system_u:object_r:default_context_t:s0
-
-#
-# Mount points; do not relabel subdirectories, since
-# we do not want to change any removable media by default.
-/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s0
-/mnt/[^/]*/.* <>
-/media(/[^/]*)? -d system_u:object_r:mnt_t:s0
-/media/[^/]*/.* <>
-
-#
-# /var
-#
-/var(/.*)? system_u:object_r:var_t:s0
-/var/cache/man(/.*)? system_u:object_r:man_t:s0
-/var/yp(/.*)? system_u:object_r:var_yp_t:s0
-/var/lib(/.*)? system_u:object_r:var_lib_t:s0
-/var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t:s0
-/var/lib/abl(/.*)? system_u:object_r:var_auth_t:s0
-/var/lib/texmf(/.*)? system_u:object_r:tetex_data_t:s0
-/var/cache/fonts(/.*)? system_u:object_r:tetex_data_t:s0
-/var/lock(/.*)? system_u:object_r:var_lock_t:s0
-/var/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255
-/var/tmp/.* <>
-/var/tmp/vi\.recover -d system_u:object_r:tmp_t:s0
-/var/lib/nfs/rpc_pipefs(/.*)? <>
-/var/mailman/bin(/.*)? system_u:object_r:bin_t:s0
-/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? -- system_u:object_r:shlib_t:s0
-
-#
-# /var/ftp
-#
-/var/ftp/bin(/.*)? system_u:object_r:bin_t:s0
-/var/ftp/bin/ls -- system_u:object_r:ls_exec_t:s0
-/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/var/ftp/etc(/.*)? system_u:object_r:etc_t:s0
-
-#
-# /bin
-#
-/bin(/.*)? system_u:object_r:bin_t:s0
-/bin/tcsh -- system_u:object_r:shell_exec_t:s0
-/bin/bash -- system_u:object_r:shell_exec_t:s0
-/bin/bash2 -- system_u:object_r:shell_exec_t:s0
-/bin/sash -- system_u:object_r:shell_exec_t:s0
-/bin/d?ash -- system_u:object_r:shell_exec_t:s0
-/bin/zsh.* -- system_u:object_r:shell_exec_t:s0
-/usr/sbin/sesh -- system_u:object_r:shell_exec_t:s0
-/bin/ls -- system_u:object_r:ls_exec_t:s0
-
-#
-# /boot
-#
-/boot(/.*)? system_u:object_r:boot_t:s0
-/boot/System\.map(-.*)? system_u:object_r:system_map_t:s0
-
-#
-# /dev
-#
-/dev(/.*)? system_u:object_r:device_t:s0
-/dev/pts -d system_u:object_r:devpts_t:s0-s15:c0.c255
-/dev/pts(/.*)? <>
-/dev/cpu/.* -c system_u:object_r:cpu_device_t:s0
-/dev/microcode -c system_u:object_r:cpu_device_t:s0
-/dev/MAKEDEV -- system_u:object_r:sbin_t:s0
-/dev/null -c system_u:object_r:null_device_t:s0
-/dev/full -c system_u:object_r:null_device_t:s0
-/dev/zero -c system_u:object_r:zero_device_t:s0
-/dev/console -c system_u:object_r:console_device_t:s0
-/dev/xconsole -p system_u:object_r:xconsole_device_t:s0
-/dev/(kmem|mem|port) -c system_u:object_r:memory_device_t:s15:c0.c255
-/dev/nvram -c system_u:object_r:memory_device_t:s0
-/dev/random -c system_u:object_r:random_device_t:s0
-/dev/urandom -c system_u:object_r:urandom_device_t:s0
-/dev/adb.* -c system_u:object_r:tty_device_t:s0
-/dev/capi.* -c system_u:object_r:tty_device_t:s0
-/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t:s0
-/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t:s0
-/dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t:s0
-/dev/rfcomm[0-9]+ -c system_u:object_r:tty_device_t:s0
-/dev/isdn.* -c system_u:object_r:tty_device_t:s0
-/dev/.*tty[^/]* -c system_u:object_r:tty_device_t:s0
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t:s0
-/dev/cu.* -c system_u:object_r:tty_device_t:s0
-/dev/vcs[^/]* -c system_u:object_r:tty_device_t:s0
-/dev/ip2[^/]* -c system_u:object_r:tty_device_t:s0
-/dev/hvc.* -c system_u:object_r:tty_device_t:s0
-/dev/hvsi.* -c system_u:object_r:tty_device_t:s0
-/dev/ttySG.* -c system_u:object_r:tty_device_t:s0
-/dev/tty -c system_u:object_r:devtty_t:s0
-/dev/lp.* -c system_u:object_r:printer_device_t:s0
-/dev/par.* -c system_u:object_r:printer_device_t:s0
-/dev/usb/lp.* -c system_u:object_r:printer_device_t:s0
-/dev/usblp.* -c system_u:object_r:printer_device_t:s0
-ifdef(`distro_redhat', `
-/dev/root -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-')
-/dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/dm-[0-9]+ -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t:s0
-/dev/rd.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/loop.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/net/.* -c system_u:object_r:tun_tap_device_t:s0
-/dev/ram.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/rawctl -c system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/initrd -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/jsfd -b system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/js.* -c system_u:object_r:mouse_device_t:s0
-/dev/jsflash -c system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/xvd.* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t:s0
-/dev/usb/rio500 -c system_u:object_r:removable_device_t:s0
-/dev/fd[^/]+ -b system_u:object_r:removable_device_t:s0
-# I think a parallel port disk is a removable device...
-/dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t:s0
-/dev/p[fg][0-3] -b system_u:object_r:removable_device_t:s0
-/dev/aztcd -b system_u:object_r:removable_device_t:s0
-/dev/bpcd -b system_u:object_r:removable_device_t:s0
-/dev/gscd -b system_u:object_r:removable_device_t:s0
-/dev/hitcd -b system_u:object_r:removable_device_t:s0
-/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
-/dev/mcdx? -b system_u:object_r:removable_device_t:s0
-/dev/cdu.* -b system_u:object_r:removable_device_t:s0
-/dev/cm20.* -b system_u:object_r:removable_device_t:s0
-/dev/optcd -b system_u:object_r:removable_device_t:s0
-/dev/sbpcd.* -b system_u:object_r:removable_device_t:s0
-/dev/sjcd -b system_u:object_r:removable_device_t:s0
-/dev/sonycd -b system_u:object_r:removable_device_t:s0
-# parallel port ATAPI generic device
-/dev/pg[0-3] -c system_u:object_r:removable_device_t:s0
-/dev/rtc -c system_u:object_r:clock_device_t:s0
-/dev/psaux -c system_u:object_r:mouse_device_t:s0
-/dev/atibm -c system_u:object_r:mouse_device_t:s0
-/dev/logibm -c system_u:object_r:mouse_device_t:s0
-/dev/.*mouse.* -c system_u:object_r:mouse_device_t:s0
-/dev/input/.*mouse.* -c system_u:object_r:mouse_device_t:s0
-/dev/input/event.* -c system_u:object_r:event_device_t:s0
-/dev/input/mice -c system_u:object_r:mouse_device_t:s0
-/dev/input/js.* -c system_u:object_r:mouse_device_t:s0
-/dev/ptmx -c system_u:object_r:ptmx_t:s0
-/dev/sequencer -c system_u:object_r:misc_device_t:s0
-/dev/fb[0-9]* -c system_u:object_r:framebuf_device_t:s0
-/dev/apm_bios -c system_u:object_r:apm_bios_t:s0
-/dev/cpu/mtrr -c system_u:object_r:mtrr_device_t:s0
-/dev/pmu -c system_u:object_r:power_device_t:s0
-/dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t:s0
-/dev/winradio. -c system_u:object_r:v4l_device_t:s0
-/dev/vttuner -c system_u:object_r:v4l_device_t:s0
-/dev/tlk[0-3] -c system_u:object_r:v4l_device_t:s0
-/dev/adsp -c system_u:object_r:sound_device_t:s0
-/dev/mixer.* -c system_u:object_r:sound_device_t:s0
-/dev/dsp.* -c system_u:object_r:sound_device_t:s0
-/dev/audio.* -c system_u:object_r:sound_device_t:s0
-/dev/r?midi.* -c system_u:object_r:sound_device_t:s0
-/dev/sequencer2 -c system_u:object_r:sound_device_t:s0
-/dev/smpte.* -c system_u:object_r:sound_device_t:s0
-/dev/sndstat -c system_u:object_r:sound_device_t:s0
-/dev/beep -c system_u:object_r:sound_device_t:s0
-/dev/patmgr[01] -c system_u:object_r:sound_device_t:s0
-/dev/mpu401.* -c system_u:object_r:sound_device_t:s0
-/dev/srnd[0-7] -c system_u:object_r:sound_device_t:s0
-/dev/aload.* -c system_u:object_r:sound_device_t:s0
-/dev/amidi.* -c system_u:object_r:sound_device_t:s0
-/dev/amixer.* -c system_u:object_r:sound_device_t:s0
-/dev/snd/.* -c system_u:object_r:sound_device_t:s0
-/dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t:s0
-/dev/n?(raw)?[qr]ft[0-3] -c system_u:object_r:tape_device_t:s0
-/dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t:s0
-/dev/n?tpqic[12].* -c system_u:object_r:tape_device_t:s0
-/dev/ht[0-1] -b system_u:object_r:tape_device_t:s0
-/dev/n?osst[0-3].* -c system_u:object_r:tape_device_t:s0
-/dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t:s0
-/dev/tape.* -c system_u:object_r:tape_device_t:s0
-ifdef(`distro_suse', `
-/dev/usbscanner -c system_u:object_r:scanner_device_t:s0
-')
-/dev/usb/scanner.* -c system_u:object_r:scanner_device_t:s0
-/dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t:s0
-/dev/usb/mdc800.* -c system_u:object_r:scanner_device_t:s0
-/dev/usb/tty.* -c system_u:object_r:usbtty_device_t:s0
-/dev/mmetfgrab -c system_u:object_r:scanner_device_t:s0
-/dev/nvidia.* -c system_u:object_r:xserver_misc_device_t:s0
-/dev/dri/.+ -c system_u:object_r:dri_device_t:s0
-/dev/radeon -c system_u:object_r:dri_device_t:s0
-/dev/agpgart -c system_u:object_r:agp_device_t:s0
-/dev/z90crypt -c system_u:object_r:crypt_device_t:s0
-
-#
-# Misc
-#
-/proc(/.*)? <>
-/sys(/.*)? <>
-/selinux(/.*)? <>
-
-#
-# /opt
-#
-/opt(/.*)? system_u:object_r:usr_t:s0
-/opt(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/opt(/.*)?/libexec(/.*)? system_u:object_r:bin_t:s0
-/opt(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
-/opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
-/opt(/.*)?/man(/.*)? system_u:object_r:man_t:s0
-/opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t:s0
-
-#
-# /etc
-#
-/etc(/.*)? system_u:object_r:etc_t:s0
-/var/db/.*\.db -- system_u:object_r:etc_t:s0
-/etc/\.pwd\.lock -- system_u:object_r:shadow_t:s0
-/etc/passwd\.lock -- system_u:object_r:shadow_t:s0
-/etc/group\.lock -- system_u:object_r:shadow_t:s0
-/etc/shadow.* -- system_u:object_r:shadow_t:s0
-/etc/gshadow.* -- system_u:object_r:shadow_t:s0
-/var/db/shadow.* -- system_u:object_r:shadow_t:s0
-/etc/blkid\.tab.* -- system_u:object_r:etc_runtime_t:s0
-/etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t:s0
-/etc/\.fstab\.hal\..+ -- system_u:object_r:etc_runtime_t:s0
-/etc/HOSTNAME -- system_u:object_r:etc_runtime_t:s0
-/etc/ioctl\.save -- system_u:object_r:etc_runtime_t:s0
-/etc/mtab -- system_u:object_r:etc_runtime_t:s0
-/etc/motd -- system_u:object_r:etc_runtime_t:s0
-/etc/issue -- system_u:object_r:etc_runtime_t:s0
-/etc/issue\.net -- system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/hwconf -- system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/firstboot -- system_u:object_r:etc_runtime_t:s0
-/etc/asound\.state -- system_u:object_r:etc_runtime_t:s0
-/etc/ptal/ptal-printd-like -- system_u:object_r:etc_runtime_t:s0
-ifdef(`distro_gentoo', `
-/etc/profile\.env -- system_u:object_r:etc_runtime_t:s0
-/etc/csh\.env -- system_u:object_r:etc_runtime_t:s0
-/etc/env\.d/.* -- system_u:object_r:etc_runtime_t:s0
-')
-/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t:s0
-/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t:s0
-/etc/yp\.conf.* -- system_u:object_r:net_conf_t:s0
-/etc/resolv\.conf.* -- system_u:object_r:net_conf_t:s0
-
-/etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
-/etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s15:c0.c255
-/etc/selinux/([^/]*/)?users(/.*)? system_u:object_r:selinux_config_t:s15:c0.c255
-/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:policy_config_t:s15:c0.c255
-/etc/selinux/([^/]*/)?src(/.*)? system_u:object_r:policy_src_t:s15:c0.c255
-/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
-/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s15:c0.c255
-
-
-#
-# /lib(64)?
-#
-/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
-
-#
-# /sbin
-#
-/sbin(/.*)? system_u:object_r:sbin_t:s0
-
-#
-# /tmp
-#
-/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255
-/tmp/.* <>
-
-#
-# /usr
-#
-/usr(/.*)? system_u:object_r:usr_t:s0
-/usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/usr/lib/win32/.* -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
-/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0
-/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
-/usr/etc(/.*)? system_u:object_r:etc_t:s0
-/usr/inclu.e(/.*)? system_u:object_r:usr_t:s0
-/usr/libexec(/.*)? system_u:object_r:bin_t:s0
-/usr/src(/.*)? system_u:object_r:src_t:s0
-/usr/tmp -d system_u:object_r:tmp_t:s0-s15:c0.c255
-/usr/tmp/.* <>
-/usr/man(/.*)? system_u:object_r:man_t:s0
-/usr/share/man(/.*)? system_u:object_r:man_t:s0
-/usr/share/mc/extfs/.* -- system_u:object_r:bin_t:s0
-/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t:s0
-/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t:s0
-/usr/share/ssl/private(/.*)? system_u:object_r:cert_t:s0
-
-# nvidia share libraries
-/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-# libGL
-/usr/X11R6/lib/libGL\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)? system_u:object_r:policy_src_t:s0
-')
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t:s0
-')
-
-#
-# /usr/lib(64)?
-#
-/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t:s0
-/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t:s0
-/usr/lib(64)?/emacsen-common/.* system_u:object_r:bin_t:s0
-
-#
-# /usr/local
-#
-/usr/local/etc(/.*)? system_u:object_r:etc_t:s0
-/usr/local/src(/.*)? system_u:object_r:src_t:s0
-/usr/local/man(/.*)? system_u:object_r:man_t:s0
-/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-
-#
-# /usr/X11R6/man
-#
-/usr/X11R6/man(/.*)? system_u:object_r:man_t:s0
-
-#
-# Fonts dir
-#
-/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t:s0
-ifdef(`distro_debian', `
-/var/lib/msttcorefonts(/.*)? system_u:object_r:fonts_t:s0
-')
-/usr/share/fonts(/.*)? system_u:object_r:fonts_t:s0
-/usr/share/ghostscript/fonts(/.*)? system_u:object_r:fonts_t:s0
-/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t:s0
-
-#
-# /var/run
-#
-/var/run -d system_u:object_r:var_run_t:s0-s15:c0.c255
-/var/run/.*\.*pid <>
-/var/run/.* system_u:object_r:var_run_t:s0
-
-#
-# /var/spool
-#
-/var/spool(/.*)? system_u:object_r:var_spool_t:s0
-/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t:s0
-/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t:s0
-
-#
-# /var/log
-#
-/var/log(/.*)? system_u:object_r:var_log_t:s0
-/var/log/wtmp.* -- system_u:object_r:wtmp_t:s0
-/var/log/btmp.* -- system_u:object_r:faillog_t:s0
-/var/log/faillog -- system_u:object_r:faillog_t:s0
-/var/log/ksyms.* -- system_u:object_r:var_log_ksyms_t:s0
-/var/log/dmesg -- system_u:object_r:var_log_t:s0
-/var/log/lastlog -- system_u:object_r:lastlog_t:s0
-/var/log/ksymoops(/.*)? system_u:object_r:var_log_ksyms_t:s0
-/var/log/syslog -- system_u:object_r:var_log_t:s0
-
-#
-# Journal files
-#
-/\.journal <>
-/usr/\.journal <>
-/boot/\.journal <>
-HOME_ROOT/\.journal <>
-/var/\.journal <>
-/tmp/\.journal <>
-/usr/local/\.journal <>
-
-#
-# Lost and found directories.
-#
-/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-/lost\+found/.* <>
-/usr/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-/usr/lost\+found/.* <>
-/boot/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-/boot/lost\+found/.* <>
-HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-HOME_ROOT/lost\+found/.* <>
-/var/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-/var/lost\+found/.* <>
-/tmp/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-/tmp/lost\+found/.* <>
-/var/tmp/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-/var/tmp/lost\+found/.* <>
-/usr/local/lost\+found -d system_u:object_r:lost_found_t:s15:c0.c255
-/usr/local/lost\+found/.* <>
-
-#
-# system localization
-#
-/usr/share/zoneinfo(/.*)? system_u:object_r:locale_t:s0
-/usr/share/locale(/.*)? system_u:object_r:locale_t:s0
-/usr/lib/locale(/.*)? system_u:object_r:locale_t:s0
-/etc/localtime -- system_u:object_r:locale_t:s0
-/etc/localtime -l system_u:object_r:etc_t:s0
-/etc/pki(/.*)? system_u:object_r:cert_t:s0
-
-#
-# Gnu Cash
-#
-/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t:s0
-/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t:s0
-
-#
-# Turboprint
-#
-/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t:s0
-/usr/share/hwdata(/.*)? system_u:object_r:hwdata_t:s0
-
-#
-# initrd mount point, only used during boot
-#
-/initrd -d system_u:object_r:root_t:s0
-
-#
-# The krb5.conf file is always being tested for writability, so
-# we defined a type to dontaudit
-#
-/etc/krb5\.conf -- system_u:object_r:krb5_conf_t:s0
-
-#
-# Thunderbird
-#
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t:s0
-
-#
-# /srv
-#
-/srv(/.*)? system_u:object_r:var_t:s0
-
-/etc/sysconfig/network-scripts/ifup-.* -- system_u:object_r:bin_t:s0
-/etc/sysconfig/network-scripts/ifdown-.* -- system_u:object_r:bin_t:s0
diff --git a/mls/flask/Makefile b/mls/flask/Makefile
deleted file mode 100644
index 970b9fed..00000000
--- a/mls/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
- else if [ -x /bin/bash ]; then echo /bin/bash; \
- else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all: $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
- $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
- $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
- install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
- install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
- install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:
- rm -f $(FLASK_H_FILES)
- rm -f $(AV_H_FILES)
diff --git a/mls/flask/access_vectors b/mls/flask/access_vectors
deleted file mode 100644
index dc20463f..00000000
--- a/mls/flask/access_vectors
+++ /dev/null
@@ -1,608 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- unlink
- link
- rename
- execute
- swapon
- quotaon
- mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- recv_msg
- send_msg
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- transition
- associate
- quotamod
- quotaget
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
-}
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- connectto
- newconn
- acceptfrom
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- enforce_dest
-}
-
-class netif
-{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
- newconn
- acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
-}
-
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
- passwd # change another user passwd
- chfn # change another user finger info
- chsh # change another user shell
- rootok # pam_rootok check (skip auth)
- crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class drawable
-{
- create
- destroy
- draw
- copy
- getattr
-}
-
-class gc
-{
- create
- free
- getattr
- setattr
-}
-
-class window
-{
- addchild
- create
- destroy
- map
- unmap
- chstack
- chproplist
- chprop
- listprop
- getattr
- setattr
- setfocus
- move
- chselection
- chparent
- ctrllife
- enumerate
- transparent
- mousemotion
- clientcomevent
- inputevent
- drawevent
- windowchangeevent
- windowchangerequest
- serverchangeevent
- extensionevent
-}
-
-class font
-{
- load
- free
- getattr
- use
-}
-
-class colormap
-{
- create
- free
- install
- uninstall
- list
- read
- store
- getattr
- setattr
-}
-
-class property
-{
- create
- free
- read
- write
-}
-
-class cursor
-{
- create
- createglyph
- free
- assign
- setattr
-}
-
-class xclient
-{
- kill
-}
-
-class xinput
-{
- lookup
- getattr
- setattr
- setfocus
- warppointer
- activegrab
- passivegrab
- ungrab
- bell
- mousemotion
- relabelinput
-}
-
-class xserver
-{
- screensaver
- gethostlist
- sethostlist
- getfontpath
- setfontpath
- getattr
- grab
- ungrab
-}
-
-class xextension
-{
- query
- use
-}
-
-#
-# Define the access vector interpretation for controlling
-# PaX flags
-#
-class pax
-{
- pageexec # Paging based non-executable pages
- emutramp # Emulate trampolines
- mprotect # Restrict mprotect()
- randmmap # Randomize mmap() base
- randexec # Randomize ET_EXEC base
- segmexec # Segmentation based non-executable pages
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
- acquire_svc
- send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
- getpwd
- getgrp
- gethost
- getstat
- admin
- shmempwd
- shmemgrp
- shmemhost
-}
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
diff --git a/mls/flask/initial_sids b/mls/flask/initial_sids
deleted file mode 100644
index 95894eb4..00000000
--- a/mls/flask/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/mls/flask/mkaccess_vector.sh b/mls/flask/mkaccess_vector.sh
deleted file mode 100644
index b5da734b..00000000
--- a/mls/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,227 +0,0 @@ -#!/bin/sh - -# - -# FLASK - -set -e - -awk=$1 -shift - -# output files -av_permissions="av_permissions.h" -av_inherit="av_inherit.h" -common_perm_to_string="common_perm_to_string.h" -av_perm_to_string="av_perm_to_string.h" - -cat $* | $awk " -BEGIN { - outfile = \"$av_permissions\" - inheritfile = \"$av_inherit\" - cpermfile = \"$common_perm_to_string\" - avpermfile = \"$av_perm_to_string\" - "' - nextstate = "COMMON_OR_AV"; - printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile; - printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile; - printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; -; - } -/^[ \t]*#/ { - next; - } -$1 == "common" { - if (nextstate != "COMMON_OR_AV") - { - printf("Parse error: Unexpected COMMON definition on line %d\n", NR); - next; - } - - if ($2 in common_defined) - { - printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR); - next; - } - common_defined[$2] = 1; - - tclass = $2; - common_name = $2; - permission = 1; - - printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile; - - nextstate = "COMMON-OPENBRACKET"; - next; - } -$1 == "class" { - if (nextstate != "COMMON_OR_AV" && - nextstate != "CLASS_OR_CLASS-OPENBRACKET") - { - printf("Parse error: Unexpected class definition on line %d\n", NR); - next; - } - - tclass = $2; - - if (tclass in av_defined) - { - printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); - next; - } - av_defined[tclass] = 1; - - inherits = ""; - permission = 1; - - nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; - next; - } -$1 == "inherits" { - if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET") - { - printf("Parse error: Unexpected INHERITS definition on line %d\n", NR); - next; - } - - if (!($2 in common_defined)) - { - printf("COMMON %s is not defined (line %d).\n", $2, NR); - next; - } - - 
inherits = $2; - permission = common_base[$2]; - - for (combined in common_perms) - { - split(combined,separate, SUBSEP); - if (separate[1] == inherits) - { - inherited_perms[common_perms[combined]] = separate[2]; - } - } - - j = 1; - for (i in inherited_perms) { - ind[j] = i + 0; - j++; - } - n = asort(ind); - for (i = 1; i <= n; i++) { - perm = inherited_perms[ind[i]]; - printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; - spaces = 40 - (length(perm) + length(tclass)); - if (spaces < 1) - spaces = 1; - for (j = 0; j < spaces; j++) - printf(" ") > outfile; - printf("0x%08xUL\n", ind[i]) > outfile; - } - printf("\n") > outfile; - for (i in ind) delete ind[i]; - for (i in inherited_perms) delete inherited_perms[i]; - - printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; - - nextstate = "CLASS_OR_CLASS-OPENBRACKET"; - next; - } -$1 == "{" { - if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && - nextstate != "CLASS_OR_CLASS-OPENBRACKET" && - nextstate != "COMMON-OPENBRACKET") - { - printf("Parse error: Unexpected { on line %d\n", NR); - next; - } - - if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") - nextstate = "CLASS-CLOSEBRACKET"; - - if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") - nextstate = "CLASS-CLOSEBRACKET"; - - if (nextstate == "COMMON-OPENBRACKET") - nextstate = "COMMON-CLOSEBRACKET"; - } -/[a-z][a-z_]*/ { - if (nextstate != "COMMON-CLOSEBRACKET" && - nextstate != "CLASS-CLOSEBRACKET") - { - printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); - next; - } - - if (nextstate == "COMMON-CLOSEBRACKET") - { - if ((common_name,$1) in common_perms) - { - printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); - next; - } - - common_perms[common_name,$1] = permission; - - printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; - - printf(" S_(\"%s\")\n", $1) > cpermfile; - } - else - { - if ((tclass,$1) in av_perms) - { - 
printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); - next; - } - - av_perms[tclass,$1] = permission; - - if (inherits != "") - { - if ((inherits,$1) in common_perms) - { - printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR); - next; - } - } - - printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; - - printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; - } - - spaces = 40 - (length($1) + length(tclass)); - if (spaces < 1) - spaces = 1; - - for (i = 0; i < spaces; i++) - printf(" ") > outfile; - printf("0x%08xUL\n", permission) > outfile; - permission = permission * 2; - } -$1 == "}" { - if (nextstate != "CLASS-CLOSEBRACKET" && - nextstate != "COMMON-CLOSEBRACKET") - { - printf("Parse error: Unexpected } on line %d\n", NR); - next; - } - - if (nextstate == "COMMON-CLOSEBRACKET") - { - common_base[common_name] = permission; - printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; - } - - printf("\n") > outfile; - - nextstate = "COMMON_OR_AV"; - } -END { - if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") - printf("Parse error: Unexpected end of file\n"); - - }' - -# FLASK diff --git a/mls/flask/mkflask.sh b/mls/flask/mkflask.sh deleted file mode 100644 index 9c847549..00000000 --- a/mls/flask/mkflask.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/sh - -# - -# FLASK - -set -e - -awk=$1 -shift 1 - -# output file -output_file="flask.h" -debug_file="class_to_string.h" -debug_file2="initial_sid_to_string.h" - -cat $* | $awk " -BEGIN { - outfile = \"$output_file\" - debugfile = \"$debug_file\" - debugfile2 = \"$debug_file2\" - "' - nextstate = "CLASS"; - - printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - - printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; - printf("#define _SELINUX_FLASK_H_\n") > outfile; - printf("\n/*\n * Security object class definitions\n */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; - printf("/*\n * Security object class definitions\n */\n") > debugfile; - printf(" S_(\"null\")\n") > debugfile; - printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; - printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; - printf(" \"null\",\n") > debugfile2; - } -/^[ \t]*#/ { - next; - } -$1 == "class" { - if (nextstate != "CLASS") - { - printf("Parse error: Unexpected class definition on line %d\n", NR); - next; - } - - if ($2 in class_found) - { - printf("Duplicate class definition for %s on line %d.\n", $2, NR); - next; - } - class_found[$2] = 1; - - class_value++; - - printf("#define SECCLASS_%s", toupper($2)) > outfile; - for (i = 0; i < 40 - length($2); i++) - printf(" ") > outfile; - printf("%d\n", class_value) > outfile; - - printf(" S_(\"%s\")\n", $2) > debugfile; - } -$1 == "sid" { - if (nextstate == "CLASS") - { - nextstate = "SID"; - printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; - } - - if ($2 in sid_found) - { - printf("Duplicate SID definition for %s on line %d.\n", $2, NR); - next; - } - sid_found[$2] = 1; - sid_value++; - - printf("#define SECINITSID_%s", toupper($2)) > outfile; - for (i = 0; i < 37 - length($2); i++) - printf(" ") > outfile; - printf("%d\n", sid_value) > outfile; - printf(" 
 \"%s\",\n", $2) > debugfile2;
- }
-END {
- if (nextstate != "SID")
- printf("Parse error: Unexpected end of file\n");
-
- printf("\n#define SECINITSID_NUM") > outfile;
- for (i = 0; i < 34; i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf("\n#endif\n") > outfile;
- printf("};\n\n") > debugfile2;
- }'
-
-# FLASK
diff --git a/mls/flask/security_classes b/mls/flask/security_classes
deleted file mode 100644
index 2669c30b..00000000
--- a/mls/flask/security_classes
+++ /dev/null
@@ -1,86 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd
-
-# SE-X Windows stuff
-class drawable
-class window
-class gc
-class font
-class colormap
-class property
-class cursor
-class xclient
-class xinput
-class xserver
-class xextension
-
-# pax flags
-class pax
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-class dbus
-class nscd
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-# FLASK
diff --git a/mls/fs_use b/mls/fs_use
deleted file mode 100644
index d8840390..00000000
--- a/mls/fs_use
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Define the labeling behavior for inodes in particular filesystem types.
-# This information was formerly hardcoded in the SELinux module.
-
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 system_u:object_r:fs_t:s0;
-fs_use_xattr ext3 system_u:object_r:fs_t:s0;
-fs_use_xattr xfs system_u:object_r:fs_t:s0;
-fs_use_xattr jfs system_u:object_r:fs_t:s0;
-fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
-
-# Use the allocating task SID to label inodes in the following filesystem
-# types, and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems that represent objects
-# like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.
-fs_use_task pipefs system_u:object_r:fs_t:s0;
-fs_use_task sockfs system_u:object_r:fs_t:s0;
-
-# Use a transition SID based on the allocating task SID and the
-# filesystem SID to label inodes in the following filesystem types,
-# and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems like devpts and tmpfs
-# where we want to label objects with a derived type.
-fs_use_trans devpts system_u:object_r:devpts_t:s0;
-fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
-fs_use_trans shm system_u:object_r:tmpfs_t:s0;
-fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
-
-# The separate genfs_contexts configuration can be used for filesystem
-# types that cannot support persistent label mappings or use
-# one of the fixed label schemes specified here.
diff --git a/mls/genfs_contexts b/mls/genfs_contexts
deleted file mode 100644
index b9d5bc2f..00000000
--- a/mls/genfs_contexts
+++ /dev/null
@@ -1,108 +0,0 @@ -# FLASK - -# -# Security contexts for files in filesystems that -# cannot support xattr or use one of the fixed labeling schemes -# specified in fs_use. -# -# Each specifications has the form: -# genfscon fstype pathname-prefix [ -type ] context -# -# The entry with the longest matching pathname prefix is used. -# / refers to the root directory of the file system, and -# everything is specified relative to this root directory. -# If there is no entry with a matching pathname prefix, then -# the unlabeled initial SID is used. -# -# The optional type field specifies the file type as shown in the mode -# field by ls, e.g. use -c to match only character device files, -b -# to match only block device files. -# -# Except for proc, in 2.6 other filesystems are limited to a single entry (/) -# that covers all entries in the filesystem with a default file context. -# For proc, a pathname can be reliably generated from the proc_dir_entry -# tree. The proc /sys entries are used for both proc inodes and for sysctl(2) -# calls. /proc/PID entries are automatically labeled based on the associated -# process. -# -# Support for other filesystem types requires corresponding code to be -# added to the kernel, either as an xattr handler in the filesystem -# implementation (preferred, and necessary if you want to access the labels -# from userspace) or as logic in the SELinux module. 
-
-# proc (excluding /proc/PID)
-genfscon proc / system_u:object_r:proc_t:s0
-genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
-genfscon proc /kcore system_u:object_r:proc_kcore_t:s15:c0.c255
-genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0
-genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0
-genfscon proc /net system_u:object_r:proc_net_t:s0
-genfscon proc /sysvipc system_u:object_r:proc_t:s0
-genfscon proc /sys system_u:object_r:sysctl_t:s0
-genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
-genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0
-genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0
-genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
-genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0
-genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
-genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0
-genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0
-genfscon proc /irq system_u:object_r:sysctl_irq_t:s0
-
-# rootfs
-genfscon rootfs / system_u:object_r:root_t:s0
-
-# sysfs
-genfscon sysfs / system_u:object_r:sysfs_t:s0
-
-# selinuxfs
-genfscon selinuxfs / system_u:object_r:security_t:s0
-
-# autofs
-genfscon autofs / system_u:object_r:autofs_t:s0
-genfscon automount / system_u:object_r:autofs_t:s0
-
-# usbdevfs
-genfscon usbdevfs / system_u:object_r:usbdevfs_t:s0
-
-# iso9660
-genfscon iso9660 / system_u:object_r:iso9660_t:s0
-genfscon udf / system_u:object_r:iso9660_t:s0
-
-# romfs
-genfscon romfs / system_u:object_r:romfs_t:s0
-genfscon cramfs / system_u:object_r:romfs_t:s0
-
-# ramfs
-genfscon ramfs / system_u:object_r:ramfs_t:s0
-
-# vfat, msdos
-genfscon vfat / system_u:object_r:dosfs_t:s0
-genfscon msdos / system_u:object_r:dosfs_t:s0
-genfscon fat / system_u:object_r:dosfs_t:s0
-genfscon ntfs / system_u:object_r:dosfs_t:s0
-
-# samba
-genfscon cifs / system_u:object_r:cifs_t:s0
-genfscon smbfs / system_u:object_r:cifs_t:s0
-
-# nfs
-genfscon 
nfs / system_u:object_r:nfs_t:s0
-genfscon nfs4 / system_u:object_r:nfs_t:s0
-genfscon afs / system_u:object_r:nfs_t:s0
-
-genfscon debugfs / system_u:object_r:debugfs_t:s0
-genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0
-genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
-genfscon capifs / system_u:object_r:capifs_t:s0
-genfscon configfs / system_u:object_r:configfs_t:s0
-
-# needs more work
-genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
-genfscon futexfs / system_u:object_r:futexfs_t:s0
-genfscon bdev / system_u:object_r:bdev_t:s0
-genfscon usbfs / system_u:object_r:usbfs_t:s0
-genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
-genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
-genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
-
diff --git a/mls/initial_sid_contexts b/mls/initial_sid_contexts
deleted file mode 100644
index 53a3504c..00000000
--- a/mls/initial_sid_contexts
+++ /dev/null
@@ -1,46 +0,0 @@
-# FLASK
-
-#
-# Define the security context for each initial SID
-# sid sidname context
-
-sid kernel system_u:system_r:kernel_t:s15:c0.c255
-sid security system_u:object_r:security_t:s15:c0.c255
-sid unlabeled system_u:object_r:unlabeled_t:s15:c0.c255
-sid fs system_u:object_r:fs_t:s0
-sid file system_u:object_r:file_t:s0
-# Persistent label mapping is gone. This initial SID can be removed.
-sid file_labels system_u:object_r:unlabeled_t:s15:c0.c255
-# init_t is still used, but an initial SID is no longer required.
-sid init system_u:object_r:unlabeled_t:s15:c0.c255
-# any_socket is no longer used.
-sid any_socket system_u:object_r:unlabeled_t:s15:c0.c255
-sid port system_u:object_r:port_t:s0
-sid netif system_u:object_r:netif_t:s0
-# netmsg is no longer used.
-sid netmsg system_u:object_r:unlabeled_t:s15:c0.c255
-sid node system_u:object_r:node_t:s0
-# These sockets are now labeled with the kernel SID,
-# and do not require their own initial SIDs.
-sid igmp_packet system_u:object_r:unlabeled_t:s15:c0.c255
-sid icmp_socket system_u:object_r:unlabeled_t:s15:c0.c255
-sid tcp_socket system_u:object_r:unlabeled_t:s15:c0.c255
-# Most of the sysctl SIDs are now computed at runtime
-# from genfs_contexts, so the corresponding initial SIDs
-# are no longer required.
-sid sysctl_modprobe system_u:object_r:unlabeled_t:s15:c0.c255
-# But we still need the base sysctl initial SID as a default.
-sid sysctl system_u:object_r:sysctl_t:s0
-sid sysctl_fs system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_kernel system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_net system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_net_unix system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_vm system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_dev system_u:object_r:unlabeled_t:s15:c0.c255
-# No longer used, can be removed.
-sid kmod system_u:object_r:unlabeled_t:s15:c0.c255
-sid policy system_u:object_r:unlabeled_t:s15:c0.c255
-sid scmp_packet system_u:object_r:unlabeled_t:s15:c0.c255
-sid devnull system_u:object_r:null_device_t:s0
-
-# FLASK
diff --git a/mls/local.users b/mls/local.users
deleted file mode 100644
index 6dd04d60..00000000
--- a/mls/local.users
+++ /dev/null
@@ -1,21 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines additional users recognized by the system security policy.
-# Only the user identities defined in this file and the system.users file
-# may be used as the user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity. The syntax of a user declaration is:
-#
-# user username roles role_set [ level default_level range allowed_range ];
-#
-# The MLS default level and allowed range should only be specified if
-# MLS was enabled in the policy.
-
-# sample for administrative user
-# user jadmin roles { staff_r sysadm_r system_r };
-
-# sample for regular user
-#user jdoe roles { user_r };
diff --git a/mls/macros/admin_macros.te b/mls/macros/admin_macros.te
deleted file mode 100644
index aaa816e4..00000000
--- a/mls/macros/admin_macros.te
+++ /dev/null
@@ -1,227 +0,0 @@
-#
-# Macros for all admin domains.
-#
-
-#
-# admin_domain(domain_prefix)
-#
-# Define derived types and rules for an administrator domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately. If the every_domain() rules are desired,
-# then these rules must also be specified separately.
-#
-undefine(`admin_domain')
-define(`admin_domain',`
-# Type for home directory.
-attribute $1_file_type;
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
-
-# Type and access for pty devices.
-can_create_pty($1, `, admin_tty_type')
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-# Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
-
-# Inherit rules for ordinary users.
-base_user_domain($1)
-access_removable_media($1_t)
-
-allow $1_t self:capability setuid;
-
-ifdef(`su.te', `su_domain($1)')
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-
-# Let admin stat the shadow file.
-allow $1_t shadow_t:file getattr;
-
-ifdef(`crond.te', `
-allow $1_crond_t var_log_t:file r_file_perms;
-')
-
-# Allow system log read
-allow $1_t kernel_t:system syslog_read;
-
-# Allow autrace
-# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
-
-# Use capabilities other than sys_module.
-allow $1_t self:capability ~sys_module;
-
-# Use system operations.
-allow $1_t kernel_t:system *;
-
-# Set password information for other users.
-allow $1_t self:passwd { passwd chfn chsh };
-
-# Skip authentication when pam_rootok is specified.
-allow $1_t self:passwd rootok; - -# Manipulate other user crontab. -allow $1_t self:passwd crontab; -can_getsecurity(sysadm_crontab_t) - -# Change system parameters. -can_sysctl($1_t) - -# Create and use all files that have the sysadmfile attribute. -allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms; -allow $1_t sysadmfile:lnk_file create_lnk_perms; -allow $1_t sysadmfile:dir create_dir_perms; - -# for lsof -allow $1_t mtrr_device_t:file getattr; -allow $1_t fs_type:dir getattr; - -# Access removable devices. -allow $1_t removable_device_t:devfile_class_set rw_file_perms; - -# Communicate with the init process. -allow $1_t initctl_t:fifo_file rw_file_perms; - -# Examine all processes. -can_ps($1_t, domain) - -# allow renice -allow $1_t domain:process setsched; - -# Send signals to all processes. -allow $1_t { domain unlabeled_t }:process signal_perms; - -# Access all user terminals. -allow $1_t tty_device_t:chr_file rw_file_perms; -allow $1_t ttyfile:chr_file rw_file_perms; -allow $1_t ptyfile:chr_file rw_file_perms; -allow $1_t serial_device:chr_file setattr; - -# allow setting up tunnels -allow $1_t tun_tap_device_t:chr_file rw_file_perms; - -# run ls -l /dev -allow $1_t device_t:dir r_dir_perms; -allow $1_t { device_t device_type }:{ chr_file blk_file } getattr; -allow $1_t ptyfile:chr_file getattr; - -# Run programs from staff home directories. -# Not ideal, but typical if users want to login as both sysadm_t or staff_t. -can_exec($1_t, staff_home_t) - -# Run programs from /usr/src. -can_exec($1_t, src_t) - -# Relabel all files. 
-# Actually this will not allow relabeling ALL files unless you change -# sysadmfile to file_type (and change the assertion in assert.te that -# only auth_write can relabel shadow_t) -allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto }; -allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto }; - -ifdef(`startx.te', ` -ifdef(`xserver.te', ` -# Create files in /tmp/.X11-unix with our X servers derived -# tmp type rather than user_xserver_tmp_t. -file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) -')dnl end xserver.te -')dnl end startx.te - -ifdef(`xdm.te', ` -ifdef(`xauth.te', ` -if (xdm_sysadm_login) { -allow xdm_t $1_home_t:lnk_file read; -allow xdm_t $1_home_t:dir search; -} -can_pipe_xdm($1_t) -')dnl end ifdef xauth.te -')dnl end ifdef xdm.te - -# -# A user who is authorized for sysadm_t may nonetheless have -# a home directory labeled with user_home_t if the user is expected -# to login in either user_t or sysadm_t. Hence, the derived domains -# for programs need to be able to access user_home_t. -# - -# Allow our gph domain to write to .xsession-errors. -ifdef(`gnome-pty-helper.te', ` -allow $1_gph_t user_home_dir_type:dir rw_dir_perms; -allow $1_gph_t user_home_type:file create_file_perms; -') - -# Allow our crontab domain to unlink a user cron spool file. -ifdef(`crontab.te', -`allow $1_crontab_t user_cron_spool_t:file unlink;') - -# for the administrator to run TCP servers directly -can_tcp_connect($1_t, $1_t) -allow $1_t port_t:tcp_socket name_bind; - -# Connect data port to ftpd. -ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') - -# Connect second port to rshd. -ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') - -# -# Allow sysadm to execute quota commands against filesystems and files. -# -allow $1_t fs_type:filesystem quotamod; - -# Grant read and write access to /dev/console. 
-allow $1_t console_device_t:chr_file rw_file_perms;
-
-# Allow MAKEDEV to work
-allow $1_t device_t:dir rw_dir_perms;
-allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-allow $1_t device_t:lnk_file { create read };
-
-# for lsof
-allow $1_t domain:socket_class_set getattr;
-allow $1_t eventpollfs_t:file getattr;
-')
-
-define(`security_manager_domain', `
-
-typeattribute $1 secadmin;
-# Allow administrator domains to set the enforcing flag.
-can_setenforce($1)
-
-# Allow administrator domains to set policy booleans.
-can_setbool($1)
-
-# Get security policy decisions.
-can_getsecurity($1)
-
-# Allow administrator domains to set security parameters
-can_setsecparam($1)
-
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-# added by mayerf@tresys.com
-# The following rules are temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-#
-allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
-allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
-allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
-
-# Set an exec context, e.g. for runcon.
-can_setexec($1)
-
-# Set a context other than the default one for newly created files.
-can_setfscreate($1)
-
-allow $1 self:netlink_audit_socket nlmsg_readpriv;
-
-')
-
-
diff --git a/mls/macros/base_user_macros.te b/mls/macros/base_user_macros.te
deleted file mode 100644
index cecbaf7d..00000000
--- a/mls/macros/base_user_macros.te
+++ /dev/null
@@ -1,397 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# base_user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately.
-#
-
-# base_user_domain() is also called by the admin_domain() macro
-undefine(`base_user_domain')
-define(`base_user_domain', `
-
-# Type for network-obtained content
-type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
-type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
-
-# Allow user to relabel untrusted content
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
-# Read content
-read_content($1_t, $1)
-
-# Write trusted content. This includes proper transition
-# for /home, and /tmp, so no other transition is necessary (or allowed)
-write_trusted($1_t, $1)
-
-# Maybe the home directory is networked
-network_home($1_t)
-
-# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
-# Relabel files in the home directory
-file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file });
-allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
-can_setfscreate($1_t)
-
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
-
-allow $1_t self:capability { setgid chown fowner };
-dontaudit $1_t self:capability { sys_nice fsetid };
-
-# $1_r is authorized for $1_t for the initial login domain.
-role $1_r types $1_t;
-allow system_r $1_r;
-
-r_dir_file($1_t, usercanread)
-
-# Grant permissions within the domain.
-general_domain_access($1_t) - -if (allow_execmem) { -# Allow making anonymous memory executable, e.g. -# for runtime-code generation or executable stack. -allow $1_t self:process execmem; -} - -if (allow_execmem && allow_execstack) { -# Allow making the stack executable via mprotect. -allow $1_t self:process execstack; -} - -# Allow text relocations on system shared libraries, e.g. libGL. -allow $1_t texrel_shlib_t:file execmod; - -# -# kdeinit wants this access -# -allow $1_t device_t:dir { getattr search }; - -# Find CDROM devices -r_dir_file($1_t, sysctl_dev_t) -# for eject -allow $1_t fixed_disk_device_t:blk_file getattr; - -allow $1_t fs_type:dir getattr; - -allow $1_t event_device_t:chr_file { getattr read ioctl }; - -# open office is looking for the following -allow $1_t dri_device_t:chr_file getattr; -dontaudit $1_t dri_device_t:chr_file rw_file_perms; - -# Supress ls denials: -# getattr() - ls -l -# search_dir() - symlink path resolution -# read_dir() - deep ls: ls parent/... - -dontaudit_getattr($1_t) -dontaudit_search_dir($1_t) -dontaudit_read_dir($1_t) - -# allow ptrace -can_ptrace($1_t, $1_t) - -# Allow user to run restorecon and relabel files -can_getsecurity($1_t) -r_dir_file($1_t, default_context_t) -r_dir_file($1_t, file_context_t) - -allow $1_t usbtty_device_t:chr_file read; - -# GNOME checks for usb and other devices -rw_dir_file($1_t,usbfs_t) - -can_exec($1_t, noexattrfile) -# Bind to a Unix domain socket in /tmp. -allow $1_t $1_tmp_t:unix_stream_socket name_bind; - -# Use the type when relabeling terminal devices. -type_change $1_t tty_device_t:chr_file $1_tty_device_t; - -# Debian login is from shadow utils and does not allow resetting the perms. -# have to fix this! -type_change $1_t ttyfile:chr_file $1_tty_device_t; - -# for running TeX programs -r_dir_file($1_t, tetex_data_t) -can_exec($1_t, tetex_data_t) - -# Use the type when relabeling pty devices. 
-type_change $1_t server_pty:chr_file $1_devpts_t;
-
-tmpfs_domain($1)
-
-ifdef(`cardmgr.te', `
-# to allow monitoring of pcmcia status
-allow $1_t cardmgr_var_run_t:file { getattr read };
-')
-
-# Modify mail spool file.
-allow $1_t mail_spool_t:dir r_dir_perms;
-allow $1_t mail_spool_t:file rw_file_perms;
-allow $1_t mail_spool_t:lnk_file read;
-
-#
-# Allow graphical boot to check battery lifespan
-#
-ifdef(`apmd.te', `
-allow $1_t apmd_t:unix_stream_socket connectto;
-allow $1_t apmd_var_run_t:sock_file write;
-')
-
-#
-# Allow the query of filesystem quotas
-#
-allow $1_t fs_type:filesystem quotaget;
-
-# Run helper programs.
-can_exec_any($1_t)
-# Run programs developed by other users in the same domain.
-can_exec($1_t, $1_home_t)
-can_exec($1_t, $1_tmp_t)
-
-# Run user programs that require different permissions in their own domain.
-# These rules were moved into the individual program domains.
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
-ifdef(`chkpwd.te', `chkpwd_domain($1)')
-ifdef(`fingerd.te', `fingerd_macro($1)')
-ifdef(`mta.te', `mail_domain($1)')
-ifdef(`exim.te', `exim_user_domain($1)')
-ifdef(`crontab.te', `crontab_domain($1)')
-
-ifdef(`screen.te', `screen_domain($1)')
-ifdef(`tvtime.te', `tvtime_domain($1)')
-ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`thunderbird.te', `thunderbird_domain($1)')
-ifdef(`samba.te', `samba_domain($1)')
-ifdef(`gpg.te', `gpg_domain($1)')
-ifdef(`xauth.te', `xauth_domain($1)')
-ifdef(`iceauth.te', `iceauth_domain($1)')
-ifdef(`startx.te', `xserver_domain($1)')
-ifdef(`lpr.te', `lpr_domain($1)')
-ifdef(`ssh.te', `ssh_domain($1)')
-ifdef(`irc.te', `irc_domain($1)')
-ifdef(`using_spamassassin', `spamassassin_domain($1)')
-ifdef(`pyzor.te', `pyzor_domain($1)')
-ifdef(`razor.te', `razor_domain($1)')
-ifdef(`uml.te', `uml_domain($1)')
-ifdef(`cdrecord.te', `cdrecord_domain($1)')
-ifdef(`mplayer.te', `mplayer_domains($1)')
-
-fontconfig_domain($1)
-
-# GNOME
-ifdef(`gnome.te', `
-gnome_domain($1)
-ifdef(`games.te', `games_domain($1)')
-ifdef(`gift.te', `gift_domains($1)')
-ifdef(`evolution.te', `evolution_domains($1)')
-ifdef(`ethereal.te', `ethereal_domain($1)')
-')
-
-# ICE communication channel
-ice_domain($1, $1)
-
-# ORBit communication channel (independent of GNOME)
-orbit_domain($1, $1)
-
-# Instantiate a derived domain for user cron jobs.
-ifdef(`crond.te', `crond_domain($1)')
-
-ifdef(`vmware.te', `vmware_domain($1)')
-
-if (user_direct_mouse) {
-# Read the mouse.
-allow $1_t mouse_device_t:chr_file r_file_perms;
-}
-# Access other miscellaneous devices.
-allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
-allow $1_t device_t:lnk_file { getattr read };
-
-can_resmgrd_connect($1_t)
-
-#
-# evolution and gnome-session try to create a netlink socket
-#
-dontaudit $1_t self:netlink_socket create_socket_perms;
-dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
-
-# Use the network.
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-can_winbind($1_t)
-
-ifdef(`pamconsole.te', `
-allow $1_t pam_var_console_t:dir search;
-')
-
-allow $1_t var_lock_t:dir search;
-
-# Grant permissions to access the system DBus
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-can_network_server_tcp($1_dbusd_t)
-allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
-allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_client($1, $1)
-allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_domain($1)
-ifdef(`hald.te', `
-allow $1_t hald_t:dbus send_msg;
-allow hald_t $1_t:dbus send_msg;
-') dnl end ifdef hald.te
-') dnl end ifdef dbus.te
-
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-# Gnome pannel binds to the following
-ifdef(`cups.te', `
-allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
-')
-
-# for perl
-dontaudit $1_t net_conf_t:file ioctl;
-
-# Communicate within the domain.
-can_udp_send($1_t, self)
-
-# Connect to inetd.
-ifdef(`inetd.te', `
-can_tcp_connect($1_t, inetd_t)
-can_udp_send($1_t, inetd_t)
-can_udp_send(inetd_t, $1_t)
-')
-
-# Connect to portmap.
-ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
-# Inherit and use sockets from inetd
-ifdef(`inetd.te', `
-allow $1_t inetd_t:fd use;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
-
-# Very permissive allowing every domain to see every type.
-allow $1_t kernel_t:system ipc_info;
-
-# When the user domain runs ps, there will be a number of access
-# denials when ps tries to search /proc. Do not audit these denials.
-dontaudit $1_t domain:dir r_dir_perms;
-dontaudit $1_t domain:notdevfile_class_set r_file_perms;
-dontaudit $1_t domain:process { getattr getsession };
-#
-# Cups daemon running as user tries to write /etc/printcap
-#
-dontaudit $1_t usr_t:file setattr;
-
-# Use X
-x_client_domain($1, $1)
-
-ifdef(`xserver.te', `
-allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
-')
-
-ifdef(`xdm.te', `
-# Connect to the X server run by the X Display Manager.
-can_unix_connect($1_t, xdm_t)
-# certain apps want to read xdm.pid file
-r_dir_file($1_t, xdm_var_run_t)
-allow $1_t xdm_var_lib_t:file { getattr read };
-allow xdm_t $1_home_dir_t:dir getattr;
-ifdef(`xauth.te', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
-')
-
-')dnl end ifdef xdm.te
-
-# Access the sound device.
-allow $1_t sound_device_t:chr_file { getattr read write ioctl };
-
-# Access the power device.
-allow $1_t power_device_t:chr_file { getattr read write ioctl };
-
-allow $1_t var_log_t:dir { getattr search };
-dontaudit $1_t logfile:file getattr;
-
-# Check to see if cdrom is mounted
-allow $1_t mnt_t:dir { getattr search };
-
-# Get attributes of file systems.
-allow $1_t fs_type:filesystem getattr;
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t null_device_t:chr_file rw_file_perms;
-allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-#
-# Added to allow reading of cdrom
-#
-allow $1_t rpc_pipefs_t:dir getattr;
-allow $1_t nfsd_fs_t:dir getattr;
-allow $1_t binfmt_misc_fs_t:dir getattr;
-
-# /initrd is left mounted, various programs try to look at it
-dontaudit $1_t ramfs_t:dir getattr;
-
-#
-# Emacs wants this access
-#
-allow $1_t wtmp_t:file r_file_perms;
-dontaudit $1_t wtmp_t:file write;
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-r_dir_file($1_t, src_t)
-
-# Allow user to read default_t files
-# This is different from reading default_t content,
-# because it also includes sockets, fifos, and links
-
-if (read_default_t) {
-allow $1_t default_t:dir r_dir_perms;
-allow $1_t default_t:notdevfile_class_set r_file_perms;
-}
-
-# Read fonts
-read_fonts($1_t, $1)
-
-read_sysctl($1_t);
-
-#
-# Caused by su - init scripts
-#
-dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
-
-#
-# Running ifconfig as a user generates the following
-#
-dontaudit $1_t self:socket create;
-dontaudit $1_t sysctl_net_t:dir search;
-
-ifdef(`rpcd.te', `
-create_dir_file($1_t, nfsd_rw_t)
-')
-
-')dnl end base_user_domain macro
-
diff --git a/mls/macros/content_macros.te b/mls/macros/content_macros.te
deleted file mode 100644
index fb36d460..00000000
--- a/mls/macros/content_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-# Content access macros
-
-# FIXME: After nested booleans are supported, replace NFS/CIFS
-# w/ read_network_home, and write_network_home macros from global
-
-# FIXME: If true/false constant booleans are supported, replace
-# ugly $3 ifdefs with if(true), if(false)...
-
-# FIXME: Do we want write to imply read?
-
-############################################################
-# read_content(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to read content.
-# Content may be trusted or untrusted,
-# Reading anything is subject to a controlling boolean based on bool_prefix.
-# Reading untrusted content is additionally subject to read_untrusted_content
-# Reading default_t is additionally subject to read_default_t
-
-define(`read_content', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_read_content_defined', `', `
-define(`$3_read_content_defined')
-bool $3_read_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs home dirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_read_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file r_file_perms;
-dontaudit $1 nfs_t:dir r_dir_perms;
-}
-
-# Handle samba home dirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_read_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file r_file_perms;
-dontaudit $1 cifs_t:dir r_dir_perms;
-}
-
-# Handle removable media, /tmp, and /home
-ifelse($3, `', `',
-`if ($3_read_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_tmp_t $2_home_t } )
-ifdef(`mls_policy', `', `
-r_dir_file($1, removable_t)
-')
-
-ifelse($3, `', `',
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
-}')
-
-# Handle default_t content
-ifelse($3, `',
-`if (read_default_t) { ',
-`if ($3_read_content && read_default_t) {')
-r_dir_file($1, default_t)
-} else {
-dontaudit $1 default_t:file r_file_perms;
-dontaudit $1 default_t:dir r_dir_perms;
-}
-
-# Handle untrusted content
-ifelse($3, `',
-`if (read_untrusted_content) { ',
-`if ($3_read_content && read_untrusted_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
-}
-') dnl read_content
-
-#################################################
-# write_trusted(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to write trusted content.
-# This is subject to a controlling boolean based
-# on bool_prefix.
-
-define(`write_trusted', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_write_content_defined', `', `
-define(`$3_write_content_defined')
-bool $3_write_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs homedirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_write_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_write_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-ifelse($3, `', `',
-`if ($3_write_content) {')
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
-file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
-ifelse($3, `', `',
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}')
-
-') dnl write_trusted
-
-#########################################
-# write_untrusted(domain, role_prefix)
-#
-# Allow the given domain to write untrusted content.
-# This is subject to the global boolean write_untrusted.
-
-define(`write_untrusted', `
-
-# Handle nfs homedirs
-if (write_untrusted_content && use_nfs_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-if (write_untrusted_content && use_samba_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-if (write_untrusted_content) {
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
-file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}
-
-') dnl write_untrusted
diff --git a/mls/macros/core_macros.te b/mls/macros/core_macros.te
deleted file mode 100644
index 6bae8bf4..00000000
--- a/mls/macros/core_macros.te
+++ /dev/null
@@ -1,706 +0,0 @@
-
-##############################
-#
-# core macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors: Stephen Smalley , Timothy Fraser
-# Howard Holm (NSA)
-# Russell Coker
-#
-
-#################################
-#
-# Macros for groups of classes and
-# groups of permissions.
-#
-
-#
-# All directory and file classes
-#
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# All non-directory file classes.
-#
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# Non-device file classes.
-#
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-
-#
-# Device file classes.
-#
-define(`devfile_class_set', `{ chr_file blk_file }')
-
-#
-# All socket classes.
-#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
-
-#
-# Datagram socket classes.
-#
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-
-#
-# Stream socket classes.
-#
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-
-#
-# Permissions for getting file attributes.
-#
-define(`stat_file_perms', `{ getattr }')
-
-#
-# Permissions for executing files.
-#
-define(`x_file_perms', `{ getattr execute }')
-
-#
-# Permissions for reading files and their attributes.
-#
-define(`r_file_perms', `{ read getattr lock ioctl }')
-
-#
-# Permissions for reading and executing files.
-#
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
-
-#
-# Permissions for reading and writing files and their attributes.
-#
-define(`rw_file_perms', `{ ioctl read getattr lock write append }')
-
-#
-# Permissions for reading and appending to files.
-#
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
-
-#
-# Permissions for linking, unlinking and renaming files.
-#
-define(`link_file_perms', `{ getattr link unlink rename }')
-
-#
-# Permissions for creating lnk_files.
-#
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-#
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
-
-#
-# Permissions for reading directories and their attributes.
-#
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
-
-#
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
-
-#
-# Permissions for reading and adding names to directories.
-#
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
-
-
-#
-# Permissions for creating and using directories.
-#
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
-#
-# Permissions to mount and unmount file systems.
-#
-define(`mount_fs_perms', `{ mount remount unmount getattr }')
-
-#
-# Permissions for using sockets.
-#
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`create_socket_perms', `{ create rw_socket_perms }')
-
-#
-# Permissions for using stream sockets.
-#
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-
-#
-# Permissions for creating and using stream sockets.
-#
-define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
-
-
-#
-# Permissions for creating and using netlink sockets.
-#
-define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that modify state.
-#
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that observe state.
-#
-define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
-
-#
-# Permissions for sending all signals.
-#
-define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
-
-#
-# Permissions for sending and receiving network packets.
-#
-define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
-
-#
-# Permissions for using System V IPC
-#
-define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
-define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
-define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-#################################
-#
-# Macros for type transition rules and
-# access vector rules.
-#
-
-#
-# Simple combinations for reading and writing both
-# directories and files.
-#
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:file r_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`rw_dir_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file rw_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file ra_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_create_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file { create ra_file_perms };
-allow $1 $2:lnk_file { create read getattr };
-')
-
-define(`rw_dir_create_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_file', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_notdevfile', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:{ file sock_file fifo_file } create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_append_log_file', `
-allow $1 $2:dir { read getattr search add_name write };
-allow $1 $2:file { create ioctl getattr setattr append link };
-')
-
-##################################
-#
-# can_ps(domain1, domain2)
-#
-# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
-#
-define(`can_ps',`
-allow $1 $2:dir { search getattr read };
-allow $1 $2:{ file lnk_file } { read getattr };
-allow $1 $2:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6). Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 $2:process ptrace;
-')
-
-##################################
-#
-# can_getsecurity(domain)
-#
-# Authorize a domain to get security policy decisions.
-#
-define(`can_getsecurity',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
-')
-
-##################################
-#
-# can_setenforce(domain)
-#
-# Authorize a domain to set the enforcing flag.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setenforce',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
-}dnl end if !secure_mode_policyload
-')
-
-##################################
-#
-# can_setbool(domain)
-#
-# Authorize a domain to set a policy boolean.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setbool',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security setbool;
-auditallow $1 security_t:security setbool;
-}dnl end if !secure_mode_policyload
-')
-
-##################################
-#
-# can_setsecparam(domain)
-#
-# Authorize a domain to set security parameters.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setsecparam',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setsecparam;
-auditallow $1 security_t:security setsecparam;
-')
-
-##################################
-#
-# can_loadpol(domain)
-#
-# Authorize a domain to load a policy configuration.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_loadpol',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 proc_t:file { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security load_policy;
-auditallow $1 security_t:security load_policy;
-}dnl end if !secure_mode_policyload
-')
-
-#################################
-#
-# domain_trans(parent_domain, program_type, child_domain)
-#
-# Permissions for transitioning to a new domain.
-#
-
-define(`domain_trans',`
-
-#
-# Allow the process to transition to the new domain.
-#
-allow $1 $3:process transition;
-
-#
-# Do not audit when glibc secure mode is enabled upon the transition.
-#
-dontaudit $1 $3:process noatsecure;
-
-#
-# Do not audit when signal-related state is cleared upon the transition.
-#
-dontaudit $1 $3:process siginh;
-
-#
-# Do not audit when resource limits are reset upon the transition.
-#
-dontaudit $1 $3:process rlimitinh;
-
-#
-# Allow the process to execute the program.
-#
-allow $1 $2:file { read x_file_perms };
-
-#
-# Allow the process to reap the new domain.
-#
-allow $3 $1:process sigchld;
-
-#
-# Allow the new domain to inherit and use file
-# descriptions from the creating process and vice versa.
-#
-allow $3 $1:fd use;
-allow $1 $3:fd use;
-
-#
-# Allow the new domain to write back to the old domain via a pipe.
-#
-allow $3 $1:fifo_file rw_file_perms;
-
-#
-# Allow the new domain to read and execute the program.
-#
-allow $3 $2:file rx_file_perms;
-
-#
-# Allow the new domain to be entered via the program.
-#
-allow $3 $2:file entrypoint;
-')
-
-#################################
-#
-# domain_auto_trans(parent_domain, program_type, child_domain)
-#
-# Define a default domain transition and allow it.
-#
-define(`domain_auto_trans',`
-domain_trans($1,$2,$3)
-type_transition $1 $2:process $3;
-')
-
-#################################
-#
-# can_ptrace(domain, domain)
-#
-# Permissions for running ptrace (strace or gdb) on another domain
-#
-define(`can_ptrace',`
-allow $1 $2:process ptrace;
-allow $2 $1:process sigchld;
-')
-
-#################################
-#
-# can_exec(domain, type)
-#
-# Permissions for executing programs with
-# a specified type without changing domains.
-#
-define(`can_exec',`
-allow $1 $2:file { rx_file_perms execute_no_trans };
-')
-
-# this is an internal macro used by can_create
-define(`can_create_internal', `
-ifelse(`$3', `dir', `
-allow $1 $2:$3 create_dir_perms;
-', `$3', `lnk_file', `
-allow $1 $2:$3 create_lnk_perms;
-', `
-allow $1 $2:$3 create_file_perms;
-')dnl end if dir
-')dnl end can_create_internal
-
-
-#################################
-#
-# can_create(domain, file_type, object_class)
-#
-# Permissions for creating files of the specified type and class
-#
-define(`can_create', `
-ifelse(regexp($3, `\w'), -1, `', `
-can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
-
-can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
-')
-')
-#################################
-#
-# file_type_trans(domain, dir_type, file_type)
-#
-# Permissions for transitioning to a new file type.
-#
-
-define(`file_type_trans',`
-
-#
-# Allow the process to modify the directory.
-#
-allow $1 $2:dir rw_dir_perms;
-
-#
-# Allow the process to create the file.
-#
-ifelse(`$4', `', `
-can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
-', `
-can_create($1, $3, $4)
-')dnl end if param 4 specified
-
-')
-
-#################################
-#
-# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
-#
-# the object class will default to notdevfile_class_set if not specified as
-# the fourth parameter
-#
-# Define a default file type transition and allow it.
-#
-define(`file_type_auto_trans',`
-ifelse(`$4', `', `
-file_type_trans($1,$2,$3)
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-', `
-file_type_trans($1,$2,$3,$4)
-type_transition $1 $2:$4 $3;
-')dnl end ifelse
-
-')
-
-
-#################################
-#
-# can_unix_connect(client, server)
-#
-# Permissions for establishing a Unix stream connection.
-#
-define(`can_unix_connect',`
-allow $1 $2:unix_stream_socket connectto;
-')
-
-#################################
-#
-# can_unix_send(sender, receiver)
-#
-# Permissions for sending Unix datagrams.
-#
-define(`can_unix_send',`
-allow $1 $2:unix_dgram_socket sendto;
-')
-
-#################################
-#
-# can_tcp_connect(client, server)
-#
-# Permissions for establishing a TCP connection.
-# Irrelevant until we have labeled networking.
-#
-define(`can_tcp_connect',`
-#allow $1 $2:tcp_socket { connectto recvfrom };
-#allow $2 $1:tcp_socket { acceptfrom recvfrom };
-#allow $2 kernel_t:tcp_socket recvfrom;
-#allow $1 kernel_t:tcp_socket recvfrom;
-')
-
-#################################
-#
-# can_udp_send(sender, receiver)
-#
-# Permissions for sending/receiving UDP datagrams.
-# Irrelevant until we have labeled networking.
-#
-define(`can_udp_send',`
-#allow $1 $2:udp_socket sendto;
-#allow $2 $1:udp_socket recvfrom;
-')
-
-
-##################################
-#
-# base_pty_perms(domain_prefix)
-#
-# Base permissions used for can_create_pty() and can_create_other_pty()
-#
-define(`base_pty_perms', `
-# Access the pty master multiplexer.
-allow $1_t ptmx_t:chr_file rw_file_perms;
-
-allow $1_t devpts_t:filesystem getattr;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# ignore old BSD pty devices
-dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
-')
-
-
-##################################
-#
-# pty_slave_label(domain_prefix, attributes)
-#
-# give access to a slave pty but do not allow creating new ptys
-#
-define(`pty_slave_label', `
-type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
-
-# Allow the pty to be associated with the file system.
-allow $1_devpts_t devpts_t:filesystem associate;
-
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $1_devpts_t;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# Read and write my pty files.
-allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# can_create_pty(domain_prefix, attributes)
-#
-# Permissions for creating ptys.
-#
-define(`can_create_pty',`
-base_pty_perms($1)
-pty_slave_label($1, `$2')
-')
-
-
-##################################
-#
-# can_create_other_pty(domain_prefix,other_domain)
-#
-# Permissions for creating ptys for another domain.
-#
-define(`can_create_other_pty',`
-base_pty_perms($1)
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $2_devpts_t;
-
-# Read and write pty files.
-allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-#
-# general_domain_access(domain)
-#
-# Grant permissions within the domain.
-# This includes permissions to processes, /proc/PID files,
-# file descriptors, pipes, Unix sockets, and System V IPC objects
-# labeled with the domain.
-#
-define(`general_domain_access',`
-# Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
-# These must be granted separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
-
-# Access /proc/PID files for processes in the same domain.
-allow $1 self:dir r_dir_perms;
-allow $1 self:notdevfile_class_set r_file_perms;
-
-# Access file descriptions, pipes, and sockets
-# created by processes in the same domain.
-allow $1 self:fd *;
-allow $1 self:fifo_file rw_file_perms;
-allow $1 self:unix_dgram_socket create_socket_perms;
-allow $1 self:unix_stream_socket create_stream_socket_perms;
-
-# Allow the domain to communicate with other processes in the same domain.
-allow $1 self:unix_dgram_socket sendto;
-allow $1 self:unix_stream_socket connectto;
-
-# Access System V IPC objects created by processes in the same domain.
-allow $1 self:sem create_sem_perms;
-allow $1 self:msg { send receive };
-allow $1 self:msgq create_msgq_perms;
-allow $1 self:shm create_shm_perms;
-allow $1 unpriv_userdomain:fd use;
-#
-# Every app is asking for ypbind so I am adding this here,
-# eventually this should become can_nsswitch
-#
-can_ypbind($1)
-allow $1 autofs_t:dir { search getattr };
-')dnl end general_domain_access
diff --git a/mls/macros/global_macros.te b/mls/macros/global_macros.te
deleted file mode 100644
index 277ab498..00000000
--- a/mls/macros/global_macros.te
+++ /dev/null
@@ -1,772 +0,0 @@
-##############################
-#
-# Global macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Howard Holm (NSA)
-# Russell Coker
-#
-#
-#
-
-##################################
-#
-# can_setexec(domain)
-#
-# Authorize a domain to set its exec context
-# (via /proc/pid/attr/exec).
-#
-define(`can_setexec',`
-allow $1 self:process setexec;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-#
-# can_getcon(domain)
-#
-# Authorize a domain to get its context
-# (via /proc/pid/attr/current).
-#
-define(`can_getcon',`
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-allow $1 self:process getattr;
-')
-
-##################################
-#
-# can_setcon(domain)
-#
-# Authorize a domain to set its current context
-# (via /proc/pid/attr/current).
-#
-define(`can_setcon',`
-allow $1 self:process setcurrent;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-# read_sysctl(domain)
-#
-# Permissions for reading sysctl variables.
-# If the second parameter is full, allow
-# reading of any sysctl variables, else only
-# sysctl_kernel_t.
-#
-define(`read_sysctl', `
-# Read system variables in /sys.
-ifelse($2,`full', `
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file r_file_perms;
-', `
-allow $1 sysctl_t:dir search;
-allow $1 sysctl_kernel_t:dir search;
-allow $1 sysctl_kernel_t:file { getattr read };
-')
-
-')dnl read_sysctl
-
-##################################
-#
-# can_setfscreate(domain)
-#
-# Authorize a domain to set its fscreate context
-# (via /proc/pid/attr/fscreate).
-#
-define(`can_setfscreate',`
-allow $1 self:process setfscreate;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-#################################
-#
-# uses_shlib(domain)
-#
-# Permissions for using shared libraries.
-#
-define(`uses_shlib',`
-allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file rx_file_perms;
-#allow $1 ld_so_t:file execute_no_trans;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
-allow $1 texrel_shlib_t:file execmod;
-allow $1 ld_so_cache_t:file r_file_perms;
-allow $1 device_t:dir search;
-allow $1 null_device_t:chr_file rw_file_perms;
-')
-
-#################################
-#
-# can_exec_any(domain)
-#
-# Permissions for executing a variety
-# of executable types.
-#
-define(`can_exec_any',`
-allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
-allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
-uses_shlib($1)
-can_exec($1, etc_t)
-can_exec($1, lib_t)
-can_exec($1, bin_t)
-can_exec($1, sbin_t)
-can_exec($1, exec_type)
-can_exec($1, ld_so_t)
-')
-
-
-#################################
-#
-# can_sysctl(domain)
-#
-# Permissions for modifying sysctl parameters.
-#
-define(`can_sysctl',`
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# read_locale(domain)
-#
-# Permissions for reading the locale data,
-# /etc/localtime and the files that it links to
-#
-define(`read_locale', `
-allow $1 etc_t:lnk_file read;
-allow $1 lib_t:file r_file_perms;
-r_dir_file($1, locale_t)
-')
-
-define(`can_access_pty', `
-allow $1 devpts_t:dir r_dir_perms;
-allow $1 $2_devpts_t:chr_file rw_file_perms;
-')
-
-###################################
-#
-# access_terminal(domain, typeprefix)
-#
-# Permissions for accessing the terminal
-#
-define(`access_terminal', `
-allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
-allow $1 devtty_t:chr_file { read write getattr ioctl };
-can_access_pty($1, $2)
-')
-
-#
-# general_proc_read_access(domain)
-#
-# Grant read/search permissions to most of /proc, excluding
-# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
-# The general_domain_access macro grants access to the domain /proc/PID
-# directories, but not to other domains. Only permissions to stat
-# are granted for /proc/kmsg and /proc/kcore, since these files are more
-# sensitive.
-#
-define(`general_proc_read_access',`
-# Read system information files in /proc.
-r_dir_file($1, proc_t)
-r_dir_file($1, proc_net_t)
-allow $1 proc_mdstat_t:file r_file_perms;
-
-# Stat /proc/kmsg and /proc/kcore.
-allow $1 proc_fs:file stat_file_perms;
-
-# Read system variables in /proc/sys.
-read_sysctl($1)
-')
-
-#
-# base_file_read_access(domain)
-#
-# Grant read/search permissions to a few system file types.
-#
-define(`base_file_read_access',`
-# Read /.
-allow $1 root_t:dir r_dir_perms;
-allow $1 root_t:notdevfile_class_set r_file_perms;
-
-# Read /home.
-allow $1 home_root_t:dir r_dir_perms;
-
-# Read /usr.
-allow $1 usr_t:dir r_dir_perms;
-allow $1 usr_t:notdevfile_class_set r_file_perms;
-
-# Read bin and sbin directories.
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:notdevfile_class_set r_file_perms;
-allow $1 sbin_t:dir r_dir_perms;
-allow $1 sbin_t:notdevfile_class_set r_file_perms;
-read_sysctl($1)
-
-r_dir_file($1, selinux_config_t)
-
-if (read_default_t) {
-#
-# Read default_t
-#.
-allow $1 default_t:dir r_dir_perms;
-allow $1 default_t:notdevfile_class_set r_file_perms;
-}
-
-')
-
-#######################
-# daemon_core_rules(domain_prefix, attribs)
-#
-# Define the core rules for a daemon, used by both daemon_base_domain() and
-# init_service_domain().
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author: Russell Coker
-#
-define(`daemon_core_rules', `
-type $1_t, domain, privlog, daemon $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-dontaudit $1_t self:capability sys_tty_config;
-
-role system_r types $1_t;
-
-# Inherit and use descriptors from init.
-allow $1_t init_t:fd use;
-allow $1_t init_t:process sigchld;
-allow $1_t self:process { signal_perms fork };
-
-uses_shlib($1_t)
-
-allow $1_t { self proc_t }:dir r_dir_perms;
-allow $1_t { self proc_t }:lnk_file { getattr read };
-
-allow $1_t device_t:dir r_dir_perms;
-ifdef(`udev.te', `
-allow $1_t udev_tdb_t:file r_file_perms;
-')dnl end if udev.te
-allow $1_t null_device_t:chr_file rw_file_perms;
-dontaudit $1_t console_device_t:chr_file rw_file_perms;
-dontaudit $1_t unpriv_userdomain:fd use;
-
-r_dir_file($1_t, sysfs_t)
-
-allow $1_t autofs_t:dir { search getattr };
-ifdef(`targeted_policy', `
-dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
-dontaudit $1_t root_t:file { getattr read };
-')dnl end if targeted_policy
-
-')dnl end macro daemon_core_rules
-
-#######################
-# init_service_domain(domain_prefix, attribs)
-#
-# Define a domain for a program that is run from init
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author: Russell Coker
-#
-define(`init_service_domain', `
-daemon_core_rules($1, `$2')
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(init_t, $1_exec_t)
-} else {
-domain_auto_trans(init_t, $1_exec_t, $1_t)
-}
-')dnl
-
-#######################
-# daemon_base_domain(domain_prefix, attribs)
-#
-# Define a daemon domain with a base set of type declarations
-# and permissions that are common to most daemons.
-# attribs is the list of attributes which must start with "," if it is not empty
-# nosysadm may be given as an optional third parameter, to specify that the
-# sysadmin should not transition to the domain when directly calling the executable
-#
-# Author: Russell Coker
-#
-define(`daemon_base_domain', `
-daemon_core_rules($1, `$2')
-
-rhgb_domain($1_t)
-
-read_sysctl($1_t)
-
-ifdef(`direct_sysadm_daemon', `
-dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
-')
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-ifelse(index(`$2',`transitionbool'), -1, `', `
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-') dnl transitionbool
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-
-allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-ifelse(index(`$2', `transitionbool'), -1, `', `
-}
-') dnl end transitionbool
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-role_transition sysadm_r $1_exec_t system_r;
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-
-allow $1_t privfd:fd use;
-ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
-allow $1_t initrc_devpts_t:chr_file rw_file_perms;
-')dnl
-
-# allow a domain to create its own files under /var/run and to create files
-# in directories that are created for it. $2 is an optional list of
-# classes to use; default is file.
-define(`var_run_domain', `
-type $1_var_run_t, file_type, sysadmfile, pidfile;
-
-ifelse(`$2', `', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
-', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
-')
-allow $1_t var_t:dir search;
-allow $1_t $1_var_run_t:dir rw_dir_perms;
-')
-
-#######################
-# daemon_domain(domain_prefix, attribs)
-#
-# see daemon_base_domain for calling details
-# daemon_domain defines some additional privileges needed by many domains,
-# like pid files and locale support
-
-define(`daemon_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `$2, transitionbool', $3)
-', `
-daemon_base_domain($1, `$2', $3)
-')
-# Create pid file.
-allow $1_t var_t:dir { getattr search };
-var_run_domain($1)
-
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-# for daemons that look at /root on startup
-dontaudit $1_t sysadm_home_dir_t:dir search;
-
-# for df
-allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;
-
-read_locale($1_t)
-
-# for localization
-allow $1_t lib_t:file { getattr read };
-')dnl end daemon_domain macro
-
-define(`uses_authbind',
-`domain_auto_trans($1, authbind_exec_t, authbind_t)
-allow authbind_t $1:process sigchld;
-allow authbind_t $1:fd use;
-allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
-')
-
-# define a sub-domain, $1_t is the parent domain, $2 is the name
-# of the sub-domain.
-#
-define(`daemon_sub_domain', `
-# $1 is the parent domain (or domains), $2_t is the child domain,
-# and $3 is any attributes to apply to the child
-type $2_t, domain, privlog, daemon $3;
-type $2_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types $2_t;
-
-ifelse(index(`$3',`transitionbool'), -1, `
-
-domain_auto_trans($1, $2_exec_t, $2_t)
-
-', `
-
-bool $2_disable_trans false;
-
-if (! $2_disable_trans) {
-domain_auto_trans($1, $2_exec_t, $2_t)
-}
-
-');
-# Inherit and use descriptors from parent.
-allow $2_t $1:fd use;
-allow $2_t $1:process sigchld;
-
-allow $2_t self:process signal_perms;
-
-uses_shlib($2_t)
-
-allow $2_t { self proc_t }:dir r_dir_perms;
-allow $2_t { self proc_t }:lnk_file read;
-
-allow $2_t device_t:dir getattr;
-')
-
-# grant access to /tmp
-# by default, only plain files and dirs may be stored there.
-# This can be overridden with a third parameter
-define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-ifelse($3, `',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
-')
-
-# grant access to /tmp. Do not perform an automatic transition.
-define(`tmp_domain_notrans', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-')
-
-define(`tmpfs_domain', `
-ifdef(`$1_tmpfs_t_defined',`', `
-define(`$1_tmpfs_t_defined')
-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-# Use this type when creating tmpfs/shm objects.
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
-')
-')
-
-define(`var_lib_domain', `
-type $1_var_lib_t, file_type, sysadmfile;
-file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
-allow $1_t $1_var_lib_t:dir rw_dir_perms;
-')
-
-define(`log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
-')
-
-define(`logdir_domain', `
-log_domain($1)
-allow $1_t $1_log_t:dir { setattr rw_dir_perms };
-')
-
-define(`etc_domain', `
-type $1_etc_t, file_type, sysadmfile, usercanread;
-allow $1_t $1_etc_t:file r_file_perms;
-')
-
-define(`etcdir_domain', `
-etc_domain($1)
-allow $1_t $1_etc_t:dir r_dir_perms;
-allow $1_t $1_etc_t:lnk_file { getattr read };
-')
-
-define(`append_log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-allow $1_t var_log_t:dir ra_dir_perms;
-allow $1_t $1_log_t:file { create ra_file_perms };
-type_transition $1_t var_log_t:file $1_log_t;
-')
-
-define(`append_logdir_domain', `
-append_log_domain($1)
-allow $1_t $1_log_t:dir { setattr ra_dir_perms };
-')
-
-define(`lock_domain', `
-type $1_lock_t, file_type, sysadmfile, lockfile;
-file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
-')
-
-#######################
-# application_domain(domain_prefix)
-#
-# Define a domain with a base set of type declarations
-# and permissions that are common to simple applications.
-#
-# Author: Russell Coker
-#
-define(`application_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types $1_t;
-ifdef(`targeted_policy', `
-role system_r types $1_t;
-')
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-uses_shlib($1_t)
-')
-
-define(`system_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types $1_t;
-uses_shlib($1_t)
-allow $1_t etc_t:dir r_dir_perms;
-')
-
-# Dontaudit macros to prevent flooding the log
-
-define(`dontaudit_getattr', `
-dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;
-dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-')dnl end dontaudit_getattr
-
-define(`dontaudit_search_dir', `
-dontaudit $1 file_type - secure_file_type:dir search;
-dontaudit $1 unlabeled_t:dir search;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-')dnl end dontaudit_search_dir
-
-define(`dontaudit_read_dir', `
-dontaudit $1 file_type - secure_file_type:dir read;
-dontaudit $1 unlabeled_t:dir read;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-')dnl end dontaudit_read_dir
-
-# Define legacy_domain for legacy binaries (java)
-# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
-# toolchain. They cause the kernel to automatically start translating all
-# read protection requests to read|execute for backward compatibility on
-# x86. They will all need execmem and execmod, including execmod to
-# shlib_t and ld_so_t unlike non-legacy binaries.
-
-define(`legacy_domain', `
-allow $1_t self:process { execmem execstack };
-allow $1_t { texrel_shlib_t shlib_t }:file execmod;
-allow $1_t ld_so_t:file execmod;
-allow $1_t ld_so_cache_t:file execute;
-')
-
-
-# Allow domain to perform polyinstantiation functions
-# polyinstantiater(domain)
-
-define(`polyinstantiater', `
-
-ifdef(`support_polyinstantiation', `
-# Need to give access to /selinux/member
-allow $1 security_t:security compute_member;
-
-# Need to give access to the directories to be polyinstantiated
-allow $1 polydir:dir { getattr mounton add_name create setattr write search };
-
-# Need to give access to the polyinstantiated subdirectories
-allow $1 polymember:dir {getattr search };
-
-# Need to give access to parent directories where original
-# is remounted for polyinstantiation aware programs (like gdm)
-allow $1 polyparent:dir { getattr mounton };
-
-# Need to give permission to create directories where applicable
-allow $1 polymember: dir { create setattr };
-allow $1 polydir: dir { write add_name };
-allow $1 self:process setfscreate;
-allow $1 polyparent:dir { write add_name };
-# Default type for mountpoints
-allow $1 poly_t:dir { create mounton };
-
-# Need sys_admin capability for mounting
-allow $1 self:capability sys_admin;
-')dnl end else support_polyinstantiation
-
-')dnl end polyinstantiater
-
-#
-# Domain that is allow to read anonymous data off the network
-# without providing authentication.
-# Also define boolean to allow anonymous writing
-#
-define(`anonymous_domain', `
-r_dir_file($1_t, { public_content_t public_content_rw_t } )
-bool allow_$1_anon_write false;
-if (allow_$1_anon_write) {
-create_dir_file($1_t,public_content_rw_t)
-}
-')
-#
-# Define a domain that can do anything, so that it is
-# effectively unconfined by the SELinux policy. This
-# means that it is only restricted by the normal Linux
-# protections. Note that you may need to add further rules
-# to allow other domains to interact with this domain as expected,
-# since this macro only allows the specified domain to act upon
-# all other domains and types, not vice versa.
-#
-define(`unconfined_domain', `
-
-typeattribute $1 unrestricted;
-typeattribute $1 privuser;
-
-# Mount/unmount any filesystem.
-allow $1 fs_type:filesystem *;
-
-# Mount/unmount any filesystem with the context= option.
-allow $1 file_type:filesystem *;
-
-# Create/access any file in a labeled filesystem;
-allow $1 file_type:{ file chr_file } ~execmod;
-allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-allow $1 sysctl_t:{ dir file } *;
-allow $1 device_type:devfile_class_set *;
-allow $1 mtrr_device_t:file *;
-
-# Create/access other files. fs_type is to pick up various
-# pseudo filesystem types that are applied to both the filesystem
-# and its files.
-allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
-allow $1 proc_fs:{ dir file } *;
-
-# For /proc/pid
-r_dir_file($1,domain)
-# Write access is for setting attributes under /proc/self/attr.
-allow $1 self:file rw_file_perms;
-
-# Read and write sysctls.
-can_sysctl($1)
-
-# Access the network.
-allow $1 node_type:node *;
-allow $1 netif_type:netif *;
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-allow $1 port_type:tcp_socket name_connect;
-
-# Bind to any network address.
-allow $1 port_type:{ rawip_socket tcp_socket udp_socket } name_bind;
-allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
-# Use/sendto/connectto sockets created by any domain.
-allow $1 domain:{ socket_class_set socket key_socket } *;
-
-# Use descriptors and pipes created by any domain.
-allow $1 domain:fd use;
-allow $1 domain:fifo_file rw_file_perms;
-
-# Act upon any other process.
-allow $1 domain:process ~{ transition dyntransition execmem };
-# Transition to myself, to make get_ordered_context_list happy.
-allow $1 self:process transition;
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g.
-# for runtime-code generation or executable stack.
-allow $1 self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1 self:process execstack;
-}
-
-if (allow_execmod) {
-# Allow text relocations on system shared libraries, e.g. libGL.
-ifdef(`targeted_policy', `
-allow $1 file_type:file execmod;
-', `
-allow $1 texrel_shlib_t:file execmod;
-allow $1 home_type:file execmod;
-')
-}
-
-# Create/access any System V IPC objects.
-allow $1 domain:{ sem msgq shm } *;
-allow $1 domain:msg { send receive };
-
-# Access the security API.
-if (!secure_mode_policyload) {
-allow $1 security_t:security *;
-auditallow $1 security_t:security { load_policy setenforce setbool };
-}dnl end if !secure_mode_policyload
-
-# Perform certain system operations that lacked individual capabilities.
-allow $1 kernel_t:system *;
-
-# Use any Linux capability.
-allow $1 self:capability *;
-
-# Set user information and skip authentication.
-allow $1 self:passwd *;
-
-# Communicate via dbusd.
-allow $1 self:dbus *;
-ifdef(`dbusd.te', `
-allow $1 system_dbusd_t:dbus *;
-')
-
-# Get info via nscd.
-allow $1 self:nscd *;
-ifdef(`nscd.te', `
-allow $1 nscd_t:nscd *;
-')
-
-')dnl end unconfined_domain
-
-
-define(`access_removable_media', `
-
-can_exec($1, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1, noexattrfile)
-create_dir_file($1, removable_t)
-# Write floppies
-allow $1 removable_device_t:blk_file rw_file_perms;
-allow $1 usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1, noexattrfile)
-r_dir_file($1, removable_t)
-allow $1 removable_device_t:blk_file r_file_perms;
-}
-allow $1 removable_t:filesystem getattr;
-
-')
-
-define(`authentication_domain', `
-can_ypbind($1)
-can_kerberos($1)
-can_ldap($1)
-can_resolve($1)
-can_winbind($1)
-r_dir_file($1, cert_t)
-allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
-allow $1 self:capability { audit_write audit_control };
-dontaudit $1 shadow_t:file { getattr read };
-allow $1 sbin_t:dir search;
-allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow $1 var_lib_t:dir r_dir_perms;
-rw_dir_file($1, var_auth_t)
-')
diff --git a/mls/macros/home_macros.te b/mls/macros/home_macros.te
deleted file mode 100644
index e7804256..00000000
--- a/mls/macros/home_macros.te
+++ /dev/null
@@ -1,139 +0,0 @@
-# Home macros
-
-################################################
-# network_home(source)
-#
-# Allows source domain to use a network home
-# This includes privileges of create and execute
-# as well as the ability to create sockets and fifo
-
-define(`network_home', `
-allow $1 autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-can_exec($1, nfs_t)
-allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-can_exec($1, cifs_t)
-allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
-}
-') dnl network_home
-
-################################################
-# write_network_home(source)
-#
-# Allows source domain to create directories and
-# files on network file system
-
-define(`write_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl write_network_home
-
-################################################
-# read_network_home(source)
-#
-# Allows source domain to read directories and
-# files on network file system
-
-define(`read_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl read_network_home
-
-##################################################
-# home_domain_ro_access(source, user, app)
-#
-# Gives source access to the read-only home
-# domain of app for the given user type
-
-define(`home_domain_ro_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-read_network_home($1)
-ifelse($3, `', `
-r_dir_file($1, $2_home_t)
-', `
-r_dir_file($1, $2_$3_ro_home_t)
-')
-') dnl home_domain_ro_access
-
-#################################################
-# home_domain_access(source, user, app)
-#
-# Gives source full access to the home
-# domain of app for the given user type
-#
-# Requires transition in caller
-
-define(`home_domain_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-write_network_home($1)
-ifelse($3, `', `
-file_type_auto_trans($1, $2_home_dir_t, $2_home_t)
-create_dir_file($1, $2_home_t)
-', `
-create_dir_file($1, $2_$3_home_t)
-')
-') dnl home_domain_access
-
-####################################################################
-# home_domain (prefix, app)
-#
-# Creates a domain in the prefix home where an application can
-# store its settings. It is accessible by the prefix domain.
-#
-# Requires transition in caller
-
-define(`home_domain', `
-
-# Declare home domain
-type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
-typealias $1_$2_home_t alias $1_$2_rw_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_home_t)
-allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_access($1_$2_t, $1, $2)
-')
-
-####################################################################
-# home_domain_ro (user, app)
-#
-# Creates a read-only domain in the user home where an application can
-# store its settings. It is fully accessible by the user, but
-# it is read-only for the application.
-#
-
-define(`home_domain_ro', `
-
-# Declare home domain
-type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_ro_home_t alias $1_$2_ro_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_ro_home_t)
-allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_ro_access($1_$2_t, $1, $2)
-')
diff --git a/mls/macros/mini_user_macros.te b/mls/macros/mini_user_macros.te
deleted file mode 100644
index 9f7d9940..00000000
--- a/mls/macros/mini_user_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# mini_user_domain(domain_prefix)
-#
-# Define derived types and rules for a minimal privs user domain named
-# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
-#
-undefine(`mini_user_domain')
-define(`mini_user_domain',`
-# user_t/$1_t is an unprivileged users domain.
-type $1_mini_t, domain, user_mini_domain;
-
-# for ~/.bash_profile and other files that the mini domain should be allowed
-# to read (but not write)
-type $1_home_mini_t, file_type, sysadmfile;
-allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
-allow $1_mini_t $1_home_mini_t:file r_file_perms;
-
-# $1_r is authorized for $1_mini_t for the initial login domain.
-role $1_r types $1_mini_t;
-uses_shlib($1_mini_t)
-pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
-
-allow $1_mini_t devtty_t:chr_file rw_file_perms;
-allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
-dontaudit $1_mini_t proc_t:dir { getattr search };
-allow $1_mini_t self:unix_stream_socket create_socket_perms;
-allow $1_mini_t self:fifo_file rw_file_perms;
-allow $1_mini_t self:process { fork sigchld setpgid };
-dontaudit $1_mini_t var_t:dir search;
-allow $1_mini_t { bin_t sbin_t }:dir search;
-
-dontaudit $1_mini_t device_t:dir { getattr read };
-dontaudit $1_mini_t devpts_t:dir { getattr read };
-dontaudit $1_mini_t proc_t:lnk_file read;
-
-can_exec($1_mini_t, bin_t)
-allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
-dontaudit $1_mini_t home_root_t:dir getattr;
-dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
-dontaudit $1_mini_t $1_home_t:file { append getattr read write };
-
-dontaudit $1_mini_t fs_t:filesystem getattr;
-
-type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
-# uncomment this if using mini domains for console logins
-#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
-
-type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
-type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
-
-domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
-')dnl end mini_user_domain definition
-
diff --git a/mls/macros/network_macros.te b/mls/macros/network_macros.te
deleted file mode 100644
index 3d7bd06a..00000000
--- a/mls/macros/network_macros.te
+++ /dev/null
@@ -1,191 +0,0 @@
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`base_can_network',`
-#
-# Allow the domain to create and use $2 sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:$2_socket connected_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { $2_send rawip_send };
-allow $1 node_type:node { $2_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-ifelse($3, `', `
-allow $1 port_type:$2_socket { send_msg recv_msg };
-', `
-allow $1 $3:$2_socket { send_msg recv_msg };
-')
-
-# XXX Allow binding to any node type. Remove once
-# individual rules have been added to all domains that
-# bind sockets.
-allow $1 node_type:$2_socket node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
-# can_network_server_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { listen accept };
-')
-
-#################################
-#
-# can_network_client_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { connect };
-')
-
-#################################
-#
-# can_network_tcp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_tcp',`
-
-can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
-
-')
-
-#################################
-#
-# can_network_udp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_udp',`
-base_can_network($1, udp, `$2')
-allow $1 self:udp_socket { connect };
-')
-
-#################################
-#
-# can_network_server(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server',`
-
-can_network_server_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_server definition
-
-
-#################################
-#
-# can_network_client(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client',`
-
-can_network_client_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_client definition
-
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-
-can_network_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-ifdef(`mount.te', `
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-')
-
-')dnl end can_network definition
-
-define(`can_resolve',`
-can_network_client($1, `dns_port_t')
-allow $1 dns_port_t:tcp_socket name_connect;
-')
-
-define(`can_portmap',`
-can_network_client($1, `portmap_port_t')
-allow $1 portmap_port_t:tcp_socket name_connect;
-')
-
-define(`can_ldap',`
-can_network_client_tcp($1, `ldap_port_t')
-allow $1 ldap_port_t:tcp_socket name_connect;
-')
-
-define(`can_winbind',`
-ifdef(`winbind.te', `
-allow $1 winbind_var_run_t:dir { getattr search };
-allow $1 winbind_t:unix_stream_socket connectto;
-allow $1 winbind_var_run_t:sock_file { getattr read write };
-')
-')
-
-
-#################################
-#
-# nsswitch_domain(domain)
-#
-# Permissions for looking up uid/username mapping via nsswitch
-#
-define(`nsswitch_domain', `
-can_resolve($1)
-can_ypbind($1)
-can_ldap($1)
-can_winbind($1)
-')
diff --git a/mls/macros/program/apache_macros.te b/mls/macros/program/apache_macros.te
deleted file mode 100644
index a1422bec..00000000
--- a/mls/macros/program/apache_macros.te
+++ /dev/null
@@ -1,205 +0,0 @@
-
-define(`apache_domain', `
-
-#This type is for webpages
-#
-type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-
-# This type is used for .htaccess files
-#
-type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-# This type is used for executable scripts files
-#
-type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
-
-# Type that CGI scripts run as
-type httpd_$1_script_t, domain, privmail, nscd_client_domain;
-role system_r types httpd_$1_script_t;
-uses_shlib(httpd_$1_script_t)
-
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
-allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
-
-allow httpd_$1_script_t httpd_t:fd use;
-allow httpd_$1_script_t httpd_t:process sigchld;
-
-allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_$1_script_t usr_t:lnk_file { getattr read };
-
-allow httpd_$1_script_t self:process { fork signal_perms };
-
-allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
-allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
-allow httpd_$1_script_t etc_runtime_t:file { getattr read };
-read_locale(httpd_$1_script_t)
-allow httpd_$1_script_t fs_t:filesystem getattr;
-allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow httpd_$1_script_t { self proc_t }:file r_file_perms;
-allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
-allow httpd_$1_script_t { self proc_t }:lnk_file read;
-
-allow httpd_$1_script_t device_t:dir { getattr search };
-allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
-}
-
-if (httpd_enable_cgi && httpd_can_network_connect) {
-can_network_client(httpd_$1_script_t)
-allow httpd_$1_script_t port_type:tcp_socket name_connect;
-}
-
-ifdef(`ypbind.te', `
-if (httpd_enable_cgi && allow_ypbind) {
-uncond_can_ypbind(httpd_$1_script_t)
-}
-')
-# The following are the only areas that
-# scripts can read, read/write, or append to
-#
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
-
-domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-allow httpd_$1_script_t httpd_t:fifo_file write;
-
-allow httpd_$1_script_t self:fifo_file rw_file_perms;
-
-allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts. So
-# the perl executable will be able to run a perl script
-#########################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms;
-can_exec_any(httpd_$1_script_t)
-
-allow httpd_$1_script_t etc_t:file { getattr read };
-dontaudit httpd_$1_script_t selinux_config_t:dir search;
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
-can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-allow httpd_$1_script_t home_root_t:dir { getattr search };
-allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-
-#############################################################################
-# Allow the scripts to read, read/write, append to the specified directories
-# or files
-############################################################################
-read_fonts(httpd_$1_script_t)
-r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
-allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
-anonymous_domain(httpd_$1_script)
-
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-create_dir_file(httpd_$1_script_t, httpdcontent)
-can_exec(httpd_$1_script_t, httpdcontent)
-}
-
-#
-# If a user starts a script by hand it gets the proper context
-#
-ifdef(`targeted_policy', `', `
-if (httpd_enable_cgi) {
-domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-')
-role sysadm_r types httpd_$1_script_t;
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search;
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-if (httpd_builtin_scripting) {
-r_dir_file(httpd_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_t, httpd_$1_script_rw_t)
-allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
-}
-
-')
-define(`apache_user_domain', `
-
-apache_domain($1)
-
-typeattribute httpd_$1_content_t $1_file_type;
-
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-}
-
-if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-# If a user starts a script by hand it gets the proper context
-domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-role $1_r types httpd_$1_script_t;
-
-#######################################
-# Allow user to create or edit web content
-#########################################
-
-create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-
-######################################################################
-# Allow the user to create htaccess files
-#####################################################################
-
-allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
-
-#########################################################################
-# Allow user to create files or directories
-# that scripts are able to read, write, or append to
-###########################################################################
-
-create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
-allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
-
-# allow accessing files/dirs below the users home dir
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
-ifdef(`nfs_home_dirs', `
-r_dir_file(httpd_$1_script_t, nfs_t)
-')dnl end if nfs_home_dirs
-}
-ifdef(`crond.te', `
-create_dir_file($1_crond_t, httpd_$1_content_t)
-')
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-create_dir_file(ftpd_t, httpd_$1_content_t)
-}
-')
-
-
-')
diff --git a/mls/macros/program/bonobo_macros.te b/mls/macros/program/bonobo_macros.te
deleted file mode 100644
index 4c3fdac5..00000000
--- a/mls/macros/program/bonobo_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Bonobo
-#
-# Author: Ivan Gyurdiev
-#
-# bonobo_domain(role_prefix) - invoke per role
-# bonobo_client(app_prefix, role_prefix) - invoke per client app
-# bonobo_connect(type1_prefix, type2_prefix) -
-# connect two bonobo clients, the channel is bidirectional
-
-######################
-
-define(`bonobo_domain', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_domain_$1', `', `
-define(`bonobo_domain_$1')
-
-# Type for daemon
-type $1_bonobo_t, domain, nscd_client_domain;
-
-# Transition from caller
-domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
-role $1_r types $1_bonobo_t;
-
-# Shared libraries, gconv-modules
-uses_shlib($1_bonobo_t)
-allow $1_bonobo_t lib_t:file r_file_perms;
-
-read_locale($1_bonobo_t)
-read_sysctl($1_bonobo_t)
-
-# Session management
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1_bonobo, $1)
-
-# nsswitch.conf
-allow $1_bonobo_t etc_t:file { read getattr };
-
-# Fork to start apps
-allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
-allow $1_bonobo_t self:fifo_file rw_file_perms;
-
-# ???
-allow $1_bonobo_t root_t:dir search;
-allow $1_bonobo_t home_root_t:dir search;
-allow $1_bonobo_t $1_home_dir_t:dir search;
-
-# libexec ???
-allow $1_bonobo_t bin_t:dir search;
-
-# ORBit sockets for bonobo
-orbit_domain($1_bonobo, $1)
-
-# Bonobo can launch evolution
-ifdef(`evolution.te', `
-domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
-domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-')
-
-# Bonobo can launch GNOME vfs daemon
-ifdef(`gnome_vfs.te', `
-domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-')
-
-# Transition to ROLE_t on bin_t apps
-# FIXME: The goal is to get rid of this rule, as it
-# defeats the purpose of a separate domain. It is only
-# here temporarily, since bonobo runs as ROLE_t by default anyway
-domain_auto_trans($1_bonobo_t, bin_t, $1_t)
-
-can_pipe_xdm($1_bonobo_t)
-
-') dnl ifdef bonobo_domain_args
-') dnl bonobo_domain
-
-#####################
-
-define(`bonobo_client', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_client_$1_$2', `', `
-define(`bonobo_client_$1_$2')
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd, $1)
-
-# Create ORBit sockets
-orbit_domain($1, $2)
-
-# Connect to bonobo
-orbit_connect($1, $2_bonobo)
-orbit_connect($2_bonobo, $1)
-
-# Lock /tmp/bonobo-activation-register.lock
-# Stat /tmp/bonobo-activation-server.ior
-# FIXME: this should probably be of type $2_bonobo..
-# Note that this is file, not sock_file
-allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
-
-domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
-
-') dnl ifdef bonobo_client_args
-') dnl bonobo_client
-
-#####################
-
-define(`bonobo_connect', `
-
-# FIXME: Should there be a macro for unidirectional conn. ?
-
-orbit_connect($1, $2)
-orbit_connect($2, $1)
-
-') dnl bonobo_connect
diff --git a/mls/macros/program/cdrecord_macros.te b/mls/macros/program/cdrecord_macros.te
deleted file mode 100644
index 72d3f4fd..00000000
--- a/mls/macros/program/cdrecord_macros.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# macros for the cdrecord domain
-# Author: Thomas Bleher
-
-define(`cdrecord_domain', `
-type $1_cdrecord_t, domain, privlog;
-
-domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_cdrecord_t;
-
-uses_shlib($1_cdrecord_t)
-read_locale($1_cdrecord_t)
-
-# allow ps to show cdrecord and allow the user to kill it
-can_ps($1_t, $1_cdrecord_t)
-allow $1_t $1_cdrecord_t:process signal;
-
-# write to the user domain tty.
-access_terminal($1_cdrecord_t, $1)
-allow $1_cdrecord_t privfd:fd use;
-
-allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
-
-allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-can_resmgrd_connect($1_cdrecord_t)
-
-read_content($1_cdrecord_t, $1, cdrecord)
-
-allow $1_cdrecord_t etc_t:file { getattr read };
-
-# allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir r_dir_perms;
-allow $1_cdrecord_t device_t:lnk_file { getattr read };
-
-# allow cdrecord to write the CD
-allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
-allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
-
-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-can_access_pty($1_cdrecord_t, $1)
-allow $1_cdrecord_t $1_home_t:dir search;
-allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
-allow $1_cdrecord_t $1_home_t:file r_file_perms;
-if (use_nfs_home_dirs) {
-allow $1_cdrecord_t mnt_t:dir search;
-r_dir_file($1_cdrecord_t, nfs_t)
-}
-')
-
diff --git a/mls/macros/program/chkpwd_macros.te b/mls/macros/program/chkpwd_macros.te
deleted file mode 100644
index 2151d852..00000000
--- a/mls/macros/program/chkpwd_macros.te
+++ /dev/null
@@ -1,72 +0,0 @@
-#
-# Macros for chkpwd domains.
-#
-
-#
-# chkpwd_domain(domain_prefix)
-#
-# Define a derived domain for the *_chkpwd program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te.
-#
-undefine(`chkpwd_domain')
-ifdef(`chkpwd.te', `
-define(`chkpwd_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
-
-role $1_r types $1_chkpwd_t;
-
-# read /selinux/mls
-allow $1_chkpwd_t security_t:dir search;
-allow $1_chkpwd_t security_t:file read;
-# is_selinux_enabled
-allow $1_chkpwd_t proc_t:file read;
-
-can_getcon($1_chkpwd_t)
-authentication_domain($1_chkpwd_t)
-
-ifelse($1, system, `
-domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-authentication_domain(auth_chkpwd)
-', `
-domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
-
-# Write to the user domain tty.
-access_terminal($1_chkpwd_t, $1)
-
-allow $1_chkpwd_t privfd:fd use;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
-')
-
-uses_shlib($1_chkpwd_t)
-allow $1_chkpwd_t etc_t:file { getattr read };
-allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
-allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-read_locale($1_chkpwd_t)
-
-# Use capabilities.
-allow $1_chkpwd_t self:capability setuid;
-r_dir_file($1_chkpwd_t, selinux_config_t)
-
-# for nscd
-ifdef(`nscd.te', `', `
-dontaudit $1_chkpwd_t var_t:dir search;
-')
-
-dontaudit $1_chkpwd_t fs_t:filesystem getattr;
-')
-
-', `
-
-define(`chkpwd_domain',`')
-
-')
diff --git a/mls/macros/program/chroot_macros.te b/mls/macros/program/chroot_macros.te
deleted file mode 100644
index 47ca86ba..00000000
--- a/mls/macros/program/chroot_macros.te
+++ /dev/null
@@ -1,131 +0,0 @@
-
-# macro for chroot environments
-# Author Russell Coker
-
-# chroot(initial_domain, basename, role, tty_device_type)
-define(`chroot', `
-
-ifelse(`$1', `initrc', `
-define(`chroot_role', `system_r')
-define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
-define(`chroot_mount_domain', `mount_t')
-define(`chroot_fd_use', `{ privfd init_t }')
-', `
-define(`chroot_role', `$1_r')
-define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
-define(`chroot_fd_use', `privfd')
-
-# allow mounting /proc and /dev
-ifdef(`$1_mount_def', `', `
-mount_domain($1, $1_mount)
-role chroot_role types $1_mount_t;
-')
-define(`chroot_mount_domain', `$1_mount_t')
-ifdef(`ssh.te', `
-can_tcp_connect($1_ssh_t, $2_t)
-')dnl end ssh
-')dnl end ifelse initrc
-
-# types for read-only and read-write files in the chroot
-type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
-type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
-# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
-# when you execute it
-type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
-
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
-
-# entry point for $2_super_t
-type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
-# $2_t is the base domain, has full access to $2_rw_t files
-type $2_t, domain;
-# $2_super_t is the super-chroot domain, can also write to $2_ro_t
-# but still can not access outside the chroot
-type $2_super_t, domain;
-allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
-
-ifdef(`$1_chroot_def', `', `
-dnl can not have this defined twice
-define(`$1_chroot_def')
-
-allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
-
-# $1_chroot_t is the domain for /usr/sbin/chroot
-type $1_chroot_t, domain;
-
-# allow $1_chroot_t to write to the tty device
-allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
-allow $1_chroot_t chroot_fd_use:fd use;
-allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
-
-role chroot_role types $1_chroot_t;
-uses_shlib($1_chroot_t)
-allow $1_chroot_t self:capability sys_chroot;
-allow $1_t $1_chroot_t:dir { search getattr read };
-allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
-domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
-allow $1_chroot_t fs_t:filesystem getattr;
-')dnl End conditional
-
-role chroot_role types { $2_t $2_super_t };
-
-# allow ps to show processes and allow killing them
-allow $1_t { $2_super_t $2_t }:dir { search getattr read };
-allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
-allow $1_t { $2_super_t $2_t }:process signal_perms;
-allow $2_super_t $2_t:dir { search getattr read };
-allow $2_super_t $2_t:{ file lnk_file } { read getattr };
-allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
-allow $1_t $2_super_t:process { signal_perms ptrace };
-allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
-
-allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
-allow { $2_super_t $2_t } device_t:dir { search getattr };
-allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
-allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
-allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
-allow $2_super_t self:capability sys_ptrace;
-
-can_tcp_connect($2_super_t, $2_t)
-allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
-
-# quiet ps and killall
-dontaudit { $2_super_t $2_t } domain:dir { search getattr };
-
-# allow $2_t to write to the owner tty device (should remove this)
-allow $2_t chroot_tty_device:chr_file { read write };
-
-r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
-create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-# $2_super_t transitions to $2_t when it executes
-# any file that $2_t can write
-domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
-allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
-r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
-create_dir_notdevfile($2_t, $2_rw_t)
-allow $2_t $2_rw_t:fifo_file create_file_perms;
-allow $2_t $2_ro_t:fifo_file rw_file_perms;
-allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
-create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($1_t, { $2_ro_t $2_dropdown_t })
-domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
-domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
-allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
-general_proc_read_access({ $2_t $2_super_t })
-general_domain_access({ $2_t $2_super_t })
-can_create_pty($2)
-can_create_pty($2_super)
-can_network({ $2_t $2_super_t })
-allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
-allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
-allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
-allow { $2_t $2_super_t } self:capability { dac_override kill };
-
-undefine(`chroot_role')
-undefine(`chroot_tty_device')
-undefine(`chroot_mount_domain')
-undefine(`chroot_fd_use')
-')
diff --git a/mls/macros/program/clamav_macros.te b/mls/macros/program/clamav_macros.te
deleted file mode 100644
index bc159304..00000000
--- a/mls/macros/program/clamav_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for clamscan
-#
-# Author: Brian May
-#
-
-#
-# can_clamd_connect(domain_prefix)
-#
-# Define a domain that can access clamd
-#
-define(`can_clamd_connect',`
-allow $1_t clamd_var_run_t:dir search;
-allow $1_t clamd_var_run_t:sock_file write;
-allow $1_t clamd_sock_t:sock_file write;
-can_unix_connect($1_t, clamd_t)
-')
-
-# clamscan_domain(domain_prefix)
-#
-# Define a derived domain for the clamscan program when executed
-#
-define(`clamscan_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_clamscan_t, domain, privlog;
-
-# Uses shared librarys
-uses_shlib($1_clamscan_t)
-allow $1_clamscan_t fs_t:filesystem getattr;
-r_dir_file($1_clamscan_t, etc_t)
-read_locale($1_clamscan_t)
-
-# Access virus signatures
-allow $1_clamscan_t var_lib_t:dir search;
-r_dir_file($1_clamscan_t, clamav_var_lib_t)
-
-# Allow temp files
-tmp_domain($1_clamscan)
-
-# Why is this required?
-allow $1_clamscan_t proc_t:dir r_dir_perms;
-allow $1_clamscan_t proc_t:file r_file_perms;
-read_sysctl($1_clamscan_t)
-allow $1_clamscan_t self:unix_stream_socket { connect create read write };
-')
-
-define(`user_clamscan_domain',`
-clamscan_domain($1)
-role $1_r types $1_clamscan_t;
-domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
-access_terminal($1_clamscan_t, $1)
-r_dir_file($1_clamscan_t,$1_home_t);
-r_dir_file($1_clamscan_t,$1_home_dir_t);
-allow $1_clamscan_t $1_home_t:file r_file_perms;
-allow $1_clamscan_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;')
-')
-
diff --git a/mls/macros/program/crond_macros.te b/mls/macros/program/crond_macros.te
deleted file mode 100644
index 5e61d7d1..00000000
--- a/mls/macros/program/crond_macros.te
+++ /dev/null
@@ -1,126 +0,0 @@
-#
-# Macros for crond domains.
-#
-
-#
-# Authors: Jonathan Crowley (MITRE) ,
-# Stephen Smalley and Timothy Fraser
-# Russell Coker
-#
-
-#
-# crond_domain(domain_prefix)
-#
-# Define a derived domain for cron jobs executed by crond on behalf
-# of a user domain. These domains are separate from the top-level domain
-# defined for the crond daemon and the domain defined for system cron jobs,
-# which are specified in domains/program/crond.te.
-#
-undefine(`crond_domain')
-define(`crond_domain',`
-# Derived domain for user cron jobs, user user_crond_domain if not system
-ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
-', `
-type $1_crond_t, domain, user_crond_domain;
-
-# Access user files and dirs.
-allow $1_crond_t home_root_t:dir search;
-file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
-
-# Run scripts in user home directory and access shared libs.
-can_exec($1_crond_t, $1_home_t)
-
-file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
-')
-r_dir_file($1_crond_t, selinux_config_t)
-
-# Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile;
-
-ifdef(`fcron.te', `
-allow crond_t $1_cron_spool_t:file create_file_perms;
-')
-
-allow $1_crond_t urandom_device_t:chr_file { getattr read };
-
-allow $1_crond_t usr_t:file { getattr ioctl read };
-allow $1_crond_t usr_t:lnk_file read;
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond
-# via execve_secure. There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, $1_crond_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
-
-# $1_mail_t should only be reading from the cron fifo not needing to write
-dontaudit $1_mail_t crond_t:fifo_file write;
-allow mta_user_agent $1_crond_t:fd use;
-')
-
-# The user role is authorized for this domain.
-role $1_r types $1_crond_t;
-
-# This domain is granted permissions common to most domains.
-can_network($1_crond_t)
-allow $1_crond_t port_type:tcp_socket name_connect;
-can_ypbind($1_crond_t)
-r_dir_file($1_crond_t, self)
-allow $1_crond_t self:fifo_file rw_file_perms;
-allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-allow $1_crond_t etc_runtime_t:file { getattr read };
-allow $1_crond_t self:process { fork signal_perms setsched };
-allow $1_crond_t proc_t:dir r_dir_perms;
-allow $1_crond_t proc_t:file { getattr read ioctl };
-read_locale($1_crond_t)
-read_sysctl($1_crond_t)
-allow $1_crond_t var_spool_t:dir search;
-allow $1_crond_t fs_type:filesystem getattr;
-
-allow $1_crond_t devtty_t:chr_file { read write };
-allow $1_crond_t var_t:dir r_dir_perms;
-allow $1_crond_t var_t:file { getattr read ioctl };
-allow $1_crond_t var_log_t:dir search;
-
-# Use capabilities.
-allow $1_crond_t self:capability dac_override;
-
-# Inherit and use descriptors from initrc - I think this is wrong
-#allow $1_crond_t initrc_t:fd use;
-
-#
-# Since crontab files are not directly executed,
-# crond must ensure that the crontab file has
-# a type that is appropriate for the domain of
-# the user cron job. It performs an entrypoint
-# permission check for this purpose.
-#
-allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
-# Run helper programs.
-can_exec_any($1_crond_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit $1_crond_t boot_t:dir search;
-# quiet other ps operations
-dontaudit $1_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit $1_crond_t var_run_t:dir search;
-')
-
-# When system_crond_t domain executes a type $1 executable then transition to
-# domain $2, allow $2 to interact with crond_t as well.
-define(`system_crond_entry', `
-ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, $1, $2)
-allow $2 crond_t:fifo_file { getattr read write ioctl };
-# a rule for privfd may make this obsolete
-allow $2 crond_t:fd use;
-allow $2 crond_t:process sigchld;
-')dnl end ifdef
-')dnl end system_crond_entry
diff --git a/mls/macros/program/crontab_macros.te b/mls/macros/program/crontab_macros.te
deleted file mode 100644
index a18d80f4..00000000
--- a/mls/macros/program/crontab_macros.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# Macros for crontab domains.
-#
-
-#
-# Authors: Jonathan Crowley (MITRE)
-# Revised by Stephen Smalley
-#
-
-#
-# crontab_domain(domain_prefix)
-#
-# Define a derived domain for the crontab program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/crontab.te.
-#
-undefine(`crontab_domain')
-define(`crontab_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_crontab_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
-
-can_ps($1_t, $1_crontab_t)
-
-# for ^Z
-allow $1_t $1_crontab_t:process signal;
-
-# The user role is authorized for this domain.
-role $1_r types $1_crontab_t;
-
-uses_shlib($1_crontab_t)
-allow $1_crontab_t etc_t:file { getattr read };
-allow $1_crontab_t self:unix_stream_socket create_socket_perms;
-allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
-read_locale($1_crontab_t)
-
-# Use capabilities dac_override is to create the file in the directory
-# under /tmp
-allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-
-# Type for temporary files.
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
-
-# Use the type when creating files in /var/spool/cron.
-allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
-allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
-file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
-allow $1_crontab_t self:process { fork signal_perms };
-ifdef(`fcron.te', `
-# fcron wants an instant update of a crontab change for the administrator
-# also crontab does a security check for crontab -u
-ifelse(`$1', `sysadm', `
-allow $1_crontab_t crond_t:process signal;
-can_setfscreate($1_crontab_t)
-', `
-dontaudit $1_crontab_t crond_t:process signal;
-')dnl end ifelse
-')dnl end ifdef fcron
-
-# for the checks used by crontab -u
-dontaudit $1_crontab_t security_t:dir search;
-allow $1_crontab_t proc_t:dir search;
-allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
-allow $1_crontab_t selinux_config_t:dir search;
-allow $1_crontab_t selinux_config_t:file { getattr read };
-dontaudit $1_crontab_t self:dir search;
-
-# crontab signals crond by updating the mtime on the spooldir
-allow $1_crontab_t cron_spool_t:dir setattr;
-# Allow crond to read those crontabs in cron spool.
-allow crond_t $1_cron_spool_t:file r_file_perms;
-
-# Run helper programs as $1_t
-allow $1_crontab_t { bin_t sbin_t }:dir search;
-allow $1_crontab_t bin_t:lnk_file read;
-domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
-
-# Read user crontabs
-allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
-allow $1_crontab_t $1_home_t:file r_file_perms;
-dontaudit $1_crontab_t $1_home_dir_t:dir write;
-
-# Access the cron log file.
-allow $1_crontab_t crond_log_t:file r_file_perms;
-allow $1_crontab_t crond_log_t:file append;
-
-# Access terminals.
-allow $1_crontab_t device_t:dir search;
-access_terminal($1_crontab_t, $1);
-
-allow $1_crontab_t fs_t:filesystem getattr;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
-allow $1_crontab_t privfd:fd use;
-
-dontaudit $1_crontab_t var_run_t:dir search;
-')
diff --git a/mls/macros/program/daemontools_macros.te b/mls/macros/program/daemontools_macros.te
deleted file mode 100644
index 94c4f8e7..00000000
--- a/mls/macros/program/daemontools_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-ifdef(`daemontools.te', `
-
-define(`svc_ipc_domain',`
-allow $1 svc_start_t:process sigchld;
-allow $1 svc_start_t:fd use;
-allow $1 svc_start_t:fifo_file { read write getattr };
-allow svc_start_t $1:process signal;
-')
-
-') dnl ifdef daemontools
-
diff --git a/mls/macros/program/dbusd_macros.te b/mls/macros/program/dbusd_macros.te
deleted file mode 100644
index 2e542a0a..00000000
--- a/mls/macros/program/dbusd_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for Dbus
-#
-# Author: Colin Walters
-
-# dbusd_domain(domain_prefix)
-#
-# Define a derived domain for the DBus daemon.
-
-define(`dbusd_domain', `
-ifelse(`system', `$1',`
-daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
-# For backwards compatibility
-typealias system_dbusd_t alias dbusd_t;
-type etc_dbusd_t, file_type, sysadmfile;
-',`
-type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
-role $1_r types $1_dbusd_t;
-domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
-read_locale($1_dbusd_t)
-allow $1_t $1_dbusd_t:process { sigkill signal };
-allow $1_dbusd_t self:process { sigkill signal };
-dontaudit $1_dbusd_t var_t:dir { getattr search };
-')dnl end ifelse system
-
-base_file_read_access($1_dbusd_t)
-uses_shlib($1_dbusd_t)
-allow $1_dbusd_t etc_t:file { getattr read };
-r_dir_file($1_dbusd_t, etc_dbusd_t)
-tmp_domain($1_dbusd)
-allow $1_dbusd_t self:process fork;
-can_pipe_xdm($1_dbusd_t)
-
-allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read write };
-allow $1_dbusd_t proc_t:file read;
-
-can_getsecurity($1_dbusd_t)
-r_dir_file($1_dbusd_t, default_context_t)
-allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file($1_dbusd_t, pam_var_console_t)
-')
-
-allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-
-')dnl end dbusd_domain definition
-
-# dbusd_client(dbus_type, domain_prefix)
-# Example: dbusd_client_domain(system, user)
-#
-# Define a new derived domain for connecting to dbus_type
-# from domain_prefix_t.
-undefine(`dbusd_client')
-define(`dbusd_client',`
-
-ifdef(`dbusd.te',`
-# Derived type used for connection
-type $2_dbusd_$1_t;
-type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
-
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-
-# For connecting to the bus
-allow $2_t $1_dbusd_t:unix_stream_socket connectto;
-
-ifelse(`system', `$1', `
-allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`') dnl endif system
-') dnl endif dbusd.te
-')
-
-# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
-# Example: can_dbusd_converse(system, hald, updfstab)
-# Example: can_dbusd_converse(session, user, user)
-define(`can_dbusd_converse',`')
-ifdef(`dbusd.te',`
-undefine(`can_dbusd_converse')
-define(`can_dbusd_converse',`
-allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
-allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
-') dnl endif dbusd.te
-')
diff --git a/mls/macros/program/ethereal_macros.te b/mls/macros/program/ethereal_macros.te
deleted file mode 100644
index 36f1a966..00000000
--- a/mls/macros/program/ethereal_macros.te
+++ /dev/null
@@ -1,82 +0,0 @@
-# DESC - Ethereal
-#
-# Author: Ivan Gyurdiev
-#
-
-#############################################################
-# ethereal_networking(app_prefix) -
-# restricted ethereal rules (sysadm only)
-#
-
-define(`ethereal_networking', `
-
-# Create various types of sockets
-allow $1_t self:netlink_route_socket create_netlink_socket_perms;
-allow $1_t self:udp_socket create_socket_perms;
-allow $1_t self:packet_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:tcp_socket create_socket_perms;
-
-allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };
-
-# Resolve names via DNS
-can_resolve($1_t)
-
-') dnl ethereal_networking
-
-########################################################
-# Ethereal (GNOME)
-#
-
-define(`ethereal_domain', `
-
-# Type for program
-type $1_ethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
-role $1_r types $1_ethereal_t;
-
-# Manual transition from userhelper
-ifdef(`userhelper.te', `
-allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
-allow $1_ethereal_t userhelperdomain:fd use;
-allow $1_ethereal_t userhelperdomain:process sigchld;
-') dnl userhelper
-
-# X, GNOME
-x_client_domain($1_ethereal, $1)
-gnome_application($1_ethereal, $1)
-gnome_file_dialog($1_ethereal, $1)
-
-# Why does it write this?
-ifdef(`snmpd.te', `
-dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-')
-
-# /home/.ethereal
-home_domain($1, ethereal)
-file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
-
-# Enable restricted networking rules for sysadm - this is shared w/ tethereal
-ifelse($1, `sysadm', `
-ethereal_networking($1_ethereal)
-
-# Ethereal tries to write to user terminal
-dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
-dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
-', `')
-
-# Store temporary files
-tmp_domain($1_ethereal)
-
-# Re-execute itself (why?)
-can_exec($1_ethereal_t, ethereal_exec_t)
-allow $1_ethereal_t sbin_t:dir search;
-
-# Supress .local denials until properly implemented
-dontaudit $1_ethereal_t $1_home_t:dir search;
-
-# FIXME: policy is incomplete
-
-') dnl ethereal_domain
diff --git a/mls/macros/program/evolution_macros.te b/mls/macros/program/evolution_macros.te
deleted file mode 100644
index 37fc0879..00000000
--- a/mls/macros/program/evolution_macros.te
+++ /dev/null
@@ -1,234 +0,0 @@
-#
-# Evolution
-#
-# Author: Ivan Gyurdiev
-#
-
-################################################
-# evolution_common(app_prefix,role_prefix)
-#
-define(`evolution_common', `
-
-# Gnome common stuff
-gnome_application($1, $2)
-
-# Stat root
-allow $1_t root_t:dir search;
-
-# Access null device
-allow $1_t null_device_t:chr_file rw_file_perms;
-
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-dontaudit $1_t $2_home_t:dir r_dir_perms;
-
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
-dontaudit $1_t $2_home_t:file r_file_perms;
-
-') dnl evolution_common
-
-#######################################
-# evolution_data_server(role_prefix)
-#
-
-define(`evolution_data_server', `
-
-# Type for daemon
-type $1_evolution_server_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_evolution_trans) {
-domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
-}
-role $1_r types $1_evolution_server_t;
-
-# Evolution common stuff
-evolution_common($1_evolution_server, $1)
-
-# Access evolution home
-home_domain_access($1_evolution_server_t, $1, evolution)
-
-# Talks to exchange
-bonobo_connect($1_evolution_server, $1_evolution_exchange)
-
-can_exec($1_evolution_server_t, shell_exec_t)
-
-# Obtain weather data via http (read server name from xml file in /usr)
-allow $1_evolution_server_t usr_t:file r_file_perms;
-can_resolve($1_evolution_server_t)
-can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } )
-allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect;
-
-# Talk to ldap (address book)
-can_network_client_tcp($1_evolution_server_t, ldap_port_t)
-allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
-
-# Look in /etc/pki
-r_dir_file($1_evolution_server_t, cert_t)
-
-') dnl evolution_data_server
-
-#######################################
-# 
evolution_webcal(role_prefix)
-#
-
-define(`evolution_webcal', `
-
-# Type for program
-type $1_evolution_webcal_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-role $1_r types $1_evolution_webcal_t;
-
-# X/evolution common stuff
-x_client_domain($1_evolution_webcal, $1)
-evolution_common($1_evolution_webcal, $1)
-
-# Search home directory (?)
-allow $1_evolution_webcal_t $1_home_dir_t:dir search;
-
-# Networking capability - connect to website and handle ics link
-# FIXME: is this necessary ?
-can_resolve($1_evolution_webcal_t);
-can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } )
-allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect;
-
-') dnl evolution_webcal
-
-#######################################
-# evolution_alarm(role_prefix)
-#
-define(`evolution_alarm', `
-
-# Type for program
-type $1_evolution_alarm_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-role $1_r types $1_evolution_alarm_t;
-
-# Common evolution stuff, X
-evolution_common($1_evolution_alarm, $1)
-x_client_domain($1_evolution_alarm, $1)
-
-# Connect to exchange, e-d-s
-bonobo_connect($1_evolution_alarm, $1_evolution_server)
-bonobo_connect($1_evolution_alarm, $1_evolution_exchange)
-
-# Access evolution home
-home_domain_access($1_evolution_alarm_t, $1, evolution)
-
-') dnl evolution_alarm
-
-########################################
-# evolution_exchange(role_prefix)
-#
-define(`evolution_exchange', `
-
-# Type for program
-type $1_evolution_exchange_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-role $1_r types $1_evolution_exchange_t;
-
-# Common evolution stuff, X
-evolution_common($1_evolution_exchange, $1)
-x_client_domain($1_evolution_exchange, $1)
-
-# Access 
evolution home
-home_domain_access($1_evolution_exchange_t, $1, evolution)
-
-# /tmp/.exchange-$USER
-tmp_domain($1_evolution_exchange)
-
-# Allow netstat
-allow $1_evolution_exchange_t bin_t:dir search;
-can_exec($1_evolution_exchange_t, bin_t)
-r_dir_file($1_evolution_exchange_t, proc_net_t)
-allow $1_evolution_exchange_t sysctl_net_t:dir search;
-allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms;
-
-# Clock applet talks to exchange (FIXME: Needs policy)
-bonobo_connect($1, $1_evolution_exchange)
-
-# FIXME: policy incomplete
-
-') dnl evolution_exchange
-
-#######################################
-# evolution_domain(role_prefix)
-#
-
-define(`evolution_domain', `
-
-# Type for program
-type $1_evolution_t, domain, nscd_client_domain, privlog;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
-role $1_r types $1_evolution_t;
-
-# X, mail, evolution common stuff
-x_client_domain($1_evolution, $1)
-mail_client_domain($1_evolution, $1)
-gnome_file_dialog($1_evolution, $1)
-evolution_common($1_evolution, $1)
-
-# Connect to e-d-s, exchange, alarm
-bonobo_connect($1_evolution, $1_evolution_server)
-bonobo_connect($1_evolution, $1_evolution_exchange)
-bonobo_connect($1_evolution, $1_evolution_alarm)
-
-# Access .evolution
-home_domain($1, evolution)
-
-# Store passwords in .gnome2_private
-gnome_private_store($1_evolution, $1)
-
-# Run various programs
-allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms;
-allow $1_evolution_t { self bin_t }:lnk_file r_file_perms;
-
-### Junk mail filtering (start spamd)
-ifdef(`spamd.te', `
-# Start the spam daemon
-domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)
-role $1_r types spamd_t;
-
-# Write pid file and socket in ~/.evolution/cache/tmp
-file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file })
-
-# Allow evolution to signal the daemon
-# FIXME: Now evolution can read spamd temp files
-allow $1_evolution_t 
spamd_tmp_t:file r_file_perms;
-allow $1_evolution_t spamd_t:process signal;
-dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr;
-') dnl spamd.te
-
-### Junk mail filtering (start spamc)
-ifdef(`spamc.te', `
-domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t)
-
-# Allow connection to spamd socket above
-allow $1_spamc_t $1_evolution_home_t:dir search;
-') dnl spamc.te
-
-### Junk mail filtering (start spamassassin)
-ifdef(`spamassassin.te', `
-domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
-') dnl spamassasin.te
-
-') dnl evolution_domain
-
-#################################
-# evolution_domains(role_prefix)
-
-define(`evolution_domains', `
-evolution_domain($1)
-evolution_data_server($1)
-evolution_webcal($1)
-evolution_alarm($1)
-evolution_exchange($1)
-') dnl end evolution_domains
diff --git a/mls/macros/program/exim_macros.te b/mls/macros/program/exim_macros.te
deleted file mode 100644
index 610ca152..00000000
--- a/mls/macros/program/exim_macros.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#DESC Exim - Mail server
-#
-# Author: David Hampton
-# From postfix.te by Russell Coker
-# Depends: mta.te
-#
-
-##########
-# Permissions common to the exim daemon, and exim invoked by a user to
-# send a file
-##########
-define(`exim_common',`
-
-# Networking - All instances need to talk to other mail hosts and
-# amavisd
-can_network_tcp($1_t);
-allow $1_t smtp_port_t:tcp_socket name_connect;
-## can_network_client_tcp($1_t, smtp_port_t);
-## ifdef(`amavis.te', `
-## can_network_client_tcp($1_t, amavisd_recv_port_t);
-## allow $1_t amavisd_recv_port_t:tcp_socket { recv_msg send_msg };
-## ')
-can_resolve($1_t);
-
-# Exim forks children to do its work.
-general_domain_access($1_t)
-
-# Certs and SSL
-r_dir_file($1_t, cert_t)
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-general_proc_read_access($1_t)
-read_locale($1_t)
-
-allow $1_t etc_t:file { getattr read };
-allow $1_t sbin_t:dir search;
-allow $1_t tmp_t:dir getattr;
-allow $1_t self:fifo_file { read write };
-can_exec($1_t, exim_exec_t)
-allow $1_t self:capability { chown fowner dac_override setgid setuid };
-allow $1_t self:process setrlimit;
-
-# Have to walk through /var/xxx to get to /var/xxx/exim
-allow $1_t var_log_t:dir search;
-allow $1_t var_spool_t:dir search;
-
-# Exim creates a spool file per message
-create_dir_file($1_t, exim_spool_t);
-# It also creates a log file per message
-create_dir_file($1_t, exim_log_t);
-# The database is modified by every message
-allow $1_t exim_spool_db_t:dir search;
-allow $1_t exim_spool_db_t:file rw_file_perms;
-
-# Checking the existence of mailman lists
-allow $1_t mailman_data_t:file getattr;
-
-# Trying to read mtab
-dontaudit $1_t etc_runtime_t:file { getattr read };
-')
-
-
-define(`exim_user_domain',`
-########################################
-########################################
-application_domain(exim_$1, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog');
-in_user_role(exim_$1_t)
-domain_auto_trans($1_t, exim_exec_t, exim_$1_t)
-exim_common(exim_$1)
-role $1_r types exim_$1_t;
-allow exim_$1_t $1_tmp_t:file { getattr read };
-allow exim_$1_t $1_devpts_t:chr_file rw_file_perms;
-allow exim_$1_t sshd_t:fd use;
-')
-
diff --git a/mls/macros/program/fingerd_macros.te b/mls/macros/program/fingerd_macros.te
deleted file mode 100644
index fd56ca7f..00000000
--- a/mls/macros/program/fingerd_macros.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Macro for fingerd
-#
-# Author: Russell Coker
-#
-
-#
-# fingerd_macro(domain_prefix)
-#
-# allow fingerd to create a fingerlog file in the user home dir
-#
-define(`fingerd_macro', `
-type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type;
-file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
-')
diff --git a/mls/macros/program/fontconfig_macros.te b/mls/macros/program/fontconfig_macros.te
deleted file mode 100644
index 7f4a56d3..00000000
--- a/mls/macros/program/fontconfig_macros.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Fontconfig related types
-#
-# Author: Ivan Gyurdiev
-#
-# fontconfig_domain(role_prefix) - create fontconfig domain
-#
-# read_fonts(domain, role_prefix) -
-# allow domain to read fonts, optionally per/user
-#
-
-define(`fontconfig_domain', `
-
-type $1_fonts_t, file_type, $1_file_type, sysadmfile;
-type $1_fonts_config_t, file_type, $1_file_type, sysadmfile;
-type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
-
-create_dir_file($1_t, $1_fonts_t)
-allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom };
-
-create_dir_file($1_t, $1_fonts_config_t)
-allow $1_t $1_fonts_config_t:file { relabelto relabelfrom };
-
-# For startup relabel
-allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
-
-') dnl fontconfig_domain
-
-####################
-
-define(`read_fonts', `
-
-# Read global fonts and font config
-r_dir_file($1, fonts_t)
-r_dir_file($1, etc_t)
-
-ifelse(`$2', `', `', `
-
-# Manipulate the global font cache
-create_dir_file($1, $2_fonts_cache_t)
-
-# Read per user fonts and font config
-r_dir_file($1, $2_fonts_t)
-r_dir_file($1, $2_fonts_config_t)
-
-# There are some fonts in .gnome2
-ifdef(`gnome.te', `
-allow $1 $2_gnome_settings_t:dir { getattr search };
-')
-
-') dnl ifelse
-') dnl read_fonts
diff --git a/mls/macros/program/games_domain.te b/mls/macros/program/games_domain.te
deleted file mode 100644
index d4c1d053..00000000
--- a/mls/macros/program/games_domain.te
+++ /dev/null
@@ -1,89 +0,0 @@
-#DESC games
-#
-# Macros for games
-#
-#
-# Authors: Dan Walsh
-#
-#
-# games_domain(domain_prefix)
-#
-#
-define(`games_domain', `
-
-type $1_games_t, domain, nscd_client_domain;
-
-# Type transition
-if (! disable_games_trans) {
-domain_auto_trans($1_t, games_exec_t, $1_games_t)
-}
-can_exec($1_games_t, games_exec_t)
-role $1_r types $1_games_t;
-
-can_create_pty($1_games)
-
-# X access, GNOME, /tmp files
-x_client_domain($1_games, $1)
-tmp_domain($1_games, `', { dir notdevfile_class_set })
-gnome_application($1_games, $1)
-gnome_file_dialog($1_games, $1)
-
-# Games seem to need this
-if (allow_execmem) {
-allow $1_games_t self:process execmem;
-}
-
-allow $1_games_t texrel_shlib_t:file execmod;
-allow $1_games_t var_t:dir { search getattr };
-rw_dir_create_file($1_games_t, games_data_t)
-allow $1_games_t sound_device_t:chr_file rw_file_perms;
-can_udp_send($1_games_t, $1_games_t)
-can_tcp_connect($1_games_t, $1_games_t)
-
-# Access /home/user/.gnome2
-# FIXME: Change to use per app types
-create_dir_file($1_games_t, $1_gnome_settings_t)
-
-# FIXME: why is this necessary - ORBit?
-# ORBit works differently now
-create_dir_file($1_games_t, $1_tmp_t)
-allow $1_games_t $1_tmp_t:sock_file create_file_perms;
-can_unix_connect($1_t, $1_games_t)
-can_unix_connect($1_games_t, $1_t)
-
-ifdef(`xdm.te', `
-allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
-allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
-allow $1_games_t xdm_var_lib_t:file { getattr read };
-')dnl end if xdm.te
-
-allow $1_games_t var_lib_t:dir search;
-r_dir_file($1_games_t, man_t)
-allow $1_games_t { proc_t self }:dir search;
-allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
-ifdef(`mozilla.te', `
-dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
-')
-allow $1_games_t event_device_t:chr_file getattr;
-allow $1_games_t mouse_device_t:chr_file getattr;
-
-allow $1_games_t self:file { getattr read };
-allow $1_games_t self:sem create_sem_perms;
-
-allow $1_games_t { bin_t sbin_t }:dir { getattr search };
-can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
-allow $1_games_t bin_t:lnk_file read;
-
-dontaudit $1_games_t var_run_t:dir search;
-dontaudit $1_games_t initrc_var_run_t:file { read write };
-dontaudit $1_games_t var_log_t:dir search;
-
-can_network($1_games_t)
-allow $1_games_t port_t:tcp_socket name_bind;
-allow $1_games_t port_t:tcp_socket name_connect;
-
-# Suppress .icons denial until properly implemented
-dontaudit $1_games_t $1_home_t:dir read;
-
-')dnl end macro definition
-
diff --git a/mls/macros/program/gconf_macros.te b/mls/macros/program/gconf_macros.te
deleted file mode 100644
index 6f97ca33..00000000
--- a/mls/macros/program/gconf_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# GConfd daemon
-#
-# Author: Ivan Gyurdiev
-#
-
-#######################################
-# gconfd_domain(role_prefix)
-#
-
-define(`gconfd_domain', `
-
-# Type for daemon
-type $1_gconfd_t, domain, nscd_client_domain, privlog;
-
-gnome_application($1_gconfd, $1)
-
-# Transition from user type
-domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t)
-role $1_r types $1_gconfd_t;
-
-allow $1_gconfd_t self:process { signal getsched };
-
-# Access .gconfd and .gconf
-home_domain($1, gconfd)
-file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir)
-
-# Access /etc/gconf
-r_dir_file($1_gconfd_t, gconf_etc_t)
-
-# /tmp/gconfd-USER
-tmp_domain($1_gconfd)
-
-can_pipe_xdm($1_gconfd_t)
-ifdef(`xdm.te', `
-allow xdm_t $1_gconfd_t:process signal;
-')
-
-') dnl gconf_domain
-
-#####################################
-# gconf_client(prefix, role_prefix)
-#
-
-define(`gconf_client', `
-
-# Launch the daemon if necessary
-domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)
-
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd)
-
-# Read lock/ior
-allow $1_t $2_gconfd_tmp_t:dir { getattr search };
-allow $1_t $2_gconfd_tmp_t:file { getattr read };
-
-') dnl gconf_client
diff --git a/mls/macros/program/gift_macros.te b/mls/macros/program/gift_macros.te
deleted file mode 100644
index d8e39e2f..00000000
--- a/mls/macros/program/gift_macros.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#
-# Macros for giFT
-#
-# Author: Ivan Gyurdiev
-#
-# gift_domains(domain_prefix)
-# declares a domain for giftui and giftd
-
-#########################
-# gift_domain(user) #
-#########################
-
-define(`gift_domain', `
-
-# Type transition
-type $1_gift_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-role $1_r types $1_gift_t;
-
-# X access, Home files, GNOME, /tmp
-x_client_domain($1_gift, $1)
-gnome_application($1_gift, $1)
-home_domain($1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_gift_t)
-allow $1_t $1_gift_t:process signal_perms;
-
-# Launch gift daemon
-allow $1_gift_t bin_t:dir search;
-domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
-
-# Connect to gift daemon
-can_network_client_tcp($1_gift_t, giftd_port_t)
-allow $1_gift_t giftd_port_t:tcp_socket name_connect;
-
-# Read /proc/meminfo
-allow $1_gift_t proc_t:dir search;
-allow $1_gift_t proc_t:file { getattr read };
-
-# giftui looks in .icons, .themes.
-dontaudit $1_gift_t $1_home_t:dir { getattr read search };
-dontaudit $1_gift_t $1_home_t:file { getattr read };
-
-') dnl gift_domain
-
-##########################
-# giftd_domain(user) #
-##########################
-
-define(`giftd_domain', `
-
-type $1_giftd_t, domain;
-
-# Transition from user type
-domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
-role $1_r types $1_giftd_t;
-
-# Self permissions, allow fork
-allow $1_giftd_t self:process { fork signal sigchld setsched };
-allow $1_giftd_t self:unix_stream_socket create_socket_perms;
-
-read_sysctl($1_giftd_t)
-read_locale($1_giftd_t)
-uses_shlib($1_giftd_t)
-access_terminal($1_giftd_t, $1)
-
-# Read /proc/meminfo
-allow $1_giftd_t proc_t:dir search;
-allow $1_giftd_t proc_t:file { getattr read };
-
-# Read /etc/mtab
-allow $1_giftd_t etc_runtime_t:file { getattr read };
-
-# Access home domain
-home_domain_access($1_giftd_t, $1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Serve content on various p2p networks. Ports can be random.
-can_network_server($1_giftd_t)
-allow $1_giftd_t self:udp_socket listen;
-allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
-
-# Connect to various p2p networks. Ports can be random.
-can_network_client($1_giftd_t)
-allow $1_giftd_t port_type:tcp_socket name_connect;
-
-# Plugins
-r_dir_file($1_giftd_t, usr_t)
-
-# Connect to xdm
-can_pipe_xdm($1_giftd_t)
-
-') dnl giftd_domain
-
-##########################
-# gift_domains(user) #
-##########################
-
-define(`gift_domains', `
-gift_domain($1)
-giftd_domain($1)
-') dnl gift_domains
diff --git a/mls/macros/program/gnome_macros.te b/mls/macros/program/gnome_macros.te
deleted file mode 100644
index 5d31af51..00000000
--- a/mls/macros/program/gnome_macros.te
+++ /dev/null
@@ -1,115 +0,0 @@
-#
-# GNOME related types
-#
-# Author: Ivan Gyurdiev
-#
-# gnome_domain(role_prefix) - create GNOME domain (run for each role)
-# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps
-# gnome_file_dialog(role_prefix) - gnome file dialog rules
-# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private
-
-define(`gnome_domain', `
-
-# Types for .gnome2 and .gnome2_private.
-# For backwards compatibility, allow unrestricted
-# access from ROLE_t. However, content inside
-# *should* be labeled per application eventually.
-# For .gnome2_private, use the private_store macro below.
-
-type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile;
-create_dir_file($1_t, $1_gnome_settings_t)
-allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto };
-
-type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile;
-create_dir_file($1_t, $1_gnome_secret_t)
-allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto };
-
-# GConf domain
-gconfd_domain($1)
-gconf_client($1, $1)
-
-# Bonobo-activation-server
-bonobo_domain($1)
-bonobo_client($1, $1)
-
-# GNOME vfs daemon
-gnome_vfs_domain($1)
-gnome_vfs_client($1, $1)
-
-# ICE is necessary for session management
-ice_domain($1, $1)
-
-')
-
-#################################
-
-define(`gnome_application', `
-
-# If launched from a terminal
-access_terminal($1_t, $2)
-
-# Forking is generally okay
-allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork };
-allow $1_t self:fifo_file rw_file_perms;
-
-# Shlib, locale, sysctl, proc
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t { self proc_t }:dir { search read getattr };
-allow $1_t { self proc_t }:{ file lnk_file } { read getattr };
-
-# Most gnome apps use bonobo
-bonobo_client($1, $2)
-
-# Within-process bonobo-activation of components
-bonobo_connect($1, $1)
-
-# Session management happens over ICE
-# FIXME: More specific context is needed for 
gnome-session
-ice_connect($1, $2)
-
-# Most talk to GConf
-gconf_client($1, $2)
-
-# Allow getattr/read/search of .gnome2 and .gnome2_private
-# Reading files should *not* be allowed - instead, more specific
-# types should be created to handle such requests
-allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms;
-
-# Access /etc/mtab, /etc/nsswitch.conf
-allow $1_t etc_t:file { read getattr };
-allow $1_t etc_runtime_t:file { read getattr };
-
-# Themes, gtkrc
-allow $1_t usr_t:{ file lnk_file } r_file_perms;
-
-') dnl gnome_application
-
-################################
-
-define(`gnome_file_dialog', `
-
-# GNOME Open/Save As dialogs
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-
-# Bonobo connection to gnome_vfs daemon
-bonobo_connect($1, $2_gnome_vfs)
-
-') dnl gnome_file_dialog
-
-################################
-
-define(`gnome_private_store', `
-
-# Type for storing secret data
-# (different from home, not directly accessible from ROLE_t)
-type $1_secret_t, file_type, $2_file_type, sysadmfile;
-
-# Put secret files in .gnome2_private
-file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);
-allow $2_t $1_secret_t:file unlink;
-
-') dnl gnome_private_store
diff --git a/mls/macros/program/gnome_vfs_macros.te b/mls/macros/program/gnome_vfs_macros.te
deleted file mode 100644
index 8ff5c28a..00000000
--- a/mls/macros/program/gnome_vfs_macros.te
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# GNOME VFS daemon
-#
-# Author: Ivan Gyurdiev
-#
-
-#######################################
-# gnome_vfs_domain(role_prefix)
-#
-
-define(`gnome_vfs_domain', `
-
-# Type for daemon
-type $1_gnome_vfs_t, domain, nscd_client_domain;
-
-# GNOME, dbus
-gnome_application($1_gnome_vfs, $1)
-dbusd_client(system, $1_gnome_vfs)
-allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
-ifdef(`hald.te', `
-allow $1_gnome_vfs_t hald_t:dbus send_msg;
-allow hald_t $1_gnome_vfs_t:dbus send_msg;
-')
-
-# Transition from user type
-domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-role $1_r types $1_gnome_vfs_t;
-
-# Stat top level directories on mount_points (check free space?)
-allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr;
-
-# Search path to /home (??)
-allow $1_gnome_vfs_t home_root_t:dir search;
-allow $1_gnome_vfs_t $1_home_dir_t:dir search;
-
-# Search path to rpc_pipefs mount point (??)
-allow $1_gnome_vfs_t var_lib_nfs_t:dir search;
-allow $1_gnome_vfs_t var_lib_t:dir search;
-
-# Search libexec (??)
-allow $1_gnome_vfs_t bin_t:dir search;
-can_exec($1_gnome_vfs_t, bin_t)
-
-') dnl gnome_vfs_domain
-
-#####################################
-# gnome_vfs_client(prefix, role_prefix)
-#
-
-define(`gnome_vfs_client', `
-
-# Connect over bonobo
-bonobo_connect($1, $2_gnome_vfs)
-
-') dnl gnome_vfs_client
diff --git a/mls/macros/program/gpg_agent_macros.te b/mls/macros/program/gpg_agent_macros.te
deleted file mode 100644
index f7ad8b04..00000000
--- a/mls/macros/program/gpg_agent_macros.te
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# Macros for gpg agent
-#
-# Author: Thomas Bleher
-#
-#
-# gpg_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg-agent.te.
-#
-define(`gpg_agent_domain',`
-# Define a derived domain for the gpg-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_agent_t, domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_gpg_agent_t;
-
-allow $1_gpg_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_gpg_agent_t, $1)
-
-# Allow the user shell to signal the gpg-agent program.
-allow $1_t $1_gpg_agent_t:process { signal sigkill };
-# allow ps to show gpg-agent
-can_ps($1_t, $1_gpg_agent_t)
-
-uses_shlib($1_gpg_agent_t)
-read_locale($1_gpg_agent_t)
-
-# rlimit: gpg-agent wants to prevent coredumps
-allow $1_gpg_agent_t self:process { setrlimit fork sigchld };
-
-allow $1_gpg_agent_t { self proc_t }:dir search;
-allow $1_gpg_agent_t { self proc_t }:lnk_file read;
-
-allow $1_gpg_agent_t device_t:dir { getattr read };
-
-# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_agent_t, cifs_t)
-}
-
-allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_agent_t self:fifo_file { getattr read write };
-
-# create /tmp files
-tmp_domain($1_gpg_agent, `', `{ file dir sock_file }')
-
-# gpg connect
-allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-can_unix_connect($1_gpg_t, $1_gpg_agent_t)
-
-# policy for pinentry
-# ===================
-# we need to allow gpg-agent to call pinentry so it can get the passphrase
-# from the user.
-# Please note that I didnt use the x_client_domain-macro as it gives too
-# much permissions
-type $1_gpg_pinentry_t, domain;
-role $1_r types $1_gpg_pinentry_t;
-
-allow $1_gpg_agent_t bin_t:dir search;
-domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
-uses_shlib($1_gpg_pinentry_t)
-read_locale($1_gpg_pinentry_t)
-
-allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
-
-ifdef(`xdm.te', `
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-')dnl end ig xdm.te
-
-read_fonts($1_gpg_pinentry_t, $1)
-# read kde font cache
-allow $1_gpg_pinentry_t usr_t:file { getattr read };
-
-allow $1_gpg_pinentry_t { proc_t self }:dir search;
-allow $1_gpg_pinentry_t { proc_t self }:lnk_file read;
-# read /proc/meminfo
-allow $1_gpg_pinentry_t proc_t:file read;
-
-allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
-
-# for .Xauthority
-allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
-# wants to put some lock files into the user home dir, seems to work fine without
-dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-if (use_nfs_home_dirs) {
-allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-allow $1_gpg_pinentry_t nfs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t nfs_t:file write;
-}
-if (use_samba_home_dirs) {
-allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-allow $1_gpg_pinentry_t cifs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t cifs_t:file write;
-}
-
-# read /etc/X11/qtrc
-allow $1_gpg_pinentry_t etc_t:file { getattr read };
-
-dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search };
-
-')dnl end if gpg_agent
diff --git a/mls/macros/program/gpg_macros.te b/mls/macros/program/gpg_macros.te
deleted file mode 100644
index 9dba8f7c..00000000
--- a/mls/macros/program/gpg_macros.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# Macros for gpg and pgp
-#
-# Author: Russell Coker
-#
-# based on the work of:
-# Stephen Smalley and Timothy Fraser
-#
-
-#
-# gpg_domain(domain_prefix)
-#
-# Define a derived domain for the gpg/pgp program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg.te.
-#
-define(`gpg_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
-role $1_r types $1_gpg_t;
-
-can_network($1_gpg_t)
-allow $1_gpg_t port_type:tcp_socket name_connect;
-can_ypbind($1_gpg_t)
-
-# for a bug in kmail
-dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
-
-allow $1_gpg_t device_t:dir r_dir_perms;
-allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-allow $1_gpg_t etc_t:file r_file_perms;
-
-allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-access_terminal($1_gpg_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors
-allow $1_gpg_t { privfd $1_t }:fd use;
-allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
-
-# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-# allow ps to show gpg
-can_ps($1_t, $1_gpg_t)
-
-uses_shlib($1_gpg_t)
-
-# Access .gnupg
-rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
-
-# Read content to encrypt/decrypt/sign
-read_content($1_gpg_t, $1)
-
-# Write content to encrypt/decrypt/sign
-write_trusted($1_gpg_t, $1)
-
-allow $1_gpg_t self:capability { ipc_lock setuid };
-
-allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
-allow $1_gpg_t fs_t:filesystem getattr;
-allow $1_gpg_t usr_t:file r_file_perms;
-read_locale($1_gpg_t)
-
-dontaudit $1_gpg_t var_t:dir search;
-
-ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
-
-# for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the
-# mail interface you will likely need additional permissions.
-type $1_gpg_helper_t, domain;
-role $1_r types $1_gpg_helper_t;
-
-domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-uses_shlib($1_gpg_helper_t)
-
-# allow gpg to fork so it can call the helpers
-allow $1_gpg_t self:process { fork sigchld };
-allow $1_gpg_t self:fifo_file { getattr read write };
-
-dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-if (use_nfs_home_dirs) {
-dontaudit $1_gpg_helper_t nfs_t:file { read write };
-}
-if (use_samba_home_dirs) {
-dontaudit $1_gpg_helper_t cifs_t:file { read write };
-}
-
-# communicate with the user
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file write;
-# get keys from the network
-can_network_client($1_gpg_helper_t)
-allow $1_gpg_helper_t port_type:tcp_socket name_connect;
-allow $1_gpg_helper_t etc_t:file { getattr read };
-allow $1_gpg_helper_t urandom_device_t:chr_file read;
-allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-# for nscd
-dontaudit $1_gpg_helper_t var_t:dir search;
-
-can_pipe_xdm($1_gpg_t)
-
-')dnl end gpg_domain definition
diff --git a/mls/macros/program/gph_macros.te b/mls/macros/program/gph_macros.te
deleted file mode 100644
index d784fcc3..00000000
--- a/mls/macros/program/gph_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for gnome-pty-helper domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# gph_domain(domain_prefix, role_prefix)
-#
-# Define a derived domain for the gnome-pty-helper program when
-# executed by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gnome-pty-helper.te.
-#
-# The *_gph_t domains are for the gnome_pty_helper program.
-# This program is executed by gnome-terminal to handle
-# updates to utmp and wtmp. In this regard, it is similar
-# to utempter. However, unlike utempter, gnome-pty-helper
-# also creates the pty file for the terminal program.
-# There is one *_gph_t domain for each user domain.
-#
-undefine(`gph_domain')
-define(`gph_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_gph_t, domain, gphdomain, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
-
-# The user role is authorized for this domain.
-role $2_r types $1_gph_t;
-
-# This domain is granted permissions common to most domains.
-uses_shlib($1_gph_t)
-
-# Use capabilities.
-allow $1_gph_t self:capability { chown fsetid setgid setuid };
-
-# Update /var/run/utmp and /var/log/wtmp.
-allow $1_gph_t { var_t var_run_t }:dir search;
-allow $1_gph_t initrc_var_run_t:file rw_file_perms;
-allow $1_gph_t wtmp_t:file rw_file_perms;
-
-# Allow gph to rw to stream sockets of appropriate user type.
-# (Need this so gnome-pty-helper can pass pty fd to parent
-# gnome-terminal which is running in a user domain.)
-allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;
-
-allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow user domain to use pty fd from gnome-pty-helper.
-allow $1_t $1_gph_t:fd use;
-
-# Use the network, e.g. for NIS lookups.
-can_resolve($1_gph_t)
-can_ypbind($1_gph_t)
-
-allow $1_gph_t etc_t:file { getattr read };
-
-# Added by David A. Wheeler:
-# Allow gnome-pty-helper to update /var/log/lastlog
-# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
-allow $1_gph_t lastlog_t:file rw_file_perms;
-allow $1_gph_t var_log_t:dir search;
-allow $1_t $1_gph_t:process signal;
-
-ifelse($2, `system', `
-# Create ptys for the system
-can_create_other_pty($1_gph, initrc)
-', `
-# Create ptys for the user domain.
-can_create_other_pty($1_gph, $1)
-
-# Read and write the users tty.
-allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;
-
-# Allow gnome-pty-helper to write the .xsession-errors file.
-allow $1_gph_t home_root_t:dir search;
-allow $1_gph_t $1_home_t:dir { search add_name };
-allow $1_gph_t $1_home_t:file { create write };
-')dnl end ifelse system
-')dnl end macro
diff --git a/mls/macros/program/i18n_input_macros.te b/mls/macros/program/i18n_input_macros.te
deleted file mode 100644
index 58699fc8..00000000
--- a/mls/macros/program/i18n_input_macros.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Macros for i18n_input
-#
-
-#
-# Authors: Dan Walsh
-#
-
-#
-# i18n_input_domain(domain)
-#
-ifdef(`i18n_input.te', `
-define(`i18n_input_domain', `
-allow i18n_input_t $1_home_dir_t:dir { getattr search };
-r_dir_file(i18n_input_t, $1_home_t)
-if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) }
-if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) }
-')
-')
-
-
diff --git a/mls/macros/program/ice_macros.te b/mls/macros/program/ice_macros.te
deleted file mode 100644
index b3734963..00000000
--- a/mls/macros/program/ice_macros.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# ICE related types
-#
-# Author: Ivan Gyurdiev
-#
-# ice_domain(prefix, role) - create ICE sockets
-# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets
-
-define(`ice_domain', `
-ifdef(`$1_ice_tmp_t_defined',`', `
-define(`$1_ice_tmp_t_defined')
-
-# Type for ICE sockets
-type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# FIXME: How does iceauth tie in?
-
-')
-')
-
-# FIXME: Should this be bidirectional?
-# Adding only unidirectional for now.
-
-define(`ice_connect', `
-
-# Read .ICEauthority file
-allow $1_t $2_iceauth_home_t:file { read getattr };
-
-can_unix_connect($1_t, $2_t)
-allow $1_t ice_tmp_t:dir r_dir_perms;
-allow $1_t $2_ice_tmp_t:sock_file { read write };
-allow $1_t $2_t:unix_stream_socket { read write };
-')
diff --git a/mls/macros/program/iceauth_macros.te b/mls/macros/program/iceauth_macros.te
deleted file mode 100644
index cc7e804c..00000000
--- a/mls/macros/program/iceauth_macros.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# Macros for iceauth domains.
-#
-# Author: Ivan Gyurdiev
-#
-# iceauth_domain(domain_prefix)
-
-define(`iceauth_domain',`
-
-# Program type
-type $1_iceauth_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t)
-role $1_r types $1_iceauth_t;
-
-# Store .ICEauthority files
-home_domain($1, iceauth)
-file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file)
-
-# Supress xdm trying to restore .ICEauthority permissions
-ifdef(`xdm.te', `
-dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
-')
-
-# /root
-allow $1_iceauth_t root_t:dir search;
-
-# Terminal output
-access_terminal($1_iceauth_t, $1)
-
-uses_shlib($1_iceauth_t)
-
-# ???
-allow $1_iceauth_t etc_t:dir search;
-allow $1_iceauth_t usr_t:dir search;
-
-# FIXME: policy is incomplete
-
-')dnl end xauth_domain macro
diff --git a/mls/macros/program/inetd_macros.te b/mls/macros/program/inetd_macros.te
deleted file mode 100644
index e5c4eed2..00000000
--- a/mls/macros/program/inetd_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-#################################
-#
-# Rules for the $1_t domain.
-#
-# $1_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# $1_exec_t is the type of the corresponding
-# programs.
-#
-define(`inetd_child_domain', `
-type $1_t, domain, privlog, nscd_client_domain;
-role system_r types $1_t;
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-domain_auto_trans(inetd_t, $1_exec_t, $1_t)
-allow inetd_t $1_t:process sigkill;
-}
-
-can_network_server($1_t)
-can_ypbind($1_t)
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-read_locale($1_t)
-allow $1_t device_t:dir search;
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:{ file lnk_file } { getattr read };
-allow $1_t self:process { fork signal_perms };
-allow $1_t fs_t:filesystem getattr;
-
-read_sysctl($1_t)
-
-allow $1_t etc_t:file { getattr read };
-
-tmp_domain($1)
-allow $1_t var_t:dir search;
-var_run_domain($1)
-
-# Inherit and use descriptors from inetd.
-allow $1_t inetd_t:fd use;
-
-# for identd
-allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow $1_t self:capability { setuid setgid };
-allow $1_t home_root_t:dir search;
-allow $1_t self:dir search;
-allow $1_t self:{ lnk_file file } { getattr read };
-can_kerberos($1_t)
-allow $1_t urandom_device_t:chr_file r_file_perms;
-# Use sockets inherited from inetd.
-ifelse($2, `', `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, tcp, `
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, udp, `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-')
-r_dir_file($1_t, proc_net_t)
-')
-define(`remote_login_daemon', `
-inetd_child_domain($1)
-
-# Execute /bin/login on a new PTY
-allow $1_t { bin_t sbin_t }:dir search;
-domain_auto_trans($1_t, login_exec_t, remote_login_t)
-can_create_pty($1, `, server_pty, userpty_type')
-allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
-
-# Append to /var/log/wtmp.
-allow $1_t var_log_t:dir search;
-allow $1_t wtmp_t:file rw_file_perms;
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Allow reading of /etc/issue.net
-allow $1_t etc_runtime_t:file r_file_perms;
-
-# Allow krb5 $1 to use fork and open /dev/tty for use
-allow $1_t userpty_type:chr_file setattr;
-allow $1_t devtty_t:chr_file rw_file_perms;
-dontaudit $1_t selinux_config_t:dir search;
-')
diff --git a/mls/macros/program/irc_macros.te b/mls/macros/program/irc_macros.te
deleted file mode 100644
index 3adaef78..00000000
--- a/mls/macros/program/irc_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for irc domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# irc_domain(domain_prefix)
-#
-# Define a derived domain for the irc program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/irc.te.
-#
-undefine(`irc_domain')
-ifdef(`irc.te', `
-define(`irc_domain',`
-
-# Home domain
-home_domain($1, irc)
-file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)
-
-# Derived domain based on the calling user domain and the program.
-type $1_irc_t, domain;
-type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
-
-allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_irc_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
-
-# allow ps to show irc
-can_ps($1_t, $1_irc_t)
-allow $1_t $1_irc_t:process signal;
-
-# Use the network.
-can_network_client($1_irc_t)
-allow $1_irc_t port_type:tcp_socket name_connect;
-can_ypbind($1_irc_t)
-
-allow $1_irc_t usr_t:file { getattr read };
-
-access_terminal($1_irc_t, $1)
-uses_shlib($1_irc_t)
-allow $1_irc_t etc_t:file { read getattr };
-read_locale($1_irc_t)
-allow $1_irc_t fs_t:filesystem getattr;
-allow $1_irc_t var_t:dir search;
-allow $1_irc_t device_t:dir search;
-allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_irc_t privfd:fd use;
-allow $1_irc_t proc_t:dir search;
-allow $1_irc_t { self proc_t }:lnk_file read;
-allow $1_irc_t self:dir search;
-dontaudit $1_irc_t var_run_t:dir search;
-
-# allow utmp access
-allow $1_irc_t initrc_var_run_t:file { getattr read };
-dontaudit $1_irc_t initrc_var_run_t:file lock;
-
-# access files under /tmp
-file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
-
-ifdef(`ircd.te', `
-can_tcp_connect($1_irc_t, ircd_t)
-')dnl end ifdef irc.te
-')dnl end macro definition
-
-', `
-
-define(`irc_domain',`')
-
-')dnl end ifdef irc.te
diff --git a/mls/macros/program/java_macros.te b/mls/macros/program/java_macros.te
deleted file mode 100644
index 874d6dc3..00000000
--- a/mls/macros/program/java_macros.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Authors: Dan Walsh
-#
-# Macros for javaplugin (java plugin) domains.
-#
-#
-# javaplugin_domain(domain_prefix, role)
-#
-# Define a derived domain for the javaplugin program when executed by
-# a web browser.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/java.te.
-#
-define(`javaplugin_domain',`
-type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
-
-# The user role is authorized for this domain.
-role $2_r types $1_javaplugin_t;
-domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-
-allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
-# Unrestricted inheritance from the caller.
-allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-allow $1_javaplugin_t $1_t:process signull;
-
-can_unix_connect($1_javaplugin_t, $1_t)
-allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_javaplugin_t)
-allow $1_javaplugin_t port_type:tcp_socket name_connect;
-can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:fifo_file rw_file_perms;
-allow $1_javaplugin_t etc_runtime_t:file { getattr read };
-allow $1_javaplugin_t fs_t:filesystem getattr;
-r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
-allow $1_javaplugin_t self:dir search;
-allow $1_javaplugin_t self:lnk_file read;
-allow $1_javaplugin_t self:file { getattr read };
-
-read_sysctl($1_javaplugin_t)
-allow $1_javaplugin_t sysctl_vm_t:dir search;
-
-tmp_domain($1_javaplugin)
-read_fonts($1_javaplugin_t, $2)
-r_dir_file($1_javaplugin_t,{ usr_t etc_t })
-
-# Search bin directory under javaplugin for javaplugin executable
-allow $1_javaplugin_t bin_t:dir search;
-can_exec($1_javaplugin_t, java_exec_t)
-
-# libdeploy.so legacy
-allow $1_javaplugin_t texrel_shlib_t:file execmod;
-if (allow_execmem) {
-allow $1_javaplugin_t self:process execmem;
-}
-
-# Connect to X server
-x_client_domain($1_javaplugin, $2)
-
-uses_shlib($1_javaplugin_t)
-read_locale($1_javaplugin_t)
-rw_dir_file($1_javaplugin_t, $1_home_t)
-
-if (allow_java_execstack) {
-legacy_domain($1_javaplugin)
-allow $1_javaplugin_t lib_t:file execute;
-allow $1_javaplugin_t locale_t:file execute;
-allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-allow $1_javaplugin_t fonts_t:file execute;
-allow $1_javaplugin_t sound_device_t:chr_file execute;
-}
-
-allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-
-allow $1_javaplugin_t home_root_t:dir { getattr search };
-file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
-allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
-allow $1_javaplugin_t $2_tmp_t:sock_file write;
-allow $1_javaplugin_t $2_t:fd use;
-
-allow $1_javaplugin_t var_t:dir getattr;
-allow $1_javaplugin_t var_lib_t:dir { getattr search };
-
-dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
-dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
-dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
-
-')
diff --git a/mls/macros/program/kerberos_macros.te b/mls/macros/program/kerberos_macros.te
deleted file mode 100644
index 91850d3c..00000000
--- a/mls/macros/program/kerberos_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-define(`can_kerberos',`
-ifdef(`kerberos.te',`
-if (allow_kerberos) {
-can_network_client($1, `kerberos_port_t')
-allow $1 kerberos_port_t:tcp_socket name_connect;
-can_resolve($1)
-}
-') dnl kerberos.te
-dontaudit $1 krb5_conf_t:file write;
-allow $1 krb5_conf_t:file { getattr read };
-')
diff --git a/mls/macros/program/lockdev_macros.te b/mls/macros/program/lockdev_macros.te
deleted file mode 100644
index 28f7c01f..00000000
--- a/mls/macros/program/lockdev_macros.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Macros for lockdev domains.
-#
-
-#
-# Authors: Daniel Walsh
-#
-
-#
-# lockdev_domain(domain_prefix)
-#
-# Define a derived domain for the lockdev programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lockdev.te.
-#
-undefine(`lockdev_domain')
-define(`lockdev_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lockdev_t, domain, privlog;
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lockdev_t;
-# Use capabilities.
-allow $1_lockdev_t self:capability setgid;
-allow $1_lockdev_t $1_t:process signull;
-
-allow $1_lockdev_t var_t:dir search;
-
-lock_domain($1_lockdev)
-
-r_dir_file($1_lockdev_t, lockfile)
-
-allow $1_lockdev_t device_t:dir search;
-allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
-access_terminal($1_lockdev_t, $1)
-dontaudit $1_lockdev_t root_t:dir search;
-
-uses_shlib($1_lockdev_t)
-allow $1_lockdev_t fs_t:filesystem getattr;
-
-')dnl end macro definition
-
diff --git a/mls/macros/program/login_macros.te b/mls/macros/program/login_macros.te
deleted file mode 100644
index 0d0993c7..00000000
--- a/mls/macros/program/login_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macros for login type programs (/bin/login, sshd, etc).
-#
-# Author: Russell Coker
-#
-
-define(`login_spawn_domain', `
-domain_trans($1_t, shell_exec_t, $2)
-
-# Signal the user domains.
-allow $1_t $2:process signal;
-')
diff --git a/mls/macros/program/lpr_macros.te b/mls/macros/program/lpr_macros.te
deleted file mode 100644
index d8b3b312..00000000
--- a/mls/macros/program/lpr_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for lpr domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# lpr_domain(domain_prefix)
-#
-# Define a derived domain for the lpr/lpq/lprm programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lpr.te.
-#
-undefine(`lpr_domain')
-define(`lpr_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lpr_t, domain, privlog, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
-
-allow $1_t $1_lpr_t:process signull;
-
-# allow using shared objects, accessing root dir, etc
-uses_shlib($1_lpr_t)
-
-read_locale($1_lpr_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lpr_t;
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_lpr_t)
-allow $1_lpr_t port_type:tcp_socket name_connect;
-can_ypbind($1_lpr_t)
-
-# Use capabilities.
-allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
-
-allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
-
-# for lpd config files (should have a new type)
-r_dir_file($1_lpr_t, etc_t)
-
-# for test print
-r_dir_file($1_lpr_t, usr_t)
-ifdef(`lpd.te', `
-r_dir_file($1_lpr_t, printconf_t)
-')
-
-tmp_domain($1_lpr)
-
-# Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile;
-# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
-file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
-allow $1_lpr_t var_spool_t:dir search;
-
-# for /dev/null
-allow $1_lpr_t device_t:dir search;
-
-# Access the terminal.
-access_terminal($1_lpr_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
-allow $1_lpr_t privfd:fd use;
-
-# Read user files.
-read_content(sysadm_lpr_t, $1)
-read_content($1_lpr_t, $1)
-
-# Read and write shared files in the spool directory.
-allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-# lpr can run in lightweight mode, without a local print spooler. If the
-# lpd policy is present, grant some permissions for this domain and the lpd
-# domain to interact.
-ifdef(`lpd.te', `
-allow $1_lpr_t { var_t var_run_t }:dir search;
-allow $1_lpr_t lpd_var_run_t:dir search;
-allow $1_lpr_t lpd_var_run_t:sock_file write;
-
-# Allow lpd to read, rename, and unlink spool files.
-allow lpd_t $1_print_spool_t:file r_file_perms;
-allow lpd_t $1_print_spool_t:file link_file_perms;
-
-# Connect to lpd via a Unix domain socket.
-allow $1_lpr_t printer_t:sock_file rw_file_perms;
-can_unix_connect($1_lpr_t, lpd_t)
-dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };
-
-# Connect to lpd via a TCP socket.
-can_tcp_connect($1_lpr_t, lpd_t)
-
-allow $1_lpr_t fs_t:filesystem getattr;
-# Send SIGHUP to lpd.
-allow $1_lpr_t lpd_t:process signal;
-
-')dnl end if lpd.te
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_lpr_t)
-')
-
-ifdef(`cups.te', `
-allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
-allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
-can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
-')dnl end ifdef cups.te
-
-')dnl end macro definition
-
diff --git a/mls/macros/program/mail_client_macros.te b/mls/macros/program/mail_client_macros.te
deleted file mode 100644
index da22a620..00000000
--- a/mls/macros/program/mail_client_macros.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Shared macro for mail clients
-#
-# Author: Ivan Gyurdiev
-#
-
-########################################
-# mail_client_domain(client, role_prefix)
-#
-
-define(`mail_client_domain', `
-
-# Allow netstat
-# Startup shellscripts
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file r_file_perms;
-can_exec($1_t, bin_t)
-r_dir_file($1_t, proc_net_t)
-allow $1_t sysctl_net_t:dir search;
-
-# Allow DNS
-can_resolve($1_t)
-
-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-can_ypbind($1_t)
-can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
-allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Allow printing the mail
-ifdef(`cups.te',`
-allow $1_t cupsd_etc_t:dir r_dir_perms;
-allow $1_t cupsd_rw_etc_t:file r_file_perms;
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
-')
-
-# Attachments
-read_content($1_t, $2, mail)
-
-# Save mail
-write_untrusted($1_t, $2)
-
-# Encrypt mail
-ifdef(`gpg.te', `
-domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
-allow $1_t $2_gpg_t:process signal;
-')
-
-# Start links in web browser
-ifdef(`mozilla.te', `
-can_exec($1_t, shell_exec_t)
-domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
-')
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-allow $1_t system_dbusd_t:dbus send_msg;
-dbusd_client($2, $1)
-allow $1_t $2_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_t:dbus send_msg;
-')
-')
-# Allow the user domain to signal/ps.
-can_ps($2_t, $1_t)
-allow $2_t $1_t:process signal_perms;
-
-')
diff --git a/mls/macros/program/mount_macros.te b/mls/macros/program/mount_macros.te
deleted file mode 100644
index 0aa05778..00000000
--- a/mls/macros/program/mount_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for mount
-#
-# Author: Brian May
-# Extended by Russell Coker
-#
-
-#
-# mount_domain(domain_prefix,dst_domain_prefix)
-#
-# Define a derived domain for the mount program for anyone.
-#
-define(`mount_domain', `
-#
-# Rules for the $2_t domain, used by the $1_t domain.
-#
-# $2_t is the domain for the mount process.
-#
-# This macro will not be included by all users and it may be included twice if
-# called from other macros, so we need protection for this do not call this
-# macro if $2_def is defined
-define(`$2_def', `')
-#
-type $2_t, domain, privlog $3, nscd_client_domain;
-
-allow $2_t sysfs_t:dir search;
-
-uses_shlib($2_t)
-
-role $1_r types $2_t;
-# when mount is run by $1 goto $2_t domain
-domain_auto_trans($1_t, mount_exec_t, $2_t)
-
-allow $2_t proc_t:dir search;
-allow $2_t proc_t:file { getattr read };
-
-#
-# Allow mounting of cdrom by user
-#
-allow $2_t device_type:blk_file getattr;
-
-tmp_domain($2)
-
-# Use capabilities.
-allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-allow $2_t self:unix_stream_socket create_socket_perms;
-
-# Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
-
-allow $2_t etc_t:file { getattr read };
-
-read_locale($2_t)
-
-allow $2_t home_root_t:dir search;
-allow $2_t $1_home_dir_t:dir search;
-allow $2_t noexattrfile:filesystem { mount unmount };
-allow $2_t fs_t:filesystem getattr;
-allow $2_t removable_t:filesystem { mount unmount };
-allow $2_t mnt_t:dir { mounton search };
-allow $2_t sbin_t:dir search;
-
-# Access the terminal.
-access_terminal($2_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
-allow $2_t var_t:dir search;
-allow $2_t var_run_t:dir search;
-
-ifdef(`distro_redhat',`
-ifdef(`pamconsole.te',`
-r_dir_file($2_t,pam_var_console_t)
-# mount config by default sets fscontext=removable_t
-allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end pamconsole.te
-') dnl end distro_redhat
-') dnl end mount_domain
-
-# mount_loopback_privs(domain_prefix,dst_domain_prefix)
-#
-# Add loopback mounting privileges to a particular derived
-# mount domain.
-#
-define(`mount_loopback_privs',`
-type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
-allow $1_t $1_$2_source_t:file create_file_perms;
-allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
-allow $2_t $1_$2_source_t:file rw_file_perms;
-')
-
diff --git a/mls/macros/program/mozilla_macros.te b/mls/macros/program/mozilla_macros.te
deleted file mode 100644
index cc8afb0f..00000000
--- a/mls/macros/program/mozilla_macros.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#
-# Macros for mozilla/mozilla (or other browser) domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# mozilla_domain(domain_prefix)
-#
-# Define a derived domain for the mozilla/mozilla program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mozilla.te.
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`mozilla_domain',`
-
-type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
-
-# Type transition
-if (! disable_mozilla_trans) {
-domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
-}
-role $1_r types $1_mozilla_t;
-
-# X access, Home files
-home_domain($1, mozilla)
-x_client_domain($1_mozilla, $1)
-
-# GNOME integration
-ifdef(`gnome.te', `
-gnome_application($1_mozilla, $1)
-gnome_file_dialog($1_mozilla, $1)
-')
-
-# Look for plugins
-allow $1_mozilla_t bin_t:dir { getattr read search };
-
-# Browse the web, connect to printer
-can_resolve($1_mozilla_t)
-can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
-allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Should not need other ports
-dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
-
-allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
-dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-
-# Unrestricted inheritance from the caller.
-allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
-allow $1_mozilla_t $1_t:process signull;
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_mozilla_t)
-allow $1_t $1_mozilla_t:process signal_perms;
-
-# Access /proc, sysctl
-allow $1_mozilla_t proc_t:dir search;
-allow $1_mozilla_t proc_t:file { getattr read };
-allow $1_mozilla_t proc_t:lnk_file read;
-allow $1_mozilla_t sysctl_net_t:dir search;
-allow $1_mozilla_t sysctl_t:dir search;
-
-# /var/lib
-allow $1_mozilla_t var_lib_t:dir search;
-allow $1_mozilla_t var_lib_t:file { getattr read };
-
-# Self permissions
-allow $1_mozilla_t self:socket create_socket_perms;
-allow $1_mozilla_t self:file { getattr read };
-allow $1_mozilla_t self:sem create_sem_perms;
-
-# for bash - old mozilla binary
-can_exec($1_mozilla_t, mozilla_exec_t)
-can_exec($1_mozilla_t, shell_exec_t)
-can_exec($1_mozilla_t, bin_t)
-allow $1_mozilla_t bin_t:lnk_file read;
-allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t self:dir search;
-allow $1_mozilla_t self:lnk_file read;
-r_dir_file($1_mozilla_t, proc_net_t)
-
-# interacting with gstreamer
-r_dir_file($1_mozilla_t, var_t)
-
-# Uploads, local html
-read_content($1_mozilla_t, $1, mozilla)
-
-# Save web pages
-write_untrusted($1_mozilla_t, $1)
-
-# Mozpluggerrc
-allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-
-######### Java plugin
-ifdef(`java.te', `
-javaplugin_domain($1_mozilla, $1)
-') dnl java.te
-
-######### Print web content
-ifdef(`cups.te', `
-allow $1_mozilla_t cupsd_etc_t:dir search;
-allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
-') dnl if lpr.te
-
-######### Launch mplayer
-ifdef(`mplayer.te', `
-domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-')dnl end if mplayer.te
-
-######### Launch email client, and make webcal links work
-ifdef(`evolution.te', `
-domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-') dnl if evolution.te
-
-ifdef(`thunderbird.te', `
-domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
-') dnl if evolution.te
-
-if (allow_execmem) {
-allow $1_mozilla_t self:process { execmem execstack };
-}
-allow $1_mozilla_t texrel_shlib_t:file execmod;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, $1_mozilla)
-allow $1_mozilla_t system_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_mozilla_t:dbus send_msg;
-')
-')
-
-ifdef(`apache.te', `
-ifelse($1, sysadm, `', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
-')
-
-')dnl end mozilla macro
-
diff --git a/mls/macros/program/mplayer_macros.te b/mls/macros/program/mplayer_macros.te
deleted file mode 100644
index 6d067578..00000000
--- a/mls/macros/program/mplayer_macros.te
+++ /dev/null
@@ -1,159 +0,0 @@
-#
-# Macros for mplayer
-#
-# Author: Ivan Gyurdiev
-#
-# mplayer_domains(user) declares domains for mplayer, gmplayer,
-# and mencoder
-
-#####################################################
-# mplayer_common(role_prefix, mplayer_domain) #
-#####################################################
-
-define(`mplayer_common',`
-
-# Read global config
-r_dir_file($1_$2_t, mplayer_etc_t)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
-# Read data in /usr/share (fonts, icons..)
-r_dir_file($1_$2_t, usr_t)
-
-# Read /proc files and directories
-# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:file { getattr read };
-
-# Sysctl on kernel version
-read_sysctl($1_$2_t)
-
-# Allow ps, shared libs, locale, terminal access
-can_ps($1_t, $1_$2_t)
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-access_terminal($1_$2_t, $1)
-
-# Required for win32 binary loader
-allow $1_$2_t zero_device_t:chr_file { read write execute };
-if (allow_execmem) {
-allow $1_$2_t self:process execmem;
-}
-
-if (allow_execmod) {
-allow $1_$2_t zero_device_t:chr_file execmod;
-}
-allow $1_$2_t texrel_shlib_t:file execmod;
-
-# Access to DVD/CD/V4L
-allow $1_$2_t device_t:dir r_dir_perms;
-allow $1_$2_t device_t:lnk_file { getattr read };
-allow $1_$2_t removable_device_t:blk_file { getattr read };
-allow $1_$2_t v4l_device_t:chr_file { getattr read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-legacy_domain($1_$2)
-allow $1_$2_t lib_t:file execute;
-allow $1_$2_t locale_t:file execute;
-allow $1_$2_t sound_device_t:chr_file execute;
-}
-')
-
-###################################
-# mplayer_domain(role_prefix) #
-###################################
-
-define(`mplayer_domain',`
-
-type $1_mplayer_t, domain, nscd_client_domain;
-
-# Type transition
-domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
-role $1_r types $1_mplayer_t;
-
-# Home access, X access
-home_domain($1, mplayer)
-x_client_domain($1_mplayer, $1)
-
-# Mplayer common stuff
-mplayer_common($1, mplayer)
-
-# Fork
-allow $1_mplayer_t self:process { fork signal_perms getsched };
-allow $1_mplayer_t self:fifo_file rw_file_perms;
-
-# Audio, alsa.conf
-allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
-allow $1_mplayer_t etc_t:file { getattr read };
-r_dir_file($1_mplayer_t, alsa_etc_rw_t);
-
-# RTC clock
-allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
-}
-
-#======gmplayer gui==========#
-# File dialogs
-dontaudit_getattr($1_mplayer_t)
-dontaudit_read_dir($1_mplayer_t)
-dontaudit_search_dir($1_mplayer_t)
-
-# Unfortunately the ancient file dialog starts in /
-allow $1_mplayer_t home_root_t:dir read;
-
-# Read /etc/mtab
-allow $1_mplayer_t etc_runtime_t:file { read getattr };
-
-# Run bash/sed (??)
-allow $1_mplayer_t bin_t:dir search;
-allow $1_mplayer_t bin_t:lnk_file read;
-can_exec($1_mplayer_t, bin_t)
-can_exec($1_mplayer_t, shell_exec_t)
-#============================#
-
-# Read songs
-read_content($1_mplayer_t, $1)
-
-') dnl end mplayer_domain
-
-###################################
-# mencoder_domain(role_prefix) #
-###################################
-
-define(`mencoder_domain',`
-
-type $1_mencoder_t, domain;
-
-# Type transition
-domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-role $1_r types $1_mencoder_t;
-
-# Access mplayer home domain
-home_domain_access($1_mencoder_t, $1, mplayer)
-
-# Mplayer common stuff
-mplayer_common($1, mencoder)
-
-# Read content to encode
-read_content($1_mencoder_t, $1)
-
-# Save encoded files
-write_trusted($1_mencoder_t, $1)
-
-') dnl end mencoder_domain
-
-#############################
-# mplayer_domains(role) #
-#############################
-
-define(`mplayer_domains', `
-mplayer_domain($1)
-mencoder_domain($1)
-') dnl end mplayer_domains
-
diff --git a/mls/macros/program/mta_macros.te b/mls/macros/program/mta_macros.te
deleted file mode 100644
index b221f541..00000000
--- a/mls/macros/program/mta_macros.te
+++ /dev/null
@@ -1,121 +0,0 @@
-# Macros for MTA domains.
-#
-
-#
-# Author: Russell Coker
-# Based on the work of: Stephen Smalley
-# Timothy Fraser
-#
-
-#
-# mail_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail. These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mta.te.
-#
-undefine(`mail_domain')
-define(`mail_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
-
-ifdef(`sendmail.te', `
-sendmail_user_domain($1)
-')
-
-can_exec($1_mail_t, sendmail_exec_t)
-allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
-
-# The user role is authorized for this domain.
-role $1_r types $1_mail_t;
-
-uses_shlib($1_mail_t)
-can_network_client_tcp($1_mail_t)
-allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;
-can_resolve($1_mail_t)
-can_ypbind($1_mail_t)
-allow $1_mail_t self:unix_dgram_socket create_socket_perms;
-allow $1_mail_t self:unix_stream_socket create_socket_perms;
-
-read_locale($1_mail_t)
-read_sysctl($1_mail_t)
-allow $1_mail_t device_t:dir search;
-allow $1_mail_t { var_t var_spool_t }:dir search;
-allow $1_mail_t self:process { fork signal_perms setrlimit };
-allow $1_mail_t sbin_t:dir search;
-
-# It wants to check for nscd
-dontaudit $1_mail_t var_run_t:dir search;
-
-# Use capabilities
-allow $1_mail_t self:capability { setuid setgid chown };
-
-# Execute procmail.
-can_exec($1_mail_t, bin_t)
-ifdef(`procmail.te',`
-can_exec($1_mail_t, procmail_exec_t)')
-
-ifelse(`$1', `system', `
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
-
-ifdef(`crond.te', `
-# Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
-')
-can_access_pty(system_mail_t, initrc)
-
-', `
-# For when the user wants to send mail via port 25 localhost
-can_tcp_connect($1_t, mail_server_domain)
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
-allow $1_t sendmail_exec_t:lnk_file { getattr read };
-
-# Read user temporary files.
-allow $1_mail_t $1_tmp_t:file r_file_perms;
-dontaudit $1_mail_t $1_tmp_t:file append;
-ifdef(`postfix.te', `
-# postfix seems to need write access if the file handle is opened read/write
-allow $1_mail_t $1_tmp_t:file write;
-')dnl end if postfix
-
-allow mta_user_agent $1_tmp_t:file { read getattr };
-
-# Write to the user domain tty.
-access_terminal(mta_user_agent, $1)
-access_terminal($1_mail_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
-allow $1_mail_t privfd:fd use;
-
-# Create dead.letter in user home directories.
-file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
-
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_mail_t, cifs_t)
-}
-
-# if you do not want to allow dead.letter then use the following instead
-#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
-#allow $1_mail_t $1_home_t:file r_file_perms;
-
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
-')dnl end if system
-
-allow $1_mail_t etc_t:file { getattr read };
-ifdef(`qmail.te', `
-allow $1_mail_t qmail_etc_t:dir search;
-allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
-
-')
diff --git a/mls/macros/program/newrole_macros.te b/mls/macros/program/newrole_macros.te
deleted file mode 100644
index 0d522822..00000000
--- a/mls/macros/program/newrole_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-# Authors: Anthony Colatrella (NSA) Stephen Smalley
-# Russell Coker
-
-# This macro defines the rules for a newrole like program, it is used by
-# newrole.te and sudo.te, but may be used by other policy at some later time.
-
-define(`newrole_domain', `
-# Rules for the $1_t domain.
-#
-# $1_t is the domain for the program.
-# $1_exec_t is the type of the executable.
-#
-type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
-in_user_role($1_t)
-role sysadm_r types $1_t;
-
-general_domain_access($1_t);
-
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
-
-# for when the user types "exec newrole" at the command line
-allow $1_t privfd:process sigchld;
-
-# Inherit descriptors from the current session.
-allow $1_t privfd:fd use;
-
-# Execute /sbin/pwdb_chkpwd to check the password.
-allow $1_t sbin_t:dir r_dir_perms;
-
-# Execute shells
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file read;
-allow $1_t shell_exec_t:file r_file_perms;
-
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-# Allow $1_t to transition to user domains.
-domain_trans($1_t, shell_exec_t, unpriv_userdomain)
-if(!secure_mode)
-{
- # if we are not in secure mode then we can transition to sysadm_t
- domain_trans($1_t, shell_exec_t, sysadm_t)
-}
-
-can_setexec($1_t)
-
-allow $1_t autofs_t:dir search;
-
-# Use capabilities.
-allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, selinux_config_t)
-allow $1_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-ifdef(`distro_debian', `
-# for /etc/alternatives
-allow $1_t etc_t:lnk_file read;
-')
-
-#
-# Allow newrole to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-dontaudit $1_t { home_root_t home_type }:dir search;
-
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_t:process signal;
-')
diff --git a/mls/macros/program/orbit_macros.te b/mls/macros/program/orbit_macros.te
deleted file mode 100644
index b2dd5d16..00000000
--- a/mls/macros/program/orbit_macros.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# ORBit related types
-#
-# Author: Ivan Gyurdiev
-#
-# orbit_domain(prefix, role_prefix) - create ORBit sockets
-# orbit_connect(type1_prefix, type2_prefix)
-# - allow communication through ORBit sockets from type1 to type2
-
-define(`orbit_domain', `
-
-# Protect against double inclusion for speed and correctness
-ifdef(`orbit_domain_$1_$2', `', `
-define(`orbit_domain_$1_$2')
-
-# Relabel directory (startup script)
-allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
-
-# Type for ORBit sockets
-type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
-allow $1_t tmp_t:dir { read search getattr };
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# Use random device(s)
-allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
-
-# Why do they do that?
-dontaudit $1_t $2_orbit_tmp_t:dir setattr;
-
-') dnl ifdef orbit_domain_args
-') dnl orbit_domain
-
-##########################
-
-define(`orbit_connect', `
-
-can_unix_connect($1_t, $2_t)
-allow $1_t $2_orbit_tmp_t:sock_file write;
-
-') dnl orbit_connect
diff --git a/mls/macros/program/pyzor_macros.te b/mls/macros/program/pyzor_macros.te
deleted file mode 100644
index af67d30a..00000000
--- a/mls/macros/program/pyzor_macros.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-# block spam using identifying digests of messages.
-#
-# Author: David Hampton
-#
-
-##########
-# common definitions for pyzord and all flavors of pyzor
-##########
-define(`pyzor_base_domain',`
-
-# Networking
-can_network_client_tcp($1_t, http_port_t);
-can_network_udp($1_t, pyzor_port_t);
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-tmp_domain($1)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_lib_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Python does a getattr on this file
-allow $1_t pyzor_exec_t:file getattr;
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a pyzor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`pyzor_domain',`
-type $1_pyzor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_pyzor_t;
-domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
-
-pyzor_base_domain($1_pyzor)
-
-# Per-user config/data files
-home_domain($1, pyzor)
-file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)
-
-# System config files
-r_dir_file($1_pyzor_t, pyzor_etc_t)
-
-# System data files
-r_dir_file($1_pyzor_t, pyzor_var_lib_t);
-
-allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow pyzor to be run by hand. Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_pyzor_t, $1)
-allow $1_pyzor_t sshd_t:fd use;
-')
diff --git a/mls/macros/program/razor_macros.te b/mls/macros/program/razor_macros.te
deleted file mode 100644
index e4c7c559..00000000
--- a/mls/macros/program/razor_macros.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Razor - Razor is a collaborative, networked system to detect and
-# block spam using identifying digests of messages.
-#
-# Author: David Hampton
-#
-
-##########
-# common definitions for razord and all flavors of razor
-##########
-define(`razor_base_domain',`
-
-# Razor is one executable and several symlinks
-allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
-
-# Networking
-can_network_client_tcp($1_t, razor_port_t)
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-# Read system config file
-r_dir_file($1_t, razor_etc_t)
-
-# Update razor common files
-file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
-create_dir_file($1_t, razor_log_t)
-allow $1_t var_lib_t:dir search;
-create_dir_file($1_t, razor_var_lib_t)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Razor forks other programs to do part of its work.
-general_domain_access($1_t)
-can_exec($1_t, bin_t)
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a razor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`razor_domain',`
-type $1_razor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_razor_t;
-domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
-
-razor_base_domain($1_razor)
-
-# Per-user config/data files
-home_domain($1, razor)
-file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir)
-
-tmp_domain($1_razor)
-
-allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow razor to be run by hand. Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_razor_t, $1)
-allow $1_razor_t sshd_t:fd use;
-')
diff --git a/mls/macros/program/resmgrd_macros.te b/mls/macros/program/resmgrd_macros.te
deleted file mode 100644
index ec0ac60a..00000000
--- a/mls/macros/program/resmgrd_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macro for resmgrd
-
-define(`can_resmgrd_connect', `
-ifdef(`resmgrd.te', `
-allow $1 resmgrd_t:unix_stream_socket connectto;
-allow $1 { var_t var_run_t }:dir search;
-allow $1 resmgrd_var_run_t:sock_file write;
-allow $1 resmgrd_t:fd use;
-')
-')
-
diff --git a/mls/macros/program/rhgb_macros.te b/mls/macros/program/rhgb_macros.te
deleted file mode 100644
index 9700fba2..00000000
--- a/mls/macros/program/rhgb_macros.te
+++ /dev/null
@@ -1,8 +0,0 @@
-
-define(`rhgb_domain', `
-ifdef(`rhgb.te', `
-allow $1 rhgb_t:process sigchld;
-allow $1 rhgb_t:fd use;
-allow $1 rhgb_t:fifo_file { read write };
-')dnl end ifdef
-')
diff --git a/mls/macros/program/rssh_macros.te b/mls/macros/program/rssh_macros.te
deleted file mode 100644
index 33fbdb58..00000000
--- a/mls/macros/program/rssh_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for Rssh domains
-#
-# Author: Colin Walters
-#
-
-#
-# rssh_domain(domain_prefix)
-#
-# Define a specific rssh domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/rssh.te.
-#
-undefine(`rssh_domain')
-ifdef(`rssh.te', `
-define(`rssh_domain',`
-type rssh_$1_t, domain, userdomain, privlog, privfd;
-role rssh_$1_r types rssh_$1_t;
-allow system_r rssh_$1_r;
-
-type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;
-type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;
-
-general_domain_access(rssh_$1_t);
-uses_shlib(rssh_$1_t);
-base_file_read_access(rssh_$1_t);
-allow rssh_$1_t var_t:dir r_dir_perms;
-r_dir_file(rssh_$1_t, etc_t);
-allow rssh_$1_t etc_runtime_t:file { getattr read };
-r_dir_file(rssh_$1_t, locale_t);
-can_exec(rssh_$1_t, bin_t);
-
-allow rssh_$1_t proc_t:dir { getattr search };
-allow rssh_$1_t proc_t:lnk_file { getattr read };
-
-r_dir_file(rssh_$1_t, rssh_$1_ro_t);
-create_dir_file(rssh_$1_t, rssh_$1_rw_t);
-
-can_create_pty(rssh_$1, `, userpty_type, user_tty_type')
-# Use the type when relabeling pty devices.
-type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;
-
-ifdef(`ssh.te',`
-allow rssh_$1_t sshd_t:fd use;
-allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;
-allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
-# For reading /home/user/.ssh
-r_dir_file(sshd_t, rssh_$1_ro_t);
-domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);
-')
-')
-
-', `
-
-define(`rssh_domain',`')
-
-')
diff --git a/mls/macros/program/run_program_macros.te b/mls/macros/program/run_program_macros.te
deleted file mode 100644
index c98bbee7..00000000
--- a/mls/macros/program/run_program_macros.te
+++ /dev/null
@@ -1,73 +0,0 @@
-
-# $1 is the source domain (or domains), $2 is the source role (or roles) and $3
-# is the base name for the domain to run. $1 is normally sysadm_t, and $2 is
-# normally sysadm_r. $4 is the type of program to run and $5 is the domain to
-# transition to.
-# sample usage:
-# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t)
-#
-# if you have several users who run the same run_init type program for
-# different purposes (think of a run_db program used by several database
-# administrators to start several databases) then you can list all the source
-# domains in $1, all the source roles in $2, but you may not want to list all
-# types of programs to run in $4 and target domains in $5 (as that may permit
-# entering a domain from the wrong type). In such a situation just specify
-# one value for each of $4 and $5 and have some rules such as the following:
-# domain_trans(run_whatever_t, whatever_exec_t, whatever_t)
-
-define(`run_program', `
-type run_$3_exec_t, file_type, exec_type, sysadmfile;
-
-# domain for program to run in, needs to change role (priv_system_role), change
-# identity to system_u (privuser), log failures to syslog (privlog) and
-# authenticate users
-type run_$3_t, domain, priv_system_role, privuser, privlog;
-domain_auto_trans($1, run_$3_exec_t, run_$3_t)
-role $2 types run_$3_t;
-
-domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)
-dontaudit run_$3_t shadow_t:file getattr;
-
-# for utmp
-allow run_$3_t initrc_var_run_t:file rw_file_perms;
-allow run_$3_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit run_$3_t devpts_t:dir { getattr read };
-dontaudit run_$3_t device_t:dir read;
-
-# for auth_chkpwd
-dontaudit run_$3_t shadow_t:file read;
-allow run_$3_t self:process { fork sigchld };
-allow run_$3_t self:fifo_file rw_file_perms;
-allow run_$3_t self:capability setuid;
-allow run_$3_t self:lnk_file read;
-
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_$3_t file_type:dir search;
-dontaudit run_$3_t self:capability { dac_override dac_read_search };
-
-allow run_$3_t bin_t:lnk_file read;
-can_exec(run_$3_t, { bin_t shell_exec_t })
-ifdef(`chkpwd.te', `
-can_exec(run_$3_t, chkpwd_exec_t)
-')
-
-domain_trans(run_$3_t, $4, $5)
-can_setexec(run_$3_t)
-
-allow run_$3_t privfd:fd use;
-uses_shlib(run_$3_t)
-allow run_$3_t lib_t:file { getattr read };
-can_getsecurity(run_$3_t)
-r_dir_file(run_$3_t,selinux_config_t)
-r_dir_file(run_$3_t,default_context_t)
-allow run_$3_t self:unix_stream_socket create_socket_perms;
-allow run_$3_t self:unix_dgram_socket create_socket_perms;
-allow run_$3_t etc_t:file { getattr read };
-read_locale(run_$3_t)
-allow run_$3_t fs_t:filesystem getattr;
-allow run_$3_t { bin_t sbin_t }:dir search;
-dontaudit run_$3_t device_t:dir { getattr search };
-')
diff --git a/mls/macros/program/samba_macros.te b/mls/macros/program/samba_macros.te
deleted file mode 100644
index d7667845..00000000
--- a/mls/macros/program/samba_macros.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# Macros for samba domains.
-#
-
-#
-# Authors: Dan Walsh
-#
-
-#
-# samba_domain(domain_prefix)
-#
-# Define a derived domain for the samba program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/samba.te.
-#
-undefine(`samba_domain')
-ifdef(`samba.te', `
-define(`samba_domain',`
-if ( samba_enable_home_dirs ) {
-allow smbd_t home_root_t:dir r_dir_perms;
-file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
-dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
-}
-')
-', `
-define(`samba_domain',`')
-
-')dnl end if samba.te
diff --git a/mls/macros/program/screen_macros.te b/mls/macros/program/screen_macros.te
deleted file mode 100644
index e81a90a5..00000000
--- a/mls/macros/program/screen_macros.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# Macros for screen domains.
-#
-
-#
-# Author: Russell Coker
-# Based on the work of Stephen Smalley
-# and Timothy Fraser
-#
-
-#
-# screen_domain(domain_prefix)
-#
-# Define a derived domain for the screen program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/screen.te.
-#
-undefine(`screen_domain')
-ifdef(`screen.te', `
-define(`screen_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_screen_t, domain, privlog, privfd, nscd_client_domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
-
-tmp_domain($1_screen, `', `{ dir file fifo_file }')
-base_file_read_access($1_screen_t)
-# The user role is authorized for this domain.
-role $1_r types $1_screen_t;
-
-uses_shlib($1_screen_t)
-
-# for SSP
-allow $1_screen_t urandom_device_t:chr_file read;
-
-# Revert to the user domain when a shell is executed.
-domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t)
-domain_auto_trans($1_screen_t, $1_home_t, $1_t)
-if (use_nfs_home_dirs) {
-domain_auto_trans($1_screen_t, nfs_t, $1_t)
-}
-if (use_samba_home_dirs) {
-domain_auto_trans($1_screen_t, cifs_t, $1_t)
-}
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
-
-home_domain_ro($1, screen)
-
-allow $1_screen_t privfd:fd use;
-
-# Write to utmp.
-allow $1_screen_t initrc_var_run_t:file rw_file_perms;
-ifdef(`utempter.te', `
-dontaudit $1_screen_t utempter_exec_t:file execute;
-')
-
-# create pty devices
-can_create_other_pty($1_screen, $1)
-allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_screen_t device_t:dir { getattr read };
-
-allow $1_screen_t fs_t:filesystem getattr;
-
-# Create fifo
-allow $1_screen_t var_t:dir search;
-file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
-type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
-file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
-
-allow $1_screen_t self:process { fork signal_perms };
-allow $1_t $1_screen_t:process signal;
-allow $1_screen_t $1_t:process signal;
-allow $1_screen_t self:capability { setuid setgid fsetid };
-
-dontaudit $1_screen_t shadow_t:file read;
-
-allow $1_screen_t tmp_t:dir search;
-can_network($1_screen_t)
-allow $1_screen_t port_type:tcp_socket name_connect;
-can_ypbind($1_screen_t)
-
-# get stats
-allow $1_screen_t proc_t:dir search;
-allow $1_screen_t proc_t:file { getattr read };
-allow $1_screen_t proc_t:lnk_file read;
-allow $1_screen_t etc_t:{ file lnk_file } { read getattr };
-allow $1_screen_t self:dir { search read };
-allow $1_screen_t self:lnk_file read;
-allow $1_screen_t device_t:dir search;
-allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
-
-# Internal screen networking
-allow $1_screen_t self:fd use;
-allow $1_screen_t self:unix_stream_socket create_socket_perms;
-allow $1_screen_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_screen_t bin_t:dir search;
-allow $1_screen_t bin_t:lnk_file read;
-read_locale($1_screen_t)
-
-dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
-')dnl end screen_domain
-
-', `
-
-define(`screen_domain',`')
-
-')
diff --git a/mls/macros/program/sendmail_macros.te b/mls/macros/program/sendmail_macros.te
deleted file mode 100644
index 540e0a25..00000000
--- a/mls/macros/program/sendmail_macros.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# Macros for sendmail domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-#
-
-#
-# sendmail_user_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail. These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-undefine(`sendmail_user_domain')
-define(`sendmail_user_domain', `
-
-# Use capabilities
-allow $1_mail_t self:capability net_bind_service;
-
-tmp_domain($1_mail)
-
-# Write to /var/spool/mail and /var/spool/mqueue.
-allow $1_mail_t mail_spool_t:dir rw_dir_perms;
-allow $1_mail_t mail_spool_t:file create_file_perms;
-allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow $1_mail_t mqueue_spool_t:file create_file_perms;
-
-# Write to /var/log/sendmail.st
-file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)
-
-allow $1_mail_t etc_mail_t:dir { getattr search };
-
-allow $1_mail_t { var_t var_spool_t }:dir getattr;
-
-allow $1_mail_t etc_runtime_t:file { getattr read };
-
-# Check available space.
-allow $1_mail_t fs_t:filesystem getattr;
-
-allow $1_mail_t sysctl_kernel_t:dir search;
-
-ifelse(`$1', `sysadm', `
-allow $1_mail_t proc_t:dir { getattr search };
-allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
-dontaudit $1_mail_t proc_net_t:dir search;
-allow $1_mail_t sysctl_kernel_t:file { getattr read };
-allow $1_mail_t etc_runtime_t:file { getattr read };
-', `
-dontaudit $1_mail_t proc_t:dir search;
-dontaudit $1_mail_t sysctl_kernel_t:file read;
-')dnl end if sysadm
-')
-
diff --git a/mls/macros/program/slocate_macros.te b/mls/macros/program/slocate_macros.te
deleted file mode 100644
index 115022b0..00000000
--- a/mls/macros/program/slocate_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for locate domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# locate_domain(domain_prefix)
-#
-# Define a derived domain for the locate program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/locate.te.
-#
-undefine(`locate_domain')
-ifdef(`slocate.te', `
-define(`locate_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_locate_t, domain;
-
-allow $1_locate_t self:process signal;
-
-allow $1_locate_t etc_t:file { getattr read };
-allow $1_locate_t self:unix_stream_socket create_socket_perms;
-r_dir_file($1_locate_t,locate_var_lib_t)
-allow $1_locate_t var_lib_t:dir search;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, locate_exec_t, $1_locate_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_locate_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_locate_t $1_gph_t:fd use;
-')
-
-allow $1_locate_t privfd:fd use;
-
-# allow ps to show locate
-can_ps($1_t, $1_locate_t)
-allow $1_t $1_locate_t:process signal;
-
-uses_shlib($1_locate_t)
-access_terminal($1_locate_t, $1)
-
-allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
-allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };
-
-base_file_read_access($1_locate_t)
-r_dir_file($1_locate_t, { etc_t lib_t var_t })
-dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms;
-dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };
-')
-
-', `
-
-define(`locate_domain',`')
-
-')
diff --git a/mls/macros/program/spamassassin_macros.te b/mls/macros/program/spamassassin_macros.te
deleted file mode 100644
index c85cfc78..00000000
--- a/mls/macros/program/spamassassin_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@ -# -# Macros for spamassassin domains. -# -# Author: Colin Walters - -# spamassassin_domain(domain_prefix) -# -# Define derived domains for various spamassassin tools when executed -# by a user domain. -# -# The type declarations for the executable types of these programs are -# provided separately in domains/program/spamassassin.te and -# domains/program/spamc.te. -# -undefine(`spamassassin_domain') -ifdef(`spamassassin.te', `define(`using_spamassassin', `')') -ifdef(`spamd.te', `define(`using_spamassassin', `')') -ifdef(`spamc.te', `define(`using_spamassassin', `')') - -ifdef(`using_spamassassin',` - -####### -# Macros used internally in these spamassassin macros. -# - -### -# Define a domain for a spamassassin-like program (spamc/spamassassin). -# -# Note: most of this should really be in a generic macro like -# base_user_program($1, foo) -define(`spamassassin_program_domain',` -type $1_$2_t, domain, privlog $3; -domain_auto_trans($1_t, $2_exec_t, $1_$2_t) - -role $1_r types $1_$2_t; -general_domain_access($1_$2_t) - -base_file_read_access($1_$2_t) -r_dir_file($1_$2_t, etc_t) -ifdef(`sendmail.te', ` -r_dir_file($1_$2_t, etc_mail_t) -') -allow $1_$2_t etc_runtime_t:file r_file_perms; -uses_shlib($1_$2_t) -read_locale($1_$2_t) -dontaudit $1_$2_t var_t:dir search; -tmp_domain($1_$2) -allow $1_$2_t privfd:fd use; -allow $1_$2_t userpty_type:chr_file rw_file_perms; -') dnl end spamassassin_program_domain - -### -# Give privileges to a domain for accessing ~/.spamassassin -# and a few other misc things like /dev/random. -# This is granted to /usr/bin/spamassassin and -# /usr/sbin/spamd, but NOT spamc (because it does not need it). -# -define(`spamassassin_agent_privs',` -allow $1 home_root_t:dir r_dir_perms; -file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t) -create_dir_file($1, $2_spamassassin_home_t) - -allow $1 urandom_device_t:chr_file r_file_perms; -') - -####### -# Define the main spamassassin macro. 
This itself creates a -# domain for /usr/bin/spamassassin, and also spamc/spamd if -# applicable. -# -define(`spamassassin_domain',` -spamassassin_program_domain($1, spamassassin) - -# For perl libraries. -allow $1_spamassassin_t lib_t:file rx_file_perms; -# Ignore perl digging in /proc and /var. -dontaudit $1_spamassassin_t proc_t:dir search; -dontaudit $1_spamassassin_t proc_t:lnk_file read; -dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; - -# For ~/.spamassassin -home_domain($1, spamassassin) -file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir) - -spamassassin_agent_privs($1_spamassassin_t, $1) - -can_resolve($1_spamassassin_t) -# set tunable if you have spamassassin do DNS lookups -if (spamassasin_can_network) { -can_network($1_spamassassin_t) -allow $1_spamassassin_t port_type:tcp_socket name_connect; -} -if (spamassasin_can_network && allow_ypbind) { -uncond_can_ypbind($1_spamassassin_t) -} -### -# Define the domain for /usr/bin/spamc -# -ifdef(`spamc.te',` -spamassassin_program_domain($1, spamc, `, nscd_client_domain') -can_network($1_spamc_t) -allow $1_spamc_t port_type:tcp_socket name_connect; -can_ypbind($1_spamc_t) - -# Allow connecting to a local spamd -ifdef(`spamd.te',` -can_tcp_connect($1_spamc_t, spamd_t) -can_unix_connect($1_spamc_t, spamd_t) -allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; -') dnl endif spamd.te -') dnl endif spamc.te - -### -# Define the domain for /usr/sbin/spamd -# -ifdef(`spamd.te',` - -spamassassin_agent_privs(spamd_t, $1) - -') dnl endif spamd.te - -') dnl end spamassassin_domain - -', ` - -define(`spamassassin_domain',`') - -') diff --git a/mls/macros/program/ssh_agent_macros.te b/mls/macros/program/ssh_agent_macros.te deleted file mode 100644 index 7215f5c5..00000000 --- a/mls/macros/program/ssh_agent_macros.te +++ /dev/null 
@@ -1,117 +0,0 @@ -# -# Macros for ssh agent -# - -# -# Author: Thomas Bleher -# - -# -# ssh_agent_domain(domain_prefix) -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/ssh-agent.te. -# -define(`ssh_agent_domain',` -# Define a derived domain for the ssh-agent program when executed -# by a user domain. -# Derived domain based on the calling user domain and the program. -type $1_ssh_agent_t, domain, privlog; - -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t) - -# The user role is authorized for this domain. -role $1_r types $1_ssh_agent_t; - -allow $1_ssh_agent_t privfd:fd use; - -# Write to the user domain tty. -access_terminal($1_ssh_agent_t, $1) - -# Allow the user shell to signal the ssh program. -allow $1_t $1_ssh_agent_t:process signal; -# allow ps to show ssh -can_ps($1_t, $1_ssh_agent_t) - -can_ypbind($1_ssh_agent_t) -if (use_nfs_home_dirs) { -allow $1_ssh_agent_t autofs_t:dir { search getattr }; -rw_dir_create_file($1_ssh_agent_t, nfs_t) -} -if (use_samba_home_dirs) { -rw_dir_create_file($1_ssh_agent_t, cifs_t) -} - -uses_shlib($1_ssh_agent_t) -read_locale($1_ssh_agent_t) - -allow $1_ssh_agent_t proc_t:dir search; -dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; -dontaudit $1_ssh_agent_t selinux_config_t:dir search; -dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr }; -read_sysctl($1_ssh_agent_t) - -# Access the ssh temporary files. Should we have an own type here -# to which only ssh, ssh-agent and ssh-add have access? 
-allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms; -file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t) -allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms; -allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms; - -allow $1_ssh_agent_t self:process { fork sigchld setrlimit }; -allow $1_ssh_agent_t self:capability setgid; - -# access the random devices -allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read }; - -# for ssh-add -can_unix_connect($1_t, $1_ssh_agent_t) - -# transition back to normal privs upon exec -domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t) -if (use_nfs_home_dirs) { -domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t) -} -if (use_samba_home_dirs) { -domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t) -} -allow $1_ssh_agent_t bin_t:dir search; - -# allow reading of /usr/bin/X11 (is a symlink) -allow $1_ssh_agent_t bin_t:lnk_file read; - -allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull; - -allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search; - -allow $1_ssh_t $1_tmp_t:sock_file write; -allow $1_ssh_t $1_t:unix_stream_socket connectto; -allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto; - -ifdef(`xdm.te', ` -can_pipe_xdm($1_ssh_agent_t) - -# kdm: sigchld -allow $1_ssh_agent_t xdm_t:process sigchld; -') - -# -# Allow command to ssh-agent > ~/.ssh_agent -# -allow $1_ssh_agent_t $1_home_t:file rw_file_perms; -allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms; - -allow $1_ssh_agent_t etc_runtime_t:file { getattr read }; -allow $1_ssh_agent_t etc_t:file { getattr read }; -allow $1_ssh_agent_t lib_t:file { getattr read }; - -allow $1_ssh_agent_t self:dir search; -allow $1_ssh_agent_t self:file { getattr read }; - -# Allow the ssh program to communicate with ssh-agent. -allow $1_ssh_t $1_tmp_t:sock_file write; -allow $1_ssh_t $1_t:unix_stream_socket connectto; -allow $1_ssh_t sshd_t:unix_stream_socket connectto; -')dnl end if ssh_agent - 
diff --git a/mls/macros/program/ssh_macros.te b/mls/macros/program/ssh_macros.te
deleted file mode 100644
index 0f6549f8..00000000
--- a/mls/macros/program/ssh_macros.te
+++ /dev/null
@@ -1,168 +0,0 @@ -# -# Macros for ssh domains. -# - -# -# Authors: Stephen Smalley -# Russell Coker -# Thomas Bleher -# - -# -# ssh_domain(domain_prefix) -# -# Define a derived domain for the ssh program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/ssh.te. -# -undefine(`ssh_domain') -ifdef(`ssh.te', ` -define(`ssh_domain',` -# Derived domain based on the calling user domain and the program. -type $1_ssh_t, domain, privlog, nscd_client_domain; -type $1_home_ssh_t, file_type, $1_file_type, sysadmfile; - -allow $1_ssh_t autofs_t:dir { search getattr }; -if (use_nfs_home_dirs) { -create_dir_file($1_ssh_t, nfs_t) -} -if (use_samba_home_dirs) { -create_dir_file($1_ssh_t, cifs_t) -} - -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t) - -# The user role is authorized for this domain. -role $1_r types $1_ssh_t; - -# Grant permissions within the domain. -general_domain_access($1_ssh_t) - -# Use descriptors created by sshd -allow $1_ssh_t privfd:fd use; - -uses_shlib($1_ssh_t) -read_locale($1_ssh_t) - -# Get attributes of file systems. -allow $1_ssh_t fs_type:filesystem getattr; - -base_file_read_access($1_ssh_t) - -# Read /var. -r_dir_file($1_ssh_t, var_t) - -# Read /var/run, /var/log. -allow $1_ssh_t var_run_t:dir r_dir_perms; -allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms; -allow $1_ssh_t var_log_t:dir r_dir_perms; -allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms; - -# Read /etc. -r_dir_file($1_ssh_t, etc_t) -allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms; - -# Read /dev directories and any symbolic links. -allow $1_ssh_t device_t:dir r_dir_perms; -allow $1_ssh_t device_t:lnk_file r_file_perms; - -# Read /dev/urandom. -allow $1_ssh_t urandom_device_t:chr_file r_file_perms; - -# Read and write /dev/null. 
-allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms; - -# Grant permissions needed to create TCP and UDP sockets and -# to access the network. -can_network_client_tcp($1_ssh_t) -allow $1_ssh_t ssh_port_t:tcp_socket name_connect; -can_resolve($1_ssh_t) -can_ypbind($1_ssh_t) -can_kerberos($1_ssh_t) - -# for port forwarding -if (user_tcp_server) { -allow $1_ssh_t port_t:tcp_socket name_bind; -} - -# Use capabilities. -allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; - -# run helper programs - needed eg for x11-ssh-askpass -can_exec($1_ssh_t, { shell_exec_t bin_t }) - -# Read the ssh key file. -allow $1_ssh_t sshd_key_t:file r_file_perms; - -# Access the ssh temporary files. -file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t) -allow $1_ssh_t $1_tmp_t:dir r_dir_perms; - -# for rsync -allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms; - -# Access the users .ssh directory. -file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir) -file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file) -allow $1_t $1_home_ssh_t:sock_file create_file_perms; -allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms; -allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read }; -dontaudit $1_ssh_t $1_home_t:dir { getattr search }; -r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t) -rw_dir_create_file($1_t, $1_home_ssh_t) - -# for /bin/sh used to execute xauth -dontaudit $1_ssh_t proc_t:dir search; -dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;') - -# Write to the user domain tty. -access_terminal($1_ssh_t, $1) - -# Allow the user shell to signal the ssh program. 
-allow $1_t $1_ssh_t:process signal; -# allow ps to show ssh -can_ps($1_t, $1_ssh_t) - -# Connect to X server -x_client_domain($1_ssh, $1) - -ifdef(`ssh-agent.te', ` -ssh_agent_domain($1) -')dnl end if ssh_agent.te - -#allow ssh to access keys stored on removable media -# Should we have a boolean around this? -allow $1_ssh_t mnt_t:dir search; -r_dir_file($1_ssh_t, removable_t) - -type $1_ssh_keysign_t, domain, nscd_client_domain; -role $1_r types $1_ssh_keysign_t; - -if (allow_ssh_keysign) { -domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t) -allow $1_ssh_keysign_t sshd_key_t:file { getattr read }; -allow $1_ssh_keysign_t self:capability { setgid setuid }; -allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms; -uses_shlib($1_ssh_keysign_t) -dontaudit $1_ssh_keysign_t selinux_config_t:dir search; -dontaudit $1_ssh_keysign_t proc_t:dir search; -dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read }; -allow $1_ssh_keysign_t usr_t:dir search; -allow $1_ssh_keysign_t etc_t:file { getattr read }; -allow $1_ssh_keysign_t self:dir search; -allow $1_ssh_keysign_t self:file { getattr read }; -allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms; -} - -')dnl end macro definition -', ` - -define(`ssh_domain',`') - -')dnl end if ssh.te diff --git a/mls/macros/program/su_macros.te b/mls/macros/program/su_macros.te deleted file mode 100644 index 206f58ef..00000000 --- a/mls/macros/program/su_macros.te +++ /dev/null 
@@ -1,188 +0,0 @@ -# -# Macros for su domains. -# - -# -# Authors: Stephen Smalley and Timothy Fraser -# - -# -# su_domain(domain_prefix) -# -# Define a derived domain for the su program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/su.te. -# - -undefine(`su_restricted_domain') -undefine(`su_mini_domain') -undefine(`su_domain') -ifdef(`su.te', ` - -define(`su_restricted_domain', ` -# Derived domain based on the calling user domain and the program. -type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain; -ifdef(`support_polyinstantiation', ` -typeattribute $1_su_t mlsfileread; -typeattribute $1_su_t mlsfilewrite; -typeattribute $1_su_t mlsfileupgrade; -typeattribute $1_su_t mlsfiledowngrade; -typeattribute $1_su_t mlsprocsetsl; -') - -# for SSP -allow $1_su_t urandom_device_t:chr_file { getattr read }; - -# Transition from the user domain to this domain. -domain_auto_trans($1_t, su_exec_t, $1_su_t) - -allow $1_su_t sbin_t:dir search; - -uses_shlib($1_su_t) -allow $1_su_t etc_t:file { getattr read }; -read_locale($1_su_t) -read_sysctl($1_su_t) -allow $1_su_t self:unix_dgram_socket { connect create write }; -allow $1_su_t self:unix_stream_socket create_stream_socket_perms; -allow $1_su_t self:fifo_file rw_file_perms; -allow $1_su_t proc_t:dir search; -allow $1_su_t proc_t:lnk_file read; -r_dir_file($1_su_t, self) -allow $1_su_t proc_t:file read; -allow $1_su_t self:process { setsched setrlimit }; -allow $1_su_t device_t:dir search; -allow $1_su_t self:process { fork sigchld }; -nsswitch_domain($1_su_t) -r_dir_file($1_su_t, selinux_config_t) - -dontaudit $1_su_t shadow_t:file { getattr read }; -dontaudit $1_su_t home_root_t:dir search; -dontaudit $1_su_t init_t:fd use; -allow $1_su_t var_lib_t:dir search; -allow $1_t $1_su_t:process signal; - -ifdef(`crond.te', ` -allow $1_su_t crond_t:fifo_file read; -') - -# Use capabilities. 
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write }; -dontaudit $1_su_t self:capability sys_tty_config; -# -# Caused by su - init scripts -# -dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; - -# By default, revert to the calling domain when a shell is executed. -domain_auto_trans($1_su_t, shell_exec_t, $1_t) -allow $1_su_t bin_t:dir search; -allow $1_su_t bin_t:lnk_file read; - -# But also allow transitions to unprivileged user domains. -domain_trans($1_su_t, shell_exec_t, unpriv_userdomain) -can_setexec($1_su_t) - -# Get security decisions -can_getsecurity($1_su_t) -r_dir_file($1_su_t, default_context_t) - -allow $1_su_t privfd:fd use; - -# Write to utmp. -allow $1_su_t { var_t var_run_t }:dir search; -allow $1_su_t initrc_var_run_t:file rw_file_perms; -can_kerberos($1_su_t) - -ifdef(`chkpwd.te', ` -domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t) -') - -allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - -') dnl end su_restricted_domain - -define(`su_mini_domain', ` -su_restricted_domain($1,$1) -if(!secure_mode) -{ - # if we are not in secure mode then we can transition to sysadm_t - domain_trans($1_su_t, shell_exec_t, sysadm_t) -} - -# Relabel ttys and ptys. -allow $1_su_t device_t:dir { getattr read search }; -allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; - -# Close and re-open ttys and ptys to get the fd into the correct domain. -allow $1_su_t { ttyfile ptyfile }:chr_file { read write }; - -')dnl end su_mini_domain - -define(`su_domain', ` -su_mini_domain($1) - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') - -# The user role is authorized for this domain. -role $1_r types $1_su_t; - -# Write to the user domain tty. 
-access_terminal($1_su_t, $1) - -allow $1_su_t { home_root_t $1_home_dir_t }:dir search; -allow $1_su_t $1_home_t:file create_file_perms; -ifdef(`user_canbe_sysadm', ` -allow $1_su_t home_dir_type:dir { search write }; -', ` -dontaudit $1_su_t home_dir_type:dir { search write }; -') - -allow $1_su_t autofs_t:dir { search getattr }; -if (use_nfs_home_dirs) { -allow $1_su_t nfs_t:dir search; -} -if (use_samba_home_dirs) { -allow $1_su_t cifs_t:dir search; -} - -ifdef(`support_polyinstantiation', ` -# Su can polyinstantiate -polyinstantiater($1_su_t) -# Su has to unmount polyinstantiated directories (like home) -# that should not be polyinstantiated under the new user -allow $1_su_t fs_t:filesystem unmount; -# Su needs additional permission to mount over a previous mount -allow $1_su_t polymember:dir mounton; -') - -# Modify .Xauthority file (via xauth program). -ifdef(`xauth.te', ` -file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) -file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) -file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) -domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) -') - -ifdef(`cyrus.te', ` -allow $1_su_t cyrus_var_lib_t:dir search; -') -ifdef(`ssh.te', ` -# Access sshd cookie files. -allow $1_su_t sshd_tmp_t:dir rw_dir_perms; -allow $1_su_t sshd_tmp_t:file rw_file_perms; -file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) -') - -allow $1_su_t var_lib_t:dir search; -dontaudit $1_su_t init_t:fd use; -')dnl end su_domain - -', ` - -define(`su_domain',`') - -') - diff --git a/mls/macros/program/sudo_macros.te b/mls/macros/program/sudo_macros.te deleted file mode 100644 index b2b4e1cb..00000000 --- a/mls/macros/program/sudo_macros.te +++ /dev/null 
@@ -1,34 +0,0 @@
-# Authors: Dan Walsh, Russell Coker
-# Maintained by Dan Walsh
-define(`sudo_domain',`
-newrole_domain($1_sudo, `, privuser')
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
-')
-
-allow $1_sudo_t self:capability sys_resource;
-
-allow $1_sudo_t self:process setrlimit;
-
-ifdef(`pam.te', `
-allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
-allow $1_sudo_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
-allow $1_sudo_t sysctl_t:dir search;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
-read_sysctl($1_sudo_t)
-
-allow $1_sudo_t var_run_t:dir search;
-r_dir_file($1_sudo_t, default_context_t)
-rw_dir_create_file($1_sudo_t, $1_tmp_t)
-rw_dir_create_file($1_sudo_t, $1_home_t)
-domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
-')
diff --git a/mls/macros/program/thunderbird_macros.te b/mls/macros/program/thunderbird_macros.te
deleted file mode 100644
index 2c0711d1..00000000
--- a/mls/macros/program/thunderbird_macros.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Thunderbird
-#
-# Author: Ivan Gyurdiev
-#
-
-#######################################
-# thunderbird_domain(role_prefix)
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`thunderbird_domain', `
-
-# Type for program
-type $1_thunderbird_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_thunderbird_trans) {
-domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
-}
-role $1_r types $1_thunderbird_t;
-
-# FIXME: Why does it try to do that?
-dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
-
-# Why is thunderbird looking in .mozilla ?
-# FIXME: there are legitimate uses of invoking the browser - about -> release notes
-dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
-
-# .kde/....gtkrc
-# FIXME: support properly
-dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
-
-# X, mail common stuff
-x_client_domain($1_thunderbird, $1)
-mail_client_domain($1_thunderbird, $1)
-
-allow $1_thunderbird_t self:process signull;
-allow $1_thunderbird_t fs_t:filesystem getattr;
-
-# GNOME support
-ifdef(`gnome.te', `
-gnome_application($1_thunderbird, $1)
-gnome_file_dialog($1_thunderbird, $1)
-allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
-')
-
-# Access ~/.thunderbird
-home_domain($1, thunderbird)
-
-# RSS feeds
-can_network_client_tcp($1_thunderbird_t, http_port_t)
-allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
-
-allow $1_thunderbird_t self:process { execheap execmem execstack };
-
-')
diff --git a/mls/macros/program/tvtime_macros.te b/mls/macros/program/tvtime_macros.te
deleted file mode 100644
index d965ae1e..00000000
--- a/mls/macros/program/tvtime_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for tvtime domains.
-#
-
-#
-# Author: Dan Walsh
-#
-
-#
-# tvtime_domain(domain_prefix)
-#
-# Define a derived domain for the tvtime program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/tvtime.te.
-#
-undefine(`tvtime_domain')
-ifdef(`tvtime.te', `
-define(`tvtime_domain',`
-
-# Type transition
-type $1_tvtime_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
-role $1_r types $1_tvtime_t;
-
-# X access, Home files
-home_domain($1, tvtime)
-file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir)
-x_client_domain($1_tvtime, $1)
-
-uses_shlib($1_tvtime_t)
-read_locale($1_tvtime_t)
-read_sysctl($1_tvtime_t)
-access_terminal($1_tvtime_t, $1)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_tvtime_t)
-allow $1_t $1_tvtime_t:process signal_perms;
-
-# Read /etc/tvtime
-allow $1_tvtime_t etc_t:file { getattr read };
-
-# Tmp files
-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
-
-allow $1_tvtime_t urandom_device_t:chr_file read;
-allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
-allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
-allow $1_tvtime_t $1_home_t:dir { getattr read search };
-allow $1_tvtime_t $1_home_t:file { getattr read };
-allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
-allow $1_tvtime_t self:process setsched;
-allow $1_tvtime_t usr_t:file { getattr read };
-
-')dnl end tvtime_domain
-
-', `
-
-define(`tvtime_domain',`')
-
-')
-
diff --git a/mls/macros/program/uml_macros.te b/mls/macros/program/uml_macros.te
deleted file mode 100644
index bc635f86..00000000
--- a/mls/macros/program/uml_macros.te
+++ /dev/null
@@ -1,137 +0,0 @@ -# -# Macros for uml domains. -# - -# -# Author: Russell Coker -# - -# -# uml_domain(domain_prefix) -# -# Define a derived domain for the uml program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/uml.te. -# -undefine(`uml_domain') -ifdef(`uml.te', ` -define(`uml_domain',` - -# Derived domain based on the calling user domain and the program. -type $1_uml_t, domain; -type $1_uml_exec_t, file_type, sysadmfile, $1_file_type; -type $1_uml_ro_t, file_type, sysadmfile, $1_file_type; -type $1_uml_rw_t, file_type, sysadmfile, $1_file_type; - -# for X -ifdef(`startx.te', ` -ifelse($1, sysadm, `', ` -ifdef(`xdm.te', ` -allow $1_uml_t xdm_xserver_tmp_t:dir search; -')dnl end if xdm.te -allow $1_uml_t $1_xserver_tmp_t:sock_file write; -can_unix_connect($1_uml_t, $1_xserver_t) -')dnl end ifelse sysadm -')dnl end ifdef startx - -allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms }; -allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms }; -allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms }; -allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms }; -r_dir_file($1_t, uml_ro_t) - -# Transition from the user domain to this domain. -domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t) -can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t }) - -# The user role is authorized for this domain. -role $1_r types $1_uml_t; - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;') - -# Inherit and use descriptors from newrole. 
-ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;') - -# allow ps, ptrace, signal -can_ps($1_t, $1_uml_t) -can_ptrace($1_t, $1_uml_t) -allow $1_t $1_uml_t:process signal_perms; - -# allow the UML thing to happen -allow $1_uml_t self:process { fork signal_perms ptrace }; -can_create_pty($1_uml) -allow $1_uml_t root_t:dir search; -tmp_domain($1_uml) -can_exec($1_uml_t, $1_uml_tmp_t) -tmpfs_domain($1_uml) -can_exec($1_uml_t, $1_uml_tmpfs_t) -create_dir_file($1_t, $1_uml_tmp_t) -allow $1_t $1_uml_tmp_t:sock_file create_file_perms; -allow $1_uml_t self:fifo_file rw_file_perms; -allow $1_uml_t fs_t:filesystem getattr; - -allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl }; - -ifdef(`uml_net.te', ` -# for uml_net -domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t) -allow uml_net_t $1_uml_t:unix_stream_socket { read write }; -allow uml_net_t $1_uml_t:unix_dgram_socket { read write }; -dontaudit uml_net_t privfd:fd use; -can_access_pty(uml_net_t, $1_uml) -dontaudit uml_net_t $1_uml_rw_t:dir { getattr search }; -')dnl end ifdef uml_net.te - -# for mconsole -allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto; -allow $1_uml_t $1_t:unix_dgram_socket sendto; - -# Use the network. 
-can_network($1_uml_t) -allow $1_uml_t port_type:tcp_socket name_connect; -can_ypbind($1_uml_t) - -# for xterm -uses_shlib($1_uml_t) -can_exec($1_uml_t, { bin_t sbin_t lib_t }) -allow $1_uml_t { bin_t sbin_t }:dir search; -allow $1_uml_t etc_t:file { getattr read }; -dontaudit $1_uml_t etc_runtime_t:file read; -can_tcp_connect($1_uml_t, sshd_t) -ifdef(`xauth.te', ` -allow $1_uml_t $1_xauth_home_t:file { getattr read }; -') -allow $1_uml_t var_run_t:dir search; -allow $1_uml_t initrc_var_run_t:file { getattr read }; -dontaudit $1_uml_t initrc_var_run_t:file { write lock }; - -allow $1_uml_t device_t:dir search; -allow $1_uml_t self:unix_stream_socket create_stream_socket_perms; -allow $1_uml_t self:unix_dgram_socket create_socket_perms; -allow $1_uml_t privfd:fd use; -allow $1_uml_t proc_t:dir search; -allow $1_uml_t proc_t:file { getattr read }; - -# for SKAS - need something better -allow $1_uml_t proc_t:file write; - -# Write to the user domain tty. -access_terminal($1_uml_t, $1) - -# access config files -allow $1_uml_t home_root_t:dir search; -file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t) -r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t }) - -# putting uml data under /var is usual... -allow $1_uml_t var_t:dir search; -')dnl end macro definition - -', ` - -define(`uml_domain',`') - -') diff --git a/mls/macros/program/userhelper_macros.te b/mls/macros/program/userhelper_macros.te deleted file mode 100644 index 2c715d37..00000000 --- a/mls/macros/program/userhelper_macros.te +++ /dev/null 
@@ -1,142 +0,0 @@ -#DESC Userhelper - SELinux utility to run a shell with a new role -# -# Authors: Dan Walsh (Red Hat) -# Maintained by Dan Walsh -# - -# -# userhelper_domain(domain_prefix) -# -# Define a derived domain for the userhelper/userhelper program when executed by -# a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/userhelper.te. -# -define(`userhelper_domain',` -type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain; - -in_user_role($1_userhelper_t) -role sysadm_r types $1_userhelper_t; - -ifelse($1, sysadm, ` -typealias sysadm_userhelper_t alias userhelper_t; -domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t) -') - -general_domain_access($1_userhelper_t); - -uses_shlib($1_userhelper_t) -read_locale($1_userhelper_t) -read_sysctl($1_userhelper_t) - -# for when the user types "exec userhelper" at the command line -allow $1_userhelper_t privfd:process sigchld; - -domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t) - -# Inherit descriptors from the current session. -allow $1_userhelper_t { init_t privfd }:fd use; - -can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t }) - -# Execute shells -allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms; -allow $1_userhelper_t { sbin_t bin_t }:lnk_file read; -allow $1_userhelper_t shell_exec_t:file r_file_perms; - -# By default, revert to the calling domain when a program is executed. -domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t) - -# Allow $1_userhelper_t to transition to user domains. 
-domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain) -if (!secure_mode) { - # if we are not in secure mode then we can transition to sysadm_t - domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t) -} -can_setexec($1_userhelper_t) - -ifdef(`distro_redhat', ` -ifdef(`rpm.te', ` -# Allow transitioning to rpm_t, for up2date -allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure }; -') -') - -# Use capabilities. -allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; - -# Write to utmp. -file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file) - -# Read the devpts root directory. -allow $1_userhelper_t devpts_t:dir r_dir_perms; - -# Read the /etc/security/default_type file -allow $1_userhelper_t etc_t:file r_file_perms; - -# Read /var. -r_dir_file($1_userhelper_t, var_t) - -# Read /dev directories and any symbolic links. -allow $1_userhelper_t device_t:dir r_dir_perms; - -# Relabel terminals. -allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; - -# Access terminals. 
-allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;') - -# -# Allow $1_userhelper to obtain contexts to relabel TTYs -# -can_getsecurity($1_userhelper_t) - -allow $1_userhelper_t fs_t:filesystem getattr; - -# for some PAM modules and for cwd -allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search; - -allow $1_userhelper_t proc_t:dir search; -allow $1_userhelper_t proc_t:file { getattr read }; - -# for when the network connection is killed -dontaudit unpriv_userdomain $1_userhelper_t:process signal; - -allow $1_userhelper_t userhelper_conf_t:file rw_file_perms; -allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; - -ifdef(`pam.te', ` -allow $1_userhelper_t pam_var_run_t:dir create_dir_perms; -allow $1_userhelper_t pam_var_run_t:file create_file_perms; -') - -allow $1_userhelper_t urandom_device_t:chr_file { getattr read }; - -allow $1_userhelper_t autofs_t:dir search; -role system_r types $1_userhelper_t; -r_dir_file($1_userhelper_t, nfs_t) - -ifdef(`xdm.te', ` -can_pipe_xdm($1_userhelper_t) -allow $1_userhelper_t xdm_var_run_t:dir search; -') - -r_dir_file($1_userhelper_t, selinux_config_t) -r_dir_file($1_userhelper_t, default_context_t) - -ifdef(`xauth.te', ` -domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t) -allow $1_userhelper_t $1_xauth_home_t:file { getattr read }; -') - -ifdef(`pamconsole.te', ` -allow $1_userhelper_t pam_var_console_t:dir { search }; -') - -ifdef(`mozilla.te', ` -domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) -') - -')dnl end userhelper macro diff --git a/mls/macros/program/vmware_macros.te b/mls/macros/program/vmware_macros.te deleted file mode 100644 index bb0914a5..00000000 --- a/mls/macros/program/vmware_macros.te +++ /dev/null 
@@ -1,128 +0,0 @@
-# Macro for vmware
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
-# modifications by NAI Labs.
-#
-# Turned into a macro by Thomas Bleher
-#
-# vmware_domain(domain_prefix)
-#
-# Define a derived domain for the vmware program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/vmware.te. This file also
-# implements a separate domain vmware_t.
-#
-
-define(`vmware_domain', `
-
-# Domain for the user applications to run in.
-type $1_vmware_t, domain, privmem;
-
-role $1_r types $1_vmware_t;
-
-# The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
-
-# The user file type for the VMWare configuration files
-type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
-
-#############################################################
-# User rules for running VMWare
-#
-# Transition to VMWare user domain
-domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
-can_exec($1_vmware_t, vmware_user_exec_t)
-uses_shlib($1_vmware_t)
-var_run_domain($1_vmware)
-
-general_domain_access($1_vmware_t);
-
-# Capabilities needed by VMWare for the user execution. This seems a
-# bit too much, so be careful.
-allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
-
-# Access to ttys
-allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
-allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_vmware_t privfd:fd use;
-
-# Access /proc
-r_dir_file($1_vmware_t, proc_t)
-allow $1_vmware_t proc_net_t:dir search;
-allow $1_vmware_t proc_net_t:file { getattr read };
-
-# Access to some files in the user home directory
-r_dir_file($1_vmware_t, $1_home_t)
-
-# Access to runtime files for user
-allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
-allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
-allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
-
-# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
-r_dir_file($1_vmware_t, vmware_sys_conf_t)
-
-# Allow $1_vmware_t to read/write files in the tmp dir
-tmp_domain($1_vmware)
-allow $1_vmware_t $1_vmware_tmp_t:file execute;
-
-# Allow read access to several paths
-r_dir_file($1_vmware_t, etc_t)
-allow $1_vmware_t etc_runtime_t:file r_file_perms;
-allow $1_vmware_t device_t:dir r_dir_perms;
-allow $1_vmware_t var_t:dir r_dir_perms;
-allow $1_vmware_t tmpfs_t:file rw_file_perms;
-
-# Allow vmware to write to ~/.vmware
-rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
-
-#
-# This is bad; VMWare needs execute permission to the .cfg file for the
-# configuration to run.
-#
-allow $1_vmware_t $1_vmware_conf_t:file execute;
-
-# Access X11 config files
-allow $1_vmware_t lib_t:file r_file_perms;
-
-# Access components of VMWare in /usr/lib/vmware/bin by default
-allow $1_vmware_t bin_t:dir r_dir_perms;
-
-# Allow access to lp port (Need to create an lp device domain )
-allow $1_vmware_t device_t:chr_file r_file_perms;
-
-# Allow access to /dev/mem
-allow $1_vmware_t memory_device_t:chr_file { read write };
-
-# Allow access to mouse
-allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
-
-# Allow access the sound device
-allow $1_vmware_t sound_device_t:chr_file { ioctl write };
-
-# Allow removable media and devices
-allow $1_vmware_t removable_device_t:blk_file r_file_perms;
-allow $1_vmware_t device_t:lnk_file read;
-
-# Allow access to the real time clock device
-allow $1_vmware_t clock_device_t:chr_file read;
-
-# Allow to attach to Xserver, and Xserver to attach back
-ifdef(`gnome-pty-helper.te', `
-allow $1_vmware_t $1_gph_t:fd use;
-')
-ifdef(`startx.te', `
-allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
-allow $1_vmware_t $1_xserver_tmp_t:dir search;
-allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
-allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
-allow $1_xserver_t $1_vmware_t:fd use;
-')
-
-# Allow filesystem read access
-allow $1_vmware_t fs_t:filesystem getattr;
-
-')
-
diff --git a/mls/macros/program/x_client_macros.te b/mls/macros/program/x_client_macros.te
deleted file mode 100644
index adce9f0f..00000000
--- a/mls/macros/program/x_client_macros.te
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# Macros for X client programs
-#
-
-#
-# Author: Russell Coker
-# Based on the work of Stephen Smalley
-# and Timothy Fraser
-#
-
-# Allows clients to write to the X server's shm
-bool allow_write_xshm false;
-
-define(`xsession_domain', `
-
-# Connect to xserver
-can_unix_connect($1_t, $2_xserver_t)
-
-# Read /tmp/.X0-lock
-allow $1_t $2_xserver_tmp_t:file { getattr read };
-
-# Signal Xserver
-allow $1_t $2_xserver_t:process signal;
-
-# Xserver read/write client shm
-allow $2_xserver_t $1_t:fd use;
-allow $2_xserver_t $1_t:shm rw_shm_perms;
-allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
-
-# Client read xserver shm
-allow $1_t $2_xserver_t:fd use;
-allow $1_t $2_xserver_t:shm r_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
-
-# Client write xserver shm
-if (allow_write_xshm) {
-allow $1_t $2_xserver_t:shm rw_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
-}
-
-')
-
-#
-# x_client_domain(client, role)
-#
-# Defines common X access rules for the client domain
-#
-define(`x_client_domain',`
-
-# Create socket to communicate with X server
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
-# Read .Xauthority file
-ifdef(`xauth.te',`
-allow $1_t home_root_t:dir { search getattr };
-allow $1_t $2_home_dir_t:dir { search getattr };
-allow $1_t $2_xauth_home_t:file { getattr read };
-')
-
-# for .xsession-errors
-dontaudit $1_t $2_home_t:file write;
-
-# for X over a ssh tunnel
-ifdef(`ssh.te', `
-can_tcp_connect($1_t, sshd_t)
-')
-
-# Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1)
-allow $1_t self:shm create_shm_perms;
-
-# allow X client to read all font files
-read_fonts($1_t, $2)
-
-# Allow connections to X server.
-ifdef(`xserver.te', `
-allow $1_t tmp_t:dir search;
-
-ifdef(`xdm.te', `
-xsession_domain($1, xdm)
-
-# for when /tmp/.X11-unix is created by the system
-can_pipe_xdm($1_t)
-allow $1_t xdm_tmp_t:dir search;
-allow $1_t xdm_tmp_t:sock_file { read write };
-dontaudit $1_t xdm_t:tcp_socket { read write };
-')
-
-ifdef(`startx.te', `
-xsession_domain($1, $2)
-')dnl end startx
-
-')dnl end xserver
-
-')dnl end x_client macro
diff --git a/mls/macros/program/xauth_macros.te b/mls/macros/program/xauth_macros.te
deleted file mode 100644
index ca7a5ee0..00000000
--- a/mls/macros/program/xauth_macros.te
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Macros for xauth domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# xauth_domain(domain_prefix)
-#
-# Define a derived domain for the xauth program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/xauth.te.
-#
-undefine(`xauth_domain')
-ifdef(`xauth.te', `
-define(`xauth_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_xauth_t, domain;
-
-allow $1_xauth_t self:process signal;
-
-home_domain($1, xauth)
-file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
-ifdef(`ssh.te', `
-domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
-allow $1_xauth_t sshd_t:fifo_file { getattr read };
-dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
-allow $1_xauth_t sshd_t:process sigchld;
-')dnl end if ssh
-
-# The user role is authorized for this domain.
-role $1_r types $1_xauth_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_xauth_t $1_gph_t:fd use;
-')
-
-allow $1_xauth_t privfd:fd use;
-allow $1_xauth_t ptmx_t:chr_file { read write };
-
-# allow ps to show xauth
-can_ps($1_t, $1_xauth_t)
-allow $1_t $1_xauth_t:process signal;
-
-uses_shlib($1_xauth_t)
-
-# allow DNS lookups...
-can_resolve($1_xauth_t)
-can_ypbind($1_xauth_t)
-ifdef(`named.te', `
-can_udp_send($1_xauth_t, named_t)
-can_udp_send(named_t, $1_xauth_t)
-')dnl end if named.te
-
-allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_xauth_t etc_t:file { getattr read };
-allow $1_xauth_t fs_t:filesystem getattr;
-
-# Write to the user domain tty.
-access_terminal($1_xauth_t, $1)
-
-# Scan /var/run.
-allow $1_xauth_t var_t:dir search;
-allow $1_xauth_t var_run_t:dir search;
-
-tmp_domain($1_xauth)
-allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
-
-')dnl end xauth_domain macro
-
-', `
-
-define(`xauth_domain',`')
-
-')dnl end if xauth.te
diff --git a/mls/macros/program/xdm_macros.te b/mls/macros/program/xdm_macros.te
deleted file mode 100644
index bea127f4..00000000
--- a/mls/macros/program/xdm_macros.te
+++ /dev/null
@@ -1,13 +0,0 @@
-########################################
-#
-# can_pipe_xdm(domain)
-#
-# Allow communication to xdm over a pipe
-#
-
-define(`can_pipe_xdm', `
-ifdef(`xdm.te', `
-allow $1 xdm_t:fd use;
-allow $1 xdm_t:fifo_file { getattr read write ioctl };
-')
-') dnl can_pipe_xdm
diff --git a/mls/macros/program/xserver_macros.te b/mls/macros/program/xserver_macros.te
deleted file mode 100644
index e2eaf824..00000000
--- a/mls/macros/program/xserver_macros.te
+++ /dev/null
@@ -1,274 +0,0 @@
-#
-# Macros for X server domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#################################
-#
-# xserver_domain(domain_prefix)
-#
-# Define a derived domain for the X server when executed
-# by a user domain (e.g. via startx). See the xdm_t domain
-# in domains/program/xdm.te if using an X Display Manager.
-#
-# The type declarations for the executable type for this program
-# and the log type are provided separately in domains/program/xserver.te.
-#
-# FIXME! The X server requires far too many privileges.
-#
-undefine(`xserver_domain')
-ifdef(`xserver.te', `
-
-define(`xserver_domain',`
-# Derived domain based on the calling user domain and the program.
-ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
-allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
-ifdef(`rpm.te', `
-allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-allow $1_xserver_t rpm_tmpfs_t:file { read write };
-allow $1_xserver_t rpm_t:fd use;
-')
-
-', `
-type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
-')
-
-# for SSP
-allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
-
-# Transition from the user domain to this domain.
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
-')
-', `
-domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
-')dnl end ifelse xdm
-can_exec($1_xserver_t, xserver_exec_t)
-
-uses_shlib($1_xserver_t)
-
-allow $1_xserver_t texrel_shlib_t:file execmod;
-
-can_network($1_xserver_t)
-allow $1_xserver_t port_type:tcp_socket name_connect;
-can_ypbind($1_xserver_t)
-allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
-
-# for access within the domain
-general_domain_access($1_xserver_t)
-
-allow $1_xserver_t self:process execmem;
-# Until the X module loader is fixed.
-allow $1_xserver_t self:process execheap;
-
-allow $1_xserver_t etc_runtime_t:file { getattr read };
-
-ifelse($1, xdm, `
-# The system role is authorised for the xdm and initrc domains
-role system_r types xdm_xserver_t;
-
-allow xdm_xserver_t init_t:fd use;
-
-dontaudit xdm_xserver_t home_dir_type:dir { read search };
-
-# Read all global and per user fonts
-read_fonts($1_xserver_t, sysadm)
-read_fonts($1_xserver_t, staff)
-read_fonts($1_xserver_t, user)
-
-', `
-# The user role is authorized for this domain.
-role $1_r types $1_xserver_t;
-
-allow $1_xserver_t getty_t:fd use;
-allow $1_xserver_t local_login_t:fd use;
-allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
-allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
-
-can_unix_connect($1_t, $1_xserver_t)
-
-# Read fonts
-read_fonts($1_xserver_t, $1)
-
-# Access the home directory.
-allow $1_xserver_t home_root_t:dir search;
-allow $1_xserver_t $1_home_dir_t:dir { getattr search };
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
-allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-', `
-allow $1_xserver_t $1_home_t:file { getattr read };
-')dnl end ifdef xauth
-ifdef(`userhelper.te', `
-allow $1_xserver_t userhelper_conf_t:dir search;
-')dnl end ifdef userhelper
-')dnl end ifelse xdm
-
-allow $1_xserver_t self:process setsched;
-
-allow $1_xserver_t fs_t:filesystem getattr;
-
-# Xorg wants to check if kernel is tainted
-read_sysctl($1_xserver_t)
-
-# Use capabilities.
-# allow setuid/setgid for the wrapper program to change UID
-# sys_rawio is for iopl access - should not be needed for frame-buffer
-# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
-# admin of APM bios?
-# sys_nice is so that the X server can set a negative nice value
-allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-allow $1_xserver_t nfs_t:dir { getattr search };
-
-# memory_device_t access is needed if not using the frame buffer
-#dontaudit $1_xserver_t memory_device_t:chr_file read;
-allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
-# net_bind_service is needed if you want your X server to allow TCP connections
-# from other hosts, EG an XDM serving a network of X terms
-# if you want good security you do not want this
-# not sure why some people want chown, fsetid, and sys_tty_config.
-#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
-dontaudit $1_xserver_t self:capability chown;
-
-# for nscd
-dontaudit $1_xserver_t var_run_t:dir search;
-
-allow $1_xserver_t mtrr_device_t:file rw_file_perms;
-allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
-allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
-allow $1_xserver_t device_t:lnk_file { getattr read };
-allow $1_xserver_t devtty_t:chr_file rw_file_perms;
-allow $1_xserver_t zero_device_t:chr_file { read write execute };
-
-# Type for temporary files.
-tmp_domain($1_xserver, `', `{ dir file sock_file }')
-file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
-
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-allow xdm_t $1_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_xserver_t xdm_t:process signal;
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_t xdm_xserver_t:shm rw_shm_perms;
-dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-')
-', `
-allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_t $1_xserver_t:process signal;
-
-# Allow the user domain to connect to the X server.
-can_unix_connect($1_t, $1_xserver_t)
-allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
-ifdef(`xdm.te', `
-allow $1_t xdm_tmp_t:sock_file unlink;
-allow $1_xserver_t xdm_var_run_t:dir search;
-')
-
-# Signal the user domain.
-allow $1_xserver_t $1_t:process signal;
-
-# Communicate via System V shared memory.
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-allow $1_t $1_xserver_t:shm rw_shm_perms;
-allow $1_xserver_t initrc_t:shm rw_shm_perms;
-
-')dnl end ifelse xdm
-
-# Create files in /var/log with the xserver_log_t type.
-allow $1_xserver_t var_t:dir search;
-file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
-allow $1_xserver_t xserver_log_t:dir r_dir_perms;
-
-# Access AGP device.
-allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
-
-# for other device nodes such as the NVidia binary-only driver
-allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
-
-# Access /proc/mtrr
-allow $1_xserver_t proc_t:file rw_file_perms;
-allow $1_xserver_t proc_t:lnk_file { getattr read };
-
-# Access /proc/sys/dev
-allow $1_xserver_t sysctl_dev_t:dir search;
-allow $1_xserver_t sysctl_dev_t:file { getattr read };
-# Access /proc/bus/pci
-allow $1_xserver_t proc_t:dir r_dir_perms;
-
-# Create and access /dev/dri devices.
-allow $1_xserver_t device_t:dir { create setattr };
-file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
-# brought on by rhgb
-allow $1_xserver_t mnt_t:dir search;
-
-allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
-
-# Run helper programs in $1_xserver_t.
-allow $1_xserver_t { bin_t sbin_t }:dir search;
-allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
-allow $1_xserver_t bin_t:lnk_file read;
-can_exec($1_xserver_t, { bin_t shell_exec_t })
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-can_unix_connect($1_xserver_t, xfs_t)
-allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
-allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
-
-# Bind to the X server socket in /tmp.
-allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
-')
-
-read_locale($1_xserver_t)
-
-# Type for tmpfs/shm files.
-tmpfs_domain($1_xserver)
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
-')
-', `
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-rw_dir_file($1_xserver_t, $1_tmpfs_t)
-')dnl end ifelse xdm
-
-
-r_dir_file($1_xserver_t,sysfs_t)
-
-# Use the mouse.
-allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
-# Allow xserver to read events - the synaptics touchpad
-# driver reads raw events
-allow $1_xserver_t event_device_t:chr_file rw_file_perms;
-ifdef(`pamconsole.te', `
-allow $1_xserver_t pam_var_console_t:dir search;
-')
-dontaudit $1_xserver_t selinux_config_t:dir search;
-
-allow $1_xserver_t var_lib_t:dir search;
-rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
-
-')dnl end macro definition
-
-', `
-
-define(`xserver_domain',`')
-
-')
-
diff --git a/mls/macros/program/ypbind_macros.te b/mls/macros/program/ypbind_macros.te
deleted file mode 100644
index 04a8f1db..00000000
--- a/mls/macros/program/ypbind_macros.te
+++ /dev/null
@@ -1,19 +0,0 @@
-define(`uncond_can_ypbind', `
-can_network($1)
-r_dir_file($1,var_yp_t)
-allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
-allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
-dontaudit $1 self:capability net_bind_service;
-dontaudit $1 reserved_port_type:tcp_socket name_connect;
-dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
-')
-
-define(`can_ypbind', `
-ifdef(`ypbind.te', `
-if (allow_ypbind) {
-uncond_can_ypbind($1)
-} else {
-dontaudit $1 var_yp_t:dir search;
-}
-') dnl ypbind.te
-') dnl can_ypbind
diff --git a/mls/macros/user_macros.te b/mls/macros/user_macros.te
deleted file mode 100644
index 5575e640..00000000
--- a/mls/macros/user_macros.te
+++ /dev/null
@@ -1,326 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-# role_tty_type_change(starting_role, ending_role)
-#
-# change from role $1_r to $2_r and relabel tty appropriately
-#
-
-undefine(`role_tty_type_change')
-define(`role_tty_type_change', `
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-#
-# reach_sysadm(user)
-#
-# Reach sysadm_t via programs like userhelper/sudo/su
-#
-
-undefine(`reach_sysadm')
-define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-ifdef(`su.te', `
-su_domain($1)
-# When an ordinary user domain runs su, su may try to
-# update the /root/.Xauthority file, and the user shell may
-# try to update the shell history. This is not allowed, but
-# we dont need to audit it.
-dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
-') dnl ifdef su.te
-ifdef(`xauth.te', `
-file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-ifdef(`userhelper.te', `
-file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-') dnl userhelper.te
-') dnl xauth.te
-') dnl reach_sysadm
-
-#
-# priv_user(user)
-#
-# Privileged user domain
-#
-
-undefine(`priv_user')
-define(`priv_user', `
-# Reach sysadm_t
-reach_sysadm($1)
-
-# Read file_contexts for rpm and get security decisions.
-r_dir_file($1_t, file_context_t)
-can_getsecurity($1_t)
-
-# Signal and see information about unprivileged user domains.
-allow $1_t unpriv_userdomain:process signal_perms;
-can_ps($1_t, unpriv_userdomain)
-allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
-
-# Read /root files if boolean is enabled.
-if (staff_read_sysadm_file) {
-allow $1_t sysadm_home_dir_t:dir { getattr search };
-allow $1_t sysadm_home_t:file { getattr read };
-}
-
-') dnl priv_user
-
-#
-# user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately.
-#
-
-# user_domain() is also called by the admin_domain() macro
-undefine(`user_domain')
-define(`user_domain', `
-# Use capabilities
-
-# Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-ifdef(`support_polyinstantiation', `
-type_member $1_t tmp_t:dir $1_tmp_t;
-type_member $1_t $1_home_dir_t:dir $1_home_t;
-')
-
-base_user_domain($1)
-ifdef(`mls_policy', `', `
-access_removable_media($1_t)
-')
-
-# do not allow privhome access to sysadm_home_dir_t
-file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
-
-allow $1_t boot_t:dir { getattr search };
-dontaudit $1_t boot_t:lnk_file read;
-dontaudit $1_t boot_t:file read;
-allow $1_t system_map_t:file { getattr read };
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifelse($1, sysadm, `',`
-ifdef(`apache.te', `apache_user_domain($1)')
-ifdef(`i18n_input.te', `i18n_input_domain($1)')
-ifdef(`spamd.te', `home_domain_ro_access(spamd_t, $1)')
-')
-ifdef(`slocate.te', `locate_domain($1)')
-ifdef(`lockdev.te', `lockdev_domain($1)')
-
-can_kerberos($1_t)
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-#
-# Need the following rule to allow users to run vpnc
-#
-ifdef(`xserver.te', `
-allow $1_t xserver_port_t:tcp_socket name_bind;
-')
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols
-if (user_tcp_server) {
-allow $1_t port_t:tcp_socket name_bind;
-}
-# port access is audited even if dac would not have allowed it, so dontaudit it here
-dontaudit $1_t { reserved_port_type reserved_port_t }:tcp_socket name_bind;
-
-# Allow system log read
-if (user_dmesg) {
-allow $1_t kernel_t:system syslog_read;
-} else {
-# else do not log it
-dontaudit $1_t kernel_t:system syslog_read;
-}
-
-# Allow read access to utmp.
-allow $1_t initrc_var_run_t:file { getattr read lock };
-# The library functions always try to open read-write first,
-# then fall back to read-only if it fails.
-# Do not audit write denials to utmp to avoid the noise.
-dontaudit $1_t initrc_var_run_t:file write;
-
-
-# do not audit read on disk devices
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
-ifdef(`xdm.te', `
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-#
-# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-#
-dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')dnl end ifdef ftpd
-
-
-')dnl end user_domain macro
-
-
-###########################################################################
-#
-# Domains for ordinary users.
-#
-undefine(`limited_user_role')
-define(`limited_user_role', `
-# user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
-
-#Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
-# Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
-
-# Access ttys.
-allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-# Grant read/search permissions to some of /proc.
-r_dir_file($1_t, proc_t)
-# netstat needs to access proc_net_t; if you want to hide this info use dontaudit here instead
-r_dir_file($1_t, proc_net_t)
-
-base_file_read_access($1_t)
-
-# Execute from the system shared libraries.
-uses_shlib($1_t)
-
-# Read /etc.
-r_dir_file($1_t, etc_t)
-allow $1_t etc_runtime_t:file r_file_perms;
-allow $1_t etc_runtime_t:lnk_file { getattr read };
-
-allow $1_t self:process { fork sigchld setpgid signal_perms };
-
-# read localization information
-read_locale($1_t)
-
-read_sysctl($1_t)
-can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-allow $1_t self:fifo_file rw_file_perms;
-
-allow $1_t self:lnk_file read;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t urandom_device_t:chr_file { getattr read };
-dontaudit $1_t { var_spool_t var_log_t }:dir search;
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file { getattr read };
-allow $1_t devtty_t:chr_file { read write };
-
-')
-
-undefine(`full_user_role')
-define(`full_user_role', `
-
-limited_user_role($1)
-
-typeattribute $1_t web_client_domain;
-
-attribute $1_file_type;
-
-ifdef(`useradd.te', `
-# Useradd relabels /etc/skel files so needs these privs
-allow useradd_t $1_file_type:dir create_dir_perms;
-allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
-')
-
-can_exec($1_t, usr_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_t readable_t:dir r_dir_perms;
-allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
-# Stat lost+found.
-allow $1_t lost_found_t:dir getattr;
-
-# Read /var, /var/spool, /var/run.
-r_dir_file($1_t, var_t)
-# what about pipes and sockets under /var/spool?
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, var_run_t)
-allow $1_t var_lib_t:dir r_dir_perms;
-allow $1_t var_lib_t:file { getattr read };
-
-# for running depmod as part of the kernel packaging process
-allow $1_t modules_conf_t:file { getattr read };
-
-# Read man directories and files.
-r_dir_file($1_t, man_t)
-
-# Allow users to rw usb devices
-if (user_rw_usb) {
-rw_dir_create_file($1_t,usbdevfs_t)
-} else {
-r_dir_file($1_t,usbdevfs_t)
-}
-
-r_dir_file($1_t,sysfs_t)
-
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1_t ld_so_cache_t:file write;
-
-# $1_t is also granted permissions specific to user domains.
-user_domain($1)
-
-dontaudit $1_t sysadm_home_t:file { read append };
-
-ifdef(`syslogd.te', `
-# Some programs that are left in $1_t will try to connect
-# to syslogd, but we do not want to let them generate log messages.
-# Do not audit.
-dontaudit $1_t devlog_t:sock_file { read write };
-dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-')
-
-# Stop warnings about access to /dev/console
-dontaudit $1_t init_t:fd use;
-dontaudit $1_t initrc_t:fd use;
-allow $1_t initrc_t:fifo_file write;
-
-#
-# Rules used to associate a homedir as a mountpoint
-#
-allow $1_home_t self:filesystem associate;
-allow $1_file_type $1_home_t:filesystem associate;
-')
-
-undefine(`in_user_role')
-define(`in_user_role', `
-role user_r types $1;
-role staff_r types $1;
-')
-
diff --git a/mls/mcs b/mls/mcs
deleted file mode 100644
index 8a04ae85..00000000
--- a/mls/mcs
+++ /dev/null
@@ -1,162 +0,0 @@
-#
-# Define sensitivities
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_mls_op r2
-# | t1 op t2
-# | l1 role_mls_op l2
-# | l1 role_mls_op h2
-# | h1 role_mls_op l2
-# | h1 role_mls_op h2
-# | l1 role_mls_op h1
-# | l2 role_mls_op h2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MCS policy for the file classes
-#
-# Constrain file access so that the high range of the process dominates
-# the high range of the file. We use the high range of the process so
-# that processes can always simply run at s0.
-#
-# Only files are constrained by MCS at this stage.
-#
-mlsconstrain file { write setattr append unlink link rename
- create ioctl lock execute } (h1 dom h2);
-
-mlsconstrain file { read } ((h1 dom h2) or
- ( t1 == mlsfileread ));
-
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
- ( h1 dom h2 );
-
-define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
-link unlink rename relabelfrom relabelto }')
-
-define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
-rename search add_name remove_name reparent write rmdir relabelfrom
-relabelto }')
-
-# XXX
-#
-# For some reason, we need to reference the mlsfileread attribute
-# or we get a build error. Below is a dummy entry to do this.
-mlsconstrain xextension query ( t1 == mlsfileread );
-
diff --git a/mls/mls b/mls/mls
deleted file mode 100644
index c7d04efa..00000000
--- a/mls/mls
+++ /dev/null
@@ -1,665 +0,0 @@
-#
-# Define sensitivities
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-
-#
-# Each MLS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
-
-
-#
-# Define the MLS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_mls_op r2
-# | t1 op t2
-# | l1 role_mls_op l2
-# | l1 role_mls_op h2
-# | h1 role_mls_op l2
-# | h1 role_mls_op h2
-# | l1 role_mls_op h1
-# | l2 role_mls_op h2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MLS policy for the file classes
-#
-
-# make sure these file classes are "single level"
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
- ( l2 eq h2 );
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
- ( h1 dom h2 );
-
-# the file "read" ops (note the check is dominance of the low level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
- (( l1 dom l2 ) or
- (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsfileread ) or
- ( t2 == mlstrustedobject ));
-
-mlsconstrain dir search
- (( l1 dom l2 ) or
- (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsfileread ) or
- ( t2 == mlstrustedobject ));
-
-# the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
- (( l1 eq l2 ) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ) or
- ( t2 == mlstrustedobject ));
-
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ) or
- ( t2 == mlstrustedobject ));
-
-mlsconstrain dir { add_name remove_name reparent rmdir }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ) or
- ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
-#
-# { file chr_file } { execute_no_trans entrypoint execmod }
-
-# the file upgrade/downgrade rule
-mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
- ((( l1 eq l2 ) or
- (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
- (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
- (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
- (( h1 eq h2 ) or
- (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
- (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
- (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
-
-# create can also require the upgrade/downgrade checks if the creating process
-# has used setfscreate (note that both the high and low level of the object
-# default to the process' sensitivity level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
- ((( l1 eq l2 ) or
- (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
- (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
- (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
- (( l1 eq h2 ) or
- (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
- (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
- (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
-
-
-
-
-#
-# MLS policy for the filesystem class
-#
-
-# new filesystem labels must be dominated by the relabeling subject's clearance
-mlsconstrain filesystem relabelto
- ( h1 dom h2 );
-
-# the filesystem "read" ops (implicit single level)
-mlsconstrain filesystem { getattr quotaget }
- (( l1 dom l2 ) or
- (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsfileread ));
-
-# all the filesystem "write" ops (implicit single level)
-mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
- (( l1 eq l2 ) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ));
-
-# these access vectors have no MLS restrictions
-# filesystem { transition associate }
-
-
-
-
-#
-# MLS policy for the socket classes
-#
-
-# new socket labels must be dominated by the relabeling subject's clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
- ( h1 dom h2 );
-
-# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
- (( l1 dom l2 ) or
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-
-mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
- (( l1 dom l2 ) or
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-
-# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsnetwrite ));
-
-# these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
-#
-# { tcp_socket udp_socket rawip_socket } node_bind
-#
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
-#
-# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
-#
-
-
-
-
-#
-# MLS policy for the ipc classes
-#
-
-# the ipc "read" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
- (( l1 dom l2 ) or
- (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsipcread ));
-
-mlsconstrain msg receive
- (( l1 dom l2 ) or
- (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsipcread ));
-
-# the ipc "write" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
- (( l1 eq l2 ) or
- (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsipcwrite ));
-
-mlsconstrain msgq enqueue
- (( l1 eq l2 ) or
- (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsipcwrite ));
-
-mlsconstrain shm lock
- (( l1 eq l2 ) or
- (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsipcwrite ));
-
-mlsconstrain msg send
- (( l1 eq l2 ) or
- (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsipcwrite ));
-
-# these access vectors have no MLS restrictions
-# { ipc sem msgq shm } associate
-
-
-
-
-#
-# MLS policy for the fd class
-#
-
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
-
-#
-# MLS policy for the network object classes
-#
-
-# the netif/node "read" ops (implicit single level socket doing the read)
-# (note the check is dominance of the low level)
-mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
- (( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
-
-# the netif/node "write" ops (implicit single level socket doing the write)
-mlsconstrain { netif node } { tcp_send udp_send rawip_send }
- (( l1 dom l2 ) and ( l1 domby h2 ));
-
-# these access vectors have no MLS restrictions
-# { netif node } { enforce_dest }
-
-
-
-
-#
-# MLS policy for the process class
-#
-
-# new process labels must be dominated by the relabeling subject's clearance
-# and sensitivity level changes require privilege
-mlsconstrain process transition
- (( h1 dom h2 ) and
- (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
- (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
-mlsconstrain process dyntransition
- (( h1 dom h2 ) and
- (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
-
-# all the process "read" ops
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (( l1 dom l2 ) or
- (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsprocread ));
-
-# all the process "write" ops (note the check is equality on the low level)
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
- (( l1 eq l2 ) or
- (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsprocwrite ));
-
-# these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
-
-
-
-
-#
-# MLS policy for the security class
-#
-
-# these access vectors have no MLS restrictions
-# security *
-
-
-
-
-#
-# MLS policy for the system class
-#
-
-# these access vectors have no MLS restrictions
-# system *
-
-
-
-
-#
-# MLS policy for the capability class
-#
-
-# these access vectors have no MLS restrictions
-# capability *
-
-
-
-
-#
-# MLS policy for the passwd class
-#
-
-# these access vectors have no MLS restrictions
-# passwd *
-
-
-
-
-#
-# MLS policy for the drawable class
-#
-
-# the drawable "read" ops (implicit single level)
-mlsconstrain drawable { getattr copy }
- (( l1 dom l2 ) or
- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsxwinread ));
-
-# the drawable "write" ops (implicit single level)
-mlsconstrain drawable { create destroy draw copy }
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the gc class
-#
-
-# the gc "read" ops (implicit single level)
-mlsconstrain gc getattr
- (( l1 dom l2 ) or
- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsxwinread ));
-
-# the gc "write" ops (implicit single level)
-mlsconstrain gc { create free setattr }
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the window class
-#
-
-# the window "read" ops (implicit single level)
-mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
- (( l1 dom l2 ) or
- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsxwinread ));
-
-# the window "write" ops (implicit single level)
-mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwrite ) or
- ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# window { map unmap }
-
-
-
-
-#
-# MLS policy for the font class
-#
-
-# the font "read" ops (implicit single level)
-mlsconstrain font { load getattr }
- (( l1 dom l2 ) or
- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsxwinread ));
-
-# the font "write" ops (implicit single level)
-mlsconstrain font free
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwrite ));
-
-# these access vectors have no MLS restrictions
-# font use
-
-
-
-
-#
-# MLS policy for the colormap class
-#
-
-# the colormap "read" ops (implicit single level)
-mlsconstrain colormap { list read getattr }
- (( l1 dom l2 ) or
- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsxwinreadcolormap ) or
- ( t1 == mlsxwinread ));
-
-# the colormap "write" ops (implicit single level)
-mlsconstrain colormap { create free install uninstall store setattr }
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwritecolormap ) or
- ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the property class
-#
-
-# the property "read" ops (implicit single level)
-mlsconstrain property { read }
- (( l1 dom l2 ) or
- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsxwinreadproperty ) or
- ( t1 == mlsxwinread ));
-
-# the property "write" ops (implicit single level)
-mlsconstrain property { create free write }
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwriteproperty ) or
- ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the cursor class
-#
-
-# the cursor "write" ops (implicit single level)
-mlsconstrain cursor { create createglyph free assign setattr }
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xclient class
-#
-
-# the xclient "write" ops (implicit single level)
-mlsconstrain xclient kill
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xinput class
-#
-
-# these access vectors have no MLS restrictions
-# xinput ~{ relabelinput setattr }
-
-# the xinput "write" ops (implicit single level)
-mlsconstrain xinput { setattr relabelinput }
- (( l1 eq l2 ) or
- (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsxwinwritexinput ) or
- ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xserver class
-#
-
-# these access vectors have no MLS restrictions
-# xserver *
-
-
-
-
-#
-# MLS policy for the xextension class
-#
-
-# these access vectors have no MLS restrictions
-# xextension { query use }
-
-
-#
-# MLS policy for the pax class
-#
-
-# these access vectors have no MLS restrictions
-# pax { pageexec emutramp mprotect randmmap randexec segmexec }
-
-
-
-
-#
-# MLS policy for the dbus class
-#
-
-# these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
-
-
-
-
-#
-# MLS policy for the nscd class
-#
-
-# these access vectors have no MLS restrictions
-# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
-
-
-
-
-#
-# MLS policy for the association class
-#
-
-# these access vectors have no MLS restrictions
-# association { sendto recvfrom }
-
diff --git a/mls/net_contexts b/mls/net_contexts
deleted file mode 100644
index c15f9947..00000000
--- a/mls/net_contexts
+++ /dev/null
@@ -1,251 +0,0 @@
-# FLASK
-
-#
-# Security contexts for network entities
-# If no context is specified, then a default initial SID is used.
-#
-
-# Modified by Reino Wallin
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# ifdefs to encapsulate domains, and many additional port contexts
-
-#
-# Port numbers (default = initial SID "port")
-#
-# protocol number context
-# protocol low-high context
-#
-portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
-portcon udp 7 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
-portcon udp 9 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
-portcon udp 13 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
-portcon udp 19 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
-portcon udp 37 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 113 system_u:object_r:auth_port_t:s0
-portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
-portcon udp 891 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
-portcon udp 892 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
-portcon tcp 21 system_u:object_r:ftp_port_t:s0
-portcon tcp 22 system_u:object_r:ssh_port_t:s0
-portcon tcp 23 system_u:object_r:telnetd_port_t:s0
-
-portcon tcp 25 system_u:object_r:smtp_port_t:s0
-portcon tcp 465 system_u:object_r:smtp_port_t:s0
-portcon tcp 587 system_u:object_r:smtp_port_t:s0
-
-portcon udp 500 system_u:object_r:isakmp_port_t:s0
-portcon udp 53 system_u:object_r:dns_port_t:s0
-portcon tcp 53 system_u:object_r:dns_port_t:s0
-
-portcon udp 67 system_u:object_r:dhcpd_port_t:s0
-portcon udp 647 system_u:object_r:dhcpd_port_t:s0
-portcon tcp 647 system_u:object_r:dhcpd_port_t:s0
-portcon udp 847 system_u:object_r:dhcpd_port_t:s0
-portcon tcp 847 system_u:object_r:dhcpd_port_t:s0
-portcon udp 68 system_u:object_r:dhcpc_port_t:s0
-portcon udp 70 system_u:object_r:gopher_port_t:s0
-portcon tcp 70 system_u:object_r:gopher_port_t:s0
-
-portcon udp 69 system_u:object_r:tftp_port_t:s0
-portcon tcp 79 system_u:object_r:fingerd_port_t:s0
-
-portcon tcp 80 system_u:object_r:http_port_t:s0
-portcon tcp 443 system_u:object_r:http_port_t:s0
-portcon tcp 488 system_u:object_r:http_port_t:s0
-portcon tcp 8008 system_u:object_r:http_port_t:s0
-portcon tcp 8090 system_u:object_r:http_port_t:s0
-
-portcon tcp 106 system_u:object_r:pop_port_t:s0
-portcon tcp 109 system_u:object_r:pop_port_t:s0
-portcon tcp 110 system_u:object_r:pop_port_t:s0
-portcon tcp 143 system_u:object_r:pop_port_t:s0
-portcon tcp 220 system_u:object_r:pop_port_t:s0
-portcon tcp 993 system_u:object_r:pop_port_t:s0
-portcon tcp 995 system_u:object_r:pop_port_t:s0
-portcon tcp 1109 system_u:object_r:pop_port_t:s0
-
-portcon udp 111 system_u:object_r:portmap_port_t:s0
-portcon tcp 111 system_u:object_r:portmap_port_t:s0
-
-portcon tcp 119 system_u:object_r:innd_port_t:s0
-portcon udp 123 system_u:object_r:ntp_port_t:s0
-
-portcon tcp 137 system_u:object_r:smbd_port_t:s0
-portcon udp 137 system_u:object_r:nmbd_port_t:s0
-portcon tcp 138 system_u:object_r:smbd_port_t:s0
-portcon udp 138 system_u:object_r:nmbd_port_t:s0
-portcon tcp 139 system_u:object_r:smbd_port_t:s0
-portcon udp 139 system_u:object_r:nmbd_port_t:s0
-portcon tcp 445 system_u:object_r:smbd_port_t:s0
-
-portcon udp 161 system_u:object_r:snmp_port_t:s0
-portcon udp 162 system_u:object_r:snmp_port_t:s0
-portcon tcp 199 system_u:object_r:snmp_port_t:s0
-portcon udp 512 system_u:object_r:comsat_port_t:s0
-
-portcon tcp 389 system_u:object_r:ldap_port_t:s0
-portcon udp 389 system_u:object_r:ldap_port_t:s0
-portcon tcp 636 system_u:object_r:ldap_port_t:s0
-portcon udp 636 system_u:object_r:ldap_port_t:s0
-
-portcon tcp 513 system_u:object_r:rlogind_port_t:s0
-portcon tcp 514 system_u:object_r:rsh_port_t:s0
-
-portcon tcp 515 system_u:object_r:printer_port_t:s0
-portcon udp 514 system_u:object_r:syslogd_port_t:s0
-portcon udp 517 system_u:object_r:ktalkd_port_t:s0
-portcon udp 518 system_u:object_r:ktalkd_port_t:s0
-portcon tcp 631 system_u:object_r:ipp_port_t:s0
-portcon udp 631 system_u:object_r:ipp_port_t:s0
-portcon tcp 88 system_u:object_r:kerberos_port_t:s0
-portcon udp 88 system_u:object_r:kerberos_port_t:s0
-portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
-portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
-portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
-portcon tcp 750 system_u:object_r:kerberos_port_t:s0
-portcon udp 750 system_u:object_r:kerberos_port_t:s0
-portcon tcp 783 system_u:object_r:spamd_port_t:s0
-portcon tcp 540 system_u:object_r:uucpd_port_t:s0
-portcon tcp 2401 system_u:object_r:cvs_port_t:s0
-portcon udp 2401 system_u:object_r:cvs_port_t:s0
-portcon tcp 873 system_u:object_r:rsync_port_t:s0
-portcon udp 873 system_u:object_r:rsync_port_t:s0
-portcon tcp 901 system_u:object_r:swat_port_t:s0
-portcon tcp 953 system_u:object_r:rndc_port_t:s0
-portcon tcp 1213 system_u:object_r:giftd_port_t:s0
-portcon tcp 1241 system_u:object_r:nessus_port_t:s0
-portcon tcp 1234 system_u:object_r:monopd_port_t:s0
-portcon udp 1645 system_u:object_r:radius_port_t:s0
-portcon udp 1646 system_u:object_r:radacct_port_t:s0
-portcon udp 1812 system_u:object_r:radius_port_t:s0
-portcon udp 1813 system_u:object_r:radacct_port_t:s0
-portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
-portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
-portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
-portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
-portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
-portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
-portcon udp 2427 system_u:object_r:asterisk_port_t:s0
-portcon udp 2727 system_u:object_r:asterisk_port_t:s0
-portcon udp 4569 system_u:object_r:asterisk_port_t:s0
-portcon udp 5060 system_u:object_r:asterisk_port_t:s0
-portcon tcp 2000 system_u:object_r:mail_port_t:s0
-portcon tcp 2601 system_u:object_r:zebra_port_t:s0
-portcon tcp 2605 system_u:object_r:zebra_port_t:s0
-portcon tcp 2628 system_u:object_r:dict_port_t:s0
-portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
-portcon tcp 3632 system_u:object_r:distccd_port_t:s0
-portcon udp 4011 system_u:object_r:pxe_port_t:s0
-portcon udp 5000 system_u:object_r:openvpn_port_t:s0
-portcon tcp 5323 system_u:object_r:imaze_port_t:s0
-portcon udp 5323 system_u:object_r:imaze_port_t:s0
-portcon tcp 5335 system_u:object_r:howl_port_t:s0
-portcon udp 5353 system_u:object_r:howl_port_t:s0
-portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
-portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
-portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
-portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
-portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 5703 system_u:object_r:ptal_port_t:s0
-portcon tcp 9290 system_u:object_r:hplip_port_t:s0
-portcon tcp 9291 system_u:object_r:hplip_port_t:s0
-portcon tcp 9292 system_u:object_r:hplip_port_t:s0
-portcon tcp 50000 system_u:object_r:hplip_port_t:s0
-portcon tcp 50002 system_u:object_r:hplip_port_t:s0
-portcon tcp 5900 system_u:object_r:vnc_port_t:s0
-portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0
-portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0
-portcon tcp 6000 system_u:object_r:xserver_port_t:s0
-portcon tcp 6001 system_u:object_r:xserver_port_t:s0
-portcon tcp 6002 system_u:object_r:xserver_port_t:s0
-portcon tcp 6003 system_u:object_r:xserver_port_t:s0
-portcon tcp 6004 system_u:object_r:xserver_port_t:s0
-portcon tcp 6005 system_u:object_r:xserver_port_t:s0
-portcon tcp 6006 system_u:object_r:xserver_port_t:s0
-portcon tcp 6007 system_u:object_r:xserver_port_t:s0
-portcon tcp 6008 system_u:object_r:xserver_port_t:s0
-portcon tcp 6009 system_u:object_r:xserver_port_t:s0
-portcon tcp 6010 system_u:object_r:xserver_port_t:s0
-portcon tcp 6011 system_u:object_r:xserver_port_t:s0
-portcon tcp 6012 system_u:object_r:xserver_port_t:s0
-portcon tcp 6013 system_u:object_r:xserver_port_t:s0
-portcon tcp 6014 system_u:object_r:xserver_port_t:s0
-portcon tcp 6015 system_u:object_r:xserver_port_t:s0
-portcon tcp 6016 system_u:object_r:xserver_port_t:s0
-portcon tcp 6017 system_u:object_r:xserver_port_t:s0
-portcon tcp 6018 system_u:object_r:xserver_port_t:s0
-portcon tcp 6019 system_u:object_r:xserver_port_t:s0
-portcon tcp 6667 system_u:object_r:ircd_port_t:s0
-portcon tcp 8000 system_u:object_r:soundd_port_t:s0
-# 9433 is for YIFF
-portcon tcp 9433 system_u:object_r:soundd_port_t:s0
-portcon tcp 3128 system_u:object_r:http_cache_port_t:s0
-portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
-portcon udp 3130 system_u:object_r:http_cache_port_t:s0
-# 8118 is for privoxy
-portcon tcp 8118 system_u:object_r:http_cache_port_t:s0
-
-portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
-portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
-portcon udp 10080 system_u:object_r:amanda_port_t:s0
-portcon tcp 10080 system_u:object_r:amanda_port_t:s0
-portcon udp 10081 system_u:object_r:amanda_port_t:s0
-portcon tcp 10081 system_u:object_r:amanda_port_t:s0
-portcon tcp 10082 system_u:object_r:amanda_port_t:s0
-portcon tcp 10083 system_u:object_r:amanda_port_t:s0
-portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
-
-portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
-portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
-portcon tcp 3310 system_u:object_r:clamd_port_t:s0
-portcon udp 6276 system_u:object_r:dcc_port_t:s0
-portcon udp 6277 system_u:object_r:dcc_port_t:s0
-portcon udp 24441 system_u:object_r:pyzor_port_t:s0
-portcon tcp 2703 system_u:object_r:razor_port_t:s0
-portcon tcp 8021 system_u:object_r:zope_port_t:s0
-
-# Defaults for reserved ports. Earlier portcon entries take precedence;
-# these entries just cover any remaining reserved ports not otherwise
-# declared or omitted due to removal of a domain.
-portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
-portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
-
-# Network interfaces (default = initial SID "netif" and "netmsg")
-#
-# interface netif_context default_msg_context
-#
-netifcon lo system_u:object_r:netif_lo_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0
-
-# Nodes (default = initial SID "node")
-#
-# address mask context
-#
-nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t:s0 - s15:c0.c255
-nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_inaddr_any_t:s0
-nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_unspec_t:s0
-nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_lo_t:s0
-nodecon ff00:: ff00:: system_u:object_r:node_multicast_t:s0
-nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:node_link_local_t:s0
-nodecon fec0:: ffc0:: system_u:object_r:node_site_local_t:s0
-nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_compat_ipv4_t:s0
-nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_mapped_ipv4_t:s0
-
-# FLASK
diff --git a/mls/rbac b/mls/rbac
deleted file mode 100644
index 708f70d5..00000000
--- a/mls/rbac
+++ /dev/null
@@ -1,33 +0,0 @@
-################################################
-#
-# Role-based access control (RBAC) configuration.
-#
-
-# The RBAC configuration was originally centralized in this
-# file, but has been decomposed into individual role declarations,
-# role allow rules, and role transition rules throughout the TE
-# configuration to support easy removal or adding of domains without
-# modifying a centralized file each time. This also allowed the macros
-# to properly instantiate role declarations and rules for domains.
-# Hence, this file is largely unused, except for miscellaneous
-# role allow rules.
-
-########################################
-#
-# Role allow rules.
-#
-# A role allow rule specifies the allowable
-# transitions between roles on an execve.
-# If no rule is specified, then the change in
-# roles will not be permitted. Additional
-# controls over role transitions based on the
-# type of the process may be specified through
-# the constraints file.
-#
-# The syntax of a role allow rule is:
-# allow current_role new_role ;
-#
-# Allow the admin role to transition to the system
-# role for run_init.
-#
-allow sysadm_r system_r;
diff --git a/mls/tunables/distro.tun b/mls/tunables/distro.tun
deleted file mode 100644
index 00b6eca5..00000000
--- a/mls/tunables/distro.tun
+++ /dev/null
@@ -1,14 +0,0 @@
-# Distro-specific customizations.
-
-# Comment out all but the one that matches your distro.
-# The policy .te files can then wrap distro-specific customizations with
-# appropriate ifdefs.
-
-
-define(`distro_redhat')
-
-dnl define(`distro_suse')
-
-dnl define(`distro_gentoo')
-
-dnl define(`distro_debian')
diff --git a/mls/tunables/tunable.tun b/mls/tunables/tunable.tun
deleted file mode 100644
index 35dd15e9..00000000
--- a/mls/tunables/tunable.tun
+++ /dev/null
@@ -1,35 +0,0 @@
-# Allow rpm to run unconfined.
-define(`unlimitedRPM')
-
-# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
-
-# Allow rc scripts to run unconfined, including any daemon
-# started by an rc script that does not have a domain transition
-# explicitly defined.
-dnl define(`unlimitedRC')
-
-# Allow sysadm_t to directly start daemons
-dnl define(`direct_sysadm_daemon')
-
-# Do not allow sysadm_t to be in the security manager domain
-define(`separate_secadm')
-
-# Do not audit things that we know to be broken but which
-# are not security risks
-define(`hide_broken_symptoms')
-
-# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
-# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
-
-# Allow xinetd to run unconfined, including any services it starts
-# that do not have a domain transition explicitly defined.
-dnl define(`unlimitedInetd')
-
-# for ndc_t to be used for restart shell scripts
-dnl define(`ndc_shell_script')
-
-# Enable Polyinstantiation support
-dnl define(`support_polyinstatiation')
-define(`mls_policy')
diff --git a/mls/types/device.te b/mls/types/device.te
deleted file mode 100644
index aee0a4cb..00000000
--- a/mls/types/device.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Device types
-#
-
-#
-# device_t is the type of /dev.
-#
-type device_t, file_type, mount_point, dev_fs;
-
-#
-# null_device_t is the type of /dev/null.
-#
-type null_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# zero_device_t is the type of /dev/zero.
-#
-type zero_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# console_device_t is the type of /dev/console.
-#
-type console_device_t, device_type, dev_fs;
-
-#
-# xconsole_device_t is the type of /dev/xconsole
-type xconsole_device_t, file_type, dev_fs;
-
-#
-# memory_device_t is the type of /dev/kmem,
-# /dev/mem, and /dev/port.
-#
-type memory_device_t, device_type, dev_fs;
-
-#
-# random_device_t is the type of /dev/random
-# urandom_device_t is the type of /dev/urandom
-#
-type random_device_t, device_type, dev_fs;
-type urandom_device_t, device_type, dev_fs;
-
-#
-# devtty_t is the type of /dev/tty.
-#
-type devtty_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# tty_device_t is the type of /dev/*tty*
-#
-type tty_device_t, serial_device, device_type, dev_fs;
-
-#
-# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
-type bsdpty_device_t, device_type, dev_fs;
-
-#
-# usbtty_device_t is the type of /dev/usr/tty*
-#
-type usbtty_device_t, serial_device, device_type, dev_fs;
-
-#
-# printer_device_t is the type for printer devices
-#
-type printer_device_t, device_type, dev_fs;
-
-#
-# fixed_disk_device_t is the type of
-# /dev/hd* and /dev/sd*.
-#
-type fixed_disk_device_t, device_type, dev_fs;
-
-#
-# scsi_generic_device_t is the type of /dev/sg*
-# it gives access to ALL SCSI devices (both fixed and removable)
-#
-type scsi_generic_device_t, device_type, dev_fs;
-
-#
-# removable_device_t is the type of
-# /dev/scd* and /dev/fd*.
-#
-type removable_device_t, device_type, dev_fs;
-
-#
-# clock_device_t is the type of
-# /dev/rtc.
-#
-type clock_device_t, device_type, dev_fs;
-
-#
-# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
-#
-type tun_tap_device_t, device_type, dev_fs;
-
-#
-# misc_device_t is the type of miscellaneous devices.
-# XXX: FIXME! Appropriate access to these devices need to be identified.
-#
-type misc_device_t, device_type, dev_fs;
-
-#
-# A more general type for mouse devices.
-#
-type mouse_device_t, device_type, dev_fs;
-
-#
-# For generic /dev/input/event* event devices
-#
-type event_device_t, device_type, dev_fs;
-
-#
-# Not sure what these devices are for, but X wants access to them.
-#
-type agp_device_t, device_type, dev_fs;
-type dri_device_t, device_type, dev_fs;
-
-# Type for sound devices.
-type sound_device_t, device_type, dev_fs;
-
-# Type for /dev/ppp.
-type ppp_device_t, device_type, dev_fs;
-
-# Type for frame buffer /dev/fb/*
-type framebuf_device_t, device_type, dev_fs;
-
-# Type for /dev/.devfsd
-type devfs_control_t, device_type, dev_fs;
-
-# Type for /dev/cpu/mtrr and /proc/mtrr
-type mtrr_device_t, device_type, dev_fs, proc_fs;
-
-# Type for /dev/pmu
-type power_device_t, device_type, dev_fs;
-
-# Type for /dev/apm_bios
-type apm_bios_t, device_type, dev_fs;
-
-# Type for v4l
-type v4l_device_t, device_type, dev_fs;
-
-# tape drives
-type tape_device_t, device_type, dev_fs;
-
-# scanners
-type scanner_device_t, device_type, dev_fs;
-
-# cpu control devices /dev/cpu/0/*
-type cpu_device_t, device_type, dev_fs;
-
-# for other device nodes such as the NVidia binary-only driver
-type xserver_misc_device_t, device_type, dev_fs;
-
-# for the IBM zSeries z90crypt hardware ssl accelorator
-type crypt_device_t, device_type, dev_fs;
-
-
-
-
diff --git a/mls/types/devpts.te b/mls/types/devpts.te
deleted file mode 100644
index c6982ac3..00000000
--- a/mls/types/devpts.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Devpts types
-#
-
-#
-# ptmx_t is the type for /dev/ptmx.
-#
-type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
-
-#
-# devpts_t is the type of the devpts file system and
-# the type of the root directory of the file system.
-#
-type devpts_t, mount_point, fs_type;
-
-ifdef(`targeted_policy', `
-typeattribute devpts_t ttyfile;
-')
diff --git a/mls/types/file.te b/mls/types/file.te
deleted file mode 100644
index fc03dcd8..00000000
--- a/mls/types/file.te
+++ /dev/null
@@ -1,326 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#######################################
-#
-# General file-related types
-#
-
-#
-# unlabeled_t is the type of unlabeled objects.
-# Objects that have no known labeling information or that
-# have labels that are no longer valid are treated as having this type.
-#
-type unlabeled_t, sysadmfile;
-
-#
-# fs_t is the default type for conventional filesystems.
-#
-type fs_t, fs_type;
-
-# needs more work
-type eventpollfs_t, fs_type;
-type futexfs_t, fs_type;
-type bdev_t, fs_type;
-type usbfs_t, mount_point, fs_type;
-type nfsd_fs_t, fs_type;
-type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, mount_point, fs_type;
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t, file_type, mount_point, sysadmfile;
-
-# default_t is the default type for files that do not
-# match any specification in the file_contexts configuration
-# other than the generic /.* specification.
-type default_t, file_type, mount_point, sysadmfile;
-
-#
-# root_t is the type for the root directory.
-#
-type root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, mount_point, sysadmfile;
-
-#
-# home_root_t is the type for the directory where user home directories
-# are created
-#
-type home_root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# lost_found_t is the type for the lost+found directories.
-#
-type lost_found_t, file_type, sysadmfile;
-
-#
-# boot_t is the type for files in /boot,
-# including the kernel.
-#
-type boot_t, file_type, mount_point, sysadmfile;
-# system_map_t is for the system.map files in /boot
-type system_map_t, file_type, sysadmfile;
-
-#
-# boot_runtime_t is the type for /boot/kernel.h,
-# which is automatically generated at boot time.
-# only for red hat
-type boot_runtime_t, file_type, sysadmfile;
-
-#
-# tmp_t is the type of /tmp and /var/tmp.
-#
-type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
-
-#
-# etc_t is the type of the system etc directories.
-#
-type etc_t, file_type, sysadmfile;
-
-# etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile, usercanread;
-
-#
-# shadow_t is the type of the /etc/shadow file
-#
-type shadow_t, file_type, secure_file_type;
-allow auth shadow_t:file { getattr read };
-
-#
-# ld_so_cache_t is the type of /etc/ld.so.cache.
-#
-type ld_so_cache_t, file_type, sysadmfile;
-
-#
-# etc_runtime_t is the type of various
-# files in /etc that are automatically
-# generated during initialization.
-#
-type etc_runtime_t, file_type, sysadmfile;
-
-#
-# fonts_runtime_t is the type of various
-# fonts files in /usr that are automatically
-# generated during initialization.
-#
-type fonts_t, file_type, sysadmfile, usercanread;
-
-#
-# etc_aliases_t is the type of the aliases database.
-#
-type etc_aliases_t, file_type, sysadmfile;
-
-# net_conf_t is the type of the /etc/resolv.conf file.
-# all DHCP clients and PPP need write access to this file.
-type net_conf_t, file_type, sysadmfile;
-
-#
-# lib_t is the type of files in the system lib directories.
-#
-type lib_t, file_type, sysadmfile;
-
-#
-# shlib_t is the type of shared objects in the system lib
-# directories.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias shlib_t;
-', `
-type shlib_t, file_type, sysadmfile;
-')
-
-#
-# texrel_shlib_t is the type of shared objects in the system lib
-# directories, which require text relocation.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias texrel_shlib_t;
-', `
-type texrel_shlib_t, file_type, sysadmfile;
-')
-
-# ld_so_t is the type of the system dynamic loaders.
-#
-type ld_so_t, file_type, sysadmfile;
-
-#
-# bin_t is the type of files in the system bin directories.
-#
-type bin_t, file_type, sysadmfile;
-
-#
-# cert_t is the type of files in the system certs directories.
-#
-type cert_t, file_type, sysadmfile, secure_file_type;
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# shell_exec_t is the type of user shells such as /bin/bash.
-#
-type shell_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t, file_type, sysadmfile;
-
-#
-# usr_t is the type for /usr.
-#
-type usr_t, file_type, mount_point, sysadmfile;
-
-#
-# src_t is the type of files in the system src directories.
-#
-type src_t, file_type, mount_point, sysadmfile;
-
-#
-# var_t is the type for /var.
-#
-type var_t, file_type, mount_point, sysadmfile;
-
-#
-# Types for subdirectories of /var.
-#
-type var_run_t, file_type, sysadmfile;
-type var_log_t, file_type, sysadmfile, logfile;
-typealias var_log_t alias crond_log_t;
-type faillog_t, file_type, sysadmfile, logfile;
-type var_lock_t, file_type, sysadmfile, lockfile;
-type var_lib_t, mount_point, file_type, sysadmfile;
-type var_auth_t, file_type, sysadmfile;
-# for /var/{spool,lib}/texmf index files
-type tetex_data_t, file_type, sysadmfile, tmpfile;
-type var_spool_t, file_type, sysadmfile, tmpfile;
-type var_yp_t, file_type, sysadmfile;
-
-# Type for /var/log/ksyms.
-type var_log_ksyms_t, file_type, sysadmfile, logfile;
-
-# Type for /var/log/lastlog.
-type lastlog_t, file_type, sysadmfile, logfile;
-
-# Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
-
-#
-# wtmp_t is the type of /var/log/wtmp.
-#
-type wtmp_t, file_type, sysadmfile, logfile;
-
-#
-# cron_spool_t is the type for /var/spool/cron.
-#
-type cron_spool_t, file_type, sysadmfile;
-
-#
-# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
-#
-type print_spool_t, file_type, sysadmfile, tmpfile;
-
-#
-# mail_spool_t is the type for /var/spool/mail.
-#
-type mail_spool_t, file_type, sysadmfile;
-
-#
-# mqueue_spool_t is the type for /var/spool/mqueue.
-#
-type mqueue_spool_t, file_type, sysadmfile;
-
-#
-# man_t is the type for the man directories.
-#
-type man_t, file_type, sysadmfile;
-typealias man_t alias catman_t;
-
-#
-# readable_t is a general type for
-# files that are readable by all domains.
-#
-type readable_t, file_type, sysadmfile;
-
-#
-# Base type for the tests directory.
-#
-type test_file_t, file_type, sysadmfile;
-
-#
-# poly_t is the type for the polyinstantiated directories.
-#
-type poly_t, file_type, sysadmfile;
-
-#
-# swapfile_t is for swap files
-#
-type swapfile_t, file_type, sysadmfile;
-
-#
-# locale_t is the type for system localization
-#
-type locale_t, file_type, sysadmfile;
-
-#
-# Allow each file type to be associated with
-# the default file system type.
-#
-allow { file_type device_type ttyfile } fs_t:filesystem associate;
-
-type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
-allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
-allow { logfile tmpfile home_type } tmp_t:filesystem associate;
-ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
-')
-
-type autofs_t, fs_type, noexattrfile, sysadmfile;
-type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
-type sysfs_t, mount_point, fs_type, sysadmfile;
-type iso9660_t, fs_type, noexattrfile, sysadmfile;
-type romfs_t, fs_type, sysadmfile;
-type ramfs_t, fs_type, sysadmfile;
-type dosfs_t, fs_type, noexattrfile, sysadmfile;
-type hugetlbfs_t, mount_point, fs_type, sysadmfile;
-typealias file_t alias mqueue_t;
-
-# udev_runtime_t is the type of the udev table file
-type udev_runtime_t, file_type, sysadmfile;
-
-# krb5_conf_t is the type of the /etc/krb5.conf file
-type krb5_conf_t, file_type, sysadmfile;
-
-type cifs_t, fs_type, noexattrfile, sysadmfile;
-type debugfs_t, fs_type, sysadmfile;
-type configfs_t, fs_type, sysadmfile;
-type inotifyfs_t, fs_type, sysadmfile;
-type capifs_t, fs_type, sysadmfile;
-
-# removable_t is the default type of all removable media
-type removable_t, file_type, sysadmfile, usercanread;
-allow file_type removable_t:filesystem associate;
-allow file_type noexattrfile:filesystem associate;
-
-# Type for anonymous FTP data, used by ftp and rsync
-type public_content_t, file_type, sysadmfile, customizable;
-type public_content_rw_t, file_type, sysadmfile, customizable;
-typealias public_content_t alias ftpd_anon_t;
-typealias public_content_rw_t alias ftpd_anon_rw_t;
-
-# type for /tmp/.ICE-unix
-type ice_tmp_t, file_type, sysadmfile, tmpfile;
-
-# type for /usr/share/hwdata
-type hwdata_t, file_type, sysadmfile;
-allow { fs_type file_type } self:filesystem associate;
-
diff --git a/mls/types/network.te b/mls/types/network.te
deleted file mode 100644
index c5965fd3..00000000
--- a/mls/types/network.te
+++ /dev/null
@@ -1,179 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-# Modified by Reino Wallin
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# Move port types to their respective domains, add ifdefs, other cleanups.
-
-type xserver_port_t, port_type;
-#
-# Defines used by the te files need to be defined outside of net_constraints
-#
-type rsh_port_t, port_type, reserved_port_type;
-type dns_port_t, port_type, reserved_port_type;
-type smtp_port_t, port_type, reserved_port_type;
-type dhcpd_port_t, port_type, reserved_port_type;
-type smbd_port_t, port_type, reserved_port_type;
-type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
-type http_port_t, port_type, reserved_port_type;
-type ipp_port_t, port_type, reserved_port_type;
-type gopher_port_t, port_type, reserved_port_type;
-type isakmp_port_t, port_type, reserved_port_type;
-
-allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
-type pop_port_t, port_type, reserved_port_type;
-
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
-
-############################################
-#
-# Network types
-#
-
-#
-# mail_port_t is for generic mail ports shared by different mail servers
-#
-type mail_port_t, port_type;
-
-#
-# Ports used to communicate with kerberos server
-#
-type kerberos_port_t, port_type, reserved_port_type;
-type kerberos_admin_port_t, port_type, reserved_port_type;
-
-#
-# Ports used to communicate with portmap server
-#
-type portmap_port_t, port_type, reserved_port_type;
-
-#
-# Ports used to communicate with ldap server
-#
-type ldap_port_t, port_type, reserved_port_type;
-
-#
-# port_t is the default type of INET port numbers.
-# The *_port_t types are used for specific port
-# numbers in net_contexts or net_contexts.mls.
-#
-type port_t, port_type;
-
-# reserved_port_t is the default type for INET reserved ports
-# that are not otherwise mapped to a specific port type.
-type reserved_port_t, port_type;
-
-#
-# netif_t is the default type of network interfaces.
-# The netif_*_t types are used for specific network
-# interfaces in net_contexts or net_contexts.mls.
-#
-type netif_t, netif_type;
-type netif_lo_t, netif_type;
-
-
-#
-# node_t is the default type of network nodes.
-# The node_*_t types are used for specific network
-# nodes in net_contexts or net_contexts.mls.
-#
-type node_t, node_type;
-type node_lo_t, node_type;
-type node_internal_t, node_type;
-type node_inaddr_any_t, node_type;
-type node_unspec_t, node_type;
-type node_link_local_t, node_type;
-type node_site_local_t, node_type;
-type node_multicast_t, node_type;
-type node_mapped_ipv4_t, node_type;
-type node_compat_ipv4_t, node_type;
-
-# Kernel-generated traffic, e.g. ICMP replies.
-allow kernel_t netif_type:netif { rawip_send rawip_recv };
-allow kernel_t node_type:node { rawip_send rawip_recv };
-
-# Kernel-generated traffic, e.g. TCP resets.
-allow kernel_t netif_type:netif { tcp_send tcp_recv };
-allow kernel_t node_type:node { tcp_send tcp_recv };
-type radius_port_t, port_type;
-type radacct_port_t, port_type;
-type rndc_port_t, port_type, reserved_port_type;
-type tftp_port_t, port_type, reserved_port_type;
-type printer_port_t, port_type, reserved_port_type;
-type mysqld_port_t, port_type;
-type postgresql_port_t, port_type;
-type ptal_port_t, port_type;
-type howl_port_t, port_type;
-type dict_port_t, port_type;
-type syslogd_port_t, port_type, reserved_port_type;
-type spamd_port_t, port_type, reserved_port_type;
-type ssh_port_t, port_type, reserved_port_type;
-type pxe_port_t, port_type;
-type amanda_port_t, port_type;
-type fingerd_port_t, port_type, reserved_port_type;
-type dhcpc_port_t, port_type, reserved_port_type;
-type ntp_port_t, port_type, reserved_port_type;
-type stunnel_port_t, port_type;
-type zebra_port_t, port_type;
-type i18n_input_port_t, port_type;
-type vnc_port_t, port_type;
-type pegasus_http_port_t, port_type;
-type pegasus_https_port_t, port_type;
-type openvpn_port_t, port_type;
-type clamd_port_t, port_type;
-type transproxy_port_t, port_type;
-type clockspeed_port_t, port_type;
-type pyzor_port_t, port_type;
-type postgrey_port_t, port_type;
-type asterisk_port_t, port_type;
-type utcpserver_port_t, port_type;
-type nessus_port_t, port_type;
-type razor_port_t, port_type;
-type distccd_port_t, port_type;
-type socks_port_t, port_type;
-type gatekeeper_port_t, port_type;
-type dcc_port_t, port_type;
-type lrrd_port_t, port_type;
-type jabber_client_port_t, port_type;
-type jabber_interserver_port_t, port_type;
-type ircd_port_t, port_type;
-type giftd_port_t, port_type;
-type soundd_port_t, port_type;
-type imaze_port_t, port_type;
-type monopd_port_t, port_type;
-# Differentiate between the port where amavisd receives mail, and the
-# port where it returns cleaned mail back to the MTA.
-type amavisd_recv_port_t, port_type;
-type amavisd_send_port_t, port_type;
-type innd_port_t, port_type, reserved_port_type;
-type snmp_port_t, port_type, reserved_port_type;
-type biff_port_t, port_type, reserved_port_type;
-type hplip_port_t, port_type;
-
-#inetd_child_ports
-
-type rlogind_port_t, port_type, reserved_port_type;
-type telnetd_port_t, port_type, reserved_port_type;
-type comsat_port_t, port_type, reserved_port_type;
-type cvs_port_t, port_type;
-type dbskkd_port_t, port_type;
-type inetd_child_port_t, port_type, reserved_port_type;
-type ktalkd_port_t, port_type, reserved_port_type;
-type rsync_port_t, port_type, reserved_port_type;
-type uucpd_port_t, port_type, reserved_port_type;
-type swat_port_t, port_type, reserved_port_type;
-type zope_port_t, port_type;
-type auth_port_t, port_type, reserved_port_type;
-
-# afs ports
-
-type afs_fs_port_t, port_type;
-type afs_pt_port_t, port_type;
-type afs_vl_port_t, port_type;
-type afs_ka_port_t, port_type;
-type afs_bos_port_t, port_type;
-
diff --git a/mls/types/nfs.te b/mls/types/nfs.te
deleted file mode 100644
index e6dd6e0e..00000000
--- a/mls/types/nfs.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#############################################
-#
-# NFS types
-#
-
-#
-# nfs_t is the default type for NFS file systems
-# and their files.
-# The nfs_*_t types are used for specific NFS
-# servers in net_contexts or net_contexts.mls.
-#
-type nfs_t, mount_point, fs_type;
-
-#
-# Allow NFS files to be associated with an NFS file system.
-#
-allow file_type nfs_t:filesystem associate;
diff --git a/mls/types/procfs.te b/mls/types/procfs.te
deleted file mode 100644
index 20703ac5..00000000
--- a/mls/types/procfs.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Procfs types
-#
-
-#
-# proc_t is the type of /proc.
-# proc_kmsg_t is the type of /proc/kmsg.
-# proc_kcore_t is the type of /proc/kcore.
-# proc_mdstat_t is the type of /proc/mdstat.
-# proc_net_t is the type of /proc/net.
-#
-type proc_t, fs_type, mount_point, proc_fs;
-type proc_kmsg_t, proc_fs;
-type proc_kcore_t, proc_fs;
-type proc_mdstat_t, proc_fs;
-type proc_net_t, proc_fs;
-
-#
-# sysctl_t is the type of /proc/sys.
-# sysctl_fs_t is the type of /proc/sys/fs.
-# sysctl_kernel_t is the type of /proc/sys/kernel.
-# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
-# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
-# sysctl_net_t is the type of /proc/sys/net.
-# sysctl_net_unix_t is the type of /proc/sys/net/unix.
-# sysctl_vm_t is the type of /proc/sys/vm.
-# sysctl_dev_t is the type of /proc/sys/dev.
-# sysctl_rpc_t is the type of /proc/net/rpc.
-#
-# These types are applied to both the entries in
-# /proc/sys and the corresponding sysctl parameters.
-#
-type sysctl_t, mount_point, sysctl_type;
-type sysctl_fs_t, sysctl_type;
-type sysctl_kernel_t, sysctl_type;
-type sysctl_modprobe_t, sysctl_type;
-type sysctl_hotplug_t, sysctl_type;
-type sysctl_net_t, sysctl_type;
-type sysctl_net_unix_t, sysctl_type;
-type sysctl_vm_t, sysctl_type;
-type sysctl_dev_t, sysctl_type;
-type sysctl_rpc_t, sysctl_type;
-type sysctl_irq_t, sysctl_type;
-
-
diff --git a/mls/types/security.te b/mls/types/security.te
deleted file mode 100644
index cc1574f8..00000000
--- a/mls/types/security.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Security types
-#
-
-#
-# security_t is the target type when checking
-# the permissions in the security class. It is also
-# applied to selinuxfs inodes.
-#
-type security_t, mount_point, fs_type, mlstrustedobject;
-dontaudit domain security_t:dir search;
-dontaudit domain security_t:file { getattr read };
-
-#
-# policy_config_t is the type of /etc/security/selinux/*
-# the security server policy configuration.
-#
-type policy_config_t, file_type, secadmfile;
-# Since libselinux attempts to read these by default, most domains
-# do not need it.
-dontaudit domain selinux_config_t:dir search;
-dontaudit domain selinux_config_t:file { getattr read };
-
-#
-# policy_src_t is the type of the policy source
-# files.
-#
-type policy_src_t, file_type, secadmfile;
-
-
-#
-# default_context_t is the type applied to
-# /etc/selinux/*/contexts/*
-#
-type default_context_t, file_type, login_contexts, secadmfile;
-
-#
-# file_context_t is the type applied to
-# /etc/selinux/*/contexts/files
-#
-type file_context_t, file_type, secadmfile;
-
-#
-# no_access_t is the type for objects that should
-# only be accessed administratively.
-#
-type no_access_t, file_type, sysadmfile;
-
-#
-# selinux_config_t is the type applied to
-# /etc/selinux/config
-#
-type selinux_config_t, file_type, secadmfile;
-
-
diff --git a/mls/types/x.te b/mls/types/x.te
deleted file mode 100644
index 0cee3145..00000000
--- a/mls/types/x.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# Authors: Eamon Walsh
-#
-
-#######################################
-#
-# Types for the SELinux-enabled X Window System
-#
-
-#
-# X protocol extension types. The SELinux extension in the X server
-# has a hardcoded table that maps actual extension names to these types.
-#
-type accelgraphics_ext_t, xextension;
-type debug_ext_t, xextension;
-type font_ext_t, xextension;
-type input_ext_t, xextension;
-type screensaver_ext_t, xextension;
-type security_ext_t, xextension;
-type shmem_ext_t, xextension;
-type std_ext_t, xextension;
-type sync_ext_t, xextension;
-type unknown_ext_t, xextension;
-type video_ext_t, xextension;
-type windowmgr_ext_t, xextension;
-
-#
-# X property types. The SELinux extension in the X server has a
-# hardcoded table that maps actual extension names to these types.
-#
-type wm_property_t, xproperty;
-type unknown_property_t, xproperty;
diff --git a/mls/users b/mls/users
deleted file mode 100644
index 058c5fb0..00000000
--- a/mls/users
+++ /dev/null
@@ -1,57 +0,0 @@ -################################## -# -# User configuration. -# -# This file defines each user recognized by the system security policy. -# Only the user identities defined in this file may be used as the -# user attribute in a security context. -# -# Each user has a set of roles that may be entered by processes -# with the users identity. The syntax of a user declaration is: -# -# user username roles role_set [ level default_level range allowed_range ] level s0 range s0 - s15:c0.c255; -# -# The MLS default level and allowed range should only be specified if -# MLS was enabled in the policy. - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system_u, -# and a user process should never be assigned the system_u user -# identity. -# -user system_u roles system_r level s0 range s0 - s15:c0.c255; - -# -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. -# -user user_u roles { user_r } level s0 range s0 - s0; - -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. 
-# - -# The sysadm_r user also needs to be permitted system_r if we are to allow -# direct execution of daemons -user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255; - -# sample for administrative user -#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255; - -# sample for regular user -#user jdoe roles { user_r } level s0 range s0 - s15:c0.c255; - -# -# The following users correspond to special Unix identities -# -ifdef(`nx_server.te', ` -user nx roles nx_server_r level s0 range s0 - s15:c0.c255; -') diff --git a/strict/COPYING b/strict/COPYING deleted file mode 100644 index 5b6e7c66..00000000 --- a/strict/COPYING +++ /dev/null 
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/strict/ChangeLog b/strict/ChangeLog deleted file mode 100644 index db9833c5..00000000 --- a/strict/ChangeLog +++ /dev/null 
@@ -1,391 +0,0 @@ -1.27.1 2005-09-15 - * Merged small patches from Russell Coker for the apostrophe, - dhcpc, fsadm, and setfiles policy. - * Merged a patch from Russell Coker with some minor fixes to a - multitude of policy files. - * Merged patch from Dan Walsh from August 15th. Adds certwatch - policy. Adds mcs support to Makefile. Adds mcs file which - defines sensitivities and categories for the MSC policy. Creates - an authentication_domain macro in global_macros.te for domains - that use pam_authentication. Creates the anonymous_domain macro - so that the ftpd, rsync, httpd, and smbd domains can share the - ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to - start isolating individual ethernet devices. Changes vpnc from a - daemon to an application_domain. Adds audit_control capability to - crond_t. Adds dac_override and dac_read_search capabilities to - fsadm_t to allow the manipulation of removable media. Adds - read_sysctl macro to the base_passwd_domain macro. Adds rules to - allow alsa_t to communicate with userspace. Allows networkmanager - to communicate with isakmp_port and to use vpnc. For targeted - policy, removes transitions of sysadm_t to apm_t, backup_t, - bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t. - Makes other minor cleanups and fixes. - -1.26 2005-09-06 - * Updated version for release. - -1.25.4 2005-08-10 - * Merged small patches from Russell Coker for the restorecon, - kudzu, lvm, radvd, and spamassasin policies. - * Added fs_use_trans rule for mqueue from Mark Gebhart to support - the work he has done on providing SELinux support for mqueue. - * Merged a patch from Dan Walsh. Removes the user_can_mount - tunable. Adds disable_evolution_trans and disable_thunderbird_trans - booleans. Adds the nscd_client_domain attribute to insmod_t. - Removes the user_ping boolean from targeted policy. Adds - hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts. - Adds the isakmp_port for vpnc. 
Creates the pptp daemon domain. - Allows getty to run sbin_t for pppd. Allows initrc to write to - default_t for booting. Allows Hotplug_t sys_rawio for prism54 - card at boot. Other minor fixes. - -1.25.3 2005-07-18 - * Merged patch from Dan Walsh. Adds auth_bool attribute to allow - domains to have read access to shadow_t. Creates pppd_can_insmod - boolean to control the loading of modem kernel modules. Allows - nfs to export noexattrfile types. Allows unix_chpwd to access - cert files and random devices for encryption purposes. Other - minor cleanups and fixes. - -1.25.2 2005-07-11 - * Merged patch from Dan Walsh. Added allow_ptrace boolean to - allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the - audit_control and audit_write capabilities. Stops targeted policy - from transitioning from unconfined_t to netutils. Allows cupsd to - audit messages. Gives prelink the execheap, execmem, and execstack - permissions by default. Adds can_winbind boolean and functions to - better handle samba and winbind communications. Eliminates - allow_execmod checks around texrel_shlib_t libraries. Other minor - cleanups and fixes. - -1.25.1 2005-07-05 - * Moved role_tty_type_change, reach_sysadm, and priv_user macros - from user.te to user_macros.te as suggested by Steve. - * Modified admin_domain macro so autrace would work and removed - privuser attribute for dhcpc as suggested by Russell Coker. - * Merged rather large patch from Dan Walsh. Moves - targeted/strict/mls policies closer together. Adds local.te for - users to customize. Includes minor fixes to auditd, cups, - cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch - that defines all ports in network.te. Ports are always defined - now, no ifdefs are used in network.te. Also includes Ivan - Gyurdiev's user home directory policy patches. These patches add - alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs, - iceauth, orbit, and thunderbird policy. 
They create read_content, - write_trusted, and write_untrusted macros in content.te. They - create network_home, write_network_home, read_network_home, - base_domain_ro_access, home_domain_access, home_domain, and - home_domain_ro macros in home_macros.te. They also create - $3_read_content, $3_write_content, and write_untrusted booleans. - -1.24 2005-06-20 - * Updated version for release. - -1.23.18 2005-05-31 - * Merged minor fixes to pppd.fc and courier.te by Russell Coker. - * Removed devfsd policy as suggested by Russell Coker. - * Merged patch from Dan Walsh. Includes beginnings of Ivan - Gyurdiev's Font Config policy. Don't transition to fsadm_t from - unconfined_t (sysadm_t) in targeted policy. Add support for - debugfs in modutil. Allow automount to create and delete - directories in /root and /home dirs. Move can_ypbind to - chkpwd_macro.te. Allow useradd to create additional files and - types via the skell mechanism. Other minor cleanups and fixes. - -1.23.17 2005-05-23 - * Merged minor fixes by Petre Rodan to the daemontools, dante, - gpg, kerberos, and ucspi-tcp policies. - * Merged minor fixes by Russell Coker to the bluetooth, crond, - initrc, postfix, and udev policies. Modifies constraints so that - newaliases can be run. Modifies types.fc so that objects in - lost+found directories will not be relabled. - * Modified fc rules for nvidia. - * Added Chad Sellers policy for polyinstantiation support, which - creates the polydir, polyparent, and polymember attributes. Also - added the support_polyinstantiation tunable. - * Merged patch from Dan Walsh. Includes mount_point attribute, - read_font macros and some other policy fixes from Ivan Gyurdiev. - Adds privkmsg and secadmfile attributes and ddcprobe policy. - Removes the use_syslogng boolean. Many other minor fixes. - -1.23.16 2005-05-13 - * Added rdisc policy from Russell Coker. - * Merged minor fix to named policy by Petre Rodan. 
- * Merged minor fixes to policy from Russell Coker for kudzu, - named, screen, setfiles, telnet, and xdm. - * Merged minor fix to Makefile from Russell Coker. - -1.23.15 2005-05-06 - * Added tripwire and yam policy from David Hampton. - * Merged minor fixes to amavid and a clarification to the - httpdcontent attribute comments from David Hampton. - * Merged patch from Dan Walsh. Includes fixes for restorecon, - games, and postfix from Russell Coker. Adds support for debugfs. - Restores support for reiserfs. Allows udev to work with tmpfs_t - before /dev is labled. Removes transition from sysadm_t - (unconfined_t) to ifconfig_t for the targeted policy. Other minor - cleanups and fixes. - -1.23.14 2005-04-29 - * Added afs policy from Andrew Reisse. - * Merged patch from Lorenzo Hernández García-Hierro which defines - execstack and execheap permissions. The patch excludes these - permissions from general_domain_access and updates the macros for - X, legacy binaries, users, and unconfined domains. - * Added nlmsg_relay permisison where netlink_audit_socket class is - used. Added nlmsg_readpriv permission to auditd_t and auditctl_t. - * Merged some minor cleanups from Russell Coker and David Hampton. - * Merged patch from Dan Walsh. Many changes made to allow - targeted policy to run closer to strict and now almost all of - non-userspace is protected via SELinux. Kernel is now in - unconfined_domain for targeted and runs as root:system_r:kernel_t. - Added transitionbool to daemon_sub_domain, mainly to turn off - httpd_suexec transitioning. Implemented web_client_domain - name_connect rules. Added yp support for cups. Now the real - hotplug, udev, initial_sid_contexts are used for the targeted - policy. Other minor cleanups and fixes. Auditd fixes by Paul - Moore. - -1.23.13 2005-04-22 - * Merged more changes from Dan Walsh to initrc_t for removal of - unconfined_domain. 
- * Merged Dan Walsh's split of auditd policy into auditd_t for the
- audit daemon and auditctl_t for the autoctl program.
- * Added use of name_connect to uncond_can_ypbind macro by Dan
- Walsh.
- * Merged other cleanup and fixes by Dan Walsh.
-
-1.23.12 2005-04-20
- * Merged Dan Walsh's Netlink changes to handle new auditing pam
- modules.
- * Merged Dan Walsh's patch removing the sysadmfile attribute from
- policy files to separate sysadm_t from secadm_t.
- * Added CVS and uucpd policy from Dan Walsh.
- * Cleanup by Dan Walsh to handle turning off unlimitedRC.
- * Merged Russell Coker's fixes to ntpd, postgrey, and named
- policy.
- * Cleanup of chkpwd_domain and added permissions to su_domain
- macro due to pam changes to support audit.
- * Added nlmsg_relay and nlmsg_readpriv permissions to the
- netlink_audit_socket class.
-
-1.23.11 2005-04-14
- * Merged Dan Walsh's separation of the security manager and system
- administrator.
- * Removed screensaver.te as suggested by Thomas Bleher
- * Cleanup of typealiases that are no longer used by Thomas Bleher.
- * Cleanup of fc files and additional rules for SuSE by Thomas
- Bleher.
- * Merged changes to auditd and named policy by Russell Coker.
- * Merged MLS change from Darrel Goeddel to support the policy
- hierarchy patch.
-
-1.23.10 2005-04-08
- * Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
-
-1.23.9 2005-04-07
- * Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup
- of x_client apps.
- * Added dmidecode policy from Ivan Gyurdiev.
-
-1.23.8 2005-04-05
- * Added netlink_kobject_uevent_socket class.
- * Removed empty files pump.te and pump.fc.
- * Added NetworkManager policy from Dan Walsh.
- * Merged Dan Walsh's major restructuring of Apache's policy.
-
-1.23.7 2005-04-04
- * Merged David Hampton's amavis and clamav cleanups.
- * Added David Hampton's dcc, pyzor, and razor policy.
-
-1.23.6 2005-04-01
- * Merged cleanup of the Makefile and other stuff from Dan Walsh.
- Dan's patch includes some desktop changes from Ivan Gyurdiev.
- * Merged Thomas Bleher's patches which increase the usage of
- lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
- DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
- possible.
- * Merged Greg Norris's cleanup of fetchmail.
-
-1.23.5 2005-03-23
- * Added name_connect support from Dan Walsh.
- * Added httpd_unconfined_t from Dan Walsh.
- * Merged cleanup of assert.te to allow unresticted full access
- from Dan Walsh.
-
-1.23.4 2005-03-21
- * Merged diffs from Dan Walsh:
- * Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan
- Gyurdiev.
- * Added syslogng support to syslog.te.
-
-1.23.3 2005-03-15
- * Added policy for nx_server from Thomas Bleher.
- * Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
- publicfile from Petre Rodan.
-
-1.23.2 2005-03-14
- * Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's
- gift policy.
- * Made sysadm_r the first role for root, so root's home will be labled
- as sysadm_home_dir_t instead of staff_home_dir_t.
- * Modified fs_use and Makefile to reflect jfs now supporting security
- xattrs.
-
-1.23.1 2005-03-10
- * Merged diffs from Dan Walsh. Dan's patch includes Ivan
- Gyurdiev's cleanup of homedir macros and more extensive use of
- read_sysctl()
-
-1.22 2005-03-09
- * Updated version for release.
-
-1.21 2005-02-24
- * Added secure_file_type attribute from Dan Walsh
- * Added access_terminal() macro from Ivan Gyurdiev
- * Updated capability access vector for audit capabilities.
- * Added mlsconvert Makefile target to help generate MLS policies
- (see selinux-doc/README.MLS for instructions).
- * Changed policy Makefile to still generate policy.18 as well,
- and use it for make load if the kernel doesn't support 19.
- * Merged enhanced MLS support from Darrel Goeddel (TCS).
- * Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
- * Merged man pages from Dan Walsh.
-
-1.20 2005-01-04
- * Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
- Petre Rodan.
- * Merged can_create() macro used for file_type_{,auto_}trans()
- from Thomas Bleher.
- * Merged dante and stunnel policy by Petre Rodan.
- * Merged $1_file_type attribute from Thomas Bleher.
- * Merged network_macros from Dan Walsh.
-
-1.18 2004-10-25
- * Merged diffs from Russell Coker and Dan Walsh.
- * Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
- * Added reserved_port_t type and portcon entries to map all other
- reserved ports to this type.
- * Added distro_ prefix to distro tunables to avoid conflicts.
- * Merged diffs from Russell Coker.
-
-1.16 2004-08-16
- * Added nscd definitions.
- * Converted many tunables to policy booleans.
- * Added crontab permission.
- * Merged diffs from Dan Walsh.
- This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
- * Merged diffs from Russell Coker.
- * Adjusted constraints for crond restart.
- * Merged dbus/userspace object manager policy from Colin Walters.
- * Merged dbus definitions from Matthew Rickard.
- * Merged dnsmasq policy from Greg Norris.
- * Merged gpg-agent policy from Thomas Bleher.
-
-1.14 2004-06-28
- * Removed vmware-config.pl from vmware.fc.
- * Added crond entry to root_default_contexts.
- * Merged patch from Dan Walsh.
- * Merged mdadm and postfix changes from Colin Walters.
- * Merged reiserfs and rpm changes from Russell Coker.
- * Merged runaway .* glob fix from Valdis Kletnieks.
- * Merged diff from Dan Walsh.
- * Merged fine-grained netlink classes and permissions.
- * Merged changes for new /etc/selinux layout.
- * Changed mkaccess_vector.sh to provide stable order.
- * Merged diff from Dan Walsh.
- * Fix restorecon path in restorecon.fc.
- * Merged pax class and access vector definition from Joshua Brindle.
-
-1.12 2004-05-12
- * Added targeted policy.
- * Merged atd/at into crond/crontab domains.
- * Exclude bind mounts from relabeling to avoid aliasing.
- * Removed some obsolete types and remapped their initial SIDs to unlabeled.
- * Added SE-X related security classes and policy framework.
- * Added devnull initial SID and context.
- * Merged diffs from Fedora policy.
-
-1.10 2004-04-07
- * Merged ipv6 support from James Morris of RedHat.
- * Merged policy diffs from Dan Walsh.
- * Updated call to genhomedircon to reflect new usage.
- * Merged policy diffs from Dan Walsh and Russell Coker.
- * Removed config-users and config-services per Dan's request.
-
-1.8 2004-03-09
- * Merged genhomedircon patch from Karl MacMillan of Tresys.
- * Added restorecon domain.
- * Added unconfined_domain macro.
- * Added default_t for /.* file_contexts entry and replaced some
- uses of file_t with default_t in the policy.
- * Added su_restricted_domain() macro and use it for initrc_t.
- * Merged policy diffs from Dan Walsh and Russell Coker.
- These included a merge of an earlier patch by Chris PeBenito
- to rename the etc types to be consistent with other types.
-
-1.6 2004-02-18
- * Merged xfs support from Chris PeBenito.
- * Merged conditional rules for ping.te.
- * Defined setbool permission, added can_setbool macro.
- * Partial network policy cleanup.
- * Merged with Russell Coker's policy.
- * Renamed netscape macro and domain to mozilla and renamed
- ipchains domain to iptables for consistency with Russell.
- * Merged rhgb macro and domain from Russell Coker.
- * Merged tunable.te from Russell Coker.
- Only define direct_sysadm_daemon by default in our copy.
- * Added rootok permission to passwd class.
- * Merged Makefile change from Dan Walsh to generate /home
- file_contexts entries for staff users.
- * Added automatic role and domain transitions for init scripts and
- daemons.
Added an optional third argument (nosysadm) to
- daemon_domain to omit the direct transition from sysadm_r when
- the same executable is also used as an application, in which
- case the daemon must be restarted via the init script to obtain
- the proper security context. Added system_r to the authorized roles
- for admin users at least until support for automatic user identity
- transitions exist so that a transition to system_u can be provided
- transparently.
- * Added support to su domain for using pam_selinux.
- Added entries to default_contexts for the su domains to
- provide reasonable defaults. Removed user_su_t.
- * Tighten restriction on user identity and role transitions in constraints.
- * Merged macro for newrole-like domains from Russell Coker.
- * Merged stub dbusd domain from Russell Coker.
- * Merged stub prelink domain from Dan Walsh.
- * Merged updated userhelper and config tool domains from Dan Walsh.
- * Added send_msg/recv_msg permissions to can_network macro.
- * Merged patch by Chris PeBenito for sshd subsystems.
- * Merged patch by Chris PeBenito for passing class to var_run_domain.
- * Merged patch by Yuichi Nakamura for append_log_domain macros.
- * Merged patch by Chris PeBenito for rpc_pipefs labeling.
- * Merged patch by Colin Walters to apply m4 once so that
- source file info is preserved for checkpolicy.
-
-1.4 2003-12-01
- * Merged patches from Russell Coker.
- * Revised networking permissions.
- * Added new node_bind permission.
- * Added new siginh, rlimitinh, and setrlimit permissions.
- * Added proc_t:file read permission for new is_selinux_enabled logic.
- * Added failsafe_context configuration file to appconfig.
- * Moved newrules.pl to policycoreutils, renamed to audit2allow.
- * Merged newrules.pl patch from Yuichi Nakamura.
-
-1.2 2003-09-30
- * More policy merging with Russell Coker.
- * Transferred newrules.pl script from the old SELinux.
- * Merged MLS configuration patch from Karl MacMillan of Tresys.
- * Limit staff_t to reading /proc entries for unpriv_userdomain.
- * Updated Makefile and spec file to allow non-root builds,
- based on patch by Paul Nasrat.
-
-1.1 2003-08-13
- * Merged Makefile check-all and te-includes patches from Colin Walters.
- * Merged x-debian-packages.patch from Colin Walters.
- * Folded read permission into domain_trans.
-
-1.0 2003-07-11
- * Initial public release.
-
diff --git a/strict/Makefile b/strict/Makefile
deleted file mode 100644
index fac8cabf..00000000
--- a/strict/Makefile
+++ /dev/null
@@ -1,366 +0,0 @@
-#
-# Makefile for the security policy.
-#
-# Targets:
-#
-# install - compile and install the policy configuration, and context files.
-# load - compile, install, and load the policy configuration.
-# reload - compile, install, and load/reload the policy configuration.
-# relabel - relabel filesystems based on the file contexts configuration.
-# policy - compile the policy configuration locally for testing/development.
-#
-# The default target is 'install'.
-#
-
-# Set to y if MLS is enabled in the policy.
-MLS=n
-
-# Set to y if MCS is enabled in the policy
-MCS=n
-
-FLASKDIR = flask/
-PREFIX = /usr
-BINDIR = $(PREFIX)/bin
-SBINDIR = $(PREFIX)/sbin
-LOADPOLICY = $(SBINDIR)/load_policy
-CHECKPOLICY = $(BINDIR)/checkpolicy
-GENHOMEDIRCON = $(SBINDIR)/genhomedircon
-SETFILES = $(SBINDIR)/setfiles
-VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
-PREVERS := 19
-KERNVERS := $(shell cat /selinux/policyvers)
-POLICYVER := policy.$(VERS)
-TOPDIR = $(DESTDIR)/etc/selinux
-TYPE=strict
-ifeq ($(MLS),y)
-TYPE=mls
-endif
-ifeq ($(MCS),y)
-TYPE=mcs
-endif
-
-INSTALLDIR = $(TOPDIR)/$(TYPE)
-POLICYPATH = $(INSTALLDIR)/policy
-SRCPATH = $(INSTALLDIR)/src
-USERPATH = $(INSTALLDIR)/users
-CONTEXTPATH = $(INSTALLDIR)/contexts
-LOADPATH = $(POLICYPATH)/$(POLICYVER)
-FCPATH = $(CONTEXTPATH)/files/file_contexts
-HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
-
-ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
-ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
-ALL_TYPES := $(wildcard types/*.te)
-ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
-ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
-TE_RBAC_FILES := $(ALLTEFILES) rbac
-ALL_TUNABLES := $(wildcard tunables/*.tun )
-USER_FILES := users
-POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
-ifeq ($(MLS),y)
-POLICYFILES += mls
-CHECKPOLMLS += -M
-endif
-ifeq
($(MCS), y)
-POLICYFILES += mcs
-CHECKPOLMLS += -M
-endif
-DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
-POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += $(USER_FILES)
-POLICYFILES += constraints
-POLICYFILES += $(DEFCONTEXTFILES)
-CONTEXTFILES = $(DEFCONTEXTFILES)
-POLICY_DIRS = domains domains/program domains/misc macros macros/program
-
-UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
-
-FC = file_contexts/file_contexts
-HOMEDIR_TEMPLATE = file_contexts/homedir_template
-FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
-CONTEXTFILES += $(FCFILES)
-
-APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
-CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
-
-ROOTFILES = $(addprefix $(APPDIR)/users/,root)
-
-all: policy
-
-tmp/valid_fc: $(LOADPATH) $(FC)
- @echo "Validating file contexts files ..."
- $(SETFILES) -q -c $(LOADPATH) $(FC)
- @touch tmp/valid_fc
-
-install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
-
-$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
- @mkdir -p $(USERPATH)
- @echo "# " > tmp/system.users
- @echo "# Do not edit this file. " >> tmp/system.users
- @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
- @echo "# Please edit local.users to make local changes."
>> tmp/system.users
- @echo "#" >> tmp/system.users
- @m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
- install -m 644 tmp/system.users $@
-
-$(USERPATH)/local.users: local.users
- @mkdir -p $(USERPATH)
- install -b -m 644 $< $@
-
-$(CONTEXTPATH)/files/media: appconfig/media
- @mkdir -p $(CONTEXTPATH)/files/
- install -m 644 $< $@
-
-$(APPDIR)/default_contexts: appconfig/default_contexts
- @mkdir -p $(APPDIR)
- install -m 644 $< $@
-
-$(APPDIR)/removable_context: appconfig/removable_context
- @mkdir -p $(APPDIR)
- install -m 644 $< $@
-
-$(APPDIR)/customizable_types: policy.conf
- @mkdir -p $(APPDIR)
- @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
- install -m 644 tmp/customizable_types $@
-
-$(APPDIR)/port_types: policy.conf
- @mkdir -p $(APPDIR)
- @grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
- install -m 644 tmp/port_types $@
-
-$(APPDIR)/default_type: appconfig/default_type
- @mkdir -p $(APPDIR)
- install -m 644 $< $@
-
-$(APPDIR)/userhelper_context: appconfig/userhelper_context
- @mkdir -p $(APPDIR)
- install -m 644 $< $@
-
-$(APPDIR)/initrc_context: appconfig/initrc_context
- @mkdir -p $(APPDIR)
- install -m 644 $< $@
-
-$(APPDIR)/failsafe_context: appconfig/failsafe_context
- @mkdir -p $(APPDIR)
- install -m 644 $< $@
-
-$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
- @mkdir -p $(APPDIR)
- install -m 644 $< $@
-
-$(APPDIR)/users/root: appconfig/root_default_contexts
- @mkdir -p $(APPDIR)/users
- install -m 644 $< $@
-
-$(LOADPATH): policy.conf $(CHECKPOLICY)
- @echo "Compiling policy ..."
- @mkdir -p $(POLICYPATH)
- $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(VERS),$(PREVERS))
- $(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
-endif
-
-# Note: Can't use install, so not sure how to deal with mode, user, and group
-# other than by default.
-
-policy: $(POLICYVER)
-
-$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY)
- $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
- @echo "Validating file contexts files ..."
- $(SETFILES) -q -c $(POLICYVER) $(FC)
-
-reload tmp/load: $(LOADPATH)
- @echo "Loading Policy ..."
-ifeq ($(VERS), $(KERNVERS))
- $(LOADPOLICY) $(LOADPATH)
-else
- $(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
-endif
- touch tmp/load
-
-load: tmp/load $(FCPATH)
-
-enableaudit: policy.conf
- grep -v dontaudit policy.conf > policy.audit
- mv policy.audit policy.conf
-
-policy.conf: $(POLICYFILES) $(POLICY_DIRS)
- @echo "Building policy.conf ..."
- @mkdir -p tmp
- m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
- @mv $@.tmp $@
-
-install-src:
- rm -rf $(SRCPATH)/policy.old
- -mv $(SRCPATH)/policy $(SRCPATH)/policy.old
- @mkdir -p $(SRCPATH)/policy
- cp -R . $(SRCPATH)/policy
-
-tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
- @mkdir -p tmp
- ( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
- ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
- mv $@.tmp $@
-
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
-
-checklabels: $(SETFILES)
- $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
-
-restorelabels: $(SETFILES)
- $(SETFILES) -v $(FC) $(FILESYSTEMS)
-
-relabel: $(FC) $(SETFILES)
- $(SETFILES) $(FC) $(FILESYSTEMS)
-
-file_contexts/misc:
- @mkdir -p file_contexts/misc
-
-$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types
- @echo "Installing file contexts files..."
- @mkdir -p $(CONTEXTPATH)/files
- install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
- install -m 644 $(FC) $(FCPATH)
- @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
-
-$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
- @echo "Building file contexts files..."
- @m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
- @grep -v -e HOME -e ROLE -e USER $@.tmp > $@
- @grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE)
- @-rm $@.tmp
-
-# Create a tags-file for the policy:
-# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
-pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
-CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
-ifeq ($(strip $(CTAGS)),)
-CTAGS := $(call pathsearch,ctags) # suse naming scheme
-endif
-
-tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
- @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
- @LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
- --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
- --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
- --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
- --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
- --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
-
-clean:
- rm -f policy.conf $(POLICYVER)
- rm -f tags
- rm -f tmp/*
- rm -f $(FC)
- rm -f flask/*.h
-# for the policy regression tester
- find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
-
-# Policy regression tester.
-# Written by Colin Walters
-cur_te = $(filter-out %/,$(subst /,/ ,$@))
-
-TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
-
-define compute_depends
- export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
-endef
-
-
-ifeq ($(TE_DEPENDS_DEFINED),)
-ifeq ($(MAKECMDGOALS),check-all)
- GENRULES := $(TESTED_TE_FILES)
- export TE_DEPENDS_DEFINED := yes
-else
- # Handle the case where checkunused/blah.te is run directly.
- ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
- GENRULES := $(TESTED_TE_FILES)
- export TE_DEPENDS_DEFINED := yes
- endif
-endif
-endif
-
-# Test for a new enough version of GNU Make.
-$(eval have_eval := yes)
-ifneq ($(GENRULES),)
- ifeq ($(have_eval),)
-$(error Need GNU Make 3.80 or better!)
-Need GNU Make 3.80 or better
- endif
-endif
-$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
-
-PHONIES :=
-
-define compute_presymlinks
-PHONIES += presymlink/$(1)
-presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
- @if ! test -L domains/program/$(1); then \
- cd domains/program && ln -s unused/$(1) .; \
- fi
-endef
-
-# Compute dependencies.
-$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
-
-PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
-$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% :
- @$(MAKE) -s clean
-
-$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
- @if test -n "$(TE_DEPENDS_$(cur_te))"; then \
- echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
- fi
- @echo "Testing $(cur_te)...";
- @if !
make -s policy 1>/dev/null; then \
- echo "Testing $(cur_te)...FAILED"; \
- exit 1; \
- fi;
- @echo "Testing $(cur_te)...success."; \
-
-check-all:
- @for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
- $(MAKE) --no-print-directory $$goal; \
- done
-
-.PHONY: clean $(PHONIES)
-
-mlsconvert:
- @for file in $(CONTEXTFILES); do \
- echo "Converting $$file"; \
- sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
- mv $$file.new $$file; \
- done
- @for file in $(USER_FILES); do \
- echo "Converting $$file"; \
- sed -e 's/;/ level s0 range s0 - s9:c0.c127;/' $$file > $$file.new && \
- mv $$file.new $$file; \
- done
- @sed -e '/sid kernel/s/s0/s0 - s9:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
- @echo "Enabling MLS in the Makefile"
- @sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
- @mv Makefile.new Makefile
- @echo "Done"
-
-mcsconvert:
- @for file in $(CONTEXTFILES); do \
- echo "Converting $$file"; \
- sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
- mv $$file.new $$file; \
- done
- @for file in $(USER_FILES); do \
- echo "Converting $$file"; \
- sed -r -e 's/\;/ level s0 range s0;/' $$file | \
- sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
- mv $$file.new $$file; \
- done
- @sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
- @echo "Enabling MCS in the Makefile"
- @sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
- @mv Makefile.new Makefile
- @echo "Done"
-
diff --git a/strict/README b/strict/README
deleted file mode 100644
index 6818b66d..00000000
--- a/strict/README
+++ /dev/null
@@ -1,125 +0,0 @@
-The Makefile targets are:
-policy - compile the policy configuration.
-install - compile and install the policy configuration.
-load - compile, install, and load the policy configuration.
-relabel - relabel the filesystem.
-check-all - check individual additional policy files in domains/program/unused.
-checkunused/FILE.te - check individual file FILE from domains/program/unused.
-
-If you have configured MLS into your module, then set MLS=y in the
-Makefile prior to building the policy. Of course, you must have also
-built checkpolicy with MLS enabled.
-
-Three of the configuration files are independent of the particular
-security policy:
-1) flask/security_classes
-
- This file has a simple declaration for each security class.
- The corresponding symbol definitions are in the automatically
- generated header file .
-
-2) flask/initial_sids
-
- This file has a simple declaration for each initial SID.
- The corresponding symbol definitions are in the automatically
- generated header file .
-
-3) access_vectors
-
- This file defines the access vectors. Common prefixes for
- access vectors may be defined at the beginning of the file.
- After the common prefixes are defined, an access vector
- may be defined for each security class.
- The corresponding symbol definitions are in the automatically
- generated header file .
-
-In addition to being read by the security server, these configuration
-files are used during the kernel build to automatically generate
-symbol definitions used by the kernel for security classes, initial
-SIDs and permissions. Since the symbol definitions generated from
-these files are used during the kernel build, the values of existing
-security classes and permissions may not be modified by load_policy.
-However, new classes may be appended to the list of classes and new
-permissions may be appended to the list of permissions associated with
-each access vector definition.
-
-The policy-dependent configuration files are:
-1) tmp/all.te
-
- This file defines the Type Enforcement (TE) configuration.
- This file is automatically generated from a collection of files.
-
- The macros subdirectory contains a collection of m4 macro definitions
- used by the TE configuration. The global_macros.te file contains global
- macros used throughout the configuration for common groupings of classes
- and permissions and for common sets of rules. The user_macros.te file
- contains macros used in defining user domains. The admin_macros.te file
- contains macros used in defining admin domains. The macros/program
- subdirectory contains macros that are used to instantiate derived domains
- for certain programs that encode information about both the calling user
- domain and the program, permitting the policy to maintain separation
- between different instances of the program.
-
- The types subdirectory contains several files with declarations for
- general types (types not associated with a particular domain) and
- some rules defining relationships among those types. Related types
- are grouped together into each file in this directory, e.g. all
- device type declarations are in the device.te file.
-
- The domains subdirectory contains several files and directories
- with declarations and rules for each domain. User domains are defined in
- user.te. Administrator domains are defined in admin.te. Domains for
- specific programs, including both system daemons and other programs, are
- in the .te files within the domains/program subdirectory. The domains/misc
- subdirectory is for miscellaneous domains such as the kernel domain and
- the kernel module loader domain.
-
- The assert.te file contains assertions that are checked after evaluating
- the entire TE configuration.
-
-2) rbac
-
- This file defines the Role-Based Access Control (RBAC) configuration.
-
-3) mls
-
- This file defines the Multi-Level Security (MLS) configuration.
-
-4) users
-
- This file defines the users recognized by the security policy.
-
-5) constraints
-
- This file defines additional constraints on permissions
- in the form of boolean expressions that must be satisfied in order
- for specified permissions to be granted. These constraints
- are used to further refine the type enforcement tables and
- the role allow rules. Typically, these constraints are used
- to restrict changes in user identity or role to certain domains.
-
-6) initial_sid_contexts
-
- This file defines the security context for each initial SID.
- A security context consists of a user identity, a role, a type and
- optionally a MLS range if the MLS policy is enabled. If left unspecified,
- the high MLS level defaults to the low MLS level. The syntax of a valid
- security context is:
-
- user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
-
-7) fs_use
-
- This file defines the labeling behavior for inodes in particular
- filesystem types.
-
-8) genfs_contexts
-
- This file defines security contexts for files in filesystems that
- cannot support persistent label mappings or use one of the fixed
- labeling schemes specified in fs_use.
-
-8) net_contexts
-
- This file defines the security contexts of network objects
- such as ports, interfaces, and nodes.
-
-9) file_contexts/{types.fc,program/*.fc}
- These files define the security contexts for persistent files.
-
-It is possible to test the security server functions on a given policy
-configuration by running the checkpolicy program with the -d option.
-This program is built from the same sources as the security server
-component of the kernel, so it may be used both to verify that a
-policy configuration will load successfully and to determine how the
-security server would respond if it were using that policy
-configuration. A menu-based interface is provided for calling any of
-the security server functions after the policy is loaded.
diff --git a/strict/VERSION b/strict/VERSION
deleted file mode 100644
index 08002f86..00000000
--- a/strict/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.27.1
diff --git a/strict/appconfig/dbus_contexts b/strict/appconfig/dbus_contexts
deleted file mode 100644
index 116e684f..00000000
--- a/strict/appconfig/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
- - - - -
diff --git a/strict/appconfig/default_contexts b/strict/appconfig/default_contexts
deleted file mode 100644
index e778f506..00000000
--- a/strict/appconfig/default_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t sysadm_r:sysadm_t
-system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-system_r:remote_login_t user_r:user_t staff_r:staff_t
-system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
-system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
-sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
-staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
-user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
diff --git a/strict/appconfig/default_type b/strict/appconfig/default_type
deleted file mode 100644
index af878bd7..00000000
--- a/strict/appconfig/default_type
+++ /dev/null
@@ -1,4 +0,0 @@
-secadm_r:secadm_t
-sysadm_r:sysadm_t
-staff_r:staff_t
-user_r:user_t
diff --git a/strict/appconfig/failsafe_context b/strict/appconfig/failsafe_context
deleted file mode 100644
index 2f96c9fd..00000000
--- a/strict/appconfig/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-sysadm_r:sysadm_t
diff --git a/strict/appconfig/initrc_context b/strict/appconfig/initrc_context
deleted file mode 100644
index 7fcf70bd..00000000
--- a/strict/appconfig/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:initrc_t
diff --git a/strict/appconfig/media b/strict/appconfig/media
deleted file mode 100644
index de2a6527..00000000
--- a/strict/appconfig/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t
-floppy system_u:object_r:removable_device_t
-disk system_u:object_r:fixed_disk_device_t
diff --git a/strict/appconfig/removable_context b/strict/appconfig/removable_context
deleted file mode 100644
index d4921f03..00000000
--- a/strict/appconfig/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t
diff --git a/strict/appconfig/root_default_contexts b/strict/appconfig/root_default_contexts
deleted file mode 100644
index acdcc08e..00000000
--- a/strict/appconfig/root_default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-system_r:crond_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
-staff_r:staff_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-sysadm_r:sysadm_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-user_r:user_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/strict/appconfig/userhelper_context b/strict/appconfig/userhelper_context
deleted file mode 100644
index 081e93b4..00000000
--- a/strict/appconfig/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:sysadm_r:sysadm_t
diff --git a/strict/assert.te b/strict/assert.te
deleted file mode 100644
index 02b2878c..00000000
--- a/strict/assert.te
+++ /dev/null
@@ -1,156 +0,0 @@
-##############################
-#
-# Assertions for the type enforcement (TE) configuration.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-##################################
-#
-# Access vector assertions.
-#
-# An access vector assertion specifies permissions that should not be in
-# an access vector based on a source type, a target type, and a class.
-# If any of the specified permissions are in the corresponding access
-# vector, then the policy compiler will reject the policy configuration.
-# Currently, there is only one kind of access vector assertion, neverallow,
-# but support for the other kinds of vectors could be easily added. Access
-# vector assertions use the same syntax as access vector rules.
-#
-
-#
-# Verify that every type that can be entered by
-# a domain is also tagged as a domain.
-#
-neverallow domain ~domain:process { transition dyntransition };
-
-#
-# Verify that only the insmod_t and kernel_t domains
-# have the sys_module capability.
-#
-neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
-
-#
-# Verify that executable types, the system dynamic loaders, and the
-# system shared libraries can only be modified by administrators.
-#
-neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
-neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
-
-#
-# Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
-neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
-
-#
-# Verify that only appropriate domains can write to /etc (IE mess with
-# /etc/passwd)
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
-
-#
-# Verify that other system software can only be modified by administrators.
-#
-neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
-neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
-
-#
-# Verify that only certain domains have access to the raw disk devices.
-#
-neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
-
-#
-# Verify that only the X server and klogd have access to memory devices.
-#
-neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
-
-#
-# Verify that only domains with the privlog attribute can actually syslog
-#
-neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
-
-#
-# Verify that /proc/kmsg is only accessible to klogd.
-#
-neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
-
-#
-# Verify that /proc/kcore is inaccessible.
-#
-
-neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
-
-#
-# Verify that sysctl variables are only changeable
-# by initrc and administrators.
-#
-neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
-neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
-neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
-
-#
-# Verify that certain domains are limited to only being
-# entered by their entrypoint types and to only executing
-# the dynamic loader without a transition to another domain.
-#
-
-define(`assert_execute', `
- ifelse($#, 0, ,
- $#, 1,
- ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
- `assert_execute($1) assert_execute(shift($@))')')
-
-ifdef(`getty.te', `assert_execute(getty)')
-ifdef(`klogd.te', `assert_execute(klogd)')
-ifdef(`tcpd.te', `assert_execute(tcpd)')
-ifdef(`portmap.te', `assert_execute(portmap)')
-ifdef(`syslogd.te', `assert_execute(syslogd)')
-ifdef(`rpcd.te', `assert_execute(rpcd)')
-ifdef(`rlogind.te', `assert_execute(rlogind)')
-ifdef(`ypbind.te', `assert_execute(ypbind)')
-ifdef(`xfs.te', `assert_execute(xfs)')
-ifdef(`gpm.te', `assert_execute(gpm)')
-ifdef(`ifconfig.te', `assert_execute(ifconfig)')
-ifdef(`iptables.te', `assert_execute(iptables)')
-
-ifdef(`login.te', `
-neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
-neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
-')
-
-#
-# Verify that the passwd domain can only be entered by its
-# entrypoint type and can only execute the dynamic loader
-# and the ordinary passwd program without a transition to another domain.
-#
-ifdef(`passwd.te', `
-neverallow passwd_t ~passwd_exec_t:file entrypoint;
-neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
-neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
-')
-
-#
-# Verify that only the admin domains and initrc_t have setenforce.
-#
-neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
-
-#
-# Verify that only the kernel and load_policy_t have load_policy.
-#
-
-neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
-
-#
-# for gross mistakes in policy
-neverallow * domain:dir ~r_dir_perms;
-neverallow * domain:file_class_set ~rw_file_perms;
-neverallow { domain unlabeled_t } file_type:process *;
-neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/strict/attrib.te b/strict/attrib.te
deleted file mode 100644
index 459e7cc6..00000000
--- a/strict/attrib.te
+++ /dev/null
@@ -1,484 +0,0 @@
-#
-# Declarations for type attributes.
-#
-
-# A type attribute can be used to identify a set of types with a similar
-# property. Each type can have any number of attributes, and each
-# attribute can be associated with any number of types. Attributes are
-# explicitly declared here, and can then be associated with particular
-# types in type declarations. Attribute names can then be used throughout
-# the configuration to express the set of types that are associated with
-# the attribute. Except for the MLS attributes, attributes have no implicit
-# meaning to SELinux. The meaning of all other attributes are completely
-# defined through their usage within the configuration, but should be
-# documented here as comments preceding the attribute declaration.
-
-#####################
-# Attributes for MLS:
-#
-
-attribute mlsfileread;
-attribute mlsfilereadtoclr;
-attribute mlsfilewrite;
-attribute mlsfilewritetoclr;
-attribute mlsfileupgrade;
-attribute mlsfiledowngrade;
-
-attribute mlsnetread;
-attribute mlsnetreadtoclr;
-attribute mlsnetwrite;
-attribute mlsnetwritetoclr;
-attribute mlsnetupgrade;
-attribute mlsnetdowngrade;
-attribute mlsnetrecvall;
-
-attribute mlsipcread;
-attribute mlsipcreadtoclr;
-attribute mlsipcwrite;
-attribute mlsipcwritetoclr;
-
-attribute mlsprocread;
-attribute mlsprocreadtoclr;
-attribute mlsprocwrite;
-attribute mlsprocwritetoclr;
-attribute mlsprocsetsl;
-
-attribute mlsxwinread;
-attribute mlsxwinreadtoclr;
-attribute mlsxwinwrite;
-attribute mlsxwinwritetoclr;
-attribute mlsxwinupgrade;
-attribute mlsxwindowngrade;
-
-attribute mlstrustedobject;
-
-attribute privrangetrans;
-attribute mlsrangetrans;
-
-#########################
-# Attributes for domains:
-#
-
-# The domain attribute identifies every type that can be
-# assigned to a process. This attribute is used in TE rules
-# that should be applied to all domains, e.g. permitting
-# init to kill all processes.
-attribute domain;
-
-# The daemon attribute identifies domains for system processes created via
-# the daemon_domain, daemon_base_domain, and init_service_domain macros.
-attribute daemon;
-
-# The privuser attribute identifies every domain that can
-# change its SELinux user identity. This attribute is used
-# in the constraints configuration. NOTE: This attribute
-# is not required for domains that merely change the Linux
-# uid attributes, only for domains that must change the
-# SELinux user identity. Also note that this attribute makes
-# no sense without the privrole attribute.
-attribute privuser;
-
-# The privrole attribute identifies every domain that can
-# change its SELinux role. This attribute is used in the
-# constraints configuration.
-attribute privrole;
-
-# The userspace_objmgr attribute identifies every domain
-# which enforces its own policy.
-attribute userspace_objmgr;
-
-# The priv_system_role attribute identifies every domain that can
-# change role from a user role to system_r role, and identity from a user
-# identity to system_u. It is used in the constraints configuration.
-attribute priv_system_role;
-
-# The privowner attribute identifies every domain that can
-# assign a different SELinux user identity to a file, or that
-# can create a file with an identity that is not the same as the
-# process identity. This attribute is used in the constraints
-# configuration.
-attribute privowner;
-
-# The privlog attribute identifies every domain that can
-# communicate with syslogd through its Unix domain socket.
-# There is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privlog;
-
-# The privmodule attribute identifies every domain that can run
-# modprobe, there is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privmodule;
-
-# The privsysmod attribute identifies every domain that can have the
-# sys_module capability
-attribute privsysmod;
-
-# The privmem attribute identifies every domain that can
-# access kernel memory devices.
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privmem;
-
-# The privkmsg attribute identifies every domain that can
-# read kernel messages (/proc/kmsg)
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privkmsg;
-
-# The privfd attribute identifies every domain that should have
-# file handles inherited widely (IE sshd_t and getty_t).
-attribute privfd;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# The auth attribute identifies every domain that needs
-# to read /etc/shadow, and grants the permission.
-attribute auth;
-
-# The auth_bool attribute identifies every domain that can
-# read /etc/shadow if its boolean is set;
-attribute auth_bool;
-
-# The auth_write attribute identifies every domain that can have write or
-# relabel access to /etc/shadow, but does not grant it.
-attribute auth_write;
-
-# The auth_chkpwd attribute identifies every system domain that can
-# authenticate users by running unix_chkpwd
-attribute auth_chkpwd;
-
-# The change_context attribute identifies setfiles_t, restorecon_t, and other
-# system domains that change the context of most/all files on the system
-attribute change_context;
-
-# The etc_writer attribute identifies every domain that can write to etc_t
-attribute etc_writer;
-
-# The sysctl_kernel_writer attribute identifies domains that can write to
-# sysctl_kernel_t, in addition the admin attribute is permitted write access
-attribute sysctl_kernel_writer;
-
-# the sysctl_net_writer attribute identifies domains that can write to
-# sysctl_net_t files.
-attribute sysctl_net_writer;
-
-# The sysctl_type attribute identifies every type that is assigned
-# to a sysctl entry. This can be used in allow rules to grant
-# permissions to all sysctl entries without enumerating each individual
-# type, but should be used with care.
-attribute sysctl_type;
-
-# The admin attribute identifies every administrator domain.
-# It is used in TE assertions when verifying that only administrator
-# domains have certain permissions.
-# This attribute is presently associated with sysadm_t and
-# certain administrator utility domains.
-# XXX The use of this attribute should be reviewed for consistency.
-# XXX Might want to partition into several finer-grained attributes
-# XXX used in different assertions within assert.te.
-attribute admin;
-
-# The secadmin attribute identifies every security administrator domain.
-# It is used in TE assertions when verifying that only administrator
-# domains have certain permissions.
-# This attribute is presently associated with sysadm_t and secadm_t
-attribute secadmin;
-
-# The userdomain attribute identifies every user domain, presently
-# user_t and sysadm_t. It is used in TE rules that should be applied
-# to all user domains.
-attribute userdomain;
-
-# for a small domain that can only be used for newrole
-attribute user_mini_domain;
-
-# pty for the mini domain
-attribute mini_pty_type;
-
-# pty created by a server such as sshd
-attribute server_pty;
-
-# attribute for all non-administrative devpts types
-attribute userpty_type;
-
-# The user_tty_type identifies every type for a tty or pty owned by an
-# unpriviledged user
-attribute user_tty_type;
-
-# The admin_tty_type identifies every type for a tty or pty owned by a
-# priviledged user
-attribute admin_tty_type;
-
-# The user_crond_domain attribute identifies every user_crond domain, presently
-# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
-# applied to all user domains.
-attribute user_crond_domain;
-
-# The unpriv_userdomain identifies non-administrative users (default user_t)
-attribute unpriv_userdomain;
-
-# This attribute is for the main user home directory for unpriv users
-attribute user_home_dir_type;
-
-# The gphdomain attribute identifies every gnome-pty-helper derived
-# domain. It is used in TE rules to permit inheritance and use of
-# descriptors created by these domains.
-attribute gphdomain;
-
-# The fs_domain identifies every domain that may directly access a fixed disk
-attribute fs_domain;
-
-# This attribute is for all domains for the userhelper program.
-attribute userhelperdomain;
-
-############################
-# Attributes for file types:
-#
-
-# The file_type attribute identifies all types assigned to files
-# in persistent filesystems. It is used in TE rules to permit
-# the association of all such file types with persistent filesystem
-# types, and to permit certain domains to access all such types as
-# appropriate.
-attribute file_type;
-
-# The secure_file_type attribute identifies files
-# which will be treated with a higer level of security.
-# Most domains will be prevented from manipulating files in this domain
-attribute secure_file_type;
-
-# The device_type attribute identifies all types assigned to device nodes
-attribute device_type;
-
-# The proc_fs attribute identifies all types that may be assigned to
-# files under /proc.
-attribute proc_fs;
-
-# The dev_fs attribute identifies all types that may be assigned to
-# files, sockets, or pipes under /dev.
-attribute dev_fs;
-
-# The sysadmfile attribute identifies all types assigned to files
-# that should be completely accessible to administrators. It is used
-# in TE rules to grant such access for administrator domains.
-attribute sysadmfile;
-
-# The secadmfile attribute identifies all types assigned to files
-# that should be only accessible to security administrators. It is used
-# in TE rules to grant such access for security administrator domains.
-attribute secadmfile;
-
-# The fs_type attribute identifies all types assigned to filesystems
-# (not limited to persistent filesystems).
-# It is used in TE rules to permit certain domains to mount
-# any filesystem and to permit most domains to obtain the
-# overall filesystem statistics.
-attribute fs_type;
-
-# The mount_point attribute identifies all types that can serve
-# as a mount point (for the mount binary). It is used in the mount
-# policy to grant mounton permission, and in other domains to grant
-# getattr permission over all the mount points.
-attribute mount_point;
-
-# The exec_type attribute identifies all types assigned
-# to entrypoint executables for domains. This attribute is
-# used in TE rules and assertions that should be applied to all
-# such executables.
-attribute exec_type;
-
-# The tmpfile attribute identifies all types assigned to temporary
-# files. This attribute is used in TE rules to grant certain
-# domains the ability to remove all such files (e.g. init, crond).
-attribute tmpfile;
-
-# The user_tmpfile attribute identifies all types associated with temporary
-# files for unpriv_userdomain domains.
-attribute user_tmpfile;
-
-# for the user_xserver_tmp_t etc
-attribute xserver_tmpfile;
-
-# The tmpfsfile attribute identifies all types defined for tmpfs
-# type transitions.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute tmpfsfile;
-
-# The home_type attribute identifies all types assigned to home
-# directories. This attribute is used in TE rules to grant certain
-# domains the ability to access all home directory types.
-attribute home_type;
-
-# This attribute is for the main user home directory /home/user, to
-# distinguish it from sub-dirs. Often you want a process to be able to
-# read the user home directory but not read the regular directories under it.
-attribute home_dir_type;
-
-# The ttyfile attribute identifies all types assigned to ttys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ttys.
-attribute ttyfile;
-
-# The ptyfile attribute identifies all types assigned to ptys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ptys.
-attribute ptyfile;
-
-# The pidfile attribute identifies all types assigned to pid files.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute pidfile;
-
-
-############################
-# Attributes for network types:
-#
-
-# The socket_type attribute identifies all types assigned to
-# kernel-created sockets. Ordinary sockets are assigned the
-# domain of the creating process.
-# XXX This attribute is unused. Remove?
-attribute socket_type;
-
-# Identifies all types assigned to port numbers to control binding.
-attribute port_type;
-
-# Identifies all types assigned to reserved port (<1024) numbers to control binding.
-attribute reserved_port_type;
-
-# Identifies all types assigned to network interfaces to control
-# operations on the interface (XXX obsolete, not supported via LSM)
-# and to control traffic sent or received on the interface.
-attribute netif_type;
-
-# Identifies all default types assigned to packets received
-# on network interfaces.
-attribute netmsg_type;
-
-# Identifies all types assigned to network nodes/hosts to control
-# traffic sent to or received from the node.
-attribute node_type;
-
-# Identifier for log files or directories that only exist for log files.
-attribute logfile;
-
-# Identifier for lock files (/var/lock/*) or directories that only exist for
-# lock files.
-attribute lockfile;
-
-
-
-##############################
-# Attributes for security policy types:
-#
-
-# The login_contexts attribute idenitifies the files used
-# to define default contexts for login types (e.g., login, cron).
-attribute login_contexts;
-
-# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
-# sysadm_mail_t, etc)
-attribute user_mail_domain;
-
-# Identifies domains that can transition to system_mail_t
-attribute privmail;
-
-# Type for non-sysadm home directory
-attribute user_home_type;
-
-# For domains that are part of a mail server and need to read user files and
-# fifos, and inherit file handles to enable user email to get to the mail
-# spool
-attribute mta_user_agent;
-
-# For domains that are part of a mail server for delivering messages to the
-# user
-attribute mta_delivery_agent;
-
-# For domains that make outbound TCP port 25 connections to send mail from the
-# mail server.
-attribute mail_server_sender;
-
-# For a mail server process that takes TCP connections on port 25
-attribute mail_server_domain;
-
-# For web clients such as netscape and squid
-attribute web_client_domain;
-
-# For X Window System server domains
-attribute xserver;
-
-# For X Window System client domains
-attribute xclient;
-
-# For X Window System protocol extensions
-attribute xextension;
-
-# For X Window System property types
-attribute xproperty;
-
-#
-# For file systems that do not have extended attributes but need to be
-# r/w by users
-#
-attribute noexattrfile;
-
-#
-# For filetypes that the usercan read
-#
-attribute usercanread;
-
-#
-# For serial devices
-#
-attribute serial_device;
-
-# Attribute to designate unrestricted access
-attribute unrestricted;
-
-# Attribute to designate can transition to unconfined_t
-attribute unconfinedtrans;
-
-# For clients of nscd.
-attribute nscd_client_domain;
-
-# For clients of nscd that can use shmem interface.
-attribute nscd_shmem_domain;
-
-# For labeling of content for httpd. This attribute is only used by
-# the httpd_unified domain, which says treat all httpdcontent the
-# same. If you want content to be served in a "non-unified" system
-# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
-# your policy.
-attribute httpdcontent;
-
-# For labeling of domains whos transition can be disabled
-attribute transitionbool;
-
-# For labeling of file_context domains which users can change files to rather
-# then the default file context. These file_context can survive a relabeling
-# of the file system.
-attribute customizable;
-
-##############################
-# Attributes for polyinstatiation support:
-#
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
diff --git a/strict/constraints b/strict/constraints
deleted file mode 100644
index 46a98757..00000000
--- a/strict/constraints
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Define m4 macros for the constraints
-#
-
-#
-# Define the constraints
-#
-# constrain class_set perm_set expression ;
-#
-# validatetrans class_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_mls_op r2
-# | t1 op t2
-# | l1 role_mls_op l2
-# | l1 role_mls_op h2
-# | h1 role_mls_op l2
-# | h1 role_mls_op h2
-# | l1 role_mls_op h1
-# | l2 role_mls_op h2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-# | u3 op names (NOTE: this is only available for validatetrans)
-# | r3 op names (NOTE: this is only available for validatetrans)
-# | t3 op names (NOTE: this is only available for validatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name#
-#
-
-#
-# Restrict the ability to transition to other users
-# or roles to a few privileged types.
-#
-
-constrain process transition
- ( u1 == u2 or ( t1 == privuser and t2 == userdomain )
-ifdef(`crond.te', `
- or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
-')
-ifdef(`userhelper.te',
- `or (t1 == userhelperdomain)')
- or (t1 == priv_system_role and u2 == system_u )
- );
-
-constrain process transition
- ( r1 == r2 or ( t1 == privrole and t2 == userdomain )
-ifdef(`crond.te', `
- or (t1 == crond_t and t2 == user_crond_domain)
-')
-ifdef(`userhelper.te',
- `or (t1 == userhelperdomain)')
-ifdef(`postfix.te', `
-ifdef(`direct_sysadm_daemon',
- `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
-')
- or (t1 == priv_system_role and r2 == system_r )
- );
-
-constrain process dyntransition
- ( u1 == u2 and r1 == r2);
-
-#
-# Restrict the ability to label objects with other
-# user identities to a few privileged types.
-#
-
-constrain dir_file_class_set { create relabelto relabelfrom }
- ( u1 == u2 or t1 == privowner );
-
-constrain socket_class_set { create relabelto relabelfrom }
- ( u1 == u2 or t1 == privowner );
diff --git a/strict/domains/admin.te b/strict/domains/admin.te
deleted file mode 100644
index bc29a78c..00000000
--- a/strict/domains/admin.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Admin - Domains for administrators.
-#
-#################################
-
-# sysadm_t is the system administrator domain.
-type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
-ifdef(`direct_sysadm_daemon', `, priv_system_role')
-; dnl end of sysadm_t type declaration
-
-allow privhome home_root_t:dir { getattr search };
-
-# system_r is authorized for sysadm_t for single-user mode.
-role system_r types sysadm_t;
-
-general_proc_read_access(sysadm_t)
-
-# sysadm_t is also granted permissions specific to administrator domains.
-admin_domain(sysadm)
-
-# for su
-allow sysadm_t userdomain:fd use;
-
-ifdef(`separate_secadm', `', `
-security_manager_domain(sysadm_t)
-')
-
-# Add/remove user home directories
-file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
-
-limited_user_role(secadm)
-typeattribute secadm_t admin;
-role secadm_r types secadm_t;
-security_manager_domain(secadm_t)
-r_dir_file(secadm_t, { var_t var_log_t })
-
-typeattribute secadm_tty_device_t admin_tty_type;
-typeattribute secadm_devpts_t admin_tty_type;
-
-bool allow_ptrace false;
-
-if (allow_ptrace) {
-can_ptrace(sysadm_t, domain)
-}
diff --git a/strict/domains/misc/auth-net.te b/strict/domains/misc/auth-net.te
deleted file mode 100644
index e954a9bf..00000000
--- a/strict/domains/misc/auth-net.te
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)
-
-can_network(auth)
diff --git a/strict/domains/misc/fcron.te b/strict/domains/misc/fcron.te
deleted file mode 100644
index 57209be9..00000000
--- a/strict/domains/misc/fcron.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC fcron - additions to cron policy for a more powerful cron program
-#
-# Domain for fcron, a more powerful cron program.
-#
-# Needs cron.te installed.
-#
-# Author: Russell Coker
-
-# Use capabilities.
-allow crond_t self:capability { dac_override dac_read_search };
-
-# differences between r_dir_perms and rw_dir_perms
-allow crond_t cron_spool_t:dir { add_name remove_name write };
-
-ifdef(`mta.te', `
-# not sure why we need write access, but Postfix does not work without it
-# I will have to change fcron to avoid the need for this
-allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
-')
-
-ifdef(`distro_debian', `
-can_exec(dpkg_t, crontab_exec_t)
-file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
-')
-
-rw_dir_create_file(crond_t, cron_spool_t)
-can_setfscreate(crond_t)
-
-# for /var/run/fcron.fifo
-file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te
deleted file mode 100644
index c0d017c3..00000000
--- a/strict/domains/misc/kernel.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#################################
-#
-# Rules for the kernel_t domain.
-#
-
-#
-# kernel_t is the domain of kernel threads.
-# It is also the target type when checking permissions in the system class.
-#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
-role system_r types kernel_t;
-general_domain_access(kernel_t)
-general_proc_read_access(kernel_t)
-base_file_read_access(kernel_t)
-uses_shlib(kernel_t)
-can_exec(kernel_t, shell_exec_t)
-
-# Use capabilities.
-allow kernel_t self:capability *;
-
-r_dir_file(kernel_t, sysfs_t)
-allow kernel_t { usbfs_t usbdevfs_t }:dir search;
-
-# Run init in the init_t domain.
-domain_auto_trans(kernel_t, init_exec_t, init_t)
-
-ifdef(`mls_policy', `
-# run init with maximum MLS range
-range_transition kernel_t init_exec_t s0 - s9:c0.c255;
-')
-
-# Share state with the init process.
-allow kernel_t init_t:process share;
-
-# Mount and unmount file systems.
-allow kernel_t fs_type:filesystem mount_fs_perms;
-
-# Send signal to any process.
-allow kernel_t domain:process signal;
-allow kernel_t domain:dir search;
-
-# Access the console.
-allow kernel_t device_t:dir search;
-allow kernel_t console_device_t:chr_file rw_file_perms;
-
-# Access the initrd filesystem.
-allow kernel_t file_t:chr_file rw_file_perms;
-can_exec(kernel_t, file_t)
-ifdef(`chroot.te', `
-can_exec(kernel_t, chroot_exec_t)
-')
-allow kernel_t self:capability sys_chroot;
-
-allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
-allow kernel_t unlabeled_t:fifo_file rw_file_perms;
-allow kernel_t file_t:dir rw_dir_perms;
-allow kernel_t file_t:blk_file create_file_perms;
-allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
-
-# Lookup the policy.
-allow kernel_t policy_config_t:dir r_dir_perms;
-
-# Load the policy configuration.
-can_loadpol(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-can_exec(kernel_t, bin_t)
-
-ifdef(`targeted_policy', `
-unconfined_domain(kernel_t)
-')
diff --git a/strict/domains/misc/local.te b/strict/domains/misc/local.te
deleted file mode 100644
index cedba3c4..00000000
--- a/strict/domains/misc/local.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Local customization of existing policy should be done in this file.
-# If you are creating brand new policy for a new "target" domain, you
-# need to create a type enforcement (.te) file in domains/program
-# and a file context (.fc) file in file_context/program.
-
diff --git a/strict/domains/misc/startx.te b/strict/domains/misc/startx.te
deleted file mode 100644
index 16c4910f..00000000
--- a/strict/domains/misc/startx.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#DESC startx - policy for running an X server from a user domain
-#
-# Author: Russell Coker
-#
-
-# Everything is in the macro files
-
diff --git a/strict/domains/misc/userspace_objmgr.te b/strict/domains/misc/userspace_objmgr.te
deleted file mode 100644
index ae3b2055..00000000
--- a/strict/domains/misc/userspace_objmgr.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Userspace Object Managers
-#
-#################################
-
-# Get our own security context.
-can_getcon(userspace_objmgr)
-# Get security decisions via selinuxfs.
-can_getsecurity(userspace_objmgr)
-# Read /etc/selinux
-r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
-# Receive notifications of policy reloads and enforcing status changes.
-allow userspace_objmgr self:netlink_selinux_socket { create bind read };
-
diff --git a/strict/domains/misc/xclient.te b/strict/domains/misc/xclient.te
deleted file mode 100644
index ae4552f3..00000000
--- a/strict/domains/misc/xclient.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Authors: Eamon Walsh
-#
-
-#######################################
-#
-# Domains for the SELinux-enabled X Window System
-#
-
-#
-# Domain for all non-local X clients
-#
-type remote_xclient_t, domain;
-in_user_role(remote_xclient_t)
diff --git a/strict/domains/program/NetworkManager.te b/strict/domains/program/NetworkManager.te
deleted file mode 100644
index e4efdd6d..00000000
--- a/strict/domains/program/NetworkManager.te
+++ /dev/null
@@ -1,112 +0,0 @@ -#DESC NetworkManager - -# -# Authors: Dan Walsh -# -# - -################################# -# -# Rules for the NetworkManager_t domain. -# -# NetworkManager_t is the domain for the NetworkManager daemon. -# NetworkManager_exec_t is the type of the NetworkManager executable. -# -daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' ) - -can_network(NetworkManager_t) -allow NetworkManager_t port_type:tcp_socket name_connect; -allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind; -allow NetworkManager_t dhcpc_t:process signal; - -can_ypbind(NetworkManager_t) -uses_shlib(NetworkManager_t) -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock}; - -allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read }; - -allow NetworkManager_t self:process { setcap getsched }; -allow NetworkManager_t self:fifo_file rw_file_perms; -allow NetworkManager_t self:unix_dgram_socket create_socket_perms; -allow NetworkManager_t self:file { getattr read }; -allow NetworkManager_t self:packet_socket create_socket_perms; -allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; - - -# -# Communicate with Caching Name Server -# -ifdef(`named.te', ` -allow NetworkManager_t named_zone_t:dir search; -rw_dir_create_file(NetworkManager_t, named_cache_t) -domain_auto_trans(NetworkManager_t, named_exec_t, named_t) -allow named_t NetworkManager_t:udp_socket { read write }; -allow named_t NetworkManager_t:netlink_route_socket { read write }; -allow NetworkManager_t named_t:process signal; -allow named_t NetworkManager_t:packet_socket { read write }; -') - -allow NetworkManager_t selinux_config_t:dir search; -allow NetworkManager_t selinux_config_t:file { getattr read }; - -ifdef(`dbusd.te', ` -dbusd_client(system, NetworkManager) -allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg }; -allow 
NetworkManager_t self:dbus send_msg; -ifdef(`hald.te', ` -allow NetworkManager_t hald_t:dbus send_msg; -allow hald_t NetworkManager_t:dbus send_msg; -') -allow NetworkManager_t initrc_t:dbus send_msg; -allow initrc_t NetworkManager_t:dbus send_msg; -ifdef(`targeted_policy', ` -allow NetworkManager_t unconfined_t:dbus send_msg; -allow unconfined_t NetworkManager_t:dbus send_msg; -') -allow NetworkManager_t userdomain:dbus send_msg; -allow userdomain NetworkManager_t:dbus send_msg; -') - -allow NetworkManager_t usr_t:file { getattr read }; - -ifdef(`ifconfig.te', ` -domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t) -')dnl end if def ifconfig - -allow NetworkManager_t { sbin_t bin_t }:dir search; -allow NetworkManager_t bin_t:lnk_file read; -can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t }) - -# in /etc created by NetworkManager will be labelled net_conf_t. -file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file) - -allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read }; -allow NetworkManager_t proc_t:file { getattr read }; -r_dir_file(NetworkManager_t, proc_net_t) - -allow NetworkManager_t { domain -unrestricted }:dir search; -allow NetworkManager_t { domain -unrestricted }:file { getattr read }; -dontaudit NetworkManager_t unrestricted:dir search; -dontaudit NetworkManager_t unrestricted:file { getattr read }; - -allow NetworkManager_t howl_t:process signal; -allow NetworkManager_t initrc_var_run_t:file { getattr read }; - -domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t) -allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms; -# allow vpnc connections -allow NetworkManager_t self:rawip_socket create_socket_perms; -allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms; - -domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t) -domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t) -ifdef(`vpnc.te', ` -domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t) -') - 
-ifdef(`dhcpc.te', `
-allow NetworkManager_t dhcp_state_t:dir search;
-allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
-')
-allow NetworkManager_t var_lib_t:dir search;
-dontaudit NetworkManager_t user_tty_type:chr_file { read write };
-dontaudit NetworkManager_t security_t:dir search;
diff --git a/strict/domains/program/acct.te b/strict/domains/program/acct.te
deleted file mode 100644
index bbb4fdc9..00000000
--- a/strict/domains/program/acct.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Acct - BSD process accounting
-#
-# Author: Russell Coker
-# X-Debian-Packages: acct
-#
-
-#################################
-#
-# Rules for the acct_t domain.
-#
-# acct_exec_t is the type of the acct executable.
-#
-daemon_base_domain(acct)
-ifdef(`crond.te', `
-system_crond_entry(acct_exec_t, acct_t)
-
-# for monthly cron job
-file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
-')
-
-# for SSP
-allow acct_t urandom_device_t:chr_file read;
-
-type acct_data_t, file_type, logfile, sysadmfile;
-
-# not sure why we need this, the command "last" is reported as using it
-dontaudit acct_t self:capability kill;
-
-# gzip needs chown capability for some reason
-allow acct_t self:capability { chown fsetid sys_pacct };
-
-allow acct_t var_t:dir { getattr search };
-rw_dir_create_file(acct_t, acct_data_t)
-
-can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
-allow acct_t { bin_t sbin_t }:dir search;
-allow acct_t bin_t:lnk_file read;
-
-read_locale(acct_t)
-
-allow acct_t fs_t:filesystem getattr;
-
-allow acct_t self:unix_stream_socket create_socket_perms;
-
-allow acct_t self:fifo_file { read write getattr };
-
-allow acct_t { self proc_t }:file { read getattr };
-
-read_sysctl(acct_t)
-
-dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
-
-# for nscd
-dontaudit acct_t var_run_t:dir search;
-
-
-allow acct_t devtty_t:chr_file { read write };
-
-allow acct_t { etc_t etc_runtime_t }:file { read getattr };
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
-rw_dir_create_file(logrotate_t, acct_data_t)
-can_exec(logrotate_t, acct_data_t)
-')
-
diff --git a/strict/domains/program/alsa.te b/strict/domains/program/alsa.te
deleted file mode 100644
index ab804751..00000000
--- a/strict/domains/program/alsa.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC ainit - configuration tool for ALSA
-#
-# Author: Dan Walsh
-#
-#
-type alsa_t, domain, privlog, daemon;
-type alsa_exec_t, file_type, sysadmfile, exec_type;
-uses_shlib(alsa_t)
-allow alsa_t { unpriv_userdomain self }:sem create_sem_perms;
-allow alsa_t { unpriv_userdomain self }:shm create_shm_perms;
-allow alsa_t self:unix_stream_socket create_stream_socket_perms;
-allow alsa_t self:unix_dgram_socket create_socket_perms;
-allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
-allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
-
-type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
-rw_dir_create_file(alsa_t,alsa_etc_rw_t)
-allow alsa_t self:capability { setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
-allow alsa_t devpts_t:chr_file { read write };
-allow alsa_t etc_t:file { getattr read };
-domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
-role system_r types alsa_t;
-read_locale(alsa_t)
diff --git a/strict/domains/program/amanda.te b/strict/domains/program/amanda.te
deleted file mode 100644
index 4b63f5f4..00000000
--- a/strict/domains/program/amanda.te
+++ /dev/null
@@ -1,284 +0,0 @@ -#DESC Amanda - Automated backup program -# -# This policy file sets the rigths for amanda client started by inetd_t -# and amrecover -# -# X-Debian-Packages: amanda-common amanda-server -# Depends: inetd.te -# Author : Carsten Grohmann -# -# License : GPL -# -# last change: 27. August 2002 -# -# state : complete and tested -# -# Hints : -# - amanda.fc is the appendant file context file -# - If you use amrecover please extract the files and directories to the -# directory speficified in amanda.fc as type amanda_recover_dir_t. -# - The type amanda_user_exec_t is defined to label the files but not used. -# This configuration works only as an client and a amanda client does not need -# this programs. -# -# Enhancements/Corrections: -# - set tighter permissions to /bin/tar instead bin_t - -############################################################################## -# AMANDA CLIENT DECLARATIONS -############################################################################## - -# General declarations -###################### - -type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain; -role system_r types amanda_t; - -# type for the amanda executables -type amanda_exec_t, file_type, sysadmfile, exec_type; - -# type for the amanda executables started by inetd -type amanda_inetd_exec_t, file_type, sysadmfile, exec_type; - -# type for amanda configurations files -type amanda_config_t, file_type, sysadmfile; - -# type for files in /usr/lib/amanda -type amanda_usr_lib_t, file_type, sysadmfile; - -# type for all files in /var/lib/amanda -type amanda_var_lib_t, file_type, sysadmfile; - -# type for all files in /var/lib/amanda/gnutar-lists/ -type amanda_gnutarlists_t, file_type, sysadmfile; - -# type for user startable files -type amanda_user_exec_t, file_type, sysadmfile, exec_type; - -# type for same awk and other scripts -type amanda_script_exec_t, file_type, sysadmfile, exec_type; - -# type for the shell configuration files -type 
amanda_shellconfig_t, file_type, sysadmfile; - -tmp_domain(amanda) - -# type for /etc/amandates -type amanda_amandates_t, file_type, sysadmfile; - -# type for /etc/dumpdates -type amanda_dumpdates_t, file_type, sysadmfile; - -# type for amanda data -type amanda_data_t, file_type, sysadmfile; - -# Domain transitions -#################### - -domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t) - - -################## -# File permissions -################## - -# configuration files -> read only -allow amanda_t amanda_config_t:file { getattr read }; - -# access to amanda_amandates_t -allow amanda_t amanda_amandates_t:file { getattr lock read write }; - -# access to amanda_dumpdates_t -allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; - -# access to amandas data structure -allow amanda_t amanda_data_t:dir { read search write }; -allow amanda_t amanda_data_t:file { read write }; - -# access to proc_t -allow amanda_t proc_t:file { getattr read }; - -# access to etc_t and similar -allow amanda_t etc_t:file { getattr read }; -allow amanda_t etc_runtime_t:file { getattr read }; - -# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) -rw_dir_create_file(amanda_t, amanda_gnutarlists_t) - -# access to device_t and similar -allow amanda_t devtty_t:chr_file { read write }; - -# access to fs_t -allow amanda_t fs_t:filesystem getattr; - -# access to sysctl_kernel_t ( proc/sys/kernel/* ) -read_sysctl(amanda_t) - -##################### -# process permissions -##################### - -# Allow to use shared libs -uses_shlib(amanda_t) - -# Allow to execute a amanda executable file -allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read }; - -# Allow to run a shell -allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read }; - -# access to bin_t (tar) -allow amanda_t bin_t:file { execute execute_no_trans }; - -allow amanda_t self:capability { chown dac_override setuid }; -allow amanda_t self:process { fork sigchld 
setpgid signal }; -allow amanda_t self:dir search; -allow amanda_t self:file { getattr read }; - - -################################### -# Network and process communication -################################### - -can_network_server(amanda_t); -can_ypbind(amanda_t); -can_exec(amanda_t, sbin_t); - -allow amanda_t self:fifo_file { getattr read write ioctl lock }; -allow amanda_t self:unix_stream_socket create_stream_socket_perms; -allow amanda_t self:unix_dgram_socket create_socket_perms; - - -########################## -# Communication with inetd -########################## - -allow amanda_t inetd_t:udp_socket { read write }; - - -################### -# inetd permissions -################### - -allow inetd_t amanda_usr_lib_t:dir search; - - -######################## -# Access to to save data -######################## - -# access to user_home_t -allow amanda_t user_home_type:file { getattr read }; - -############################################################################## -# AMANDA RECOVER DECLARATIONS -############################################################################## - - -# General declarations -###################### - -# type for amrecover -type amanda_recover_t, domain; -role sysadm_r types amanda_recover_t; -role system_r types amanda_recover_t; - -# exec types for amrecover -type amanda_recover_exec_t, file_type, sysadmfile, exec_type; - -# type for recover files ( restored data ) -type amanda_recover_dir_t, file_type, sysadmfile; -file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t) - -# domain transsition -domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t) - -# file type auto trans to write debug messages -file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t) - - -# amanda recover process permissions -#################################### - -uses_shlib(amanda_recover_t) -allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal }; -allow amanda_recover_t self:capability { 
fowner fsetid kill setgid setuid chown dac_override net_bind_service }; -can_exec(amanda_recover_t, shell_exec_t) -allow amanda_recover_t privfd:fd use; - - -# amrecover network and process communication -############################################# - -can_network(amanda_recover_t); -allow amanda_recover_t amanda_port_t:tcp_socket name_connect; -can_ypbind(amanda_recover_t); -read_locale(amanda_recover_t); - -allow amanda_recover_t self:fifo_file { getattr ioctl read write }; -allow amanda_recover_t self:unix_stream_socket { connect create read write }; -allow amanda_recover_t var_log_t:dir search; -rw_dir_create_file(amanda_recover_t, amanda_log_t) - -# amrecover file permissions -############################ - -# access to etc_t and similar -allow amanda_recover_t etc_t:dir search; -allow amanda_recover_t etc_t:file { getattr read }; -allow amanda_recover_t etc_runtime_t:file { getattr read }; - -# access to amanda_recover_dir_t -allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write }; -allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink }; - -# access to var_t and var_run_t -allow amanda_recover_t var_t:dir search; -allow amanda_recover_t var_run_t:dir search; - -# access to proc_t -allow amanda_recover_t proc_t:dir search; -allow amanda_recover_t proc_t:file { getattr read }; - -# access to sysctl_kernel_t -read_sysctl(amanda_recover_t) - -# access to dev_t and similar -allow amanda_recover_t device_t:dir search; -allow amanda_recover_t devtty_t:chr_file { read write }; -allow amanda_recover_t null_device_t:chr_file { getattr write }; - -# access to bin_t -allow amanda_recover_t bin_t:file { execute execute_no_trans }; - -# access to sysadm_home_t and sysadm_home_dir_t to start amrecover -# in the sysadm home directory -allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr }; - -# access to use sysadm_tty_device_t (/dev/tty?) 
-allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write }; - -# access to amanda_tmp_t and tmp_t -allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write }; -allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink }; -allow amanda_recover_t tmp_t:dir search; - -# -# Rules to allow amanda to be run as a service in xinetd -# -allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind; - -#amanda needs to look at fs_type directories to decide whether it should backup -allow amanda_t { fs_type file_type }:dir {getattr read search }; -allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read }; -allow amanda_t device_type:{ blk_file chr_file } getattr; -allow amanda_t fixed_disk_device_t:blk_file read; -domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t) - -allow amanda_t file_type:sock_file getattr; -logdir_domain(amanda) - -dontaudit amanda_t proc_t:lnk_file read; -dontaudit amanda_t unlabeled_t:file getattr; -#amanda wants to check attributes on fifo_files -allow amanda_t file_type:fifo_file getattr; diff --git a/strict/domains/program/anaconda.te b/strict/domains/program/anaconda.te deleted file mode 100644 index 175947d2..00000000 --- a/strict/domains/program/anaconda.te +++ /dev/null 
@@ -1,48 +0,0 @@
-#DESC Anaconda - Red Hat Installation program
-#
-# Authors: Dan Walsh
-#
-#
-
-#################################
-#
-# Rules for the anaconda_t domain.
-#
-# anaconda_t is the domain of the installation program
-#
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
-role system_r types anaconda_t;
-unconfined_domain(anaconda_t)
-
-role system_r types ldconfig_t;
-domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
-
-# Run other rc scripts in the anaconda_t domain.
-domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
-
-ifdef(`dmesg.te', `
-domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
-')
-
-ifdef(`distro_redhat', `
-file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
-')
-
-ifdef(`rpm.te', `
-# Access /var/lib/rpm.
-domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
-')
-
-file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
-
-ifdef(`udev.te', `
-domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
-')
-
-ifdef(`ssh-agent.te', `
-role system_r types sysadm_ssh_agent_t;
-domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-ifdef(`passwd.te', `
-domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
-')
diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te
deleted file mode 100644
index 116069bd..00000000
--- a/strict/domains/program/apache.te
+++ /dev/null
@@ -1,409 +0,0 @@ -#DESC Apache - Web server -# -# X-Debian-Packages: apache2-common apache -# -############################################################################### -# -# Policy file for running the Apache web server -# -# NOTES: -# This policy will work with SUEXEC enabled as part of the Apache -# configuration. However, the user CGI scripts will run under the -# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the -# of the creating user. -# -# The user CGI scripts must be labeled with the httpd_$1_script_exec_t -# type, and the directory containing the scripts should also be labeled -# with these types. This policy allows user_r role to perform that -# relabeling. If it is desired that only sysadm_r should be able to relabel -# the user CGI scripts, then relabel rule for user_r should be removed. -# -############################################################################### - -define(`httpd_home_dirs', ` -r_dir_file(httpd_t, $1) -r_dir_file(httpd_suexec_t, $1) -can_exec(httpd_suexec_t, $1) -') - -bool httpd_unified false; - -# Allow httpd to use built in scripting (usually php) -bool httpd_builtin_scripting false; - -# Allow httpd cgi support -bool httpd_enable_cgi false; - -# Allow httpd to read home directories -bool httpd_enable_homedirs false; - -# Run SSI execs in system CGI script domain. 
-bool httpd_ssi_exec false; - -# Allow http daemon to communicate with the TTY -bool httpd_tty_comm false; - -# Allow http daemon to tcp connect -bool httpd_can_network_connect false; - -######################################################### -# Apache types -######################################################### -# httpd_config_t is the type given to the configuration -# files for apache /etc/httpd/conf -# -type httpd_config_t, file_type, sysadmfile; - -# httpd_modules_t is the type given to module files (libraries) -# that come with Apache /etc/httpd/modules and /usr/lib/apache -# -type httpd_modules_t, file_type, sysadmfile; - -# httpd_cache_t is the type given to the /var/cache/httpd -# directory and the files under that directory -# -type httpd_cache_t, file_type, sysadmfile; - -# httpd_exec_t is the type give to the httpd executable. -# -daemon_domain(httpd, `, privmail, nscd_client_domain') - -append_logdir_domain(httpd) -#can read /etc/httpd/logs -allow httpd_t httpd_log_t:lnk_file read; - -# For /etc/init.d/apache2 reload -can_tcp_connect(httpd_t, httpd_t) - -can_tcp_connect(web_client_domain, httpd_t) - -can_exec(httpd_t, httpd_exec_t) -file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file) - -general_domain_access(httpd_t) - -allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read }; - -read_sysctl(httpd_t) - -allow httpd_t crypt_device_t:chr_file rw_file_perms; - -# for modules that want to access /etc/mtab and /proc/meminfo -allow httpd_t { proc_t etc_runtime_t }:file { getattr read }; - -uses_shlib(httpd_t) -allow httpd_t { usr_t lib_t }:file { getattr read ioctl }; -allow httpd_t usr_t:lnk_file { getattr read }; - -# for apache2 memory mapped files -var_lib_domain(httpd) - -# for tomcat -r_dir_file(httpd_t, var_lib_t) - -# execute perl -allow httpd_t { bin_t sbin_t }:dir r_dir_perms; -can_exec(httpd_t, { bin_t sbin_t }) -allow httpd_t bin_t:lnk_file read; - -######################################## -# Set 
up networking -######################################## - -can_network_server(httpd_t) -can_kerberos(httpd_t) -can_resolve(httpd_t) -nsswitch_domain(httpd_t) -allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind; -# allow httpd to connect to mysql/posgresql -allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect; -# allow httpd to work as a relay -allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect; - -if (httpd_can_network_connect) { -can_network_client(httpd_t) -allow httpd_t port_type:tcp_socket name_connect; -} - -########################################## -# Legacy: remove when it's fixed # -# Allow libphp5.so with text relocations # -########################################## -allow httpd_t texrel_shlib_t:file execmod; - -######################################### -# Allow httpd to search users directories -######################################### -allow httpd_t home_root_t:dir { getattr search }; -dontaudit httpd_t sysadm_home_dir_t:dir getattr; - -############################################################################ -# Allow the httpd_t the capability to bind to a port and various other stuff -############################################################################ -allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; -dontaudit httpd_t self:capability net_admin; - -################################################# -# Allow the httpd_t to read the web servers config files -################################################### -r_dir_file(httpd_t, httpd_config_t) -# allow logrotate to read the config files for restart -ifdef(`logrotate.te', ` -r_dir_file(logrotate_t, httpd_config_t) -domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t) -allow logrotate_t httpd_t:process signull; -') -r_dir_file(initrc_t, httpd_config_t) -################################################## - -############################### -# Allow 
httpd_t to put files in /var/cache/httpd etc -############################## -create_dir_file(httpd_t, httpd_cache_t) - -############################### -# Allow httpd_t to access the tmpfs file system -############################## -tmpfs_domain(httpd) - -##################### -# Allow httpd_t to access -# libraries for its modules -############################### -allow httpd_t httpd_modules_t:file rx_file_perms; -allow httpd_t httpd_modules_t:dir r_dir_perms; -allow httpd_t httpd_modules_t:lnk_file r_file_perms; - -###################################################################### -# Allow initrc_t to access the Apache modules directory. -###################################################################### -allow initrc_t httpd_modules_t:dir r_dir_perms; - -############################################## -# Allow httpd_t to have access to files -# such as nisswitch.conf -# need ioctl for php -############################################### -allow httpd_t etc_t:file { read getattr ioctl }; -allow httpd_t etc_t:lnk_file { getattr read }; - -# setup the system domain for system CGI scripts -apache_domain(sys) -dontaudit httpd_sys_script_t httpd_config_t:dir search; - -# Run SSI execs in system CGI script domain. -if (httpd_ssi_exec) { -domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t) -} -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -################################################## -# -# PHP Directives -################################################## - -type httpd_php_exec_t, file_type, sysadmfile, exec_type; -type httpd_php_t, domain; - -# Transition from the user domain to this domain. -domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t) - -# The system role is authorized for this domain. 
-role system_r types httpd_php_t; - -general_domain_access(httpd_php_t) -uses_shlib(httpd_php_t) -can_exec(httpd_php_t, lib_t) - -# allow php to read and append to apache logfiles -allow httpd_php_t httpd_log_t:file ra_file_perms; - -# access to /tmp -tmp_domain(httpd) -tmp_domain(httpd_php) - -# Creation of lock files for apache2 -lock_domain(httpd) - -# Allow apache to used public_content_t -anonymous_domain(httpd) - -# connect to mysql -ifdef(`mysqld.te', ` -can_unix_connect(httpd_php_t, mysqld_t) -can_unix_connect(httpd_t, mysqld_t) -can_unix_connect(httpd_sys_script_t, mysqld_t) -allow httpd_php_t mysqld_var_run_t:dir search; -allow httpd_php_t mysqld_var_run_t:sock_file write; -allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search; -allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms; -allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms; -') -allow httpd_t bin_t:dir search; -allow httpd_t sbin_t:dir search; -allow httpd_t httpd_log_t:dir remove_name; - -read_fonts(httpd_t) - -allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; - -allow httpd_t autofs_t:dir { search getattr }; - -if (use_nfs_home_dirs && httpd_enable_homedirs) { -httpd_home_dirs(nfs_t) -} -if (use_samba_home_dirs && httpd_enable_homedirs) { -httpd_home_dirs(cifs_t) -} - -# -# Allow users to mount additional directories as http_source -# -allow httpd_t mnt_t:dir r_dir_perms; - -ifdef(`targeted_policy', ` -typealias httpd_sys_content_t alias httpd_user_content_t; -typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; - -if (httpd_enable_homedirs) { -allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search }; -} -') dnl targeted policy - -# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context -typealias httpd_sys_content_t alias httpd_sysadm_content_t; - -ifdef(`distro_redhat', ` -# -# mod_jk2 creates /var/log/httpd/jk2.shm to 
communicate with tomcat -# This is a bug but it still exists in FC2 -# -typealias httpd_log_t alias httpd_runtime_t; -allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append }; -dontaudit httpd_t httpd_runtime_t:file ioctl; -') dnl distro_redhat -# -# Customer reported the following -# -ifdef(`snmpd.te', ` -dontaudit httpd_t snmpd_var_lib_t:dir search; -dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; -', ` -dontaudit httpd_t usr_t:dir write; -') - -application_domain(httpd_helper) -role system_r types httpd_helper_t; -domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) -allow httpd_helper_t httpd_config_t:file { getattr read }; -allow httpd_helper_t httpd_log_t:file { append }; - -######################################## -# When the admin starts the server, the server wants to access -# the TTY or PTY associated with the session. The httpd appears -# to run correctly without this permission, so the permission -# are dontaudited here. -################################################## - -if (httpd_tty_comm) { -allow { httpd_t httpd_helper_t } devpts_t:dir search; -ifdef(`targeted_policy', ` -allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms; -') -allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms; -} else { -dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; -} - -read_sysctl(httpd_sys_script_t) -allow httpd_sys_script_t var_lib_t:dir search; -dontaudit httpd_t selinux_config_t:dir search; -r_dir_file(httpd_t, cert_t) - -# -# unconfined domain for apache scripts. 
Only to be used as a last resort -# -type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable; -type httpd_unconfined_script_t, domain, nscd_client_domain; -role system_r types httpd_unconfined_script_t; -unconfined_domain(httpd_unconfined_script_t) - -# The following are types for SUEXEC,which runs user scripts as their -# own user ID -# -daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool') -allow httpd_t httpd_suexec_exec_t:file { getattr read }; - -######################################################### -# Permissions for running child processes and scripts -########################################################## - -allow httpd_suexec_t self:capability { setuid setgid }; - -dontaudit httpd_suexec_t var_run_t:dir search; -allow httpd_suexec_t { var_t var_log_t }:dir search; -allow httpd_suexec_t home_root_t:dir search; - -allow httpd_suexec_t httpd_log_t:dir ra_dir_perms; -allow httpd_suexec_t httpd_log_t:file { create ra_file_perms }; -allow httpd_suexec_t httpd_t:fifo_file getattr; -allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; - -allow httpd_suexec_t etc_t:file { getattr read }; -read_locale(httpd_suexec_t) -read_sysctl(httpd_suexec_t) -allow httpd_suexec_t urandom_device_t:chr_file { getattr read }; - -# for shell scripts -allow httpd_suexec_t bin_t:dir search; -allow httpd_suexec_t bin_t:lnk_file read; -can_exec(httpd_suexec_t, { bin_t shell_exec_t }) - -if (httpd_can_network_connect) { -can_network(httpd_suexec_t) -allow httpd_suexec_t port_type:tcp_socket name_connect; -} - -can_ypbind(httpd_suexec_t) -allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl }; - -allow httpd_suexec_t autofs_t:dir { search getattr }; -tmp_domain(httpd_suexec) - -if (httpd_enable_cgi && httpd_unified) { -domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) -') -} -if (httpd_enable_cgi && httpd_unified && 
httpd_builtin_scripting) { -domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) -create_dir_file(httpd_t, httpdcontent) -} -if (httpd_enable_cgi) { -domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop }; -allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms; -} - -# -# Types for squirrelmail -# -type httpd_squirrelmail_t, file_type, sysadmfile; -create_dir_file(httpd_t, httpd_squirrelmail_t) -allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; -# File Type of squirrelmail attachments -type squirrelmail_spool_t, file_type, sysadmfile, tmpfile; -allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search }; -create_dir_file(httpd_t, squirrelmail_spool_t) -r_dir_file(httpd_sys_script_t, squirrelmail_spool_t) - -ifdef(`mta.te', ` -# apache should set close-on-exec -dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; -dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; -dontaudit system_mail_t httpd_log_t:file { append getattr }; -allow system_mail_t httpd_squirrelmail_t:file { append read }; -dontaudit system_mail_t httpd_t:tcp_socket { read write }; -') diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te deleted file mode 100644 index 8394e24f..00000000 --- a/strict/domains/program/apmd.te +++ /dev/null 
@@ -1,155 +0,0 @@ -#DESC Apmd - Automatic Power Management daemon -# -# Authors: Stephen Smalley and Timothy Fraser -# Russell Coker -# X-Debian-Packages: apmd -# - -################################# -# -# Rules for the apmd_t domain. -# -daemon_domain(apmd, `, privmodule, nscd_client_domain') - -# for SSP -allow apmd_t urandom_device_t:chr_file read; - -type apm_t, domain, privlog; -type apm_exec_t, file_type, sysadmfile, exec_type; -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, apm_exec_t, apm_t) -') -uses_shlib(apm_t) -allow apm_t privfd:fd use; -allow apm_t admin_tty_type:chr_file rw_file_perms; -allow apm_t device_t:dir search; -allow apm_t self:capability { dac_override sys_admin }; -allow apm_t proc_t:dir search; -allow apm_t proc_t:file r_file_perms; -allow apm_t fs_t:filesystem getattr; -allow apm_t apm_bios_t:chr_file rw_file_perms; -role sysadm_r types apm_t; -role system_r types apm_t; - -allow apmd_t device_t:lnk_file read; -allow apmd_t proc_t:file { getattr read write }; -can_sysctl(apmd_t) -allow apmd_t sysfs_t:file write; - -allow apmd_t self:unix_dgram_socket create_socket_perms; -allow apmd_t self:unix_stream_socket create_stream_socket_perms; -allow apmd_t self:fifo_file rw_file_perms; -allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read }; -allow apmd_t etc_t:lnk_file read; - -# acpid wants a socket -file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file) - -# acpid also has a logfile -log_domain(apmd) -tmp_domain(apmd) - -ifdef(`distro_suse', ` -var_lib_domain(apmd) -') - -allow apmd_t self:file { getattr read ioctl }; -allow apmd_t self:process getsession; - -# Use capabilities. -allow apmd_t self:capability { sys_admin sys_nice sys_time kill }; - -# controlling an orderly resume of PCMCIA requires creating device -# nodes 254,{0,1,2} for some reason. -allow apmd_t self:capability mknod; - -# Access /dev/apm_bios. -allow apmd_t apm_bios_t:chr_file rw_file_perms; - -# Run helper programs. 
-can_exec_any(apmd_t) - -# apmd calls hwclock.sh on suspend and resume -allow apmd_t clock_device_t:chr_file r_file_perms; -ifdef(`hwclock.te', ` -domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) -allow apmd_t adjtime_t:file rw_file_perms; -allow hwclock_t apmd_log_t:file append; -allow hwclock_t apmd_t:unix_stream_socket { read write }; -') - - -# to quiet fuser and ps -# setuid for fuser, dac* for ps -dontaudit apmd_t self:capability { setuid dac_override dac_read_search }; -dontaudit apmd_t domain:socket_class_set getattr; -dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr; -dontaudit apmd_t device_type:devfile_class_set getattr; -dontaudit apmd_t home_type:dir { search getattr }; -dontaudit apmd_t domain:key_socket getattr; -dontaudit apmd_t domain:dir search; - -ifdef(`distro_redhat', ` -can_exec(apmd_t, apmd_var_run_t) -# for /var/lock/subsys/network -lock_domain(apmd) - -# ifconfig_exec_t needs to be run in its own domain for Red Hat -ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)') -ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)') -ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)') -', ` -# for ifconfig which is run all the time -dontaudit apmd_t sysctl_t:dir search; -') - -ifdef(`udev.te', ` -allow apmd_t udev_t:file { getattr read }; -allow apmd_t udev_t:lnk_file { getattr read }; -') -# -# apmd tells the machine to shutdown requires the following -# -allow apmd_t initctl_t:fifo_file write; -allow apmd_t initrc_var_run_t:file { read write lock }; - -# -# Allow it to run killof5 and pidof -# -typeattribute apmd_t unrestricted; -r_dir_file(apmd_t, domain) - -# Same for apm/acpid scripts -domain_auto_trans(apmd_t, initrc_exec_t, initrc_t) -ifdef(`consoletype.te', ` -allow consoletype_t apmd_t:fd use; -allow consoletype_t apmd_t:fifo_file write; -') -ifdef(`mount.te', `allow mount_t apmd_t:fd use;') -ifdef(`crond.te', ` -domain_auto_trans(apmd_t, 
anacron_exec_t, system_crond_t) -allow apmd_t crond_t:fifo_file { getattr read write ioctl }; -') - -ifdef(`mta.te', ` -domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) -') - -# for a find /dev operation that gets /dev/shm -dontaudit apmd_t tmpfs_t:dir r_dir_perms; -dontaudit apmd_t selinux_config_t:dir search; -allow apmd_t user_tty_type:chr_file rw_file_perms; -# Access /dev/apm_bios. -allow initrc_t apm_bios_t:chr_file { setattr getattr read }; - -ifdef(`logrotate.te', ` -allow apmd_t logrotate_t:fd use; -')dnl end if logrotate.te -allow apmd_t devpts_t:dir { getattr search }; -allow apmd_t security_t:dir search; -allow apmd_t usr_t:dir search; -r_dir_file(apmd_t, hwdata_t) -ifdef(`targeted_policy', ` -unconfined_domain(apmd_t) -') - diff --git a/strict/domains/program/arpwatch.te b/strict/domains/program/arpwatch.te deleted file mode 100644 index 3065800c..00000000 --- a/strict/domains/program/arpwatch.te +++ /dev/null 
@@ -1,48 +0,0 @@ -#DESC arpwatch - keep track of ethernet/ip address pairings -# -# Author: Dan Walsh -# - -################################# -# -# Rules for the arpwatch_t domain. -# -# arpwatch_exec_t is the type of the arpwatch executable. -# -daemon_domain(arpwatch, `, privmail') - -# for files created by arpwatch -type arpwatch_data_t, file_type, sysadmfile; -create_dir_file(arpwatch_t,arpwatch_data_t) -tmp_domain(arpwatch) - -allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; - -can_network_server(arpwatch_t) -allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms; -allow arpwatch_t self:udp_socket create_socket_perms; -allow arpwatch_t self:unix_dgram_socket create_socket_perms; -allow arpwatch_t self:packet_socket create_socket_perms; -allow arpwatch_t self:unix_stream_socket create_stream_socket_perms; - -allow arpwatch_t { sbin_t var_lib_t }:dir search; -allow arpwatch_t sbin_t:lnk_file read; -r_dir_file(arpwatch_t, etc_t) -r_dir_file(arpwatch_t, usr_t) -can_ypbind(arpwatch_t) - -ifdef(`qmail.te', ` -allow arpwatch_t bin_t:dir search; -') - -ifdef(`distro_gentoo', ` -allow initrc_t arpwatch_data_t:dir { add_name write }; -allow initrc_t arpwatch_data_t:file create; -')dnl end distro_gentoo - -# why is mail delivered to a directory of type arpwatch_data_t? -allow mta_delivery_agent arpwatch_data_t:dir search; -allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms; -ifdef(`hide_broken_symptoms', ` -dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write }; -') diff --git a/strict/domains/program/auditd.te b/strict/domains/program/auditd.te deleted file mode 100644 index 3dd15a7b..00000000 --- a/strict/domains/program/auditd.te +++ /dev/null 
@@ -1,69 +0,0 @@ -#DESC auditd - System auditing daemon -# -# Authors: Colin Walters -# -# Some fixes by Paul Moore -# -define(`audit_manager_domain', ` -allow $1 auditd_etc_t:file rw_file_perms; -create_dir_file($1, auditd_log_t) -domain_auto_trans($1, auditctl_exec_t, auditctl_t) -') - -daemon_domain(auditd) - -allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; -allow auditd_t self:unix_dgram_socket create_socket_perms; -allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource }; -allow auditd_t self:process setsched; -allow auditd_t self:file { getattr read write }; -allow auditd_t etc_t:file { getattr read }; - -# Do not use logdir_domain since this is a security file -type auditd_log_t, file_type, secure_file_type; -allow auditd_t var_log_t:dir search; -rw_dir_create_file(auditd_t, auditd_log_t) - -can_exec(auditd_t, init_exec_t) -allow auditd_t initctl_t:fifo_file write; - -ifdef(`targeted_policy', ` -dontaudit auditd_t unconfined_t:fifo_file read; -') - -type auditctl_t, domain, privlog; -type auditctl_exec_t, file_type, exec_type, sysadmfile; -uses_shlib(auditctl_t) -allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; -allow auditctl_t self:capability { audit_write audit_control }; -allow auditctl_t etc_t:file { getattr read }; -allow auditctl_t admin_tty_type:chr_file rw_file_perms; - -type auditd_etc_t, file_type, secure_file_type; -allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms; -allow initrc_t auditd_etc_t:file r_file_perms; - -role secadm_r types auditctl_t; -role sysadm_r types auditctl_t; -audit_manager_domain(secadm_t) - -ifdef(`targeted_policy', `', ` -ifdef(`separate_secadm', `', ` -audit_manager_domain(sysadm_t) -') -') - -role system_r types auditctl_t; -domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t) - -dontaudit auditctl_t local_login_t:fd use; -allow auditctl_t proc_t:dir search; -allow auditctl_t 
sysctl_kernel_t:dir search; -allow auditctl_t sysctl_kernel_t:file { getattr read }; -dontaudit auditctl_t init_t:fd use; -allow auditctl_t initrc_devpts_t:chr_file { read write }; -allow auditctl_t privfd:fd use; - - -allow auditd_t sbin_t:dir search; -can_exec(auditd_t, sbin_t) diff --git a/strict/domains/program/automount.te b/strict/domains/program/automount.te deleted file mode 100644 index d1bb20ea..00000000 --- a/strict/domains/program/automount.te +++ /dev/null 
@@ -1,79 +0,0 @@ -#DESC Automount - Automount daemon -# -# Authors: Stephen Smalley -# Modified by Russell Coker -# X-Debian-Packages: amd am-utils autofs -# - -################################# -# -# Rules for the automount_t domain. -# -daemon_domain(automount) - -etc_domain(automount) - -# for SSP -allow automount_t urandom_device_t:chr_file read; - -# for if the mount point is not labelled -allow automount_t file_t:dir getattr; -allow automount_t default_t:dir getattr; - -allow automount_t autofs_t:dir { create_dir_perms ioctl }; -allow automount_t fs_type:dir getattr; - -allow automount_t { etc_t etc_runtime_t }:file { getattr read }; -allow automount_t proc_t:file { getattr read }; -allow automount_t self:process { getpgid setpgid setsched }; -allow automount_t self:capability { sys_nice dac_override }; -allow automount_t self:unix_stream_socket create_socket_perms; -allow automount_t self:unix_dgram_socket create_socket_perms; - -# because config files can be shell scripts -can_exec(automount_t, { etc_t automount_etc_t }) - -can_network_server(automount_t) -can_resolve(automount_t) -can_ypbind(automount_t) -can_ldap(automount_t) - -ifdef(`fsadm.te', ` -domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t) -') - -lock_domain(automount) - -tmp_domain(automount) -allow automount_t self:fifo_file rw_file_perms; - -# Run mount in the mount_t domain. 
-domain_auto_trans(automount_t, mount_exec_t, mount_t) -allow mount_t autofs_t:dir { search mounton read }; -allow mount_t automount_tmp_t:dir mounton; - -ifdef(`apmd.te', -`domain_auto_trans(apmd_t, automount_exec_t, automount_t) -can_exec(automount_t, bin_t)') - -allow automount_t { bin_t sbin_t }:dir search; -can_exec(automount_t, mount_exec_t) -can_exec(automount_t, shell_exec_t) - -allow mount_t autofs_t:dir getattr; -dontaudit automount_t var_t:dir write; - -allow userdomain autofs_t:dir r_dir_perms; -allow kernel_t autofs_t:dir { getattr ioctl read search }; - -allow automount_t { boot_t home_root_t }:dir getattr; -allow automount_t mnt_t:dir { getattr search }; - -can_exec(initrc_t, automount_etc_t) - -# Allow automount to create and delete directories in / and /home -file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir) - -allow automount_t var_lib_t:dir search; -allow automount_t var_lib_nfs_t:dir search; - diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te deleted file mode 100644 index c25544d4..00000000 --- a/strict/domains/program/bluetooth.te +++ /dev/null 
@@ -1,107 +0,0 @@ -#DESC Bluetooth -# -# Authors: Dan Walsh -# RH-Packages: Bluetooth -# - -################################# -# -# Rules for the bluetooth_t domain. -# -daemon_domain(bluetooth) - -file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file) -file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) - -tmp_domain(bluetooth) -var_lib_domain(bluetooth) - -# Use capabilities. -allow bluetooth_t self:file read; -allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; -allow bluetooth_t self:process getsched; -allow bluetooth_t proc_t:file { getattr read }; - -allow bluetooth_t self:shm create_shm_perms; - -lock_domain(bluetooth) - -# Use the network. -can_network(bluetooth_t) -can_ypbind(bluetooth_t) -ifdef(`dbusd.te', ` -dbusd_client(system, bluetooth) -allow bluetooth_t system_dbusd_t:dbus send_msg; -') -allow bluetooth_t self:socket create_stream_socket_perms; - -allow bluetooth_t self:unix_dgram_socket create_socket_perms; -allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; - -dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write }; - -# bluetooth_conf_t is the type of the /etc/bluetooth dir. 
-type bluetooth_conf_t, file_type, sysadmfile; -type bluetooth_conf_rw_t, file_type, sysadmfile; - -# Read /etc/bluetooth -allow bluetooth_t bluetooth_conf_t:dir search; -allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; -#/usr/sbin/hid2hci causes the following -allow initrc_t usbfs_t:file { getattr read }; -allow bluetooth_t usbfs_t:dir r_dir_perms; -allow bluetooth_t usbfs_t:file rw_file_perms; -allow bluetooth_t bin_t:dir search; -can_exec(bluetooth_t, { bin_t shell_exec_t }) -allow bluetooth_t bin_t:lnk_file read; - -#Handle bluetooth serial devices -allow bluetooth_t tty_device_t:chr_file rw_file_perms; -allow bluetooth_t self:fifo_file rw_file_perms; -allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read }; -r_dir_file(bluetooth_t, fonts_t) -allow bluetooth_t urandom_device_t:chr_file r_file_perms; -allow bluetooth_t usr_t:file { getattr read }; - -application_domain(bluetooth_helper, `, nscd_client_domain') -domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t) -role system_r types bluetooth_helper_t; -read_locale(bluetooth_helper_t) -typeattribute bluetooth_helper_t unrestricted; -r_dir_file(bluetooth_helper_t, domain) -allow bluetooth_helper_t bin_t:dir { getattr search }; -can_exec(bluetooth_helper_t, { bin_t shell_exec_t }) -allow bluetooth_helper_t bin_t:lnk_file read; -allow bluetooth_helper_t self:capability sys_nice; -allow bluetooth_helper_t self:fifo_file rw_file_perms; -allow bluetooth_helper_t self:process fork; -allow bluetooth_helper_t self:shm create_shm_perms; -allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms; -allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read }; -r_dir_file(bluetooth_helper_t, fonts_t) -r_dir_file(bluetooth_helper_t, proc_t) -read_sysctl(bluetooth_helper_t) -allow bluetooth_helper_t tmp_t:dir search; -allow bluetooth_helper_t usr_t:file { getattr read }; -allow bluetooth_helper_t home_dir_type:dir search; -ifdef(`xserver.te', ` -allow 
bluetooth_helper_t xserver_log_t:dir search; -allow bluetooth_helper_t xserver_log_t:file { getattr read }; -') -ifdef(`targeted_policy', ` -allow bluetooth_helper_t tmp_t:sock_file { read write }; -allow bluetooth_helper_t tmpfs_t:file { read write }; -allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto; -allow bluetooth_t unconfined_t:dbus send_msg; -allow unconfined_t bluetooth_t:dbus send_msg; -', ` -ifdef(`xdm.te', ` -allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write }; -') -allow bluetooth_t unpriv_userdomain:dbus send_msg; -allow unpriv_userdomain bluetooth_t:dbus send_msg; -') -allow bluetooth_helper_t bluetooth_t:socket { read write }; - -dontaudit bluetooth_helper_t default_t:dir { read search }; -dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write }; diff --git a/strict/domains/program/bonobo.te b/strict/domains/program/bonobo.te deleted file mode 100644 index c23f1d2f..00000000 --- a/strict/domains/program/bonobo.te +++ /dev/null @@ -1,9 +0,0 @@ -# DESC - Bonobo Activation Server -# -# Author: Ivan Gyurdiev -# - -# Type for executable -type bonobo_exec_t, file_type, exec_type, sysadmfile; - -# Everything else is in macros/bonobo_macros.te diff --git a/strict/domains/program/bootloader.te b/strict/domains/program/bootloader.te deleted file mode 100644 index 37e1c19e..00000000 --- a/strict/domains/program/bootloader.te +++ /dev/null 
@@ -1,167 +0,0 @@ -#DESC Bootloader - Lilo boot loader/manager -# -# Author: Russell Coker -# X-Debian-Packages: lilo -# - -################################# -# -# Rules for the bootloader_t domain. -# -# bootloader_exec_t is the type of the bootloader executable. -# -type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin'); -type bootloader_exec_t, file_type, sysadmfile, exec_type; -etc_domain(bootloader) - -role sysadm_r types bootloader_t; -role system_r types bootloader_t; - -allow bootloader_t var_t:dir search; -create_append_log_file(bootloader_t, var_log_t) -allow bootloader_t var_log_t:file write; - -# for nscd -dontaudit bootloader_t var_run_t:dir search; - -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t) -') -allow bootloader_t { initrc_t privfd }:fd use; - -tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file }) - -read_locale(bootloader_t) - -# for tune2fs -file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file) - -# for /vmlinuz sym link -allow bootloader_t root_t:lnk_file read; - -# lilo would need read access to get BIOS data -allow bootloader_t proc_kcore_t:file getattr; - -allow bootloader_t { etc_t device_t }:dir r_dir_perms; -allow bootloader_t etc_t:file r_file_perms; -allow bootloader_t etc_t:lnk_file read; -allow bootloader_t initctl_t:fifo_file getattr; -uses_shlib(bootloader_t) - -ifdef(`distro_debian', ` -allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; -allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; -allow bootloader_t boot_t:file relabelfrom; -allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; -allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; -allow bootloader_t usr_t:lnk_file read; -allow bootloader_t tmpfs_t:dir r_dir_perms; -allow bootloader_t 
initrc_var_run_t:dir r_dir_perms; -allow bootloader_t var_lib_t:dir search; -allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; -allow bootloader_t dpkg_var_lib_t:file { getattr read }; -# for /usr/share/initrd-tools/scripts -can_exec(bootloader_t, usr_t) -') - -allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; -dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms; -allow bootloader_t device_t:lnk_file { getattr read }; - -# LVM2 / Device Mapper's /dev/mapper/control -# maybe we should change the labeling for this -ifdef(`lvm.te', ` -allow bootloader_t lvm_control_t:chr_file rw_file_perms; -domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t) -allow lvm_t bootloader_tmp_t:file rw_file_perms; -r_dir_file(bootloader_t, lvm_etc_t) -') - -# uncomment the following line if you use "lilo -p" -#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file); - -can_exec_any(bootloader_t) -allow bootloader_t shell_exec_t:lnk_file read; -allow bootloader_t { bin_t sbin_t }:dir search; -allow bootloader_t { bin_t sbin_t }:lnk_file read; - -allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms; -allow bootloader_t modules_object_t:dir r_dir_perms; -ifdef(`distro_redhat', ` -allow bootloader_t modules_object_t:lnk_file { getattr read }; -') - -# for ldd -ifdef(`fsadm.te', ` -allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans }; -') -ifdef(`modutil.te', ` -allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans }; -') - -dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search; - -allow bootloader_t boot_t:dir { create rw_dir_perms }; -allow bootloader_t boot_t:file create_file_perms; -allow bootloader_t boot_t:lnk_file create_lnk_perms; - -allow bootloader_t load_policy_exec_t:file { getattr read }; - -allow bootloader_t random_device_t:chr_file { getattr read }; - -ifdef(`distro_redhat', ` -# for mke2fs -domain_auto_trans(bootloader_t, 
mount_exec_t, mount_t); -allow mount_t bootloader_tmp_t:dir mounton; - -# new file system defaults to file_t, granting file_t access is still bad. -allow bootloader_t file_t:dir create_dir_perms; -allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; -allow bootloader_t file_t:lnk_file create_lnk_perms; -allow bootloader_t self:unix_stream_socket create_socket_perms; -allow bootloader_t boot_runtime_t:file { read getattr unlink }; - -# for memlock -allow bootloader_t zero_device_t:chr_file { getattr read }; -allow bootloader_t self:capability ipc_lock; -') - -allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; -# allow bootloader to get attributes of any device node -allow bootloader_t { device_type ttyfile }:chr_file getattr; -allow bootloader_t device_type:blk_file getattr; -dontaudit bootloader_t devpts_t:dir create_dir_perms; - -allow bootloader_t self:process { fork signal_perms }; -allow bootloader_t self:lnk_file read; -allow bootloader_t self:dir search; -allow bootloader_t self:file { getattr read }; -allow bootloader_t self:fifo_file rw_file_perms; - -allow bootloader_t fs_t:filesystem getattr; - -allow bootloader_t proc_t:dir { getattr search }; -allow bootloader_t proc_t:file r_file_perms; -allow bootloader_t proc_t:lnk_file { getattr read }; -allow bootloader_t proc_mdstat_t:file r_file_perms; -allow bootloader_t self:dir { getattr search read }; -read_sysctl(bootloader_t) -allow bootloader_t etc_runtime_t:file r_file_perms; - -allow bootloader_t devtty_t:chr_file rw_file_perms; -allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; -allow bootloader_t initrc_t:fifo_file { read write }; - -# for reading BIOS data -allow bootloader_t memory_device_t:chr_file r_file_perms; - -allow bootloader_t policy_config_t:dir { search read }; -allow bootloader_t policy_config_t:file { getattr read }; - -allow bootloader_t lib_t:file { getattr read }; -allow bootloader_t sysfs_t:dir 
getattr; -allow bootloader_t urandom_device_t:chr_file read; -allow bootloader_t { usr_t var_t }:file { getattr read }; -r_dir_file(bootloader_t, src_t) -dontaudit bootloader_t selinux_config_t:dir search; -dontaudit bootloader_t sysctl_t:dir search; diff --git a/strict/domains/program/canna.te b/strict/domains/program/canna.te deleted file mode 100644 index feb4e52f..00000000 --- a/strict/domains/program/canna.te +++ /dev/null @@ -1,46 +0,0 @@ -#DESC canna - A Japanese character set input system. -# -# Authors: Dan Walsh -# -# - -################################# -# -# Rules for the canna_t domain. -# -daemon_domain(canna) - -file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file) - -logdir_domain(canna) -var_lib_domain(canna) - -allow canna_t self:capability { setgid setuid net_bind_service }; -allow canna_t tmp_t:dir { search }; -allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms}; -allow canna_t self:unix_dgram_socket create_stream_socket_perms; -allow canna_t etc_t:file { getattr read }; -allow canna_t usr_t:file { getattr read }; - -allow canna_t proc_t:file r_file_perms; -allow canna_t etc_runtime_t:file r_file_perms; -allow canna_t canna_var_lib_t:dir create; - -rw_dir_create_file(canna_t, canna_var_lib_t) - -can_network_tcp(canna_t) -allow canna_t port_type:tcp_socket name_connect; -can_ypbind(canna_t) - -allow userdomain canna_var_run_t:dir search; -allow userdomain canna_var_run_t:sock_file write; -can_unix_connect(userdomain, canna_t) - -ifdef(`i18n_input.te', ` -allow i18n_input_t canna_var_run_t:dir search; -allow i18n_input_t canna_var_run_t:sock_file write; -can_unix_connect(i18n_input_t, canna_t) -') - -dontaudit canna_t kernel_t:fd use; -dontaudit canna_t root_t:file read; diff --git a/strict/domains/program/cardmgr.te b/strict/domains/program/cardmgr.te deleted file mode 100644 index 8f789886..00000000 --- a/strict/domains/program/cardmgr.te +++ /dev/null 
@@ -1,90 +0,0 @@ -#DESC Cardmgr - PCMCIA control programs -# -# Authors: Stephen Smalley and Timothy Fraser -# Russell Coker -# X-Debian-Packages: pcmcia-cs -# - -################################# -# -# Rules for the cardmgr_t domain. -# -daemon_domain(cardmgr, `, privmodule') - -# for SSP -allow cardmgr_t urandom_device_t:chr_file read; - -type cardctl_exec_t, file_type, sysadmfile, exec_type; -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t) -') -role sysadm_r types cardmgr_t; -allow cardmgr_t admin_tty_type:chr_file { read write }; - -allow cardmgr_t sysfs_t:dir search; -allow cardmgr_t home_root_t:dir search; - -# Use capabilities (net_admin for route), setuid for cardctl -allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; - -# for /etc/resolv.conf -file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file) - -allow cardmgr_t etc_runtime_t:file { getattr read }; - -allow cardmgr_t modules_object_t:dir search; -allow cardmgr_t self:unix_dgram_socket create_socket_perms; -allow cardmgr_t self:unix_stream_socket create_socket_perms; -allow cardmgr_t self:fifo_file rw_file_perms; - -# Create stab file -var_lib_domain(cardmgr) - -# for /var/lib/misc/pcmcia-scheme -# would be better to have it in a different type if I knew how it was created.. -allow cardmgr_t var_lib_t:file { getattr read }; - -# Create device files in /tmp. -type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs; -file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file }) - -# Create symbolic links in /dev. -type cardmgr_lnk_t, file_type, sysadmfile; -file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file) - -# Run a shell, normal commands, /etc/pcmcia scripts. -can_exec_any(cardmgr_t) -allow cardmgr_t etc_t:lnk_file read; - -# Run ifconfig. 
-domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t) -allow ifconfig_t cardmgr_t:fd use; - -allow cardmgr_t proc_t:file { getattr read ioctl }; - -# Read /proc/PID directories for all domains (for fuser). -can_ps(cardmgr_t, domain -unrestricted) -dontaudit cardmgr_t unrestricted:dir search; - -allow cardmgr_t device_type:{ chr_file blk_file } getattr; -allow cardmgr_t ttyfile:chr_file getattr; -dontaudit cardmgr_t ptyfile:chr_file getattr; -dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr; -dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr; -dontaudit cardmgr_t proc_kmsg_t:file getattr; - -allow cardmgr_t tty_device_t:chr_file rw_file_perms; - -ifdef(`apmd.te', ` -domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t) -') - -ifdef(`hide_broken_symptoms', ` -dontaudit insmod_t cardmgr_dev_t:chr_file { read write }; -dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write }; -') -ifdef(`hald.te', ` -rw_dir_file(hald_t, cardmgr_var_run_t) -allow hald_t cardmgr_var_run_t:chr_file create_file_perms; -') -allow cardmgr_t device_t:lnk_file { getattr read }; diff --git a/strict/domains/program/cdrecord.te b/strict/domains/program/cdrecord.te deleted file mode 100644 index 6460090d..00000000 --- a/strict/domains/program/cdrecord.te +++ /dev/null @@ -1,10 +0,0 @@ -# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master -# -# Author: Thomas Bleher - -# Type for the cdrecord excutable. -type cdrecord_exec_t, file_type, sysadmfile, exec_type; - -# everything else is in the cdrecord_domain macros in -# macros/program/cdrecord_macros.te. - diff --git a/strict/domains/program/certwatch.te b/strict/domains/program/certwatch.te deleted file mode 100644 index 2abb1685..00000000 --- a/strict/domains/program/certwatch.te +++ /dev/null 
@@ -1,11 +0,0 @@ -#DESC certwatch - generate SSL certificate expiry warnings -# -# Domains for the certwatch process -# Authors: Dan Walsh , -# -application_domain(certwatch) -role system_r types certwatch_t; -r_dir_file(certwatch_t, cert_t) -can_exec(certwatch_t, httpd_modules_t) -system_crond_entry(certwatch_exec_t, certwatch_t) -read_locale(certwatch_t) diff --git a/strict/domains/program/checkpolicy.te b/strict/domains/program/checkpolicy.te deleted file mode 100644 index 0cfa5a08..00000000 --- a/strict/domains/program/checkpolicy.te +++ /dev/null 
@@ -1,64 +0,0 @@ -#DESC Checkpolicy - SELinux policy compliler -# -# Authors: Frank Mayer, mayerf@tresys.com -# X-Debian-Packages: checkpolicy -# - -########################### -# -# checkpolicy_t is the domain type for checkpolicy -# checkpolicy_exec_t if file type for the executable - -type checkpolicy_t, domain; -role sysadm_r types checkpolicy_t; -role system_r types checkpolicy_t; -role secadm_r types checkpolicy_t; - -type checkpolicy_exec_t, file_type, exec_type, sysadmfile; - -########################## -# -# Rules - -domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t) - -# able to create and modify binary policy files -allow checkpolicy_t policy_config_t:dir rw_dir_perms; -allow checkpolicy_t policy_config_t:file create_file_perms; - -########################### -# constrain what checkpolicy can use as source files -# - -# only allow read of policy source files -allow checkpolicy_t policy_src_t:dir r_dir_perms; -allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms; - -# allow test policies to be created in src directories -file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) - -# directory search permissions for path to source and binary policy files -allow checkpolicy_t root_t:dir search; -allow checkpolicy_t etc_t:dir search; - -# Read the devpts root directory. 
-allow checkpolicy_t devpts_t:dir r_dir_perms; -ifdef(`sshd.te', -`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') - -# Other access -allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr }; -uses_shlib(checkpolicy_t) -allow checkpolicy_t self:capability dac_override; - -########################## -# Allow users to execute checkpolicy without a domain transition -# so it can be used without privilege to write real binary policy file -can_exec(unpriv_userdomain, checkpolicy_exec_t) - -allow checkpolicy_t { userdomain privfd }:fd use; - -allow checkpolicy_t fs_t:filesystem getattr; -allow checkpolicy_t console_device_t:chr_file { read write }; -allow checkpolicy_t init_t:fd use; -allow checkpolicy_t selinux_config_t:dir search; diff --git a/strict/domains/program/chkpwd.te b/strict/domains/program/chkpwd.te deleted file mode 100644 index 22ac7f2d..00000000 --- a/strict/domains/program/chkpwd.te +++ /dev/null @@ -1,18 +0,0 @@ -#DESC Chkpwd - PAM password checking programs -# X-Debian-Packages: libpam-modules -# -# Domains for the /sbin/.*_chkpwd utilities. -# - -# -# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables. -# -type chkpwd_exec_t, file_type, sysadmfile, exec_type; - -chkpwd_domain(system) -dontaudit system_chkpwd_t privfd:fd use; -role sysadm_r types system_chkpwd_t; -in_user_role(system_chkpwd_t) - -# Everything else is in the chkpwd_domain macro in -# macros/program/chkpwd_macros.te. diff --git a/strict/domains/program/chroot.te b/strict/domains/program/chroot.te deleted file mode 100644 index 8992c660..00000000 --- a/strict/domains/program/chroot.te +++ /dev/null 
@@ -1,21 +0,0 @@ -#DESC Chroot - Establish chroot environments -# -# Author: Russell Coker -# X-Debian-Packages: -# -type chroot_exec_t, file_type, sysadmfile, exec_type; - -# For a chroot environment named potato that can be entered from user_t (so -# the user can run an old version of Debian in a chroot), with the possibility -# of user_devpts_t or user_tty_device_t being the controlling tty type for -# administration. This also defines a mount_domain for the user (so they can -# mount file systems). -#chroot(user, potato) -# For a chroot environment named apache that can be entered from initrc_t for -# running a different version of apache. -# initrc is a special case, uses the system_r role (usually appends "_r" to -# the base name of the parent domain), and has sysadm_devpts_t and -# sysadm_tty_device_t for the controlling terminal -#chroot(initrc, apache) - -# the main code is in macros/program/chroot_macros.te diff --git a/strict/domains/program/comsat.te b/strict/domains/program/comsat.te deleted file mode 100644 index cd0e3f93..00000000 --- a/strict/domains/program/comsat.te +++ /dev/null @@ -1,20 +0,0 @@ -#DESC comsat - biff server -# -# Author: Dan Walsh -# Depends: inetd.te -# - -################################# -# -# Rules for the comsat_t domain. -# -# comsat_exec_t is the type of the comsat executable. -# - -inetd_child_domain(comsat, udp) -allow comsat_t initrc_var_run_t:file r_file_perms; -dontaudit comsat_t initrc_var_run_t:file write; -allow comsat_t mail_spool_t:dir r_dir_perms; -allow comsat_t mail_spool_t:lnk_file read; -allow comsat_t var_spool_t:dir search; -dontaudit comsat_t sysadm_tty_device_t:chr_file getattr; diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te deleted file mode 100644 index b1cc1266..00000000 --- a/strict/domains/program/consoletype.te +++ /dev/null 
@@ -1,65 +0,0 @@
-#DESC consoletype - determine the type of a console device
-#
-# Author: Russell Coker
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the consoletype_t domain.
-#
-# consoletype_t is the domain for the consoletype program.
-# consoletype_exec_t is the type of the corresponding program.
-#
-type consoletype_t, domain, mlsfileread, mlsfilewrite;
-type consoletype_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types consoletype_t;
-
-uses_shlib(consoletype_t)
-general_domain_access(consoletype_t)
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
-
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t xdm_tmp_t:file { read write };
-')
-
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
-')
-')
-
-allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
-
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-
-# Use capabilities.
-allow consoletype_t self:capability sys_admin;
-
-allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
-allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t nfs_t:file write;
-allow consoletype_t sysadm_t:fifo_file rw_file_perms;
-
-ifdef(`lpd.te', `
-allow consoletype_t printconf_t:file { getattr read };
-')
-
-ifdef(`pam.te', `
-allow consoletype_t pam_var_run_t:file { getattr read };
-')
-ifdef(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file rw_file_perms;
-')
-ifdef(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-dontaudit consoletype_t proc_t:dir search;
-dontaudit consoletype_t proc_t:file read;
-dontaudit consoletype_t root_t:file read;
-allow consoletype_t crond_t:fifo_file { read getattr ioctl };
-allow consoletype_t system_crond_t:fd use;
-allow consoletype_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/cpucontrol.te b/strict/domains/program/cpucontrol.te
deleted file mode 100644
index 23a13b75..00000000
--- a/strict/domains/program/cpucontrol.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
-#
-# Author: Russell Coker
-#
-
-type cpucontrol_conf_t, file_type, sysadmfile;
-
-daemon_base_domain(cpucontrol)
-
-# Access cpu devices.
-allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
-allow cpucontrol_t device_t:lnk_file { getattr read };
-allow initrc_t cpu_device_t:chr_file getattr;
-
-allow cpucontrol_t self:capability sys_rawio;
-
-r_dir_file(cpucontrol_t, cpucontrol_conf_t)
diff --git a/strict/domains/program/cpuspeed.te b/strict/domains/program/cpuspeed.te
deleted file mode 100644
index b80f7054..00000000
--- a/strict/domains/program/cpuspeed.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
-#
-# Authors: Russell Coker
-# Thomas Bleher
-#
-
-daemon_base_domain(cpuspeed)
-read_locale(cpuspeed_t)
-
-allow cpuspeed_t sysfs_t:dir search;
-allow cpuspeed_t sysfs_t:file rw_file_perms;
-allow cpuspeed_t proc_t:dir r_dir_perms;
-allow cpuspeed_t proc_t:file { getattr read };
-allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow cpuspeed_t self:process setsched;
-allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
diff --git a/strict/domains/program/crack.te b/strict/domains/program/crack.te
deleted file mode 100644
index 1706f6ec..00000000
--- a/strict/domains/program/crack.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Crack - Password cracking application
-#
-# Author: Russell Coker
-# X-Debian-Packages: crack
-#
-
-#################################
-#
-# Rules for the crack_t domain.
-#
-# crack_exec_t is the type of the crack executable.
-#
-system_domain(crack)
-ifdef(`crond.te', `
-system_crond_entry(crack_exec_t, crack_t)
-')
-
-# for SSP
-allow crack_t urandom_device_t:chr_file read;
-
-type crack_db_t, file_type, sysadmfile, usercanread;
-allow crack_t var_t:dir search;
-rw_dir_create_file(crack_t, crack_db_t)
-
-allow crack_t device_t:dir search;
-allow crack_t devtty_t:chr_file rw_file_perms;
-allow crack_t self:fifo_file { read write getattr };
-
-tmp_domain(crack)
-
-# for dictionaries
-allow crack_t usr_t:file { getattr read };
-
-can_exec(crack_t, bin_t)
-allow crack_t { bin_t sbin_t }:dir search;
-
-allow crack_t self:process { fork signal_perms };
-
-allow crack_t proc_t:dir { read search };
-allow crack_t proc_t:file { read getattr };
-
-# read config files
-allow crack_t { etc_t etc_runtime_t }:file { getattr read };
-allow crack_t etc_t:dir r_dir_perms;
-
-allow crack_t fs_t:filesystem getattr;
-
-dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
deleted file mode 100644
index 46493487..00000000
--- a/strict/domains/program/crond.te
+++ /dev/null
@@ -1,214 +0,0 @@
-#DESC Crond - Crond daemon
-#
-# Domains for the top-level crond daemon process and
-# for system cron jobs. The domains for user cron jobs
-# are in macros/program/crond_macros.te.
-#
-# X-Debian-Packages: cron
-# Authors: Jonathan Crowley (MITRE) ,
-# Stephen Smalley and Timothy Fraser
-#
-
-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
-# Domain for crond. It needs auth_chkpwd to check for locked accounts.
-daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
-
-# This domain is granted permissions common to most domains (including can_net)
-general_domain_access(crond_t)
-
-# Type for the anacron executable.
-type anacron_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for temporary files.
-tmp_domain(crond)
-
-crond_domain(system)
-
-allow system_crond_t proc_mdstat_t:file { getattr read };
-allow system_crond_t proc_t:lnk_file read;
-allow system_crond_t proc_t:filesystem getattr;
-allow system_crond_t usbdevfs_t:filesystem getattr;
-
-ifdef(`mta.te', `
-allow mta_user_agent system_crond_t:fd use;
-')
-
-# read files in /etc
-allow system_crond_t etc_t:file r_file_perms;
-allow system_crond_t etc_runtime_t:file { getattr read };
-
-allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
-
-read_locale(crond_t)
-
-# Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
-dontaudit crond_t self:capability sys_resource;
-
-# Get security policy decisions.
-can_getsecurity(crond_t)
-
-# for finding binaries and /bin/sh
-allow crond_t { bin_t sbin_t }:dir search;
-allow crond_t { bin_t sbin_t }:lnk_file read;
-
-# Read from /var/spool/cron.
-allow crond_t var_lib_t:dir search;
-allow crond_t var_spool_t:dir r_dir_perms;
-allow crond_t cron_spool_t:dir r_dir_perms;
-allow crond_t cron_spool_t:file r_file_perms;
-
-# Read /etc/security/default_contexts.
-r_dir_file(crond_t, default_context_t)
-
-allow crond_t etc_t:file { getattr read };
-allow crond_t etc_t:lnk_file read;
-
-allow crond_t default_t:dir search;
-
-# crond tries to search /root. Not sure why.
-allow crond_t sysadm_home_dir_t:dir r_dir_perms;
-
-# to search /home
-allow crond_t home_root_t:dir { getattr search };
-allow crond_t user_home_dir_type:dir r_dir_perms;
-
-# Run a shell.
-can_exec(crond_t, shell_exec_t)
-
-ifdef(`distro_redhat', `
-# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-# via redirection of standard out.
-ifdef(`rpm.te', `
-allow crond_t rpm_log_t: file create_file_perms;
-
-system_crond_entry(rpm_exec_t, rpm_t)
-allow system_crond_t rpm_log_t:file create_file_perms;
-#read ahead wants to read this
-allow initrc_t system_cron_spool_t:file { getattr read };
-')
-')
-
-allow system_crond_t var_log_t:file r_file_perms;
-
-
-# Set exec context.
-can_setexec(crond_t)
-
-# Transition to this domain for anacron as well.
-# Still need to study anacron.
-domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
-
-# Inherit and use descriptors from init for anacron.
-allow system_crond_t init_t:fd use;
-
-# Inherit and use descriptors from initrc for anacron.
-allow system_crond_t initrc_t:fd use;
-can_access_pty(system_crond_t, initrc)
-
-# Use capabilities.
-allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-
-allow crond_t urandom_device_t:chr_file { getattr read };
-
-# Read the system crontabs.
-allow system_crond_t system_cron_spool_t:file r_file_perms;
-
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
-
-# Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir r_dir_perms;
-allow system_crond_t cron_spool_t:file r_file_perms;
-
-# Write to /var/lib/slocate.db.
-allow system_crond_t var_lib_t:dir rw_dir_perms;
-allow system_crond_t var_lib_t:file create_file_perms;
-
-# Update whatis files.
-allow system_crond_t man_t:dir create_dir_perms;
-allow system_crond_t man_t:file create_file_perms;
-allow system_crond_t man_t:lnk_file read;
-
-# Write /var/lock/makewhatis.lock.
-lock_domain(system_crond)
-
-# for if /var/mail is a symlink
-allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
-allow crond_t mail_spool_t:dir search;
-
-ifdef(`mta.te', `
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-
-# Stat any file and search any directory for find.
-allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
-allow system_crond_t device_type:{ chr_file blk_file } getattr;
-allow system_crond_t file_type:dir { read search getattr };
-
-# Create temporary files.
-type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
-
-# /sbin/runlevel ask for w access to utmp, but will operate
-# correctly without it. Do not audit write denials to utmp.
-# /sbin/runlevel needs lock access however
-dontaudit system_crond_t initrc_var_run_t:file write;
-allow system_crond_t initrc_var_run_t:file { getattr read lock };
-
-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-allow system_crond_t var_spool_t:file create_file_perms;
-allow system_crond_t var_spool_t:dir rw_dir_perms;
-
-# Do not audit attempts to search unlabeled directories (e.g. slocate).
-dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
-dontaudit system_crond_t unlabeled_t:file r_file_perms;
-
-#
-# reading /var/spool/cron/mailman
-#
-allow crond_t var_spool_t:file { getattr read };
-allow system_crond_t devpts_t:filesystem getattr;
-allow system_crond_t sysfs_t:filesystem getattr;
-allow system_crond_t tmpfs_t:filesystem getattr;
-allow system_crond_t rpc_pipefs_t:filesystem getattr;
-
-#
-# These rules are here to allow system cron jobs to su
-#
-ifdef(`su.te', `
-su_restricted_domain(system_crond,system)
-role system_r types system_crond_su_t;
-allow system_crond_su_t crond_t:fifo_file ioctl;
-')
-allow system_crond_t self:passwd rootok;
-#
-# prelink tells init to restart it self, we either need to allow or dontaudit
-#
-allow system_crond_t initctl_t:fifo_file write;
-dontaudit userdomain system_crond_t:fd use;
-
-r_dir_file(crond_t, selinux_config_t)
-
-# Allow system cron jobs to relabel filesystem for restoring file contexts.
-bool cron_can_relabel false;
-if (cron_can_relabel) {
-domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
-} else {
-r_dir_file(system_crond_t, file_context_t)
-can_getsecurity(system_crond_t)
-}
-dontaudit system_crond_t removable_t:filesystem getattr;
-#
-# Required for webalizer
-#
-dontaudit crond_t self:capability sys_tty_config;
-ifdef(`apache.te', `
-allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
-allow system_crond_t httpd_modules_t:lnk_file read;
-# Needed for certwatch
-can_exec(system_crond_t, httpd_modules_t)
-')
diff --git a/strict/domains/program/crontab.te b/strict/domains/program/crontab.te
deleted file mode 100644
index 48b5fcca..00000000
--- a/strict/domains/program/crontab.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Crontab - Crontab manipulation programs
-#
-# Domains for the crontab program.
-#
-# X-Debian-Packages: cron
-#
-
-# Type for the crontab executable.
-type crontab_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the crontab_domain macro in
-# macros/program/crontab_macros.te.
diff --git a/strict/domains/program/cups.te b/strict/domains/program/cups.te
deleted file mode 100644
index a152ac31..00000000
--- a/strict/domains/program/cups.te
+++ /dev/null
@@ -1,321 +0,0 @@
-#DESC Cups - Common Unix Printing System
-#
-# Created cups policy from lpd policy: Russell Coker
-# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
-# Depends: lpd.te lpr.te
-
-#################################
-#
-# Rules for the cupsd_t domain.
-#
-# cupsd_t is the domain of cupsd.
-# cupsd_exec_t is the type of the cupsd executable.
-#
-daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
-etcdir_domain(cupsd)
-type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-
-can_network(cupsd_t)
-allow cupsd_t port_type:tcp_socket name_connect;
-logdir_domain(cupsd)
-
-tmp_domain(cupsd, `', { file dir fifo_file })
-
-allow cupsd_t devpts_t:dir search;
-
-allow cupsd_t device_t:lnk_file read;
-allow cupsd_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t urandom_device_t:chr_file { getattr read };
-dontaudit cupsd_t random_device_t:chr_file ioctl;
-
-# temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
-r_dir_file(cupsd_t, usbdevfs_t)
-r_dir_file(cupsd_t, usbfs_t)
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
-')
-
-ifdef(`inetd.te', `
-allow inetd_t printer_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
-
-# write to spool
-allow cupsd_t var_spool_t:dir search;
-
-# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
-file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_etc_t:file setattr;
-allow cupsd_t cupsd_etc_t:dir setattr;
-
-allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
-can_exec(cupsd_t, initrc_exec_t)
-allow cupsd_t proc_t:file r_file_perms;
-allow cupsd_t proc_t:dir r_dir_perms;
-allow cupsd_t self:file { getattr read };
-read_sysctl(cupsd_t)
-allow cupsd_t sysctl_dev_t:dir search;
-allow cupsd_t 
sysctl_dev_t:file { getattr read };
-
-# for /etc/printcap
-dontaudit cupsd_t etc_t:file write;
-
-# allow cups to execute its backend scripts
-can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
-allow cupsd_t reserved_port_t:tcp_socket name_bind;
-dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
-
-allow cupsd_t self:unix_stream_socket create_socket_perms;
-allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:fifo_file rw_file_perms;
-
-# Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability net_admin;
-
-#
-# /usr/lib/cups/backend/serial needs sys_admin
-# Need new context to run under???
-allow cupsd_t self:capability sys_admin;
-
-allow cupsd_t self:process setsched;
-
-# for /var/lib/defoma
-allow cupsd_t var_lib_t:dir search;
-r_dir_file(cupsd_t, readable_t)
-
-# Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
-
-can_tcp_connect(web_client_domain, cupsd_t)
-can_tcp_connect(cupsd_t, cupsd_t)
-
-# Send to portmap.
-ifdef(`portmap.te', `
-can_udp_send(cupsd_t, portmap_t)
-can_udp_send(portmap_t, cupsd_t)
-')
-
-# Write to /var/spool/cups.
-allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
-allow cupsd_t print_spool_t:file create_file_perms;
-allow cupsd_t print_spool_t:file rw_file_perms;
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow cupsd_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_t bin_t:lnk_file read;
-can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
-
-# They will also invoke ghostscript, which needs to read fonts
-read_fonts(cupsd_t)
-
-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-allow cupsd_t lib_t:file { read getattr };
-
-# read python modules
-allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
-
-#
-# lots of errors generated requiring the following
-#
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-
-#
-# Satisfy readahead
-#
-allow initrc_t cupsd_log_t:file { getattr read };
-r_dir_file(cupsd_t, var_t)
-
-r_dir_file(cupsd_t, usercanread)
-ifdef(`samba.te', `
-rw_dir_file(cupsd_t, samba_var_t)
-allow smbd_t cupsd_etc_t:dir search;
-')
-
-ifdef(`pam.te', `
-dontaudit cupsd_t pam_var_run_t:file { getattr read };
-')
-dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-# PTAL
-daemon_domain(ptal)
-etcdir_domain(ptal)
-
-file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability { chown sys_rawio };
-allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ptal_t self:unix_stream_socket { listen accept };
-can_network_server_tcp(ptal_t)
-allow ptal_t ptal_port_t:tcp_socket name_bind;
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-allow ptal_t self:fifo_file rw_file_perms;
-allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file rw_file_perms;
-allow initrc_t printer_device_t:chr_file getattr;
-allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(ptal_t, usbdevfs_t)
-rw_dir_file(ptal_t, usbfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
-allow cupsd_t ptal_var_run_t:dir search;
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-allow initrc_t ptal_var_run_t:dir rmdir;
-allow initrc_t ptal_var_run_t:fifo_file unlink;
-
-
-# HPLIP
-daemon_domain(hplip)
-etcdir_domain(hplip)
-allow hplip_t etc_t:file r_file_perms;
-allow hplip_t etc_runtime_t:file { read getattr };
-allow hplip_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t hplip_var_run_t:file { read getattr };
-allow hplip_t cupsd_etc_t:dir search;
-can_network(hplip_t)
-allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
-allow hplip_t hplip_port_t:tcp_socket name_bind;
-
-# Uses networking to talk to the daemons
-allow hplip_t self:unix_dgram_socket create_socket_perms;
-allow hplip_t self:unix_stream_socket create_socket_perms;
-allow hplip_t self:rawip_socket create_socket_perms;
-
-# for python
-can_exec(hplip_t, bin_t)
-allow hplip_t { sbin_t bin_t }:dir search;
-allow hplip_t self:file { getattr read };
-allow hplip_t proc_t:file r_file_perms;
-allow hplip_t urandom_device_t:chr_file { getattr read };
-allow hplip_t usr_t:{ file lnk_file } r_file_perms;
-allow hplip_t devpts_t:dir search;
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
-
-dontaudit cupsd_t selinux_config_t:dir search;
-dontaudit cupsd_t selinux_config_t:file { getattr read };
-
-allow cupsd_t printconf_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
-allow cupsd_t system_dbusd_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
-')
-
-# CUPS configuration daemon
-daemon_domain(cupsd_config, `, nscd_client_domain')
-
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-')
-allow cupsd_config_t initrc_exec_t:file getattr;
-')dnl end distro_redhat
-
-allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
-allow cupsd_config_t self:file { getattr read };
-
-allow cupsd_config_t proc_t:file { getattr read };
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-can_ps(cupsd_config_t, cupsd_t)
-
-allow cupsd_config_t self:capability { chown sys_tty_config };
-
-rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
-rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
-file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_config_t var_t:lnk_file read;
-
-can_network_tcp(cupsd_config_t)
-can_ypbind(cupsd_config_t)
-allow cupsd_config_t port_type:tcp_socket name_connect;
-can_tcp_connect(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:fifo_file rw_file_perms;
-
-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_config)
-allow cupsd_config_t userdomain:dbus send_msg;
-allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow userdomain cupsd_config_t:dbus send_msg;
-')dnl end if dbusd.te
-
-ifdef(`hald.te', `
-
-ifdef(`dbusd.te', `
-allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
-allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
-')dnl end if dbusd.te
-
-allow hald_t cupsd_config_t:process signal;
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
-
-') dnl end if hald.te
-
-
-can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(cupsd_t, hostname_exec_t)
-can_exec(cupsd_config_t, hostname_exec_t)
-')
-allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-dontaudit cupsd_config_t selinux_config_t:dir search;
-
-can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-allow cupsd_config_t usr_t:file { getattr read };
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-allow cupsd_config_t printconf_t:file { getattr read };
-
-allow cupsd_config_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`logrotate.te', `
-allow cupsd_config_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
-# Alternatives asks for this
-allow cupsd_config_t initrc_exec_t:file getattr;
-ifdef(`targeted_policy', `
-can_unix_connect(cupsd_t, initrc_t)
-allow cupsd_t initrc_t:dbus send_msg;
-allow initrc_t cupsd_t:dbus send_msg;
-allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
-allow unconfined_t cupsd_config_t:dbus send_msg;
-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
-')
-typealias printer_port_t alias cupsd_lpd_port_t;
-inetd_child_domain(cupsd_lpd)
-allow inetd_t printer_port_t:tcp_socket name_bind;
-r_dir_file(cupsd_lpd_t, cupsd_etc_t)
-r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
-allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
-ifdef(`use_mcs', `
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-')
-
diff --git a/strict/domains/program/cvs.te b/strict/domains/program/cvs.te
deleted file mode 100644
index 3f3e63c2..00000000
--- a/strict/domains/program/cvs.te
+++ /dev/null
@@ -1,31 +0,0 @@
-#DESC cvs - Concurrent Versions System
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the cvs_t domain.
-#
-# cvs_exec_t is the type of the cvs executable.
-#
-
-inetd_child_domain(cvs, tcp)
-typeattribute cvs_t privmail;
-typeattribute cvs_t auth_chkpwd;
-
-type cvs_data_t, file_type, sysadmfile, customizable;
-create_dir_file(cvs_t, cvs_data_t)
-can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
-allow cvs_t bin_t:dir search;
-allow cvs_t { bin_t sbin_t }:lnk_file read;
-allow cvs_t etc_runtime_t:file { getattr read };
-allow system_mail_t cvs_data_t:file { getattr read };
-dontaudit cvs_t devtty_t:chr_file { read write };
-ifdef(`kerberos.te', `
-# Allow kerberos to work
-allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
-dontaudit cvs_t krb5_conf_t:file write;
-')
-
diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te
deleted file mode 100644
index a423235a..00000000
--- a/strict/domains/program/cyrus.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC cyrus-imapd
-#
-# Authors: Dan Walsh
-#
-
-# cyrusd_exec_t is the type of the cyrusd executable.
-# cyrusd_key_t is the type of the cyrus private key files
-daemon_domain(cyrus)
-
-general_domain_access(cyrus_t)
-file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
-
-type cyrus_var_lib_t, file_type, sysadmfile;
-
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow cyrus_t self:process setrlimit;
-
-can_network(cyrus_t)
-allow cyrus_t port_type:tcp_socket name_connect;
-can_ypbind(cyrus_t)
-can_exec(cyrus_t, bin_t)
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-allow cyrus_t etc_t:file { getattr read };
-allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
-read_locale(cyrus_t)
-read_sysctl(cyrus_t)
-tmp_domain(cyrus)
-allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
-allow cyrus_t proc_t:dir search;
-allow cyrus_t proc_t:file { getattr read };
-allow cyrus_t sysadm_devpts_t:chr_file { read write };
-
-allow cyrus_t var_lib_t:dir search;
-
-allow cyrus_t etc_runtime_t:file { read getattr };
-ifdef(`crond.te', `
-system_crond_entry(cyrus_exec_t, cyrus_t)
-allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
-allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-')
-create_dir_file(cyrus_t, mail_spool_t)
-allow cyrus_t var_spool_t:dir search;
-
-ifdef(`saslauthd.te', `
-allow cyrus_t saslauthd_var_run_t:dir search;
-allow cyrus_t saslauthd_var_run_t:sock_file { read write };
-allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
-')
-
-r_dir_file(cyrus_t, cert_t)
-allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
diff --git a/strict/domains/program/dbskkd.te b/strict/domains/program/dbskkd.te
deleted file mode 100644
index e75d90b9..00000000
--- a/strict/domains/program/dbskkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the dbskkd_t domain.
-#
-# dbskkd_exec_t is the type of the dbskkd executable.
-#
-# Depends: inetd.te
-
-inetd_child_domain(dbskkd)
diff --git a/strict/domains/program/dbusd.te b/strict/domains/program/dbusd.te
deleted file mode 100644
index acad4def..00000000
--- a/strict/domains/program/dbusd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC dbus-daemon-1 server for dbus desktop bus protocol
-#
-# Author: Russell Coker
-
-dbusd_domain(system)
-
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file(system_dbusd_t, pam_var_console_t)
-')
-
-# dac_override: /var/run/dbus is owned by messagebus on Debian
-allow system_dbusd_t self:capability { dac_override setgid setuid };
-nsswitch_domain(system_dbusd_t)
-
-# I expect we need more than this
-
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow initrc_t system_dbusd_t:unix_stream_socket connectto;
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-
-can_exec(system_dbusd_t, sbin_t)
-allow system_dbusd_t self:fifo_file { read write };
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/strict/domains/program/ddcprobe.te b/strict/domains/program/ddcprobe.te
deleted file mode 100644
index 40871266..00000000
--- a/strict/domains/program/ddcprobe.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC ddcprobe - output ddcprobe results from kudzu
-#
-# Author: dan walsh
-#
-
-type ddcprobe_t, domain, privmem;
-type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types ddcprobe_t;
-role system_r types ddcprobe_t;
-domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
-
-uses_shlib(ddcprobe_t)
-
-# Allow terminal access
-access_terminal(ddcprobe_t, sysadm)
-
-# Allow ddcprobe to read /dev/mem
-allow ddcprobe_t memory_device_t:chr_file read;
-allow ddcprobe_t memory_device_t:chr_file { execute write };
-allow ddcprobe_t self:process execmem;
-allow ddcprobe_t zero_device_t:chr_file { execute read };
-
-allow ddcprobe_t proc_t:dir search;
-allow ddcprobe_t proc_t:file { getattr read };
-can_exec(ddcprobe_t, sbin_t)
-allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
-allow ddcprobe_t userdomain:fd use;
-read_sysctl(ddcprobe_t)
-allow ddcprobe_t urandom_device_t:chr_file { getattr read };
-allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
-allow ddcprobe_t self:capability { sys_rawio sys_admin };
-
-allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
-allow ddcprobe_t kudzu_exec_t:file getattr;
-allow ddcprobe_t lib_t:file { getattr read };
-read_locale(ddcprobe_t)
-allow ddcprobe_t modules_object_t:dir search;
-allow ddcprobe_t modules_dep_t:file { getattr read };
-allow ddcprobe_t usr_t:file { getattr read };
-allow ddcprobe_t kernel_t:system syslog_console;
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
deleted file mode 100644
index 2fff8f57..00000000
--- a/strict/domains/program/dhcpc.te
+++ /dev/null
@@ -1,166 +0,0 @@
-#DESC DHCPC - DHCP client
-#
-# Authors: Wayne Salamon (NAI Labs)
-# Russell Coker
-# X-Debian-Packages: pump dhcp-client udhcpc
-#
-
-#################################
-#
-# Rules for the dhcpc_t domain.
-#
-# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP
-# network configurator daemon started by /etc/sysconfig/network-scripts
-# rc scripts, runs in this domain.
-# dhcpc_exec_t is the type of the dhcpcd executable.
-# The dhcpc_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpc)
-
-# for SSP
-allow dhcpc_t urandom_device_t:chr_file read;
-
-can_network(dhcpc_t)
-allow dhcpc_t port_type:tcp_socket name_connect;
-can_ypbind(dhcpc_t)
-allow dhcpc_t self:unix_dgram_socket create_socket_perms;
-allow dhcpc_t self:unix_stream_socket create_socket_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
-
-allow dhcpc_t devpts_t:dir search;
-
-# for localization
-allow dhcpc_t lib_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
-')
-ifdef(`nscd.te', `
-domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
-allow dhcpc_t nscd_var_run_t:file { getattr read };
-')
-ifdef(`cardmgr.te', `
-domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
-allow cardmgr_t dhcpc_var_run_t:file { getattr read };
-allow cardmgr_t dhcpc_t:process signal_perms;
-allow cardmgr_t dhcpc_var_run_t:file unlink;
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-allow hotplug_t dhcpc_t:process signal_perms;
-allow hotplug_t dhcpc_var_run_t:file { getattr read };
-allow hotplug_t dhcp_etc_t:file rw_file_perms;
-allow dhcpc_t hotplug_etc_t:dir { getattr search };
-ifdef(`distro_redhat', `
-domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
-')
-')dnl end hotplug.te
-
-# for the dhcp client to run ping to check IP addresses
-ifdef(`ping.te', `
-domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
-ifdef(`hotplug.te', `
-allow ping_t hotplug_t:fd use;
-') dnl end if hotplug
-ifdef(`cardmgr.te', `
-allow ping_t cardmgr_t:fd use;
-') dnl end if cardmgr
-', `
-allow dhcpc_t self:capability setuid;
-allow dhcpc_t self:rawip_socket create_socket_perms;
-') dnl end if ping
-
-ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-')
-type dhcpc_state_t, file_type, sysadmfile;
-
-allow dhcpc_t etc_t:lnk_file read;
-allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow dhcpc_t proc_net_t:dir search;
-allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
-allow dhcpc_t self:file { getattr read };
-read_sysctl(dhcpc_t)
-allow dhcpc_t userdomain:fd use;
-ifdef(`run_init.te', `
-allow dhcpc_t run_init_t:fd use;
-')
-
-# Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-
-# for udp port 68
-allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
-
-# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
-# in /etc created by dhcpcd will be labelled net_conf_t.
-file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
-
-# Allow access to the dhcpc file types
-r_dir_file(dhcpc_t, dhcp_etc_t)
-allow dhcpc_t sbin_t:dir search;
-can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
-ifdef(`distro_redhat', `
-can_exec(dhcpc_t, etc_t)
-allow initrc_t dhcp_etc_t:file rw_file_perms;
-')
-ifdef(`ifconfig.te', `
-domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-
-tmp_domain(dhcpc)
-
-# Allow dhcpc_t to use packet sockets
-allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t var_lib_t:dir search;
-file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-allow dhcpc_t dhcp_state_t:file { getattr read };
-
-allow dhcpc_t bin_t:dir { getattr search };
-allow dhcpc_t bin_t:lnk_file read;
-can_exec(dhcpc_t, { bin_t shell_exec_t })
-
-ifdef(`hostname.te', `
-domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
-')
-dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
-allow dhcpc_t { userdomain kernel_t }:fd use;
-
-allow dhcpc_t home_root_t:dir search;
-allow initrc_t dhcpc_state_t:file { getattr read };
-dontaudit dhcpc_t var_lock_t:dir search;
-allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit dhcpc_t domain:dir getattr;
-allow dhcpc_t initrc_var_run_t:file rw_file_perms;
-#
-# dhclient sometimes starts ypbind and ntdp
-#
-can_exec(dhcpc_t, initrc_exec_t)
-ifdef(`ypbind.te', `
-domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-allow dhcpc_t ypbind_t:process signal;
-')
-ifdef(`ntpd.te', `
-domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
-')
-role sysadm_r types dhcpc_t;
-domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')
-')
diff --git a/strict/domains/program/dhcpd.te b/strict/domains/program/dhcpd.te
deleted file mode 100644
index e276af2c..00000000
--- a/strict/domains/program/dhcpd.te
+++ /dev/null
@@ -1,78 +0,0 @@
-#DESC DHCPD - DHCP server
-#
-# Author: Russell Coker
-# based on the dhcpc_t policy from:
-# Wayne Salamon (NAI Labs)
-# X-Debian-Packages: dhcp dhcp3-server
-#
-
-#################################
-#
-# Rules for the dhcpd_t domain.
-#
-# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP
-# server daemon rc scripts, runs in this domain.
-# dhcpd_exec_t is the type of the dhcpdd executable.
-# The dhcpd_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpd, `, nscd_client_domain')
-
-# for UDP port 4011
-allow dhcpd_t pxe_port_t:udp_socket name_bind;
-
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-
-# Use the network.
-can_network(dhcpd_t)
-allow dhcpd_t port_type:tcp_socket name_connect;
-allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
-can_ypbind(dhcpd_t)
-allow dhcpd_t self:unix_dgram_socket create_socket_perms;
-allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow dhcpd_t var_lib_t:dir search;
-
-allow dhcpd_t devtty_t:chr_file { read write };
-
-# Use capabilities
-allow dhcpd_t self:capability { net_raw net_bind_service };
-dontaudit dhcpd_t self:capability net_admin;
-
-# Allow access to the dhcpd file types
-type dhcp_state_t, file_type, sysadmfile;
-type dhcpd_state_t, file_type, sysadmfile;
-allow dhcpd_t dhcp_etc_t:file { read getattr };
-allow dhcpd_t dhcp_etc_t:dir search;
-file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
-
-allow dhcpd_t etc_t:lnk_file read;
-allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
-can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
-
-# Allow dhcpd_t to use packet sockets
-allow dhcpd_t self:packet_socket create_socket_perms;
-allow dhcpd_t self:rawip_socket create_socket_perms;
-
-# allow to run utilities and scripts
-allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
-allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
-allow dhcpd_t self:fifo_file { read write getattr };
-
-# allow reading /proc
-allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
-tmp_domain(dhcpd)
-
-ifdef(`distro_gentoo', `
-allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
-allow initrc_t dhcpd_state_t:file setattr;
-')
-r_dir_file(dhcpd_t, usr_t)
-allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-ifdef(`named.te', `
-allow dhcpd_t { named_conf_t named_zone_t }:dir search;
-allow dhcpd_t dnssec_t:file { getattr read };
-')
diff --git a/strict/domains/program/dictd.te b/strict/domains/program/dictd.te
deleted file mode 100644
index d610d073..00000000
--- a/strict/domains/program/dictd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Dictd - Dictionary daemon
-#
-# Authors: Russell Coker
-# X-Debian-Packages: dictd
-#
-
-#################################
-#
-# Rules for the dictd_t domain.
-#
-# dictd_exec_t is the type of the dictd executable.
-#
-daemon_base_domain(dictd)
-type dictd_var_lib_t, file_type, sysadmfile;
-typealias dictd_var_lib_t alias var_lib_dictd_t;
-etc_domain(dictd)
-
-# for checking for nscd
-dontaudit dictd_t var_run_t:dir search;
-
-# read config files
-allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-read_locale(dictd_t)
-
-allow dictd_t { var_t var_lib_t }:dir search;
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
-
-allow dictd_t self:capability { setuid setgid };
-
-allow dictd_t usr_t:file r_file_perms;
-
-allow dictd_t self:process { setpgid fork sigchld };
-
-allow dictd_t proc_t:file r_file_perms;
-
-allow dictd_t dict_port_t:tcp_socket name_bind;
-
-allow dictd_t devtty_t:chr_file rw_file_perms;
-
-allow dictd_t self:unix_stream_socket create_stream_socket_perms;
-
-can_network_server(dictd_t)
-can_ypbind(dictd_t)
-can_tcp_connect(userdomain, dictd_t)
-
-allow dictd_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/dmesg.te b/strict/domains/program/dmesg.te
deleted file mode 100644
index 9f9392e1..00000000
--- a/strict/domains/program/dmesg.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC dmesg - control kernel ring buffer
-#
-# Author: Dan Walsh dwalsh@redhat.com
-#
-# X-Debian-Packages: util-linux
-
-#################################
-#
-# Rules for the dmesg_t domain.
-#
-# dmesg_exec_t is the type of the dmesg executable.
-#
-# while sysadm_t has the sys_admin capability there is no point in using
-# dmesg_t when run from sysadm_t, so we use nosysadm.
-#
-daemon_base_domain(dmesg, , `nosysadm')
-
-#
-# Rules used for dmesg
-#
-allow dmesg_t self:capability sys_admin;
-allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
-allow dmesg_t admin_tty_type:chr_file { getattr read write };
-allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
-allow dmesg_t var_log_t:file { getattr write };
-read_locale(dmesg_t)
-
-# for when /usr is not mounted
-dontaudit dmesg_t file_t:dir search;
diff --git a/strict/domains/program/dmidecode.te b/strict/domains/program/dmidecode.te
deleted file mode 100644
index 05b93f79..00000000
--- a/strict/domains/program/dmidecode.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC dmidecode - decodes DMI data for x86/ia64 bioses
-#
-# Author: Ivan Gyurdiev
-#
-
-type dmidecode_t, domain, privmem;
-type dmidecode_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types dmidecode_t;
-role system_r types dmidecode_t;
-domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
-
-uses_shlib(dmidecode_t)
-
-# Allow terminal access
-access_terminal(dmidecode_t, sysadm)
-
-# Allow dmidecode to read /dev/mem
-allow dmidecode_t memory_device_t:chr_file read;
-
-allow dmidecode_t self:capability sys_rawio;
diff --git a/strict/domains/program/dovecot.te b/strict/domains/program/dovecot.te
deleted file mode 100644
index eb7a30ec..00000000
--- a/strict/domains/program/dovecot.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#DESC Dovecot POP and IMAP servers
-#
-# Author: Russell Coker
-# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
-
-#
-# Main dovecot daemon
-#
-daemon_domain(dovecot, `, privhome')
-etc_domain(dovecot);
-
-allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-type dovecot_cert_t, file_type, sysadmfile;
-type dovecot_passwd_t, file_type, sysadmfile;
-type dovecot_spool_t, file_type, sysadmfile;
-
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
-allow dovecot_t self:process setrlimit;
-can_network_tcp(dovecot_t)
-allow dovecot_t port_type:tcp_socket name_connect;
-can_ypbind(dovecot_t)
-allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dovecot_t, self)
-
-allow dovecot_t etc_t:file { getattr read };
-allow dovecot_t initrc_var_run_t:file getattr;
-allow dovecot_t bin_t:dir { getattr search };
-can_exec(dovecot_t, bin_t)
-
-allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file { getattr read };
-allow dovecot_t cert_t:dir search;
-r_dir_file(dovecot_t, dovecot_cert_t)
-r_dir_file(dovecot_t, cert_t)
-
-allow dovecot_t { self proc_t }:file { getattr read };
-allow dovecot_t self:fifo_file rw_file_perms;
-
-can_kerberos(dovecot_t)
-
-allow dovecot_t tmp_t:dir search;
-rw_dir_create_file(dovecot_t, mail_spool_t)
-
-
-create_dir_file(dovecot_t, dovecot_spool_t)
-create_dir_file(mta_delivery_agent, dovecot_spool_t)
-allow dovecot_t mail_spool_t:lnk_file read;
-allow dovecot_t var_spool_t:dir { search };
-
-#
-# Dovecot auth daemon
-#
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
-can_ldap(dovecot_auth_t)
-can_ypbind(dovecot_auth_t)
-can_kerberos(dovecot_auth_t)
-can_resolve(dovecot_auth_t)
-allow dovecot_auth_t self:process { fork signal_perms };
-allow dovecot_auth_t self:capability { setgid setuid };
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t self:fifo_file rw_file_perms;
-allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
-allow dovecot_auth_t etc_t:file { getattr read };
-allow dovecot_auth_t { self proc_t }:file { getattr read };
-read_locale(dovecot_auth_t)
-read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
-dontaudit dovecot_auth_t selinux_config_t:dir search;
-
diff --git a/strict/domains/program/ethereal.te b/strict/domains/program/ethereal.te
deleted file mode 100644
index a56d3217..00000000
--- a/strict/domains/program/ethereal.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# DESC - Ethereal
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executables
-type tethereal_exec_t, file_type, exec_type, sysadmfile;
-type ethereal_exec_t, file_type, exec_type, sysadmfile;
-
-########################################################
-# Tethereal
-#
-
-# Type for program
-type tethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
-role sysadm_r types tethereal_t;
-
-uses_shlib(tethereal_t)
-read_locale(tethereal_t)
-
-# Terminal output
-access_terminal(tethereal_t, sysadm)
-
-# /proc
-read_sysctl(tethereal_t)
-allow tethereal_t { self proc_t }:dir { read search getattr };
-allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
-
-# Access root
-allow tethereal_t root_t:dir search;
-
-# Read ethereal files in /usr
-allow tethereal_t usr_t:file { read getattr };
-
-# /etc/nsswitch.conf
-allow tethereal_t etc_t:file { read getattr };
-
-# Ethereal sysadm rules
-ethereal_networking(tethereal)
-
-# FIXME: policy is incomplete
-
-#####################################
-# Ethereal (GNOME) policy can be found
-# in ethereal_macros.te
diff --git a/strict/domains/program/evolution.te b/strict/domains/program/evolution.te
deleted file mode 100644
index c8a045e5..00000000
--- a/strict/domains/program/evolution.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# DESC - Evolution
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executables
-type evolution_exec_t, file_type, exec_type, sysadmfile;
-type evolution_server_exec_t, file_type, exec_type, sysadmfile;
-type evolution_webcal_exec_t, file_type, exec_type, sysadmfile;
-type evolution_alarm_exec_t, file_type, exec_type, sysadmfile;
-type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/evolution_macros.te
-bool disable_evolution_trans false;
diff --git a/strict/domains/program/fetchmail.te b/strict/domains/program/fetchmail.te
deleted file mode 100644
index 225f08ea..00000000
--- a/strict/domains/program/fetchmail.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC fetchmail - remote-mail retrieval utility
-#
-# Author: Greg Norris
-# X-Debian-Packages: fetchmail
-# Depends: mta.te
-#
-# Note: This policy is only required when running fetchmail in daemon mode.
-
-#################################
-#
-# Rules for the fetchmail_t domain.
-#
-daemon_domain(fetchmail);
-type fetchmail_etc_t, file_type, sysadmfile;
-type fetchmail_uidl_cache_t, file_type, sysadmfile;
-
-# misc. requirements
-allow fetchmail_t self:process setrlimit;
-
-# network-related goodies
-can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
-can_network_udp(fetchmail_t, dns_port_t)
-allow fetchmail_t port_type:tcp_socket name_connect;
-
-allow fetchmail_t self:unix_dgram_socket create_socket_perms;
-allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
-
-# file access
-allow fetchmail_t etc_t:file r_file_perms;
-allow fetchmail_t fetchmail_etc_t:file r_file_perms;
-allow fetchmail_t mail_spool_t:dir search;
-file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
diff --git a/strict/domains/program/fingerd.te b/strict/domains/program/fingerd.te
deleted file mode 100644
index 73fee16b..00000000
--- a/strict/domains/program/fingerd.te
+++ /dev/null
@@ -1,80 +0,0 @@
-#DESC Fingerd - Finger daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
-#
-
-#################################
-#
-# Rules for the fingerd_t domain.
-#
-# fingerd_exec_t is the type of the fingerd executable.
-#
-daemon_domain(fingerd)
-
-etcdir_domain(fingerd)
-
-allow fingerd_t etc_t:lnk_file read;
-allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
-
-log_domain(fingerd)
-system_crond_entry(fingerd_exec_t, fingerd_t)
-ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
-
-allow fingerd_t fingerd_port_t:tcp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t fingerd_port_t:tcp_socket name_bind;
-# can be run from inetd
-domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
-allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
-')
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
-')
-
-allow fingerd_t self:capability { setgid setuid };
-# for gzip from logrotate
-dontaudit fingerd_t self:capability fsetid;
-
-# cfingerd runs shell scripts
-allow fingerd_t { bin_t sbin_t }:dir search;
-allow fingerd_t bin_t:lnk_file read;
-can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
-allow fingerd_t devtty_t:chr_file { read write };
-
-allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
-
-# Use the network.
-can_network_server(fingerd_t)
-can_ypbind(fingerd_t)
-
-allow fingerd_t self:unix_dgram_socket create_socket_perms;
-allow fingerd_t self:unix_stream_socket create_socket_perms;
-allow fingerd_t self:fifo_file { read write getattr };
-
-# allow any user domain to connect to the finger server
-can_tcp_connect(userdomain, fingerd_t)
-
-# for .finger, .plan. etc
-allow fingerd_t { home_root_t user_home_dir_type }:dir search;
-# should really have a different type for .plan etc
-allow fingerd_t user_home_type:file { getattr read };
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-dontaudit fingerd_t user_home_t:dir search;
-
-# for mail
-allow fingerd_t { var_spool_t mail_spool_t }:dir search;
-allow fingerd_t mail_spool_t:file getattr;
-allow fingerd_t mail_spool_t:lnk_file read;
-
-# see who is logged in and when users last logged in
-allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
-dontaudit fingerd_t initrc_var_run_t:file lock;
-allow fingerd_t devpts_t:dir search;
-allow fingerd_t ptyfile:chr_file getattr;
-
-allow fingerd_t proc_t:file { read getattr };
-
-# for date command
-read_sysctl(fingerd_t)
diff --git a/strict/domains/program/firstboot.te b/strict/domains/program/firstboot.te
deleted file mode 100644
index e07bc432..00000000
--- a/strict/domains/program/firstboot.te
+++ /dev/null
@@ -1,131 +0,0 @@
-#DESC firstboot
-#
-# Author: Dan Walsh
-# X-Debian-Packages: firstboot
-#
-
-#################################
-#
-# Rules for the firstboot_t domain.
-#
-# firstboot_exec_t is the type of the firstboot executable.
-#
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
-type firstboot_rw_t, file_type, sysadmfile;
-role system_r types firstboot_t;
-
-ifdef(`xserver.te', `
-domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
-
-etc_domain(firstboot)
-
-allow firstboot_t proc_t:file r_file_perms;
-
-allow firstboot_t urandom_device_t:chr_file { getattr read };
-allow firstboot_t proc_t:file { getattr read write };
-
-domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
-file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
-
-can_exec_any(firstboot_t)
-ifdef(`useradd.te',`
-domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
-domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
-')
-allow firstboot_t etc_runtime_t:file { getattr read };
-
-r_dir_file(firstboot_t, etc_t)
-
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-allow firstboot_t self:fifo_file { getattr read write };
-allow firstboot_t self:process { fork sigchld };
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t initrc_exec_t:file { getattr read };
-allow firstboot_t initrc_var_run_t:file r_file_perms;
-allow firstboot_t lib_t:file { getattr read };
-allow firstboot_t local_login_t:fd use;
-read_locale(firstboot_t)
-
-allow firstboot_t proc_t:dir search;
-allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
-allow firstboot_t usr_t:file r_file_perms;
-
-allow firstboot_t etc_t:file write;
-
-# Allow write to utmp file
-allow firstboot_t initrc_var_run_t:file write;
-
-ifdef(`samba.te', `
-rw_dir_file(firstboot_t, samba_etc_t)
-')
-
-dontaudit firstboot_t shadow_t:file getattr;
-
-role system_r types initrc_t;
-#role_transition firstboot_r initrc_exec_t system_r;
-domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
-
-allow firstboot_t self:passwd rootok;
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-ifdef(`consoletype.te', `
-allow consoletype_t devtty_t:chr_file { read write };
-allow consoletype_t etc_t:file { getattr read };
-allow consoletype_t firstboot_t:fd use;
-')
-
-allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
-
-allow firstboot_t self:capability { dac_override setgid };
-allow firstboot_t self:dir search;
-allow firstboot_t self:file { read write };
-allow firstboot_t self:lnk_file read;
-can_setfscreate(firstboot_t)
-allow firstboot_t krb5_conf_t:file rw_file_perms;
-
-allow firstboot_t modules_conf_t:file { getattr read };
-allow firstboot_t modules_dep_t:file { getattr read };
-allow firstboot_t modules_object_t:dir search;
-allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
-allow firstboot_t proc_t:lnk_file read;
-
-can_getsecurity(firstboot_t)
-
-dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-read_sysctl(firstboot_t)
-
-allow firstboot_t var_run_t:dir getattr;
-allow firstboot_t var_t:dir getattr;
-ifdef(`hostname.te', `
-allow hostname_t devtty_t:chr_file { read write };
-allow hostname_t firstboot_t:fd use;
-')
-ifdef(`iptables.te', `
-allow iptables_t devtty_t:chr_file { read write };
-allow iptables_t firstboot_t:fd use;
-allow iptables_t firstboot_t:fifo_file write;
-')
-can_network_server(firstboot_t)
-can_ypbind(firstboot_t)
-ifdef(`printconf.te', `
-can_exec(firstboot_t, printconf_t)
-')
-create_dir_file(firstboot_t, var_t)
-# Add/remove user home directories
-file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
-
-#
-# The big hammer
-#
-unconfined_domain(firstboot_t)
-ifdef(`targeted_policy', `
-allow firstboot_t unconfined_t:process transition;
-')
-
diff --git a/strict/domains/program/fontconfig.te b/strict/domains/program/fontconfig.te
deleted file mode 100644
index 836470a1..00000000
--- a/strict/domains/program/fontconfig.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Fontconfig related types
-#
-# Author: Ivan Gyurdiev
-#
-
-# Look in fontconfig_macros.te
diff --git a/strict/domains/program/fs_daemon.te b/strict/domains/program/fs_daemon.te
deleted file mode 100644
index 05c98a9f..00000000
--- a/strict/domains/program/fs_daemon.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC file system daemons
-#
-# Author: Russell Coker
-# X-Debian-Packages: smartmontools
-
-daemon_domain(fsdaemon, `, fs_domain, privmail')
-allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
-allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
-
-# for config
-allow fsdaemon_t etc_t:file { getattr read };
-
-allow fsdaemon_t device_t:dir read;
-allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
-allow fsdaemon_t etc_runtime_t:file { getattr read };
-
-allow fsdaemon_t proc_mdstat_t:file { getattr read };
-
-can_exec_any(fsdaemon_t)
-allow fsdaemon_t self:fifo_file rw_file_perms;
-can_network_udp(fsdaemon_t)
-tmp_domain(fsdaemon)
-allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
-
-dontaudit fsdaemon_t devpts_t:dir search;
-allow fsdaemon_t proc_t:file { getattr read };
-dontaudit system_mail_t fixed_disk_device_t:blk_file read;
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
deleted file mode 100644
index 1d01c3da..00000000
--- a/strict/domains/program/fsadm.te
+++ /dev/null
@@ -1,123 +0,0 @@
-#DESC Fsadm - Disk and file system administration
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
-#
-
-#################################
-#
-# Rules for the fsadm_t domain.
-#
-# fsadm_t is the domain for disk and file system
-# administration.
-# fsadm_exec_t is the type of the corresponding programs.
-#
-type fsadm_t, domain, privlog, fs_domain, mlsfileread;
-role system_r types fsadm_t;
-role sysadm_r types fsadm_t;
-
-general_domain_access(fsadm_t)
-
-# for swapon
-r_dir_file(fsadm_t, sysfs_t)
-
-# Read system information files in /proc.
-r_dir_file(fsadm_t, proc_t)
-
-# Read system variables in /proc/sys
-read_sysctl(fsadm_t)
-
-# for /dev/shm
-allow fsadm_t tmpfs_t:dir { getattr search };
-allow fsadm_t tmpfs_t:file { read write };
-
-base_file_read_access(fsadm_t)
-
-# Read /etc.
-r_dir_file(fsadm_t, etc_t)
-
-# Read module-related files.
-allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow fsadm_t device_t:dir r_dir_perms;
-allow fsadm_t device_t:lnk_file r_file_perms;
-
-uses_shlib(fsadm_t)
-
-type fsadm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-')
-tmp_domain(fsadm)
-
-# remount file system to apply changes
-allow fsadm_t fs_t:filesystem remount;
-
-allow fsadm_t fs_t:filesystem getattr;
-
-# mkreiserfs needs this
-allow fsadm_t proc_t:filesystem getattr;
-
-# mkreiserfs and other programs need this for UUID
-allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
-
-# Use capabilities. ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
-
-# Write to /etc/mtab.
-file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
-
-# Inherit and use descriptors from init.
-allow fsadm_t init_t:fd use;
-
-# Run other fs admin programs in the fsadm_t domain.
-can_exec(fsadm_t, fsadm_exec_t)
-
-# Access disk devices.
-allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
-
-# Access lost+found.
-allow fsadm_t lost_found_t:dir create_dir_perms;
-allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
-allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
-
-allow fsadm_t file_t:dir { search read getattr rmdir create };
-
-# Recreate /mnt/cdrom.
-allow fsadm_t mnt_t:dir { search read getattr rmdir create };
-
-# Recreate /dev/cdrom.
-allow fsadm_t device_t:dir rw_dir_perms;
-allow fsadm_t device_t:lnk_file { unlink create };
-
-# Enable swapping to devices and files
-allow fsadm_t swapfile_t:file { getattr swapon };
-allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
-
-# Allow console log change (updfstab)
-allow fsadm_t kernel_t:system syslog_console;
-
-# Access terminals.
-can_access_pty(fsadm_t, initrc)
-allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-allow fsadm_t privfd:fd use;
-
-read_locale(fsadm_t)
-
-# for smartctl cron jobs
-system_crond_entry(fsadm_exec_t, fsadm_t)
-
-# Access to /initrd devices
-allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
-allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
-allow fsadm_t usbfs_t:dir { getattr search };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
-allow fsadm_t device_type:chr_file getattr;
-
-# for tune2fs
-allow fsadm_t file_type:dir { getattr search };
diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te
deleted file mode 100644
index b20252bd..00000000
--- a/strict/domains/program/ftpd.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Ftpd - Ftp daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
-#
-
-#################################
-#
-# Rules for the ftpd_t domain
-#
-daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
-etc_domain(ftpd)
-
-can_network(ftpd_t)
-allow ftpd_t port_type:tcp_socket name_connect;
-allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow ftpd_t self:unix_stream_socket create_socket_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
-allow ftpd_t self:fifo_file rw_file_perms;
-
-allow ftpd_t bin_t:dir search;
-can_exec(ftpd_t, bin_t)
-allow ftpd_t bin_t:lnk_file read;
-read_sysctl(ftpd_t)
-
-allow ftpd_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`crond.te', `
-system_crond_entry(ftpd_exec_t, ftpd_t)
-allow system_crond_t xferlog_t:file r_file_perms;
-can_exec(ftpd_t, { sbin_t shell_exec_t })
-allow ftpd_t usr_t:file { getattr read };
-ifdef(`logrotate.te', `
-can_exec(ftpd_t, logrotate_exec_t)
-')dnl end if logrotate.te
-')dnl end if crond.te
-
-allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
-allow ftpd_t port_t:tcp_socket name_bind;
-
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
-type ftpd_lock_t, file_type, sysadmfile, lockfile;
-
-# Allow ftpd to run directly without inetd.
-bool ftpd_is_daemon false;
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
-allow ftpd_t ftp_port_t:tcp_socket name_bind;
-can_tcp_connect(userdomain, ftpd_t)
-# Allows it to check exec privs on daemon
-allow inetd_t ftpd_exec_t:file x_file_perms;
-}
-ifdef(`inetd.te', `
-if (!ftpd_is_daemon) {
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-
-# Use sockets inherited from inetd.
-allow ftpd_t inetd_t:fd use;
-allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Send SIGCHLD to inetd on death.
-allow ftpd_t inetd_t:process sigchld;
-}
-') dnl end inetd.te
-
-# Access shared memory tmpfs instance.
-tmpfs_domain(ftpd)
-
-# Use capabilities.
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-# Append to /var/log/wtmp.
-allow ftpd_t wtmp_t:file { getattr append };
-#kerberized ftp requires the following
-allow ftpd_t wtmp_t:file { write lock };
-
-# Create and modify /var/log/xferlog.
-type xferlog_t, file_type, sysadmfile, logfile;
-file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
-
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-can_exec(ftpd_t, ls_exec_t)
-
-allow initrc_t ftpd_etc_t:file { getattr read };
-allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ftpd_t proc_t:file { getattr read };
-
-dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t autofs_t:dir search;
-allow ftpd_t self:file { getattr read };
-tmp_domain(ftpd)
-
-# Allow ftp to read/write files in the user home directories.
-bool ftp_home_dir false;
-
-if (ftp_home_dir) {
-# allow access to /home
-allow ftpd_t home_root_t:dir r_dir_perms;
-create_dir_file(ftpd_t, home_type)
-ifdef(`targeted_policy', `
-file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
-')
-}
-if (use_nfs_home_dirs && ftp_home_dir) {
- r_dir_file(ftpd_t, nfs_t)
-}
-if (use_samba_home_dirs && ftp_home_dir) {
- r_dir_file(ftpd_t, cifs_t)
-}
-dontaudit ftpd_t selinux_config_t:dir search;
-anonymous_domain(ftpd)
-
diff --git a/strict/domains/program/games.te b/strict/domains/program/games.te
deleted file mode 100644
index dee046c0..00000000
--- a/strict/domains/program/games.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC Games - Miscellaneous games
-#
-# Author: Russell Coker
-# X-Debian-Packages: bsdgames
-#
-
-# type for shared data from games
-type games_data_t, file_type, sysadmfile;
-
-# domain games_t is for system operation of games, generic games daemons and
-# games recovery scripts, also defines games_exec_t
-daemon_domain(games,,nosysadm)
-rw_dir_create_file(games_t, games_data_t)
-r_dir_file(initrc_t, games_data_t)
-
-# Run in user_t
-bool disable_games_trans false;
-
-# Everything else is in the x_client_domain macro in
-# macros/program/x_client_macros.te.
diff --git a/strict/domains/program/gconf.te b/strict/domains/program/gconf.te
deleted file mode 100644
index e4dfa4b6..00000000
--- a/strict/domains/program/gconf.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# DESC - GConf preference daemon
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executable
-type gconfd_exec_t, file_type, exec_type, sysadmfile;
-
-# Type for /etc files
-type gconf_etc_t, file_type, sysadmfile;
-
-# Everything else is in macros/gconfd_macros.te
diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te
deleted file mode 100644
index 7899aecf..00000000
--- a/strict/domains/program/getty.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Getty - Manage ttys
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
-#
-
-#################################
-#
-# Rules for the getty_t domain.
-#
-init_service_domain(getty, `, privfd')
-
-etcdir_domain(getty)
-
-allow getty_t console_device_t:chr_file setattr;
-
-tmp_domain(getty)
-log_domain(getty)
-
-allow getty_t { etc_t etc_runtime_t }:file { getattr read };
-allow getty_t etc_t:lnk_file read;
-allow getty_t self:process { getpgid getsession };
-allow getty_t self:unix_dgram_socket create_socket_perms;
-allow getty_t self:unix_stream_socket create_socket_perms;
-
-# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-
-read_locale(getty_t)
-
-# Run login in local_login_t domain.
-allow getty_t { sbin_t bin_t }:dir search;
-domain_auto_trans(getty_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow getty_t { var_t var_run_t }:dir search;
-allow getty_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow getty_t wtmp_t:file rw_file_perms;
-
-# Chown, chmod, read and write ttys.
-allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
-allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
-
-# for error condition handling
-allow getty_t fs_t:filesystem getattr;
-
-lock_domain(getty)
-r_dir_file(getty_t, sysfs_t)
-# for mgetty
-var_run_domain(getty)
-allow getty_t self:capability { fowner fsetid };
-
-#
-# getty needs to be able to run pppd
-#
-ifdef(`pppd.te', `
-domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
-')
diff --git a/strict/domains/program/gnome-pty-helper.te b/strict/domains/program/gnome-pty-helper.te
deleted file mode 100644
index 084aa681..00000000
--- a/strict/domains/program/gnome-pty-helper.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Gnome Terminal - Helper program for GNOME x-terms
-#
-# Domains for the gnome-pty-helper program.
-# X-Debian-Packages: gnome-terminal
-#
-
-# Type for the gnome-pty-helper executable.
-type gph_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the gph_domain macro in
-# macros/program/gph_macros.te.
diff --git a/strict/domains/program/gnome.te b/strict/domains/program/gnome.te
deleted file mode 100644
index b45ea8e9..00000000
--- a/strict/domains/program/gnome.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# GNOME related types
-#
-# Author: Ivan Gyurdiev
-#
-
-# Look in gnome_macros.te
diff --git a/strict/domains/program/gnome_vfs.te b/strict/domains/program/gnome_vfs.te
deleted file mode 100644
index d4cabb64..00000000
--- a/strict/domains/program/gnome_vfs.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - GNOME VFS Daemon
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executable
-type gnome_vfs_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/gnome_vfs_macros.te
diff --git a/strict/domains/program/gpg-agent.te b/strict/domains/program/gpg-agent.te
deleted file mode 100644
index 2942c6c7..00000000
--- a/strict/domains/program/gpg-agent.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC gpg-agent - agent to securely store gpg-keys
-#
-# Author: Thomas Bleher
-#
-
-# Type for the gpg-agent executable.
-type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
-
-# type for the pinentry executable
-type pinentry_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the gpg_agent_domain macro in
-# macros/program/gpg_agent_macros.te.
diff --git a/strict/domains/program/gpg.te b/strict/domains/program/gpg.te
deleted file mode 100644
index b9cadb5f..00000000
--- a/strict/domains/program/gpg.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC GPG - Gnu Privacy Guard (PGP replacement)
-#
-# Authors: Russell Coker
-# X-Debian-Packages: gnupg
-#
-
-# Type for gpg or pgp executables.
-type gpg_exec_t, file_type, sysadmfile, exec_type;
-type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
-
-allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
-allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
-
-# Everything else is in the gpg_domain macro in
-# macros/program/gpg_macros.te.
diff --git a/strict/domains/program/gpm.te b/strict/domains/program/gpm.te
deleted file mode 100644
index ff81d697..00000000
--- a/strict/domains/program/gpm.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC Gpm - General Purpose Mouse driver
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: gpm
-#
-
-#################################
-#
-# Rules for the gpm_t domain.
-#
-# gpm_t is the domain of the console mouse server.
-# gpm_exec_t is the type of the console mouse server program.
-# gpmctl_t is the type of the Unix domain socket or pipe created
-# by the console mouse server.
-#
-daemon_domain(gpm)
-
-type gpmctl_t, file_type, sysadmfile, dev_fs;
-
-tmp_domain(gpm)
-
-# Allow to read the /etc/gpm/ conf files
-type gpm_conf_t, file_type, sysadmfile;
-r_dir_file(gpm_t, gpm_conf_t)
-
-# Use capabilities.
-allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
-
-# Create and bind to /dev/gpmctl.
-file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
-allow gpm_t gpmctl_t:unix_stream_socket name_bind;
-allow gpm_t self:unix_dgram_socket create_socket_perms;
-allow gpm_t self:unix_stream_socket create_stream_socket_perms;
-
-# Read and write ttys.
-allow gpm_t tty_device_t:chr_file rw_file_perms;
-
-# Access the mouse.
-allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
-allow gpm_t device_t:lnk_file { getattr read };
-
-read_locale(gpm_t)
-
-allow initrc_t gpmctl_t:sock_file setattr;
-
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
deleted file mode 100644
index a51709a2..00000000
--- a/strict/domains/program/hald.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#DESC hald - server for device info
-#
-# Author: Russell Coker
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the hald_t domain.
-#
-# hald_exec_t is the type of the hald executable.
-#
-daemon_domain(hald, `, fs_domain, nscd_client_domain')
-
-can_exec_any(hald_t)
-
-allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow hald_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
-dbusd_client(system, hald)
-allow hald_t self:dbus send_msg;
-')
-
-allow hald_t self:file { getattr read };
-allow hald_t proc_t:file rw_file_perms;
-
-allow hald_t { bin_t sbin_t }:dir search;
-allow hald_t self:fifo_file rw_file_perms;
-allow hald_t usr_t:file { getattr read };
-allow hald_t bin_t:file getattr;
-
-# For backwards compatibility with older kernels
-allow hald_t self:netlink_socket create_socket_perms;
-
-allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
-can_network_server(hald_t)
-can_ypbind(hald_t)
-
-allow hald_t device_t:lnk_file read;
-allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
-allow hald_t removable_device_t:blk_file write;
-allow hald_t event_device_t:chr_file { getattr read ioctl };
-allow hald_t printer_device_t:chr_file rw_file_perms;
-allow hald_t urandom_device_t:chr_file read;
-allow hald_t mouse_device_t:chr_file r_file_perms;
-allow hald_t device_type:chr_file getattr;
-
-can_getsecurity(hald_t)
-
-ifdef(`updfstab.te', `
-domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
-allow updfstab_t hald_t:dbus send_msg;
-allow hald_t updfstab_t:dbus send_msg;
-')
-ifdef(`udev.te', `
-domain_auto_trans(hald_t, udev_exec_t, 
udev_t)
-allow udev_t hald_t:unix_dgram_socket sendto;
-allow hald_t udev_tbl_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(hald_t, hotplug_etc_t)
-')
-allow hald_t fs_type:dir { search getattr };
-allow hald_t usbfs_t:dir r_dir_perms;
-allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
-allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
-allow hald_t initrc_t:dbus send_msg;
-allow initrc_t hald_t:dbus send_msg;
-allow hald_t etc_runtime_t:file rw_file_perms;
-allow hald_t var_lib_t:dir search;
-allow hald_t device_t:dir create_dir_perms;
-allow hald_t device_t:chr_file create_file_perms;
-tmp_domain(hald)
-allow hald_t mnt_t:dir search;
-r_dir_file(hald_t, proc_net_t)
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
-
-# For /usr/libexec/hald-probe-smbios
-domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
-
-# ??
-ifdef(`lvm.te', `
-allow hald_t lvm_control_t:chr_file r_file_perms;
-')
-ifdef(`targeted_policy', `
-allow unconfined_t hald_t:dbus send_msg;
-allow hald_t unconfined_t:dbus send_msg;
-')
-ifdef(`mount.te', `
-domain_auto_trans(hald_t, mount_exec_t, mount_t)
-')
-r_dir_file(hald_t, hwdata_t)
diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te
deleted file mode 100644
index 2138baf5..00000000
--- a/strict/domains/program/hostname.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC hostname - show or set the system host name
-#
-# Author: Russell Coker
-# X-Debian-Packages: hostname
-
-# for setting the hostname
-daemon_core_rules(hostname, , nosysadm)
-allow hostname_t self:capability sys_admin;
-allow hostname_t etc_t:file { getattr read };
-
-allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-read_locale(hostname_t)
-can_resolve(hostname_t)
-allow hostname_t userdomain:fd use;
-dontaudit hostname_t kernel_t:fd use;
-allow hostname_t net_conf_t:file { getattr read };
-allow hostname_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit hostname_t var_t:dir search;
-allow hostname_t fs_t:filesystem getattr;
-
-# for when /usr is not mounted
-dontaudit hostname_t file_t:dir search;
-
-ifdef(`distro_redhat', `
-allow hostname_t tmpfs_t:chr_file rw_file_perms;
-')
-can_access_pty(hostname_t, initrc)
-allow hostname_t initrc_t:fd use;
diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te
deleted file mode 100644
index a6d8fbe2..00000000
--- a/strict/domains/program/hotplug.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#DESC Hotplug - Hardware event manager
-#
-# Author: Russell Coker
-# X-Debian-Packages: hotplug
-#
-
-#################################
-#
-# Rules for the hotplug_t domain.
-#
-# hotplug_exec_t is the type of the hotplug executable.
-#
-ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
-', `
-daemon_domain(hotplug, `, privmodule, nscd_client_domain')
-')
-
-etcdir_domain(hotplug)
-
-allow hotplug_t self:fifo_file { read write getattr ioctl };
-allow hotplug_t self:unix_dgram_socket create_socket_perms;
-allow hotplug_t self:unix_stream_socket create_socket_perms;
-allow hotplug_t self:udp_socket create_socket_perms;
-
-read_sysctl(hotplug_t)
-allow hotplug_t sysctl_net_t:dir r_dir_perms;
-allow hotplug_t sysctl_net_t:file { getattr read };
-
-# get info from /proc
-r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read ioctl };
-
-allow hotplug_t devtty_t:chr_file rw_file_perms;
-
-allow hotplug_t device_t:dir r_dir_perms;
-
-# for SSP
-allow hotplug_t urandom_device_t:chr_file read;
-
-allow hotplug_t { bin_t sbin_t }:dir search;
-allow hotplug_t { bin_t sbin_t }:lnk_file read;
-can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-ifdef(`netutils.te', `
-ifdef(`distro_redhat', `
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
-
-allow hotplug_t tmpfs_t:dir search;
-allow hotplug_t tmpfs_t:chr_file rw_file_perms;
-')dnl end if distro_redhat
-')dnl end if netutils.te
-
-allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read ioctl };
-r_dir_file(hotplug_t, usbdevfs_t)
-allow hotplug_t usbfs_t:dir r_dir_perms;
-allow hotplug_t 
usbfs_t:file { getattr read };
-
-# read config files
-allow hotplug_t etc_t:dir r_dir_perms;
-allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
-
-allow hotplug_t kernel_t:process { sigchld setpgid };
-
-ifdef(`distro_redhat', `
-allow hotplug_t var_lock_t:dir search;
-allow hotplug_t var_lock_t:file getattr;
-')
-
-ifdef(`hald.te', `
-allow hotplug_t hald_t:unix_dgram_socket sendto;
-allow hald_t hotplug_etc_t:dir search;
-allow hald_t hotplug_etc_t:file { getattr read };
-')
-
-# for killall
-allow hotplug_t self:process { getsession getattr };
-allow hotplug_t self:file getattr;
-
-domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
-ifdef(`mount.te', `
-domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
-')
-domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`updfstab.te', `
-domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
-')
-
-# init scripts run /etc/hotplug/usb.rc
-domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
-allow initrc_t hotplug_etc_t:dir r_dir_perms;
-
-ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
-
-r_dir_file(hotplug_t, modules_object_t)
-allow hotplug_t modules_dep_t:file { getattr read ioctl };
-
-# for lsmod
-dontaudit hotplug_t self:capability { sys_module sys_admin };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit hotplug_t self:capability { dac_override dac_read_search };
-
-ifdef(`fsadm.te', `
-domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
-')
-
-allow hotplug_t var_log_t:dir search;
-
-# for ps
-dontaudit hotplug_t domain:dir { getattr search };
-dontaudit hotplug_t { init_t kernel_t }:file read;
-ifdef(`initrc.te', `
-can_ps(hotplug_t, initrc_t)
-')
-
-# for when filesystems are not mounted early in the boot
-dontaudit hotplug_t file_t:dir { search getattr };
-
-# kernel threads inherit from shared descriptor table used by init
-dontaudit hotplug_t initctl_t:fifo_file { read write };
-
-# Read /usr/lib/gconv/.*
-allow hotplug_t lib_t:file { 
getattr read };
-
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-allow hotplug_t sysfs_t:dir { getattr read search write };
-allow hotplug_t sysfs_t:file rw_file_perms;
-allow hotplug_t sysfs_t:lnk_file { getattr read };
-r_dir_file(hotplug_t, hwdata_t)
-allow hotplug_t udev_runtime_t:file rw_file_perms;
-ifdef(`lpd.te', `
-allow hotplug_t printer_device_t:chr_file setattr;
-')
-allow hotplug_t fixed_disk_device_t:blk_file setattr;
-allow hotplug_t removable_device_t:blk_file setattr;
-allow hotplug_t sound_device_t:chr_file setattr;
-
-ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-')
-
-file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
-
-can_network_server(hotplug_t)
-can_ypbind(hotplug_t)
-dbusd_client(system, hotplug)
-
-# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
-domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
-ifdef(`mta.te', `
-domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
-')
-
-allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
-allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
-
-dontaudit hotplug_t selinux_config_t:dir search;
diff --git a/strict/domains/program/howl.te b/strict/domains/program/howl.te
deleted file mode 100644
index ccb2fb1f..00000000
--- a/strict/domains/program/howl.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC howl - port of Apple Rendezvous multicast DNS
-#
-# Author: Russell Coker
-#
-
-daemon_domain(howl, `, privsysmod')
-r_dir_file(howl_t, proc_net_t)
-can_network_server(howl_t)
-can_ypbind(howl_t)
-allow howl_t self:unix_dgram_socket create_socket_perms;
-allow howl_t self:capability { kill net_admin sys_module };
-
-allow howl_t self:fifo_file rw_file_perms;
-
-allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow howl_t self:unix_dgram_socket create_socket_perms;
-
-allow howl_t etc_t:file { getattr read };
-allow howl_t initrc_var_run_t:file rw_file_perms;
-
diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te
deleted file mode 100644
index dab39eec..00000000
--- a/strict/domains/program/hwclock.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC Hwclock - Hardware clock manager
-#
-# Author: David A. Wheeler
-# Russell Coker
-# X-Debian-Packages: util-linux
-#
-
-#################################
-#
-# Rules for the hwclock_t domain.
-# This domain moves time information between the "hardware clock"
-# (which runs when the system is off) and the "system clock",
-# and it stores adjustment values in /etc/adjtime so that errors in the
-# hardware clock are corrected.
-# Note that any errors from this domain are NOT recorded by the system logger,
-# because the system logger isnt running when this domain is active.
-#
-daemon_base_domain(hwclock)
-role sysadm_r types hwclock_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
-')
-type adjtime_t, file_type, sysadmfile;
-allow hwclock_t fs_t:filesystem getattr;
-
-read_locale(hwclock_t)
-
-# Give hwclock the capabilities it requires. dac_override is a surprise,
-# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
-
-# Allow hwclock to set the hardware clock.
-allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
-
-# Allow hwclock to store & retrieve correction factors.
-allow hwclock_t adjtime_t:file { setattr rw_file_perms };
-
-# Read and write console and ttys.
-allow hwclock_t tty_device_t:chr_file rw_file_perms;
-allow hwclock_t ttyfile:chr_file rw_file_perms;
-allow hwclock_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
-
-read_locale(hwclock_t)
-
-# for when /usr is not mounted
-dontaudit hwclock_t file_t:dir search;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-r_dir_file(hwclock_t, etc_t)
diff --git a/strict/domains/program/i18n_input.te b/strict/domains/program/i18n_input.te
deleted file mode 100644
index cdff6cac..00000000
--- a/strict/domains/program/i18n_input.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# i18n_input.te
-# Security Policy for IIIMF htt server
-# Date: 2004, 12th April (Monday)
-
-# Establish i18n_input as a daemon
-daemon_domain(i18n_input)
-
-can_exec(i18n_input_t, i18n_input_exec_t)
-can_network(i18n_input_t)
-allow i18n_input_t port_type:tcp_socket name_connect;
-can_ypbind(i18n_input_t)
-
-can_tcp_connect(userdomain, i18n_input_t)
-can_unix_connect(i18n_input_t, initrc_t)
-
-allow i18n_input_t self:fifo_file rw_file_perms;
-allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
-
-allow i18n_input_t self:capability { kill setgid setuid };
-allow i18n_input_t self:process { setsched setpgid };
-
-allow i18n_input_t { bin_t sbin_t }:dir search;
-can_exec(i18n_input_t, bin_t)
-
-allow i18n_input_t etc_t:file r_file_perms;
-allow i18n_input_t self:unix_dgram_socket create_socket_perms;
-allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
-allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
-allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-allow i18n_input_t usr_t:file { getattr read };
-allow i18n_input_t home_root_t:dir search;
-allow i18n_input_t etc_runtime_t:file { getattr read };
-allow i18n_input_t proc_t:file { getattr read };
diff --git a/strict/domains/program/iceauth.te b/strict/domains/program/iceauth.te
deleted file mode 100644
index f41ad9e4..00000000
--- a/strict/domains/program/iceauth.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC ICEauth - ICE authority file utility
-#
-# Domains for the iceauth program.
-#
-# Author: Ivan Gyurdiev
-#
-# iceauth_exec_t is the type of the xauth executable.
-#
-type iceauth_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the iceauth_domain macro in
-# macros/program/iceauth_macros.te.
diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te
deleted file mode 100644
index 6cccc32d..00000000
--- a/strict/domains/program/ifconfig.te
+++ /dev/null
@@ -1,74 +0,0 @@
-#DESC Ifconfig - Configure network interfaces
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: net-tools
-#
-
-#################################
-#
-# Rules for the ifconfig_t domain.
-#
-# ifconfig_t is the domain for the ifconfig program.
-# ifconfig_exec_t is the type of the corresponding program.
-#
-type ifconfig_t, domain, privlog, privmodule;
-type ifconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types ifconfig_t;
-role sysadm_r types ifconfig_t;
-
-uses_shlib(ifconfig_t)
-general_domain_access(ifconfig_t)
-
-domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-')
-
-# for /sbin/ip
-allow ifconfig_t self:packet_socket create_socket_perms;
-allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
-allow ifconfig_t self:tcp_socket { create ioctl };
-allow ifconfig_t etc_t:file { getattr read };
-
-allow ifconfig_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow ifconfig_t self:capability { net_raw net_admin };
-dontaudit ifconfig_t self:capability sys_module;
-allow ifconfig_t self:capability sys_tty_config;
-
-# Inherit and use descriptors from init.
-allow ifconfig_t { kernel_t init_t }:fd use;
-
-# Access /proc
-r_dir_file(ifconfig_t, proc_t)
-r_dir_file(ifconfig_t, proc_net_t)
-
-allow ifconfig_t privfd:fd use;
-allow ifconfig_t run_init_t:fd use;
-
-# Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket create_socket_perms;
-
-# Access terminals.
-can_access_pty(ifconfig_t, initrc)
-allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-
-allow ifconfig_t tun_tap_device_t:chr_file { read write };
-
-# ifconfig attempts to search some sysctl entries.
-# Do not audit those attempts; comment out these rules if it is desired to
-# see the denials.
-allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-
-allow ifconfig_t fs_t:filesystem getattr;
-
-read_locale(ifconfig_t)
-allow ifconfig_t lib_t:file { getattr read };
-
-rhgb_domain(ifconfig_t)
-allow ifconfig_t userdomain:fd use;
-dontaudit ifconfig_t root_t:file read;
-r_dir_file(ifconfig_t, sysfs_t)
diff --git a/strict/domains/program/inetd.te b/strict/domains/program/inetd.te
deleted file mode 100644
index 5c88ab35..00000000
--- a/strict/domains/program/inetd.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Inetd - Internet services daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# re-written with daemon_domain by Russell Coker
-# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
-#
-
-#################################
-#
-# Rules for the inetd_t domain and
-# the inetd_child_t domain.
-#
-
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
-
-can_network(inetd_t)
-allow inetd_t port_type:tcp_socket name_connect;
-allow inetd_t self:unix_dgram_socket create_socket_perms;
-allow inetd_t self:unix_stream_socket create_socket_perms;
-allow inetd_t self:fifo_file rw_file_perms;
-allow inetd_t etc_t:file { getattr read ioctl };
-allow inetd_t self:process setsched;
-
-log_domain(inetd)
-tmp_domain(inetd)
-
-# Use capabilities.
-allow inetd_t self:capability { setuid setgid net_bind_service };
-
-# allow any domain to connect to inetd
-can_tcp_connect(userdomain, inetd_t)
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to the individual target domain .te files.
-
-# Run other daemons in the inetd_child_t domain.
-allow inetd_t { bin_t sbin_t }:dir search;
-allow inetd_t sbin_t:lnk_file read;
-
-# Bind to the telnet, ftp, rlogin and rsh ports.
-ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
-ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
-allow inetd_t auth_port_t:tcp_socket name_bind;
-# Communicate with the portmapper.
-ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
-
-
-inetd_child_domain(inetd_child)
-allow inetd_child_t proc_net_t:dir search;
-allow inetd_child_t proc_net_t:file { getattr read };
-
-ifdef(`unconfined.te', `
-domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
-')
-
-ifdef(`unlimitedInetd', `
-unconfined_domain(inetd_t)
-')
-
diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te
deleted file mode 100644
index 185e0baa..00000000
--- a/strict/domains/program/init.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sysvinit
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_t is the domain of the init process.
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created
-# by init during initialization. This pipe is used
-# to communicate with init.
-#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
-role system_r types init_t;
-uses_shlib(init_t);
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# for init to determine whether SE Linux is active so it can know whether to
-# activate it
-allow init_t security_t:dir search;
-allow init_t security_t:file { getattr read };
-
-# for mount points
-allow init_t file_t:dir search;
-
-# Use capabilities.
-allow init_t self:capability ~sys_module;
-
-# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
-domain_auto_trans(init_t, initrc_exec_t, initrc_t)
-
-# Run the shell in the sysadm_t domain for single-user mode.
-domain_auto_trans(init_t, shell_exec_t, sysadm_t)
-
-# Run /sbin/update in the init_t domain.
-can_exec(init_t, sbin_t)
-
-# Run init.
-can_exec(init_t, init_exec_t)
-
-# Run chroot from initrd scripts.
-ifdef(`chroot.te', `
-can_exec(init_t, chroot_exec_t)
-')
-
-# Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
-ifdef(`distro_redhat', `
-file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
-')
-
-# Create ioctl.save.
-file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache
-allow init_t ld_so_cache_t:file rw_file_perms;
-
-# Allow access to log files
-allow init_t var_t:dir search;
-allow init_t var_log_t:dir search;
-allow init_t var_log_t:file rw_file_perms;
-
-read_locale(init_t)
-
-# Create unix sockets
-allow init_t self:unix_dgram_socket create_socket_perms;
-allow init_t self:unix_stream_socket create_socket_perms;
-allow init_t self:fifo_file rw_file_perms;
-
-# Permissions required for system startup
-allow init_t { bin_t sbin_t }:dir r_dir_perms;
-allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
-
-# allow init to fork
-allow init_t self:process { fork sigchld };
-
-# Modify utmp.
-allow init_t var_run_t:file rw_file_perms;
-allow init_t initrc_var_run_t:file { setattr rw_file_perms };
-can_unix_connect(init_t, initrc_t)
-
-# For /var/run/shutdown.pid.
-var_run_domain(init)
-
-# Shutdown permissions
-r_dir_file(init_t, proc_t)
-r_dir_file(init_t, self)
-allow init_t devpts_t:dir r_dir_perms;
-
-# Modify wtmp.
-allow init_t wtmp_t:file rw_file_perms;
-
-# Kill all processes.
-allow init_t domain:process signal_perms;
-
-# Allow all processes to send SIGCHLD to init.
-allow domain init_t:process { sigchld signull };
-
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-allow unlabeled_t init_t:process sigchld;
-
-# for loading policy
-allow init_t policy_config_t:file r_file_perms;
-
-# Set booleans.
-can_setbool(init_t)
-
-# Read and write the console and ttys.
-allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
-ifdef(`distro_redhat', `
-allow init_t tmpfs_t:chr_file rw_file_perms;
-')
-allow init_t ttyfile:chr_file rw_file_perms;
-allow init_t ptyfile:chr_file rw_file_perms;
-
-# Run system executables.
-can_exec(init_t,bin_t)
-ifdef(`consoletype.te', `
-can_exec(init_t, consoletype_exec_t)
-')
-
-# Run /etc/X11/prefdm.
-can_exec(init_t,etc_t)
-
-allow init_t lib_t:file { getattr read };
-
-allow init_t devtty_t:chr_file { read write };
-allow init_t ramfs_t:dir search;
-allow init_t ramfs_t:sock_file write;
-r_dir_file(init_t, sysfs_t)
-
-r_dir_file(init_t, selinux_config_t)
-
-# file descriptors inherited from the rootfs.
-dontaudit init_t root_t:{ file chr_file } { read write };
-ifdef(`targeted_policy', `
-unconfined_domain(init_t)
-')
-
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
deleted file mode 100644
index c66d876a..00000000
--- a/strict/domains/program/initrc.te
+++ /dev/null
@@ -1,339 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sysvinit policycoreutils
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_t is the domain of the init rc scripts.
-# initrc_exec_t is the type of the init program.
-#
-# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
-
-role system_r types initrc_t;
-uses_shlib(initrc_t);
-can_network(initrc_t)
-allow initrc_t port_type:tcp_socket name_connect;
-can_ypbind(initrc_t)
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-
-# for halt to down interfaces
-allow initrc_t self:udp_socket create_socket_perms;
-
-# read files in /etc/init.d
-allow initrc_t etc_t:lnk_file r_file_perms;
-
-read_locale(initrc_t)
-
-r_dir_file(initrc_t, usr_t)
-
-# Read system information files in /proc.
-r_dir_file(initrc_t, { proc_t proc_net_t })
-allow initrc_t proc_mdstat_t:file { getattr read };
-
-# Allow IPC with self
-allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow initrc_t self:fifo_file rw_file_perms;
-
-# Read the root directory of a usbdevfs filesystem, and
-# the devices and drivers files. Permit stating of the
-# device nodes, but nothing else.
-allow initrc_t usbdevfs_t:dir r_dir_perms;
-allow initrc_t usbdevfs_t:lnk_file r_file_perms;
-allow initrc_t usbdevfs_t:file getattr;
-allow initrc_t usbfs_t:dir r_dir_perms;
-allow initrc_t usbfs_t:file getattr;
-
-# allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
-
-# Can create ptys for open_init_pty
-can_create_pty(initrc)
-
-tmp_domain(initrc)
-#
-# Some initscripts generate scripts that they need to execute (ldap)
-#
-can_exec(initrc_t, initrc_tmp_t)
-
-var_run_domain(initrc)
-allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
-allow initrc_t var_run_t:dir { create rmdir };
-
-ifdef(`distro_debian', `
-allow initrc_t { etc_t device_t }:dir setattr;
-
-# for storing state under /dev/shm
-allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
-')
-
-allow initrc_t framebuf_device_t:chr_file r_file_perms;
-
-# Use capabilities.
-allow initrc_t self:capability ~{ sys_admin sys_module };
-
-# Use system operations.
-allow initrc_t kernel_t:system *;
-
-# Set values in /proc/sys.
-can_sysctl(initrc_t)
-
-# Run helper programs in the initrc_t domain.
-allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
-allow initrc_t {bin_t sbin_t }:lnk_file read;
-can_exec(initrc_t, etc_t)
-can_exec(initrc_t, lib_t)
-can_exec(initrc_t, bin_t)
-can_exec(initrc_t, sbin_t)
-can_exec(initrc_t, exec_type)
-#
-# These rules are here to allow init scripts to su
-#
-ifdef(`su.te', `
-su_restricted_domain(initrc,system)
-role system_r types initrc_su_t;
-')
-allow initrc_t self:passwd rootok;
-
-# read /lib/modules
-allow initrc_t modules_object_t:dir { search read };
-
-# Read conf.modules.
-allow initrc_t modules_conf_t:file r_file_perms;
-
-# Run other rc scripts in the initrc_t domain.
-can_exec(initrc_t, initrc_exec_t)
-
-# Run init (telinit) in the initrc_t domain.
-can_exec(initrc_t, init_exec_t)
-
-# Communicate with the init process.
-allow initrc_t initctl_t:fifo_file rw_file_perms;
-
-# Read /proc/PID directories for all domains.
-r_dir_file(initrc_t, domain)
-allow initrc_t domain:process { getattr getsession };
-
-# Mount and unmount file systems.
-allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t file_t:dir { read search getattr mounton };
-
-# during boot up initrc needs to do the following
-allow initrc_t default_t:dir { write read search getattr mounton };
-
-# rhgb-console writes to ramfs
-allow initrc_t ramfs_t:fifo_file write;
-
-# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
-file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache.
-allow initrc_t ld_so_cache_t:file rw_file_perms;
-
-# Update /var/log/wtmp and /var/log/dmesg.
-allow initrc_t wtmp_t:file { setattr rw_file_perms };
-allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file create_file_perms;
-allow initrc_t lastlog_t:file { setattr rw_file_perms };
-allow initrc_t logfile:file { read append };
-
-# remove old locks
-allow initrc_t lockfile:dir rw_dir_perms;
-allow initrc_t lockfile:file { getattr unlink };
-
-# Access /var/lib/random-seed.
-allow initrc_t var_lib_t:file rw_file_perms;
-allow initrc_t var_lib_t:file unlink;
-
-# Create lock file.
-allow initrc_t var_lock_t:dir create_dir_perms;
-allow initrc_t var_lock_t:file create_file_perms;
-
-# Set the clock.
-allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
-
-# Kill all processes.
-allow initrc_t domain:process signal_perms;
-
-# Write to /dev/urandom.
-allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
-
-# for cryptsetup
-allow initrc_t fixed_disk_device_t:blk_file getattr;
-
-# Set device ownerships/modes.
-allow initrc_t framebuf_device_t:chr_file setattr;
-allow initrc_t misc_device_t:devfile_class_set setattr;
-allow initrc_t device_t:devfile_class_set setattr;
-allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
-allow initrc_t removable_device_t:devfile_class_set setattr;
-allow initrc_t device_t:lnk_file read;
-allow initrc_t xconsole_device_t:fifo_file setattr;
-
-# Stat any file.
-allow initrc_t file_type:notdevfile_class_set getattr;
-allow initrc_t file_type:dir { search getattr };
-
-# Read and write console and ttys.
-allow initrc_t devtty_t:chr_file rw_file_perms;
-allow initrc_t console_device_t:chr_file rw_file_perms;
-allow initrc_t tty_device_t:chr_file rw_file_perms;
-allow initrc_t ttyfile:chr_file rw_file_perms;
-allow initrc_t ptyfile:chr_file rw_file_perms;
-
-# Reset tty labels.
-allow initrc_t ttyfile:chr_file relabelfrom;
-allow initrc_t tty_device_t:chr_file relabelto;
-
-ifdef(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file rw_file_perms;
-file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
-
-allow initrc_t tmpfs_t:chr_file rw_file_perms;
-allow initrc_t tmpfs_t:dir r_dir_perms;
-
-# Allow initrc domain to set the enforcing flag.
-can_setenforce(initrc_t)
-
-#
-# readahead asks for these
-#
-allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t var_lib_nfs_t:file { getattr read };
-
-# for /halt /.autofsck and other flag files
-file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
-
-file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
-allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
-allow initrc_t self:capability sys_admin;
-allow initrc_t device_t:dir create;
-# wants to delete /poweroff and other files
-allow initrc_t root_t:file unlink;
-# wants to read /.fonts directory
-allow initrc_t default_t:file { getattr read };
-ifdef(`xserver.te', `
-# wants to cleanup xserver log dir
-allow initrc_t xserver_log_t:dir rw_dir_perms;
-allow initrc_t xserver_log_t:file unlink;
-')
-')dnl end distro_redhat
-
-allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-allow initrc_t var_spool_t:file rw_file_perms;
-
-# Allow access to the sysadm TTYs. Note that this will give access to the
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow initrc_t admin_tty_type:chr_file rw_file_perms;
-
-# Access sound device and files.
-allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-
-# Read user home directories.
-allow initrc_t { home_root_t home_type }:dir r_dir_perms;
-allow initrc_t home_type:file r_file_perms;
-
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
-# for system start scripts
-allow initrc_t pidfile:dir { rmdir rw_dir_perms };
-allow initrc_t pidfile:sock_file unlink;
-
-rw_dir_create_file(initrc_t, var_lib_t)
-
-# allow start scripts to clean /tmp
-allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
-allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
-
-# for lsof which is used by alsa shutdown
-dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit initrc_t proc_kmsg_t:file getattr;
-
-#################################
-#
-# Rules for the run_init_t domain.
-#
-ifdef(`targeted_policy', `
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-type run_init_t, domain;
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-typeattribute initrc_t privuser;
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-allow initrc_t unconfined_t:system syslog_mod;
-', `
-run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
-')
-allow initrc_t privfd:fd use;
-
-# Transition to system_r:initrc_t upon executing init scripts.
-ifdef(`direct_sysadm_daemon', `
-role_transition sysadm_r initrc_exec_t system_r;
-domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
-')
-
-#
-# Shutting down xinet causes these
-#
-# Fam
-dontaudit initrc_t device_t:dir { read write };
-# Rsync
-dontaudit initrc_t mail_spool_t:lnk_file read;
-
-allow initrc_t sysfs_t:dir { getattr read search };
-allow initrc_t sysfs_t:file { getattr read write };
-allow initrc_t sysfs_t:lnk_file { getattr read };
-allow initrc_t udev_runtime_t:file rw_file_perms;
-allow initrc_t device_type:chr_file setattr;
-allow initrc_t binfmt_misc_fs_t:dir { getattr search };
-allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-
-# for lsof in shutdown scripts
-can_kerberos(initrc_t)
-
-#
-# Wants to remove udev.tbl
-#
-allow initrc_t device_t:dir rw_dir_perms;
-allow initrc_t device_t:lnk_file unlink;
-
-r_dir_file(initrc_t,selinux_config_t)
-
-ifdef(`unlimitedRC', `
-unconfined_domain(initrc_t)
-')
-#
-# initrc script does a cat /selinux/enforce
-#
-allow initrc_t security_t:dir { getattr search };
-allow initrc_t security_t:file { getattr read };
-
-# init script state
-type initrc_state_t, file_type, sysadmfile;
-create_dir_file(initrc_t,initrc_state_t)
-
-ifdef(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-')
-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
-allow initrc_t device_t:lnk_file create_file_perms;
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-')
-
-# Slapd needs to read cert files from its initscript
-r_dir_file(initrc_t, cert_t)
diff --git a/strict/domains/program/innd.te b/strict/domains/program/innd.te
deleted file mode 100644
index 25047dfb..00000000
--- a/strict/domains/program/innd.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC INN - InterNetNews server
-#
-# Author: Faye Coker
-# X-Debian-Packages: inn
-#
-################################
-
-# Types for the server port and news spool.
-#
-type news_spool_t, file_type, sysadmfile;
-
-
-# need privmail attribute so innd can access system_mail_t
-daemon_domain(innd, `, privmail')
-
-# allow innd to create files and directories of type news_spool_t
-create_dir_file(innd_t, news_spool_t)
-
-# allow user domains to read files and directories these types
-r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
-
-can_exec(initrc_t, innd_etc_t)
-can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(innd_t, hostname_exec_t)
-')
-
-allow innd_t var_spool_t:dir { getattr search };
-
-can_network(innd_t)
-allow innd_t port_type:tcp_socket name_connect;
-can_ypbind(innd_t)
-
-can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
-allow innd_t self:unix_dgram_socket create_socket_perms;
-allow innd_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(innd_t, self)
-
-allow innd_t self:fifo_file rw_file_perms;
-allow innd_t innd_port_t:tcp_socket name_bind;
-
-allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
-allow innd_t self:process setsched;
-
-allow innd_t { bin_t sbin_t }:dir search;
-allow innd_t usr_t:lnk_file read;
-allow innd_t usr_t:file { getattr read ioctl };
-allow innd_t lib_t:file ioctl;
-allow innd_t etc_t:file { getattr read };
-allow innd_t { proc_t etc_runtime_t }:file { getattr read };
-allow innd_t urandom_device_t:chr_file read;
-
-allow innd_t innd_var_run_t:sock_file create_file_perms;
-
-# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
-etcdir_domain(innd)
-
-# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
-# it can write to
-logdir_domain(innd)
-
-# allow innd read-write directory permissions to /var/lib/news.
-var_lib_domain(innd)
-
-ifdef(`crond.te', `
-system_crond_entry(innd_exec_t, innd_t)
-allow system_crond_t innd_etc_t:file { getattr read };
-rw_dir_create_file(system_crond_t, innd_log_t)
-rw_dir_create_file(system_crond_t, innd_var_run_t)
-')
-
-ifdef(`syslogd.te', `
-allow syslogd_t innd_log_t:dir search;
-allow syslogd_t innd_log_t:file create_file_perms;
-')
-
-allow innd_t self:file { getattr read };
-dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
-allow innd_t bin_t:lnk_file { read };
-allow innd_t sbin_t:lnk_file { read };
diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te
deleted file mode 100644
index ea45a367..00000000
--- a/strict/domains/program/ipsec.te
+++ /dev/null
@@ -1,229 +0,0 @@
-#DESC ipsec - TCP/IP encryption
-#
-# Authors: Mark Westerman mark.westerman@westcam.com
-# massively butchered by paul krumviede
-# further massaged by Chris Vance
-# X-Debian-Packages: freeswan
-#
-########################################
-#
-# Rules for the ipsec_t domain.
-#
-# a domain for things that need access to the PF_KEY socket
-daemon_base_domain(ipsec, `, privlog')
-
-# type for ipsec configuration file(s) - not for keys
-type ipsec_conf_file_t, file_type, sysadmfile;
-
-# type for file(s) containing ipsec keys - RSA or preshared
-type ipsec_key_file_t, file_type, sysadmfile;
-
-# type for runtime files, including pluto.ctl
-# lots of strange stuff for the ipsec_var_run_t - need to check it
-var_run_domain(ipsec)
-
-type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
-type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
-file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
-file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
-file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
-
-allow ipsec_mgmt_t modules_object_t:dir search;
-allow ipsec_mgmt_t modules_object_t:file getattr;
-
-allow ipsec_t self:capability { net_admin net_bind_service };
-allow ipsec_t self:process signal;
-allow ipsec_t etc_t:lnk_file read;
-
-domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
-
-# Inherit and use descriptors from init.
-# allow access (for, e.g., klipsdebug) to console
-allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
-allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
-
-# I do not know where this pesky pipe is...
-allow ipsec_t initrc_t:fifo_file write;
-
-r_dir_file(ipsec_t, ipsec_conf_file_t)
-r_dir_file(ipsec_t, ipsec_key_file_t)
-allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
-rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
-
-allow ipsec_t self:key_socket { create write read setopt };
-
-# for lsof
-allow sysadm_t ipsec_t:key_socket getattr;
-
-# the ipsec wrapper wants to run /usr/bin/logger (should we put
-# it in its own domain?)
-can_exec(ipsec_mgmt_t, bin_t)
-# logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
-
-# also need to run things like whack and shell scripts
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
-can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
-allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-can_exec(ipsec_mgmt_t, shell_exec_t)
-can_exec(ipsec_t, shell_exec_t)
-can_exec(ipsec_t, bin_t)
-can_exec(ipsec_t, ipsec_mgmt_exec_t)
-# now for a icky part...
-# pluto runs an updown script (by calling popen()!); as this is by default
-# a shell script, we need to find a way to make things work without
-# letting all sorts of stuff possibly be run...
-# so try flipping back into the ipsec_mgmt_t domain
-domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
-allow ipsec_mgmt_t ipsec_t:fd use;
-
-# the default updown script wants to run route
-can_exec(ipsec_mgmt_t, sbin_t)
-allow ipsec_mgmt_t sbin_t:lnk_file read;
-allow ipsec_mgmt_t self:capability { net_admin dac_override };
-
-# need access to /proc/sys/net/ipsec/icmp
-allow ipsec_mgmt_t sysctl_t:file write;
-allow ipsec_mgmt_t sysctl_net_t:dir search;
-allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
-
-# whack needs to be able to read/write pluto.ctl
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
-# and it wants to connect to a socket...
-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
-
-# allow system administrator to use the ipsec script to look
-# at things (e.g., ipsec auto --status)
-# probably should create an ipsec_admin role for this kind of thing
-can_exec(sysadm_t, ipsec_mgmt_exec_t)
-allow sysadm_t ipsec_t:unix_stream_socket connectto;
-
-# _realsetup needs to be able to cat /var/run/pluto.pid,
-# run ps on that pid, and delete the file
-allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
-
-allow ipsec_mgmt_t boot_t:dir search;
-allow ipsec_mgmt_t system_map_t:file { read getattr };
-
-# denials when ps tries to search /proc. Do not audit these denials.
-dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
-
-# suppress audit messages about unnecessary socket access
-dontaudit ipsec_mgmt_t domain:key_socket { read write };
-dontaudit ipsec_mgmt_t domain:udp_socket { read write };
-
-# from rbac
-role system_r types { ipsec_t ipsec_mgmt_t };
-
-# from initrc.te
-domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
-domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
-
-
-########## The following rules were added by cvance@tislabs.com ##########
-
-# allow pluto and startup scripts to access /dev/urandom
-allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-# allow pluto to access /proc/net/ipsec_eroute;
-general_proc_read_access(ipsec_t)
-general_proc_read_access(ipsec_mgmt_t)
-
-# allow pluto to search the root directory (not sure why, but mostly harmless)
-# Are these all really necessary?
-allow ipsec_t var_t:dir search;
-allow ipsec_t bin_t:dir search;
-allow ipsec_t device_t:dir { getattr search };
-allow ipsec_mgmt_t device_t:dir { getattr search read };
-dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
-dontaudit ipsec_mgmt_t devpts_t:dir getattr;
-allow ipsec_mgmt_t etc_t:lnk_file read;
-allow ipsec_mgmt_t var_t:dir search;
-allow ipsec_mgmt_t sbin_t:dir search;
-allow ipsec_mgmt_t bin_t:dir search;
-allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
-
-# Startup scripts
-# use libraries
-uses_shlib({ ipsec_t ipsec_mgmt_t })
-# Read and write /dev/tty
-allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
-# fork
-allow ipsec_mgmt_t self:process fork;
-# startup script runs /bin/gawk with a pipe
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
-# read /etc/mtab Why?
-allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
-# read link for /bin/sh
-allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
-
-#
-allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
-
-# Allow read/write access to /var/run/pluto.ctl
-allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
-
-# Pluto needs network access
-can_network_server(ipsec_t)
-can_ypbind(ipsec_t)
-allow ipsec_t self:unix_dgram_socket create_socket_perms;
-
-# for sleep
-allow ipsec_mgmt_t fs_t:filesystem getattr;
-
-# for the start script
-can_exec(ipsec_mgmt_t, etc_t)
-
-# allow access to /etc/localtime
-allow ipsec_mgmt_t etc_t:file { read getattr };
-allow ipsec_t etc_t:file { read getattr };
-
-# allow access to /dev/null
-allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
-allow ipsec_t null_device_t:chr_file rw_file_perms;
-
-# Allow scripts to use /var/lock/subsys/ipsec
-lock_domain(ipsec_mgmt)
-
-# allow tncfg to create sockets
-allow ipsec_mgmt_t self:udp_socket { create ioctl };
-
-#When running ipsec auto --up
-allow ipsec_t self:process { fork sigchld };
-allow ipsec_t self:fifo_file { read getattr };
-
-# ideally it would not need this. It wants to write to /root/.rnd
-file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-
-allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
-allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
-allow ipsec_mgmt_t self:lnk_file read;
-
-allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
-read_locale(ipsec_mgmt_t)
-var_run_domain(ipsec_mgmt)
-dontaudit ipsec_mgmt_t default_t:dir getattr;
-dontaudit ipsec_mgmt_t default_t:file getattr;
-allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
-allow ipsec_mgmt_t self:key_socket { create setopt };
-can_exec(ipsec_mgmt_t, initrc_exec_t)
-allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
-read_locale(ipsec_t)
-ifdef(`consoletype.te', `
-can_exec(ipsec_mgmt_t, consoletype_exec_t )
-')
-dontaudit ipsec_mgmt_t selinux_config_t:dir search;
-dontaudit ipsec_t ttyfile:chr_file { read write };
-allow ipsec_t self:capability { dac_override dac_read_search };
-allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
-allow ipsec_mgmt_t dev_fs:file_class_set getattr;
-dontaudit ipsec_mgmt_t device_t:lnk_file read;
-allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
-allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
-rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
-rw_dir_create_file(initrc_t, ipsec_var_run_t)
-allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
diff --git a/strict/domains/program/iptables.te b/strict/domains/program/iptables.te
deleted file mode 100644
index 8d83280c..00000000
--- a/strict/domains/program/iptables.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#DESC Ipchains - IP packet filter administration
-#
-# Authors: Justin Smith
-# Russell Coker
-# X-Debian-Packages: ipchains iptables
-#
-
-#
-# Rules for the iptables_t domain.
-#
-daemon_base_domain(iptables, `, privmodule')
-role sysadm_r types iptables_t;
-domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
-
-ifdef(`modutil.te', `
-# for modprobe
-allow iptables_t sbin_t:dir search;
-allow iptables_t sbin_t:lnk_file read;
-')
-
-read_locale(iptables_t)
-
-# to allow rules to be saved on reboot
-allow iptables_t initrc_tmp_t:file rw_file_perms;
-
-domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
-allow iptables_t var_t:dir search;
-var_run_domain(iptables)
-
-allow iptables_t self:process { fork signal_perms };
-
-allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
-allow iptables_t sysctl_modprobe_t:file { getattr read };
-
-tmp_domain(iptables)
-
-# for iptables -L
-allow iptables_t self:unix_stream_socket create_socket_perms;
-can_resolve(iptables_t)
-can_ypbind(iptables_t)
-
-allow iptables_t iptables_exec_t:file execute_no_trans;
-allow iptables_t self:capability { net_admin net_raw };
-allow iptables_t self:rawip_socket create_socket_perms;
-
-allow iptables_t etc_t:file { getattr read };
-
-allow iptables_t fs_t:filesystem getattr;
-allow iptables_t { userdomain kernel_t }:fd use;
-
-# Access terminals.
-allow iptables_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
-
-allow iptables_t proc_t:file { getattr read };
-allow iptables_t proc_net_t:dir search;
-allow iptables_t proc_net_t:file { read getattr };
-
-# system-config-network appends to /var/log
-allow iptables_t var_log_t:file append;
-ifdef(`firstboot.te', `
-allow iptables_t firstboot_t:fifo_file write;
-')
diff --git a/strict/domains/program/irc.te b/strict/domains/program/irc.te
deleted file mode 100644
index 50c11227..00000000
--- a/strict/domains/program/irc.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Irc - IRC client
-#
-# Domains for the irc program.
-# X-Debian-Packages: tinyirc ircii
-
-#
-# irc_exec_t is the type of the irc executable.
-#
-type irc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the irc_domain macro in
-# macros/program/irc_macros.te.
diff --git a/strict/domains/program/irqbalance.te b/strict/domains/program/irqbalance.te
deleted file mode 100644
index 35be1924..00000000
--- a/strict/domains/program/irqbalance.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC IRQBALANCE - IRQ balance daemon
-#
-# Author: Ulrich Drepper
-#
-
-#################################
-#
-# Rules for the irqbalance_t domain.
-#
-daemon_domain(irqbalance)
-
-# irqbalance needs access to /proc.
-allow irqbalance_t proc_t:file { read getattr };
-allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
-allow irqbalance_t sysctl_irq_t:file rw_file_perms;
diff --git a/strict/domains/program/java.te b/strict/domains/program/java.te
deleted file mode 100644
index dfd03723..00000000
--- a/strict/domains/program/java.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC Java VM
-#
-# Authors: Dan Walsh
-# X-Debian-Packages: java
-#
-
-# Type for the netscape, java or other browser executables.
-type java_exec_t, file_type, sysadmfile, exec_type;
-
-# Allow java executable stack
-bool allow_java_execstack false;
-
-# Everything else is in the java_domain macro in
-# macros/program/java_macros.te.
diff --git a/strict/domains/program/kerberos.te b/strict/domains/program/kerberos.te
deleted file mode 100644
index 19cc3c49..00000000
--- a/strict/domains/program/kerberos.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Kerberos5 - MIT Kerberos5
-# supports krb5kdc and kadmind daemons
-# kinit, kdestroy, klist clients
-# ksu support not complete
-#
-# includes rules for OpenSSH daemon compiled with both
-# kerberos5 and SELinux support
-#
-# Not supported : telnetd, ftpd, kprop/kpropd daemons
-#
-# Author: Kerry Thompson
-# Modified by Colin Walters
-#
-
-#################################
-#
-# Rules for the krb5kdc_t,kadmind_t domains.
-#
-daemon_domain(krb5kdc)
-daemon_domain(kadmind)
-
-can_exec(krb5kdc_t, krb5kdc_exec_t)
-can_exec(kadmind_t, kadmind_exec_t)
-
-# types for general configuration files in /etc
-type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
-
-# types for KDC configs and principal file(s)
-type krb5kdc_conf_t, file_type, sysadmfile;
-type krb5kdc_principal_t, file_type, sysadmfile;
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
-allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
-
-# krb5kdc and kadmind can use network
-can_network_server( { krb5kdc_t kadmind_t } )
-can_ypbind( { krb5kdc_t kadmind_t } )
-
-# allow UDP transfer to/from any program
-can_udp_send(kerberos_port_t, krb5kdc_t)
-can_udp_send(krb5kdc_t, kerberos_port_t)
-can_tcp_connect(kerberos_port_t, krb5kdc_t)
-can_tcp_connect(kerberos_admin_port_t, kadmind_t)
-
-# Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t reserved_port_t:tcp_socket name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
-
-#
-# Rules for Kerberos5 KDC daemon
-allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
-allow krb5kdc_t self:unix_stream_socket create_socket_perms;
-allow kadmind_t self:unix_stream_socket create_socket_perms;
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-allow krb5kdc_t locale_t:file { getattr read };
-dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
-allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
-allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
-dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
-tmp_domain(krb5kdc)
-log_domain(krb5kdc)
-allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
-allow kadmind_t random_device_t:chr_file { getattr read };
-allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t proc_t:dir r_dir_perms;
-allow krb5kdc_t proc_t:file { getattr read };
-
-#
-# Rules for Kerberos5 Kadmin daemon
-allow kadmind_t self:unix_dgram_socket { connect create write };
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
-allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
-read_locale(kadmind_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
-tmp_domain(kadmind)
-log_domain(kadmind)
-
-#
-# Allow user programs to talk to KDC
-allow krb5kdc_t userdomain:udp_socket recvfrom;
-allow userdomain krb5kdc_t:udp_socket recvfrom;
-allow initrc_t krb5_conf_t:file ioctl;
diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te
deleted file mode 100644
index dd0b79cc..00000000
--- a/strict/domains/program/klogd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Klogd - Kernel log daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: klogd
-#
-
-#################################
-#
-# Rules for the klogd_t domain.
-#
-daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
-
-tmp_domain(klogd)
-allow klogd_t proc_t:dir r_dir_perms;
-allow klogd_t proc_t:lnk_file r_file_perms;
-allow klogd_t proc_t:file { getattr read };
-allow klogd_t self:dir r_dir_perms;
-allow klogd_t self:lnk_file r_file_perms;
-
-# read /etc/nsswitch.conf
-allow klogd_t etc_t:lnk_file read;
-allow klogd_t etc_t:file r_file_perms;
-
-read_locale(klogd_t)
-
-allow klogd_t etc_runtime_t:file { getattr read };
-
-# Create unix sockets
-allow klogd_t self:unix_dgram_socket create_socket_perms;
-
-# Use the sys_admin and sys_rawio capabilities.
-allow klogd_t self:capability { sys_admin sys_rawio };
-dontaudit klogd_t self:capability sys_resource;
-
-
-# Read /proc/kmsg and /dev/mem.
-allow klogd_t proc_kmsg_t:file r_file_perms;
-allow klogd_t memory_device_t:chr_file r_file_perms;
-
-# Control syslog and console logging
-allow klogd_t kernel_t:system { syslog_mod syslog_console };
-
-# Read /boot/System.map*
-allow klogd_t system_map_t:file r_file_perms;
-allow klogd_t boot_t:dir r_dir_perms;
-ifdef(`targeted_policy', `
-allow klogd_t unconfined_t:system syslog_mod;
-')
diff --git a/strict/domains/program/ktalkd.te b/strict/domains/program/ktalkd.te
deleted file mode 100644
index 7ae0109c..00000000
--- a/strict/domains/program/ktalkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC ktalkd - KDE version of the talk server
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the ktalkd_t domain.
-#
-# ktalkd_exec_t is the type of the ktalkd executable.
-#
-
-inetd_child_domain(ktalkd, udp)
diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te
deleted file mode 100644
index 149b2221..00000000
--- a/strict/domains/program/kudzu.te
+++ /dev/null
@@ -1,115 +0,0 @@
-#DESC kudzu - Red Hat utility to recognise new hardware
-#
-# Author: Russell Coker
-#
-
-daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
-
-read_locale(kudzu_t)
-
-# for /etc/sysconfig/hwconf - probably need a new type
-allow kudzu_t etc_runtime_t:file rw_file_perms;
-
-# for kmodule
-if (allow_execmem) {
-allow kudzu_t self:process execmem;
-}
-allow kudzu_t zero_device_t:chr_file rx_file_perms;
-allow kudzu_t memory_device_t:chr_file { read write execute };
-
-allow kudzu_t ramfs_t:dir search;
-allow kudzu_t ramfs_t:sock_file write;
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read unlink rename };
-allow kudzu_t modules_object_t:dir r_dir_perms;
-allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
-allow kudzu_t mouse_device_t:chr_file { read write };
-allow kudzu_t proc_net_t:dir r_dir_perms;
-allow kudzu_t { proc_net_t proc_t }:file { getattr read };
-allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
-allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
-allow kudzu_t { bin_t sbin_t }:dir { getattr search };
-allow kudzu_t { bin_t sbin_t }:lnk_file read;
-read_sysctl(kudzu_t)
-allow kudzu_t sysctl_dev_t:dir { getattr search read };
-allow kudzu_t sysctl_dev_t:file { getattr read };
-allow kudzu_t sysctl_kernel_t:file write;
-allow kudzu_t usbdevfs_t:dir search;
-allow kudzu_t usbdevfs_t:file { getattr read };
-allow kudzu_t usbfs_t:dir search;
-allow kudzu_t usbfs_t:file { getattr read };
-var_run_domain(kudzu)
-allow kudzu_t kernel_t:system syslog_console;
-allow kudzu_t self:udp_socket { create ioctl };
-allow kudzu_t var_lock_t:dir search;
-allow kudzu_t devpts_t:dir search;
-
-# so it can write messages to the console
-allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
-
-role sysadm_r types kudzu_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
-')
-ifdef(`anaconda.te', `
-domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
-
-allow kudzu_t sysadm_home_dir_t:dir search;
-rw_dir_create_file(kudzu_t, etc_t)
-
-rw_dir_create_file(kudzu_t, mnt_t)
-can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
-# Read /usr/lib/gconv/gconv-modules.*
-allow kudzu_t lib_t:file { read getattr };
-# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
-allow kudzu_t usr_t:file { read getattr };
-r_dir_file(kudzu_t, hwdata_t)
-
-# Communicate with rhgb-client.
-allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow kudzu_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`rhgb.te', `
-allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-
-allow kudzu_t self:file { getattr read };
-allow kudzu_t self:fifo_file rw_file_perms;
-ifdef(`gpm.te', `
-allow kudzu_t gpmctl_t:sock_file getattr;
-')
-
-can_exec(kudzu_t, shell_exec_t)
-
-# Write to /proc/sys/kernel/hotplug. Why?
-allow kudzu_t sysctl_hotplug_t:file { read write };
-
-allow kudzu_t sysfs_t:dir { getattr read search };
-allow kudzu_t sysfs_t:file { getattr read };
-allow kudzu_t sysfs_t:lnk_file read;
-file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
-allow kudzu_t tape_device_t:chr_file r_file_perms;
-tmp_domain(kudzu, `', `{ file dir chr_file }')
-
-# for file systems that are not yet mounted
-dontaudit kudzu_t file_t:dir search;
-ifdef(`lpd.te', `
-allow kudzu_t printconf_t:file { getattr read };
-')
-ifdef(`cups.te', `
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
-')
-dontaudit kudzu_t src_t:dir search;
-ifdef(`xserver.te', `
-allow kudzu_t xserver_exec_t:file getattr;
-')
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-allow kudzu_t initrc_t:unix_stream_socket connectto;
-allow kudzu_t net_conf_t:file { getattr read };
-
diff --git a/strict/domains/program/ldconfig.te b/strict/domains/program/ldconfig.te
deleted file mode 100644
index fbb76886..00000000
--- a/strict/domains/program/ldconfig.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Ldconfig - Configure dynamic linker bindings
-#
-# Author: Russell Coker
-# X-Debian-Packages: libc6
-#
-
-#################################
-#
-# Rules for the ldconfig_t domain.
-#
-type ldconfig_t, domain, privlog, etc_writer;
-type ldconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types ldconfig_t;
-role system_r types ldconfig_t;
-
-domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
-dontaudit ldconfig_t device_t:dir search;
-can_access_pty(ldconfig_t, initrc)
-allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
-allow ldconfig_t privfd:fd use;
-
-uses_shlib(ldconfig_t)
-
-file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
-allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file create_lnk_perms;
-
-allow ldconfig_t userdomain:fd use;
-# unlink for when /etc/ld.so.cache is mislabeled
-allow ldconfig_t etc_t:file { getattr read unlink };
-allow ldconfig_t etc_t:lnk_file read;
-
-allow ldconfig_t fs_t:filesystem getattr;
-allow ldconfig_t tmp_t:dir search;
-
-ifdef(`apache.te', `
-# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-dontaudit ldconfig_t httpd_modules_t:dir search;
-')
-
-allow ldconfig_t { var_t var_lib_t }:dir search;
-allow ldconfig_t proc_t:file { getattr read };
-ifdef(`hide_broken_symptoms', `
-ifdef(`unconfined.te',`
-dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
-')dnl end hide_broken_symptoms
-ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t)
-')
diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te
deleted file mode 100644
index 7ff7a61c..00000000
--- a/strict/domains/program/load_policy.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC LoadPolicy - SELinux policy loading utilities
-#
-# Authors: Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: policycoreutils
-#
-
-###########################
-# load_policy_t is the domain type for load_policy
-# load_policy_exec_t is the file type for the executable
-
-
-type load_policy_t, domain;
-role sysadm_r types load_policy_t;
-role secadm_r types load_policy_t;
-role system_r types load_policy_t;
-
-type load_policy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-#
-# Rules
-
-domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
-
-allow load_policy_t console_device_t:chr_file { read write };
-
-# Reload the policy configuration (sysadm_t no longer has this ability)
-can_loadpol(load_policy_t)
-
-# Reset policy boolean values.
-can_setbool(load_policy_t)
-
-
-###########################
-# constrain from where load_policy can load a policy, specifically
-# policy_config_t files
-#
-
-# only allow read of policy config files
-allow load_policy_t policy_src_t:dir search;
-r_dir_file(load_policy_t, policy_config_t)
-r_dir_file(load_policy_t, selinux_config_t)
-
-# directory search permissions for path to binary policy files
-allow load_policy_t root_t:dir search;
-allow load_policy_t etc_t:dir search;
-
-# for mcs.conf
-allow load_policy_t etc_t:file { getattr read };
-
-# Other access
-can_access_pty(load_policy_t, initrc)
-allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(load_policy_t)
-allow load_policy_t self:capability dac_override;
-
-allow load_policy_t { userdomain privfd initrc_t }:fd use;
-
-allow load_policy_t fs_t:filesystem getattr;
-
-read_locale(load_policy_t)
diff --git a/strict/domains/program/loadkeys.te b/strict/domains/program/loadkeys.te
deleted file mode 100644
index 09597624..00000000
--- a/strict/domains/program/loadkeys.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC loadkeys - for changing to unicode at login time
-#
-# Author: Russell Coker
-#
-# X-Debian-Packages: console-tools
-
-#
-# loadkeys_exec_t is the type of the wrapper
-#
-type loadkeys_exec_t, file_type, sysadmfile, exec_type;
-
-can_exec(initrc_t, loadkeys_exec_t)
-
-# Derived domain based on the calling user domain and the program.
-type loadkeys_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)
-
-uses_shlib(loadkeys_t)
-dontaudit loadkeys_t proc_t:dir search;
-allow loadkeys_t proc_t:file { getattr read };
-allow loadkeys_t self:process { fork sigchld };
-
-allow loadkeys_t self:fifo_file rw_file_perms;
-allow loadkeys_t bin_t:dir search;
-allow loadkeys_t bin_t:lnk_file read;
-can_exec(loadkeys_t, { shell_exec_t bin_t })
-
-read_locale(loadkeys_t)
-
-dontaudit loadkeys_t etc_runtime_t:file { getattr read };
-
-# Use capabilities.
-allow loadkeys_t self:capability { setuid sys_tty_config };
-
-allow loadkeys_t local_login_t:fd use;
-allow loadkeys_t devtty_t:chr_file rw_file_perms;
-
-# The user role is authorized for this domain.
-in_user_role(loadkeys_t)
-
-# Write to the user domain tty.
-allow loadkeys_t ttyfile:chr_file rw_file_perms;
-
diff --git a/strict/domains/program/lockdev.te b/strict/domains/program/lockdev.te
deleted file mode 100644
index adb2a775..00000000
--- a/strict/domains/program/lockdev.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Lockdev - libblockdev helper application
-#
-# Authors: Daniel Walsh
-#
-
-
-# Type for the lockdev
-type lockdev_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the lockdev_domain macro in
-# macros/program/lockdev_macros.te.
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
deleted file mode 100644
index 289879b4..00000000
--- a/strict/domains/program/login.te
+++ /dev/null
@@ -1,234 +0,0 @@
-#DESC Login - Local/remote login utilities
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Macroised by Russell Coker
-# X-Debian-Packages: login
-#
-
-#################################
-#
-# Rules for the local_login_t domain
-# and the remote_login_t domain.
-#
-
-# $1 is the name of the domain (local or remote)
-define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
-role system_r types $1_login_t;
-
-dontaudit $1_login_t shadow_t:file { getattr read };
-
-general_domain_access($1_login_t);
-
-# Read system information files in /proc.
-r_dir_file($1_login_t, proc_t)
-
-base_file_read_access($1_login_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_login_t readable_t:dir r_dir_perms;
-allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
-
-# Read /var, /var/spool
-allow $1_login_t { var_t var_spool_t }:dir search;
-
-# for when /var/mail is a sym-link
-allow $1_login_t var_t:lnk_file read;
-
-# Read /etc.
-r_dir_file($1_login_t, etc_t)
-allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
-read_locale($1_login_t)
-
-# for SSP/ProPolice
-allow $1_login_t urandom_device_t:chr_file { getattr read };
-
-# Read executable types.
-allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow $1_login_t device_t:dir r_dir_perms;
-allow $1_login_t device_t:lnk_file r_file_perms;
-
-uses_shlib($1_login_t);
-
-tmp_domain($1_login)
-
-ifdef(`pam.te', `
-can_exec($1_login_t, pam_exec_t)
-')
-
-ifdef(`pamconsole.te', `
-rw_dir_create_file($1_login_t, pam_var_console_t)
-domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
-')
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
-
-# Use capabilities
-allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow $1_login_t self:process setrlimit;
-dontaudit $1_login_t sysfs_t:dir search;
-
-# Set exec context.
-can_setexec($1_login_t)
-
-allow $1_login_t autofs_t:dir { search read getattr };
-allow $1_login_t mnt_t:dir r_dir_perms;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1_login_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file($1_login_t, cifs_t)
-}
-
-# Login can polyinstantiate
-polyinstantiater($1_login_t)
-
-# FIXME: what is this for?
-ifdef(`xdm.te', `
-allow xdm_t $1_login_t:process signull;
-')
-
-ifdef(`crack.te', `
-allow $1_login_t crack_db_t:file r_file_perms;
-')
-
-# Permit login to search the user home directories.
-allow $1_login_t home_root_t:dir search;
-allow $1_login_t home_dir_type:dir search;
-
-# Write to /var/run/utmp.
-allow $1_login_t var_run_t:dir search;
-allow $1_login_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow $1_login_t var_log_t:dir search;
-allow $1_login_t wtmp_t:file rw_file_perms;
-
-# Write to /var/log/lastlog.
-allow $1_login_t lastlog_t:file rw_file_perms;
-
-# Write to /var/log/btmp
-allow $1_login_t faillog_t:file { lock append read write };
-
-# Search for mail spool file.
-allow $1_login_t mail_spool_t:dir r_dir_perms;
-allow $1_login_t mail_spool_t:file getattr;
-allow $1_login_t mail_spool_t:lnk_file read;
-
-# Get security policy decisions.
-can_getsecurity($1_login_t)
-
-# allow read access to default_contexts in /etc/security
-allow $1_login_t default_context_t:file r_file_perms;
-allow $1_login_t default_context_t:dir search;
-r_dir_file($1_login_t, selinux_config_t)
-
-allow $1_login_t mouse_device_t:chr_file { getattr setattr };
-
-ifdef(`targeted_policy',`
-unconfined_domain($1_login_t)
-domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
-')
-
-')dnl end login_domain macro
-#################################
-#
-# Rules for the local_login_t domain.
-#
-# local_login_t is the domain of a login process
-# spawned by getty.
-#
-# remote_login_t is the domain of a login process
-# spawned by rlogind.
-#
-# login_exec_t is the type of the login program
-#
-type login_exec_t, file_type, sysadmfile, exec_type;
-
-login_domain(local)
-
-# But also permit other user domains to be entered by login.
-login_spawn_domain(local_login, userdomain)
-
-# Do not audit denied attempts to access devices.
-dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
-dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
-dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
-dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
-dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
-dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
-dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
-
-# Do not audit denied attempts to access /mnt.
-dontaudit local_login_t mnt_t:dir r_dir_perms;
-
-
-# Create lock file.
-lock_domain(local_login)
-
-# Read and write ttys.
-allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
-allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
-
-# Relabel ttys.
-allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
-allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
-
-ifdef(`gpm.te',
-`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
-
-# Allow setting of attributes on sound devices.
-allow local_login_t sound_device_t:chr_file { getattr setattr };
-
-# Allow setting of attributes on power management devices.
-allow local_login_t power_device_t:chr_file { getattr setattr };
-dontaudit local_login_t init_t:fd use;
-
-#################################
-#
-# Rules for the remote_login_t domain.
-#
-
-login_domain(remote)
-
-# Only permit unprivileged user domains to be entered via rlogin,
-# since very weak authentication is used.
-login_spawn_domain(remote_login, unpriv_userdomain)
-
-allow remote_login_t userpty_type:chr_file { setattr write };
-
-# Use the pty created by rlogind.
-ifdef(`rlogind.te', `
-can_access_pty(remote_login_t, rlogind)
-# Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
-')
-
-# Use the pty created by telnetd.
-ifdef(`telnetd.te', `
-can_access_pty(remote_login_t, telnetd)
-# Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
-')
-
-allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
-allow remote_login_t fs_t:filesystem { getattr };
-
-# Allow remote login to resolve host names (passed in via the -h switch)
-can_resolve(remote_login_t)
-
-ifdef(`use_mcs', `
-ifdef(`getty.te', `
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-')
-')
diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te
deleted file mode 100644
index d568a5f3..00000000
--- a/strict/domains/program/logrotate.te
+++ /dev/null
@@ -1,150 +0,0 @@
-#DESC Logrotate - Rotate log files
-#
-# Authors: Stephen Smalley Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: logrotate
-# Depends: crond.te
-#
-
-#################################
-#
-# Rules for the logrotate_t domain.
-#
-# logrotate_t is the domain for the logrotate program.
-# logrotate_exec_t is the type of the corresponding program.
-#
-type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
-role system_r types logrotate_t;
-role sysadm_r types logrotate_t;
-uses_shlib(logrotate_t)
-general_domain_access(logrotate_t)
-type logrotate_exec_t, file_type, sysadmfile, exec_type;
-
-system_crond_entry(logrotate_exec_t, logrotate_t)
-allow logrotate_t cron_spool_t:dir search;
-allow crond_t logrotate_var_lib_t:dir search;
-domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
-allow logrotate_t self:unix_stream_socket create_socket_perms;
-allow logrotate_t devtty_t:chr_file rw_file_perms;
-
-ifdef(`distro_debian', `
-allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
-# for savelog
-can_exec(logrotate_t, logrotate_exec_t)
-')
-
-# for perl
-allow logrotate_t usr_t:file { getattr read ioctl };
-allow logrotate_t usr_t:lnk_file read;
-
-# access files in /etc
-allow logrotate_t etc_t:file { getattr read ioctl };
-allow logrotate_t etc_t:lnk_file { getattr read };
-allow logrotate_t etc_runtime_t:file r_file_perms;
-
-# it should not require this
-allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
-
-# create lock files
-lock_domain(logrotate)
-
-# Create temporary files.
-tmp_domain(logrotate)
-can_exec(logrotate_t, logrotate_tmp_t)
-
-# Run helper programs.
-allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
-allow logrotate_t { bin_t sbin_t }:lnk_file read;
-can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-# Read PID files.
-allow logrotate_t pidfile:file r_file_perms;
-
-# Read /proc/PID directories for all domains.
-read_sysctl(logrotate_t)
-allow logrotate_t proc_t:dir r_dir_perms;
-allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
-allow logrotate_t domain:notdevfile_class_set r_file_perms;
-allow logrotate_t domain:dir r_dir_perms;
-allow logrotate_t exec_type:file getattr;
-
-# Read /dev directories and any symbolic links.
-allow logrotate_t device_t:dir r_dir_perms;
-allow logrotate_t device_t:lnk_file r_file_perms;
-
-# Signal processes.
-allow logrotate_t domain:process signal;
-
-# Modify /var/log and other log dirs.
-allow logrotate_t var_t:dir r_dir_perms;
-allow logrotate_t logfile:dir rw_dir_perms;
-allow logrotate_t logfile:lnk_file read;
-
-# Create, rename, and truncate log files.
-allow logrotate_t logfile:file create_file_perms;
-allow logrotate_t wtmp_t:file create_file_perms;
-ifdef(`squid.te', `
-allow squid_t { system_crond_t crond_t }:fd use;
-allow squid_t crond_t:fifo_file { read write };
-allow squid_t system_crond_t:fifo_file write;
-allow squid_t self:capability kill;
-')
-
-# Set a context other than the default one for newly created files.
-can_setfscreate(logrotate_t)
-
-# Change ownership on log files.
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
-# for mailx
-dontaudit logrotate_t self:capability { setuid setgid };
-
-ifdef(`mta.te', `
-allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
-')
-
-# Access /var/run
-allow logrotate_t var_run_t:dir r_dir_perms;
-
-# for /var/lib/logrotate.status and /var/lib/logcheck
-var_lib_domain(logrotate)
-allow logrotate_t logrotate_var_lib_t:dir create;
-
-# Write to /var/spool/slrnpull - should be moved into its own type.
-create_dir_file(logrotate_t, var_spool_t)
-
-allow logrotate_t urandom_device_t:chr_file { getattr read };
-
-# Access terminals.
-allow logrotate_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
-allow logrotate_t privfd:fd use;
-
-# for /var/backups on Debian
-ifdef(`backup.te', `
-rw_dir_create_file(logrotate_t, backup_store_t)
-')
-
-read_locale(logrotate_t)
-
-allow logrotate_t fs_t:filesystem getattr;
-can_exec(logrotate_t, shell_exec_t)
-ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
-can_exec(logrotate_t,logfile)
-allow logrotate_t net_conf_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-can_exec(logrotate_t, consoletype_exec_t)
-dontaudit consoletype_t logrotate_t:fd use;
-')
-
-allow logrotate_t syslogd_t:unix_dgram_socket sendto;
-
-domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
-
-# Supress libselinux initialization denials
-dontaudit logrotate_t selinux_config_t:dir search;
-dontaudit logrotate_t selinux_config_t:file { read getattr };
-
-# Allow selinux_getenforce
-allow logrotate_t security_t:dir search;
-allow logrotate_t security_t:file { getattr read };
diff --git a/strict/domains/program/lpd.te b/strict/domains/program/lpd.te
deleted file mode 100644
index 76cd44dd..00000000
--- a/strict/domains/program/lpd.te
+++ /dev/null
@@ -1,161 +0,0 @@
-#DESC Lpd - Print server
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Modified by David A. Wheeler for LPRng (Red Hat 7.1)
-# Modified by Russell Coker
-# X-Debian-Packages: lpr
-#
-
-#################################
-#
-# Rules for the lpd_t domain.
-#
-# lpd_t is the domain of lpd.
-# lpd_exec_t is the type of the lpd executable.
-# printer_t is the type of the Unix domain socket created
-# by lpd.
-#
-daemon_domain(lpd)
-
-allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-
-read_fonts(lpd_t)
-
-type printer_t, file_type, sysadmfile, dev_fs;
-
-type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf.
-
-tmp_domain(lpd);
-
-# for postscript include files
-allow lpd_t usr_t:{ file lnk_file } { getattr read };
-
-# Allow checkpc to access the lpd spool so it can check & fix it.
-# This requires that /usr/sbin/checkpc have type checkpc_t.
-type checkpc_t, domain, privlog;
-role system_r types checkpc_t;
-uses_shlib(checkpc_t)
-can_network_client(checkpc_t)
-allow checkpc_t port_type:tcp_socket name_connect;
-can_ypbind(checkpc_t)
-log_domain(checkpc)
-type checkpc_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
-domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
-role sysadm_r types checkpc_t;
-allow checkpc_t admin_tty_type:chr_file { read write };
-allow checkpc_t privfd:fd use;
-ifdef(`crond.te', `
-system_crond_entry(checkpc_exec_t, checkpc_t)
-')
-allow checkpc_t self:capability { setgid setuid dac_override };
-allow checkpc_t self:process { fork signal_perms };
-
-allow checkpc_t proc_t:dir search;
-allow checkpc_t proc_t:lnk_file read;
-allow checkpc_t proc_t:file { getattr read };
-r_dir_file(checkpc_t, self)
-allow checkpc_t self:unix_stream_socket create_socket_perms;
-
-allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow checkpc_t etc_t:lnk_file read;
-
-allow checkpc_t { var_t var_spool_t }:dir { getattr search };
-allow checkpc_t print_spool_t:file { rw_file_perms unlink };
-allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
-allow checkpc_t device_t:dir search;
-allow checkpc_t printer_device_t:chr_file { getattr append };
-allow checkpc_t devtty_t:chr_file rw_file_perms;
-allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
-
-# Allow access to /dev/console through the fd:
-allow checkpc_t init_t:fd use;
-
-# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
-allow checkpc_t { bin_t sbin_t }:dir search;
-allow checkpc_t bin_t:lnk_file read;
-can_exec(checkpc_t, shell_exec_t)
-can_exec(checkpc_t, bin_t)
-
-# bash wants access to /proc/meminfo
-allow lpd_t proc_t:file { getattr read };
-
-# gs-gnu wants to read some sysctl entries, it seems to work without though
-dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
-
-# for defoma
-r_dir_file(lpd_t, var_lib_t)
-
-allow checkpc_t var_run_t:dir search;
-allow checkpc_t lpd_var_run_t:dir { search getattr };
-
-# This is needed to permit chown to read /var/spool/lpd/lp.
-# This is opens up security more than necessary; this means that ANYTHING
-# running in the initrc_t domain can read the printer spool directory.
-# Perhaps executing /etc/rc.d/init.d/lpd should transition
-# to domain lpd_t, instead of waiting for executing lpd.
-allow initrc_t print_spool_t:dir read;
-
-# for defoma
-r_dir_file(lpd_t, readable_t)
-
-# Use capabilities.
-allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
-
-# Use the network.
-can_network_server(lpd_t)
-can_ypbind(lpd_t)
-allow lpd_t self:fifo_file rw_file_perms;
-allow lpd_t self:unix_stream_socket create_stream_socket_perms;
-allow lpd_t self:unix_dgram_socket create_socket_perms;
-
-allow lpd_t self:file { getattr read };
-allow lpd_t etc_runtime_t:file { getattr read };
-
-# Bind to the printer port.
-allow lpd_t printer_port_t:tcp_socket name_bind;
-
-# Send to portmap.
-ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
-
-ifdef(`ypbind.te',
-`# Connect to ypbind.
-can_tcp_connect(lpd_t, ypbind_t)')
-
-# Create and bind to /dev/printer.
-file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
-allow lpd_t printer_t:unix_stream_socket name_bind;
-allow lpd_t printer_t:unix_dgram_socket name_bind;
-allow lpd_t printer_device_t:chr_file rw_file_perms;
-
-# Write to /var/spool/lpd.
-allow lpd_t var_spool_t:dir search;
-allow lpd_t print_spool_t:dir rw_dir_perms;
-allow lpd_t print_spool_t:file create_file_perms;
-allow lpd_t print_spool_t:file rw_file_perms;
-
-# Execute filter scripts.
-# can_exec(lpd_t, print_spool_t)
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow lpd_t bin_t:dir search;
-allow lpd_t bin_t:lnk_file read;
-can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
-
-# lpd must be able to execute the filter utilities in /usr/share/printconf.
-can_exec(lpd_t, printconf_t)
-allow lpd_t printconf_t:file rx_file_perms;
-allow lpd_t printconf_t:dir { getattr search read };
-
-# config files for lpd are of type etc_t, probably should change this
-allow lpd_t etc_t:file { getattr read };
-allow lpd_t etc_t:lnk_file read;
-
-# checkpc needs similar permissions.
-allow checkpc_t printconf_t:file getattr;
-allow checkpc_t printconf_t:dir { getattr search read };
-
-# Read printconf files.
-allow initrc_t printconf_t:dir r_dir_perms;
-allow initrc_t printconf_t:file r_file_perms;
-
diff --git a/strict/domains/program/lpr.te b/strict/domains/program/lpr.te
deleted file mode 100644
index d8ec0c02..00000000
--- a/strict/domains/program/lpr.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Lpr - Print client
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: lpr lprng
-#
-
-
-# Type for the lpr, lpq, and lprm executables.
-type lpr_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the lpr_domain macro in
-# macros/program/lpr_macros.te.
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
deleted file mode 100644
index b2e47eb9..00000000
--- a/strict/domains/program/lvm.te
+++ /dev/null
@@ -1,139 +0,0 @@
-#DESC LVM - Linux Volume Manager
-#
-# Author: Michael Kaufman
-# X-Debian-Packages: lvm10 lvm2 lvm-common
-#
-
-#################################
-#
-# Rules for the lvm_t domain.
-#
-# lvm_t is the domain for LVM administration.
-# lvm_exec_t is the type of the corresponding programs.
-# lvm_etc_t is for read-only LVM configuration files.
-# lvm_metadata_t is the type of LVM metadata files in /etc that are
-# modified at runtime.
-#
-type lvm_vg_t, file_type, sysadmfile;
-type lvm_metadata_t, file_type, sysadmfile;
-type lvm_control_t, device_type, dev_fs;
-etcdir_domain(lvm)
-lock_domain(lvm)
-allow lvm_t lvm_lock_t:dir rw_dir_perms;
-
-# needs privowner because it assigns the identity system_u to device nodes
-# but runs as the identity of the sysadmin
-daemon_base_domain(lvm, `, fs_domain, privowner')
-role sysadm_r types lvm_t;
-domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t)
-
-# LVM will complain a lot if it cannot set its priority.
-allow lvm_t self:process setsched;
-
-allow lvm_t self:fifo_file rw_file_perms;
-allow lvm_t self:unix_dgram_socket create_socket_perms;
-
-r_dir_file(lvm_t, proc_t)
-allow lvm_t self:file rw_file_perms;
-
-# Read system variables in /proc/sys
-read_sysctl(lvm_t)
-
-# Read /sys/block. Device mapper metadata is kept there.
-r_dir_file(lvm_t, sysfs_t)
-
-allow lvm_t fs_t:filesystem getattr;
-
-# Read configuration files in /etc.
-allow lvm_t { etc_t etc_runtime_t }:file { getattr read };
-
-# LVM creates block devices in /dev/mapper or /dev/
-# depending on its version
-file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file)
-
-# LVM(2) needs to create directores (/dev/mapper, /dev/)
-# and links from /dev/ to /dev/mapper/-
-allow lvm_t device_t:dir create_dir_perms;
-allow lvm_t device_t:lnk_file create_lnk_perms;
-
-# /lib/lvm- holds the actual LVM binaries (and symlinks)
-allow lvm_t lvm_exec_t:dir search;
-allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
-
-tmp_domain(lvm)
-allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
-
-# DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
-
-# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
-file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
-
-allow lvm_t lvm_metadata_t:dir rw_dir_perms;
-
-# Inherit and use descriptors from init.
-allow lvm_t init_t:fd use;
-
-# LVM is split into many individual binaries
-can_exec(lvm_t, lvm_exec_t)
-
-# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
-allow lvm_t fixed_disk_device_t:chr_file create_file_perms;
-
-# relabel devices
-allow lvm_t { default_context_t file_context_t }:dir search;
-allow lvm_t file_context_t:file { getattr read };
-can_getsecurity(lvm_t)
-allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
-allow lvm_t device_t:lnk_file { relabelfrom relabelto };
-
-# Access terminals.
-allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow lvm_t devtty_t:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;')
-allow lvm_t privfd:fd use;
-allow lvm_t devpts_t:dir { search getattr read };
-
-read_locale(lvm_t)
-
-# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
-dontaudit lvm_t ttyfile:chr_file getattr;
-dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
-dontaudit lvm_t devpts_t:dir { getattr read };
-dontaudit lvm_t xconsole_device_t:fifo_file getattr;
-
-ifdef(`gpm.te', `
-dontaudit lvm_t gpmctl_t:sock_file getattr;
-')
-dontaudit lvm_t initctl_t:fifo_file getattr;
-allow lvm_t sbin_t:dir search;
-dontaudit lvm_t sbin_t:file { getattr read };
-allow lvm_t lvm_control_t:chr_file rw_file_perms;
-allow initrc_t lvm_control_t:chr_file { getattr read unlink };
-allow initrc_t device_t:chr_file create;
-var_run_domain(lvm)
-
-# for when /usr is not mounted
-dontaudit lvm_t file_t:dir search;
-
-allow lvm_t tmpfs_t:dir r_dir_perms;
-r_dir_file(lvm_t, selinux_config_t)
-
-# it has no reason to need this
-dontaudit lvm_t proc_kcore_t:file getattr;
-allow lvm_t var_t:dir { search getattr };
-allow lvm_t ramfs_t:filesystem unmount;
-
-# cluster LVM daemon
-daemon_domain(clvmd)
-can_network(clvmd_t)
-can_ypbind(clvmd_t)
-allow clvmd_t self:capability net_bind_service;
-allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file { read write };
-allow clvmd_t self:file { getattr read };
-allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow clvmd_t reserved_port_t:tcp_socket name_bind;
-dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
-dontaudit clvmd_t selinux_config_t:dir search;
diff --git a/strict/domains/program/mailman.te b/strict/domains/program/mailman.te
deleted file mode 100644
index 72fe6a75..00000000
--- a/strict/domains/program/mailman.te
+++ /dev/null
@@ -1,113 +0,0 @@ -#DESC Mailman - GNU Mailman mailing list manager -# -# Author: Russell Coker -# X-Debian-Packages: mailman - -type mailman_data_t, file_type, sysadmfile; -type mailman_archive_t, file_type, sysadmfile; - -type mailman_log_t, file_type, sysadmfile, logfile; -type mailman_lock_t, file_type, sysadmfile, lockfile; - -define(`mailman_domain', ` -type mailman_$1_t, domain, privlog $2; -type mailman_$1_exec_t, file_type, sysadmfile, exec_type; -role system_r types mailman_$1_t; -file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file) -allow mailman_$1_t mailman_log_t:dir rw_dir_perms; -create_dir_file(mailman_$1_t, mailman_data_t) -uses_shlib(mailman_$1_t) -can_exec_any(mailman_$1_t) -read_sysctl(mailman_$1_t) -allow mailman_$1_t proc_t:dir search; -allow mailman_$1_t proc_t:file { read getattr }; -allow mailman_$1_t var_lib_t:dir r_dir_perms; -allow mailman_$1_t var_lib_t:lnk_file read; -allow mailman_$1_t device_t:dir search; -allow mailman_$1_t etc_runtime_t:file { read getattr }; -read_locale(mailman_$1_t) -file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file) -allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; -allow mailman_$1_t fs_t:filesystem getattr; -can_network(mailman_$1_t) -allow mailman_$1_t smtp_port_t:tcp_socket name_connect; -can_ypbind(mailman_$1_t) -allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; -allow mailman_$1_t var_t:dir r_dir_perms; -tmp_domain(mailman_$1) -') - -mailman_domain(queue, `, auth_chkpwd, nscd_client_domain') -can_tcp_connect(mailman_queue_t, mail_server_domain) - -can_exec(mailman_queue_t, su_exec_t) -allow mailman_queue_t self:capability { setgid setuid }; -allow mailman_queue_t self:fifo_file rw_file_perms; -dontaudit mailman_queue_t var_run_t:dir search; -allow mailman_queue_t proc_t:lnk_file { getattr read }; - -# for su -dontaudit mailman_queue_t selinux_config_t:dir search; -allow mailman_queue_t self:dir search; -allow mailman_queue_t self:file 
{ getattr read }; -allow mailman_queue_t self:unix_dgram_socket create_socket_perms; -allow mailman_queue_t self:lnk_file { getattr read }; - -# some of the following could probably be changed to dontaudit, someone who -# knows mailman well should test this out and send the changes -allow mailman_queue_t sysadm_home_dir_t:dir { getattr search }; - -mailman_domain(mail) -dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write }; -allow mailman_mail_t mta_delivery_agent:fd use; -ifdef(`qmail.te', ` -allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; -# do we really need this? -allow mailman_mail_t qmail_lspawn_t:fifo_file write; -') - -create_dir_file(mailman_queue_t, mailman_archive_t) - -ifdef(`apache.te', ` -mailman_domain(cgi) -can_tcp_connect(mailman_cgi_t, mail_server_domain) - -domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t) -# should have separate types for public and private archives -r_dir_file(httpd_t, mailman_archive_t) -create_dir_file(mailman_cgi_t, mailman_archive_t) -allow httpd_t mailman_data_t:dir { getattr search }; - -dontaudit mailman_cgi_t httpd_log_t:file append; -allow httpd_t mailman_cgi_t:process signal; -allow mailman_cgi_t httpd_t:process sigchld; -allow mailman_cgi_t httpd_t:fd use; -allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl }; -allow mailman_cgi_t httpd_sys_script_t:dir search; -allow mailman_cgi_t devtty_t:chr_file { read write }; -allow mailman_cgi_t self:process { fork sigchld }; -allow mailman_cgi_t var_spool_t:dir search; -') - -allow mta_delivery_agent mailman_data_t:dir search; -allow mta_delivery_agent mailman_data_t:lnk_file read; -allow initrc_t mailman_data_t:lnk_file read; -allow initrc_t mailman_data_t:dir r_dir_perms; -domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t) -ifdef(`direct_sysadm_daemon', ` -domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t) -') -allow mailman_mail_t 
self:unix_dgram_socket create_socket_perms; - -system_crond_entry(mailman_queue_exec_t, mailman_queue_t) -allow mailman_queue_t devtty_t:chr_file { read write }; -allow mailman_queue_t self:process { fork signal sigchld }; -allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms; - -# so MTA can access /var/lib/mailman/mail/wrapper -allow mta_delivery_agent var_lib_t:dir search; - -# Handle mailman log files -rw_dir_create_file(logrotate_t, mailman_log_t) -allow logrotate_t mailman_data_t:dir search; -can_exec(logrotate_t, mailman_mail_exec_t) diff --git a/strict/domains/program/mdadm.te b/strict/domains/program/mdadm.te deleted file mode 100644 index 47f82e2d..00000000 --- a/strict/domains/program/mdadm.te +++ /dev/null 
@@ -1,43 +0,0 @@ -#DESC mdadm - Linux RAID tool -# -# Author: Colin Walters -# - -daemon_base_domain(mdadm, `, fs_domain, privmail') -role sysadm_r types mdadm_t; - -allow initrc_t mdadm_var_run_t:file create_file_perms; - -# Kernel filesystem permissions -r_dir_file(mdadm_t, proc_t) -allow mdadm_t proc_mdstat_t:file rw_file_perms; -read_sysctl(mdadm_t) -r_dir_file(mdadm_t, sysfs_t) - -# Configuration -allow mdadm_t { etc_t etc_runtime_t }:file { getattr read }; -read_locale(mdadm_t) - -# Linux capabilities -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; - -# Helper program access -can_exec(mdadm_t, { bin_t sbin_t }) - -# RAID block device access -allow mdadm_t fixed_disk_device_t:blk_file create_file_perms; -allow mdadm_t device_t:lnk_file { getattr read }; - -# Ignore attempts to read every device file -dontaudit mdadm_t device_type:{ chr_file blk_file } getattr; -dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr }; -dontaudit mdadm_t devpts_t:dir r_dir_perms; - -# Ignore attempts to read/write sysadmin tty -dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms; - -# Other random ignores -dontaudit mdadm_t tmpfs_t:dir r_dir_perms; -dontaudit mdadm_t initctl_t:fifo_file getattr; -var_run_domain(mdadm) -allow mdadm_t var_t:dir { getattr search }; diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te deleted file mode 100644 index f69f2bbc..00000000 --- a/strict/domains/program/modutil.te +++ /dev/null 
@@ -1,236 +0,0 @@ -#DESC Modutil - Dynamic module utilities -# -# Authors: Stephen Smalley and Timothy Fraser -# X-Debian-Packages: modutils -# - -################################# -# -# Rules for the module utility domains. -# -type modules_dep_t, file_type, sysadmfile; -type modules_conf_t, file_type, sysadmfile; -type modules_object_t, file_type, sysadmfile; - - -ifdef(`IS_INITRD', `', ` -################################# -# -# Rules for the depmod_t domain. -# -type depmod_t, domain; -role system_r types depmod_t; -role sysadm_r types depmod_t; - -uses_shlib(depmod_t) - -r_dir_file(depmod_t, src_t) - -type depmod_exec_t, file_type, exec_type, sysadmfile; -domain_auto_trans(initrc_t, depmod_exec_t, depmod_t) -allow depmod_t { bin_t sbin_t }:dir search; -can_exec(depmod_t, depmod_exec_t) -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t) -') - -# Inherit and use descriptors from init and login programs. -allow depmod_t { init_t privfd }:fd use; - -allow depmod_t { etc_t etc_runtime_t }:file { getattr read }; -allow depmod_t { device_t proc_t }:dir search; -allow depmod_t proc_t:file { getattr read }; -allow depmod_t fs_t:filesystem getattr; - -# read system.map -allow depmod_t boot_t:dir search; -allow depmod_t boot_t:file { getattr read }; -allow depmod_t system_map_t:file { getattr read }; - -# Read conf.modules. -allow depmod_t modules_conf_t:file r_file_perms; - -# Create modules.dep. -file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file) - -# Read module objects. -allow depmod_t modules_object_t:dir r_dir_perms; -allow depmod_t modules_object_t:{ file lnk_file } r_file_perms; -allow depmod_t modules_object_t:file unlink; - -# Access terminals. -can_access_pty(depmod_t, initrc) -allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') - -# Read System.map from home directories. 
-allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms; -r_dir_file(depmod_t, { staff_home_t sysadm_home_t }) -')dnl end IS_INITRD - -################################# -# -# Rules for the insmod_t domain. -# - -type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain -; -role system_r types insmod_t; -role sysadm_r types insmod_t; - -ifdef(`unlimitedUtils', ` -unconfined_domain(insmod_t) -') -can_ypbind(insmod_t) -uses_shlib(insmod_t) -read_locale(insmod_t) - -# for SSP -allow insmod_t urandom_device_t:chr_file read; -allow insmod_t lib_t:file { getattr read }; - -allow insmod_t { bin_t sbin_t }:dir search; -allow insmod_t { bin_t sbin_t }:lnk_file read; - -allow insmod_t self:dir search; -allow insmod_t self:lnk_file read; - -allow insmod_t usr_t:file { getattr read }; - -allow insmod_t privfd:fd use; -can_access_pty(insmod_t, initrc) -allow insmod_t admin_tty_type:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;') - -allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write }; - -allow insmod_t sound_device_t:chr_file { read ioctl write }; -allow insmod_t zero_device_t:chr_file read; -allow insmod_t memory_device_t:chr_file rw_file_perms; - -# Read module config and dependency information -allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; - -# Read module objects. 
-r_dir_file(insmod_t, modules_object_t) -# for locking -allow insmod_t modules_object_t:file write; - -allow insmod_t { var_t var_log_t }:dir search; -ifdef(`xserver.te', ` -allow insmod_t xserver_log_t:file getattr; -allow insmod_t xserver_misc_device_t:chr_file { read write }; -') -rw_dir_create_file(insmod_t, var_log_ksyms_t) -allow insmod_t { etc_t etc_runtime_t }:file { getattr read }; - -allow insmod_t self:udp_socket create_socket_perms; -allow insmod_t self:unix_dgram_socket create_socket_perms; -allow insmod_t self:unix_stream_socket create_stream_socket_perms; -allow insmod_t self:rawip_socket create_socket_perms; -allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config }; -allow insmod_t domain:process signal; -allow insmod_t self:process { fork signal_perms }; -allow insmod_t device_t:dir search; -allow insmod_t etc_runtime_t:file { getattr read }; - -# for loading modules at boot time -allow insmod_t { init_t initrc_t }:fd use; -allow insmod_t initrc_t:fifo_file { getattr read write }; - -allow insmod_t fs_t:filesystem getattr; -allow insmod_t sysfs_t:dir search; -allow insmod_t { usbfs_t usbdevfs_t }:dir search; -allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount; -r_dir_file(insmod_t, debugfs_t) - -# Rules for /proc/sys/kernel/tainted -read_sysctl(insmod_t) -allow insmod_t proc_t:dir search; -allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms }; - -allow insmod_t proc_t:file rw_file_perms; -allow insmod_t proc_t:lnk_file read; - -# Write to /proc/mtrr. -allow insmod_t mtrr_device_t:file write; - -# Read /proc/sys/kernel/hotplug. 
-allow insmod_t sysctl_hotplug_t:file { getattr read }; - -allow insmod_t device_t:dir read; -allow insmod_t devpts_t:dir { getattr search }; - -type insmod_exec_t, file_type, exec_type, sysadmfile; -domain_auto_trans(privmodule, insmod_exec_t, insmod_t) -can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t }) -allow insmod_t devtty_t:chr_file rw_file_perms; -allow insmod_t privmodule:process sigchld; -dontaudit sysadm_t self:capability sys_module; - -ifdef(`mount.te', ` -# Run mount in the mount_t domain. -domain_auto_trans(insmod_t, mount_exec_t, mount_t) -') -# for when /var is not mounted early in the boot -dontaudit insmod_t file_t:dir search; - -# for nscd -dontaudit insmod_t var_run_t:dir search; - -ifdef(`crond.te', ` -rw_dir_create_file(system_crond_t, var_log_ksyms_t) -') - -ifdef(`IS_INITRD', `', ` -################################# -# -# Rules for the update_modules_t domain. -# -type update_modules_t, domain, privlog; -type update_modules_exec_t, file_type, exec_type, sysadmfile; - -role system_r types update_modules_t; -role sysadm_r types update_modules_t; - -domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t) -allow update_modules_t privfd:fd use; -allow update_modules_t init_t:fd use; - -allow update_modules_t device_t:dir { getattr search }; -allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms; -can_access_pty(update_modules_t, initrc) -allow update_modules_t admin_tty_type:chr_file rw_file_perms; - -can_exec(update_modules_t, insmod_exec_t) -allow update_modules_t urandom_device_t:chr_file { getattr read }; - -dontaudit update_modules_t sysadm_home_dir_t:dir search; - -uses_shlib(update_modules_t) -read_locale(update_modules_t) -allow update_modules_t lib_t:file { getattr read }; -allow update_modules_t self:process { fork sigchld }; -allow update_modules_t self:fifo_file rw_file_perms; -allow update_modules_t self:file { getattr read }; -allow update_modules_t modules_dep_t:file 
rw_file_perms; -file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file) -domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) -can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t }) -allow update_modules_t { sbin_t bin_t }:lnk_file read; -allow update_modules_t { sbin_t bin_t }:dir search; -allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms; -allow update_modules_t etc_t:lnk_file read; -allow update_modules_t fs_t:filesystem getattr; - -allow update_modules_t proc_t:dir search; -allow update_modules_t proc_t:file r_file_perms; -allow update_modules_t { self proc_t }:lnk_file read; -read_sysctl(update_modules_t) -allow update_modules_t self:dir search; -allow update_modules_t self:unix_stream_socket create_socket_perms; - -file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file) - -tmp_domain(update_modules) -')dnl end IS_INITRD diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te deleted file mode 100644 index e78f7fed..00000000 --- a/strict/domains/program/mount.te +++ /dev/null 
@@ -1,91 +0,0 @@ -#DESC Mount - Filesystem mount utilities -# -# Macros for mount -# -# Author: Brian May -# X-Debian-Packages: mount -# -# based on the work of: -# Mark Westerman mark.westerman@csoconline.com -# - -type mount_exec_t, file_type, sysadmfile, exec_type; - -mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite') -mount_loopback_privs(sysadm, mount) -role sysadm_r types mount_t; -role system_r types mount_t; - -can_access_pty(mount_t, initrc) -allow mount_t console_device_t:chr_file { read write }; - -domain_auto_trans(initrc_t, mount_exec_t, mount_t) -allow mount_t init_t:fd use; -allow mount_t privfd:fd use; - -allow mount_t self:capability { dac_override ipc_lock sys_tty_config }; -allow mount_t self:process { fork signal_perms }; - -allow mount_t file_type:dir search; - -# Access disk devices. -allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms; -allow mount_t removable_device_t:devfile_class_set rw_file_perms; -allow mount_t device_t:lnk_file read; - -# for when /etc/mtab loses its type -allow mount_t file_t:file { getattr read unlink }; - -# Mount, remount and unmount file systems. 
-allow mount_t fs_type:filesystem mount_fs_perms; -allow mount_t mount_point:dir mounton; -allow mount_t nfs_t:dir search; -allow mount_t sysctl_t:dir search; - -allow mount_t root_t:filesystem unmount; - -can_portmap(mount_t) - -ifdef(`portmap.te', ` -# for nfs -can_network(mount_t) -allow mount_t port_type:tcp_socket name_connect; -can_ypbind(mount_t) -allow mount_t port_t:{ tcp_socket udp_socket } name_bind; -allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind; -can_udp_send(mount_t, portmap_t) -can_udp_send(portmap_t, mount_t) -allow mount_t rpc_pipefs_t:dir search; -') -dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind; - -# -# required for mount.smbfs -# -allow mount_t sbin_t:lnk_file { getattr read }; - -rhgb_domain(mount_t) - -# for localization -allow mount_t lib_t:file { getattr read }; -allow mount_t autofs_t:dir read; -allow mount_t fs_type:filesystem relabelfrom; -# -# This rule needs to be generalized. Only admin, initrc should have it. -# -allow mount_t file_type:filesystem { unmount mount relabelto }; - -allow mount_t mnt_t:dir getattr; -dontaudit mount_t kernel_t:fd use; -allow mount_t userdomain:fd use; -can_exec(mount_t, { sbin_t bin_t }) -allow mount_t device_t:dir r_dir_perms; -allow mount_t tmpfs_t:chr_file { read write }; - -# tries to read /init -dontaudit mount_t root_t:file { getattr read }; - -allow kernel_t mount_t:tcp_socket { read write }; -allow mount_t self:capability { setgid setuid }; -allow user_t mount_t:tcp_socket write; -allow mount_t proc_t:lnk_file read; diff --git a/strict/domains/program/mozilla.te b/strict/domains/program/mozilla.te deleted file mode 100644 index f286ea02..00000000 --- a/strict/domains/program/mozilla.te +++ /dev/null 
@@ -1,15 +0,0 @@ -#DESC Netscape - Web browser -# -# Authors: Stephen Smalley and Timothy Fraser -# X-Debian-Packages: mozilla -# - -# Type for the netscape, mozilla or other browser executables. -type mozilla_exec_t, file_type, sysadmfile, exec_type; -type mozilla_conf_t, file_type, sysadmfile; - -# Run in user_t -bool disable_mozilla_trans false; - -# Everything else is in the mozilla_domain macro in -# macros/program/mozilla_macros.te. diff --git a/strict/domains/program/mplayer.te b/strict/domains/program/mplayer.te deleted file mode 100644 index 194c8076..00000000 --- a/strict/domains/program/mplayer.te +++ /dev/null @@ -1,15 +0,0 @@ -#DESC mplayer - media player -# -# Author: Ivan Gyurdiev -# - -# Type for the mplayer executable. -type mplayer_exec_t, file_type, exec_type, sysadmfile; -type mencoder_exec_t, file_type, exec_type, sysadmfile; -type mplayer_etc_t, file_type, sysadmfile; - -# Allow mplayer executable stack -bool allow_mplayer_execstack false; - -# Everything else is in the mplayer_domain macro in -# macros/program/mplayer_macros.te. diff --git a/strict/domains/program/mrtg.te b/strict/domains/program/mrtg.te deleted file mode 100644 index e44889d4..00000000 --- a/strict/domains/program/mrtg.te +++ /dev/null 
@@ -1,100 +0,0 @@ -#DESC MRTG - Network traffic graphing -# -# Author: Russell Coker -# X-Debian-Packages: mrtg -# - -################################# -# -# Rules for the mrtg_t domain. -# -# mrtg_exec_t is the type of the mrtg executable. -# -daemon_base_domain(mrtg) - -allow mrtg_t fs_t:filesystem getattr; - -ifdef(`crond.te', ` -system_crond_entry(mrtg_exec_t, mrtg_t) -allow system_crond_t mrtg_log_t:dir rw_dir_perms; -allow system_crond_t mrtg_log_t:file { create append getattr }; -') - -allow mrtg_t usr_t:{ file lnk_file } { getattr read }; -dontaudit mrtg_t usr_t:file ioctl; - -logdir_domain(mrtg) -etcdir_domain(mrtg) -typealias mrtg_etc_t alias etc_mrtg_t; -type mrtg_var_lib_t, file_type, sysadmfile; -typealias mrtg_var_lib_t alias var_lib_mrtg_t; -type mrtg_lock_t, file_type, sysadmfile, lockfile; -r_dir_file(mrtg_t, lib_t) - -# Use the network. -can_network_client(mrtg_t) -allow mrtg_t port_type:tcp_socket name_connect; -can_ypbind(mrtg_t) - -allow mrtg_t self:fifo_file { getattr read write ioctl }; -allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms; -allow mrtg_t urandom_device_t:chr_file { getattr read }; -allow mrtg_t self:unix_stream_socket create_socket_perms; -ifdef(`apache.te', ` -rw_dir_create_file(mrtg_t, httpd_sys_content_t) -') - -can_exec(mrtg_t, { shell_exec_t bin_t sbin_t }) -allow mrtg_t { bin_t sbin_t }:dir { getattr search }; -allow mrtg_t bin_t:lnk_file read; -allow mrtg_t var_t:dir { getattr search }; - -ifdef(`snmpd.te', ` -can_udp_send(mrtg_t, snmpd_t) -can_udp_send(snmpd_t, mrtg_t) -r_dir_file(mrtg_t, snmpd_var_lib_t) -') - -allow mrtg_t proc_net_t:dir search; -allow mrtg_t { proc_t proc_net_t }:file { read getattr }; -dontaudit mrtg_t proc_t:file ioctl; - -allow mrtg_t { var_lock_t var_lib_t }:dir search; -rw_dir_create_file(mrtg_t, mrtg_var_lib_t) -rw_dir_create_file(mrtg_t, mrtg_lock_t) -ifdef(`distro_redhat', ` -file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file) -') - -# read config files -allow mrtg_t 
etc_t:file { read getattr }; -dontaudit mrtg_t mrtg_etc_t:dir write; -dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; -read_locale(mrtg_t) - -# for /.autofsck -dontaudit mrtg_t root_t:file getattr; - -dontaudit mrtg_t security_t:dir getattr; - -read_sysctl(mrtg_t) - -# for uptime -allow mrtg_t var_run_t:dir search; -allow mrtg_t initrc_var_run_t:file { getattr read }; -dontaudit mrtg_t initrc_var_run_t:file { write lock }; -allow mrtg_t etc_runtime_t:file { getattr read }; - -allow mrtg_t tmp_t:dir getattr; - -# should not need this! -dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; -dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; -ifdef(`quota.te', ` -dontaudit mrtg_t quota_db_t:file getattr; -') -dontaudit mrtg_t root_t:lnk_file getattr; - -allow mrtg_t self:capability { setgid setuid }; -ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)') -allow mrtg_t var_spool_t:dir search; diff --git a/strict/domains/program/mta.te b/strict/domains/program/mta.te deleted file mode 100644 index 89a7bb91..00000000 --- a/strict/domains/program/mta.te +++ /dev/null 
@@ -1,78 +0,0 @@ -#DESC MTA - Mail agents -# -# Author: Russell Coker -# X-Debian-Packages: postfix exim sendmail sendmail-wide -# -# policy for all mail servers, including allowing user to send mail from the -# command-line and for cron jobs to use sendmail -t - -# -# sendmail_exec_t is the type of /usr/sbin/sendmail -# -# define sendmail_exec_t if sendmail.te does not do it for us -ifdef(`sendmail.te', `', ` -type sendmail_exec_t, file_type, exec_type, sysadmfile; -') - -# create a system_mail_t domain for daemons, init scripts, etc when they run -# "mail user@domain" -mail_domain(system) - -ifdef(`targeted_policy', ` -# rules are currently defined in sendmail.te, but it is not included in -# targeted policy. We could move these rules permanantly here. -ifdef(`postfix.te', `', `can_exec_any(system_mail_t)') -allow system_mail_t self:dir search; -allow system_mail_t self:lnk_file read; -r_dir_file(system_mail_t, { proc_t proc_net_t }) -allow system_mail_t fs_t:filesystem getattr; -allow system_mail_t { var_t var_spool_t }:dir getattr; -create_dir_file(system_mail_t, mqueue_spool_t) -create_dir_file(system_mail_t, mail_spool_t) -allow system_mail_t mail_spool_t:fifo_file rw_file_perms; -allow system_mail_t etc_mail_t:file { getattr read }; -', ` -ifdef(`sendmail.te', ` -# sendmail has an ugly design, the one process parses input from the user and -# then does system things with it. 
-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t) -', ` -domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t) -') -allow initrc_t sendmail_exec_t:lnk_file { getattr read }; - -# allow the sysadmin to do "mail someone < /home/user/whatever" -allow sysadm_mail_t user_home_dir_type:dir search; -r_dir_file(sysadm_mail_t, user_home_type) -') -# for a mail server process that does things in response to a user command -allow mta_user_agent userdomain:process sigchld; -allow mta_user_agent { userdomain privfd }:fd use; -ifdef(`crond.te', ` -allow mta_user_agent crond_t:process sigchld; -') -allow mta_user_agent sysadm_t:fifo_file { read write }; - -allow { system_mail_t mta_user_agent } privmail:fd use; -allow { system_mail_t mta_user_agent } privmail:process sigchld; -allow { system_mail_t mta_user_agent } privmail:fifo_file { read write }; -allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write }; - -allow mta_delivery_agent home_root_t:dir { getattr search }; - -# for /var/spool/mail -ra_dir_create_file(mta_delivery_agent, mail_spool_t) - -# for piping mail to a command -can_exec(mta_delivery_agent, shell_exec_t) -allow mta_delivery_agent bin_t:dir search; -allow mta_delivery_agent bin_t:lnk_file read; -allow mta_delivery_agent devtty_t:chr_file rw_file_perms; -allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read }; - -allow system_mail_t etc_runtime_t:file { getattr read }; -allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read }; -ifdef(`targeted_policy', ` -typealias system_mail_t alias sysadm_mail_t; -') - diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te deleted file mode 100644 index 2047b44c..00000000 --- a/strict/domains/program/mysqld.te +++ /dev/null 
@@ -1,94 +0,0 @@ -#DESC Mysqld - Database server -# -# Author: Russell Coker -# X-Debian-Packages: mysql-server -# - -################################# -# -# Rules for the mysqld_t domain. -# -# mysqld_exec_t is the type of the mysqld executable. -# -daemon_domain(mysqld, `, nscd_client_domain') - -allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect }; - -allow mysqld_t mysqld_var_run_t:sock_file create_file_perms; - -etcdir_domain(mysqld) -type mysqld_db_t, file_type, sysadmfile; - -log_domain(mysqld) - -# for temporary tables -tmp_domain(mysqld) - -allow mysqld_t usr_t:file { getattr read }; - -allow mysqld_t self:fifo_file { read write }; -allow mysqld_t self:unix_stream_socket create_stream_socket_perms; -allow initrc_t mysqld_t:unix_stream_socket connectto; -allow initrc_t mysqld_var_run_t:sock_file write; - -allow initrc_t mysqld_log_t:file { write append setattr ioctl }; - -allow mysqld_t self:capability { dac_override setgid setuid net_bind_service }; -allow mysqld_t self:process { setsched getsched }; - -allow mysqld_t proc_t:file { getattr read }; - -# Allow access to the mysqld databases -create_dir_file(mysqld_t, mysqld_db_t) -allow mysqld_t var_lib_t:dir { getattr search }; - -can_network(mysqld_t) -can_ypbind(mysqld_t) - -# read config files -r_dir_file(initrc_t, mysqld_etc_t) -allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; - -allow mysqld_t etc_t:dir search; - -read_sysctl(mysqld_t) - -can_unix_connect(sysadm_t, mysqld_t) - -# for /root/.my.cnf - should not be needed -allow mysqld_t sysadm_home_dir_t:dir search; -allow mysqld_t sysadm_home_t:file { read getattr }; - -ifdef(`logrotate.te', ` -r_dir_file(logrotate_t, mysqld_etc_t) -allow logrotate_t mysqld_db_t:dir search; -allow logrotate_t mysqld_var_run_t:dir search; -allow logrotate_t mysqld_var_run_t:sock_file write; -can_unix_connect(logrotate_t, mysqld_t) -') - -ifdef(`daemontools.te', ` -domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t) -allow 
svc_start_t mysqld_t:process signal; -svc_ipc_domain(mysqld_t) -')dnl end ifdef daemontools - -ifdef(`distro_redhat', ` -allow initrc_t mysqld_db_t:dir create_dir_perms; - -# because Fedora has the sock_file in the database directory -file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) -') -ifdef(`targeted_policy', `', ` -bool allow_user_mysql_connect false; - -if (allow_user_mysql_connect) { -allow userdomain mysqld_var_run_t:dir search; -allow userdomain mysqld_var_run_t:sock_file write; -} -') - -allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; -ifdef(`crond.te', ` -allow system_crond_t mysqld_etc_t:file { getattr read }; -') diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te deleted file mode 100644 index b3d9508a..00000000 --- a/strict/domains/program/named.te +++ /dev/null 
@@ -1,171 +0,0 @@ -#DESC BIND - Name server -# -# Authors: Yuichi Nakamura , -# Russell Coker -# X-Debian-Packages: bind bind9 -# -# - -################################# -# -# Rules for the named_t domain. -# - -daemon_domain(named, `, nscd_client_domain') -tmp_domain(named) - -type named_checkconf_exec_t, file_type, exec_type, sysadmfile; -domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t) - -# For /var/run/ndc used in BIND 8 -file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file) - -# ndc_t is the domain for the ndc program -type ndc_t, domain, privlog, nscd_client_domain; -role sysadm_r types ndc_t; -role system_r types ndc_t; - -ifdef(`targeted_policy', ` -dontaudit ndc_t root_t:file { getattr read }; -dontaudit ndc_t unlabeled_t:file { getattr read }; -') - -can_exec(named_t, named_exec_t) -allow named_t sbin_t:dir search; - -allow named_t self:process { setsched setcap setrlimit }; - -# A type for configuration files of named. -type named_conf_t, file_type, sysadmfile, mount_point; - -# for primary zone files -type named_zone_t, file_type, sysadmfile; - -# for secondary zone files -type named_cache_t, file_type, sysadmfile; - -# for DNSSEC key files -type dnssec_t, file_type, sysadmfile, secure_file_type; -allow { ndc_t named_t } dnssec_t:file { getattr read }; - -# Use capabilities. Surplus capabilities may be allowed. -allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource }; - -allow named_t etc_t:file { getattr read }; -allow named_t etc_runtime_t:{ file lnk_file } { getattr read }; - -#Named can use network -can_network(named_t) -allow named_t port_type:tcp_socket name_connect; -can_ypbind(named_t) -# allow UDP transfer to/from any program -can_udp_send(domain, named_t) -can_udp_send(named_t, domain) -can_tcp_connect(domain, named_t) -log_domain(named) - -# Bind to the named port. 
-allow named_t dns_port_t:udp_socket name_bind; -allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind; - -bool named_write_master_zones false; - -#read configuration files -r_dir_file(named_t, named_conf_t) - -if (named_write_master_zones) { -#create and modify zone files -create_dir_file(named_t, named_zone_t) -} -#read zone files -r_dir_file(named_t, named_zone_t) - -#write cache for secondary zones -rw_dir_create_file(named_t, named_cache_t) - -allow named_t self:unix_stream_socket create_stream_socket_perms; -allow named_t self:unix_dgram_socket create_socket_perms; -allow named_t self:netlink_route_socket r_netlink_socket_perms; - -# Read sysctl kernel variables. -read_sysctl(named_t) - -# Read /proc/cpuinfo and /proc/net -r_dir_file(named_t, proc_t) -r_dir_file(named_t, proc_net_t) - -# Read /dev/random. -allow named_t device_t:dir r_dir_perms; -allow named_t random_device_t:chr_file r_file_perms; - -# Use a pipe created by self. -allow named_t self:fifo_file rw_file_perms; - -# Enable named dbus support: -ifdef(`dbusd.te', ` -dbusd_client(system, named) -domain_auto_trans(system_dbusd_t, named_exec_t, named_t) -allow named_t system_dbusd_t:dbus { acquire_svc send_msg }; -allow named_t self:dbus send_msg; -') - -# Set own capabilities. 
-#A type for /usr/sbin/ndc -type ndc_exec_t, file_type,sysadmfile, exec_type; -domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t) -uses_shlib(ndc_t) -can_network_client_tcp(ndc_t) -allow ndc_t rndc_port_t:tcp_socket name_connect; -can_ypbind(ndc_t) -can_resolve(ndc_t) -read_locale(ndc_t) -can_tcp_connect(ndc_t, named_t) - -ifdef(`distro_redhat', ` -# for /etc/rndc.key -allow { ndc_t initrc_t } named_conf_t:dir search; -# Allow init script to cp localtime to named_conf_t -allow initrc_t named_conf_t:file { setattr write }; -allow initrc_t named_conf_t:dir create_dir_perms; -') -allow { ndc_t initrc_t } named_conf_t:file { getattr read }; - -allow ndc_t etc_t:dir r_dir_perms; -allow ndc_t etc_t:file r_file_perms; -allow ndc_t self:unix_stream_socket create_stream_socket_perms; -allow ndc_t self:unix_stream_socket connect; -allow ndc_t self:capability { dac_override net_admin }; -allow ndc_t var_t:dir search; -allow ndc_t var_run_t:dir search; -allow ndc_t named_var_run_t:sock_file rw_file_perms; -allow ndc_t named_t:unix_stream_socket connectto; -allow ndc_t { privfd init_t }:fd use; -# seems to need read as well for some reason -allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write }; -allow ndc_t fs_t:filesystem getattr; - -# Read sysctl kernel variables. 
-read_sysctl(ndc_t) - -allow ndc_t self:process { fork signal_perms }; -allow ndc_t self:fifo_file { read write getattr ioctl }; -allow ndc_t named_zone_t:dir search; - -# for chmod in start script -dontaudit initrc_t named_var_run_t:dir setattr; - -# for ndc_t to be used for restart shell scripts -ifdef(`ndc_shell_script', ` -system_crond_entry(ndc_exec_t, ndc_t) -allow ndc_t devtty_t:chr_file { read write ioctl }; -allow ndc_t etc_runtime_t:file { getattr read }; -allow ndc_t proc_t:dir search; -allow ndc_t proc_t:file { getattr read }; -can_exec(ndc_t, { bin_t sbin_t shell_exec_t }) -allow ndc_t named_var_run_t:file getattr; -allow ndc_t named_zone_t:dir { read getattr }; -allow ndc_t named_zone_t:file getattr; -dontaudit ndc_t sysadm_home_t:dir { getattr search read }; -') -allow ndc_t self:netlink_route_socket r_netlink_socket_perms; -dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl }; diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te deleted file mode 100644 index 8dcbdf11..00000000 --- a/strict/domains/program/netutils.te +++ /dev/null 
@@ -1,64 +0,0 @@
-#DESC Netutils - Network utilities
-#
-# Authors: Stephen Smalley
-# X-Debian-Packages: netbase iputils arping tcpdump
-#
-
-#
-# Rules for the netutils_t domain.
-# This domain is for network utilities that require access to
-# special protocol families.
-#
-type netutils_t, domain, privlog;
-type netutils_exec_t, file_type, sysadmfile, exec_type;
-role system_r types netutils_t;
-role sysadm_r types netutils_t;
-
-uses_shlib(netutils_t)
-can_network(netutils_t)
-allow netutils_t port_type:tcp_socket name_connect;
-can_ypbind(netutils_t)
-tmp_domain(netutils)
-
-domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
-')
-
-# Inherit and use descriptors from init.
-allow netutils_t { userdomain init_t }:fd use;
-
-allow netutils_t self:process { fork signal_perms };
-
-# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-
-# Create and use netlink sockets.
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-
-# Create and use packet sockets.
-allow netutils_t self:packet_socket create_socket_perms;
-
-# Create and use UDP sockets.
-allow netutils_t self:udp_socket create_socket_perms;
-
-# Create and use TCP sockets.
-allow netutils_t self:tcp_socket create_socket_perms;
-
-allow netutils_t self:unix_stream_socket create_socket_perms;
-
-# Read certain files in /etc
-allow netutils_t etc_t:file r_file_perms;
-read_locale(netutils_t)
-
-allow netutils_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow netutils_t privfd:fd use;
-can_access_pty(netutils_t, initrc)
-allow netutils_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
-allow netutils_t proc_t:dir search;
-
-# for nscd
-dontaudit netutils_t var_t:dir search;
diff --git a/strict/domains/program/newrole.te b/strict/domains/program/newrole.te
deleted file mode 100644
index 207274d9..00000000
--- a/strict/domains/program/newrole.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC Newrole - SELinux utility to run a shell with a new role
-#
-# Authors: Anthony Colatrella (NSA)
-# Maintained by Stephen Smalley
-# X-Debian-Packages: policycoreutils
-#
-
-# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
-bool secure_mode false;
-
-type newrole_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
-
-newrole_domain(newrole)
-
-# Write to utmp.
-allow newrole_t var_run_t:dir r_dir_perms;
-allow newrole_t initrc_var_run_t:file rw_file_perms;
-
-role secadm_r types newrole_t;
-
-ifdef(`targeted_policy', `
-typeattribute newrole_t unconfinedtrans;
-')
diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te
deleted file mode 100644
index 8e899c74..00000000
--- a/strict/domains/program/nscd.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC NSCD - Name service cache daemon cache lookup of user-name
-#
-# Author: Russell Coker
-# X-Debian-Packages: nscd
-#
-define(`nscd_socket_domain', `
-can_unix_connect($1, nscd_t)
-allow $1 nscd_var_run_t:sock_file rw_file_perms;
-allow $1 { var_run_t var_t }:dir search;
-allow $1 nscd_t:nscd { getpwd getgrp gethost };
-dontaudit $1 nscd_t:fd use;
-dontaudit $1 nscd_var_run_t:dir { search getattr };
-dontaudit $1 nscd_var_run_t:file { getattr read };
-dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-')
-#################################
-#
-# Rules for the nscd_t domain.
-#
-# nscd is both the client program and the daemon.
-daemon_domain(nscd, `, userspace_objmgr')
-
-allow nscd_t etc_t:file r_file_perms;
-allow nscd_t etc_t:lnk_file read;
-can_network_client(nscd_t)
-allow nscd_t port_type:tcp_socket name_connect;
-can_ypbind(nscd_t)
-
-file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
-
-allow nscd_t self:unix_stream_socket create_stream_socket_perms;
-
-nscd_socket_domain(nscd_client_domain)
-nscd_socket_domain(daemon)
-
-# Clients that are allowed to map the database via a fd obtained from nscd.
-nscd_socket_domain(nscd_shmem_domain)
-allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
-allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
-# Receive fd from nscd and map the backing file with read access.
-allow nscd_shmem_domain nscd_t:fd use;
-
-# For client program operation, invoked from sysadm_t.
-# Transition occurs to nscd_t due to direct_sysadm_daemon.
-allow nscd_t self:nscd { admin getstat };
-allow nscd_t admin_tty_type:chr_file rw_file_perms;
-
-read_sysctl(nscd_t)
-allow nscd_t self:process { getattr setsched };
-allow nscd_t self:unix_dgram_socket create_socket_perms;
-allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service };
-
-# for when /etc/passwd has just been updated and has the wrong type
-allow nscd_t shadow_t:file getattr;
-
-dontaudit nscd_t sysadm_home_dir_t:dir search;
-
-ifdef(`winbind.te', `
-#
-# Handle winbind for samba, Might only be needed for targeted policy
-#
-allow nscd_t winbind_var_run_t:sock_file { read write getattr };
-can_unix_connect(nscd_t, winbind_t)
-allow nscd_t samba_var_t:dir search;
-allow nscd_t winbind_var_run_t:dir { getattr search };
-')
-
-r_dir_file(nscd_t, selinux_config_t)
-can_getsecurity(nscd_t)
-allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
-log_domain(nscd)
-r_dir_file(nscd_t, cert_t)
-allow nscd_t tun_tap_device_t:chr_file { read write };
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te
deleted file mode 100644
index 9916a6a4..00000000
--- a/strict/domains/program/ntpd.te
+++ /dev/null
@@ -1,88 +0,0 @@
-#DESC NTPD - Time synchronisation daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: ntp ntp-simple
-#
-
-#################################
-#
-# Rules for the ntpd_t domain.
-#
-daemon_domain(ntpd, `, nscd_client_domain')
-type ntp_drift_t, file_type, sysadmfile;
-
-type ntpdate_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
-
-logdir_domain(ntpd)
-
-allow ntpd_t var_lib_t:dir r_dir_perms;
-allow ntpd_t usr_t:file r_file_perms;
-# reading /usr/share/ssl/cert.pem requires
-allow ntpd_t usr_t:lnk_file read;
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
-
-# for SSP
-allow ntpd_t urandom_device_t:chr_file { getattr read };
-
-# sys_resource and setrlimit is for locking memory
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { fsetid net_admin };
-allow ntpd_t self:process { setcap setsched setrlimit };
-# ntpdate wants sys_nice
-
-# for some reason it creates a file in /tmp
-tmp_domain(ntpd)
-
-allow ntpd_t etc_t:dir r_dir_perms;
-allow ntpd_t etc_t:file { read getattr };
-
-# Use the network.
-can_network(ntpd_t)
-allow ntpd_t ntp_port_t:tcp_socket name_connect;
-can_ypbind(ntpd_t)
-allow ntpd_t ntp_port_t:udp_socket name_bind;
-allow sysadm_t ntp_port_t:udp_socket name_bind;
-allow ntpd_t self:unix_dgram_socket create_socket_perms;
-allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so the start script can change firewall entries
-allow initrc_t net_conf_t:file { getattr read ioctl };
-
-# for cron jobs
-# system_crond_t is not right, cron is not doing what it should
-ifdef(`crond.te', `
-system_crond_entry(ntpdate_exec_t, ntpd_t)
-')
-
-can_exec(ntpd_t, initrc_exec_t)
-allow ntpd_t self:fifo_file { read write getattr };
-allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
-allow ntpd_t { sbin_t bin_t }:dir search;
-allow ntpd_t bin_t:lnk_file read;
-read_sysctl(ntpd_t);
-allow ntpd_t proc_t:file r_file_perms;
-allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
-allow ntpd_t self:file { getattr read };
-dontaudit ntpd_t domain:dir search;
-ifdef(`logrotate.te', `
-can_exec(ntpd_t, logrotate_exec_t)
-')
-
-allow ntpd_t devtty_t:chr_file rw_file_perms;
-
-can_udp_send(ntpd_t, sysadm_t)
-can_udp_send(sysadm_t, ntpd_t)
-can_udp_send(ntpd_t, ntpd_t)
-ifdef(`firstboot.te', `
-dontaudit ntpd_t firstboot_t:fd use;
-')
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
-# For clock devices like wwvb1
-allow ntpd_t device_t:lnk_file read;
diff --git a/strict/domains/program/openct.te b/strict/domains/program/openct.te
deleted file mode 100644
index 244fc2fb..00000000
--- a/strict/domains/program/openct.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#DESC openct - read files in page cache
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for openct
-#
-
-daemon_domain(openct)
-#
-# openct asks for these
-#
-rw_dir_file(openct_t, usbfs_t)
-allow openct_t etc_t:file r_file_perms;
diff --git a/strict/domains/program/orbit.te b/strict/domains/program/orbit.te
deleted file mode 100644
index dad353b7..00000000
--- a/strict/domains/program/orbit.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# ORBit related types
-#
-# Author: Ivan Gyurdiev
-#
-
-# Look in orbit_macros.te
diff --git a/strict/domains/program/pam.te b/strict/domains/program/pam.te
deleted file mode 100644
index 2d712229..00000000
--- a/strict/domains/program/pam.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC Pam - PAM
-# X-Debian-Packages:
-#
-# /sbin/pam_timestamp_check
-type pam_exec_t, file_type, exec_type, sysadmfile;
-type pam_t, domain, privlog, nscd_client_domain;
-general_domain_access(pam_t);
-
-type pam_var_run_t, file_type, sysadmfile;
-allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
-allow pam_t pam_var_run_t:file { getattr read unlink };
-
-role system_r types pam_t;
-in_user_role(pam_t)
-domain_auto_trans(userdomain, pam_exec_t, pam_t)
-
-uses_shlib(pam_t)
-# Read the devpts root directory.
-allow pam_t devpts_t:dir r_dir_perms;
-
-# Access terminals.
-allow pam_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
-
-allow pam_t proc_t:dir search;
-allow pam_t proc_t:{ lnk_file file } { getattr read };
-
-# Read the /etc/nsswitch file
-allow pam_t etc_t:file r_file_perms;
-
-# Read /var/run.
-allow pam_t { var_t var_run_t }:dir r_dir_perms;
-tmp_domain(pam)
-
-allow pam_t local_login_t:fd use;
-dontaudit pam_t self:capability sys_tty_config;
-
-allow initrc_t pam_var_run_t:dir rw_dir_perms;
-allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file rw_file_perms;
-
-# Supress xdm denial
-ifdef(`xdm.te', `
-dontaudit pam_t xdm_t:fd use;
-') dnl ifdef
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
deleted file mode 100644
index 11c19947..00000000
--- a/strict/domains/program/pamconsole.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Pamconsole - PAM console
-# X-Debian-Packages:
-#
-# pam_console_apply
-
-daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread')
-
-type pam_var_console_t, file_type, sysadmfile;
-
-allow pam_console_t etc_t:file { getattr read ioctl };
-allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
-
-# Read /etc/mtab
-allow pam_console_t etc_runtime_t:file { read getattr };
-
-# Read /proc/meminfo
-allow pam_console_t proc_t:file { read getattr };
-
-allow pam_console_t self:capability { chown fowner fsetid };
-
-# Allow access to /dev/console through the fd:
-allow pam_console_t console_device_t:chr_file { read write setattr };
-allow pam_console_t { kernel_t init_t }:fd use;
-
-# for /var/run/console.lock checking
-allow pam_console_t { var_t var_run_t }:dir search;
-r_dir_file(pam_console_t, pam_var_console_t)
-dontaudit pam_console_t pam_var_console_t:file write;
-
-# Allow to set attributes on /dev entries
-allow pam_console_t device_t:dir { getattr read };
-allow pam_console_t device_t:lnk_file { getattr read };
-# mouse_device_t is for joy sticks
-allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
-allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
-
-allow pam_console_t mnt_t:dir r_dir_perms;
-
-ifdef(`gpm.te', `
-allow pam_console_t gpmctl_t:sock_file { getattr setattr };
-')
-ifdef(`hotplug.te', `
-dontaudit pam_console_t hotplug_etc_t:dir search;
-allow pam_console_t hotplug_t:fd use;
-')
-ifdef(`xdm.te', `
-allow pam_console_t xdm_var_run_t:file { getattr read };
-')
-allow initrc_t pam_var_console_t:dir rw_dir_perms;
-allow initrc_t pam_var_console_t:file unlink;
-allow pam_console_t file_context_t:file { getattr read };
-nsswitch_domain(pam_console_t)
diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te
deleted file mode 100644
index 30d7f860..00000000
--- a/strict/domains/program/passwd.te
+++ /dev/null
@@ -1,156 +0,0 @@
-#DESC Passwd - Password utilities
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`base_passwd_domain', `
-type $1_t, domain, privlog, $2;
-
-# for SSP
-allow $1_t urandom_device_t:chr_file read;
-
-allow $1_t self:process setrlimit;
-
-general_domain_access($1_t);
-uses_shlib($1_t);
-
-# Inherit and use descriptors from login.
-allow $1_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-read_locale($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# allow checking if a shell is executable
-allow $1_t shell_exec_t:file execute;
-
-# Obtain contexts
-can_getsecurity($1_t)
-
-allow $1_t etc_t:file create_file_perms;
-
-# read /etc/mtab
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Allow etc_t symlinks for /etc/alternatives on Debian.
-allow $1_t etc_t:lnk_file read;
-
-# Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-dontaudit $1_t devpts_t:dir getattr;
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it. Do not audit write denials to utmp.
-dontaudit $1_t initrc_var_run_t:file { read write };
-
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
-
-# When the wrong current passwd is entered, passwd, for some reason,
-# attempts to access /proc and /dev, but handles failure appropriately. So
-# do not audit those denials.
-dontaudit $1_t { proc_t device_t }:dir { search read };
-
-allow $1_t device_t:dir getattr;
-read_sysctl($1_t)
-')
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`passwd_domain', `
-base_passwd_domain($1, `auth_write, privowner')
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate($1_t)
-')
-
-passwd_domain(passwd)
-passwd_domain(sysadm_passwd)
-base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
-can_setfscreate(chfn_t)
-
-# can exec /sbin/unix_chkpwd
-allow chfn_t { bin_t sbin_t }:dir search;
-
-# uses unix_chkpwd for checking passwords
-dontaudit chfn_t shadow_t:file read;
-allow chfn_t etc_t:dir rw_dir_perms;
-allow chfn_t etc_t:file create_file_perms;
-allow chfn_t proc_t:file { getattr read };
-allow chfn_t self:file write;
-
-in_user_role(passwd_t)
-in_user_role(chfn_t)
-role sysadm_r types passwd_t;
-role sysadm_r types sysadm_passwd_t;
-role sysadm_r types chfn_t;
-role system_r types passwd_t;
-role system_r types chfn_t;
-
-type admin_passwd_exec_t, file_type, sysadmfile;
-type passwd_exec_t, file_type, sysadmfile, exec_type;
-type chfn_exec_t, file_type, sysadmfile, exec_type;
-
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-dontaudit chfn_t var_t:dir search;
-
-ifdef(`crack.te', `
-allow passwd_t var_t:dir search;
-dontaudit passwd_t var_run_t:dir search;
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-', `
-dontaudit passwd_t var_t:dir search;
-')
-
-# allow vipw to exec the editor
-allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
-allow sysadm_passwd_t bin_t:lnk_file read;
-can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
-r_dir_file(sysadm_passwd_t, usr_t)
-
-# allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t var_t:dir search;
-tmp_domain(sysadm_passwd)
-# for vipw - vi
looks in the root home directory for config
-dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
-# for /etc/alternatives/vi
-allow sysadm_passwd_t etc_t:lnk_file read;
-
-# for nscd lookups
-dontaudit sysadm_passwd_t var_run_t:dir search;
-
-# for /proc/meminfo
-allow sysadm_passwd_t proc_t:file { getattr read };
-
-dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
-dontaudit sysadm_passwd_t devpts_t:dir search;
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file { getattr read };
-allow passwd_t userdomain:process getattr;
-
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-')
diff --git a/strict/domains/program/pegasus.te b/strict/domains/program/pegasus.te
deleted file mode 100644
index e2b557e2..00000000
--- a/strict/domains/program/pegasus.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#DESC pegasus - The Open Group Pegasus CIM/WBEM Server
-#
-# Author: Jason Vas Dias
-# Package: tog-pegasus
-#
-#################################
-#
-# Rules for the pegasus domain
-#
-daemon_domain(pegasus, `, nscd_client_domain, auth')
-type pegasus_data_t, file_type, sysadmfile;
-type pegasus_conf_t, file_type, sysadmfile;
-type pegasus_mof_t, file_type, sysadmfile;
-type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
-allow pegasus_t self:capability { dac_override net_bind_service audit_write };
-can_network_tcp(pegasus_t);
-nsswitch_domain(pegasus_t);
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
-allow pegasus_t self:unix_dgram_socket create_socket_perms;
-allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:file { read getattr };
-allow pegasus_t self:fifo_file rw_file_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
-allow pegasus_t proc_t:file { getattr read };
-allow pegasus_t sysctl_vm_t:dir search;
-allow pegasus_t initrc_var_run_t:file { read write lock };
-allow pegasus_t urandom_device_t:chr_file { getattr read };
-r_dir_file(pegasus_t, etc_t)
-r_dir_file(pegasus_t, var_lib_t)
-r_dir_file(pegasus_t, pegasus_mof_t)
-rw_dir_create_file(pegasus_t, pegasus_conf_t)
-rw_dir_create_file(pegasus_t, pegasus_data_t)
-rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
-allow pegasus_t shadow_t:file { getattr read };
-dontaudit pegasus_t selinux_config_t:dir search;
-
diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te
deleted file mode 100644
index 6461c51a..00000000
--- a/strict/domains/program/ping.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Ping - Send ICMP messages to network hosts
-#
-# Author: David A. Wheeler
-# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
-#
-
-#################################
-#
-# Rules for the ping_t domain.
-#
-# ping_t is the domain for the ping program.
-# ping_exec_t is the type of the corresponding program.
-#
-type ping_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ping_t;
-role system_r types ping_t;
-in_user_role(ping_t)
-type ping_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`targeted_policy', `
- allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
-', `
-bool user_ping false;
-
-if (user_ping) {
- domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
- # allow access to the terminal
- allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
- ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
-')
-
-# Transition into this domain when you run this program.
-domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
-domain_auto_trans(initrc_t, ping_exec_t, ping_t)
-
-uses_shlib(ping_t)
-can_network_client(ping_t)
-can_resolve(ping_t)
-allow ping_t dns_port_t:tcp_socket name_connect;
-can_ypbind(ping_t)
-allow ping_t etc_t:file { getattr read };
-allow ping_t self:unix_stream_socket create_socket_perms;
-
-# Let ping create raw ICMP packets.
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-
-# Use capabilities.
-allow ping_t self:capability { net_raw setuid };
-
-# Access the terminal.
-allow ping_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
-allow ping_t privfd:fd use;
-dontaudit ping_t fs_t:filesystem getattr;
-
-# it tries to access /var/run
-dontaudit ping_t var_t:dir search;
-dontaudit ping_t devtty_t:chr_file { read write };
-dontaudit ping_t self:capability sys_tty_config;
-ifdef(`hide_broken_symptoms', `
-dontaudit ping_t init_t:fd use;
-')
-
diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te
deleted file mode 100644
index 54cad6fa..00000000
--- a/strict/domains/program/portmap.te
+++ /dev/null
@@ -1,71 +0,0 @@
-#DESC Portmap - Maintain RPC program number map
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: portmap
-#
-
-
-
-#################################
-#
-# Rules for the portmap_t domain.
-#
-daemon_domain(portmap, `, nscd_client_domain')
-
-can_network(portmap_t)
-allow portmap_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_t)
-allow portmap_t self:unix_dgram_socket create_socket_perms;
-allow portmap_t self:unix_stream_socket create_stream_socket_perms;
-
-tmp_domain(portmap)
-
-allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
-
-# portmap binds to arbitary ports
-allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
-allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow portmap_t etc_t:file { getattr read };
-
-# Send to ypbind, initrc, rpc.statd, xinetd.
-ifdef(`ypbind.te',
-`can_udp_send(portmap_t, ypbind_t)')
-can_udp_send(portmap_t, { initrc_t init_t })
-can_udp_send(init_t, portmap_t)
-ifdef(`rpcd.te',
-`can_udp_send(portmap_t, rpcd_t)')
-ifdef(`inetd.te',
-`can_udp_send(portmap_t, inetd_t)')
-ifdef(`lpd.te',
-`can_udp_send(portmap_t, lpd_t)')
-ifdef(`tcpd.te', `
-can_udp_send(tcpd_t, portmap_t)
-')
-can_udp_send(portmap_t, kernel_t)
-can_udp_send(kernel_t, portmap_t)
-can_udp_send(sysadm_t, portmap_t)
-can_udp_send(portmap_t, sysadm_t)
-
-# Use capabilities
-allow portmap_t self:capability { net_bind_service setuid setgid };
-allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
-
-application_domain(portmap_helper)
-role system_r types portmap_helper_t;
-domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
-dontaudit portmap_helper_t self:capability { net_admin };
-allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
-file_type_auto_trans(portmap_helper_t, var_run_t,
portmap_var_run_t, file)
-allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
-can_network(portmap_helper_t)
-allow portmap_helper_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_helper_t)
-dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
-allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t { userdomain privfd }:fd use;
-allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te
deleted file mode 100644
index 5d24e5f4..00000000
--- a/strict/domains/program/postfix.te
+++ /dev/null
@@ -1,356 +0,0 @@
-#DESC Postfix - Mail server
-#
-# Author: Russell Coker
-# X-Debian-Packages: postfix
-# Depends: mta.te
-#
-
-# Type for files created during execution of postfix.
-type postfix_var_run_t, file_type, sysadmfile, pidfile;
-
-type postfix_etc_t, file_type, sysadmfile;
-type postfix_exec_t, file_type, sysadmfile, exec_type;
-type postfix_public_t, file_type, sysadmfile;
-type postfix_private_t, file_type, sysadmfile;
-type postfix_spool_t, file_type, sysadmfile;
-type postfix_spool_maildrop_t, file_type, sysadmfile;
-type postfix_spool_flush_t, file_type, sysadmfile;
-type postfix_prng_t, file_type, sysadmfile;
-
-# postfix needs this for newaliases
-allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
-
-#################################
-#
-# Rules for the postfix_$1_t domain.
-#
-# postfix_$1_exec_t is the type of the postfix_$1 executables.
-#
-define(`postfix_domain', `
-daemon_core_rules(postfix_$1, `$2')
-allow postfix_$1_t self:process setpgid;
-allow postfix_$1_t postfix_master_t:process sigchld;
-allow postfix_master_t postfix_$1_t:process signal;
-
-allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
-allow postfix_$1_t postfix_etc_t:file r_file_perms;
-read_locale(postfix_$1_t)
-allow postfix_$1_t etc_t:file { getattr read };
-allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
-allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
-allow postfix_$1_t self:unix_stream_socket connectto;
-
-allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
-allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
-allow postfix_$1_t shell_exec_t:file rx_file_perms;
-allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
-allow postfix_$1_t postfix_exec_t:file rx_file_perms;
-allow postfix_$1_t devtty_t:chr_file rw_file_perms;
-allow postfix_$1_t etc_runtime_t:file r_file_perms;
-allow postfix_$1_t proc_t:dir r_dir_perms;
-allow postfix_$1_t proc_t:file r_file_perms;
-allow
postfix_$1_t postfix_exec_t:dir r_dir_perms;
-allow postfix_$1_t fs_t:filesystem getattr;
-allow postfix_$1_t proc_net_t:dir search;
-allow postfix_$1_t proc_net_t:file { getattr read };
-can_exec(postfix_$1_t, postfix_$1_exec_t)
-r_dir_file(postfix_$1_t, cert_t)
-allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
-
-allow postfix_$1_t tmp_t:dir getattr;
-
-file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
-
-read_sysctl(postfix_$1_t)
-
-')dnl end postfix_domain
-
-ifdef(`crond.te',
-`allow system_mail_t crond_t:tcp_socket { read write create };')
-
-postfix_domain(master, `, mail_server_domain')
-rhgb_domain(postfix_master_t)
-
-# for a find command
-dontaudit postfix_master_t security_t:dir search;
-
-read_sysctl(postfix_master_t)
-
-domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
-allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
-
-ifdef(`direct_sysadm_daemon', `
-
-domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
-allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
-role_transition sysadm_r postfix_master_exec_t system_r;
-allow postfix_master_t postfix_etc_t:file rw_file_perms;
-dontaudit postfix_master_t admin_tty_type:chr_file { read write };
-allow postfix_master_t devpts_t:dir search;
-
-domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
-allow system_mail_t sysadm_t:process sigchld;
-allow system_mail_t privfd:fd use;
-
-')dnl end direct_sysadm_daemon
-
-allow postfix_master_t privfd:fd use;
-ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
-allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
-
-# postfix does a "find" on startup for some reason - keep it quiet
-dontaudit postfix_master_t selinux_config_t:dir search;
-can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
-ifdef(`distro_redhat', `
-# compatability for old default main.cf
-file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
-# for newer main.cf that uses /etc/aliases
-file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
-')
-file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
-allow postfix_master_t sendmail_exec_t:file r_file_perms;
-allow postfix_master_t sbin_t:lnk_file { getattr read };
-ifdef(`pppd.te', `
-domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
-')
-can_exec(postfix_master_t, { ls_exec_t sbin_t })
-allow postfix_master_t self:fifo_file rw_file_perms;
-allow postfix_master_t usr_t:file r_file_perms;
-can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
-# chown is to set the correct ownership of queue dirs
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
-allow postfix_master_t postfix_public_t:sock_file create_file_perms;
-allow postfix_master_t postfix_public_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:sock_file create_file_perms;
-allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
-can_network(postfix_master_t)
-allow postfix_master_t port_type:tcp_socket name_connect;
-can_ypbind(postfix_master_t)
-allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
-allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
-allow postfix_master_t postfix_prng_t:file getattr;
-allow postfix_master_t privfd:fd use;
-allow postfix_master_t etc_aliases_t:file rw_file_perms;
-
-ifdef(`saslauthd.te',`
-allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
-allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
-can_unix_connect(postfix_smtpd_t,saslauthd_t)
-')
-
-create_dir_file(postfix_master_t, postfix_spool_flush_t)
-allow postfix_master_t postfix_prng_t:file rw_file_perms;
-# for ls to get the current context
-allow postfix_master_t self:file { getattr read };
-
-# allow access to deferred queue and allow removing bogus incoming entries
-allow postfix_master_t postfix_spool_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_t:file create_file_perms;
-
-dontaudit postfix_master_t man_t:dir search;
-
-define(`postfix_server_domain', `
-postfix_domain($1, `$2')
-domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
-allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow postfix_$1_t self:capability { setuid setgid dac_override };
-can_network_client(postfix_$1_t)
-allow postfix_$1_t port_type:tcp_socket name_connect;
-can_ypbind(postfix_$1_t)
-')
-
-postfix_server_domain(smtp, `, mail_server_sender')
-allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
-allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
-# if you have two different mail servers on the same host let them talk via
-# SMTP, also if one mail server wants to talk to itself then allow it and let
-# the SMTP protocol sort it out (SE Linux is not to prevent mail server
-# misconfiguration)
-can_tcp_connect(postfix_smtp_t, mail_server_domain)
-
-postfix_server_domain(smtpd)
-allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
-allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
-# for OpenSSL certificates
-r_dir_file(postfix_smtpd_t,usr_t)
-allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
-allow postfix_smtpd_t
self:file { getattr read }; - -# for prng_exch -allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; -allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms; - -postfix_server_domain(local, `, mta_delivery_agent') -ifdef(`procmail.te', ` -domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t) -# for a bug in the postfix local program -dontaudit procmail_t postfix_local_t:tcp_socket { read write }; -dontaudit procmail_t postfix_master_t:fd use; -') -allow postfix_local_t etc_aliases_t:file r_file_perms; -allow postfix_local_t self:fifo_file rw_file_perms; -allow postfix_local_t self:process { setsched setrlimit }; -allow postfix_local_t postfix_spool_t:file rw_file_perms; -# for .forward - maybe we need a new type for it? -allow postfix_local_t postfix_private_t:dir search; -allow postfix_local_t postfix_private_t:sock_file rw_file_perms; -allow postfix_local_t postfix_master_t:unix_stream_socket connectto; -allow postfix_local_t postfix_public_t:dir search; -allow postfix_local_t postfix_public_t:sock_file write; -can_exec(postfix_local_t, shell_exec_t) - -define(`postfix_public_domain',` -postfix_server_domain($1) -allow postfix_$1_t postfix_public_t:dir search; -') - -postfix_public_domain(cleanup) -create_dir_file(postfix_cleanup_t, postfix_spool_t) -allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms; -allow postfix_cleanup_t postfix_public_t:sock_file { getattr write }; -allow postfix_cleanup_t postfix_private_t:dir search; -allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms; -allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto; -allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms; -allow postfix_cleanup_t self:process setrlimit; - -allow user_mail_domain postfix_spool_t:dir r_dir_perms; -allow user_mail_domain postfix_etc_t:dir r_dir_perms; -allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms; -allow user_mail_domain self:capability dac_override; - 
-define(`postfix_user_domain', ` -postfix_domain($1, `$2') -domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) -in_user_role(postfix_$1_t) -role sysadm_r types postfix_$1_t; -allow postfix_$1_t userdomain:process sigchld; -allow postfix_$1_t userdomain:fifo_file { write getattr }; -allow postfix_$1_t { userdomain privfd }:fd use; -allow postfix_$1_t self:capability dac_override; -') - -postfix_user_domain(postqueue) -allow postfix_postqueue_t postfix_public_t:dir search; -allow postfix_postqueue_t postfix_public_t:fifo_file getattr; -allow postfix_postqueue_t self:udp_socket { create ioctl }; -allow postfix_postqueue_t self:tcp_socket create; -allow postfix_master_t postfix_postqueue_exec_t:file getattr; -domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -allow postfix_postqueue_t initrc_t:process sigchld; -allow postfix_postqueue_t initrc_t:fd use; - -# to write the mailq output, it really should not need read access! -allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr }; -ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;') - -# wants to write to /var/spool/postfix/public/showq -allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms; -allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto; -# write to /var/spool/postfix/public/qmgr -allow postfix_postqueue_t postfix_public_t:fifo_file write; -dontaudit postfix_postqueue_t net_conf_t:file r_file_perms; - -postfix_user_domain(showq) -# the following auto_trans is usually in postfix server domain -domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -can_resolve(postfix_showq_t) -r_dir_file(postfix_showq_t, postfix_spool_maildrop_t) -domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) -allow postfix_showq_t self:capability { setuid setgid }; -allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; -allow 
postfix_showq_t postfix_spool_t:file r_file_perms; -allow postfix_showq_t self:tcp_socket create_socket_perms; -allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write }; -dontaudit postfix_showq_t net_conf_t:file r_file_perms; - -postfix_user_domain(postdrop, `, mta_user_agent') -allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms; -allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms; -allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms; -allow postfix_postdrop_t postfix_public_t:dir search; -allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms; -dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write }; -dontaudit postfix_postdrop_t net_conf_t:file r_file_perms; -allow postfix_master_t postfix_postdrop_exec_t:file getattr; -ifdef(`crond.te', -`allow postfix_postdrop_t { crond_t system_crond_t }:fd use; -allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;') -# usually it does not need a UDP socket -allow postfix_postdrop_t self:udp_socket create_socket_perms; -allow postfix_postdrop_t self:tcp_socket create; -allow postfix_postdrop_t self:capability sys_resource; - -postfix_public_domain(pickup) -allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms; -allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms; -allow postfix_pickup_t postfix_private_t:dir search; -allow postfix_pickup_t postfix_private_t:sock_file write; -allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto; -allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms; -allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms; -allow postfix_pickup_t postfix_spool_maildrop_t:file unlink; -allow postfix_pickup_t self:tcp_socket create_socket_perms; - -postfix_public_domain(qmgr) -allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms; -allow postfix_qmgr_t postfix_public_t:sock_file write; -allow postfix_qmgr_t 
postfix_private_t:dir search; -allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms; -allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto; - -# for /var/spool/postfix/active -create_dir_file(postfix_qmgr_t, postfix_spool_t) - -postfix_public_domain(bounce) -type postfix_spool_bounce_t, file_type, sysadmfile; -create_dir_file(postfix_bounce_t, postfix_spool_bounce_t) -create_dir_file(postfix_bounce_t, postfix_spool_t) -allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms; -allow postfix_master_t postfix_spool_bounce_t:file getattr; -allow postfix_bounce_t self:capability dac_read_search; -allow postfix_bounce_t postfix_public_t:sock_file write; -allow postfix_bounce_t self:tcp_socket create_socket_perms; - -r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t) - -postfix_public_domain(pipe) -allow postfix_pipe_t postfix_spool_t:dir search; -allow postfix_pipe_t postfix_spool_t:file rw_file_perms; -allow postfix_pipe_t self:fifo_file { read write }; -allow postfix_pipe_t postfix_private_t:dir search; -allow postfix_pipe_t postfix_private_t:sock_file write; -ifdef(`procmail.te', ` -domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t) -') -ifdef(`sendmail.te', ` -r_dir_file(sendmail_t, postfix_etc_t) -allow sendmail_t postfix_spool_t:dir search; -') - -# Program for creating database files -application_domain(postfix_map) -base_file_read_access(postfix_map_t) -allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read }; -tmp_domain(postfix_map) -create_dir_file(postfix_map_t, postfix_etc_t) -allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; -dontaudit postfix_map_t proc_t:dir { getattr read search }; -dontaudit postfix_map_t local_login_t:fd use; -allow postfix_master_t postfix_map_exec_t:file rx_file_perms; -read_locale(postfix_map_t) -allow postfix_map_t self:capability setgid; -allow postfix_map_t self:unix_dgram_socket create_socket_perms; -dontaudit postfix_map_t var_t:dir 
search; -can_network_server(postfix_map_t) -allow postfix_map_t port_type:tcp_socket name_connect; -allow postfix_local_t mail_spool_t:dir { remove_name }; -allow postfix_local_t mail_spool_t:file { unlink }; -can_exec(postfix_local_t, bin_t) diff --git a/strict/domains/program/postgresql.te b/strict/domains/program/postgresql.te deleted file mode 100644 index a86d9d49..00000000 --- a/strict/domains/program/postgresql.te +++ /dev/null 
@@ -1,138 +0,0 @@ -#DESC Postgresql - Database server -# -# Author: Russell Coker -# X-Debian-Packages: postgresql -# - -################################# -# -# Rules for the postgresql_t domain. -# -# postgresql_exec_t is the type of the postgresql executable. -# -daemon_domain(postgresql) -allow initrc_t postgresql_exec_t:lnk_file read; -allow postgresql_t usr_t:file { getattr read }; - -allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; - -ifdef(`distro_debian', ` -can_exec(postgresql_t, initrc_exec_t) -# gross hack -domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t) -can_exec(postgresql_t, dpkg_exec_t) -') - -dontaudit postgresql_t sysadm_home_dir_t:dir search; - -# quiet ps and killall -dontaudit postgresql_t domain:dir { getattr search }; - -# for currect directory of scripts -allow postgresql_t { var_spool_t cron_spool_t }:dir search; - -# capability kill is for shutdown script -allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config }; -dontaudit postgresql_t self:capability sys_admin; - -etcdir_domain(postgresql) -type postgresql_db_t, file_type, sysadmfile; - -logdir_domain(postgresql) - -ifdef(`crond.te', ` -# allow crond to find /usr/lib/postgresql/bin/do.maintenance -allow crond_t postgresql_db_t:dir search; -system_crond_entry(postgresql_exec_t, postgresql_t) -') - -tmp_domain(postgresql, `', `{ dir file sock_file }') -file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t) - -# Use the network. 
-can_network(postgresql_t) -can_ypbind(postgresql_t) -allow postgresql_t self:fifo_file { getattr read write ioctl }; -allow postgresql_t self:unix_stream_socket create_stream_socket_perms; -can_unix_connect(postgresql_t, self) -allow postgresql_t self:unix_dgram_socket create_socket_perms; - -allow postgresql_t self:shm create_shm_perms; - -ifdef(`targeted_policy', `', ` -bool allow_user_postgresql_connect false; - -if (allow_user_postgresql_connect) { -# allow any user domain to connect to the database server -can_tcp_connect(userdomain, postgresql_t) -allow userdomain postgresql_t:unix_stream_socket connectto; -allow userdomain postgresql_var_run_t:sock_file write; -allow userdomain postgresql_tmp_t:sock_file write; -} -') -ifdef(`consoletype.te', ` -can_exec(postgresql_t, consoletype_exec_t) -') - -ifdef(`hostname.te', ` -can_exec(postgresql_t, hostname_exec_t) -') - -allow postgresql_t postgresql_port_t:tcp_socket name_bind; -allow postgresql_t auth_port_t:tcp_socket name_connect; - -allow postgresql_t { proc_t self }:file { getattr read }; - -# Allow access to the postgresql databases -create_dir_file(postgresql_t, postgresql_db_t) -file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t) -allow postgresql_t var_lib_t:dir { getattr search }; - -# because postgresql start scripts are broken and put the pid file in the DB -# directory -rw_dir_file(initrc_t, postgresql_db_t) - -# read config files -allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; -r_dir_file(initrc_t, postgresql_etc_t) - -allow postgresql_t etc_t:dir rw_dir_perms; - -read_sysctl(postgresql_t) - -allow postgresql_t devtty_t:chr_file { read write }; -allow postgresql_t devpts_t:dir search; - -allow postgresql_t { bin_t sbin_t }:dir search; -allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read }; -allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; - -allow postgresql_t self:sem create_sem_perms; - -allow postgresql_t initrc_var_run_t:file { 
getattr read lock }; -dontaudit postgresql_t selinux_config_t:dir search; -allow postgresql_t mail_spool_t:dir search; -lock_domain(postgresql) -can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } ) -ifdef(`apache.te', ` -# -# Allow httpd to work with postgresql -# -allow httpd_t postgresql_tmp_t:sock_file rw_file_perms; -can_unix_connect(httpd_t, postgresql_t) -') - -ifdef(`distro_gentoo', ` -# "su - postgres ..." is called from initrc_t -allow initrc_su_t postgresql_db_t:dir search; -allow postgresql_t initrc_su_t:process sigchld; -dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; -') - -dontaudit postgresql_t home_root_t:dir search; -can_kerberos(postgresql_t) -allow postgresql_t urandom_device_t:chr_file { getattr read }; - -if (allow_execmem) { -allow postgresql_t self:process execmem; -} diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te deleted file mode 100644 index 8499da71..00000000 --- a/strict/domains/program/pppd.te +++ /dev/null 
@@ -1,148 +0,0 @@ -#DESC PPPD - PPP daemon -# -# Author: Russell Coker -# X-Debian-Packages: ppp -# - -################################# -# -# Rules for the pppd_t domain, et al. -# -# pppd_t is the domain for the pppd program. -# pppd_exec_t is the type of the pppd executable. -# pppd_secret_t is the type of the pap and chap password files -# -bool pppd_for_user false; - -daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain') -type pppd_secret_t, file_type, sysadmfile; - -# Define a separate type for /etc/ppp -etcdir_domain(pppd) -# Define a separate type for writable files under /etc/ppp -type pppd_etc_rw_t, file_type, sysadmfile; -# Automatically label newly created files under /etc/ppp with this type -file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) - -# for SSP -allow pppd_t urandom_device_t:chr_file read; - -allow pppd_t sysfs_t:dir search; - -log_domain(pppd) - -# Use the network. -can_network_server(pppd_t) -can_ypbind(pppd_t) - -# Use capabilities. -allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module }; -lock_domain(pppd) - -# Access secret files -allow pppd_t pppd_secret_t:file r_file_perms; - -ifdef(`postfix.te', ` -allow pppd_t postfix_etc_t:dir search; -allow pppd_t postfix_etc_t:file r_file_perms; -allow pppd_t postfix_master_exec_t:file { getattr read }; -allow postfix_postqueue_t pppd_t:fd use; -allow postfix_postqueue_t pppd_t:process sigchld; -') - -# allow running ip-up and ip-down scripts and running chat. -can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t }) -allow pppd_t { bin_t sbin_t }:dir search; -allow pppd_t { sbin_t bin_t }:lnk_file read; -allow ifconfig_t pppd_t:fd use; - -# Access /dev/ppp. 
-allow pppd_t ppp_device_t:chr_file rw_file_perms; -allow pppd_t devtty_t:chr_file { read write }; - -allow pppd_t self:unix_dgram_socket create_socket_perms; -allow pppd_t self:unix_stream_socket create_socket_perms; - -allow pppd_t proc_t:dir search; -allow pppd_t proc_t:{ file lnk_file } r_file_perms; -allow pppd_t proc_net_t:dir { read search }; -allow pppd_t proc_net_t:file r_file_perms; - -allow pppd_t etc_runtime_t:file r_file_perms; - -allow pppd_t self:socket create_socket_perms; - -allow pppd_t tty_device_t:chr_file { setattr rw_file_perms }; - -allow pppd_t devpts_t:dir search; - -# for scripts -allow pppd_t self:fifo_file rw_file_perms; -allow pppd_t etc_t:lnk_file read; - -# for ~/.ppprc - if it actually exists then you need some policy to read it -allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; - -in_user_role(pppd_t) -if (pppd_for_user) { -# Run pppd in pppd_t by default for user -domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t) -allow unpriv_userdomain pppd_t:process signal; -} - -# for pppoe -can_create_pty(pppd) -allow pppd_t self:file { read getattr }; - -allow pppd_t self:packet_socket create_socket_perms; - -file_type_auto_trans(pppd_t, etc_t, net_conf_t, file) -tmp_domain(pppd) -allow pppd_t sysctl_net_t:dir search; -allow pppd_t sysctl_net_t:file r_file_perms; -allow pppd_t self:netlink_route_socket r_netlink_socket_perms; -allow pppd_t initrc_var_run_t:file r_file_perms; -dontaudit pppd_t initrc_var_run_t:file { lock write }; - -# pppd needs to load kernel modules for certain modems -bool pppd_can_insmod false; -if (pppd_can_insmod) { -ifdef(`modutil.te', ` -domain_auto_trans(pppd_t, insmod_exec_t, insmod_t) -') -} - -daemon_domain(pptp, `, nscd_client_domain') -can_network_client_tcp(pptp_t) -allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect; -can_exec(pptp_t, hostname_exec_t) -domain_auto_trans(pppd_t, pptp_exec_t, pptp_t) -allow pptp_t self:rawip_socket create_socket_perms; -allow 
pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow pptp_t self:unix_dgram_socket create_socket_perms; -can_exec(pptp_t, pppd_etc_rw_t) -allow pptp_t devpts_t:chr_file ioctl; -r_dir_file(pptp_t, pppd_etc_rw_t) -r_dir_file(pptp_t, pppd_etc_t) -allow pptp_t devpts_t:dir search; -allow pppd_t devpts_t:chr_file ioctl; -allow pppd_t pptp_t:process signal; -allow pptp_t self:capability net_raw; -allow pptp_t self:fifo_file { read write }; -allow pptp_t ptmx_t:chr_file rw_file_perms; -log_domain(pptp) - -# Fix sockets -allow pptp_t pptp_var_run_t:sock_file create_file_perms; - -# Allow pptp to append to pppd log files -allow pptp_t pppd_log_t:file append; - -ifdef(`named.te', ` -dontaudit ndc_t pppd_t:fd use; -') - -# Allow /etc/ppp/ip-{up,down} to run most anything -type pppd_script_exec_t, file_type, sysadmfile; -domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t) -allow pppd_t initrc_t:process noatsecure; diff --git a/strict/domains/program/prelink.te b/strict/domains/program/prelink.te deleted file mode 100644 index 3ffa0d7b..00000000 --- a/strict/domains/program/prelink.te +++ /dev/null 
@@ -1,50 +0,0 @@
-#DESC PRELINK - Security Enhanced version of the GNU Prelink
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the prelink_t domain.
-#
-# prelink_exec_t is the type of the prelink executable.
-#
-daemon_base_domain(prelink, `, admin, privowner')
-
-allow prelink_t self:process { execheap execmem execstack };
-allow prelink_t texrel_shlib_t:file execmod;
-allow prelink_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(prelink_exec_t, prelink_t)
-allow system_crond_t prelink_log_t:dir rw_dir_perms;
-allow system_crond_t prelink_log_t:file create_file_perms;
-allow system_crond_t prelink_cache_t:file { getattr read unlink };
-allow prelink_t crond_log_t:file append;
-')
-
-logdir_domain(prelink)
-type etc_prelink_t, file_type, sysadmfile;
-type var_lock_prelink_t, file_type, sysadmfile, lockfile;
-
-allow prelink_t etc_prelink_t:file { getattr read };
-allow prelink_t file_type:dir rw_dir_perms;
-allow prelink_t file_type:lnk_file r_file_perms;
-allow prelink_t file_type:file getattr;
-allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
-allow prelink_t ld_so_t:file execute_no_trans;
-
-allow prelink_t self:capability { chown dac_override fowner fsetid };
-allow prelink_t self:fifo_file rw_file_perms;
-allow prelink_t self:file { getattr read };
-dontaudit prelink_t sysctl_kernel_t:dir search;
-dontaudit prelink_t sysctl_t:dir search;
-allow prelink_t etc_runtime_t:file { getattr read };
-read_locale(prelink_t)
-allow prelink_t urandom_device_t:chr_file read;
-allow prelink_t proc_t:file { getattr read };
-#
-# prelink_cache_t is the type of /etc/prelink.cache.
-#
-type prelink_cache_t, file_type, sysadmfile;
-file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file)
diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te
deleted file mode 100644
index b8a522df..00000000
--- a/strict/domains/program/privoxy.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC privoxy - privacy enhancing proxy
-#
-# Authors: Dan Walsh
-#
-#
-
-#################################
-#
-# Rules for the privoxy_t domain.
-#
-daemon_domain(privoxy, `, web_client_domain')
-
-logdir_domain(privoxy)
-
-# Use capabilities.
-allow privoxy_t self:capability net_bind_service;
-
-# Use the network.
-can_network_tcp(privoxy_t)
-can_ypbind(privoxy_t)
-can_resolve(privoxy_t)
-allow privoxy_t http_cache_port_t:tcp_socket name_bind;
-allow privoxy_t etc_t:file { getattr read };
-allow privoxy_t self:capability { setgid setuid };
-allow privoxy_t self:unix_stream_socket create_socket_perms ;
-allow privoxy_t admin_tty_type:chr_file { read write };
-
diff --git a/strict/domains/program/procmail.te b/strict/domains/program/procmail.te
deleted file mode 100644
index fbf044d8..00000000
--- a/strict/domains/program/procmail.te
+++ /dev/null
@@ -1,89 +0,0 @@
-#DESC Procmail - Mail delivery agent for mail servers
-#
-# Author: Russell Coker
-# X-Debian-Packages: procmail
-#
-
-#################################
-#
-# Rules for the procmail_t domain.
-#
-# procmail_exec_t is the type of the procmail executable.
-#
-# privhome only works until we define a different type for maildir
-type procmail_t, domain, privlog, privhome, nscd_client_domain;
-type procmail_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types procmail_t;
-
-uses_shlib(procmail_t)
-allow procmail_t device_t:dir search;
-can_network_server(procmail_t)
-nsswitch_domain(procmail_t)
-
-allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-
-allow procmail_t etc_t:dir r_dir_perms;
-allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
-allow procmail_t etc_t:lnk_file read;
-read_locale(procmail_t)
-read_sysctl(procmail_t)
-
-allow procmail_t sysctl_t:dir search;
-
-allow procmail_t self:process { setsched fork sigchld signal };
-dontaudit procmail_t sbin_t:dir { getattr search };
-can_exec(procmail_t, { bin_t shell_exec_t })
-allow procmail_t bin_t:dir { getattr search };
-allow procmail_t bin_t:lnk_file read;
-allow procmail_t self:fifo_file rw_file_perms;
-
-allow procmail_t self:unix_stream_socket create_socket_perms;
-allow procmail_t self:unix_dgram_socket create_socket_perms;
-
-# for /var/mail
-rw_dir_create_file(procmail_t, mail_spool_t)
-
-allow procmail_t var_t:dir { getattr search };
-allow procmail_t var_spool_t:dir r_dir_perms;
-
-allow procmail_t fs_t:filesystem getattr;
-allow procmail_t { self proc_t }:dir search;
-allow procmail_t proc_t:file { getattr read };
-allow procmail_t { self proc_t }:lnk_file read;
-
-# for if /var/mail is a symlink to /var/spool/mail
-#allow procmail_t mail_spool_t:lnk_file r_file_perms;
-
-# for spamassasin
-allow procmail_t usr_t:file { getattr ioctl read };
-ifdef(`spamassassin.te', `
-can_exec(procmail_t, spamassassin_exec_t)
-can_resolve(procmail_t)
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-ifdef(`targeted_policy', `
-can_resolve(procmail_t)
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-
-# Search /var/run.
-allow procmail_t var_run_t:dir { getattr search };
-
-# Do not audit attempts to access /root.
-dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
-
-allow procmail_t devtty_t:chr_file { read write };
-
-allow procmail_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`sendmail.te', `
-r_dir_file(procmail_t, etc_mail_t)
-allow procmail_t sendmail_t:tcp_socket { read write };
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit procmail_t mqueue_spool_t:file { getattr read write };
-')
diff --git a/strict/domains/program/quota.te b/strict/domains/program/quota.te
deleted file mode 100644
index 73740535..00000000
--- a/strict/domains/program/quota.te
+++ /dev/null
@@ -1,59 +0,0 @@
-#DESC Quota - File system quota management utilities
-#
-# Author: Russell Coker
-# X-Debian-Packages: quota quotatool
-#
-
-#################################
-#
-# Rules for the quota_t domain.
-#
-# needs auth attribute because it has read access to shadow_t because checkquota
-# is buggy
-daemon_base_domain(quota, `, auth, fs_domain')
-
-# so the administrator can run quotacheck
-domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
-role sysadm_r types quota_t;
-allow quota_t admin_tty_type:chr_file { read write };
-
-type quota_flag_t, file_type, sysadmfile;
-type quota_db_t, file_type, sysadmfile;
-
-rw_dir_create_file(initrc_t, quota_flag_t)
-
-allow quota_t fs_t:filesystem { getattr quotaget quotamod remount };
-# quotacheck creates new quota_db_t files
-file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
-# for some reason it wants dac_override not dac_read_search
-allow quota_t self:capability { sys_admin dac_override };
-allow quota_t file_type:{ fifo_file sock_file } getattr;
-allow quota_t file_t:file quotaon;
-
-# for quotacheck
-allow quota_t file_type:dir r_dir_perms;
-# The following line is apparently necessary, although read and
-# ioctl seem to be more than should be required.
-allow quota_t file_type:file { getattr read ioctl };
-allow quota_t file_type:{ fifo_file sock_file } getattr;
-allow quota_t file_type:lnk_file { read getattr };
-allow quota_t device_type:{ chr_file blk_file } getattr;
-
-allow quota_t fixed_disk_device_t:blk_file { getattr read };
-
-# for /quota.*
-allow quota_t quota_db_t:file { read write };
-dontaudit unpriv_userdomain quota_db_t:file getattr;
-allow quota_t quota_db_t:file quotaon;
-
-# Read /etc/mtab.
-allow quota_t etc_runtime_t:file { read getattr };
-
-allow quota_t device_t:dir r_dir_perms;
-allow quota_t fixed_disk_device_t:blk_file getattr;
-allow quota_t boot_t:dir r_dir_perms;
-allow quota_t sysctl_t:dir { getattr search };
-
-allow quota_t initrc_devpts_t:chr_file rw_file_perms;
-
-allow quota_t proc_t:file getattr;
diff --git a/strict/domains/program/radius.te b/strict/domains/program/radius.te
deleted file mode 100644
index 5d029236..00000000
--- a/strict/domains/program/radius.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC RADIUS - Radius server
-#
-# Author: Russell Coker
-# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius
-#
-
-#################################
-#
-# Rules for the radiusd_t domain.
-#
-# radiusd_exec_t is the type of the radiusd executable.
-#
-daemon_domain(radiusd, `, auth')
-
-etcdir_domain(radiusd)
-
-system_crond_entry(radiusd_exec_t, radiusd_t)
-
-allow radiusd_t self:process setsched;
-
-allow radiusd_t proc_t:file { read getattr };
-
-dontaudit radiusd_t sysadm_home_dir_t:dir getattr;
-
-# allow pthreads to read kernel version
-read_sysctl(radiusd_t)
-
-# read config files
-allow radiusd_t etc_t:dir r_dir_perms;
-allow radiusd_t { etc_t etc_runtime_t }:file { read getattr };
-allow radiusd_t etc_t:lnk_file read;
-
-# write log files
-logdir_domain(radiusd)
-allow radiusd_t radiusd_log_t:dir create;
-
-allow radiusd_t usr_t:file r_file_perms;
-
-can_exec(radiusd_t, lib_t)
-can_exec(radiusd_t, { bin_t shell_exec_t })
-allow radiusd_t { bin_t sbin_t }:dir search;
-allow radiusd_t bin_t:lnk_file read;
-
-allow radiusd_t devtty_t:chr_file { read write };
-allow radiusd_t self:fifo_file rw_file_perms;
-# fsetid is for gzip which needs it when run from scripts
-# gzip also needs chown access to preserve GID for radwtmp files
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-
-can_network_server(radiusd_t)
-can_ypbind(radiusd_t)
-allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
-
-# for RADIUS proxy port
-allow radiusd_t port_t:udp_socket name_bind;
-
-ifdef(`snmpd.te', `
-can_tcp_connect(radiusd_t, snmpd_t)
-')
-ifdef(`logrotate.te', `
-can_exec(radiusd_t, logrotate_exec_t)
-')
-can_udp_send(sysadm_t, radiusd_t)
-can_udp_send(radiusd_t, sysadm_t)
-
-allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/strict/domains/program/radvd.te b/strict/domains/program/radvd.te
deleted file mode 100644
index 868ef8bf..00000000
--- a/strict/domains/program/radvd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC Radv - IPv6 route advisory daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: radvd
-#
-
-#################################
-#
-# Rules for the radvd_t domain.
-#
-daemon_domain(radvd)
-
-etc_domain(radvd)
-allow radvd_t etc_t:file { getattr read };
-
-allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
-
-allow radvd_t self:capability { setgid setuid net_raw };
-allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
-allow radvd_t self:unix_stream_socket create_socket_perms;
-
-can_network_server(radvd_t)
-can_ypbind(radvd_t)
-
-allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
-allow radvd_t { proc_t proc_net_t }:file { getattr read };
-allow radvd_t etc_t:lnk_file read;
-
-allow radvd_t sysctl_net_t:file r_file_perms;
-allow radvd_t sysctl_net_t:dir r_dir_perms;
diff --git a/strict/domains/program/rdisc.te b/strict/domains/program/rdisc.te
deleted file mode 100644
index 79331fab..00000000
--- a/strict/domains/program/rdisc.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC rdisc - network router discovery daemon
-#
-# Author: Russell Coker
-
-daemon_base_domain(rdisc)
-allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
-allow rdisc_t self:rawip_socket create_socket_perms;
-allow rdisc_t self:udp_socket create_socket_perms;
-allow rdisc_t self:capability net_raw;
-
-can_network_udp(rdisc_t)
-
-allow rdisc_t etc_t:file { getattr read };
diff --git a/strict/domains/program/readahead.te b/strict/domains/program/readahead.te
deleted file mode 100644
index dde8e379..00000000
--- a/strict/domains/program/readahead.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC readahead - read files in page cache
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for readahead
-#
-
-daemon_domain(readahead)
-#
-# readahead asks for these
-#
-allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
-allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
-dontaudit readahead_t shadow_t:file { getattr read };
-allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
-dontaudit readahead_t file_type:sock_file getattr;
-allow readahead_t proc_t:file { getattr read };
-dontaudit readahead_t device_type:blk_file read;
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
deleted file mode 100644
index 52fff2f0..00000000
--- a/strict/domains/program/restorecon.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC restorecon - Restore or check the context of a file
-#
-# Authors: Russell Coker
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the restorecon_t domain.
-#
-# restorecon_exec_t is the type of the restorecon executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type restorecon_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types restorecon_t;
-role sysadm_r types restorecon_t;
-role secadm_r types restorecon_t;
-
-can_access_pty(restorecon_t, initrc)
-allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
-
-domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
-allow restorecon_t { userdomain init_t privfd }:fd use;
-
-uses_shlib(restorecon_t)
-allow restorecon_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that restorecon can not be run!
-allow restorecon_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(restorecon_t)
-
-r_dir_file(restorecon_t, policy_config_t)
-
-allow restorecon_t file_type:dir r_dir_perms;
-allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
-allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
-allow restorecon_t unlabeled_t:dir read;
-allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-ifdef(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
-')
-ifdef(`dpkg.te', `
-domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
-')
-
-allow restorecon_t ptyfile:chr_file getattr;
-
-allow restorecon_t fs_t:filesystem getattr;
-
-allow restorecon_t etc_runtime_t:file { getattr read };
-allow restorecon_t etc_t:file { getattr read };
-allow restorecon_t proc_t:file { getattr read };
-dontaudit restorecon_t proc_t:lnk_file { getattr read };
-
-allow restorecon_t device_t:file { read write };
-allow restorecon_t kernel_t:fd use;
-allow restorecon_t kernel_t:fifo_file { read write };
-allow restorecon_t kernel_t:unix_dgram_socket { read write };
-r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-allow restorecon_t autofs_t:dir search;
diff --git a/strict/domains/program/rhgb.te b/strict/domains/program/rhgb.te
deleted file mode 100644
index 5d176e9d..00000000
--- a/strict/domains/program/rhgb.te
+++ /dev/null
@@ -1,100 +0,0 @@
-#DESC rhgb - Red Hat Graphical Boot
-#
-# Author: Russell Coker
-# Depends: xdm.te gnome-pty-helper.te xserver.te
-
-daemon_base_domain(rhgb)
-
-allow rhgb_t { bin_t sbin_t }:dir search;
-allow rhgb_t bin_t:lnk_file read;
-
-domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
-domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
-can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })
-
-allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
-allow rhgb_t self:fifo_file rw_file_perms;
-
-# for gnome-pty-helper
-gph_domain(rhgb, system)
-allow initrc_t rhgb_gph_t:fd use;
-
-allow rhgb_t proc_t:file { getattr read };
-
-allow rhgb_t devtty_t:chr_file { read write };
-allow rhgb_t tty_device_t:chr_file rw_file_perms;
-
-read_locale(rhgb_t)
-allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
-
-# for ramfs file systems
-allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
-allow rhgb_t ramfs_t:sock_file create_file_perms;
-allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
-allow insmod_t ramfs_t:file write;
-allow insmod_t rhgb_t:fd use;
-
-allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t mnt_t:dir { search mounton };
-allow rhgb_t self:capability { sys_admin sys_tty_config };
-dontaudit rhgb_t var_run_t:dir search;
-
-can_network_client(rhgb_t)
-allow rhgb_t port_type:tcp_socket name_connect;
-can_ypbind(rhgb_t)
-
-allow rhgb_t usr_t:{ file lnk_file } { getattr read };
-
-# for running setxkbmap
-r_dir_file(rhgb_t, xkb_var_lib_t)
-
-# for localization
-allow rhgb_t lib_t:file { getattr read };
-
-allow rhgb_t initctl_t:fifo_file write;
-
-ifdef(`hide_broken_symptoms', `
-# it should not do this
-dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-')dnl end hide_broken_symptoms
-
-can_create_pty(rhgb)
-
-allow rhgb_t self:shm create_shm_perms;
-allow xdm_xserver_t rhgb_t:shm rw_shm_perms;
-
-can_unix_connect(initrc_t, rhgb_t)
-tmpfs_domain(rhgb)
-allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
-
-read_fonts(rhgb_t)
-
-# for nscd
-dontaudit rhgb_t var_t:dir search;
-
-ifdef(`hide_broken_symptoms', `
-# for a bug in the X server
-dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
-dontaudit insmod_t serial_device:chr_file { read write };
-dontaudit mount_t rhgb_gph_t:fd use;
-dontaudit mount_t rhgb_t:unix_stream_socket { read write };
-dontaudit mount_t ptmx_t:chr_file { read write };
-')dnl end hide_broken_symptoms
-
-ifdef(`firstboot.te', `
-allow rhgb_t firstboot_rw_t:file r_file_perms;
-')
-allow rhgb_t tmp_t:dir search;
-allow rhgb_t xdm_xserver_t:process sigkill;
-allow domain rhgb_devpts_t:chr_file { read write };
-ifdef(`fsadm.te', `
-dontaudit fsadm_t ramfs_t:fifo_file write;
-')
-allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
-dontaudit rhgb_t default_t:file read;
-
-allow initrc_t ramfs_t:dir search;
-allow initrc_t ramfs_t:sock_file write;
-allow initrc_t rhgb_t:unix_stream_socket { read write };
-
-allow rhgb_t default_t:file { getattr read };
diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te
deleted file mode 100644
index 88af4e4f..00000000
--- a/strict/domains/program/rlogind.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC Rlogind - Remote login daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: rsh-client rsh-redone-client
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rlogind_t domain.
-#
-remote_login_daemon(rlogind)
-typeattribute rlogind_t auth_chkpwd;
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
-')
-
-# for /usr/lib/telnetlogin
-can_exec(rlogind_t, rlogind_exec_t)
-
-# Use capabilities.
-allow rlogind_t self:capability { net_bind_service };
-
-# Run login in remote_login_t.
-allow remote_login_t inetd_t:fd use;
-allow remote_login_t inetd_t:tcp_socket rw_file_perms;
-
-# Send SIGCHLD to inetd on death.
-allow rlogind_t inetd_t:process sigchld;
-
-allow rlogind_t home_dir_type:dir search;
-allow rlogind_t home_type:file { getattr read };
-allow rlogind_t self:file { getattr read };
-allow rlogind_t default_t:dir search;
-typealias rlogind_port_t alias rlogin_port_t;
-read_sysctl(rlogind_t);
-ifdef(`kerberos.te', `
-allow rlogind_t krb5_keytab_t:file { getattr read };
-')
diff --git a/strict/domains/program/roundup.te b/strict/domains/program/roundup.te
deleted file mode 100644
index 4c3e97a2..00000000
--- a/strict/domains/program/roundup.te
+++ /dev/null
@@ -1,29 +0,0 @@ -# Roundup Issue Tracking System -# -# Authors: W. Michael Petullo and Timothy Fraser -# Russell Coker -# Depends: portmap.te -# X-Debian-Packages: nfs-common -# - -################################# -# -# Rules for the rpcd_t and nfsd_t domain. -# -define(`rpc_domain', ` -ifdef(`targeted_policy', ` -daemon_base_domain($1, `, transitionbool') -', ` -daemon_base_domain($1) -') -can_network($1_t) -allow $1_t port_type:tcp_socket name_connect; -can_ypbind($1_t) -allow $1_t { etc_runtime_t etc_t }:file { getattr read }; -read_locale($1_t) -allow $1_t self:capability net_bind_service; -dontaudit $1_t self:capability net_admin; - -allow $1_t var_t:dir { getattr search }; -allow $1_t var_lib_t:dir search; -allow $1_t var_lib_nfs_t:dir create_dir_perms; -allow $1_t var_lib_nfs_t:file create_file_perms; -# do not log when it tries to bind to a port belonging to another domain -dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind; -allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind; -allow $1_t self:netlink_route_socket r_netlink_socket_perms; -allow $1_t self:unix_dgram_socket create_socket_perms; -allow $1_t self:unix_stream_socket create_stream_socket_perms; -# bind to arbitary unused ports -allow $1_t port_t:{ tcp_socket udp_socket } name_bind; -allow $1_t sysctl_rpc_t:dir search; -allow $1_t sysctl_rpc_t:file rw_file_perms; -') - -type exports_t, file_type, sysadmfile; -dontaudit userdomain exports_t:file getattr; - -# rpcd_t is the domain of rpc daemons. -# rpcd_exec_t is the type of rpc daemon programs. 
-#
-rpc_domain(rpcd)
-var_run_domain(rpcd)
-allow rpcd_t rpcd_var_run_t:dir setattr;
-
-# for rpc.rquotad
-allow rpcd_t sysctl_t:dir r_dir_perms;
-allow rpcd_t self:fifo_file rw_file_perms;
-
-# rpcd_t needs to talk to the portmap_t domain
-can_udp_send(rpcd_t, portmap_t)
-
-allow initrc_t exports_t:file r_file_perms;
-ifdef(`distro_redhat', `
-allow rpcd_t self:capability { chown dac_override setgid setuid };
-# for /etc/rc.d/init.d/nfs to create /etc/exports
-allow initrc_t exports_t:file write;
-')
-
-allow rpcd_t self:file { getattr read };
-
-# nfs kernel server needs kernel UDP access. It is less risky and painful
-# to just give it everything.
-can_network_server(kernel_t)
-#can_udp_send(kernel_t, rpcd_t)
-#can_udp_send(rpcd_t, kernel_t)
-
-rpc_domain(nfsd)
-domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
-role sysadm_r types nfsd_t;
-
-# for /proc/fs/nfs/exports - should we have a new type?
-allow nfsd_t proc_t:file r_file_perms;
-allow nfsd_t proc_net_t:dir search;
-allow nfsd_t exports_t:file { getattr read };
-
-allow nfsd_t nfsd_fs_t:filesystem mount;
-allow nfsd_t nfsd_fs_t:dir search;
-allow nfsd_t nfsd_fs_t:file rw_file_perms;
-allow initrc_t sysctl_rpc_t:dir search;
-allow initrc_t sysctl_rpc_t:file rw_file_perms;
-
-type nfsd_rw_t, file_type, sysadmfile, usercanread;
-type nfsd_ro_t, file_type, sysadmfile, usercanread;
-
-bool nfs_export_all_rw false;
-
-if(nfs_export_all_rw) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t, noexattrfile)
-create_dir_file(kernel_t,{ file_type -shadow_t })
-}
-
-dontaudit kernel_t shadow_t:file getattr;
-
-bool nfs_export_all_ro false;
-
-if(nfs_export_all_ro) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
-}
-
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
-create_dir_file(kernel_t, nfsd_rw_t);
-r_dir_file(kernel_t, nfsd_ro_t);
-
-allow kernel_t nfsd_t:udp_socket rw_socket_perms;
-can_udp_send(kernel_t, nfsd_t)
-can_udp_send(nfsd_t, kernel_t)
-
-# does not really need this, but it is easier to just allow it
-allow nfsd_t var_run_t:dir search;
-
-allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_type:filesystem getattr;
-
-can_udp_send(nfsd_t, portmap_t)
-can_udp_send(portmap_t, nfsd_t)
-
-can_tcp_connect(nfsd_t, portmap_t)
-
-# for exportfs and rpc.mountd
-allow nfsd_t tmp_t:dir getattr;
-
-r_dir_file(rpcd_t, rpc_pipefs_t)
-allow rpcd_t rpc_pipefs_t:sock_file { read write };
-dontaudit rpcd_t selinux_config_t:dir { search };
-allow rpcd_t proc_net_t:dir search;
-
-
-rpc_domain(gssd)
-can_kerberos(gssd_t)
-ifdef(`kerberos.te', `
-allow gssd_t krb5_keytab_t:file r_file_perms;
-')
-allow gssd_t urandom_device_t:chr_file { getattr read };
-r_dir_file(gssd_t, tmp_t)
-tmp_domain(gssd)
-allow gssd_t self:fifo_file { read write };
-r_dir_file(gssd_t, proc_net_t)
-allow gssd_t rpc_pipefs_t:dir r_dir_perms;
-allow gssd_t rpc_pipefs_t:sock_file { read write };
-allow gssd_t rpc_pipefs_t:file r_file_perms;
-allow gssd_t self:capability { dac_override dac_read_search setuid };
-allow nfsd_t devtty_t:chr_file rw_file_perms;
-allow rpcd_t devtty_t:chr_file rw_file_perms;
-
-bool allow_gssd_read_tmp true;
-if (allow_gssd_read_tmp) {
-ifdef(`targeted_policy', `
-r_dir_file(gssd_t, tmp_t)
-', `
-r_dir_file(gssd_t, user_tmpfile)
-')
-}
diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te
deleted file mode 100644
index 8405e84f..00000000
--- a/strict/domains/program/rpm.te
+++ /dev/null
@@ -1,260 +0,0 @@
-#DESC RPM - Red Hat package management
-#
-# X-Debian-Packages:
-#################################
-#
-# Rules for running the Redhat Package Manager (RPM) tools.
-#
-# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
-# rpm_exec_t is the type of the rpm executables.
-# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
-# rpm_var_lib_t is the type for rpm files in /var/lib
-#
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
-role system_r types rpm_t;
-uses_shlib(rpm_t)
-type rpm_exec_t, file_type, sysadmfile, exec_type;
-
-general_domain_access(rpm_t)
-can_ps(rpm_t, domain)
-allow rpm_t self:process setrlimit;
-system_crond_entry(rpm_exec_t, rpm_t)
-role sysadm_r types rpm_t;
-domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
-
-type rpm_file_t, file_type, sysadmfile;
-
-tmp_domain(rpm)
-
-tmpfs_domain(rpm)
-
-log_domain(rpm)
-
-can_network(rpm_t)
-allow rpm_t port_type:tcp_socket name_connect;
-can_ypbind(rpm_t)
-
-# Allow the rpm domain to execute other programs
-can_exec_any(rpm_t)
-
-# Capabilties needed by rpm utils
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
-
-# Access /var/lib/rpm files
-var_lib_domain(rpm)
-allow userdomain var_lib_t:dir { getattr search };
-r_dir_file(userdomain, rpm_var_lib_t)
-r_dir_file(rpm_t, proc_t)
-
-allow rpm_t sysfs_t:dir r_dir_perms;
-allow rpm_t usbdevfs_t:dir r_dir_perms;
-
-# for installing kernel packages
-allow rpm_t fixed_disk_device_t:blk_file { getattr read };
-
-# Access terminals.
-allow rpm_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
-allow rpm_t privfd:fd use;
-allow rpm_t devtty_t:chr_file rw_file_perms;
-
-domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
-
-ifdef(`cups.te', `
-r_dir_file(cupsd_t, rpm_var_lib_t)
-allow cupsd_t initrc_exec_t:file { getattr read };
-domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
-')
-
-# for a bug in rm
-dontaudit initrc_t pidfile:file write;
-
-# bash tries to access a block device in the initrd
-dontaudit initrc_t unlabeled_t:blk_file getattr;
-
-# bash tries ioctl for some reason
-dontaudit initrc_t pidfile:file ioctl;
-
-allow rpm_t autofs_t:dir { search getattr };
-allow rpm_t autofs_t:filesystem getattr;
-allow rpm_script_t autofs_t:dir { search getattr };
-allow rpm_t devpts_t:dir { setattr r_dir_perms };
-allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr;
-dontaudit rpm_t security_t:filesystem getattr;
-can_getcon(rpm_t)
-can_setfscreate(rpm_t)
-can_setexec(rpm_t)
-read_sysctl(rpm_t)
-general_domain_access(rpm_script_t)
-
-# read/write/create any files in the system
-allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow rpm_t sysfs_t:filesystem getattr;
-allow rpm_t tmpfs_t:filesystem getattr;
-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-# needs rw permission to the directory for an rpm package that includes a mount
-# point
-allow rpm_t fs_type:dir { setattr rw_dir_perms };
-allow rpm_t fs_type:filesystem getattr;
-
-# allow compiling and loading new policy
-create_dir_file(rpm_t, { policy_src_t policy_config_t })
-
-can_getsecurity({ rpm_t rpm_script_t })
-dontaudit rpm_t shadow_t:file { getattr read };
-allow rpm_t urandom_device_t:chr_file read;
-allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
-allow rpm_t ttyfile:chr_file unlink;
-allow rpm_script_t tty_device_t:chr_file getattr;
-allow rpm_script_t devpts_t:dir search;
-allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
-
-allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
-
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
-# policy for rpm scriptlet
-role system_r types rpm_script_t;
-uses_shlib(rpm_script_t)
-read_locale(rpm_script_t)
-
-can_ps(rpm_script_t, domain)
-
-ifdef(`lpd.te', `
-can_exec(rpm_script_t, printconf_t)
-')
-
-read_sysctl(rpm_script_t)
-
-type rpm_script_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types rpm_script_t;
-domain_trans(rpm_t, shell_exec_t, rpm_script_t)
-ifdef(`hide_broken_symptoms', `
-ifdef(`pamconsole.te', `
-domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
-')
-')
-
-tmp_domain(rpm_script)
-
-tmpfs_domain(rpm_script)
-
-# Allow the rpm domain to execute other programs
-can_exec_any(rpm_script_t)
-
-# Capabilties needed by rpm scripts utils
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-
-# ideally we would not need this
-allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;
-
-# for kernel package installation
-ifdef(`mount.te', `
-allow mount_t rpm_t:fifo_file rw_file_perms;
-')
-
-# Commonly used from postinst scripts
-ifdef(`consoletype.te', `
-allow consoletype_t rpm_t:fifo_file r_file_perms;
-')
-ifdef(`crond.te', `
-allow crond_t rpm_t:fifo_file r_file_perms;
-')
-
-allow rpm_script_t proc_t:dir r_dir_perms;
-allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
-
-allow rpm_script_t devtty_t:chr_file rw_file_perms;
-allow rpm_script_t devpts_t:dir r_dir_perms;
-allow rpm_script_t admin_tty_type:chr_file rw_file_perms;
-allow rpm_script_t etc_runtime_t:file { getattr read };
-allow rpm_script_t privfd:fd use;
-allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
-
-allow rpm_script_t urandom_device_t:chr_file read;
-
-ifdef(`ssh-agent.te', `
-domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-
-ifdef(`useradd.te', `
-domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
-domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-allow { useradd_t groupadd_t } rpm_t:fd use;
-allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
-')
-
-domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
-
-domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
-role sysadm_r types initrc_t;
-domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
-ifdef(`bootloader.te', `
-domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
-allow bootloader_t rpm_t:fifo_file rw_file_perms;
-')
-
-domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t)
-
-rw_dir_file(rpm_script_t, nfs_t)
-allow rpm_script_t nfs_t:filesystem getattr;
-
-allow rpm_script_t fs_t:filesystem { getattr mount unmount };
-allow rpm_script_t rpm_script_tmp_t:dir mounton;
-can_exec(rpm_script_t, usr_t)
-can_exec(rpm_script_t, sbin_t)
-
-allow rpm_t mount_t:tcp_socket write;
-create_dir_file(rpm_t, nfs_t)
-allow rpm_t { removable_t nfs_t }:filesystem getattr;
-
-allow rpm_script_t userdomain:fd use;
-
-allow domain rpm_t:fifo_file r_file_perms;
-allow domain rpm_t:fd use;
-
-ifdef(`ssh.te', `
-allow sshd_t rpm_script_t:fd use;
-allow sshd_t rpm_t:fd use;
-')
-
-dontaudit rpm_script_t shadow_t:file getattr;
-allow rpm_script_t sysfs_t:dir r_dir_perms;
-
-ifdef(`prelink.te', `
-domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
-')
-
-allow rpm_t rpc_pipefs_t:dir search;
-allow rpm_script_t init_t:dir search;
-
-type rpmbuild_exec_t, file_type, sysadmfile, exec_type;
-type rpmbuild_t, domain;
-allow rpmbuild_t policy_config_t:dir search;
-allow rpmbuild_t policy_src_t:dir search;
-allow rpmbuild_t policy_src_t:file { getattr read };
-can_getsecurity(rpmbuild_t)
-
-allow rpm_script_t domain:process { signal signull };
-
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-
-ifdef(`unlimitedRPM', `
-typeattribute rpm_t auth_write;
-unconfined_domain(rpm_t)
-typeattribute rpm_script_t auth_write;
-unconfined_domain(rpm_script_t)
-')
-if (allow_execmem) {
-allow rpm_script_t self:process execmem;
-}
-
diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te
deleted file mode 100644
index 39976c59..00000000
--- a/strict/domains/program/rshd.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC RSHD - RSH daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: rsh-server rsh-redone-server
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rshd_t domain.
-#
-daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
-')
-
-# Use sockets inherited from inetd.
-allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Use capabilities.
-allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
-
-# Use the network.
-can_network_server(rshd_t)
-allow rshd_t rsh_port_t:tcp_socket name_bind;
-
-allow rshd_t etc_t:file { getattr read };
-read_locale(rshd_t)
-allow rshd_t self:unix_dgram_socket create_socket_perms;
-allow rshd_t self:unix_stream_socket create_stream_socket_perms;
-allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-can_kerberos(rshd_t)
-allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
-allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
-ifdef(`rlogind.te', `
-allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
-allow rshd_t urandom_device_t:chr_file { getattr read };
-
-# Read the user's .rhosts file.
-allow rshd_t home_type:file r_file_perms ;
-
-# Random reasons
-can_getsecurity(rshd_t)
-can_setexec(rshd_t)
-r_dir_file(rshd_t, selinux_config_t)
-r_dir_file(rshd_t, default_context_t)
-read_sysctl(rshd_t);
-
-if (use_nfs_home_dirs) {
-r_dir_file(rshd_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file(rshd_t, cifs_t)
-}
-
-allow rshd_t self:process { fork signal setsched setpgid };
-allow rshd_t self:fifo_file rw_file_perms;
-
-ifdef(`targeted_policy', `
-unconfined_domain(rshd_t)
-domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
-')
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
deleted file mode 100644
index bed52a3f..00000000
--- a/strict/domains/program/rsync.te
+++ /dev/null
@@ -1,18 +0,0 @@ -#DESC rsync - flexible replacement for rcp -# -# Author: Dan Walsh -# -# Depends: inetd.te - -################################# -# -# Rules for the rsync_t domain. -# -# rsync_exec_t is the type of the rsync executable. -# - -inetd_child_domain(rsync) -type rsync_data_t, file_type, sysadmfile; -r_dir_file(rsync_t, rsync_data_t) -anonymous_domain(rsync) -allow rsync_t self:capability sys_chroot; diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te deleted file mode 100644 index 4193f733..00000000 --- a/strict/domains/program/samba.te +++ /dev/null 
@@ -1,225 +0,0 @@
-#DESC SAMBA - SMB file server
-#
-# Author: Ryan Bergauer (bergauer@rice.edu)
-# X-Debian-Packages: samba
-#
-
-#################################
-#
-# Declarations for Samba
-#
-
-daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
-daemon_domain(nmbd)
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile, customizable;
-type samba_secrets_t, file_type, sysadmfile;
-
-# for /var/run/samba/messages.tdb
-allow smbd_t nmbd_var_run_t:file rw_file_perms;
-
-allow smbd_t self:process setrlimit;
-
-# not sure why it needs this
-tmp_domain(smbd)
-
-# Allow samba to search mnt_t for potential mounted dirs
-allow smbd_t mnt_t:dir r_dir_perms;
-
-ifdef(`crond.te', `
-allow system_crond_t samba_etc_t:file { read getattr lock };
-allow system_crond_t samba_log_t:file { read getattr lock };
-#allow system_crond_t samba_secrets_t:file { read getattr lock };
-')
-
-#################################
-#
-# Rules for the smbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(smbd_t)
-general_proc_read_access(smbd_t)
-
-allow smbd_t smbd_port_t:tcp_socket name_bind;
-
-# Use capabilities.
-allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
-
-# Use the network.
-can_network(smbd_t)
-nsswitch_domain(smbd_t)
-can_kerberos(smbd_t)
-allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
-
-allow smbd_t urandom_device_t:chr_file { getattr read };
-
-# Permissions for Samba files in /etc/samba
-# either allow read access to the directory or allow the auto_trans rule to
-# allow creation of the secrets.tdb file and the MACHINE.SID file
-#allow smbd_t samba_etc_t:dir { search getattr };
-file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
-
-allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
-
-# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
-allow smbd_t var_lib_t:dir search;
-create_dir_file(smbd_t, samba_var_t)
-
-# Needed for shared printers
-allow smbd_t var_spool_t:dir search;
-
-# Permissions to write log files.
-allow smbd_t samba_log_t:file { create ra_file_perms };
-allow smbd_t var_log_t:dir search;
-allow smbd_t samba_log_t:dir ra_dir_perms;
-dontaudit smbd_t samba_log_t:dir remove_name;
-
-ifdef(`hide_broken_symptoms', `
-dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-allow smbd_t fs_t:filesystem quotaget;
-
-allow smbd_t usr_t:file { getattr read };
-
-# Access Samba shares.
-create_dir_file(smbd_t, samba_share_t)
-anonymous_domain(smbd)
-
-ifdef(`logrotate.te', `
-# the application should be changed
-can_exec(logrotate_t, samba_log_t)
-')
-#################################
-#
-# Rules for the nmbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(nmbd_t)
-general_proc_read_access(nmbd_t)
-
-allow nmbd_t nmbd_port_t:udp_socket name_bind;
-
-# Use capabilities.
-allow nmbd_t self:capability net_bind_service;
-
-# Use the network.
-can_network_server(nmbd_t)
-
-# Permissions for Samba files in /etc/samba
-allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_etc_t:dir { search getattr };
-
-# Permissions for Samba cache files in /var/cache/samba
-allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
-allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-
-allow nmbd_t usr_t:file { getattr read };
-
-# Permissions to write log files.
-allow nmbd_t samba_log_t:file { create ra_file_perms };
-allow nmbd_t var_log_t:dir search;
-allow nmbd_t samba_log_t:dir ra_dir_perms;
-allow nmbd_t etc_t:file { getattr read };
-ifdef(`cups.te', `
-allow smbd_t cupsd_rw_etc_t:file { getattr read };
-')
-# Needed for winbindd
-allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
-
-# Support Samba sharing of home directories
-bool samba_enable_home_dirs false;
-
-ifdef(`mount.te', `
-#
-# Domain for running smbmount
-#
-
-# Derive from app. domain. Transition from mount.
-application_domain(smbmount, `, fs_domain, nscd_client_domain')
-domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
-
-# Capabilities
-# FIXME: is all of this really necessary?
-allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-# Access samba config
-allow smbmount_t samba_etc_t:file r_file_perms;
-allow smbmount_t samba_etc_t:dir r_dir_perms;
-allow initrc_t samba_etc_t:file rw_file_perms;
-
-# Write samba log
-allow smbmount_t samba_log_t:file create_file_perms;
-allow smbmount_t samba_log_t:dir r_dir_perms;
-
-# Write stuff in var
-allow smbmount_t var_log_t:dir r_dir_perms;
-rw_dir_create_file(smbmount_t, samba_var_t)
-
-# Access mtab
-file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
-
-# Read nsswitch.conf
-allow smbmount_t etc_t:file r_file_perms;
-
-# Networking
-can_network(smbmount_t)
-allow smbmount_t port_type:tcp_socket name_connect;
-can_ypbind(smbmount_t)
-allow smbmount_t self:unix_dgram_socket create_socket_perms;
-allow smbmount_t self:unix_stream_socket create_socket_perms;
-allow kernel_t smbmount_t:tcp_socket { read write };
-allow userdomain smbmount_t:tcp_socket write;
-
-# Proc
-# FIXME: is this necessary?
-r_dir_file(smbmount_t, proc_t)
-
-# Fork smbmnt
-allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t, smbmount_exec_t)
-allow smbmount_t self:process { fork signal_perms };
-
-# Mount
-allow smbmount_t cifs_t:filesystem mount_fs_perms;
-allow smbmount_t cifs_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir mounton;
-
-# Terminal
-read_locale(smbmount_t)
-access_terminal(smbmount_t, sysadm)
-allow smbmount_t userdomain:fd use;
-allow smbmount_t local_login_t:fd use;
-')
-# Derive from app. domain. Transition from mount.
-application_domain(samba_net, `, nscd_client_domain')
-role system_r types samba_net_t;
-in_user_role(samba_net_t)
-file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
-read_locale(samba_net_t)
-allow samba_net_t samba_etc_t:file r_file_perms;
-r_dir_file(samba_net_t, samba_var_t)
-can_network_udp(samba_net_t)
-access_terminal(samba_net_t, sysadm)
-allow samba_net_t self:unix_dgram_socket create_socket_perms;
-allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
-rw_dir_create_file(samba_net_t, samba_var_t)
-allow samba_net_t etc_t:file { getattr read };
-can_network_client(samba_net_t)
-allow samba_net_t smbd_port_t:tcp_socket name_connect;
-can_ldap(samba_net_t)
-can_kerberos(samba_net_t)
-allow samba_net_t urandom_device_t:chr_file r_file_perms;
-allow samba_net_t proc_t:dir search;
-allow samba_net_t proc_t:lnk_file read;
-allow samba_net_t self:dir search;
-allow samba_net_t self:file read;
-allow samba_net_t self:process signal;
-tmp_domain(samba_net)
-dontaudit samba_net_t sysadm_home_dir_t:dir search;
-allow samba_net_t privfd:fd use;
diff --git a/strict/domains/program/saslauthd.te b/strict/domains/program/saslauthd.te
deleted file mode 100644
index 8786dd10..00000000
--- a/strict/domains/program/saslauthd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC saslauthd - Authentication daemon for SASL
-#
-# Author: Colin Walters
-#
-
-daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
-
-allow saslauthd_t self:fifo_file { read write };
-allow saslauthd_t self:unix_dgram_socket create_socket_perms;
-allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
-allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
-allow saslauthd_t var_lib_t:dir search;
-
-allow saslauthd_t etc_t:dir { getattr search };
-allow saslauthd_t etc_t:file r_file_perms;
-allow saslauthd_t net_conf_t:file r_file_perms;
-
-allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file { getattr read };
-
-allow saslauthd_t urandom_device_t:chr_file { getattr read };
-
-# Needs investigation
-dontaudit saslauthd_t home_root_t:dir getattr;
-can_network_client_tcp(saslauthd_t)
-allow saslauthd_t pop_port_t:tcp_socket name_connect;
-
-bool allow_saslauthd_read_shadow false;
-
-if (allow_saslauthd_read_shadow) {
-allow saslauthd_t shadow_t:file r_file_perms;
-}
-dontaudit saslauthd_t selinux_config_t:dir search;
-dontaudit saslauthd_t selinux_config_t:file { getattr read };
-
-
-dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
-ifdef(`mysqld.te', `
-allow saslauthd_t mysqld_db_t:dir search;
-allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
-')
diff --git a/strict/domains/program/screen.te b/strict/domains/program/screen.te
deleted file mode 100644
index e9be1a09..00000000
--- a/strict/domains/program/screen.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC screen - Program to detach sessions
-#
-# X-Debian-Packages: screen
-# Domains for the screen program.
-
-#
-# screen_exec_t is the type of the screen executable.
-#
-type screen_exec_t, file_type, sysadmfile, exec_type;
-type screen_dir_t, file_type, sysadmfile, pidfile;
-
-# Everything else is in the screen_domain macro in
-# macros/program/screen_macros.te.
diff --git a/strict/domains/program/sendmail.te b/strict/domains/program/sendmail.te
deleted file mode 100644
index 2ee8d2df..00000000
--- a/strict/domains/program/sendmail.te
+++ /dev/null
@@ -1,112 +0,0 @@
-#DESC Sendmail - Mail server
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sendmail sendmail-wide
-# Depends: mta.te
-#
-
-#################################
-#
-# Rules for the sendmail_t domain.
-#
-# sendmail_t is the domain for the sendmail
-# daemon started by the init rc scripts.
-#
-
-# etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile, usercanread;
-
-daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm)
-
-tmp_domain(sendmail)
-logdir_domain(sendmail)
-
-# Use capabilities
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-
-# Use the network.
-can_network(sendmail_t)
-allow sendmail_t port_type:tcp_socket name_connect;
-can_ypbind(sendmail_t)
-
-allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
-allow sendmail_t self:unix_dgram_socket create_socket_perms;
-allow sendmail_t self:fifo_file rw_file_perms;
-
-# Bind to the SMTP port.
-allow sendmail_t smtp_port_t:tcp_socket name_bind;
-
-allow sendmail_t etc_t:file { getattr read };
-
-# Write to /etc/aliases and /etc/mail.
-allow sendmail_t etc_aliases_t:file { setattr rw_file_perms };
-#
-# Need this transition to create /etc/aliases.db
-#
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
-')
-')
-
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file create_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file create_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# Write to /var/spool/mail and /var/spool/mqueue.
-allow sendmail_t var_spool_t:dir { getattr search };
-allow sendmail_t mail_spool_t:dir rw_dir_perms;
-allow sendmail_t mail_spool_t:file create_file_perms;
-allow sendmail_t mqueue_spool_t:dir rw_dir_perms;
-allow sendmail_t mqueue_spool_t:file create_file_perms;
-allow sendmail_t urandom_device_t:chr_file { getattr read };
-
-# Read /usr/lib/sasl2/.*
-allow sendmail_t lib_t:file { getattr read };
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
-
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
-
-# Run procmail in its own domain, if defined.
-ifdef(`procmail.te',`
-domain_auto_trans(sendmail_t, procmail_exec_t, procmail_t)
-domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
-allow sendmail_t bin_t:dir { getattr search };
-')
-
-read_sysctl(sendmail_t)
-read_sysctl(system_mail_t)
-
-allow system_mail_t etc_mail_t:dir { getattr search };
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t proc_t:dir search;
-allow system_mail_t proc_t:file { getattr read };
-allow system_mail_t proc_t:lnk_file read;
-dontaudit system_mail_t proc_net_t:dir search;
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t self:dir { getattr search };
-allow system_mail_t var_t:dir getattr;
-allow system_mail_t var_spool_t:dir getattr;
-dontaudit system_mail_t userpty_type:chr_file { getattr read write };
-
-# sendmail -q
-allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow system_mail_t mqueue_spool_t:file create_file_perms;
-
-ifdef(`crond.te', `
-dontaudit system_mail_t system_crond_tmp_t:file append;
-')
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-
-# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
-
diff --git a/strict/domains/program/setfiles.te b/strict/domains/program/setfiles.te
deleted file mode 100644
index 85bcd4ce..00000000
--- a/strict/domains/program/setfiles.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Setfiles - SELinux filesystem labeling utilities
-#
-# Authors: Russell Coker
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the setfiles_t domain.
-#
-# setfiles_exec_t is the type of the setfiles executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type setfiles_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types setfiles_t;
-role sysadm_r types setfiles_t;
-role secadm_r types setfiles_t;
-
-ifdef(`distro_redhat', `
-domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
-')
-can_access_pty(hostname_t, initrc)
-allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
-
-allow setfiles_t self:unix_dgram_socket create_socket_perms;
-
-domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
-allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
-
-uses_shlib(setfiles_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(setfiles_t)
-
-r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
-
-allow setfiles_t file_type:dir r_dir_perms;
-allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
-allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
-allow setfiles_t unlabeled_t:dir read;
-allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
-# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
-dontaudit setfiles_t ttyfile:chr_file relabelfrom;
-
-allow setfiles_t fs_t:filesystem getattr;
-allow setfiles_t fs_type:dir r_dir_perms;
-
-read_locale(setfiles_t)
-
-allow setfiles_t etc_runtime_t:file { getattr read };
-allow setfiles_t etc_t:file { getattr read };
-allow setfiles_t proc_t:file { getattr read };
-dontaudit setfiles_t proc_t:lnk_file { getattr read };
-
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
-dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te
deleted file mode 100644
index dd9e416f..00000000
--- a/strict/domains/program/slapd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Slapd - OpenLDAP server
-#
-# Author: Russell Coker
-# X-Debian-Packages: slapd
-#
-
-#################################
-#
-# Rules for the slapd_t domain.
-#
-# slapd_exec_t is the type of the slapd executable.
-#
-daemon_domain(slapd)
-
-allow slapd_t ldap_port_t:tcp_socket name_bind;
-
-etc_domain(slapd)
-type slapd_db_t, file_type, sysadmfile;
-type slapd_replog_t, file_type, sysadmfile;
-
-tmp_domain(slapd)
-
-# Use the network.
-can_network(slapd_t)
-allow slapd_t port_type:tcp_socket name_connect;
-can_ypbind(slapd_t)
-allow slapd_t self:fifo_file { read write };
-allow slapd_t self:unix_stream_socket create_socket_perms;
-allow slapd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the LDAP server
-can_tcp_connect(domain, slapd_t)
-
-# Use capabilities should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
-allow slapd_t self:process setsched;
-
-allow slapd_t proc_t:file r_file_perms;
-
-# Allow access to the slapd databases
-create_dir_file(slapd_t, slapd_db_t)
-allow initrc_t slapd_db_t:dir r_dir_perms;
-allow slapd_t var_lib_t:dir r_dir_perms;
-
-# Allow access to write the replication log (should tighten this)
-create_dir_file(slapd_t, slapd_replog_t)
-
-# read config files
-allow slapd_t etc_t:{ file lnk_file } { getattr read };
-allow slapd_t etc_runtime_t:file { getattr read };
-
-# for startup script
-allow initrc_t slapd_etc_t:file { getattr read };
-
-allow slapd_t etc_t:dir r_dir_perms;
-
-read_sysctl(slapd_t)
-
-allow slapd_t usr_t:file { read getattr };
-allow slapd_t urandom_device_t:chr_file { getattr read };
-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
-r_dir_file(slapd_t, cert_t)
diff --git a/strict/domains/program/slocate.te b/strict/domains/program/slocate.te
deleted file mode 100644
index 8512aabd..00000000
--- a/strict/domains/program/slocate.te
+++ /dev/null
@@ -1,77 +0,0 @@
-#DESC LOCATE - Security Enhanced version of the GNU Locate
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the locate_t domain.
-#
-# locate_exec_t is the type of the locate executable.
-#
-daemon_base_domain(locate)
-role system_r types locate_t;
-role sysadm_r types locate_t;
-allow locate_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(locate_exec_t, locate_t)
-allow system_crond_t locate_log_t:dir rw_dir_perms;
-allow system_crond_t locate_log_t:file { create append getattr };
-allow system_crond_t locate_etc_t:file { getattr read };
-')
-
-allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
-
-allow locate_t { fs_type file_type }:dir r_dir_perms;
-dontaudit locate_t sysctl_t:dir getattr;
-allow locate_t file_type:lnk_file r_file_perms;
-allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
-dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
-dontaudit locate_t security_t:dir getattr;
-dontaudit locate_t shadow_t:file getattr;
-
-allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
-allow locate_t unlabeled_t:dir_file_class_set getattr;
-allow locate_t unlabeled_t:dir read;
-
-logdir_domain(locate)
-etcdir_domain(locate)
-
-type locate_var_lib_t, file_type, sysadmfile;
-typealias locate_var_lib_t alias var_lib_locate_t;
-
-create_dir_file(locate_t, locate_var_lib_t)
-dontaudit locate_t sysadmfile:file getattr;
-
-allow locate_t proc_t:file { getattr read };
-allow locate_t self:unix_stream_socket create_socket_perms;
-#
-# Need to be able to exec renice
-#
-can_exec(locate_t, bin_t)
-
-dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
-dontaudit locate_t rpc_pipefs_t:file getattr;
-
-#
-# Read Mtab file
-#
-allow locate_t etc_runtime_t:file { getattr read };
-
-#
-# Read nsswitch file
-#
-allow locate_t etc_t:file { getattr read };
-dontaudit locate_t self:capability dac_override;
-allow locate_t self:capability dac_read_search;
-
-# sysadm_t runs locate in his own domain.
-# We use a type alias to simplify the rest of the policy,
-# which often refers to $1_locate_t for the user domains.
-typealias sysadm_t alias sysadm_locate_t;
-
-allow locate_t userdomain:fd use;
-ifdef(`cardmgr.te', `
-allow locate_t cardmgr_var_run_t:chr_file getattr;
-')
diff --git a/strict/domains/program/slrnpull.te b/strict/domains/program/slrnpull.te
deleted file mode 100644
index 25edb933..00000000
--- a/strict/domains/program/slrnpull.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC slrnpull
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the slrnpull_t domain.
-#
-# slrnpull_exec_t is the type of the slrnpull executable.
-#
-daemon_domain(slrnpull)
-type slrnpull_spool_t, file_type, sysadmfile;
-
-log_domain(slrnpull)
-
-ifdef(`logrotate.te', `
-create_dir_file(logrotate_t, slrnpull_spool_t)
-')
-system_crond_entry(slrnpull_exec_t, slrnpull_t)
-allow userdomain slrnpull_spool_t:dir search;
-rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
-allow slrnpull_t var_spool_t:dir search;
-allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
diff --git a/strict/domains/program/snmpd.te b/strict/domains/program/snmpd.te
deleted file mode 100644
index ea75c8d6..00000000
--- a/strict/domains/program/snmpd.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC SNMPD - Simple Network Management Protocol daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: snmpd
-#
-
-#################################
-#
-# Rules for the snmpd_t domain.
-#
-daemon_domain(snmpd, `, nscd_client_domain')
-
-#temp
-allow snmpd_t var_t:dir getattr;
-
-can_network_server(snmpd_t)
-can_ypbind(snmpd_t)
-
-allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
-
-etc_domain(snmpd)
-
-# for the .index file
-var_lib_domain(snmpd)
-file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
-allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
-
-log_domain(snmpd)
-# for /usr/share/snmp/mibs
-allow snmpd_t usr_t:file { getattr read };
-
-can_udp_send(sysadm_t, snmpd_t)
-can_udp_send(snmpd_t, sysadm_t)
-
-allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
-
-allow snmpd_t proc_t:dir search;
-allow snmpd_t proc_t:file r_file_perms;
-allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file rw_file_perms;
-allow snmpd_t { bin_t sbin_t }:dir search;
-can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-r_dir_file(snmpd_t, rpm_var_lib_t)
-dontaudit snmpd_t rpm_var_lib_t:dir write;
-dontaudit snmpd_t rpm_var_lib_t:file write;
-')
-')
-
-allow snmpd_t home_root_t:dir search;
-allow snmpd_t initrc_var_run_t:file r_file_perms;
-dontaudit snmpd_t initrc_var_run_t:file write;
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-read_sysctl(snmpd_t)
-allow snmpd_t sysctl_net_t:dir search;
-allow snmpd_t sysctl_net_t:file { getattr read };
-
-dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
-allow snmpd_t sysfs_t:dir { getattr read search };
-ifdef(`amanda.te', `
-dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
-')
-ifdef(`cupsd.te', `
-allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-allow snmpd_t var_lib_nfs_t:dir search;
-
-# needed in order to retrieve net traffic data
-allow snmpd_t proc_net_t:dir search;
-allow snmpd_t proc_net_t:file r_file_perms;
-
-allow snmpd_t domain:dir { getattr search };
-allow snmpd_t domain:file { getattr read };
-allow snmpd_t domain:process signull;
-
-dontaudit snmpd_t selinux_config_t:dir search;
diff --git a/strict/domains/program/sound.te b/strict/domains/program/sound.te
deleted file mode 100644
index 01f7355b..00000000
--- a/strict/domains/program/sound.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Sound - Sound utilities
-#
-# Authors: Mark Westerman
-# X-Debian-Packages: esound
-#
-#################################
-#
-# Rules for the sound_t domain.
-#
-daemon_base_domain(sound)
-type sound_file_t, file_type, sysadmfile;
-allow initrc_t sound_file_t:file { getattr read };
-allow sound_t sound_file_t:file rw_file_perms;
-
-# Use capabilities.
-# Commented out by default.
-#allow sound_t self:capability { sys_admin sys_rawio sys_time dac_override };
-dontaudit sound_t self:capability { sys_admin sys_rawio sys_time dac_read_search dac_override };
-
-# Read and write the sound device.
-allow sound_t sound_device_t:chr_file rw_file_perms;
-
-# Read and write ttys.
-allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
-read_locale(sound_t)
-allow initrc_t sound_file_t:file { setattr write };
diff --git a/strict/domains/program/spamassassin.te b/strict/domains/program/spamassassin.te
deleted file mode 100644
index d08eaa30..00000000
--- a/strict/domains/program/spamassassin.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Spamassassin
-#
-# Author: Colin Walters
-# X-Debian-Packages: spamassassin
-#
-
-type spamassassin_exec_t, file_type, sysadmfile, exec_type;
-
-bool spamassasin_can_network false;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/strict/domains/program/spamc.te b/strict/domains/program/spamc.te
deleted file mode 100644
index 9b49fbf0..00000000
--- a/strict/domains/program/spamc.te
+++ /dev/null
@@ -1,10 +0,0 @@
-#DESC Spamc - Spamassassin client
-#
-# Author: Colin Walters
-# X-Debian-Packages: spamc
-# Depends: spamassassin.te
-#
-
-type spamc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/strict/domains/program/spamd.te b/strict/domains/program/spamd.te
deleted file mode 100644
index 01283ca4..00000000
--- a/strict/domains/program/spamd.te
+++ /dev/null
@@ -1,71 +0,0 @@
-#DESC Spamd - Spamassassin daemon
-#
-# Author: Colin Walters
-# X-Debian-Packages: spamassassin
-# Depends: spamassassin.te
-#
-
-daemon_domain(spamd)
-
-tmp_domain(spamd)
-
-allow spamd_t spamd_port_t:tcp_socket name_bind;
-
-general_domain_access(spamd_t)
-uses_shlib(spamd_t)
-can_ypbind(spamd_t)
-read_sysctl(spamd_t)
-
-# Various Perl bits
-allow spamd_t lib_t:file rx_file_perms;
-dontaudit spamd_t shadow_t:file { getattr read };
-dontaudit spamd_t initrc_var_run_t:file { read write lock };
-dontaudit spamd_t sysadm_home_dir_t:dir getattr;
-
-can_network_server(spamd_t)
-allow spamd_t self:capability net_bind_service;
-
-allow spamd_t proc_t:file { getattr read };
-
-# Spamassassin, when run as root and using per-user config files,
-# setuids to the user running spamc. Comment this if you are not
-# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-
-allow spamd_t { bin_t sbin_t }:dir { getattr search };
-can_exec(spamd_t, bin_t)
-
-ifdef(`sendmail.te', `
-allow spamd_t etc_mail_t:dir { getattr read search };
-allow spamd_t etc_mail_t:file { getattr ioctl read };
-')
-allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
-
-ifdef(`amavis.te', `
-# for bayes tokens
-allow spamd_t var_lib_t:dir { getattr search };
-rw_dir_create_file(spamd_t, amavisd_lib_t)
-')
-
-allow spamd_t usr_t:file { getattr ioctl read };
-allow spamd_t usr_t:lnk_file { getattr read };
-allow spamd_t urandom_device_t:chr_file { getattr read };
-
-system_crond_entry(spamd_exec_t, spamd_t)
-
-allow spamd_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-allow spamd_t nfs_t:dir rw_dir_perms;
-allow spamd_t nfs_t:file create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-allow spamd_t cifs_t:dir rw_dir_perms;
-allow spamd_t cifs_t:file create_file_perms;
-}
-
-allow spamd_t home_root_t:dir getattr;
-allow spamd_t user_home_dir_type:dir { search getattr };
-
-
diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te
deleted file mode 100644
index 1727186b..00000000
--- a/strict/domains/program/squid.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC Squid - Web cache
-#
-# Author: Russell Coker
-# X-Debian-Packages: squid
-#
-
-#################################
-#
-# Rules for the squid_t domain.
-#
-# squid_t is the domain the squid process runs in
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
-bool squid_connect_any false;
-daemon_domain(squid, `, web_client_domain, nscd_client_domain')
-type squid_conf_t, file_type, sysadmfile;
-general_domain_access(squid_t)
-allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
-allow squid_t squid_conf_t:dir r_dir_perms;
-allow squid_t squid_conf_t:lnk_file read;
-
-logdir_domain(squid)
-rw_dir_create_file(initrc_t, squid_log_t)
-
-allow squid_t usr_t:file { getattr read };
-
-# type for /var/cache/squid
-type squid_cache_t, file_type, sysadmfile;
-
-allow squid_t self:capability { setgid setuid net_bind_service dac_override };
-allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
-allow squid_t etc_t:lnk_file read;
-allow squid_t self:unix_stream_socket create_socket_perms;
-allow squid_t self:unix_dgram_socket create_socket_perms;
-allow squid_t self:fifo_file rw_file_perms;
-
-read_sysctl(squid_t)
-
-allow squid_t devtty_t:chr_file rw_file_perms;
-
-allow squid_t { self proc_t }:file { read getattr };
-
-# for when we use /var/spool/cache
-allow squid_t var_spool_t:dir search;
-
-# Grant permissions to create, access, and delete cache files.
-# No type transitions required, as the files inherit the parent directory type.
-create_dir_file(squid_t, squid_cache_t)
-ifdef(`logrotate.te',
-`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
-ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
-
-# Use the network
-can_network(squid_t)
-if (squid_connect_any) {
-allow squid_t port_type:tcp_socket name_connect;
-}
-can_ypbind(squid_t)
-can_tcp_connect(web_client_domain, squid_t)
-
-# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-# to allow running programs from /usr/lib/squid (IE unlinkd)
-# also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
-allow squid_t { bin_t sbin_t }:dir search;
-allow squid_t { bin_t sbin_t }:lnk_file read;
-
-dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
-ifdef(`targeted_policy', `
-dontaudit squid_t tty_device_t:chr_file { read write };
-')
-allow squid_t urandom_device_t:chr_file { getattr read };
-
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-r_dir_file(squid_t, cert_t)
-ifdef(`winbind.te', `
-domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
-allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
-allow winbind_helper_t squid_log_t:file ra_file_perms;
-')
diff --git a/strict/domains/program/ssh-agent.te b/strict/domains/program/ssh-agent.te
deleted file mode 100644
index f2e3d84c..00000000
--- a/strict/domains/program/ssh-agent.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC ssh-agent - agent to securely store ssh-keys
-#
-# Authors: Thomas Bleher
-#
-# X-Debian-Packages: ssh
-#
-
-# Type for the ssh-agent executable.
-type ssh_agent_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the ssh_agent_domain macro in
-# macros/program/ssh_agent_macros.te.
-
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
deleted file mode 100644
index 367e4c73..00000000
--- a/strict/domains/program/ssh.te
+++ /dev/null
@@ -1,237 +0,0 @@
-#DESC SSH - SSH daemon
-#
-# Authors: Anthony Colatrella (NSA)
-# Stephen Smalley
-# Russell Coker
-# X-Debian-Packages: ssh
-#
-
-# Allow ssh logins as sysadm_r:sysadm_t
-bool ssh_sysadm_login false;
-
-# allow host key based authentication
-bool allow_ssh_keysign false;
-
-ifdef(`inetd.te', `
-# Allow ssh to run from inetd instead of as a daemon.
-bool run_ssh_inetd false;
-')
-
-# sshd_exec_t is the type of the sshd executable.
-# sshd_key_t is the type of the ssh private key files
-type sshd_exec_t, file_type, exec_type, sysadmfile;
-type sshd_key_t, file_type, sysadmfile;
-
-define(`sshd_program_domain', `
-# privowner is for changing the identity on the terminal device
-# privfd is for passing the terminal file handle to the user process
-# auth_chkpwd is for running unix_chkpwd and unix_verify.
-type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-can_exec($1_t, sshd_exec_t)
-r_dir_file($1_t, self)
-role system_r types $1_t;
-dontaudit $1_t shadow_t:file { getattr read };
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-allow $1_t self:process { fork sigchld signal setsched setrlimit };
-
-dontaudit $1_t self:lnk_file read;
-
-# do not allow statfs()
-dontaudit $1_t fs_type:filesystem getattr;
-
-allow $1_t bin_t:dir search;
-allow $1_t bin_t:lnk_file read;
-
-# for sshd subsystems, such as sftp-server.
-allow $1_t bin_t:file getattr;
-
-# Read /var.
-allow $1_t var_t:dir { getattr search };
-
-# Read /var/log.
-allow $1_t var_log_t:dir search;
-
-# Read /etc.
-allow $1_t etc_t:dir search;
-# ioctl is for pam_console
-dontaudit $1_t etc_t:file ioctl;
-allow $1_t etc_t:file { getattr read };
-allow $1_t etc_t:lnk_file { getattr read };
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Read /dev/urandom
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_kerberos($1_t)
-
-allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-allow $1_t { home_root_t home_dir_type }:dir { search getattr };
-if (use_nfs_home_dirs) {
-allow $1_t autofs_t:dir { search getattr };
-allow $1_t nfs_t:dir { search getattr };
-allow $1_t nfs_t:file { getattr read };
-}
-
-if (use_samba_home_dirs) {
-allow $1_t cifs_t:dir { search getattr };
-allow $1_t cifs_t:file { getattr read };
-}
-
-# Set exec context.
-can_setexec($1_t)
-
-# Update utmp.
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Update wtmp.
-allow $1_t wtmp_t:file rw_file_perms;
-
-# Get security policy decisions.
-can_getsecurity($1_t)
-
-# Allow read access to login context
-r_dir_file( $1_t, default_context_t)
-
-# Access key files
-allow $1_t sshd_key_t:file { getattr read };
-
-# Update /var/log/lastlog.
-allow $1_t lastlog_t:file rw_file_perms;
-
-read_locale($1_t)
-read_sysctl($1_t)
-
-# Can create ptys
-can_create_pty($1, `, server_pty')
-allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
-dontaudit sshd_t userpty_type:chr_file relabelfrom;
-
-allow $1_t faillog_t:file { append getattr };
-allow $1_t sbin_t:file getattr;
-
-# Allow checking users mail at login
-allow $1_t { var_spool_t mail_spool_t }:dir search;
-allow $1_t mail_spool_t:lnk_file read;
-allow $1_t mail_spool_t:file getattr;
-')dnl end sshd_program_domain
-
-# macro for defining which domains a sshd can spawn
-# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the
-# type of the pty for the child
-define(`sshd_spawn_domain', `
-login_spawn_domain($1, $2)
-ifdef(`xauth.te', `
-domain_trans($1_t, xauth_exec_t, $2)
-')
-
-# Relabel and access ptys created by sshd
-# ioctl is necessary for logout() processing for utmp entry and for w to
-# display the tty.
-# some versions of sshd on the new SE Linux require setattr
-allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr };
-
-# inheriting stream sockets is needed for "ssh host command" as no pty
-# is allocated
-allow $2 $1_t:unix_stream_socket rw_stream_socket_perms;
-')dnl end sshd_spawn_domain definition
-
-#################################
-#
-# Rules for the sshd_t domain, et al.
-#
-# sshd_t is the domain for the sshd program.
-# sshd_extern_t is the domain for ssh from outside our network
-#
-sshd_program_domain(sshd)
-if (ssh_sysadm_login) {
-allow sshd_t devpts_t:dir r_dir_perms;
-sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
-} else {
-sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
-}
-
-# for X forwarding
-allow sshd_t xserver_port_t:tcp_socket name_bind;
-
-r_dir_file(sshd_t, selinux_config_t)
-sshd_program_domain(sshd_extern)
-sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
-
-# for when the network connection breaks after running newrole -r sysadm_r
-dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
-
-ifdef(`inetd.te', `
-if (run_ssh_inetd) {
-allow inetd_t ssh_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
-domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
-allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms;
-allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search };
-allow { sshd_t sshd_extern_t } self:process signal;
-} else {
-')
-can_access_pty({ sshd_t sshd_extern_t }, initrc)
-allow { sshd_t sshd_extern_t } self:capability net_bind_service;
-allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
-
-# for port forwarding
-can_tcp_connect(userdomain, sshd_t)
-
-domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
-domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
-dontaudit initrc_t sshd_key_t:file { getattr read };
-
-# Inherit and use descriptors from init.
-allow { sshd_t sshd_extern_t } init_t:fd use;
-ifdef(`inetd.te', `
-}
-')
-
-# Create /var/run/sshd.pid
-var_run_domain(sshd)
-var_run_domain(sshd_extern)
-
-ifdef(`direct_sysadm_daemon', `
-# Direct execution by sysadm_r.
-domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
-role_transition sysadm_r sshd_exec_t system_r;
-')
-
-undefine(`sshd_program_domain')
-
-# so a tunnel can point to another ssh tunnel...
-can_tcp_connect(sshd_t, sshd_t)
-
-tmp_domain(sshd, `', { dir file sock_file })
-ifdef(`pam.te', `
-can_exec(sshd_t, pam_exec_t)
-')
-
-# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-# and by sysadm_t
-daemon_base_domain(ssh_keygen)
-allow ssh_keygen_t etc_t:file { getattr read };
-file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
-
-# Type for the ssh executable.
-type ssh_exec_t, file_type, exec_type, sysadmfile;
-type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the ssh_domain macro in
-# macros/program/ssh_macros.te.
-
-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
-allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-ifdef(`use_mcs', `
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-')
diff --git a/strict/domains/program/stunnel.te b/strict/domains/program/stunnel.te
deleted file mode 100644
index 4dbfcec8..00000000
--- a/strict/domains/program/stunnel.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# DESC: selinux policy for stunnel
-#
-# Author: petre rodan
-#
-ifdef(`distro_gentoo', `
-
-daemon_domain(stunnel)
-
-can_network(stunnel_t)
-allow stunnel_t port_type:tcp_socket name_connect;
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:fifo_file { read write };
-allow stunnel_t self:tcp_socket { read write };
-allow stunnel_t self:unix_stream_socket { connect create };
-
-r_dir_file(stunnel_t, etc_t)
-', `
-inetd_child_domain(stunnel, tcp)
-allow stunnel_t self:capability sys_chroot;
-
-bool stunnel_is_daemon false;
-if (stunnel_is_daemon) {
-# Policy to run stunnel as a daemon should go here.
-allow stunnel_t self:tcp_socket rw_stream_socket_perms;
-allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-}
-')
-
-type stunnel_etc_t, file_type, sysadmfile;
-r_dir_file(stunnel_t, stunnel_etc_t)
-allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
-
diff --git a/strict/domains/program/su.te b/strict/domains/program/su.te
deleted file mode 100644
index 6d39909c..00000000
--- a/strict/domains/program/su.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#DESC Su - Run shells with substitute user and group
-#
-# Domains for the su program.
-# X-Debian-Packages: login
-
-#
-# su_exec_t is the type of the su executable.
-#
-type su_exec_t, file_type, sysadmfile;
-
-allow sysadm_su_t user_home_dir_type:dir search;
-
-# Everything else is in the su_domain macro in
-# macros/program/su_macros.te.
-
-ifdef(`use_mcs', `
-ifdef(`targeted_policy', `
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
-can_exec(sysadm_su_t, bin_t)
-rw_dir_create_file(sysadm_su_t, home_dir_type)
-')
-')
diff --git a/strict/domains/program/sudo.te b/strict/domains/program/sudo.te
deleted file mode 100644
index a1fad31f..00000000
--- a/strict/domains/program/sudo.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC sudo - execute a command as another user
-#
-# Authors: Dan Walsh, Russell Coker
-# Maintained by Dan Walsh
-#
-
-# Type for the sudo executable.
-type sudo_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the sudo_domain macro in
-# macros/program/sudo_macros.te.
diff --git a/strict/domains/program/sulogin.te b/strict/domains/program/sulogin.te
deleted file mode 100644
index 0bed085e..00000000
--- a/strict/domains/program/sulogin.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#DESC sulogin - Single-User login
-#
-# Authors: Dan Walsh
-#
-# X-Debian-Packages: sysvinit
-
-#################################
-#
-# Rules for the sulogin_t domain
-#
-
-type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth;
-type sulogin_exec_t, file_type, exec_type, sysadmfile;
-role system_r types sulogin_t;
-
-general_domain_access(sulogin_t)
-
-domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
-allow sulogin_t initrc_t:process getpgid;
-uses_shlib(sulogin_t)
-
-# suse and debian do not use pam with sulogin...
-ifdef(`distro_suse', `
-define(`sulogin_no_pam', `')
-')
-ifdef(`distro_debian', `
-define(`sulogin_no_pam', `')
-')
-
-ifdef(`sulogin_no_pam', `
-domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
-allow sulogin_t init_t:process getpgid;
-allow sulogin_t self:capability sys_tty_config;
-', `
-domain_trans(sulogin_t, shell_exec_t, sysadm_t)
-allow sulogin_t shell_exec_t:file r_file_perms;
-
-can_setexec(sulogin_t)
-can_getsecurity(sulogin_t)
-')
-
-r_dir_file(sulogin_t, etc_t)
-
-allow sulogin_t bin_t:dir r_dir_perms;
-r_dir_file(sulogin_t, proc_t)
-allow sulogin_t root_t:dir search;
-
-allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
-allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-allow sulogin_t default_context_t:dir search;
-allow sulogin_t default_context_t:file { getattr read };
-
-r_dir_file(sulogin_t, selinux_config_t)
-
-# because file systems are not mounted
-dontaudit sulogin_t file_t:dir search;
diff --git a/strict/domains/program/swat.te b/strict/domains/program/swat.te
deleted file mode 100644
index aa94d2f1..00000000
--- a/strict/domains/program/swat.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC swat - Samba Web Administration Tool
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the swat_t domain.
-#
-# swat_exec_t is the type of the swat executable.
-#
-
-inetd_child_domain(swat)
diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te
deleted file mode 100644
index be427ecd..00000000
--- a/strict/domains/program/syslogd.te
+++ /dev/null
@@ -1,109 +0,0 @@
-#DESC Syslogd - System log daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sysklogd syslog-ng
-#
-
-#################################
-#
-# Rules for the syslogd_t domain.
-#
-# syslogd_t is the domain of syslogd.
-# syslogd_exec_t is the type of the syslogd executable.
-# devlog_t is the type of the Unix domain socket created
-# by syslogd.
-#
-ifdef(`klogd.te', `
-daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
-', `
-daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
-')
-
-# can_network is for the UDP socket
-can_network_udp(syslogd_t)
-can_ypbind(syslogd_t)
-
-r_dir_file(syslogd_t, sysfs_t)
-
-type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# if something can log to syslog they should be able to log to the console
-allow privlog console_device_t:chr_file { ioctl read write getattr };
-
-tmp_domain(syslogd)
-
-# read files in /etc
-allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
-
-# Use capabilities.
-allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
-
-# Modify/create log files.
-create_append_log_file(syslogd_t, var_log_t)
-
-# Create and bind to /dev/log or /var/run/log.
-file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
-ifdef(`distro_suse', `
-# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
-')
-allow syslogd_t self:unix_dgram_socket create_socket_perms;
-allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-allow syslogd_t self:fifo_file rw_file_perms;
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-# log to the xconsole
-allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
-
-# Domains with the privlog attribute may log to syslogd.
-allow privlog devlog_t:sock_file rw_file_perms;
-can_unix_send(privlog,syslogd_t)
-can_unix_connect(privlog,syslogd_t)
-# allow /dev/log to be a link elsewhere for chroot setup
-allow privlog devlog_t:lnk_file read;
-
-ifdef(`crond.te', `
-# for daemon re-start
-allow system_crond_t syslogd_t:lnk_file read;
-')
-
-ifdef(`logrotate.te', `
-allow logrotate_t syslogd_exec_t:file r_file_perms;
-')
-
-# for sending messages to logged in users
-allow syslogd_t initrc_var_run_t:file { read lock };
-dontaudit syslogd_t initrc_var_run_t:file write;
-allow syslogd_t ttyfile:chr_file { getattr write };
-
-#
-# Special case to handle crashes
-#
-allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
-
-# Allow syslog to a terminal
-allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
-
-# Allow name_bind for remote logging
-allow syslogd_t syslogd_port_t:udp_socket name_bind;
-#
-# /initrd is not umounted before minilog starts
-#
-dontaudit syslogd_t file_t:dir search;
-allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
-dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`targeted_policy', `
-allow syslogd_t var_run_t:fifo_file { ioctl read write };
-')
-
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-allow syslogd_t self:capability { sys_admin chown fsetid };
-allow syslogd_t var_log_t:dir { create setattr };
-allow syslogd_t syslogd_port_t:tcp_socket name_bind;
-allow syslogd_t rsh_port_t:tcp_socket name_connect;
diff --git a/strict/domains/program/sysstat.te b/strict/domains/program/sysstat.te
deleted file mode 100644
index f01da4ce..00000000
--- a/strict/domains/program/sysstat.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC Sysstat - Sar and similar programs
-#
-# Authors: Russell Coker
-# X-Debian-Packages: sysstat
-#
-
-#################################
-#
-# Rules for the sysstat_t domain.
-#
-# sysstat_exec_t is the type of the sysstat executable.
-#
-type sysstat_t, domain, privlog;
-type sysstat_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types sysstat_t;
-
-allow sysstat_t device_t:dir search;
-
-allow sysstat_t self:process { sigchld fork };
-
-#for date
-can_exec(sysstat_t, { sysstat_exec_t bin_t })
-allow sysstat_t bin_t:dir r_dir_perms;
-dontaudit sysstat_t sbin_t:dir search;
-
-dontaudit sysstat_t self:capability sys_admin;
-allow sysstat_t self:capability sys_resource;
-
-allow sysstat_t devtty_t:chr_file rw_file_perms;
-
-allow sysstat_t urandom_device_t:chr_file read;
-
-# for mtab
-allow sysstat_t etc_runtime_t:file { read getattr };
-# for fstab
-allow sysstat_t etc_t:file { read getattr };
-
-dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
-
-allow sysstat_t self:fifo_file rw_file_perms;
-
-# Type for files created during execution of sysstatd.
-logdir_domain(sysstat)
-allow sysstat_t var_t:dir search;
-
-allow sysstat_t etc_t:dir r_dir_perms;
-read_locale(sysstat_t)
-
-allow sysstat_t fs_t:filesystem getattr;
-
-# get info from /proc
-allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
-allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };
-
-domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)
-allow sysstat_t init_t:fd use;
-allow sysstat_t console_device_t:chr_file { read write };
-
-uses_shlib(sysstat_t)
-
-system_crond_entry(sysstat_exec_t, sysstat_t)
-allow system_crond_t sysstat_log_t:dir { write remove_name add_name };
-allow system_crond_t sysstat_log_t:file create_file_perms;
-allow sysstat_t initrc_devpts_t:chr_file { read write };
diff --git a/strict/domains/program/tcpd.te b/strict/domains/program/tcpd.te
deleted file mode 100644
index af135be5..00000000
--- a/strict/domains/program/tcpd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Tcpd - Access control facilities from internet services
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: tcpd
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the tcpd_t domain.
-#
-type tcpd_t, domain, privlog;
-role system_r types tcpd_t;
-uses_shlib(tcpd_t)
-type tcpd_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)
-
-allow tcpd_t fs_t:filesystem getattr;
-
-# no good reason for this, probably nscd
-dontaudit tcpd_t var_t:dir search;
-
-can_network_server(tcpd_t)
-can_ypbind(tcpd_t)
-allow tcpd_t self:unix_dgram_socket create_socket_perms;
-allow tcpd_t self:unix_stream_socket create_socket_perms;
-allow tcpd_t etc_t:file { getattr read };
-read_locale(tcpd_t)
-
-tmp_domain(tcpd)
-
-# Use sockets inherited from inetd.
-allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to each target domain .te file.
-
-# Run other daemons in the inetd_child_t domain.
-allow tcpd_t { bin_t sbin_t }:dir search;
-domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
-
-allow tcpd_t device_t:dir search;
diff --git a/strict/domains/program/telnetd.te b/strict/domains/program/telnetd.te
deleted file mode 100644
index bbbb2c19..00000000
--- a/strict/domains/program/telnetd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# telnet server daemon
-#
-
-#################################
-#
-# Rules for the telnetd_t domain
-#
-
-remote_login_daemon(telnetd)
-typealias telnetd_port_t alias telnet_port_t;
diff --git a/strict/domains/program/tftpd.te b/strict/domains/program/tftpd.te
deleted file mode 100644
index c7499871..00000000
--- a/strict/domains/program/tftpd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC TFTP - UDP based file server for boot loaders
-#
-# Author: Russell Coker
-# X-Debian-Packages: tftpd atftpd
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the tftpd_t domain.
-#
-# tftpd_exec_t is the type of the tftpd executable.
-#
-daemon_domain(tftpd)
-
-# tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, sysadmfile;
-r_dir_file(tftpd_t, tftpdir_t)
-
-domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
-
-# Use the network.
-can_network_udp(tftpd_t)
-allow tftpd_t tftp_port_t:udp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t tftp_port_t:udp_socket name_bind;
-')
-allow tftpd_t self:unix_dgram_socket create_socket_perms;
-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-
-# allow any domain to connect to the TFTP server
-allow tftpd_t inetd_t:udp_socket rw_socket_perms;
-
-# Use capabilities
-allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot };
-
-allow tftpd_t etc_t:dir r_dir_perms;
-allow tftpd_t etc_t:file r_file_perms;
-
-allow tftpd_t var_t:dir r_dir_perms;
-allow tftpd_t var_t:{ file lnk_file } r_file_perms;
diff --git a/strict/domains/program/thunderbird.te b/strict/domains/program/thunderbird.te
deleted file mode 100644
index c640f875..00000000
--- a/strict/domains/program/thunderbird.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# DESC - Thunderbird
-#
-# Author: Ivan Gyurdiev
-#
-
-# Type for executables
-type thunderbird_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/thunderbird_macros.te
-bool disable_thunderbird_trans false;
diff --git a/strict/domains/program/timidity.te b/strict/domains/program/timidity.te
deleted file mode 100644
index e007d3f0..00000000
--- a/strict/domains/program/timidity.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# DESC timidity - MIDI to WAV converter and player
-#
-# Author: Thomas Bleher
-#
-# Note: You only need this policy if you want to run timidity as a server
-
-daemon_base_domain(timidity)
-can_network_server(timidity_t)
-
-allow timidity_t device_t:lnk_file read;
-
-# read /usr/share/alsa/alsa.conf
-allow timidity_t usr_t:file { getattr read };
-# read /etc/esd.conf and /proc/cpuinfo
-allow timidity_t { etc_t proc_t }:file { getattr read };
-# read libartscbackend.la - should these be shlib_t?
-allow timidity_t lib_t:file { getattr read };
-
-allow timidity_t sound_device_t:chr_file { read write ioctl };
-
-# stupid timidity won't start if it can't search its current directory.
-# allow this so /etc/init.d/alsasound start works from /root
-allow timidity_t sysadm_home_dir_t:dir search;
-
-allow timidity_t tmp_t:dir search;
-tmpfs_domain(timidity)
-
-allow timidity_t self:shm create_shm_perms;
-
-allow timidity_t self:unix_stream_socket create_stream_socket_perms;
-
-allow timidity_t devpts_t:dir search;
-allow timidity_t self:capability { dac_override dac_read_search };
-allow timidity_t self:process getsched;
diff --git a/strict/domains/program/tmpreaper.te b/strict/domains/program/tmpreaper.te
deleted file mode 100644
index 2373a502..00000000
--- a/strict/domains/program/tmpreaper.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC Tmpreaper - Monitor and maintain temporary files
-#
-# Author: Russell Coker
-# X-Debian-Packages: tmpreaper
-#
-
-#################################
-#
-# Rules for the tmpreaper_t domain.
-#
-type tmpreaper_t, domain, privlog;
-type tmpreaper_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types tmpreaper_t;
-
-system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
-uses_shlib(tmpreaper_t)
-# why does it need setattr?
-allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
-allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
-allow tmpreaper_t self:process { fork sigchld };
-allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
-allow tmpreaper_t fs_t:filesystem getattr;
-
-r_dir_file(tmpreaper_t, etc_t)
-allow tmpreaper_t var_t:dir { getattr search };
-r_dir_file(tmpreaper_t, var_lib_t)
-allow tmpreaper_t device_t:dir { getattr search };
-allow tmpreaper_t urandom_device_t:chr_file { getattr read };
-
-read_locale(tmpreaper_t)
-
diff --git a/strict/domains/program/traceroute.te b/strict/domains/program/traceroute.te
deleted file mode 100644
index af25e20d..00000000
--- a/strict/domains/program/traceroute.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Traceroute - Display network routes
-#
-# Author: Russell Coker
-# based on the work of David A. Wheeler
-# X-Debian-Packages: traceroute lft
-#
-
-#################################
-#
-# Rules for the traceroute_t domain.
-#
-# traceroute_t is the domain for the traceroute program.
-# traceroute_exec_t is the type of the corresponding program.
-#
-type traceroute_t, domain, privlog, nscd_client_domain;
-role sysadm_r types traceroute_t;
-role system_r types traceroute_t;
-# for user_ping:
-in_user_role(traceroute_t)
-uses_shlib(traceroute_t)
-can_network_client(traceroute_t)
-allow traceroute_t port_type:tcp_socket name_connect;
-can_ypbind(traceroute_t)
-allow traceroute_t node_t:rawip_socket node_bind;
-type traceroute_exec_t, file_type, sysadmfile, exec_type;
-
-# Transition into this domain when you run this program.
-domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t)
-domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
-
-allow traceroute_t etc_t:file { getattr read };
-
-# Use capabilities.
-allow traceroute_t self:capability { net_admin net_raw setuid setgid };
-
-allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow traceroute_t self:unix_stream_socket create_socket_perms;
-allow traceroute_t device_t:dir search;
-
-# for lft
-allow traceroute_t self:packet_socket create_socket_perms;
-r_dir_file(traceroute_t, proc_t)
-r_dir_file(traceroute_t, proc_net_t)
-
-# Access the terminal.
-allow traceroute_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
-allow traceroute_t privfd:fd use;
-
-# dont need this
-dontaudit traceroute_t fs_t:filesystem getattr;
-dontaudit traceroute_t var_t:dir search;
-
-ifdef(`ping.te', `
-if (user_ping) {
- domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
- # allow access to the terminal
- allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
-}
-')
-#rules needed for nmap
-allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-allow traceroute_t usr_t:file { getattr read };
-read_locale(traceroute_t)
-dontaudit traceroute_t userdomain:dir search;
diff --git a/strict/domains/program/tvtime.te b/strict/domains/program/tvtime.te
deleted file mode 100644
index fa720218..00000000
--- a/strict/domains/program/tvtime.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC tvtime - a high quality television application
-#
-# Domains for the tvtime program.
-# Author : Dan Walsh
-#
-# tvtime_exec_t is the type of the tvtime executable.
-#
-type tvtime_exec_t, file_type, sysadmfile, exec_type;
-type tvtime_dir_t, file_type, sysadmfile, pidfile;
-
-# Everything else is in the tvtime_domain macro in
-# macros/program/tvtime_macros.te.
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
deleted file mode 100644
index cc5f7d45..00000000
--- a/strict/domains/program/udev.te
+++ /dev/null
@@ -1,152 +0,0 @@
-#DESC udev - Linux configurable dynamic device naming support
-#
-# Author: Dan Walsh dwalsh@redhat.com
-#
-
-#################################
-#
-# Rules for the udev_t domain.
-#
-# udev_exec_t is the type of the udev executable.
-#
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
-
-general_domain_access(udev_t)
-
-if (allow_execmem) {
-# for alsactl
-allow udev_t self:process execmem;
-}
-
-etc_domain(udev)
-type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-can_exec_any(udev_t)
-
-#
-# Rules used for udev
-#
-type udev_tdb_t, file_type, sysadmfile, dev_fs;
-typealias udev_tdb_t alias udev_tbl_t;
-file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice };
-allow udev_t self:file { getattr read };
-allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
-allow udev_t self:unix_dgram_socket create_socket_perms;
-allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow udev_t device_t:file { unlink rw_file_perms };
-allow udev_t device_t:sock_file create_file_perms;
-allow udev_t device_t:lnk_file create_lnk_perms;
-allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-ifdef(`distro_redhat', `
-allow udev_t tmpfs_t:dir create_dir_perms;
-allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
-allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-allow udev_t tmpfs_t:dir search;
-
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
-')
-allow udev_t etc_t:file { getattr read ioctl };
-allow udev_t { bin_t sbin_t }:dir r_dir_perms;
-allow udev_t { sbin_t bin_t }:lnk_file read;
-allow udev_t bin_t:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
-can_exec(udev_t, udev_exec_t)
-rw_dir_file(udev_t, sysfs_t)
-allow udev_t sysadm_tty_device_t:chr_file { read write };
-
-# to read the file_contexts file
-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
-
-allow udev_t policy_config_t:dir search;
-allow udev_t proc_t:file { getattr read ioctl };
-allow udev_t proc_kcore_t:file getattr;
-
-# Get security policy decisions.
-can_getsecurity(udev_t)
-
-# set file system create context
-can_setfscreate(udev_t)
-
-allow udev_t kernel_t:fd use;
-allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
-allow udev_t kernel_t:process signal;
-
-allow udev_t initrc_var_run_t:file r_file_perms;
-dontaudit udev_t initrc_var_run_t:file write;
-
-domain_auto_trans(kernel_t, udev_exec_t, udev_t)
-domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
-')
-allow udev_t devpts_t:dir { getattr search };
-allow udev_t etc_runtime_t:file { getattr read };
-ifdef(`xdm.te', `
-allow udev_t xdm_var_run_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_etc_t)
-')
-allow udev_t var_log_t:dir search;
-
-ifdef(`consoletype.te', `
-can_exec(udev_t, consoletype_exec_t)
-')
-ifdef(`pamconsole.te', `
-allow udev_t pam_var_console_t:dir search;
-allow udev_t pam_var_console_t:file { getattr read };
-domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
-')
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
-domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
-')
-
-dontaudit udev_t file_t:dir search;
-ifdef(`dhcpc.te', `
-domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
-')
-
-allow udev_t udev_helper_exec_t:dir r_dir_perms;
-
-dbusd_client(system, udev)
-
-allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
-allow udev_t sysctl_dev_t:dir search;
-allow udev_t mnt_t:dir search;
-allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
-allow udev_t self:rawip_socket create_socket_perms;
-dontaudit udev_t domain:dir r_dir_perms;
-dontaudit udev_t ttyfile:chr_file unlink;
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_var_run_t)
-')
-r_dir_file(udev_t, modules_object_t)
-#
-# Udev is now writing dhclient-eth*.conf* files.
-#
-ifdef(`dhcpd.te', `define(`use_dhcp')')
-ifdef(`dhcpc.te', `define(`use_dhcp')')
-ifdef(`use_dhcp', `
-allow udev_t dhcp_etc_t:file rw_file_perms;
-file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
-')
-r_dir_file(udev_t, domain)
-allow udev_t modules_dep_t:file r_file_perms;
-
-nsswitch_domain(udev_t)
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(udev_t)
-')
-dontaudit hostname_t udev_t:fd use;
-ifdef(`use_mcs', `
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-')
diff --git a/strict/domains/program/uml.te b/strict/domains/program/uml.te
deleted file mode 100644
index 75ae5012..00000000
--- a/strict/domains/program/uml.te
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# Author: Russell Coker
-#
-type uml_exec_t, file_type, sysadmfile;
-type uml_ro_t, file_type, sysadmfile;
-
-# the main code is in macros/program/uml_macros.te
-
-daemon_domain(uml_switch)
-allow uml_switch_t self:unix_dgram_socket create_socket_perms;
-allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
-allow initrc_t uml_switch_var_run_t:sock_file setattr;
-rw_dir_create_file(initrc_t, uml_switch_var_run_t)
diff --git a/strict/domains/program/unconfined.te b/strict/domains/program/unconfined.te
deleted file mode 100644
index 9497a3ce..00000000
--- a/strict/domains/program/unconfined.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC Unconfined - Use to essentially disable SELinux for a particular program
-# This domain will be useful as a workaround for e.g. third-party daemon software
-# that has no policy, until one can be written for it.
-#
-# To use, label the executable with unconfined_exec_t, e.g.:
-# chcon -t unconfined_exec_t /usr/local/bin/appsrv
-# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
-
-type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
-type unconfined_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types unconfined_t;
-domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
-role system_r types unconfined_t;
-domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t)
-unconfined_domain(unconfined_t)
diff --git a/strict/domains/program/unused/afs.te b/strict/domains/program/unused/afs.te
deleted file mode 100644
index 8bcab3bc..00000000
--- a/strict/domains/program/unused/afs.te
+++ /dev/null
@@ -1,166 +0,0 @@
-#
-# Policy for AFS server
-#
-
-type afs_files_t, file_type;
-type afs_config_t, file_type, sysadmfile;
-type afs_logfile_t, file_type, logfile;
-type afs_dbdir_t, file_type;
-
-allow afs_files_t afs_files_t:filesystem associate;
-# df should show sizes
-allow sysadm_t afs_files_t:filesystem getattr;
-
-#
-# Macros for defining AFS server domains
-#
-
-define(`afs_server_domain',`
-type afs_$1server_t, domain $2;
-type afs_$1server_exec_t, file_type, sysadmfile;
-
-role system_r types afs_$1server_t;
-
-allow afs_$1server_t afs_config_t:file r_file_perms;
-allow afs_$1server_t afs_config_t:dir r_dir_perms;
-allow afs_$1server_t afs_logfile_t:file create_file_perms;
-allow afs_$1server_t afs_logfile_t:dir create_dir_perms;
-allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;
-uses_shlib(afs_$1server_t)
-can_network(afs_$1server_t)
-read_locale(afs_$1server_t)
-
-dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms;
-dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms;
-dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms;
-')
-
-define(`afs_under_bos',`
-domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t)
-allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms;
-allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms;
-allow afs_$1server_t net_conf_t:file r_file_perms;
-allow afs_bosserver_t afs_$1server_t:process signal_perms;
-')
-
-define(`afs_server_db',`
-type afs_$1_db_t, file_type;
-
-allow afs_$1server_t afs_$1_db_t:file create_file_perms;
-file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);
-')
-
-
-#
-# bosserver
-#
-
-afs_server_domain(`bos')
-base_file_read_access(afs_bosserver_t)
-
-domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t)
-
-allow afs_bosserver_t self:process { fork setsched signal_perms };
-allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms };
-allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
-allow afs_bosserver_t afs_config_t:file create_file_perms;
-allow afs_bosserver_t afs_config_t:dir create_dir_perms;
-
-allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms;
-allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow afs_bosserver_t device_t:dir r_dir_perms;
-
-# allow sysadm to use bos
-allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto };
-
-#
-# fileserver, volserver, and salvager
-#
-
-afs_server_domain(`fs',`,privlog')
-afs_under_bos(`fs')
-
-base_file_read_access(afs_fsserver_t)
-file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)
-
-allow afs_fsserver_t self:process { fork sigchld setsched signal_perms };
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
-allow afs_fsserver_t self:fifo_file { rw_file_perms };
-can_exec(afs_fsserver_t, afs_fsserver_exec_t)
-allow afs_fsserver_t afs_files_t:file create_file_perms;
-allow afs_fsserver_t afs_files_t:dir create_dir_perms;
-allow afs_fsserver_t afs_config_t:file create_file_perms;
-allow afs_fsserver_t afs_config_t:dir create_dir_perms;
-
-allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind;
-allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr;
-
-allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow afs_fsserver_t device_t:dir r_dir_perms;
-allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms;
-allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms;
-
-allow afs_fsserver_t proc_t:dir r_dir_perms;
-allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms;
-allow afs_fsserver_t { self proc_t } : dir r_dir_perms;
-
-# fs communicates with other servers
-allow afs_fsserver_t self:unix_dgram_socket create_socket_perms;
-allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };
-allow afs_fsserver_t self:udp_socket { sendto recvfrom };
-allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom };
-allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto };
-
-dontaudit afs_fsserver_t self:capability fsetid;
-dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms;
-dontaudit afs_fsserver_t initrc_t:fd use;
-dontaudit afs_fsserver_t mnt_t:dir search;
-
-
-#
-# kaserver
-#
-
-afs_server_domain(`ka')
-afs_under_bos(`ka')
-afs_server_db(`ka')
-
-base_file_read_access(afs_kaserver_t)
-
-allow afs_kaserver_t kerberos_port_t:udp_socket name_bind;
-allow afs_kaserver_t self:capability { net_bind_service };
-allow afs_kaserver_t afs_config_t:file create_file_perms;
-allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
-
-# allow sysadm to use kas
-allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto };
-
-
-#
-# ptserver
-#
-
-afs_server_domain(`pt')
-afs_under_bos(`pt')
-afs_server_db(`pt')
-
-# allow users to use pts
-allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom };
-allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto };
-allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom };
-
-
-#
-# vlserver
-#
-
-afs_server_domain(`vl')
-afs_under_bos(`vl')
-afs_server_db(`vl')
-
-allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto };
-allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom };
diff --git a/strict/domains/program/unused/amavis.te b/strict/domains/program/unused/amavis.te
deleted file mode 100644
index 1e1752f5..00000000
--- a/strict/domains/program/unused/amavis.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#DESC Amavis - Anti-virus
-#
-# Author: Brian May
-# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper
-# Depends: clamav.te
-#
-
-#################################
-#
-# Rules for the amavisd_t domain.
-#
-type amavisd_etc_t, file_type, sysadmfile;
-type amavisd_lib_t, file_type, sysadmfile;
-
-# Virus and spam found and quarantined.
-type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
-
-daemon_domain(amavisd)
-tmp_domain(amavisd)
-
-allow initrc_t amavisd_etc_t:file { getattr read };
-allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
-allow initrc_t amavisd_lib_t:file unlink;
-allow initrc_t amavisd_var_run_t:dir setattr;
-allow amavisd_t self:capability { chown dac_override setgid setuid };
-dontaudit amavisd_t self:capability sys_tty_config;
-
-allow amavisd_t usr_t:{ file lnk_file } { getattr read };
-dontaudit amavisd_t usr_t:file ioctl;
-
-# networking
-can_network_server_tcp(amavisd_t, amavisd_recv_port_t)
-allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind;
-allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect;
-# The next line doesn't work right so drop the port specification.
-#can_network_client_tcp(amavisd_t, amavisd_send_port_t)
-can_network_client_tcp(amavisd_t)
-allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;
-can_resolve(amavisd_t);
-can_ypbind(amavisd_t);
-can_tcp_connect(mail_server_sender, amavisd_t);
-can_tcp_connect(amavisd_t, mail_server_domain)
-
-ifdef(`scannerdaemon.te', `
-can_tcp_connect(amavisd_t, scannerdaemon_t);
-allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms;
-allow scannerdaemon_t amavisd_lib_t:file r_file_perms;
-')
-
-ifdef(`clamav.te', `
-clamscan_domain(amavisd)
-role system_r types amavisd_clamscan_t;
-domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t)
-allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms;
-allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms;
-can_clamd_connect(amavisd)
-allow clamd_t amavisd_lib_t:dir r_dir_perms;
-allow clamd_t amavisd_lib_t:file r_file_perms;
-')
-
-# DCC
-ifdef(`dcc.te', `
-allow dcc_client_t amavisd_lib_t:file r_file_perms;
-')
-
-# Pyzor
-ifdef(`pyzor.te',`
-domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t)
-#allow pyzor_t amavisd_data_t:dir search;
-# Pyzor creates a temp file adjacent to the working file.
-create_dir_file(pyzor_t, amavisd_lib_t);
-')
-
-# SpamAssassin is executed from within amavisd, but needs to read its
-# config
-ifdef(`spamd.te', `
-r_dir_file(amavisd_t, etc_mail_t)
-')
-
-# Can create unix sockets
-allow amavisd_t self:unix_stream_socket create_stream_socket_perms;
-allow amavisd_t self:unix_dgram_socket create_socket_perms;
-allow amavisd_t self:fifo_file getattr;
-
-read_locale(amavisd_t)
-
-# Access config files (amavisd).
-allow amavisd_t amavisd_etc_t:file r_file_perms;
-
-log_domain(amavisd)
-
-# Access amavisd var/lib files.
-create_dir_file(amavisd_t, amavisd_lib_t)
-
-# Access amavisd quarantined files.
-create_dir_file(amavisd_t, amavisd_quarantine_t)
-
-# Run helper programs.
-can_exec_any(amavisd_t,bin_t)
-allow amavisd_t bin_t:dir { getattr search };
-allow amavisd_t sbin_t:dir search;
-allow amavisd_t var_lib_t:dir search;
-
-# allow access to files for scanning (required for amavis):
-allow clamd_t self:capability { dac_override dac_read_search };
-
-# unknown stuff
-allow amavisd_t self:fifo_file { ioctl read write };
-allow amavisd_t { random_device_t urandom_device_t }:chr_file read;
-allow amavisd_t proc_t:file { getattr read };
-allow amavisd_t etc_runtime_t:file { getattr read };
-
-# broken stuff
-dontaudit amavisd_t sysadm_home_dir_t:dir search;
-dontaudit amavisd_t shadow_t:file { getattr read };
-dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
-
diff --git a/strict/domains/program/unused/asterisk.te b/strict/domains/program/unused/asterisk.te
deleted file mode 100644
index 7ae5ffc9..00000000
--- a/strict/domains/program/unused/asterisk.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#DESC Asterisk IP telephony server
-#
-# Author: Russell Coker
-#
-# X-Debian-Packages: asterisk
-
-daemon_domain(asterisk)
-allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
-allow initrc_t asterisk_var_run_t:fifo_file unlink;
-
-allow asterisk_t self:process setsched;
-allow asterisk_t self:fifo_file rw_file_perms;
-
-allow asterisk_t proc_t:file { getattr read };
-
-allow asterisk_t { bin_t sbin_t }:dir search;
-allow asterisk_t bin_t:lnk_file read;
-can_exec(asterisk_t, bin_t)
-
-etcdir_domain(asterisk)
-logdir_domain(asterisk)
-var_lib_domain(asterisk)
-
-allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind;
-
-# for VOIP voice channels.
-allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;
-
-allow asterisk_t device_t:lnk_file read;
-allow asterisk_t sound_device_t:chr_file rw_file_perms;
-
-type asterisk_spool_t, file_type, sysadmfile;
-create_dir_file(asterisk_t, asterisk_spool_t)
-allow asterisk_t var_spool_t:dir search;
-
-# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
-# are labeled usr_t
-allow asterisk_t usr_t:file r_file_perms;
-
-can_network_server(asterisk_t)
-can_ypbind(asterisk_t)
-allow asterisk_t etc_t:file { getattr read };
-
-allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow asterisk_t self:sem create_sem_perms;
-allow asterisk_t self:shm create_shm_perms;
-
-# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
-
-# for shutdown
-dontaudit asterisk_t self:capability sys_tty_config;
-
-tmpfs_domain(asterisk)
-tmp_domain(asterisk)
diff --git a/strict/domains/program/unused/audio-entropyd.te b/strict/domains/program/unused/audio-entropyd.te
deleted file mode 100644
index 216108a0..00000000
--- a/strict/domains/program/unused/audio-entropyd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC audio-entropyd - Generate entropy from audio input
-#
-# Author: Chris PeBenito
-#
-
-daemon_domain(entropyd)
-
-allow entropyd_t self:capability { ipc_lock sys_admin };
-
-allow entropyd_t random_device_t:chr_file rw_file_perms;
-allow entropyd_t device_t:dir r_dir_perms;
-allow entropyd_t sound_device_t:chr_file r_file_perms;
diff --git a/strict/domains/program/unused/authbind.te b/strict/domains/program/unused/authbind.te
deleted file mode 100644
index 6aabc3eb..00000000
--- a/strict/domains/program/unused/authbind.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Authbind - Program to bind to low ports as non-root
-#
-# Authors: Russell Coker
-# X-Debian-Packages: authbind
-#
-
-#################################
-#
-# Rules for the authbind_t domain.
-#
-# authbind_exec_t is the type of the authbind executable.
-#
-type authbind_t, domain, privlog;
-type authbind_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types authbind_t;
-
-etcdir_domain(authbind)
-
-can_exec(authbind_t, authbind_etc_t)
-allow authbind_t etc_t:dir r_dir_perms;
-
-uses_shlib(authbind_t)
-
-allow authbind_t self:capability net_bind_service;
-
-allow authbind_t domain:fd use;
-
-allow authbind_t console_device_t:chr_file { read write };
diff --git a/strict/domains/program/unused/backup.te b/strict/domains/program/unused/backup.te
deleted file mode 100644
index 628527d8..00000000
--- a/strict/domains/program/unused/backup.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC Backup - Backup scripts
-#
-# Author: Russell Coker
-# X-Debian-Packages: dpkg
-#
-
-#################################
-#
-# Rules for the backup_t domain.
-#
-type backup_t, domain, privlog, auth;
-type backup_exec_t, file_type, sysadmfile, exec_type;
-
-type backup_store_t, file_type, sysadmfile;
-
-role system_r types backup_t;
-role sysadm_r types backup_t;
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
-')
-allow backup_t privfd:fd use;
-ifdef(`crond.te', `
-system_crond_entry(backup_exec_t, backup_t)
-rw_dir_create_file(system_crond_t, backup_store_t)
-')
-
-# for SSP
-allow backup_t urandom_device_t:chr_file read;
-
-can_network_client(backup_t)
-allow backup_t port_type:tcp_socket name_connect;
-can_ypbind(backup_t)
-uses_shlib(backup_t)
-
-allow backup_t devtty_t:chr_file rw_file_perms;
-
-allow backup_t { file_type fs_type }:dir r_dir_perms;
-allow backup_t file_type:{ file lnk_file } r_file_perms;
-allow backup_t file_type:{ sock_file fifo_file } getattr;
-allow backup_t { device_t device_type ttyfile }:chr_file getattr;
-allow backup_t { device_t device_type }:blk_file getattr;
-allow backup_t var_t:file create_file_perms;
-
-allow backup_t proc_t:dir r_dir_perms;
-allow backup_t proc_t:file r_file_perms;
-allow backup_t proc_t:lnk_file { getattr read };
-read_sysctl(backup_t)
-
-allow backup_t self:fifo_file rw_file_perms;
-allow backup_t self:process { signal sigchld fork };
-allow backup_t self:capability dac_override;
-
-rw_dir_file(backup_t, backup_store_t)
-allow backup_t backup_store_t:file { create setattr };
-
-allow backup_t fs_t:filesystem getattr;
-
-allow backup_t self:unix_stream_socket create_socket_perms;
-
-can_exec(backup_t, bin_t)
-ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)')
diff --git a/strict/domains/program/unused/calamaris.te b/strict/domains/program/unused/calamaris.te
deleted file mode 100644
index 1bfce369..00000000
--- a/strict/domains/program/unused/calamaris.te
+++ /dev/null
@@ -1,72 +0,0 @@
-#DESC Calamaris - Squid log analysis
-#
-# Author: Russell Coker
-# X-Debian-Packages: calamaris
-# Depends: squid.te
-#
-
-#################################
-#
-# Rules for the calamaris_t domain.
-#
-# calamaris_t is the domain the calamaris process runs in
-
-system_domain(calamaris, `, privmail')
-
-ifdef(`crond.te', `
-system_crond_entry(calamaris_exec_t, calamaris_t)
-')
-
-allow calamaris_t { var_t var_run_t }:dir { getattr search };
-allow calamaris_t squid_log_t:dir search;
-allow calamaris_t squid_log_t:file { getattr read };
-allow calamaris_t { usr_t lib_t }:file { getattr read };
-allow calamaris_t usr_t:lnk_file { getattr read };
-dontaudit calamaris_t usr_t:file ioctl;
-
-type calamaris_www_t, file_type, sysadmfile;
-ifdef(`apache.te', `
-allow calamaris_t httpd_sys_content_t:dir search;
-')
-rw_dir_create_file(calamaris_t, calamaris_www_t)
-
-# for when squid has a different UID
-allow calamaris_t self:capability dac_override;
-
-logdir_domain(calamaris)
-
-allow calamaris_t device_t:dir search;
-allow calamaris_t devtty_t:chr_file { read write };
-
-allow calamaris_t urandom_device_t:chr_file { getattr read };
-
-allow calamaris_t self:process { fork signal_perms setsched };
-read_sysctl(calamaris_t)
-allow calamaris_t proc_t:dir search;
-allow calamaris_t proc_t:file { getattr read };
-allow calamaris_t { proc_t self }:lnk_file read;
-allow calamaris_t self:dir search;
-
-allow calamaris_t { bin_t sbin_t }:dir search;
-allow calamaris_t bin_t:lnk_file read;
-allow calamaris_t etc_runtime_t:file { getattr read };
-allow calamaris_t self:fifo_file { getattr read write ioctl };
-read_locale(calamaris_t)
-
-can_exec(calamaris_t, bin_t)
-allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
-allow calamaris_t self:udp_socket create_socket_perms;
-allow calamaris_t etc_t:file { getattr read };
-allow calamaris_t etc_t:lnk_file read;
-dontaudit calamaris_t etc_t:file ioctl;
-dontaudit calamaris_t sysadm_home_dir_t:dir { 
getattr search };
-can_network_server(calamaris_t)
-can_ypbind(calamaris_t)
-ifdef(`named.te', `
-can_udp_send(calamaris_t, named_t)
-can_udp_send(named_t, calamaris_t)
-')
-
-ifdef(`apache.te', `
-r_dir_file(httpd_t, calamaris_www_t)
-')
diff --git a/strict/domains/program/unused/ciped.te b/strict/domains/program/unused/ciped.te
deleted file mode 100644
index 6fddf977..00000000
--- a/strict/domains/program/unused/ciped.te
+++ /dev/null
@@ -1,32 +0,0 @@
-
-
-daemon_base_domain(ciped)
-
-# for SSP
-allow ciped_t urandom_device_t:chr_file read;
-
-# cipe uses the afs3-bos port (udp 7007)
-allow ciped_t afs_bos_port_t:udp_socket name_bind;
-
-can_network_udp(ciped_t)
-can_ypbind(ciped_t)
-
-allow ciped_t devpts_t:dir search;
-allow ciped_t devtty_t:chr_file { read write };
-allow ciped_t etc_runtime_t:file { getattr read };
-allow ciped_t etc_t:file { getattr read };
-allow ciped_t proc_t:file { getattr read };
-allow ciped_t { bin_t sbin_t }:dir { getattr search read };
-allow ciped_t bin_t:lnk_file read;
-can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t })
-allow ciped_t self:fifo_file rw_file_perms;
-
-read_locale(ciped_t)
-
-allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
-allow ciped_t self:unix_dgram_socket create_socket_perms;
-allow ciped_t self:unix_stream_socket create_socket_perms;
-
-allow ciped_t random_device_t:chr_file { getattr read };
-
-dontaudit ciped_t var_t:dir search;
diff --git a/strict/domains/program/unused/clamav.te b/strict/domains/program/unused/clamav.te
deleted file mode 100644
index 3ef34eeb..00000000
--- a/strict/domains/program/unused/clamav.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC CLAM - Anti-virus program
-#
-# Author: Brian May
-# X-Debian-Packages: clamav
-#
-
-#################################
-#
-# Rules for the clamscan_t domain.
-#
-
-# Virus database
-type clamav_var_lib_t, file_type, sysadmfile;
-
-# clamscan_t is the domain of the clamscan virus scanner
-type clamscan_exec_t, file_type, sysadmfile, exec_type;
-
-##########
-##########
-
-#
-# Freshclam
-#
-
-daemon_base_domain(freshclam, `, web_client_domain')
-read_locale(freshclam_t)
-
-# not sure why it needs this
-read_sysctl(freshclam_t)
-
-can_network_client_tcp(freshclam_t, http_port_t);
-allow freshclam_t http_port_t:tcp_socket name_connect;
-can_resolve(freshclam_t)
-can_ypbind(freshclam_t)
-
-# Access virus signatures
-allow freshclam_t { var_t var_lib_t }:dir search;
-rw_dir_create_file(freshclam_t, clamav_var_lib_t)
-
-allow freshclam_t devtty_t:chr_file { read write };
-allow freshclam_t devpts_t:dir search;
-allow freshclam_t etc_t:file { getattr read };
-allow freshclam_t proc_t:file { getattr read };
-
-allow freshclam_t urandom_device_t:chr_file { getattr read };
-dontaudit freshclam_t urandom_device_t:chr_file ioctl;
-
-# for nscd
-dontaudit freshclam_t var_run_t:dir search;
-
-# setuid/getuid used (although maybe not required...)
-allow freshclam_t self:capability { setgid setuid };
-
-allow freshclam_t sbin_t:dir search;
-
-# Allow notification to daemon that virus database has changed
-can_clamd_connect(freshclam)
-
-allow freshclam_t etc_runtime_t:file { read getattr };
-allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
-allow freshclam_t self:unix_dgram_socket create_socket_perms;
-allow freshclam_t self:fifo_file rw_file_perms;
-
-# Log files for freshclam executable
-logdir_domain(freshclam)
-allow initrc_t freshclam_log_t:file append;
-
-# Pid files for freshclam
-allow initrc_t clamd_var_run_t:file { create setattr };
-
-system_crond_entry(freshclam_exec_t, freshclam_t)
-domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
-
-domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
-role sysadm_r types freshclam_t;
-
-create_dir_file(freshclam_t, clamd_var_run_t)
-
-##########
-##########
-
-#
-# Clamscan
-#
-
-# macros/program/clamav_macros.te.
-user_clamscan_domain(sysadm)
-
-##########
-##########
-
-#
-# Clamd
-#
-
-type clamd_sock_t, file_type, sysadmfile;
-
-# clamd executable
-daemon_domain(clamd)
-
-tmp_domain(clamd)
-
-# The dir containing the clamd log files is labelled freshclam_t
-logdir_domain(clamd)
-allow clamd_t freshclam_log_t:dir search;
-
-allow clamd_t self:capability { kill setgid setuid dac_override };
-
-# Give the clamd local communications socket a unique type
-ifdef(`distro_debian', `
-file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
-')
-ifdef(`distro_redhat', `
-file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
-')
-
-# Clamd can be configured to listen on a TCP port.
-can_network_server_tcp(clamd_t, clamd_port_t)
-allow clamd_t clamd_port_t:tcp_socket name_bind;
-can_resolve(clamd_t);
-
-allow clamd_t var_lib_t:dir search;
-r_dir_file(clamd_t, clamav_var_lib_t)
-r_dir_file(clamd_t, etc_t)
-# allow access /proc/sys/kernel/version
-read_sysctl(clamd_t)
-allow clamd_t self:unix_stream_socket create_stream_socket_perms;
-allow clamd_t self:unix_dgram_socket create_stream_socket_perms;
-allow clamd_t self:fifo_file rw_file_perms;
-
-allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;
-
-
-##########
-##########
-
-#
-# Interaction with external programs
-#
-
-ifdef(`amavis.te',`
-allow amavisd_t clamd_var_run_t:dir search;
-allow amavisd_t clamd_t:unix_stream_socket connectto;
-allow amavisd_t clamd_sock_t:sock_file write;
-')
-
diff --git a/strict/domains/program/unused/clockspeed.te b/strict/domains/program/unused/clockspeed.te
deleted file mode 100644
index f79c3144..00000000
--- a/strict/domains/program/unused/clockspeed.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC clockspeed - Simple network time protocol client
-#
-# Author Petre Rodan
-#
-
-daemon_base_domain(clockspeed)
-var_lib_domain(clockspeed)
-can_network(clockspeed_t)
-allow clockspeed_t port_type:tcp_socket name_connect;
-read_locale(clockspeed_t)
-
-allow clockspeed_t self:capability { sys_time net_bind_service };
-allow clockspeed_t self:unix_dgram_socket create_socket_perms;
-allow clockspeed_t self:unix_stream_socket create_socket_perms;
-allow clockspeed_t clockspeed_port_t:udp_socket name_bind;
-allow clockspeed_t domain:packet_socket recvfrom;
-
-allow clockspeed_t var_t:dir search;
-allow clockspeed_t clockspeed_var_lib_t:file create_file_perms;
-allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
-
-# sysadm can play with clockspeed
-role sysadm_r types clockspeed_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
-')
diff --git a/strict/domains/program/unused/courier.te b/strict/domains/program/unused/courier.te
deleted file mode 100644
index 75e42d38..00000000
--- a/strict/domains/program/unused/courier.te
+++ /dev/null
@@ -1,139 +0,0 @@
-#DESC Courier - POP and IMAP servers
-#
-# Author: Russell Coker
-# X-Debian-Packages: courier-base
-#
-
-# Type for files created during execution of courier.
-type courier_var_run_t, file_type, sysadmfile, pidfile;
-type courier_var_lib_t, file_type, sysadmfile;
-
-type courier_etc_t, file_type, sysadmfile;
-
-# allow start scripts to read the config
-allow initrc_t courier_etc_t:file r_file_perms;
-
-type courier_exec_t, file_type, sysadmfile, exec_type;
-type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type;
-
-define(`courier_domain', `
-#################################
-#
-# Rules for the courier_$1_t domain.
-#
-# courier_$1_exec_t is the type of the courier_$1 executables.
-#
-daemon_base_domain(courier_$1, `$2')
-
-allow courier_$1_t var_run_t:dir search;
-rw_dir_create_file(courier_$1_t, courier_var_run_t)
-allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
-
-# allow it to read config files etc
-allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
-allow courier_$1_t courier_etc_t:file r_file_perms;
-allow courier_$1_t etc_t:dir r_dir_perms;
-allow courier_$1_t etc_t:file r_file_perms;
-
-# execute scripts etc
-allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
-allow courier_$1_t bin_t:dir r_dir_perms;
-allow courier_$1_t fs_t:filesystem getattr;
-
-# set process group and allow permissions over-ride
-allow courier_$1_t self:process setpgid;
-allow courier_$1_t self:capability dac_override;
-
-# Use the network.
-can_network_server(courier_$1_t)
-allow courier_$1_t self:fifo_file { read write getattr };
-allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
-allow courier_$1_t self:unix_dgram_socket create_socket_perms;
-
-allow courier_$1_t null_device_t:chr_file rw_file_perms;
-
-# allow it to log to /dev/tty
-allow courier_$1_t devtty_t:chr_file rw_file_perms;
-
-allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
-allow courier_$1_t usr_t:dir r_dir_perms;
-allow courier_$1_t root_t:dir r_dir_perms;
-can_exec(courier_$1_t, courier_$1_exec_t)
-can_exec(courier_$1_t, bin_t)
-allow courier_$1_t bin_t:dir search;
-
-allow courier_$1_t proc_t:dir r_dir_perms;
-allow courier_$1_t proc_t:file r_file_perms;
-
-')dnl
-
-courier_domain(authdaemon, `, auth_chkpwd')
-allow courier_authdaemon_t sbin_t:dir search;
-allow courier_authdaemon_t lib_t:file { read getattr };
-allow courier_authdaemon_t tmp_t:dir getattr;
-allow courier_authdaemon_t self:file { getattr read };
-read_locale(courier_authdaemon_t)
-can_exec(courier_authdaemon_t, courier_exec_t)
-dontaudit courier_authdaemon_t selinux_config_t:dir search;
-
-# for SSP
-allow courier_authdaemon_t urandom_device_t:chr_file read;
-
-# should not be needed!
-allow courier_authdaemon_t home_root_t:dir search;
-allow courier_authdaemon_t user_home_dir_type:dir search;
-dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
-allow courier_authdaemon_t self:unix_stream_socket connectto;
-allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
-
-courier_domain(tcpd)
-allow courier_tcpd_t self:capability { kill net_bind_service };
-allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
-allow courier_tcpd_t sbin_t:dir search;
-allow courier_tcpd_t var_lib_t:dir search;
-# for TLS
-allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-read_locale(courier_tcpd_t)
-can_exec(courier_tcpd_t, courier_exec_t)
-allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:process sigchld;
-
-can_tcp_connect(userdomain, courier_tcpd_t)
-rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)
-
-# domain for pop and imap
-courier_domain(pop)
-read_locale(courier_pop_t)
-domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t)
-allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
-allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
-allow courier_pop_t courier_authdaemon_t:process sigchld;
-domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
-
-# inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
-
-# do the actual work (read the Maildir)
-# imap needs to write files
-allow courier_pop_t home_root_t:dir { getattr search };
-allow courier_pop_t user_home_dir_type:dir { getattr search };
-# pop does not need to create subdirs, IMAP does
-#rw_dir_create_file(courier_pop_t, user_home_type)
-create_dir_file(courier_pop_t, user_home_type)
-
-# for calendaring
-courier_domain(pcp)
-
-allow courier_pcp_t self:capability { setuid setgid };
-allow courier_pcp_t random_device_t:chr_file r_file_perms;
-
-# for webmail
-courier_domain(sqwebmail)
-ifdef(`crond.te', `
-system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t)
-')
-read_sysctl(courier_sqwebmail_t)
diff --git a/strict/domains/program/unused/daemontools.te b/strict/domains/program/unused/daemontools.te
deleted file mode 100644
index b24a58cd..00000000
--- a/strict/domains/program/unused/daemontools.te
+++ /dev/null
@@ -1,203 +0,0 @@
-#DESC Daemontools - Tools for managing UNIX services
-#
-# Author: Petre Rodan
-# with the help of Chris PeBenito, Russell Coker and Tad Glines
-#
-
-#
-# selinux policy for daemontools
-# http://cr.yp.to/daemontools.html
-#
-# thanks for D. J. Bernstein and the NSA team for the great software
-# they provide
-#
-
-##############################################################
-# type definitions
-
-type svc_conf_t, file_type, sysadmfile;
-type svc_log_t, file_type, sysadmfile;
-type svc_svc_t, file_type, sysadmfile;
-
-
-##############################################################
-# Macros
-define(`svc_filedir_domain', `
-create_dir_file($1, svc_svc_t)
-file_type_auto_trans($1, svc_svc_t, svc_svc_t);
-')
-
-##############################################################
-# the domains
-daemon_base_domain(svc_script)
-svc_filedir_domain(svc_script_t)
-
-# part started by initrc_t
-daemon_base_domain(svc_start)
-domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
-svc_filedir_domain(svc_start_t)
-
-# also get here from svc_script_t
-domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
-
-# the domain for /service/*/run and /service/*/log/run
-daemon_sub_domain(svc_start_t, svc_run)
-r_dir_file(svc_run_t, svc_conf_t)
-
-# the logger
-daemon_sub_domain(svc_run_t, svc_multilog)
-file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
-
-######
-# rules for all those domains
-
-# sysadm can tweak svc_run_exec_t files
-allow sysadm_t svc_run_exec_t:file create_file_perms;
-
-# run_init can control svc_script_t and svc_start_t domains
-domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
-domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
-allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
-svc_filedir_domain(initrc_t)
-
-# svc_start_t
-allow svc_start_t self:fifo_file rw_file_perms;
-allow svc_start_t self:capability kill;
-allow svc_start_t self:unix_stream_socket create_socket_perms;
-
-allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
-allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
-allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
-allow svc_start_t { var_t var_run_t }:dir search;
-can_exec(svc_start_t, bin_t)
-can_exec(svc_start_t, shell_exec_t)
-allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
-allow svc_start_t svc_run_t:process signal;
-dontaudit svc_start_t proc_t:file r_file_perms;
-dontaudit svc_start_t devtty_t:chr_file { read write };
-
-# svc script
-allow svc_script_t self:capability sys_admin;
-allow svc_script_t self:fifo_file { getattr read write };
-allow svc_script_t self:file r_file_perms;
-allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
-allow svc_script_t bin_t:lnk_file r_file_perms;
-can_exec(svc_script_t, bin_t)
-can_exec(svc_script_t, shell_exec_t)
-allow svc_script_t proc_t:file r_file_perms;
-allow svc_script_t shell_exec_t:file rx_file_perms;
-allow svc_script_t devtty_t:chr_file rw_file_perms;
-allow svc_script_t etc_runtime_t:file r_file_perms;
-allow svc_script_t svc_run_exec_t:file r_file_perms;
-allow svc_script_t svc_script_exec_t:file execute_no_trans;
-allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
-allow svc_script_t sysctl_kernel_t:file r_file_perms;
-
-# svc_run_t
-allow svc_run_t self:capability { setgid setuid chown fsetid };
-allow svc_run_t self:fifo_file rw_file_perms;
-allow svc_run_t self:file r_file_perms;
-allow svc_run_t self:process { fork setrlimit };
-allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
-allow svc_run_t svc_svc_t:dir r_dir_perms;
-allow svc_run_t svc_svc_t:file r_file_perms;
-allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
-allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
-allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
-allow svc_run_t { var_t var_run_t }:dir search;
-can_exec(svc_run_t, etc_t)
-can_exec(svc_run_t, lib_t)
-can_exec(svc_run_t, bin_t)
-can_exec(svc_run_t, sbin_t)
-can_exec(svc_run_t, ls_exec_t)
-can_exec(svc_run_t, shell_exec_t)
-allow svc_run_t devtty_t:chr_file rw_file_perms;
-allow svc_run_t etc_runtime_t:file r_file_perms;
-allow svc_run_t exec_type:{ file lnk_file } getattr;
-allow svc_run_t init_t:fd use;
-allow svc_run_t initrc_t:fd use;
-allow svc_run_t proc_t:file r_file_perms;
-allow svc_run_t sysctl_t:dir search;
-allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
-allow svc_run_t sysctl_kernel_t:file r_file_perms;
-allow svc_run_t var_lib_t:dir r_dir_perms;
-
-# multilog creates /service/*/log/status
-allow svc_multilog_t svc_svc_t:dir { read search };
-allow svc_multilog_t svc_svc_t:file { append write };
-# writes to /var/log/*/*
-allow svc_multilog_t var_t:dir search;
-allow svc_multilog_t var_log_t:dir create_dir_perms;
-allow svc_multilog_t var_log_t:file create_file_perms;
-# misc
-allow svc_multilog_t init_t:fd use;
-allow svc_start_t svc_multilog_t:process signal;
-svc_ipc_domain(svc_multilog_t)
-
-################################################################
-# scripts that can be started by daemontools
-# keep it sorted please.
-
-ifdef(`apache.te', `
-domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
-svc_ipc_domain(httpd_t)
-dontaudit httpd_t svc_svc_t:dir { search };
-')
-
-ifdef(`clamav.te', `
-domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
-svc_ipc_domain(clamd_t)
-')
-
-ifdef(`clockspeed.te', `
-domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
-svc_ipc_domain(clockspeed_t)
-r_dir_file(svc_run_t, clockspeed_var_lib_t)
-allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
-')
-
-ifdef(`dante.te', `
-domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
-svc_ipc_domain(dante_t)
-')
-
-ifdef(`publicfile.te', `
-svc_ipc_domain(publicfile_t)
-')
-
-ifdef(`qmail.te', `
-allow svc_run_t qmail_start_exec_t:file rx_file_perms;
-domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
-r_dir_file(svc_run_t, qmail_etc_t)
-svc_ipc_domain(qmail_send_t)
-svc_ipc_domain(qmail_start_t)
-svc_ipc_domain(qmail_queue_t)
-svc_ipc_domain(qmail_smtpd_t)
-')
-
-ifdef(`rsyncd.te', `
-domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
-svc_ipc_domain(rsyncd_t)
-')
-
-ifdef(`spamd.te', `
-domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
-svc_ipc_domain(spamd_t)
-')
-
-ifdef(`ssh.te', `
-domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
-svc_ipc_domain(sshd_t)
-')
-
-ifdef(`stunnel.te', `
-domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
-svc_ipc_domain(stunnel_t)
-')
-
-ifdef(`ucspi-tcp.te', `
-domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
-allow svc_run_t utcpserver_t:process { signal };
-svc_ipc_domain(utcpserver_t)
-')
-
diff --git a/strict/domains/program/unused/dante.te b/strict/domains/program/unused/dante.te
deleted file mode 100644
index 70885abb..00000000
--- a/strict/domains/program/unused/dante.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#DESC dante - socks daemon
-#
-# Author: petre rodan
-#
-
-type dante_conf_t, file_type, sysadmfile;
-
-daemon_domain(dante)
-can_network_server(dante_t)
-
-allow dante_t self:fifo_file { read write };
-allow dante_t self:capability { setuid setgid };
-allow dante_t self:unix_dgram_socket { connect create write };
-allow dante_t self:unix_stream_socket { connect create read setopt write };
-allow dante_t self:tcp_socket connect;
-
-allow dante_t socks_port_t:tcp_socket name_bind;
-
-allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
-r_dir_file(dante_t, dante_conf_t)
-
-allow dante_t initrc_var_run_t:file { getattr write };
-
diff --git a/strict/domains/program/unused/dcc.te b/strict/domains/program/unused/dcc.te
deleted file mode 100644
index 598d929d..00000000
--- a/strict/domains/program/unused/dcc.te
+++ /dev/null
@@ -1,252 +0,0 @@
-#
-# DCC - Distributed Checksum Clearinghouse
-# Author: David Hampton
-#
-#
-# NOTE: DCC has writeable files in /etc/dcc that should probably be in
-# /var/lib/dcc. For now this policy supports both directories being
-# writable.
-
-# Files common to all dcc programs
-type dcc_client_map_t, file_type, sysadmfile;
-type dcc_var_t, file_type, sysadmfile;
-type dcc_var_run_t, file_type, sysadmfile;
-
-
-##########
-##########
-
-#
-# common to all dcc variants
-#
-define(`dcc_common',`
-# Access files in /var/dcc. The map file can be updated
-r_dir_file($1_t, dcc_var_t)
-allow $1_t dcc_client_map_t:file rw_file_perms;
-
-# Read mtab, nsswitch and locale
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-
-#Networking
-can_resolve($1_t)
-ifelse($2, `server', `
-can_network_udp($1_t)
-', `
-can_network_udp($1_t, `dcc_port_t')
-')
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# Create private temp files
-tmp_domain($1)
-
-# Triggered by a call to gethostid(2) in dcc client libs
-allow $1_t self:unix_stream_socket { connect create };
-
-allow $1_t sysadm_su_t:process { sigchld };
-allow $1_t dcc_script_t:fd use;
-
-dontaudit $1_t kernel_t:fd use;
-dontaudit $1_t root_t:file read;
-')
-
-allow initrc_t dcc_var_run_t:dir rw_dir_perms;
-
-
-##########
-##########
-
-#
-# dccd - Server daemon that can be accessed over the net
-#
-daemon_domain(dccd, `, privlog, nscd_client_domain')
-dcc_common(dccd, server);
-
-# Runs the dbclean program
-allow dccd_t bin_t:dir search;
-domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
-
-# The daemon needs to listen on the dcc ports
-allow dccd_t dcc_port_t:udp_socket name_bind;
-
-# Updating dcc_db, flod, ...
-create_dir_file(dccd_t, dcc_var_t);
-
-allow dccd_t self:capability net_admin;
-allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-
-# Reading /proc/meminfo
-allow dccd_t proc_t:file { getattr read };
-
-
-#
-# cdcc - control dcc daemon
-#
-application_domain(cdcc, `, nscd_client_domain')
-role system_r types cdcc_t;
-dcc_common(cdcc)
-
-# suid program
-allow cdcc_t self:capability setuid;
-
-# Running from the command line
-allow cdcc_t sshd_t:fd use;
-allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;
-
-
- ##########
-##########
-
-#
-# DCC Clients
-#
-
-#
-# dccifd - Spamassassin and general MTA persistent client
-#
-daemon_domain(dccifd, `, privlog, nscd_client_domain')
-dcc_common(dccifd);
-file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)
-
-# Allow the domain to communicate with other processes
-allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
-
-# Updating dcc_db, flod, ...
-create_dir_notdevfile(dccifd_t, dcc_var_t);
-
-# Updating map, ...
-allow dccifd_t dcc_client_map_t:file rw_file_perms;
-
-# dccifd communications socket
-type dccifd_sock_t, file_type, sysadmfile;
-file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)
-
-# Reading /proc/meminfo
-allow dccifd_t proc_t:file { getattr read };
-
-
-#
-# dccm - sendmail milter client
-#
-daemon_domain(dccm, `, privlog, nscd_client_domain')
-dcc_common(dccm);
-file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)
-
-# Allow the domain to communicate with other processes
-allow dccm_t self:unix_stream_socket create_stream_socket_perms;
-
-# Updating map, ...
-create_dir_notdevfile(dccm_t, dcc_var_t);
-allow dccm_t dcc_client_map_t:file rw_file_perms;
-
-# dccm communications socket
-type dccm_sock_t, file_type, sysadmfile;
-file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)
-
-
-#
-# dccproc - dcc procmail interface
-#
-application_domain(dcc_client, `, privlog, nscd_client_domain')
-role system_r types dcc_client_t;
-dcc_common(dcc_client)
-
-# suid program
-allow dcc_client_t self:capability setuid;
-
-# Running from the command line
-allow dcc_client_t sshd_t:fd use;
-allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;
-
- ##########
-##########
-
-#
-# DCC Utilities
-#
-
-#
-# dbclean - database cleanup tool
-#
-application_domain(dcc_dbclean, `, nscd_client_domain')
-role system_r types dcc_dbclean_t;
-dcc_common(dcc_dbclean)
-
-# Updating various files.
-create_dir_file(dcc_dbclean_t, dcc_var_t);
-
-# wants to look at /proc/meminfo
-allow dcc_dbclean_t proc_t:dir search;
-allow dcc_dbclean_t proc_t:file { getattr read };
-
-# Running from the command line
-allow dcc_dbclean_t sshd_t:fd use;
-allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;
-
-##########
-##########
-
-#
-# DCC Startup scripts
-#
-# These are shell sccripts that start/stop/restart the various dcc
-# programs.
-#
-init_service_domain(dcc_script, `, nscd_client_domain')
-general_domain_access(dcc_script_t)
-general_proc_read_access(dcc_script_t)
-can_exec_any(dcc_script_t)
-dcc_common(dcc_script)
-
-# Allow calling the script from an init script (initrt_t) or from
-# rc.local (staff_t)
-domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)
-
-# Start up the daemon process. These scripts run 'su' to change to
-# the dcc user (even though the default dcc user is root).
-allow dcc_script_t self:capability setuid;
-su_restricted_domain(dcc_script, system)
-role system_r types dcc_script_su_t;
-domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
-domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
-domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)
-
-# Stop the daemon process
-allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };
-
-# Access various DCC files
-allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
-allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };
-
-allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
-allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
-allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
-allow dcc_script_t devtty_t:chr_file { read write };
-allow dcc_script_su_t sysadm_home_dir_t:dir search;
-allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };
-
-dontaudit dcc_script_su_t kernel_t:fd use;
-dontaudit dcc_script_su_t root_t:file read;
-dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };
-
-allow sysadm_t dcc_script_t:fd use;
-
-##########
-##########
-
-#
-# External spam checkers need to run and/or talk to DCC
-#
-define(`access_dcc',`
-domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
-allow $1_t dcc_var_t:dir search;
-allow $1_t dccifd_sock_t:sock_file { getattr write };
-allow $1_t dccifd_t:unix_stream_socket connectto;
-allow $1_t dcc_script_t:unix_stream_socket connectto;
-')
-
-ifdef(`amavis.te',`access_dcc(amavisd)')
-ifdef(`spamd.te',`access_dcc(spamd)')
diff --git a/strict/domains/program/unused/ddclient.te b/strict/domains/program/unused/ddclient.te
deleted file mode 100644
index 29255f31..00000000
--- a/strict/domains/program/unused/ddclient.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC ddclient - Update dynamic IP address at DynDNS.org
-#
-# Author: Greg Norris
-# X-Debian-Packages: ddclient
-#
-
-#################################
-#
-# Rules for the ddclient_t domain.
-#
-daemon_domain(ddclient);
-type ddclient_etc_t, file_type, sysadmfile;
-type ddclient_var_t, file_type, sysadmfile;
-log_domain(ddclient)
-var_lib_domain(ddclient)
-
-base_file_read_access(ddclient_t)
-can_exec(ddclient_t, { shell_exec_t bin_t })
-
-# ddclient can be launched by pppd
-ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)')
-
-# misc. requirements
-allow ddclient_t self:fifo_file rw_file_perms;
-allow ddclient_t self:socket create_socket_perms;
-allow ddclient_t etc_t:file { getattr read };
-allow ddclient_t etc_runtime_t:file r_file_perms;
-allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
-allow ddclient_t urandom_device_t:chr_file read;
-general_proc_read_access(ddclient_t)
-allow ddclient_t sysctl_net_t:dir search;
-
-# network-related goodies
-can_network_client(ddclient_t)
-allow ddclient_t port_type:tcp_socket name_connect;
-allow ddclient_t self:unix_dgram_socket create_socket_perms;
-allow ddclient_t self:unix_stream_socket create_socket_perms;
-
-# allow access to ddclient.conf and ddclient.cache
-allow ddclient_t ddclient_etc_t:file r_file_perms;
-file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
-dontaudit ddclient_t devpts_t:dir search;
-dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
-dontaudit httpd_t selinux_config_t:dir search;
diff --git a/strict/domains/program/unused/distcc.te b/strict/domains/program/unused/distcc.te
deleted file mode 100644
index 56034f93..00000000
--- a/strict/domains/program/unused/distcc.te
+++ /dev/null
@@ -1,34 +0,0 @@
-#DESC distcc - Distributed compiler daemon
-#
-# Author: Chris PeBenito
-#
-
-daemon_domain(distccd)
-can_network_server(distccd_t)
-can_ypbind(distccd_t)
-log_domain(distccd)
-tmp_domain(distccd)
-
-allow distccd_t distccd_port_t:tcp_socket name_bind;
-allow distccd_t self:capability { setgid setuid };
-
-# distccd can renice
-allow distccd_t self:process setsched;
-
-# compiler stuff
-allow distccd_t { bin_t sbin_t }:dir { search getattr };
-allow distccd_t { bin_t sbin_t }:lnk_file { getattr read };
-can_exec(distccd_t,bin_t)
-can_exec(distccd_t,lib_t)
-
-# comm stuff
-allow distccd_t net_conf_t:file r_file_perms;
-allow distccd_t self:{ unix_stream_socket unix_dgram_socket } { create connect read write };
-allow distccd_t self:fifo_file { read write getattr };
-
-# config access
-allow distccd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow distccd_t proc_t:file r_file_perms;
-
-allow distccd_t var_t:dir search;
-allow distccd_t admin_tty_type:chr_file { ioctl read write };
diff --git a/strict/domains/program/unused/djbdns.te b/strict/domains/program/unused/djbdns.te
deleted file mode 100644
index 3e113956..00000000
--- a/strict/domains/program/unused/djbdns.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# DESC selinux policy for djbdns
-# http://cr.yp.to/djbdns.html
-#
-# Author: petre rodan
-#
-# this policy depends on ucspi-tcp and daemontools policies
-#
-
-ifdef(`daemontools.te', `
-ifdef(`ucspi-tcp.te', `
-
-define(`djbdns_daemon_domain', `
-type djbdns_$1_conf_t, file_type, sysadmfile;
-daemon_domain(djbdns_$1)
-domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
-svc_ipc_domain(djbdns_$1_t)
-can_network(djbdns_$1_t)
-allow djbdns_$1_t port_type:tcp_socket name_connect;
-allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-allow djbdns_$1_t port_t:udp_socket name_bind;
-r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
-allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
-allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
-')
-
-define(`djbdns_tcpserver_domain', `
-type djbdns_$1_conf_t, file_type, sysadmfile;
-daemon_domain(djbdns_$1)
-domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
-svc_ipc_domain(djbdns_$1_t)
-allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
-allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
-')
-
-djbdns_daemon_domain(dnscache)
-# read seed file
-allow djbdns_dnscache_t svc_svc_t:file r_file_perms;
-
-djbdns_daemon_domain(tinydns)
-
-djbdns_tcpserver_domain(axfrdns)
-r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)
-
-') dnl ifdef ucspi-tcp.te
-') dnl ifdef daemontools.te
diff --git a/strict/domains/program/unused/dnsmasq.te b/strict/domains/program/unused/dnsmasq.te
deleted file mode 100644
index bdef592c..00000000
--- a/strict/domains/program/unused/dnsmasq.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#DESC dnsmasq - DNS forwarder and DHCP server
-#
-# Author: Greg Norris
-# X-Debian-Packages: dnsmasq
-#
-
-#################################
-#
-# Rules for the dnsmasq_t domain.
-#
-daemon_domain(dnsmasq);
-type dnsmasq_lease_t, file_type, sysadmfile;
-
-# misc. requirements
-allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
-allow dnsmasq_t urandom_device_t:chr_file read;
-
-# network-related goodies
-can_network_server(dnsmasq_t)
-can_ypbind(dnsmasq_t)
-allow dnsmasq_t self:packet_socket create_socket_perms;
-allow dnsmasq_t self:rawip_socket create_socket_perms;
-allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
-allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;
-
-# UDP ports 53 and 67
-allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
-allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;
-
-# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
-# Comment out the following entry if you do not want to allow this behaviour.
-allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;
-
-# allow access to dnsmasq.conf
-allow dnsmasq_t etc_t:file r_file_perms;
-
-# dhcp leases
-file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)
diff --git a/strict/domains/program/unused/dpkg.te b/strict/domains/program/unused/dpkg.te
deleted file mode 100644
index 4feb5085..00000000
--- a/strict/domains/program/unused/dpkg.te
+++ /dev/null
@@ -1,414 +0,0 @@
-#DESC Dpkg - Debian package manager
-#
-# Author: Russell Coker
-# X-Debian-Packages: dpkg
-#
-
-#################################
-#
-# Rules for the dpkg_t domain.
-#
-type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
-type dpkg_exec_t, file_type, sysadmfile, exec_type;
-type dpkg_var_lib_t, file_type, sysadmfile;
-type dpkg_etc_t, file_type, sysadmfile, usercanread;
-type dpkg_lock_t, file_type, sysadmfile;
-type debconf_cache_t, file_type, sysadmfile;
-
-tmp_domain(dpkg)
-can_setfscreate(dpkg_t)
-can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
-
-ifdef(`load_policy.te', `
-domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
-')
-ifdef(`rlogind.te', `
-# for ssh
-can_exec(dpkg_t, rlogind_exec_t)
-')
-can_exec(dpkg_t, { init_exec_t etc_t })
-ifdef(`hostname.te', `
-can_exec(dpkg_t, hostname_exec_t)
-')
-ifdef(`mta.te', `
-allow system_mail_t dpkg_tmp_t:file { getattr read };
-')
-ifdef(`logrotate.te', `
-allow logrotate_t dpkg_var_lib_t:file create_file_perms;
-')
-
-# for open office
-can_exec(dpkg_t, usr_t)
-
-allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;
-
-# for upgrading policycoreutils and loading policy
-allow dpkg_t security_t:dir { getattr search };
-allow dpkg_t security_t:file { getattr read };
-
-ifdef(`setfiles.te',
-`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
-ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
-ifdef(`modutil.te', `
-domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
-domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
-
-# for touch
-allow initrc_t modules_dep_t:file write;
-')
-ifdef(`ipsec.te', `
-allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
-allow ipsec_mgmt_t dpkg_t:fifo_file write;
-allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
-allow ipsec_t dpkg_t:fifo_file { read write };
-domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
-')
-ifdef(`cardmgr.te', `
-allow cardmgr_t dpkg_t:fd use;
-allow cardmgr_t dpkg_t:fifo_file write;
-domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
-# for start-stop-daemon
-allow dpkg_t cardmgr_t:process signull;
-')
-ifdef(`mount.te', `
-domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
-')
-ifdef(`mozilla.te', `
-# hate to do this, for mozilla install scripts
-can_exec(dpkg_t, mozilla_exec_t)
-')
-ifdef(`postfix.te', `
-domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
-')
-ifdef(`apache.te', `
-domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
-')
-ifdef(`named.te', `
-file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
-')
-ifdef(`nsd.te', `
-allow nsd_crond_t initrc_t:fd use;
-allow nsd_crond_t initrc_devpts_t:chr_file { read write };
-domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
-')
-# because the syslogd package is broken and does not use the start scripts
-ifdef(`klogd.te', `
-domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
-')
-ifdef(`syslogd.te', `
-domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
-allow system_crond_t syslogd_t:dir search;
-allow system_crond_t syslogd_t:file { getattr read };
-allow system_crond_t syslogd_t:process signal;
-')
-# mysqld is broken too
-ifdef(`mysqld.te', `
-domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
-can_unix_connect(dpkg_t, mysqld_t)
-allow mysqld_t dpkg_tmp_t:file { getattr read };
-')
-ifdef(`postgresql.te', `
-# because postgresql postinst creates scripts in /tmp and then runs them
-# also the init scripts do more than they should
-allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
-# for "touch" when it tries to create the log file
-# this works for upgrades, maybe we should allow create access for first install
-allow initrc_t postgresql_log_t:file { write setattr };
-# for dumpall
-can_exec(postgresql_t, postgresql_db_t)
-')
-ifdef(`sysstat.te', `
-domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
-')
-ifdef(`rpcd.te', `
-allow rpcd_t dpkg_t:fd use;
-allow rpcd_t dpkg_t:fifo_file { read write };
-')
-ifdef(`load_policy.te', `
-allow load_policy_t initrc_t:fifo_file { read write };
-')
-ifdef(`checkpolicy.te', `
-domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
-role system_r types checkpolicy_t;
-allow checkpolicy_t initrc_t:fd use;
-allow checkpolicy_t initrc_t:fifo_file write;
-allow checkpolicy_t initrc_devpts_t:chr_file { read write };
-')
-ifdef(`amavis.te', `
-r_dir_file(initrc_t, dpkg_var_lib_t)
-')
-ifdef(`nessusd.te', `
-domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
-')
-ifdef(`crack.te', `
-allow crack_t initrc_t:fd use;
-domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
-')
-ifdef(`xdm.te', `
-domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
-')
-ifdef(`clamav.te', `
-domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
-')
-ifdef(`squid.te', `
-domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
-')
-ifdef(`useradd.te', `
-domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
-domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-')
-ifdef(`passwd.te', `
-domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
-')
-ifdef(`ldconfig.te', `
-domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
-')
-ifdef(`portmap.te', `
-# for pmap_dump
-domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
-')
-
-# for apt
-type apt_t, domain, admin, privmail, web_client_domain;
-type apt_exec_t, file_type, sysadmfile, exec_type;
-type apt_var_lib_t, file_type, sysadmfile;
-type var_cache_apt_t, file_type, sysadmfile;
-etcdir_domain(apt)
-type apt_rw_etc_t, file_type, sysadmfile;
-tmp_domain(apt, `', `{ dir file lnk_file }')
-can_exec(apt_t, apt_tmp_t)
-ifdef(`crond.te', `
-allow system_crond_t apt_etc_t:file { getattr read };
-')
-
-rw_dir_create_file(apt_t, apt_rw_etc_t)
-
-allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };
-
-dontaudit apt_t var_log_t:dir getattr;
-dontaudit apt_t var_run_t:dir search;
-
-# for rc files such as ~/.less
-r_dir_file(apt_t, sysadm_home_t)
-allow apt_t sysadm_home_dir_t:dir { search getattr };
-
-allow apt_t bin_t:lnk_file r_file_perms;
-
-rw_dir_create_file(apt_t, debconf_cache_t)
-r_dir_file(userdomain, debconf_cache_t)
-
-# for python
-read_sysctl(apt_t)
-read_sysctl(dpkg_t)
-
-allow dpkg_t console_device_t:chr_file rw_file_perms;
-
-allow apt_t self:unix_stream_socket create_socket_perms;
-
-allow dpkg_t domain:dir r_dir_perms;
-allow dpkg_t domain:{ file lnk_file } r_file_perms;
-
-# for shared objects that are not yet labelled (upgrades)
-allow { apt_t dpkg_t } lib_t:file execute;
-
-# when dpkg runs postinst scripts run them in initrc_t domain so that the
-# daemons are started in the correct context
-domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)
-
-ifdef(`bootloader.te', `
-domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
-# for mkinitrd
-can_exec(bootloader_t, dpkg_exec_t)
-# for lilo to run dpkg
-allow bootloader_t dpkg_etc_t:file { getattr read };
-')
-
-# for kernel-image postinst
-dontaudit dpkg_t fixed_disk_device_t:blk_file read;
-
-# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
-dontaudit dpkg_t shadow_t:file { getattr read };
-
-# allow user domains to execute dpkg
-allow userdomain dpkg_exec_t:dir r_dir_perms;
-can_exec(userdomain, { dpkg_exec_t apt_exec_t })
-
-# allow everyone to read dpkg database
-allow userdomain var_lib_t:dir search;
-r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })
-
-# for /var/lib/dpkg/lock
-rw_dir_create_file(apt_t, dpkg_var_lib_t)
-
-ifdef(`crond.te', `
-rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
-allow system_crond_t dpkg_etc_t:file r_file_perms;
-
-# for Debian cron job
-create_dir_file(system_crond_t, tetex_data_t)
-can_exec(dpkg_t, tetex_data_t)
-')
-
-r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
-allow install_menu_t initrc_t:fifo_file { read write };
-allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms;
-can_exec(sysadm_t, dpkg_etc_t)
-
-# Inherit and use descriptors from open_init_pty
-allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
-dontaudit dpkg_t privfd:fd use;
-allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
-allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
-
-allow ifconfig_t dpkg_t:fd use;
-allow ifconfig_t dpkg_t:fifo_file { read write };
-
-uses_shlib({ dpkg_t apt_t })
-allow dpkg_t proc_t:dir r_dir_perms;
-allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
-allow dpkg_t fs_t:filesystem getattr;
-
-allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };
-
-# for fgconsole - need policy for it
-allow dpkg_t self:capability sys_tty_config;
-
-allow dpkg_t self:unix_dgram_socket create_socket_perms;
-allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dpkg_t, self)
-allow dpkg_t self:unix_dgram_socket sendto;
-allow dpkg_t self:unix_stream_socket connect;
-
-allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
-allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;
-
-# dpkg really needs to be able to kill any process, unfortunate but true
-allow dpkg_t domain:process signal;
-allow dpkg_t sysadm_t:process sigchld;
-allow dpkg_t self:process { setpgid signal_perms fork getsched };
-
-# read/write/create any files in the system
-allow dpkg_t sysadmfile:dir create_dir_perms;
-allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
-allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
-allow dpkg_t device_type:{ chr_file blk_file } getattr;
-dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow dpkg_t proc_kmsg_t:file getattr;
-allow dpkg_t fs_type:dir getattr;
-
-# allow compiling and loading new policy
-create_dir_file(dpkg_t, { policy_src_t policy_config_t })
-
-# change to the apt_t domain on exec from dpkg_t (dselect)
-domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
-
-# allow apt to change /var/lib/apt files
-allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
-allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;
-
-# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
-rw_dir_create_file(apt_t, lib_t)
-
-# for apt-listbugs
-allow apt_t usr_t:file { getattr read ioctl };
-allow apt_t usr_t:lnk_file read;
-
-# allow /var/cache/apt/archives to be owned by non-root
-allow apt_t self:capability { chown dac_override fowner fsetid };
-
-can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
-allow apt_t { bin_t sbin_t }:dir search;
-allow apt_t self:process { signal sigchld fork };
-allow apt_t sysadm_t:process sigchld;
-can_network({ apt_t dpkg_t })
-allow { apt_t dpkg_t } port_type:tcp_socket name_connect;
-can_ypbind({ apt_t dpkg_t })
-
-allow { apt_t dpkg_t } var_t:dir { search getattr };
-dontaudit apt_t { fs_type file_type }:dir getattr;
-allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;
-
-allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };
-
-# for /proc/meminfo and for "ps"
-allow apt_t { proc_t apt_t }:dir r_dir_perms;
-allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
-allow apt_t self:fifo_file rw_file_perms;
-allow dpkg_t self:fifo_file rw_file_perms;
-
-allow apt_t etc_t:dir r_dir_perms;
-allow apt_t etc_t:file r_file_perms;
-allow apt_t etc_t:lnk_file read;
-read_locale(apt_t)
-r_dir_file(userdomain, apt_etc_t)
-
-# apt wants to check available disk space
-allow apt_t fs_t:filesystem getattr;
-allow apt_t etc_runtime_t:file r_file_perms;
-
-# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
-# have apt run dpkg.
-# This means that getting apt_t access is almost as good as dpkg_t which has
-# as much power as sysadm_t...
-domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)
-
-# hack to allow update-menus/install-menu to manage menus
-type install_menu_t, domain, admin, etc_writer;
-type install_menu_exec_t, file_type, sysadmfile, exec_type;
-var_run_domain(install_menu)
-
-allow install_menu_t self:unix_stream_socket create_socket_perms;
-
-type debian_menu_t, file_type, sysadmfile;
-
-r_dir_file(userdomain, debian_menu_t)
-dontaudit install_menu_t sysadm_home_dir_t:dir search;
-create_dir_file(install_menu_t, debian_menu_t)
-allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
-allow install_menu_t self:process signal;
-allow install_menu_t proc_t:dir search;
-allow install_menu_t proc_t:file r_file_perms;
-can_getcon(install_menu_t)
-can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
-allow install_menu_t { bin_t sbin_t }:dir search;
-allow install_menu_t bin_t:lnk_file read;
-
-# for menus
-allow install_menu_t usr_t:file r_file_perms;
-
-# for /etc/kde3/debian/kde-update-menu.sh
-can_exec(install_menu_t, etc_t)
-
-allow install_menu_t var_t:dir search;
-tmp_domain(install_menu)
-
-create_dir_file(install_menu_t, var_lib_t)
-ifdef(`xdm.te', `
-create_dir_file(install_menu_t, xdm_var_lib_t)
-')
-allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
-allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
-allow install_menu_t self:fifo_file rw_file_perms;
-allow install_menu_t etc_runtime_t:file r_file_perms;
-allow install_menu_t devtty_t:chr_file rw_file_perms;
-allow install_menu_t fs_t:filesystem getattr;
-
-domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
-allow dpkg_t install_menu_t:process signal_perms;
-
-allow install_menu_t privfd:fd use;
-uses_shlib(install_menu_t)
-
-allow install_menu_t self:process { fork sigchld };
-
-role system_r types { dpkg_t apt_t install_menu_t };
-
-#################################
-#
-# Rules for the run_deb_t domain.
-#
-#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
-#domain_trans(run_deb_t, apt_exec_t, apt_t)
-domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
-domain_auto_trans(initrc_t, apt_exec_t, apt_t)
diff --git a/strict/domains/program/unused/gatekeeper.te b/strict/domains/program/unused/gatekeeper.te
deleted file mode 100644
index a1b464ef..00000000
--- a/strict/domains/program/unused/gatekeeper.te
+++ /dev/null
@@ -1,51 +0,0 @@
-#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper
-#
-# Author: Russell Coker
-# X-Debian-Packages: opengate openh323gk
-#
-
-#################################
-#
-# Rules for the gatekeeper_t domain.
-#
-# gatekeeper_exec_t is the type of the gk executable.
-#
-daemon_domain(gatekeeper)
-
-# for SSP
-allow gatekeeper_t urandom_device_t:chr_file read;
-
-etc_domain(gatekeeper)
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
-logdir_domain(gatekeeper)
-
-# Use the network.
-can_network_server(gatekeeper_t)
-can_ypbind(gatekeeper_t)
-allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
-allow gatekeeper_t self:unix_stream_socket create_socket_perms;
-
-# for stupid symlinks
-tmp_domain(gatekeeper)
-
-# pthreads wants to know the kernel version
-read_sysctl(gatekeeper_t)
-
-allow gatekeeper_t etc_t:file { getattr read };
-
-allow gatekeeper_t etc_t:dir r_dir_perms;
-allow gatekeeper_t sbin_t:dir r_dir_perms;
-
-allow gatekeeper_t self:process setsched;
-allow gatekeeper_t self:fifo_file rw_file_perms;
-
-allow gatekeeper_t proc_t:file read;
-
-# for local users to run VOIP software
-can_udp_send(userdomain, gatekeeper_t)
-can_udp_send(gatekeeper_t, userdomain)
-can_tcp_connect(gatekeeper_t, userdomain)
-
-# this is crap, gk wants to create symlinks in /etc every time it starts and
-# remove them when it exits.
-#allow gatekeeper_t etc_t:dir rw_dir_perms;
diff --git a/strict/domains/program/unused/gift.te b/strict/domains/program/unused/gift.te
deleted file mode 100644
index 9e9786e4..00000000
--- a/strict/domains/program/unused/gift.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - giFT file sharing tool
-#
-# Author: Ivan Gyurdiev
-#
-
-type gift_exec_t, file_type, exec_type, sysadmfile;
-type giftd_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/program/gift_macros.te
diff --git a/strict/domains/program/unused/imazesrv.te b/strict/domains/program/unused/imazesrv.te
deleted file mode 100644
index 27bae3f1..00000000
--- a/strict/domains/program/unused/imazesrv.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Imazesrv - Imaze Server
-#
-# Author: Torsten Knodt
-# based on games.te by Russell Coker
-#
-
-# type for shared data from imazesrv
-type imazesrv_data_t, file_type, sysadmfile;
-type imazesrv_data_labs_t, file_type, sysadmfile;
-
-# domain imazesrv_t is for system operation of imazesrv
-# also defines imazesrv_exec_t
-daemon_domain(imazesrv)
-log_domain(imazesrv);
-
-r_dir_file(imazesrv_t, imazesrv_data_t)
-
-allow imazesrv_t imaze_port_t:tcp_socket name_bind;
-allow imazesrv_t imaze_port_t:udp_socket name_bind;
-
-create_append_log_file(imazesrv_t,imazesrv_log_t)
-
-can_network_server(imazesrv_t)
-
-allow imazesrv_t self:capability net_bind_service;
-
-r_dir_file(imazesrv_t, etc_t)
-
-general_domain_access(imazesrv_t)
diff --git a/strict/domains/program/unused/ircd.te b/strict/domains/program/unused/ircd.te
deleted file mode 100644
index c85390e1..00000000
--- a/strict/domains/program/unused/ircd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Ircd - IRC server
-#
-# Author: Russell Coker
-# X-Debian-Packages: ircd dancer-ircd ircd-hybrid ircd-irc2 ircd-ircu
-#
-
-#################################
-#
-# Rules for the ircd_t domain.
-#
-# ircd_exec_t is the type of the slapd executable.
-#
-daemon_domain(ircd)
-
-allow ircd_t ircd_port_t:tcp_socket name_bind;
-
-etcdir_domain(ircd)
-
-logdir_domain(ircd)
-
-var_lib_domain(ircd)
-
-# Use the network.
-can_network_server(ircd_t)
-can_ypbind(ircd_t)
-#allow ircd_t self:fifo_file { read write };
-allow ircd_t self:unix_stream_socket create_socket_perms;
-allow ircd_t self:unix_dgram_socket create_socket_perms;
-
-allow ircd_t devtty_t:chr_file rw_file_perms;
-
-allow ircd_t sbin_t:dir search;
-
-allow ircd_t proc_t:file { getattr read };
-
-# read config files
-allow ircd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ircd_t etc_t:lnk_file read;
-
-ifdef(`logrotate.te', `
-allow logrotate_t ircd_var_run_t:dir search;
-allow logrotate_t ircd_var_run_t:file { getattr read };
-')
diff --git a/strict/domains/program/unused/jabberd.te b/strict/domains/program/unused/jabberd.te
deleted file mode 100644
index aed3b81b..00000000
--- a/strict/domains/program/unused/jabberd.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC jabberd - Jabber daemon
-#
-# Author: Colin Walters
-# X-Debian-Packages: jabber
-
-daemon_domain(jabberd)
-logdir_domain(jabberd)
-var_lib_domain(jabberd)
-
-allow jabberd_t jabber_client_port_t:tcp_socket name_bind;
-allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind;
-
-allow jabberd_t etc_t:lnk_file read;
-allow jabberd_t { etc_t etc_runtime_t }:file { read getattr };
-
-# For SSL
-allow jabberd_t random_device_t:file r_file_perms;
-
-can_network_server(jabberd_t)
-can_ypbind(jabberd_t)
-
-allow jabberd_t self:unix_dgram_socket create_socket_perms;
-allow jabberd_t self:unix_stream_socket create_socket_perms;
-allow jabberd_t self:fifo_file { read write getattr };
-
-allow jabberd_t self:capability dac_override;
-
-# allow any user domain to connect to jabber
-can_tcp_connect(userdomain, jabberd_t)
diff --git a/strict/domains/program/unused/lcd.te b/strict/domains/program/unused/lcd.te
deleted file mode 100644
index 2e2eddf5..00000000
--- a/strict/domains/program/unused/lcd.te
+++ /dev/null
@@ -1,35 +0,0 @@
-#DESC lcd - program for Cobalt LCD device
-#
-# Author: Russell Coker
-#
-
-#################################
-#
-# Rules for the lcd_t domain.
-#
-# lcd_t is the domain for the lcd program.
-# lcd_exec_t is the type of the corresponding program.
-#
-type lcd_t, domain, privlog;
-role sysadm_r types lcd_t;
-role system_r types lcd_t;
-uses_shlib(lcd_t)
-type lcd_exec_t, file_type, sysadmfile, exec_type;
-type lcd_device_t, file_type;
-
-# Transition into this domain when you run this program.
-domain_auto_trans(initrc_t, lcd_exec_t, lcd_t)
-domain_auto_trans(sysadm_t, lcd_exec_t, lcd_t)
-
-allow lcd_t lcd_device_t:chr_file rw_file_perms;
-
-# for /etc/locks/.lcd_lock
-lock_domain(lcd)
-allow lcd_t etc_t:lnk_file read;
-allow lcd_t var_t:dir search;
-
-# Access the terminal.
-allow lcd_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow lcd_t sysadm_gph_t:fd use;')
-allow lcd_t privfd:fd use;
-
diff --git a/strict/domains/program/unused/lrrd.te b/strict/domains/program/unused/lrrd.te
deleted file mode 100644
index b1916f1c..00000000
--- a/strict/domains/program/unused/lrrd.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#DESC LRRD - network-wide load graphing
-#
-# Author: Erich Schubert
-# X-Debian-Packages: lrrd-client, lrrd-server
-#
-
-#################################
-#
-# Rules for the lrrd_t domain.
-#
-# lrrd_exec_t is the type of the lrrd executable.
-#
-daemon_domain(lrrd)
-
-allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
-
-etcdir_domain(lrrd)
-type lrrd_var_lib_t, file_type, sysadmfile;
-
-log_domain(lrrd)
-tmp_domain(lrrd)
-
-# has cron jobs
-system_crond_entry(lrrd_exec_t, lrrd_t)
-allow crond_t lrrd_var_lib_t:dir search;
-
-# init script
-allow initrc_t lrrd_log_t:file { write append setattr ioctl };
-
-# allow to drop privileges and renice
-allow lrrd_t self:capability { setgid setuid };
-allow lrrd_t self:process { getsched setsched };
-
-allow lrrd_t urandom_device_t:chr_file { getattr read };
-allow lrrd_t proc_t:file { getattr read };
-allow lrrd_t usr_t:file { read ioctl };
-
-can_exec(lrrd_t, bin_t)
-allow lrrd_t bin_t:dir search;
-allow lrrd_t usr_t:lnk_file read;
-
-# Allow access to the lrrd databases
-create_dir_file(lrrd_t, lrrd_var_lib_t)
-allow lrrd_t var_lib_t:dir search;
-
-# read config files
-r_dir_file(initrc_t, lrrd_etc_t)
-allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-# for accessing the output directory
-ifdef(`apache.te', `
-allow lrrd_t httpd_sys_content_t:dir search;
-')
-
-allow lrrd_t etc_t:dir search;
-
-can_unix_connect(sysadm_t, lrrd_t)
-can_unix_connect(lrrd_t, lrrd_t)
-can_unix_send(lrrd_t, lrrd_t)
-can_network_server(lrrd_t)
-can_ypbind(lrrd_t)
-
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, lrrd_etc_t)
-allow logrotate_t lrrd_var_lib_t:dir search;
-allow logrotate_t lrrd_var_run_t:dir search;
-allow logrotate_t lrrd_var_run_t:sock_file write;
-can_unix_connect(logrotate_t, lrrd_t)
-')
diff --git a/strict/domains/program/unused/monopd.te b/strict/domains/program/unused/monopd.te
deleted file mode 100644
index 3512592f..00000000
--- a/strict/domains/program/unused/monopd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC MonopD - Monopoly Daemon
-#
-# Author: Torsten Knodt
-# based on the dhcpd_t policy from:
-# Russell Coker
-#
-
-#################################
-#
-# Rules for the monopd_t domain.
-#
-daemon_domain(monopd)
-etc_domain(monopd)
-typealias monopd_etc_t alias etc_monopd_t;
-
-type monopd_share_t, file_type, sysadmfile;
-typealias monopd_share_t alias share_monopd_t;
-
-# Use the network.
-can_network_server(monopd_t)
-can_ypbind(monopd_t)
-
-allow monopd_t monopd_port_t:tcp_socket name_bind;
-
-r_dir_file(monopd_t,share_monopd_t)
-
-allow monopd_t self:unix_dgram_socket create_socket_perms;
-allow monopd_t self:unix_stream_socket create_socket_perms;
-
-r_dir_file(monopd_t, etc_t)
diff --git a/strict/domains/program/unused/nagios.te b/strict/domains/program/unused/nagios.te
deleted file mode 100644
index 9d540c88..00000000
--- a/strict/domains/program/unused/nagios.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Net Saint / NAGIOS - network monitoring server
-#
-# Author: Russell Coker
-# X-Debian-Packages: netsaint, nagios
-# Depends: mta.te
-#
-
-#################################
-#
-# Rules for the nagios_t domain.
-#
-# nagios_exec_t is the type of the netsaint/nagios executable.
-#
-daemon_domain(nagios, `, privmail')
-
-etcdir_domain(nagios)
-
-logdir_domain(nagios)
-allow nagios_t nagios_log_t:fifo_file create_file_perms;
-allow initrc_t nagios_log_t:dir rw_dir_perms;
-
-tmp_domain(nagios)
-allow system_mail_t nagios_tmp_t:file { getattr read };
-# for open file handles
-dontaudit system_mail_t nagios_etc_t:file read;
-dontaudit system_mail_t nagios_log_t:fifo_file read;
-
-# Use the network.
-allow nagios_t self:fifo_file rw_file_perms;
-allow nagios_t self:unix_stream_socket create_socket_perms;
-allow nagios_t self:unix_dgram_socket create_socket_perms;
-
-# Use capabilities
-allow nagios_t self:capability { dac_override setgid setuid };
-allow nagios_t self:process setpgid;
-
-allow nagios_t { bin_t sbin_t }:dir search;
-allow nagios_t bin_t:lnk_file read;
-can_exec(nagios_t, { shell_exec_t bin_t })
-
-allow nagios_t proc_t:file { getattr read };
-
-can_network_server(nagios_t)
-can_ypbind(nagios_t)
-
-# read config files
-allow nagios_t { etc_t etc_runtime_t }:file { getattr read };
-allow nagios_t etc_t:lnk_file read;
-
-allow nagios_t etc_t:dir r_dir_perms;
-
-# for ps
-r_dir_file(nagios_t, domain)
-allow nagios_t boot_t:dir search;
-allow nagios_t system_map_t:file { getattr read };
-
-# for who
-allow nagios_t initrc_var_run_t:file { getattr read lock };
-
-system_domain(nagios_cgi)
-allow nagios_cgi_t device_t:dir search;
-r_dir_file(nagios_cgi_t, nagios_etc_t)
-allow nagios_cgi_t var_log_t:dir search;
-r_dir_file(nagios_cgi_t, nagios_log_t)
-allow nagios_cgi_t self:process { fork signal_perms };
-allow nagios_cgi_t self:fifo_file rw_file_perms;
-allow nagios_cgi_t bin_t:dir search;
-can_exec(nagios_cgi_t, bin_t)
-read_locale(nagios_cgi_t)
-
-# for ps
-allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read };
-r_dir_file(nagios_cgi_t, { proc_t self nagios_t })
-allow nagios_cgi_t boot_t:dir search;
-allow nagios_cgi_t system_map_t:file { getattr read };
-dontaudit nagios_cgi_t domain:dir getattr;
-allow nagios_cgi_t self:unix_stream_socket create_socket_perms;
-
-ifdef(`apache.te', `
-r_dir_file(httpd_t, nagios_etc_t)
-domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t)
-allow nagios_cgi_t httpd_log_t:file append;
-')
-
-ifdef(`ping.te', `
-domain_auto_trans(nagios_t, ping_exec_t, ping_t)
-allow nagios_t ping_t:process { sigkill signal };
-dontaudit ping_t nagios_etc_t:file read;
-dontaudit ping_t nagios_log_t:fifo_file read;
-')
diff --git a/strict/domains/program/unused/nessusd.te b/strict/domains/program/unused/nessusd.te
deleted file mode 100644
index 65d89e1f..00000000
--- a/strict/domains/program/unused/nessusd.te
+++ /dev/null
@@ -1,54 +0,0 @@
-#DESC Nessus network scanning daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: nessus
-#
-
-#################################
-#
-# Rules for the nessusd_t domain.
-#
-# nessusd_exec_t is the type of the nessusd executable.
-#
-daemon_domain(nessusd)
-
-etc_domain(nessusd)
-type nessusd_db_t, file_type, sysadmfile;
-
-allow nessusd_t nessus_port_t:tcp_socket name_bind;
-
-#tmp_domain(nessusd)
-
-# Use the network.
-can_network(nessusd_t)
-allow nessusd_t port_type:tcp_socket name_connect;
-can_ypbind(nessusd_t)
-allow nessusd_t self:unix_stream_socket create_socket_perms;
-#allow nessusd_t self:unix_dgram_socket create_socket_perms;
-
-# why ioctl on /dev/urandom?
-allow nessusd_t random_device_t:chr_file { getattr read ioctl };
-allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms;
-allow nessusd_t self:capability net_raw;
-
-# for nmap etc
-allow nessusd_t { bin_t sbin_t }:dir search;
-allow nessusd_t bin_t:lnk_file read;
-can_exec(nessusd_t, bin_t)
-allow nessusd_t self:fifo_file { getattr read write };
-
-# allow user domains to connect to nessusd
-can_tcp_connect(userdomain, nessusd_t)
-
-allow nessusd_t self:process setsched;
-
-allow nessusd_t proc_t:file { getattr read };
-
-# Allow access to the nessusd authentication database
-create_dir_file(nessusd_t, nessusd_db_t)
-allow nessusd_t var_lib_t:dir r_dir_perms;
-
-# read config files
-allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-logdir_domain(nessusd)
diff --git a/strict/domains/program/unused/nrpe.te b/strict/domains/program/unused/nrpe.te
deleted file mode 100644
index 87d1a02c..00000000
--- a/strict/domains/program/unused/nrpe.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# DESC nrpe - Nagios Remote Plugin Execution
-#
-# Author: Thomas Bleher
-#
-# Depends: tcpd.te
-# X-Debian-Packages: nagios-nrpe-server
-#
-# This policy assumes that nrpe is called from inetd
-
-daemon_base_domain(nrpe)
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
-')
-domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
-
-allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
-
-allow nrpe_t self:fifo_file rw_file_perms;
-allow nrpe_t self:unix_dgram_socket create_socket_perms;
-# use sockets inherited from inetd
-allow nrpe_t inetd_t:tcp_socket { ioctl read write };
-allow nrpe_t devtty_t:chr_file { read write };
-
-allow nrpe_t self:process setpgid;
-
-etc_domain(nrpe)
-read_locale(nrpe_t)
-
-# permissions for the scripts executed by nrpe
-#
-# call shell programs
-can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
-allow nrpe_t { bin_t sbin_t }:dir search;
-# for /bin/sh
-allow nrpe_t bin_t:lnk_file read;
-
-# read /proc/meminfo, /proc/self/mounts and /etc/mtab
-allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
-
-# you will have to add more permissions here, depending on the scripts you call!
diff --git a/strict/domains/program/unused/nsd.te b/strict/domains/program/unused/nsd.te
deleted file mode 100644
index 2aa35c5a..00000000
--- a/strict/domains/program/unused/nsd.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#DESC Authoritative only name server
-#
-# Author: Russell Coker
-# X-Debian-Packages: nsd
-#
-#
-
-#################################
-#
-# Rules for the nsd_t domain.
-#
-
-daemon_domain(nsd)
-
-# a type for nsd.db
-type nsd_db_t, file_type, sysadmfile;
-
-# for zone update cron job
-type nsd_crond_t, domain, privlog;
-role system_r types nsd_crond_t;
-uses_shlib(nsd_crond_t)
-can_network_client(nsd_crond_t)
-allow nsd_crond_t port_type:tcp_socket name_connect;
-can_ypbind(nsd_crond_t)
-allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
-allow nsd_crond_t self:process { fork signal_perms };
-system_crond_entry(nsd_exec_t, nsd_crond_t)
-allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
-allow nsd_crond_t proc_t:lnk_file { getattr read };
-allow nsd_crond_t { bin_t sbin_t }:dir search;
-can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
-allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
-allow nsd_crond_t bin_t:lnk_file read;
-read_locale(nsd_crond_t)
-allow nsd_crond_t self:fifo_file rw_file_perms;
-# kill capability for root cron job and non-root daemon
-allow nsd_crond_t self:capability { dac_override kill };
-allow nsd_crond_t nsd_t:process signal;
-dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
-dontaudit nsd_crond_t self:capability sys_nice;
-dontaudit nsd_crond_t domain:dir search;
-allow nsd_crond_t self:process setsched;
-can_ps(nsd_crond_t, nsd_t)
-
-file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
-allow nsd_crond_t var_lib_t:dir search;
-
-allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
-allow nsd_crond_t proc_t:dir r_dir_perms;
-allow nsd_crond_t device_t:dir search;
-allow nsd_crond_t devtty_t:chr_file rw_file_perms;
-allow nsd_crond_t etc_t:file { getattr read };
-allow nsd_crond_t etc_t:lnk_file read;
-allow nsd_crond_t { var_t var_run_t }:dir search;
-allow nsd_crond_t nsd_var_run_t:file { getattr read };
-
-# for SSP
-allow nsd_crond_t urandom_device_t:chr_file read;
-
-# A type for configuration files of nsd
-type nsd_conf_t, file_type, sysadmfile;
-# A type for zone files
-type nsd_zone_t, file_type, sysadmfile;
-
-r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })
-# zone files may be in /var/lib/nsd
-allow nsd_t var_lib_t:dir search;
-r_dir_file(initrc_t, nsd_conf_t)
-allow nsd_t etc_runtime_t:file { getattr read };
-allow nsd_t proc_t:file { getattr read };
-allow nsd_t { sbin_t bin_t }:dir search;
-can_exec(nsd_t, { nsd_exec_t bin_t })
-
-# Use capabilities. chown is for chowning /var/run/nsd.pid
-allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
-
-allow nsd_t etc_t:{ file lnk_file } { getattr read };
-
-# nsd can use network
-can_network_server(nsd_t)
-can_ypbind(nsd_t)
-# allow client access from caching BIND
-ifdef(`named.te', `
-can_udp_send(named_t, nsd_t)
-can_udp_send(nsd_t, named_t)
-can_tcp_connect(named_t, nsd_t)
-')
-
-# if you want to allow all programs to contact the primary name server
-#can_udp_send(domain, nsd_t)
-#can_udp_send(nsd_t, domain)
-#can_tcp_connect(domain, nsd_t)
-
-# Bind to the named port.
-allow nsd_t dns_port_t:udp_socket name_bind;
-allow nsd_t dns_port_t:tcp_socket name_bind;
-
-allow nsd_t self:unix_stream_socket create_stream_socket_perms;
-allow nsd_t self:unix_dgram_socket create_socket_perms;
-
diff --git a/strict/domains/program/unused/nx_server.te b/strict/domains/program/unused/nx_server.te
deleted file mode 100644
index a6e723ac..00000000
--- a/strict/domains/program/unused/nx_server.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# DESC NX - NX Server
-#
-# Author: Thomas Bleher
-#
-# Depends: sshd.te
-#
-
-# Type for the nxserver executable, called from ssh
-type nx_server_exec_t, file_type, sysadmfile, exec_type;
-
-# type of the nxserver; userdomain is needed so sshd can transition
-type nx_server_t, domain, userdomain;
-
-# we need an extra role because nxserver is called from sshd
-role nx_server_r types nx_server_t;
-allow system_r nx_server_r;
-domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
-
-# not really sure if the additional attributes are needed, copied from userdomains
-can_create_pty(nx_server, `, userpty_type, user_tty_type')
-type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
-
-uses_shlib(nx_server_t)
-read_locale(nx_server_t)
-
-tmp_domain(nx_server)
-var_run_domain(nx_server)
-
-# nxserver is a shell script --> call other programs
-can_exec(nx_server_t, { bin_t shell_exec_t })
-allow nx_server_t self:process { fork sigchld };
-allow nx_server_t self:fifo_file { getattr ioctl read write };
-allow nx_server_t bin_t:dir { getattr read search };
-allow nx_server_t bin_t:lnk_file read;
-
-r_dir_file(nx_server_t, proc_t)
-allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
-
-# we do not actually need this attribute or the types defined here,
-# but otherwise we cannot call the ssh_domain-macro
-attribute nx_server_file_type;
-type nx_server_home_dir_t alias nx_server_home_t;
-type nx_server_xauth_home_t;
-type nx_server_tty_device_t;
-type nx_server_gph_t;
-type nx_server_fonts_cache_t;
-type nx_server_fonts_t;
-type nx_server_fonts_config_t;
-type nx_server_gnome_settings_t;
-
-ssh_domain(nx_server)
-
-can_network_client(nx_server_t)
-allow nx_server_t port_type:tcp_socket name_connect;
-
-allow nx_server_t devtty_t:chr_file { read write };
-allow nx_server_t sysctl_kernel_t:dir search;
-allow nx_server_t sysctl_kernel_t:file { getattr read };
-allow nx_server_t urandom_device_t:chr_file read;
-# for reading the config files; maybe a separate type,
-# but users need to be able to also read the config
-allow nx_server_t usr_t:file { getattr read };
-
-dontaudit nx_server_t selinux_config_t:dir search;
-
-# clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
-# for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
-
diff --git a/strict/domains/program/unused/oav-update.te b/strict/domains/program/unused/oav-update.te
deleted file mode 100644
index a9843c68..00000000
--- a/strict/domains/program/unused/oav-update.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#DESC Oav - Anti-virus update program
-#
-# Author: Brian May
-# X-Debian-Packages:
-#
-
-type oav_update_var_lib_t, file_type, sysadmfile;
-type oav_update_exec_t, file_type, sysadmfile, exec_type;
-type oav_update_etc_t, file_type, sysadmfile;
-
-# Derived domain based on the calling user domain and the program.
-type oav_update_t, domain, privlog;
-
-# Transition from the sysadm domain to the derived domain.
-role sysadm_r types oav_update_t;
-domain_auto_trans(sysadm_t, oav_update_exec_t, oav_update_t)
-
-# Transition from the sysadm domain to the derived domain.
-role system_r types oav_update_t;
-system_crond_entry(oav_update_exec_t, oav_update_t)
-
-# Uses shared librarys
-uses_shlib(oav_update_t)
-
-# Run helper programs.
-can_exec_any(oav_update_t,bin_t)
-
-# Can read /etc/oav-update/* files
-allow oav_update_t oav_update_etc_t:dir r_dir_perms;
-allow oav_update_t oav_update_etc_t:file r_file_perms;
-
-# Can read /var/lib/oav-update/current
-allow oav_update_t oav_update_var_lib_t:dir create_dir_perms;
-allow oav_update_t oav_update_var_lib_t:file create_file_perms;
-allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
-
-# Can download via network
-can_network_server(oav_update_t)
diff --git a/strict/domains/program/unused/openca-ca.te b/strict/domains/program/unused/openca-ca.te
deleted file mode 100644
index 411c61de..00000000
--- a/strict/domains/program/unused/openca-ca.te
+++ /dev/null
@@ -1,134 +0,0 @@
-#DESC OpenCA - Open Certificate Authority
-#
-# Author: Brian May
-# X-Debian-Packages:
-# Depends: apache.te
-#
-
-#################################
-#
-# domain for openCA cgi-bin scripts.
-#
-# Type that system CGI scripts run as
-#
-type openca_ca_t, domain;
-role system_r types openca_ca_t;
-uses_shlib(openca_ca_t)
-
-# Types that system CGI scripts on the disk are
-# labeled with
-#
-type openca_ca_exec_t, file_type, sysadmfile;
-
-# When the server starts the script it needs to get the proper context
-#
-domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)
-
-#
-# Allow httpd daemon to search /usr/share/openca
-#
-allow httpd_t openca_usr_share_t:dir { getattr search };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-allow httpd_t bin_t:file { read execute }; # execute perl
-
-allow httpd_t openca_ca_exec_t:file {execute getattr read};
-allow httpd_t openca_ca_t:process {signal sigkill sigstop};
-allow httpd_t openca_ca_t:process transition;
-allow httpd_t openca_ca_exec_t:dir r_dir_perms;
-
-##################################################################
-# Allow the script to get the file descriptor from the http deamon
-# and send sigchild to http deamon
-#################################################################
-allow openca_ca_t httpd_t:process sigchld;
-allow openca_ca_t httpd_t:fd use;
-allow openca_ca_t httpd_t:fifo_file {getattr write};
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow openca_ca_t httpd_log_t:file { append getattr };
-
-#############################################################
-# Allow the script access to the library files so it can run
-#############################################################
-can_exec(openca_ca_t, lib_t)
-
-########################################################################
-# The script needs to inherit the file descriptor and find the script it
-# needs to run
-########################################################################
-allow openca_ca_t initrc_t:fd use;
-allow openca_ca_t init_t:fd use;
-allow openca_ca_t default_t:dir r_dir_perms;
-allow openca_ca_t random_device_t:chr_file r_file_perms;
-
-#######################################################################
-# Allow the script to return its output
-######################################################################
-#allow openca_ca_t httpd_var_run_t: file rw_file_perms;
-allow openca_ca_t null_device_t: chr_file rw_file_perms;
-allow openca_ca_t httpd_cache_t: file rw_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts. So
-# the perl executable will be able to run a perl script
-#########################################################################
-can_exec(openca_ca_t, bin_t)
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow openca_ca_t openca_ca_exec_t:dir search;
-
-#
-# Allow access to writeable files under /etc/openca
-#
-allow openca_ca_t openca_etc_writeable_t:file create_file_perms;
-allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;
-
-#
-# Allow access to other files under /etc/openca
-#
-allow openca_ca_t openca_etc_t:file r_file_perms;
-allow openca_ca_t openca_etc_t:dir r_dir_perms;
-
-#
-# Allow access to private CA key
-#
-allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;
-allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;
-
-#
-# Allow access to other /var/lib/openca files
-#
-allow openca_ca_t openca_var_lib_t:file create_file_perms;
-allow openca_ca_t openca_var_lib_t:dir create_dir_perms;
-
-#
-# Allow access to other /usr/share/openca files
-#
-allow openca_ca_t openca_usr_share_t:file r_file_perms;
-allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
-allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
-
-# /etc/openca standard files
-type openca_etc_t, file_type, sysadmfile;
-
-# /etc/openca template files
-type openca_etc_in_t, file_type, sysadmfile;
-
-# /etc/openca writeable (from CGI script) files
-type openca_etc_writeable_t, file_type, sysadmfile;
-
-# /var/lib/openca
-type openca_var_lib_t, file_type, sysadmfile;
-
-# /var/lib/openca/crypto/keys
-type openca_var_lib_keys_t, file_type, sysadmfile;
-
-# /usr/share/openca/crypto/keys
-type openca_usr_share_t, file_type, sysadmfile;
diff --git a/strict/domains/program/unused/openvpn.te b/strict/domains/program/unused/openvpn.te
deleted file mode 100644
index 0ab13175..00000000
--- a/strict/domains/program/unused/openvpn.te
+++ /dev/null
@@ -1,39 +0,0 @@
-#DESC OpenVPN - Firewall-friendly SSL-based VPN
-#
-# Author: Colin Walters
-#
-########################################
-#
-
-daemon_domain(openvpn)
-etcdir_domain(openvpn)
-
-allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
-
-allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
-allow openvpn_t devpts_t:dir { search getattr };
-allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
-allow openvpn_t proc_t:file { getattr read };
-
-allow openvpn_t self:unix_dgram_socket create_socket_perms;
-allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
-allow openvpn_t self:unix_dgram_socket sendto;
-allow openvpn_t self:unix_stream_socket connectto;
-allow openvpn_t self:capability { net_admin setgid setuid };
-r_dir_file(openvpn_t, sysctl_net_t)
-
-can_network_server(openvpn_t)
-allow openvpn_t openvpn_port_t:udp_socket name_bind;
-
-# OpenVPN executes a lot of helper programs and scripts
-allow openvpn_t { bin_t sbin_t }:dir { search getattr };
-allow openvpn_t bin_t:lnk_file { getattr read };
-can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
-# Do not transition to ifconfig_t, since then it needs
-# permission to access openvpn_t:udp_socket, which seems
-# worse.
-can_exec(openvpn_t, ifconfig_exec_t)
-
-# The Fedora init script iterates over /etc/openvpn/*.conf, and
-# starts a daemon for each file.
-r_dir_file(initrc_t, openvpn_etc_t)
diff --git a/strict/domains/program/unused/perdition.te b/strict/domains/program/unused/perdition.te
deleted file mode 100644
index b95cb753..00000000
--- a/strict/domains/program/unused/perdition.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Perdition POP and IMAP proxy
-#
-# Author: Russell Coker
-# X-Debian-Packages: perdition
-#
-
-#################################
-#
-# Rules for the perdition_t domain.
-#
-daemon_domain(perdition)
-
-allow perdition_t pop_port_t:tcp_socket name_bind;
-
-etc_domain(perdition)
-
-# Use the network.
-can_network_server(perdition_t)
-allow perdition_t self:unix_stream_socket create_socket_perms;
-allow perdition_t self:unix_dgram_socket create_socket_perms;
-
-# allow any domain to connect to the proxy
-can_tcp_connect(userdomain, perdition_t)
-
-# Use capabilities
-allow perdition_t self:capability { setgid setuid net_bind_service };
-
-allow perdition_t etc_t:file { getattr read };
-allow perdition_t etc_t:lnk_file read;
diff --git a/strict/domains/program/unused/portslave.te b/strict/domains/program/unused/portslave.te
deleted file mode 100644
index 55dfad61..00000000
--- a/strict/domains/program/unused/portslave.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC Portslave - Terminal server software
-#
-# Author: Russell Coker
-# X-Debian-Packages: portslave
-# Depends: pppd.te
-#
-
-#################################
-#
-# Rules for the portslave_t domain.
-#
-daemon_base_domain(portslave, `, privmail, auth_chkpwd')
-
-type portslave_etc_t, file_type, sysadmfile;
-
-general_domain_access(portslave_t)
-domain_auto_trans(init_t, portslave_exec_t, portslave_t)
-ifdef(`rlogind.te', `
-domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
-')
-ifdef(`inetd.te', `
-domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
-allow portslave_t inetd_t:tcp_socket { getattr read write };
-')
-
-allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
-read_locale(portslave_t)
-r_dir_file(portslave_t, portslave_etc_t)
-
-allow portslave_t pppd_etc_t:dir r_dir_perms;
-allow portslave_t pppd_etc_rw_t:file { getattr read };
-
-allow portslave_t proc_t:file { getattr read };
-
-allow portslave_t { var_t var_log_t devpts_t }:dir search;
-
-allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
-
-allow portslave_t pppd_secret_t:file r_file_perms;
-
-can_network_server(portslave_t)
-allow portslave_t fs_t:filesystem getattr;
-ifdef(`radius.te', `
-can_udp_send(portslave_t, radiusd_t)
-can_udp_send(radiusd_t, portslave_t)
-')
-# for rlogin etc
-can_exec(portslave_t, { bin_t ssh_exec_t })
-# net_bind_service for rlogin
-allow portslave_t self:capability { net_bind_service sys_tty_config };
-# for ssh
-allow portslave_t urandom_device_t:chr_file read;
-ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
-
-# for pppd
-allow portslave_t self:capability { setuid setgid net_admin fsetid };
-allow portslave_t ppp_device_t:chr_file rw_file_perms;
-
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-
-# for ctlportslave
-dontaudit portslave_t self:capability sys_admin;
-
-file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
-can_exec(portslave_t, { etc_t shell_exec_t })
-
-# Run login in local_login_t domain.
-#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow portslave_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow portslave_t wtmp_t:file rw_file_perms;
-
-# Read and write ttys.
-allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
-allow portslave_t ttyfile:chr_file rw_file_perms;
-
-
-lock_domain(portslave)
-can_exec(portslave_t, pppd_exec_t)
-allow portslave_t { bin_t sbin_t }:dir search;
-allow portslave_t bin_t:lnk_file read;
diff --git a/strict/domains/program/unused/postgrey.te b/strict/domains/program/unused/postgrey.te
deleted file mode 100644
index f60e67bc..00000000
--- a/strict/domains/program/unused/postgrey.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC postgrey - Postfix Grey-listing server
-#
-# Author: Russell Coker
-# X-Debian-Packages: postgrey
-
-daemon_domain(postgrey)
-
-allow postgrey_t urandom_device_t:chr_file { getattr read };
-
-# for perl
-allow postgrey_t { bin_t sbin_t }:dir { getattr search };
-allow postgrey_t usr_t:{ file lnk_file } { getattr read };
-dontaudit postgrey_t usr_t:file ioctl;
-
-allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
-etcdir_domain(postgrey)
-
-can_network_server_tcp(postgrey_t)
-can_ypbind(postgrey_t)
-allow postgrey_t postgrey_port_t:tcp_socket name_bind;
-allow postgrey_t self:unix_dgram_socket create_socket_perms;
-allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
-allow postgrey_t proc_t:file { getattr read };
-
-allow postgrey_t self:capability { chown setgid setuid };
-dontaudit postgrey_t self:capability sys_tty_config;
-
-var_lib_domain(postgrey)
-
-allow postgrey_t tmp_t:dir getattr;
diff --git a/strict/domains/program/unused/publicfile.te b/strict/domains/program/unused/publicfile.te
deleted file mode 100644
index b6a206b0..00000000
--- a/strict/domains/program/unused/publicfile.te
+++ /dev/null
@@ -1,25 +0,0 @@
-#DESC Publicfile - HTTP and FTP file services
-# http://cr.yp.to/publicfile.html
-#
-# Author: petre rodan
-#
-# this policy depends on ucspi-tcp
-#
-
-daemon_domain(publicfile)
-type publicfile_content_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
-
-ifdef(`ucspi-tcp.te', `
-domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
-allow publicfile_t utcpserver_t:tcp_socket { read write };
-allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
-')
-
-allow publicfile_t initrc_t:tcp_socket { read write };
-
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
-
-r_dir_file(publicfile_t, publicfile_content_t)
-
-
diff --git a/strict/domains/program/unused/pxe.te b/strict/domains/program/unused/pxe.te
deleted file mode 100644
index 1515593d..00000000
--- a/strict/domains/program/unused/pxe.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC PXE - a server for the PXE network boot protocol
-#
-# Author: Russell Coker
-# X-Debian-Packages: pxe
-#
-
-#################################
-#
-# Rules for the pxe_t domain.
-#
-daemon_domain(pxe)
-
-allow pxe_t pxe_port_t:udp_socket name_bind;
-
-allow pxe_t etc_t:file { getattr read };
-
-allow pxe_t self:capability { chown setgid setuid };
-
-allow pxe_t zero_device_t:chr_file rw_file_perms;
-
-log_domain(pxe)
diff --git a/strict/domains/program/unused/pyzor.te b/strict/domains/program/unused/pyzor.te
deleted file mode 100644
index b0629adc..00000000
--- a/strict/domains/program/unused/pyzor.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-# block spam using identifying digests of messages.
-#
-# Author: David Hampton
-#
-
-# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
-# Pyzor normally dumps everything into $HOME/.pyzor. By putting the
-# following line to the spamassassin config file:
-#
-# pyzor_options --homedir /etc/pyzor
-#
-# the various files will be put into appropriate directories.
-# (I.E. The log file into /var/log, etc.) This policy will work
-# either way.
-
-##########
-# pyzor daemon
-##########
-daemon_domain(pyzord, `, privlog, nscd_client_domain')
-pyzor_base_domain(pyzord)
-allow pyzord_t pyzor_port_t:udp_socket name_bind;
-home_domain_access(pyzord_t, sysadm, pyzor)
-log_domain(pyzord)
-
-# Read shared daemon/client config file
-r_dir_file(pyzord_t, pyzor_etc_t)
-
-# Write shared daemon/client data dir
-allow pyzord_t var_lib_t:dir search;
-create_dir_file(pyzord_t, pyzor_var_lib_t)
-
-##########
-# Pyzor query application - from system_r applictions
-##########
-type pyzor_t, domain, privlog, daemon;
-type pyzor_exec_t, file_type, sysadmfile, exec_type;
-role system_r types pyzor_t;
-
-pyzor_base_domain(pyzor)
-
-# System config/data files
-etcdir_domain(pyzor)
-var_lib_domain(pyzor)
-
-##########
-##########
-
-#
-# Some spam filters executes the pyzor code directly. Allow them access here.
-#
-ifdef(`spamd.te',`
-domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
-# pyzor needs access to the email spamassassin is checking
-allow pyzor_t spamd_tmp_t:file r_file_perms;
-')
diff --git a/strict/domains/program/unused/qmail.te b/strict/domains/program/unused/qmail.te
deleted file mode 100644
index 6c51cd76..00000000
--- a/strict/domains/program/unused/qmail.te
+++ /dev/null
@@ -1,197 +0,0 @@
-#DESC Qmail - Mail server
-#
-# Author: Russell Coker
-# X-Debian-Packages: qmail-src qmail
-# Depends: inetd.te mta.te
-#
-
-
-# Type for files created during execution of qmail.
-type qmail_var_run_t, file_type, sysadmfile, pidfile;
-
-type qmail_etc_t, file_type, sysadmfile;
-
-allow inetd_t smtp_port_t:tcp_socket name_bind;
-
-type qmail_exec_t, file_type, sysadmfile, exec_type;
-type qmail_spool_t, file_type, sysadmfile;
-type var_qmail_t, file_type, sysadmfile;
-
-define(`qmaild_sub_domain', `
-daemon_sub_domain($1, $2, `$3')
-allow $2_t qmail_etc_t:dir { getattr search };
-allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
-allow $2_t { var_t var_spool_t }:dir search;
-allow $2_t console_device_t:chr_file rw_file_perms;
-allow $2_t fs_t:filesystem getattr;
-')
-
-#################################
-#
-# Rules for the qmail_$1_t domain.
-#
-# qmail_$1_exec_t is the type of the qmail_$1 executables.
-#
-define(`qmail_daemon_domain', `
-qmaild_sub_domain(qmail_start_t, qmail_$1, `$2')
-allow qmail_$1_t qmail_start_t:fifo_file { read write };
-')dnl
-
-
-daemon_base_domain(qmail_start)
-
-allow qmail_start_t self:capability { setgid setuid };
-allow qmail_start_t { bin_t sbin_t }:dir search;
-allow qmail_start_t qmail_etc_t:dir search;
-allow qmail_start_t qmail_etc_t:file { getattr read };
-can_exec(qmail_start_t, qmail_start_exec_t)
-allow qmail_start_t self:fifo_file { getattr read write };
-
-qmail_daemon_domain(lspawn, `, mta_delivery_agent')
-allow qmail_lspawn_t self:fifo_file { read write };
-allow qmail_lspawn_t self:capability { setuid setgid };
-allow qmail_lspawn_t self:process { fork signal_perms };
-allow qmail_lspawn_t sbin_t:dir search;
-can_exec(qmail_lspawn_t, qmail_exec_t)
-allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
-allow qmail_lspawn_t qmail_spool_t:dir search;
-allow qmail_lspawn_t qmail_spool_t:file { read getattr };
-allow qmail_lspawn_t etc_t:file { getattr read };
-allow qmail_lspawn_t tmp_t:dir getattr;
-dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };
-
-qmail_daemon_domain(send, `, mail_server_sender')
-rw_dir_create_file(qmail_send_t, qmail_spool_t)
-allow qmail_send_t qmail_spool_t:fifo_file read;
-allow qmail_send_t self:process { fork signal_perms };
-allow qmail_send_t self:fifo_file write;
-domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_send_t sbin_t:dir search;
-
-qmail_daemon_domain(splogger)
-allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-allow qmail_splogger_t etc_t:lnk_file read;
-dontaudit qmail_splogger_t initrc_t:fd use;
-read_locale(qmail_splogger_t)
-
-qmail_daemon_domain(rspawn)
-allow qmail_rspawn_t qmail_spool_t:dir search;
-allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
-allow qmail_rspawn_t self:process { fork signal_perms };
-allow qmail_rspawn_t self:fifo_file read;
-allow qmail_rspawn_t { bin_t sbin_t }:dir search;
-
-qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
-allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
-can_network_server(qmail_remote_t)
-can_ypbind(qmail_remote_t)
-allow qmail_remote_t qmail_spool_t:dir search;
-allow qmail_remote_t qmail_spool_t:file rw_file_perms;
-allow qmail_remote_t self:tcp_socket create_socket_perms;
-allow qmail_remote_t self:udp_socket create_socket_perms;
-
-qmail_daemon_domain(clean)
-allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
-allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
-
-# privhome will do until we get a separate maildir type
-qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
-allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
-allow qmail_local_t self:process { fork signal_perms };
-domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_local_t qmail_queue_exec_t:file { getattr read };
-allow qmail_local_t qmail_spool_t:file { ioctl read };
-allow qmail_local_t self:fifo_file write;
-allow qmail_local_t sbin_t:dir search;
-allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
-allow qmail_local_t etc_t:file { getattr read };
-
-# for piping mail to a command
-can_exec(qmail_local_t, shell_exec_t)
-allow qmail_local_t bin_t:dir search;
-allow qmail_local_t bin_t:lnk_file read;
-allow qmail_local_t devtty_t:chr_file rw_file_perms;
-allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
-
-ifdef(`tcpd.te', `
-qmaild_sub_domain(tcpd_t, qmail_tcp_env)
-# bug
-can_exec(tcpd_t, tcpd_exec_t)
-', `
-qmaild_sub_domain(inetd_t, qmail_tcp_env)
-')
-allow qmail_tcp_env_t inetd_t:fd use;
-allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
-allow qmail_tcp_env_t inetd_t:process sigchld;
-allow qmail_tcp_env_t sbin_t:dir search;
-can_network_server(qmail_tcp_env_t)
-can_ypbind(qmail_tcp_env_t)
-
-qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
-can_network_server(qmail_smtpd_t)
-can_ypbind(qmail_smtpd_t)
-allow qmail_smtpd_t inetd_t:fd use;
-allow qmail_smtpd_t inetd_t:tcp_socket { read write };
-allow qmail_smtpd_t inetd_t:process sigchld;
-allow qmail_smtpd_t self:process { fork signal_perms };
-allow qmail_smtpd_t self:fifo_file write;
-allow qmail_smtpd_t self:tcp_socket create_socket_perms;
-allow qmail_smtpd_t sbin_t:dir search;
-domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
-
-qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
-allow qmail_inject_t self:process { fork signal_perms };
-allow qmail_inject_t self:fifo_file write;
-allow qmail_inject_t sbin_t:dir search;
-role sysadm_r types qmail_inject_t;
-in_user_role(qmail_inject_t)
-
-qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent')
-in_user_role(qmail_qread_t)
-role sysadm_r types qmail_qread_t;
-r_dir_file(qmail_qread_t, qmail_spool_t)
-allow qmail_qread_t self:capability dac_override;
-allow qmail_qread_t privfd:fd use;
-
-qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
-role sysadm_r types qmail_queue_t;
-in_user_role(qmail_queue_t)
-allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
-rw_dir_create_file(qmail_queue_t, qmail_spool_t)
-allow qmail_queue_t qmail_spool_t:fifo_file { read write };
-allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
-allow qmail_queue_t qmail_lspawn_t:fifo_file write;
-allow qmail_queue_t qmail_start_t:fifo_file { read write };
-allow qmail_queue_t privfd:fd use;
-allow qmail_queue_t crond_t:fifo_file { read write };
-allow qmail_queue_t inetd_t:fd use;
-allow qmail_queue_t inetd_t:tcp_socket { read write };
-allow qmail_queue_t sysadm_t:fd use;
-allow qmail_queue_t sysadm_t:fifo_file write;
-
-allow user_crond_domain qmail_etc_t:dir search;
-allow user_crond_domain qmail_etc_t:file { getattr read };
-
-qmaild_sub_domain(user_crond_domain, qmail_serialmail)
-in_user_role(qmail_serialmail_t)
-can_network_server(qmail_serialmail_t)
-can_ypbind(qmail_serialmail_t)
-can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
-allow qmail_serialmail_t self:process { fork signal_perms };
-allow qmail_serialmail_t proc_t:file { getattr read };
-allow qmail_serialmail_t etc_runtime_t:file { getattr read };
-allow qmail_serialmail_t home_root_t:dir search;
-allow qmail_serialmail_t user_home_dir_type:dir { search read getattr };
-rw_dir_create_file(qmail_serialmail_t, user_home_type)
-allow qmail_serialmail_t self:fifo_file { read write };
-allow qmail_serialmail_t self:udp_socket create_socket_perms;
-allow qmail_serialmail_t self:tcp_socket create_socket_perms;
-allow qmail_serialmail_t privfd:fd use;
-allow qmail_serialmail_t crond_t:fifo_file { read write ioctl };
-allow qmail_serialmail_t devtty_t:chr_file { read write };
-
-# for tcpclient
-can_exec(qmail_serialmail_t, bin_t)
-allow qmail_serialmail_t bin_t:dir search;
diff --git a/strict/domains/program/unused/razor.te b/strict/domains/program/unused/razor.te
deleted file mode 100644
index e88bb499..00000000
--- a/strict/domains/program/unused/razor.te
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Razor - Vipul's Razor is a distributed, collaborative, spam
-# detection and filtering network.
-#
-# Author: David Hampton
-#
-
-# NOTE: This policy will work with either the ATrpms provided config
-# file in /etc/razor, or with the default of dumping everything into
-# $HOME/.razor.
-
-##########
-# Razor query application - from system_r applictions
-##########
-type razor_t, domain, privlog, daemon;
-type razor_exec_t, file_type, sysadmfile, exec_type;
-role system_r types razor_t;
-
-razor_base_domain(razor)
-
-# Razor config file directory. When invoked as razor-admin, it can
-# update files in this directory.
-etcdir_domain(razor)
-create_dir_file(razor_t, razor_etc_t);
-
-# Shared razor files updated freuently
-var_lib_domain(razor)
-
-# Log files
-log_domain(razor)
-allow razor_t var_log_t:dir search;
-ifdef(`logrotate.te', `
-allow logrotate_t razor_log_t:file r_file_perms;
-')
-
-##########
-##########
-
-#
-# Some spam filters executes the razor code directly. Allow them access here.
-#
-define(`razor_access',`
-r_dir_file($1, razor_etc_t)
-allow $1 var_log_t:dir search;
-allow $1 razor_log_t:file ra_file_perms;
-r_dir_file($1, razor_var_lib_t)
-r_dir_file($1, sysadm_razor_home_t)
-can_network_client_tcp($1, razor_port_t)
-allow $1 razor_port_t:tcp_socket name_connect;
-')
-
-ifdef(`spamd.te', `razor_access(spamd_t)');
-ifdef(`amavis.te', `razor_access(amavisd_t)');
diff --git a/strict/domains/program/unused/resmgrd.te b/strict/domains/program/unused/resmgrd.te
deleted file mode 100644
index 9224ad37..00000000
--- a/strict/domains/program/unused/resmgrd.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# DESC resmgrd - resource manager daemon
-#
-# Author: Thomas Bleher
-
-daemon_base_domain(resmgrd)
-var_run_domain(resmgrd, { file sock_file })
-etc_domain(resmgrd)
-read_locale(resmgrd_t)
-allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
-
-allow resmgrd_t etc_t:file { getattr read };
-allow resmgrd_t self:unix_stream_socket create_stream_socket_perms;
-allow resmgrd_t self:unix_dgram_socket create_socket_perms;
-
-# hardware access
-allow resmgrd_t device_t:lnk_file { getattr read };
-# not sure if it needs write access, needs to be investigated further...
-allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
-allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
-allow resmgrd_t scanner_device_t:chr_file { getattr };
-# I think a dontaudit should be enough there
-dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
-
-# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
-
diff --git a/strict/domains/program/unused/rssh.te b/strict/domains/program/unused/rssh.te
deleted file mode 100644
index 73bab4a1..00000000
--- a/strict/domains/program/unused/rssh.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Rssh - Restricted (scp/sftp) only shell
-#
-# Authors: Colin Walters
-# X-Debian-Package: rssh
-#
-
-type rssh_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`ssh.te',`
-allow sshd_t rssh_exec_t:file r_file_perms;
-')
-
-# See rssh_macros.te for the rest.
diff --git a/strict/domains/program/unused/scannerdaemon.te b/strict/domains/program/unused/scannerdaemon.te
deleted file mode 100644
index 6245e8b9..00000000
--- a/strict/domains/program/unused/scannerdaemon.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#DESC Scannerdaemon - Virus scanner daemon
-#
-# Author: Brian May
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the scannerdaemon_t domain.
-#
-type scannerdaemon_etc_t, file_type, sysadmfile;
-
-#networking
-daemon_domain(scannerdaemon)
-can_network_server(scannerdaemon_t)
-ifdef(`postfix.te',
-`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);')
-
-# for testing
-can_tcp_connect(sysadm_t,scannerdaemon_t)
-
-# Can create unix sockets
-allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms;
-
-# Access config files (libc6).
-allow scannerdaemon_t etc_t:file r_file_perms;
-allow scannerdaemon_t etc_t:lnk_file r_file_perms;
-allow scannerdaemon_t proc_t:file r_file_perms;
-allow scannerdaemon_t etc_runtime_t:file r_file_perms;
-
-# Access config files (scannerdaemon).
-allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
-
-# Access signature files.
-ifdef(`oav-update.te',`
-allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
-')
-
-log_domain(scannerdaemon)
-ifdef(`logrotate.te', `
-allow logrotate_t scannerdaemon_log_t:file create_file_perms;
-')
-
-# Can run kaffe
-# Run helper programs.
-can_exec_any(scannerdaemon_t)
-allow scannerdaemon_t var_lib_t:dir search;
-allow scannerdaemon_t { sbin_t bin_t }:dir search;
-allow scannerdaemon_t bin_t:lnk_file read;
-
-# unknown stuff
-allow scannerdaemon_t self:fifo_file { read write };
-
-# broken stuff
-dontaudit scannerdaemon_t sysadm_home_dir_t:dir search;
-dontaudit scannerdaemon_t devtty_t:chr_file { read write };
-dontaudit scannerdaemon_t shadow_t:file { read getattr };
diff --git a/strict/domains/program/unused/seuser.te b/strict/domains/program/unused/seuser.te
deleted file mode 100644
index dc877428..00000000
--- a/strict/domains/program/unused/seuser.te
+++ /dev/null
@@ -1,148 +0,0 @@
-#DESC SE Linux User Manager (seuser)
-#DEPENDS checkpolicy.te load_policy.te
-#
-# Authors: don.patterson@tresys.com, mayerf@tresys.com
-# Additions: wsalamon@tislabs.com, dac@tresys.com
-
-#
-
-#################################
-#
-# Rules for the seuser_t domain.
-#
-# seuser_t is the domain of the seuser application when it is executed.
-# seuser_conf_t is the type of the seuser configuration file.
-# seuser_exec_t is the type of the seuser executable.
-# seuser_tmp_t is the type of the temporary file(s) created by seuser.
-#
-##############################################
-# Define types, and typical rules including
-# access to execute and transition
-##############################################
-
-# Defined seuser types
-type seuser_t, domain, privhome ;
-type seuser_conf_t, file_type, sysadmfile ;
-type seuser_exec_t, file_type, sysadmfile, exec_type ;
-tmp_domain(seuser)
-
-# Authorize roles
-role sysadm_r types seuser_t ;
-
-# Allow sysadm_t to run with privilege
-domain_auto_trans(sysadm_t, seuser_exec_t, seuser_t)
-
-# Grant the new domain permissions to many common operations
-# FIX: Should be more resticted than this.
-#every_domain(seuser_t)
-allow seuser_t self:process { fork sigchld };
-allow seuser_t self:fifo_file read;
-allow seuser_t self:unix_stream_socket {create connect};
-allow seuser_t self:dir search;
-allow seuser_t self:file { read getattr };
-
-allow seuser_t etc_t:dir search;
-allow seuser_t etc_t:{lnk_file file} { read getattr};
-read_locale(seuser_t)
-allow seuser_t { var_run_t var_t}:dir search;
-
-uses_shlib(seuser_t)
-
-allow seuser_t devtty_t:chr_file {read write };
-allow seuser_t proc_t:dir search;
-allow seuser_t proc_t:{lnk_file file} { getattr read };
-
-allow seuser_t root_t:dir search;
-allow seuser_t staff_home_dir_t:dir search;
-allow seuser_t home_root_t:dir { getattr search };
-allow seuser_t staff_home_dir_t:dir getattr;
-allow seuser_t default_t:file {read getattr};
-
-allow seuser_t bin_t:dir { getattr search read} ;
-allow seuser_t bin_t:lnk_file { read getattr };
-allow seuser_t sbin_t:dir search;
-
-# Inherit and use descriptors from login.
-allow seuser_t privfd:fd use;
-
-###############################################
-
-# Use capabilities to self
-allow seuser_t self:capability { dac_override setuid setgid } ;
-
-# Grant the seuser domain ability to change passwords for a user.
-allow seuser_t self:passwd { passwd chfn chsh } ;
-
-# Read permissions for seuser.conf file
-allow seuser_t seuser_conf_t:file r_file_perms ;
-
-
-###################################################################
-# Policy section: Define the ability to change and load policies
-###################################################################
-
-# seuser_t domain needs to transition to the checkpolicy and loadpolicy
-# domains in order to install and load new policies.
-domain_auto_trans(seuser_t, checkpolicy_exec_t, checkpolicy_t)
-domain_auto_trans(seuser_t, load_policy_exec_t, load_policy_t)
-
-# allow load_policy and checkpolicy domains access to seuser_tmp_t
-# files in order for their stdout/stderr able to be put into
-# seuser's tmp files.
-#
-# Since both these domains carefully try to limit where the
-# assoicated program can read from, we won't use the standard
-# rw_file_perm macro, but instead only grant the minimum needed
-# to redirect output, write and getattr.
-allow checkpolicy_t seuser_tmp_t:file { getattr write } ;
-allow load_policy_t seuser_tmp_t:file { getattr write } ;
-allow useradd_t seuser_tmp_t:file { getattr write } ;
-
-
-# FIX: Temporarily allow seuser_t permissions for executing programs with a
-# bint_t type without changing domains. We have to give seuser_t the following
-# access because we use the policy make process to build new plicy.conf files.
-# At some point, a new policy management infrastructure should remove the ability
-# to modify policy source files with arbitrary progams
-#
-can_exec(seuser_t, bin_t)
-can_exec(seuser_t, shell_exec_t)
-
-
-# Read/write permission to the login context files in /etc/security
-allow seuser_t login_contexts:file create_file_perms ;
-
-# Read/write permission to the policy source and its' directory
-allow seuser_t policy_src_t:dir create_dir_perms ;
-allow seuser_t policy_src_t:file create_file_perms ;
-
-# Allow search and stat for policy_config_t
-allow seuser_t policy_config_t:dir { search getattr } ;
-allow seuser_t policy_config_t:file stat_file_perms;
-
-
-#ifdef(`xserver.te', `
-############################################################
-# Xserver section - To support our GUI interface,
-############################################################
-# Permission to create files in /tmp/.X11-Unix
-#allow seuser_t sysadm_xserver_tmp_t:dir search ;
-#allow seuser_t sysadm_xserver_tmp_t:sock_file write ;
-#allow seuser_t user_xserver_tmp_t:dir search ;
-#allow seuser_t user_xserver_tmp_t:sock_file write ;
-
-# Permission to establish a Unix stream connection to X server
-#can_unix_connect(seuser_t, user_xserver_t)
-#can_unix_connect(seuser_t, sysadm_xserver_t)
-#')
-ifdef(`xdm.te', `
-can_unix_connect(seuser_t, xdm_xserver_t)
-')
-
-# seuser_t domain needs execute access to the library files so that it can run.
-can_exec(seuser_t, lib_t)
-
-# Access ttys
-allow seuser_t sysadm_tty_device_t:chr_file rw_file_perms ;
-allow seuser_t sysadm_devpts_t:chr_file rw_file_perms ;
-
diff --git a/strict/domains/program/unused/snort.te b/strict/domains/program/unused/snort.te
deleted file mode 100644
index 24188f67..00000000
--- a/strict/domains/program/unused/snort.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC Snort - Network sniffer
-#
-# Author: Shaun Savage
-# Modified by Russell Coker
-# X-Debian-Packages: snort-common
-#
-
-daemon_domain(snort)
-
-logdir_domain(snort)
-allow snort_t snort_log_t:dir create;
-can_network_server(snort_t)
-type snort_etc_t, file_type, sysadmfile;
-
-# Create temporary files.
-tmp_domain(snort)
-
-# use iptable netlink
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow snort_t self:packet_socket create_socket_perms;
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
-
-r_dir_file(snort_t, snort_etc_t)
-allow snort_t etc_t:file { getattr read };
-allow snort_t etc_t:lnk_file read;
-
-allow snort_t self:unix_dgram_socket create_socket_perms;
-allow snort_t self:unix_stream_socket create_socket_perms;
-
-# for start script
-allow initrc_t snort_etc_t:file { getattr read };
-
-dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
diff --git a/strict/domains/program/unused/sound-server.te b/strict/domains/program/unused/sound-server.te
deleted file mode 100644
index c84a1faf..00000000
--- a/strict/domains/program/unused/sound-server.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC sound server - for network audio server programs, nasd, yiff, etc
-#
-# Author: Russell Coker
-#
-
-#################################
-#
-# Rules for the soundd_t domain.
-#
-# soundd_exec_t is the type of the soundd executable.
-#
-daemon_domain(soundd)
-
-allow soundd_t soundd_port_t:tcp_socket name_bind;
-
-type etc_soundd_t, file_type, sysadmfile;
-type soundd_state_t, file_type, sysadmfile;
-
-tmp_domain(soundd)
-rw_dir_create_file(soundd_t, soundd_state_t)
-
-allow soundd_t sound_device_t:chr_file rw_file_perms;
-allow soundd_t device_t:lnk_file read;
-
-# Use the network.
-can_network_server(soundd_t)
-allow soundd_t self:unix_stream_socket create_stream_socket_perms;
-allow soundd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the sound server
-can_tcp_connect(userdomain, soundd_t)
-
-allow soundd_t self:process setpgid;
-
-# read config files
-allow soundd_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
-
-allow soundd_t etc_t:dir r_dir_perms;
-r_dir_file(soundd_t, etc_soundd_t)
-
-# for yiff - probably need some rules for the client support too
-allow soundd_t self:shm create_shm_perms;
-tmpfs_domain(soundd)
diff --git a/strict/domains/program/unused/speedmgmt.te b/strict/domains/program/unused/speedmgmt.te
deleted file mode 100644
index 6d399fbd..00000000
--- a/strict/domains/program/unused/speedmgmt.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Speedmgmt - Alcatel speedtouch USB ADSL modem
-#
-# Author: Russell Coker
-#
-
-#################################
-#
-# Rules for the speedmgmt_t domain.
-#
-# speedmgmt_exec_t is the type of the speedmgmt executable.
-#
-daemon_domain(speedmgmt)
-tmp_domain(speedmgmt)
-
-# for accessing USB
-allow speedmgmt_t proc_t:dir r_dir_perms;
-allow speedmgmt_t usbdevfs_t:file rw_file_perms;
-allow speedmgmt_t usbdevfs_t:dir r_dir_perms;
-
-allow speedmgmt_t usr_t:file r_file_perms;
-
-allow speedmgmt_t self:unix_dgram_socket create_socket_perms;
-
-# allow time
-allow speedmgmt_t etc_t:dir r_dir_perms;
-allow speedmgmt_t etc_t:lnk_file r_file_perms;
diff --git a/strict/domains/program/unused/sxid.te b/strict/domains/program/unused/sxid.te
deleted file mode 100644
index a96c9877..00000000
--- a/strict/domains/program/unused/sxid.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC Sxid - SUID/SGID program monitoring
-#
-# Author: Russell Coker
-# X-Debian-Packages: sxid
-#
-
-#################################
-#
-# Rules for the sxid_t domain.
-#
-# sxid_exec_t is the type of the sxid executable.
-#
-daemon_base_domain(sxid, `, privmail')
-tmp_domain(sxid)
-
-allow sxid_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(sxid_exec_t, sxid_t)
-')
-#allow system_crond_t sxid_log_t:file create_file_perms;
-
-read_locale(sxid_t)
-
-can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
-allow sxid_t bin_t:lnk_file read;
-
-log_domain(sxid)
-
-allow sxid_t file_type:notdevfile_class_set getattr;
-allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow sxid_t ttyfile:chr_file getattr;
-allow sxid_t file_type:dir { getattr read search };
-allow sxid_t sysadmfile:file { getattr read };
-dontaudit sxid_t devpts_t:dir r_dir_perms;
-allow sxid_t fs_type:dir { getattr read search };
-
-# Use the network.
-can_network_server(sxid_t)
-allow sxid_t self:fifo_file rw_file_perms;
-allow sxid_t self:unix_stream_socket create_socket_perms;
-
-allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
-read_sysctl(sxid_t)
-allow sxid_t devtty_t:chr_file rw_file_perms;
-
-allow sxid_t self:capability { dac_override dac_read_search fsetid };
-dontaudit sxid_t self:capability { setuid setgid };
-
-ifdef(`mta.te', `
-# sxid leaves an open file handle to /proc/mounts
-dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };
-
-# allow mta to read the log files
-allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
-# stop warnings if mailx is passed a read/write file handle
-dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
-')
-
-allow logrotate_t sxid_t:file { getattr write };
-
-dontaudit sxid_t security_t:dir { getattr read search };
diff --git a/strict/domains/program/unused/tinydns.te b/strict/domains/program/unused/tinydns.te
deleted file mode 100644
index a911b89f..00000000
--- a/strict/domains/program/unused/tinydns.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#DESC TINYDNS - Name server for djbdns
-#
-# Authors: Matthew J. Fanto
-#
-# Based off Named policy file written by
-# Yuichi Nakamura ,
-# Russell Coker
-# X-Debian-Packages: djbdns-installer djbdns
-#
-#
-
-#################################
-#
-# Rules for the tinydns_t domain.
-#
-daemon_domain(tinydns)
-
-can_exec(tinydns_t, tinydns_exec_t)
-allow tinydns_t sbin_t:dir search;
-
-allow tinydns_t self:process setsched;
-
-# A type for configuration files of tinydns.
-type tinydns_conf_t, file_type, sysadmfile;
-
-# for primary zone files - the data file
-type tinydns_zone_t, file_type, sysadmfile;
-
-allow tinydns_t etc_t:file { getattr read };
-allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
-
-#tinydns can use network
-can_network_server(tinydns_t)
-allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-# allow UDP transfer to/from any program
-can_udp_send(domain, tinydns_t)
-can_udp_send(tinydns_t, domain)
-# tinydns itself doesn't do zone transfers
-# so we do not need to have it tcp_connect
-
-#read configuration files
-r_dir_file(tinydns_t, tinydns_conf_t)
-
-r_dir_file(tinydns_t, tinydns_zone_t)
-
-# allow tinydns to create datagram sockets (udp)
-# allow tinydns_t self:unix_stream_socket create_stream_socket_perms;
-allow tinydns_t self:unix_dgram_socket create_socket_perms;
-
-# Read /dev/random.
-allow tinydns_t device_t:dir r_dir_perms;
-allow tinydns_t random_device_t:chr_file r_file_perms;
-
-# Set own capabilities.
-allow tinydns_t self:process setcap;
-
-# for chmod in start script
-dontaudit initrc_t tinydns_var_run_t:dir setattr;
diff --git a/strict/domains/program/unused/transproxy.te b/strict/domains/program/unused/transproxy.te
deleted file mode 100644
index e34b8043..00000000
--- a/strict/domains/program/unused/transproxy.te
+++ /dev/null
@@ -1,36 +0,0 @@
-#DESC Transproxy - Transparent proxy for web access
-#
-# Author: Russell Coker
-# X-Debian-Packages: transproxy
-#
-
-#################################
-#
-# Rules for the transproxy_t domain.
-#
-# transproxy_exec_t is the type of the transproxy executable.
-#
-daemon_domain(transproxy)
-
-# Use the network.
-can_network_server_tcp(transproxy_t)
-allow transproxy_t transproxy_port_t:tcp_socket name_bind;
-
-#allow transproxy_t self:fifo_file { read write };
-allow transproxy_t self:unix_stream_socket create_socket_perms;
-allow transproxy_t self:unix_dgram_socket create_socket_perms;
-
-# Use capabilities
-allow transproxy_t self:capability { setgid setuid };
-#allow transproxy_t self:process setsched;
-
-#allow transproxy_t proc_t:file r_file_perms;
-
-# read config files
-allow transproxy_t etc_t:lnk_file read;
-allow transproxy_t etc_t:file { read getattr };
-
-#allow transproxy_t etc_t:dir r_dir_perms;
-
-#read_sysctl(transproxy_t)
-
diff --git a/strict/domains/program/unused/tripwire.te b/strict/domains/program/unused/tripwire.te
deleted file mode 100644
index 9ee61e84..00000000
--- a/strict/domains/program/unused/tripwire.te
+++ /dev/null
@@ -1,139 +0,0 @@
-# DESC tripwire
-#
-# Author: David Hampton
-#
-
-# NOTE: Tripwire creates temp file in its current working directory.
-# This policy does not allow write access to home directories, so
-# users will need to either cd to a directory where they have write
-# permission, or set the TEMPDIRECTORY variable in the tripwire config
-# file. The latter is preferable, as then the file_type_auto_trans
-# rules will kick in and label the files as private to tripwire.
-
-
-# Common definitions
-type tripwire_report_t, file_type, sysadmfile;
-etcdir_domain(tripwire)
-var_lib_domain(tripwire)
-tmp_domain(tripwire)
-
-
-# Macro for defining tripwire domains
-define(`tripwire_domain',`
-application_domain($1, `, auth')
-role system_r types $1_t;
-
-# Allow access to common tripwire files
-allow $1_t tripwire_etc_t:file r_file_perms;
-allow $1_t tripwire_etc_t:dir r_dir_perms;
-allow $1_t tripwire_etc_t:lnk_file { getattr read };
-file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
-allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
-file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
-
-allow $1_t self:process { fork sigchld };
-allow $1_t self:capability { setgid setuid dac_override };
-
-# Tripwire needs to read all files on the system
-general_proc_read_access($1_t)
-allow $1_t file_type:dir { search getattr read};
-allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
-allow $1_t file_type:fifo_file { getattr };
-allow $1_t device_type:file { getattr read };
-allow $1_t sysctl_t:dir { getattr read };
-allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;
-
-# Tripwire report files
-create_dir_file($1_t, tripwire_report_t)
-
-# gethostid()?
-allow $1_t self:unix_stream_socket { connect create };
-
-# Running editor program (tripwire forks then runs bash which rins editor)
-can_exec($1_t, shell_exec_t)
-can_exec($1_t, bin_t)
-uses_shlib($1_t)
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-')
-
-
-##########
-##########
-
-#
-# When run by a user
-#
-tripwire_domain(`tripwire')
-
-# Running from the command line
-allow tripwire_t devpts_t:dir search;
-allow tripwire_t devtty_t:chr_file { read write };
-allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
-allow tripwire_t privfd:fd use;
-
-
-##########
-##########
-
-#
-# When run from cron
-#
-tripwire_domain(`tripwire_crond')
-system_crond_entry(tripwire_exec_t, tripwire_crond_t)
-domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)
-
-# Tripwire uses a temp file in the root home directory
-#create_dir_file(tripwire_crond_t, root_t)
-
-
-##########
-# Twadmin
-##########
-application_domain(twadmin)
-read_locale(twadmin_t)
-create_dir_file(twadmin_t, tripwire_etc_t)
-
-allow twadmin_t sysadm_tmp_t:file { getattr read write };
-
-# Running from the command line
-allow twadmin_t sshd_t:fd use;
-allow twadmin_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit twadmin_t { bin_t sbin_t }:dir search;
-dontaudit twadmin_t home_root_t:dir search;
-dontaudit twprint_t user_home_dir_t:dir search;
-
-
-##########
-# Twprint
-##########
-application_domain(twprint)
-read_locale(twprint_t)
-r_dir_file(twprint_t, tripwire_etc_t)
-allow twprint_t { var_t var_lib_t }:dir search;
-r_dir_file(twprint_t, tripwire_var_lib_t)
-r_dir_file(twprint_t, tripwire_report_t)
-
-# Running from the command line
-allow twprint_t sshd_t:fd use;
-allow twprint_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit twprint_t { bin_t sbin_t }:dir search;
-dontaudit twprint_t home_root_t:dir search;
-
-
-##########
-# Siggen
-##########
-application_domain(siggen, `, auth')
-read_locale(siggen_t)
-
-# Need permission to read files
-allow siggen_t file_type:dir { search getattr read};
-allow siggen_t file_type:file {getattr read};
-
-# Running from the command line
-allow siggen_t sshd_t:fd use;
-allow siggen_t admin_tty_type:chr_file rw_file_perms;
diff --git a/strict/domains/program/unused/ucspi-tcp.te b/strict/domains/program/unused/ucspi-tcp.te
deleted file mode 100644
index b2eeb5c9..00000000
--- a/strict/domains/program/unused/ucspi-tcp.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC ucspi-tcp - TCP Server and Client Tools
-#
-# Author Petre Rodan
-# Andy Dustman (rblsmtp-related policy)
-#
-
-# http://cr.yp.to/ucspi-tcp.html
-
-daemon_base_domain(utcpserver)
-can_network(utcpserver_t)
-
-allow utcpserver_t etc_t:file r_file_perms;
-allow utcpserver_t { bin_t sbin_t var_t }:dir search;
-
-allow utcpserver_t self:capability { net_bind_service setgid setuid };
-allow utcpserver_t self:fifo_file { read write };
-allow utcpserver_t self:process { fork sigchld };
-
-allow utcpserver_t port_t:udp_socket name_bind;
-
-ifdef(`qmail.te', `
-domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
-allow utcpserver_t smtp_port_t:tcp_socket name_bind;
-allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr };
-allow utcpserver_t qmail_etc_t:dir r_dir_perms;
-allow utcpserver_t qmail_etc_t:file r_file_perms;
-')
-
-daemon_base_domain(rblsmtpd)
-can_network(rblsmtpd_t)
-
-allow rblsmtpd_t self:process { fork sigchld };
-
-allow rblsmtpd_t etc_t:file r_file_perms;
-allow rblsmtpd_t { bin_t var_t }:dir search;
-allow rblsmtpd_t port_t:udp_socket name_bind;
-allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
-
-ifdef(`qmail.te', `
-domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
-allow qmail_queue_t rblsmtpd_t:fd use;
-')
-
-ifdef(`daemontools.te', `
-svc_ipc_domain(rblsmtpd_t)
-')
-
-domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
-
diff --git a/strict/domains/program/unused/uml_net.te b/strict/domains/program/unused/uml_net.te
deleted file mode 100644
index da3fe345..00000000
--- a/strict/domains/program/unused/uml_net.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC uml_net helper program for user-mode Linux
-#
-# Author: Russell Coker
-#
-# WARNING: Do not install this file on any machine that has hostile users.
-
-type uml_net_t, domain, privlog;
-type uml_net_exec_t, file_type, sysadmfile, exec_type;
-in_user_role(uml_net_t)
-allow uml_net_t self:process { fork signal_perms };
-allow uml_net_t { bin_t sbin_t }:dir search;
-allow uml_net_t self:fifo_file { read write };
-allow uml_net_t device_t:dir search;
-allow uml_net_t self:udp_socket { create ioctl };
-uses_shlib(uml_net_t)
-allow uml_net_t devtty_t:chr_file { read write };
-allow uml_net_t etc_runtime_t:file { getattr read };
-allow uml_net_t etc_t:file { getattr read };
-allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
-allow uml_net_t proc_t:file { getattr read };
-
-# if you want ip_forward to be set then you should set it yourself
-dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
-dontaudit uml_net_t sysctl_net_t:file write;
-
-dontaudit ifconfig_t uml_net_t:udp_socket { read write };
-dontaudit uml_net_t self:capability sys_module;
-
-allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
-can_exec(uml_net_t, { shell_exec_t sbin_t })
diff --git a/strict/domains/program/unused/uptimed.te b/strict/domains/program/unused/uptimed.te
deleted file mode 100644
index 0c9b1c73..00000000
--- a/strict/domains/program/unused/uptimed.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#DESC uptimed - a uptime daemon
-#
-# Author: Carsten Grohmann
-#
-# Date: 19. June 2003
-#
-
-#################################
-#
-# General Types
-#
-
-type uptimed_spool_t, file_type, sysadmfile;
-
-#################################
-#
-# Rules for the uptimed_t domain.
-#
-daemon_domain(uptimed, `,privmail')
-etc_domain(uptimed)
-typealias uptimed_etc_t alias etc_uptimed_t;
-file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)
-allow uptimed_t proc_t:file { getattr read };
-read_locale(uptimed_t)
-allow uptimed_t uptimed_spool_t:file create_file_perms;
-allow uptimed_t self:unix_dgram_socket create_socket_perms;
-
-# to send mail
-can_exec(uptimed_t, shell_exec_t)
-allow uptimed_t { bin_t sbin_t }:dir search;
-allow uptimed_t bin_t:lnk_file read;
-allow uptimed_t etc_runtime_t:file { getattr read };
-allow uptimed_t self:fifo_file { getattr write };
-
-# rules for uprecords - it runs in the user context
-allow userdomain uptimed_spool_t:dir search;
-allow userdomain uptimed_spool_t:file { getattr read };
diff --git a/strict/domains/program/unused/uwimapd.te b/strict/domains/program/unused/uwimapd.te
deleted file mode 100644
index f1f58316..00000000
--- a/strict/domains/program/unused/uwimapd.te
+++ /dev/null
@@ -1,47 +0,0 @@
-#DESC uw-imapd-ssl server
-#
-# Author: Ed Street
-# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)
-# Depends: inetd.te
-#
-
-daemon_domain(imapd, `, auth_chkpwd, privhome')
-tmp_domain(imapd)
-
-can_network_server_tcp(imapd_t)
-allow imapd_t port_type:tcp_socket name_connect;
-
-#declare our own services
-allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow imapd_t pop_port_t:tcp_socket name_bind;
-
-#declare this a socket from inetd
-allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow imapd_t self:unix_stream_socket create_socket_perms;
-domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')
-
-#friendly stuff we dont want to see :)
-dontaudit imapd_t bin_t:dir search;
-
-#read /etc/ for hostname nsswitch.conf
-allow imapd_t etc_t:file { getattr read };
-
-#socket i/o stuff
-allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };
-
-#read resolv.conf
-allow imapd_t net_conf_t:file { getattr read };
-
-#urandom, for ssl
-allow imapd_t random_device_t:chr_file read;
-allow imapd_t urandom_device_t:chr_file { read getattr };
-
-allow imapd_t self:fifo_file rw_file_perms;
-
-#mail directory
-rw_dir_file(imapd_t, mail_spool_t)
-
-#home directory
-allow imapd_t home_root_t:dir search;
-allow imapd_t self:file { read getattr };
diff --git a/strict/domains/program/unused/watchdog.te b/strict/domains/program/unused/watchdog.te
deleted file mode 100644
index 01ceea88..00000000
--- a/strict/domains/program/unused/watchdog.te
+++ /dev/null
@@ -1,55 +0,0 @@
-#DESC Watchdog - Software watchdog daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: watchdog
-#
-
-#################################
-#
-# Rules for the watchdog_t domain.
-#
-
-daemon_domain(watchdog, `, privmail')
-type watchdog_device_t, device_type, dev_fs;
-
-allow watchdog_t self:process setsched;
-
-log_domain(watchdog)
-
-allow watchdog_t etc_t:file r_file_perms;
-allow watchdog_t etc_t:lnk_file read;
-allow watchdog_t self:unix_dgram_socket create_socket_perms;
-
-allow watchdog_t proc_t:file r_file_perms;
-
-allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
-allow watchdog_t self:fifo_file rw_file_perms;
-allow watchdog_t self:unix_stream_socket create_socket_perms;
-can_network(watchdog_t)
-allow watchdog_t port_type:tcp_socket name_connect;
-can_ypbind(watchdog_t)
-allow watchdog_t bin_t:dir search;
-allow watchdog_t bin_t:lnk_file read;
-allow watchdog_t init_t:process signal;
-allow watchdog_t kernel_t:process sigstop;
-
-allow watchdog_t watchdog_device_t:chr_file { getattr write };
-
-# for orderly shutdown
-can_exec(watchdog_t, shell_exec_t)
-allow watchdog_t domain:process { signal_perms getsession };
-allow watchdog_t self:capability kill;
-allow watchdog_t sbin_t:dir search;
-
-# for updating mtab on umount
-file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)
-
-allow watchdog_t self:capability { sys_admin net_admin sys_boot };
-allow watchdog_t fixed_disk_device_t:blk_file swapon;
-allow watchdog_t { proc_t fs_t }:filesystem unmount;
-
-# record the fact that we are going down
-allow watchdog_t wtmp_t:file append;
-
-# do not care about saving the random seed
-dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;
diff --git a/strict/domains/program/unused/xprint.te b/strict/domains/program/unused/xprint.te
deleted file mode 100644
index e1af323e..00000000
--- a/strict/domains/program/unused/xprint.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC X print server
-#
-# Author: Russell Coker
-# X-Debian-Packages: xprt-xprintorg
-#
-
-#################################
-#
-# Rules for the xprint_t domain.
-#
-# xprint_exec_t is the type of the xprint executable.
-#
-daemon_domain(xprint)
-
-allow initrc_t readable_t:dir r_dir_perms;
-allow initrc_t fonts_t:dir r_dir_perms;
-
-allow xprint_t var_lib_t:dir search;
-allow xprint_t fonts_t:dir r_dir_perms;
-allow xprint_t fonts_t:file { getattr read };
-
-allow xprint_t { bin_t sbin_t }:dir search;
-can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t })
-allow xprint_t bin_t:lnk_file { getattr read };
-
-allow xprint_t tmp_t:dir { getattr search };
-ifdef(`xdm.te', `
-allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms;
-allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms;
-')
-
-# Use the network.
-can_network_server(xprint_t)
-can_ypbind(xprint_t)
-allow xprint_t self:fifo_file rw_file_perms;
-allow xprint_t self:unix_stream_socket create_stream_socket_perms;
-
-allow xprint_t proc_t:file { getattr read };
-allow xprint_t self:file { getattr read };
-
-# read config files
-allow xprint_t { etc_t etc_runtime_t }:file { getattr read };
-ifdef(`cups.te', `
-allow xprint_t cupsd_etc_t:dir search;
-allow xprint_t cupsd_etc_t:file { getattr read };
-')
-
-r_dir_file(xprint_t, usr_t)
-
-allow xprint_t urandom_device_t:chr_file { getattr read };
diff --git a/strict/domains/program/unused/yam.te b/strict/domains/program/unused/yam.te
deleted file mode 100644
index da85a8cf..00000000
--- a/strict/domains/program/unused/yam.te
+++ /dev/null
@@ -1,149 +0,0 @@
-# DESC yam - Yum/Apt Mirroring
-#
-# Author: David Hampton
-#
-
-
-#
-# Yam downloads lots of files, indexes them, and makes them available
-# for upload. Define a type for these file.
-#
-type yam_content_t, file_type, sysadmfile, httpdcontent;
-
-
-#
-# Common definitions used by both the command line and the cron
-# invocation of yam.
-#
-define(`yam_common',`
-
-# Update the content being managed by yam.
-create_dir_file($1_t, yam_content_t)
-
-# Content can also be on ISO image files.
-r_dir_file($1_t, iso9660_t)
-
-# Need to go through /var to get to /var/yam
-# Go through /var/www to get to /var/www/yam
-allow $1_t var_t:dir { getattr search };
-allow $1_t httpd_sys_content_t:dir { getattr search };
-
-# Allow access to locale database, nsswitch, and mtab
-read_locale($1_t)
-allow $1_t etc_t:file { getattr read };
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Python seems to need things from various places
-allow $1_t { bin_t sbin_t }:dir { search getattr };
-allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
-allow $1_t bin_t:lnk_file read;
-
-# Python works fine without reading /proc/meminfo
-dontaudit $1_t proc_t:dir search;
-dontaudit $1_t proc_t:file { getattr read };
-
-# Yam wants to run rsync, lftp, mount, and a shell. Allow the latter
-# two here. Run rsync and lftp in the yam_t context so that we dont
-# have to give any other programs write access to the yam_t files.
-general_domain_access($1_t)
-can_exec($1_t, shell_exec_t)
-can_exec($1_t, rsync_exec_t)
-can_exec($1_t, bin_t)
-can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
-ifdef(`mount.te', `
-domain_auto_trans($1_t, mount_exec_t, mount_t)
-')
-
-# Rsync and lftp need to network. They also set files attributes to
-# match whats on the remote server.
-can_network_client($1_t)
-allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect;
-allow $1_t self:capability { chown fowner fsetid dac_override };
-allow $1_t self:process execmem;
-
-# access to sysctl_kernel_t ( proc/sys/kernel/* )
-read_sysctl($1_t)
-
-# Programs invoked to build package lists need various permissions.
-# genpkglist creates tmp files in /var/cache/apt/genpkglist
-allow $1_t var_t:file { getattr read write };
-allow $1_t var_t:dir read;
-# mktemp
-allow $1_t urandom_device_t:chr_file read;
-# mv
-allow $1_t proc_t:lnk_file read;
-allow $1_t selinux_config_t:dir search;
-allow $1_t selinux_config_t:file { getattr read };
-')
-
-
-##########
-##########
-
-#
-# Runnig yam from the command line
-#
-application_domain(yam, `, nscd_client_domain')
-role system_r types yam_t;
-yam_common(yam)
-etc_domain(yam)
-tmp_domain(yam)
-
-# Terminal access
-allow yam_t devpts_t:dir search;
-allow yam_t devtty_t:chr_file { read write };
-allow yam_t sshd_t:fd use;
-allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
-
-# Reading dotfiles...
-allow yam_t sysadm_home_dir_t:dir search; # /root
-allow yam_t sysadm_home_t:dir search; # /root/xxx
-allow yam_t home_root_t:dir search; # /home
-allow yam_t user_home_dir_t:dir r_dir_perms; # /home/user
-
-
-##########
-##########
-
-#
-# Running yam from cron
-#
-application_domain(yam_crond, `, nscd_client_domain')
-role system_r types yam_crond_t;
-ifdef(`crond.te', `
-system_crond_entry(yam_exec_t, yam_crond_t)
-')
-
-yam_common(yam_crond)
-allow yam_crond_t yam_etc_t:file r_file_perms;
-file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
-
-allow yam_crond_t devtty_t:chr_file { read write };
-
-# Reading dotfiles...
-# LFTP uses a directory for its dotfiles
-allow yam_crond_t default_t:dir search;
-
-# Don't know why init tries to read this.
-allow initrc_t yam_etc_t:file { getattr read };
-
-
-##########
-##########
-
-# The whole point of this program is to make updates available on a
-# local web server. Allow apache access to these files.
-ifdef(`apache.te', `
-r_dir_file(httpd_t, yam_content_t)
-')
-
-ifdef(`webalizer.te', `
-dontaudit webalizer_t yam_content_t:dir search;
-')
-
-# Mount needs access to the yam directories in order to mount the ISO
-# files on a loobpack file system.
-ifdef(`mount.te', `
-allow mount_t yam_content_t:dir mounton;
-allow mount_t yam_content_t:file { read write };
-')
diff --git a/strict/domains/program/updfstab.te b/strict/domains/program/updfstab.te
deleted file mode 100644
index 82edf3d3..00000000
--- a/strict/domains/program/updfstab.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC updfstab - Red Hat utility to change /etc/fstab
-#
-# Author: Russell Coker
-#
-
-daemon_base_domain(updfstab, `, fs_domain, etc_writer')
-
-rw_dir_create_file(updfstab_t, etc_t)
-create_dir_file(updfstab_t, mnt_t)
-
-# Read /dev directories and modify sym-links
-allow updfstab_t device_t:dir rw_dir_perms;
-allow updfstab_t device_t:lnk_file create_file_perms;
-
-# Access disk devices.
-allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
-allow updfstab_t removable_device_t:blk_file rw_file_perms;
-allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
-
-# for /proc/partitions
-allow updfstab_t proc_t:file { getattr read };
-
-# for /proc/self/mounts
-r_dir_file(updfstab_t, self)
-
-# for /etc/mtab
-allow updfstab_t etc_runtime_t:file { getattr read };
-
-read_locale(updfstab_t)
-
-ifdef(`dbusd.te', `
-dbusd_client(system, updfstab)
-allow updfstab_t system_dbusd_t:dbus { send_msg };
-allow initrc_t updfstab_t:dbus send_msg;
-allow updfstab_t initrc_t:dbus send_msg;
-')
-
-# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
-# I will not allow it
-read_sysctl(updfstab_t)
-dontaudit updfstab_t sysctl_kernel_t:file write;
-allow updfstab_t modules_conf_t:file { getattr read };
-allow updfstab_t sbin_t:dir search;
-allow updfstab_t sbin_t:lnk_file read;
-allow updfstab_t { var_t var_log_t }:dir search;
-
-allow updfstab_t kernel_t:fd use;
-
-allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
-allow updfstab_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`modutil.te', `
-dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
-can_exec(updfstab_t, insmod_exec_t)
-allow updfstab_t modules_object_t:dir search;
-allow updfstab_t modules_dep_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
-')
-allow updfstab_t kernel_t:system syslog_console;
-allow updfstab_t sysadm_tty_device_t:chr_file { read write };
-allow updfstab_t self:capability dac_override;
-dontaudit updfstab_t self:capability sys_admin;
-
-r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
-can_getsecurity(updfstab_t)
-
-allow updfstab_t { sbin_t bin_t }:dir { search getattr };
-dontaudit updfstab_t devtty_t:chr_file { read write };
-allow updfstab_t self:fifo_file { getattr read write ioctl };
-can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
-dontaudit updfstab_t home_root_t:dir { getattr search };
-dontaudit updfstab_t { home_dir_type home_type }:dir search;
-allow updfstab_t fs_t:filesystem { getattr };
-allow updfstab_t tmpfs_t:dir getattr;
-ifdef(`hald.te', `
-can_unix_connect(updfstab_t, hald_t)
-')
-
diff --git a/strict/domains/program/usbmodules.te b/strict/domains/program/usbmodules.te
deleted file mode 100644
index f76f56b5..00000000
--- a/strict/domains/program/usbmodules.te
+++ /dev/null
@@ -1,35 +0,0 @@
-#DESC USBModules - List kernel modules for USB devices
-#
-# Author: Russell Coker
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the usbmodules_t domain.
-#
-type usbmodules_t, domain, privlog;
-type usbmodules_exec_t, file_type, sysadmfile, exec_type;
-
-in_user_role(usbmodules_t)
-role sysadm_r types usbmodules_t;
-role system_r types usbmodules_t;
-
-domain_auto_trans(initrc_t, usbmodules_exec_t, usbmodules_t)
-ifdef(`hotplug.te',`
-domain_auto_trans(hotplug_t, usbmodules_exec_t, usbmodules_t)
-allow usbmodules_t hotplug_etc_t:file r_file_perms;
-allow usbmodules_t hotplug_etc_t:dir search;
-')
-allow usbmodules_t init_t:fd use;
-allow usbmodules_t console_device_t:chr_file { read write };
-
-uses_shlib(usbmodules_t)
-
-# allow usb device access
-allow usbmodules_t usbdevfs_t:file rw_file_perms;
-
-allow usbmodules_t { etc_t modules_object_t proc_t usbdevfs_t }:dir r_dir_perms;
-
-# needs etc_t read access for the hotplug config, maybe should have a new type
-allow usbmodules_t { etc_t modules_dep_t }:file r_file_perms;
diff --git a/strict/domains/program/useradd.te b/strict/domains/program/useradd.te
deleted file mode 100644
index 1df38af0..00000000
--- a/strict/domains/program/useradd.te
+++ /dev/null
@@ -1,108 +0,0 @@
-#DESC Useradd - Manage system user accounts
-#
-# Authors: Chris Vance David Caplan
-# Russell Coker
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the useradd_t and groupadd_t domains.
-#
-# useradd_t is the domain of the useradd/userdel programs.
-# groupadd_t is for adding groups (can not create home dirs)
-#
-define(`user_group_add_program', `
-type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
-role sysadm_r types $1_t;
-role system_r types $1_t;
-
-general_domain_access($1_t)
-uses_shlib($1_t)
-
-type $1_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-
-# Use capabilities.
-allow $1_t self:capability { dac_override chown kill };
-
-# Allow access to context for shadow file
-can_getsecurity($1_t)
-
-# Inherit and use descriptors from login.
-allow $1_t { init_t privfd }:fd use;
-
-# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-allow $1_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec($1_t, { bin_t sbin_t })
-
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t etc_t:file create_file_perms;
-
-# some apps ask for these accesses, but seems to work regardless
-dontaudit $1_t var_run_t:dir search;
-r_dir_file($1_t, selinux_config_t)
-
-# Set fscreate context.
-can_setfscreate($1_t)
-
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-read_locale($1_t)
-
-# useradd/userdel request read/write for /var/log/lastlog, and read of /dev,
-# but will operate without them.
-dontaudit $1_t { device_t var_t var_log_t }:dir search;
-
-# For userdel and groupadd
-allow $1_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow $1_t ttyfile:chr_file rw_file_perms;
-allow $1_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-# for when /root is the cwd
-dontaudit $1_t sysadm_home_dir_t:dir search;
-nsswitch_domain($1_t)
-
-allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
-')
-user_group_add_program(useradd)
-allow useradd_t lastlog_t:file { getattr read write };
-
-# for getting the number of groups
-read_sysctl(useradd_t)
-
-# Add/remove user home directories
-file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
-
-# create/delete mail spool file in /var/mail
-allow useradd_t var_spool_t:dir search;
-allow useradd_t mail_spool_t:dir { search write add_name remove_name };
-allow useradd_t mail_spool_t:file create_file_perms;
-# /var/mail is a link to /var/spool/mail
-allow useradd_t mail_spool_t:lnk_file read;
-
-allow useradd_t self:capability { fowner fsetid setuid sys_resource };
-can_exec(useradd_t, shell_exec_t)
-
-# /usr/bin/userdel locks the user being deleted, allow write access to utmp
-allow useradd_t initrc_var_run_t:file { read write lock };
-
-user_group_add_program(groupadd)
-
-dontaudit groupadd_t self:capability fsetid;
-
-allow groupadd_t self:capability { setuid sys_resource };
-allow groupadd_t self:process setrlimit;
-allow groupadd_t initrc_var_run_t:file r_file_perms;
-dontaudit groupadd_t initrc_var_run_t:file write;
-
-allow useradd_t default_context_t:dir search;
-allow useradd_t file_context_t:dir search;
-allow useradd_t file_context_t:file { getattr read };
-allow useradd_t var_lib_t:dir search;
diff --git a/strict/domains/program/userhelper.te b/strict/domains/program/userhelper.te
deleted file mode 100644
index cab6c70f..00000000
--- a/strict/domains/program/userhelper.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors: Dan Walsh (Red Hat)
-# Maintained by Dan Walsh
-#
-
-#################################
-#
-# Rules for the userhelper_t domain.
-#
-# userhelper_exec_t is the type of the userhelper executable.
-# userhelper_conf_t is the type of the userhelper configuration files.
-#
-type userhelper_exec_t, file_type, exec_type, sysadmfile;
-type userhelper_conf_t, file_type, sysadmfile;
-
-# Everything else is in the userhelper_domain macro in
-# macros/program/userhelper_macros.te.
-
-ifdef(`xdm.te', `
-dontaudit xdm_t userhelper_conf_t:dir search;
-')
diff --git a/strict/domains/program/usernetctl.te b/strict/domains/program/usernetctl.te
deleted file mode 100644
index 6a2c64fd..00000000
--- a/strict/domains/program/usernetctl.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC usernetctl - User network interface configuration helper
-#
-# Author: Colin Walters
-
-type usernetctl_exec_t, file_type, sysadmfile, exec_type;
-
-type usernetctl_t, domain, privfd;
-
-if (user_net_control) {
-domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t)
-} else {
-can_exec(userdomain, usernetctl_exec_t)
-}
-in_user_role(usernetctl_t)
-role sysadm_r types usernetctl_t;
-
-define(`usernetctl_transition',`
-domain_auto_trans(usernetctl_t, $1_exec_t, $1_t)
-in_user_role($1_t)
-allow $1_t userpty_type:chr_file { getattr read write };
-')
-
-ifdef(`ifconfig.te',`
-usernetctl_transition(ifconfig)
-')
-ifdef(`iptables.te',`
-usernetctl_transition(iptables)
-')
-ifdef(`dhcpc.te',`
-usernetctl_transition(dhcpc)
-allow usernetctl_t dhcp_etc_t:file ra_file_perms;
-')
-ifdef(`modutil.te',`
-usernetctl_transition(insmod)
-')
-ifdef(`consoletype.te',`
-usernetctl_transition(consoletype)
-')
-ifdef(`hostname.te',`
-usernetctl_transition(hostname)
-')
-
-allow usernetctl_t self:capability { setuid setgid dac_override };
-
-base_file_read_access(usernetctl_t)
-base_pty_perms(usernetctl)
-allow usernetctl_t devtty_t:chr_file rw_file_perms;
-uses_shlib(usernetctl_t)
-read_locale(usernetctl_t)
-general_domain_access(usernetctl_t)
-
-r_dir_file(usernetctl_t, proc_t)
-dontaudit usernetctl_t { domain - usernetctl_t }:dir search;
-
-allow usernetctl_t userpty_type:chr_file rw_file_perms;
-
-can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t})
-can_exec(usernetctl_t, etc_t)
-
-r_dir_file(usernetctl_t, etc_t)
-allow usernetctl_t { var_t var_run_t }:dir { getattr read search };
-allow usernetctl_t etc_runtime_t:file r_file_perms;
-allow usernetctl_t net_conf_t:file r_file_perms;
-
diff --git a/strict/domains/program/utempter.te b/strict/domains/program/utempter.te
deleted file mode 100644
index 92b443fd..00000000
--- a/strict/domains/program/utempter.te
+++ /dev/null
@@ -1,51 +0,0 @@
-#DESC Utempter - Privileged helper for utmp/wtmp updates
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the utempter_t domain.
-#
-# This is the domain for the utempter program. utempter is
-# executed by xterm to update utmp and wtmp.
-# utempter_exec_t is the type of the utempter binary.
-#
-type utempter_t, domain, nscd_client_domain;
-in_user_role(utempter_t)
-role sysadm_r types utempter_t;
-uses_shlib(utempter_t)
-type utempter_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
-
-allow utempter_t urandom_device_t:chr_file { getattr read };
-
-# Use capabilities.
-allow utempter_t self:capability setgid;
-
-allow utempter_t etc_t:file { getattr read };
-
-# Update /var/run/utmp and /var/log/wtmp.
-allow utempter_t initrc_var_run_t:file rw_file_perms;
-allow utempter_t var_log_t:dir search;
-allow utempter_t wtmp_t:file rw_file_perms;
-
-# dontaudit access to /dev/ptmx.
-dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
-dontaudit utempter_t sysadm_devpts_t:chr_file { read write };
-
-# Allow utemper to write to /tmp/.xses-*
-allow utempter_t user_tmpfile:file { getattr write append };
-
-# Inherit and use descriptors from login.
-allow utempter_t privfd:fd use;
-ifdef(`xdm.te', `can_pipe_xdm(utempter_t)')
-
-allow utempter_t self:unix_stream_socket create_stream_socket_perms;
-
-# Access terminals.
-allow utempter_t ttyfile:chr_file getattr;
-allow utempter_t ptyfile:chr_file getattr;
-allow utempter_t devpts_t:dir search;
-dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write };
diff --git a/strict/domains/program/uucpd.te b/strict/domains/program/uucpd.te
deleted file mode 100644
index 05791bd3..00000000
--- a/strict/domains/program/uucpd.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC uucpd - UUCP file transfer daemon
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the uucpd_t domain.
-#
-# uucpd_exec_t is the type of the uucpd executable.
-#
-
-inetd_child_domain(uucpd, tcp)
-type uucpd_rw_t, file_type, sysadmfile;
-type uucpd_ro_t, file_type, sysadmfile;
-type uucpd_spool_t, file_type, sysadmfile;
-create_dir_file(uucpd_t, uucpd_rw_t)
-r_dir_file(uucpd_t, uucpd_ro_t)
-allow uucpd_t sbin_t:dir search;
-can_exec(uucpd_t, sbin_t)
-logdir_domain(uucpd)
-allow uucpd_t var_spool_t:dir search;
-create_dir_file(uucpd_t, uucpd_spool_t)
diff --git a/strict/domains/program/vmware.te b/strict/domains/program/vmware.te
deleted file mode 100644
index fcda9b83..00000000
--- a/strict/domains/program/vmware.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC VMWare - Virtual machine
-#
-# Domains,types and permissions for running VMWare (the program) and for
-# running a SELinux system in a VMWare session (the VMWare-tools).
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
-# modifications by NAI Labs.
-#
-# Domain is for the VMWare admin programs and daemons.
-# X-Debian-Packages:
-#
-# NOTE: The user vmware domain is provided separately in
-# macros/program/vmware_macros.te
-#
-# Next two domains are create by the daemon_domain() macro.
-# The vmware_t domain is for running VMWare daemons
-# The vmware_exec_t type is for the VMWare daemon and admin programs.
-#
-# quick hack making it privhome, should have a domain for each user in a macro
-daemon_domain(vmware, `, privhome')
-
-#
-# The vmware_user_exec_t type is for the user programs.
-#
-type vmware_user_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for vmware devices.
-type vmware_device_t, device_type, dev_fs;
-
-# The sys configuration used for the /etc/vmware configuration files
-type vmware_sys_conf_t, file_type, sysadmfile;
-
-#########################################################################
-# Additional rules to start/stop VMWare
-#
-
-# Give init access to VMWare configuration files
-allow initrc_t vmware_sys_conf_t:file { ioctl read append };
-
-#
-# Rules added to kernel_t domain for VMWare to start up
-#
-# VMWare need access to pcmcia devices for network
-ifdef(`cardmgr.te', `
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
-')
-
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
diff --git a/strict/domains/program/vpnc.te b/strict/domains/program/vpnc.te
deleted file mode 100644
index 01ddac16..00000000
--- a/strict/domains/program/vpnc.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC vpnc
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the vpnc_t domain, et al.
-#
-# vpnc_t is the domain for the vpnc program.
-# vpnc_exec_t is the type of the vpnc executable.
-#
-application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
-
-allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-# Use the network.
-can_network(vpnc_t)
-allow vpnc_t port_type:tcp_socket name_connect;
-allow vpnc_t isakmp_port_t:udp_socket name_bind;
-
-can_ypbind(vpnc_t)
-allow vpnc_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
-
-allow vpnc_t devpts_t:dir search;
-allow vpnc_t etc_t:file { getattr read };
-allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
-allow vpnc_t self:rawip_socket create_socket_perms;
-allow vpnc_t self:unix_dgram_socket create_socket_perms;
-allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
-allow vpnc_t port_t:udp_socket name_bind;
-allow vpnc_t etc_runtime_t:file { getattr read };
-allow vpnc_t proc_t:file { getattr read };
-dontaudit vpnc_t selinux_config_t:dir search;
-can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
-allow vpnc_t sysctl_net_t:dir search;
-allow vpnc_t sysctl_net_t:file write;
-allow vpnc_t sbin_t:dir search;
-allow vpnc_t bin_t:dir search;
-allow vpnc_t bin_t:lnk_file read;
-allow vpnc_t self:dir search;
-r_dir_file(vpnc_t, proc_t)
-r_dir_file(vpnc_t, proc_net_t)
-tmp_domain(vpnc)
-allow vpnc_t self:fifo_file { getattr ioctl read write };
-allow vpnc_t self:file { getattr read };
-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
-allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
-dontaudit vpnc_t home_root_t:dir search;
-dontaudit vpnc_t user_home_dir_type:dir search;
-var_run_domain(vpnc)
-allow vpnc_t userdomain:fd use;
-r_dir_file(vpnc_t, sysfs_t)
-allow vpnc_t self:process { fork sigchld };
-read_locale(vpnc_t)
-read_sysctl(vpnc_t)
-allow vpnc_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/webalizer.te b/strict/domains/program/webalizer.te
deleted file mode 100644
index c1f38bde..00000000
--- a/strict/domains/program/webalizer.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# DESC webalizer - webalizer
-#
-# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
-#
-# Depends: apache.te
-
-application_domain(webalizer, `, nscd_client_domain')
-# to use from cron
-system_crond_entry(webalizer_exec_t,webalizer_t)
-role system_r types webalizer_t;
-
-##type definision
-# type for usage file
-type webalizer_usage_t,file_type,sysadmfile;
-# type for /var/lib/webalizer
-type webalizer_write_t,file_type,sysadmfile;
-# type for webalizer.conf
-etc_domain(webalizer)
-
-#read apache log
-allow webalizer_t var_log_t:dir r_dir_perms;
-r_dir_file(webalizer_t, httpd_log_t)
-ifdef(`ftpd.te', `
-allow webalizer_t xferlog_t:file { getattr read };
-')
-
-#r/w /var/lib/webalizer
-var_lib_domain(webalizer)
-
-#read /var/www/usage
-create_dir_file(webalizer_t, httpd_sys_content_t)
-
-#read system files under /etc
-allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale(webalizer_t)
-
-# can use tmp file
-tmp_domain(webalizer)
-
-# can read /proc
-read_sysctl(webalizer_t)
-allow webalizer_t proc_t:dir search;
-allow webalizer_t proc_t:file r_file_perms;
-
-# network
-can_network_server(webalizer_t)
-
-#process communication inside webalizer itself
-general_domain_access(webalizer_t)
-
-allow webalizer_t self:capability dac_override;
diff --git a/strict/domains/program/winbind.te b/strict/domains/program/winbind.te
deleted file mode 100644
index 7b9e5e98..00000000
--- a/strict/domains/program/winbind.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC winbind - Name Service Switch daemon for resolving names from NT servers
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for winbind
-#
-
-daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
-log_domain(winbind)
-tmp_domain(winbind)
-allow winbind_t etc_t:file r_file_perms;
-allow winbind_t etc_t:lnk_file read;
-can_network(winbind_t)
-allow winbind_t smbd_port_t:tcp_socket name_connect;
-can_resolve(winbind_t)
-
-ifdef(`samba.te', `', `
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_secrets_t, file_type, sysadmfile;
-')
-file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
-rw_dir_create_file(winbind_t, samba_log_t)
-allow winbind_t samba_secrets_t:file rw_file_perms;
-allow winbind_t self:unix_dgram_socket create_socket_perms;
-allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_t urandom_device_t:chr_file { getattr read };
-allow winbind_t self:fifo_file { read write };
-rw_dir_create_file(winbind_t, samba_var_t)
-can_kerberos(winbind_t)
-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow winbind_t winbind_var_run_t:sock_file create_file_perms;
-allow initrc_t winbind_var_run_t:file r_file_perms;
-
-application_domain(winbind_helper, `, nscd_client_domain')
-role system_r types winbind_helper_t;
-access_terminal(winbind_helper_t, sysadm)
-read_locale(winbind_helper_t)
-r_dir_file(winbind_helper_t, samba_etc_t)
-r_dir_file(winbind_t, samba_etc_t)
-allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
-allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_helper_t samba_var_t:dir search;
-allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
-can_winbind(winbind_helper_t)
-allow winbind_helper_t privfd:fd use;
diff --git a/strict/domains/program/xauth.te b/strict/domains/program/xauth.te
deleted file mode 100644
index 6382d77a..00000000
--- a/strict/domains/program/xauth.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Xauth - X authority file utility
-#
-# Domains for the xauth program.
-# X-Debian-Packages: xbase-clients
-
-# Author: Russell Coker
-#
-# xauth_exec_t is the type of the xauth executable.
-#
-type xauth_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the xauth_domain macro in
-# macros/program/xauth_macros.te.
diff --git a/strict/domains/program/xdm.te b/strict/domains/program/xdm.te
deleted file mode 100644
index e3e9c8da..00000000
--- a/strict/domains/program/xdm.te
+++ /dev/null
@@ -1,376 +0,0 @@
-#DESC XDM - X Display Manager
-#
-# Authors: Mark Westerman mark.westerman@westcam.com
-# Russell Coker
-# X-Debian-Packages: gdm xdm wdm kdm
-# Depends: xserver.te
-#
-# Some wdm-specific changes by Tom Vogt
-#
-# Some alterations and documentation by Stephen Smalley
-#
-
-#################################
-#
-# Rules for the xdm_t domain.
-#
-# xdm_t is the domain of a X Display Manager process
-# spawned by getty.
-# xdm_exec_t is the type of the [xgkw]dm program
-#
-daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
-
-# for running xdm from init
-domain_auto_trans(init_t, xdm_exec_t, xdm_t)
-
-allow xdm_t xdm_var_run_t:dir setattr;
-
-# for xdmctl
-allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
-allow initrc_t xdm_var_run_t:fifo_file unlink;
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
-
-tmp_domain(xdm, `', `{ file dir sock_file }')
-var_lib_domain(xdm)
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-# handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-type xsession_exec_t, file_type, sysadmfile, exec_type;
-type xdm_rw_etc_t, file_type, sysadmfile;
-typealias xdm_rw_etc_t alias etc_xdm_t;
-
-allow xdm_t default_context_t:dir search;
-allow xdm_t default_context_t:{ file lnk_file } { read getattr };
-
-can_network(xdm_t)
-allow xdm_t port_type:tcp_socket name_connect;
-allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
-allow xdm_t self:fifo_file rw_file_perms;
-
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
-allow xdm_xserver_t xdm_t:process signal;
-# for reboot
-allow xdm_t initctl_t:fifo_file write;
-
-# init script wants to check if it needs to update windowmanagerlist
-allow initrc_t xdm_rw_etc_t:file { getattr read };
-ifdef(`distro_suse', `
-# set permissions on /tmp/.X11-unix
-allow initrc_t xdm_tmp_t:dir setattr;
-')
-
-#
-# Use capabilities.
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
-
-allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
-
-# Transition to user domains for user sessions.
-domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
-allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
-allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
-allow unpriv_userdomain xdm_xserver_t:fd use;
-allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
-allow xdm_xserver_t unpriv_userdomain:fd use;
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# gnome-session creates socket under /tmp/.ICE-unix/
-allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
-allow unpriv_userdomain xdm_tmp_t:sock_file create;
-
-# Allow xdm logins as sysadm_r:sysadm_t
-bool xdm_sysadm_login false;
-if (xdm_sysadm_login) {
-domain_trans(xdm_t, xsession_exec_t, sysadm_t)
-allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
-allow sysadm_t xdm_xserver_t:shm r_shm_perms;
-allow sysadm_t xdm_xserver_t:fd use;
-allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
-allow xdm_xserver_t sysadm_t:fd use;
-}
-can_setexec(xdm_t)
-
-# Label pid and temporary files with derived types.
-rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
-allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
-
-# Run helper programs.
-allow xdm_t etc_t:file { getattr read };
-allow xdm_t bin_t:dir { getattr search };
-# lib_t is for running cpp
-can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
-allow xdm_t { bin_t sbin_t }:lnk_file read;
-ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
-ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
-allow xdm_t xdm_xserver_t:process sigkill;
-allow xdm_t xdm_xserver_tmp_t:file unlink;
-
-# Access devices.
-allow xdm_t device_t:dir { read search };
-allow xdm_t console_device_t:chr_file setattr;
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-allow xdm_t framebuf_device_t:chr_file { getattr setattr };
-allow xdm_t mouse_device_t:chr_file { getattr setattr };
-allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
-allow xdm_t dri_device_t:chr_file rw_file_perms;
-allow xdm_t device_t:dir rw_dir_perms;
-allow xdm_t agp_device_t:chr_file rw_file_perms;
-allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
-allow xdm_t v4l_device_t:chr_file { setattr getattr };
-allow xdm_t scanner_device_t:chr_file { setattr getattr };
-allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
-allow xdm_t device_t:lnk_file read;
-can_resmgrd_connect(xdm_t)
-
-# Access xdm log files.
-file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
-allow xdm_t xserver_log_t:dir rw_dir_perms;
-allow xdm_t xserver_log_t:dir setattr;
-# Access /var/gdm/.gdmfifo.
-allow xdm_t xserver_log_t:fifo_file create_file_perms;
-
-allow xdm_t self:shm create_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
-allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
-
-# Remove /tmp/.X11-unix/X0.
-allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
-allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-
-ifdef(`gpm.te', `
-# Talk to the console mouse server.
-allow xdm_t gpmctl_t:sock_file { getattr setattr write };
-allow xdm_t gpm_t:unix_stream_socket connectto;
-')
-
-allow xdm_t sysfs_t:dir search;
-
-# Update utmp and wtmp.
-allow xdm_t initrc_var_run_t: file { read write lock };
-allow xdm_t wtmp_t:file append;
-
-# Update lastlog.
-allow xdm_t lastlog_t:file rw_file_perms;
-
-# Ask the security server for SIDs for user sessions.
-can_getsecurity(xdm_t)
-
-tmpfs_domain(xdm)
-
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-lock_domain(xdm)
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-allow xdm_t xfs_tmp_t:dir search;
-allow xdm_t xfs_tmp_t:sock_file write;
-can_unix_connect(xdm_t, xfs_t)
-')
-
-allow xdm_t self:process { setpgid setsched };
-allow xdm_t etc_t:lnk_file read;
-allow xdm_t etc_runtime_t:file { getattr read };
-
-# wdm has its own config dir /etc/X11/wdm
-# this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
-# Signal any user domain.
-allow xdm_t userdomain:process signal_perms;
-
-allow xdm_t proc_t:file { getattr read };
-
-read_sysctl(xdm_t)
-
-# Search /proc for any user domain processes.
-allow xdm_t userdomain:dir r_dir_perms;
-allow xdm_t userdomain:{ file lnk_file } r_file_perms;
-
-# Allow xdm access to the user domains
-allow xdm_t home_root_t:dir search;
-allow xdm_xserver_t home_root_t:dir search;
-
-# Do not audit denied attempts to access devices.
-dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
-dontaudit xdm_t device_t:file_class_set rw_file_perms;
-dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t devpts_t:dir search;
-
-# Do not audit denied probes of /proc.
-dontaudit xdm_t domain:dir r_dir_perms;
-dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
-
-# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
-allow xdm_t usr_t:{ lnk_file file } { getattr read };
-
-# Read fonts
-read_fonts(xdm_t)
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-# Do not audit access to /root
-dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# Do not audit attempts to check whether user root has email
-dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
-dontaudit xdm_t mail_spool_t:file getattr;
-
-# Access sound device.
-allow xdm_t sound_device_t:chr_file { setattr getattr };
-
-# Allow setting of attributes on power management devices.
-allow xdm_t power_device_t:chr_file { getattr setattr };
-
-# Run the X server in a derived domain.
-xserver_domain(xdm)
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file create_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-# Unrestricted inheritance.
-allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
-
-# Run xkbcomp.
-allow xdm_xserver_t var_lib_t:dir search;
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-
-# Insert video drivers.
-allow xdm_xserver_t self:capability mknod;
-allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
-domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
-allow insmod_t xserver_log_t:file write;
-allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
-
-# Read /proc/dri/.*
-allow xdm_xserver_t proc_t:dir { search read };
-
-# Search /var/run.
-allow xdm_xserver_t var_run_t:dir search;
-
-# FIXME: After per user fonts are properly working
-# xdm_xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-
-# Search home directories.
-allow xdm_xserver_t user_home_type:dir search;
-allow xdm_xserver_t user_home_type:file { getattr read };
-
-if (use_nfs_home_dirs) {
-allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
-allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, cifs_t)
-}
-
-# for .dmrc
-allow xdm_t user_home_dir_type:dir { getattr search };
-allow xdm_t user_home_type:file { getattr read };
-
-ifdef(`support_polyinstatiation', `
-# xdm_t can polyinstantiate
-polyinstantiater(xdm_t)
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-')
-
-allow xdm_t mnt_t:dir { getattr read search };
-#
-# Wants to delete .xsession-errors file
-#
-allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-ifdef(`pam.te', `
-allow xdm_t pam_var_run_t:dir create_dir_perms;
-allow xdm_t pam_var_run_t:file create_file_perms;
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
-can_exec(xdm_t, pam_exec_t)
-# For pam_console
-rw_dir_create_file(xdm_t, pam_var_console_t)
-')
-
-# Pamconsole/alsa
-ifdef(`alsa.te', `
-domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
-') dnl ifdef
-
-allow xdm_t var_log_t:file { getattr read };
-allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process setrlimit;
-allow xdm_t wtmp_t:file { getattr read };
-
-domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
-#
-# Poweroff wants to create the /poweroff file when run from xdm
-#
-file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
-
-#
-# xdm tries to bind to biff_port_t
-#
-dontaudit xdm_t port_type:tcp_socket name_bind;
-
-# VNC v4 module in X server
-allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
-ifdef(`crack.te', `
-allow xdm_t crack_db_t:file r_file_perms;
-')
-r_dir_file(xdm_t, selinux_config_t)
-
-# Run telinit->init to shutdown.
-can_exec(xdm_t, init_exec_t)
-allow xdm_t self:sem create_sem_perms;
-
-# Allow gdm to run gdm-binary
-can_exec(xdm_t, xdm_exec_t)
-
-# Supress permission check on .ICE-unix
-dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
-
-#### Also see xdm_macros.te
-ifdef(`use_mcs', `
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-')
diff --git a/strict/domains/program/xfs.te b/strict/domains/program/xfs.te
deleted file mode 100644
index 04302cde..00000000
--- a/strict/domains/program/xfs.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC XFS - X Font Server
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: xfs
-#
-
-#################################
-#
-# Rules for the xfs_t domain.
-#
-# xfs_t is the domain of the X font server.
-# xfs_exec_t is the type of the xfs executable.
-#
-daemon_domain(xfs)
-
-# for /tmp/.font-unix/fs7100
-ifdef(`distro_debian', `
-type xfs_tmp_t, file_type, sysadmfile, tmpfile;
-allow xfs_t tmp_t:dir search;
-file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
-', `
-tmp_domain(xfs, `', `{dir sock_file}')
-')
-
-allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
-allow xfs_t proc_t:file { getattr read };
-
-allow xfs_t self:process setpgid;
-can_ypbind(xfs_t)
-
-# Use capabilities.
-allow xfs_t self:capability { setgid setuid };
-
-# Bind to /tmp/.font-unix/fs-1.
-allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-allow xfs_t self:unix_stream_socket create_stream_socket_perms;
-allow xfs_t self:unix_dgram_socket create_socket_perms;
-
-# Read fonts
-read_fonts(xfs_t)
-
-# Unlink the xfs socket.
-allow initrc_t xfs_tmp_t:dir rw_dir_perms;
-allow initrc_t xfs_tmp_t:dir rmdir;
-allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
-allow initrc_t fonts_t:dir create_dir_perms;
-allow initrc_t fonts_t:file create_file_perms;
-
diff --git a/strict/domains/program/xserver.te b/strict/domains/program/xserver.te
deleted file mode 100644
index cc2c493e..00000000
--- a/strict/domains/program/xserver.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC XServer - X Server
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: xserver-common xserver-xfree86
-#
-
-# Type for the executable used to start the X server, e.g. Xwrapper.
-type xserver_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for the X server log file.
-type xserver_log_t, file_type, sysadmfile, logfile;
-
-# type for /var/lib/xkb
-type xkb_var_lib_t, file_type, sysadmfile, usercanread;
-typealias xkb_var_lib_t alias var_lib_xkb_t;
-
-# Everything else is in the xserver_domain macro in
-# macros/program/xserver_macros.te.
-
-allow initrc_t xserver_log_t:fifo_file { read write };
diff --git a/strict/domains/program/ypbind.te b/strict/domains/program/ypbind.te
deleted file mode 100644
index ed7c3f80..00000000
--- a/strict/domains/program/ypbind.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC Ypbind - NIS/YP
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: nis
-# Depends: portmap.te named.te
-#
-
-#################################
-#
-# Rules for the ypbind_t domain.
-#
-daemon_domain(ypbind)
-
-tmp_domain(ypbind)
-
-# Use capabilities.
-allow ypbind_t self:capability { net_bind_service };
-dontaudit ypbind_t self:capability net_admin;
-
-# Use the network.
-can_network(ypbind_t)
-allow ypbind_t port_type:tcp_socket name_connect;
-allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
-
-allow ypbind_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypbind_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypbind_t, portmap_t)
-can_udp_send(ypbind_t, initrc_t)
-
-# Read and write /var/yp.
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
-allow initrc_t var_yp_t:dir { getattr read };
-allow ypbind_t etc_t:file { getattr read };
-allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_udp_send(initrc_t, ypbind_t)
-
diff --git a/strict/domains/program/yppasswdd.te b/strict/domains/program/yppasswdd.te
deleted file mode 100644
index b7588a2f..00000000
--- a/strict/domains/program/yppasswdd.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC yppassdd - NIS password update daemon
-#
-# Authors: Dan Walsh
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the yppasswdd_t domain.
-#
-daemon_domain(yppasswdd, `, auth_write, privowner')
-
-# Use capabilities.
-allow yppasswdd_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(yppasswdd_t)
-
-read_sysctl(yppasswdd_t)
-
-# Send to portmap and initrc.
-can_udp_send(yppasswdd_t, portmap_t)
-can_udp_send(yppasswdd_t, initrc_t)
-
-allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
-allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
-allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
-file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
-allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate(yppasswdd_t)
-allow yppasswdd_t proc_t:file getattr;
-allow yppasswdd_t { bin_t sbin_t }:dir search;
-allow yppasswdd_t bin_t:lnk_file read;
-can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
-allow yppasswdd_t self:fifo_file rw_file_perms;
-rw_dir_create_file(yppasswdd_t, var_yp_t)
diff --git a/strict/domains/program/ypserv.te b/strict/domains/program/ypserv.te
deleted file mode 100644
index 1ecc731d..00000000
--- a/strict/domains/program/ypserv.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC Ypserv - NIS/YP
-#
-# Authors: Dan Walsh
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the ypserv_t domain.
-#
-daemon_domain(ypserv)
-
-tmp_domain(ypserv)
-
-# Use capabilities.
-allow ypserv_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(ypserv_t)
-
-allow ypserv_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypserv_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypserv_t, portmap_t)
-can_udp_send(ypserv_t, initrc_t)
-
-type ypserv_conf_t, file_type, sysadmfile;
-
-# Read and write /var/yp.
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
-allow ypserv_t ypserv_conf_t:file { getattr read };
-allow ypserv_t self:unix_dgram_socket create_socket_perms;
-allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`rpcd.te', `
-allow rpcd_t ypserv_conf_t:file { getattr read };
-')
-allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_exec(ypserv_t, bin_t)
diff --git a/strict/domains/program/zebra.te b/strict/domains/program/zebra.te
deleted file mode 100644
index 640c6211..00000000
--- a/strict/domains/program/zebra.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC Zebra - BGP server
-#
-# Author: Russell Coker
-# X-Debian-Packages: zebra
-#
-
-daemon_domain(zebra, `, sysctl_net_writer')
-type zebra_conf_t, file_type, sysadmfile;
-r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
-
-can_network_server(zebra_t)
-can_ypbind(zebra_t)
-allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow zebra_t self:process setcap;
-allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
-file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
-
-logdir_domain(zebra)
-
-# /tmp/.bgpd is such a bad idea!
-tmp_domain(zebra, `', sock_file)
-
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
-allow zebra_t zebra_port_t:tcp_socket name_bind;
-
-allow zebra_t proc_t:file { getattr read };
-allow zebra_t { sysctl_t sysctl_net_t }:dir search;
-allow zebra_t sysctl_net_t:file rw_file_perms;
diff --git a/strict/domains/user.te b/strict/domains/user.te
deleted file mode 100644
index d86e5d49..00000000
--- a/strict/domains/user.te
+++ /dev/null
@@ -1,108 +0,0 @@
-#DESC User - Domains for ordinary users.
-#
-#################################
-
-# Booleans for user domains.
-
-# Allow applications to read untrusted content
-# If this is disallowed, Internet content has
-# to be manually relabeled for read access to be granted
-bool read_untrusted_content false;
-
-# Allow applications to write untrusted content
-# If this is disallowed, no Internet content
-# will be stored.
-bool write_untrusted_content false;
-
-# Allow users to read system messages.
-bool user_dmesg false;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Allow making anonymous memory executable, e.g.
-# for runtime-code generation or executable stack.
-bool allow_execmem false;
-
-# Allow making the stack executable via mprotect.
-# Also requires allow_execmem.
-bool allow_execstack false;
-
-# Allow making a modified private file mapping executable (text relocation).
-bool allow_execmod false;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols
-bool user_tcp_server false;
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow system to run with kerberos
-bool allow_kerberos false;
-
-# Allow users to rw usb devices
-bool user_rw_usb false;
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-bool user_net_control false;
-
-# Allow regular users direct mouse access
-bool user_direct_mouse false;
-
-# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
-bool user_rw_noexattrfile false;
-
-# Allow reading of default_t files.
-bool read_default_t false;
-
-# Allow staff_r users to search the sysadm home dir and read
-# files (such as ~/.bashrc)
-bool staff_read_sysadm_file false;
-
-
-full_user_role(user)
-
-ifdef(`user_canbe_sysadm', `
-reach_sysadm(user)
-role_tty_type_change(user, sysadm)
-')
-
-# Do not add any rules referring to user_t to this file! That will break
-# support for multiple user roles.
-
-# a role for staff that allows seeing all domains and control over the user_t
-# domain
-full_user_role(staff)
-
-priv_user(staff)
-# if adding new user roles make sure you edit the in_user_role macro in
-# macros/user_macros.te to match
-
-# lots of user programs accidentally search /root, and also the admin often
-# logs in as UID=0 domain=user_t...
-dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-#
-# Allow the user roles to transition
-# into each other.
-role_tty_type_change(sysadm, user)
-role_tty_type_change(staff, sysadm)
-role_tty_type_change(sysadm, staff)
-role_tty_type_change(sysadm, secadm)
-role_tty_type_change(staff, secadm)
-
-# "ps aux" and "ls -l /dev/pts" make too much noise without this
-dontaudit unpriv_userdomain ptyfile:chr_file getattr;
-
-# to allow w to display everyone...
-bool user_ttyfile_stat false;
-
-if (user_ttyfile_stat) {
-allow userdomain ttyfile:chr_file getattr;
-}
-
diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc
deleted file mode 100644
index 6024f6ad..00000000
--- a/strict/file_contexts/distros.fc
+++ /dev/null
@@ -1,164 +0,0 @@
-ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
-/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
-/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t
-/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t
-/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t
-/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t
-/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
-/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
-/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
-#
-# /emul/ia32-linux/usr
-#
-/emul(/.*)? system_u:object_r:usr_t
-/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
-/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
-/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t
-# /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
-# /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t
-# /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t
-
-ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
-')
-
-# The following are libraries with text relocations in need of execmod permissions
-# Some of them should be fixed and removed from this list
-
-# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
-/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program(/.*)? system_u:object_r:bin_t
-/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t
-/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t
-
-# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t
-
-# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t
-
-# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
-
-# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
-/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
-
-# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
-
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t
-')
-
-ifdef(`distro_suse', `
-/var/lib/samba/bin/.+ system_u:object_r:bin_t
-/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t
-/usr/lib/samba/classic/.* -- system_u:object_r:bin_t
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/success -- system_u:object_r:etc_runtime_t
-/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t
-')
diff --git a/strict/file_contexts/program/NetworkManager.fc b/strict/file_contexts/program/NetworkManager.fc
deleted file mode 100644
index 99ea03d1..00000000
--- a/strict/file_contexts/program/NetworkManager.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# NetworkManager
-/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t
diff --git a/strict/file_contexts/program/acct.fc b/strict/file_contexts/program/acct.fc
deleted file mode 100644
index 7616d8b5..00000000
--- a/strict/file_contexts/program/acct.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# berkeley process accounting
-/sbin/accton -- system_u:object_r:acct_exec_t
-/usr/sbin/accton -- system_u:object_r:acct_exec_t
-/var/account(/.*)? system_u:object_r:acct_data_t
-/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t
diff --git a/strict/file_contexts/program/afs.fc b/strict/file_contexts/program/afs.fc
deleted file mode 100644
index fb49f336..00000000
--- a/strict/file_contexts/program/afs.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# afs
-/usr/afs/bin/bosserver -- system_u:object_r:afs_bosserver_exec_t
-/usr/afs/bin/kaserver -- system_u:object_r:afs_kaserver_exec_t
-/usr/afs/bin/vlserver -- system_u:object_r:afs_vlserver_exec_t
-/usr/afs/bin/ptserver -- system_u:object_r:afs_ptserver_exec_t
-/usr/afs/bin/fileserver -- system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/volserver -- system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/salvager -- system_u:object_r:afs_fsserver_exec_t
-
-/usr/afs/logs(/.*)? system_u:object_r:afs_logfile_t
-/usr/afs/etc(/.*)? system_u:object_r:afs_config_t
-/usr/afs/local(/.*)? system_u:object_r:afs_config_t
-/usr/afs/db -d system_u:object_r:afs_dbdir_t
-/usr/afs/db/pr.* -- system_u:object_r:afs_pt_db_t
-/usr/afs/db/ka.* -- system_u:object_r:afs_ka_db_t
-/usr/afs/db/vl.* -- system_u:object_r:afs_vl_db_t
-
-/vicepa system_u:object_r:afs_files_t
-/vicepb system_u:object_r:afs_files_t
-/vicepc system_u:object_r:afs_files_t
diff --git a/strict/file_contexts/program/alsa.fc b/strict/file_contexts/program/alsa.fc
deleted file mode 100644
index 837b071c..00000000
--- a/strict/file_contexts/program/alsa.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC ainit - configuration tool for ALSA
-/usr/bin/ainit -- system_u:object_r:alsa_exec_t
-/etc/alsa/pcm(/.*)? system_u:object_r:alsa_etc_rw_t
diff --git a/strict/file_contexts/program/amanda.fc b/strict/file_contexts/program/amanda.fc
deleted file mode 100644
index 09dd2fec..00000000
--- a/strict/file_contexts/program/amanda.fc
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# Author: Carsten Grohmann
-#
-
-# amanda
-/etc/amanda(/.*)? system_u:object_r:amanda_config_t
-/etc/amanda/.*/tapelist(/.*)? system_u:object_r:amanda_data_t
-/etc/amandates system_u:object_r:amanda_amandates_t
-/etc/dumpdates system_u:object_r:amanda_dumpdates_t
-/root/restore -d system_u:object_r:amanda_recover_dir_t
-/tmp/amanda(/.*)? system_u:object_r:amanda_tmp_t
-/usr/lib(64)?/amanda -d system_u:object_r:amanda_usr_lib_t
-/usr/lib(64)?/amanda/amandad -- system_u:object_r:amanda_inetd_exec_t
-/usr/lib(64)?/amanda/amcat\.awk -- system_u:object_r:amanda_script_exec_t
-/usr/lib(64)?/amanda/amcleanupdisk -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/amidxtaped -- system_u:object_r:amanda_inetd_exec_t
-/usr/lib(64)?/amanda/amindexd -- system_u:object_r:amanda_inetd_exec_t
-/usr/lib(64)?/amanda/amlogroll -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/amplot\.awk -- system_u:object_r:amanda_script_exec_t
-/usr/lib(64)?/amanda/amplot\.g -- system_u:object_r:amanda_script_exec_t
-/usr/lib(64)?/amanda/amplot\.gp -- system_u:object_r:amanda_script_exec_t
-/usr/lib(64)?/amanda/amtrmidx -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/amtrmlog -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/calcsize -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-chio -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-chs -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-manual -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-mtx -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-multi -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-rth -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-scsi -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-zd-mtx -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/driver -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/dumper -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/killpgrp -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/patch-system -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/planner -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/rundump -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/runtar -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/selfcheck -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/sendbackup -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/sendsize -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/taper -- system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/versionsuffix -- system_u:object_r:amanda_exec_t
-/usr/sbin/amadmin -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amcheck -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amcheckdb -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amcleanup -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amdump -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amflush -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amgetconf -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amlabel -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amoverview -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amplot -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amrecover -- system_u:object_r:amanda_recover_exec_t
-/usr/sbin/amreport -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amrestore -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amrmtape -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amstatus -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amtape -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amtoc -- system_u:object_r:amanda_user_exec_t
-/usr/sbin/amverify -- system_u:object_r:amanda_user_exec_t
-/var/lib/amanda -d system_u:object_r:amanda_var_lib_t
-/var/lib/amanda/\.amandahosts -- system_u:object_r:amanda_config_t
-/var/lib/amanda/\.bashrc -- system_u:object_r:amanda_shellconfig_t
-/var/lib/amanda/\.profile -- system_u:object_r:amanda_shellconfig_t
-/var/lib/amanda/disklist -- system_u:object_r:amanda_data_t
-/var/lib/amanda/gnutar-lists(/.*)? system_u:object_r:amanda_gnutarlists_t
-/var/lib/amanda/index system_u:object_r:amanda_data_t
-/var/log/amanda(/.*)? system_u:object_r:amanda_log_t
diff --git a/strict/file_contexts/program/amavis.fc b/strict/file_contexts/program/amavis.fc
deleted file mode 100644
index 366da332..00000000
--- a/strict/file_contexts/program/amavis.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# amavis
-/usr/sbin/amavisd.* -- system_u:object_r:amavisd_exec_t
-/etc/amavisd\.conf -- system_u:object_r:amavisd_etc_t
-/var/log/amavisd\.log -- system_u:object_r:amavisd_log_t
-/var/lib/amavis(/.*)? system_u:object_r:amavisd_lib_t
-/var/run/amavis(/.*)? system_u:object_r:amavisd_var_run_t
-/var/amavis(/.*)? system_u:object_r:amavisd_lib_t
-/var/virusmails(/.*)? system_u:object_r:amavisd_quarantine_t
diff --git a/strict/file_contexts/program/anaconda.fc b/strict/file_contexts/program/anaconda.fc
deleted file mode 100644
index a0cbc0eb..00000000
--- a/strict/file_contexts/program/anaconda.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Anaconda file context
-# currently anaconda does not have any file context since it is started during install
-# This is a placeholder to stop makefile from complaining
-#
diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc
deleted file mode 100644
index 96c5b3a6..00000000
--- a/strict/file_contexts/program/apache.fc
+++ /dev/null
@@ -1,58 +0,0 @@
-# apache
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
-/var/www(/.*)? system_u:object_r:httpd_sys_content_t
-/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
-/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
-/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
-/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
-/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t
-/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
-/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
-/var/cache/php-mmcache(/.*)? system_u:object_r:httpd_cache_t
-/etc/httpd -d system_u:object_r:httpd_config_t
-/etc/httpd/conf.* system_u:object_r:httpd_config_t
-/etc/httpd/logs system_u:object_r:httpd_log_t
-/etc/httpd/modules system_u:object_r:httpd_modules_t
-/etc/apache(2)?(/.*)? system_u:object_r:httpd_config_t
-/etc/vhosts -- system_u:object_r:httpd_config_t
-/usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t
-/usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t
-/usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t
-/usr/sbin/httpd(\.worker)? -- system_u:object_r:httpd_exec_t
-/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t
-/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t
-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
-/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t
-/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
-/var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_t
-/var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t
-/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t
-/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
-/var/run/apache.* system_u:object_r:httpd_var_run_t
-/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
-/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t
-/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
-/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t
-/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t
-/var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t
-/var/run/gcache_port -s system_u:object_r:httpd_var_run_t
-ifdef(`distro_debian', `
-/var/log/horde2(/.*)? system_u:object_r:httpd_log_t
-')
-ifdef(`distro_suse', `
-# suse puts shell scripts there :-(
-/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
-/usr/sbin/httpd2-.* -- system_u:object_r:httpd_exec_t
-')
-/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t
-/var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t
-/usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t
-/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t
-/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t
-/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t
-/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t
-ifdef(`targeted_policy', `', `
-/var/spool/cron/apache -- system_u:object_r:user_cron_spool_t
-')
-/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t
-
diff --git a/strict/file_contexts/program/apmd.fc b/strict/file_contexts/program/apmd.fc
deleted file mode 100644
index 9e6ce0d3..00000000
--- a/strict/file_contexts/program/apmd.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# apmd
-/usr/sbin/apmd -- system_u:object_r:apmd_exec_t
-/usr/sbin/acpid -- system_u:object_r:apmd_exec_t
-/usr/sbin/powersaved -- system_u:object_r:apmd_exec_t
-/usr/bin/apm -- system_u:object_r:apm_exec_t
-/var/run/apmd\.pid -- system_u:object_r:apmd_var_run_t
-/var/run/\.?acpid\.socket -s system_u:object_r:apmd_var_run_t
-/var/run/powersaved\.pid -- system_u:object_r:apmd_var_run_t
-/var/run/powersave_socket -s system_u:object_r:apmd_var_run_t
-/var/log/acpid -- system_u:object_r:apmd_log_t
-ifdef(`distro_suse', `
-/var/lib/acpi(/.*)? system_u:object_r:apmd_var_lib_t
-')
-
diff --git a/strict/file_contexts/program/arpwatch.fc b/strict/file_contexts/program/arpwatch.fc
deleted file mode 100644
index 5b2aa5ac..00000000
--- a/strict/file_contexts/program/arpwatch.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# arpwatch - keep track of ethernet/ip address pairings
-/usr/sbin/arpwatch -- system_u:object_r:arpwatch_exec_t
-/var/arpwatch(/.*)? system_u:object_r:arpwatch_data_t
-/var/lib/arpwatch(/.*)? system_u:object_r:arpwatch_data_t
diff --git a/strict/file_contexts/program/asterisk.fc b/strict/file_contexts/program/asterisk.fc
deleted file mode 100644
index 6f4eb4b2..00000000
--- a/strict/file_contexts/program/asterisk.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# asterisk
-/usr/sbin/asterisk -- system_u:object_r:asterisk_exec_t
-/var/run/asterisk(/.*)? system_u:object_r:asterisk_var_run_t
-/etc/asterisk(/.*)? system_u:object_r:asterisk_etc_t
-/var/log/asterisk(/.*)? system_u:object_r:asterisk_log_t
-/var/lib/asterisk(/.*)? system_u:object_r:asterisk_var_lib_t
-/var/spool/asterisk(/.*)? system_u:object_r:asterisk_spool_t
diff --git a/strict/file_contexts/program/audio-entropyd.fc b/strict/file_contexts/program/audio-entropyd.fc
deleted file mode 100644
index a8f616a5..00000000
--- a/strict/file_contexts/program/audio-entropyd.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/audio-entropyd -- system_u:object_r:entropyd_exec_t
diff --git a/strict/file_contexts/program/auditd.fc b/strict/file_contexts/program/auditd.fc
deleted file mode 100644
index a87077be..00000000
--- a/strict/file_contexts/program/auditd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# auditd
-/sbin/auditctl -- system_u:object_r:auditctl_exec_t
-/sbin/auditd -- system_u:object_r:auditd_exec_t
-/var/log/audit.log -- system_u:object_r:auditd_log_t
-/var/log/audit(/.*)? system_u:object_r:auditd_log_t
-/etc/auditd.conf -- system_u:object_r:auditd_etc_t
-/etc/audit.rules -- system_u:object_r:auditd_etc_t
-
diff --git a/strict/file_contexts/program/authbind.fc b/strict/file_contexts/program/authbind.fc
deleted file mode 100644
index 9fed63e8..00000000
--- a/strict/file_contexts/program/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# authbind
-/etc/authbind(/.*)? system_u:object_r:authbind_etc_t
-/usr/lib(64)?/authbind/helper -- system_u:object_r:authbind_exec_t
diff --git a/strict/file_contexts/program/automount.fc b/strict/file_contexts/program/automount.fc
deleted file mode 100644
index f7b56f74..00000000
--- a/strict/file_contexts/program/automount.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# automount
-/usr/sbin/automount -- system_u:object_r:automount_exec_t
-/etc/apm/event\.d/autofs -- system_u:object_r:automount_exec_t
-/var/run/autofs(/.*)? system_u:object_r:automount_var_run_t
-/etc/auto\..+ -- system_u:object_r:automount_etc_t
diff --git a/strict/file_contexts/program/backup.fc b/strict/file_contexts/program/backup.fc
deleted file mode 100644
index ed828092..00000000
--- a/strict/file_contexts/program/backup.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# backup
-# label programs that do backups to other files on disk (IE a cron job that
-# calls tar) in backup_exec_t and label the directory for storing them as
-# backup_store_t, Debian uses /var/backups
-#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t
-/var/backups(/.*)? system_u:object_r:backup_store_t
diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc
deleted file mode 100644
index da6b0564..00000000
--- a/strict/file_contexts/program/bluetooth.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bluetooth
-/etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t
-/etc/bluetooth/link_key system_u:object_r:bluetooth_conf_rw_t
-/usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t
-/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t
-/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
-/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t
-/var/run/sdp -s system_u:object_r:bluetooth_var_run_t
-/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t
-/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t
-/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t
diff --git a/strict/file_contexts/program/bonobo.fc b/strict/file_contexts/program/bonobo.fc
deleted file mode 100644
index 9c27b250..00000000
--- a/strict/file_contexts/program/bonobo.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/bonobo-activation-server -- system_u:object_r:bonobo_exec_t
diff --git a/strict/file_contexts/program/bootloader.fc b/strict/file_contexts/program/bootloader.fc
deleted file mode 100644
index 90f8e85b..00000000
--- a/strict/file_contexts/program/bootloader.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bootloader
-/etc/lilo\.conf.* -- system_u:object_r:bootloader_etc_t
-/initrd\.img.* -l system_u:object_r:boot_t
-/sbin/lilo.* -- system_u:object_r:bootloader_exec_t
-/sbin/grub.* -- system_u:object_r:bootloader_exec_t
-/vmlinuz.* -l system_u:object_r:boot_t
-/usr/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t
-/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t
-/etc/mkinitrd/scripts/.* -- system_u:object_r:bootloader_exec_t
-/sbin/ybin.* -- system_u:object_r:bootloader_exec_t
-/etc/yaboot\.conf.* -- system_u:object_r:bootloader_etc_t
diff --git a/strict/file_contexts/program/calamaris.fc b/strict/file_contexts/program/calamaris.fc
deleted file mode 100644
index 36d8c87b..00000000
--- a/strict/file_contexts/program/calamaris.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# squid
-/etc/cron\.daily/calamaris -- system_u:object_r:calamaris_exec_t
-/var/www/calamaris(/.*)? system_u:object_r:calamaris_www_t
-/var/log/calamaris(/.*)? system_u:object_r:calamaris_log_t
diff --git a/strict/file_contexts/program/canna.fc b/strict/file_contexts/program/canna.fc
deleted file mode 100644
index 4b207a8d..00000000
--- a/strict/file_contexts/program/canna.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# canna.fc
-/usr/sbin/cannaserver -- system_u:object_r:canna_exec_t
-/usr/sbin/jserver -- system_u:object_r:canna_exec_t
-/usr/bin/cannaping -- system_u:object_r:canna_exec_t
-/usr/bin/catdic -- system_u:object_r:canna_exec_t
-/var/log/canna(/.*)? system_u:object_r:canna_log_t
-/var/log/wnn(/.*)? system_u:object_r:canna_log_t
-/var/lib/canna/dic(/.*)? system_u:object_r:canna_var_lib_t
-/var/lib/wnn/dic(/.*)? system_u:object_r:canna_var_lib_t
-/var/run/\.iroha_unix -d system_u:object_r:canna_var_run_t
-/var/run/\.iroha_unix/.* -s system_u:object_r:canna_var_run_t
-/var/run/wnn-unix(/.*) system_u:object_r:canna_var_run_t
diff --git a/strict/file_contexts/program/cardmgr.fc b/strict/file_contexts/program/cardmgr.fc
deleted file mode 100644
index 2e4b109d..00000000
--- a/strict/file_contexts/program/cardmgr.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# cardmgr
-/sbin/cardmgr -- system_u:object_r:cardmgr_exec_t
-/sbin/cardctl -- system_u:object_r:cardctl_exec_t
-/var/run/stab -- system_u:object_r:cardmgr_var_run_t
-/var/run/cardmgr\.pid -- system_u:object_r:cardmgr_var_run_t
-/etc/apm/event\.d/pcmcia -- system_u:object_r:cardmgr_exec_t
-/var/lib/pcmcia(/.*)? system_u:object_r:cardmgr_var_run_t
diff --git a/strict/file_contexts/program/cdrecord.fc b/strict/file_contexts/program/cdrecord.fc
deleted file mode 100644
index d03d3bc4..00000000
--- a/strict/file_contexts/program/cdrecord.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cdrecord
-/usr/bin/cdrecord -- system_u:object_r:cdrecord_exec_t
-
diff --git a/strict/file_contexts/program/certwatch.fc b/strict/file_contexts/program/certwatch.fc
deleted file mode 100644
index 20bb8caf..00000000
--- a/strict/file_contexts/program/certwatch.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# certwatch.fc
-/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t
-
diff --git a/strict/file_contexts/program/checkpolicy.fc b/strict/file_contexts/program/checkpolicy.fc
deleted file mode 100644
index 8c0c7323..00000000
--- a/strict/file_contexts/program/checkpolicy.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# checkpolicy
-/usr/bin/checkpolicy -- system_u:object_r:checkpolicy_exec_t
diff --git a/strict/file_contexts/program/chkpwd.fc b/strict/file_contexts/program/chkpwd.fc
deleted file mode 100644
index 444e3e55..00000000
--- a/strict/file_contexts/program/chkpwd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# chkpwd
-/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t
-/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t
-ifdef(`distro_suse', `
-/sbin/unix2_chkpwd -- system_u:object_r:chkpwd_exec_t
-')
diff --git a/strict/file_contexts/program/chroot.fc b/strict/file_contexts/program/chroot.fc
deleted file mode 100644
index aa61acc2..00000000
--- a/strict/file_contexts/program/chroot.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/chroot -- system_u:object_r:chroot_exec_t
diff --git a/strict/file_contexts/program/ciped.fc b/strict/file_contexts/program/ciped.fc
deleted file mode 100644
index e3a12a18..00000000
--- a/strict/file_contexts/program/ciped.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/ciped.* -- system_u:object_r:ciped_exec_t
-/etc/cipe/ip-up.* -- system_u:object_r:bin_t
-/etc/cipe/ip-down.* -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/clamav.fc b/strict/file_contexts/program/clamav.fc
deleted file mode 100644
index 90c898cb..00000000
--- a/strict/file_contexts/program/clamav.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# clamscan
-/usr/bin/clamscan -- system_u:object_r:clamscan_exec_t
-/usr/bin/freshclam -- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamav-freshclam-handledaemon -- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamd -- system_u:object_r:clamd_exec_t
-/var/lib/clamav(/.*)? system_u:object_r:clamav_var_lib_t
-/var/log/clam-update\.log -- system_u:object_r:freshclam_log_t
-/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t
-/var/log/clamav/clamd\.log.* -- system_u:object_r:clamd_log_t
-/var/log/clamav/freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t
-/var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t
-/var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd\.sock -s system_u:object_r:clamd_sock_t
diff --git a/strict/file_contexts/program/clockspeed.fc b/strict/file_contexts/program/clockspeed.fc
deleted file mode 100644
index e00cd566..00000000
--- a/strict/file_contexts/program/clockspeed.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# clockspeed
-/usr/bin/clockspeed -- system_u:object_r:clockspeed_exec_t
-/usr/bin/clockadd -- system_u:object_r:clockspeed_exec_t
-/usr/bin/clockview -- system_u:object_r:clockspeed_exec_t
-/usr/bin/sntpclock -- system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclock -- system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclockd -- system_u:object_r:clockspeed_exec_t
-/usr/sbin/ntpclockset -- system_u:object_r:clockspeed_exec_t
-
-/var/lib/clockspeed(/.*)? system_u:object_r:clockspeed_var_lib_t
-
diff --git a/strict/file_contexts/program/compat.fc b/strict/file_contexts/program/compat.fc
deleted file mode 100644
index ba15f45c..00000000
--- a/strict/file_contexts/program/compat.fc
+++ /dev/null
@@ -1,62 +0,0 @@
-ifdef(`setfiles.te', `', `
-# setfiles
-/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
-')
-
-ifdef(`mount.te', `', `
-# mount
-/bin/mount.* -- system_u:object_r:mount_exec_t
-/bin/umount.* -- system_u:object_r:mount_exec_t
-')
-ifdef(`loadkeys.te', `', `
-# loadkeys
-/bin/unikeys -- system_u:object_r:loadkeys_exec_t
-/bin/loadkeys -- system_u:object_r:loadkeys_exec_t
-')
-ifdef(`dmesg.te', `', `
-# dmesg
-/bin/dmesg -- system_u:object_r:dmesg_exec_t
-')
-ifdef(`fsadm.te', `', `
-# fs admin utilities
-/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
-/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
-/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
-/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
-/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
-/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
-/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
-/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
-/sbin/e2label -- system_u:object_r:fsadm_exec_t
-/sbin/findfs -- system_u:object_r:fsadm_exec_t
-/sbin/mkfs -- system_u:object_r:fsadm_exec_t
-/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
-/sbin/mkswap -- system_u:object_r:fsadm_exec_t
-/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
-/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
-/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
-/sbin/fdisk -- system_u:object_r:fsadm_exec_t
-/sbin/parted -- system_u:object_r:fsadm_exec_t
-/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
-/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
-/sbin/hdparm -- system_u:object_r:fsadm_exec_t
-/sbin/raidstart -- system_u:object_r:fsadm_exec_t
-/sbin/mkraid -- system_u:object_r:fsadm_exec_t
-/sbin/blockdev -- system_u:object_r:fsadm_exec_t
-/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
-/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
-/sbin/lsraid -- system_u:object_r:fsadm_exec_t
-/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
-/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
-/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
-/usr/bin/raw -- system_u:object_r:fsadm_exec_t
-/sbin/partx -- system_u:object_r:fsadm_exec_t
-/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
-/sbin/partprobe -- system_u:object_r:fsadm_exec_t
-')
-ifdef(`kudzu.te', `', `
-# kudzu
-/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
-/sbin/kmodule -- system_u:object_r:kudzu_exec_t
-')
diff --git a/strict/file_contexts/program/comsat.fc b/strict/file_contexts/program/comsat.fc
deleted file mode 100644
index 7026d563..00000000
--- a/strict/file_contexts/program/comsat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# biff server
-/usr/sbin/in\.comsat -- system_u:object_r:comsat_exec_t
diff --git a/strict/file_contexts/program/consoletype.fc b/strict/file_contexts/program/consoletype.fc
deleted file mode 100644
index f310f37a..00000000
--- a/strict/file_contexts/program/consoletype.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# consoletype
-/sbin/consoletype -- system_u:object_r:consoletype_exec_t
diff --git a/strict/file_contexts/program/courier.fc b/strict/file_contexts/program/courier.fc
deleted file mode 100644
index 16f6adb1..00000000
--- a/strict/file_contexts/program/courier.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-# courier pop, imap, and webmail
-/usr/lib(64)?/courier(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/courier/rootcerts(/.*)? system_u:object_r:courier_etc_t
-/usr/lib(64)?/courier/authlib/.* -- system_u:object_r:courier_authdaemon_exec_t
-/usr/lib(64)?/courier/courier/.* -- system_u:object_r:courier_exec_t
-/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/imaplogin -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/pcpd -- system_u:object_r:courier_pcp_exec_t
-/usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t
-/var/lib/courier(/.*)? system_u:object_r:courier_var_lib_t
-/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t
-/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t
-/usr/sbin/courierldapaliasd -- system_u:object_r:courier_exec_t
-/usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t
-/var/run/courier(/.*)? system_u:object_r:courier_var_run_t
-/etc/courier(/.*)? system_u:object_r:courier_etc_t
diff --git a/strict/file_contexts/program/cpucontrol.fc b/strict/file_contexts/program/cpucontrol.fc
deleted file mode 100644
index e2275c6d..00000000
--- a/strict/file_contexts/program/cpucontrol.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpucontrol
-/sbin/microcode_ctl -- system_u:object_r:cpucontrol_exec_t
-/etc/firmware/.* -- system_u:object_r:cpucontrol_conf_t
diff --git a/strict/file_contexts/program/cpuspeed.fc b/strict/file_contexts/program/cpuspeed.fc
deleted file mode 100644
index 60d84657..00000000
--- a/strict/file_contexts/program/cpuspeed.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpuspeed
-/usr/sbin/cpuspeed -- system_u:object_r:cpuspeed_exec_t
-/usr/sbin/powernowd -- system_u:object_r:cpuspeed_exec_t
diff --git a/strict/file_contexts/program/crack.fc b/strict/file_contexts/program/crack.fc
deleted file mode 100644
index 7d991366..00000000
--- a/strict/file_contexts/program/crack.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# crack - for password checking
-/usr/sbin/cracklib-[a-z]* -- system_u:object_r:crack_exec_t
-/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t
-/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t
-/usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t
-/usr/share/cracklib(/.*)? system_u:object_r:crack_db_t
diff --git a/strict/file_contexts/program/crond.fc b/strict/file_contexts/program/crond.fc
deleted file mode 100644
index 3a466592..00000000
--- a/strict/file_contexts/program/crond.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# crond
-/etc/crontab -- system_u:object_r:system_cron_spool_t
-/etc/cron\.d(/.*)? system_u:object_r:system_cron_spool_t
-/usr/sbin/cron(d)? -- system_u:object_r:crond_exec_t
-/usr/sbin/anacron -- system_u:object_r:anacron_exec_t
-/var/spool/cron -d system_u:object_r:cron_spool_t
-/var/spool/cron/crontabs -d system_u:object_r:cron_spool_t
-/var/spool/cron/crontabs/.* -- <>
-/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t
-/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t
-/var/spool/cron/[^/]* -- <>
-/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t
-/var/run/crond?\.pid -- system_u:object_r:crond_var_run_t
-# fcron
-/usr/sbin/fcron -- system_u:object_r:crond_exec_t
-/var/spool/fcron -d system_u:object_r:cron_spool_t
-/var/spool/fcron/.* <>
-/var/spool/fcron/systab\.orig -- system_u:object_r:system_cron_spool_t
-/var/spool/fcron/systab -- system_u:object_r:system_cron_spool_t
-/var/spool/fcron/new\.systab -- system_u:object_r:system_cron_spool_t
-/var/run/fcron\.fifo -s system_u:object_r:crond_var_run_t
-/var/run/fcron\.pid -- system_u:object_r:crond_var_run_t
-# atd
-/usr/sbin/atd -- system_u:object_r:crond_exec_t
-/var/spool/at -d system_u:object_r:cron_spool_t
-/var/spool/at/spool -d system_u:object_r:cron_spool_t
-/var/spool/at/[^/]* -- <>
-/var/run/atd\.pid -- system_u:object_r:crond_var_run_t
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons -- system_u:object_r:bin_t
-/var/spool/cron/lastrun -d system_u:object_r:crond_tmp_t
-/var/spool/cron/lastrun/[^/]* -- <>
-/var/spool/cron/tabs -d system_u:object_r:cron_spool_t
-')
diff --git a/strict/file_contexts/program/crontab.fc b/strict/file_contexts/program/crontab.fc
deleted file mode 100644
index 5c186998..00000000
--- a/strict/file_contexts/program/crontab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# crontab
-/usr/bin/(f)?crontab -- system_u:object_r:crontab_exec_t
-/usr/bin/at -- system_u:object_r:crontab_exec_t
diff --git a/strict/file_contexts/program/cups.fc b/strict/file_contexts/program/cups.fc
deleted file mode 100644
index 26ae56f6..00000000
--- a/strict/file_contexts/program/cups.fc
+++ /dev/null
@@ -1,46 +0,0 @@
-# cups printing
-/etc/cups(/.*)? system_u:object_r:cupsd_etc_t
-/usr/share/cups(/.*)? system_u:object_r:cupsd_etc_t
-/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
-/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
-/etc/cups/client\.conf -- system_u:object_r:etc_t
-/etc/cups/cupsd\.conf.* -- system_u:object_r:cupsd_rw_etc_t
-/etc/cups/classes\.conf.* -- system_u:object_r:cupsd_rw_etc_t
-/etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t
-/etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t
-/etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t
-/etc/cups/certs -d system_u:object_r:cupsd_rw_etc_t
-/etc/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t
-/var/lib/cups/certs -d system_u:object_r:cupsd_rw_etc_t
-/var/lib/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t
-/etc/cups/ppds\.dat -- system_u:object_r:cupsd_rw_etc_t
-/etc/cups/lpoptions.* -- system_u:object_r:cupsd_rw_etc_t
-/etc/printcap.* -- system_u:object_r:cupsd_rw_etc_t
-/usr/lib(64)?/cups/backend/.* -- system_u:object_r:cupsd_exec_t
-/usr/lib(64)?/cups/daemon/.* -- system_u:object_r:cupsd_exec_t
-/usr/lib(64)?/cups/daemon/cups-lpd -- system_u:object_r:cupsd_lpd_exec_t
-/usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t
-ifdef(`hald.te', `
-# cupsd_config depends on hald
-/usr/bin/cups-config-daemon -- system_u:object_r:cupsd_config_exec_t
-/usr/sbin/hal_lpadmin -- system_u:object_r:cupsd_config_exec_t
-/usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t
-')
-/var/log/cups(/.*)? system_u:object_r:cupsd_log_t
-/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t
-/var/spool/cups(/.*)? system_u:object_r:print_spool_t
-/var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t
-/usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t
-/usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t
-/usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t
-/usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t
-/usr/sbin/ptal-photod -- system_u:object_r:ptal_exec_t
-/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
-/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t
-/etc/hp(/.*)? system_u:object_r:hplip_etc_t
-/usr/sbin/hpiod -- system_u:object_r:hplip_exec_t
-/usr/share/hplip/hpssd.py -- system_u:object_r:hplip_exec_t
-/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t
-/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t
-/var/run/hp.*\.pid -- system_u:object_r:hplip_var_run_t
-/var/run/hp.*\.port -- system_u:object_r:hplip_var_run_t
diff --git a/strict/file_contexts/program/cvs.fc b/strict/file_contexts/program/cvs.fc
deleted file mode 100644
index ce38032e..00000000
--- a/strict/file_contexts/program/cvs.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# cvs program
-/usr/bin/cvs -- system_u:object_r:cvs_exec_t
diff --git a/strict/file_contexts/program/cyrus.fc b/strict/file_contexts/program/cyrus.fc
deleted file mode 100644
index 71a90263..00000000
--- a/strict/file_contexts/program/cyrus.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# cyrus
-/var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t
-/usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t
-/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t
-/var/spool/imap(/.*)? system_u:object_r:mail_spool_t
diff --git a/strict/file_contexts/program/daemontools.fc b/strict/file_contexts/program/daemontools.fc
deleted file mode 100644
index c2642ed5..00000000
--- a/strict/file_contexts/program/daemontools.fc
+++ /dev/null
@@ -1,54 +0,0 @@
-# daemontools
-
-/var/service/.* system_u:object_r:svc_svc_t
-
-# symlinks to /var/service/*
-/service(/.*)? system_u:object_r:svc_svc_t
-
-# supervise scripts
-/usr/bin/svc-add -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isdown -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isup -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-remove -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-start -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-status -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-stop -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitdown -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitup -- system_u:object_r:svc_script_exec_t
-
-# supervise init binaries
-# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
-/usr/bin/svc -- system_u:object_r:svc_start_exec_t
-/usr/bin/svscan -- system_u:object_r:svc_start_exec_t
-/usr/bin/svscanboot -- system_u:object_r:svc_start_exec_t
-/usr/bin/svok -- system_u:object_r:svc_start_exec_t
-/usr/bin/supervise -- system_u:object_r:svc_start_exec_t
-
-# starting scripts
-/var/service/.*/run.* system_u:object_r:svc_run_exec_t
-/var/service/.*/log/run system_u:object_r:svc_run_exec_t
-
-# configurations
-/var/service/.*/env(/.*)? system_u:object_r:svc_conf_t
-
-# log
-/var/service/.*/log/main(/.*)? system_u:object_r:svc_log_t
-
-# programs that impose a given environment to daemons
-/usr/bin/softlimit -- system_u:object_r:svc_run_exec_t
-/usr/bin/setuidgid -- system_u:object_r:svc_run_exec_t
-/usr/bin/envuidgid -- system_u:object_r:svc_run_exec_t
-/usr/bin/envdir -- system_u:object_r:svc_run_exec_t
-/usr/bin/setlock -- system_u:object_r:svc_run_exec_t
-
-# helper programs
-/usr/bin/fghack -- system_u:object_r:svc_run_exec_t
-/usr/bin/pgrphack -- system_u:object_r:svc_run_exec_t
-
-/var/run/svscan\.pid -- system_u:object_r:initrc_var_run_t
-# daemontools logger # writes to service/*/log/main/ and /var/log/*/
-/usr/bin/multilog -- system_u:object_r:svc_multilog_exec_t
-
-/sbin/svcinit -- system_u:object_r:initrc_exec_t
-/sbin/runsvcscript\.sh -- system_u:object_r:initrc_exec_t
-
diff --git a/strict/file_contexts/program/dante.fc b/strict/file_contexts/program/dante.fc
deleted file mode 100644
index ce7f3353..00000000
--- a/strict/file_contexts/program/dante.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dante
-/usr/sbin/sockd -- system_u:object_r:dante_exec_t
-/etc/socks(/.*)? system_u:object_r:dante_conf_t
-/var/run/sockd.pid -- system_u:object_r:dante_var_run_t
diff --git a/strict/file_contexts/program/dbskkd.fc b/strict/file_contexts/program/dbskkd.fc
deleted file mode 100644
index 77ff4f15..00000000
--- a/strict/file_contexts/program/dbskkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# A dictionary server for the SKK Japanese input method system.
-/usr/sbin/dbskkd-cdb -- system_u:object_r:dbskkd_exec_t
diff --git a/strict/file_contexts/program/dbusd.fc b/strict/file_contexts/program/dbusd.fc
deleted file mode 100644
index 9f56c335..00000000
--- a/strict/file_contexts/program/dbusd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/dbus-daemon(-1)? -- system_u:object_r:system_dbusd_exec_t
-/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
diff --git a/strict/file_contexts/program/dcc.fc b/strict/file_contexts/program/dcc.fc
deleted file mode 100644
index a6b1372a..00000000
--- a/strict/file_contexts/program/dcc.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# DCC
-/etc/dcc(/.*)? system_u:object_r:dcc_var_t
-/etc/dcc/map -- system_u:object_r:dcc_client_map_t
-/etc/dcc/dccifd -s system_u:object_r:dccifd_sock_t
-/usr/bin/cdcc system_u:object_r:cdcc_exec_t
-/usr/bin/dccproc system_u:object_r:dcc_client_exec_t
-/usr/libexec/dcc/dbclean system_u:object_r:dcc_dbclean_exec_t
-/usr/libexec/dcc/dccd system_u:object_r:dccd_exec_t
-/usr/libexec/dcc/dccifd system_u:object_r:dccifd_exec_t
-/usr/libexec/dcc/dccm system_u:object_r:dccm_exec_t
-/usr/libexec/dcc/start-.* system_u:object_r:dcc_script_exec_t
-/usr/libexec/dcc/stop-.* system_u:object_r:dcc_script_exec_t
-/var/dcc(/.*)? system_u:object_r:dcc_var_t
-/var/dcc/map -- system_u:object_r:dcc_client_map_t
-/var/run/dcc system_u:object_r:dcc_var_run_t
-/var/run/dcc/map -- system_u:object_r:dcc_client_map_t
-/var/run/dcc/dccifd -s system_u:object_r:dccifd_sock_t
diff --git a/strict/file_contexts/program/ddclient.fc b/strict/file_contexts/program/ddclient.fc
deleted file mode 100644
index 83ee3d2b..00000000
--- a/strict/file_contexts/program/ddclient.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# ddclient
-/etc/ddclient\.conf -- system_u:object_r:ddclient_etc_t
-/usr/sbin/ddclient -- system_u:object_r:ddclient_exec_t
-/var/cache/ddclient(/.*)? system_u:object_r:ddclient_var_t
-/var/run/ddclient\.pid -- system_u:object_r:ddclient_var_run_t
-# ddt - Dynamic DNS client
-/usr/sbin/ddtcd -- system_u:object_r:ddclient_exec_t
-/var/run/ddtcd\.pid -- system_u:object_r:ddclient_var_run_t
-/etc/ddtcd\.conf -- system_u:object_r:ddclient_etc_t
-/var/lib/ddt-client(/.*)? system_u:object_r:ddclient_var_lib_t
-/var/log/ddtcd\.log.* -- system_u:object_r:ddclient_log_t
diff --git a/strict/file_contexts/program/ddcprobe.fc b/strict/file_contexts/program/ddcprobe.fc
deleted file mode 100644
index 43133496..00000000
--- a/strict/file_contexts/program/ddcprobe.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/ddcprobe -- system_u:object_r:ddcprobe_exec_t
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
deleted file mode 100644
index a035faa6..00000000
--- a/strict/file_contexts/program/dhcpc.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# dhcpcd
-/etc/dhcpc.* system_u:object_r:dhcp_etc_t
-/etc/dhcp3?/dhclient.* system_u:object_r:dhcp_etc_t
-/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t
-/etc/dhclient-script -- system_u:object_r:dhcp_etc_t
-/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
-/sbin/dhcdbd -- system_u:object_r:dhcpc_exec_t
-/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
-/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
-/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
-/var/lib/dhclient(/.*)? system_u:object_r:dhcpc_state_t
-/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
-/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
-# pump
-/sbin/pump -- system_u:object_r:dhcpc_exec_t
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t
-define(`dhcp_defined')
-')
diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc
deleted file mode 100644
index d26d56dd..00000000
--- a/strict/file_contexts/program/dhcpd.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# dhcpd
-/etc/dhcpd\.conf -- system_u:object_r:dhcp_etc_t
-/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t
-/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t
-/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
-/var/run/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t
-define(`dhcp_defined')
-')
-
-ifdef(`distro_gentoo', `
-/etc/dhcp -d system_u:object_r:dhcp_etc_t
-/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t
-/var/lib/dhcp -d system_u:object_r:dhcp_state_t
-/var/lib/dhcpd(/.*)? system_u:object_r:dhcpd_state_t
-/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
-/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
-
-# for the chroot setup
-/chroot/dhcp -d system_u:object_r:root_t
-/chroot/dhcp/dev -d system_u:object_r:device_t
-/chroot/dhcp/etc -d system_u:object_r:etc_t
-/chroot/dhcp/etc/dhcp -d system_u:object_r:dhcp_etc_t
-/chroot/dhcp/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t
-/chroot/dhcp/usr/sbin/dhcpd -- system_u:object_r:dhcpd_exec_t
-/chroot/dhcp/var -d system_u:object_r:var_t
-/chroot/dhcp/var/run -d system_u:object_r:var_run_t
-/chroot/dhcp/var/lib -d system_u:object_r:var_lib_t
-/chroot/dhcp/var/lib/dhcp -d system_u:object_r:dhcp_state_t
-/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
-/chroot/dhcp/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_state_t
-')
-
diff --git a/strict/file_contexts/program/dictd.fc b/strict/file_contexts/program/dictd.fc
deleted file mode 100644
index 0d97d0a2..00000000
--- a/strict/file_contexts/program/dictd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dictd
-/etc/dictd\.conf -- system_u:object_r:dictd_etc_t
-/usr/sbin/dictd -- system_u:object_r:dictd_exec_t
-/var/lib/dictd(/.*)? system_u:object_r:dictd_var_lib_t
diff --git a/strict/file_contexts/program/distcc.fc b/strict/file_contexts/program/distcc.fc
deleted file mode 100644
index 3ab97979..00000000
--- a/strict/file_contexts/program/distcc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# distcc
-/usr/bin/distccd -- system_u:object_r:distccd_exec_t
diff --git a/strict/file_contexts/program/djbdns.fc b/strict/file_contexts/program/djbdns.fc
deleted file mode 100644
index 6174b9f7..00000000
--- a/strict/file_contexts/program/djbdns.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-#djbdns
-/usr/bin/dnscache -- system_u:object_r:djbdns_dnscache_exec_t
-/usr/bin/tinydns -- system_u:object_r:djbdns_tinydns_exec_t
-/usr/bin/axfrdns -- system_u:object_r:djbdns_axfrdns_exec_t
-
-/var/dnscache[a-z]?(/.*)? system_u:object_r:svc_svc_t
-/var/dnscache[a-z]?/run -- system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/log/run -- system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/env(/.*)? system_u:object_r:svc_conf_t
-/var/dnscache[a-z]?/root(/.*)? system_u:object_r:djbdns_dnscache_conf_t
-/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/tinydns(/.*)? system_u:object_r:svc_svc_t
-/var/tinydns/run -- system_u:object_r:svc_run_exec_t
-/var/tinydns/log/run -- system_u:object_r:svc_run_exec_t
-/var/tinydns/env(/.*)? system_u:object_r:svc_conf_t
-/var/tinydns/root(/.*)? system_u:object_r:djbdns_tinydns_conf_t
-/var/tinydns/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/axfrdns(/.*)? system_u:object_r:svc_svc_t
-/var/axfrdns/run -- system_u:object_r:svc_run_exec_t
-/var/axfrdns/log/run -- system_u:object_r:svc_run_exec_t
-/var/axfrdns/env(/.*)? system_u:object_r:svc_conf_t
-/var/axfrdns/root(/.*)? system_u:object_r:djbdns_axfrdns_conf_t
-/var/axfrdns/log/main(/.*)? system_u:object_r:var_log_t
-
diff --git a/strict/file_contexts/program/dmesg.fc b/strict/file_contexts/program/dmesg.fc
deleted file mode 100644
index 2df5752a..00000000
--- a/strict/file_contexts/program/dmesg.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# dmesg
-/bin/dmesg -- system_u:object_r:dmesg_exec_t
diff --git a/strict/file_contexts/program/dmidecode.fc b/strict/file_contexts/program/dmidecode.fc
deleted file mode 100644
index b5ce71b4..00000000
--- a/strict/file_contexts/program/dmidecode.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dmidecode
-/usr/sbin/dmidecode -- system_u:object_r:dmidecode_exec_t
-/usr/sbin/ownership -- system_u:object_r:dmidecode_exec_t
-/usr/sbin/vpddecode -- system_u:object_r:dmidecode_exec_t
diff --git a/strict/file_contexts/program/dnsmasq.fc b/strict/file_contexts/program/dnsmasq.fc
deleted file mode 100644
index e1b1c358..00000000
--- a/strict/file_contexts/program/dnsmasq.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dnsmasq
-/usr/sbin/dnsmasq -- system_u:object_r:dnsmasq_exec_t
-/var/lib/misc/dnsmasq\.leases -- system_u:object_r:dnsmasq_lease_t
-/var/run/dnsmasq\.pid -- system_u:object_r:dnsmasq_var_run_t
diff --git a/strict/file_contexts/program/dovecot.fc b/strict/file_contexts/program/dovecot.fc
deleted file mode 100644
index 75a65dd6..00000000
--- a/strict/file_contexts/program/dovecot.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-# for Dovecot POP and IMAP server
-/etc/dovecot.conf.* system_u:object_r:dovecot_etc_t
-/etc/dovecot.passwd.* system_u:object_r:dovecot_passwd_t
-/usr/sbin/dovecot -- system_u:object_r:dovecot_exec_t
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t
-')
-ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t
-')
-/usr/share/ssl/certs/dovecot\.pem -- system_u:object_r:dovecot_cert_t
-/usr/share/ssl/private/dovecot\.pem -- system_u:object_r:dovecot_cert_t
-/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t
-/var/run/dovecot(-login)?(/.*)? system_u:object_r:dovecot_var_run_t
-/usr/lib(64)?/dovecot/.+ -- system_u:object_r:bin_t
-/var/spool/dovecot(/.*)? system_u:object_r:dovecot_spool_t
diff --git a/strict/file_contexts/program/dpkg.fc b/strict/file_contexts/program/dpkg.fc
deleted file mode 100644
index f0f56f62..00000000
--- a/strict/file_contexts/program/dpkg.fc
+++ /dev/null
@@ -1,49 +0,0 @@ -# dpkg/dselect/apt -/etc/apt(/.*)? system_u:object_r:apt_etc_t -/etc/apt/listbugs(/.*)? system_u:object_r:apt_rw_etc_t -/usr/bin/apt-cache -- system_u:object_r:apt_exec_t -/usr/bin/apt-config -- system_u:object_r:apt_exec_t -/usr/bin/apt-get -- system_u:object_r:apt_exec_t -/usr/bin/dpkg -- system_u:object_r:dpkg_exec_t -/usr/sbin/dpkg-reconfigure -- system_u:object_r:dpkg_exec_t -/usr/bin/dselect -- system_u:object_r:dpkg_exec_t -/usr/bin/aptitude -- system_u:object_r:dpkg_exec_t -/usr/bin/update-menus -- system_u:object_r:install_menu_exec_t -/usr/lib(64)?/apt/methods/.+ -- system_u:object_r:apt_exec_t -/usr/lib(64)?/man-db(/.*)? system_u:object_r:bin_t -/usr/lib(64)?/dpkg/.+ -- system_u:object_r:dpkg_exec_t -/usr/sbin/dpkg-preconfigure -- system_u:object_r:dpkg_exec_t -/usr/sbin/install-menu -- system_u:object_r:install_menu_exec_t -/usr/share/applnk(/.*)? system_u:object_r:debian_menu_t -/usr/share/debconf/.+ -- system_u:object_r:dpkg_exec_t -/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t -/usr/share/lintian/.+ -- system_u:object_r:bin_t -/usr/share/kernel-package/.+ -- system_u:object_r:bin_t -/usr/share/smartmontools/selftests -- system_u:object_r:bin_t -/usr/share/bug/[^/]+ -- system_u:object_r:bin_t -/var/cache/apt(/.*)? system_u:object_r:var_cache_apt_t -/var/cache/apt-listbugs(/.*)? system_u:object_r:var_cache_apt_t -/var/lib/apt(/.*)? system_u:object_r:apt_var_lib_t -/var/state/apt(/.*)? system_u:object_r:apt_var_lib_t -/var/lib/dpkg(/.*)? system_u:object_r:dpkg_var_lib_t -/var/lib/dpkg/(meth)?lock -- system_u:object_r:dpkg_lock_t -/var/lib/kde(/.*)? system_u:object_r:debian_menu_t -/var/spool/kdeapplnk(/.*)? system_u:object_r:debian_menu_t -/var/cache/debconf(/.*)? 
system_u:object_r:debconf_cache_t -/etc/dpkg/.+ -- system_u:object_r:dpkg_etc_t -/etc/menu-methods/.* -- system_u:object_r:install_menu_exec_t -/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t -/var/run/update-menus\.pid -- system_u:object_r:install_menu_var_run_t -/usr/share/dlint/digparse -- system_u:object_r:bin_t -/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t -/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t -/var/lib/defoma(/.*)? system_u:object_r:fonts_t -/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t -/usr/share/intltool-debian/.* -- system_u:object_r:bin_t -/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t -/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t -/usr/share/shorewall/.* -- system_u:object_r:bin_t -/usr/share/reportbug/.* -- system_u:object_r:bin_t -/etc/network/ifstate.* -- system_u:object_r:etc_runtime_t -/usr/lib(64)?/gconf2/gconfd-2 -- system_u:object_r:bin_t -/bin/mountpoint -- system_u:object_r:fsadm_exec_t diff --git a/strict/file_contexts/program/ethereal.fc b/strict/file_contexts/program/ethereal.fc deleted file mode 100644 index ba1af85d..00000000 --- a/strict/file_contexts/program/ethereal.fc +++ /dev/null @@ -1,3 +0,0 @@ -/usr/sbin/tethereal.* -- system_u:object_r:tethereal_exec_t -/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t -HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t diff --git a/strict/file_contexts/program/evolution.fc b/strict/file_contexts/program/evolution.fc deleted file mode 100644 index 1a3bf38e..00000000 --- a/strict/file_contexts/program/evolution.fc +++ /dev/null 
@@ -1,8 +0,0 @@ -/usr/bin/evolution.* -- system_u:object_r:evolution_exec_t -/usr/libexec/evolution/.*evolution-alarm-notify.* -- system_u:object_r:evolution_alarm_exec_t -/usr/libexec/evolution/.*evolution-exchange-storage.* -- system_u:object_r:evolution_exchange_exec_t -/usr/libexec/evolution-data-server.* -- system_u:object_r:evolution_server_exec_t -/usr/libexec/evolution-webcal.* -- system_u:object_r:evolution_webcal_exec_t -HOME_DIR/\.evolution(/.*)? system_u:object_r:ROLE_evolution_home_t -HOME_DIR/\.camel_certs(/.*)? system_u:object_r:ROLE_evolution_home_t -/tmp/\.exchange-USER(/.*)? system_u:object_r:ROLE_evolution_exchange_tmp_t diff --git a/strict/file_contexts/program/fetchmail.fc b/strict/file_contexts/program/fetchmail.fc deleted file mode 100644 index 5186172f..00000000 --- a/strict/file_contexts/program/fetchmail.fc +++ /dev/null @@ -1,5 +0,0 @@ -# fetchmail -/etc/fetchmailrc -- system_u:object_r:fetchmail_etc_t -/usr/bin/fetchmail -- system_u:object_r:fetchmail_exec_t -/var/run/fetchmail/.* -- system_u:object_r:fetchmail_var_run_t -/var/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t diff --git a/strict/file_contexts/program/fingerd.fc b/strict/file_contexts/program/fingerd.fc deleted file mode 100644 index 59cc062a..00000000 --- a/strict/file_contexts/program/fingerd.fc +++ /dev/null @@ -1,6 +0,0 @@ -# fingerd -/usr/sbin/in\.fingerd -- system_u:object_r:fingerd_exec_t -/usr/sbin/[cef]fingerd -- system_u:object_r:fingerd_exec_t -/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t -/etc/cfingerd(/.*)? system_u:object_r:fingerd_etc_t -/var/log/cfingerd\.log.* -- system_u:object_r:fingerd_log_t diff --git a/strict/file_contexts/program/firstboot.fc b/strict/file_contexts/program/firstboot.fc deleted file mode 100644 index ae3179dc..00000000 --- a/strict/file_contexts/program/firstboot.fc +++ /dev/null 
@@ -1,4 +0,0 @@ -# firstboot -/usr/sbin/firstboot -- system_u:object_r:firstboot_exec_t -/usr/share/firstboot system_u:object_r:firstboot_rw_t -/usr/share/firstboot/firstboot\.py -- system_u:object_r:firstboot_exec_t diff --git a/strict/file_contexts/program/fontconfig.fc b/strict/file_contexts/program/fontconfig.fc deleted file mode 100644 index d8a8dc95..00000000 --- a/strict/file_contexts/program/fontconfig.fc +++ /dev/null @@ -1,4 +0,0 @@ -HOME_DIR/\.fonts.conf -- system_u:object_r:ROLE_fonts_config_t -HOME_DIR/\.fonts(/.*)? system_u:object_r:ROLE_fonts_t -HOME_DIR/\.fonts/auto(/.*)? system_u:object_r:ROLE_fonts_cache_t -HOME_DIR/\.fonts.cache-.* -- system_u:object_r:ROLE_fonts_cache_t diff --git a/strict/file_contexts/program/fs_daemon.fc b/strict/file_contexts/program/fs_daemon.fc deleted file mode 100644 index 19ac5313..00000000 --- a/strict/file_contexts/program/fs_daemon.fc +++ /dev/null @@ -1,4 +0,0 @@ -# fs admin daemons -/usr/sbin/smartd -- system_u:object_r:fsdaemon_exec_t -/var/run/smartd\.pid -- system_u:object_r:fsdaemon_var_run_t -/etc/smartd\.conf -- system_u:object_r:etc_runtime_t diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc deleted file mode 100644 index 9b815374..00000000 --- a/strict/file_contexts/program/fsadm.fc +++ /dev/null 
@@ -1,40 +0,0 @@
-# fs admin utilities
-/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
-/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
-/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t
-/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
-/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
-/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
-/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
-/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
-/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
-/sbin/e2label -- system_u:object_r:fsadm_exec_t
-/sbin/findfs -- system_u:object_r:fsadm_exec_t
-/sbin/mkfs -- system_u:object_r:fsadm_exec_t
-/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
-/sbin/mkswap -- system_u:object_r:fsadm_exec_t
-/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
-/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
-/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
-/sbin/fdisk -- system_u:object_r:fsadm_exec_t
-/sbin/parted -- system_u:object_r:fsadm_exec_t
-/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
-/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
-/sbin/dump -- system_u:object_r:fsadm_exec_t
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
-/sbin/hdparm -- system_u:object_r:fsadm_exec_t
-/sbin/raidstart -- system_u:object_r:fsadm_exec_t
-/sbin/raidautorun -- system_u:object_r:fsadm_exec_t
-/sbin/mkraid -- system_u:object_r:fsadm_exec_t
-/sbin/blockdev -- system_u:object_r:fsadm_exec_t
-/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
-/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
-/sbin/lsraid -- system_u:object_r:fsadm_exec_t
-/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
-/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
-/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
-/usr/bin/raw -- system_u:object_r:fsadm_exec_t
-/sbin/partx -- system_u:object_r:fsadm_exec_t
-/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
-/sbin/partprobe -- system_u:object_r:fsadm_exec_t
-/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
deleted file mode 100644
index c75f7f19..00000000
--- a/strict/file_contexts/program/ftpd.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# ftpd
-/usr/sbin/in\.ftpd -- system_u:object_r:ftpd_exec_t
-/usr/sbin/proftpd -- system_u:object_r:ftpd_exec_t
-/usr/sbin/muddleftpd -- system_u:object_r:ftpd_exec_t
-/usr/sbin/ftpwho -- system_u:object_r:ftpd_exec_t
-/usr/kerberos/sbin/ftpd -- system_u:object_r:ftpd_exec_t
-/usr/sbin/vsftpd -- system_u:object_r:ftpd_exec_t
-/etc/proftpd\.conf -- system_u:object_r:ftpd_etc_t
-/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t
-/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
-/var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t
-/var/log/xferlog.* -- system_u:object_r:xferlog_t
-/var/log/vsftpd.* -- system_u:object_r:xferlog_t
-/var/log/xferreport.* -- system_u:object_r:xferlog_t
-/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t
-/var/ftp(/.*)? system_u:object_r:public_content_t
-/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t
diff --git a/strict/file_contexts/program/games.fc b/strict/file_contexts/program/games.fc
deleted file mode 100644
index 3465eeee..00000000
--- a/strict/file_contexts/program/games.fc
+++ /dev/null
@@ -1,61 +0,0 @@
-# games
-/usr/lib/games(/.*)? system_u:object_r:games_exec_t
-/var/lib/games(/.*)? system_u:object_r:games_data_t
-ifdef(`distro_debian', `
-/usr/games/.* -- system_u:object_r:games_exec_t
-/var/games(/.*)? system_u:object_r:games_data_t
-', `
-/usr/bin/micq -- system_u:object_r:games_exec_t
-/usr/bin/blackjack -- system_u:object_r:games_exec_t
-/usr/bin/gataxx -- system_u:object_r:games_exec_t
-/usr/bin/glines -- system_u:object_r:games_exec_t
-/usr/bin/gnect -- system_u:object_r:games_exec_t
-/usr/bin/gnibbles -- system_u:object_r:games_exec_t
-/usr/bin/gnobots2 -- system_u:object_r:games_exec_t
-/usr/bin/gnome-stones -- system_u:object_r:games_exec_t
-/usr/bin/gnomine -- system_u:object_r:games_exec_t
-/usr/bin/gnotravex -- system_u:object_r:games_exec_t
-/usr/bin/gnotski -- system_u:object_r:games_exec_t
-/usr/bin/gtali -- system_u:object_r:games_exec_t
-/usr/bin/iagno -- system_u:object_r:games_exec_t
-/usr/bin/mahjongg -- system_u:object_r:games_exec_t
-/usr/bin/same-gnome -- system_u:object_r:games_exec_t
-/usr/bin/sol -- system_u:object_r:games_exec_t
-/usr/bin/atlantik -- system_u:object_r:games_exec_t
-/usr/bin/kasteroids -- system_u:object_r:games_exec_t
-/usr/bin/katomic -- system_u:object_r:games_exec_t
-/usr/bin/kbackgammon -- system_u:object_r:games_exec_t
-/usr/bin/kbattleship -- system_u:object_r:games_exec_t
-/usr/bin/kblackbox -- system_u:object_r:games_exec_t
-/usr/bin/kbounce -- system_u:object_r:games_exec_t
-/usr/bin/kenolaba -- system_u:object_r:games_exec_t
-/usr/bin/kfouleggs -- system_u:object_r:games_exec_t
-/usr/bin/kgoldrunner -- system_u:object_r:games_exec_t
-/usr/bin/kjumpingcube -- system_u:object_r:games_exec_t
-/usr/bin/klickety -- system_u:object_r:games_exec_t
-/usr/bin/klines -- system_u:object_r:games_exec_t
-/usr/bin/kmahjongg -- system_u:object_r:games_exec_t
-/usr/bin/kmines -- system_u:object_r:games_exec_t
-/usr/bin/kolf -- system_u:object_r:games_exec_t
-/usr/bin/konquest -- system_u:object_r:games_exec_t
-/usr/bin/kpat -- system_u:object_r:games_exec_t
-/usr/bin/kpoker -- system_u:object_r:games_exec_t
-/usr/bin/kreversi -- system_u:object_r:games_exec_t
-/usr/bin/ksame -- system_u:object_r:games_exec_t
-/usr/bin/kshisen -- system_u:object_r:games_exec_t
-/usr/bin/ksirtet -- system_u:object_r:games_exec_t
-/usr/bin/ksmiletris -- system_u:object_r:games_exec_t
-/usr/bin/ksnake -- system_u:object_r:games_exec_t
-/usr/bin/ksokoban -- system_u:object_r:games_exec_t
-/usr/bin/kspaceduel -- system_u:object_r:games_exec_t
-/usr/bin/ktron -- system_u:object_r:games_exec_t
-/usr/bin/ktuberling -- system_u:object_r:games_exec_t
-/usr/bin/kwin4 -- system_u:object_r:games_exec_t
-/usr/bin/kwin4proc -- system_u:object_r:games_exec_t
-/usr/bin/lskat -- system_u:object_r:games_exec_t
-/usr/bin/lskatproc -- system_u:object_r:games_exec_t
-/usr/bin/Maelstrom -- system_u:object_r:games_exec_t
-/usr/bin/civclient.* -- system_u:object_r:games_exec_t
-/usr/bin/civserver.* -- system_u:object_r:games_exec_t
-')dnl end non-Debian section
-
diff --git a/strict/file_contexts/program/gatekeeper.fc b/strict/file_contexts/program/gatekeeper.fc
deleted file mode 100644
index e51491a3..00000000
--- a/strict/file_contexts/program/gatekeeper.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gatekeeper
-/etc/gatekeeper\.ini -- system_u:object_r:gatekeeper_etc_t
-/usr/sbin/gk -- system_u:object_r:gatekeeper_exec_t
-/usr/sbin/gnugk -- system_u:object_r:gatekeeper_exec_t
-/var/run/gk\.pid -- system_u:object_r:gatekeeper_var_run_t
-/var/run/gnugk(/.*)? system_u:object_r:gatekeeper_var_run_t
-/var/log/gnugk(/.*)? system_u:object_r:gatekeeper_log_t
diff --git a/strict/file_contexts/program/gconf.fc b/strict/file_contexts/program/gconf.fc
deleted file mode 100644
index 3ee63e01..00000000
--- a/strict/file_contexts/program/gconf.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/libexec/gconfd-2 -- system_u:object_r:gconfd_exec_t
-/etc/gconf(/.*)? system_u:object_r:gconf_etc_t
-HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_gconfd_home_t
-HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_gconfd_home_t
-/tmp/gconfd-USER(/.*)? system_u:object_r:ROLE_gconfd_tmp_t
diff --git a/strict/file_contexts/program/getty.fc b/strict/file_contexts/program/getty.fc
deleted file mode 100644
index 0da4b32a..00000000
--- a/strict/file_contexts/program/getty.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# getty
-/sbin/.*getty -- system_u:object_r:getty_exec_t
-/etc/mgetty(/.*)? system_u:object_r:getty_etc_t
-/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t
-/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t
diff --git a/strict/file_contexts/program/gift.fc b/strict/file_contexts/program/gift.fc
deleted file mode 100644
index 88ed5f21..00000000
--- a/strict/file_contexts/program/gift.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/(local/)?bin/giftd -- system_u:object_r:giftd_exec_t
-/usr/(local/)?bin/giftui -- system_u:object_r:gift_exec_t
-/usr/(local/)?bin/giFToxic -- system_u:object_r:gift_exec_t
-/usr/(local/)?bin/apollon -- system_u:object_r:gift_exec_t
-HOME_DIR/\.giFT(/.*)? system_u:object_r:ROLE_gift_home_t
diff --git a/strict/file_contexts/program/gnome-pty-helper.fc b/strict/file_contexts/program/gnome-pty-helper.fc
deleted file mode 100644
index 24a0b1bc..00000000
--- a/strict/file_contexts/program/gnome-pty-helper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gnome-pty-helper
-/usr/sbin/gnome-pty-helper -- system_u:object_r:gph_exec_t
-/usr/lib(64)?/vte/gnome-pty-helper -- system_u:object_r:gph_exec_t
diff --git a/strict/file_contexts/program/gnome.fc b/strict/file_contexts/program/gnome.fc
deleted file mode 100644
index 670c86f4..00000000
--- a/strict/file_contexts/program/gnome.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# FIXME: add a lot more GNOME folders
-HOME_DIR/\.gnome(2)?(/.*)? system_u:object_r:ROLE_gnome_settings_t
-HOME_DIR/\.gnome(2)?_private(/.*)? system_u:object_r:ROLE_gnome_secret_t
-ifdef(`evolution.te', `
-HOME_DIR/\.gnome(2)?_private/Evolution -- system_u:object_r:ROLE_evolution_secret_t
-')
-HOME_DIR/\.gnome(2)?/share/fonts(/.*)? system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)? system_u:object_r:ROLE_fonts_t
diff --git a/strict/file_contexts/program/gnome_vfs.fc b/strict/file_contexts/program/gnome_vfs.fc
deleted file mode 100644
index f945d596..00000000
--- a/strict/file_contexts/program/gnome_vfs.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/gnome-vfs-daemon -- system_u:object_r:gnome_vfs_exec_t
diff --git a/strict/file_contexts/program/gpg-agent.fc b/strict/file_contexts/program/gpg-agent.fc
deleted file mode 100644
index bb25b636..00000000
--- a/strict/file_contexts/program/gpg-agent.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gpg-agent
-/usr/bin/gpg-agent -- system_u:object_r:gpg_agent_exec_t
-/usr/bin/pinentry.* -- system_u:object_r:pinentry_exec_t
diff --git a/strict/file_contexts/program/gpg.fc b/strict/file_contexts/program/gpg.fc
deleted file mode 100644
index 650df0cf..00000000
--- a/strict/file_contexts/program/gpg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gpg
-HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg(2)? -- system_u:object_r:gpg_exec_t
-/usr/bin/kgpg -- system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
-
diff --git a/strict/file_contexts/program/gpm.fc b/strict/file_contexts/program/gpm.fc
deleted file mode 100644
index b6818819..00000000
--- a/strict/file_contexts/program/gpm.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# gpm
-/dev/gpmctl -s system_u:object_r:gpmctl_t
-/dev/gpmdata -p system_u:object_r:gpmctl_t
-/usr/sbin/gpm -- system_u:object_r:gpm_exec_t
-/etc/gpm(/.*)? system_u:object_r:gpm_conf_t
diff --git a/strict/file_contexts/program/groupadd.fc b/strict/file_contexts/program/groupadd.fc
deleted file mode 100644
index e69de29b..00000000
diff --git a/strict/file_contexts/program/hald.fc b/strict/file_contexts/program/hald.fc
deleted file mode 100644
index ca142cf1..00000000
--- a/strict/file_contexts/program/hald.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# hald - hardware information daemon
-/usr/sbin/hald -- system_u:object_r:hald_exec_t
-/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
-/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t
-/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t
-/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/hostname.fc b/strict/file_contexts/program/hostname.fc
deleted file mode 100644
index 685e74e7..00000000
--- a/strict/file_contexts/program/hostname.fc
+++ /dev/null
@@ -1 +0,0 @@
-/bin/hostname -- system_u:object_r:hostname_exec_t
diff --git a/strict/file_contexts/program/hotplug.fc b/strict/file_contexts/program/hotplug.fc
deleted file mode 100644
index 78f844b3..00000000
--- a/strict/file_contexts/program/hotplug.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# hotplug
-/etc/hotplug(/.*)? system_u:object_r:hotplug_etc_t
-/sbin/hotplug -- system_u:object_r:hotplug_exec_t
-/sbin/netplugd -- system_u:object_r:hotplug_exec_t
-/etc/hotplug\.d/.* -- system_u:object_r:hotplug_exec_t
-/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t
-/etc/netplug\.d(/.*)? system_u:object_r:sbin_t
-/etc/hotplug/.*agent -- system_u:object_r:sbin_t
-/etc/hotplug/.*rc -- system_u:object_r:sbin_t
-/etc/hotplug/hotplug\.functions -- system_u:object_r:sbin_t
-/var/run/usb(/.*)? system_u:object_r:hotplug_var_run_t
-/var/run/hotplug(/.*)? system_u:object_r:hotplug_var_run_t
-/etc/hotplug/firmware.agent -- system_u:object_r:hotplug_exec_t
diff --git a/strict/file_contexts/program/howl.fc b/strict/file_contexts/program/howl.fc
deleted file mode 100644
index bbdb03fb..00000000
--- a/strict/file_contexts/program/howl.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/nifd -- system_u:object_r:howl_exec_t
-/usr/bin/mDNSResponder -- system_u:object_r:howl_exec_t
-/var/run/nifd\.pid -- system_u:object_r:howl_var_run_t
diff --git a/strict/file_contexts/program/hwclock.fc b/strict/file_contexts/program/hwclock.fc
deleted file mode 100644
index 2193e159..00000000
--- a/strict/file_contexts/program/hwclock.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# hwclock
-/sbin/hwclock -- system_u:object_r:hwclock_exec_t
-/etc/adjtime -- system_u:object_r:adjtime_t
diff --git a/strict/file_contexts/program/i18n_input.fc b/strict/file_contexts/program/i18n_input.fc
deleted file mode 100644
index 5403e2b3..00000000
--- a/strict/file_contexts/program/i18n_input.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# i18n_input.fc
-/usr/sbin/htt -- system_u:object_r:i18n_input_exec_t
-/usr/sbin/htt_server -- system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimd\.bin -- system_u:object_r:i18n_input_exec_t
-/usr/bin/httx -- system_u:object_r:i18n_input_exec_t
-/usr/bin/htt_xbe -- system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimx -- system_u:object_r:i18n_input_exec_t
-/usr/lib/iiim/iiim-xbe -- system_u:object_r:i18n_input_exec_t
-/usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t
-/usr/lib(64)?/iiim/.*\.so.* -- system_u:object_r:shlib_t
-/var/run/iiim(/.*)? system_u:object_r:i18n_input_var_run_t
diff --git a/strict/file_contexts/program/iceauth.fc b/strict/file_contexts/program/iceauth.fc
deleted file mode 100644
index 31bf1f3d..00000000
--- a/strict/file_contexts/program/iceauth.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# iceauth
-/usr/X11R6/bin/iceauth -- system_u:object_r:iceauth_exec_t
-HOME_DIR/\.ICEauthority.* -- system_u:object_r:ROLE_iceauth_home_t
diff --git a/strict/file_contexts/program/ifconfig.fc b/strict/file_contexts/program/ifconfig.fc
deleted file mode 100644
index 547558e1..00000000
--- a/strict/file_contexts/program/ifconfig.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# ifconfig
-/sbin/ifconfig -- system_u:object_r:ifconfig_exec_t
-/sbin/iwconfig -- system_u:object_r:ifconfig_exec_t
-/sbin/ip -- system_u:object_r:ifconfig_exec_t
-/sbin/tc -- system_u:object_r:ifconfig_exec_t
-/usr/sbin/tc -- system_u:object_r:ifconfig_exec_t
-/bin/ip -- system_u:object_r:ifconfig_exec_t
-/sbin/ethtool -- system_u:object_r:ifconfig_exec_t
-/sbin/mii-tool -- system_u:object_r:ifconfig_exec_t
-/sbin/ipx_interface -- system_u:object_r:ifconfig_exec_t
-/sbin/ipx_configure -- system_u:object_r:ifconfig_exec_t
-/sbin/ipx_internal_net -- system_u:object_r:ifconfig_exec_t
diff --git a/strict/file_contexts/program/imazesrv.fc b/strict/file_contexts/program/imazesrv.fc
deleted file mode 100644
index dae194eb..00000000
--- a/strict/file_contexts/program/imazesrv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# imazesrv
-/usr/share/games/imaze(/.*)? system_u:object_r:imazesrv_data_t
-/usr/games/imazesrv -- system_u:object_r:imazesrv_exec_t
-/var/log/imaze\.log -- system_u:object_r:imazesrv_log_t
diff --git a/strict/file_contexts/program/inetd.fc b/strict/file_contexts/program/inetd.fc
deleted file mode 100644
index 64b8c6c5..00000000
--- a/strict/file_contexts/program/inetd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# inetd
-/usr/sbin/inetd -- system_u:object_r:inetd_exec_t
-/usr/sbin/xinetd -- system_u:object_r:inetd_exec_t
-/usr/sbin/rlinetd -- system_u:object_r:inetd_exec_t
-/usr/sbin/identd -- system_u:object_r:inetd_child_exec_t
-/usr/sbin/in\..*d -- system_u:object_r:inetd_child_exec_t
-/var/log/(x)?inetd\.log -- system_u:object_r:inetd_log_t
-/var/run/inetd\.pid -- system_u:object_r:inetd_var_run_t
diff --git a/strict/file_contexts/program/init.fc b/strict/file_contexts/program/init.fc
deleted file mode 100644
index 6342ad46..00000000
--- a/strict/file_contexts/program/init.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# init
-/dev/initctl -p system_u:object_r:initctl_t
-/sbin/init -- system_u:object_r:init_exec_t
diff --git a/strict/file_contexts/program/initrc.fc b/strict/file_contexts/program/initrc.fc
deleted file mode 100644
index 45ea6cfc..00000000
--- a/strict/file_contexts/program/initrc.fc
+++ /dev/null
@@ -1,48 +0,0 @@
-# init rc scripts
-ifdef(`targeted_policy', `
-/etc/X11/prefdm -- system_u:object_r:bin_t
-', `
-/etc/X11/prefdm -- system_u:object_r:initrc_exec_t
-')
-/etc/rc\.d/rc -- system_u:object_r:initrc_exec_t
-/etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t
-/etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t
-/etc/rc\.d/init\.d/.* -- system_u:object_r:initrc_exec_t
-/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t
-/etc/init\.d/.* -- system_u:object_r:initrc_exec_t
-/etc/init\.d/functions -- system_u:object_r:etc_t
-/var/run/utmp -- system_u:object_r:initrc_var_run_t
-/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t
-/var/run/random-seed -- system_u:object_r:initrc_var_run_t
-/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t
-ifdef(`distro_suse', `
-/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t
-/var/run/keymap -- system_u:object_r:initrc_var_run_t
-/var/run/numlock-on -- system_u:object_r:initrc_var_run_t
-/var/run/setleds-on -- system_u:object_r:initrc_var_run_t
-/var/run/bootsplashctl -p system_u:object_r:initrc_var_run_t
-/etc/init\.d/\.depend.* -- system_u:object_r:etc_runtime_t
-')
-
-ifdef(`distro_gentoo', `
-/sbin/rc -- system_u:object_r:initrc_exec_t
-/sbin/runscript -- system_u:object_r:initrc_exec_t
-/sbin/runscript\.sh -- system_u:object_r:initrc_exec_t
-/var/lib/init\.d(/.*)? system_u:object_r:initrc_state_t
-')
-
-# run_init
-/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
-/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t
-/etc/nologin.* -- system_u:object_r:etc_runtime_t
-/etc/nohotplug -- system_u:object_r:etc_runtime_t
-ifdef(`distro_redhat', `
-/halt -- system_u:object_r:etc_runtime_t
-/fastboot -- system_u:object_r:etc_runtime_t
-/fsckoptions -- system_u:object_r:etc_runtime_t
-/forcefsck -- system_u:object_r:etc_runtime_t
-/poweroff -- system_u:object_r:etc_runtime_t
-/\.autofsck -- system_u:object_r:etc_runtime_t
-/\.autorelabel -- system_u:object_r:etc_runtime_t
-')
-
diff --git a/strict/file_contexts/program/innd.fc b/strict/file_contexts/program/innd.fc
deleted file mode 100644
index f0413f9e..00000000
--- a/strict/file_contexts/program/innd.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# innd
-/usr/sbin/innd.* -- system_u:object_r:innd_exec_t
-/usr/bin/rpost -- system_u:object_r:innd_exec_t
-/usr/bin/suck -- system_u:object_r:innd_exec_t
-/var/run/innd(/.*)? system_u:object_r:innd_var_run_t
-/etc/news(/.*)? system_u:object_r:innd_etc_t
-/etc/news/boot -- system_u:object_r:innd_exec_t
-/var/spool/news(/.*)? system_u:object_r:news_spool_t
-/var/log/news(/.*)? system_u:object_r:innd_log_t
-/var/lib/news(/.*)? system_u:object_r:innd_var_lib_t
-/var/run/news(/.*)? system_u:object_r:innd_var_run_t
-/usr/sbin/in\.nnrpd -- system_u:object_r:innd_exec_t
-/usr/bin/inews -- system_u:object_r:innd_exec_t
-/usr/bin/rnews -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/news/bin/innd -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/actsync -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/archive -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/batcher -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/buffchan -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/convdate -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/ctlinnd -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/cvtbatch -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/expire -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/expireover -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/fastrm -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/filechan -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/getlist -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/grephistory -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/inews -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innconfval -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/inndf -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/inndstart -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innfeed -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innxbatch -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innxmit -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/makedbz -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/makehistory -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/newsrequeue -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/nnrpd -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/nntpget -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/ovdb_recover -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/overchan -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/prunehistory -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/rnews -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/shlock -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/shrinkfile -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/sm -- system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/startinnfeed -- system_u:object_r:innd_exec_t
diff --git a/strict/file_contexts/program/ipsec.fc b/strict/file_contexts/program/ipsec.fc
deleted file mode 100644
index e915b75f..00000000
--- a/strict/file_contexts/program/ipsec.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-# IPSEC utilities and daemon.
-
-/etc/ipsec\.secrets -- system_u:object_r:ipsec_key_file_t
-/etc/ipsec\.conf -- system_u:object_r:ipsec_conf_file_t
-/etc/ipsec\.d(/.*)? system_u:object_r:ipsec_key_file_t
-/etc/ipsec\.d/examples(/.*)? system_u:object_r:etc_t
-/usr/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t
-/usr/lib(64)?/ipsec/_plutoload -- system_u:object_r:ipsec_mgmt_exec_t
-/usr/lib(64)?/ipsec/_plutorun -- system_u:object_r:ipsec_mgmt_exec_t
-/usr/local/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t
-/usr/libexec/ipsec/eroute -- system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/pluto -- system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/spi -- system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
-/var/run/pluto(/.*)? system_u:object_r:ipsec_var_run_t
-/var/racoon(/.*)? system_u:object_r:ipsec_var_run_t
-
-# Kame
-/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t
-/usr/sbin/setkey -- system_u:object_r:ipsec_exec_t
-/sbin/setkey -- system_u:object_r:ipsec_exec_t
-/etc/racoon(/.*)? system_u:object_r:ipsec_conf_file_t
-/etc/racoon/certs(/.*)? system_u:object_r:ipsec_key_file_t
-/etc/racoon/psk\.txt -- system_u:object_r:ipsec_key_file_t
diff --git a/strict/file_contexts/program/iptables.fc b/strict/file_contexts/program/iptables.fc
deleted file mode 100644
index 3dcde2e7..00000000
--- a/strict/file_contexts/program/iptables.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# iptables
-/sbin/ipchains.* -- system_u:object_r:iptables_exec_t
-/sbin/iptables.* -- system_u:object_r:iptables_exec_t
-/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t
-/usr/sbin/ipchains.* -- system_u:object_r:iptables_exec_t
-/usr/sbin/iptables.* -- system_u:object_r:iptables_exec_t
-/usr/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t
-
diff --git a/strict/file_contexts/program/irc.fc b/strict/file_contexts/program/irc.fc
deleted file mode 100644
index 9f52efb2..00000000
--- a/strict/file_contexts/program/irc.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# irc clients
-/usr/bin/[st]irc -- system_u:object_r:irc_exec_t
-/usr/bin/ircII -- system_u:object_r:irc_exec_t
-/usr/bin/tinyirc -- system_u:object_r:irc_exec_t
-HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t
diff --git a/strict/file_contexts/program/ircd.fc b/strict/file_contexts/program/ircd.fc
deleted file mode 100644
index 2ef668cc..00000000
--- a/strict/file_contexts/program/ircd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# ircd - irc server
-/usr/sbin/(dancer-)?ircd -- system_u:object_r:ircd_exec_t
-/etc/(dancer-)?ircd(/.*)? system_u:object_r:ircd_etc_t
-/var/log/(dancer-)?ircd(/.*)? system_u:object_r:ircd_log_t
-/var/lib/dancer-ircd(/.*)? system_u:object_r:ircd_var_lib_t
-/var/run/dancer-ircd(/.*)? system_u:object_r:ircd_var_run_t
diff --git a/strict/file_contexts/program/irqbalance.fc b/strict/file_contexts/program/irqbalance.fc
deleted file mode 100644
index c8494912..00000000
--- a/strict/file_contexts/program/irqbalance.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# irqbalance
-/usr/sbin/irqbalance -- system_u:object_r:irqbalance_exec_t
diff --git a/strict/file_contexts/program/jabberd.fc b/strict/file_contexts/program/jabberd.fc
deleted file mode 100644
index c614cb89..00000000
--- a/strict/file_contexts/program/jabberd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# jabberd
-/usr/sbin/jabberd -- system_u:object_r:jabberd_exec_t
-/var/lib/jabber(/.*)? system_u:object_r:jabberd_var_lib_t
-/var/log/jabber(/.*)? system_u:object_r:jabberd_log_t
diff --git a/strict/file_contexts/program/java.fc b/strict/file_contexts/program/java.fc
deleted file mode 100644
index 8edf85b2..00000000
--- a/strict/file_contexts/program/java.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# java
-/usr(/.*)?/bin/java.* -- system_u:object_r:java_exec_t
diff --git a/strict/file_contexts/program/kerberos.fc b/strict/file_contexts/program/kerberos.fc
deleted file mode 100644
index 050ecb32..00000000
--- a/strict/file_contexts/program/kerberos.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# MIT Kerberos krbkdc, kadmind
-/etc/krb5\.keytab system_u:object_r:krb5_keytab_t
-/usr(/local)?(/kerberos)?/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t
-/usr(/local)?(/kerberos)?/sbin/kadmind -- system_u:object_r:kadmind_exec_t
-/var/kerberos/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
-/usr/local/var/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
-/var/kerberos/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
-/usr/local/var/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
-/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
-/var/log/kadmind\.log system_u:object_r:kadmind_log_t
-/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
-
-# gentoo file locations
-/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t
-/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t
-/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
-/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
-/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t
-/var/log/kadmin.log -- system_u:object_r:kadmind_log_t
-
diff --git a/strict/file_contexts/program/klogd.fc b/strict/file_contexts/program/klogd.fc
deleted file mode 100644
index c06679de..00000000
--- a/strict/file_contexts/program/klogd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# klogd
-/sbin/klogd -- system_u:object_r:klogd_exec_t
-/usr/sbin/klogd -- system_u:object_r:klogd_exec_t
-/var/run/klogd\.pid -- system_u:object_r:klogd_var_run_t
diff --git a/strict/file_contexts/program/ktalkd.fc b/strict/file_contexts/program/ktalkd.fc
deleted file mode 100644
index 525c7a24..00000000
--- a/strict/file_contexts/program/ktalkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# kde talk daemon
-/usr/bin/ktalkd -- system_u:object_r:ktalkd_exec_t
diff --git a/strict/file_contexts/program/kudzu.fc b/strict/file_contexts/program/kudzu.fc
deleted file mode 100644
index c75870a7..00000000
--- a/strict/file_contexts/program/kudzu.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# kudzu
-/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
-/sbin/kmodule -- system_u:object_r:kudzu_exec_t
-/var/run/Xconfig -- root:object_r:kudzu_var_run_t
diff --git a/strict/file_contexts/program/lcd.fc b/strict/file_contexts/program/lcd.fc
deleted file mode 100644
index 4294d442..00000000
--- a/strict/file_contexts/program/lcd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lcd
-/usr/sbin/lcd.* -- system_u:object_r:lcd_exec_t
diff --git a/strict/file_contexts/program/ldconfig.fc b/strict/file_contexts/program/ldconfig.fc
deleted file mode 100644
index 040a60aa..00000000
--- a/strict/file_contexts/program/ldconfig.fc
+++ /dev/null
@@ -1 +0,0 @@
-/sbin/ldconfig -- system_u:object_r:ldconfig_exec_t
diff --git a/strict/file_contexts/program/load_policy.fc b/strict/file_contexts/program/load_policy.fc
deleted file mode 100644
index 5a8981c3..00000000
--- a/strict/file_contexts/program/load_policy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# load_policy
-/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
-/sbin/load_policy -- system_u:object_r:load_policy_exec_t
diff --git a/strict/file_contexts/program/loadkeys.fc b/strict/file_contexts/program/loadkeys.fc
deleted file mode 100644
index f440f3c3..00000000
--- a/strict/file_contexts/program/loadkeys.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# loadkeys
-/bin/unikeys -- system_u:object_r:loadkeys_exec_t
-/bin/loadkeys -- system_u:object_r:loadkeys_exec_t
diff --git a/strict/file_contexts/program/lockdev.fc b/strict/file_contexts/program/lockdev.fc
deleted file mode 100644
index 9185bec5..00000000
--- a/strict/file_contexts/program/lockdev.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lockdev
-/usr/sbin/lockdev -- system_u:object_r:lockdev_exec_t
diff --git a/strict/file_contexts/program/login.fc b/strict/file_contexts/program/login.fc
deleted file mode 100644
index 2f0ea0c4..00000000
--- a/strict/file_contexts/program/login.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# login
-/bin/login -- system_u:object_r:login_exec_t
-/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t
diff --git a/strict/file_contexts/program/logrotate.fc b/strict/file_contexts/program/logrotate.fc
deleted file mode 100644
index a7c9ea3c..00000000
--- a/strict/file_contexts/program/logrotate.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# logrotate
-/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t
-/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t
-ifdef(`distro_debian', `
-/usr/bin/savelog -- system_u:object_r:logrotate_exec_t
-/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t
-', `
-/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t
-')
-/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
-/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
diff --git a/strict/file_contexts/program/lpd.fc b/strict/file_contexts/program/lpd.fc
deleted file mode 100644
index eb9f8d98..00000000
--- a/strict/file_contexts/program/lpd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# lpd
-/dev/printer -s system_u:object_r:printer_t
-/usr/sbin/lpd -- system_u:object_r:lpd_exec_t
-/usr/sbin/checkpc -- system_u:object_r:checkpc_exec_t
-/var/spool/lpd(/.*)? system_u:object_r:print_spool_t
-/usr/share/printconf/.* -- system_u:object_r:printconf_t
-/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t
-/var/run/lprng(/.*)? system_u:object_r:lpd_var_run_t
diff --git a/strict/file_contexts/program/lpr.fc b/strict/file_contexts/program/lpr.fc
deleted file mode 100644
index 618ddcc2..00000000
--- a/strict/file_contexts/program/lpr.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# lp utilities.
-/usr/bin/lpr(\.cups)? -- system_u:object_r:lpr_exec_t
-/usr/bin/lpq(\.cups)? -- system_u:object_r:lpr_exec_t
-/usr/bin/lprm(\.cups)? -- system_u:object_r:lpr_exec_t
diff --git a/strict/file_contexts/program/lrrd.fc b/strict/file_contexts/program/lrrd.fc
deleted file mode 100644
index 08494fc9..00000000
--- a/strict/file_contexts/program/lrrd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# lrrd
-/usr/bin/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/sbin/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/plugins/.* -- system_u:object_r:lrrd_exec_t
-/var/run/lrrd(/.*)? system_u:object_r:lrrd_var_run_t
-/var/log/lrrd.* -- system_u:object_r:lrrd_log_t
-/var/lib/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t
-/var/www/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t
-/etc/lrrd(/.*)? system_u:object_r:lrrd_etc_t
diff --git a/strict/file_contexts/program/lvm.fc b/strict/file_contexts/program/lvm.fc
deleted file mode 100644
index 648beb05..00000000
--- a/strict/file_contexts/program/lvm.fc
+++ /dev/null
@@ -1,69 +0,0 @@
-# lvm
-/sbin/lvmiopversion -- system_u:object_r:lvm_exec_t
-/etc/lvm(/.*)? system_u:object_r:lvm_etc_t
-/etc/lvm/\.cache -- system_u:object_r:lvm_metadata_t
-/etc/lvm/archive(/.*)? system_u:object_r:lvm_metadata_t
-/etc/lvm/backup(/.*)? system_u:object_r:lvm_metadata_t
-/etc/lvmtab(/.*)? system_u:object_r:lvm_metadata_t
-/etc/lvmtab\.d(/.*)? system_u:object_r:lvm_metadata_t
-# LVM creates lock files in /var before /var is mounted
-# configure LVM to put lockfiles in /etc/lvm/lock instead
-# for this policy to work (unless you have no separate /var)
-/etc/lvm/lock(/.*)? system_u:object_r:lvm_lock_t
-/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t
-/dev/lvm -c system_u:object_r:fixed_disk_device_t
-/dev/mapper/control -c system_u:object_r:lvm_control_t
-/lib/lvm-10/.* -- system_u:object_r:lvm_exec_t
-/lib/lvm-200/.* -- system_u:object_r:lvm_exec_t
-/sbin/e2fsadm -- system_u:object_r:lvm_exec_t
-/sbin/lvchange -- system_u:object_r:lvm_exec_t
-/sbin/lvcreate -- system_u:object_r:lvm_exec_t
-/sbin/lvdisplay -- system_u:object_r:lvm_exec_t
-/sbin/lvextend -- system_u:object_r:lvm_exec_t
-/sbin/lvmchange -- system_u:object_r:lvm_exec_t
-/sbin/lvmdiskscan -- system_u:object_r:lvm_exec_t
-/sbin/lvmsadc -- system_u:object_r:lvm_exec_t
-/sbin/lvmsar -- system_u:object_r:lvm_exec_t
-/sbin/lvreduce -- system_u:object_r:lvm_exec_t
-/sbin/lvremove -- system_u:object_r:lvm_exec_t
-/sbin/lvrename -- system_u:object_r:lvm_exec_t
-/sbin/lvscan -- system_u:object_r:lvm_exec_t
-/sbin/pvchange -- system_u:object_r:lvm_exec_t
-/sbin/pvcreate -- system_u:object_r:lvm_exec_t
-/sbin/pvdata -- system_u:object_r:lvm_exec_t
-/sbin/pvdisplay -- system_u:object_r:lvm_exec_t
-/sbin/pvmove -- system_u:object_r:lvm_exec_t
-/sbin/pvscan -- system_u:object_r:lvm_exec_t
-/sbin/vgcfgbackup -- system_u:object_r:lvm_exec_t
-/sbin/vgcfgrestore -- system_u:object_r:lvm_exec_t
-/sbin/vgchange -- system_u:object_r:lvm_exec_t
-/sbin/vgchange\.static -- system_u:object_r:lvm_exec_t
-/sbin/vgck -- system_u:object_r:lvm_exec_t
-/sbin/vgcreate -- system_u:object_r:lvm_exec_t
-/sbin/vgdisplay -- system_u:object_r:lvm_exec_t
-/sbin/vgexport -- system_u:object_r:lvm_exec_t
-/sbin/vgextend -- system_u:object_r:lvm_exec_t
-/sbin/vgimport -- system_u:object_r:lvm_exec_t
-/sbin/vgmerge -- system_u:object_r:lvm_exec_t
-/sbin/vgmknodes -- system_u:object_r:lvm_exec_t
-/sbin/vgreduce -- system_u:object_r:lvm_exec_t
-/sbin/vgremove -- system_u:object_r:lvm_exec_t
-/sbin/vgrename -- system_u:object_r:lvm_exec_t
-/sbin/vgscan -- system_u:object_r:lvm_exec_t
-/sbin/vgscan\.static -- system_u:object_r:lvm_exec_t
-/sbin/vgsplit -- system_u:object_r:lvm_exec_t
-/sbin/vgwrapper -- system_u:object_r:lvm_exec_t
-/sbin/cryptsetup -- system_u:object_r:lvm_exec_t
-/sbin/dmsetup -- system_u:object_r:lvm_exec_t
-/sbin/dmsetup\.static -- system_u:object_r:lvm_exec_t
-/sbin/lvm -- system_u:object_r:lvm_exec_t
-/sbin/lvm\.static -- system_u:object_r:lvm_exec_t
-/usr/sbin/lvm -- system_u:object_r:lvm_exec_t
-/sbin/lvresize -- system_u:object_r:lvm_exec_t
-/sbin/lvs -- system_u:object_r:lvm_exec_t
-/sbin/pvremove -- system_u:object_r:lvm_exec_t
-/sbin/pvs -- system_u:object_r:lvm_exec_t
-/sbin/vgs -- system_u:object_r:lvm_exec_t
-/sbin/multipathd -- system_u:object_r:lvm_exec_t
-/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
-/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t
diff --git a/strict/file_contexts/program/mailman.fc b/strict/file_contexts/program/mailman.fc
deleted file mode 100644
index 68fa8dd6..00000000
--- a/strict/file_contexts/program/mailman.fc
+++ /dev/null
@@ -1,24 +0,0 @@
-# mailman list server
-/var/lib/mailman(/.*)? system_u:object_r:mailman_data_t
-/var/log/mailman(/.*)? system_u:object_r:mailman_log_t
-/usr/lib/mailman/cron/.* -- system_u:object_r:mailman_queue_exec_t
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
-/var/run/mailman(/.*)? system_u:object_r:mailman_lock_t
-/var/lib/mailman/archives(/.*)? system_u:object_r:mailman_archive_t
-
-ifdef(`distro_debian', `
-/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
-/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
-/usr/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
-/etc/cron\.daily/mailman -- system_u:object_r:mailman_queue_exec_t
-/etc/cron\.monthly/mailman -- system_u:object_r:mailman_queue_exec_t
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t
-/var/lock/mailman(/.*)? system_u:object_r:mailman_lock_t
-/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/qrunner -- system_u:object_r:mailman_queue_exec_t
-/etc/mailman(/.*)? system_u:object_r:mailman_data_t
-/var/spool/mailman(/.*)? system_u:object_r:mailman_data_t
-')
diff --git a/strict/file_contexts/program/mdadm.fc b/strict/file_contexts/program/mdadm.fc
deleted file mode 100644
index 6f295ca7..00000000
--- a/strict/file_contexts/program/mdadm.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# mdadm - manage MD devices aka Linux Software Raid.
-/sbin/mdmpd -- system_u:object_r:mdadm_exec_t
-/sbin/mdadm -- system_u:object_r:mdadm_exec_t
-/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
diff --git a/strict/file_contexts/program/modutil.fc b/strict/file_contexts/program/modutil.fc
deleted file mode 100644
index 8fd81e12..00000000
--- a/strict/file_contexts/program/modutil.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# module utilities
-/etc/modules\.conf.* -- system_u:object_r:modules_conf_t
-/etc/modprobe\.conf.* -- system_u:object_r:modules_conf_t
-/lib(64)?/modules/modprobe\.conf -- system_u:object_r:modules_conf_t
-/lib(64)?/modules(/.*)? system_u:object_r:modules_object_t
-/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t
-/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t
-/sbin/depmod.* -- system_u:object_r:depmod_exec_t
-/sbin/modprobe.* -- system_u:object_r:insmod_exec_t
-/sbin/insmod.* -- system_u:object_r:insmod_exec_t
-/sbin/insmod_ksymoops_clean -- system_u:object_r:sbin_t
-/sbin/rmmod.* -- system_u:object_r:insmod_exec_t
-/sbin/update-modules -- system_u:object_r:update_modules_exec_t
-/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t
diff --git a/strict/file_contexts/program/monopd.fc b/strict/file_contexts/program/monopd.fc
deleted file mode 100644
index 457493e2..00000000
--- a/strict/file_contexts/program/monopd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# monopd
-/etc/monopd\.conf -- system_u:object_r:monopd_etc_t
-/usr/sbin/monopd -- system_u:object_r:monopd_exec_t
-/usr/share/monopd/games(/.*)? system_u:object_r:monopd_share_t
diff --git a/strict/file_contexts/program/mount.fc b/strict/file_contexts/program/mount.fc
deleted file mode 100644
index 7b1ca140..00000000
--- a/strict/file_contexts/program/mount.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# mount
-/bin/mount.* -- system_u:object_r:mount_exec_t
-/bin/umount.* -- system_u:object_r:mount_exec_t
diff --git a/strict/file_contexts/program/mozilla.fc b/strict/file_contexts/program/mozilla.fc
deleted file mode 100644
index 2b533a62..00000000
--- a/strict/file_contexts/program/mozilla.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# netscape/mozilla
-HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t
-/usr/bin/netscape -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-snapshot -- system_u:object_r:mozilla_exec_t
-/usr/bin/epiphany-bin -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-[0-9].* -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-bin-[0-9].* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/reg.+ -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/firefox[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- system_u:object_r:bin_t
-/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --git a/strict/file_contexts/program/mplayer.fc b/strict/file_contexts/program/mplayer.fc
deleted file mode 100644
index 10465aa5..00000000
--- a/strict/file_contexts/program/mplayer.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# mplayer
-/usr/bin/mplayer -- system_u:object_r:mplayer_exec_t
-/usr/bin/mencoder -- system_u:object_r:mencoder_exec_t
-
-/etc/mplayer(/.*)? system_u:object_r:mplayer_etc_t
-HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_home_t
diff --git a/strict/file_contexts/program/mrtg.fc b/strict/file_contexts/program/mrtg.fc
deleted file mode 100644
index adfecff5..00000000
--- a/strict/file_contexts/program/mrtg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# mrtg - traffic grapher
-/usr/bin/mrtg -- system_u:object_r:mrtg_exec_t
-/var/lib/mrtg(/.*)? system_u:object_r:mrtg_var_lib_t
-/var/lock/mrtg(/.*)? system_u:object_r:mrtg_lock_t
-/etc/mrtg.* system_u:object_r:mrtg_etc_t
-/etc/mrtg/mrtg\.ok -- system_u:object_r:mrtg_lock_t
-/var/log/mrtg(/.*)? system_u:object_r:mrtg_log_t
diff --git a/strict/file_contexts/program/mta.fc b/strict/file_contexts/program/mta.fc
deleted file mode 100644
index 88aa3f63..00000000
--- a/strict/file_contexts/program/mta.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# types for general mail servers
-/usr/sbin/sendmail(.sendmail)? -- system_u:object_r:sendmail_exec_t
-/usr/lib(64)?/sendmail -- system_u:object_r:sendmail_exec_t
-/etc/aliases -- system_u:object_r:etc_aliases_t
-/etc/aliases\.db -- system_u:object_r:etc_aliases_t
-/var/spool/mail(/.*)? system_u:object_r:mail_spool_t
-/var/mail(/.*)? system_u:object_r:mail_spool_t
-ifdef(`postfix.te', `', `
-/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t
-/var/spool/postfix(/.*)? system_u:object_r:mail_spool_t
-')
-
diff --git a/strict/file_contexts/program/mysqld.fc b/strict/file_contexts/program/mysqld.fc
deleted file mode 100644
index 0ad8746d..00000000
--- a/strict/file_contexts/program/mysqld.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# mysql database server
-/usr/sbin/mysqld(-max)? -- system_u:object_r:mysqld_exec_t
-/usr/libexec/mysqld -- system_u:object_r:mysqld_exec_t
-/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t
-/var/log/mysql.* -- system_u:object_r:mysqld_log_t
-/var/lib/mysql(/.*)? system_u:object_r:mysqld_db_t
-/var/lib/mysql/mysql\.sock -s system_u:object_r:mysqld_var_run_t
-/etc/my\.cnf -- system_u:object_r:mysqld_etc_t
-/etc/mysql(/.*)? system_u:object_r:mysqld_etc_t
-ifdef(`distro_debian', `
-/etc/mysql/debian-start -- system_u:object_r:bin_t
-')
diff --git a/strict/file_contexts/program/nagios.fc b/strict/file_contexts/program/nagios.fc
deleted file mode 100644
index 6a8a22df..00000000
--- a/strict/file_contexts/program/nagios.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# nagios - network monitoring server
-/var/log/netsaint(/.*)? system_u:object_r:nagios_log_t
-/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- system_u:object_r:nagios_cgi_exec_t
-# nagios
-ifdef(`distro_debian', `
-/usr/sbin/nagios -- system_u:object_r:nagios_exec_t
-/usr/lib/cgi-bin/nagios/.+ -- system_u:object_r:nagios_cgi_exec_t
-', `
-/usr/bin/nagios -- system_u:object_r:nagios_exec_t
-/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t
-')
-/etc/nagios(/.*)? system_u:object_r:nagios_etc_t
-/var/log/nagios(/.*)? system_u:object_r:nagios_log_t
-/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/named.fc b/strict/file_contexts/program/named.fc
deleted file mode 100644
index edcbe3ee..00000000
--- a/strict/file_contexts/program/named.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# named
-ifdef(`distro_redhat', `
-/var/named(/.*)? system_u:object_r:named_zone_t
-/var/named/slaves(/.*)? system_u:object_r:named_cache_t
-/var/named/data(/.*)? system_u:object_r:named_cache_t
-/etc/named\.conf -- system_u:object_r:named_conf_t
-') dnl end distro_redhat
-
-ifdef(`distro_debian', `
-/etc/bind(/.*)? system_u:object_r:named_zone_t
-/etc/bind/named\.conf -- system_u:object_r:named_conf_t
-/etc/bind/rndc\.key -- system_u:object_r:dnssec_t
-/var/cache/bind(/.*)? system_u:object_r:named_cache_t
-') dnl distro_debian
-
-/etc/rndc.* -- system_u:object_r:named_conf_t
-/etc/rndc\.key -- system_u:object_r:dnssec_t
-/usr/sbin/named -- system_u:object_r:named_exec_t
-/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t
-/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t
-/var/run/ndc -s system_u:object_r:named_var_run_t
-/var/run/bind(/.*)? system_u:object_r:named_var_run_t
-/var/run/named(/.*)? system_u:object_r:named_var_run_t
-/usr/sbin/lwresd -- system_u:object_r:named_exec_t
-/var/log/named.* -- system_u:object_r:named_log_t
-
-ifdef(`distro_redhat', `
-/var/named/named\.ca -- system_u:object_r:named_conf_t
-/var/named/chroot(/.*)? system_u:object_r:named_conf_t
-/var/named/chroot/dev/null -c system_u:object_r:null_device_t
-/var/named/chroot/dev/random -c system_u:object_r:random_device_t
-/var/named/chroot/dev/zero -c system_u:object_r:zero_device_t
-/var/named/chroot/etc(/.*)? system_u:object_r:named_conf_t
-/var/named/chroot/etc/rndc.key -- system_u:object_r:dnssec_t
-/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t
-/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
-/var/named/chroot/var/named(/.*)? system_u:object_r:named_zone_t
-/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t
-/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t
-/var/named/chroot/var/named/named\.ca -- system_u:object_r:named_conf_t
-') dnl distro_redhat
-
-ifdef(`distro_gentoo', `
-/etc/bind(/.*)? system_u:object_r:named_zone_t
-/etc/bind/named\.conf -- system_u:object_r:named_conf_t
-/etc/bind/rndc\.key -- system_u:object_r:dnssec_t
-/var/bind(/.*)? system_u:object_r:named_cache_t
-/var/bind/pri(/.*)? system_u:object_r:named_zone_t
-') dnl distro_gentoo
diff --git a/strict/file_contexts/program/nessusd.fc b/strict/file_contexts/program/nessusd.fc
deleted file mode 100644
index adec00b2..00000000
--- a/strict/file_contexts/program/nessusd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# nessusd - network scanning server
-/usr/sbin/nessusd -- system_u:object_r:nessusd_exec_t
-/usr/lib(64)?/nessus/plugins/.* -- system_u:object_r:nessusd_exec_t
-/var/lib/nessus(/.*)? system_u:object_r:nessusd_db_t
-/var/log/nessus(/.*)? system_u:object_r:nessusd_log_t
-/etc/nessus/nessusd\.conf -- system_u:object_r:nessusd_etc_t
diff --git a/strict/file_contexts/program/netutils.fc b/strict/file_contexts/program/netutils.fc
deleted file mode 100644
index 7aa06940..00000000
--- a/strict/file_contexts/program/netutils.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# network utilities
-/sbin/arping -- system_u:object_r:netutils_exec_t
-/usr/sbin/tcpdump -- system_u:object_r:netutils_exec_t
-/etc/network/ifstate -- system_u:object_r:etc_runtime_t
diff --git a/strict/file_contexts/program/newrole.fc b/strict/file_contexts/program/newrole.fc
deleted file mode 100644
index 5535bdef..00000000
--- a/strict/file_contexts/program/newrole.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# newrole
-/usr/bin/newrole -- system_u:object_r:newrole_exec_t
diff --git a/strict/file_contexts/program/nrpe.fc b/strict/file_contexts/program/nrpe.fc
deleted file mode 100644
index 6523cc33..00000000
--- a/strict/file_contexts/program/nrpe.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nrpe
-/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t
-/etc/nagios/nrpe\.cfg -- system_u:object_r:nrpe_etc_t
-ifdef(`nagios.te', `', `
-/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
-')
diff --git a/strict/file_contexts/program/nscd.fc b/strict/file_contexts/program/nscd.fc
deleted file mode 100644
index 5c39b461..00000000
--- a/strict/file_contexts/program/nscd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nscd
-/usr/sbin/nscd -- system_u:object_r:nscd_exec_t
-/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t
-/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t
-/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t
-/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t
-/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t
diff --git a/strict/file_contexts/program/nsd.fc b/strict/file_contexts/program/nsd.fc
deleted file mode 100644
index 43b49fe1..00000000
--- a/strict/file_contexts/program/nsd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# nsd
-/etc/nsd(/.*)? system_u:object_r:nsd_conf_t
-/etc/nsd/primary(/.*)? system_u:object_r:nsd_zone_t
-/etc/nsd/secondary(/.*)? system_u:object_r:nsd_zone_t
-/etc/nsd/nsd\.db -- system_u:object_r:nsd_db_t
-/var/lib/nsd(/.*)? system_u:object_r:nsd_zone_t
-/var/lib/nsd/nsd\.db -- system_u:object_r:nsd_db_t
-/usr/sbin/nsd -- system_u:object_r:nsd_exec_t
-/usr/sbin/nsdc -- system_u:object_r:nsd_exec_t
-/usr/sbin/nsd-notify -- system_u:object_r:nsd_exec_t
-/usr/sbin/zonec -- system_u:object_r:nsd_exec_t
-/var/run/nsd\.pid -- system_u:object_r:nsd_var_run_t
diff --git a/strict/file_contexts/program/ntpd.fc b/strict/file_contexts/program/ntpd.fc
deleted file mode 100644
index 84dd7b93..00000000
--- a/strict/file_contexts/program/ntpd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
-/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
-/etc/ntp(d)?\.conf.* -- system_u:object_r:net_conf_t
-/etc/ntp/step-tickers.* -- system_u:object_r:net_conf_t
-/usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t
-/usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t
-/var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t
-/var/log/ntp.* -- system_u:object_r:ntpd_log_t
-/var/log/xntpd.* -- system_u:object_r:ntpd_log_t
-/var/run/ntpd\.pid -- system_u:object_r:ntpd_var_run_t
-/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t
-/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t
diff --git a/strict/file_contexts/program/nx_server.fc b/strict/file_contexts/program/nx_server.fc
deleted file mode 100644
index d9936465..00000000
--- a/strict/file_contexts/program/nx_server.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# nx
-/opt/NX/bin/nxserver -- system_u:object_r:nx_server_exec_t
-/opt/NX/var(/.*)? system_u:object_r:nx_server_var_run_t
-/opt/NX/home/nx/\.ssh(/.*)? system_u:object_r:nx_server_home_ssh_t
-
diff --git a/strict/file_contexts/program/oav-update.fc b/strict/file_contexts/program/oav-update.fc
deleted file mode 100644
index 5e88a02c..00000000
--- a/strict/file_contexts/program/oav-update.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t
-/var/lib/oav-update(/.*)? system_u:object_r:oav_update_var_lib_t
-/usr/sbin/oav-update -- system_u:object_r:oav_update_exec_t
-/etc/oav-update(/.*)? system_u:object_r:oav_update_etc_t
diff --git a/strict/file_contexts/program/openca-ca.fc b/strict/file_contexts/program/openca-ca.fc
deleted file mode 100644
index 99ddefe6..00000000
--- a/strict/file_contexts/program/openca-ca.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/openca(/.*)? system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t
-/usr/share/openca/cgi-bin/ca/.+ -- system_u:object_r:openca_ca_exec_t
diff --git a/strict/file_contexts/program/openca-common.fc b/strict/file_contexts/program/openca-common.fc
deleted file mode 100644
index b75952f9..00000000
--- a/strict/file_contexts/program/openca-common.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/openca(/.*)? system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t
diff --git a/strict/file_contexts/program/openct.fc b/strict/file_contexts/program/openct.fc
deleted file mode 100644
index 43d656e6..00000000
--- a/strict/file_contexts/program/openct.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/sbin/openct-control -- system_u:object_r:openct_exec_t
-/var/run/openct(/.*)? system_u:object_r:openct_var_run_t
diff --git a/strict/file_contexts/program/openvpn.fc b/strict/file_contexts/program/openvpn.fc
deleted file mode 100644
index 34b2992f..00000000
--- a/strict/file_contexts/program/openvpn.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# OpenVPN
-
-/etc/openvpn/.* -- system_u:object_r:openvpn_etc_t
-/usr/sbin/openvpn -- system_u:object_r:openvpn_exec_t
diff --git a/strict/file_contexts/program/orbit.fc b/strict/file_contexts/program/orbit.fc
deleted file mode 100644
index 4afbc83a..00000000
--- a/strict/file_contexts/program/orbit.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/tmp/orbit-USER(-.*)? -d system_u:object_r:ROLE_orbit_tmp_t
-/tmp/orbit-USER(-.*)?/linc.* -s <>
-/tmp/orbit-USER(-.*)?/bonobo.* -- system_u:object_r:ROLE_orbit_tmp_t
diff --git a/strict/file_contexts/program/pam.fc b/strict/file_contexts/program/pam.fc
deleted file mode 100644
index 7209276e..00000000
--- a/strict/file_contexts/program/pam.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/var/run/sudo(/.*)? system_u:object_r:pam_var_run_t
-/sbin/pam_timestamp_check -- system_u:object_r:pam_exec_t
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t
diff --git a/strict/file_contexts/program/pamconsole.fc b/strict/file_contexts/program/pamconsole.fc
deleted file mode 100644
index 75c8c55c..00000000
--- a/strict/file_contexts/program/pamconsole.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# pam_console_apply
-/sbin/pam_console_apply -- system_u:object_r:pam_console_exec_t
-/var/run/console(/.*)? system_u:object_r:pam_var_console_t
diff --git a/strict/file_contexts/program/passwd.fc b/strict/file_contexts/program/passwd.fc
deleted file mode 100644
index e8d3d065..00000000
--- a/strict/file_contexts/program/passwd.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# spasswd
-/usr/bin/passwd -- system_u:object_r:passwd_exec_t
-/usr/bin/chage -- system_u:object_r:passwd_exec_t
-/usr/bin/chsh -- system_u:object_r:chfn_exec_t
-/usr/bin/chfn -- system_u:object_r:chfn_exec_t
-/usr/sbin/vipw -- system_u:object_r:admin_passwd_exec_t
-/usr/sbin/vigr -- system_u:object_r:admin_passwd_exec_t
-/usr/bin/vipw -- system_u:object_r:admin_passwd_exec_t
-/usr/bin/vigr -- system_u:object_r:admin_passwd_exec_t
-/usr/sbin/pwconv -- system_u:object_r:admin_passwd_exec_t
-/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t
-/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t
-/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t
diff --git a/strict/file_contexts/program/pegasus.fc b/strict/file_contexts/program/pegasus.fc
deleted file mode 100644
index d81b968b..00000000
--- a/strict/file_contexts/program/pegasus.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
-/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t
-/usr/sbin/cimconfig -- system_u:object_r:pegasus_conf_exec_t
-/usr/sbin/cimuser -- system_u:object_r:pegasus_conf_exec_t
-/usr/sbin/cimauth -- system_u:object_r:pegasus_conf_exec_t
-/usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t
-/usr/lib(64)?/Pegasus/providers/.*\.so.* system_u:object_r:shlib_t
-/etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t
-/var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t
-/var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t
-/usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t
diff --git a/strict/file_contexts/program/perdition.fc b/strict/file_contexts/program/perdition.fc
deleted file mode 100644
index a2d2adba..00000000
--- a/strict/file_contexts/program/perdition.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# perdition POP and IMAP proxy
-/usr/sbin/perdition -- system_u:object_r:perdition_exec_t
-/etc/perdition(/.*)? system_u:object_r:perdition_etc_t
diff --git a/strict/file_contexts/program/ping.fc b/strict/file_contexts/program/ping.fc
deleted file mode 100644
index f37874f1..00000000
--- a/strict/file_contexts/program/ping.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# ping
-/bin/ping.* -- system_u:object_r:ping_exec_t
-/usr/sbin/hping2 -- system_u:object_r:ping_exec_t
diff --git a/strict/file_contexts/program/portmap.fc b/strict/file_contexts/program/portmap.fc
deleted file mode 100644
index 4417c85a..00000000
--- a/strict/file_contexts/program/portmap.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# portmap
-/sbin/portmap -- system_u:object_r:portmap_exec_t
-ifdef(`distro_debian', `
-/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t
-/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t
-', `
-/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t
-/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t
-')
-/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t
diff --git a/strict/file_contexts/program/portslave.fc b/strict/file_contexts/program/portslave.fc
deleted file mode 100644
index 873334dd..00000000
--- a/strict/file_contexts/program/portslave.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# portslave
-/usr/sbin/portslave -- system_u:object_r:portslave_exec_t
-/usr/sbin/ctlportslave -- system_u:object_r:portslave_exec_t
-/etc/portslave(/.*)? system_u:object_r:portslave_etc_t
-/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t
diff --git a/strict/file_contexts/program/postfix.fc b/strict/file_contexts/program/postfix.fc
deleted file mode 100644
index 0e96508e..00000000
--- a/strict/file_contexts/program/postfix.fc
+++ /dev/null
@@ -1,59 +0,0 @@
-# postfix
-/etc/postfix(/.*)? system_u:object_r:postfix_etc_t
-ifdef(`distro_redhat', `
-/etc/postfix/aliases.* system_u:object_r:etc_aliases_t
-/usr/libexec/postfix/.* -- system_u:object_r:postfix_exec_t
-/usr/libexec/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t
-/usr/libexec/postfix/local -- system_u:object_r:postfix_local_exec_t
-/usr/libexec/postfix/master -- system_u:object_r:postfix_master_exec_t
-/usr/libexec/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t
-/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
-/usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t
-/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
-/usr/libexec/postfix/scache -- system_u:object_r:postfix_smtp_exec_t
-/usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
-/usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
-/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
-', `
-/usr/lib/postfix/.* -- system_u:object_r:postfix_exec_t
-/usr/lib/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t
-/usr/lib/postfix/local -- system_u:object_r:postfix_local_exec_t
-/usr/lib/postfix/master -- system_u:object_r:postfix_master_exec_t
-/usr/lib/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t
-/usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
-/usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t
-/usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
-/usr/lib/postfix/scache -- system_u:object_r:postfix_smtp_exec_t
-/usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
-/usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
-/usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
-')
-/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t
-/etc/postfix/prng_exch -- system_u:object_r:postfix_prng_t
-/usr/sbin/postalias -- system_u:object_r:postfix_master_exec_t
-/usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t
-/usr/sbin/postdrop -- system_u:object_r:postfix_postdrop_exec_t
-/usr/sbin/postfix -- system_u:object_r:postfix_master_exec_t
-/usr/sbin/postkick -- system_u:object_r:postfix_master_exec_t
-/usr/sbin/postlock -- system_u:object_r:postfix_master_exec_t
-/usr/sbin/postlog -- system_u:object_r:postfix_master_exec_t
-/usr/sbin/postmap -- system_u:object_r:postfix_map_exec_t
-/usr/sbin/postqueue -- system_u:object_r:postfix_postqueue_exec_t
-/usr/sbin/postsuper -- system_u:object_r:postfix_master_exec_t
-/usr/sbin/rmail -- system_u:object_r:sendmail_exec_t
-/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t
-/var/spool/postfix(/.*)? system_u:object_r:postfix_spool_t
-/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t
-/var/spool/postfix/pid -d system_u:object_r:var_run_t
-/var/spool/postfix/pid/.* system_u:object_r:postfix_var_run_t
-/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t
-/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t
-/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t
-/var/spool/postfix/flush(/.*)? system_u:object_r:postfix_spool_flush_t
-/var/spool/postfix/etc(/.*)? system_u:object_r:etc_t
-/var/spool/postfix/lib(64)?(/.*)? system_u:object_r:lib_t
-/var/spool/postfix/usr(/.*)? system_u:object_r:lib_t
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t
-/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t
-/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t
diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc
deleted file mode 100644
index dc644c1e..00000000
--- a/strict/file_contexts/program/postgresql.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# postgresql - database server
-/usr/lib(64)?/postgresql/bin/.* -- system_u:object_r:postgresql_exec_t
-/usr/bin/postgres -- system_u:object_r:postgresql_exec_t
-/usr/bin/initdb -- system_u:object_r:postgresql_exec_t
-
-/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t
-/var/lib/pgsql/data(/.*)? system_u:object_r:postgresql_db_t
-/var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t
-/etc/postgresql(/.*)? system_u:object_r:postgresql_etc_t
-/var/log/postgres\.log.* -- system_u:object_r:postgresql_log_t
-/var/log/postgresql(/.*)? system_u:object_r:postgresql_log_t
-/var/lib/pgsql/pgstartup.log system_u:object_r:postgresql_log_t
-/usr/lib/pgsql/test/regres(/.*)? system_u:object_r:postgresql_db_t
-/usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t
-/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t
-/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t
-ifdef(`distro_redhat', `
-/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t
-/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
-')
diff --git a/strict/file_contexts/program/postgrey.fc b/strict/file_contexts/program/postgrey.fc
deleted file mode 100644
index 89e43fd0..00000000
--- a/strict/file_contexts/program/postgrey.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# postgrey - postfix grey-listing server
-/usr/sbin/postgrey -- system_u:object_r:postgrey_exec_t
-/var/run/postgrey\.pid -- system_u:object_r:postgrey_var_run_t
-/etc/postgrey(/.*)? system_u:object_r:postgrey_etc_t
-/var/lib/postgrey(/.*)? system_u:object_r:postgrey_var_lib_t
diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc
deleted file mode 100644
index 02ae6683..00000000
--- a/strict/file_contexts/program/pppd.fc
+++ /dev/null
@@ -1,25 +0,0 @@
-# pppd
-/usr/sbin/pppd -- system_u:object_r:pppd_exec_t
-/usr/sbin/pptp -- system_u:object_r:pptp_exec_t
-/usr/sbin/ipppd -- system_u:object_r:pppd_exec_t
-/dev/ppp -c system_u:object_r:ppp_device_t
-/dev/pppox.* -c system_u:object_r:ppp_device_t
-/dev/ippp.* -c system_u:object_r:ppp_device_t
-/var/run/pppd[0-9]*\.tdb -- system_u:object_r:pppd_var_run_t
-/var/run/ppp(/.*)? system_u:object_r:pppd_var_run_t
-/etc/ppp -d system_u:object_r:pppd_etc_t
-/etc/ppp/.* -- system_u:object_r:pppd_etc_rw_t
-/etc/ppp/.*secrets -- system_u:object_r:pppd_secret_t
-/var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t
-/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
-/var/log/ppp/.* -- system_u:object_r:pppd_log_t
-/etc/ppp/ip-down\..* -- system_u:object_r:bin_t
-/etc/ppp/ip-up\..* -- system_u:object_r:bin_t
-/etc/ppp/ipv6-up\..* -- system_u:object_r:bin_t
-/etc/ppp/ipv6-down\..* -- system_u:object_r:bin_t
-/etc/ppp/plugins/rp-pppoe\.so -- system_u:object_r:shlib_t
-/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t
-# Fix pptp sockets
-/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t
-# Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t
diff --git a/strict/file_contexts/program/prelink.fc b/strict/file_contexts/program/prelink.fc
deleted file mode 100644
index 331e315e..00000000
--- a/strict/file_contexts/program/prelink.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# prelink - prelink ELF shared libraries and binaries to speed up startup time
-/usr/sbin/prelink -- system_u:object_r:prelink_exec_t
-ifdef(`distro_debian', `
-/usr/sbin/prelink\.bin -- system_u:object_r:prelink_exec_t
-')
-/etc/prelink\.conf -- system_u:object_r:etc_prelink_t
-/var/log/prelink\.log -- system_u:object_r:prelink_log_t
-/etc/prelink\.cache -- system_u:object_r:prelink_cache_t
diff --git a/strict/file_contexts/program/privoxy.fc b/strict/file_contexts/program/privoxy.fc
deleted file mode 100644
index 84427ab9..00000000
--- a/strict/file_contexts/program/privoxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# privoxy
-/usr/sbin/privoxy -- system_u:object_r:privoxy_exec_t
-/var/log/privoxy(/.*)? system_u:object_r:privoxy_log_t
diff --git a/strict/file_contexts/program/procmail.fc b/strict/file_contexts/program/procmail.fc
deleted file mode 100644
index 543602db..00000000
--- a/strict/file_contexts/program/procmail.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# procmail
-/usr/bin/procmail -- system_u:object_r:procmail_exec_t
diff --git a/strict/file_contexts/program/publicfile.fc b/strict/file_contexts/program/publicfile.fc
deleted file mode 100644
index dc32249e..00000000
--- a/strict/file_contexts/program/publicfile.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-/usr/bin/ftpd -- system_u:object_r:publicfile_exec_t
-/usr/bin/httpd -- system_u:object_r:publicfile_exec_t
-/usr/bin/publicfile-conf -- system_u:object_r:publicfile_exec_t
-
-# this is the place where online content located
-# set this to suit your needs
-#/var/www(/.*)? system_u:object_r:publicfile_content_t
-
diff --git a/strict/file_contexts/program/pxe.fc b/strict/file_contexts/program/pxe.fc
deleted file mode 100644
index 165076ae..00000000
--- a/strict/file_contexts/program/pxe.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# pxe network boot server
-/usr/sbin/pxe -- system_u:object_r:pxe_exec_t
-/var/log/pxe\.log -- system_u:object_r:pxe_log_t
-/var/run/pxe\.pid -- system_u:object_r:pxe_var_run_t
-
diff --git a/strict/file_contexts/program/pyzor.fc b/strict/file_contexts/program/pyzor.fc
deleted file mode 100644
index ff622957..00000000
--- a/strict/file_contexts/program/pyzor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/pyzor(/.*)? system_u:object_r:pyzor_etc_t
-/usr/bin/pyzor -- system_u:object_r:pyzor_exec_t
-/usr/bin/pyzord -- system_u:object_r:pyzord_exec_t
-/var/lib/pyzord(/.*)? system_u:object_r:pyzor_var_lib_t
-/var/log/pyzord.log -- system_u:object_r:pyzord_log_t
-HOME_DIR/\.pyzor(/.*)? system_u:object_r:ROLE_pyzor_home_t
diff --git a/strict/file_contexts/program/qmail.fc b/strict/file_contexts/program/qmail.fc
deleted file mode 100644
index 7704ed76..00000000
--- a/strict/file_contexts/program/qmail.fc
+++ /dev/null
@@ -1,38 +0,0 @@
-# qmail - Debian locations
-/etc/qmail(/.*)? system_u:object_r:qmail_etc_t
-/var/qmail(/.*)? system_u:object_r:qmail_etc_t
-/var/spool/qmail(/.*)? system_u:object_r:qmail_spool_t
-/usr/sbin/qmail-start -- system_u:object_r:qmail_start_exec_t
-/usr/sbin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t
-/usr/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t
-/usr/sbin/qmail-inject -- system_u:object_r:qmail_inject_exec_t
-/usr/sbin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t
-/usr/sbin/qmail-queue -- system_u:object_r:qmail_queue_exec_t
-/usr/sbin/qmail-local -- system_u:object_r:qmail_local_exec_t
-/usr/sbin/qmail-clean -- system_u:object_r:qmail_clean_exec_t
-/usr/sbin/qmail-send -- system_u:object_r:qmail_send_exec_t
-/usr/sbin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t
-/usr/sbin/qmail-remote -- system_u:object_r:qmail_remote_exec_t
-/usr/sbin/qmail-qread -- system_u:object_r:qmail_qread_exec_t
-/usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t
-/usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t
-/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
-# qmail - djb locations
-/var/qmail/control(/.*)? system_u:object_r:qmail_etc_t
-/var/qmail/bin -d system_u:object_r:bin_t
-/var/qmail/queue(/.*)? 
system_u:object_r:qmail_spool_t
-/var/qmail/bin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t
-/var/qmail/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t
-/var/qmail/bin/qmail-inject -- system_u:object_r:qmail_inject_exec_t
-/var/qmail/bin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t
-/var/qmail/bin/qmail-queue -- system_u:object_r:qmail_queue_exec_t
-/var/qmail/bin/qmail-local -- system_u:object_r:qmail_local_exec_t
-/var/qmail/bin/qmail-clean -- system_u:object_r:qmail_clean_exec_t
-/var/qmail/bin/qmail-send -- system_u:object_r:qmail_send_exec_t
-/var/qmail/bin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t
-/var/qmail/bin/qmail-remote -- system_u:object_r:qmail_remote_exec_t
-/var/qmail/bin/qmail-qread -- system_u:object_r:qmail_qread_exec_t
-/var/qmail/bin/qmail-start -- system_u:object_r:qmail_start_exec_t
-/var/qmail/rc -- system_u:object_r:bin_t
-/var/qmail/bin/splogger -- system_u:object_r:qmail_splogger_exec_t
-/var/qmail/bin/qmail-getpw -- system_u:object_r:qmail_exec_t
diff --git a/strict/file_contexts/program/quota.fc b/strict/file_contexts/program/quota.fc
deleted file mode 100644
index f91f1a43..00000000
--- a/strict/file_contexts/program/quota.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# quota system
-/var/lib/quota(/.*)? system_u:object_r:quota_flag_t
-/sbin/quota(check|on) -- system_u:object_r:quota_exec_t
-ifdef(`distro_redhat', `
-/usr/sbin/convertquota -- system_u:object_r:quota_exec_t
-', `
-/sbin/convertquota -- system_u:object_r:quota_exec_t
-')
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t
-/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t
diff --git a/strict/file_contexts/program/radius.fc b/strict/file_contexts/program/radius.fc
deleted file mode 100644
index bd25d6d7..00000000
--- a/strict/file_contexts/program/radius.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# radius
-/etc/raddb(/.*)? system_u:object_r:radiusd_etc_t
-/usr/sbin/radiusd -- system_u:object_r:radiusd_exec_t
-/usr/sbin/freeradius -- system_u:object_r:radiusd_exec_t
-/var/log/radiusd-freeradius(/.*)? system_u:object_r:radiusd_log_t
-/var/log/radius\.log.* -- system_u:object_r:radiusd_log_t
-/var/log/radius(/.*)? system_u:object_r:radiusd_log_t
-/var/log/freeradius(/.*)? system_u:object_r:radiusd_log_t
-/var/log/radacct(/.*)? system_u:object_r:radiusd_log_t
-/var/log/radutmp -- system_u:object_r:radiusd_log_t
-/var/log/radwtmp.* -- system_u:object_r:radiusd_log_t
-/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t
-/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t
-/var/run/radiusd\.pid -- system_u:object_r:radiusd_var_run_t
-/var/run/radiusd(/.*)? system_u:object_r:radiusd_var_run_t
diff --git a/strict/file_contexts/program/radvd.fc b/strict/file_contexts/program/radvd.fc
deleted file mode 100644
index 50003830..00000000
--- a/strict/file_contexts/program/radvd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# radvd
-/etc/radvd\.conf -- system_u:object_r:radvd_etc_t
-/usr/sbin/radvd -- system_u:object_r:radvd_exec_t
-/var/run/radvd\.pid -- system_u:object_r:radvd_var_run_t
-/var/run/radvd(/.*)? system_u:object_r:radvd_var_run_t
diff --git a/strict/file_contexts/program/razor.fc b/strict/file_contexts/program/razor.fc
deleted file mode 100644
index f3f13469..00000000
--- a/strict/file_contexts/program/razor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# razor
-/etc/razor(/.*)? system_u:object_r:razor_etc_t
-/usr/bin/razor.* system_u:object_r:razor_exec_t
-/var/lib/razor(/.*)? system_u:object_r:razor_var_lib_t
-/var/log/razor-agent.log system_u:object_r:razor_log_t
-HOME_DIR/\.razor(/.*)? system_u:object_r:ROLE_razor_home_t
diff --git a/strict/file_contexts/program/rdisc.fc b/strict/file_contexts/program/rdisc.fc
deleted file mode 100644
index d3f9dcfb..00000000
--- a/strict/file_contexts/program/rdisc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rdisc
-/sbin/rdisc system_u:object_r:rdisc_exec_t
diff --git a/strict/file_contexts/program/readahead.fc b/strict/file_contexts/program/readahead.fc
deleted file mode 100644
index 0755fefa..00000000
--- a/strict/file_contexts/program/readahead.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
diff --git a/strict/file_contexts/program/resmgrd.fc b/strict/file_contexts/program/resmgrd.fc
deleted file mode 100644
index bee4680c..00000000
--- a/strict/file_contexts/program/resmgrd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# resmgrd
-/sbin/resmgrd -- system_u:object_r:resmgrd_exec_t
-/etc/resmgr\.conf -- system_u:object_r:resmgrd_etc_t
-/var/run/resmgr\.pid -- system_u:object_r:resmgrd_var_run_t
-/var/run/\.resmgr_socket -s system_u:object_r:resmgrd_var_run_t
-
diff --git a/strict/file_contexts/program/restorecon.fc b/strict/file_contexts/program/restorecon.fc
deleted file mode 100644
index 6509a117..00000000
--- a/strict/file_contexts/program/restorecon.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# restorecon
-/sbin/restorecon -- system_u:object_r:restorecon_exec_t
diff --git a/strict/file_contexts/program/rhgb.fc b/strict/file_contexts/program/rhgb.fc
deleted file mode 100644
index 118972ef..00000000
--- a/strict/file_contexts/program/rhgb.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
diff --git a/strict/file_contexts/program/rlogind.fc b/strict/file_contexts/program/rlogind.fc
deleted file mode 100644
index bc733192..00000000
--- a/strict/file_contexts/program/rlogind.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rlogind and telnetd
-/usr/sbin/in\.rlogind -- system_u:object_r:rlogind_exec_t
-/usr/lib(64)?/telnetlogin -- system_u:object_r:rlogind_exec_t
-/usr/kerberos/sbin/klogind -- system_u:object_r:rlogind_exec_t
diff --git a/strict/file_contexts/program/roundup.fc b/strict/file_contexts/program/roundup.fc
deleted file mode 100644
index 99b2700b..00000000
--- a/strict/file_contexts/program/roundup.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/roundup-server -- system_u:object_r:roundup_exec_t
-/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t
diff --git a/strict/file_contexts/program/rpcd.fc b/strict/file_contexts/program/rpcd.fc
deleted file mode 100644
index 60bb3f3e..00000000
--- a/strict/file_contexts/program/rpcd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# RPC daemons
-/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t
-/usr/sbin/rpc.idmapd -- system_u:object_r:rpcd_exec_t
-/usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t
-/usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t
-/usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t
-/usr/sbin/rpc\.svcgssd -- system_u:object_r:gssd_exec_t
-/usr/sbin/rpc\.mountd -- system_u:object_r:nfsd_exec_t
-/var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t
-/var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t
-/etc/exports -- system_u:object_r:exports_t
-
diff --git a/strict/file_contexts/program/rpm.fc b/strict/file_contexts/program/rpm.fc
deleted file mode 100644
index c659e65f..00000000
--- a/strict/file_contexts/program/rpm.fc
+++ /dev/null
@@ -1,29 +0,0 @@
-# rpm
-/var/lib/rpm(/.*)? system_u:object_r:rpm_var_lib_t
-/var/lib/alternatives(/.*)? system_u:object_r:rpm_var_lib_t
-/bin/rpm -- system_u:object_r:rpm_exec_t
-/usr/bin/yum -- system_u:object_r:rpm_exec_t
-/usr/bin/apt-get -- system_u:object_r:rpm_exec_t
-/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
-/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
-/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmv -- system_u:object_r:bin_t
-/var/log/rpmpkgs.* -- system_u:object_r:rpm_log_t
-/var/log/yum\.log -- system_u:object_r:rpm_log_t
-ifdef(`distro_redhat', `
-/usr/sbin/up2date -- system_u:object_r:rpm_exec_t
-/usr/sbin/rhn_check -- system_u:object_r:rpm_exec_t
-')
-# SuSE
-ifdef(`distro_suse', `
-/usr/bin/online_update -- system_u:object_r:rpm_exec_t
-/sbin/yast2 -- system_u:object_r:rpm_exec_t
-/var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t
-/var/log/YaST2(/.*)? system_u:object_r:rpm_log_t
-')
-
-ifdef(`mls_policy', `
-/sbin/cpio -- system_u:object_r:rpm_exec_t
-')
diff --git a/strict/file_contexts/program/rshd.fc b/strict/file_contexts/program/rshd.fc
deleted file mode 100644
index 7f3be6de..00000000
--- a/strict/file_contexts/program/rshd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# rshd.
-/usr/sbin/in\.rshd -- system_u:object_r:rshd_exec_t
-/usr/kerberos/sbin/kshd -- system_u:object_r:rshd_exec_t
diff --git a/strict/file_contexts/program/rssh.fc b/strict/file_contexts/program/rssh.fc
deleted file mode 100644
index 16ec3a3b..00000000
--- a/strict/file_contexts/program/rssh.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rssh
-/usr/bin/rssh -- system_u:object_r:rssh_exec_t
diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc
deleted file mode 100644
index 9bce3d55..00000000
--- a/strict/file_contexts/program/rsync.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# rsync program
-/usr/bin/rsync -- system_u:object_r:rsync_exec_t
-/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t
diff --git a/strict/file_contexts/program/samba.fc b/strict/file_contexts/program/samba.fc
deleted file mode 100644
index 5ac7c2f1..00000000
--- a/strict/file_contexts/program/samba.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-# samba scripts
-/usr/sbin/smbd -- system_u:object_r:smbd_exec_t
-/usr/sbin/nmbd -- system_u:object_r:nmbd_exec_t
-/usr/bin/net -- system_u:object_r:samba_net_exec_t
-/etc/samba(/.*)? system_u:object_r:samba_etc_t
-/var/log/samba(/.*)? system_u:object_r:samba_log_t
-/var/cache/samba(/.*)? system_u:object_r:samba_var_t
-/var/lib/samba(/.*)? system_u:object_r:samba_var_t
-/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t
-/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t
-# samba really wants write access to smbpasswd
-/etc/samba/smbpasswd -- system_u:object_r:samba_secrets_t
-/var/run/samba/locking\.tdb -- system_u:object_r:smbd_var_run_t
-/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t
-/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t
-/var/run/samba/brlock\.tdb -- system_u:object_r:smbd_var_run_t
-/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t
-/var/run/samba/messages\.tdb -- system_u:object_r:nmbd_var_run_t
-/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t
-/var/run/samba/smbd\.pid -- system_u:object_r:smbd_var_run_t
-/var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t
-/var/spool/samba(/.*)? system_u:object_r:samba_var_t
-ifdef(`mount.te', `
-/usr/bin/smbmount -- system_u:object_r:smbmount_exec_t
-/usr/bin/smbmnt -- system_u:object_r:smbmount_exec_t
-')
diff --git a/strict/file_contexts/program/saslauthd.fc b/strict/file_contexts/program/saslauthd.fc
deleted file mode 100644
index 7b2460e1..00000000
--- a/strict/file_contexts/program/saslauthd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# saslauthd
-/usr/sbin/saslauthd -- system_u:object_r:saslauthd_exec_t
-/var/run/saslauthd(/.*)? system_u:object_r:saslauthd_var_run_t
diff --git a/strict/file_contexts/program/scannerdaemon.fc b/strict/file_contexts/program/scannerdaemon.fc
deleted file mode 100644
index a43bf877..00000000
--- a/strict/file_contexts/program/scannerdaemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# scannerdaemon
-/usr/sbin/scannerdaemon -- system_u:object_r:scannerdaemon_exec_t
-/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t
-/var/log/scannerdaemon\.log -- system_u:object_r:scannerdaemon_log_t
diff --git a/strict/file_contexts/program/screen.fc b/strict/file_contexts/program/screen.fc
deleted file mode 100644
index 0e6e78d6..00000000
--- a/strict/file_contexts/program/screen.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# screen
-/usr/bin/screen -- system_u:object_r:screen_exec_t
-HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t
-/var/run/screens?/S-[^/]+ -d system_u:object_r:screen_dir_t
-/var/run/screens?/S-[^/]+/.* <>
diff --git a/strict/file_contexts/program/sendmail.fc b/strict/file_contexts/program/sendmail.fc
deleted file mode 100644
index 0fce2efb..00000000
--- a/strict/file_contexts/program/sendmail.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sendmail
-/etc/mail(/.*)? system_u:object_r:etc_mail_t
-/var/log/sendmail\.st -- system_u:object_r:sendmail_log_t
-/var/log/mail(/.*)? system_u:object_r:sendmail_log_t
-/var/run/sendmail\.pid -- system_u:object_r:sendmail_var_run_t
-/var/run/sm-client\.pid -- system_u:object_r:sendmail_var_run_t
diff --git a/strict/file_contexts/program/setfiles.fc b/strict/file_contexts/program/setfiles.fc
deleted file mode 100644
index c2477638..00000000
--- a/strict/file_contexts/program/setfiles.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# setfiles
-/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
-
diff --git a/strict/file_contexts/program/seuser.fc b/strict/file_contexts/program/seuser.fc
deleted file mode 100644
index 0c7f71b7..00000000
--- a/strict/file_contexts/program/seuser.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# seuser
-/usr/bin/seuser -- system_u:object_r:seuser_exec_t
-/usr/apol/seuser\.conf system_u:object_r:seuser_conf_t
-
diff --git a/strict/file_contexts/program/slapd.fc b/strict/file_contexts/program/slapd.fc
deleted file mode 100644
index 956f441c..00000000
--- a/strict/file_contexts/program/slapd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# slapd - ldap server
-/usr/sbin/slapd -- system_u:object_r:slapd_exec_t
-/var/lib/ldap(/.*)? system_u:object_r:slapd_db_t
-/var/lib/ldap/replog(/.*)? system_u:object_r:slapd_replog_t
-/var/run/slapd\.args -- system_u:object_r:slapd_var_run_t
-/etc/ldap/slapd\.conf -- system_u:object_r:slapd_etc_t
-/var/run/slapd\.pid -- system_u:object_r:slapd_var_run_t
diff --git a/strict/file_contexts/program/slocate.fc b/strict/file_contexts/program/slocate.fc
deleted file mode 100644
index 1796c778..00000000
--- a/strict/file_contexts/program/slocate.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# locate - file locater
-/usr/bin/slocate -- system_u:object_r:locate_exec_t
-/var/lib/slocate(/.*)? system_u:object_r:locate_var_lib_t
-/etc/updatedb\.conf -- system_u:object_r:locate_etc_t
diff --git a/strict/file_contexts/program/slrnpull.fc b/strict/file_contexts/program/slrnpull.fc
deleted file mode 100644
index 4c0d36c7..00000000
--- a/strict/file_contexts/program/slrnpull.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# slrnpull
-/usr/bin/slrnpull -- system_u:object_r:slrnpull_exec_t
-/var/spool/slrnpull(/.*)? system_u:object_r:slrnpull_spool_t
diff --git a/strict/file_contexts/program/snmpd.fc b/strict/file_contexts/program/snmpd.fc
deleted file mode 100644
index fcad8622..00000000
--- a/strict/file_contexts/program/snmpd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# snmpd
-/usr/sbin/snmp(trap)?d -- system_u:object_r:snmpd_exec_t
-/var/lib/snmp(/.*)? system_u:object_r:snmpd_var_lib_t
-/var/lib/net-snmp(/.*)? system_u:object_r:snmpd_var_lib_t
-/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t
-/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t
-/var/run/snmpd\.pid -- system_u:object_r:snmpd_var_run_t
-/var/run/snmpd -d system_u:object_r:snmpd_var_run_t
-/var/net-snmp(/.*) system_u:object_r:snmpd_var_lib_t
-/var/log/snmpd\.log -- system_u:object_r:snmpd_log_t
diff --git a/strict/file_contexts/program/snort.fc b/strict/file_contexts/program/snort.fc
deleted file mode 100644
index a40670c2..00000000
--- a/strict/file_contexts/program/snort.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# SNORT
-/usr/(s)?bin/snort -- system_u:object_r:snort_exec_t
-/etc/snort(/.*)? system_u:object_r:snort_etc_t
-/var/log/snort(/.*)? system_u:object_r:snort_log_t
diff --git a/strict/file_contexts/program/sound-server.fc b/strict/file_contexts/program/sound-server.fc
deleted file mode 100644
index dfa82455..00000000
--- a/strict/file_contexts/program/sound-server.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# sound servers, nas, yiff, etc
-/usr/sbin/yiff -- system_u:object_r:soundd_exec_t
-/usr/bin/nasd -- system_u:object_r:soundd_exec_t
-/usr/bin/gpe-soundserver -- system_u:object_r:soundd_exec_t
-/etc/nas(/.*)? system_u:object_r:etc_soundd_t
-/etc/yiff(/.*)? system_u:object_r:etc_soundd_t
-/var/state/yiff(/.*)? system_u:object_r:soundd_state_t
-/var/run/yiff-[0-9]+\.pid -- system_u:object_r:soundd_var_run_t
diff --git a/strict/file_contexts/program/sound.fc b/strict/file_contexts/program/sound.fc
deleted file mode 100644
index 5e6b0d1e..00000000
--- a/strict/file_contexts/program/sound.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sound
-/bin/aumix-minimal -- system_u:object_r:sound_exec_t
-/etc/\.aumixrc -- system_u:object_r:sound_file_t
diff --git a/strict/file_contexts/program/spamassassin.fc b/strict/file_contexts/program/spamassassin.fc
deleted file mode 100644
index a85b8b19..00000000
--- a/strict/file_contexts/program/spamassassin.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# spamassasin
-/usr/bin/spamassassin -- system_u:object_r:spamassassin_exec_t
-HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t
diff --git a/strict/file_contexts/program/spamc.fc b/strict/file_contexts/program/spamc.fc
deleted file mode 100644
index bf5d0336..00000000
--- a/strict/file_contexts/program/spamc.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/spamc -- system_u:object_r:spamc_exec_t
diff --git a/strict/file_contexts/program/spamd.fc b/strict/file_contexts/program/spamd.fc
deleted file mode 100644
index c2f6ee63..00000000
--- a/strict/file_contexts/program/spamd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/spamd -- system_u:object_r:spamd_exec_t
-/usr/bin/spamd -- system_u:object_r:spamd_exec_t
-/usr/bin/sa-learn -- system_u:object_r:spamd_exec_t
diff --git a/strict/file_contexts/program/speedmgmt.fc b/strict/file_contexts/program/speedmgmt.fc
deleted file mode 100644
index 486906e9..00000000
--- a/strict/file_contexts/program/speedmgmt.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# speedmgmt
-/usr/sbin/speedmgmt -- system_u:object_r:speedmgmt_exec_t
diff --git a/strict/file_contexts/program/squid.fc b/strict/file_contexts/program/squid.fc
deleted file mode 100644
index 36fb201d..00000000
--- a/strict/file_contexts/program/squid.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# squid
-/usr/sbin/squid -- system_u:object_r:squid_exec_t
-/var/cache/squid(/.*)? system_u:object_r:squid_cache_t
-/var/spool/squid(/.*)? system_u:object_r:squid_cache_t
-/var/log/squid(/.*)? system_u:object_r:squid_log_t
-/etc/squid(/.*)? system_u:object_r:squid_conf_t
-/var/run/squid\.pid -- system_u:object_r:squid_var_run_t
-/usr/share/squid(/.*)? system_u:object_r:squid_conf_t
diff --git a/strict/file_contexts/program/ssh-agent.fc b/strict/file_contexts/program/ssh-agent.fc
deleted file mode 100644
index 512eb47a..00000000
--- a/strict/file_contexts/program/ssh-agent.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ssh-agent
-/usr/bin/ssh-agent -- system_u:object_r:ssh_agent_exec_t
diff --git a/strict/file_contexts/program/ssh.fc b/strict/file_contexts/program/ssh.fc
deleted file mode 100644
index 3cd1d0cc..00000000
--- a/strict/file_contexts/program/ssh.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# ssh
-/usr/bin/ssh -- system_u:object_r:ssh_exec_t
-/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t
-/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t
-# sshd
-/etc/ssh/primes -- system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_key -- system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t
-/usr/sbin/sshd -- system_u:object_r:sshd_exec_t
-/var/run/sshd\.init\.pid -- system_u:object_r:sshd_var_run_t
-# subsystems
-/usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t
-/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t
-/usr/lib(64)?/sftp-server -- system_u:object_r:bin_t
-ifdef(`distro_suse', `
-/usr/lib(64)?/ssh/.* -- system_u:object_r:bin_t
-')
-ifdef(`targeted_policy', `', `
-HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t
-')
diff --git a/strict/file_contexts/program/stunnel.fc b/strict/file_contexts/program/stunnel.fc
deleted file mode 100644
index b48384a8..00000000
--- a/strict/file_contexts/program/stunnel.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/stunnel -- system_u:object_r:stunnel_exec_t
-/etc/stunnel(/.*)? system_u:object_r:stunnel_etc_t
-/var/run/stunnel(/.*)? system_u:object_r:stunnel_var_run_t
diff --git a/strict/file_contexts/program/su.fc b/strict/file_contexts/program/su.fc
deleted file mode 100644
index 1413dfe0..00000000
--- a/strict/file_contexts/program/su.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# su
-/bin/su -- system_u:object_r:su_exec_t
diff --git a/strict/file_contexts/program/sudo.fc b/strict/file_contexts/program/sudo.fc
deleted file mode 100644
index d7338946..00000000
--- a/strict/file_contexts/program/sudo.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sudo
-/usr/bin/sudo(edit)? -- system_u:object_r:sudo_exec_t
-
diff --git a/strict/file_contexts/program/sulogin.fc b/strict/file_contexts/program/sulogin.fc
deleted file mode 100644
index eb719dcf..00000000
--- a/strict/file_contexts/program/sulogin.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# sulogin
-/sbin/sulogin -- system_u:object_r:sulogin_exec_t
diff --git a/strict/file_contexts/program/swat.fc b/strict/file_contexts/program/swat.fc
deleted file mode 100644
index 721c229c..00000000
--- a/strict/file_contexts/program/swat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# samba management tool
-/usr/sbin/swat -- system_u:object_r:swat_exec_t
diff --git a/strict/file_contexts/program/sxid.fc b/strict/file_contexts/program/sxid.fc
deleted file mode 100644
index e9126bca..00000000
--- a/strict/file_contexts/program/sxid.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sxid - ldap server
-/usr/bin/sxid -- system_u:object_r:sxid_exec_t
-/var/log/sxid\.log.* -- system_u:object_r:sxid_log_t
-/var/log/setuid\.today.* -- system_u:object_r:sxid_log_t
-/usr/sbin/checksecurity\.se -- system_u:object_r:sxid_exec_t
-/var/log/setuid.* -- system_u:object_r:sxid_log_t
diff --git a/strict/file_contexts/program/syslogd.fc b/strict/file_contexts/program/syslogd.fc
deleted file mode 100644
index 7a017208..00000000
--- a/strict/file_contexts/program/syslogd.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# syslogd
-/sbin/syslogd -- system_u:object_r:syslogd_exec_t
-/sbin/minilogd -- system_u:object_r:syslogd_exec_t
-/usr/sbin/syslogd -- system_u:object_r:syslogd_exec_t
-/sbin/syslog-ng -- system_u:object_r:syslogd_exec_t
-/dev/log -s system_u:object_r:devlog_t
-/var/run/log -s system_u:object_r:devlog_t
-ifdef(`distro_suse', `
-/var/lib/stunnel/dev/log -s system_u:object_r:devlog_t
-')
-/var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t
diff --git a/strict/file_contexts/program/sysstat.fc b/strict/file_contexts/program/sysstat.fc
deleted file mode 100644
index 2637b68b..00000000
--- a/strict/file_contexts/program/sysstat.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# sysstat and other sar programs
-/usr/lib(64)?/atsar/atsa.* -- system_u:object_r:sysstat_exec_t
-/usr/lib(64)?/sysstat/sa.* -- system_u:object_r:sysstat_exec_t
-/usr/lib(64)?/sa/sadc -- system_u:object_r:sysstat_exec_t
-/var/log/atsar(/.*)? system_u:object_r:sysstat_log_t
-/var/log/sysstat(/.*)? system_u:object_r:sysstat_log_t
-/var/log/sa(/.*)? system_u:object_r:sysstat_log_t
diff --git a/strict/file_contexts/program/tcpd.fc b/strict/file_contexts/program/tcpd.fc
deleted file mode 100644
index 2e84aa86..00000000
--- a/strict/file_contexts/program/tcpd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# tcpd
-/usr/sbin/tcpd -- system_u:object_r:tcpd_exec_t
diff --git a/strict/file_contexts/program/telnetd.fc b/strict/file_contexts/program/telnetd.fc
deleted file mode 100644
index 6b998d10..00000000
--- a/strict/file_contexts/program/telnetd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# telnetd
-/usr/sbin/in\.telnetd -- system_u:object_r:telnetd_exec_t
-/usr/kerberos/sbin/telnetd -- system_u:object_r:telnetd_exec_t
diff --git a/strict/file_contexts/program/tftpd.fc b/strict/file_contexts/program/tftpd.fc
deleted file mode 100644
index f8bf2441..00000000
--- a/strict/file_contexts/program/tftpd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# tftpd
-/usr/sbin/in\.tftpd -- system_u:object_r:tftpd_exec_t
-/usr/sbin/atftpd -- system_u:object_r:tftpd_exec_t
-/tftpboot(/.*)? system_u:object_r:tftpdir_t
diff --git a/strict/file_contexts/program/thunderbird.fc b/strict/file_contexts/program/thunderbird.fc
deleted file mode 100644
index ca373460..00000000
--- a/strict/file_contexts/program/thunderbird.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/thunderbird.* -- system_u:object_r:thunderbird_exec_t
-HOME_DIR/\.thunderbird(/.*)? system_u:object_r:ROLE_thunderbird_home_t
diff --git a/strict/file_contexts/program/timidity.fc b/strict/file_contexts/program/timidity.fc
deleted file mode 100644
index 2b44dcec..00000000
--- a/strict/file_contexts/program/timidity.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# timidity
-/usr/bin/timidity -- system_u:object_r:timidity_exec_t
diff --git a/strict/file_contexts/program/tinydns.fc b/strict/file_contexts/program/tinydns.fc
deleted file mode 100644
index 10ea1a35..00000000
--- a/strict/file_contexts/program/tinydns.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# tinydns
-/etc/tinydns(/.*)? system_u:object_r:tinydns_conf_t
-/etc/tinydns/root/data* -- system_u:object_r:tinydns_zone_t
-/usr/bin/tinydns* -- system_u:object_r:tinydns_exec_t
-#/var/log/dns/tinydns(/.*) system_u:object_r:tinydns_log_t
-#/var/lib/svscan(/.*) system_u:object_r:tinydns_svscan_t
diff --git a/strict/file_contexts/program/tmpreaper.fc b/strict/file_contexts/program/tmpreaper.fc
deleted file mode 100644
index d8ed96e4..00000000
--- a/strict/file_contexts/program/tmpreaper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tmpreaper or tmpwatch
-/usr/sbin/tmpreaper -- system_u:object_r:tmpreaper_exec_t
-/usr/sbin/tmpwatch -- system_u:object_r:tmpreaper_exec_t
diff --git a/strict/file_contexts/program/traceroute.fc b/strict/file_contexts/program/traceroute.fc
deleted file mode 100644
index 66a6c5fc..00000000
--- a/strict/file_contexts/program/traceroute.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# traceroute
-/bin/traceroute.* -- system_u:object_r:traceroute_exec_t
-/bin/tracepath.* -- system_u:object_r:traceroute_exec_t
-/usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t
-/usr/bin/lft -- system_u:object_r:traceroute_exec_t
-/usr/bin/nmap -- system_u:object_r:traceroute_exec_t
diff --git a/strict/file_contexts/program/transproxy.fc b/strict/file_contexts/program/transproxy.fc
deleted file mode 100644
index 2027eeaf..00000000
--- a/strict/file_contexts/program/transproxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# transproxy - http transperant proxy
-/usr/sbin/tproxy -- system_u:object_r:transproxy_exec_t
-/var/run/tproxy\.pid -- system_u:object_r:transproxy_var_run_t
diff --git a/strict/file_contexts/program/tripwire.fc b/strict/file_contexts/program/tripwire.fc
deleted file mode 100644
index 88afc341..00000000
--- a/strict/file_contexts/program/tripwire.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# tripwire
-/etc/tripwire(/.*)? system_u:object_r:tripwire_etc_t
-/usr/sbin/siggen system_u:object_r:siggen_exec_t
-/usr/sbin/tripwire system_u:object_r:tripwire_exec_t
-/usr/sbin/tripwire-setup-keyfiles system_u:object_r:bin_t
-/usr/sbin/twadmin system_u:object_r:twadmin_exec_t
-/usr/sbin/twprint system_u:object_r:twprint_exec_t
-/var/lib/tripwire(/.*)? system_u:object_r:tripwire_var_lib_t
-/var/lib/tripwire/report(/.*)? system_u:object_r:tripwire_report_t
diff --git a/strict/file_contexts/program/tvtime.fc b/strict/file_contexts/program/tvtime.fc
deleted file mode 100644
index 0969e966..00000000
--- a/strict/file_contexts/program/tvtime.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tvtime
-/usr/bin/tvtime -- system_u:object_r:tvtime_exec_t
-
diff --git a/strict/file_contexts/program/ucspi-tcp.fc b/strict/file_contexts/program/ucspi-tcp.fc
deleted file mode 100644
index 448c1ab4..00000000
--- a/strict/file_contexts/program/ucspi-tcp.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#ucspi-tcp
-/usr/bin/tcpserver -- system_u:object_r:utcpserver_exec_t
-/usr/bin/rblsmtpd -- system_u:object_r:rblsmtpd_exec_t
diff --git a/strict/file_contexts/program/udev.fc b/strict/file_contexts/program/udev.fc
deleted file mode 100644
index 0b6c7191..00000000
--- a/strict/file_contexts/program/udev.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# udev
-/sbin/udevsend -- system_u:object_r:udev_exec_t
-/sbin/udev -- system_u:object_r:udev_exec_t
-/sbin/udevd -- system_u:object_r:udev_exec_t
-/sbin/start_udev -- system_u:object_r:udev_exec_t
-/sbin/udevstart -- system_u:object_r:udev_exec_t
-/usr/bin/udevinfo -- system_u:object_r:udev_exec_t
-/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t
-/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t
-/etc/udev/devices/.* system_u:object_r:device_t
-/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
-/dev/udev\.tbl -- system_u:object_r:udev_tbl_t
-/dev/\.udevdb(/.*)? -- system_u:object_r:udev_tdb_t
-/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
diff --git a/strict/file_contexts/program/uml.fc b/strict/file_contexts/program/uml.fc
deleted file mode 100644
index dc1621df..00000000
--- a/strict/file_contexts/program/uml.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# User Mode Linux
-/usr/bin/uml_switch -- system_u:object_r:uml_switch_exec_t
-/var/run/uml-utilities(/.*)? system_u:object_r:uml_switch_var_run_t
-HOME_DIR/\.uml(/.*)? system_u:object_r:ROLE_uml_rw_t
diff --git a/strict/file_contexts/program/uml_net.fc b/strict/file_contexts/program/uml_net.fc
deleted file mode 100644
index 67aa1f2f..00000000
--- a/strict/file_contexts/program/uml_net.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# User Mode Linux
-# WARNING: Do not install this file on any machine that has hostile users.
-/usr/lib(64)?/uml/uml_net -- system_u:object_r:uml_net_exec_t
diff --git a/strict/file_contexts/program/unconfined.fc b/strict/file_contexts/program/unconfined.fc
deleted file mode 100644
index c3a6c121..00000000
--- a/strict/file_contexts/program/unconfined.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t
diff --git a/strict/file_contexts/program/updfstab.fc b/strict/file_contexts/program/updfstab.fc
deleted file mode 100644
index dec049f3..00000000
--- a/strict/file_contexts/program/updfstab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# updfstab
-/usr/sbin/updfstab -- system_u:object_r:updfstab_exec_t
-/usr/sbin/fstab-sync -- system_u:object_r:updfstab_exec_t
diff --git a/strict/file_contexts/program/uptimed.fc b/strict/file_contexts/program/uptimed.fc
deleted file mode 100644
index f80ccb4c..00000000
--- a/strict/file_contexts/program/uptimed.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# uptimed
-/etc/uptimed\.conf -- system_u:object_r:uptimed_etc_t
-/usr/sbin/uptimed -- system_u:object_r:uptimed_exec_t
-/var/spool/uptimed(/.*)? system_u:object_r:uptimed_spool_t
diff --git a/strict/file_contexts/program/usbmodules.fc b/strict/file_contexts/program/usbmodules.fc
deleted file mode 100644
index 52e03a48..00000000
--- a/strict/file_contexts/program/usbmodules.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# usbmodules
-/usr/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t
-/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t
diff --git a/strict/file_contexts/program/useradd.fc b/strict/file_contexts/program/useradd.fc
deleted file mode 100644
index b29351b6..00000000
--- a/strict/file_contexts/program/useradd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#useradd
-/usr/sbin/usermod -- system_u:object_r:useradd_exec_t
-/usr/sbin/useradd -- system_u:object_r:useradd_exec_t
-/usr/sbin/userdel -- system_u:object_r:useradd_exec_t
-#groupadd
-/usr/sbin/groupmod -- system_u:object_r:groupadd_exec_t
-/usr/sbin/groupadd -- system_u:object_r:groupadd_exec_t
-/usr/sbin/groupdel -- system_u:object_r:groupadd_exec_t
-/usr/bin/gpasswd -- system_u:object_r:groupadd_exec_t
-/usr/sbin/gpasswd -- system_u:object_r:groupadd_exec_t
diff --git a/strict/file_contexts/program/userhelper.fc b/strict/file_contexts/program/userhelper.fc
deleted file mode 100644
index 8623456b..00000000
--- a/strict/file_contexts/program/userhelper.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/etc/security/console.apps(/.*)? system_u:object_r:userhelper_conf_t
-/usr/sbin/userhelper -- system_u:object_r:userhelper_exec_t
diff --git a/strict/file_contexts/program/usernetctl.fc b/strict/file_contexts/program/usernetctl.fc
deleted file mode 100644
index b9ef00f6..00000000
--- a/strict/file_contexts/program/usernetctl.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# usernetctl
-/usr/sbin/usernetctl -- system_u:object_r:usernetctl_exec_t
diff --git a/strict/file_contexts/program/utempter.fc b/strict/file_contexts/program/utempter.fc
deleted file mode 100644
index 4e6670ac..00000000
--- a/strict/file_contexts/program/utempter.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# utempter
-/usr/sbin/utempter -- system_u:object_r:utempter_exec_t
diff --git a/strict/file_contexts/program/uucpd.fc b/strict/file_contexts/program/uucpd.fc
deleted file mode 100644
index db5a2576..00000000
--- a/strict/file_contexts/program/uucpd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# uucico program
-/usr/sbin/uucico -- system_u:object_r:uucpd_exec_t
-/var/spool/uucp(/.*)? system_u:object_r:uucpd_spool_t
-/var/spool/uucppublic(/.*)? system_u:object_r:uucpd_spool_t
-/var/log/uucp(/.*)? system_u:object_r:uucpd_log_t
diff --git a/strict/file_contexts/program/uwimapd.fc b/strict/file_contexts/program/uwimapd.fc
deleted file mode 100644
index 00f90737..00000000
--- a/strict/file_contexts/program/uwimapd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# uw-imapd and uw-imapd-ssl
-/usr/sbin/imapd -- system_u:object_r:imapd_exec_t
diff --git a/strict/file_contexts/program/vmware.fc b/strict/file_contexts/program/vmware.fc
deleted file mode 100644
index d015988c..00000000
--- a/strict/file_contexts/program/vmware.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# File contexts for VMWare.
-# Contributed by Mark Westerman (mark.westerman@westcam.com)
-# Changes made by NAI Labs.
-# Tested with VMWare 3.1
-#
-/usr/bin/vmnet-bridge -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-dhcpd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-natd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-netifup -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-sniffer -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-nmbd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-ping -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-wizard -- system_u:object_r:vmware_user_exec_t
-/usr/bin/vmware -- system_u:object_r:vmware_user_exec_t
-
-/dev/vmmon -c system_u:object_r:vmware_device_t
-/dev/vmnet.* -c system_u:object_r:vmware_device_t
-/dev/plex86 -c system_u:object_r:vmware_device_t
-
-/etc/vmware.*(/.*)? system_u:object_r:vmware_sys_conf_t
-/usr/lib(64)?/vmware/config -- system_u:object_r:vmware_sys_conf_t
-
-/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t
-/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t
-
-#
-# This is only an example of how to protect vmware session configuration
-# files. A general user can execute vmware and start a vmware session
-# but the user can not modify the session configuration information
-#/usr/local/vmware(/.*)? system_u:object_r:vmware_user_file_t
-#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t
-
-# The rules below assume that the user VMWare virtual disks are in the
-# ~/vmware, and the preferences and license files are in ~/.vmware.
-#
-HOME_DIR/\.vmware(/.*)? system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/vmware(/.*)?
system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/\.vmware[^/]*/.*\.cfg -- system_u:object_r:ROLE_vmware_conf_t
diff --git a/strict/file_contexts/program/vpnc.fc b/strict/file_contexts/program/vpnc.fc
deleted file mode 100644
index afaea760..00000000
--- a/strict/file_contexts/program/vpnc.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# vpnc
-/usr/sbin/vpnc -- system_u:object_r:vpnc_exec_t
-/sbin/vpnc -- system_u:object_r:vpnc_exec_t
-/etc/vpnc/vpnc-script -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/watchdog.fc b/strict/file_contexts/program/watchdog.fc
deleted file mode 100644
index d7a8c7f5..00000000
--- a/strict/file_contexts/program/watchdog.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# watchdog
-/usr/sbin/watchdog -- system_u:object_r:watchdog_exec_t
-/dev/watchdog -c system_u:object_r:watchdog_device_t
-/var/log/watchdog(/.*)? system_u:object_r:watchdog_log_t
-/var/run/watchdog\.pid -- system_u:object_r:watchdog_var_run_t
diff --git a/strict/file_contexts/program/webalizer.fc b/strict/file_contexts/program/webalizer.fc
deleted file mode 100644
index 5c11bcfb..00000000
--- a/strict/file_contexts/program/webalizer.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-/usr/bin/webalizer -- system_u:object_r:webalizer_exec_t
-/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t
diff --git a/strict/file_contexts/program/winbind.fc b/strict/file_contexts/program/winbind.fc
deleted file mode 100644
index 9486f91b..00000000
--- a/strict/file_contexts/program/winbind.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/usr/sbin/winbindd -- system_u:object_r:winbind_exec_t
-/var/run/winbindd(/.*)? system_u:object_r:winbind_var_run_t
-ifdef(`samba.te', `', `
-/var/log/samba(/.*)? system_u:object_r:samba_log_t
-/etc/samba(/.*)? system_u:object_r:samba_etc_t
-/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t
-/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t
-/var/cache/samba(/.*)? system_u:object_r:samba_var_t
-')
-/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t
-/usr/bin/ntlm_auth -- system_u:object_r:winbind_helper_exec_t
diff --git a/strict/file_contexts/program/xauth.fc b/strict/file_contexts/program/xauth.fc
deleted file mode 100644
index 055fc2f6..00000000
--- a/strict/file_contexts/program/xauth.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# xauth
-/usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t
-HOME_DIR/\.xauth.* -- system_u:object_r:ROLE_xauth_home_t
-HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t
diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc
deleted file mode 100644
index 16c2d7d5..00000000
--- a/strict/file_contexts/program/xdm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# X Display Manager
-/usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
-/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
-/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t
-/usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t
-/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t
-/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t
-/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t
-/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
-/var/log/gdm(/.*)? system_u:object_r:xserver_log_t
-/tmp/\.X0-lock -- system_u:object_r:xdm_xserver_tmp_t
-/etc/X11/Xsession[^/]* -- system_u:object_r:xsession_exec_t
-/etc/X11/wdm(/.*)? system_u:object_r:xdm_rw_etc_t
-/etc/X11/wdm/Xsetup.* -- system_u:object_r:xsession_exec_t
-/etc/X11/wdm/Xstartup.* -- system_u:object_r:xsession_exec_t
-/etc/X11/[wx]dm/Xreset.* -- system_u:object_r:xsession_exec_t
-/etc/X11/[wx]dm/Xsession -- system_u:object_r:xsession_exec_t
-/etc/kde/kdm/Xsession -- system_u:object_r:xsession_exec_t
-/var/run/xdmctl(/.*)? system_u:object_r:xdm_var_run_t
-/var/run/xdm\.pid -- system_u:object_r:xdm_var_run_t
-/var/lib/[xkw]dm(/.*)? system_u:object_r:xdm_var_lib_t
-ifdef(`distro_suse', `
-/var/lib/pam_devperm/:0 -- system_u:object_r:xdm_var_lib_t
-')
-
-#
-# Additional Xsession scripts
-#
-/etc/X11/xdm/GiveConsole -- system_u:object_r:bin_t
-/etc/X11/xdm/TakeConsole -- system_u:object_r:bin_t
-/etc/X11/xdm/Xsetup_0 -- system_u:object_r:bin_t
-/etc/X11/xinit(/.*)? system_u:object_r:bin_t
-#
-# Rules for kde login
-#
-/etc/kde3?/kdm/Xstartup -- system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/Xreset -- system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/Xsession -- system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/backgroundrc system_u:object_r:xdm_var_run_t
-/usr/lib(64)?/qt-.*/etc/settings(/.*)? system_u:object_r:xdm_var_run_t
diff --git a/strict/file_contexts/program/xfs.fc b/strict/file_contexts/program/xfs.fc
deleted file mode 100644
index 9edae3f9..00000000
--- a/strict/file_contexts/program/xfs.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# xfs
-/tmp/\.font-unix(/.*)? system_u:object_r:xfs_tmp_t
-/usr/X11R6/bin/xfs -- system_u:object_r:xfs_exec_t
-/usr/X11R6/bin/xfs-xtt -- system_u:object_r:xfs_exec_t
-/usr/bin/xfstt -- system_u:object_r:xfs_exec_t
diff --git a/strict/file_contexts/program/xprint.fc b/strict/file_contexts/program/xprint.fc
deleted file mode 100644
index 3c72a774..00000000
--- a/strict/file_contexts/program/xprint.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/Xprt -- system_u:object_r:xprint_exec_t
diff --git a/strict/file_contexts/program/xserver.fc b/strict/file_contexts/program/xserver.fc
deleted file mode 100644
index 3d48a6fc..00000000
--- a/strict/file_contexts/program/xserver.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# X server
-/usr/X11R6/bin/Xwrapper -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/X -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/XFree86 -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xorg -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xipaq -- system_u:object_r:xserver_exec_t
-/var/lib/xkb(/.*)? system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb -d system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
-/var/log/XFree86.* -- system_u:object_r:xserver_log_t
-/var/log/Xorg.* -- system_u:object_r:xserver_log_t
-/etc/init\.d/xfree86-common -- system_u:object_r:xserver_exec_t
-/tmp/\.X11-unix -d system_u:object_r:xdm_tmp_t
-/tmp/\.X11-unix/.* -s <>
-/tmp/\.ICE-unix -d system_u:object_r:ice_tmp_t
-/tmp/\.ICE-unix/.* -s <>
diff --git a/strict/file_contexts/program/yam.fc b/strict/file_contexts/program/yam.fc
deleted file mode 100644
index 023b7406..00000000
--- a/strict/file_contexts/program/yam.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# yam
-/etc/yam.conf -- system_u:object_r:yam_etc_t
-/usr/bin/yam system_u:object_r:yam_exec_t
-/var/yam(/.*)? system_u:object_r:yam_content_t
-/var/www/yam(/.*)? system_u:object_r:yam_content_t
diff --git a/strict/file_contexts/program/ypbind.fc b/strict/file_contexts/program/ypbind.fc
deleted file mode 100644
index c700d92f..00000000
--- a/strict/file_contexts/program/ypbind.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ypbind
-/sbin/ypbind -- system_u:object_r:ypbind_exec_t
diff --git a/strict/file_contexts/program/yppasswdd.fc b/strict/file_contexts/program/yppasswdd.fc
deleted file mode 100644
index e390bd82..00000000
--- a/strict/file_contexts/program/yppasswdd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# yppasswd
-/usr/sbin/rpc.yppasswdd -- system_u:object_r:yppasswdd_exec_t
diff --git a/strict/file_contexts/program/ypserv.fc b/strict/file_contexts/program/ypserv.fc
deleted file mode 100644
index 519a5a40..00000000
--- a/strict/file_contexts/program/ypserv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# ypserv
-/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t
-/usr/lib/yp/.+ -- system_u:object_r:bin_t
-/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
diff --git a/strict/file_contexts/program/zebra.fc b/strict/file_contexts/program/zebra.fc
deleted file mode 100644
index e524355c..00000000
--- a/strict/file_contexts/program/zebra.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# Zebra - BGP daemon
-/usr/sbin/zebra -- system_u:object_r:zebra_exec_t
-/usr/sbin/bgpd -- system_u:object_r:zebra_exec_t
-/var/log/zebra(/.*)? system_u:object_r:zebra_log_t
-/etc/zebra(/.*)? system_u:object_r:zebra_conf_t
-/var/run/\.zserv -s system_u:object_r:zebra_var_run_t
-/var/run/\.zebra -s system_u:object_r:zebra_var_run_t
-# Quagga
-/usr/sbin/rip.* -- system_u:object_r:zebra_exec_t
-/usr/sbin/ospf.* -- system_u:object_r:zebra_exec_t
-/etc/quagga(/.*)? system_u:object_r:zebra_conf_t
-/var/log/quagga(/.*)? system_u:object_r:zebra_log_t
-/var/run/quagga(/.*)? system_u:object_r:zebra_var_run_t
diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc
deleted file mode 100644
index d8fe1b6c..00000000
--- a/strict/file_contexts/types.fc
+++ /dev/null
@@ -1,515 +0,0 @@
-#
-# This file describes the security contexts to be applied to files
-# when the security policy is installed. The setfiles program
-# reads this file and labels files accordingly.
-#
-# Each specification has the form:
-# regexp [ -type ] ( context | <> )
-#
-# By default, the regexp is an anchored match on both ends (i.e. a
-# caret (^) is prepended and a dollar sign ($) is appended automatically).
-# This default may be overridden by using .* at the beginning and/or
-# end of the regular expression.
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -d to match only directories or -- to match only
-# regular files.
-#
-# The value of < may be used to indicate that matching files
-# should not be relabeled.
-#
-# The last matching specification is used.
-#
-# If there are multiple hard links to a file that match
-# different specifications and those specifications indicate
-# different security contexts, then a warning is displayed
-# but the file is still labeled based on the last matching
-# specification other than <>.
-#
-# Some of the files listed here get re-created during boot and therefore
-# need type transition rules to retain the correct type. These files are
-# listed here anyway so that if the setfiles program is used on a running
-# system it does not relabel them to something we do not want. An example of
-# this is /var/run/utmp.
-#
-
-#
-# The security context for all files not otherwise specified.
-#
-/.* system_u:object_r:default_t
-
-#
-# The root directory.
-#
-/ -d system_u:object_r:root_t
-
-#
-# Ordinary user home directories.
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-# and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-#
-HOME_ROOT -d system_u:object_r:home_root_t
-HOME_DIR -d system_u:object_r:ROLE_home_dir_t
-HOME_DIR/.+ system_u:object_r:ROLE_home_t
-
-/root/\.default_contexts -- system_u:object_r:default_context_t
-
-#
-# Mount points; do not relabel subdirectories, since
-# we do not want to change any removable media by default.
-/mnt(/[^/]*)? -d system_u:object_r:mnt_t
-/mnt/[^/]*/.* <>
-/media(/[^/]*)? -d system_u:object_r:mnt_t
-/media/[^/]*/.* <>
-
-#
-# /var
-#
-/var(/.*)? system_u:object_r:var_t
-/var/cache/man(/.*)? system_u:object_r:man_t
-/var/yp(/.*)? system_u:object_r:var_yp_t
-/var/lib(/.*)? system_u:object_r:var_lib_t
-/var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t
-/var/lib/texmf(/.*)? system_u:object_r:tetex_data_t
-/var/cache/fonts(/.*)? system_u:object_r:tetex_data_t
-/var/lock(/.*)? system_u:object_r:var_lock_t
-/var/tmp -d system_u:object_r:tmp_t
-/var/tmp/.* <>
-/var/tmp/vi\.recover -d system_u:object_r:tmp_t
-/var/lib/nfs/rpc_pipefs(/.*)? <>
-/var/mailman/bin(/.*)? system_u:object_r:bin_t
-/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? -- system_u:object_r:shlib_t
-
-#
-# /var/ftp
-#
-/var/ftp/bin(/.*)? system_u:object_r:bin_t
-/var/ftp/bin/ls -- system_u:object_r:ls_exec_t
-/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t
-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/var/ftp/etc(/.*)? system_u:object_r:etc_t
-
-#
-# /bin
-#
-/bin(/.*)? system_u:object_r:bin_t
-/bin/tcsh -- system_u:object_r:shell_exec_t
-/bin/bash -- system_u:object_r:shell_exec_t
-/bin/bash2 -- system_u:object_r:shell_exec_t
-/bin/sash -- system_u:object_r:shell_exec_t
-/bin/d?ash -- system_u:object_r:shell_exec_t
-/bin/zsh.* -- system_u:object_r:shell_exec_t
-/usr/sbin/sesh -- system_u:object_r:shell_exec_t
-/bin/ls -- system_u:object_r:ls_exec_t
-
-#
-# /boot
-#
-/boot(/.*)? system_u:object_r:boot_t
-/boot/System\.map(-.*)? system_u:object_r:system_map_t
-
-#
-# /dev
-#
-/dev(/.*)?
system_u:object_r:device_t
-/dev/pts(/.*)? <>
-/dev/cpu/.* -c system_u:object_r:cpu_device_t
-/dev/microcode -c system_u:object_r:cpu_device_t
-/dev/MAKEDEV -- system_u:object_r:sbin_t
-/dev/null -c system_u:object_r:null_device_t
-/dev/full -c system_u:object_r:null_device_t
-/dev/zero -c system_u:object_r:zero_device_t
-/dev/console -c system_u:object_r:console_device_t
-/dev/xconsole -p system_u:object_r:xconsole_device_t
-/dev/(kmem|mem|port) -c system_u:object_r:memory_device_t
-/dev/nvram -c system_u:object_r:memory_device_t
-/dev/random -c system_u:object_r:random_device_t
-/dev/urandom -c system_u:object_r:urandom_device_t
-/dev/adb.* -c system_u:object_r:tty_device_t
-/dev/capi.* -c system_u:object_r:tty_device_t
-/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
-/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
-/dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t
-/dev/rfcomm[0-9]+ -c system_u:object_r:tty_device_t
-/dev/isdn.* -c system_u:object_r:tty_device_t
-/dev/.*tty[^/]* -c system_u:object_r:tty_device_t
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t
-/dev/cu.* -c system_u:object_r:tty_device_t
-/dev/vcs[^/]* -c system_u:object_r:tty_device_t
-/dev/ip2[^/]* -c system_u:object_r:tty_device_t
-/dev/hvc.* -c system_u:object_r:tty_device_t
-/dev/hvsi.* -c system_u:object_r:tty_device_t
-/dev/ttySG.* -c system_u:object_r:tty_device_t
-/dev/tty -c system_u:object_r:devtty_t
-/dev/lp.* -c system_u:object_r:printer_device_t
-/dev/par.* -c system_u:object_r:printer_device_t
-/dev/usb/lp.* -c system_u:object_r:printer_device_t
-/dev/usblp.* -c system_u:object_r:printer_device_t
-ifdef(`distro_redhat', `
-/dev/root -b system_u:object_r:fixed_disk_device_t
-')
-/dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t
-/dev/dm-[0-9]+ -b system_u:object_r:fixed_disk_device_t
-/dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t
-/dev/rd.* -b system_u:object_r:fixed_disk_device_t
-/dev/i2o/hd[^/]* -b
system_u:object_r:fixed_disk_device_t
-/dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t
-/dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t
-/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t
-/dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
-/dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
-/dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
-/dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
-/dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t
-/dev/loop.* -b system_u:object_r:fixed_disk_device_t
-/dev/net/.* -c system_u:object_r:tun_tap_device_t
-/dev/ram.* -b system_u:object_r:fixed_disk_device_t
-/dev/rawctl -c system_u:object_r:fixed_disk_device_t
-/dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t
-/dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t
-/dev/initrd -b system_u:object_r:fixed_disk_device_t
-/dev/jsfd -b system_u:object_r:fixed_disk_device_t
-/dev/js.* -c system_u:object_r:mouse_device_t
-/dev/jsflash -c system_u:object_r:fixed_disk_device_t
-/dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t
-/dev/usb/rio500 -c system_u:object_r:removable_device_t
-/dev/fd[^/]+ -b system_u:object_r:removable_device_t
-# I think a parallel port disk is a removable device...
-/dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t
-/dev/p[fg][0-3] -b system_u:object_r:removable_device_t
-/dev/aztcd -b system_u:object_r:removable_device_t
-/dev/bpcd -b system_u:object_r:removable_device_t
-/dev/gscd -b system_u:object_r:removable_device_t
-/dev/hitcd -b system_u:object_r:removable_device_t
-/dev/pcd[0-3] -b system_u:object_r:removable_device_t
-/dev/mcdx?
-b system_u:object_r:removable_device_t
-/dev/cdu.* -b system_u:object_r:removable_device_t
-/dev/cm20.* -b system_u:object_r:removable_device_t
-/dev/optcd -b system_u:object_r:removable_device_t
-/dev/sbpcd.* -b system_u:object_r:removable_device_t
-/dev/sjcd -b system_u:object_r:removable_device_t
-/dev/sonycd -b system_u:object_r:removable_device_t
-# parallel port ATAPI generic device
-/dev/pg[0-3] -c system_u:object_r:removable_device_t
-/dev/rtc -c system_u:object_r:clock_device_t
-/dev/psaux -c system_u:object_r:mouse_device_t
-/dev/atibm -c system_u:object_r:mouse_device_t
-/dev/logibm -c system_u:object_r:mouse_device_t
-/dev/.*mouse.* -c system_u:object_r:mouse_device_t
-/dev/input/.*mouse.* -c system_u:object_r:mouse_device_t
-/dev/input/event.* -c system_u:object_r:event_device_t
-/dev/input/mice -c system_u:object_r:mouse_device_t
-/dev/input/js.* -c system_u:object_r:mouse_device_t
-/dev/ptmx -c system_u:object_r:ptmx_t
-/dev/sequencer -c system_u:object_r:misc_device_t
-/dev/fb[0-9]* -c system_u:object_r:framebuf_device_t
-/dev/apm_bios -c system_u:object_r:apm_bios_t
-/dev/cpu/mtrr -c system_u:object_r:mtrr_device_t
-/dev/pmu -c system_u:object_r:power_device_t
-/dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t
-/dev/winradio.
-c system_u:object_r:v4l_device_t
-/dev/vttuner -c system_u:object_r:v4l_device_t
-/dev/tlk[0-3] -c system_u:object_r:v4l_device_t
-/dev/adsp -c system_u:object_r:sound_device_t
-/dev/mixer.* -c system_u:object_r:sound_device_t
-/dev/dsp.* -c system_u:object_r:sound_device_t
-/dev/audio.* -c system_u:object_r:sound_device_t
-/dev/r?midi.* -c system_u:object_r:sound_device_t
-/dev/sequencer2 -c system_u:object_r:sound_device_t
-/dev/smpte.* -c system_u:object_r:sound_device_t
-/dev/sndstat -c system_u:object_r:sound_device_t
-/dev/beep -c system_u:object_r:sound_device_t
-/dev/patmgr[01] -c system_u:object_r:sound_device_t
-/dev/mpu401.* -c system_u:object_r:sound_device_t
-/dev/srnd[0-7] -c system_u:object_r:sound_device_t
-/dev/aload.* -c system_u:object_r:sound_device_t
-/dev/amidi.* -c system_u:object_r:sound_device_t
-/dev/amixer.* -c system_u:object_r:sound_device_t
-/dev/snd/.* -c system_u:object_r:sound_device_t
-/dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t
-/dev/n?(raw)?[qr]ft[0-3] -c system_u:object_r:tape_device_t
-/dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t
-/dev/n?tpqic[12].* -c system_u:object_r:tape_device_t
-/dev/ht[0-1] -b system_u:object_r:tape_device_t
-/dev/n?osst[0-3].* -c system_u:object_r:tape_device_t
-/dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t
-/dev/tape.* -c system_u:object_r:tape_device_t
-ifdef(`distro_suse', `
-/dev/usbscanner -c system_u:object_r:scanner_device_t
-')
-/dev/usb/scanner.* -c system_u:object_r:scanner_device_t
-/dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t
-/dev/usb/mdc800.* -c system_u:object_r:scanner_device_t
-/dev/usb/tty.* -c system_u:object_r:usbtty_device_t
-/dev/mmetfgrab -c system_u:object_r:scanner_device_t
-/dev/nvidia.* -c system_u:object_r:xserver_misc_device_t
-/dev/dri/.+ -c system_u:object_r:dri_device_t
-/dev/radeon -c system_u:object_r:dri_device_t
-/dev/agpgart -c system_u:object_r:agp_device_t
-/dev/z90crypt -c system_u:object_r:crypt_device_t
-
-#
-# Misc
-#
-/proc(/.*)? <>
-/sys(/.*)? <>
-/selinux(/.*)? <>
-
-#
-# /opt
-#
-/opt(/.*)? system_u:object_r:usr_t
-/opt(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t
-/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/opt(/.*)?/libexec(/.*)? system_u:object_r:bin_t
-/opt(/.*)?/bin(/.*)? system_u:object_r:bin_t
-/opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
-/opt(/.*)?/man(/.*)? system_u:object_r:man_t
-/opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t
-
-#
-# /etc
-#
-/etc(/.*)? system_u:object_r:etc_t
-/var/db/.*\.db -- system_u:object_r:etc_t
-/etc/\.pwd\.lock -- system_u:object_r:shadow_t
-/etc/passwd\.lock -- system_u:object_r:shadow_t
-/etc/group\.lock -- system_u:object_r:shadow_t
-/etc/shadow.* -- system_u:object_r:shadow_t
-/etc/gshadow.* -- system_u:object_r:shadow_t
-/var/db/shadow.* -- system_u:object_r:shadow_t
-/etc/blkid\.tab.* -- system_u:object_r:etc_runtime_t
-/etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t
-/etc/\.fstab\.hal\..+ -- system_u:object_r:etc_runtime_t
-/etc/HOSTNAME -- system_u:object_r:etc_runtime_t
-/etc/ioctl\.save -- system_u:object_r:etc_runtime_t
-/etc/mtab -- system_u:object_r:etc_runtime_t
-/etc/motd -- system_u:object_r:etc_runtime_t
-/etc/issue -- system_u:object_r:etc_runtime_t
-/etc/issue\.net -- system_u:object_r:etc_runtime_t
-/etc/sysconfig/hwconf -- system_u:object_r:etc_runtime_t
-/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t
-/etc/sysconfig/firstboot -- system_u:object_r:etc_runtime_t
-/etc/asound\.state -- system_u:object_r:etc_runtime_t
-/etc/ptal/ptal-printd-like -- system_u:object_r:etc_runtime_t
-ifdef(`distro_gentoo', `
-/etc/profile\.env -- system_u:object_r:etc_runtime_t
-/etc/csh\.env -- system_u:object_r:etc_runtime_t
-/etc/env\.d/.* -- system_u:object_r:etc_runtime_t
-')
-/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t
-/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t
-/etc/yp\.conf.* -- system_u:object_r:net_conf_t
-/etc/resolv\.conf.* --
system_u:object_r:net_conf_t
-
-/etc/selinux(/.*)? system_u:object_r:selinux_config_t
-/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:policy_config_t
-/etc/selinux/([^/]*/)?src(/.*)? system_u:object_r:policy_src_t
-/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t
-/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t
-
-
-#
-# /lib(64)?
-#
-/lib(64)?(/.*)? system_u:object_r:lib_t
-/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
-
-#
-# /sbin
-#
-/sbin(/.*)? system_u:object_r:sbin_t
-
-#
-# /tmp
-#
-/tmp -d system_u:object_r:tmp_t
-/tmp/.* <>
-
-#
-# /usr
-#
-/usr(/.*)? system_u:object_r:usr_t
-/usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/usr/lib/win32/.* -- system_u:object_r:shlib_t
-/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
-/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
-/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
-/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
-/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
-/usr/etc(/.*)? system_u:object_r:etc_t
-/usr/inclu.e(/.*)? system_u:object_r:usr_t
-/usr/libexec(/.*)? system_u:object_r:bin_t
-/usr/src(/.*)? system_u:object_r:src_t
-/usr/tmp -d system_u:object_r:tmp_t
-/usr/tmp/.* <>
-/usr/man(/.*)? system_u:object_r:man_t
-/usr/share/man(/.*)? system_u:object_r:man_t
-/usr/share/mc/extfs/.* -- system_u:object_r:bin_t
-/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t
-/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t
-/usr/share/ssl/private(/.*)?
system_u:object_r:cert_t
-
-# nvidia share libraries
-/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
-
-# libGL
-/usr/X11R6/lib/libGL\.so.* -- system_u:object_r:texrel_shlib_t
-
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)? system_u:object_r:policy_src_t
-')
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
-')
-
-#
-# /usr/lib(64)?
-#
-/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t
-/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
-/usr/lib(64)?/emacsen-common/.* system_u:object_r:bin_t
-
-#
-# /usr/local
-#
-/usr/local/etc(/.*)? system_u:object_r:etc_t
-/usr/local/src(/.*)? system_u:object_r:src_t
-/usr/local/man(/.*)? system_u:object_r:man_t
-/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t
-
-
-#
-# /usr/X11R6/man
-#
-/usr/X11R6/man(/.*)? system_u:object_r:man_t
-
-#
-# Fonts dir
-#
-/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t
-ifdef(`distro_debian', `
-/var/lib/msttcorefonts(/.*)? system_u:object_r:fonts_t
-')
-/usr/share/fonts(/.*)? system_u:object_r:fonts_t
-/usr/share/ghostscript/fonts(/.*)? system_u:object_r:fonts_t
-/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t
-
-#
-# /var/run
-#
-/var/run(/.*)? system_u:object_r:var_run_t
-/var/run/.*\.*pid <>
-
-#
-# /var/spool
-#
-/var/spool(/.*)? system_u:object_r:var_spool_t
-/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t
-/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t
-
-#
-# /var/log
-#
-/var/log(/.*)?
system_u:object_r:var_log_t
-/var/log/wtmp.* -- system_u:object_r:wtmp_t
-/var/log/btmp.* -- system_u:object_r:faillog_t
-/var/log/faillog -- system_u:object_r:faillog_t
-/var/log/ksyms.* -- system_u:object_r:var_log_ksyms_t
-/var/log/dmesg -- system_u:object_r:var_log_t
-/var/log/lastlog -- system_u:object_r:lastlog_t
-/var/log/ksymoops(/.*)? system_u:object_r:var_log_ksyms_t
-/var/log/syslog -- system_u:object_r:var_log_t
-
-#
-# Journal files
-#
-/\.journal <>
-/usr/\.journal <>
-/boot/\.journal <>
-HOME_ROOT/\.journal <>
-/var/\.journal <>
-/tmp/\.journal <>
-/usr/local/\.journal <>
-
-#
-# Lost and found directories.
-#
-/lost\+found -d system_u:object_r:lost_found_t
-/lost\+found/.* <>
-/usr/lost\+found -d system_u:object_r:lost_found_t
-/usr/lost\+found/.* <>
-/boot/lost\+found -d system_u:object_r:lost_found_t
-/boot/lost\+found/.* <>
-HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t
-HOME_ROOT/lost\+found/.* <>
-/var/lost\+found -d system_u:object_r:lost_found_t
-/var/lost\+found/.* <>
-/tmp/lost\+found -d system_u:object_r:lost_found_t
-/tmp/lost\+found/.* <>
-/var/tmp/lost\+found -d system_u:object_r:lost_found_t
-/var/tmp/lost\+found/.* <>
-/usr/local/lost\+found -d system_u:object_r:lost_found_t
-/usr/local/lost\+found/.* <>
-
-#
-# system localization
-#
-/usr/share/zoneinfo(/.*)? system_u:object_r:locale_t
-/usr/share/locale(/.*)? system_u:object_r:locale_t
-/usr/lib/locale(/.*)? system_u:object_r:locale_t
-/etc/localtime -- system_u:object_r:locale_t
-/etc/localtime -l system_u:object_r:etc_t
-/etc/pki(/.*)? system_u:object_r:cert_t
-
-#
-# Gnu Cash
-#
-/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
-/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
-
-#
-# Turboprint
-#
-/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
-/usr/share/hwdata(/.*)?
system_u:object_r:hwdata_t
-
-#
-# initrd mount point, only used during boot
-#
-/initrd -d system_u:object_r:root_t
-
-#
-# The krb5.conf file is always being tested for writability, so
-# we defined a type to dontaudit
-#
-/etc/krb5\.conf -- system_u:object_r:krb5_conf_t
-
-#
-# Thunderbird
-#
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
-
-#
-# /srv
-#
-/srv(/.*)? system_u:object_r:var_t
-
diff --git a/strict/flask/Makefile b/strict/flask/Makefile
deleted file mode 100644
index 970b9fed..00000000
--- a/strict/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
- else if [ -x /bin/bash ]; then echo /bin/bash; \
- else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all: $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
- $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
- $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
- install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
- install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
- install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:
- rm -f $(FLASK_H_FILES)
- rm -f $(AV_H_FILES)
diff --git a/strict/flask/access_vectors b/strict/flask/access_vectors
deleted file mode 100644
index dc20463f..00000000
--- a/strict/flask/access_vectors
+++ /dev/null
@@ -1,608 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- unlink
- link
- rename
- execute
- swapon
- quotaon
- mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- recv_msg
- send_msg
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- transition
- associate
- quotamod
- quotaget
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
-}
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- connectto
- newconn
- acceptfrom
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- enforce_dest
-}
-
-class netif
-{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
- newconn
- acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
-}
-
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
- passwd # change another user passwd
- chfn # change another user finger info
- chsh # change another user shell
- rootok # pam_rootok check (skip auth)
- crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class drawable
-{
- create
- destroy
- draw
- copy
- getattr
-}
-
-class gc
-{
- create
- free
- getattr
- setattr
-}
-
-class window
-{
- addchild
- create
- destroy
- map
- unmap
- chstack
- chproplist
- chprop
- listprop
- getattr
- setattr
- setfocus
- move
- chselection
- chparent
- ctrllife
- enumerate
- transparent
- mousemotion
- clientcomevent
- inputevent
- drawevent
- windowchangeevent
- windowchangerequest
- serverchangeevent
- extensionevent
-}
-
-class font
-{
- load
- free
- getattr
- use
-}
-
-class colormap
-{
- create
- free
- install
- uninstall
- list
- read
- store
- getattr
- setattr
-}
-
-class property
-{
- create
- free
- read
- write
-}
-
-class cursor
-{
- create
- createglyph
- free
- assign
- setattr
-}
-
-class xclient
-{
- kill
-}
-
-class xinput
-{
- lookup
- getattr
- setattr
- setfocus
- warppointer
- activegrab
- passivegrab
- ungrab
- bell
- mousemotion
- relabelinput
-}
-
-class xserver
-{
- screensaver
- gethostlist
- sethostlist
- getfontpath
- setfontpath
- getattr
- grab
- ungrab
-}
-
-class xextension
-{
- query
- use
-}
-
-#
-# Define the access vector interpretation for controlling
-# PaX flags
-#
-class pax
-{
- pageexec # Paging based non-executable pages
- emutramp # Emulate trampolines
- mprotect # Restrict mprotect()
- randmmap # Randomize mmap() base
- randexec # Randomize ET_EXEC base
- segmexec # Segmentation based non-executable pages
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
- acquire_svc
- send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
- getpwd
- getgrp
- gethost
- getstat
- admin
- shmempwd
- shmemgrp
- shmemhost
-}
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
diff --git a/strict/flask/initial_sids b/strict/flask/initial_sids
deleted file mode 100644
index 95894eb4..00000000
--- a/strict/flask/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/strict/flask/mkaccess_vector.sh b/strict/flask/mkaccess_vector.sh
deleted file mode 100644
index b5da734b..00000000
--- a/strict/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,227 +0,0 @@
-#!/bin/sh
-
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
-av_perm_to_string="av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN {
- outfile = \"$av_permissions\"
- inheritfile = \"$av_inherit\"
- cpermfile = \"$common_perm_to_string\"
- avpermfile = \"$av_perm_to_string\"
- "'
- nextstate = "COMMON_OR_AV";
- printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
-;
- }
-/^[ \t]*#/ {
- next;
- }
-$1 == "common" {
- if (nextstate != "COMMON_OR_AV")
- {
- printf("Parse error: Unexpected COMMON definition on line %d\n", NR);
- next;
- }
-
- if ($2 in common_defined)
- {
- printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
- next;
- }
- common_defined[$2] = 1;
-
- tclass = $2;
- common_name = $2;
- permission = 1;
-
- printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
-
- nextstate = "COMMON-OPENBRACKET";
- next;
- }
-$1 == "class" {
- if (nextstate != "COMMON_OR_AV" &&
- nextstate != "CLASS_OR_CLASS-OPENBRACKET")
- {
- printf("Parse error: Unexpected class definition on line %d\n", NR);
- next;
- }
-
- tclass = $2;
-
- if (tclass in av_defined)
- {
- printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
- next;
- }
- av_defined[tclass] = 1;
-
- inherits = "";
- permission = 1;
-
- nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
- next;
- }
-$1 == "inherits" {
- if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
- {
- printf("Parse error: Unexpected INHERITS definition on line %d\n", NR);
- next;
- }
-
- if (!($2 in common_defined))
- {
- printf("COMMON %s is not defined (line %d).\n", $2, NR);
- next;
- }
-
- inherits = $2;
- permission = common_base[$2];
-
- for (combined in common_perms)
- {
- split(combined,separate, SUBSEP);
- if (separate[1] == inherits)
- {
- inherited_perms[common_perms[combined]] = separate[2];
- }
- }
-
- j = 1;
- for (i in inherited_perms) {
- ind[j] = i + 0;
- j++;
- }
- n = asort(ind);
- for (i = 1; i <= n; i++) {
- perm = inherited_perms[ind[i]];
- printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
- spaces = 40 - (length(perm) + length(tclass));
- if (spaces < 1)
- spaces = 1;
- for (j = 0; j < spaces; j++)
- printf(" ") > outfile;
- printf("0x%08xUL\n", ind[i]) > outfile;
- }
- printf("\n") > outfile;
- for (i in ind) delete ind[i];
- for (i in inherited_perms) delete inherited_perms[i];
-
- printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
-
- nextstate = "CLASS_OR_CLASS-OPENBRACKET";
- next;
- }
-$1 == "{" {
- if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
- nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
- nextstate != "COMMON-OPENBRACKET")
- {
- printf("Parse error: Unexpected { on line %d\n", NR);
- next;
- }
-
- if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
- nextstate = "CLASS-CLOSEBRACKET";
-
- if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
- nextstate = "CLASS-CLOSEBRACKET";
-
- if (nextstate == "COMMON-OPENBRACKET")
- nextstate = "COMMON-CLOSEBRACKET";
- }
-/[a-z][a-z_]*/ {
- if (nextstate != "COMMON-CLOSEBRACKET" &&
- nextstate != "CLASS-CLOSEBRACKET")
- {
- printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR);
- next;
- }
-
- if (nextstate == "COMMON-CLOSEBRACKET")
- {
- if ((common_name,$1) in common_perms)
- {
- printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
- next;
- }
-
- common_perms[common_name,$1] = permission;
-
- printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
-
- printf(" S_(\"%s\")\n", $1) > cpermfile;
- }
- else
- {
- if ((tclass,$1) in av_perms)
- {
- printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
- next;
- }
-
- av_perms[tclass,$1] = permission;
-
- if (inherits != "")
- {
- if ((inherits,$1) in common_perms)
- {
- printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
- next;
- }
- }
-
- printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
-
- printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
- }
-
- spaces = 40 - (length($1) + length(tclass));
- if (spaces < 1)
- spaces = 1;
-
- for (i = 0; i < spaces; i++)
- printf(" ") > outfile;
- printf("0x%08xUL\n", permission) > outfile;
- permission = permission * 2;
- }
-$1 == "}" {
- if (nextstate != "CLASS-CLOSEBRACKET" &&
- nextstate != "COMMON-CLOSEBRACKET")
- {
- printf("Parse error: Unexpected } on line %d\n", NR);
- next;
- }
-
- if (nextstate == "COMMON-CLOSEBRACKET")
- {
- common_base[common_name] = permission;
- printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
- }
-
- printf("\n") > outfile;
-
- nextstate = "COMMON_OR_AV";
- }
-END {
- if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
- printf("Parse error: Unexpected end of file\n");
-
- }'
-
-# FLASK
diff --git a/strict/flask/mkflask.sh b/strict/flask/mkflask.sh
deleted file mode 100644
index 9c847549..00000000
--- a/strict/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh
-
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN {
- outfile = \"$output_file\"
- debugfile = \"$debug_file\"
- debugfile2 = \"$debug_file2\"
- "'
- nextstate = "CLASS";
-
- printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
-
- printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
- printf("#define _SELINUX_FLASK_H_\n") > outfile;
- printf("\n/*\n * Security object class definitions\n */\n") > outfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
- printf("/*\n * Security object class definitions\n */\n") > debugfile;
- printf(" S_(\"null\")\n") > debugfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
- printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
- printf(" \"null\",\n") > debugfile2;
- }
-/^[ \t]*#/ {
- next;
- }
-$1 == "class" {
- if (nextstate != "CLASS")
- {
- printf("Parse error: Unexpected class definition on line %d\n", NR);
- next;
- }
-
- if ($2 in class_found)
- {
- printf("Duplicate class definition for %s on line %d.\n", $2, NR);
- next;
- }
- class_found[$2] = 1;
-
- class_value++;
-
- printf("#define SECCLASS_%s", toupper($2)) > outfile;
- for (i = 0; i < 40 - length($2); i++)
- printf(" ") > outfile;
- printf("%d\n", class_value) > outfile;
-
- printf(" S_(\"%s\")\n", $2) > debugfile;
- }
-$1 == "sid" {
- if (nextstate == "CLASS")
- {
- nextstate = "SID";
- printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
- }
-
- if ($2 in sid_found)
- {
- printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
- next;
- }
- sid_found[$2] = 1;
- sid_value++;
-
- printf("#define SECINITSID_%s", toupper($2)) > outfile;
- for (i = 0; i < 37 - length($2); i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf(" \"%s\",\n", $2) > debugfile2;
- }
-END {
- if (nextstate != "SID")
- printf("Parse error: Unexpected end of file\n");
-
- printf("\n#define SECINITSID_NUM") > outfile;
- for (i = 0; i < 34; i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf("\n#endif\n") > outfile;
- printf("};\n\n") > debugfile2;
- }'
-
-# FLASK
diff --git a/strict/flask/security_classes b/strict/flask/security_classes
deleted file mode 100644
index 2669c30b..00000000
--- a/strict/flask/security_classes
+++ /dev/null
@@ -1,86 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd
-
-# SE-X Windows stuff
-class drawable
-class window
-class gc
-class font
-class colormap
-class property
-class cursor
-class xclient
-class xinput
-class xserver
-class xextension
-
-# pax flags
-class pax
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-class dbus
-class nscd
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-# FLASK
diff --git a/strict/fs_use b/strict/fs_use
deleted file mode 100644
index 1dec5356..00000000
--- a/strict/fs_use
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Define the labeling behavior for inodes in particular filesystem types.
-# This information was formerly hardcoded in the SELinux module.
-
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 system_u:object_r:fs_t;
-fs_use_xattr ext3 system_u:object_r:fs_t;
-fs_use_xattr xfs system_u:object_r:fs_t;
-fs_use_xattr jfs system_u:object_r:fs_t;
-fs_use_xattr reiserfs system_u:object_r:fs_t;
-
-# Use the allocating task SID to label inodes in the following filesystem
-# types, and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems that represent objects
-# like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.
-fs_use_task pipefs system_u:object_r:fs_t;
-fs_use_task sockfs system_u:object_r:fs_t;
-
-# Use a transition SID based on the allocating task SID and the
-# filesystem SID to label inodes in the following filesystem types,
-# and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems like devpts and tmpfs
-# where we want to label objects with a derived type.
-fs_use_trans devpts system_u:object_r:devpts_t;
-fs_use_trans tmpfs system_u:object_r:tmpfs_t;
-fs_use_trans shm system_u:object_r:tmpfs_t;
-fs_use_trans mqueue system_u:object_r:tmpfs_t;
-
-# The separate genfs_contexts configuration can be used for filesystem
-# types that cannot support persistent label mappings or use
-# one of the fixed label schemes specified here.
diff --git a/strict/genfs_contexts b/strict/genfs_contexts
deleted file mode 100644
index 11c16d44..00000000
--- a/strict/genfs_contexts
+++ /dev/null
@@ -1,107 +0,0 @@
-# FLASK
-
-#
-# Security contexts for files in filesystems that
-# cannot support xattr or use one of the fixed labeling schemes
-# specified in fs_use.
-#
-# Each specifications has the form:
-# genfscon fstype pathname-prefix [ -type ] context
-#
-# The entry with the longest matching pathname prefix is used.
-# / refers to the root directory of the file system, and
-# everything is specified relative to this root directory.
-# If there is no entry with a matching pathname prefix, then
-# the unlabeled initial SID is used.
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -c to match only character device files, -b
-# to match only block device files.
-#
-# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
-# that covers all entries in the filesystem with a default file context.
-# For proc, a pathname can be reliably generated from the proc_dir_entry
-# tree. The proc /sys entries are used for both proc inodes and for sysctl(2)
-# calls. /proc/PID entries are automatically labeled based on the associated
-# process.
-#
-# Support for other filesystem types requires corresponding code to be
-# added to the kernel, either as an xattr handler in the filesystem
-# implementation (preferred, and necessary if you want to access the labels
-# from userspace) or as logic in the SELinux module.
-
-# proc (excluding /proc/PID)
-genfscon proc / system_u:object_r:proc_t
-genfscon proc /kmsg system_u:object_r:proc_kmsg_t
-genfscon proc /kcore system_u:object_r:proc_kcore_t
-genfscon proc /mdstat system_u:object_r:proc_mdstat_t
-genfscon proc /mtrr system_u:object_r:mtrr_device_t
-genfscon proc /net system_u:object_r:proc_net_t
-genfscon proc /sysvipc system_u:object_r:proc_t
-genfscon proc /sys system_u:object_r:sysctl_t
-genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
-genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t
-genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t
-genfscon proc /sys/net system_u:object_r:sysctl_net_t
-genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t
-genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
-genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
-genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t
-genfscon proc /irq system_u:object_r:sysctl_irq_t
-
-# rootfs
-genfscon rootfs / system_u:object_r:root_t
-
-# sysfs
-genfscon sysfs / system_u:object_r:sysfs_t
-
-# selinuxfs
-genfscon selinuxfs / system_u:object_r:security_t
-
-# autofs
-genfscon autofs / system_u:object_r:autofs_t
-genfscon automount / system_u:object_r:autofs_t
-
-# usbdevfs
-genfscon usbdevfs / system_u:object_r:usbdevfs_t
-
-# iso9660
-genfscon iso9660 / system_u:object_r:iso9660_t
-genfscon udf / system_u:object_r:iso9660_t
-
-# romfs
-genfscon romfs / system_u:object_r:romfs_t
-genfscon cramfs / system_u:object_r:romfs_t
-
-# ramfs
-genfscon ramfs / system_u:object_r:ramfs_t
-
-# vfat, msdos
-genfscon vfat / system_u:object_r:dosfs_t
-genfscon msdos / system_u:object_r:dosfs_t
-genfscon fat / system_u:object_r:dosfs_t
-genfscon ntfs / system_u:object_r:dosfs_t
-
-# samba
-genfscon cifs / system_u:object_r:cifs_t
-genfscon smbfs / system_u:object_r:cifs_t
-
-# nfs
-genfscon nfs / system_u:object_r:nfs_t
-genfscon nfs4 / system_u:object_r:nfs_t
-genfscon afs / system_u:object_r:nfs_t
-
-genfscon debugfs / system_u:object_r:debugfs_t
-genfscon inotifyfs / system_u:object_r:inotifyfs_t
-genfscon hugetlbfs / system_u:object_r:hugetlbfs_t
-genfscon capifs / system_u:object_r:capifs_t
-
-# needs more work
-genfscon eventpollfs / system_u:object_r:eventpollfs_t
-genfscon futexfs / system_u:object_r:futexfs_t
-genfscon bdev / system_u:object_r:bdev_t
-genfscon usbfs / system_u:object_r:usbfs_t
-genfscon nfsd / system_u:object_r:nfsd_fs_t
-genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
-genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
-
diff --git a/strict/initial_sid_contexts b/strict/initial_sid_contexts
deleted file mode 100644
index e276f3f5..00000000
--- a/strict/initial_sid_contexts
+++ /dev/null
@@ -1,46 +0,0 @@
-# FLASK
-
-#
-# Define the security context for each initial SID
-# sid sidname context
-
-sid kernel system_u:system_r:kernel_t
-sid security system_u:object_r:security_t
-sid unlabeled system_u:object_r:unlabeled_t
-sid fs system_u:object_r:fs_t
-sid file system_u:object_r:file_t
-# Persistent label mapping is gone. This initial SID can be removed.
-sid file_labels system_u:object_r:unlabeled_t
-# init_t is still used, but an initial SID is no longer required.
-sid init system_u:object_r:unlabeled_t
-# any_socket is no longer used.
-sid any_socket system_u:object_r:unlabeled_t
-sid port system_u:object_r:port_t
-sid netif system_u:object_r:netif_t
-# netmsg is no longer used.
-sid netmsg system_u:object_r:unlabeled_t
-sid node system_u:object_r:node_t
-# These sockets are now labeled with the kernel SID,
-# and do not require their own initial SIDs.
-sid igmp_packet system_u:object_r:unlabeled_t
-sid icmp_socket system_u:object_r:unlabeled_t
-sid tcp_socket system_u:object_r:unlabeled_t
-# Most of the sysctl SIDs are now computed at runtime
-# from genfs_contexts, so the corresponding initial SIDs
-# are no longer required.
-sid sysctl_modprobe system_u:object_r:unlabeled_t
-# But we still need the base sysctl initial SID as a default.
-sid sysctl system_u:object_r:sysctl_t
-sid sysctl_fs system_u:object_r:unlabeled_t
-sid sysctl_kernel system_u:object_r:unlabeled_t
-sid sysctl_net system_u:object_r:unlabeled_t
-sid sysctl_net_unix system_u:object_r:unlabeled_t
-sid sysctl_vm system_u:object_r:unlabeled_t
-sid sysctl_dev system_u:object_r:unlabeled_t
-# No longer used, can be removed.
-sid kmod system_u:object_r:unlabeled_t
-sid policy system_u:object_r:unlabeled_t
-sid scmp_packet system_u:object_r:unlabeled_t
-sid devnull system_u:object_r:null_device_t
-
-# FLASK
diff --git a/strict/local.users b/strict/local.users
deleted file mode 100644
index 6dd04d60..00000000
--- a/strict/local.users
+++ /dev/null
@@ -1,21 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines additional users recognized by the system security policy.
-# Only the user identities defined in this file and the system.users file
-# may be used as the user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity. The syntax of a user declaration is:
-#
-# user username roles role_set [ level default_level range allowed_range ];
-#
-# The MLS default level and allowed range should only be specified if
-# MLS was enabled in the policy.
-
-# sample for administrative user
-# user jadmin roles { staff_r sysadm_r system_r };
-
-# sample for regular user
-#user jdoe roles { user_r };
diff --git a/strict/macros/admin_macros.te b/strict/macros/admin_macros.te
deleted file mode 100644
index aaa816e4..00000000
--- a/strict/macros/admin_macros.te
+++ /dev/null
@@ -1,227 +0,0 @@
-#
-# Macros for all admin domains.
-#
-
-#
-# admin_domain(domain_prefix)
-#
-# Define derived types and rules for an administrator domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately. If the every_domain() rules are desired,
-# then these rules must also be specified separately.
-#
-undefine(`admin_domain')
-define(`admin_domain',`
-# Type for home directory.
-attribute $1_file_type;
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
-
-# Type and access for pty devices.
-can_create_pty($1, `, admin_tty_type')
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-# Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
-
-# Inherit rules for ordinary users.
-base_user_domain($1)
-access_removable_media($1_t)
-
-allow $1_t self:capability setuid;
-
-ifdef(`su.te', `su_domain($1)')
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-
-# Let admin stat the shadow file.
-allow $1_t shadow_t:file getattr;
-
-ifdef(`crond.te', `
-allow $1_crond_t var_log_t:file r_file_perms;
-')
-
-# Allow system log read
-allow $1_t kernel_t:system syslog_read;
-
-# Allow autrace
-# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
-
-# Use capabilities other than sys_module.
-allow $1_t self:capability ~sys_module;
-
-# Use system operations.
-allow $1_t kernel_t:system *;
-
-# Set password information for other users.
-allow $1_t self:passwd { passwd chfn chsh };
-
-# Skip authentication when pam_rootok is specified.
-allow $1_t self:passwd rootok;
-
-# Manipulate other user crontab.
-allow $1_t self:passwd crontab;
-can_getsecurity(sysadm_crontab_t)
-
-# Change system parameters.
-can_sysctl($1_t)
-
-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# for lsof
-allow $1_t mtrr_device_t:file getattr;
-allow $1_t fs_type:dir getattr;
-
-# Access removable devices.
-allow $1_t removable_device_t:devfile_class_set rw_file_perms;
-
-# Communicate with the init process.
-allow $1_t initctl_t:fifo_file rw_file_perms;
-
-# Examine all processes.
-can_ps($1_t, domain)
-
-# allow renice
-allow $1_t domain:process setsched;
-
-# Send signals to all processes.
-allow $1_t { domain unlabeled_t }:process signal_perms;
-
-# Access all user terminals.
-allow $1_t tty_device_t:chr_file rw_file_perms;
-allow $1_t ttyfile:chr_file rw_file_perms;
-allow $1_t ptyfile:chr_file rw_file_perms;
-allow $1_t serial_device:chr_file setattr;
-
-# allow setting up tunnels
-allow $1_t tun_tap_device_t:chr_file rw_file_perms;
-
-# run ls -l /dev
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow $1_t ptyfile:chr_file getattr;
-
-# Run programs from staff home directories.
-# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-can_exec($1_t, staff_home_t)
-
-# Run programs from /usr/src.
-can_exec($1_t, src_t)
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
-ifdef(`startx.te', `
-ifdef(`xserver.te', `
-# Create files in /tmp/.X11-unix with our X servers derived
-# tmp type rather than user_xserver_tmp_t.
-file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-')dnl end xserver.te
-')dnl end startx.te
-
-ifdef(`xdm.te', `
-ifdef(`xauth.te', `
-if (xdm_sysadm_login) {
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-}
-can_pipe_xdm($1_t)
-')dnl end ifdef xauth.te
-')dnl end ifdef xdm.te
-
-#
-# A user who is authorized for sysadm_t may nonetheless have
-# a home directory labeled with user_home_t if the user is expected
-# to login in either user_t or sysadm_t. Hence, the derived domains
-# for programs need to be able to access user_home_t.
-#
-
-# Allow our gph domain to write to .xsession-errors.
-ifdef(`gnome-pty-helper.te', `
-allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
-allow $1_gph_t user_home_type:file create_file_perms;
-')
-
-# Allow our crontab domain to unlink a user cron spool file.
-ifdef(`crontab.te',
-`allow $1_crontab_t user_cron_spool_t:file unlink;')
-
-# for the administrator to run TCP servers directly
-can_tcp_connect($1_t, $1_t)
-allow $1_t port_t:tcp_socket name_bind;
-
-# Connect data port to ftpd.
-ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-
-# Connect second port to rshd.
-ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
-
-#
-# Allow sysadm to execute quota commands against filesystems and files.
-#
-allow $1_t fs_type:filesystem quotamod;
-
-# Grant read and write access to /dev/console.
-allow $1_t console_device_t:chr_file rw_file_perms;
-
-# Allow MAKEDEV to work
-allow $1_t device_t:dir rw_dir_perms;
-allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-allow $1_t device_t:lnk_file { create read };
-
-# for lsof
-allow $1_t domain:socket_class_set getattr;
-allow $1_t eventpollfs_t:file getattr;
-')
-
-define(`security_manager_domain', `
-
-typeattribute $1 secadmin;
-# Allow administrator domains to set the enforcing flag.
-can_setenforce($1)
-
-# Allow administrator domains to set policy booleans.
-can_setbool($1)
-
-# Get security policy decisions.
-can_getsecurity($1)
-
-# Allow administrator domains to set security parameters
-can_setsecparam($1)
-
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-# added by mayerf@tresys.com
-# The following rules are temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-#
-allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
-allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
-allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
-
-# Set an exec context, e.g. for runcon.
-can_setexec($1)
-
-# Set a context other than the default one for newly created files.
-can_setfscreate($1)
-
-allow $1 self:netlink_audit_socket nlmsg_readpriv;
-
-')
-
-
diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te
deleted file mode 100644
index 4c5b36a6..00000000
--- a/strict/macros/base_user_macros.te
+++ /dev/null
@@ -1,396 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# base_user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately.
-#
-
-# base_user_domain() is also called by the admin_domain() macro
-undefine(`base_user_domain')
-define(`base_user_domain', `
-
-# Type for network-obtained content
-type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
-type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
-
-# Allow user to relabel untrusted content
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
-# Read content
-read_content($1_t, $1)
-
-# Write trusted content. This includes proper transition
-# for /home, and /tmp, so no other transition is necessary (or allowed)
-write_trusted($1_t, $1)
-
-# Maybe the home directory is networked
-network_home($1_t)
-
-# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
-# Relabel files in the home directory
-file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file });
-allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
-can_setfscreate($1_t)
-
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
-
-allow $1_t self:capability { setgid chown fowner };
-dontaudit $1_t self:capability { sys_nice fsetid };
-
-# $1_r is authorized for $1_t for the initial login domain.
-role $1_r types $1_t;
-allow system_r $1_r;
-
-r_dir_file($1_t, usercanread)
-
-# Grant permissions within the domain.
-general_domain_access($1_t)
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g.
-# for runtime-code generation or executable stack.
-allow $1_t self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1_t self:process execstack;
-}
-
-# Allow text relocations on system shared libraries, e.g. libGL.
-allow $1_t texrel_shlib_t:file execmod;
-
-#
-# kdeinit wants this access
-#
-allow $1_t device_t:dir { getattr search };
-
-# Find CDROM devices
-r_dir_file($1_t, sysctl_dev_t)
-# for eject
-allow $1_t fixed_disk_device_t:blk_file getattr;
-
-allow $1_t fs_type:dir getattr;
-
-allow $1_t event_device_t:chr_file { getattr read ioctl };
-
-# open office is looking for the following
-allow $1_t dri_device_t:chr_file getattr;
-dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-
-# Supress ls denials:
-# getattr() - ls -l
-# search_dir() - symlink path resolution
-# read_dir() - deep ls: ls parent/...
-
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-dontaudit_read_dir($1_t)
-
-# allow ptrace
-can_ptrace($1_t, $1_t)
-
-# Allow user to run restorecon and relabel files
-can_getsecurity($1_t)
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, file_context_t)
-
-allow $1_t usbtty_device_t:chr_file read;
-
-# GNOME checks for usb and other devices
-rw_dir_file($1_t,usbfs_t)
-
-can_exec($1_t, noexattrfile)
-# Bind to a Unix domain socket in /tmp.
-allow $1_t $1_tmp_t:unix_stream_socket name_bind;
-
-# Use the type when relabeling terminal devices.
-type_change $1_t tty_device_t:chr_file $1_tty_device_t;
-
-# Debian login is from shadow utils and does not allow resetting the perms.
-# have to fix this!
-type_change $1_t ttyfile:chr_file $1_tty_device_t;
-
-# for running TeX programs
-r_dir_file($1_t, tetex_data_t)
-can_exec($1_t, tetex_data_t)
-
-# Use the type when relabeling pty devices.
-type_change $1_t server_pty:chr_file $1_devpts_t;
-
-tmpfs_domain($1)
-
-ifdef(`cardmgr.te', `
-# to allow monitoring of pcmcia status
-allow $1_t cardmgr_var_run_t:file { getattr read };
-')
-
-# Modify mail spool file.
-allow $1_t mail_spool_t:dir r_dir_perms;
-allow $1_t mail_spool_t:file rw_file_perms;
-allow $1_t mail_spool_t:lnk_file read;
-
-#
-# Allow graphical boot to check battery lifespan
-#
-ifdef(`apmd.te', `
-allow $1_t apmd_t:unix_stream_socket connectto;
-allow $1_t apmd_var_run_t:sock_file write;
-')
-
-#
-# Allow the query of filesystem quotas
-#
-allow $1_t fs_type:filesystem quotaget;
-
-# Run helper programs.
-can_exec_any($1_t)
-# Run programs developed by other users in the same domain.
-can_exec($1_t, $1_home_t)
-can_exec($1_t, $1_tmp_t)
-
-# Run user programs that require different permissions in their own domain.
-# These rules were moved into the individual program domains.
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
-ifdef(`chkpwd.te', `chkpwd_domain($1)')
-ifdef(`fingerd.te', `fingerd_macro($1)')
-ifdef(`mta.te', `mail_domain($1)')
-ifdef(`crontab.te', `crontab_domain($1)')
-
-ifdef(`screen.te', `screen_domain($1)')
-ifdef(`tvtime.te', `tvtime_domain($1)')
-ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`thunderbird.te', `thunderbird_domain($1)')
-ifdef(`samba.te', `samba_domain($1)')
-ifdef(`gpg.te', `gpg_domain($1)')
-ifdef(`xauth.te', `xauth_domain($1)')
-ifdef(`iceauth.te', `iceauth_domain($1)')
-ifdef(`startx.te', `xserver_domain($1)')
-ifdef(`lpr.te', `lpr_domain($1)')
-ifdef(`ssh.te', `ssh_domain($1)')
-ifdef(`irc.te', `irc_domain($1)')
-ifdef(`using_spamassassin', `spamassassin_domain($1)')
-ifdef(`pyzor.te', `pyzor_domain($1)')
-ifdef(`razor.te', `razor_domain($1)')
-ifdef(`uml.te', `uml_domain($1)')
-ifdef(`cdrecord.te', `cdrecord_domain($1)')
-ifdef(`mplayer.te', `mplayer_domains($1)')
-
-fontconfig_domain($1)
-
-# GNOME
-ifdef(`gnome.te', `
-gnome_domain($1)
-ifdef(`games.te', `games_domain($1)')
-ifdef(`gift.te', `gift_domains($1)')
-ifdef(`evolution.te', `evolution_domains($1)')
-ifdef(`ethereal.te', `ethereal_domain($1)')
-')
-
-# ICE communication channel
-ice_domain($1, $1)
-
-# ORBit communication channel (independent of GNOME)
-orbit_domain($1, $1)
-
-# Instantiate a derived domain for user cron jobs.
-ifdef(`crond.te', `crond_domain($1)')
-
-ifdef(`vmware.te', `vmware_domain($1)')
-
-if (user_direct_mouse) {
-# Read the mouse.
-allow $1_t mouse_device_t:chr_file r_file_perms;
-}
-# Access other miscellaneous devices.
-allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
-allow $1_t device_t:lnk_file { getattr read };
-
-can_resmgrd_connect($1_t)
-
-#
-# evolution and gnome-session try to create a netlink socket
-#
-dontaudit $1_t self:netlink_socket create_socket_perms;
-dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
-
-# Use the network.
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-can_winbind($1_t)
-
-ifdef(`pamconsole.te', `
-allow $1_t pam_var_console_t:dir search;
-')
-
-allow $1_t var_lock_t:dir search;
-
-# Grant permissions to access the system DBus
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-can_network_server_tcp($1_dbusd_t)
-allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
-allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_client($1, $1)
-allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_domain($1)
-ifdef(`hald.te', `
-allow $1_t hald_t:dbus send_msg;
-allow hald_t $1_t:dbus send_msg;
-') dnl end ifdef hald.te
-') dnl end ifdef dbus.te
-
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-# Gnome pannel binds to the following
-ifdef(`cups.te', `
-allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
-')
-
-# for perl
-dontaudit $1_t net_conf_t:file ioctl;
-
-# Communicate within the domain.
-can_udp_send($1_t, self)
-
-# Connect to inetd.
-ifdef(`inetd.te', `
-can_tcp_connect($1_t, inetd_t)
-can_udp_send($1_t, inetd_t)
-can_udp_send(inetd_t, $1_t)
-')
-
-# Connect to portmap.
-ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
-# Inherit and use sockets from inetd
-ifdef(`inetd.te', `
-allow $1_t inetd_t:fd use;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
-
-# Very permissive allowing every domain to see every type.
-allow $1_t kernel_t:system ipc_info;
-
-# When the user domain runs ps, there will be a number of access
-# denials when ps tries to search /proc. Do not audit these denials.
-dontaudit $1_t domain:dir r_dir_perms;
-dontaudit $1_t domain:notdevfile_class_set r_file_perms;
-dontaudit $1_t domain:process { getattr getsession };
-#
-# Cups daemon running as user tries to write /etc/printcap
-#
-dontaudit $1_t usr_t:file setattr;
-
-# Use X
-x_client_domain($1, $1)
-
-ifdef(`xserver.te', `
-allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
-')
-
-ifdef(`xdm.te', `
-# Connect to the X server run by the X Display Manager.
-can_unix_connect($1_t, xdm_t)
-# certain apps want to read xdm.pid file
-r_dir_file($1_t, xdm_var_run_t)
-allow $1_t xdm_var_lib_t:file { getattr read };
-allow xdm_t $1_home_dir_t:dir getattr;
-ifdef(`xauth.te', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
-')
-
-')dnl end ifdef xdm.te
-
-# Access the sound device.
-allow $1_t sound_device_t:chr_file { getattr read write ioctl };
-
-# Access the power device.
-allow $1_t power_device_t:chr_file { getattr read write ioctl };
-
-allow $1_t var_log_t:dir { getattr search };
-dontaudit $1_t logfile:file getattr;
-
-# Check to see if cdrom is mounted
-allow $1_t mnt_t:dir { getattr search };
-
-# Get attributes of file systems.
-allow $1_t fs_type:filesystem getattr;
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t null_device_t:chr_file rw_file_perms;
-allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-#
-# Added to allow reading of cdrom
-#
-allow $1_t rpc_pipefs_t:dir getattr;
-allow $1_t nfsd_fs_t:dir getattr;
-allow $1_t binfmt_misc_fs_t:dir getattr;
-
-# /initrd is left mounted, various programs try to look at it
-dontaudit $1_t ramfs_t:dir getattr;
-
-#
-# Emacs wants this access
-#
-allow $1_t wtmp_t:file r_file_perms;
-dontaudit $1_t wtmp_t:file write;
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-r_dir_file($1_t, src_t)
-
-# Allow user to read default_t files
-# This is different from reading default_t content,
-# because it also includes sockets, fifos, and links
-
-if (read_default_t) {
-allow $1_t default_t:dir r_dir_perms;
-allow $1_t default_t:notdevfile_class_set r_file_perms;
-}
-
-# Read fonts
-read_fonts($1_t, $1)
-
-read_sysctl($1_t);
-
-#
-# Caused by su - init scripts
-#
-dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
-
-#
-# Running ifconfig as a user generates the following
-#
-dontaudit $1_t self:socket create;
-dontaudit $1_t sysctl_net_t:dir search;
-
-ifdef(`rpcd.te', `
-create_dir_file($1_t, nfsd_rw_t)
-')
-
-')dnl end base_user_domain macro
-
diff --git a/strict/macros/content_macros.te b/strict/macros/content_macros.te
deleted file mode 100644
index fb36d460..00000000
--- a/strict/macros/content_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-# Content access macros
-
-# FIXME: After nested booleans are supported, replace NFS/CIFS
-# w/ read_network_home, and write_network_home macros from global
-
-# FIXME: If true/false constant booleans are supported, replace
-# ugly $3 ifdefs with if(true), if(false)...
-
-# FIXME: Do we want write to imply read?
-
-############################################################
-# read_content(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to read content.
-# Content may be trusted or untrusted,
-# Reading anything is subject to a controlling boolean based on bool_prefix.
-# Reading untrusted content is additionally subject to read_untrusted_content
-# Reading default_t is additionally subject to read_default_t
-
-define(`read_content', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_read_content_defined', `', `
-define(`$3_read_content_defined')
-bool $3_read_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs home dirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_read_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file r_file_perms;
-dontaudit $1 nfs_t:dir r_dir_perms;
-}
-
-# Handle samba home dirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_read_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file r_file_perms;
-dontaudit $1 cifs_t:dir r_dir_perms;
-}
-
-# Handle removable media, /tmp, and /home
-ifelse($3, `', `',
-`if ($3_read_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_tmp_t $2_home_t } )
-ifdef(`mls_policy', `', `
-r_dir_file($1, removable_t)
-')
-
-ifelse($3, `', `',
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
-}')
-
-# Handle default_t content
-ifelse($3, `',
-`if (read_default_t) { ',
-`if ($3_read_content && read_default_t) {')
-r_dir_file($1, default_t)
-} else {
-dontaudit $1 default_t:file r_file_perms;
-dontaudit $1 default_t:dir r_dir_perms;
-}
-
-# Handle untrusted content
-ifelse($3, `',
-`if (read_untrusted_content) { ',
-`if ($3_read_content && read_untrusted_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
-}
-') dnl read_content
-
-#################################################
-# write_trusted(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to write trusted content.
-# This is subject to a controlling boolean based
-# on bool_prefix.
-
-define(`write_trusted', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_write_content_defined', `', `
-define(`$3_write_content_defined')
-bool $3_write_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs homedirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_write_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_write_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-ifelse($3, `', `',
-`if ($3_write_content) {')
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
-file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
-ifelse($3, `', `',
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}')
-
-') dnl write_trusted
-
-#########################################
-# write_untrusted(domain, role_prefix)
-#
-# Allow the given domain to write untrusted content.
-# This is subject to the global boolean write_untrusted.
-
-define(`write_untrusted', `
-
-# Handle nfs homedirs
-if (write_untrusted_content && use_nfs_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-if (write_untrusted_content && use_samba_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-if (write_untrusted_content) {
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
-file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}
-
-') dnl write_untrusted
diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te
deleted file mode 100644
index 4a5900a2..00000000
--- a/strict/macros/core_macros.te
+++ /dev/null
@@ -1,700 +0,0 @@
-
-##############################
-#
-# core macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors: Stephen Smalley , Timothy Fraser
-# Howard Holm (NSA)
-# Russell Coker
-#
-
-#################################
-#
-# Macros for groups of classes and
-# groups of permissions.
-#
-
-#
-# All directory and file classes
-#
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# All non-directory file classes.
-#
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# Non-device file classes.
-#
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-
-#
-# Device file classes.
-#
-define(`devfile_class_set', `{ chr_file blk_file }')
-
-#
-# All socket classes.
-#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
-
-#
-# Datagram socket classes.
-#
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-
-#
-# Stream socket classes.
-#
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-
-#
-# Permissions for getting file attributes.
-#
-define(`stat_file_perms', `{ getattr }')
-
-#
-# Permissions for executing files.
-#
-define(`x_file_perms', `{ getattr execute }')
-
-#
-# Permissions for reading files and their attributes.
-#
-define(`r_file_perms', `{ read getattr lock ioctl }')
-
-#
-# Permissions for reading and executing files.
-#
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
-
-#
-# Permissions for reading and writing files and their attributes.
-#
-define(`rw_file_perms', `{ ioctl read getattr lock write append }')
-
-#
-# Permissions for reading and appending to files.
-#
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
-
-#
-# Permissions for linking, unlinking and renaming files.
-#
-define(`link_file_perms', `{ getattr link unlink rename }')
-
-#
-# Permissions for creating lnk_files.
-#
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-#
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
-
-#
-# Permissions for reading directories and their attributes.
-#
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
-
-#
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
-
-#
-# Permissions for reading and adding names to directories.
-#
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
-
-
-#
-# Permissions for creating and using directories.
-#
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
-#
-# Permissions to mount and unmount file systems.
-#
-define(`mount_fs_perms', `{ mount remount unmount getattr }')
-
-#
-# Permissions for using sockets.
-#
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`create_socket_perms', `{ create rw_socket_perms }')
-
-#
-# Permissions for using stream sockets.
-#
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-
-#
-# Permissions for creating and using stream sockets.
-#
-define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
-
-
-#
-# Permissions for creating and using netlink sockets.
-#
-define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that modify state.
-#
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that observe state.
-#
-define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
-
-#
-# Permissions for sending all signals.
-#
-define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
-
-#
-# Permissions for sending and receiving network packets.
-#
-define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
-
-#
-# Permissions for using System V IPC
-#
-define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
-define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
-define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-#################################
-#
-# Macros for type transition rules and
-# access vector rules.
-#
-
-#
-# Simple combinations for reading and writing both
-# directories and files.
-#
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:file r_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`rw_dir_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file rw_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file ra_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_create_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file { create ra_file_perms };
-allow $1 $2:lnk_file { create read getattr };
-')
-
-define(`rw_dir_create_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_file', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_notdevfile', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:{ file sock_file fifo_file } create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_append_log_file', `
-allow $1 $2:dir { read getattr search add_name write };
-allow $1 $2:file { create ioctl getattr setattr append link };
-')
-
-##################################
-#
-# can_ps(domain1, domain2)
-#
-# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
-#
-define(`can_ps',`
-allow $1 $2:dir { search getattr read };
-allow $1 $2:{ file lnk_file } { read getattr };
-allow $1 $2:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6). Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 $2:process ptrace;
-')
-
-##################################
-#
-# can_getsecurity(domain)
-#
-# Authorize a domain to get security policy decisions.
-#
-define(`can_getsecurity',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
-')
-
-##################################
-#
-# can_setenforce(domain)
-#
-# Authorize a domain to set the enforcing flag.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setenforce',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
-')
-
-##################################
-#
-# can_setbool(domain)
-#
-# Authorize a domain to set a policy boolean.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setbool',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setbool;
-auditallow $1 security_t:security setbool;
-')
-
-##################################
-#
-# can_setsecparam(domain)
-#
-# Authorize a domain to set security parameters.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setsecparam',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setsecparam;
-auditallow $1 security_t:security setsecparam;
-')
-
-##################################
-#
-# can_loadpol(domain)
-#
-# Authorize a domain to load a policy configuration.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_loadpol',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 proc_t:file { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security load_policy;
-auditallow $1 security_t:security load_policy;
-')
-
-#################################
-#
-# domain_trans(parent_domain, program_type, child_domain)
-#
-# Permissions for transitioning to a new domain.
-#
-
-define(`domain_trans',`
-
-#
-# Allow the process to transition to the new domain.
-#
-allow $1 $3:process transition;
-
-#
-# Do not audit when glibc secure mode is enabled upon the transition.
-#
-dontaudit $1 $3:process noatsecure;
-
-#
-# Do not audit when signal-related state is cleared upon the transition.
-#
-dontaudit $1 $3:process siginh;
-
-#
-# Do not audit when resource limits are reset upon the transition.
-#
-dontaudit $1 $3:process rlimitinh;
-
-#
-# Allow the process to execute the program.
-#
-allow $1 $2:file { read x_file_perms };
-
-#
-# Allow the process to reap the new domain.
-#
-allow $3 $1:process sigchld;
-
-#
-# Allow the new domain to inherit and use file
-# descriptions from the creating process and vice versa.
-#
-allow $3 $1:fd use;
-allow $1 $3:fd use;
-
-#
-# Allow the new domain to write back to the old domain via a pipe.
-#
-allow $3 $1:fifo_file rw_file_perms;
-
-#
-# Allow the new domain to read and execute the program.
-#
-allow $3 $2:file rx_file_perms;
-
-#
-# Allow the new domain to be entered via the program.
-#
-allow $3 $2:file entrypoint;
-')
-
-#################################
-#
-# domain_auto_trans(parent_domain, program_type, child_domain)
-#
-# Define a default domain transition and allow it.
-#
-define(`domain_auto_trans',`
-domain_trans($1,$2,$3)
-type_transition $1 $2:process $3;
-')
-
-#################################
-#
-# can_ptrace(domain, domain)
-#
-# Permissions for running ptrace (strace or gdb) on another domain
-#
-define(`can_ptrace',`
-allow $1 $2:process ptrace;
-allow $2 $1:process sigchld;
-')
-
-#################################
-#
-# can_exec(domain, type)
-#
-# Permissions for executing programs with
-# a specified type without changing domains.
-#
-define(`can_exec',`
-allow $1 $2:file { rx_file_perms execute_no_trans };
-')
-
-# this is an internal macro used by can_create
-define(`can_create_internal', `
-ifelse(`$3', `dir', `
-allow $1 $2:$3 create_dir_perms;
-', `$3', `lnk_file', `
-allow $1 $2:$3 create_lnk_perms;
-', `
-allow $1 $2:$3 create_file_perms;
-')dnl end if dir
-')dnl end can_create_internal
-
-
-#################################
-#
-# can_create(domain, file_type, object_class)
-#
-# Permissions for creating files of the specified type and class
-#
-define(`can_create', `
-ifelse(regexp($3, `\w'), -1, `', `
-can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
-
-can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
-')
-')
-#################################
-#
-# file_type_trans(domain, dir_type, file_type)
-#
-# Permissions for transitioning to a new file type.
-#
-
-define(`file_type_trans',`
-
-#
-# Allow the process to modify the directory.
-#
-allow $1 $2:dir rw_dir_perms;
-
-#
-# Allow the process to create the file.
-#
-ifelse(`$4', `', `
-can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
-', `
-can_create($1, $3, $4)
-')dnl end if param 4 specified
-
-')
-
-#################################
-#
-# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
-#
-# the object class will default to notdevfile_class_set if not specified as
-# the fourth parameter
-#
-# Define a default file type transition and allow it.
-#
-define(`file_type_auto_trans',`
-ifelse(`$4', `', `
-file_type_trans($1,$2,$3)
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-', `
-file_type_trans($1,$2,$3,$4)
-type_transition $1 $2:$4 $3;
-')dnl end ifelse
-
-')
-
-
-#################################
-#
-# can_unix_connect(client, server)
-#
-# Permissions for establishing a Unix stream connection.
-#
-define(`can_unix_connect',`
-allow $1 $2:unix_stream_socket connectto;
-')
-
-#################################
-#
-# can_unix_send(sender, receiver)
-#
-# Permissions for sending Unix datagrams.
-#
-define(`can_unix_send',`
-allow $1 $2:unix_dgram_socket sendto;
-')
-
-#################################
-#
-# can_tcp_connect(client, server)
-#
-# Permissions for establishing a TCP connection.
-# Irrelevant until we have labeled networking.
-#
-define(`can_tcp_connect',`
-#allow $1 $2:tcp_socket { connectto recvfrom };
-#allow $2 $1:tcp_socket { acceptfrom recvfrom };
-#allow $2 kernel_t:tcp_socket recvfrom;
-#allow $1 kernel_t:tcp_socket recvfrom;
-')
-
-#################################
-#
-# can_udp_send(sender, receiver)
-#
-# Permissions for sending/receiving UDP datagrams.
-# Irrelevant until we have labeled networking.
-#
-define(`can_udp_send',`
-#allow $1 $2:udp_socket sendto;
-#allow $2 $1:udp_socket recvfrom;
-')
-
-
-##################################
-#
-# base_pty_perms(domain_prefix)
-#
-# Base permissions used for can_create_pty() and can_create_other_pty()
-#
-define(`base_pty_perms', `
-# Access the pty master multiplexer.
-allow $1_t ptmx_t:chr_file rw_file_perms;
-
-allow $1_t devpts_t:filesystem getattr;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# ignore old BSD pty devices
-dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
-')
-
-
-##################################
-#
-# pty_slave_label(domain_prefix, attributes)
-#
-# give access to a slave pty but do not allow creating new ptys
-#
-define(`pty_slave_label', `
-type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
-
-# Allow the pty to be associated with the file system.
-allow $1_devpts_t devpts_t:filesystem associate;
-
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $1_devpts_t;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# Read and write my pty files.
-allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# can_create_pty(domain_prefix, attributes)
-#
-# Permissions for creating ptys.
-#
-define(`can_create_pty',`
-base_pty_perms($1)
-pty_slave_label($1, `$2')
-')
-
-
-##################################
-#
-# can_create_other_pty(domain_prefix,other_domain)
-#
-# Permissions for creating ptys for another domain.
-#
-define(`can_create_other_pty',`
-base_pty_perms($1)
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $2_devpts_t;
-
-# Read and write pty files.
-allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-#
-# general_domain_access(domain)
-#
-# Grant permissions within the domain.
-# This includes permissions to processes, /proc/PID files,
-# file descriptors, pipes, Unix sockets, and System V IPC objects
-# labeled with the domain.
-#
-define(`general_domain_access',`
-# Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
-# These must be granted separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
-
-# Access /proc/PID files for processes in the same domain.
-allow $1 self:dir r_dir_perms;
-allow $1 self:notdevfile_class_set r_file_perms;
-
-# Access file descriptions, pipes, and sockets
-# created by processes in the same domain.
-allow $1 self:fd *;
-allow $1 self:fifo_file rw_file_perms;
-allow $1 self:unix_dgram_socket create_socket_perms;
-allow $1 self:unix_stream_socket create_stream_socket_perms;
-
-# Allow the domain to communicate with other processes in the same domain.
-allow $1 self:unix_dgram_socket sendto;
-allow $1 self:unix_stream_socket connectto;
-
-# Access System V IPC objects created by processes in the same domain.
-allow $1 self:sem create_sem_perms;
-allow $1 self:msg { send receive };
-allow $1 self:msgq create_msgq_perms;
-allow $1 self:shm create_shm_perms;
-allow $1 unpriv_userdomain:fd use;
-#
-# Every app is asking for ypbind so I am adding this here,
-# eventually this should become can_nsswitch
-#
-can_ypbind($1)
-allow $1 autofs_t:dir { search getattr };
-')dnl end general_domain_access
diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te
deleted file mode 100644
index 54dce1dc..00000000
--- a/strict/macros/global_macros.te
+++ /dev/null
@@ -1,761 +0,0 @@
-##############################
-#
-# Global macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Howard Holm (NSA)
-# Russell Coker
-#
-#
-#
-
-##################################
-#
-# can_setexec(domain)
-#
-# Authorize a domain to set its exec context
-# (via /proc/pid/attr/exec).
-#
-define(`can_setexec',`
-allow $1 self:process setexec;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-#
-# can_getcon(domain)
-#
-# Authorize a domain to get its context
-# (via /proc/pid/attr/current).
-#
-define(`can_getcon',`
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-allow $1 self:process getattr;
-')
-
-##################################
-#
-# can_setcon(domain)
-#
-# Authorize a domain to set its current context
-# (via /proc/pid/attr/current).
-#
-define(`can_setcon',`
-allow $1 self:process setcurrent;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-# read_sysctl(domain)
-#
-# Permissions for reading sysctl variables.
-# If the second parameter is full, allow
-# reading of any sysctl variables, else only
-# sysctl_kernel_t.
-#
-define(`read_sysctl', `
-# Read system variables in /sys.
-ifelse($2,`full', `
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file r_file_perms;
-', `
-allow $1 sysctl_t:dir search;
-allow $1 sysctl_kernel_t:dir search;
-allow $1 sysctl_kernel_t:file { getattr read };
-')
-
-')dnl read_sysctl
-
-##################################
-#
-# can_setfscreate(domain)
-#
-# Authorize a domain to set its fscreate context
-# (via /proc/pid/attr/fscreate).
-#
-define(`can_setfscreate',`
-allow $1 self:process setfscreate;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-#################################
-#
-# uses_shlib(domain)
-#
-# Permissions for using shared libraries.
-#
-define(`uses_shlib',`
-allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file rx_file_perms;
-#allow $1 ld_so_t:file execute_no_trans;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
-allow $1 texrel_shlib_t:file execmod;
-allow $1 ld_so_cache_t:file r_file_perms;
-allow $1 device_t:dir search;
-allow $1 null_device_t:chr_file rw_file_perms;
-')
-
-#################################
-#
-# can_exec_any(domain)
-#
-# Permissions for executing a variety
-# of executable types.
-#
-define(`can_exec_any',`
-allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
-allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
-uses_shlib($1)
-can_exec($1, etc_t)
-can_exec($1, lib_t)
-can_exec($1, bin_t)
-can_exec($1, sbin_t)
-can_exec($1, exec_type)
-can_exec($1, ld_so_t)
-')
-
-
-#################################
-#
-# can_sysctl(domain)
-#
-# Permissions for modifying sysctl parameters.
-#
-define(`can_sysctl',`
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# read_locale(domain)
-#
-# Permissions for reading the locale data,
-# /etc/localtime and the files that it links to
-#
-define(`read_locale', `
-allow $1 etc_t:lnk_file read;
-allow $1 lib_t:file r_file_perms;
-r_dir_file($1, locale_t)
-')
-
-define(`can_access_pty', `
-allow $1 devpts_t:dir r_dir_perms;
-allow $1 $2_devpts_t:chr_file rw_file_perms;
-')
-
-###################################
-#
-# access_terminal(domain, typeprefix)
-#
-# Permissions for accessing the terminal
-#
-define(`access_terminal', `
-allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
-allow $1 devtty_t:chr_file { read write getattr ioctl };
-can_access_pty($1, $2)
-')
-
-#
-# general_proc_read_access(domain)
-#
-# Grant read/search permissions to most of /proc, excluding
-# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
-# The general_domain_access macro grants access to the domain /proc/PID
-# directories, but not to other domains. Only permissions to stat
-# are granted for /proc/kmsg and /proc/kcore, since these files are more
-# sensitive.
-#
-define(`general_proc_read_access',`
-# Read system information files in /proc.
-r_dir_file($1, proc_t)
-r_dir_file($1, proc_net_t)
-allow $1 proc_mdstat_t:file r_file_perms;
-
-# Stat /proc/kmsg and /proc/kcore.
-allow $1 proc_fs:file stat_file_perms;
-
-# Read system variables in /proc/sys.
-read_sysctl($1)
-')
-
-#
-# base_file_read_access(domain)
-#
-# Grant read/search permissions to a few system file types.
-#
-define(`base_file_read_access',`
-# Read /.
-allow $1 root_t:dir r_dir_perms;
-allow $1 root_t:notdevfile_class_set r_file_perms;
-
-# Read /home.
-allow $1 home_root_t:dir r_dir_perms;
-
-# Read /usr.
-allow $1 usr_t:dir r_dir_perms;
-allow $1 usr_t:notdevfile_class_set r_file_perms;
-
-# Read bin and sbin directories.
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:notdevfile_class_set r_file_perms;
-allow $1 sbin_t:dir r_dir_perms;
-allow $1 sbin_t:notdevfile_class_set r_file_perms;
-read_sysctl($1)
-
-r_dir_file($1, selinux_config_t)
-
-if (read_default_t) {
-#
-# Read default_t
-#.
-allow $1 default_t:dir r_dir_perms;
-allow $1 default_t:notdevfile_class_set r_file_perms;
-}
-
-')
-
-#######################
-# daemon_core_rules(domain_prefix, attribs)
-#
-# Define the core rules for a daemon, used by both daemon_base_domain() and
-# init_service_domain().
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author: Russell Coker
-#
-define(`daemon_core_rules', `
-type $1_t, domain, privlog, daemon $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-dontaudit $1_t self:capability sys_tty_config;
-
-role system_r types $1_t;
-
-# Inherit and use descriptors from init.
-allow $1_t init_t:fd use;
-allow $1_t init_t:process sigchld;
-allow $1_t self:process { signal_perms fork };
-
-uses_shlib($1_t)
-
-allow $1_t { self proc_t }:dir r_dir_perms;
-allow $1_t { self proc_t }:lnk_file { getattr read };
-
-allow $1_t device_t:dir r_dir_perms;
-ifdef(`udev.te', `
-allow $1_t udev_tdb_t:file r_file_perms;
-')dnl end if udev.te
-allow $1_t null_device_t:chr_file rw_file_perms;
-dontaudit $1_t console_device_t:chr_file rw_file_perms;
-dontaudit $1_t unpriv_userdomain:fd use;
-
-r_dir_file($1_t, sysfs_t)
-
-allow $1_t autofs_t:dir { search getattr };
-ifdef(`targeted_policy', `
-dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
-dontaudit $1_t root_t:file { getattr read };
-')dnl end if targeted_policy
-
-')dnl end macro daemon_core_rules
-
-#######################
-# init_service_domain(domain_prefix, attribs)
-#
-# Define a domain for a program that is run from init
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author: Russell Coker
-#
-define(`init_service_domain', `
-daemon_core_rules($1, `$2')
-
-domain_auto_trans(init_t, $1_exec_t, $1_t)
-')dnl
-
-#######################
-# daemon_base_domain(domain_prefix, attribs)
-#
-# Define a daemon domain with a base set of type declarations
-# and permissions that are common to most daemons.
-# attribs is the list of attributes which must start with "," if it is not empty
-# nosysadm may be given as an optional third parameter, to specify that the
-# sysadmin should not transition to the domain when directly calling the executable
-#
-# Author: Russell Coker
-#
-define(`daemon_base_domain', `
-daemon_core_rules($1, `$2')
-
-rhgb_domain($1_t)
-
-read_sysctl($1_t)
-
-ifdef(`direct_sysadm_daemon', `
-dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
-')
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-ifelse(index(`$2',`transitionbool'), -1, `', `
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-') dnl transitionbool
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
-')dnl end direct_sysadm_daemon
-')dnl end nosysadm
-ifelse(index(`$2', `transitionbool'), -1, `', `
-}
-') dnl end transitionbool
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-role_transition sysadm_r $1_exec_t system_r;
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-
-allow $1_t privfd:fd use;
-ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
-allow $1_t initrc_devpts_t:chr_file rw_file_perms;
-')dnl
-
-# allow a domain to create its own files under /var/run and to create files
-# in directories that are created for it. $2 is an optional list of
-# classes to use; default is file.
-define(`var_run_domain', `
-type $1_var_run_t, file_type, sysadmfile, pidfile;
-
-ifelse(`$2', `', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
-', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
-')
-allow $1_t var_t:dir search;
-allow $1_t $1_var_run_t:dir rw_dir_perms;
-')
-
-#######################
-# daemon_domain(domain_prefix, attribs)
-#
-# see daemon_base_domain for calling details
-# daemon_domain defines some additional privileges needed by many domains,
-# like pid files and locale support
-
-define(`daemon_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `$2, transitionbool', $3)
-', `
-daemon_base_domain($1, `$2', $3)
-')
-# Create pid file.
-allow $1_t var_t:dir { getattr search };
-var_run_domain($1)
-
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-# for daemons that look at /root on startup
-dontaudit $1_t sysadm_home_dir_t:dir search;
-
-# for df
-allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;
-
-read_locale($1_t)
-
-# for localization
-allow $1_t lib_t:file { getattr read };
-')dnl end daemon_domain macro
-
-define(`uses_authbind',
-`domain_auto_trans($1, authbind_exec_t, authbind_t)
-allow authbind_t $1:process sigchld;
-allow authbind_t $1:fd use;
-allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
-')
-
-# define a sub-domain, $1_t is the parent domain, $2 is the name
-# of the sub-domain.
-#
-define(`daemon_sub_domain', `
-# $1 is the parent domain (or domains), $2_t is the child domain,
-# and $3 is any attributes to apply to the child
-type $2_t, domain, privlog, daemon $3;
-type $2_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types $2_t;
-
-ifelse(index(`$3',`transitionbool'), -1, `
-
-domain_auto_trans($1, $2_exec_t, $2_t)
-
-', `
-
-bool $2_disable_trans false;
-
-if (! $2_disable_trans) {
-domain_auto_trans($1, $2_exec_t, $2_t)
-}
-
-');
-# Inherit and use descriptors from parent.
-allow $2_t $1:fd use;
-allow $2_t $1:process sigchld;
-
-allow $2_t self:process signal_perms;
-
-uses_shlib($2_t)
-
-allow $2_t { self proc_t }:dir r_dir_perms;
-allow $2_t { self proc_t }:lnk_file read;
-
-allow $2_t device_t:dir getattr;
-')
-
-# grant access to /tmp
-# by default, only plain files and dirs may be stored there.
-# This can be overridden with a third parameter
-define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-ifelse($3, `',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
-')
-
-# grant access to /tmp. Do not perform an automatic transition.
-define(`tmp_domain_notrans', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-')
-
-define(`tmpfs_domain', `
-ifdef(`$1_tmpfs_t_defined',`', `
-define(`$1_tmpfs_t_defined')
-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-# Use this type when creating tmpfs/shm objects.
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
-')
-')
-
-define(`var_lib_domain', `
-type $1_var_lib_t, file_type, sysadmfile;
-file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
-allow $1_t $1_var_lib_t:dir rw_dir_perms;
-')
-
-define(`log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
-')
-
-define(`logdir_domain', `
-log_domain($1)
-allow $1_t $1_log_t:dir { setattr rw_dir_perms };
-')
-
-define(`etc_domain', `
-type $1_etc_t, file_type, sysadmfile, usercanread;
-allow $1_t $1_etc_t:file r_file_perms;
-')
-
-define(`etcdir_domain', `
-etc_domain($1)
-allow $1_t $1_etc_t:dir r_dir_perms;
-allow $1_t $1_etc_t:lnk_file { getattr read };
-')
-
-define(`append_log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-allow $1_t var_log_t:dir ra_dir_perms;
-allow $1_t $1_log_t:file { create ra_file_perms };
-type_transition $1_t var_log_t:file $1_log_t;
-')
-
-define(`append_logdir_domain', `
-append_log_domain($1)
-allow $1_t $1_log_t:dir { setattr ra_dir_perms };
-')
-
-define(`lock_domain', `
-type $1_lock_t, file_type, sysadmfile, lockfile;
-file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
-')
-
-#######################
-# application_domain(domain_prefix)
-#
-# Define a domain with a base set of type declarations
-# and permissions that are common to simple applications.
-#
-# Author: Russell Coker
-#
-define(`application_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types $1_t;
-ifdef(`targeted_policy', `
-role system_r types $1_t;
-')
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-uses_shlib($1_t)
-')
-
-define(`system_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types $1_t;
-uses_shlib($1_t)
-allow $1_t etc_t:dir r_dir_perms;
-')
-
-# Dontaudit macros to prevent flooding the log
-
-define(`dontaudit_getattr', `
-dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;
-dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-')dnl end dontaudit_getattr
-
-define(`dontaudit_search_dir', `
-dontaudit $1 file_type - secure_file_type:dir search;
-dontaudit $1 unlabeled_t:dir search;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-')dnl end dontaudit_search_dir
-
-define(`dontaudit_read_dir', `
-dontaudit $1 file_type - secure_file_type:dir read;
-dontaudit $1 unlabeled_t:dir read;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-')dnl end dontaudit_read_dir
-
-# Define legacy_domain for legacy binaries (java)
-# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
-# toolchain. They cause the kernel to automatically start translating all
-# read protection requests to read|execute for backward compatibility on
-# x86. They will all need execmem and execmod, including execmod to
-# shlib_t and ld_so_t unlike non-legacy binaries.
-
-define(`legacy_domain', `
-allow $1_t self:process { execmem execstack };
-allow $1_t { texrel_shlib_t shlib_t }:file execmod;
-allow $1_t ld_so_t:file execmod;
-allow $1_t ld_so_cache_t:file execute;
-')
-
-
-# Allow domain to perform polyinstantiation functions
-# polyinstantiater(domain)
-
-define(`polyinstantiater', `
-
-ifdef(`support_polyinstantiation', `
-# Need to give access to /selinux/member
-allow $1 security_t:security compute_member;
-
-# Need to give access to the directories to be polyinstantiated
-allow $1 polydir:dir { getattr mounton add_name create setattr write search };
-
-# Need to give access to the polyinstantiated subdirectories
-allow $1 polymember:dir {getattr search };
-
-# Need to give access to parent directories where original
-# is remounted for polyinstantiation aware programs (like gdm)
-allow $1 polyparent:dir { getattr mounton };
-
-# Need to give permission to create directories where applicable
-allow $1 polymember: dir { create setattr };
-allow $1 polydir: dir { write add_name };
-allow $1 self:process setfscreate;
-allow $1 polyparent:dir { write add_name };
-# Default type for mountpoints
-allow $1 poly_t:dir { create mounton };
-
-# Need sys_admin capability for mounting
-allow $1 self:capability sys_admin;
-')dnl end else support_polyinstantiation
-
-')dnl end polyinstantiater
-
-#
-# Domain that is allow to read anonymous data off the network
-# without providing authentication.
-# Also define boolean to allow anonymous writing
-#
-define(`anonymous_domain', `
-r_dir_file($1_t, { public_content_t public_content_rw_t } )
-bool allow_$1_anon_write false;
-if (allow_$1_anon_write) {
-create_dir_file($1_t,public_content_rw_t)
-}
-')
-#
-# Define a domain that can do anything, so that it is
-# effectively unconfined by the SELinux policy. This
-# means that it is only restricted by the normal Linux
-# protections. Note that you may need to add further rules
-# to allow other domains to interact with this domain as expected,
-# since this macro only allows the specified domain to act upon
-# all other domains and types, not vice versa.
-#
-define(`unconfined_domain', `
-
-typeattribute $1 unrestricted;
-typeattribute $1 privuser;
-
-# Mount/unmount any filesystem.
-allow $1 fs_type:filesystem *;
-
-# Mount/unmount any filesystem with the context= option.
-allow $1 file_type:filesystem *;
-
-# Create/access any file in a labeled filesystem;
-allow $1 file_type:{ file chr_file } ~execmod;
-allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-allow $1 sysctl_t:{ dir file } *;
-allow $1 device_type:devfile_class_set *;
-allow $1 mtrr_device_t:file *;
-
-# Create/access other files. fs_type is to pick up various
-# pseudo filesystem types that are applied to both the filesystem
-# and its files.
-allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
-allow $1 proc_fs:{ dir file } *;
-
-# For /proc/pid
-r_dir_file($1,domain)
-# Write access is for setting attributes under /proc/self/attr.
-allow $1 self:file rw_file_perms;
-
-# Read and write sysctls.
-can_sysctl($1)
-
-# Access the network.
-allow $1 node_type:node *;
-allow $1 netif_type:netif *;
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-allow $1 port_type:tcp_socket name_connect;
-
-# Bind to any network address.
-allow $1 port_type:{ tcp_socket udp_socket } name_bind;
-allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
-# Use/sendto/connectto sockets created by any domain.
-allow $1 domain:{ socket_class_set socket key_socket } *;
-
-# Use descriptors and pipes created by any domain.
-allow $1 domain:fd use;
-allow $1 domain:fifo_file rw_file_perms;
-
-# Act upon any other process.
-allow $1 domain:process ~{ transition dyntransition execmem };
-# Transition to myself, to make get_ordered_context_list happy.
-allow $1 self:process transition;
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g.
-# for runtime-code generation or executable stack.
-allow $1 self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1 self:process execstack;
-}
-
-if (allow_execmod) {
-# Allow text relocations on system shared libraries, e.g. libGL.
-ifdef(`targeted_policy', `
-allow $1 file_type:file execmod;
-', `
-allow $1 texrel_shlib_t:file execmod;
-allow $1 home_type:file execmod;
-')
-}
-
-# Create/access any System V IPC objects.
-allow $1 domain:{ sem msgq shm } *;
-allow $1 domain:msg { send receive };
-
-# Access the security API.
-allow $1 security_t:security *;
-auditallow $1 security_t:security { load_policy setenforce setbool };
-
-# Perform certain system operations that lacked individual capabilities.
-allow $1 kernel_t:system *;
-
-# Use any Linux capability.
-allow $1 self:capability *;
-
-# Set user information and skip authentication.
-allow $1 self:passwd *;
-
-# Communicate via dbusd.
-allow $1 self:dbus *;
-ifdef(`dbusd.te', `
-allow $1 system_dbusd_t:dbus *;
-')
-
-# Get info via nscd.
-allow $1 self:nscd *;
-ifdef(`nscd.te', `
-allow $1 nscd_t:nscd *;
-')
-
-')dnl end unconfined_domain
-
-
-define(`access_removable_media', `
-
-can_exec($1, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1, noexattrfile)
-create_dir_file($1, removable_t)
-# Write floppies
-allow $1 removable_device_t:blk_file rw_file_perms;
-allow $1 usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1, noexattrfile)
-r_dir_file($1, removable_t)
-allow $1 removable_device_t:blk_file r_file_perms;
-}
-allow $1 removable_t:filesystem getattr;
-
-')
-
-define(`authentication_domain', `
-can_ypbind($1)
-can_kerberos($1)
-can_ldap($1)
-can_resolve($1)
-can_winbind($1)
-r_dir_file($1, cert_t)
-allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
-allow $1 self:capability { audit_write audit_control };
-dontaudit $1 shadow_t:file { getattr read };
-')
diff --git a/strict/macros/home_macros.te b/strict/macros/home_macros.te
deleted file mode 100644
index 033b32f8..00000000
--- a/strict/macros/home_macros.te
+++ /dev/null
@@ -1,130 +0,0 @@
-# Home macros
-
-################################################
-# network_home(source)
-#
-# Allows source domain to use a network home
-# This includes privileges of create and execute
-# as well as the ability to create sockets and fifo
-
-define(`network_home', `
-allow $1 autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-can_exec($1, nfs_t)
-allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-can_exec($1, cifs_t)
-allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
-}
-') dnl network_home
-
-################################################
-# write_network_home(source)
-#
-# Allows source domain to create directories and
-# files on network file system
-
-define(`write_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl write_network_home
-
-################################################
-# read_network_home(source)
-#
-# Allows source domain to read directories and
-# files on network file system
-
-define(`read_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl read_network_home
-
-##################################################
-# home_domain_ro_access(source, user, app)
-#
-# Gives source access to the read-only home
-# domain of app for the given user type
-
-define(`home_domain_ro_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-read_network_home($1)
-r_dir_file($1, $2_$3_ro_home_t)
-') dnl home_domain_ro_access
-
-#################################################
-# home_domain_access(source, user, app)
-#
-# Gives source full access to the home
-# domain of app for the given user type
-#
-# Requires transition in caller
-
-define(`home_domain_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-write_network_home($1)
-create_dir_file($1, $2_$3_home_t)
-') dnl home_domain_access
-
-####################################################################
-# home_domain (prefix, app)
-#
-# Creates a domain in the prefix home where an application can
-# store its settings. It is accessible by the prefix domain.
-#
-# Requires transition in caller
-
-define(`home_domain', `
-
-# Declare home domain
-type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
-typealias $1_$2_home_t alias $1_$2_rw_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_home_t)
-allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_access($1_$2_t, $1, $2)
-')
-
-####################################################################
-# home_domain_ro (user, app)
-#
-# Creates a read-only domain in the user home where an application can
-# store its settings. It is fully accessible by the user, but
-# it is read-only for the application.
-#
-
-define(`home_domain_ro', `
-
-# Declare home domain
-type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_ro_home_t alias $1_$2_ro_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_ro_home_t)
-allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_ro_access($1_$2_t, $1, $2)
-')
diff --git a/strict/macros/mini_user_macros.te b/strict/macros/mini_user_macros.te
deleted file mode 100644
index 9f7d9940..00000000
--- a/strict/macros/mini_user_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# mini_user_domain(domain_prefix)
-#
-# Define derived types and rules for a minimal privs user domain named
-# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
-#
-undefine(`mini_user_domain')
-define(`mini_user_domain',`
-# user_t/$1_t is an unprivileged users domain.
-type $1_mini_t, domain, user_mini_domain;
-
-# for ~/.bash_profile and other files that the mini domain should be allowed
-# to read (but not write)
-type $1_home_mini_t, file_type, sysadmfile;
-allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
-allow $1_mini_t $1_home_mini_t:file r_file_perms;
-
-# $1_r is authorized for $1_mini_t for the initial login domain.
-role $1_r types $1_mini_t;
-uses_shlib($1_mini_t)
-pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
-
-allow $1_mini_t devtty_t:chr_file rw_file_perms;
-allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
-dontaudit $1_mini_t proc_t:dir { getattr search };
-allow $1_mini_t self:unix_stream_socket create_socket_perms;
-allow $1_mini_t self:fifo_file rw_file_perms;
-allow $1_mini_t self:process { fork sigchld setpgid };
-dontaudit $1_mini_t var_t:dir search;
-allow $1_mini_t { bin_t sbin_t }:dir search;
-
-dontaudit $1_mini_t device_t:dir { getattr read };
-dontaudit $1_mini_t devpts_t:dir { getattr read };
-dontaudit $1_mini_t proc_t:lnk_file read;
-
-can_exec($1_mini_t, bin_t)
-allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
-dontaudit $1_mini_t home_root_t:dir getattr;
-dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
-dontaudit $1_mini_t $1_home_t:file { append getattr read write };
-
-dontaudit $1_mini_t fs_t:filesystem getattr;
-
-type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
-# uncomment this if using mini domains for console logins
-#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
-
-type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
-type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
-
-domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
-')dnl end mini_user_domain definition
-
diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te
deleted file mode 100644
index 8e8b05a4..00000000
--- a/strict/macros/network_macros.te
+++ /dev/null
@@ -1,190 +0,0 @@
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`base_can_network',`
-#
-# Allow the domain to create and use $2 sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:$2_socket connected_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { $2_send rawip_send };
-allow $1 node_type:node { $2_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-ifelse($3, `', `
-allow $1 port_type:$2_socket { send_msg recv_msg };
-', `
-allow $1 $3:$2_socket { send_msg recv_msg };
-')
-
-# XXX Allow binding to any node type. Remove once
-# individual rules have been added to all domains that
-# bind sockets.
-allow $1 node_type:$2_socket node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
-# can_network_server_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { listen accept };
-')
-
-#################################
-#
-# can_network_client_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { connect };
-')
-
-#################################
-#
-# can_network_tcp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_tcp',`
-
-can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
-
-')
-
-#################################
-#
-# can_network_udp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_udp',`
-base_can_network($1, udp, `$2')
-allow $1 self:udp_socket { connect };
-')
-
-#################################
-#
-# can_network_server(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server',`
-
-can_network_server_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_server definition
-
-
-#################################
-#
-# can_network_client(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client',`
-
-can_network_client_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_client definition
-
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-
-can_network_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-ifdef(`mount.te', `
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-')
-
-')dnl end can_network definition
-
-define(`can_resolve',`
-can_network_client($1, `dns_port_t')
-allow $1 dns_port_t:tcp_socket name_connect;
-')
-
-define(`can_portmap',`
-can_network_client($1, `portmap_port_t')
-allow $1 portmap_port_t:tcp_socket name_connect;
-')
-
-define(`can_ldap',`
-can_network_client_tcp($1, `ldap_port_t')
-allow $1 ldap_port_t:tcp_socket name_connect;
-')
-
-define(`can_winbind',`
-ifdef(`winbind.te', `
-allow $1 winbind_var_run_t:dir { getattr search };
-allow $1 winbind_t:unix_stream_socket connectto;
-allow $1 winbind_var_run_t:sock_file { getattr read write };
-')
-')
-
-
-#################################
-#
-# nsswitch_domain(domain)
-#
-# Permissions for looking up uid/username mapping via nsswitch
-#
-define(`nsswitch_domain', `
-can_resolve($1)
-can_ypbind($1)
-can_ldap($1)
-can_winbind($1)
-')
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
deleted file mode 100644
index ea98391d..00000000
--- a/strict/macros/program/apache_macros.te
+++ /dev/null
@@ -1,197 +0,0 @@
-
-define(`apache_domain', `
-
-#This type is for webpages
-#
-type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-
-# This type is used for .htaccess files
-#
-type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-# This type is used for executable scripts files
-#
-type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
-
-# Type that CGI scripts run as
-type httpd_$1_script_t, domain, privmail, nscd_client_domain;
-role system_r types httpd_$1_script_t;
-uses_shlib(httpd_$1_script_t)
-
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
-allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
-
-allow httpd_$1_script_t httpd_t:fd use;
-allow httpd_$1_script_t httpd_t:process sigchld;
-
-allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_$1_script_t usr_t:lnk_file { getattr read };
-
-allow httpd_$1_script_t self:process { fork signal_perms };
-
-allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
-allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
-allow httpd_$1_script_t etc_runtime_t:file { getattr read };
-read_locale(httpd_$1_script_t)
-allow httpd_$1_script_t fs_t:filesystem getattr;
-allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_$1_script_t { self proc_t }:file r_file_perms;
-allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
-allow httpd_$1_script_t { self proc_t }:lnk_file read;
-
-allow httpd_$1_script_t device_t:dir { getattr search };
-allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
-}
-
-if (httpd_enable_cgi && httpd_can_network_connect) {
-can_network(httpd_$1_script_t)
-allow httpd_$1_script_t port_type:tcp_socket name_connect;
-}
-
-ifdef(`ypbind.te', `
-if (httpd_enable_cgi && allow_ypbind) {
-uncond_can_ypbind(httpd_$1_script_t)
-}
-')
-# The following are the only areas that
-# scripts can read, read/write, or append to
-#
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
-
-domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-allow httpd_$1_script_t httpd_t:fifo_file write;
-
-allow httpd_$1_script_t self:fifo_file rw_file_perms;
-
-allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts. So
-# the perl executable will be able to run a perl script
-#########################################################################
-can_exec_any(httpd_$1_script_t)
-
-allow httpd_$1_script_t etc_t:file { getattr read };
-dontaudit httpd_$1_script_t selinux_config_t:dir search;
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
-can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-allow httpd_$1_script_t home_root_t:dir { getattr search };
-allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-
-#############################################################################
-# Allow the scripts to read, read/write, append to the specified directories
-# or files
-############################################################################
-read_fonts(httpd_$1_script_t)
-r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
-allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
-anonymous_domain(httpd_$1_script)
-
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-create_dir_file(httpd_$1_script_t, httpdcontent)
-can_exec(httpd_$1_script_t, httpdcontent)
-}
-
-#
-# If a user starts a script by hand it gets the proper context
-#
-ifdef(`targeted_policy', `', `
-if (httpd_enable_cgi) {
-domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-')
-role sysadm_r types httpd_$1_script_t;
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search;
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-if (httpd_builtin_scripting) {
-r_dir_file(httpd_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_t, httpd_$1_script_rw_t)
-allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
-}
-
-')
-define(`apache_user_domain', `
-
-apache_domain($1)
-
-typeattribute httpd_$1_content_t $1_file_type;
-
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-}
-
-if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-# If a user starts a script by hand it gets the proper context
-domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-role $1_r types httpd_$1_script_t;
-
-#######################################
-# Allow user to create or edit web content
-#########################################
-
-create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-
-######################################################################
-# Allow the user to create htaccess files
-#####################################################################
-
-allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
-
-#########################################################################
-# Allow user to create files or directories
-# that scripts are able to read, write, or append to
-###########################################################################
-
-create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
-allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
-
-# allow accessing files/dirs below the users home dir
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
-ifdef(`nfs_home_dirs', `
-r_dir_file(httpd_$1_script_t, nfs_t)
-')dnl end if nfs_home_dirs
-}
-ifdef(`crond.te', `
-create_dir_file($1_crond_t, httpd_$1_content_t)
-')
-
-')
diff --git a/strict/macros/program/bonobo_macros.te b/strict/macros/program/bonobo_macros.te
deleted file mode 100644
index e76cf3a1..00000000
--- a/strict/macros/program/bonobo_macros.te
+++ /dev/null
@@ -1,119 +0,0 @@
-#
-# Bonobo
-#
-# Author: Ivan Gyurdiev
-#
-# bonobo_domain(role_prefix) - invoke per role
-# bonobo_client(app_prefix, role_prefix) - invoke per client app
-# bonobo_connect(type1_prefix, type2_prefix) -
-# connect two bonobo clients, the channel is bidirectional
-
-######################
-
-define(`bonobo_domain', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_domain_$1', `', `
-define(`bonobo_domain_$1')
-
-# Type for daemon
-type $1_bonobo_t, domain, nscd_client_domain;
-
-# Transition from caller
-domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
-role $1_r types $1_bonobo_t;
-
-# Shared libraries, gconv-modules
-uses_shlib($1_bonobo_t)
-allow $1_bonobo_t lib_t:file r_file_perms;
-
-read_locale($1_bonobo_t)
-read_sysctl($1_bonobo_t)
-
-# Session management
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1_bonobo, $1)
-
-# nsswitch.conf
-allow $1_bonobo_t etc_t:file { read getattr };
-
-# Fork to start apps
-allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
-allow $1_bonobo_t self:fifo_file rw_file_perms;
-
-# ???
-allow $1_bonobo_t root_t:dir search;
-allow $1_bonobo_t home_root_t:dir search;
-allow $1_bonobo_t $1_home_dir_t:dir search;
-
-# libexec ???
-allow $1_bonobo_t bin_t:dir search;
-
-# ORBit sockets for bonobo
-orbit_domain($1_bonobo, $1)
-
-# Bonobo can launch evolution
-ifdef(`evolution.te', `
-domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
-domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-')
-
-# Bonobo can launch GNOME vfs daemon
-ifdef(`gnome_vfs.te', `
-domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-')
-
-# Transition to ROLE_t on bin_t apps
-# FIXME: The goal is to get rid of this rule, as it
-# defeats the purpose of a separate domain. It is only
-# here temporarily, since bonobo runs as ROLE_t by default anyway
-domain_auto_trans($1_bonobo_t, bin_t, $1_t)
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_bonobo_t)
-')
-
-') dnl ifdef bonobo_domain_args
-') dnl bonobo_domain
-
-#####################
-
-define(`bonobo_client', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_client_$1_$2', `', `
-define(`bonobo_client_$1_$2')
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd, $1)
-
-# Create ORBit sockets
-orbit_domain($1, $2)
-
-# Connect to bonobo
-orbit_connect($1, $2_bonobo)
-orbit_connect($2_bonobo, $1)
-
-# Lock /tmp/bonobo-activation-register.lock
-# Stat /tmp/bonobo-activation-server.ior
-# FIXME: this should probably be of type $2_bonobo..
-# Note that this is file, not sock_file
-allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
-
-domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
-
-') dnl ifdef bonobo_client_args
-') dnl bonobo_client
-
-#####################
-
-define(`bonobo_connect', `
-
-# FIXME: Should there be a macro for unidirectional conn. ?
-
-orbit_connect($1, $2)
-orbit_connect($2, $1)
-
-') dnl bonobo_connect
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te
deleted file mode 100644
index fc1fc951..00000000
--- a/strict/macros/program/cdrecord_macros.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# macros for the cdrecord domain
-# Author: Thomas Bleher
-
-define(`cdrecord_domain', `
-type $1_cdrecord_t, domain, privlog;
-
-domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_cdrecord_t;
-
-uses_shlib($1_cdrecord_t)
-read_locale($1_cdrecord_t)
-
-# allow ps to show cdrecord and allow the user to kill it
-can_ps($1_t, $1_cdrecord_t)
-allow $1_t $1_cdrecord_t:process signal;
-
-# write to the user domain tty.
-access_terminal($1_cdrecord_t, $1)
-allow $1_cdrecord_t privfd:fd use;
-
-allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
-
-allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-can_resmgrd_connect($1_cdrecord_t)
-
-read_content($1_cdrecord_t, $1, cdrecord)
-
-allow $1_cdrecord_t etc_t:file { getattr read };
-
-# allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir r_dir_perms;
-allow $1_cdrecord_t device_t:lnk_file { getattr read };
-
-# allow cdrecord to write the CD
-allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
-allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
-
-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-can_access_pty($1_cdrecord_t, $1)
-allow $1_cdrecord_t $1_home_t:dir search;
-allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
-allow $1_cdrecord_t $1_home_t:file r_file_perms;
-')
-
diff --git a/strict/macros/program/chkpwd_macros.te b/strict/macros/program/chkpwd_macros.te
deleted file mode 100644
index 34f19485..00000000
--- a/strict/macros/program/chkpwd_macros.te
+++ /dev/null
@@ -1,74 +0,0 @@
-#
-# Macros for chkpwd domains.
-#
-
-#
-# chkpwd_domain(domain_prefix)
-#
-# Define a derived domain for the *_chkpwd program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te.
-#
-undefine(`chkpwd_domain')
-ifdef(`chkpwd.te', `
-define(`chkpwd_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
-
-role $1_r types $1_chkpwd_t;
-
-# is_selinux_enabled
-allow $1_chkpwd_t proc_t:file read;
-
-can_getcon($1_chkpwd_t)
-authentication_domain($1_chkpwd_t)
-
-ifelse($1, system, `
-domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-allow auth_chkpwd sbin_t:dir search;
-allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-authentication_domain(auth_chkpwd)
-', `
-domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
-allow $1_t sbin_t:dir search;
-allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-# Write to the user domain tty.
-access_terminal($1_chkpwd_t, $1)
-
-allow $1_chkpwd_t privfd:fd use;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
-')
-
-uses_shlib($1_chkpwd_t)
-allow $1_chkpwd_t etc_t:file { getattr read };
-allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
-allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-read_locale($1_chkpwd_t)
-
-# Use capabilities.
-allow $1_chkpwd_t self:capability setuid;
-r_dir_file($1_chkpwd_t, selinux_config_t)
-
-# for nscd
-ifdef(`nscd.te', `', `
-dontaudit $1_chkpwd_t var_t:dir search;
-')
-
-dontaudit $1_chkpwd_t fs_t:filesystem getattr;
-')
-
-', `
-
-define(`chkpwd_domain',`')
-
-')
diff --git a/strict/macros/program/chroot_macros.te b/strict/macros/program/chroot_macros.te
deleted file mode 100644
index 47ca86ba..00000000
--- a/strict/macros/program/chroot_macros.te
+++ /dev/null
@@ -1,131 +0,0 @@
-
-# macro for chroot environments
-# Author Russell Coker
-
-# chroot(initial_domain, basename, role, tty_device_type)
-define(`chroot', `
-
-ifelse(`$1', `initrc', `
-define(`chroot_role', `system_r')
-define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
-define(`chroot_mount_domain', `mount_t')
-define(`chroot_fd_use', `{ privfd init_t }')
-', `
-define(`chroot_role', `$1_r')
-define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
-define(`chroot_fd_use', `privfd')
-
-# allow mounting /proc and /dev
-ifdef(`$1_mount_def', `', `
-mount_domain($1, $1_mount)
-role chroot_role types $1_mount_t;
-')
-define(`chroot_mount_domain', `$1_mount_t')
-ifdef(`ssh.te', `
-can_tcp_connect($1_ssh_t, $2_t)
-')dnl end ssh
-')dnl end ifelse initrc
-
-# types for read-only and read-write files in the chroot
-type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
-type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
-# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
-# when you execute it
-type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
-
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
-
-# entry point for $2_super_t
-type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
-# $2_t is the base domain, has full access to $2_rw_t files
-type $2_t, domain;
-# $2_super_t is the super-chroot domain, can also write to $2_ro_t
-# but still can not access outside the chroot
-type $2_super_t, domain;
-allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
-
-ifdef(`$1_chroot_def', `', `
-dnl can not have this defined twice
-define(`$1_chroot_def')
-
-allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
-
-# $1_chroot_t is the domain for /usr/sbin/chroot
-type $1_chroot_t, domain;
-
-# allow $1_chroot_t to write to the tty device
-allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
-allow $1_chroot_t chroot_fd_use:fd use;
-allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
-
-role chroot_role types $1_chroot_t;
-uses_shlib($1_chroot_t)
-allow $1_chroot_t self:capability sys_chroot;
-allow $1_t $1_chroot_t:dir { search getattr read };
-allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
-domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
-allow $1_chroot_t fs_t:filesystem getattr;
-')dnl End conditional
-
-role chroot_role types { $2_t $2_super_t };
-
-# allow ps to show processes and allow killing them
-allow $1_t { $2_super_t $2_t }:dir { search getattr read };
-allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
-allow $1_t { $2_super_t $2_t }:process signal_perms;
-allow $2_super_t $2_t:dir { search getattr read };
-allow $2_super_t $2_t:{ file lnk_file } { read getattr };
-allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
-allow $1_t $2_super_t:process { signal_perms ptrace };
-allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
-
-allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
-allow { $2_super_t $2_t } device_t:dir { search getattr };
-allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
-allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
-allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
-allow $2_super_t self:capability sys_ptrace;
-
-can_tcp_connect($2_super_t, $2_t)
-allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
-
-# quiet ps and killall
-dontaudit { $2_super_t $2_t } domain:dir { search getattr };
-
-# allow $2_t to write to the owner tty device (should remove this)
-allow $2_t chroot_tty_device:chr_file { read write };
-
-r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
-create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-# $2_super_t transitions to $2_t when it executes
-# any file that $2_t can write
-domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
-allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
-r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
-create_dir_notdevfile($2_t, $2_rw_t)
-allow $2_t $2_rw_t:fifo_file create_file_perms;
-allow $2_t $2_ro_t:fifo_file rw_file_perms;
-allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
-create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($1_t, { $2_ro_t $2_dropdown_t })
-domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
-domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
-allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
-general_proc_read_access({ $2_t $2_super_t })
-general_domain_access({ $2_t $2_super_t })
-can_create_pty($2)
-can_create_pty($2_super)
-can_network({ $2_t $2_super_t })
-allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
-allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
-allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
-allow { $2_t $2_super_t } self:capability { dac_override kill };
-
-undefine(`chroot_role')
-undefine(`chroot_tty_device')
-undefine(`chroot_mount_domain')
-undefine(`chroot_fd_use')
-')
diff --git a/strict/macros/program/clamav_macros.te b/strict/macros/program/clamav_macros.te
deleted file mode 100644
index bc159304..00000000
--- a/strict/macros/program/clamav_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for clamscan
-#
-# Author: Brian May
-#
-
-#
-# can_clamd_connect(domain_prefix)
-#
-# Define a domain that can access clamd
-#
-define(`can_clamd_connect',`
-allow $1_t clamd_var_run_t:dir search;
-allow $1_t clamd_var_run_t:sock_file write;
-allow $1_t clamd_sock_t:sock_file write;
-can_unix_connect($1_t, clamd_t)
-')
-
-# clamscan_domain(domain_prefix)
-#
-# Define a derived domain for the clamscan program when executed
-#
-define(`clamscan_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_clamscan_t, domain, privlog;
-
-# Uses shared librarys
-uses_shlib($1_clamscan_t)
-allow $1_clamscan_t fs_t:filesystem getattr;
-r_dir_file($1_clamscan_t, etc_t)
-read_locale($1_clamscan_t)
-
-# Access virus signatures
-allow $1_clamscan_t var_lib_t:dir search;
-r_dir_file($1_clamscan_t, clamav_var_lib_t)
-
-# Allow temp files
-tmp_domain($1_clamscan)
-
-# Why is this required?
-allow $1_clamscan_t proc_t:dir r_dir_perms;
-allow $1_clamscan_t proc_t:file r_file_perms;
-read_sysctl($1_clamscan_t)
-allow $1_clamscan_t self:unix_stream_socket { connect create read write };
-')
-
-define(`user_clamscan_domain',`
-clamscan_domain($1)
-role $1_r types $1_clamscan_t;
-domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
-access_terminal($1_clamscan_t, $1)
-r_dir_file($1_clamscan_t,$1_home_t);
-r_dir_file($1_clamscan_t,$1_home_dir_t);
-allow $1_clamscan_t $1_home_t:file r_file_perms;
-allow $1_clamscan_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;')
-')
-
diff --git a/strict/macros/program/crond_macros.te b/strict/macros/program/crond_macros.te
deleted file mode 100644
index 5e61d7d1..00000000
--- a/strict/macros/program/crond_macros.te
+++ /dev/null
@@ -1,126 +0,0 @@
-#
-# Macros for crond domains.
-#
-
-#
-# Authors: Jonathan Crowley (MITRE) ,
-# Stephen Smalley and Timothy Fraser
-# Russell Coker
-#
-
-#
-# crond_domain(domain_prefix)
-#
-# Define a derived domain for cron jobs executed by crond on behalf
-# of a user domain. These domains are separate from the top-level domain
-# defined for the crond daemon and the domain defined for system cron jobs,
-# which are specified in domains/program/crond.te.
-#
-undefine(`crond_domain')
-define(`crond_domain',`
-# Derived domain for user cron jobs, user user_crond_domain if not system
-ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
-', `
-type $1_crond_t, domain, user_crond_domain;
-
-# Access user files and dirs.
-allow $1_crond_t home_root_t:dir search;
-file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
-
-# Run scripts in user home directory and access shared libs.
-can_exec($1_crond_t, $1_home_t)
-
-file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
-')
-r_dir_file($1_crond_t, selinux_config_t)
-
-# Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile;
-
-ifdef(`fcron.te', `
-allow crond_t $1_cron_spool_t:file create_file_perms;
-')
-
-allow $1_crond_t urandom_device_t:chr_file { getattr read };
-
-allow $1_crond_t usr_t:file { getattr ioctl read };
-allow $1_crond_t usr_t:lnk_file read;
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond
-# via execve_secure. There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, $1_crond_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
-
-# $1_mail_t should only be reading from the cron fifo not needing to write
-dontaudit $1_mail_t crond_t:fifo_file write;
-allow mta_user_agent $1_crond_t:fd use;
-')
-
-# The user role is authorized for this domain.
-role $1_r types $1_crond_t;
-
-# This domain is granted permissions common to most domains.
-can_network($1_crond_t)
-allow $1_crond_t port_type:tcp_socket name_connect;
-can_ypbind($1_crond_t)
-r_dir_file($1_crond_t, self)
-allow $1_crond_t self:fifo_file rw_file_perms;
-allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-allow $1_crond_t etc_runtime_t:file { getattr read };
-allow $1_crond_t self:process { fork signal_perms setsched };
-allow $1_crond_t proc_t:dir r_dir_perms;
-allow $1_crond_t proc_t:file { getattr read ioctl };
-read_locale($1_crond_t)
-read_sysctl($1_crond_t)
-allow $1_crond_t var_spool_t:dir search;
-allow $1_crond_t fs_type:filesystem getattr;
-
-allow $1_crond_t devtty_t:chr_file { read write };
-allow $1_crond_t var_t:dir r_dir_perms;
-allow $1_crond_t var_t:file { getattr read ioctl };
-allow $1_crond_t var_log_t:dir search;
-
-# Use capabilities.
-allow $1_crond_t self:capability dac_override;
-
-# Inherit and use descriptors from initrc - I think this is wrong
-#allow $1_crond_t initrc_t:fd use;
-
-#
-# Since crontab files are not directly executed,
-# crond must ensure that the crontab file has
-# a type that is appropriate for the domain of
-# the user cron job. It performs an entrypoint
-# permission check for this purpose.
-#
-allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
-# Run helper programs.
-can_exec_any($1_crond_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit $1_crond_t boot_t:dir search;
-# quiet other ps operations
-dontaudit $1_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit $1_crond_t var_run_t:dir search;
-')
-
-# When system_crond_t domain executes a type $1 executable then transition to
-# domain $2, allow $2 to interact with crond_t as well.
-define(`system_crond_entry', `
-ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, $1, $2)
-allow $2 crond_t:fifo_file { getattr read write ioctl };
-# a rule for privfd may make this obsolete
-allow $2 crond_t:fd use;
-allow $2 crond_t:process sigchld;
-')dnl end ifdef
-')dnl end system_crond_entry
diff --git a/strict/macros/program/crontab_macros.te b/strict/macros/program/crontab_macros.te
deleted file mode 100644
index 50d5ee5d..00000000
--- a/strict/macros/program/crontab_macros.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# Macros for crontab domains.
-#
-
-#
-# Authors: Jonathan Crowley (MITRE)
-# Revised by Stephen Smalley
-#
-
-#
-# crontab_domain(domain_prefix)
-#
-# Define a derived domain for the crontab program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/crontab.te.
-#
-undefine(`crontab_domain')
-define(`crontab_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_crontab_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
-
-can_ps($1_t, $1_crontab_t)
-
-# for ^Z
-allow $1_t $1_crontab_t:process signal;
-
-# The user role is authorized for this domain.
-role $1_r types $1_crontab_t;
-
-uses_shlib($1_crontab_t)
-allow $1_crontab_t etc_t:file { getattr read };
-allow $1_crontab_t self:unix_stream_socket create_socket_perms;
-allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
-read_locale($1_crontab_t)
-
-# Use capabilities dac_override is to create the file in the directory
-# under /tmp
-allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
-
-# Type for temporary files.
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
-
-# Use the type when creating files in /var/spool/cron.
-allow sysadm_crontab_t $1_cron_spool_t:file { getattr read }; -allow $1_crontab_t { var_t var_spool_t }:dir { getattr search }; -file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file) -allow $1_crontab_t self:process { fork signal_perms }; -ifdef(`fcron.te', ` -# fcron wants an instant update of a crontab change for the administrator -# also crontab does a security check for crontab -u -ifelse(`$1', `sysadm', ` -allow $1_crontab_t crond_t:process signal; -can_setfscreate($1_crontab_t) -', ` -dontaudit $1_crontab_t crond_t:process signal; -')dnl end ifelse -')dnl end ifdef fcron - -# for the checks used by crontab -u -dontaudit $1_crontab_t security_t:dir search; -allow $1_crontab_t proc_t:dir search; -allow $1_crontab_t proc_t:{ file lnk_file } { getattr read }; -allow $1_crontab_t selinux_config_t:dir search; -allow $1_crontab_t selinux_config_t:file { getattr read }; -dontaudit $1_crontab_t self:dir search; - -# crontab signals crond by updating the mtime on the spooldir -allow $1_crontab_t cron_spool_t:dir setattr; -# Allow crond to read those crontabs in cron spool. -allow crond_t $1_cron_spool_t:file r_file_perms; - -# Run helper programs as $1_t -allow $1_crontab_t { bin_t sbin_t }:dir search; -allow $1_crontab_t bin_t:lnk_file read; -domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t) - -# Read user crontabs -allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms; -allow $1_crontab_t $1_home_t:file r_file_perms; -dontaudit $1_crontab_t $1_home_dir_t:dir write; - -# Access the cron log file. -allow $1_crontab_t crond_log_t:file r_file_perms; -allow $1_crontab_t crond_log_t:file append; - -# Access terminals. -allow $1_crontab_t device_t:dir search; -access_terminal($1_crontab_t, $1); - -allow $1_crontab_t fs_t:filesystem getattr; - -# Inherit and use descriptors from gnome-pty-helper. 
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
-allow $1_crontab_t privfd:fd use;
-
-dontaudit $1_crontab_t var_run_t:dir search;
-')
diff --git a/strict/macros/program/daemontools_macros.te b/strict/macros/program/daemontools_macros.te
deleted file mode 100644
index 94c4f8e7..00000000
--- a/strict/macros/program/daemontools_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-ifdef(`daemontools.te', `
-
-define(`svc_ipc_domain',`
-allow $1 svc_start_t:process sigchld;
-allow $1 svc_start_t:fd use;
-allow $1 svc_start_t:fifo_file { read write getattr };
-allow svc_start_t $1:process signal;
-')
-
-') dnl ifdef daemontools
-
diff --git a/strict/macros/program/dbusd_macros.te b/strict/macros/program/dbusd_macros.te
deleted file mode 100644
index 600ac419..00000000
--- a/strict/macros/program/dbusd_macros.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#
-# Macros for Dbus
-#
-# Author: Colin Walters
-
-# dbusd_domain(domain_prefix)
-#
-# Define a derived domain for the DBus daemon.
-
-define(`dbusd_domain', `
-ifelse(`system', `$1',`
-daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
-# For backwards compatibility
-typealias system_dbusd_t alias dbusd_t;
-type etc_dbusd_t, file_type, sysadmfile;
-',`
-type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
-role $1_r types $1_dbusd_t;
-domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
-read_locale($1_dbusd_t)
-allow $1_t $1_dbusd_t:process { sigkill signal };
-allow $1_dbusd_t self:process { sigkill signal };
-dontaudit $1_dbusd_t var_t:dir { getattr search };
-')dnl end ifelse system
-
-base_file_read_access($1_dbusd_t)
-uses_shlib($1_dbusd_t)
-allow $1_dbusd_t etc_t:file { getattr read };
-r_dir_file($1_dbusd_t, etc_dbusd_t)
-tmp_domain($1_dbusd)
-allow $1_dbusd_t self:process fork;
-ifdef(`xdm.te', `
-can_pipe_xdm($1_dbusd_t)
-')
-
-allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read write };
-allow $1_dbusd_t proc_t:file read;
-
-can_getsecurity($1_dbusd_t)
-r_dir_file($1_dbusd_t, default_context_t)
-allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file($1_dbusd_t, pam_var_console_t)
-')
-
-allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-
-')dnl end dbusd_domain definition
-
-# dbusd_client(dbus_type, domain_prefix)
-# Example: dbusd_client_domain(system, user)
-#
-# Define a new derived domain for connecting to dbus_type
-# from domain_prefix_t.
-undefine(`dbusd_client')
-define(`dbusd_client',`
-
-ifdef(`dbusd.te',`
-# Derived type used for connection
-type $2_dbusd_$1_t;
-type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
-
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-
-# For connecting to the bus
-allow $2_t $1_dbusd_t:unix_stream_socket connectto;
-
-') dnl endif dbusd.te
-ifelse(`system', `$1', `
-allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`') dnl endif system
-')
-
-# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
-# Example: can_dbusd_converse(system, hald, updfstab)
-# Example: can_dbusd_converse(session, user, user)
-define(`can_dbusd_converse',`')
-ifdef(`dbusd.te',`
-undefine(`can_dbusd_converse')
-define(`can_dbusd_converse',`
-allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
-allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
-') dnl endif dbusd.te
-')
diff --git a/strict/macros/program/ethereal_macros.te b/strict/macros/program/ethereal_macros.te
deleted file mode 100644
index 36f1a966..00000000
--- a/strict/macros/program/ethereal_macros.te
+++ /dev/null
@@ -1,82 +0,0 @@ -# DESC - Ethereal -# -# Author: Ivan Gyurdiev -# - -############################################################# -# ethereal_networking(app_prefix) - -# restricted ethereal rules (sysadm only) -# - -define(`ethereal_networking', ` - -# Create various types of sockets -allow $1_t self:netlink_route_socket create_netlink_socket_perms; -allow $1_t self:udp_socket create_socket_perms; -allow $1_t self:packet_socket create_socket_perms; -allow $1_t self:unix_stream_socket create_stream_socket_perms; -allow $1_t self:tcp_socket create_socket_perms; - -allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid }; - -# Resolve names via DNS -can_resolve($1_t) - -') dnl ethereal_networking - -######################################################## -# Ethereal (GNOME) -# - -define(`ethereal_domain', ` - -# Type for program -type $1_ethereal_t, domain, nscd_client_domain; - -# Transition from sysadm type -domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t) -role $1_r types $1_ethereal_t; - -# Manual transition from userhelper -ifdef(`userhelper.te', ` -allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure }; -allow $1_ethereal_t userhelperdomain:fd use; -allow $1_ethereal_t userhelperdomain:process sigchld; -') dnl userhelper - -# X, GNOME -x_client_domain($1_ethereal, $1) -gnome_application($1_ethereal, $1) -gnome_file_dialog($1_ethereal, $1) - -# Why does it write this? 
-ifdef(`snmpd.te', ` -dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write; -') - -# /home/.ethereal -home_domain($1, ethereal) -file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir) - -# Enable restricted networking rules for sysadm - this is shared w/ tethereal -ifelse($1, `sysadm', ` -ethereal_networking($1_ethereal) - -# Ethereal tries to write to user terminal -dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write }; -dontaudit sysadm_ethereal_t unpriv_userdomain:fd use; -', `') - -# Store temporary files -tmp_domain($1_ethereal) - -# Re-execute itself (why?) -can_exec($1_ethereal_t, ethereal_exec_t) -allow $1_ethereal_t sbin_t:dir search; - -# Supress .local denials until properly implemented -dontaudit $1_ethereal_t $1_home_t:dir search; - -# FIXME: policy is incomplete - -') dnl ethereal_domain diff --git a/strict/macros/program/evolution_macros.te b/strict/macros/program/evolution_macros.te deleted file mode 100644 index 37fc0879..00000000 --- a/strict/macros/program/evolution_macros.te +++ /dev/null 
@@ -1,234 +0,0 @@ -# -# Evolution -# -# Author: Ivan Gyurdiev -# - -################################################ -# evolution_common(app_prefix,role_prefix) -# -define(`evolution_common', ` - -# Gnome common stuff -gnome_application($1, $2) - -# Stat root -allow $1_t root_t:dir search; - -# Access null device -allow $1_t null_device_t:chr_file rw_file_perms; - -# FIXME: suppress access to .local/.icons/.themes until properly implemented -dontaudit $1_t $2_home_t:dir r_dir_perms; - -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -dontaudit $1_t $2_home_t:file r_file_perms; - -') dnl evolution_common - -####################################### -# evolution_data_server(role_prefix) -# - -define(`evolution_data_server', ` - -# Type for daemon -type $1_evolution_server_t, domain, nscd_client_domain; - -# Transition from user type -if (! disable_evolution_trans) { -domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t) -} -role $1_r types $1_evolution_server_t; - -# Evolution common stuff -evolution_common($1_evolution_server, $1) - -# Access evolution home -home_domain_access($1_evolution_server_t, $1, evolution) - -# Talks to exchange -bonobo_connect($1_evolution_server, $1_evolution_exchange) - -can_exec($1_evolution_server_t, shell_exec_t) - -# Obtain weather data via http (read server name from xml file in /usr) -allow $1_evolution_server_t usr_t:file r_file_perms; -can_resolve($1_evolution_server_t) -can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } ) -allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect; - -# Talk to ldap (address book) -can_network_client_tcp($1_evolution_server_t, ldap_port_t) -allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect; - -# Look in /etc/pki -r_dir_file($1_evolution_server_t, cert_t) - -') dnl evolution_data_server - -####################################### -# 
evolution_webcal(role_prefix) -# - -define(`evolution_webcal', ` - -# Type for program -type $1_evolution_webcal_t, domain, nscd_client_domain; - -# Transition from user type -domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t) -role $1_r types $1_evolution_webcal_t; - -# X/evolution common stuff -x_client_domain($1_evolution_webcal, $1) -evolution_common($1_evolution_webcal, $1) - -# Search home directory (?) -allow $1_evolution_webcal_t $1_home_dir_t:dir search; - -# Networking capability - connect to website and handle ics link -# FIXME: is this necessary ? -can_resolve($1_evolution_webcal_t); -can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } ) -allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect; - -') dnl evolution_webcal - -####################################### -# evolution_alarm(role_prefix) -# -define(`evolution_alarm', ` - -# Type for program -type $1_evolution_alarm_t, domain, nscd_client_domain; - -# Transition from user type -domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t) -role $1_r types $1_evolution_alarm_t; - -# Common evolution stuff, X -evolution_common($1_evolution_alarm, $1) -x_client_domain($1_evolution_alarm, $1) - -# Connect to exchange, e-d-s -bonobo_connect($1_evolution_alarm, $1_evolution_server) -bonobo_connect($1_evolution_alarm, $1_evolution_exchange) - -# Access evolution home -home_domain_access($1_evolution_alarm_t, $1, evolution) - -') dnl evolution_alarm - -######################################## -# evolution_exchange(role_prefix) -# -define(`evolution_exchange', ` - -# Type for program -type $1_evolution_exchange_t, domain, nscd_client_domain; - -# Transition from user type -domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t) -role $1_r types $1_evolution_exchange_t; - -# Common evolution stuff, X -evolution_common($1_evolution_exchange, $1) -x_client_domain($1_evolution_exchange, $1) - -# Access 
evolution home -home_domain_access($1_evolution_exchange_t, $1, evolution) - -# /tmp/.exchange-$USER -tmp_domain($1_evolution_exchange) - -# Allow netstat -allow $1_evolution_exchange_t bin_t:dir search; -can_exec($1_evolution_exchange_t, bin_t) -r_dir_file($1_evolution_exchange_t, proc_net_t) -allow $1_evolution_exchange_t sysctl_net_t:dir search; -allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms; - -# Clock applet talks to exchange (FIXME: Needs policy) -bonobo_connect($1, $1_evolution_exchange) - -# FIXME: policy incomplete - -') dnl evolution_exchange - -####################################### -# evolution_domain(role_prefix) -# - -define(`evolution_domain', ` - -# Type for program -type $1_evolution_t, domain, nscd_client_domain, privlog; - -# Transition from user type -domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t) -role $1_r types $1_evolution_t; - -# X, mail, evolution common stuff -x_client_domain($1_evolution, $1) -mail_client_domain($1_evolution, $1) -gnome_file_dialog($1_evolution, $1) -evolution_common($1_evolution, $1) - -# Connect to e-d-s, exchange, alarm -bonobo_connect($1_evolution, $1_evolution_server) -bonobo_connect($1_evolution, $1_evolution_exchange) -bonobo_connect($1_evolution, $1_evolution_alarm) - -# Access .evolution -home_domain($1, evolution) - -# Store passwords in .gnome2_private -gnome_private_store($1_evolution, $1) - -# Run various programs -allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms; -allow $1_evolution_t { self bin_t }:lnk_file r_file_perms; - -### Junk mail filtering (start spamd) -ifdef(`spamd.te', ` -# Start the spam daemon -domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t) -role $1_r types spamd_t; - -# Write pid file and socket in ~/.evolution/cache/tmp -file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file }) - -# Allow evolution to signal the daemon -# FIXME: Now evolution can read spamd temp files -allow $1_evolution_t 
spamd_tmp_t:file r_file_perms; -allow $1_evolution_t spamd_t:process signal; -dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr; -') dnl spamd.te - -### Junk mail filtering (start spamc) -ifdef(`spamc.te', ` -domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t) - -# Allow connection to spamd socket above -allow $1_spamc_t $1_evolution_home_t:dir search; -') dnl spamc.te - -### Junk mail filtering (start spamassassin) -ifdef(`spamassassin.te', ` -domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t) -') dnl spamassasin.te - -') dnl evolution_domain - -################################# -# evolution_domains(role_prefix) - -define(`evolution_domains', ` -evolution_domain($1) -evolution_data_server($1) -evolution_webcal($1) -evolution_alarm($1) -evolution_exchange($1) -') dnl end evolution_domains diff --git a/strict/macros/program/fingerd_macros.te b/strict/macros/program/fingerd_macros.te deleted file mode 100644 index fd56ca7f..00000000 --- a/strict/macros/program/fingerd_macros.te +++ /dev/null @@ -1,15 +0,0 @@ -# -# Macro for fingerd -# -# Author: Russell Coker -# - -# -# fingerd_macro(domain_prefix) -# -# allow fingerd to create a fingerlog file in the user home dir -# -define(`fingerd_macro', ` -type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type; -file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t) -') diff --git a/strict/macros/program/fontconfig_macros.te b/strict/macros/program/fontconfig_macros.te deleted file mode 100644 index 7f4a56d3..00000000 --- a/strict/macros/program/fontconfig_macros.te +++ /dev/null 
@@ -1,52 +0,0 @@ -# -# Fontconfig related types -# -# Author: Ivan Gyurdiev -# -# fontconfig_domain(role_prefix) - create fontconfig domain -# -# read_fonts(domain, role_prefix) - -# allow domain to read fonts, optionally per/user -# - -define(`fontconfig_domain', ` - -type $1_fonts_t, file_type, $1_file_type, sysadmfile; -type $1_fonts_config_t, file_type, $1_file_type, sysadmfile; -type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile; - -create_dir_file($1_t, $1_fonts_t) -allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom }; - -create_dir_file($1_t, $1_fonts_config_t) -allow $1_t $1_fonts_config_t:file { relabelto relabelfrom }; - -# For startup relabel -allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; - -') dnl fontconfig_domain - -#################### - -define(`read_fonts', ` - -# Read global fonts and font config -r_dir_file($1, fonts_t) -r_dir_file($1, etc_t) - -ifelse(`$2', `', `', ` - -# Manipulate the global font cache -create_dir_file($1, $2_fonts_cache_t) - -# Read per user fonts and font config -r_dir_file($1, $2_fonts_t) -r_dir_file($1, $2_fonts_config_t) - -# There are some fonts in .gnome2 -ifdef(`gnome.te', ` -allow $1 $2_gnome_settings_t:dir { getattr search }; -') - -') dnl ifelse -') dnl read_fonts diff --git a/strict/macros/program/games_domain.te b/strict/macros/program/games_domain.te deleted file mode 100644 index d4c1d053..00000000 --- a/strict/macros/program/games_domain.te +++ /dev/null 
@@ -1,89 +0,0 @@ -#DESC games -# -# Macros for games -# -# -# Authors: Dan Walsh -# -# -# games_domain(domain_prefix) -# -# -define(`games_domain', ` - -type $1_games_t, domain, nscd_client_domain; - -# Type transition -if (! disable_games_trans) { -domain_auto_trans($1_t, games_exec_t, $1_games_t) -} -can_exec($1_games_t, games_exec_t) -role $1_r types $1_games_t; - -can_create_pty($1_games) - -# X access, GNOME, /tmp files -x_client_domain($1_games, $1) -tmp_domain($1_games, `', { dir notdevfile_class_set }) -gnome_application($1_games, $1) -gnome_file_dialog($1_games, $1) - -# Games seem to need this -if (allow_execmem) { -allow $1_games_t self:process execmem; -} - -allow $1_games_t texrel_shlib_t:file execmod; -allow $1_games_t var_t:dir { search getattr }; -rw_dir_create_file($1_games_t, games_data_t) -allow $1_games_t sound_device_t:chr_file rw_file_perms; -can_udp_send($1_games_t, $1_games_t) -can_tcp_connect($1_games_t, $1_games_t) - -# Access /home/user/.gnome2 -# FIXME: Change to use per app types -create_dir_file($1_games_t, $1_gnome_settings_t) - -# FIXME: why is this necessary - ORBit? 
-# ORBit works differently now
-create_dir_file($1_games_t, $1_tmp_t)
-allow $1_games_t $1_tmp_t:sock_file create_file_perms;
-can_unix_connect($1_t, $1_games_t)
-can_unix_connect($1_games_t, $1_t)
-
-ifdef(`xdm.te', `
-allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
-allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
-allow $1_games_t xdm_var_lib_t:file { getattr read };
-')dnl end if xdm.te
-
-allow $1_games_t var_lib_t:dir search;
-r_dir_file($1_games_t, man_t)
-allow $1_games_t { proc_t self }:dir search;
-allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
-ifdef(`mozilla.te', `
-dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
-')
-allow $1_games_t event_device_t:chr_file getattr;
-allow $1_games_t mouse_device_t:chr_file getattr;
-
-allow $1_games_t self:file { getattr read };
-allow $1_games_t self:sem create_sem_perms;
-
-allow $1_games_t { bin_t sbin_t }:dir { getattr search };
-can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
-allow $1_games_t bin_t:lnk_file read;
-
-dontaudit $1_games_t var_run_t:dir search;
-dontaudit $1_games_t initrc_var_run_t:file { read write };
-dontaudit $1_games_t var_log_t:dir search;
-
-can_network($1_games_t)
-allow $1_games_t port_t:tcp_socket name_bind;
-allow $1_games_t port_t:tcp_socket name_connect;
-
-# Suppress .icons denial until properly implemented
-dontaudit $1_games_t $1_home_t:dir read;
-
-')dnl end macro definition
-
diff --git a/strict/macros/program/gconf_macros.te b/strict/macros/program/gconf_macros.te
deleted file mode 100644
index 5f34ea7a..00000000
--- a/strict/macros/program/gconf_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# GConfd daemon
-#
-# Author: Ivan Gyurdiev
-#
-
-#######################################
-# gconfd_domain(role_prefix)
-#
-
-define(`gconfd_domain', `
-
-# Type for daemon
-type $1_gconfd_t, domain, nscd_client_domain, privlog;
-
-gnome_application($1_gconfd, $1)
-
-# Transition from user type
-domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t)
-role $1_r types $1_gconfd_t;
-
-allow $1_gconfd_t self:process { signal getsched };
-
-# Access .gconfd and .gconf
-home_domain($1, gconfd)
-file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir)
-
-# Access /etc/gconf
-r_dir_file($1_gconfd_t, gconf_etc_t)
-
-# /tmp/gconfd-USER
-tmp_domain($1_gconfd)
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_gconfd_t)
-allow xdm_t $1_gconfd_t:process signal;
-')
-
-') dnl gconf_domain
-
-#####################################
-# gconf_client(prefix, role_prefix)
-#
-
-define(`gconf_client', `
-
-# Launch the daemon if necessary
-domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)
-
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd)
-
-# Read lock/ior
-allow $1_t $2_gconfd_tmp_t:dir { getattr search };
-allow $1_t $2_gconfd_tmp_t:file { getattr read };
-
-') dnl gconf_client
diff --git a/strict/macros/program/gift_macros.te b/strict/macros/program/gift_macros.te
deleted file mode 100644
index c75a0617..00000000
--- a/strict/macros/program/gift_macros.te
+++ /dev/null
@@ -1,106 +0,0 @@
-#
-# Macros for giFT
-#
-# Author: Ivan Gyurdiev
-#
-# gift_domains(domain_prefix)
-# declares a domain for giftui and giftd
-
-#########################
-# gift_domain(user) #
-#########################
-
-define(`gift_domain', `
-
-# Type transition
-type $1_gift_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-role $1_r types $1_gift_t;
-
-# X access, Home files, GNOME, /tmp
-x_client_domain($1_gift, $1)
-gnome_application($1_gift, $1)
-home_domain($1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_gift_t)
-allow $1_t $1_gift_t:process signal_perms;
-
-# Launch gift daemon
-allow $1_gift_t bin_t:dir search;
-domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
-
-# Connect to gift daemon
-can_network_client_tcp($1_gift_t, giftd_port_t)
-allow $1_gift_t giftd_port_t:tcp_socket name_connect;
-
-# Read /proc/meminfo
-allow $1_gift_t proc_t:dir search;
-allow $1_gift_t proc_t:file { getattr read };
-
-# giftui looks in .icons, .themes.
-dontaudit $1_gift_t $1_home_t:dir { getattr read search };
-dontaudit $1_gift_t $1_home_t:file { getattr read };
-
-') dnl gift_domain
-
-##########################
-# giftd_domain(user) #
-##########################
-
-define(`giftd_domain', `
-
-type $1_giftd_t, domain;
-
-# Transition from user type
-domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
-role $1_r types $1_giftd_t;
-
-# Self permissions, allow fork
-allow $1_giftd_t self:process { fork signal sigchld setsched };
-allow $1_giftd_t self:unix_stream_socket create_socket_perms;
-
-read_sysctl($1_giftd_t)
-read_locale($1_giftd_t)
-uses_shlib($1_giftd_t)
-access_terminal($1_giftd_t, $1)
-
-# Read /proc/meminfo
-allow $1_giftd_t proc_t:dir search;
-allow $1_giftd_t proc_t:file { getattr read };
-
-# Read /etc/mtab
-allow $1_giftd_t etc_runtime_t:file { getattr read };
-
-# Access home domain
-home_domain_access($1_giftd_t, $1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Serve content on various p2p networks. Ports can be random.
-can_network_server($1_giftd_t)
-allow $1_giftd_t self:udp_socket listen;
-allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
-
-# Connect to various p2p networks. Ports can be random.
-can_network_client($1_giftd_t)
-allow $1_giftd_t port_type:tcp_socket name_connect;
-
-# Plugins
-r_dir_file($1_giftd_t, usr_t)
-
-# Connect to xdm
-ifdef(`xdm.te', `
-can_pipe_xdm($1_giftd_t)
-')
-
-') dnl giftd_domain
-
-##########################
-# gift_domains(user) #
-##########################
-
-define(`gift_domains', `
-gift_domain($1)
-giftd_domain($1)
-') dnl gift_domains
diff --git a/strict/macros/program/gnome_macros.te b/strict/macros/program/gnome_macros.te
deleted file mode 100644
index 5d31af51..00000000
--- a/strict/macros/program/gnome_macros.te
+++ /dev/null
@@ -1,115 +0,0 @@ -# -# GNOME related types -# -# Author: Ivan Gyurdiev -# -# gnome_domain(role_prefix) - create GNOME domain (run for each role) -# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps -# gnome_file_dialog(role_prefix) - gnome file dialog rules -# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private - -define(`gnome_domain', ` - -# Types for .gnome2 and .gnome2_private. -# For backwards compatibility, allow unrestricted -# access from ROLE_t. However, content inside -# *should* be labeled per application eventually. -# For .gnome2_private, use the private_store macro below. - -type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile; -create_dir_file($1_t, $1_gnome_settings_t) -allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto }; - -type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile; -create_dir_file($1_t, $1_gnome_secret_t) -allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto }; - -# GConf domain -gconfd_domain($1) -gconf_client($1, $1) - -# Bonobo-activation-server -bonobo_domain($1) -bonobo_client($1, $1) - -# GNOME vfs daemon -gnome_vfs_domain($1) -gnome_vfs_client($1, $1) - -# ICE is necessary for session management -ice_domain($1, $1) - -') - -################################# - -define(`gnome_application', ` - -# If launched from a terminal -access_terminal($1_t, $2) - -# Forking is generally okay -allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork }; -allow $1_t self:fifo_file rw_file_perms; - -# Shlib, locale, sysctl, proc -uses_shlib($1_t) -read_locale($1_t) -read_sysctl($1_t) - -allow $1_t { self proc_t }:dir { search read getattr }; -allow $1_t { self proc_t }:{ file lnk_file } { read getattr }; - -# Most gnome apps use bonobo -bonobo_client($1, $2) - -# Within-process bonobo-activation of components -bonobo_connect($1, $1) - -# Session management happens over ICE -# FIXME: More specific context is needed for 
gnome-session -ice_connect($1, $2) - -# Most talk to GConf -gconf_client($1, $2) - -# Allow getattr/read/search of .gnome2 and .gnome2_private -# Reading files should *not* be allowed - instead, more specific -# types should be created to handle such requests -allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms; - -# Access /etc/mtab, /etc/nsswitch.conf -allow $1_t etc_t:file { read getattr }; -allow $1_t etc_runtime_t:file { read getattr }; - -# Themes, gtkrc -allow $1_t usr_t:{ file lnk_file } r_file_perms; - -') dnl gnome_application - -################################ - -define(`gnome_file_dialog', ` - -# GNOME Open/Save As dialogs -dontaudit_getattr($1_t) -dontaudit_search_dir($1_t) - -# Bonobo connection to gnome_vfs daemon -bonobo_connect($1, $2_gnome_vfs) - -') dnl gnome_file_dialog - -################################ - -define(`gnome_private_store', ` - -# Type for storing secret data -# (different from home, not directly accessible from ROLE_t) -type $1_secret_t, file_type, $2_file_type, sysadmfile; - -# Put secret files in .gnome2_private -file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file); -allow $2_t $1_secret_t:file unlink; - -') dnl gnome_private_store diff --git a/strict/macros/program/gnome_vfs_macros.te b/strict/macros/program/gnome_vfs_macros.te deleted file mode 100644 index 8ff5c28a..00000000 --- a/strict/macros/program/gnome_vfs_macros.te +++ /dev/null 
@@ -1,55 +0,0 @@
-#
-# GNOME VFS daemon
-#
-# Author: Ivan Gyurdiev
-#
-
-#######################################
-# gnome_vfs_domain(role_prefix)
-#
-
-define(`gnome_vfs_domain', `
-
-# Type for daemon
-type $1_gnome_vfs_t, domain, nscd_client_domain;
-
-# GNOME, dbus
-gnome_application($1_gnome_vfs, $1)
-dbusd_client(system, $1_gnome_vfs)
-allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
-ifdef(`hald.te', `
-allow $1_gnome_vfs_t hald_t:dbus send_msg;
-allow hald_t $1_gnome_vfs_t:dbus send_msg;
-')
-
-# Transition from user type
-domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-role $1_r types $1_gnome_vfs_t;
-
-# Stat top level directories on mount_points (check free space?)
-allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr;
-
-# Search path to /home (??)
-allow $1_gnome_vfs_t home_root_t:dir search;
-allow $1_gnome_vfs_t $1_home_dir_t:dir search;
-
-# Search path to rpc_pipefs mount point (??)
-allow $1_gnome_vfs_t var_lib_nfs_t:dir search;
-allow $1_gnome_vfs_t var_lib_t:dir search;
-
-# Search libexec (??)
-allow $1_gnome_vfs_t bin_t:dir search;
-can_exec($1_gnome_vfs_t, bin_t)
-
-') dnl gnome_vfs_domain
-
-#####################################
-# gnome_vfs_client(prefix, role_prefix)
-#
-
-define(`gnome_vfs_client', `
-
-# Connect over bonobo
-bonobo_connect($1, $2_gnome_vfs)
-
-') dnl gnome_vfs_client
diff --git a/strict/macros/program/gpg_agent_macros.te b/strict/macros/program/gpg_agent_macros.te
deleted file mode 100644
index f7ad8b04..00000000
--- a/strict/macros/program/gpg_agent_macros.te
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# Macros for gpg agent
-#
-# Author: Thomas Bleher
-#
-#
-# gpg_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg-agent.te.
-#
-define(`gpg_agent_domain',`
-# Define a derived domain for the gpg-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_agent_t, domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_gpg_agent_t;
-
-allow $1_gpg_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_gpg_agent_t, $1)
-
-# Allow the user shell to signal the gpg-agent program.
-allow $1_t $1_gpg_agent_t:process { signal sigkill };
-# allow ps to show gpg-agent
-can_ps($1_t, $1_gpg_agent_t)
-
-uses_shlib($1_gpg_agent_t)
-read_locale($1_gpg_agent_t)
-
-# rlimit: gpg-agent wants to prevent coredumps
-allow $1_gpg_agent_t self:process { setrlimit fork sigchld };
-
-allow $1_gpg_agent_t { self proc_t }:dir search;
-allow $1_gpg_agent_t { self proc_t }:lnk_file read;
-
-allow $1_gpg_agent_t device_t:dir { getattr read };
-
-# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_agent_t, cifs_t)
-}
-
-allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_agent_t self:fifo_file { getattr read write };
-
-# create /tmp files
-tmp_domain($1_gpg_agent, `', `{ file dir sock_file }')
-
-# gpg connect
-allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-can_unix_connect($1_gpg_t, $1_gpg_agent_t)
-
-# policy for pinentry
-# ===================
-# we need to allow gpg-agent to call pinentry so it can get the passphrase
-# from the user.
-# Please note that I didnt use the x_client_domain-macro as it gives too
-# much permissions
-type $1_gpg_pinentry_t, domain;
-role $1_r types $1_gpg_pinentry_t;
-
-allow $1_gpg_agent_t bin_t:dir search;
-domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
-uses_shlib($1_gpg_pinentry_t)
-read_locale($1_gpg_pinentry_t)
-
-allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
-
-ifdef(`xdm.te', `
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-')dnl end ig xdm.te
-
-read_fonts($1_gpg_pinentry_t, $1)
-# read kde font cache
-allow $1_gpg_pinentry_t usr_t:file { getattr read };
-
-allow $1_gpg_pinentry_t { proc_t self }:dir search;
-allow $1_gpg_pinentry_t { proc_t self }:lnk_file read;
-# read /proc/meminfo
-allow $1_gpg_pinentry_t proc_t:file read;
-
-allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
-
-# for .Xauthority
-allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
-# wants to put some lock files into the user home dir, seems to work fine without
-dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-if (use_nfs_home_dirs) {
-allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-allow $1_gpg_pinentry_t nfs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t nfs_t:file write;
-}
-if (use_samba_home_dirs) {
-allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-allow $1_gpg_pinentry_t cifs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t cifs_t:file write;
-}
-
-# read /etc/X11/qtrc
-allow $1_gpg_pinentry_t etc_t:file { getattr read };
-
-dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search };
-
-')dnl end if gpg_agent
diff --git a/strict/macros/program/gpg_macros.te b/strict/macros/program/gpg_macros.te
deleted file mode 100644
index a836ed65..00000000
--- a/strict/macros/program/gpg_macros.te
+++ /dev/null
@@ -1,115 +0,0 @@
-#
-# Macros for gpg and pgp
-#
-# Author: Russell Coker
-#
-# based on the work of:
-# Stephen Smalley and Timothy Fraser
-#
-
-#
-# gpg_domain(domain_prefix)
-#
-# Define a derived domain for the gpg/pgp program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg.te.
-#
-define(`gpg_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
-role $1_r types $1_gpg_t;
-
-can_network($1_gpg_t)
-allow $1_gpg_t port_type:tcp_socket name_connect;
-can_ypbind($1_gpg_t)
-
-# for a bug in kmail
-dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
-
-allow $1_gpg_t device_t:dir r_dir_perms;
-allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-allow $1_gpg_t etc_t:file r_file_perms;
-
-allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-access_terminal($1_gpg_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors
-allow $1_gpg_t { privfd $1_t }:fd use;
-allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
-
-# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-# allow ps to show gpg
-can_ps($1_t, $1_gpg_t)
-
-uses_shlib($1_gpg_t)
-
-# Access .gnupg
-rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
-
-# Read content to encrypt/decrypt/sign
-read_content($1_gpg_t, $1)
-
-# Write content to encrypt/decrypt/sign
-write_trusted($1_gpg_t, $1)
-
-allow $1_gpg_t self:capability { ipc_lock setuid };
-
-allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
-allow $1_gpg_t fs_t:filesystem getattr;
-allow $1_gpg_t usr_t:file r_file_perms;
-read_locale($1_gpg_t)
-
-dontaudit $1_gpg_t var_t:dir search;
-
-ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
-
-# for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the
-# mail interface you will likely need additional permissions.
-type $1_gpg_helper_t, domain;
-role $1_r types $1_gpg_helper_t;
-
-domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-uses_shlib($1_gpg_helper_t)
-
-# allow gpg to fork so it can call the helpers
-allow $1_gpg_t self:process { fork sigchld };
-allow $1_gpg_t self:fifo_file { getattr read write };
-
-dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-if (use_nfs_home_dirs) {
-dontaudit $1_gpg_helper_t nfs_t:file { read write };
-}
-if (use_samba_home_dirs) {
-dontaudit $1_gpg_helper_t cifs_t:file { read write };
-}
-
-# communicate with the user
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file write;
-# get keys from the network
-can_network_client($1_gpg_helper_t)
-allow $1_gpg_helper_t port_type:tcp_socket name_connect;
-allow $1_gpg_helper_t etc_t:file { getattr read };
-allow $1_gpg_helper_t urandom_device_t:chr_file read;
-allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-# for nscd
-dontaudit $1_gpg_helper_t var_t:dir search;
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_gpg_t)
-')
-
-')dnl end gpg_domain definition
diff --git a/strict/macros/program/gph_macros.te b/strict/macros/program/gph_macros.te
deleted file mode 100644
index d784fcc3..00000000
--- a/strict/macros/program/gph_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for gnome-pty-helper domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# gph_domain(domain_prefix, role_prefix)
-#
-# Define a derived domain for the gnome-pty-helper program when
-# executed by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gnome-pty-helper.te.
-#
-# The *_gph_t domains are for the gnome_pty_helper program.
-# This program is executed by gnome-terminal to handle
-# updates to utmp and wtmp. In this regard, it is similar
-# to utempter. However, unlike utempter, gnome-pty-helper
-# also creates the pty file for the terminal program.
-# There is one *_gph_t domain for each user domain.
-#
-undefine(`gph_domain')
-define(`gph_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_gph_t, domain, gphdomain, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
-
-# The user role is authorized for this domain.
-role $2_r types $1_gph_t;
-
-# This domain is granted permissions common to most domains.
-uses_shlib($1_gph_t)
-
-# Use capabilities.
-allow $1_gph_t self:capability { chown fsetid setgid setuid };
-
-# Update /var/run/utmp and /var/log/wtmp.
-allow $1_gph_t { var_t var_run_t }:dir search;
-allow $1_gph_t initrc_var_run_t:file rw_file_perms;
-allow $1_gph_t wtmp_t:file rw_file_perms;
-
-# Allow gph to rw to stream sockets of appropriate user type.
-# (Need this so gnome-pty-helper can pass pty fd to parent
-# gnome-terminal which is running in a user domain.)
-allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;
-
-allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow user domain to use pty fd from gnome-pty-helper.
-allow $1_t $1_gph_t:fd use;
-
-# Use the network, e.g. for NIS lookups.
-can_resolve($1_gph_t)
-can_ypbind($1_gph_t)
-
-allow $1_gph_t etc_t:file { getattr read };
-
-# Added by David A. Wheeler:
-# Allow gnome-pty-helper to update /var/log/lastlog
-# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
-allow $1_gph_t lastlog_t:file rw_file_perms;
-allow $1_gph_t var_log_t:dir search;
-allow $1_t $1_gph_t:process signal;
-
-ifelse($2, `system', `
-# Create ptys for the system
-can_create_other_pty($1_gph, initrc)
-', `
-# Create ptys for the user domain.
-can_create_other_pty($1_gph, $1)
-
-# Read and write the users tty.
-allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;
-
-# Allow gnome-pty-helper to write the .xsession-errors file.
-allow $1_gph_t home_root_t:dir search;
-allow $1_gph_t $1_home_t:dir { search add_name };
-allow $1_gph_t $1_home_t:file { create write };
-')dnl end ifelse system
-')dnl end macro
diff --git a/strict/macros/program/i18n_input_macros.te b/strict/macros/program/i18n_input_macros.te
deleted file mode 100644
index 58699fc8..00000000
--- a/strict/macros/program/i18n_input_macros.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Macros for i18n_input
-#
-
-#
-# Authors: Dan Walsh
-#
-
-#
-# i18n_input_domain(domain)
-#
-ifdef(`i18n_input.te', `
-define(`i18n_input_domain', `
-allow i18n_input_t $1_home_dir_t:dir { getattr search };
-r_dir_file(i18n_input_t, $1_home_t)
-if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) }
-if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) }
-')
-')
-
-
diff --git a/strict/macros/program/ice_macros.te b/strict/macros/program/ice_macros.te
deleted file mode 100644
index b3734963..00000000
--- a/strict/macros/program/ice_macros.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# ICE related types
-#
-# Author: Ivan Gyurdiev
-#
-# ice_domain(prefix, role) - create ICE sockets
-# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets
-
-define(`ice_domain', `
-ifdef(`$1_ice_tmp_t_defined',`', `
-define(`$1_ice_tmp_t_defined')
-
-# Type for ICE sockets
-type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# FIXME: How does iceauth tie in?
-
-')
-')
-
-# FIXME: Should this be bidirectional?
-# Adding only unidirectional for now.
-
-define(`ice_connect', `
-
-# Read .ICEauthority file
-allow $1_t $2_iceauth_home_t:file { read getattr };
-
-can_unix_connect($1_t, $2_t)
-allow $1_t ice_tmp_t:dir r_dir_perms;
-allow $1_t $2_ice_tmp_t:sock_file { read write };
-allow $1_t $2_t:unix_stream_socket { read write };
-')
diff --git a/strict/macros/program/iceauth_macros.te b/strict/macros/program/iceauth_macros.te
deleted file mode 100644
index cc7e804c..00000000
--- a/strict/macros/program/iceauth_macros.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# Macros for iceauth domains.
-#
-# Author: Ivan Gyurdiev
-#
-# iceauth_domain(domain_prefix)
-
-define(`iceauth_domain',`
-
-# Program type
-type $1_iceauth_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t)
-role $1_r types $1_iceauth_t;
-
-# Store .ICEauthority files
-home_domain($1, iceauth)
-file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file)
-
-# Supress xdm trying to restore .ICEauthority permissions
-ifdef(`xdm.te', `
-dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
-')
-
-# /root
-allow $1_iceauth_t root_t:dir search;
-
-# Terminal output
-access_terminal($1_iceauth_t, $1)
-
-uses_shlib($1_iceauth_t)
-
-# ???
-allow $1_iceauth_t etc_t:dir search;
-allow $1_iceauth_t usr_t:dir search;
-
-# FIXME: policy is incomplete
-
-')dnl end xauth_domain macro
diff --git a/strict/macros/program/inetd_macros.te b/strict/macros/program/inetd_macros.te
deleted file mode 100644
index e5c4eed2..00000000
--- a/strict/macros/program/inetd_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-#################################
-#
-# Rules for the $1_t domain.
-#
-# $1_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# $1_exec_t is the type of the corresponding
-# programs.
-#
-define(`inetd_child_domain', `
-type $1_t, domain, privlog, nscd_client_domain;
-role system_r types $1_t;
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-domain_auto_trans(inetd_t, $1_exec_t, $1_t)
-allow inetd_t $1_t:process sigkill;
-}
-
-can_network_server($1_t)
-can_ypbind($1_t)
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-read_locale($1_t)
-allow $1_t device_t:dir search;
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:{ file lnk_file } { getattr read };
-allow $1_t self:process { fork signal_perms };
-allow $1_t fs_t:filesystem getattr;
-
-read_sysctl($1_t)
-
-allow $1_t etc_t:file { getattr read };
-
-tmp_domain($1)
-allow $1_t var_t:dir search;
-var_run_domain($1)
-
-# Inherit and use descriptors from inetd.
-allow $1_t inetd_t:fd use;
-
-# for identd
-allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow $1_t self:capability { setuid setgid };
-allow $1_t home_root_t:dir search;
-allow $1_t self:dir search;
-allow $1_t self:{ lnk_file file } { getattr read };
-can_kerberos($1_t)
-allow $1_t urandom_device_t:chr_file r_file_perms;
-# Use sockets inherited from inetd.
-ifelse($2, `', `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, tcp, `
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, udp, `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-')
-r_dir_file($1_t, proc_net_t)
-')
-define(`remote_login_daemon', `
-inetd_child_domain($1)
-
-# Execute /bin/login on a new PTY
-allow $1_t { bin_t sbin_t }:dir search;
-domain_auto_trans($1_t, login_exec_t, remote_login_t)
-can_create_pty($1, `, server_pty, userpty_type')
-allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
-
-# Append to /var/log/wtmp.
-allow $1_t var_log_t:dir search;
-allow $1_t wtmp_t:file rw_file_perms;
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Allow reading of /etc/issue.net
-allow $1_t etc_runtime_t:file r_file_perms;
-
-# Allow krb5 $1 to use fork and open /dev/tty for use
-allow $1_t userpty_type:chr_file setattr;
-allow $1_t devtty_t:chr_file rw_file_perms;
-dontaudit $1_t selinux_config_t:dir search;
-')
diff --git a/strict/macros/program/irc_macros.te b/strict/macros/program/irc_macros.te
deleted file mode 100644
index 3adaef78..00000000
--- a/strict/macros/program/irc_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for irc domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# irc_domain(domain_prefix)
-#
-# Define a derived domain for the irc program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/irc.te.
-#
-undefine(`irc_domain')
-ifdef(`irc.te', `
-define(`irc_domain',`
-
-# Home domain
-home_domain($1, irc)
-file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)
-
-# Derived domain based on the calling user domain and the program.
-type $1_irc_t, domain;
-type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
-
-allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_irc_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
-
-# allow ps to show irc
-can_ps($1_t, $1_irc_t)
-allow $1_t $1_irc_t:process signal;
-
-# Use the network.
-can_network_client($1_irc_t)
-allow $1_irc_t port_type:tcp_socket name_connect;
-can_ypbind($1_irc_t)
-
-allow $1_irc_t usr_t:file { getattr read };
-
-access_terminal($1_irc_t, $1)
-uses_shlib($1_irc_t)
-allow $1_irc_t etc_t:file { read getattr };
-read_locale($1_irc_t)
-allow $1_irc_t fs_t:filesystem getattr;
-allow $1_irc_t var_t:dir search;
-allow $1_irc_t device_t:dir search;
-allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_irc_t privfd:fd use;
-allow $1_irc_t proc_t:dir search;
-allow $1_irc_t { self proc_t }:lnk_file read;
-allow $1_irc_t self:dir search;
-dontaudit $1_irc_t var_run_t:dir search;
-
-# allow utmp access
-allow $1_irc_t initrc_var_run_t:file { getattr read };
-dontaudit $1_irc_t initrc_var_run_t:file lock;
-
-# access files under /tmp
-file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
-
-ifdef(`ircd.te', `
-can_tcp_connect($1_irc_t, ircd_t)
-')dnl end ifdef irc.te
-')dnl end macro definition
-
-', `
-
-define(`irc_domain',`')
-
-')dnl end ifdef irc.te
diff --git a/strict/macros/program/java_macros.te b/strict/macros/program/java_macros.te
deleted file mode 100644
index 874d6dc3..00000000
--- a/strict/macros/program/java_macros.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Authors: Dan Walsh
-#
-# Macros for javaplugin (java plugin) domains.
-#
-#
-# javaplugin_domain(domain_prefix, role)
-#
-# Define a derived domain for the javaplugin program when executed by
-# a web browser.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/java.te.
-#
-define(`javaplugin_domain',`
-type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
-
-# The user role is authorized for this domain.
-role $2_r types $1_javaplugin_t;
-domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-
-allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
-# Unrestricted inheritance from the caller.
-allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-allow $1_javaplugin_t $1_t:process signull;
-
-can_unix_connect($1_javaplugin_t, $1_t)
-allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_javaplugin_t)
-allow $1_javaplugin_t port_type:tcp_socket name_connect;
-can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:fifo_file rw_file_perms;
-allow $1_javaplugin_t etc_runtime_t:file { getattr read };
-allow $1_javaplugin_t fs_t:filesystem getattr;
-r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
-allow $1_javaplugin_t self:dir search;
-allow $1_javaplugin_t self:lnk_file read;
-allow $1_javaplugin_t self:file { getattr read };
-
-read_sysctl($1_javaplugin_t)
-allow $1_javaplugin_t sysctl_vm_t:dir search;
-
-tmp_domain($1_javaplugin)
-read_fonts($1_javaplugin_t, $2)
-r_dir_file($1_javaplugin_t,{ usr_t etc_t })
-
-# Search bin directory under javaplugin for javaplugin executable
-allow $1_javaplugin_t bin_t:dir search;
-can_exec($1_javaplugin_t, java_exec_t)
-
-# libdeploy.so legacy
-allow $1_javaplugin_t texrel_shlib_t:file execmod;
-if (allow_execmem) {
-allow $1_javaplugin_t self:process execmem;
-}
-
-# Connect to X server
-x_client_domain($1_javaplugin, $2)
-
-uses_shlib($1_javaplugin_t)
-read_locale($1_javaplugin_t)
-rw_dir_file($1_javaplugin_t, $1_home_t)
-
-if (allow_java_execstack) {
-legacy_domain($1_javaplugin)
-allow $1_javaplugin_t lib_t:file execute;
-allow $1_javaplugin_t locale_t:file execute;
-allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-allow $1_javaplugin_t fonts_t:file execute;
-allow $1_javaplugin_t sound_device_t:chr_file execute;
-}
-
-allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-
-allow $1_javaplugin_t home_root_t:dir { getattr search };
-file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
-allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
-allow $1_javaplugin_t $2_tmp_t:sock_file write;
-allow $1_javaplugin_t $2_t:fd use;
-
-allow $1_javaplugin_t var_t:dir getattr;
-allow $1_javaplugin_t var_lib_t:dir { getattr search };
-
-dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
-dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
-dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
-
-')
diff --git a/strict/macros/program/kerberos_macros.te b/strict/macros/program/kerberos_macros.te
deleted file mode 100644
index 91850d3c..00000000
--- a/strict/macros/program/kerberos_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-define(`can_kerberos',`
-ifdef(`kerberos.te',`
-if (allow_kerberos) {
-can_network_client($1, `kerberos_port_t')
-allow $1 kerberos_port_t:tcp_socket name_connect;
-can_resolve($1)
-}
-') dnl kerberos.te
-dontaudit $1 krb5_conf_t:file write;
-allow $1 krb5_conf_t:file { getattr read };
-')
diff --git a/strict/macros/program/lockdev_macros.te b/strict/macros/program/lockdev_macros.te
deleted file mode 100644
index 28f7c01f..00000000
--- a/strict/macros/program/lockdev_macros.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Macros for lockdev domains.
-#
-
-#
-# Authors: Daniel Walsh
-#
-
-#
-# lockdev_domain(domain_prefix)
-#
-# Define a derived domain for the lockdev programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lockdev.te.
-#
-undefine(`lockdev_domain')
-define(`lockdev_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lockdev_t, domain, privlog;
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lockdev_t;
-# Use capabilities.
-allow $1_lockdev_t self:capability setgid;
-allow $1_lockdev_t $1_t:process signull;
-
-allow $1_lockdev_t var_t:dir search;
-
-lock_domain($1_lockdev)
-
-r_dir_file($1_lockdev_t, lockfile)
-
-allow $1_lockdev_t device_t:dir search;
-allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
-access_terminal($1_lockdev_t, $1)
-dontaudit $1_lockdev_t root_t:dir search;
-
-uses_shlib($1_lockdev_t)
-allow $1_lockdev_t fs_t:filesystem getattr;
-
-')dnl end macro definition
-
diff --git a/strict/macros/program/login_macros.te b/strict/macros/program/login_macros.te
deleted file mode 100644
index 0d0993c7..00000000
--- a/strict/macros/program/login_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macros for login type programs (/bin/login, sshd, etc).
-#
-# Author: Russell Coker
-#
-
-define(`login_spawn_domain', `
-domain_trans($1_t, shell_exec_t, $2)
-
-# Signal the user domains.
-allow $1_t $2:process signal;
-')
diff --git a/strict/macros/program/lpr_macros.te b/strict/macros/program/lpr_macros.te
deleted file mode 100644
index 3dea9b07..00000000
--- a/strict/macros/program/lpr_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for lpr domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# lpr_domain(domain_prefix)
-#
-# Define a derived domain for the lpr/lpq/lprm programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lpr.te.
-#
-undefine(`lpr_domain')
-define(`lpr_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lpr_t, domain, privlog, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
-
-allow $1_t $1_lpr_t:process signull;
-
-# allow using shared objects, accessing root dir, etc
-uses_shlib($1_lpr_t)
-
-read_locale($1_lpr_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lpr_t;
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_lpr_t)
-allow $1_lpr_t port_type:tcp_socket name_connect;
-can_ypbind($1_lpr_t)
-
-# Use capabilities.
-allow $1_lpr_t $1_lpr_t:capability { setuid dac_override net_bind_service chown };
-
-allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
-
-# for lpd config files (should have a new type)
-r_dir_file($1_lpr_t, etc_t)
-
-# for test print
-r_dir_file($1_lpr_t, usr_t)
-ifdef(`lpd.te', `
-r_dir_file($1_lpr_t, printconf_t)
-')
-
-tmp_domain($1_lpr)
-
-# Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile;
-# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
-file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
-allow $1_lpr_t var_spool_t:dir search;
-
-# for /dev/null
-allow $1_lpr_t device_t:dir search;
-
-# Access the terminal.
-access_terminal($1_lpr_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
-allow $1_lpr_t privfd:fd use;
-
-# Read user files.
-read_content(sysadm_lpr_t, $1)
-read_content($1_lpr_t, $1)
-
-# Read and write shared files in the spool directory.
-allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-# lpr can run in lightweight mode, without a local print spooler. If the
-# lpd policy is present, grant some permissions for this domain and the lpd
-# domain to interact.
-ifdef(`lpd.te', `
-allow $1_lpr_t { var_t var_run_t }:dir search;
-allow $1_lpr_t lpd_var_run_t:dir search;
-allow $1_lpr_t lpd_var_run_t:sock_file write;
-
-# Allow lpd to read, rename, and unlink spool files.
-allow lpd_t $1_print_spool_t:file r_file_perms;
-allow lpd_t $1_print_spool_t:file link_file_perms;
-
-# Connect to lpd via a Unix domain socket.
-allow $1_lpr_t printer_t:sock_file rw_file_perms;
-can_unix_connect($1_lpr_t, lpd_t)
-dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };
-
-# Connect to lpd via a TCP socket.
-can_tcp_connect($1_lpr_t, lpd_t)
-
-allow $1_lpr_t fs_t:filesystem getattr;
-# Send SIGHUP to lpd.
-allow $1_lpr_t lpd_t:process signal;
-
-')dnl end if lpd.te
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_lpr_t)
-')
-
-ifdef(`cups.te', `
-allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
-allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
-can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
-')dnl end ifdef cups.te
-
-')dnl end macro definition
-
diff --git a/strict/macros/program/mail_client_macros.te b/strict/macros/program/mail_client_macros.te
deleted file mode 100644
index da22a620..00000000
--- a/strict/macros/program/mail_client_macros.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Shared macro for mail clients
-#
-# Author: Ivan Gyurdiev
-#
-
-########################################
-# mail_client_domain(client, role_prefix)
-#
-
-define(`mail_client_domain', `
-
-# Allow netstat
-# Startup shellscripts
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file r_file_perms;
-can_exec($1_t, bin_t)
-r_dir_file($1_t, proc_net_t)
-allow $1_t sysctl_net_t:dir search;
-
-# Allow DNS
-can_resolve($1_t)
-
-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-can_ypbind($1_t)
-can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
-allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Allow printing the mail
-ifdef(`cups.te',`
-allow $1_t cupsd_etc_t:dir r_dir_perms;
-allow $1_t cupsd_rw_etc_t:file r_file_perms;
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
-')
-
-# Attachments
-read_content($1_t, $2, mail)
-
-# Save mail
-write_untrusted($1_t, $2)
-
-# Encrypt mail
-ifdef(`gpg.te', `
-domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
-allow $1_t $2_gpg_t:process signal;
-')
-
-# Start links in web browser
-ifdef(`mozilla.te', `
-can_exec($1_t, shell_exec_t)
-domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
-')
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-allow $1_t system_dbusd_t:dbus send_msg;
-dbusd_client($2, $1)
-allow $1_t $2_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_t:dbus send_msg;
-')
-')
-# Allow the user domain to signal/ps.
-can_ps($2_t, $1_t)
-allow $2_t $1_t:process signal_perms;
-
-')
diff --git a/strict/macros/program/mount_macros.te b/strict/macros/program/mount_macros.te
deleted file mode 100644
index 0aa05778..00000000
--- a/strict/macros/program/mount_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for mount
-#
-# Author: Brian May
-# Extended by Russell Coker
-#
-
-#
-# mount_domain(domain_prefix,dst_domain_prefix)
-#
-# Define a derived domain for the mount program for anyone.
-#
-define(`mount_domain', `
-#
-# Rules for the $2_t domain, used by the $1_t domain.
-#
-# $2_t is the domain for the mount process.
-#
-# This macro will not be included by all users and it may be included twice if
-# called from other macros, so we need protection for this do not call this
-# macro if $2_def is defined
-define(`$2_def', `')
-#
-type $2_t, domain, privlog $3, nscd_client_domain;
-
-allow $2_t sysfs_t:dir search;
-
-uses_shlib($2_t)
-
-role $1_r types $2_t;
-# when mount is run by $1 goto $2_t domain
-domain_auto_trans($1_t, mount_exec_t, $2_t)
-
-allow $2_t proc_t:dir search;
-allow $2_t proc_t:file { getattr read };
-
-#
-# Allow mounting of cdrom by user
-#
-allow $2_t device_type:blk_file getattr;
-
-tmp_domain($2)
-
-# Use capabilities.
-allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-allow $2_t self:unix_stream_socket create_socket_perms;
-
-# Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
-
-allow $2_t etc_t:file { getattr read };
-
-read_locale($2_t)
-
-allow $2_t home_root_t:dir search;
-allow $2_t $1_home_dir_t:dir search;
-allow $2_t noexattrfile:filesystem { mount unmount };
-allow $2_t fs_t:filesystem getattr;
-allow $2_t removable_t:filesystem { mount unmount };
-allow $2_t mnt_t:dir { mounton search };
-allow $2_t sbin_t:dir search;
-
-# Access the terminal.
-access_terminal($2_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
-allow $2_t var_t:dir search;
-allow $2_t var_run_t:dir search;
-
-ifdef(`distro_redhat',`
-ifdef(`pamconsole.te',`
-r_dir_file($2_t,pam_var_console_t)
-# mount config by default sets fscontext=removable_t
-allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end pamconsole.te
-') dnl end distro_redhat
-') dnl end mount_domain
-
-# mount_loopback_privs(domain_prefix,dst_domain_prefix)
-#
-# Add loopback mounting privileges to a particular derived
-# mount domain.
-#
-define(`mount_loopback_privs',`
-type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
-allow $1_t $1_$2_source_t:file create_file_perms;
-allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
-allow $2_t $1_$2_source_t:file rw_file_perms;
-')
-
diff --git a/strict/macros/program/mozilla_macros.te b/strict/macros/program/mozilla_macros.te
deleted file mode 100644
index cc8afb0f..00000000
--- a/strict/macros/program/mozilla_macros.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#
-# Macros for mozilla/mozilla (or other browser) domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# mozilla_domain(domain_prefix)
-#
-# Define a derived domain for the mozilla/mozilla program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mozilla.te.
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`mozilla_domain',`
-
-type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
-
-# Type transition
-if (! disable_mozilla_trans) {
-domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
-}
-role $1_r types $1_mozilla_t;
-
-# X access, Home files
-home_domain($1, mozilla)
-x_client_domain($1_mozilla, $1)
-
-# GNOME integration
-ifdef(`gnome.te', `
-gnome_application($1_mozilla, $1)
-gnome_file_dialog($1_mozilla, $1)
-')
-
-# Look for plugins
-allow $1_mozilla_t bin_t:dir { getattr read search };
-
-# Browse the web, connect to printer
-can_resolve($1_mozilla_t)
-can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
-allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Should not need other ports
-dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
-
-allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
-dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-
-# Unrestricted inheritance from the caller.
-allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
-allow $1_mozilla_t $1_t:process signull;
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_mozilla_t)
-allow $1_t $1_mozilla_t:process signal_perms;
-
-# Access /proc, sysctl
-allow $1_mozilla_t proc_t:dir search;
-allow $1_mozilla_t proc_t:file { getattr read };
-allow $1_mozilla_t proc_t:lnk_file read;
-allow $1_mozilla_t sysctl_net_t:dir search;
-allow $1_mozilla_t sysctl_t:dir search;
-
-# /var/lib
-allow $1_mozilla_t var_lib_t:dir search;
-allow $1_mozilla_t var_lib_t:file { getattr read };
-
-# Self permissions
-allow $1_mozilla_t self:socket create_socket_perms;
-allow $1_mozilla_t self:file { getattr read };
-allow $1_mozilla_t self:sem create_sem_perms;
-
-# for bash - old mozilla binary
-can_exec($1_mozilla_t, mozilla_exec_t)
-can_exec($1_mozilla_t, shell_exec_t)
-can_exec($1_mozilla_t, bin_t)
-allow $1_mozilla_t bin_t:lnk_file read;
-allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t self:dir search;
-allow $1_mozilla_t self:lnk_file read;
-r_dir_file($1_mozilla_t, proc_net_t)
-
-# interacting with gstreamer
-r_dir_file($1_mozilla_t, var_t)
-
-# Uploads, local html
-read_content($1_mozilla_t, $1, mozilla)
-
-# Save web pages
-write_untrusted($1_mozilla_t, $1)
-
-# Mozpluggerrc
-allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-
-######### Java plugin
-ifdef(`java.te', `
-javaplugin_domain($1_mozilla, $1)
-') dnl java.te
-
-######### Print web content
-ifdef(`cups.te', `
-allow $1_mozilla_t cupsd_etc_t:dir search;
-allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
-') dnl if lpr.te
-
-######### Launch mplayer
-ifdef(`mplayer.te', `
-domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-')dnl end if 
mplayer.te
-
-######### Launch email client, and make webcal links work
-ifdef(`evolution.te', `
-domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-') dnl if evolution.te
-
-ifdef(`thunderbird.te', `
-domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
-') dnl if evolution.te
-
-if (allow_execmem) {
-allow $1_mozilla_t self:process { execmem execstack };
-}
-allow $1_mozilla_t texrel_shlib_t:file execmod;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, $1_mozilla)
-allow $1_mozilla_t system_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_mozilla_t:dbus send_msg;
-')
-')
-
-ifdef(`apache.te', `
-ifelse($1, sysadm, `', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
-')
-
-')dnl end mozilla macro
-
diff --git a/strict/macros/program/mplayer_macros.te b/strict/macros/program/mplayer_macros.te
deleted file mode 100644
index 6d067578..00000000
--- a/strict/macros/program/mplayer_macros.te
+++ /dev/null
@@ -1,159 +0,0 @@
-#
-# Macros for mplayer
-#
-# Author: Ivan Gyurdiev
-#
-# mplayer_domains(user) declares domains for mplayer, gmplayer,
-# and mencoder
-
-#####################################################
-# mplayer_common(role_prefix, mplayer_domain) #
-#####################################################
-
-define(`mplayer_common',`
-
-# Read global config
-r_dir_file($1_$2_t, mplayer_etc_t)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
-# Read data in /usr/share (fonts, icons..)
-r_dir_file($1_$2_t, usr_t)
-
-# Read /proc files and directories
-# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:file { getattr read };
-
-# Sysctl on kernel version
-read_sysctl($1_$2_t)
-
-# Allow ps, shared libs, locale, terminal access
-can_ps($1_t, $1_$2_t)
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-access_terminal($1_$2_t, $1)
-
-# Required for win32 binary loader
-allow $1_$2_t zero_device_t:chr_file { read write execute };
-if (allow_execmem) {
-allow $1_$2_t self:process execmem;
-}
-
-if (allow_execmod) {
-allow $1_$2_t zero_device_t:chr_file execmod;
-}
-allow $1_$2_t texrel_shlib_t:file execmod;
-
-# Access to DVD/CD/V4L
-allow $1_$2_t device_t:dir r_dir_perms;
-allow $1_$2_t device_t:lnk_file { getattr read };
-allow $1_$2_t removable_device_t:blk_file { getattr read };
-allow $1_$2_t v4l_device_t:chr_file { getattr read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-legacy_domain($1_$2)
-allow $1_$2_t lib_t:file execute;
-allow $1_$2_t locale_t:file execute;
-allow $1_$2_t sound_device_t:chr_file execute;
-}
-')
-
-###################################
-# mplayer_domain(role_prefix) #
-###################################
-
-define(`mplayer_domain',`
-
-type $1_mplayer_t, domain, nscd_client_domain;
-
-# Type transition
-domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
-role $1_r types $1_mplayer_t;
-
-# Home access, X access
-home_domain($1, mplayer)
-x_client_domain($1_mplayer, $1)
-
-# Mplayer common stuff
-mplayer_common($1, mplayer)
-
-# Fork
-allow $1_mplayer_t self:process { fork signal_perms getsched };
-allow $1_mplayer_t self:fifo_file rw_file_perms;
-
-# Audio, alsa.conf
-allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
-allow $1_mplayer_t etc_t:file { getattr read };
-r_dir_file($1_mplayer_t, alsa_etc_rw_t);
-
-# RTC clock
-allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
-}
-
-#======gmplayer gui==========#
-# File dialogs
-dontaudit_getattr($1_mplayer_t)
-dontaudit_read_dir($1_mplayer_t)
-dontaudit_search_dir($1_mplayer_t)
-
-# Unfortunately the ancient file dialog starts in /
-allow $1_mplayer_t home_root_t:dir read;
-
-# Read /etc/mtab
-allow $1_mplayer_t etc_runtime_t:file { read getattr };
-
-# Run bash/sed (??)
-allow $1_mplayer_t bin_t:dir search;
-allow $1_mplayer_t bin_t:lnk_file read;
-can_exec($1_mplayer_t, bin_t)
-can_exec($1_mplayer_t, shell_exec_t)
-#============================#
-
-# Read songs
-read_content($1_mplayer_t, $1)
-
-') dnl end mplayer_domain
-
-###################################
-# mencoder_domain(role_prefix) #
-###################################
-
-define(`mencoder_domain',`
-
-type $1_mencoder_t, domain;
-
-# Type transition
-domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-role $1_r types $1_mencoder_t;
-
-# Access mplayer home domain
-home_domain_access($1_mencoder_t, $1, mplayer)
-
-# Mplayer common stuff
-mplayer_common($1, mencoder)
-
-# Read content to encode
-read_content($1_mencoder_t, $1)
-
-# Save encoded files
-write_trusted($1_mencoder_t, $1)
-
-') dnl end mencoder_domain
-
-#############################
-# mplayer_domains(role) #
-#############################
-
-define(`mplayer_domains', `
-mplayer_domain($1)
-mencoder_domain($1)
-') dnl end mplayer_domains
-
diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te
deleted file mode 100644
index 930d1a2c..00000000
--- a/strict/macros/program/mta_macros.te
+++ /dev/null
@@ -1,121 +0,0 @@
-# Macros for MTA domains.
-#
-
-#
-# Author: Russell Coker
-# Based on the work of: Stephen Smalley
-# Timothy Fraser
-#
-
-#
-# mail_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail. These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mta.te.
-#
-undefine(`mail_domain')
-define(`mail_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
-
-ifdef(`sendmail.te', `
-sendmail_user_domain($1)
-')
-
-can_exec($1_mail_t, sendmail_exec_t)
-allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
-
-# The user role is authorized for this domain.
-role $1_r types $1_mail_t;
-
-uses_shlib($1_mail_t)
-can_network_client_tcp($1_mail_t)
-allow $1_mail_t port_type:tcp_socket name_connect;
-can_resolve($1_mail_t)
-can_ypbind($1_mail_t)
-allow $1_mail_t self:unix_dgram_socket create_socket_perms;
-allow $1_mail_t self:unix_stream_socket create_socket_perms;
-
-read_locale($1_mail_t)
-read_sysctl($1_mail_t)
-allow $1_mail_t device_t:dir search;
-allow $1_mail_t { var_t var_spool_t }:dir search;
-allow $1_mail_t self:process { fork signal_perms setrlimit };
-allow $1_mail_t sbin_t:dir search;
-
-# It wants to check for nscd
-dontaudit $1_mail_t var_run_t:dir search;
-
-# Use capabilities
-allow $1_mail_t self:capability { setuid setgid chown };
-
-# Execute procmail.
-can_exec($1_mail_t, bin_t)
-ifdef(`procmail.te',`
-can_exec($1_mail_t, procmail_exec_t)')
-
-ifelse(`$1', `system', `
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
-
-ifdef(`crond.te', `
-# Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
-')
-can_access_pty(system_mail_t, initrc)
-
-', `
-# For when the user wants to send mail via port 25 localhost
-can_tcp_connect($1_t, mail_server_domain)
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
-allow $1_t sendmail_exec_t:lnk_file { getattr read };
-
-# Read user temporary files.
-allow $1_mail_t $1_tmp_t:file r_file_perms;
-dontaudit $1_mail_t $1_tmp_t:file append;
-ifdef(`postfix.te', `
-# postfix seems to need write access if the file handle is opened read/write
-allow $1_mail_t $1_tmp_t:file write;
-')dnl end if postfix
-
-allow mta_user_agent $1_tmp_t:file { read getattr };
-
-# Write to the user domain tty.
-access_terminal(mta_user_agent, $1)
-access_terminal($1_mail_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
-allow $1_mail_t privfd:fd use;
-
-# Create dead.letter in user home directories.
-file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
-
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_mail_t, cifs_t)
-}
-
-# if you do not want to allow dead.letter then use the following instead
-#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
-#allow $1_mail_t $1_home_t:file r_file_perms;
-
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
-')dnl end if system
-
-allow $1_mail_t etc_t:file { getattr read };
-ifdef(`qmail.te', `
-allow $1_mail_t qmail_etc_t:dir search;
-allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
-
-')
diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te
deleted file mode 100644
index 0d522822..00000000
--- a/strict/macros/program/newrole_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-# Authors: Anthony Colatrella (NSA) Stephen Smalley
-# Russell Coker
-
-# This macro defines the rules for a newrole like program, it is used by
-# newrole.te and sudo.te, but may be used by other policy at some later time.
-
-define(`newrole_domain', `
-# Rules for the $1_t domain.
-#
-# $1_t is the domain for the program.
-# $1_exec_t is the type of the executable.
-#
-type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
-in_user_role($1_t)
-role sysadm_r types $1_t;
-
-general_domain_access($1_t);
-
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
-
-# for when the user types "exec newrole" at the command line
-allow $1_t privfd:process sigchld;
-
-# Inherit descriptors from the current session.
-allow $1_t privfd:fd use;
-
-# Execute /sbin/pwdb_chkpwd to check the password.
-allow $1_t sbin_t:dir r_dir_perms;
-
-# Execute shells
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file read;
-allow $1_t shell_exec_t:file r_file_perms;
-
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-# Allow $1_t to transition to user domains.
-domain_trans($1_t, shell_exec_t, unpriv_userdomain)
-if(!secure_mode)
-{
- # if we are not in secure mode then we can transition to sysadm_t
- domain_trans($1_t, shell_exec_t, sysadm_t)
-}
-
-can_setexec($1_t)
-
-allow $1_t autofs_t:dir search;
-
-# Use capabilities.
-allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, selinux_config_t)
-allow $1_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-ifdef(`distro_debian', `
-# for /etc/alternatives
-allow $1_t etc_t:lnk_file read;
-')
-
-#
-# Allow newrole to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-dontaudit $1_t { home_root_t home_type }:dir search;
-
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_t:process signal;
-')
diff --git a/strict/macros/program/orbit_macros.te b/strict/macros/program/orbit_macros.te
deleted file mode 100644
index b2dd5d16..00000000
--- a/strict/macros/program/orbit_macros.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# ORBit related types
-#
-# Author: Ivan Gyurdiev
-#
-# orbit_domain(prefix, role_prefix) - create ORBit sockets
-# orbit_connect(type1_prefix, type2_prefix)
-# - allow communication through ORBit sockets from type1 to type2
-
-define(`orbit_domain', `
-
-# Protect against double inclusion for speed and correctness
-ifdef(`orbit_domain_$1_$2', `', `
-define(`orbit_domain_$1_$2')
-
-# Relabel directory (startup script)
-allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
-
-# Type for ORBit sockets
-type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
-allow $1_t tmp_t:dir { read search getattr };
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# Use random device(s)
-allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
-
-# Why do they do that?
-dontaudit $1_t $2_orbit_tmp_t:dir setattr;
-
-') dnl ifdef orbit_domain_args
-') dnl orbit_domain
-
-##########################
-
-define(`orbit_connect', `
-
-can_unix_connect($1_t, $2_t)
-allow $1_t $2_orbit_tmp_t:sock_file write;
-
-') dnl orbit_connect
diff --git a/strict/macros/program/pyzor_macros.te b/strict/macros/program/pyzor_macros.te
deleted file mode 100644
index af67d30a..00000000
--- a/strict/macros/program/pyzor_macros.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-# block spam using identifying digests of messages.
-#
-# Author: David Hampton
-#
-
-##########
-# common definitions for pyzord and all flavors of pyzor
-##########
-define(`pyzor_base_domain',`
-
-# Networking
-can_network_client_tcp($1_t, http_port_t);
-can_network_udp($1_t, pyzor_port_t);
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-tmp_domain($1)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_lib_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Python does a getattr on this file
-allow $1_t pyzor_exec_t:file getattr;
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a pyzor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`pyzor_domain',`
-type $1_pyzor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_pyzor_t;
-domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
-
-pyzor_base_domain($1_pyzor)
-
-# Per-user config/data files
-home_domain($1, pyzor)
-file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)
-
-# System config files
-r_dir_file($1_pyzor_t, pyzor_etc_t)
-
-# System data files
-r_dir_file($1_pyzor_t, pyzor_var_lib_t);
-
-allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow pyzor to be run by hand. Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_pyzor_t, $1)
-allow $1_pyzor_t sshd_t:fd use;
-')
diff --git a/strict/macros/program/razor_macros.te b/strict/macros/program/razor_macros.te
deleted file mode 100644
index e4c7c559..00000000
--- a/strict/macros/program/razor_macros.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Razor - Razor is a collaborative, networked system to detect and
-# block spam using identifying digests of messages.
-#
-# Author: David Hampton
-#
-
-##########
-# common definitions for razord and all flavors of razor
-##########
-define(`razor_base_domain',`
-
-# Razor is one executable and several symlinks
-allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
-
-# Networking
-can_network_client_tcp($1_t, razor_port_t)
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-# Read system config file
-r_dir_file($1_t, razor_etc_t)
-
-# Update razor common files
-file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
-create_dir_file($1_t, razor_log_t)
-allow $1_t var_lib_t:dir search;
-create_dir_file($1_t, razor_var_lib_t)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Razor forks other programs to do part of its work.
-general_domain_access($1_t)
-can_exec($1_t, bin_t)
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a razor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`razor_domain',`
-type $1_razor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_razor_t;
-domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
-
-razor_base_domain($1_razor)
-
-# Per-user config/data files
-home_domain($1, razor)
-file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir)
-
-tmp_domain($1_razor)
-
-allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow razor to be run by hand. Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_razor_t, $1)
-allow $1_razor_t sshd_t:fd use;
-')
diff --git a/strict/macros/program/resmgrd_macros.te b/strict/macros/program/resmgrd_macros.te
deleted file mode 100644
index ec0ac60a..00000000
--- a/strict/macros/program/resmgrd_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macro for resmgrd
-
-define(`can_resmgrd_connect', `
-ifdef(`resmgrd.te', `
-allow $1 resmgrd_t:unix_stream_socket connectto;
-allow $1 { var_t var_run_t }:dir search;
-allow $1 resmgrd_var_run_t:sock_file write;
-allow $1 resmgrd_t:fd use;
-')
-')
-
diff --git a/strict/macros/program/rhgb_macros.te b/strict/macros/program/rhgb_macros.te
deleted file mode 100644
index 9700fba2..00000000
--- a/strict/macros/program/rhgb_macros.te
+++ /dev/null
@@ -1,8 +0,0 @@
-
-define(`rhgb_domain', `
-ifdef(`rhgb.te', `
-allow $1 rhgb_t:process sigchld;
-allow $1 rhgb_t:fd use;
-allow $1 rhgb_t:fifo_file { read write };
-')dnl end ifdef
-')
diff --git a/strict/macros/program/rssh_macros.te b/strict/macros/program/rssh_macros.te
deleted file mode 100644
index 33fbdb58..00000000
--- a/strict/macros/program/rssh_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for Rssh domains
-#
-# Author: Colin Walters
-#
-
-#
-# rssh_domain(domain_prefix)
-#
-# Define a specific rssh domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/rssh.te.
-#
-undefine(`rssh_domain')
-ifdef(`rssh.te', `
-define(`rssh_domain',`
-type rssh_$1_t, domain, userdomain, privlog, privfd;
-role rssh_$1_r types rssh_$1_t;
-allow system_r rssh_$1_r;
-
-type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;
-type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;
-
-general_domain_access(rssh_$1_t);
-uses_shlib(rssh_$1_t);
-base_file_read_access(rssh_$1_t);
-allow rssh_$1_t var_t:dir r_dir_perms;
-r_dir_file(rssh_$1_t, etc_t);
-allow rssh_$1_t etc_runtime_t:file { getattr read };
-r_dir_file(rssh_$1_t, locale_t);
-can_exec(rssh_$1_t, bin_t);
-
-allow rssh_$1_t proc_t:dir { getattr search };
-allow rssh_$1_t proc_t:lnk_file { getattr read };
-
-r_dir_file(rssh_$1_t, rssh_$1_ro_t);
-create_dir_file(rssh_$1_t, rssh_$1_rw_t);
-
-can_create_pty(rssh_$1, `, userpty_type, user_tty_type')
-# Use the type when relabeling pty devices.
-type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;
-
-ifdef(`ssh.te',`
-allow rssh_$1_t sshd_t:fd use;
-allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;
-allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
-# For reading /home/user/.ssh
-r_dir_file(sshd_t, rssh_$1_ro_t);
-domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);
-')
-')
-
-', `
-
-define(`rssh_domain',`')
-
-')
diff --git a/strict/macros/program/run_program_macros.te b/strict/macros/program/run_program_macros.te
deleted file mode 100644
index c98bbee7..00000000
--- a/strict/macros/program/run_program_macros.te
+++ /dev/null
@@ -1,73 +0,0 @@
-
-# $1 is the source domain (or domains), $2 is the source role (or roles) and $3
-# is the base name for the domain to run. $1 is normally sysadm_t, and $2 is
-# normally sysadm_r. $4 is the type of program to run and $5 is the domain to
-# transition to.
-# sample usage:
-# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t)
-#
-# if you have several users who run the same run_init type program for
-# different purposes (think of a run_db program used by several database
-# administrators to start several databases) then you can list all the source
-# domains in $1, all the source roles in $2, but you may not want to list all
-# types of programs to run in $4 and target domains in $5 (as that may permit
-# entering a domain from the wrong type). In such a situation just specify
-# one value for each of $4 and $5 and have some rules such as the following:
-# domain_trans(run_whatever_t, whatever_exec_t, whatever_t)
-
-define(`run_program', `
-type run_$3_exec_t, file_type, exec_type, sysadmfile;
-
-# domain for program to run in, needs to change role (priv_system_role), change
-# identity to system_u (privuser), log failures to syslog (privlog) and
-# authenticate users
-type run_$3_t, domain, priv_system_role, privuser, privlog;
-domain_auto_trans($1, run_$3_exec_t, run_$3_t)
-role $2 types run_$3_t;
-
-domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)
-dontaudit run_$3_t shadow_t:file getattr;
-
-# for utmp
-allow run_$3_t initrc_var_run_t:file rw_file_perms;
-allow run_$3_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit run_$3_t devpts_t:dir { getattr read };
-dontaudit run_$3_t device_t:dir read;
-
-# for auth_chkpwd
-dontaudit run_$3_t shadow_t:file read;
-allow run_$3_t self:process { fork sigchld };
-allow run_$3_t self:fifo_file rw_file_perms;
-allow run_$3_t self:capability setuid;
-allow run_$3_t self:lnk_file read;
-
-# often the administrator runs such programs from a directory that is owned
-# by a different user or 
has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_$3_t file_type:dir search;
-dontaudit run_$3_t self:capability { dac_override dac_read_search };
-
-allow run_$3_t bin_t:lnk_file read;
-can_exec(run_$3_t, { bin_t shell_exec_t })
-ifdef(`chkpwd.te', `
-can_exec(run_$3_t, chkpwd_exec_t)
-')
-
-domain_trans(run_$3_t, $4, $5)
-can_setexec(run_$3_t)
-
-allow run_$3_t privfd:fd use;
-uses_shlib(run_$3_t)
-allow run_$3_t lib_t:file { getattr read };
-can_getsecurity(run_$3_t)
-r_dir_file(run_$3_t,selinux_config_t)
-r_dir_file(run_$3_t,default_context_t)
-allow run_$3_t self:unix_stream_socket create_socket_perms;
-allow run_$3_t self:unix_dgram_socket create_socket_perms;
-allow run_$3_t etc_t:file { getattr read };
-read_locale(run_$3_t)
-allow run_$3_t fs_t:filesystem getattr;
-allow run_$3_t { bin_t sbin_t }:dir search;
-dontaudit run_$3_t device_t:dir { getattr search };
-')
diff --git a/strict/macros/program/samba_macros.te b/strict/macros/program/samba_macros.te
deleted file mode 100644
index d7667845..00000000
--- a/strict/macros/program/samba_macros.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# Macros for samba domains.
-#
-
-#
-# Authors: Dan Walsh
-#
-
-#
-# samba_domain(domain_prefix)
-#
-# Define a derived domain for the samba program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/samba.te.
-#
-undefine(`samba_domain')
-ifdef(`samba.te', `
-define(`samba_domain',`
-if ( samba_enable_home_dirs ) {
-allow smbd_t home_root_t:dir r_dir_perms;
-file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
-dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
-}
-')
-', `
-define(`samba_domain',`')
-
-')dnl end if samba.te
diff --git a/strict/macros/program/screen_macros.te b/strict/macros/program/screen_macros.te
deleted file mode 100644
index e81a90a5..00000000
--- a/strict/macros/program/screen_macros.te
+++ /dev/null
@@ -1,113 +0,0 @@ -# -# Macros for screen domains. -# - -# -# Author: Russell Coker -# Based on the work of Stephen Smalley -# and Timothy Fraser -# - -# -# screen_domain(domain_prefix) -# -# Define a derived domain for the screen program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/screen.te. -# -undefine(`screen_domain') -ifdef(`screen.te', ` -define(`screen_domain',` -# Derived domain based on the calling user domain and the program. -type $1_screen_t, domain, privlog, privfd, nscd_client_domain; - -# Transition from the user domain to this domain. -domain_auto_trans($1_t, screen_exec_t, $1_screen_t) - -tmp_domain($1_screen, `', `{ dir file fifo_file }') -base_file_read_access($1_screen_t) -# The user role is authorized for this domain. -role $1_r types $1_screen_t; - -uses_shlib($1_screen_t) - -# for SSP -allow $1_screen_t urandom_device_t:chr_file read; - -# Revert to the user domain when a shell is executed. -domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t) -domain_auto_trans($1_screen_t, $1_home_t, $1_t) -if (use_nfs_home_dirs) { -domain_auto_trans($1_screen_t, nfs_t, $1_t) -} -if (use_samba_home_dirs) { -domain_auto_trans($1_screen_t, cifs_t, $1_t) -} - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;') - -home_domain_ro($1, screen) - -allow $1_screen_t privfd:fd use; - -# Write to utmp. 
-allow $1_screen_t initrc_var_run_t:file rw_file_perms; -ifdef(`utempter.te', ` -dontaudit $1_screen_t utempter_exec_t:file execute; -') - -# create pty devices -can_create_other_pty($1_screen, $1) -allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms; -allow $1_screen_t device_t:dir { getattr read }; - -allow $1_screen_t fs_t:filesystem getattr; - -# Create fifo -allow $1_screen_t var_t:dir search; -file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir) -type $1_screen_var_run_t, file_type, sysadmfile, pidfile; -file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) - -allow $1_screen_t self:process { fork signal_perms }; -allow $1_t $1_screen_t:process signal; -allow $1_screen_t $1_t:process signal; -allow $1_screen_t self:capability { setuid setgid fsetid }; - -dontaudit $1_screen_t shadow_t:file read; - -allow $1_screen_t tmp_t:dir search; -can_network($1_screen_t) -allow $1_screen_t port_type:tcp_socket name_connect; -can_ypbind($1_screen_t) - -# get stats -allow $1_screen_t proc_t:dir search; -allow $1_screen_t proc_t:file { getattr read }; -allow $1_screen_t proc_t:lnk_file read; -allow $1_screen_t etc_t:{ file lnk_file } { read getattr }; -allow $1_screen_t self:dir { search read }; -allow $1_screen_t self:lnk_file read; -allow $1_screen_t device_t:dir search; -allow $1_screen_t { home_root_t $1_home_dir_t }:dir search; - -# Internal screen networking -allow $1_screen_t self:fd use; -allow $1_screen_t self:unix_stream_socket create_socket_perms; -allow $1_screen_t self:unix_dgram_socket create_socket_perms; - -allow $1_screen_t bin_t:dir search; -allow $1_screen_t bin_t:lnk_file read; -read_locale($1_screen_t) - -dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr; -')dnl end screen_domain - -', ` - -define(`screen_domain',`') - -') diff --git a/strict/macros/program/sendmail_macros.te b/strict/macros/program/sendmail_macros.te deleted file mode 100644 index 540e0a25..00000000 
--- a/strict/macros/program/sendmail_macros.te +++ /dev/null @@ -1,56 +0,0 @@ -# -# Macros for sendmail domains. -# - -# -# Authors: Stephen Smalley and Timothy Fraser -# Russell Coker -# - -# -# sendmail_user_domain(domain_prefix) -# -# Define a derived domain for the sendmail program when executed by -# a user domain to send outgoing mail. These domains are separate and -# independent of the domain used for the sendmail daemon process. -# -undefine(`sendmail_user_domain') -define(`sendmail_user_domain', ` - -# Use capabilities -allow $1_mail_t self:capability net_bind_service; - -tmp_domain($1_mail) - -# Write to /var/spool/mail and /var/spool/mqueue. -allow $1_mail_t mail_spool_t:dir rw_dir_perms; -allow $1_mail_t mail_spool_t:file create_file_perms; -allow $1_mail_t mqueue_spool_t:dir rw_dir_perms; -allow $1_mail_t mqueue_spool_t:file create_file_perms; - -# Write to /var/log/sendmail.st -file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t) - -allow $1_mail_t etc_mail_t:dir { getattr search }; - -allow $1_mail_t { var_t var_spool_t }:dir getattr; - -allow $1_mail_t etc_runtime_t:file { getattr read }; - -# Check available space. -allow $1_mail_t fs_t:filesystem getattr; - -allow $1_mail_t sysctl_kernel_t:dir search; - -ifelse(`$1', `sysadm', ` -allow $1_mail_t proc_t:dir { getattr search }; -allow $1_mail_t proc_t:{ lnk_file file } { getattr read }; -dontaudit $1_mail_t proc_net_t:dir search; -allow $1_mail_t sysctl_kernel_t:file { getattr read }; -allow $1_mail_t etc_runtime_t:file { getattr read }; -', ` -dontaudit $1_mail_t proc_t:dir search; -dontaudit $1_mail_t sysctl_kernel_t:file read; -')dnl end if sysadm -') - diff --git a/strict/macros/program/slocate_macros.te b/strict/macros/program/slocate_macros.te deleted file mode 100644 index 115022b0..00000000 --- a/strict/macros/program/slocate_macros.te +++ /dev/null 
@@ -1,64 +0,0 @@ -# -# Macros for locate domains. -# - -# -# Author: Russell Coker -# - -# -# locate_domain(domain_prefix) -# -# Define a derived domain for the locate program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/locate.te. -# -undefine(`locate_domain') -ifdef(`slocate.te', ` -define(`locate_domain',` -# Derived domain based on the calling user domain and the program. -type $1_locate_t, domain; - -allow $1_locate_t self:process signal; - -allow $1_locate_t etc_t:file { getattr read }; -allow $1_locate_t self:unix_stream_socket create_socket_perms; -r_dir_file($1_locate_t,locate_var_lib_t) -allow $1_locate_t var_lib_t:dir search; - -# Transition from the user domain to this domain. -domain_auto_trans($1_t, locate_exec_t, $1_locate_t) - -# The user role is authorized for this domain. -role $1_r types $1_locate_t; - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', ` -allow $1_locate_t $1_gph_t:fd use; -') - -allow $1_locate_t privfd:fd use; - -# allow ps to show locate -can_ps($1_t, $1_locate_t) -allow $1_t $1_locate_t:process signal; - -uses_shlib($1_locate_t) -access_terminal($1_locate_t, $1) - -allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search }; -allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read }; - -base_file_read_access($1_locate_t) -r_dir_file($1_locate_t, { etc_t lib_t var_t }) -dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms; -dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read }; -') - -', ` - -define(`locate_domain',`') - -') diff --git a/strict/macros/program/spamassassin_macros.te b/strict/macros/program/spamassassin_macros.te deleted file mode 100644 index c85cfc78..00000000 --- a/strict/macros/program/spamassassin_macros.te +++ /dev/null 
@@ -1,128 +0,0 @@ -# -# Macros for spamassassin domains. -# -# Author: Colin Walters - -# spamassassin_domain(domain_prefix) -# -# Define derived domains for various spamassassin tools when executed -# by a user domain. -# -# The type declarations for the executable types of these programs are -# provided separately in domains/program/spamassassin.te and -# domains/program/spamc.te. -# -undefine(`spamassassin_domain') -ifdef(`spamassassin.te', `define(`using_spamassassin', `')') -ifdef(`spamd.te', `define(`using_spamassassin', `')') -ifdef(`spamc.te', `define(`using_spamassassin', `')') - -ifdef(`using_spamassassin',` - -####### -# Macros used internally in these spamassassin macros. -# - -### -# Define a domain for a spamassassin-like program (spamc/spamassassin). -# -# Note: most of this should really be in a generic macro like -# base_user_program($1, foo) -define(`spamassassin_program_domain',` -type $1_$2_t, domain, privlog $3; -domain_auto_trans($1_t, $2_exec_t, $1_$2_t) - -role $1_r types $1_$2_t; -general_domain_access($1_$2_t) - -base_file_read_access($1_$2_t) -r_dir_file($1_$2_t, etc_t) -ifdef(`sendmail.te', ` -r_dir_file($1_$2_t, etc_mail_t) -') -allow $1_$2_t etc_runtime_t:file r_file_perms; -uses_shlib($1_$2_t) -read_locale($1_$2_t) -dontaudit $1_$2_t var_t:dir search; -tmp_domain($1_$2) -allow $1_$2_t privfd:fd use; -allow $1_$2_t userpty_type:chr_file rw_file_perms; -') dnl end spamassassin_program_domain - -### -# Give privileges to a domain for accessing ~/.spamassassin -# and a few other misc things like /dev/random. -# This is granted to /usr/bin/spamassassin and -# /usr/sbin/spamd, but NOT spamc (because it does not need it). -# -define(`spamassassin_agent_privs',` -allow $1 home_root_t:dir r_dir_perms; -file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t) -create_dir_file($1, $2_spamassassin_home_t) - -allow $1 urandom_device_t:chr_file r_file_perms; -') - -####### -# Define the main spamassassin macro. 
This itself creates a -# domain for /usr/bin/spamassassin, and also spamc/spamd if -# applicable. -# -define(`spamassassin_domain',` -spamassassin_program_domain($1, spamassassin) - -# For perl libraries. -allow $1_spamassassin_t lib_t:file rx_file_perms; -# Ignore perl digging in /proc and /var. -dontaudit $1_spamassassin_t proc_t:dir search; -dontaudit $1_spamassassin_t proc_t:lnk_file read; -dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; - -# For ~/.spamassassin -home_domain($1, spamassassin) -file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir) - -spamassassin_agent_privs($1_spamassassin_t, $1) - -can_resolve($1_spamassassin_t) -# set tunable if you have spamassassin do DNS lookups -if (spamassasin_can_network) { -can_network($1_spamassassin_t) -allow $1_spamassassin_t port_type:tcp_socket name_connect; -} -if (spamassasin_can_network && allow_ypbind) { -uncond_can_ypbind($1_spamassassin_t) -} -### -# Define the domain for /usr/bin/spamc -# -ifdef(`spamc.te',` -spamassassin_program_domain($1, spamc, `, nscd_client_domain') -can_network($1_spamc_t) -allow $1_spamc_t port_type:tcp_socket name_connect; -can_ypbind($1_spamc_t) - -# Allow connecting to a local spamd -ifdef(`spamd.te',` -can_tcp_connect($1_spamc_t, spamd_t) -can_unix_connect($1_spamc_t, spamd_t) -allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; -') dnl endif spamd.te -') dnl endif spamc.te - -### -# Define the domain for /usr/sbin/spamd -# -ifdef(`spamd.te',` - -spamassassin_agent_privs(spamd_t, $1) - -') dnl endif spamd.te - -') dnl end spamassassin_domain - -', ` - -define(`spamassassin_domain',`') - -') diff --git a/strict/macros/program/ssh_agent_macros.te b/strict/macros/program/ssh_agent_macros.te deleted file mode 100644 index 7215f5c5..00000000 --- a/strict/macros/program/ssh_agent_macros.te +++ /dev/null 
@@ -1,117 +0,0 @@ -# -# Macros for ssh agent -# - -# -# Author: Thomas Bleher -# - -# -# ssh_agent_domain(domain_prefix) -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/ssh-agent.te. -# -define(`ssh_agent_domain',` -# Define a derived domain for the ssh-agent program when executed -# by a user domain. -# Derived domain based on the calling user domain and the program. -type $1_ssh_agent_t, domain, privlog; - -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t) - -# The user role is authorized for this domain. -role $1_r types $1_ssh_agent_t; - -allow $1_ssh_agent_t privfd:fd use; - -# Write to the user domain tty. -access_terminal($1_ssh_agent_t, $1) - -# Allow the user shell to signal the ssh program. -allow $1_t $1_ssh_agent_t:process signal; -# allow ps to show ssh -can_ps($1_t, $1_ssh_agent_t) - -can_ypbind($1_ssh_agent_t) -if (use_nfs_home_dirs) { -allow $1_ssh_agent_t autofs_t:dir { search getattr }; -rw_dir_create_file($1_ssh_agent_t, nfs_t) -} -if (use_samba_home_dirs) { -rw_dir_create_file($1_ssh_agent_t, cifs_t) -} - -uses_shlib($1_ssh_agent_t) -read_locale($1_ssh_agent_t) - -allow $1_ssh_agent_t proc_t:dir search; -dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; -dontaudit $1_ssh_agent_t selinux_config_t:dir search; -dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr }; -read_sysctl($1_ssh_agent_t) - -# Access the ssh temporary files. Should we have an own type here -# to which only ssh, ssh-agent and ssh-add have access? 
-allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms; -file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t) -allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms; -allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms; - -allow $1_ssh_agent_t self:process { fork sigchld setrlimit }; -allow $1_ssh_agent_t self:capability setgid; - -# access the random devices -allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read }; - -# for ssh-add -can_unix_connect($1_t, $1_ssh_agent_t) - -# transition back to normal privs upon exec -domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t) -if (use_nfs_home_dirs) { -domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t) -} -if (use_samba_home_dirs) { -domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t) -} -allow $1_ssh_agent_t bin_t:dir search; - -# allow reading of /usr/bin/X11 (is a symlink) -allow $1_ssh_agent_t bin_t:lnk_file read; - -allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull; - -allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search; - -allow $1_ssh_t $1_tmp_t:sock_file write; -allow $1_ssh_t $1_t:unix_stream_socket connectto; -allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto; - -ifdef(`xdm.te', ` -can_pipe_xdm($1_ssh_agent_t) - -# kdm: sigchld -allow $1_ssh_agent_t xdm_t:process sigchld; -') - -# -# Allow command to ssh-agent > ~/.ssh_agent -# -allow $1_ssh_agent_t $1_home_t:file rw_file_perms; -allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms; - -allow $1_ssh_agent_t etc_runtime_t:file { getattr read }; -allow $1_ssh_agent_t etc_t:file { getattr read }; -allow $1_ssh_agent_t lib_t:file { getattr read }; - -allow $1_ssh_agent_t self:dir search; -allow $1_ssh_agent_t self:file { getattr read }; - -# Allow the ssh program to communicate with ssh-agent. -allow $1_ssh_t $1_tmp_t:sock_file write; -allow $1_ssh_t $1_t:unix_stream_socket connectto; -allow $1_ssh_t sshd_t:unix_stream_socket connectto; -')dnl end if ssh_agent - 
diff --git a/strict/macros/program/ssh_macros.te b/strict/macros/program/ssh_macros.te
deleted file mode 100644
index 0f6549f8..00000000
--- a/strict/macros/program/ssh_macros.te
+++ /dev/null
@@ -1,168 +0,0 @@ -# -# Macros for ssh domains. -# - -# -# Authors: Stephen Smalley -# Russell Coker -# Thomas Bleher -# - -# -# ssh_domain(domain_prefix) -# -# Define a derived domain for the ssh program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/ssh.te. -# -undefine(`ssh_domain') -ifdef(`ssh.te', ` -define(`ssh_domain',` -# Derived domain based on the calling user domain and the program. -type $1_ssh_t, domain, privlog, nscd_client_domain; -type $1_home_ssh_t, file_type, $1_file_type, sysadmfile; - -allow $1_ssh_t autofs_t:dir { search getattr }; -if (use_nfs_home_dirs) { -create_dir_file($1_ssh_t, nfs_t) -} -if (use_samba_home_dirs) { -create_dir_file($1_ssh_t, cifs_t) -} - -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t) - -# The user role is authorized for this domain. -role $1_r types $1_ssh_t; - -# Grant permissions within the domain. -general_domain_access($1_ssh_t) - -# Use descriptors created by sshd -allow $1_ssh_t privfd:fd use; - -uses_shlib($1_ssh_t) -read_locale($1_ssh_t) - -# Get attributes of file systems. -allow $1_ssh_t fs_type:filesystem getattr; - -base_file_read_access($1_ssh_t) - -# Read /var. -r_dir_file($1_ssh_t, var_t) - -# Read /var/run, /var/log. -allow $1_ssh_t var_run_t:dir r_dir_perms; -allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms; -allow $1_ssh_t var_log_t:dir r_dir_perms; -allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms; - -# Read /etc. -r_dir_file($1_ssh_t, etc_t) -allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms; - -# Read /dev directories and any symbolic links. -allow $1_ssh_t device_t:dir r_dir_perms; -allow $1_ssh_t device_t:lnk_file r_file_perms; - -# Read /dev/urandom. -allow $1_ssh_t urandom_device_t:chr_file r_file_perms; - -# Read and write /dev/null. 
-allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms; - -# Grant permissions needed to create TCP and UDP sockets and -# to access the network. -can_network_client_tcp($1_ssh_t) -allow $1_ssh_t ssh_port_t:tcp_socket name_connect; -can_resolve($1_ssh_t) -can_ypbind($1_ssh_t) -can_kerberos($1_ssh_t) - -# for port forwarding -if (user_tcp_server) { -allow $1_ssh_t port_t:tcp_socket name_bind; -} - -# Use capabilities. -allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; - -# run helper programs - needed eg for x11-ssh-askpass -can_exec($1_ssh_t, { shell_exec_t bin_t }) - -# Read the ssh key file. -allow $1_ssh_t sshd_key_t:file r_file_perms; - -# Access the ssh temporary files. -file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t) -allow $1_ssh_t $1_tmp_t:dir r_dir_perms; - -# for rsync -allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms; - -# Access the users .ssh directory. -file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir) -file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file) -allow $1_t $1_home_ssh_t:sock_file create_file_perms; -allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms; -allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read }; -dontaudit $1_ssh_t $1_home_t:dir { getattr search }; -r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t) -rw_dir_create_file($1_t, $1_home_ssh_t) - -# for /bin/sh used to execute xauth -dontaudit $1_ssh_t proc_t:dir search; -dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;') - -# Write to the user domain tty. -access_terminal($1_ssh_t, $1) - -# Allow the user shell to signal the ssh program. 
-allow $1_t $1_ssh_t:process signal; -# allow ps to show ssh -can_ps($1_t, $1_ssh_t) - -# Connect to X server -x_client_domain($1_ssh, $1) - -ifdef(`ssh-agent.te', ` -ssh_agent_domain($1) -')dnl end if ssh_agent.te - -#allow ssh to access keys stored on removable media -# Should we have a boolean around this? -allow $1_ssh_t mnt_t:dir search; -r_dir_file($1_ssh_t, removable_t) - -type $1_ssh_keysign_t, domain, nscd_client_domain; -role $1_r types $1_ssh_keysign_t; - -if (allow_ssh_keysign) { -domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t) -allow $1_ssh_keysign_t sshd_key_t:file { getattr read }; -allow $1_ssh_keysign_t self:capability { setgid setuid }; -allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms; -uses_shlib($1_ssh_keysign_t) -dontaudit $1_ssh_keysign_t selinux_config_t:dir search; -dontaudit $1_ssh_keysign_t proc_t:dir search; -dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read }; -allow $1_ssh_keysign_t usr_t:dir search; -allow $1_ssh_keysign_t etc_t:file { getattr read }; -allow $1_ssh_keysign_t self:dir search; -allow $1_ssh_keysign_t self:file { getattr read }; -allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms; -} - -')dnl end macro definition -', ` - -define(`ssh_domain',`') - -')dnl end if ssh.te diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te deleted file mode 100644 index 206f58ef..00000000 --- a/strict/macros/program/su_macros.te +++ /dev/null 
@@ -1,188 +0,0 @@ -# -# Macros for su domains. -# - -# -# Authors: Stephen Smalley and Timothy Fraser -# - -# -# su_domain(domain_prefix) -# -# Define a derived domain for the su program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/su.te. -# - -undefine(`su_restricted_domain') -undefine(`su_mini_domain') -undefine(`su_domain') -ifdef(`su.te', ` - -define(`su_restricted_domain', ` -# Derived domain based on the calling user domain and the program. -type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain; -ifdef(`support_polyinstantiation', ` -typeattribute $1_su_t mlsfileread; -typeattribute $1_su_t mlsfilewrite; -typeattribute $1_su_t mlsfileupgrade; -typeattribute $1_su_t mlsfiledowngrade; -typeattribute $1_su_t mlsprocsetsl; -') - -# for SSP -allow $1_su_t urandom_device_t:chr_file { getattr read }; - -# Transition from the user domain to this domain. -domain_auto_trans($1_t, su_exec_t, $1_su_t) - -allow $1_su_t sbin_t:dir search; - -uses_shlib($1_su_t) -allow $1_su_t etc_t:file { getattr read }; -read_locale($1_su_t) -read_sysctl($1_su_t) -allow $1_su_t self:unix_dgram_socket { connect create write }; -allow $1_su_t self:unix_stream_socket create_stream_socket_perms; -allow $1_su_t self:fifo_file rw_file_perms; -allow $1_su_t proc_t:dir search; -allow $1_su_t proc_t:lnk_file read; -r_dir_file($1_su_t, self) -allow $1_su_t proc_t:file read; -allow $1_su_t self:process { setsched setrlimit }; -allow $1_su_t device_t:dir search; -allow $1_su_t self:process { fork sigchld }; -nsswitch_domain($1_su_t) -r_dir_file($1_su_t, selinux_config_t) - -dontaudit $1_su_t shadow_t:file { getattr read }; -dontaudit $1_su_t home_root_t:dir search; -dontaudit $1_su_t init_t:fd use; -allow $1_su_t var_lib_t:dir search; -allow $1_t $1_su_t:process signal; - -ifdef(`crond.te', ` -allow $1_su_t crond_t:fifo_file read; -') - -# Use capabilities. 
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write }; -dontaudit $1_su_t self:capability sys_tty_config; -# -# Caused by su - init scripts -# -dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; - -# By default, revert to the calling domain when a shell is executed. -domain_auto_trans($1_su_t, shell_exec_t, $1_t) -allow $1_su_t bin_t:dir search; -allow $1_su_t bin_t:lnk_file read; - -# But also allow transitions to unprivileged user domains. -domain_trans($1_su_t, shell_exec_t, unpriv_userdomain) -can_setexec($1_su_t) - -# Get security decisions -can_getsecurity($1_su_t) -r_dir_file($1_su_t, default_context_t) - -allow $1_su_t privfd:fd use; - -# Write to utmp. -allow $1_su_t { var_t var_run_t }:dir search; -allow $1_su_t initrc_var_run_t:file rw_file_perms; -can_kerberos($1_su_t) - -ifdef(`chkpwd.te', ` -domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t) -') - -allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - -') dnl end su_restricted_domain - -define(`su_mini_domain', ` -su_restricted_domain($1,$1) -if(!secure_mode) -{ - # if we are not in secure mode then we can transition to sysadm_t - domain_trans($1_su_t, shell_exec_t, sysadm_t) -} - -# Relabel ttys and ptys. -allow $1_su_t device_t:dir { getattr read search }; -allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; - -# Close and re-open ttys and ptys to get the fd into the correct domain. -allow $1_su_t { ttyfile ptyfile }:chr_file { read write }; - -')dnl end su_mini_domain - -define(`su_domain', ` -su_mini_domain($1) - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') - -# The user role is authorized for this domain. -role $1_r types $1_su_t; - -# Write to the user domain tty. 
-access_terminal($1_su_t, $1) - -allow $1_su_t { home_root_t $1_home_dir_t }:dir search; -allow $1_su_t $1_home_t:file create_file_perms; -ifdef(`user_canbe_sysadm', ` -allow $1_su_t home_dir_type:dir { search write }; -', ` -dontaudit $1_su_t home_dir_type:dir { search write }; -') - -allow $1_su_t autofs_t:dir { search getattr }; -if (use_nfs_home_dirs) { -allow $1_su_t nfs_t:dir search; -} -if (use_samba_home_dirs) { -allow $1_su_t cifs_t:dir search; -} - -ifdef(`support_polyinstantiation', ` -# Su can polyinstantiate -polyinstantiater($1_su_t) -# Su has to unmount polyinstantiated directories (like home) -# that should not be polyinstantiated under the new user -allow $1_su_t fs_t:filesystem unmount; -# Su needs additional permission to mount over a previous mount -allow $1_su_t polymember:dir mounton; -') - -# Modify .Xauthority file (via xauth program). -ifdef(`xauth.te', ` -file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) -file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) -file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) -domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) -') - -ifdef(`cyrus.te', ` -allow $1_su_t cyrus_var_lib_t:dir search; -') -ifdef(`ssh.te', ` -# Access sshd cookie files. -allow $1_su_t sshd_tmp_t:dir rw_dir_perms; -allow $1_su_t sshd_tmp_t:file rw_file_perms; -file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) -') - -allow $1_su_t var_lib_t:dir search; -dontaudit $1_su_t init_t:fd use; -')dnl end su_domain - -', ` - -define(`su_domain',`') - -') - diff --git a/strict/macros/program/sudo_macros.te b/strict/macros/program/sudo_macros.te deleted file mode 100644 index b2b4e1cb..00000000 --- a/strict/macros/program/sudo_macros.te +++ /dev/null 
@@ -1,34 +0,0 @@
-# Authors: Dan Walsh, Russell Coker
-# Maintained by Dan Walsh
-define(`sudo_domain',`
-newrole_domain($1_sudo, `, privuser')
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
-')
-
-allow $1_sudo_t self:capability sys_resource;
-
-allow $1_sudo_t self:process setrlimit;
-
-ifdef(`pam.te', `
-allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
-allow $1_sudo_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
-allow $1_sudo_t sysctl_t:dir search;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
-read_sysctl($1_sudo_t)
-
-allow $1_sudo_t var_run_t:dir search;
-r_dir_file($1_sudo_t, default_context_t)
-rw_dir_create_file($1_sudo_t, $1_tmp_t)
-rw_dir_create_file($1_sudo_t, $1_home_t)
-domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
-')
diff --git a/strict/macros/program/thunderbird_macros.te b/strict/macros/program/thunderbird_macros.te
deleted file mode 100644
index 2c0711d1..00000000
--- a/strict/macros/program/thunderbird_macros.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Thunderbird
-#
-# Author: Ivan Gyurdiev
-#
-
-#######################################
-# thunderbird_domain(role_prefix)
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`thunderbird_domain', `
-
-# Type for program
-type $1_thunderbird_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_thunderbird_trans) {
-domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
-}
-role $1_r types $1_thunderbird_t;
-
-# FIXME: Why does it try to do that?
-dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
-
-# Why is thunderbird looking in .mozilla ?
-# FIXME: there are legitimate uses of invoking the browser - about -> release notes
-dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
-
-# .kde/....gtkrc
-# FIXME: support properly
-dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
-
-# X, mail common stuff
-x_client_domain($1_thunderbird, $1)
-mail_client_domain($1_thunderbird, $1)
-
-allow $1_thunderbird_t self:process signull;
-allow $1_thunderbird_t fs_t:filesystem getattr;
-
-# GNOME support
-ifdef(`gnome.te', `
-gnome_application($1_thunderbird, $1)
-gnome_file_dialog($1_thunderbird, $1)
-allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
-')
-
-# Access ~/.thunderbird
-home_domain($1, thunderbird)
-
-# RSS feeds
-can_network_client_tcp($1_thunderbird_t, http_port_t)
-allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
-
-allow $1_thunderbird_t self:process { execheap execmem execstack };
-
-')
diff --git a/strict/macros/program/tvtime_macros.te b/strict/macros/program/tvtime_macros.te
deleted file mode 100644
index d965ae1e..00000000
--- a/strict/macros/program/tvtime_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for tvtime domains.
-#
-
-#
-# Author: Dan Walsh
-#
-
-#
-# tvtime_domain(domain_prefix)
-#
-# Define a derived domain for the tvtime program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/tvtime.te.
-#
-undefine(`tvtime_domain')
-ifdef(`tvtime.te', `
-define(`tvtime_domain',`
-
-# Type transition
-type $1_tvtime_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
-role $1_r types $1_tvtime_t;
-
-# X access, Home files
-home_domain($1, tvtime)
-file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir)
-x_client_domain($1_tvtime, $1)
-
-uses_shlib($1_tvtime_t)
-read_locale($1_tvtime_t)
-read_sysctl($1_tvtime_t)
-access_terminal($1_tvtime_t, $1)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_tvtime_t)
-allow $1_t $1_tvtime_t:process signal_perms;
-
-# Read /etc/tvtime
-allow $1_tvtime_t etc_t:file { getattr read };
-
-# Tmp files
-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
-
-allow $1_tvtime_t urandom_device_t:chr_file read;
-allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
-allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
-allow $1_tvtime_t $1_home_t:dir { getattr read search };
-allow $1_tvtime_t $1_home_t:file { getattr read };
-allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
-allow $1_tvtime_t self:process setsched;
-allow $1_tvtime_t usr_t:file { getattr read };
-
-')dnl end tvtime_domain
-
-', `
-
-define(`tvtime_domain',`')
-
-')
-
diff --git a/strict/macros/program/uml_macros.te b/strict/macros/program/uml_macros.te
deleted file mode 100644
index bc635f86..00000000
--- a/strict/macros/program/uml_macros.te
+++ /dev/null
@@ -1,137 +0,0 @@
-#
-# Macros for uml domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# uml_domain(domain_prefix)
-#
-# Define a derived domain for the uml program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/uml.te.
-#
-undefine(`uml_domain')
-ifdef(`uml.te', `
-define(`uml_domain',`
-
-# Derived domain based on the calling user domain and the program.
-type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_ro_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_rw_t, file_type, sysadmfile, $1_file_type;
-
-# for X
-ifdef(`startx.te', `
-ifelse($1, sysadm, `', `
-ifdef(`xdm.te', `
-allow $1_uml_t xdm_xserver_tmp_t:dir search;
-')dnl end if xdm.te
-allow $1_uml_t $1_xserver_tmp_t:sock_file write;
-can_unix_connect($1_uml_t, $1_xserver_t)
-')dnl end ifelse sysadm
-')dnl end ifdef startx
-
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
-allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
-r_dir_file($1_t, uml_ro_t)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
-can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
-
-# The user role is authorized for this domain.
-role $1_r types $1_uml_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;')
-
-# allow ps, ptrace, signal
-can_ps($1_t, $1_uml_t)
-can_ptrace($1_t, $1_uml_t)
-allow $1_t $1_uml_t:process signal_perms;
-
-# allow the UML thing to happen
-allow $1_uml_t self:process { fork signal_perms ptrace };
-can_create_pty($1_uml)
-allow $1_uml_t root_t:dir search;
-tmp_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmp_t)
-tmpfs_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmpfs_t)
-create_dir_file($1_t, $1_uml_tmp_t)
-allow $1_t $1_uml_tmp_t:sock_file create_file_perms;
-allow $1_uml_t self:fifo_file rw_file_perms;
-allow $1_uml_t fs_t:filesystem getattr;
-
-allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl };
-
-ifdef(`uml_net.te', `
-# for uml_net
-domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
-allow uml_net_t $1_uml_t:unix_stream_socket { read write };
-allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
-dontaudit uml_net_t privfd:fd use;
-can_access_pty(uml_net_t, $1_uml)
-dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
-')dnl end ifdef uml_net.te
-
-# for mconsole
-allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
-allow $1_uml_t $1_t:unix_dgram_socket sendto;
-
-# Use the network.
-can_network($1_uml_t)
-allow $1_uml_t port_type:tcp_socket name_connect;
-can_ypbind($1_uml_t)
-
-# for xterm
-uses_shlib($1_uml_t)
-can_exec($1_uml_t, { bin_t sbin_t lib_t })
-allow $1_uml_t { bin_t sbin_t }:dir search;
-allow $1_uml_t etc_t:file { getattr read };
-dontaudit $1_uml_t etc_runtime_t:file read;
-can_tcp_connect($1_uml_t, sshd_t)
-ifdef(`xauth.te', `
-allow $1_uml_t $1_xauth_home_t:file { getattr read };
-')
-allow $1_uml_t var_run_t:dir search;
-allow $1_uml_t initrc_var_run_t:file { getattr read };
-dontaudit $1_uml_t initrc_var_run_t:file { write lock };
-
-allow $1_uml_t device_t:dir search;
-allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_uml_t self:unix_dgram_socket create_socket_perms;
-allow $1_uml_t privfd:fd use;
-allow $1_uml_t proc_t:dir search;
-allow $1_uml_t proc_t:file { getattr read };
-
-# for SKAS - need something better
-allow $1_uml_t proc_t:file write;
-
-# Write to the user domain tty.
-access_terminal($1_uml_t, $1)
-
-# access config files
-allow $1_uml_t home_root_t:dir search;
-file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)
-r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t })
-
-# putting uml data under /var is usual...
-allow $1_uml_t var_t:dir search;
-')dnl end macro definition
-
-', `
-
-define(`uml_domain',`')
-
-')
diff --git a/strict/macros/program/userhelper_macros.te b/strict/macros/program/userhelper_macros.te
deleted file mode 100644
index 2c715d37..00000000
--- a/strict/macros/program/userhelper_macros.te
+++ /dev/null
@@ -1,142 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors: Dan Walsh (Red Hat)
-# Maintained by Dan Walsh
-#
-
-#
-# userhelper_domain(domain_prefix)
-#
-# Define a derived domain for the userhelper/userhelper program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/userhelper.te.
-#
-define(`userhelper_domain',`
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
-
-in_user_role($1_userhelper_t)
-role sysadm_r types $1_userhelper_t;
-
-ifelse($1, sysadm, `
-typealias sysadm_userhelper_t alias userhelper_t;
-domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-general_domain_access($1_userhelper_t);
-
-uses_shlib($1_userhelper_t)
-read_locale($1_userhelper_t)
-read_sysctl($1_userhelper_t)
-
-# for when the user types "exec userhelper" at the command line
-allow $1_userhelper_t privfd:process sigchld;
-
-domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t)
-
-# Inherit descriptors from the current session.
-allow $1_userhelper_t { init_t privfd }:fd use;
-
-can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t })
-
-# Execute shells
-allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms;
-allow $1_userhelper_t { sbin_t bin_t }:lnk_file read;
-allow $1_userhelper_t shell_exec_t:file r_file_perms;
-
-# By default, revert to the calling domain when a program is executed.
-domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t)
-
-# Allow $1_userhelper_t to transition to user domains.
-domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain)
-if (!secure_mode) {
- # if we are not in secure mode then we can transition to sysadm_t
- domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t)
-}
-can_setexec($1_userhelper_t)
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-# Allow transitioning to rpm_t, for up2date
-allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };
-')
-')
-
-# Use capabilities.
-allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
-
-# Write to utmp.
-file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file)
-
-# Read the devpts root directory.
-allow $1_userhelper_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-allow $1_userhelper_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_userhelper_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_userhelper_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;')
-
-#
-# Allow $1_userhelper to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_userhelper_t)
-
-allow $1_userhelper_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_userhelper_t proc_t:dir search;
-allow $1_userhelper_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_userhelper_t:process signal;
-
-allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
-allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
-
-ifdef(`pam.te', `
-allow $1_userhelper_t pam_var_run_t:dir create_dir_perms;
-allow $1_userhelper_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_userhelper_t urandom_device_t:chr_file { getattr read };
-
-allow $1_userhelper_t autofs_t:dir search;
-role system_r types $1_userhelper_t;
-r_dir_file($1_userhelper_t, nfs_t)
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_userhelper_t)
-allow $1_userhelper_t xdm_var_run_t:dir search;
-')
-
-r_dir_file($1_userhelper_t, selinux_config_t)
-r_dir_file($1_userhelper_t, default_context_t)
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
-allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-allow $1_userhelper_t pam_var_console_t:dir { search };
-')
-
-ifdef(`mozilla.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
-
-')dnl end userhelper macro
diff --git a/strict/macros/program/vmware_macros.te b/strict/macros/program/vmware_macros.te
deleted file mode 100644
index bb0914a5..00000000
--- a/strict/macros/program/vmware_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@
-# Macro for vmware
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
-# modifications by NAI Labs.
-#
-# Turned into a macro by Thomas Bleher
-#
-# vmware_domain(domain_prefix)
-#
-# Define a derived domain for the vmware program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/vmware.te. This file also
-# implements a separate domain vmware_t.
-#
-
-define(`vmware_domain', `
-
-# Domain for the user applications to run in.
-type $1_vmware_t, domain, privmem;
-
-role $1_r types $1_vmware_t;
-
-# The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
-
-# The user file type for the VMWare configuration files
-type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
-
-#############################################################
-# User rules for running VMWare
-#
-# Transition to VMWare user domain
-domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
-can_exec($1_vmware_t, vmware_user_exec_t)
-uses_shlib($1_vmware_t)
-var_run_domain($1_vmware)
-
-general_domain_access($1_vmware_t);
-
-# Capabilities needed by VMWare for the user execution. This seems a
-# bit too much, so be careful.
-allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
-
-# Access to ttys
-allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
-allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_vmware_t privfd:fd use;
-
-# Access /proc
-r_dir_file($1_vmware_t, proc_t)
-allow $1_vmware_t proc_net_t:dir search;
-allow $1_vmware_t proc_net_t:file { getattr read };
-
-# Access to some files in the user home directory
-r_dir_file($1_vmware_t, $1_home_t)
-
-# Access to runtime files for user
-allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
-allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
-allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
-
-# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
-r_dir_file($1_vmware_t, vmware_sys_conf_t)
-
-# Allow $1_vmware_t to read/write files in the tmp dir
-tmp_domain($1_vmware)
-allow $1_vmware_t $1_vmware_tmp_t:file execute;
-
-# Allow read access to several paths
-r_dir_file($1_vmware_t, etc_t)
-allow $1_vmware_t etc_runtime_t:file r_file_perms;
-allow $1_vmware_t device_t:dir r_dir_perms;
-allow $1_vmware_t var_t:dir r_dir_perms;
-allow $1_vmware_t tmpfs_t:file rw_file_perms;
-
-# Allow vmware to write to ~/.vmware
-rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
-
-#
-# This is bad; VMWare needs execute permission to the .cfg file for the
-# configuration to run.
-#
-allow $1_vmware_t $1_vmware_conf_t:file execute;
-
-# Access X11 config files
-allow $1_vmware_t lib_t:file r_file_perms;
-
-# Access components of VMWare in /usr/lib/vmware/bin by default
-allow $1_vmware_t bin_t:dir r_dir_perms;
-
-# Allow access to lp port (Need to create an lp device domain )
-allow $1_vmware_t device_t:chr_file r_file_perms;
-
-# Allow access to /dev/mem
-allow $1_vmware_t memory_device_t:chr_file { read write };
-
-# Allow access to mouse
-allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
-
-# Allow access the sound device
-allow $1_vmware_t sound_device_t:chr_file { ioctl write };
-
-# Allow removable media and devices
-allow $1_vmware_t removable_device_t:blk_file r_file_perms;
-allow $1_vmware_t device_t:lnk_file read;
-
-# Allow access to the real time clock device
-allow $1_vmware_t clock_device_t:chr_file read;
-
-# Allow to attach to Xserver, and Xserver to attach back
-ifdef(`gnome-pty-helper.te', `
-allow $1_vmware_t $1_gph_t:fd use;
-')
-ifdef(`startx.te', `
-allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
-allow $1_vmware_t $1_xserver_tmp_t:dir search;
-allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
-allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
-allow $1_xserver_t $1_vmware_t:fd use;
-')
-
-# Allow filesystem read access
-allow $1_vmware_t fs_t:filesystem getattr;
-
-')
-
diff --git a/strict/macros/program/x_client_macros.te b/strict/macros/program/x_client_macros.te
deleted file mode 100644
index adce9f0f..00000000
--- a/strict/macros/program/x_client_macros.te
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# Macros for X client programs
-#
-
-#
-# Author: Russell Coker
-# Based on the work of Stephen Smalley
-# and Timothy Fraser
-#
-
-# Allows clients to write to the X server's shm
-bool allow_write_xshm false;
-
-define(`xsession_domain', `
-
-# Connect to xserver
-can_unix_connect($1_t, $2_xserver_t)
-
-# Read /tmp/.X0-lock
-allow $1_t $2_xserver_tmp_t:file { getattr read };
-
-# Signal Xserver
-allow $1_t $2_xserver_t:process signal;
-
-# Xserver read/write client shm
-allow $2_xserver_t $1_t:fd use;
-allow $2_xserver_t $1_t:shm rw_shm_perms;
-allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
-
-# Client read xserver shm
-allow $1_t $2_xserver_t:fd use;
-allow $1_t $2_xserver_t:shm r_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
-
-# Client write xserver shm
-if (allow_write_xshm) {
-allow $1_t $2_xserver_t:shm rw_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
-}
-
-')
-
-#
-# x_client_domain(client, role)
-#
-# Defines common X access rules for the client domain
-#
-define(`x_client_domain',`
-
-# Create socket to communicate with X server
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
-# Read .Xauthority file
-ifdef(`xauth.te',`
-allow $1_t home_root_t:dir { search getattr };
-allow $1_t $2_home_dir_t:dir { search getattr };
-allow $1_t $2_xauth_home_t:file { getattr read };
-')
-
-# for .xsession-errors
-dontaudit $1_t $2_home_t:file write;
-
-# for X over a ssh tunnel
-ifdef(`ssh.te', `
-can_tcp_connect($1_t, sshd_t)
-')
-
-# Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1)
-allow $1_t self:shm create_shm_perms;
-
-# allow X client to read all font files
-read_fonts($1_t, $2)
-
-# Allow connections to X server.
-ifdef(`xserver.te', `
-allow $1_t tmp_t:dir search;
-
-ifdef(`xdm.te', `
-xsession_domain($1, xdm)
-
-# for when /tmp/.X11-unix is created by the system
-can_pipe_xdm($1_t)
-allow $1_t xdm_tmp_t:dir search;
-allow $1_t xdm_tmp_t:sock_file { read write };
-dontaudit $1_t xdm_t:tcp_socket { read write };
-')
-
-ifdef(`startx.te', `
-xsession_domain($1, $2)
-')dnl end startx
-
-')dnl end xserver
-
-')dnl end x_client macro
diff --git a/strict/macros/program/xauth_macros.te b/strict/macros/program/xauth_macros.te
deleted file mode 100644
index ca7a5ee0..00000000
--- a/strict/macros/program/xauth_macros.te
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Macros for xauth domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# xauth_domain(domain_prefix)
-#
-# Define a derived domain for the xauth program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/xauth.te.
-#
-undefine(`xauth_domain')
-ifdef(`xauth.te', `
-define(`xauth_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_xauth_t, domain;
-
-allow $1_xauth_t self:process signal;
-
-home_domain($1, xauth)
-file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
-ifdef(`ssh.te', `
-domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
-allow $1_xauth_t sshd_t:fifo_file { getattr read };
-dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
-allow $1_xauth_t sshd_t:process sigchld;
-')dnl end if ssh
-
-# The user role is authorized for this domain.
-role $1_r types $1_xauth_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_xauth_t $1_gph_t:fd use;
-')
-
-allow $1_xauth_t privfd:fd use;
-allow $1_xauth_t ptmx_t:chr_file { read write };
-
-# allow ps to show xauth
-can_ps($1_t, $1_xauth_t)
-allow $1_t $1_xauth_t:process signal;
-
-uses_shlib($1_xauth_t)
-
-# allow DNS lookups...
-can_resolve($1_xauth_t)
-can_ypbind($1_xauth_t)
-ifdef(`named.te', `
-can_udp_send($1_xauth_t, named_t)
-can_udp_send(named_t, $1_xauth_t)
-')dnl end if named.te
-
-allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_xauth_t etc_t:file { getattr read };
-allow $1_xauth_t fs_t:filesystem getattr;
-
-# Write to the user domain tty.
-access_terminal($1_xauth_t, $1)
-
-# Scan /var/run.
-allow $1_xauth_t var_t:dir search;
-allow $1_xauth_t var_run_t:dir search;
-
-tmp_domain($1_xauth)
-allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
-
-')dnl end xauth_domain macro
-
-', `
-
-define(`xauth_domain',`')
-
-')dnl end if xauth.te
diff --git a/strict/macros/program/xdm_macros.te b/strict/macros/program/xdm_macros.te
deleted file mode 100644
index 404b8779..00000000
--- a/strict/macros/program/xdm_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-########################################
-#
-# can_pipe_xdm(domain)
-#
-# Allow communication to xdm over a pipe
-#
-
-define(`can_pipe_xdm', `
-allow $1 xdm_t:fd use;
-allow $1 xdm_t:fifo_file { getattr read write ioctl };
-') dnl can_pipe_xdm
diff --git a/strict/macros/program/xserver_macros.te b/strict/macros/program/xserver_macros.te
deleted file mode 100644
index e2eaf824..00000000
--- a/strict/macros/program/xserver_macros.te
+++ /dev/null
@@ -1,274 +0,0 @@
-#
-# Macros for X server domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#################################
-#
-# xserver_domain(domain_prefix)
-#
-# Define a derived domain for the X server when executed
-# by a user domain (e.g. via startx). See the xdm_t domain
-# in domains/program/xdm.te if using an X Display Manager.
-#
-# The type declarations for the executable type for this program
-# and the log type are provided separately in domains/program/xserver.te.
-#
-# FIXME! The X server requires far too many privileges.
-#
-undefine(`xserver_domain')
-ifdef(`xserver.te', `
-
-define(`xserver_domain',`
-# Derived domain based on the calling user domain and the program.
-ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
-allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
-ifdef(`rpm.te', `
-allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-allow $1_xserver_t rpm_tmpfs_t:file { read write };
-allow $1_xserver_t rpm_t:fd use;
-')
-
-', `
-type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
-')
-
-# for SSP
-allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
-
-# Transition from the user domain to this domain.
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
-')
-', `
-domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
-')dnl end ifelse xdm
-can_exec($1_xserver_t, xserver_exec_t)
-
-uses_shlib($1_xserver_t)
-
-allow $1_xserver_t texrel_shlib_t:file execmod;
-
-can_network($1_xserver_t)
-allow $1_xserver_t port_type:tcp_socket name_connect;
-can_ypbind($1_xserver_t)
-allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
-
-# for access within the domain
-general_domain_access($1_xserver_t)
-
-allow $1_xserver_t self:process execmem;
-# Until the X module loader is fixed.
-allow $1_xserver_t self:process execheap;
-
-allow $1_xserver_t etc_runtime_t:file { getattr read };
-
-ifelse($1, xdm, `
-# The system role is authorised for the xdm and initrc domains
-role system_r types xdm_xserver_t;
-
-allow xdm_xserver_t init_t:fd use;
-
-dontaudit xdm_xserver_t home_dir_type:dir { read search };
-
-# Read all global and per user fonts
-read_fonts($1_xserver_t, sysadm)
-read_fonts($1_xserver_t, staff)
-read_fonts($1_xserver_t, user)
-
-', `
-# The user role is authorized for this domain.
-role $1_r types $1_xserver_t;
-
-allow $1_xserver_t getty_t:fd use;
-allow $1_xserver_t local_login_t:fd use;
-allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
-allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
-
-can_unix_connect($1_t, $1_xserver_t)
-
-# Read fonts
-read_fonts($1_xserver_t, $1)
-
-# Access the home directory.
-allow $1_xserver_t home_root_t:dir search;
-allow $1_xserver_t $1_home_dir_t:dir { getattr search };
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
-allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-', `
-allow $1_xserver_t $1_home_t:file { getattr read };
-')dnl end ifdef xauth
-ifdef(`userhelper.te', `
-allow $1_xserver_t userhelper_conf_t:dir search;
-')dnl end ifdef userhelper
-')dnl end ifelse xdm
-
-allow $1_xserver_t self:process setsched;
-
-allow $1_xserver_t fs_t:filesystem getattr;
-
-# Xorg wants to check if kernel is tainted
-read_sysctl($1_xserver_t)
-
-# Use capabilities.
-# allow setuid/setgid for the wrapper program to change UID
-# sys_rawio is for iopl access - should not be needed for frame-buffer
-# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
-# admin of APM bios?
-# sys_nice is so that the X server can set a negative nice value
-allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-allow $1_xserver_t nfs_t:dir { getattr search };
-
-# memory_device_t access is needed if not using the frame buffer
-#dontaudit $1_xserver_t memory_device_t:chr_file read;
-allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
-# net_bind_service is needed if you want your X server to allow TCP connections
-# from other hosts, EG an XDM serving a network of X terms
-# if you want good security you do not want this
-# not sure why some people want chown, fsetid, and sys_tty_config.
-#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
-dontaudit $1_xserver_t self:capability chown;
-
-# for nscd
-dontaudit $1_xserver_t var_run_t:dir search;
-
-allow $1_xserver_t mtrr_device_t:file rw_file_perms;
-allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
-allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
-allow $1_xserver_t device_t:lnk_file { getattr read };
-allow $1_xserver_t devtty_t:chr_file rw_file_perms;
-allow $1_xserver_t zero_device_t:chr_file { read write execute };
-
-# Type for temporary files.
-tmp_domain($1_xserver, `', `{ dir file sock_file }')
-file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
-
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-allow xdm_t $1_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_xserver_t xdm_t:process signal;
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_t xdm_xserver_t:shm rw_shm_perms;
-dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-')
-', `
-allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_t $1_xserver_t:process signal;
-
-# Allow the user domain to connect to the X server.
-can_unix_connect($1_t, $1_xserver_t)
-allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
-ifdef(`xdm.te', `
-allow $1_t xdm_tmp_t:sock_file unlink;
-allow $1_xserver_t xdm_var_run_t:dir search;
-')
-
-# Signal the user domain.
-allow $1_xserver_t $1_t:process signal;
-
-# Communicate via System V shared memory.
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-allow $1_t $1_xserver_t:shm rw_shm_perms;
-allow $1_xserver_t initrc_t:shm rw_shm_perms;
-
-')dnl end ifelse xdm
-
-# Create files in /var/log with the xserver_log_t type.
-allow $1_xserver_t var_t:dir search;
-file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
-allow $1_xserver_t xserver_log_t:dir r_dir_perms;
-
-# Access AGP device.
-allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
-
-# for other device nodes such as the NVidia binary-only driver
-allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
-
-# Access /proc/mtrr
-allow $1_xserver_t proc_t:file rw_file_perms;
-allow $1_xserver_t proc_t:lnk_file { getattr read };
-
-# Access /proc/sys/dev
-allow $1_xserver_t sysctl_dev_t:dir search;
-allow $1_xserver_t sysctl_dev_t:file { getattr read };
-# Access /proc/bus/pci
-allow $1_xserver_t proc_t:dir r_dir_perms;
-
-# Create and access /dev/dri devices.
-allow $1_xserver_t device_t:dir { create setattr };
-file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
-# brought on by rhgb
-allow $1_xserver_t mnt_t:dir search;
-
-allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
-
-# Run helper programs in $1_xserver_t.
-allow $1_xserver_t { bin_t sbin_t }:dir search;
-allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
-allow $1_xserver_t bin_t:lnk_file read;
-can_exec($1_xserver_t, { bin_t shell_exec_t })
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-can_unix_connect($1_xserver_t, xfs_t)
-allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
-allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
-
-# Bind to the X server socket in /tmp.
-allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
-')
-
-read_locale($1_xserver_t)
-
-# Type for tmpfs/shm files.
-tmpfs_domain($1_xserver)
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
-')
-', `
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-rw_dir_file($1_xserver_t, $1_tmpfs_t)
-')dnl end ifelse xdm
-
-
-r_dir_file($1_xserver_t,sysfs_t)
-
-# Use the mouse.
-allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
-# Allow xserver to read events - the synaptics touchpad
-# driver reads raw events
-allow $1_xserver_t event_device_t:chr_file rw_file_perms;
-ifdef(`pamconsole.te', `
-allow $1_xserver_t pam_var_console_t:dir search;
-')
-dontaudit $1_xserver_t selinux_config_t:dir search;
-
-allow $1_xserver_t var_lib_t:dir search;
-rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
-
-')dnl end macro definition
-
-', `
-
-define(`xserver_domain',`')
-
-')
-
diff --git a/strict/macros/program/ypbind_macros.te b/strict/macros/program/ypbind_macros.te
deleted file mode 100644
index 61db7cc0..00000000
--- a/strict/macros/program/ypbind_macros.te
+++ /dev/null
@@ -1,20 +0,0 @@
-
-define(`uncond_can_ypbind', `
-can_network($1)
-r_dir_file($1,var_yp_t)
-allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
-allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
-dontaudit $1 self:capability net_bind_service;
-dontaudit $1 reserved_port_type:tcp_socket name_connect;
-dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
-')
-
-define(`can_ypbind', `
-ifdef(`ypbind.te', `
-if (allow_ypbind) {
-uncond_can_ypbind($1)
-} else {
-dontaudit $1 var_yp_t:dir search;
-}
-') dnl ypbind.te
-') dnl can_ypbind
diff --git a/strict/macros/user_macros.te b/strict/macros/user_macros.te
deleted file mode 100644
index 2c766656..00000000
--- a/strict/macros/user_macros.te
+++ /dev/null
@@ -1,324 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-# role_tty_type_change(starting_role, ending_role)
-#
-# change from role $1_r to $2_r and relabel tty appropriately
-#
-
-undefine(`role_tty_type_change')
-define(`role_tty_type_change', `
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-#
-# reach_sysadm(user)
-#
-# Reach sysadm_t via programs like userhelper/sudo/su
-#
-
-undefine(`reach_sysadm')
-define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-ifdef(`su.te', `
-su_domain($1)
-# When an ordinary user domain runs su, su may try to
-# update the /root/.Xauthority file, and the user shell may
-# try to update the shell history. This is not allowed, but
-# we dont need to audit it.
-dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
-') dnl ifdef su.te
-ifdef(`xauth.te', `
-file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-ifdef(`userhelper.te', `
-file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-') dnl userhelper.te
-') dnl xauth.te
-') dnl reach_sysadm
-
-#
-# priv_user(user)
-#
-# Privileged user domain
-#
-
-undefine(`priv_user')
-define(`priv_user', `
-# Reach sysadm_t
-reach_sysadm($1)
-
-# Read file_contexts for rpm and get security decisions.
-r_dir_file($1_t, file_context_t)
-can_getsecurity($1_t)
-
-# Signal and see information about unprivileged user domains.
-allow $1_t unpriv_userdomain:process signal_perms;
-can_ps($1_t, unpriv_userdomain)
-allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
-
-# Read /root files if boolean is enabled.
-if (staff_read_sysadm_file) {
-allow $1_t sysadm_home_dir_t:dir { getattr search };
-allow $1_t sysadm_home_t:file { getattr read };
-}
-
-') dnl priv_user
-
-#
-# user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately.
-#
-
-# user_domain() is also called by the admin_domain() macro
-undefine(`user_domain')
-define(`user_domain', `
-# Use capabilities
-
-# Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-ifdef(`support_polyinstantiation', `
-type_member $1_t tmp_t:dir $1_tmp_t;
-type_member $1_t $1_home_dir_t:dir $1_home_t;
-')
-
-base_user_domain($1)
-ifdef(`mls_policy', `', `
-access_removable_media($1_t)
-')
-
-# do not allow privhome access to sysadm_home_dir_t
-file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
-
-allow $1_t boot_t:dir { getattr search };
-dontaudit $1_t boot_t:lnk_file read;
-dontaudit $1_t boot_t:file read;
-allow $1_t system_map_t:file { getattr read };
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifelse($1, sysadm, `',`
-ifdef(`apache.te', `apache_user_domain($1)')
-ifdef(`i18n_input.te', `i18n_input_domain($1)')
-')
-ifdef(`slocate.te', `locate_domain($1)')
-ifdef(`lockdev.te', `lockdev_domain($1)')
-
-can_kerberos($1_t)
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-#
-# Need the following rule to allow users to run vpnc
-#
-ifdef(`xserver.te', `
-allow $1_t xserver_port_t:tcp_socket name_bind;
-')
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols
-if (user_tcp_server) {
-allow $1_t port_t:tcp_socket name_bind;
-}
-# port access is audited even if dac would not have allowed it, so dontaudit it here
-dontaudit $1_t reserved_port_type:tcp_socket name_bind;
-
-# Allow system log read
-if (user_dmesg) {
-allow $1_t kernel_t:system syslog_read;
-} else {
-# else do not log it
-dontaudit $1_t kernel_t:system syslog_read;
-}
-
-# Allow read access to utmp.
-allow $1_t initrc_var_run_t:file { getattr read lock };
-# The library functions always try to open read-write first,
-# then fall back to read-only if it fails.
-# Do not audit write denials to utmp to avoid the noise.
-dontaudit $1_t initrc_var_run_t:file write;
-
-
-# do not audit read on disk devices
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
-ifdef(`xdm.te', `
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-#
-# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-#
-dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')dnl end ifdef ftpd
-
-
-')dnl end user_domain macro
-
-
-###########################################################################
-#
-# Domains for ordinary users.
-#
-undefine(`limited_user_role')
-define(`limited_user_role', `
-# user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
-
-#Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
-# Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
-
-# Access ttys.
-allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-# Grant read/search permissions to some of /proc.
-r_dir_file($1_t, proc_t)
-r_dir_file($1_t, proc_net_t)
-
-base_file_read_access($1_t)
-
-# Execute from the system shared libraries.
-uses_shlib($1_t)
-
-# Read /etc.
-r_dir_file($1_t, etc_t)
-allow $1_t etc_runtime_t:file r_file_perms;
-allow $1_t etc_runtime_t:lnk_file { getattr read };
-
-allow $1_t self:process { fork sigchld setpgid signal_perms };
-
-# read localization information
-read_locale($1_t)
-
-read_sysctl($1_t)
-can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-allow secadm_t self:fifo_file rw_file_perms;
-
-allow $1_t self:lnk_file read;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t urandom_device_t:chr_file { getattr read };
-dontaudit $1_t { var_spool_t var_log_t }:dir search;
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file { getattr read };
-allow $1_t devtty_t:chr_file { read write };
-
-')
-
-undefine(`full_user_role')
-define(`full_user_role', `
-
-limited_user_role($1)
-
-typeattribute $1_t web_client_domain;
-
-attribute $1_file_type;
-
-ifdef(`useradd.te', `
-# Useradd relabels /etc/skel files so needs these privs
-allow useradd_t $1_file_type:dir create_dir_perms;
-allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
-')
-
-can_exec($1_t, usr_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_t readable_t:dir r_dir_perms;
-allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
-# Stat lost+found.
-allow $1_t lost_found_t:dir getattr;
-
-# Read /var, /var/spool, /var/run.
-r_dir_file($1_t, var_t)
-# what about pipes and sockets under /var/spool?
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, var_run_t)
-allow $1_t var_lib_t:dir r_dir_perms;
-allow $1_t var_lib_t:file { getattr read };
-
-# for running depmod as part of the kernel packaging process
-allow $1_t modules_conf_t:file { getattr read };
-
-# Read man directories and files.
-r_dir_file($1_t, man_t)
-
-# Allow users to rw usb devices
-if (user_rw_usb) {
-rw_dir_create_file($1_t,usbdevfs_t)
-} else {
-r_dir_file($1_t,usbdevfs_t)
-}
-
-r_dir_file($1_t,sysfs_t)
-
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1_t ld_so_cache_t:file write;
-
-# $1_t is also granted permissions specific to user domains.
-user_domain($1)
-
-dontaudit $1_t sysadm_home_t:file { read append };
-
-ifdef(`syslogd.te', `
-# Some programs that are left in $1_t will try to connect
-# to syslogd, but we do not want to let them generate log messages.
-# Do not audit.
-dontaudit $1_t devlog_t:sock_file { read write };
-dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-')
-
-# Stop warnings about access to /dev/console
-dontaudit $1_t init_t:fd use;
-dontaudit $1_t initrc_t:fd use;
-allow $1_t initrc_t:fifo_file write;
-
-#
-# Rules used to associate a homedir as a mountpoint
-#
-allow $1_home_t self:filesystem associate;
-allow $1_file_type $1_home_t:filesystem associate;
-')
-
-undefine(`in_user_role')
-define(`in_user_role', `
-role user_r types $1;
-role staff_r types $1;
-')
-
diff --git a/strict/mcs b/strict/mcs
deleted file mode 100644
index d67b134e..00000000
--- a/strict/mcs
+++ /dev/null
@@ -1,354 +0,0 @@
-#
-# Define sensitivities
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_mls_op r2
-# | t1 op t2
-# | l1 role_mls_op l2
-# | l1 role_mls_op h2
-# | h1 role_mls_op l2
-# | h1 role_mls_op h2
-# | l1 role_mls_op h1
-# | l2 role_mls_op h2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MCS policy for the file classes
-#
-# Constrain file access so that the high range of the process dominates
-# the high range of the file. We use the high range of the process so
-# that processes can always simply run at s0.
-#
-# Only files are constrained by MCS at this stage.
-#
-mlsconstrain file { write setattr append unlink link rename
- create ioctl lock execute } (h1 dom h2);
-
-mlsconstrain file { read } ((h1 dom h2) or
- ( t1 == mlsfileread ));
-
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
- ( h1 dom h2 );
-
-define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
-link unlink rename relabelfrom relabelto }')
-
-define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
-rename search add_name remove_name reparent write rmdir relabelfrom
-relabelto }')
-
-# XXX
-#
-# For some reason, we need to reference the mlsfileread attribute
-# or we get a build error. Below is a dummy entry to do this.
-mlsconstrain xextension query ( t1 == mlsfileread );
-
diff --git a/strict/mls b/strict/mls
deleted file mode 100644
index b3e9b5a3..00000000
--- a/strict/mls
+++ /dev/null
@@ -1,872 +0,0 @@
-#
-# Define sensitivities
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
-
-
-#
-# Each MLS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
-
-
-#
-# Define the MLS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_mls_op r2
-# | t1 op t2
-# | l1 role_mls_op l2
-# | l1 role_mls_op h2
-# | h1 role_mls_op l2
-# | h1 role_mls_op h2
-# | l1 role_mls_op h1
-# | l2 role_mls_op h2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MLS policy for the file classes
-#
-
-# make sure these file classes are "single level"
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
- ( l2 eq h2 );
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
- ( h1 dom h2 );
-
-# the file "read" ops (note the check is dominance of the low level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
- (( l1 dom l2 ) or
- (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsfileread ) or
- ( t2 == mlstrustedobject ));
-
-mlsconstrain dir search
- (( l1 dom l2 ) or
- (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsfileread ) or
- ( t2 == mlstrustedobject ));
-
-# the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
- (( l1 eq l2 ) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ) or
- ( t2 == mlstrustedobject ));
-
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ) or
- ( t2 == mlstrustedobject ));
-
-mlsconstrain dir { add_name remove_name reparent rmdir }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ) or
- ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
-#
-# { file chr_file } { execute_no_trans entrypoint execmod }
-
-# the file upgrade/downgrade rule
-mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
- ((( l1 eq l2 ) or
- (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
- (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
- (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
- (( h1 eq h2 ) or
- (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
- (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
- (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
-
-# create can also require the upgrade/downgrade checks if the creating process
-# has used setfscreate (note that both the high and low level of the object
-# default to the process' sensitivity level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
- ((( l1 eq l2 ) or
- (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
- (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
- (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
- (( l1 eq h2 ) or
- (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
- (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
- (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
-
-
-
-
-#
-# MLS policy for the filesystem class
-#
-
-# new filesystem labels must be dominated by the relabeling subject's clearance
-mlsconstrain filesystem relabelto
- ( h1 dom h2 );
-
-# the filesystem "read" ops (implicit single level)
-mlsconstrain filesystem { getattr quotaget }
- (( l1 dom l2 ) or
- (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsfileread ));
-
-# all the filesystem "write" ops (implicit single level)
-mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
- (( l1 eq l2 ) or
- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsfilewrite ));
-
-# these access vectors have no MLS restrictions
-# filesystem { transition associate }
-
-
-
-
-#
-# MLS policy for the socket classes
-#
-
-# new socket labels must be dominated by the relabeling subject's clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
- ( h1 dom h2 );
-
-# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
- (( l1 dom l2 ) or
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-
-mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
- (( l1 dom l2 ) or
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-
-# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsnetwrite ));
-
-# these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
-#
-# { tcp_socket udp_socket rawip_socket } node_bind
-#
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
-#
-# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
-#
-
-
-
-
-#
-# MLS policy for the ipc classes
-#
-
-# the ipc "read" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
- (( l1 dom l2 ) or
- (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsipcread ));
-
-mlsconstrain msg receive
- (( l1 dom l2 ) or
- (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsipcread ));
-
-# the ipc "write" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
- (( l1 eq l2 ) or
- (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsipcwrite ));
-
-mlsconstrain msgq enqueue
- (( l1 eq l2 ) or
- (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsipcwrite ));
-
-mlsconstrain shm lock
- (( l1 eq l2 ) or
- (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsipcwrite ));
-
-mlsconstrain msg send
- (( l1 eq l2 ) or
- (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsipcwrite ));
-
-# these access vectors have no MLS restrictions
-# { ipc sem msgq shm } associate
-
-
-
-
-#
-# MLS policy for the fd class
-#
-
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
-
-#
-# MLS policy for the network object classes
-#
-
-# the netif/node "read" ops (implicit single level socket doing the read)
-# (note the check is dominance of the low level)
-mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
- (( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
-
-# the netif/node "write" ops (implicit single level socket doing the write)
-mlsconstrain { netif node } { tcp_send udp_send rawip_send }
- (( l1 dom l2 ) and ( l1 domby h2 ));
-
-# these access vectors have no MLS restrictions
-# { netif node } { enforce_dest }
-
-
-
-
-#
-# MLS policy for the process class
-#
-
-# new process labels must be dominated by the relabeling subject's clearance
-# and sensitivity level changes require privilege
-mlsconstrain process transition
- (( h1 dom h2 ) and
- (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
- (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
-mlsconstrain process dyntransition
- (( h1 dom h2 ) and
- (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
-
-# all the process "read" ops
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (( l1 dom l2 ) or
- (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsprocread ));
-
-# all the process "write" ops (note the check is equality on the low level)
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
- (( l1 eq l2 ) or
- (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsprocwrite ));
-
-# these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
-
-
-
-
-#
-# MLS policy for the security class
-#
-
-# these access vectors have no MLS restrictions
-# security *
-
-
-
-
-#
-# MLS policy for the system class
-#
-
-# these access vectors have no MLS restrictions
-# system *
-
-
-
-
-#
-# MLS policy for the capability class
-#
-
-# these access vectors have no MLS restrictions
-# capability *
-
-
-
-
-#
-# MLS policy for the passwd class
-#
-
-# these access vectors have no MLS restrictions
-# passwd *
-
-
-
-
-#
-# MLS policy for the drawable class
-#
-
-# the drawable "read" ops (implicit single level)
-mlsconstrain drawable { getattr copy }
- (( l1 dom l2 ) or
- (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsxwinread ));
-
-# the drawable "write" ops (implicit single level)
-mlsconstrain drawable { create destroy draw copy }
- (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the gc class -# - -# the gc "read" ops (implicit single level) -mlsconstrain gc getattr - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the gc "write" ops (implicit single level) -mlsconstrain gc { create free setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the window class -# - -# the window "read" ops (implicit single level) -mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the window "write" ops (implicit single level) -mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - -# these access vectors have no MLS restrictions -# window { map unmap } - - - - -# -# MLS policy for the font class -# - -# the font "read" ops (implicit single level) -mlsconstrain font { load getattr } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the font "write" ops (implicit single level) -mlsconstrain font free - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - -# these access vectors have no MLS restrictions -# font use - - - - -# -# MLS policy for the colormap class -# - -# the colormap "read" ops (implicit single level) -mlsconstrain colormap { list read getattr } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) 
or - ( t1 == mlsxwinread )); - -# the colormap "write" ops (implicit single level) -mlsconstrain colormap { create free install uninstall store setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the property class -# - -# the property "read" ops (implicit single level) -mlsconstrain property { read } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the property "write" ops (implicit single level) -mlsconstrain property { create free write } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the cursor class -# - -# the cursor "write" ops (implicit single level) -mlsconstrain cursor { create createglyph free assign setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the xclient class -# - -# the xclient "write" ops (implicit single level) -mlsconstrain xclient kill - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the xinput class -# - -# the xinput "read" ops (implicit single level) -mlsconstrain xinput { lookup getattr mousemotion } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the xinput "write" ops (implicit single level) -mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the xserver class -# - -# the xserver "read" ops (implicit single level) -mlsconstrain xserver { gethostlist getfontpath getattr screensaver } - (( l1 dom l2 ) or - (( t1 == 
mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the xserver "write" ops (implicit single level) -mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the xextension class -# - -# the xextension "read" ops (implicit single level) -mlsconstrain xextension query - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the xextension "write" ops (implicit single level) -mlsconstrain xextension use - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - -# -# MLS policy for the pax class -# - -# these access vectors have no MLS restrictions -# pax { pageexec emutramp mprotect randmmap randexec segmexec } - - - - -# -# MLS policy for the dbus class -# - -# these access vectors have no MLS restrictions -# dbus { acquire_svc send_msg } - - - - -# -# MLS policy for the nscd class -# - -# these access vectors have no MLS restrictions -# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } - - - - -# -# MLS policy for the association class -# - -# these access vectors have no MLS restrictions -# association { sendto recvfrom } - diff --git a/strict/net_contexts b/strict/net_contexts deleted file mode 100644 index 8ab11180..00000000 --- a/strict/net_contexts +++ /dev/null 
@@ -1,247 +0,0 @@
-# FLASK
-
-#
-# Security contexts for network entities
-# If no context is specified, then a default initial SID is used.
-#
-
-# Modified by Reino Wallin
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# ifdefs to encapsulate domains, and many additional port contexts
-
-#
-# Port numbers (default = initial SID "port")
-#
-# protocol number context
-# protocol low-high context
-#
-portcon tcp 7 system_u:object_r:inetd_child_port_t
-portcon udp 7 system_u:object_r:inetd_child_port_t
-portcon tcp 9 system_u:object_r:inetd_child_port_t
-portcon udp 9 system_u:object_r:inetd_child_port_t
-portcon tcp 13 system_u:object_r:inetd_child_port_t
-portcon udp 13 system_u:object_r:inetd_child_port_t
-portcon tcp 19 system_u:object_r:inetd_child_port_t
-portcon udp 19 system_u:object_r:inetd_child_port_t
-portcon tcp 37 system_u:object_r:inetd_child_port_t
-portcon udp 37 system_u:object_r:inetd_child_port_t
-portcon tcp 113 system_u:object_r:auth_port_t
-portcon tcp 512 system_u:object_r:inetd_child_port_t
-portcon tcp 543 system_u:object_r:inetd_child_port_t
-portcon tcp 544 system_u:object_r:inetd_child_port_t
-portcon tcp 891 system_u:object_r:inetd_child_port_t
-portcon udp 891 system_u:object_r:inetd_child_port_t
-portcon tcp 892 system_u:object_r:inetd_child_port_t
-portcon udp 892 system_u:object_r:inetd_child_port_t
-portcon tcp 2105 system_u:object_r:inetd_child_port_t
-portcon tcp 20 system_u:object_r:ftp_data_port_t
-portcon tcp 21 system_u:object_r:ftp_port_t
-portcon tcp 22 system_u:object_r:ssh_port_t
-portcon tcp 23 system_u:object_r:telnetd_port_t
-
-portcon tcp 25 system_u:object_r:smtp_port_t
-portcon tcp 465 system_u:object_r:smtp_port_t
-portcon tcp 587 system_u:object_r:smtp_port_t
-
-portcon udp 500 system_u:object_r:isakmp_port_t
-portcon udp 53 system_u:object_r:dns_port_t
-portcon tcp 53 system_u:object_r:dns_port_t
-
-portcon udp 67 system_u:object_r:dhcpd_port_t
-portcon udp 647 system_u:object_r:dhcpd_port_t
-portcon tcp 647 system_u:object_r:dhcpd_port_t
-portcon udp 847 system_u:object_r:dhcpd_port_t
-portcon tcp 847 system_u:object_r:dhcpd_port_t
-portcon udp 68 system_u:object_r:dhcpc_port_t
-portcon udp 70 system_u:object_r:gopher_port_t
-portcon tcp 70 system_u:object_r:gopher_port_t
-
-portcon udp 69 system_u:object_r:tftp_port_t
-portcon tcp 79 system_u:object_r:fingerd_port_t
-
-portcon tcp 80 system_u:object_r:http_port_t
-portcon tcp 443 system_u:object_r:http_port_t
-portcon tcp 488 system_u:object_r:http_port_t
-portcon tcp 8008 system_u:object_r:http_port_t
-
-portcon tcp 106 system_u:object_r:pop_port_t
-portcon tcp 109 system_u:object_r:pop_port_t
-portcon tcp 110 system_u:object_r:pop_port_t
-portcon tcp 143 system_u:object_r:pop_port_t
-portcon tcp 220 system_u:object_r:pop_port_t
-portcon tcp 993 system_u:object_r:pop_port_t
-portcon tcp 995 system_u:object_r:pop_port_t
-portcon tcp 1109 system_u:object_r:pop_port_t
-
-portcon udp 111 system_u:object_r:portmap_port_t
-portcon tcp 111 system_u:object_r:portmap_port_t
-
-portcon tcp 119 system_u:object_r:innd_port_t
-portcon udp 123 system_u:object_r:ntp_port_t
-
-portcon tcp 137 system_u:object_r:smbd_port_t
-portcon udp 137 system_u:object_r:nmbd_port_t
-portcon tcp 138 system_u:object_r:smbd_port_t
-portcon udp 138 system_u:object_r:nmbd_port_t
-portcon tcp 139 system_u:object_r:smbd_port_t
-portcon udp 139 system_u:object_r:nmbd_port_t
-portcon tcp 445 system_u:object_r:smbd_port_t
-
-portcon udp 161 system_u:object_r:snmp_port_t
-portcon udp 162 system_u:object_r:snmp_port_t
-portcon tcp 199 system_u:object_r:snmp_port_t
-portcon udp 512 system_u:object_r:comsat_port_t
-
-portcon tcp 389 system_u:object_r:ldap_port_t
-portcon udp 389 system_u:object_r:ldap_port_t
-portcon tcp 636 system_u:object_r:ldap_port_t
-portcon udp 636 system_u:object_r:ldap_port_t
-
-portcon tcp 513 system_u:object_r:rlogind_port_t
-portcon tcp 514 system_u:object_r:rsh_port_t
-
-portcon tcp 515 system_u:object_r:printer_port_t
-portcon udp 514 system_u:object_r:syslogd_port_t
-portcon udp 517 system_u:object_r:ktalkd_port_t
-portcon udp 518 system_u:object_r:ktalkd_port_t
-portcon tcp 631 system_u:object_r:ipp_port_t
-portcon udp 631 system_u:object_r:ipp_port_t
-portcon tcp 88 system_u:object_r:kerberos_port_t
-portcon udp 88 system_u:object_r:kerberos_port_t
-portcon tcp 464 system_u:object_r:kerberos_admin_port_t
-portcon udp 464 system_u:object_r:kerberos_admin_port_t
-portcon tcp 749 system_u:object_r:kerberos_admin_port_t
-portcon tcp 750 system_u:object_r:kerberos_port_t
-portcon udp 750 system_u:object_r:kerberos_port_t
-portcon tcp 4444 system_u:object_r:kerberos_master_port_t
-portcon udp 4444 system_u:object_r:kerberos_master_port_t
-portcon tcp 783 system_u:object_r:spamd_port_t
-portcon tcp 540 system_u:object_r:uucpd_port_t
-portcon tcp 2401 system_u:object_r:cvs_port_t
-portcon udp 2401 system_u:object_r:cvs_port_t
-portcon tcp 873 system_u:object_r:rsync_port_t
-portcon udp 873 system_u:object_r:rsync_port_t
-portcon tcp 901 system_u:object_r:swat_port_t
-portcon tcp 953 system_u:object_r:rndc_port_t
-portcon tcp 1213 system_u:object_r:giftd_port_t
-portcon tcp 1241 system_u:object_r:nessus_port_t
-portcon tcp 1234 system_u:object_r:monopd_port_t
-portcon udp 1645 system_u:object_r:radius_port_t
-portcon udp 1646 system_u:object_r:radacct_port_t
-portcon udp 1812 system_u:object_r:radius_port_t
-portcon udp 1813 system_u:object_r:radacct_port_t
-portcon udp 1718 system_u:object_r:gatekeeper_port_t
-portcon udp 1719 system_u:object_r:gatekeeper_port_t
-portcon tcp 1721 system_u:object_r:gatekeeper_port_t
-portcon tcp 7000 system_u:object_r:gatekeeper_port_t
-portcon tcp 2040 system_u:object_r:afs_fs_port_t
-portcon udp 7000 system_u:object_r:afs_fs_port_t
-portcon udp 7002 system_u:object_r:afs_pt_port_t
-portcon udp 7003 system_u:object_r:afs_vl_port_t
-portcon udp 7004 system_u:object_r:afs_ka_port_t
-portcon udp 7005 system_u:object_r:afs_fs_port_t
-portcon udp 7007 system_u:object_r:afs_bos_port_t
-portcon tcp 1720 system_u:object_r:asterisk_port_t
-portcon udp 2427 system_u:object_r:asterisk_port_t
-portcon udp 2727 system_u:object_r:asterisk_port_t
-portcon udp 4569 system_u:object_r:asterisk_port_t
-portcon udp 5060 system_u:object_r:asterisk_port_t
-portcon tcp 2000 system_u:object_r:mail_port_t
-portcon tcp 2601 system_u:object_r:zebra_port_t
-portcon tcp 2628 system_u:object_r:dict_port_t
-portcon tcp 3306 system_u:object_r:mysqld_port_t
-portcon tcp 3632 system_u:object_r:distccd_port_t
-portcon udp 4011 system_u:object_r:pxe_port_t
-portcon udp 5000 system_u:object_r:openvpn_port_t
-portcon tcp 5323 system_u:object_r:imaze_port_t
-portcon udp 5323 system_u:object_r:imaze_port_t
-portcon tcp 5335 system_u:object_r:howl_port_t
-portcon udp 5353 system_u:object_r:howl_port_t
-portcon tcp 5222 system_u:object_r:jabber_client_port_t
-portcon tcp 5223 system_u:object_r:jabber_client_port_t
-portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
-portcon tcp 5432 system_u:object_r:postgresql_port_t
-portcon tcp 5666 system_u:object_r:inetd_child_port_t
-portcon tcp 5703 system_u:object_r:ptal_port_t
-portcon tcp 50000 system_u:object_r:hplip_port_t
-portcon tcp 50002 system_u:object_r:hplip_port_t
-portcon tcp 5900 system_u:object_r:vnc_port_t
-portcon tcp 5988 system_u:object_r:pegasus_http_port_t
-portcon tcp 5989 system_u:object_r:pegasus_https_port_t
-portcon tcp 6000 system_u:object_r:xserver_port_t
-portcon tcp 6001 system_u:object_r:xserver_port_t
-portcon tcp 6002 system_u:object_r:xserver_port_t
-portcon tcp 6003 system_u:object_r:xserver_port_t
-portcon tcp 6004 system_u:object_r:xserver_port_t
-portcon tcp 6005 system_u:object_r:xserver_port_t
-portcon tcp 6006 system_u:object_r:xserver_port_t
-portcon tcp 6007 system_u:object_r:xserver_port_t
-portcon tcp 6008 system_u:object_r:xserver_port_t
-portcon tcp 6009 system_u:object_r:xserver_port_t
-portcon tcp 6010 system_u:object_r:xserver_port_t
-portcon tcp 6011 system_u:object_r:xserver_port_t
-portcon tcp 6012 system_u:object_r:xserver_port_t
-portcon tcp 6013 system_u:object_r:xserver_port_t
-portcon tcp 6014 system_u:object_r:xserver_port_t
-portcon tcp 6015 system_u:object_r:xserver_port_t
-portcon tcp 6016 system_u:object_r:xserver_port_t
-portcon tcp 6017 system_u:object_r:xserver_port_t
-portcon tcp 6018 system_u:object_r:xserver_port_t
-portcon tcp 6019 system_u:object_r:xserver_port_t
-portcon tcp 6667 system_u:object_r:ircd_port_t
-portcon tcp 8000 system_u:object_r:soundd_port_t
-# 9433 is for YIFF
-portcon tcp 9433 system_u:object_r:soundd_port_t
-portcon tcp 3128 system_u:object_r:http_cache_port_t
-portcon tcp 8080 system_u:object_r:http_cache_port_t
-portcon udp 3130 system_u:object_r:http_cache_port_t
-# 8118 is for privoxy
-portcon tcp 8118 system_u:object_r:http_cache_port_t
-
-portcon udp 4041 system_u:object_r:clockspeed_port_t
-portcon tcp 8081 system_u:object_r:transproxy_port_t
-portcon udp 10080 system_u:object_r:amanda_port_t
-portcon tcp 10080 system_u:object_r:amanda_port_t
-portcon udp 10081 system_u:object_r:amanda_port_t
-portcon tcp 10081 system_u:object_r:amanda_port_t
-portcon tcp 10082 system_u:object_r:amanda_port_t
-portcon tcp 10083 system_u:object_r:amanda_port_t
-portcon tcp 60000 system_u:object_r:postgrey_port_t
-
-portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
-portcon tcp 10025 system_u:object_r:amavisd_send_port_t
-portcon tcp 3310 system_u:object_r:clamd_port_t
-portcon udp 6276 system_u:object_r:dcc_port_t
-portcon udp 6277 system_u:object_r:dcc_port_t
-portcon udp 24441 system_u:object_r:pyzor_port_t
-portcon tcp 2703 system_u:object_r:razor_port_t
-portcon tcp 8021 system_u:object_r:zope_port_t
-
-# Defaults for reserved ports. Earlier portcon entries take precedence;
-# these entries just cover any remaining reserved ports not otherwise
-# declared or omitted due to removal of a domain.
-portcon tcp 1-1023 system_u:object_r:reserved_port_t
-portcon udp 1-1023 system_u:object_r:reserved_port_t
-
-# Network interfaces (default = initial SID "netif" and "netmsg")
-#
-# interface netif_context default_msg_context
-#
-
-# Nodes (default = initial SID "node")
-#
-# address mask context
-#
-nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t
-nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_inaddr_any_t
-nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_unspec_t
-nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_lo_t
-nodecon ff00:: ff00:: system_u:object_r:node_multicast_t
-nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:node_link_local_t
-nodecon fec0:: ffc0:: system_u:object_r:node_site_local_t
-nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_compat_ipv4_t
-nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_mapped_ipv4_t
-
-# FLASK
diff --git a/strict/rbac b/strict/rbac
deleted file mode 100644
index 708f70d5..00000000
--- a/strict/rbac
+++ /dev/null
@@ -1,33 +0,0 @@
-################################################
-#
-# Role-based access control (RBAC) configuration.
-#
-
-# The RBAC configuration was originally centralized in this
-# file, but has been decomposed into individual role declarations,
-# role allow rules, and role transition rules throughout the TE
-# configuration to support easy removal or adding of domains without
-# modifying a centralized file each time. This also allowed the macros
-# to properly instantiate role declarations and rules for domains.
-# Hence, this file is largely unused, except for miscellaneous
-# role allow rules.
-
-########################################
-#
-# Role allow rules.
-#
-# A role allow rule specifies the allowable
-# transitions between roles on an execve.
-# If no rule is specified, then the change in
-# roles will not be permitted. Additional
-# controls over role transitions based on the
-# type of the process may be specified through
-# the constraints file.
-#
-# The syntax of a role allow rule is:
-# allow current_role new_role ;
-#
-# Allow the admin role to transition to the system
-# role for run_init.
-#
-allow sysadm_r system_r;
diff --git a/strict/tunables/distro.tun b/strict/tunables/distro.tun
deleted file mode 100644
index 2d491895..00000000
--- a/strict/tunables/distro.tun
+++ /dev/null
@@ -1,14 +0,0 @@
-# Distro-specific customizations.
-
-# Comment out all but the one that matches your distro.
-# The policy .te files can then wrap distro-specific customizations with
-# appropriate ifdefs.
-
-
-dnl define(`distro_redhat')
-
-dnl define(`distro_suse')
-
-dnl define(`distro_gentoo')
-
-dnl define(`distro_debian')
diff --git a/strict/tunables/tunable.tun b/strict/tunables/tunable.tun
deleted file mode 100644
index a6cc2f44..00000000
--- a/strict/tunables/tunable.tun
+++ /dev/null
@@ -1,34 +0,0 @@
-# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
-
-# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
-
-# Allow rc scripts to run unconfined, including any daemon
-# started by an rc script that does not have a domain transition
-# explicitly defined.
-dnl define(`unlimitedRC')
-
-# Allow sysadm_t to directly start daemons
-define(`direct_sysadm_daemon')
-
-# Do not allow sysadm_t to be in the security manager domain
-dnl define(`separate_secadm')
-
-# Do not audit things that we know to be broken but which
-# are not security risks
-dnl define(`hide_broken_symptoms')
-
-# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
-# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
-
-# Allow xinetd to run unconfined, including any services it starts
-# that do not have a domain transition explicitly defined.
-dnl define(`unlimitedInetd')
-
-# for ndc_t to be used for restart shell scripts
-dnl define(`ndc_shell_script')
-
-# Enable Polyinstantiation support
-dnl define(`support_polyinstatiation')
diff --git a/strict/types/device.te b/strict/types/device.te
deleted file mode 100644
index ffa6c11a..00000000
--- a/strict/types/device.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Device types
-#
-
-#
-# device_t is the type of /dev.
-#
-type device_t, file_type, mount_point, dev_fs;
-
-#
-# null_device_t is the type of /dev/null.
-#
-type null_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# zero_device_t is the type of /dev/zero.
-#
-type zero_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# console_device_t is the type of /dev/console.
-#
-type console_device_t, device_type, dev_fs;
-
-#
-# xconsole_device_t is the type of /dev/xconsole
-type xconsole_device_t, file_type, dev_fs;
-
-#
-# memory_device_t is the type of /dev/kmem,
-# /dev/mem, and /dev/port.
-#
-type memory_device_t, device_type, dev_fs;
-
-#
-# random_device_t is the type of /dev/random
-# urandom_device_t is the type of /dev/urandom
-#
-type random_device_t, device_type, dev_fs;
-type urandom_device_t, device_type, dev_fs;
-
-#
-# devtty_t is the type of /dev/tty.
-#
-type devtty_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# tty_device_t is the type of /dev/*tty*
-#
-type tty_device_t, serial_device, device_type, dev_fs;
-
-#
-# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
-type bsdpty_device_t, device_type, dev_fs;
-
-#
-# usbtty_device_t is the type of /dev/usr/tty*
-#
-type usbtty_device_t, serial_device, device_type, dev_fs;
-
-#
-# printer_device_t is the type for printer devices
-#
-type printer_device_t, device_type, dev_fs;
-
-#
-# fixed_disk_device_t is the type of
-# /dev/hd* and /dev/sd*.
-#
-type fixed_disk_device_t, device_type, dev_fs;
-
-#
-# scsi_generic_device_t is the type of /dev/sg*
-# it gives access to ALL SCSI devices (both fixed and removable)
-#
-type scsi_generic_device_t, device_type, dev_fs;
-
-#
-# removable_device_t is the type of
-# /dev/scd* and /dev/fd*.
-#
-type removable_device_t, device_type, dev_fs;
-
-#
-# clock_device_t is the type of
-# /dev/rtc.
-#
-type clock_device_t, device_type, dev_fs;
-
-#
-# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
-#
-type tun_tap_device_t, device_type, dev_fs;
-
-#
-# misc_device_t is the type of miscellaneous devices.
-# XXX: FIXME! Appropriate access to these devices need to be identified.
-#
-type misc_device_t, device_type, dev_fs;
-
-#
-# A more general type for mouse devices.
-#
-type mouse_device_t, device_type, dev_fs;
-
-#
-# For generic /dev/input/event* event devices
-#
-type event_device_t, device_type, dev_fs;
-
-#
-# Not sure what these devices are for, but X wants access to them.
-#
-type agp_device_t, device_type, dev_fs;
-type dri_device_t, device_type, dev_fs;
-
-# Type for sound devices.
-type sound_device_t, device_type, dev_fs;
-
-# Type for /dev/ppp.
-type ppp_device_t, device_type, dev_fs;
-
-# Type for frame buffer /dev/fb/*
-type framebuf_device_t, device_type, dev_fs;
-
-# Type for /dev/.devfsd
-type devfs_control_t, device_type, dev_fs;
-
-# Type for /dev/cpu/mtrr
-type mtrr_device_t, device_type, dev_fs;
-
-# Type for /dev/pmu
-type power_device_t, device_type, dev_fs;
-
-# Type for /dev/apm_bios
-type apm_bios_t, device_type, dev_fs;
-
-# Type for v4l
-type v4l_device_t, device_type, dev_fs;
-
-# tape drives
-type tape_device_t, device_type, dev_fs;
-
-# scanners
-type scanner_device_t, device_type, dev_fs;
-
-# cpu control devices /dev/cpu/0/*
-type cpu_device_t, device_type, dev_fs;
-
-# for other device nodes such as the NVidia binary-only driver
-type xserver_misc_device_t, device_type, dev_fs;
-
-# for the IBM zSeries z90crypt hardware ssl accelorator
-type crypt_device_t, device_type, dev_fs;
-
-
-
-
diff --git a/strict/types/devpts.te b/strict/types/devpts.te
deleted file mode 100644
index 291ec53a..00000000
--- a/strict/types/devpts.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Devpts types
-#
-
-#
-# ptmx_t is the type for /dev/ptmx.
-#
-type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
-
-#
-# devpts_t is the type of the devpts file system and
-# the type of the root directory of the file system.
-#
-type devpts_t, mount_point, fs_type;
-
-ifdef(`targeted_policy', `
-typeattribute devpts_t ttyfile;
-')
-
diff --git a/strict/types/file.te b/strict/types/file.te
deleted file mode 100644
index 7b6fa9e4..00000000
--- a/strict/types/file.te
+++ /dev/null
@@ -1,349 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#######################################
-#
-# General file-related types
-#
-
-#
-# unlabeled_t is the type of unlabeled objects.
-# Objects that have no known labeling information or that
-# have labels that are no longer valid are treated as having this type.
-#
-type unlabeled_t, sysadmfile;
-
-#
-# fs_t is the default type for conventional filesystems.
-#
-type fs_t, fs_type;
-
-# needs more work
-type eventpollfs_t, fs_type;
-type futexfs_t, fs_type;
-type bdev_t, fs_type;
-type usbfs_t, mount_point, fs_type;
-type nfsd_fs_t, fs_type;
-type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, mount_point, fs_type;
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t, file_type, mount_point, sysadmfile;
-
-# default_t is the default type for files that do not
-# match any specification in the file_contexts configuration
-# other than the generic /.* specification.
-type default_t, file_type, mount_point, sysadmfile;
-
-#
-# root_t is the type for the root directory.
-#
-type root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, mount_point, sysadmfile;
-
-#
-# home_root_t is the type for the directory where user home directories
-# are created
-#
-type home_root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# lost_found_t is the type for the lost+found directories.
-#
-type lost_found_t, file_type, sysadmfile;
-
-#
-# boot_t is the type for files in /boot,
-# including the kernel.
-#
-type boot_t, file_type, mount_point, sysadmfile;
-# system_map_t is for the system.map files in /boot
-type system_map_t, file_type, sysadmfile;
-
-#
-# boot_runtime_t is the type for /boot/kernel.h,
-# which is automatically generated at boot time.
-# only for red hat
-type boot_runtime_t, file_type, sysadmfile;
-
-#
-# tmp_t is the type of /tmp and /var/tmp.
-#
-type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
-
-#
-# etc_t is the type of the system etc directories.
-#
-type etc_t, file_type, sysadmfile;
-
-#
-# shadow_t is the type of the /etc/shadow file
-#
-type shadow_t, file_type, secure_file_type;
-allow auth shadow_t:file { getattr read };
-
-#
-# ld_so_cache_t is the type of /etc/ld.so.cache.
-#
-type ld_so_cache_t, file_type, sysadmfile;
-
-#
-# etc_runtime_t is the type of various
-# files in /etc that are automatically
-# generated during initialization.
-#
-type etc_runtime_t, file_type, sysadmfile;
-
-#
-# fonts_runtime_t is the type of various
-# fonts files in /usr that are automatically
-# generated during initialization.
-#
-type fonts_t, file_type, sysadmfile, usercanread;
-
-#
-# etc_aliases_t is the type of the aliases database.
-#
-type etc_aliases_t, file_type, sysadmfile;
-
-# net_conf_t is the type of the /etc/resolv.conf file.
-# all DHCP clients and PPP need write access to this file.
-type net_conf_t, file_type, sysadmfile;
-
-#
-# lib_t is the type of files in the system lib directories.
-#
-type lib_t, file_type, sysadmfile;
-
-#
-# shlib_t is the type of shared objects in the system lib
-# directories.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias shlib_t;
-', `
-type shlib_t, file_type, sysadmfile;
-')
-
-#
-# texrel_shlib_t is the type of shared objects in the system lib
-# directories, which require text relocation.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias texrel_shlib_t;
-', `
-type texrel_shlib_t, file_type, sysadmfile;
-')
-
-# ld_so_t is the type of the system dynamic loaders.
-#
-type ld_so_t, file_type, sysadmfile;
-
-#
-# bin_t is the type of files in the system bin directories.
-#
-type bin_t, file_type, sysadmfile;
-
-#
-# cert_t is the type of files in the system certs directories.
-#
-type cert_t, file_type, sysadmfile, secure_file_type;
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# shell_exec_t is the type of user shells such as /bin/bash.
-#
-type shell_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t, file_type, sysadmfile;
-
-#
-# usr_t is the type for /usr.
-#
-type usr_t, file_type, mount_point, sysadmfile;
-
-#
-# src_t is the type of files in the system src directories.
-#
-type src_t, file_type, mount_point, sysadmfile;
-
-#
-# var_t is the type for /var.
-#
-type var_t, file_type, mount_point, sysadmfile;
-
-#
-# Types for subdirectories of /var.
-#
-type var_run_t, file_type, sysadmfile;
-type var_log_t, file_type, sysadmfile, logfile;
-typealias var_log_t alias crond_log_t;
-type faillog_t, file_type, sysadmfile, logfile;
-type var_lock_t, file_type, sysadmfile, lockfile;
-type var_lib_t, mount_point, file_type, sysadmfile;
-# for /var/{spool,lib}/texmf index files
-type tetex_data_t, file_type, sysadmfile, tmpfile;
-type var_spool_t, file_type, sysadmfile, tmpfile;
-type var_yp_t, file_type, sysadmfile;
-
-# Type for /var/log/ksyms.
-type var_log_ksyms_t, file_type, sysadmfile, logfile;
-
-# Type for /var/log/lastlog.
-type lastlog_t, file_type, sysadmfile, logfile;
-
-# Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
-
-#
-# wtmp_t is the type of /var/log/wtmp.
-#
-type wtmp_t, file_type, sysadmfile, logfile;
-
-#
-# cron_spool_t is the type for /var/spool/cron.
-#
-type cron_spool_t, file_type, sysadmfile;
-
-#
-# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
-#
-type print_spool_t, file_type, sysadmfile, tmpfile;
-
-#
-# mail_spool_t is the type for /var/spool/mail.
-#
-type mail_spool_t, file_type, sysadmfile;
-
-#
-# mqueue_spool_t is the type for /var/spool/mqueue.
-#
-type mqueue_spool_t, file_type, sysadmfile;
-
-#
-# man_t is the type for the man directories.
-#
-type man_t, file_type, sysadmfile;
-typealias man_t alias catman_t;
-
-#
-# readable_t is a general type for
-# files that are readable by all domains.
-#
-type readable_t, file_type, sysadmfile;
-
-#
-# Base type for the tests directory.
-#
-type test_file_t, file_type, sysadmfile;
-
-#
-# poly_t is the type for the polyinstantiated directories.
-#
-type poly_t, file_type, sysadmfile;
-
-#
-# swapfile_t is for swap files
-#
-type swapfile_t, file_type, sysadmfile;
-
-#
-# locale_t is the type for system localization
-#
-type locale_t, file_type, sysadmfile;
-
-#
-# Allow each file type to be associated with
-# the default file system type.
-#
-allow { file_type device_type ttyfile } fs_t:filesystem associate;
-
-# Allow the pty to be associated with the file system.
-allow devpts_t self:filesystem associate;
-
-type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
-allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
-allow { logfile tmpfile home_type } tmp_t:filesystem associate;
-ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
-')
-
-type autofs_t, fs_type, noexattrfile, sysadmfile;
-allow autofs_t self:filesystem associate;
-
-type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
-allow usbdevfs_t self:filesystem associate;
-
-type sysfs_t, mount_point, fs_type, sysadmfile;
-allow sysfs_t self:filesystem associate;
-
-type iso9660_t, fs_type, noexattrfile, sysadmfile;
-allow iso9660_t self:filesystem associate;
-
-type romfs_t, fs_type, sysadmfile;
-allow romfs_t self:filesystem associate;
-
-type ramfs_t, fs_type, sysadmfile;
-allow ramfs_t self:filesystem associate;
-
-type dosfs_t, fs_type, noexattrfile, sysadmfile;
-allow dosfs_t self:filesystem associate;
-
-type hugetlbfs_t, mount_point, fs_type, sysadmfile;
-allow hugetlbfs_t self:filesystem associate;
-
-typealias file_t alias mqueue_t;
-
-# udev_runtime_t is the type of the udev table file
-type udev_runtime_t, file_type, sysadmfile;
-
-# krb5_conf_t is the type of the /etc/krb5.conf file
-type krb5_conf_t, file_type, sysadmfile;
-
-type cifs_t, fs_type, noexattrfile, sysadmfile;
-allow cifs_t self:filesystem associate;
-
-type debugfs_t, fs_type, sysadmfile;
-allow debugfs_t self:filesystem associate;
-
-type inotifyfs_t, fs_type, sysadmfile;
-allow inotifyfs_t self:filesystem associate;
-
-type capifs_t, fs_type, sysadmfile;
-allow capifs_t self:filesystem associate;
-
-# removable_t is the default type of all removable media
-type removable_t, file_type, sysadmfile, usercanread;
-allow removable_t self:filesystem associate;
-allow file_type removable_t:filesystem associate;
-allow file_type noexattrfile:filesystem associate;
-
-# Type for anonymous FTP data, used by ftp and rsync
-type public_content_t, file_type, sysadmfile, customizable;
-type public_content_rw_t, file_type, sysadmfile, customizable;
-typealias public_content_t alias ftpd_anon_t;
-typealias public_content_rw_t alias ftpd_anon_rw_t;
-
-allow customizable self:filesystem associate;
-
-# type for /tmp/.ICE-unix
-type ice_tmp_t, file_type, sysadmfile, tmpfile;
-
-# type for /usr/share/hwdata
-type hwdata_t, file_type, sysadmfile;
-
diff --git a/strict/types/network.te b/strict/types/network.te
deleted file mode 100644
index eb8bdcb3..00000000
--- a/strict/types/network.te
+++ /dev/null
@@ -1,178 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-# Modified by Reino Wallin
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# Move port types to their respective domains, add ifdefs, other cleanups.
-
-type xserver_port_t, port_type;
-#
-# Defines used by the te files need to be defined outside of net_constraints
-#
-type rsh_port_t, port_type, reserved_port_type;
-type dns_port_t, port_type, reserved_port_type;
-type smtp_port_t, port_type, reserved_port_type;
-type dhcpd_port_t, port_type, reserved_port_type;
-type smbd_port_t, port_type, reserved_port_type;
-type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
-type http_port_t, port_type, reserved_port_type;
-type ipp_port_t, port_type, reserved_port_type;
-type gopher_port_t, port_type, reserved_port_type;
-type isakmp_port_t, port_type, reserved_port_type;
-
-allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
-type pop_port_t, port_type, reserved_port_type;
-
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
-
-############################################
-#
-# Network types
-#
-
-#
-# mail_port_t is for generic mail ports shared by different mail servers
-#
-type mail_port_t, port_type;
-
-#
-# Ports used to communicate with kerberos server
-#
-type kerberos_port_t, port_type, reserved_port_type;
-type kerberos_admin_port_t, port_type, reserved_port_type;
-type kerberos_master_port_t, port_type;
-
-#
-# Ports used to communicate with portmap server
-#
-type portmap_port_t, port_type, reserved_port_type;
-
-#
-# Ports used to communicate with ldap server
-#
-type ldap_port_t, port_type, reserved_port_type;
-
-#
-# port_t is the default type of INET port numbers.
-# The *_port_t types are used for specific port
-# numbers in net_contexts or net_contexts.mls.
-#
-type port_t, port_type;
-
-# reserved_port_t is the default type for INET reserved ports
-# that are not otherwise mapped to a specific port type.
-type reserved_port_t, port_type, reserved_port_type;
-
-#
-# netif_t is the default type of network interfaces.
-# The netif_*_t types are used for specific network
-# interfaces in net_contexts or net_contexts.mls.
-#
-type netif_t, netif_type;
-
-#
-# node_t is the default type of network nodes.
-# The node_*_t types are used for specific network
-# nodes in net_contexts or net_contexts.mls.
-#
-type node_t, node_type;
-type node_lo_t, node_type;
-type node_internal_t, node_type;
-type node_inaddr_any_t, node_type;
-type node_unspec_t, node_type;
-type node_link_local_t, node_type;
-type node_site_local_t, node_type;
-type node_multicast_t, node_type;
-type node_mapped_ipv4_t, node_type;
-type node_compat_ipv4_t, node_type;
-
-# Kernel-generated traffic, e.g. ICMP replies.
-allow kernel_t netif_type:netif { rawip_send rawip_recv };
-allow kernel_t node_type:node { rawip_send rawip_recv };
-
-# Kernel-generated traffic, e.g. TCP resets.
-allow kernel_t netif_type:netif { tcp_send tcp_recv };
-allow kernel_t node_type:node { tcp_send tcp_recv };
-type radius_port_t, port_type;
-type radacct_port_t, port_type;
-type rndc_port_t, port_type, reserved_port_type;
-type tftp_port_t, port_type, reserved_port_type;
-type printer_port_t, port_type, reserved_port_type;
-type mysqld_port_t, port_type;
-type postgresql_port_t, port_type;
-type ptal_port_t, port_type;
-type howl_port_t, port_type;
-type dict_port_t, port_type;
-type syslogd_port_t, port_type, reserved_port_type;
-type spamd_port_t, port_type, reserved_port_type;
-type ssh_port_t, port_type, reserved_port_type;
-type pxe_port_t, port_type;
-type amanda_port_t, port_type;
-type fingerd_port_t, port_type, reserved_port_type;
-type dhcpc_port_t, port_type, reserved_port_type;
-type ntp_port_t, port_type, reserved_port_type;
-type stunnel_port_t, port_type;
-type zebra_port_t, port_type;
-type i18n_input_port_t, port_type;
-type vnc_port_t, port_type;
-type pegasus_http_port_t, port_type;
-type pegasus_https_port_t, port_type;
-type openvpn_port_t, port_type;
-type clamd_port_t, port_type;
-type transproxy_port_t, port_type;
-type clockspeed_port_t, port_type;
-type pyzor_port_t, port_type;
-type postgrey_port_t, port_type;
-type asterisk_port_t, port_type;
-type utcpserver_port_t, port_type;
-type nessus_port_t, port_type;
-type razor_port_t, port_type;
-type distccd_port_t, port_type;
-type socks_port_t, port_type;
-type gatekeeper_port_t, port_type;
-type dcc_port_t, port_type;
-type lrrd_port_t, port_type;
-type jabber_client_port_t, port_type;
-type jabber_interserver_port_t, port_type;
-type ircd_port_t, port_type;
-type giftd_port_t, port_type;
-type soundd_port_t, port_type;
-type imaze_port_t, port_type;
-type monopd_port_t, port_type;
-# Differentiate between the port where amavisd receives mail, and the
-# port where it returns cleaned mail back to the MTA.
-type amavisd_recv_port_t, port_type;
-type amavisd_send_port_t, port_type;
-type innd_port_t, port_type, reserved_port_type;
-type snmp_port_t, port_type, reserved_port_type;
-type biff_port_t, port_type, reserved_port_type;
-type hplip_port_t, port_type;
-
-#inetd_child_ports
-
-type rlogind_port_t, port_type, reserved_port_type;
-type telnetd_port_t, port_type, reserved_port_type;
-type comsat_port_t, port_type, reserved_port_type;
-type cvs_port_t, port_type;
-type dbskkd_port_t, port_type;
-type inetd_child_port_t, port_type, reserved_port_type;
-type ktalkd_port_t, port_type, reserved_port_type;
-type rsync_port_t, port_type, reserved_port_type;
-type uucpd_port_t, port_type, reserved_port_type;
-type swat_port_t, port_type, reserved_port_type;
-type zope_port_t, port_type;
-type auth_port_t, port_type, reserved_port_type;
-
-# afs ports
-
-type afs_fs_port_t, port_type;
-type afs_pt_port_t, port_type;
-type afs_vl_port_t, port_type;
-type afs_ka_port_t, port_type;
-type afs_bos_port_t, port_type;
-
diff --git a/strict/types/nfs.te b/strict/types/nfs.te
deleted file mode 100644
index 9076bb81..00000000
--- a/strict/types/nfs.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#############################################
-#
-# NFS types
-#
-
-#
-# nfs_t is the default type for NFS file systems
-# and their files.
-# The nfs_*_t types are used for specific NFS
-# servers in net_contexts or net_contexts.mls.
-#
-type nfs_t, mount_point, fs_type;
-
-#
-# Allow NFS files to be associated with an NFS file system.
-#
-allow nfs_t self:filesystem associate;
-allow file_type nfs_t:filesystem associate;
diff --git a/strict/types/procfs.te b/strict/types/procfs.te
deleted file mode 100644
index 20703ac5..00000000
--- a/strict/types/procfs.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Procfs types
-#
-
-#
-# proc_t is the type of /proc.
-# proc_kmsg_t is the type of /proc/kmsg.
-# proc_kcore_t is the type of /proc/kcore.
-# proc_mdstat_t is the type of /proc/mdstat.
-# proc_net_t is the type of /proc/net.
-#
-type proc_t, fs_type, mount_point, proc_fs;
-type proc_kmsg_t, proc_fs;
-type proc_kcore_t, proc_fs;
-type proc_mdstat_t, proc_fs;
-type proc_net_t, proc_fs;
-
-#
-# sysctl_t is the type of /proc/sys.
-# sysctl_fs_t is the type of /proc/sys/fs.
-# sysctl_kernel_t is the type of /proc/sys/kernel.
-# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
-# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
-# sysctl_net_t is the type of /proc/sys/net.
-# sysctl_net_unix_t is the type of /proc/sys/net/unix.
-# sysctl_vm_t is the type of /proc/sys/vm.
-# sysctl_dev_t is the type of /proc/sys/dev.
-# sysctl_rpc_t is the type of /proc/net/rpc.
-#
-# These types are applied to both the entries in
-# /proc/sys and the corresponding sysctl parameters.
-#
-type sysctl_t, mount_point, sysctl_type;
-type sysctl_fs_t, sysctl_type;
-type sysctl_kernel_t, sysctl_type;
-type sysctl_modprobe_t, sysctl_type;
-type sysctl_hotplug_t, sysctl_type;
-type sysctl_net_t, sysctl_type;
-type sysctl_net_unix_t, sysctl_type;
-type sysctl_vm_t, sysctl_type;
-type sysctl_dev_t, sysctl_type;
-type sysctl_rpc_t, sysctl_type;
-type sysctl_irq_t, sysctl_type;
-
-
diff --git a/strict/types/security.te b/strict/types/security.te
deleted file mode 100644
index 76d97ddc..00000000
--- a/strict/types/security.te
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Security types
-#
-
-#
-# security_t is the target type when checking
-# the permissions in the security class. It is also
-# applied to selinuxfs inodes.
-#
-type security_t, mount_point, fs_type, mlstrustedobject;
-
-#
-# policy_config_t is the type of /etc/security/selinux/*
-# the security server policy configuration.
-#
-type policy_config_t, file_type, secadmfile;
-
-#
-# policy_src_t is the type of the policy source
-# files.
-#
-type policy_src_t, file_type, secadmfile;
-
-
-#
-# default_context_t is the type applied to
-# /etc/selinux/*/contexts/*
-#
-type default_context_t, file_type, login_contexts, secadmfile;
-
-#
-# file_context_t is the type applied to
-# /etc/selinux/*/contexts/files
-#
-type file_context_t, file_type, secadmfile;
-
-#
-# no_access_t is the type for objects that should
-# only be accessed administratively.
-#
-type no_access_t, file_type, sysadmfile;
-
-#
-# selinux_config_t is the type applied to
-# /etc/selinux/config
-#
-type selinux_config_t, file_type, secadmfile;
-
-
diff --git a/strict/types/x.te b/strict/types/x.te
deleted file mode 100644
index 0cee3145..00000000
--- a/strict/types/x.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# Authors: Eamon Walsh
-#
-
-#######################################
-#
-# Types for the SELinux-enabled X Window System
-#
-
-#
-# X protocol extension types. The SELinux extension in the X server
-# has a hardcoded table that maps actual extension names to these types.
-#
-type accelgraphics_ext_t, xextension;
-type debug_ext_t, xextension;
-type font_ext_t, xextension;
-type input_ext_t, xextension;
-type screensaver_ext_t, xextension;
-type security_ext_t, xextension;
-type shmem_ext_t, xextension;
-type std_ext_t, xextension;
-type sync_ext_t, xextension;
-type unknown_ext_t, xextension;
-type video_ext_t, xextension;
-type windowmgr_ext_t, xextension;
-
-#
-# X property types. The SELinux extension in the X server has a
-# hardcoded table that maps actual extension names to these types.
-#
-type wm_property_t, xproperty;
-type unknown_property_t, xproperty;
diff --git a/strict/users b/strict/users
deleted file mode 100644
index acf0292a..00000000
--- a/strict/users
+++ /dev/null
@@ -1,57 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines each user recognized by the system security policy.
-# Only the user identities defined in this file may be used as the
-# user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity. The syntax of a user declaration is:
-#
-# user username roles role_set [ level default_level range allowed_range ] level s0 range s0;
-#
-# The MLS default level and allowed range should only be specified if
-# MLS was enabled in the policy.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system_u,
-# and a user process should never be assigned the system_u user
-# identity.
-#
-user system_u roles system_r;
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-user user_u roles { user_r };
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-
-# The sysadm_r user also needs to be permitted system_r if we are to allow
-# direct execution of daemons
-user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') };
-
-# sample for administrative user
-#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
-
-# sample for regular user
-#user jdoe roles { user_r };
-
-#
-# The following users correspond to special Unix identities
-#
-ifdef(`nx_server.te', `
-user nx roles nx_server_r;
-')
diff --git a/targeted/COPYING b/targeted/COPYING
deleted file mode 100644
index 5b6e7c66..00000000
--- a/targeted/COPYING
+++ /dev/null
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/targeted/ChangeLog b/targeted/ChangeLog deleted file mode 100644 index 9be12319..00000000 --- a/targeted/ChangeLog +++ /dev/null 
@@ -1,414 +0,0 @@ -1.27.2 2005-10-20 - * Merged patch from Chad Hanson. Modified MLS constraints. - Provided comments for the MLS attributes. - * Merged two patches from Thomas Bleher which made some minor - fixes and cleanups. - * Merged patches from Russell Coker. Added comments to some of the - MLS attributes. Added the secure_mode_insmod boolean to determine - whether the system permits loading policy, setting enforcing mode, - and changing boolean values. Made minor fixes for the cdrecord_domain - macro, application_domain, newrole_domain, and daemon_base_domain - macros. Added rules to allow the mail server to access the user - home directories in the targeted policy and allows the postfix - showq program to do DNS lookups. Minor fixes for the MCS - policy. Made other minor fixes and cleanups. - * Merged patch from Dan Walsh. Added opencd, pegasus, readahead, - and roundup policies. Created can_access_pty macro to handle pty - output. Created nsswithch_domain macro for domains using - nsswitch. Added mcs transition rules. Removed mqueue and added - capifs genfscon entries. Added dhcpd and pegasus ports. Added - domain transitions from login domains to pam_console and alsa - domains. Added rules to allow the httpd and squid domains to - relay more protocols. For the targeted policy, removed sysadm_r - role from unconfined_t. Made other fixes and cleanups. -1.27.1 2005-09-15 - * Merged small patches from Russell Coker for the apostrophe, - dhcpc, fsadm, and setfiles policy. - * Merged a patch from Russell Coker with some minor fixes to a - multitude of policy files. - * Merged patch from Dan Walsh from August 15th. Adds certwatch - policy. Adds mcs support to Makefile. Adds mcs file which - defines sensitivities and categories for the MSC policy. Creates - an authentication_domain macro in global_macros.te for domains - that use pam_authentication. 
Creates the anonymous_domain macro - so that the ftpd, rsync, httpd, and smbd domains can share the - ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to - start isolating individual ethernet devices. Changes vpnc from a - daemon to an application_domain. Adds audit_control capability to - crond_t. Adds dac_override and dac_read_search capabilities to - fsadm_t to allow the manipulation of removable media. Adds - read_sysctl macro to the base_passwd_domain macro. Adds rules to - allow alsa_t to communicate with userspace. Allows networkmanager - to communicate with isakmp_port and to use vpnc. For targeted - policy, removes transitions of sysadm_t to apm_t, backup_t, - bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t. - Makes other minor cleanups and fixes. - -1.26 2005-09-06 - * Updated version for release. - -1.25.4 2005-08-10 - * Merged small patches from Russell Coker for the restorecon, - kudzu, lvm, radvd, and spamassasin policies. - * Added fs_use_trans rule for mqueue from Mark Gebhart to support - the work he has done on providing SELinux support for mqueue. - * Merged a patch from Dan Walsh. Removes the user_can_mount - tunable. Adds disable_evolution_trans and disable_thunderbird_trans - booleans. Adds the nscd_client_domain attribute to insmod_t. - Removes the user_ping boolean from targeted policy. Adds - hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts. - Adds the isakmp_port for vpnc. Creates the pptp daemon domain. - Allows getty to run sbin_t for pppd. Allows initrc to write to - default_t for booting. Allows Hotplug_t sys_rawio for prism54 - card at boot. Other minor fixes. - -1.25.3 2005-07-18 - * Merged patch from Dan Walsh. Adds auth_bool attribute to allow - domains to have read access to shadow_t. Creates pppd_can_insmod - boolean to control the loading of modem kernel modules. Allows - nfs to export noexattrfile types. Allows unix_chpwd to access - cert files and random devices for encryption purposes. 
Other - minor cleanups and fixes. - -1.25.2 2005-07-11 - * Merged patch from Dan Walsh. Added allow_ptrace boolean to - allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the - audit_control and audit_write capabilities. Stops targeted policy - from transitioning from unconfined_t to netutils. Allows cupsd to - audit messages. Gives prelink the execheap, execmem, and execstack - permissions by default. Adds can_winbind boolean and functions to - better handle samba and winbind communications. Eliminates - allow_execmod checks around texrel_shlib_t libraries. Other minor - cleanups and fixes. - -1.25.1 2005-07-05 - * Moved role_tty_type_change, reach_sysadm, and priv_user macros - from user.te to user_macros.te as suggested by Steve. - * Modified admin_domain macro so autrace would work and removed - privuser attribute for dhcpc as suggested by Russell Coker. - * Merged rather large patch from Dan Walsh. Moves - targeted/strict/mls policies closer together. Adds local.te for - users to customize. Includes minor fixes to auditd, cups, - cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch - that defines all ports in network.te. Ports are always defined - now, no ifdefs are used in network.te. Also includes Ivan - Gyurdiev's user home directory policy patches. These patches add - alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs, - iceauth, orbit, and thunderbird policy. They create read_content, - write_trusted, and write_untrusted macros in content.te. They - create network_home, write_network_home, read_network_home, - base_domain_ro_access, home_domain_access, home_domain, and - home_domain_ro macros in home_macros.te. They also create - $3_read_content, $3_write_content, and write_untrusted booleans. - -1.24 2005-06-20 - * Updated version for release. - -1.23.18 2005-05-31 - * Merged minor fixes to pppd.fc and courier.te by Russell Coker. - * Removed devfsd policy as suggested by Russell Coker. - * Merged patch from Dan Walsh. 
Includes beginnings of Ivan - Gyurdiev's Font Config policy. Don't transition to fsadm_t from - unconfined_t (sysadm_t) in targeted policy. Add support for - debugfs in modutil. Allow automount to create and delete - directories in /root and /home dirs. Move can_ypbind to - chkpwd_macro.te. Allow useradd to create additional files and - types via the skell mechanism. Other minor cleanups and fixes. - -1.23.17 2005-05-23 - * Merged minor fixes by Petre Rodan to the daemontools, dante, - gpg, kerberos, and ucspi-tcp policies. - * Merged minor fixes by Russell Coker to the bluetooth, crond, - initrc, postfix, and udev policies. Modifies constraints so that - newaliases can be run. Modifies types.fc so that objects in - lost+found directories will not be relabled. - * Modified fc rules for nvidia. - * Added Chad Sellers policy for polyinstantiation support, which - creates the polydir, polyparent, and polymember attributes. Also - added the support_polyinstantiation tunable. - * Merged patch from Dan Walsh. Includes mount_point attribute, - read_font macros and some other policy fixes from Ivan Gyurdiev. - Adds privkmsg and secadmfile attributes and ddcprobe policy. - Removes the use_syslogng boolean. Many other minor fixes. - -1.23.16 2005-05-13 - * Added rdisc policy from Russell Coker. - * Merged minor fix to named policy by Petre Rodan. - * Merged minor fixes to policy from Russell Coker for kudzu, - named, screen, setfiles, telnet, and xdm. - * Merged minor fix to Makefile from Russell Coker. - -1.23.15 2005-05-06 - * Added tripwire and yam policy from David Hampton. - * Merged minor fixes to amavid and a clarification to the - httpdcontent attribute comments from David Hampton. - * Merged patch from Dan Walsh. Includes fixes for restorecon, - games, and postfix from Russell Coker. Adds support for debugfs. - Restores support for reiserfs. Allows udev to work with tmpfs_t - before /dev is labled. 
Removes transition from sysadm_t - (unconfined_t) to ifconfig_t for the targeted policy. Other minor - cleanups and fixes. - -1.23.14 2005-04-29 - * Added afs policy from Andrew Reisse. - * Merged patch from Lorenzo Hernández García-Hierro which defines - execstack and execheap permissions. The patch excludes these - permissions from general_domain_access and updates the macros for - X, legacy binaries, users, and unconfined domains. - * Added nlmsg_relay permisison where netlink_audit_socket class is - used. Added nlmsg_readpriv permission to auditd_t and auditctl_t. - * Merged some minor cleanups from Russell Coker and David Hampton. - * Merged patch from Dan Walsh. Many changes made to allow - targeted policy to run closer to strict and now almost all of - non-userspace is protected via SELinux. Kernel is now in - unconfined_domain for targeted and runs as root:system_r:kernel_t. - Added transitionbool to daemon_sub_domain, mainly to turn off - httpd_suexec transitioning. Implemented web_client_domain - name_connect rules. Added yp support for cups. Now the real - hotplug, udev, initial_sid_contexts are used for the targeted - policy. Other minor cleanups and fixes. Auditd fixes by Paul - Moore. - -1.23.13 2005-04-22 - * Merged more changes from Dan Walsh to initrc_t for removal of - unconfined_domain. - * Merged Dan Walsh's split of auditd policy into auditd_t for the - audit daemon and auditctl_t for the autoctl program. - * Added use of name_connect to uncond_can_ypbind macro by Dan - Walsh. - * Merged other cleanup and fixes by Dan Walsh. - -1.23.12 2005-04-20 - * Merged Dan Walsh's Netlink changes to handle new auditing pam - modules. - * Merged Dan Walsh's patch removing the sysadmfile attribute from - policy files to separate sysadm_t from secadm_t. - * Added CVS and uucpd policy from Dan Walsh. - * Cleanup by Dan Walsh to handle turning off unlimitedRC. - * Merged Russell Coker's fixes to ntpd, postgrey, and named - policy. 
- * Cleanup of chkpwd_domain and added permissions to su_domain - macro due to pam changes to support audit. - * Added nlmsg_relay and nlmsg_readpriv permissions to the - netlink_audit_socket class. - -1.23.11 2005-04-14 - * Merged Dan Walsh's separation of the security manager and system - administrator. - * Removed screensaver.te as suggested by Thomas Bleher - * Cleanup of typealiases that are no longer used by Thomas Bleher. - * Cleanup of fc files and additional rules for SuSE by Thomas - Bleher. - * Merged changes to auditd and named policy by Russell Coker. - * Merged MLS change from Darrel Goeddel to support the policy - hierarchy patch. - -1.23.10 2005-04-08 - * Removed pump.te, pump.fc, and targeted/domains/program/modutil.te - -1.23.9 2005-04-07 - * Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup - of x_client apps. - * Added dmidecode policy from Ivan Gyurdiev. - -1.23.8 2005-04-05 - * Added netlink_kobject_uevent_socket class. - * Removed empty files pump.te and pump.fc. - * Added NetworkManager policy from Dan Walsh. - * Merged Dan Walsh's major restructuring of Apache's policy. - -1.23.7 2005-04-04 - * Merged David Hampton's amavis and clamav cleanups. - * Added David Hampton's dcc, pyzor, and razor policy. - -1.23.6 2005-04-01 - * Merged cleanup of the Makefile and other stuff from Dan Walsh. - Dan's patch includes some desktop changes from Ivan Gyurdiev. - * Merged Thomas Bleher's patches which increase the usage of - lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to - DOMAIN_var_lib_t, and removes use of notdevfile_class_set where - possible. - * Merged Greg Norris's cleanup of fetchmail. - -1.23.5 2005-03-23 - * Added name_connect support from Dan Walsh. - * Added httpd_unconfined_t from Dan Walsh. - * Merged cleanup of assert.te to allow unresticted full access - from Dan Walsh. - -1.23.4 2005-03-21 - * Merged diffs from Dan Walsh: - * Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan - Gyurdiev. 
- * Added syslogng support to syslog.te. - -1.23.3 2005-03-15 - * Added policy for nx_server from Thomas Bleher. - * Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and - publicfile from Petre Rodan. - -1.23.2 2005-03-14 - * Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's - gift policy. - * Made sysadm_r the first role for root, so root's home will be labled - as sysadm_home_dir_t instead of staff_home_dir_t. - * Modified fs_use and Makefile to reflect jfs now supporting security - xattrs. - -1.23.1 2005-03-10 - * Merged diffs from Dan Walsh. Dan's patch includes Ivan - Gyurdiev's cleanup of homedir macros and more extensive use of - read_sysctl() - -1.22 2005-03-09 - * Updated version for release. - -1.21 2005-02-24 - * Added secure_file_type attribute from Dan Walsh - * Added access_terminal() macro from Ivan Gyurdiev - * Updated capability access vector for audit capabilities. - * Added mlsconvert Makefile target to help generate MLS policies - (see selinux-doc/README.MLS for instructions). - * Changed policy Makefile to still generate policy.18 as well, - and use it for make load if the kernel doesn't support 19. - * Merged enhanced MLS support from Darrel Goeddel (TCS). - * Merged diffs from Dan Walsh, Russell Coker, and Greg Norris. - * Merged man pages from Dan Walsh. - -1.20 2005-01-04 - * Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and - Petre Rodan. - * Merged can_create() macro used for file_type_{,auto_}trans() - from Thomas Bleher. - * Merged dante and stunnel policy by Petre Rodan. - * Merged $1_file_type attribute from Thomas Bleher. - * Merged network_macros from Dan Walsh. - -1.18 2004-10-25 - * Merged diffs from Russell Coker and Dan Walsh. - * Merged mkflask and mkaccess_vector patches from Ulrich Drepper. - * Added reserved_port_t type and portcon entries to map all other - reserved ports to this type. - * Added distro_ prefix to distro tunables to avoid conflicts. 
- * Merged diffs from Russell Coker. - -1.16 2004-08-16 - * Added nscd definitions. - * Converted many tunables to policy booleans. - * Added crontab permission. - * Merged diffs from Dan Walsh. - This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well. - * Merged diffs from Russell Coker. - * Adjusted constraints for crond restart. - * Merged dbus/userspace object manager policy from Colin Walters. - * Merged dbus definitions from Matthew Rickard. - * Merged dnsmasq policy from Greg Norris. - * Merged gpg-agent policy from Thomas Bleher. - -1.14 2004-06-28 - * Removed vmware-config.pl from vmware.fc. - * Added crond entry to root_default_contexts. - * Merged patch from Dan Walsh. - * Merged mdadm and postfix changes from Colin Walters. - * Merged reiserfs and rpm changes from Russell Coker. - * Merged runaway .* glob fix from Valdis Kletnieks. - * Merged diff from Dan Walsh. - * Merged fine-grained netlink classes and permissions. - * Merged changes for new /etc/selinux layout. - * Changed mkaccess_vector.sh to provide stable order. - * Merged diff from Dan Walsh. - * Fix restorecon path in restorecon.fc. - * Merged pax class and access vector definition from Joshua Brindle. - -1.12 2004-05-12 - * Added targeted policy. - * Merged atd/at into crond/crontab domains. - * Exclude bind mounts from relabeling to avoid aliasing. - * Removed some obsolete types and remapped their initial SIDs to unlabeled. - * Added SE-X related security classes and policy framework. - * Added devnull initial SID and context. - * Merged diffs from Fedora policy. - -1.10 2004-04-07 - * Merged ipv6 support from James Morris of RedHat. - * Merged policy diffs from Dan Walsh. - * Updated call to genhomedircon to reflect new usage. - * Merged policy diffs from Dan Walsh and Russell Coker. - * Removed config-users and config-services per Dan's request. - -1.8 2004-03-09 - * Merged genhomedircon patch from Karl MacMillan of Tresys. - * Added restorecon domain. 
- * Added unconfined_domain macro. - * Added default_t for /.* file_contexts entry and replaced some - uses of file_t with default_t in the policy. - * Added su_restricted_domain() macro and use it for initrc_t. - * Merged policy diffs from Dan Walsh and Russell Coker. - These included a merge of an earlier patch by Chris PeBenito - to rename the etc types to be consistent with other types. - -1.6 2004-02-18 - * Merged xfs support from Chris PeBenito. - * Merged conditional rules for ping.te. - * Defined setbool permission, added can_setbool macro. - * Partial network policy cleanup. - * Merged with Russell Coker's policy. - * Renamed netscape macro and domain to mozilla and renamed - ipchains domain to iptables for consistency with Russell. - * Merged rhgb macro and domain from Russell Coker. - * Merged tunable.te from Russell Coker. - Only define direct_sysadm_daemon by default in our copy. - * Added rootok permission to passwd class. - * Merged Makefile change from Dan Walsh to generate /home - file_contexts entries for staff users. - * Added automatic role and domain transitions for init scripts and - daemons. Added an optional third argument (nosysadm) to - daemon_domain to omit the direct transition from sysadm_r when - the same executable is also used as an application, in which - case the daemon must be restarted via the init script to obtain - the proper security context. Added system_r to the authorized roles - for admin users at least until support for automatic user identity - transitions exist so that a transition to system_u can be provided - transparently. - * Added support to su domain for using pam_selinux. - Added entries to default_contexts for the su domains to - provide reasonable defaults. Removed user_su_t. - * Tighten restriction on user identity and role transitions in constraints. - * Merged macro for newrole-like domains from Russell Coker. - * Merged stub dbusd domain from Russell Coker. - * Merged stub prelink domain from Dan Walsh. 
- * Merged updated userhelper and config tool domains from Dan Walsh.
- * Added send_msg/recv_msg permissions to can_network macro.
- * Merged patch by Chris PeBenito for sshd subsystems.
- * Merged patch by Chris PeBenito for passing class to var_run_domain.
- * Merged patch by Yuichi Nakamura for append_log_domain macros.
- * Merged patch by Chris PeBenito for rpc_pipefs labeling.
- * Merged patch by Colin Walters to apply m4 once so that
- source file info is preserved for checkpolicy.
-
-1.4 2003-12-01
- * Merged patches from Russell Coker.
- * Revised networking permissions.
- * Added new node_bind permission.
- * Added new siginh, rlimitinh, and setrlimit permissions.
- * Added proc_t:file read permission for new is_selinux_enabled logic.
- * Added failsafe_context configuration file to appconfig.
- * Moved newrules.pl to policycoreutils, renamed to audit2allow.
- * Merged newrules.pl patch from Yuichi Nakamura.
-
-1.2 2003-09-30
- * More policy merging with Russell Coker.
- * Transferred newrules.pl script from the old SELinux.
- * Merged MLS configuration patch from Karl MacMillan of Tresys.
- * Limit staff_t to reading /proc entries for unpriv_userdomain.
- * Updated Makefile and spec file to allow non-root builds,
- based on patch by Paul Nasrat.
-
-1.1 2003-08-13
- * Merged Makefile check-all and te-includes patches from Colin Walters.
- * Merged x-debian-packages.patch from Colin Walters.
- * Folded read permission into domain_trans.
-
-1.0 2003-07-11
- * Initial public release.
-
diff --git a/targeted/Makefile b/targeted/Makefile
deleted file mode 100644
index 43116540..00000000
--- a/targeted/Makefile
+++ /dev/null
@@ -1,364 +0,0 @@ -# -# Makefile for the security policy. -# -# Targets: -# -# install - compile and install the policy configuration, and context files. -# load - compile, install, and load the policy configuration. -# reload - compile, install, and load/reload the policy configuration. -# relabel - relabel filesystems based on the file contexts configuration. -# policy - compile the policy configuration locally for testing/development. -# -# The default target is 'install'. -# - -# Set to y if MLS is enabled in the policy. -MLS=n - -# Set to y if MCS is enabled in the policy -MCS=y - -FLASKDIR = flask/ -PREFIX = /usr -BINDIR = $(PREFIX)/bin -SBINDIR = $(PREFIX)/sbin -LOADPOLICY = $(SBINDIR)/load_policy -CHECKPOLICY = $(BINDIR)/checkpolicy -GENHOMEDIRCON = $(SBINDIR)/genhomedircon -SETFILES = $(SBINDIR)/setfiles -VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') -PREVERS := 20 -KERNVERS := $(shell cat /selinux/policyvers) -MLSENABLED := $(shell cat /selinux/mls) -POLICYVER := policy.$(VERS) -TOPDIR = $(DESTDIR)/etc/selinux -TYPE=targeted - -INSTALLDIR = $(TOPDIR)/$(TYPE) -POLICYPATH = $(INSTALLDIR)/policy -SRCPATH = $(INSTALLDIR)/src -USERPATH = $(INSTALLDIR)/users -CONTEXTPATH = $(INSTALLDIR)/contexts -LOADPATH = $(POLICYPATH)/$(POLICYVER) -FCPATH = $(CONTEXTPATH)/files/file_contexts -HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template - -ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te) -ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te) -ALL_TYPES := $(wildcard types/*.te) -ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te) -ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te -TE_RBAC_FILES := $(ALLTEFILES) rbac -ALL_TUNABLES := $(wildcard tunables/*.tun ) -USER_FILES := users -POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) -ifeq ($(MLS),y) -POLICYFILES += mls -CHECKPOLMLS += -M -endif -ifeq ($(MCS), y) -POLICYFILES 
+= mcs -CHECKPOLMLS += -M -endif -DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts -POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES) -POLICYFILES += $(USER_FILES) -POLICYFILES += constraints -POLICYFILES += $(DEFCONTEXTFILES) -CONTEXTFILES = $(DEFCONTEXTFILES) -POLICY_DIRS = domains domains/program domains/misc macros macros/program - -UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te) - -FC = file_contexts/file_contexts -HOMEDIR_TEMPLATE = file_contexts/homedir_template -FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc) -CONTEXTFILES += $(FCFILES) - -APPDIR=$(CONTEXTPATH) -APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media -CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media - -ROOTFILES = $(addprefix $(APPDIR)/users/,root) - -all: policy - -tmp/valid_fc: $(LOADPATH) $(FC) -ifeq ($(CHECKPOLMLS), -M) -ifeq ($(MLSENABLED),1) - @echo "Validating file contexts files ..." - $(SETFILES) -q -c $(LOADPATH) $(FC) -endif -endif - @touch tmp/valid_fc - -install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users - -$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf - @mkdir -p $(USERPATH) - @echo "# " > tmp/system.users - @echo "# Do not edit this file. " >> tmp/system.users - @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users - @echo "# Please edit local.users to make local changes." 
>> tmp/system.users - @echo "#" >> tmp/system.users - @m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users - install -m 644 tmp/system.users $@ - -$(USERPATH)/local.users: local.users - @mkdir -p $(USERPATH) - install -b -m 644 $< $@ - -$(CONTEXTPATH)/files/media: appconfig/media - @mkdir -p $(CONTEXTPATH)/files/ - install -m 644 $< $@ - -$(APPDIR)/default_contexts: appconfig/default_contexts - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/removable_context: appconfig/removable_context - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/customizable_types: policy.conf - @mkdir -p $(APPDIR) - @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types - install -m 644 tmp/customizable_types $@ - -$(APPDIR)/port_types: policy.conf - @mkdir -p $(APPDIR) - @grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types - install -m 644 tmp/port_types $@ - -$(APPDIR)/default_type: appconfig/default_type - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/userhelper_context: appconfig/userhelper_context - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/initrc_context: appconfig/initrc_context - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/failsafe_context: appconfig/failsafe_context - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/dbus_contexts: appconfig/dbus_contexts - @mkdir -p $(APPDIR) - install -m 644 $< $@ - -$(APPDIR)/users/root: appconfig/root_default_contexts - @mkdir -p $(APPDIR)/users - install -m 644 $< $@ - -$(LOADPATH): policy.conf $(CHECKPOLICY) - @echo "Compiling policy ..." - @mkdir -p $(POLICYPATH) - $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf -ifneq ($(VERS),$(PREVERS)) - $(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf -endif - -# Note: Can't use install, so not sure how to deal with mode, user, and group -# other than by default. 
- -policy: $(POLICYVER) - -$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY) - $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf -ifeq ($(CHECKPOLMLS), -M) -ifeq (1, $(MLSENABLED)) - @echo "Validating file contexts files ..." - $(SETFILES) -q -c $(POLICYVER) $(FC) -endif -endif - -reload tmp/load: $(LOADPATH) - @echo "Loading Policy ..." - $(LOADPOLICY) - touch tmp/load - -load: tmp/load $(FCPATH) - -enableaudit: policy.conf - grep -v dontaudit policy.conf > policy.audit - mv policy.audit policy.conf - -policy.conf: $(POLICYFILES) $(POLICY_DIRS) - @echo "Building policy.conf ..." - @mkdir -p tmp - m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp - @mv $@.tmp $@ - -install-src: - rm -rf $(SRCPATH)/policy.old - -mv $(SRCPATH)/policy $(SRCPATH)/policy.old - @mkdir -p $(SRCPATH)/policy - cp -R . $(SRCPATH)/policy - -tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program - @mkdir -p tmp - ( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp - ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp - mv $@.tmp $@ - -FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';` - -checklabels: $(SETFILES) - $(SETFILES) -v -n $(FC) $(FILESYSTEMS) - -restorelabels: $(SETFILES) - $(SETFILES) -v $(FC) $(FILESYSTEMS) - -relabel: $(FC) $(SETFILES) - $(SETFILES) $(FC) $(FILESYSTEMS) - -file_contexts/misc: - @mkdir -p file_contexts/misc - -$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types - @echo "Installing file contexts files..." - @mkdir -p $(CONTEXTPATH)/files - install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) - install -m 644 $(FC) $(FCPATH) - @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) - -$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd - @echo "Building file contexts files..." 
- @m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp - @grep -v -e HOME -e ROLE -e USER $@.tmp > $@ - @grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE) - @-rm $@.tmp - -# Create a tags-file for the policy: -# we need exuberant ctags; unfortunately it is named differently on different distros, sigh... -pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs -CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme -ifeq ($(strip $(CTAGS)),) -CTAGS := $(call pathsearch,ctags) # suse naming scheme -endif - -tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te) - @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1) - @LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \ - --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \ - --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \ - --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \ - --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \ - --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^ - -clean: - rm -f policy.conf $(POLICYVER) - rm -f tags - rm -f tmp/* - rm -f $(FC) - rm -f flask/*.h -# for the policy regression tester - find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \ - -# Policy regression tester. -# Written by Colin Walters -cur_te = $(filter-out %/,$(subst /,/ ,$@)) - -TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES)) - -define compute_depends - export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //') -endef - - -ifeq ($(TE_DEPENDS_DEFINED),) -ifeq ($(MAKECMDGOALS),check-all) - GENRULES := $(TESTED_TE_FILES) - export TE_DEPENDS_DEFINED := yes -else - # Handle the case where checkunused/blah.te is run directly. 
- ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),) - GENRULES := $(TESTED_TE_FILES) - export TE_DEPENDS_DEFINED := yes - endif -endif -endif - -# Test for a new enough version of GNU Make. -$(eval have_eval := yes) -ifneq ($(GENRULES),) - ifeq ($(have_eval),) -$(error Need GNU Make 3.80 or better!) -Need GNU Make 3.80 or better - endif -endif -$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f)))) - -PHONIES := - -define compute_presymlinks -PHONIES += presymlink/$(1) -presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1))) - @if ! test -L domains/program/$(1); then \ - cd domains/program && ln -s unused/$(1) .; \ - fi -endef - -# Compute dependencies. -$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f)))) - -PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES)) -$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : - @$(MAKE) -s clean - -$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/% - @if test -n "$(TE_DEPENDS_$(cur_te))"; then \ - echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \ - fi - @echo "Testing $(cur_te)..."; - @if ! 
make -s policy 1>/dev/null; then \ - echo "Testing $(cur_te)...FAILED"; \ - exit 1; \ - fi; - @echo "Testing $(cur_te)...success."; \ - -check-all: - @for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \ - $(MAKE) --no-print-directory $$goal; \ - done - -.PHONY: clean $(PHONIES) - -mlsconvert: - @for file in $(CONTEXTFILES); do \ - echo "Converting $$file"; \ - sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ - mv $$file.new $$file; \ - done - @for file in $(USER_FILES); do \ - echo "Converting $$file"; \ - sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \ - mv $$file.new $$file; \ - done - @sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts - @echo "Enabling MLS in the Makefile" - @sed "s/MLS=n/MLS=y/" Makefile > Makefile.new - @mv Makefile.new Makefile - @echo "Done" - -mcsconvert: - @for file in $(CONTEXTFILES); do \ - echo "Converting $$file"; \ - sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ - mv $$file.new $$file; \ - done - @for file in $(USER_FILES); do \ - echo "Converting $$file"; \ - sed -r -e 's/\;/ level s0 range s0;/' $$file | \ - sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \ - mv $$file.new $$file; \ - done - @echo "Enabling MCS in the Makefile" - @sed "s/MCS=y/MCS=y/" Makefile > Makefile.new - @mv Makefile.new Makefile - @echo "Done" - diff --git a/targeted/README b/targeted/README deleted file mode 100644 index 6818b66d..00000000 --- a/targeted/README +++ /dev/null 
@@ -1,125 +0,0 @@
-The Makefile targets are:
-policy - compile the policy configuration.
-install - compile and install the policy configuration.
-load - compile, install, and load the policy configuration.
-relabel - relabel the filesystem.
-check-all - check individual additional policy files in domains/program/unused.
-checkunused/FILE.te - check individual file FILE from domains/program/unused.
-
-If you have configured MLS into your module, then set MLS=y in the
-Makefile prior to building the policy. Of course, you must have also
-built checkpolicy with MLS enabled.
-
-Three of the configuration files are independent of the particular
-security policy:
-1) flask/security_classes
-
- This file has a simple declaration for each security class.
- The corresponding symbol definitions are in the automatically
- generated header file .
-
-2) flask/initial_sids
-
- This file has a simple declaration for each initial SID.
- The corresponding symbol definitions are in the automatically
- generated header file .
-
-3) access_vectors
-
- This file defines the access vectors. Common prefixes for
- access vectors may be defined at the beginning of the file.
- After the common prefixes are defined, an access vector
- may be defined for each security class.
- The corresponding symbol definitions are in the automatically
- generated header file .
-
-In addition to being read by the security server, these configuration
-files are used during the kernel build to automatically generate
-symbol definitions used by the kernel for security classes, initial
-SIDs and permissions. Since the symbol definitions generated from
-these files are used during the kernel build, the values of existing
-security classes and permissions may not be modified by load_policy.
-However, new classes may be appended to the list of classes and new
-permissions may be appended to the list of permissions associated with
-each access vector definition.
-
-The policy-dependent configuration files are:
-1) tmp/all.te
-
- This file defines the Type Enforcement (TE) configuration.
- This file is automatically generated from a collection of files.
-
- The macros subdirectory contains a collection of m4 macro definitions
- used by the TE configuration. The global_macros.te file contains global
- macros used throughout the configuration for common groupings of classes
- and permissions and for common sets of rules. The user_macros.te file
- contains macros used in defining user domains. The admin_macros.te file
- contains macros used in defining admin domains. The macros/program
- subdirectory contains macros that are used to instantiate derived domains
- for certain programs that encode information about both the calling user
- domain and the program, permitting the policy to maintain separation
- between different instances of the program.
-
- The types subdirectory contains several files with declarations for
- general types (types not associated with a particular domain) and
- some rules defining relationships among those types. Related types
- are grouped together into each file in this directory, e.g. all
- device type declarations are in the device.te file.
-
- The domains subdirectory contains several files and directories
- with declarations and rules for each domain. User domains are defined in
- user.te. Administrator domains are defined in admin.te. Domains for
- specific programs, including both system daemons and other programs, are
- in the .te files within the domains/program subdirectory. The domains/misc
- subdirectory is for miscellaneous domains such as the kernel domain and
- the kernel module loader domain.
-
- The assert.te file contains assertions that are checked after evaluating
- the entire TE configuration.
-
-2) rbac
-
- This file defines the Role-Based Access Control (RBAC) configuration.
-
-3) mls
-
- This file defines the Multi-Level Security (MLS) configuration.
-
-4) users
-
- This file defines the users recognized by the security policy.
-
-5) constraints
-
- This file defines additional constraints on permissions
- in the form of boolean expressions that must be satisfied in order
- for specified permissions to be granted. These constraints
- are used to further refine the type enforcement tables and
- the role allow rules. Typically, these constraints are used
- to restrict changes in user identity or role to certain domains.
-
-6) initial_sid_contexts
-
- This file defines the security context for each initial SID.
- A security context consists of a user identity, a role, a type and
- optionally a MLS range if the MLS policy is enabled. If left unspecified,
- the high MLS level defaults to the low MLS level. The syntax of a valid
- security context is:
-
- user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
-
-7) fs_use
-
- This file defines the labeling behavior for inodes in particular
- filesystem types.
-
-8) genfs_contexts
-
- This file defines security contexts for files in filesystems that
- cannot support persistent label mappings or use one of the fixed
- labeling schemes specified in fs_use.
-
-8) net_contexts
-
- This file defines the security contexts of network objects
- such as ports, interfaces, and nodes.
-
-9) file_contexts/{types.fc,program/*.fc}
- These files define the security contexts for persistent files.
-
-It is possible to test the security server functions on a given policy
-configuration by running the checkpolicy program with the -d option.
-This program is built from the same sources as the security server
-component of the kernel, so it may be used both to verify that a
-policy configuration will load successfully and to determine how the
-security server would respond if it were using that policy
-configuration. A menu-based interface is provided for calling any of
-the security server functions after the policy is loaded.
diff --git a/targeted/VERSION b/targeted/VERSION
deleted file mode 100644
index 457f0385..00000000
--- a/targeted/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.27.2
diff --git a/targeted/appconfig/dbus_contexts b/targeted/appconfig/dbus_contexts
deleted file mode 100644
index 116e684f..00000000
--- a/targeted/appconfig/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
diff --git a/targeted/appconfig/default_contexts b/targeted/appconfig/default_contexts
deleted file mode 100644
index 94de3303..00000000
--- a/targeted/appconfig/default_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-system_r:unconfined_t:s0 system_r:unconfined_t:s0
-system_r:initrc_t:s0 system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
-system_r:rshd_t:s0 system_r:unconfined_t:s0
-system_r:crond_t:s0 system_r:unconfined_t:s0
diff --git a/targeted/appconfig/default_type b/targeted/appconfig/default_type
deleted file mode 100644
index 7ba74a9f..00000000
--- a/targeted/appconfig/default_type
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/targeted/appconfig/failsafe_context b/targeted/appconfig/failsafe_context
deleted file mode 100644
index 30fd6c0b..00000000
--- a/targeted/appconfig/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t:s0
diff --git a/targeted/appconfig/initrc_context b/targeted/appconfig/initrc_context
deleted file mode 100644
index dd0e5d97..00000000
--- a/targeted/appconfig/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-user_u:system_r:unconfined_t:s0
diff --git a/targeted/appconfig/media b/targeted/appconfig/media
deleted file mode 100644
index 81f3463e..00000000
--- a/targeted/appconfig/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/targeted/appconfig/removable_context b/targeted/appconfig/removable_context
deleted file mode 100644
index 7fcc56e4..00000000
--- a/targeted/appconfig/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/targeted/appconfig/root_default_contexts b/targeted/appconfig/root_default_contexts
deleted file mode 100644
index 94de3303..00000000
--- a/targeted/appconfig/root_default_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-system_r:unconfined_t:s0 system_r:unconfined_t:s0
-system_r:initrc_t:s0 system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
-system_r:rshd_t:s0 system_r:unconfined_t:s0
-system_r:crond_t:s0 system_r:unconfined_t:s0
diff --git a/targeted/appconfig/userhelper_context b/targeted/appconfig/userhelper_context
deleted file mode 100644
index 01f02a35..00000000
--- a/targeted/appconfig/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:unconfined_t:s0
diff --git a/targeted/assert.te b/targeted/assert.te
deleted file mode 100644
index 4fa84f09..00000000
--- a/targeted/assert.te
+++ /dev/null
@@ -1,40 +0,0 @@
-##############################
-#
-# Assertions for the type enforcement (TE) configuration.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-##################################
-#
-# Access vector assertions.
-#
-# An access vector assertion specifies permissions that should not be in
-# an access vector based on a source type, a target type, and a class.
-# If any of the specified permissions are in the corresponding access
-# vector, then the policy compiler will reject the policy configuration.
-# Currently, there is only one kind of access vector assertion, neverallow,
-# but support for the other kinds of vectors could be easily added. Access
-# vector assertions use the same syntax as access vector rules.
-#
-
-# Confined domains must never touch an unconfined domain except to
-# send SIGCHLD for child termination notifications.
-neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;
-
-# Confined domains must never see /proc/pid entries for an unconfined domain.
-neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
-
-#
-# Verify that every type that can be entered by
-# a domain is also tagged as a domain.
-#
-neverallow domain ~domain:process { transition dyntransition};
-
-# for gross mistakes in policy
-neverallow domain domain:dir ~r_dir_perms;
-neverallow domain domain:file_class_set ~rw_file_perms;
-neverallow domain file_type:process *;
-neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/targeted/attrib.te b/targeted/attrib.te
deleted file mode 100644
index 2a19fa89..00000000
--- a/targeted/attrib.te
+++ /dev/null
@@ -1,563 +0,0 @@
-#
-# Declarations for type attributes.
-#
-
-# A type attribute can be used to identify a set of types with a similar
-# property. Each type can have any number of attributes, and each
-# attribute can be associated with any number of types. Attributes are
-# explicitly declared here, and can then be associated with particular
-# types in type declarations. Attribute names can then be used throughout
-# the configuration to express the set of types that are associated with
-# the attribute. Attributes have no implicit meaning to SELinux. The
-# meaning of all attributes are completely defined through their
-# usage within the configuration, but should be documented here as
-# comments preceding the attribute declaration.
-
-#####################
-# Attributes for MLS:
-#
-
-# Common Terminology
-# MLS Range: low-high
-# low referred to as "Effective Sensitivity Label (SL)"
-# high referred to as "Clearance SL"
-
-
-#
-# File System MLS attributes/privileges
-#
-# Grant MLS read access to files not dominated by the process Effective SL
-attribute mlsfileread;
-# Grant MLS read access to files which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsfilereadtoclr;
-# Grant MLS write access to files not equal to the Effective SL
-attribute mlsfilewrite;
-# Grant MLS write access to files which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsfilewritetoclr;
-# Grant MLS ability to change file label to a new label which dominates
-# the old label
-attribute mlsfileupgrade;
-# Grant MLS ability to change file label to a new label which is
-# dominated by or incomparable to the old label
-attribute mlsfiledowngrade;
-
-#
-# Network MLS attributes/privileges
-#
-# Grant MLS read access to packets not dominated by the process Effective SL
-attribute mlsnetread;
-# Grant MLS read access to packets which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsnetreadtoclr;
-# Grant MLS write access to packets not equal to the Effective SL
-attribute mlsnetwrite;
-# Grant MLS write access to packets which dominate the Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsnetwritetoclr;
-# Grant MLS read access to packets from hosts or interfaces which dominate
-# or incomparable to the process Effective SL
-attribute mlsnetrecvall;
-# Grant MLS ability to change socket label to a new label which dominates
-# the old label
-attribute mlsnetupgrade;
-# Grant MLS ability to change socket label to a new label which is
-# dominated by or incomparable to the old label
-attribute mlsnetdowngrade;
-
-#
-# IPC MLS attributes/privileges
-#
-# Grant MLS read access to IPC objects not dominated by the process Effective SL
-attribute mlsipcread;
-# Grant MLS read access to IPC objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsipcreadtoclr;
-# Grant MLS write access to IPC objects not equal to the process Effective SL
-attribute mlsipcwrite;
-# Grant MLS write access to IPC objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsipcwritetoclr;
-
-#
-# Process MLS attributes/privileges
-#
-# Grant MLS read access to processes not dominated by the process Effective SL
-attribute mlsprocread;
-# Grant MLS read access to processes which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsprocreadtoclr;
-# Grant MLS write access to processes not equal to the Effective SL
-attribute mlsprocwrite;
-# Grant MLS write access to processes which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsprocwritetoclr;
-# Grant MLS ability to change Effective SL or Clearance SL of process to a
-# label dominated by the Clearance SL
-attribute mlsprocsetsl;
-
-#
-# X Window MLS attributes/privileges
-#
-# Grant MLS read access to X objects not dominated by the process Effective SL
-attribute mlsxwinread;
-# Grant MLS read access to X objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsxwinreadtoclr;
-# Grant MLS write access to X objects not equal to the process Effective SL
-attribute mlsxwinwrite;
-# Grant MLS write access to X objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsxwinwritetoclr;
-# Grant MLS read access to X properties not dominated by
-# the process Effective SL
-attribute mlsxwinreadproperty;
-# Grant MLS write access to X properties not equal to the process Effective SL
-attribute mlsxwinwriteproperty;
-# Grant MLS read access to X colormaps not dominated by
-# the process Effective SL
-attribute mlsxwinreadcolormap;
-# Grant MLS write access to X colormaps not equal to the process Effective SL
-attribute mlsxwinwritecolormap;
-# Grant MLS write access to X xinputs not equal to the process Effective SL
-attribute mlsxwinwritexinput;
-
-# Grant MLS read/write access to objects which internally arbitrate MLS
-attribute mlstrustedobject;
-
-#
-# Both of the following attributes are needed for a range transition to succeed
-#
-# Grant ability for the current domain to change SL upon process transition
-attribute privrangetrans;
-# Grant ability for the new process domain to change SL upon process transition
-attribute mlsrangetrans;
-
-#########################
-# Attributes for domains:
-#
-
-# The domain attribute identifies every type that can be
-# assigned to a process. This attribute is used in TE rules
-# that should be applied to all domains, e.g. permitting
-# init to kill all processes.
-attribute domain;
-
-# The daemon attribute identifies domains for system processes created via
-# the daemon_domain, daemon_base_domain, and init_service_domain macros.
-attribute daemon;
-
-# The privuser attribute identifies every domain that can
-# change its SELinux user identity. This attribute is used
-# in the constraints configuration. NOTE: This attribute
-# is not required for domains that merely change the Linux
-# uid attributes, only for domains that must change the
-# SELinux user identity. Also note that this attribute makes
-# no sense without the privrole attribute.
-attribute privuser;
-
-# The privrole attribute identifies every domain that can
-# change its SELinux role. This attribute is used in the
-# constraints configuration.
-attribute privrole;
-
-# The userspace_objmgr attribute identifies every domain
-# which enforces its own policy.
-attribute userspace_objmgr;
-
-# The priv_system_role attribute identifies every domain that can
-# change role from a user role to system_r role, and identity from a user
-# identity to system_u. It is used in the constraints configuration.
-attribute priv_system_role;
-
-# The privowner attribute identifies every domain that can
-# assign a different SELinux user identity to a file, or that
-# can create a file with an identity that is not the same as the
-# process identity. This attribute is used in the constraints
-# configuration.
-attribute privowner;
-
-# The privlog attribute identifies every domain that can
-# communicate with syslogd through its Unix domain socket.
-# There is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privlog;
-
-# The privmodule attribute identifies every domain that can run
-# modprobe, there is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privmodule;
-
-# The privsysmod attribute identifies every domain that can have the
-# sys_module capability
-attribute privsysmod;
-
-# The privmem attribute identifies every domain that can
-# access kernel memory devices.
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privmem;
-
-# The privkmsg attribute identifies every domain that can
-# read kernel messages (/proc/kmsg)
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privkmsg;
-
-# The privfd attribute identifies every domain that should have
-# file handles inherited widely (IE sshd_t and getty_t).
-attribute privfd;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# The auth attribute identifies every domain that needs
-# to read /etc/shadow, and grants the permission.
-attribute auth;
-
-# The auth_bool attribute identifies every domain that can
-# read /etc/shadow if its boolean is set;
-attribute auth_bool;
-
-# The auth_write attribute identifies every domain that can have write or
-# relabel access to /etc/shadow, but does not grant it.
-attribute auth_write;
-
-# The auth_chkpwd attribute identifies every system domain that can
-# authenticate users by running unix_chkpwd
-attribute auth_chkpwd;
-
-# The change_context attribute identifies setfiles_t, restorecon_t, and other
-# system domains that change the context of most/all files on the system
-attribute change_context;
-
-# The etc_writer attribute identifies every domain that can write to etc_t
-attribute etc_writer;
-
-# The sysctl_kernel_writer attribute identifies domains that can write to
-# sysctl_kernel_t, in addition the admin attribute is permitted write access
-attribute sysctl_kernel_writer;
-
-# the sysctl_net_writer attribute identifies domains that can write to
-# sysctl_net_t files.
-attribute sysctl_net_writer;
-
-# The sysctl_type attribute identifies every type that is assigned
-# to a sysctl entry. This can be used in allow rules to grant
-# permissions to all sysctl entries without enumerating each individual
-# type, but should be used with care.
-attribute sysctl_type;
-
-# The admin attribute identifies every administrator domain.
-# It is used in TE assertions when verifying that only administrator
-# domains have certain permissions.
-# This attribute is presently associated with sysadm_t and
-# certain administrator utility domains.
-# XXX The use of this attribute should be reviewed for consistency.
-# XXX Might want to partition into several finer-grained attributes
-# XXX used in different assertions within assert.te.
-attribute admin;
-
-# The secadmin attribute identifies every security administrator domain.
-# It is used in TE assertions when verifying that only administrator
-# domains have certain permissions.
-# This attribute is presently associated with sysadm_t and secadm_t
-attribute secadmin;
-
-# The userdomain attribute identifies every user domain, presently
-# user_t and sysadm_t. It is used in TE rules that should be applied
-# to all user domains.
-attribute userdomain;
-
-# for a small domain that can only be used for newrole
-attribute user_mini_domain;
-
-# pty for the mini domain
-attribute mini_pty_type;
-
-# pty created by a server such as sshd
-attribute server_pty;
-
-# attribute for all non-administrative devpts types
-attribute userpty_type;
-
-# The user_tty_type identifies every type for a tty or pty owned by an
-# unpriviledged user
-attribute user_tty_type;
-
-# The admin_tty_type identifies every type for a tty or pty owned by a
-# priviledged user
-attribute admin_tty_type;
-
-# The user_crond_domain attribute identifies every user_crond domain, presently
-# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
-# applied to all user domains.
-attribute user_crond_domain;
-
-# The unpriv_userdomain identifies non-administrative users (default user_t)
-attribute unpriv_userdomain;
-
-# This attribute is for the main user home directory for unpriv users
-attribute user_home_dir_type;
-
-# The gphdomain attribute identifies every gnome-pty-helper derived
-# domain. It is used in TE rules to permit inheritance and use of
-# descriptors created by these domains.
-attribute gphdomain;
-
-# The fs_domain identifies every domain that may directly access a fixed disk
-attribute fs_domain;
-
-# This attribute is for all domains for the userhelper program.
-attribute userhelperdomain;
-
-############################
-# Attributes for file types:
-#
-
-# The file_type attribute identifies all types assigned to files
-# in persistent filesystems. It is used in TE rules to permit
-# the association of all such file types with persistent filesystem
-# types, and to permit certain domains to access all such types as
-# appropriate.
-attribute file_type;
-
-# The secure_file_type attribute identifies files
-# which will be treated with a higer level of security.
-# Most domains will be prevented from manipulating files in this domain
-attribute secure_file_type;
-
-# The device_type attribute identifies all types assigned to device nodes
-attribute device_type;
-
-# The proc_fs attribute identifies all types that may be assigned to
-# files under /proc.
-attribute proc_fs;
-
-# The dev_fs attribute identifies all types that may be assigned to
-# files, sockets, or pipes under /dev.
-attribute dev_fs;
-
-# The sysadmfile attribute identifies all types assigned to files
-# that should be completely accessible to administrators. It is used
-# in TE rules to grant such access for administrator domains.
-attribute sysadmfile;
-
-# The secadmfile attribute identifies all types assigned to files
-# that should be only accessible to security administrators. It is used
-# in TE rules to grant such access for security administrator domains.
-attribute secadmfile;
-
-# The fs_type attribute identifies all types assigned to filesystems
-# (not limited to persistent filesystems).
-# It is used in TE rules to permit certain domains to mount
-# any filesystem and to permit most domains to obtain the
-# overall filesystem statistics.
-attribute fs_type;
-
-# The mount_point attribute identifies all types that can serve
-# as a mount point (for the mount binary). It is used in the mount
-# policy to grant mounton permission, and in other domains to grant
-# getattr permission over all the mount points.
-attribute mount_point;
-
-# The exec_type attribute identifies all types assigned
-# to entrypoint executables for domains. This attribute is
-# used in TE rules and assertions that should be applied to all
-# such executables.
-attribute exec_type;
-
-# The tmpfile attribute identifies all types assigned to temporary
-# files. This attribute is used in TE rules to grant certain
-# domains the ability to remove all such files (e.g. init, crond).
-attribute tmpfile;
-
-# The user_tmpfile attribute identifies all types associated with temporary
-# files for unpriv_userdomain domains.
-attribute user_tmpfile;
-
-# for the user_xserver_tmp_t etc
-attribute xserver_tmpfile;
-
-# The tmpfsfile attribute identifies all types defined for tmpfs
-# type transitions.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute tmpfsfile;
-
-# The home_type attribute identifies all types assigned to home
-# directories. This attribute is used in TE rules to grant certain
-# domains the ability to access all home directory types.
-attribute home_type;
-
-# This attribute is for the main user home directory /home/user, to
-# distinguish it from sub-dirs. Often you want a process to be able to
-# read the user home directory but not read the regular directories under it.
-attribute home_dir_type;
-
-# The ttyfile attribute identifies all types assigned to ttys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ttys.
-attribute ttyfile;
-
-# The ptyfile attribute identifies all types assigned to ptys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ptys.
-attribute ptyfile;
-
-# The pidfile attribute identifies all types assigned to pid files.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute pidfile;
-
-
-############################
-# Attributes for network types:
-#
-
-# The socket_type attribute identifies all types assigned to
-# kernel-created sockets. Ordinary sockets are assigned the
-# domain of the creating process.
-# XXX This attribute is unused. Remove?
-attribute socket_type;
-
-# Identifies all types assigned to port numbers to control binding.
-attribute port_type;
-
-# Identifies all types assigned to reserved port (<1024) numbers to control binding.
-attribute reserved_port_type;
-
-# Identifies all types assigned to network interfaces to control
-# operations on the interface (XXX obsolete, not supported via LSM)
-# and to control traffic sent or received on the interface.
-attribute netif_type;
-
-# Identifies all default types assigned to packets received
-# on network interfaces.
-attribute netmsg_type;
-
-# Identifies all types assigned to network nodes/hosts to control
-# traffic sent to or received from the node.
-attribute node_type;
-
-# Identifier for log files or directories that only exist for log files.
-attribute logfile;
-
-# Identifier for lock files (/var/lock/*) or directories that only exist for
-# lock files.
-attribute lockfile;
-
-
-
-##############################
-# Attributes for security policy types:
-#
-
-# The login_contexts attribute idenitifies the files used
-# to define default contexts for login types (e.g., login, cron).
-attribute login_contexts;
-
-# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
-# sysadm_mail_t, etc)
-attribute user_mail_domain;
-
-# Identifies domains that can transition to system_mail_t
-attribute privmail;
-
-# Type for non-sysadm home directory
-attribute user_home_type;
-
-# For domains that are part of a mail server and need to read user files and
-# fifos, and inherit file handles to enable user email to get to the mail
-# spool
-attribute mta_user_agent;
-
-# For domains that are part of a mail server for delivering messages to the
-# user
-attribute mta_delivery_agent;
-
-# For domains that make outbound TCP port 25 connections to send mail from the
-# mail server.
-attribute mail_server_sender;
-
-# For a mail server process that takes TCP connections on port 25
-attribute mail_server_domain;
-
-# For web clients such as netscape and squid
-attribute web_client_domain;
-
-# For X Window System server domains
-attribute xserver;
-
-# For X Window System client domains
-attribute xclient;
-
-# For X Window System protocol extensions
-attribute xextension;
-
-# For X Window System property types
-attribute xproperty;
-
-#
-# For file systems that do not have extended attributes but need to be
-# r/w by users
-#
-attribute noexattrfile;
-
-#
-# For filetypes that the usercan read
-#
-attribute usercanread;
-
-#
-# For serial devices
-#
-attribute serial_device;
-
-# Attribute to designate unrestricted access
-attribute unrestricted;
-
-# Attribute to designate can transition to unconfined_t
-attribute unconfinedtrans;
-
-# For clients of nscd.
-attribute nscd_client_domain;
-
-# For clients of nscd that can use shmem interface.
-attribute nscd_shmem_domain;
-
-# For labeling of content for httpd. This attribute is only used by
-# the httpd_unified domain, which says treat all httpdcontent the
-# same. If you want content to be served in a "non-unified" system
-# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
-# your policy.
-attribute httpdcontent;
-
-# For labeling of domains whos transition can be disabled
-attribute transitionbool;
-
-# For labeling of file_context domains which users can change files to rather
-# then the default file context. These file_context can survive a relabeling
-# of the file system.
-attribute customizable;
-
-##############################
-# Attributes for polyinstatiation support:
-#
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
diff --git a/targeted/constraints b/targeted/constraints
deleted file mode 100644
index 85586b53..00000000
--- a/targeted/constraints
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Define m4 macros for the constraints
-#
-
-#
-# Define the constraints
-#
-# constrain class_set perm_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_op r2
-# | t1 op t2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-#
-# op : == | !=
-# role_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name#
-#
-
-#
-# Restrict the ability to transition to other users
-# or roles to a few privileged types.
-#
-
-constrain process transition
- ( u1 == u2 or t1 == privuser );
-
-constrain process transition
- ( r1 == r2 or t1 == privrole );
-
-constrain process dyntransition
- ( u1 == u2 and r1 == r2);
-
-#
-# Restrict the ability to label objects with other
-# user identities to a few privileged types.
-#
-
-constrain dir_file_class_set { create relabelto relabelfrom }
- ( u1 == u2 or t1 == privowner );
-
-constrain socket_class_set { create relabelto relabelfrom }
- ( u1 == u2 or t1 == privowner );
diff --git a/targeted/domains/misc/kernel.te b/targeted/domains/misc/kernel.te
deleted file mode 100644
index 5b13c0fe..00000000
--- a/targeted/domains/misc/kernel.te
+++ /dev/null
@@ -1,75 +0,0 @@ -# -# Authors: Stephen Smalley and Timothy Fraser -# - -################################# -# -# Rules for the kernel_t domain. -# - -# -# kernel_t is the domain of kernel threads. -# It is also the target type when checking permissions in the system class. -# -type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ; -role system_r types kernel_t; -general_domain_access(kernel_t) -general_proc_read_access(kernel_t) -base_file_read_access(kernel_t) -uses_shlib(kernel_t) -can_exec(kernel_t, shell_exec_t) - -# Use capabilities. -allow kernel_t self:capability *; - -r_dir_file(kernel_t, sysfs_t) -allow kernel_t { usbfs_t usbdevfs_t }:dir search; - -# Run init in the init_t domain. -domain_auto_trans(kernel_t, init_exec_t, init_t) - -ifdef(`mls_policy', ` -# run init with maximum MLS range -range_transition kernel_t init_exec_t s0 - s15:c0.c255; -') - -# Share state with the init process. -allow kernel_t init_t:process share; - -# Mount and unmount file systems. -allow kernel_t fs_type:filesystem mount_fs_perms; - -# Send signal to any process. -allow kernel_t domain:process signal; -allow kernel_t domain:dir search; - -# Access the console. -allow kernel_t device_t:dir search; -allow kernel_t console_device_t:chr_file rw_file_perms; - -# Access the initrd filesystem. -allow kernel_t file_t:chr_file rw_file_perms; -can_exec(kernel_t, file_t) -ifdef(`chroot.te', ` -can_exec(kernel_t, chroot_exec_t) -') -allow kernel_t self:capability sys_chroot; - -allow kernel_t { unlabeled_t root_t file_t }:dir mounton; -allow kernel_t unlabeled_t:fifo_file rw_file_perms; -allow kernel_t file_t:dir rw_dir_perms; -allow kernel_t file_t:blk_file create_file_perms; -allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms }; - -# Lookup the policy. -allow kernel_t policy_config_t:dir r_dir_perms; - -# Load the policy configuration. 
-can_loadpol(kernel_t) - -# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. -can_exec(kernel_t, bin_t) - -ifdef(`targeted_policy', ` -unconfined_domain(kernel_t) -') diff --git a/targeted/domains/misc/local.te b/targeted/domains/misc/local.te deleted file mode 100644 index cedba3c4..00000000 --- a/targeted/domains/misc/local.te +++ /dev/null @@ -1,5 +0,0 @@ -# Local customization of existing policy should be done in this file. -# If you are creating brand new policy for a new "target" domain, you -# need to create a type enforcement (.te) file in domains/program -# and a file context (.fc) file in file_context/program. - diff --git a/targeted/domains/program/NetworkManager.te b/targeted/domains/program/NetworkManager.te deleted file mode 100644 index 28093f28..00000000 --- a/targeted/domains/program/NetworkManager.te +++ /dev/null 
@@ -1,117 +0,0 @@ -#DESC NetworkManager - -# -# Authors: Dan Walsh -# -# - -################################# -# -# Rules for the NetworkManager_t domain. -# -# NetworkManager_t is the domain for the NetworkManager daemon. -# NetworkManager_exec_t is the type of the NetworkManager executable. -# -daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' ) - -can_network(NetworkManager_t) -allow NetworkManager_t port_type:tcp_socket name_connect; -allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind; -allow NetworkManager_t dhcpc_t:process signal; - -can_ypbind(NetworkManager_t) -uses_shlib(NetworkManager_t) -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock}; - -allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read }; - -allow NetworkManager_t self:process { setcap getsched }; -allow NetworkManager_t self:fifo_file rw_file_perms; -allow NetworkManager_t self:unix_dgram_socket create_socket_perms; -allow NetworkManager_t self:file { getattr read }; -allow NetworkManager_t self:packet_socket create_socket_perms; -allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; - - -# -# Communicate with Caching Name Server -# -ifdef(`named.te', ` -allow NetworkManager_t named_zone_t:dir search; -rw_dir_create_file(NetworkManager_t, named_cache_t) -domain_auto_trans(NetworkManager_t, named_exec_t, named_t) -allow named_t NetworkManager_t:udp_socket { read write }; -allow named_t NetworkManager_t:netlink_route_socket { read write }; -allow NetworkManager_t named_t:process signal; -allow named_t NetworkManager_t:packet_socket { read write }; -') - -allow NetworkManager_t selinux_config_t:dir search; -allow NetworkManager_t selinux_config_t:file { getattr read }; - -ifdef(`dbusd.te', ` -dbusd_client(system, NetworkManager) -allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg }; -allow 
NetworkManager_t self:dbus send_msg; -ifdef(`hald.te', ` -allow NetworkManager_t hald_t:dbus send_msg; -allow hald_t NetworkManager_t:dbus send_msg; -') -allow NetworkManager_t initrc_t:dbus send_msg; -allow initrc_t NetworkManager_t:dbus send_msg; -ifdef(`targeted_policy', ` -allow NetworkManager_t unconfined_t:dbus send_msg; -allow unconfined_t NetworkManager_t:dbus send_msg; -') -allow NetworkManager_t userdomain:dbus send_msg; -allow userdomain NetworkManager_t:dbus send_msg; -') - -allow NetworkManager_t usr_t:file { getattr read }; - -ifdef(`ifconfig.te', ` -domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t) -')dnl end if def ifconfig - -allow NetworkManager_t { sbin_t bin_t }:dir search; -allow NetworkManager_t bin_t:lnk_file read; -can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t }) - -# in /etc created by NetworkManager will be labelled net_conf_t. -file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file) - -allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read }; -allow NetworkManager_t proc_t:file { getattr read }; -r_dir_file(NetworkManager_t, proc_net_t) - -allow NetworkManager_t { domain -unrestricted }:dir search; -allow NetworkManager_t { domain -unrestricted }:file { getattr read }; -dontaudit NetworkManager_t unrestricted:dir search; -dontaudit NetworkManager_t unrestricted:file { getattr read }; - -allow NetworkManager_t howl_t:process signal; -allow NetworkManager_t initrc_var_run_t:file { getattr read }; - -domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t) -allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms; -# allow vpnc connections -allow NetworkManager_t self:rawip_socket create_socket_perms; -allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms; - -domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t) -domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t) -ifdef(`vpnc.te', ` -domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t) -') - 
-ifdef(`dhcpc.te', ` -allow NetworkManager_t dhcp_state_t:dir search; -allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink }; -') -allow NetworkManager_t var_lib_t:dir search; -dontaudit NetworkManager_t user_tty_type:chr_file { read write }; -dontaudit NetworkManager_t security_t:dir search; - -ifdef(`consoletype.te', ` -can_exec(NetworkManager_t, consoletype_exec_t) -') - diff --git a/targeted/domains/program/acct.te b/targeted/domains/program/acct.te deleted file mode 100644 index bbb4fdc9..00000000 --- a/targeted/domains/program/acct.te +++ /dev/null 
@@ -1,66 +0,0 @@ -#DESC Acct - BSD process accounting -# -# Author: Russell Coker -# X-Debian-Packages: acct -# - -################################# -# -# Rules for the acct_t domain. -# -# acct_exec_t is the type of the acct executable. -# -daemon_base_domain(acct) -ifdef(`crond.te', ` -system_crond_entry(acct_exec_t, acct_t) - -# for monthly cron job -file_type_auto_trans(acct_t, var_log_t, wtmp_t, file) -') - -# for SSP -allow acct_t urandom_device_t:chr_file read; - -type acct_data_t, file_type, logfile, sysadmfile; - -# not sure why we need this, the command "last" is reported as using it -dontaudit acct_t self:capability kill; - -# gzip needs chown capability for some reason -allow acct_t self:capability { chown fsetid sys_pacct }; - -allow acct_t var_t:dir { getattr search }; -rw_dir_create_file(acct_t, acct_data_t) - -can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t }) -allow acct_t { bin_t sbin_t }:dir search; -allow acct_t bin_t:lnk_file read; - -read_locale(acct_t) - -allow acct_t fs_t:filesystem getattr; - -allow acct_t self:unix_stream_socket create_socket_perms; - -allow acct_t self:fifo_file { read write getattr }; - -allow acct_t { self proc_t }:file { read getattr }; - -read_sysctl(acct_t) - -dontaudit acct_t sysadm_home_dir_t:dir { getattr search }; - -# for nscd -dontaudit acct_t var_run_t:dir search; - - -allow acct_t devtty_t:chr_file { read write }; - -allow acct_t { etc_t etc_runtime_t }:file { read getattr }; - -ifdef(`logrotate.te', ` -domain_auto_trans(logrotate_t, acct_exec_t, acct_t) -rw_dir_create_file(logrotate_t, acct_data_t) -can_exec(logrotate_t, acct_data_t) -') - diff --git a/targeted/domains/program/amanda.te b/targeted/domains/program/amanda.te deleted file mode 100644 index 4b63f5f4..00000000 --- a/targeted/domains/program/amanda.te +++ /dev/null 
@@ -1,284 +0,0 @@ -#DESC Amanda - Automated backup program -# -# This policy file sets the rigths for amanda client started by inetd_t -# and amrecover -# -# X-Debian-Packages: amanda-common amanda-server -# Depends: inetd.te -# Author : Carsten Grohmann -# -# License : GPL -# -# last change: 27. August 2002 -# -# state : complete and tested -# -# Hints : -# - amanda.fc is the appendant file context file -# - If you use amrecover please extract the files and directories to the -# directory speficified in amanda.fc as type amanda_recover_dir_t. -# - The type amanda_user_exec_t is defined to label the files but not used. -# This configuration works only as an client and a amanda client does not need -# this programs. -# -# Enhancements/Corrections: -# - set tighter permissions to /bin/tar instead bin_t - -############################################################################## -# AMANDA CLIENT DECLARATIONS -############################################################################## - -# General declarations -###################### - -type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain; -role system_r types amanda_t; - -# type for the amanda executables -type amanda_exec_t, file_type, sysadmfile, exec_type; - -# type for the amanda executables started by inetd -type amanda_inetd_exec_t, file_type, sysadmfile, exec_type; - -# type for amanda configurations files -type amanda_config_t, file_type, sysadmfile; - -# type for files in /usr/lib/amanda -type amanda_usr_lib_t, file_type, sysadmfile; - -# type for all files in /var/lib/amanda -type amanda_var_lib_t, file_type, sysadmfile; - -# type for all files in /var/lib/amanda/gnutar-lists/ -type amanda_gnutarlists_t, file_type, sysadmfile; - -# type for user startable files -type amanda_user_exec_t, file_type, sysadmfile, exec_type; - -# type for same awk and other scripts -type amanda_script_exec_t, file_type, sysadmfile, exec_type; - -# type for the shell configuration files -type 
amanda_shellconfig_t, file_type, sysadmfile; - -tmp_domain(amanda) - -# type for /etc/amandates -type amanda_amandates_t, file_type, sysadmfile; - -# type for /etc/dumpdates -type amanda_dumpdates_t, file_type, sysadmfile; - -# type for amanda data -type amanda_data_t, file_type, sysadmfile; - -# Domain transitions -#################### - -domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t) - - -################## -# File permissions -################## - -# configuration files -> read only -allow amanda_t amanda_config_t:file { getattr read }; - -# access to amanda_amandates_t -allow amanda_t amanda_amandates_t:file { getattr lock read write }; - -# access to amanda_dumpdates_t -allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; - -# access to amandas data structure -allow amanda_t amanda_data_t:dir { read search write }; -allow amanda_t amanda_data_t:file { read write }; - -# access to proc_t -allow amanda_t proc_t:file { getattr read }; - -# access to etc_t and similar -allow amanda_t etc_t:file { getattr read }; -allow amanda_t etc_runtime_t:file { getattr read }; - -# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) -rw_dir_create_file(amanda_t, amanda_gnutarlists_t) - -# access to device_t and similar -allow amanda_t devtty_t:chr_file { read write }; - -# access to fs_t -allow amanda_t fs_t:filesystem getattr; - -# access to sysctl_kernel_t ( proc/sys/kernel/* ) -read_sysctl(amanda_t) - -##################### -# process permissions -##################### - -# Allow to use shared libs -uses_shlib(amanda_t) - -# Allow to execute a amanda executable file -allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read }; - -# Allow to run a shell -allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read }; - -# access to bin_t (tar) -allow amanda_t bin_t:file { execute execute_no_trans }; - -allow amanda_t self:capability { chown dac_override setuid }; -allow amanda_t self:process { fork sigchld 
setpgid signal }; -allow amanda_t self:dir search; -allow amanda_t self:file { getattr read }; - - -################################### -# Network and process communication -################################### - -can_network_server(amanda_t); -can_ypbind(amanda_t); -can_exec(amanda_t, sbin_t); - -allow amanda_t self:fifo_file { getattr read write ioctl lock }; -allow amanda_t self:unix_stream_socket create_stream_socket_perms; -allow amanda_t self:unix_dgram_socket create_socket_perms; - - -########################## -# Communication with inetd -########################## - -allow amanda_t inetd_t:udp_socket { read write }; - - -################### -# inetd permissions -################### - -allow inetd_t amanda_usr_lib_t:dir search; - - -######################## -# Access to to save data -######################## - -# access to user_home_t -allow amanda_t user_home_type:file { getattr read }; - -############################################################################## -# AMANDA RECOVER DECLARATIONS -############################################################################## - - -# General declarations -###################### - -# type for amrecover -type amanda_recover_t, domain; -role sysadm_r types amanda_recover_t; -role system_r types amanda_recover_t; - -# exec types for amrecover -type amanda_recover_exec_t, file_type, sysadmfile, exec_type; - -# type for recover files ( restored data ) -type amanda_recover_dir_t, file_type, sysadmfile; -file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t) - -# domain transsition -domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t) - -# file type auto trans to write debug messages -file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t) - - -# amanda recover process permissions -#################################### - -uses_shlib(amanda_recover_t) -allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal }; -allow amanda_recover_t self:capability { 
fowner fsetid kill setgid setuid chown dac_override net_bind_service }; -can_exec(amanda_recover_t, shell_exec_t) -allow amanda_recover_t privfd:fd use; - - -# amrecover network and process communication -############################################# - -can_network(amanda_recover_t); -allow amanda_recover_t amanda_port_t:tcp_socket name_connect; -can_ypbind(amanda_recover_t); -read_locale(amanda_recover_t); - -allow amanda_recover_t self:fifo_file { getattr ioctl read write }; -allow amanda_recover_t self:unix_stream_socket { connect create read write }; -allow amanda_recover_t var_log_t:dir search; -rw_dir_create_file(amanda_recover_t, amanda_log_t) - -# amrecover file permissions -############################ - -# access to etc_t and similar -allow amanda_recover_t etc_t:dir search; -allow amanda_recover_t etc_t:file { getattr read }; -allow amanda_recover_t etc_runtime_t:file { getattr read }; - -# access to amanda_recover_dir_t -allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write }; -allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink }; - -# access to var_t and var_run_t -allow amanda_recover_t var_t:dir search; -allow amanda_recover_t var_run_t:dir search; - -# access to proc_t -allow amanda_recover_t proc_t:dir search; -allow amanda_recover_t proc_t:file { getattr read }; - -# access to sysctl_kernel_t -read_sysctl(amanda_recover_t) - -# access to dev_t and similar -allow amanda_recover_t device_t:dir search; -allow amanda_recover_t devtty_t:chr_file { read write }; -allow amanda_recover_t null_device_t:chr_file { getattr write }; - -# access to bin_t -allow amanda_recover_t bin_t:file { execute execute_no_trans }; - -# access to sysadm_home_t and sysadm_home_dir_t to start amrecover -# in the sysadm home directory -allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr }; - -# access to use sysadm_tty_device_t (/dev/tty?) 
-allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write }; - -# access to amanda_tmp_t and tmp_t -allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write }; -allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink }; -allow amanda_recover_t tmp_t:dir search; - -# -# Rules to allow amanda to be run as a service in xinetd -# -allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind; - -#amanda needs to look at fs_type directories to decide whether it should backup -allow amanda_t { fs_type file_type }:dir {getattr read search }; -allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read }; -allow amanda_t device_type:{ blk_file chr_file } getattr; -allow amanda_t fixed_disk_device_t:blk_file read; -domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t) - -allow amanda_t file_type:sock_file getattr; -logdir_domain(amanda) - -dontaudit amanda_t proc_t:lnk_file read; -dontaudit amanda_t unlabeled_t:file getattr; -#amanda wants to check attributes on fifo_files -allow amanda_t file_type:fifo_file getattr; diff --git a/targeted/domains/program/anaconda.te b/targeted/domains/program/anaconda.te deleted file mode 100644 index 175947d2..00000000 --- a/targeted/domains/program/anaconda.te +++ /dev/null 
@@ -1,48 +0,0 @@ -#DESC Anaconda - Red Hat Installation program -# -# Authors: Dan Walsh -# -# - -################################# -# -# Rules for the anaconda_t domain. -# -# anaconda_t is the domain of the installation program -# -type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer; -role system_r types anaconda_t; -unconfined_domain(anaconda_t) - -role system_r types ldconfig_t; -domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t) - -# Run other rc scripts in the anaconda_t domain. -domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t) - -ifdef(`dmesg.te', ` -domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t) -') - -ifdef(`distro_redhat', ` -file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file) -') - -ifdef(`rpm.te', ` -# Access /var/lib/rpm. -domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t) -') - -file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file) - -ifdef(`udev.te', ` -domain_auto_trans(anaconda_t, udev_exec_t, udev_t) -') - -ifdef(`ssh-agent.te', ` -role system_r types sysadm_ssh_agent_t; -domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t) -') -ifdef(`passwd.te', ` -domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t) -') diff --git a/targeted/domains/program/apache.te b/targeted/domains/program/apache.te deleted file mode 100644 index e95cae00..00000000 --- a/targeted/domains/program/apache.te +++ /dev/null 
@@ -1,414 +0,0 @@ -#DESC Apache - Web server -# -# X-Debian-Packages: apache2-common apache -# -############################################################################### -# -# Policy file for running the Apache web server -# -# NOTES: -# This policy will work with SUEXEC enabled as part of the Apache -# configuration. However, the user CGI scripts will run under the -# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the -# of the creating user. -# -# The user CGI scripts must be labeled with the httpd_$1_script_exec_t -# type, and the directory containing the scripts should also be labeled -# with these types. This policy allows user_r role to perform that -# relabeling. If it is desired that only sysadm_r should be able to relabel -# the user CGI scripts, then relabel rule for user_r should be removed. -# -############################################################################### - -define(`httpd_home_dirs', ` -r_dir_file(httpd_t, $1) -r_dir_file(httpd_suexec_t, $1) -can_exec(httpd_suexec_t, $1) -') - -bool httpd_unified false; - -# Allow httpd to use built in scripting (usually php) -bool httpd_builtin_scripting false; - -# Allow httpd cgi support -bool httpd_enable_cgi false; - -# Allow httpd to read home directories -bool httpd_enable_homedirs false; - -# Run SSI execs in system CGI script domain. 
-bool httpd_ssi_exec false; - -# Allow http daemon to communicate with the TTY -bool httpd_tty_comm false; - -# Allow http daemon to tcp connect -bool httpd_can_network_connect false; - -######################################################### -# Apache types -######################################################### -# httpd_config_t is the type given to the configuration -# files for apache /etc/httpd/conf -# -type httpd_config_t, file_type, sysadmfile; - -# httpd_modules_t is the type given to module files (libraries) -# that come with Apache /etc/httpd/modules and /usr/lib/apache -# -type httpd_modules_t, file_type, sysadmfile; - -# httpd_cache_t is the type given to the /var/cache/httpd -# directory and the files under that directory -# -type httpd_cache_t, file_type, sysadmfile; - -# httpd_exec_t is the type give to the httpd executable. -# -daemon_domain(httpd, `, privmail, nscd_client_domain') - -append_logdir_domain(httpd) -#can read /etc/httpd/logs -allow httpd_t httpd_log_t:lnk_file read; - -# For /etc/init.d/apache2 reload -can_tcp_connect(httpd_t, httpd_t) - -can_tcp_connect(web_client_domain, httpd_t) - -can_exec(httpd_t, httpd_exec_t) -file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file) - -general_domain_access(httpd_t) - -allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read }; - -read_sysctl(httpd_t) - -allow httpd_t crypt_device_t:chr_file rw_file_perms; - -# for modules that want to access /etc/mtab and /proc/meminfo -allow httpd_t { proc_t etc_runtime_t }:file { getattr read }; - -uses_shlib(httpd_t) -allow httpd_t { usr_t lib_t }:file { getattr read ioctl }; -allow httpd_t usr_t:lnk_file { getattr read }; - -# for apache2 memory mapped files -var_lib_domain(httpd) - -# for tomcat -r_dir_file(httpd_t, var_lib_t) - -# execute perl -allow httpd_t { bin_t sbin_t }:dir r_dir_perms; -can_exec(httpd_t, { bin_t sbin_t }) -allow httpd_t bin_t:lnk_file read; - -######################################## -# Set 
up networking -######################################## - -can_network_server(httpd_t) -can_kerberos(httpd_t) -can_resolve(httpd_t) -nsswitch_domain(httpd_t) -allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind; -# allow httpd to connect to mysql/posgresql -allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect; -# allow httpd to work as a relay -allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect; - -if (httpd_can_network_connect) { -can_network_client(httpd_t) -allow httpd_t port_type:tcp_socket name_connect; -} - -########################################## -# Legacy: remove when it's fixed # -# Allow libphp5.so with text relocations # -########################################## -allow httpd_t texrel_shlib_t:file execmod; - -######################################### -# Allow httpd to search users directories -######################################### -allow httpd_t home_root_t:dir { getattr search }; -dontaudit httpd_t sysadm_home_dir_t:dir getattr; - -############################################################################ -# Allow the httpd_t the capability to bind to a port and various other stuff -############################################################################ -allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; -dontaudit httpd_t self:capability net_admin; - -################################################# -# Allow the httpd_t to read the web servers config files -################################################### -r_dir_file(httpd_t, httpd_config_t) -# allow logrotate to read the config files for restart -ifdef(`logrotate.te', ` -r_dir_file(logrotate_t, httpd_config_t) -domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t) -allow logrotate_t httpd_t:process signull; -') -r_dir_file(initrc_t, httpd_config_t) -################################################## - -############################### -# Allow 
httpd_t to put files in /var/cache/httpd etc -############################## -create_dir_file(httpd_t, httpd_cache_t) - -############################### -# Allow httpd_t to access the tmpfs file system -############################## -tmpfs_domain(httpd) - -##################### -# Allow httpd_t to access -# libraries for its modules -############################### -allow httpd_t httpd_modules_t:file rx_file_perms; -allow httpd_t httpd_modules_t:dir r_dir_perms; -allow httpd_t httpd_modules_t:lnk_file r_file_perms; - -###################################################################### -# Allow initrc_t to access the Apache modules directory. -###################################################################### -allow initrc_t httpd_modules_t:dir r_dir_perms; - -############################################## -# Allow httpd_t to have access to files -# such as nisswitch.conf -# need ioctl for php -############################################### -allow httpd_t etc_t:file { read getattr ioctl }; -allow httpd_t etc_t:lnk_file { getattr read }; - -# setup the system domain for system CGI scripts -apache_domain(sys) -dontaudit httpd_sys_script_t httpd_config_t:dir search; - -# Run SSI execs in system CGI script domain. -if (httpd_ssi_exec) { -domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t) -} -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -################################################## -# -# PHP Directives -################################################## - -type httpd_php_exec_t, file_type, sysadmfile, exec_type; -type httpd_php_t, domain; - -# Transition from the user domain to this domain. -domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t) - -# The system role is authorized for this domain. 
-role system_r types httpd_php_t; - -general_domain_access(httpd_php_t) -uses_shlib(httpd_php_t) -can_exec(httpd_php_t, lib_t) - -# allow php to read and append to apache logfiles -allow httpd_php_t httpd_log_t:file ra_file_perms; - -# access to /tmp -tmp_domain(httpd) -tmp_domain(httpd_php) - -# Creation of lock files for apache2 -lock_domain(httpd) - -# Allow apache to used public_content_t -anonymous_domain(httpd) - -# connect to mysql -ifdef(`mysqld.te', ` -can_unix_connect(httpd_php_t, mysqld_t) -can_unix_connect(httpd_t, mysqld_t) -can_unix_connect(httpd_sys_script_t, mysqld_t) -allow httpd_php_t mysqld_var_run_t:dir search; -allow httpd_php_t mysqld_var_run_t:sock_file write; -allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search; -allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms; -allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms; -') -allow httpd_t bin_t:dir search; -allow httpd_t sbin_t:dir search; -allow httpd_t httpd_log_t:dir remove_name; - -read_fonts(httpd_t) - -allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; - -allow httpd_t autofs_t:dir { search getattr }; - -if (use_nfs_home_dirs && httpd_enable_homedirs) { -httpd_home_dirs(nfs_t) -} -if (use_samba_home_dirs && httpd_enable_homedirs) { -httpd_home_dirs(cifs_t) -} - -# -# Allow users to mount additional directories as http_source -# -allow httpd_t mnt_t:dir r_dir_perms; - -ifdef(`targeted_policy', ` -typealias httpd_sys_content_t alias httpd_user_content_t; -typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; - -if (httpd_enable_homedirs) { -allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search }; -} -') dnl targeted policy - -# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context -typealias httpd_sys_content_t alias httpd_sysadm_content_t; - -ifdef(`distro_redhat', ` -# -# mod_jk2 creates /var/log/httpd/jk2.shm to 
communicate with tomcat -# This is a bug but it still exists in FC2 -# -typealias httpd_log_t alias httpd_runtime_t; -allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append }; -dontaudit httpd_t httpd_runtime_t:file ioctl; -') dnl distro_redhat -# -# Customer reported the following -# -ifdef(`snmpd.te', ` -dontaudit httpd_t snmpd_var_lib_t:dir search; -dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; -', ` -dontaudit httpd_t usr_t:dir write; -') - -application_domain(httpd_helper) -role system_r types httpd_helper_t; -domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) -allow httpd_helper_t httpd_config_t:file { getattr read }; -allow httpd_helper_t httpd_log_t:file { append }; - -######################################## -# When the admin starts the server, the server wants to access -# the TTY or PTY associated with the session. The httpd appears -# to run correctly without this permission, so the permission -# are dontaudited here. -################################################## - -if (httpd_tty_comm) { -allow { httpd_t httpd_helper_t } devpts_t:dir search; -ifdef(`targeted_policy', ` -allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms; -') -allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms; -} else { -dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; -} - -read_sysctl(httpd_sys_script_t) -allow httpd_sys_script_t var_lib_t:dir search; -dontaudit httpd_t selinux_config_t:dir search; -r_dir_file(httpd_t, cert_t) - -# -# unconfined domain for apache scripts. 
Only to be used as a last resort -# -type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable; -type httpd_unconfined_script_t, domain, nscd_client_domain; -role system_r types httpd_unconfined_script_t; -unconfined_domain(httpd_unconfined_script_t) - -# The following are types for SUEXEC,which runs user scripts as their -# own user ID -# -daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool') -allow httpd_t httpd_suexec_exec_t:file { getattr read }; - -######################################################### -# Permissions for running child processes and scripts -########################################################## - -allow httpd_suexec_t self:capability { setuid setgid }; - -dontaudit httpd_suexec_t var_run_t:dir search; -allow httpd_suexec_t { var_t var_log_t }:dir search; -allow httpd_suexec_t home_root_t:dir search; - -allow httpd_suexec_t httpd_log_t:dir ra_dir_perms; -allow httpd_suexec_t httpd_log_t:file { create ra_file_perms }; -allow httpd_suexec_t httpd_t:fifo_file getattr; -allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; - -allow httpd_suexec_t etc_t:file { getattr read }; -read_locale(httpd_suexec_t) -read_sysctl(httpd_suexec_t) -allow httpd_suexec_t urandom_device_t:chr_file { getattr read }; - -# for shell scripts -allow httpd_suexec_t bin_t:dir search; -allow httpd_suexec_t bin_t:lnk_file read; -can_exec(httpd_suexec_t, { bin_t shell_exec_t }) - -if (httpd_can_network_connect) { -can_network(httpd_suexec_t) -allow httpd_suexec_t port_type:tcp_socket name_connect; -} - -can_ypbind(httpd_suexec_t) -allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl }; - -allow httpd_suexec_t autofs_t:dir { search getattr }; -tmp_domain(httpd_suexec) - -if (httpd_enable_cgi && httpd_unified) { -domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) -') -} -if (httpd_enable_cgi && httpd_unified && 
httpd_builtin_scripting) { -domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) -create_dir_file(httpd_t, httpdcontent) -} -if (httpd_enable_cgi) { -domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop }; -allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms; -} - -# -# Types for squirrelmail -# -type httpd_squirrelmail_t, file_type, sysadmfile; -create_dir_file(httpd_t, httpd_squirrelmail_t) -allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; -# File Type of squirrelmail attachments -type squirrelmail_spool_t, file_type, sysadmfile, tmpfile; -allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search }; -create_dir_file(httpd_t, squirrelmail_spool_t) -r_dir_file(httpd_sys_script_t, squirrelmail_spool_t) - -ifdef(`mta.te', ` -# apache should set close-on-exec -dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; -dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; -dontaudit system_mail_t httpd_log_t:file { append getattr }; -allow system_mail_t httpd_squirrelmail_t:file { append read }; -dontaudit system_mail_t httpd_t:tcp_socket { read write }; -') -bool httpd_enable_ftp_server false; -if (httpd_enable_ftp_server) { -allow httpd_t ftp_port_t:tcp_socket name_bind; -} - diff --git a/targeted/domains/program/apmd.te b/targeted/domains/program/apmd.te deleted file mode 100644 index 720336c2..00000000 --- a/targeted/domains/program/apmd.te +++ /dev/null 
@@ -1,161 +0,0 @@ -#DESC Apmd - Automatic Power Management daemon -# -# Authors: Stephen Smalley and Timothy Fraser -# Russell Coker -# X-Debian-Packages: apmd -# - -################################# -# -# Rules for the apmd_t domain. -# -daemon_domain(apmd, `, privmodule, nscd_client_domain') - -# for SSP -allow apmd_t urandom_device_t:chr_file read; - -type apm_t, domain, privlog; -type apm_exec_t, file_type, sysadmfile, exec_type; -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, apm_exec_t, apm_t) -') -uses_shlib(apm_t) -allow apm_t privfd:fd use; -allow apm_t admin_tty_type:chr_file rw_file_perms; -allow apm_t device_t:dir search; -allow apm_t self:capability { dac_override sys_admin }; -allow apm_t proc_t:dir search; -allow apm_t proc_t:file r_file_perms; -allow apm_t fs_t:filesystem getattr; -allow apm_t apm_bios_t:chr_file rw_file_perms; -role sysadm_r types apm_t; -role system_r types apm_t; - -allow apmd_t device_t:lnk_file read; -allow apmd_t proc_t:file { getattr read write }; -can_sysctl(apmd_t) -allow apmd_t sysfs_t:file write; - -allow apmd_t self:unix_dgram_socket create_socket_perms; -allow apmd_t self:unix_stream_socket create_stream_socket_perms; -allow apmd_t self:fifo_file rw_file_perms; -allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read }; -allow apmd_t etc_t:lnk_file read; - -# acpid wants a socket -file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file) - -# acpid also has a logfile -log_domain(apmd) -tmp_domain(apmd) - -ifdef(`distro_suse', ` -var_lib_domain(apmd) -') - -allow apmd_t self:file { getattr read ioctl }; -allow apmd_t self:process getsession; - -# Use capabilities. -allow apmd_t self:capability { sys_admin sys_nice sys_time kill }; - -# controlling an orderly resume of PCMCIA requires creating device -# nodes 254,{0,1,2} for some reason. -allow apmd_t self:capability mknod; - -# Access /dev/apm_bios. -allow apmd_t apm_bios_t:chr_file rw_file_perms; - -# Run helper programs. 
-can_exec_any(apmd_t) - -# apmd calls hwclock.sh on suspend and resume -allow apmd_t clock_device_t:chr_file r_file_perms; -ifdef(`hwclock.te', ` -domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) -allow apmd_t adjtime_t:file rw_file_perms; -allow hwclock_t apmd_log_t:file append; -allow hwclock_t apmd_t:unix_stream_socket { read write }; -') - - -# to quiet fuser and ps -# setuid for fuser, dac* for ps -dontaudit apmd_t self:capability { setuid dac_override dac_read_search }; -dontaudit apmd_t domain:socket_class_set getattr; -dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr; -dontaudit apmd_t device_type:devfile_class_set getattr; -dontaudit apmd_t home_type:dir { search getattr }; -dontaudit apmd_t domain:key_socket getattr; -dontaudit apmd_t domain:dir search; - -ifdef(`distro_redhat', ` -can_exec(apmd_t, apmd_var_run_t) -# for /var/lock/subsys/network -lock_domain(apmd) - -# ifconfig_exec_t needs to be run in its own domain for Red Hat -ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)') -ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)') -ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)') -', ` -# for ifconfig which is run all the time -dontaudit apmd_t sysctl_t:dir search; -') - -ifdef(`udev.te', ` -allow apmd_t udev_t:file { getattr read }; -allow apmd_t udev_t:lnk_file { getattr read }; -') -# -# apmd tells the machine to shutdown requires the following -# -allow apmd_t initctl_t:fifo_file write; -allow apmd_t initrc_var_run_t:file { read write lock }; - -# -# Allow it to run killof5 and pidof -# -typeattribute apmd_t unrestricted; -r_dir_file(apmd_t, domain) - -# Same for apm/acpid scripts -domain_auto_trans(apmd_t, initrc_exec_t, initrc_t) -ifdef(`consoletype.te', ` -allow consoletype_t apmd_t:fd use; -allow consoletype_t apmd_t:fifo_file write; -') -ifdef(`mount.te', `allow mount_t apmd_t:fd use;') -ifdef(`crond.te', ` -domain_auto_trans(apmd_t, 
anacron_exec_t, system_crond_t) -allow apmd_t crond_t:fifo_file { getattr read write ioctl }; -') - -ifdef(`mta.te', ` -domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) -') - -# for a find /dev operation that gets /dev/shm -dontaudit apmd_t tmpfs_t:dir r_dir_perms; -dontaudit apmd_t selinux_config_t:dir search; -allow apmd_t user_tty_type:chr_file rw_file_perms; -# Access /dev/apm_bios. -allow initrc_t apm_bios_t:chr_file { setattr getattr read }; - -ifdef(`logrotate.te', ` -allow apmd_t logrotate_t:fd use; -')dnl end if logrotate.te -allow apmd_t devpts_t:dir { getattr search }; -allow apmd_t security_t:dir search; -allow apmd_t usr_t:dir search; -r_dir_file(apmd_t, hwdata_t) -ifdef(`targeted_policy', ` -unconfined_domain(apmd_t) -') - -ifdef(`NetworkManager.te', ` -ifdef(`dbusd.te', ` -allow apmd_t NetworkManager_t:dbus send_msg; -allow NetworkManager_t apmd_t:dbus send_msg; -') -') diff --git a/targeted/domains/program/arpwatch.te b/targeted/domains/program/arpwatch.te deleted file mode 100644 index 3065800c..00000000 --- a/targeted/domains/program/arpwatch.te +++ /dev/null 
@@ -1,48 +0,0 @@
-#DESC arpwatch - keep track of ethernet/ip address pairings
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the arpwatch_t domain.
-#
-# arpwatch_exec_t is the type of the arpwatch executable.
-#
-daemon_domain(arpwatch, `, privmail')
-
-# for files created by arpwatch
-type arpwatch_data_t, file_type, sysadmfile;
-create_dir_file(arpwatch_t,arpwatch_data_t)
-tmp_domain(arpwatch)
-
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-
-can_network_server(arpwatch_t)
-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
-allow arpwatch_t self:udp_socket create_socket_perms;
-allow arpwatch_t self:unix_dgram_socket create_socket_perms;
-allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
-
-allow arpwatch_t { sbin_t var_lib_t }:dir search;
-allow arpwatch_t sbin_t:lnk_file read;
-r_dir_file(arpwatch_t, etc_t)
-r_dir_file(arpwatch_t, usr_t)
-can_ypbind(arpwatch_t)
-
-ifdef(`qmail.te', `
-allow arpwatch_t bin_t:dir search;
-')
-
-ifdef(`distro_gentoo', `
-allow initrc_t arpwatch_data_t:dir { add_name write };
-allow initrc_t arpwatch_data_t:file create;
-')dnl end distro_gentoo
-
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
diff --git a/targeted/domains/program/auditd.te b/targeted/domains/program/auditd.te
deleted file mode 100644
index 3dd15a7b..00000000
--- a/targeted/domains/program/auditd.te
+++ /dev/null
@@ -1,69 +0,0 @@ -#DESC auditd - System auditing daemon -# -# Authors: Colin Walters -# -# Some fixes by Paul Moore -# -define(`audit_manager_domain', ` -allow $1 auditd_etc_t:file rw_file_perms; -create_dir_file($1, auditd_log_t) -domain_auto_trans($1, auditctl_exec_t, auditctl_t) -') - -daemon_domain(auditd) - -allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; -allow auditd_t self:unix_dgram_socket create_socket_perms; -allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource }; -allow auditd_t self:process setsched; -allow auditd_t self:file { getattr read write }; -allow auditd_t etc_t:file { getattr read }; - -# Do not use logdir_domain since this is a security file -type auditd_log_t, file_type, secure_file_type; -allow auditd_t var_log_t:dir search; -rw_dir_create_file(auditd_t, auditd_log_t) - -can_exec(auditd_t, init_exec_t) -allow auditd_t initctl_t:fifo_file write; - -ifdef(`targeted_policy', ` -dontaudit auditd_t unconfined_t:fifo_file read; -') - -type auditctl_t, domain, privlog; -type auditctl_exec_t, file_type, exec_type, sysadmfile; -uses_shlib(auditctl_t) -allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; -allow auditctl_t self:capability { audit_write audit_control }; -allow auditctl_t etc_t:file { getattr read }; -allow auditctl_t admin_tty_type:chr_file rw_file_perms; - -type auditd_etc_t, file_type, secure_file_type; -allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms; -allow initrc_t auditd_etc_t:file r_file_perms; - -role secadm_r types auditctl_t; -role sysadm_r types auditctl_t; -audit_manager_domain(secadm_t) - -ifdef(`targeted_policy', `', ` -ifdef(`separate_secadm', `', ` -audit_manager_domain(sysadm_t) -') -') - -role system_r types auditctl_t; -domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t) - -dontaudit auditctl_t local_login_t:fd use; -allow auditctl_t proc_t:dir search; -allow auditctl_t 
sysctl_kernel_t:dir search; -allow auditctl_t sysctl_kernel_t:file { getattr read }; -dontaudit auditctl_t init_t:fd use; -allow auditctl_t initrc_devpts_t:chr_file { read write }; -allow auditctl_t privfd:fd use; - - -allow auditd_t sbin_t:dir search; -can_exec(auditd_t, sbin_t) diff --git a/targeted/domains/program/avahi.te b/targeted/domains/program/avahi.te deleted file mode 100644 index 0d021b05..00000000 --- a/targeted/domains/program/avahi.te +++ /dev/null @@ -1,29 +0,0 @@ -#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture -# -# Author: Dan Walsh -# - -daemon_domain(avahi, `, privsysmod') -r_dir_file(avahi_t, proc_net_t) -can_network_server(avahi_t) -can_ypbind(avahi_t) -allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow avahi_t self:unix_dgram_socket create_socket_perms; -allow avahi_t self:capability { dac_override setgid chown kill setuid }; -allow avahi_t urandom_device_t:chr_file r_file_perms; -allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind; -allow avahi_t self:fifo_file { read write }; -allow avahi_t self:netlink_route_socket r_netlink_socket_perms; -allow avahi_t self:process setrlimit; -allow avahi_t etc_t:file { getattr read }; -allow avahi_t initrc_t:process { signal signull }; -allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg }; -allow avahi_t avahi_var_run_t:dir setattr; -allow avahi_t avahi_var_run_t:sock_file create_file_perms; - -ifdef(`dbusd.te', ` -dbusd_client(system, avahi) -allow avahi_t unconfined_t:dbus send_msg; -allow unconfined_t avahi_t:dbus send_msg; -') - diff --git a/targeted/domains/program/bluetooth.te b/targeted/domains/program/bluetooth.te deleted file mode 100644 index c6c5631b..00000000 --- a/targeted/domains/program/bluetooth.te +++ /dev/null 
@@ -1,116 +0,0 @@ -#DESC Bluetooth -# -# Authors: Dan Walsh -# RH-Packages: Bluetooth -# - -################################# -# -# Rules for the bluetooth_t domain. -# -daemon_domain(bluetooth) - -file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file) -file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) - -tmp_domain(bluetooth) -var_lib_domain(bluetooth) - -# Use capabilities. -allow bluetooth_t self:file read; -allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; -allow bluetooth_t self:process getsched; -allow bluetooth_t proc_t:file { getattr read }; - -allow bluetooth_t self:shm create_shm_perms; - -lock_domain(bluetooth) - -# Use the network. -can_network(bluetooth_t) -can_ypbind(bluetooth_t) -ifdef(`dbusd.te', ` -dbusd_client(system, bluetooth) -allow bluetooth_t system_dbusd_t:dbus send_msg; -') -allow bluetooth_t self:socket create_stream_socket_perms; - -allow bluetooth_t self:unix_dgram_socket create_socket_perms; -allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; - -dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write }; - -# bluetooth_conf_t is the type of the /etc/bluetooth dir. 
-type bluetooth_conf_t, file_type, sysadmfile; -type bluetooth_conf_rw_t, file_type, sysadmfile; - -# Read /etc/bluetooth -allow bluetooth_t bluetooth_conf_t:dir search; -allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; -#/usr/sbin/hid2hci causes the following -allow initrc_t usbfs_t:file { getattr read }; -allow bluetooth_t usbfs_t:dir r_dir_perms; -allow bluetooth_t usbfs_t:file rw_file_perms; -allow bluetooth_t bin_t:dir search; -can_exec(bluetooth_t, { bin_t shell_exec_t }) -allow bluetooth_t bin_t:lnk_file read; - -#Handle bluetooth serial devices -allow bluetooth_t tty_device_t:chr_file rw_file_perms; -allow bluetooth_t self:fifo_file rw_file_perms; -allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read }; -r_dir_file(bluetooth_t, fonts_t) -allow bluetooth_t urandom_device_t:chr_file r_file_perms; -allow bluetooth_t usr_t:file { getattr read }; - -application_domain(bluetooth_helper, `, nscd_client_domain') -domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t) -role system_r types bluetooth_helper_t; -read_locale(bluetooth_helper_t) -typeattribute bluetooth_helper_t unrestricted; -r_dir_file(bluetooth_helper_t, domain) -allow bluetooth_helper_t bin_t:dir { getattr search }; -can_exec(bluetooth_helper_t, { bin_t shell_exec_t }) -allow bluetooth_helper_t bin_t:lnk_file read; -allow bluetooth_helper_t self:capability sys_nice; -allow bluetooth_helper_t self:fifo_file rw_file_perms; -allow bluetooth_helper_t self:process { fork getsched sigchld }; -allow bluetooth_helper_t self:shm create_shm_perms; -allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms; -allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read }; -r_dir_file(bluetooth_helper_t, fonts_t) -r_dir_file(bluetooth_helper_t, proc_t) -read_sysctl(bluetooth_helper_t) -allow bluetooth_helper_t tmp_t:dir search; -allow bluetooth_helper_t usr_t:file { getattr read }; -allow bluetooth_helper_t home_dir_type:dir search; 
-ifdef(`xserver.te', ` -allow bluetooth_helper_t xserver_log_t:dir search; -allow bluetooth_helper_t xserver_log_t:file { getattr read }; -') -ifdef(`targeted_policy', ` -allow bluetooth_helper_t tmp_t:sock_file { read write }; -allow bluetooth_helper_t tmpfs_t:file { read write }; -allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto; -allow bluetooth_t unconfined_t:dbus send_msg; -allow unconfined_t bluetooth_t:dbus send_msg; -', ` -ifdef(`xdm.te', ` -allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write }; -') -allow bluetooth_t unpriv_userdomain:dbus send_msg; -allow unpriv_userdomain bluetooth_t:dbus send_msg; -') -allow bluetooth_helper_t bluetooth_t:socket { read write }; -allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms; -allow bluetooth_helper_t self:unix_stream_socket connectto; -tmp_domain(bluetooth_helper) -allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms; - -dontaudit bluetooth_helper_t default_t:dir { read search }; -dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write }; -dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms; -ifdef(`xserver.te', ` -allow bluetooth_helper_t xserver_log_t:dir search; -allow bluetooth_helper_t xserver_log_t:file { getattr read }; -') diff --git a/targeted/domains/program/canna.te b/targeted/domains/program/canna.te deleted file mode 100644 index feb4e52f..00000000 --- a/targeted/domains/program/canna.te +++ /dev/null 
@@ -1,46 +0,0 @@
-#DESC canna - A Japanese character set input system.
-#
-# Authors: Dan Walsh
-#
-#
-
-#################################
-#
-# Rules for the canna_t domain.
-#
-daemon_domain(canna)
-
-file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
-
-logdir_domain(canna)
-var_lib_domain(canna)
-
-allow canna_t self:capability { setgid setuid net_bind_service };
-allow canna_t tmp_t:dir { search };
-allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
-allow canna_t self:unix_dgram_socket create_stream_socket_perms;
-allow canna_t etc_t:file { getattr read };
-allow canna_t usr_t:file { getattr read };
-
-allow canna_t proc_t:file r_file_perms;
-allow canna_t etc_runtime_t:file r_file_perms;
-allow canna_t canna_var_lib_t:dir create;
-
-rw_dir_create_file(canna_t, canna_var_lib_t)
-
-can_network_tcp(canna_t)
-allow canna_t port_type:tcp_socket name_connect;
-can_ypbind(canna_t)
-
-allow userdomain canna_var_run_t:dir search;
-allow userdomain canna_var_run_t:sock_file write;
-can_unix_connect(userdomain, canna_t)
-
-ifdef(`i18n_input.te', `
-allow i18n_input_t canna_var_run_t:dir search;
-allow i18n_input_t canna_var_run_t:sock_file write;
-can_unix_connect(i18n_input_t, canna_t)
-')
-
-dontaudit canna_t kernel_t:fd use;
-dontaudit canna_t root_t:file read;
diff --git a/targeted/domains/program/cardmgr.te b/targeted/domains/program/cardmgr.te
deleted file mode 100644
index 8f789886..00000000
--- a/targeted/domains/program/cardmgr.te
+++ /dev/null
@@ -1,90 +0,0 @@ -#DESC Cardmgr - PCMCIA control programs -# -# Authors: Stephen Smalley and Timothy Fraser -# Russell Coker -# X-Debian-Packages: pcmcia-cs -# - -################################# -# -# Rules for the cardmgr_t domain. -# -daemon_domain(cardmgr, `, privmodule') - -# for SSP -allow cardmgr_t urandom_device_t:chr_file read; - -type cardctl_exec_t, file_type, sysadmfile, exec_type; -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t) -') -role sysadm_r types cardmgr_t; -allow cardmgr_t admin_tty_type:chr_file { read write }; - -allow cardmgr_t sysfs_t:dir search; -allow cardmgr_t home_root_t:dir search; - -# Use capabilities (net_admin for route), setuid for cardctl -allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; - -# for /etc/resolv.conf -file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file) - -allow cardmgr_t etc_runtime_t:file { getattr read }; - -allow cardmgr_t modules_object_t:dir search; -allow cardmgr_t self:unix_dgram_socket create_socket_perms; -allow cardmgr_t self:unix_stream_socket create_socket_perms; -allow cardmgr_t self:fifo_file rw_file_perms; - -# Create stab file -var_lib_domain(cardmgr) - -# for /var/lib/misc/pcmcia-scheme -# would be better to have it in a different type if I knew how it was created.. -allow cardmgr_t var_lib_t:file { getattr read }; - -# Create device files in /tmp. -type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs; -file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file }) - -# Create symbolic links in /dev. -type cardmgr_lnk_t, file_type, sysadmfile; -file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file) - -# Run a shell, normal commands, /etc/pcmcia scripts. -can_exec_any(cardmgr_t) -allow cardmgr_t etc_t:lnk_file read; - -# Run ifconfig. 
-domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t) -allow ifconfig_t cardmgr_t:fd use; - -allow cardmgr_t proc_t:file { getattr read ioctl }; - -# Read /proc/PID directories for all domains (for fuser). -can_ps(cardmgr_t, domain -unrestricted) -dontaudit cardmgr_t unrestricted:dir search; - -allow cardmgr_t device_type:{ chr_file blk_file } getattr; -allow cardmgr_t ttyfile:chr_file getattr; -dontaudit cardmgr_t ptyfile:chr_file getattr; -dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr; -dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr; -dontaudit cardmgr_t proc_kmsg_t:file getattr; - -allow cardmgr_t tty_device_t:chr_file rw_file_perms; - -ifdef(`apmd.te', ` -domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t) -') - -ifdef(`hide_broken_symptoms', ` -dontaudit insmod_t cardmgr_dev_t:chr_file { read write }; -dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write }; -') -ifdef(`hald.te', ` -rw_dir_file(hald_t, cardmgr_var_run_t) -allow hald_t cardmgr_var_run_t:chr_file create_file_perms; -') -allow cardmgr_t device_t:lnk_file { getattr read }; diff --git a/targeted/domains/program/checkpolicy.te b/targeted/domains/program/checkpolicy.te deleted file mode 100644 index 0cfa5a08..00000000 --- a/targeted/domains/program/checkpolicy.te +++ /dev/null 
@@ -1,64 +0,0 @@
-#DESC Checkpolicy - SELinux policy compliler
-#
-# Authors: Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: checkpolicy
-#
-
-###########################
-#
-# checkpolicy_t is the domain type for checkpolicy
-# checkpolicy_exec_t if file type for the executable
-
-type checkpolicy_t, domain;
-role sysadm_r types checkpolicy_t;
-role system_r types checkpolicy_t;
-role secadm_r types checkpolicy_t;
-
-type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-#
-# Rules
-
-domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
-
-# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:file create_file_perms;
-
-###########################
-# constrain what checkpolicy can use as source files
-#
-
-# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t root_t:dir search;
-allow checkpolicy_t etc_t:dir search;
-
-# Read the devpts root directory.
-allow checkpolicy_t devpts_t:dir r_dir_perms;
-ifdef(`sshd.te',
-`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Other access
-allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(checkpolicy_t)
-allow checkpolicy_t self:capability dac_override;
-
-##########################
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
-
-allow checkpolicy_t { userdomain privfd }:fd use;
-
-allow checkpolicy_t fs_t:filesystem getattr;
-allow checkpolicy_t console_device_t:chr_file { read write };
-allow checkpolicy_t init_t:fd use;
-allow checkpolicy_t selinux_config_t:dir search;
diff --git a/targeted/domains/program/chkpwd.te b/targeted/domains/program/chkpwd.te
deleted file mode 100644
index 22ac7f2d..00000000
--- a/targeted/domains/program/chkpwd.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC Chkpwd - PAM password checking programs
-# X-Debian-Packages: libpam-modules
-#
-# Domains for the /sbin/.*_chkpwd utilities.
-#
-
-#
-# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
-#
-type chkpwd_exec_t, file_type, sysadmfile, exec_type;
-
-chkpwd_domain(system)
-dontaudit system_chkpwd_t privfd:fd use;
-role sysadm_r types system_chkpwd_t;
-in_user_role(system_chkpwd_t)
-
-# Everything else is in the chkpwd_domain macro in
-# macros/program/chkpwd_macros.te.
diff --git a/targeted/domains/program/compat.te b/targeted/domains/program/compat.te
deleted file mode 100644
index 72dc2d09..00000000
--- a/targeted/domains/program/compat.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typealias bin_t alias mount_exec_t;
-typealias bin_t alias dmesg_exec_t;
-typealias bin_t alias loadkeys_exec_t;
diff --git a/targeted/domains/program/comsat.te b/targeted/domains/program/comsat.te
deleted file mode 100644
index cd0e3f93..00000000
--- a/targeted/domains/program/comsat.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC comsat - biff server
-#
-# Author: Dan Walsh
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the comsat_t domain.
-#
-# comsat_exec_t is the type of the comsat executable.
-#
-
-inetd_child_domain(comsat, udp)
-allow comsat_t initrc_var_run_t:file r_file_perms;
-dontaudit comsat_t initrc_var_run_t:file write;
-allow comsat_t mail_spool_t:dir r_dir_perms;
-allow comsat_t mail_spool_t:lnk_file read;
-allow comsat_t var_spool_t:dir search;
-dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
diff --git a/targeted/domains/program/consoletype.te b/targeted/domains/program/consoletype.te
deleted file mode 100644
index b1cc1266..00000000
--- a/targeted/domains/program/consoletype.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC consoletype - determine the type of a console device
-#
-# Author: Russell Coker
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the consoletype_t domain.
-#
-# consoletype_t is the domain for the consoletype program.
-# consoletype_exec_t is the type of the corresponding program.
-#
-type consoletype_t, domain, mlsfileread, mlsfilewrite;
-type consoletype_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types consoletype_t;
-
-uses_shlib(consoletype_t)
-general_domain_access(consoletype_t)
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
-
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t xdm_tmp_t:file { read write };
-')
-
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
-')
-')
-
-allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
-
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-
-# Use capabilities.
-allow consoletype_t self:capability sys_admin;
-
-allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
-allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t nfs_t:file write;
-allow consoletype_t sysadm_t:fifo_file rw_file_perms;
-
-ifdef(`lpd.te', `
-allow consoletype_t printconf_t:file { getattr read };
-')
-
-ifdef(`pam.te', `
-allow consoletype_t pam_var_run_t:file { getattr read };
-')
-ifdef(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file rw_file_perms;
-')
-ifdef(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-dontaudit consoletype_t proc_t:dir search;
-dontaudit consoletype_t proc_t:file read;
-dontaudit consoletype_t root_t:file read;
-allow consoletype_t crond_t:fifo_file { read getattr ioctl };
-allow consoletype_t system_crond_t:fd use;
-allow consoletype_t fs_t:filesystem getattr;
diff --git a/targeted/domains/program/cpucontrol.te b/targeted/domains/program/cpucontrol.te
deleted file mode 100644
index 23a13b75..00000000
--- a/targeted/domains/program/cpucontrol.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
-#
-# Author: Russell Coker
-#
-
-type cpucontrol_conf_t, file_type, sysadmfile;
-
-daemon_base_domain(cpucontrol)
-
-# Access cpu devices.
-allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
-allow cpucontrol_t device_t:lnk_file { getattr read };
-allow initrc_t cpu_device_t:chr_file getattr;
-
-allow cpucontrol_t self:capability sys_rawio;
-
-r_dir_file(cpucontrol_t, cpucontrol_conf_t)
diff --git a/targeted/domains/program/cpuspeed.te b/targeted/domains/program/cpuspeed.te
deleted file mode 100644
index b80f7054..00000000
--- a/targeted/domains/program/cpuspeed.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
-#
-# Authors: Russell Coker
-# Thomas Bleher
-#
-
-daemon_base_domain(cpuspeed)
-read_locale(cpuspeed_t)
-
-allow cpuspeed_t sysfs_t:dir search;
-allow cpuspeed_t sysfs_t:file rw_file_perms;
-allow cpuspeed_t proc_t:dir r_dir_perms;
-allow cpuspeed_t proc_t:file { getattr read };
-allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow cpuspeed_t self:process setsched;
-allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
diff --git a/targeted/domains/program/crond.te b/targeted/domains/program/crond.te
deleted file mode 100644
index 78d70c78..00000000
--- a/targeted/domains/program/crond.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC crond
-#
-# Authors: Daniel Walsh
-#
-
-#################################
-#
-# Rules for the crond domain.
-#
-# crond_exec_t is the type of the /usr/sbin/crond and other programs.
-# This domain is defined just for targeted policy.
-#
-type crond_exec_t, file_type, sysadmfile, exec_type;
-type crond_t, domain, privuser, privrole, privfd, privowner;
-typealias crond_t alias system_crond_t;
-type anacron_exec_t, file_type, sysadmfile, exec_type;
-type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
-type system_cron_spool_t, file_type, sysadmfile;
-type sysadm_cron_spool_t, file_type, sysadmfile;
-role system_r types crond_t;
-domain_auto_trans(initrc_t, crond_exec_t, crond_t)
-domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
-# Access log files
-file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
-file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
-var_run_domain(crond)
-
-ifdef(`targeted_policy', `
-unconfined_domain(crond_t)
-allow crond_t initrc_t:dbus send_msg;
-allow crond_t unconfined_t:dbus send_msg;
-allow crond_t unconfined_t:process transition;
-')
diff --git a/targeted/domains/program/cups.te b/targeted/domains/program/cups.te
deleted file mode 100644
index 6bc5106c..00000000
--- a/targeted/domains/program/cups.te
+++ /dev/null
@@ -1,321 +0,0 @@
-#DESC Cups - Common Unix Printing System
-#
-# Created cups policy from lpd policy: Russell Coker
-# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
-# Depends: lpd.te lpr.te
-
-#################################
-#
-# Rules for the cupsd_t domain.
-#
-# cupsd_t is the domain of cupsd.
-# cupsd_exec_t is the type of the cupsd executable.
-#
-daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
-etcdir_domain(cupsd)
-type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-
-can_network(cupsd_t)
-allow cupsd_t port_type:tcp_socket name_connect;
-logdir_domain(cupsd)
-
-tmp_domain(cupsd, `', { file dir fifo_file })
-
-allow cupsd_t devpts_t:dir search;
-
-allow cupsd_t device_t:lnk_file read;
-allow cupsd_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t urandom_device_t:chr_file { getattr read };
-dontaudit cupsd_t random_device_t:chr_file ioctl;
-
-# temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
-r_dir_file(cupsd_t, usbdevfs_t)
-r_dir_file(cupsd_t, usbfs_t)
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
-')
-
-ifdef(`inetd.te', `
-allow inetd_t printer_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
-
-# write to spool
-allow cupsd_t var_spool_t:dir search;
-
-# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
-file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file })
-allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_etc_t:file setattr;
-allow cupsd_t cupsd_etc_t:dir setattr;
-
-allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
-can_exec(cupsd_t, initrc_exec_t)
-allow cupsd_t proc_t:file r_file_perms;
-allow cupsd_t proc_t:dir r_dir_perms;
-allow cupsd_t self:file { getattr read };
-read_sysctl(cupsd_t)
-allow cupsd_t sysctl_dev_t:dir search;
-allow cupsd_t 
sysctl_dev_t:file { getattr read };
-
-# for /etc/printcap
-dontaudit cupsd_t etc_t:file write;
-
-# allow cups to execute its backend scripts
-can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
-allow cupsd_t reserved_port_t:tcp_socket name_bind;
-dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
-
-allow cupsd_t self:unix_stream_socket create_socket_perms;
-allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:fifo_file rw_file_perms;
-
-# Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability net_admin;
-
-#
-# /usr/lib/cups/backend/serial needs sys_admin
-# Need new context to run under???
-allow cupsd_t self:capability sys_admin;
-
-allow cupsd_t self:process setsched;
-
-# for /var/lib/defoma
-allow cupsd_t var_lib_t:dir search;
-r_dir_file(cupsd_t, readable_t)
-
-# Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
-
-can_tcp_connect(web_client_domain, cupsd_t)
-can_tcp_connect(cupsd_t, cupsd_t)
-
-# Send to portmap.
-ifdef(`portmap.te', `
-can_udp_send(cupsd_t, portmap_t)
-can_udp_send(portmap_t, cupsd_t)
-')
-
-# Write to /var/spool/cups.
-allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
-allow cupsd_t print_spool_t:file create_file_perms;
-allow cupsd_t print_spool_t:file rw_file_perms;
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow cupsd_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_t bin_t:lnk_file read;
-can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
-
-# They will also invoke ghostscript, which needs to read fonts
-read_fonts(cupsd_t)
-
-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-allow cupsd_t lib_t:file { read getattr };
-
-# read python modules
-allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
-
-#
-# lots of errors generated requiring the following
-#
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-
-#
-# Satisfy readahead
-#
-allow initrc_t cupsd_log_t:file { getattr read };
-r_dir_file(cupsd_t, var_t)
-
-r_dir_file(cupsd_t, usercanread)
-ifdef(`samba.te', `
-rw_dir_file(cupsd_t, samba_var_t)
-allow smbd_t cupsd_etc_t:dir search;
-')
-
-ifdef(`pam.te', `
-dontaudit cupsd_t pam_var_run_t:file { getattr read };
-')
-dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-# PTAL
-daemon_domain(ptal)
-etcdir_domain(ptal)
-
-file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability { chown sys_rawio };
-allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ptal_t self:unix_stream_socket { listen accept };
-can_network_server_tcp(ptal_t)
-allow ptal_t ptal_port_t:tcp_socket name_bind;
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-allow ptal_t self:fifo_file rw_file_perms;
-allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file rw_file_perms;
-allow initrc_t printer_device_t:chr_file getattr;
-allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(ptal_t, usbdevfs_t)
-rw_dir_file(ptal_t, usbfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
-allow cupsd_t ptal_var_run_t:dir search;
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-allow initrc_t ptal_var_run_t:dir rmdir;
-allow initrc_t ptal_var_run_t:fifo_file unlink;
-
-
-# HPLIP
-daemon_domain(hplip)
-etcdir_domain(hplip)
-allow hplip_t etc_t:file r_file_perms;
-allow hplip_t etc_runtime_t:file { read getattr };
-allow hplip_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t hplip_var_run_t:file { read getattr };
-allow hplip_t cupsd_etc_t:dir search;
-can_network(hplip_t)
-allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
-allow hplip_t hplip_port_t:tcp_socket name_bind;
-
-# Uses networking to talk to the daemons
-allow hplip_t self:unix_dgram_socket create_socket_perms;
-allow hplip_t self:unix_stream_socket create_socket_perms;
-allow hplip_t self:rawip_socket create_socket_perms;
-
-# for python
-can_exec(hplip_t, bin_t)
-allow hplip_t { sbin_t bin_t }:dir search;
-allow hplip_t self:file { getattr read };
-allow hplip_t proc_t:file r_file_perms;
-allow hplip_t urandom_device_t:chr_file { getattr read };
-allow hplip_t usr_t:{ file lnk_file } r_file_perms;
-allow hplip_t devpts_t:dir search;
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
-
-dontaudit cupsd_t selinux_config_t:dir search;
-dontaudit cupsd_t selinux_config_t:file { getattr read };
-
-allow cupsd_t printconf_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
-allow cupsd_t system_dbusd_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
-')
-
-# CUPS configuration daemon
-daemon_domain(cupsd_config, `, nscd_client_domain')
-
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-')
-allow cupsd_config_t initrc_exec_t:file getattr;
-')dnl end distro_redhat
-
-allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
-allow cupsd_config_t self:file { getattr read };
-
-allow cupsd_config_t proc_t:file { getattr read };
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-can_ps(cupsd_config_t, cupsd_t)
-
-allow cupsd_config_t self:capability { chown sys_tty_config };
-
-rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
-rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
-file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_config_t var_t:lnk_file read;
-
-can_network_tcp(cupsd_config_t)
-can_ypbind(cupsd_config_t)
-allow cupsd_config_t port_type:tcp_socket name_connect;
-can_tcp_connect(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:fifo_file rw_file_perms;
-
-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_config)
-allow cupsd_config_t userdomain:dbus send_msg;
-allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow userdomain cupsd_config_t:dbus send_msg;
-')dnl end if dbusd.te
-
-ifdef(`hald.te', `
-
-ifdef(`dbusd.te', `
-allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
-allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
-')dnl end if dbusd.te
-
-allow hald_t cupsd_config_t:process signal;
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
-
-') dnl end if hald.te
-
-
-can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(cupsd_t, hostname_exec_t)
-can_exec(cupsd_config_t, hostname_exec_t)
-')
-allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-dontaudit cupsd_config_t selinux_config_t:dir search;
-
-can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-allow cupsd_config_t usr_t:file { getattr read };
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-allow cupsd_config_t printconf_t:file { getattr read };
-
-allow cupsd_config_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`logrotate.te', `
-allow cupsd_config_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
-# Alternatives asks for this
-allow cupsd_config_t initrc_exec_t:file getattr;
-ifdef(`targeted_policy', `
-can_unix_connect(cupsd_t, initrc_t)
-allow cupsd_t initrc_t:dbus send_msg;
-allow initrc_t cupsd_t:dbus send_msg;
-allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
-allow unconfined_t cupsd_config_t:dbus send_msg;
-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
-')
-typealias printer_port_t alias cupsd_lpd_port_t;
-inetd_child_domain(cupsd_lpd)
-allow inetd_t printer_port_t:tcp_socket name_bind;
-r_dir_file(cupsd_lpd_t, cupsd_etc_t)
-r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
-allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
-ifdef(`use_mcs', `
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-')
-
diff --git a/targeted/domains/program/cvs.te b/targeted/domains/program/cvs.te
deleted file mode 100644
index 3f3e63c2..00000000
--- a/targeted/domains/program/cvs.te
+++ /dev/null
@@ -1,31 +0,0 @@
-#DESC cvs - Concurrent Versions System
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the cvs_t domain.
-#
-# cvs_exec_t is the type of the cvs executable.
-#
-
-inetd_child_domain(cvs, tcp)
-typeattribute cvs_t privmail;
-typeattribute cvs_t auth_chkpwd;
-
-type cvs_data_t, file_type, sysadmfile, customizable;
-create_dir_file(cvs_t, cvs_data_t)
-can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
-allow cvs_t bin_t:dir search;
-allow cvs_t { bin_t sbin_t }:lnk_file read;
-allow cvs_t etc_runtime_t:file { getattr read };
-allow system_mail_t cvs_data_t:file { getattr read };
-dontaudit cvs_t devtty_t:chr_file { read write };
-ifdef(`kerberos.te', `
-# Allow kerberos to work
-allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
-dontaudit cvs_t krb5_conf_t:file write;
-')
-
diff --git a/targeted/domains/program/cyrus.te b/targeted/domains/program/cyrus.te
deleted file mode 100644
index a423235a..00000000
--- a/targeted/domains/program/cyrus.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC cyrus-imapd
-#
-# Authors: Dan Walsh
-#
-
-# cyrusd_exec_t is the type of the cyrusd executable.
-# cyrusd_key_t is the type of the cyrus private key files
-daemon_domain(cyrus)
-
-general_domain_access(cyrus_t)
-file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
-
-type cyrus_var_lib_t, file_type, sysadmfile;
-
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow cyrus_t self:process setrlimit;
-
-can_network(cyrus_t)
-allow cyrus_t port_type:tcp_socket name_connect;
-can_ypbind(cyrus_t)
-can_exec(cyrus_t, bin_t)
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-allow cyrus_t etc_t:file { getattr read };
-allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
-read_locale(cyrus_t)
-read_sysctl(cyrus_t)
-tmp_domain(cyrus)
-allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
-allow cyrus_t proc_t:dir search;
-allow cyrus_t proc_t:file { getattr read };
-allow cyrus_t sysadm_devpts_t:chr_file { read write };
-
-allow cyrus_t var_lib_t:dir search;
-
-allow cyrus_t etc_runtime_t:file { read getattr };
-ifdef(`crond.te', `
-system_crond_entry(cyrus_exec_t, cyrus_t)
-allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
-allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-')
-create_dir_file(cyrus_t, mail_spool_t)
-allow cyrus_t var_spool_t:dir search;
-
-ifdef(`saslauthd.te', `
-allow cyrus_t saslauthd_var_run_t:dir search;
-allow cyrus_t saslauthd_var_run_t:sock_file { read write };
-allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
-')
-
-r_dir_file(cyrus_t, cert_t)
-allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
diff --git a/targeted/domains/program/dbskkd.te b/targeted/domains/program/dbskkd.te
deleted file mode 100644
index e75d90b9..00000000
--- a/targeted/domains/program/dbskkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
-#
-# Author: Dan Walsh
-#
-
-#################################
-#
-# Rules for the dbskkd_t domain.
-#
-# dbskkd_exec_t is the type of the dbskkd executable.
-#
-# Depends: inetd.te
-
-inetd_child_domain(dbskkd)
diff --git a/targeted/domains/program/dbusd.te b/targeted/domains/program/dbusd.te
deleted file mode 100644
index acad4def..00000000
--- a/targeted/domains/program/dbusd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC dbus-daemon-1 server for dbus desktop bus protocol
-#
-# Author: Russell Coker
-
-dbusd_domain(system)
-
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file(system_dbusd_t, pam_var_console_t)
-')
-
-# dac_override: /var/run/dbus is owned by messagebus on Debian
-allow system_dbusd_t self:capability { dac_override setgid setuid };
-nsswitch_domain(system_dbusd_t)
-
-# I expect we need more than this
-
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow initrc_t system_dbusd_t:unix_stream_socket connectto;
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-
-can_exec(system_dbusd_t, sbin_t)
-allow system_dbusd_t self:fifo_file { read write };
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/targeted/domains/program/dhcpc.te b/targeted/domains/program/dhcpc.te
deleted file mode 100644
index d21b9db8..00000000
--- a/targeted/domains/program/dhcpc.te
+++ /dev/null
@@ -1,168 +0,0 @@
-#DESC DHCPC - DHCP client
-#
-# Authors: Wayne Salamon (NAI Labs)
-# Russell Coker
-# X-Debian-Packages: pump dhcp-client udhcpc
-#
-
-#################################
-#
-# Rules for the dhcpc_t domain.
-#
-# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP
-# network configurator daemon started by /etc/sysconfig/network-scripts
-# rc scripts, runs in this domain.
-# dhcpc_exec_t is the type of the dhcpcd executable.
-# The dhcpc_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpc)
-
-# for SSP
-allow dhcpc_t urandom_device_t:chr_file read;
-
-can_network(dhcpc_t)
-allow dhcpc_t port_type:tcp_socket name_connect;
-can_ypbind(dhcpc_t)
-allow dhcpc_t self:unix_dgram_socket create_socket_perms;
-allow dhcpc_t self:unix_stream_socket create_socket_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
-
-allow dhcpc_t devpts_t:dir search;
-
-# for localization
-allow dhcpc_t lib_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
-')
-ifdef(`nscd.te', `
-domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
-allow dhcpc_t nscd_var_run_t:file { getattr read };
-')
-ifdef(`cardmgr.te', `
-domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
-allow cardmgr_t dhcpc_var_run_t:file { getattr read };
-allow cardmgr_t dhcpc_t:process signal_perms;
-allow cardmgr_t dhcpc_var_run_t:file unlink;
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-allow hotplug_t dhcpc_t:process signal_perms;
-allow hotplug_t dhcpc_var_run_t:file { getattr read };
-allow hotplug_t dhcp_etc_t:file rw_file_perms;
-allow dhcpc_t hotplug_etc_t:dir { getattr search };
-ifdef(`distro_redhat', `
-domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
-')
-')dnl end hotplug.te
-
-# for the dhcp client to run ping to check IP addresses
-ifdef(`ping.te', `
-domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
-ifdef(`hotplug.te', `
-allow ping_t hotplug_t:fd use;
-') dnl end if hotplug
-ifdef(`cardmgr.te', `
-allow ping_t cardmgr_t:fd use;
-') dnl end if cardmgr
-', `
-allow dhcpc_t self:capability setuid;
-allow dhcpc_t self:rawip_socket create_socket_perms;
-') dnl end if ping
-
-ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-')
-type dhcpc_state_t, file_type, sysadmfile;
-
-allow dhcpc_t etc_t:lnk_file read;
-allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow dhcpc_t proc_net_t:dir search;
-allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
-allow dhcpc_t self:file { getattr read };
-read_sysctl(dhcpc_t)
-allow dhcpc_t userdomain:fd use;
-ifdef(`run_init.te', `
-allow dhcpc_t run_init_t:fd use;
-')
-
-# Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-
-# for udp port 68
-allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
-
-# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
-# in /etc created by dhcpcd will be labelled net_conf_t.
-file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
-
-# Allow access to the dhcpc file types
-r_dir_file(dhcpc_t, dhcp_etc_t)
-allow dhcpc_t sbin_t:dir search;
-can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
-ifdef(`distro_redhat', `
-can_exec(dhcpc_t, etc_t)
-allow initrc_t dhcp_etc_t:file rw_file_perms;
-')
-ifdef(`ifconfig.te', `
-domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-
-tmp_domain(dhcpc)
-
-# Allow dhcpc_t to use packet sockets
-allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t var_lib_t:dir search;
-file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-allow dhcpc_t dhcp_state_t:file { getattr read };
-
-allow dhcpc_t bin_t:dir { getattr search };
-allow dhcpc_t bin_t:lnk_file read;
-can_exec(dhcpc_t, { bin_t shell_exec_t })
-
-ifdef(`hostname.te', `
-domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
-')
-dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
-allow dhcpc_t { userdomain kernel_t }:fd use;
-
-allow dhcpc_t home_root_t:dir search;
-allow initrc_t dhcpc_state_t:file { getattr read };
-dontaudit dhcpc_t var_lock_t:dir search;
-allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit dhcpc_t domain:dir getattr;
-allow dhcpc_t initrc_var_run_t:file rw_file_perms;
-#
-# dhclient sometimes starts ypbind and ntdp
-#
-can_exec(dhcpc_t, initrc_exec_t)
-ifdef(`ypbind.te', `
-domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-allow dhcpc_t ypbind_t:process signal;
-')
-ifdef(`ntpd.te', `
-domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
-')
-role sysadm_r types dhcpc_t;
-domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t 
initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')
-')
-ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
-allow dhcpc_t locale_t:file write;
diff --git a/targeted/domains/program/dhcpd.te b/targeted/domains/program/dhcpd.te
deleted file mode 100644
index e276af2c..00000000
--- a/targeted/domains/program/dhcpd.te
+++ /dev/null
@@ -1,78 +0,0 @@
-#DESC DHCPD - DHCP server
-#
-# Author: Russell Coker
-# based on the dhcpc_t policy from:
-# Wayne Salamon (NAI Labs)
-# X-Debian-Packages: dhcp dhcp3-server
-#
-
-#################################
-#
-# Rules for the dhcpd_t domain.
-#
-# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP
-# server daemon rc scripts, runs in this domain.
-# dhcpd_exec_t is the type of the dhcpdd executable.
-# The dhcpd_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpd, `, nscd_client_domain')
-
-# for UDP port 4011
-allow dhcpd_t pxe_port_t:udp_socket name_bind;
-
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-
-# Use the network.
-can_network(dhcpd_t)
-allow dhcpd_t port_type:tcp_socket name_connect;
-allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
-can_ypbind(dhcpd_t)
-allow dhcpd_t self:unix_dgram_socket create_socket_perms;
-allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow dhcpd_t var_lib_t:dir search;
-
-allow dhcpd_t devtty_t:chr_file { read write };
-
-# Use capabilities
-allow dhcpd_t self:capability { net_raw net_bind_service };
-dontaudit dhcpd_t self:capability net_admin;
-
-# Allow access to the dhcpd file types
-type dhcp_state_t, file_type, sysadmfile;
-type dhcpd_state_t, file_type, sysadmfile;
-allow dhcpd_t dhcp_etc_t:file { read getattr };
-allow dhcpd_t dhcp_etc_t:dir search;
-file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
-
-allow dhcpd_t etc_t:lnk_file read;
-allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
-can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
-
-# Allow dhcpd_t to use packet sockets
-allow dhcpd_t self:packet_socket create_socket_perms;
-allow dhcpd_t self:rawip_socket create_socket_perms;
-
-# allow to run utilities and scripts
-allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
-allow 
dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
-allow dhcpd_t self:fifo_file { read write getattr };
-
-# allow reading /proc
-allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
-tmp_domain(dhcpd)
-
-ifdef(`distro_gentoo', `
-allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
-allow initrc_t dhcpd_state_t:file setattr;
-')
-r_dir_file(dhcpd_t, usr_t)
-allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-ifdef(`named.te', `
-allow dhcpd_t { named_conf_t named_zone_t }:dir search;
-allow dhcpd_t dnssec_t:file { getattr read };
-')
diff --git a/targeted/domains/program/dictd.te b/targeted/domains/program/dictd.te
deleted file mode 100644
index d610d073..00000000
--- a/targeted/domains/program/dictd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Dictd - Dictionary daemon
-#
-# Authors: Russell Coker
-# X-Debian-Packages: dictd
-#
-
-#################################
-#
-# Rules for the dictd_t domain.
-#
-# dictd_exec_t is the type of the dictd executable.
-#
-daemon_base_domain(dictd)
-type dictd_var_lib_t, file_type, sysadmfile;
-typealias dictd_var_lib_t alias var_lib_dictd_t;
-etc_domain(dictd)
-
-# for checking for nscd
-dontaudit dictd_t var_run_t:dir search;
-
-# read config files
-allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-read_locale(dictd_t)
-
-allow dictd_t { var_t var_lib_t }:dir search;
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
-
-allow dictd_t self:capability { setuid setgid };
-
-allow dictd_t usr_t:file r_file_perms;
-
-allow dictd_t self:process { setpgid fork sigchld };
-
-allow dictd_t proc_t:file r_file_perms;
-
-allow dictd_t dict_port_t:tcp_socket name_bind;
-
-allow dictd_t devtty_t:chr_file rw_file_perms;
-
-allow dictd_t self:unix_stream_socket create_stream_socket_perms;
-
-can_network_server(dictd_t)
-can_ypbind(dictd_t)
-can_tcp_connect(userdomain, dictd_t)
-
-allow dictd_t fs_t:filesystem getattr;
diff --git a/targeted/domains/program/dmidecode.te b/targeted/domains/program/dmidecode.te
deleted file mode 100644
index 05b93f79..00000000
--- a/targeted/domains/program/dmidecode.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC dmidecode - decodes DMI data for x86/ia64 bioses
-#
-# Author: Ivan Gyurdiev
-#
-
-type dmidecode_t, domain, privmem;
-type dmidecode_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types dmidecode_t;
-role system_r types dmidecode_t;
-domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
-
-uses_shlib(dmidecode_t)
-
-# Allow terminal access
-access_terminal(dmidecode_t, sysadm)
-
-# Allow dmidecode to read /dev/mem
-allow dmidecode_t memory_device_t:chr_file read;
-
-allow dmidecode_t self:capability sys_rawio;
diff --git a/targeted/domains/program/dovecot.te b/targeted/domains/program/dovecot.te
deleted file mode 100644
index eb7a30ec..00000000
--- a/targeted/domains/program/dovecot.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#DESC Dovecot POP and IMAP servers
-#
-# Author: Russell Coker
-# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
-
-#
-# Main dovecot daemon
-#
-daemon_domain(dovecot, `, privhome')
-etc_domain(dovecot);
-
-allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-type dovecot_cert_t, file_type, sysadmfile;
-type dovecot_passwd_t, file_type, sysadmfile;
-type dovecot_spool_t, file_type, sysadmfile;
-
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
-allow dovecot_t self:process setrlimit;
-can_network_tcp(dovecot_t)
-allow dovecot_t port_type:tcp_socket name_connect;
-can_ypbind(dovecot_t)
-allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dovecot_t, self)
-
-allow dovecot_t etc_t:file { getattr read };
-allow dovecot_t initrc_var_run_t:file getattr;
-allow dovecot_t bin_t:dir { getattr search };
-can_exec(dovecot_t, bin_t)
-
-allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file { getattr read };
-allow dovecot_t cert_t:dir search;
-r_dir_file(dovecot_t, dovecot_cert_t)
-r_dir_file(dovecot_t, cert_t)
-
-allow dovecot_t { self proc_t }:file { getattr read };
-allow dovecot_t self:fifo_file rw_file_perms;
-
-can_kerberos(dovecot_t)
-
-allow dovecot_t tmp_t:dir search;
-rw_dir_create_file(dovecot_t, mail_spool_t)
-
-
-create_dir_file(dovecot_t, dovecot_spool_t)
-create_dir_file(mta_delivery_agent, dovecot_spool_t)
-allow dovecot_t mail_spool_t:lnk_file read;
-allow dovecot_t var_spool_t:dir { search };
-
-#
-# Dovecot auth daemon
-#
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
-can_ldap(dovecot_auth_t)
-can_ypbind(dovecot_auth_t)
-can_kerberos(dovecot_auth_t)
-can_resolve(dovecot_auth_t)
-allow dovecot_auth_t self:process { fork signal_perms };
-allow dovecot_auth_t self:capability { 
setgid setuid };
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t self:fifo_file rw_file_perms;
-allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
-allow dovecot_auth_t etc_t:file { getattr read };
-allow dovecot_auth_t { self proc_t }:file { getattr read };
-read_locale(dovecot_auth_t)
-read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
-dontaudit dovecot_auth_t selinux_config_t:dir search;
-
diff --git a/targeted/domains/program/fingerd.te b/targeted/domains/program/fingerd.te
deleted file mode 100644
index 73fee16b..00000000
--- a/targeted/domains/program/fingerd.te
+++ /dev/null
@@ -1,80 +0,0 @@
-#DESC Fingerd - Finger daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
-#
-
-#################################
-#
-# Rules for the fingerd_t domain.
-#
-# fingerd_exec_t is the type of the fingerd executable.
-#
-daemon_domain(fingerd)
-
-etcdir_domain(fingerd)
-
-allow fingerd_t etc_t:lnk_file read;
-allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
-
-log_domain(fingerd)
-system_crond_entry(fingerd_exec_t, fingerd_t)
-ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
-
-allow fingerd_t fingerd_port_t:tcp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t fingerd_port_t:tcp_socket name_bind;
-# can be run from inetd
-domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
-allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
-')
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
-')
-
-allow fingerd_t self:capability { setgid setuid };
-# for gzip from logrotate
-dontaudit fingerd_t self:capability fsetid;
-
-# cfingerd runs shell scripts
-allow fingerd_t { bin_t sbin_t }:dir search;
-allow fingerd_t bin_t:lnk_file read;
-can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
-allow fingerd_t devtty_t:chr_file { read write };
-
-allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
-
-# Use the network.
-can_network_server(fingerd_t)
-can_ypbind(fingerd_t)
-
-allow fingerd_t self:unix_dgram_socket create_socket_perms;
-allow fingerd_t self:unix_stream_socket create_socket_perms;
-allow fingerd_t self:fifo_file { read write getattr };
-
-# allow any user domain to connect to the finger server
-can_tcp_connect(userdomain, fingerd_t)
-
-# for .finger, .plan. 
etc
-allow fingerd_t { home_root_t user_home_dir_type }:dir search;
-# should really have a different type for .plan etc
-allow fingerd_t user_home_type:file { getattr read };
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-dontaudit fingerd_t user_home_t:dir search;
-
-# for mail
-allow fingerd_t { var_spool_t mail_spool_t }:dir search;
-allow fingerd_t mail_spool_t:file getattr;
-allow fingerd_t mail_spool_t:lnk_file read;
-
-# see who is logged in and when users last logged in
-allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
-dontaudit fingerd_t initrc_var_run_t:file lock;
-allow fingerd_t devpts_t:dir search;
-allow fingerd_t ptyfile:chr_file getattr;
-
-allow fingerd_t proc_t:file { read getattr };
-
-# for date command
-read_sysctl(fingerd_t)
diff --git a/targeted/domains/program/firstboot.te b/targeted/domains/program/firstboot.te
deleted file mode 100644
index e07bc432..00000000
--- a/targeted/domains/program/firstboot.te
+++ /dev/null
@@ -1,131 +0,0 @@
-#DESC firstboot
-#
-# Author: Dan Walsh
-# X-Debian-Packages: firstboot
-#
-
-#################################
-#
-# Rules for the firstboot_t domain.
-#
-# firstboot_exec_t is the type of the firstboot executable.
-#
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
-type firstboot_rw_t, file_type, sysadmfile;
-role system_r types firstboot_t;
-
-ifdef(`xserver.te', `
-domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
-
-etc_domain(firstboot)
-
-allow firstboot_t proc_t:file r_file_perms;
-
-allow firstboot_t urandom_device_t:chr_file { getattr read };
-allow firstboot_t proc_t:file { getattr read write };
-
-domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
-file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
-
-can_exec_any(firstboot_t)
-ifdef(`useradd.te',`
-domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
-domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
-')
-allow firstboot_t etc_runtime_t:file { getattr read };
-
-r_dir_file(firstboot_t, etc_t)
-
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-allow firstboot_t self:fifo_file { getattr read write };
-allow firstboot_t self:process { fork sigchld };
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t initrc_exec_t:file { getattr read };
-allow firstboot_t initrc_var_run_t:file r_file_perms;
-allow firstboot_t lib_t:file { getattr read };
-allow firstboot_t local_login_t:fd use;
-read_locale(firstboot_t)
-
-allow firstboot_t proc_t:dir search;
-allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
-allow firstboot_t usr_t:file r_file_perms;
-
-allow firstboot_t etc_t:file write;
-
-# Allow write to utmp file
-allow firstboot_t initrc_var_run_t:file write;
-
-ifdef(`samba.te', `
-rw_dir_file(firstboot_t, samba_etc_t)
-')
-
-dontaudit firstboot_t shadow_t:file getattr;
-
-role system_r types initrc_t;
-#role_transition firstboot_r initrc_exec_t system_r;
-domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
-
-allow firstboot_t self:passwd rootok;
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-ifdef(`consoletype.te', `
-allow consoletype_t devtty_t:chr_file { read write };
-allow consoletype_t etc_t:file { getattr read };
-allow consoletype_t firstboot_t:fd use;
-')
-
-allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
-
-allow firstboot_t self:capability { dac_override setgid };
-allow firstboot_t self:dir search;
-allow firstboot_t self:file { read write };
-allow firstboot_t self:lnk_file read;
-can_setfscreate(firstboot_t)
-allow firstboot_t krb5_conf_t:file rw_file_perms;
-
-allow firstboot_t modules_conf_t:file { getattr read };
-allow firstboot_t modules_dep_t:file { getattr read };
-allow firstboot_t modules_object_t:dir search;
-allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
-allow firstboot_t proc_t:lnk_file read;
-
-can_getsecurity(firstboot_t)
-
-dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-read_sysctl(firstboot_t)
-
-allow firstboot_t var_run_t:dir getattr;
-allow firstboot_t var_t:dir getattr;
-ifdef(`hostname.te', `
-allow hostname_t devtty_t:chr_file { read write };
-allow hostname_t firstboot_t:fd use;
-')
-ifdef(`iptables.te', `
-allow iptables_t devtty_t:chr_file { read write };
-allow iptables_t firstboot_t:fd use;
-allow iptables_t firstboot_t:fifo_file write;
-')
-can_network_server(firstboot_t)
-can_ypbind(firstboot_t)
-ifdef(`printconf.te', `
-can_exec(firstboot_t, printconf_t)
-')
-create_dir_file(firstboot_t, var_t)
-# Add/remove user home directories
-file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
-
-#
-# The 
big hammer
-#
-unconfined_domain(firstboot_t)
-ifdef(`targeted_policy', `
-allow firstboot_t unconfined_t:process transition;
-')
-
diff --git a/targeted/domains/program/fsadm.te b/targeted/domains/program/fsadm.te
deleted file mode 100644
index 0bfbb686..00000000
--- a/targeted/domains/program/fsadm.te
+++ /dev/null
@@ -1,123 +0,0 @@
-#DESC Fsadm - Disk and file system administration
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
-#
-
-#################################
-#
-# Rules for the fsadm_t domain.
-#
-# fsadm_t is the domain for disk and file system
-# administration.
-# fsadm_exec_t is the type of the corresponding programs.
-#
-type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
-role system_r types fsadm_t;
-role sysadm_r types fsadm_t;
-
-general_domain_access(fsadm_t)
-
-# for swapon
-r_dir_file(fsadm_t, sysfs_t)
-
-# Read system information files in /proc.
-r_dir_file(fsadm_t, proc_t)
-
-# Read system variables in /proc/sys
-read_sysctl(fsadm_t)
-
-# for /dev/shm
-allow fsadm_t tmpfs_t:dir { getattr search };
-allow fsadm_t tmpfs_t:file { read write };
-
-base_file_read_access(fsadm_t)
-
-# Read /etc.
-r_dir_file(fsadm_t, etc_t)
-
-# Read module-related files.
-allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow fsadm_t device_t:dir r_dir_perms;
-allow fsadm_t device_t:lnk_file r_file_perms;
-
-uses_shlib(fsadm_t)
-
-type fsadm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-')
-tmp_domain(fsadm)
-
-# remount file system to apply changes
-allow fsadm_t fs_t:filesystem remount;
-
-allow fsadm_t fs_t:filesystem getattr;
-
-# mkreiserfs needs this
-allow fsadm_t proc_t:filesystem getattr;
-
-# mkreiserfs and other programs need this for UUID
-allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
-
-# Use capabilities. ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
-
-# Write to /etc/mtab. 
-file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
-
-# Inherit and use descriptors from init.
-allow fsadm_t init_t:fd use;
-
-# Run other fs admin programs in the fsadm_t domain.
-can_exec(fsadm_t, fsadm_exec_t)
-
-# Access disk devices.
-allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
-
-# Access lost+found.
-allow fsadm_t lost_found_t:dir create_dir_perms;
-allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
-allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
-
-allow fsadm_t file_t:dir { search read getattr rmdir create };
-
-# Recreate /mnt/cdrom.
-allow fsadm_t mnt_t:dir { search read getattr rmdir create };
-
-# Recreate /dev/cdrom.
-allow fsadm_t device_t:dir rw_dir_perms;
-allow fsadm_t device_t:lnk_file { unlink create };
-
-# Enable swapping to devices and files
-allow fsadm_t swapfile_t:file { getattr swapon };
-allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
-
-# Allow console log change (updfstab)
-allow fsadm_t kernel_t:system syslog_console;
-
-# Access terminals.
-can_access_pty(fsadm_t, initrc)
-allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-allow fsadm_t privfd:fd use;
-
-read_locale(fsadm_t)
-
-# for smartctl cron jobs
-system_crond_entry(fsadm_exec_t, fsadm_t)
-
-# Access to /initrd devices
-allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
-allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
-allow fsadm_t usbfs_t:dir { getattr search };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
-allow fsadm_t device_type:chr_file getattr;
-
-# for tune2fs
-allow fsadm_t file_type:dir { getattr search };
diff --git a/targeted/domains/program/ftpd.te b/targeted/domains/program/ftpd.te
deleted file mode 100644
index b20252bd..00000000
--- a/targeted/domains/program/ftpd.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Ftpd - Ftp daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
-#
-
-#################################
-#
-# Rules for the ftpd_t domain
-#
-daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
-etc_domain(ftpd)
-
-can_network(ftpd_t)
-allow ftpd_t port_type:tcp_socket name_connect;
-allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow ftpd_t self:unix_stream_socket create_socket_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
-allow ftpd_t self:fifo_file rw_file_perms;
-
-allow ftpd_t bin_t:dir search;
-can_exec(ftpd_t, bin_t)
-allow ftpd_t bin_t:lnk_file read;
-read_sysctl(ftpd_t)
-
-allow ftpd_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`crond.te', `
-system_crond_entry(ftpd_exec_t, ftpd_t)
-allow system_crond_t xferlog_t:file r_file_perms;
-can_exec(ftpd_t, { sbin_t shell_exec_t })
-allow ftpd_t usr_t:file { getattr read };
-ifdef(`logrotate.te', `
-can_exec(ftpd_t, logrotate_exec_t)
-')dnl end if logrotate.te
-')dnl end if crond.te
-
-allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
-allow ftpd_t port_t:tcp_socket name_bind;
-
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
-type ftpd_lock_t, file_type, sysadmfile, lockfile;
-
-# Allow ftpd to run directly without inetd.
-bool ftpd_is_daemon false;
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
-allow ftpd_t ftp_port_t:tcp_socket name_bind;
-can_tcp_connect(userdomain, ftpd_t)
-# Allows it to check exec privs on daemon
-allow inetd_t ftpd_exec_t:file x_file_perms;
-}
-ifdef(`inetd.te', `
-if (!ftpd_is_daemon) {
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-
-# Use sockets inherited from inetd. 
-allow ftpd_t inetd_t:fd use;
-allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Send SIGCHLD to inetd on death.
-allow ftpd_t inetd_t:process sigchld;
-}
-') dnl end inetd.te
-
-# Access shared memory tmpfs instance.
-tmpfs_domain(ftpd)
-
-# Use capabilities.
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-# Append to /var/log/wtmp.
-allow ftpd_t wtmp_t:file { getattr append };
-#kerberized ftp requires the following
-allow ftpd_t wtmp_t:file { write lock };
-
-# Create and modify /var/log/xferlog.
-type xferlog_t, file_type, sysadmfile, logfile;
-file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
-
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-can_exec(ftpd_t, ls_exec_t)
-
-allow initrc_t ftpd_etc_t:file { getattr read };
-allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ftpd_t proc_t:file { getattr read };
-
-dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t autofs_t:dir search;
-allow ftpd_t self:file { getattr read };
-tmp_domain(ftpd)
-
-# Allow ftp to read/write files in the user home directories.
-bool ftp_home_dir false;
-
-if (ftp_home_dir) {
-# allow access to /home
-allow ftpd_t home_root_t:dir r_dir_perms;
-create_dir_file(ftpd_t, home_type)
-ifdef(`targeted_policy', `
-file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
-')
-}
-if (use_nfs_home_dirs && ftp_home_dir) {
- r_dir_file(ftpd_t, nfs_t)
-}
-if (use_samba_home_dirs && ftp_home_dir) {
- r_dir_file(ftpd_t, cifs_t)
-}
-dontaudit ftpd_t selinux_config_t:dir search;
-anonymous_domain(ftpd)
-
diff --git a/targeted/domains/program/getty.te b/targeted/domains/program/getty.te
deleted file mode 100644
index 7899aecf..00000000
--- a/targeted/domains/program/getty.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Getty - Manage ttys
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
-#
-
-#################################
-#
-# Rules for the getty_t domain.
-#
-init_service_domain(getty, `, privfd')
-
-etcdir_domain(getty)
-
-allow getty_t console_device_t:chr_file setattr;
-
-tmp_domain(getty)
-log_domain(getty)
-
-allow getty_t { etc_t etc_runtime_t }:file { getattr read };
-allow getty_t etc_t:lnk_file read;
-allow getty_t self:process { getpgid getsession };
-allow getty_t self:unix_dgram_socket create_socket_perms;
-allow getty_t self:unix_stream_socket create_socket_perms;
-
-# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-
-read_locale(getty_t)
-
-# Run login in local_login_t domain.
-allow getty_t { sbin_t bin_t }:dir search;
-domain_auto_trans(getty_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow getty_t { var_t var_run_t }:dir search;
-allow getty_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow getty_t wtmp_t:file rw_file_perms;
-
-# Chown, chmod, read and write ttys.
-allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
-allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
-
-# for error condition handling
-allow getty_t fs_t:filesystem getattr;
-
-lock_domain(getty)
-r_dir_file(getty_t, sysfs_t)
-# for mgetty
-var_run_domain(getty)
-allow getty_t self:capability { fowner fsetid };
-
-#
-# getty needs to be able to run pppd
-#
-ifdef(`pppd.te', `
-domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
-')
diff --git a/targeted/domains/program/hald.te b/targeted/domains/program/hald.te
deleted file mode 100644
index a51709a2..00000000
--- a/targeted/domains/program/hald.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#DESC hald - server for device info
-#
-# Author: Russell Coker
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the hald_t domain.
-#
-# hald_exec_t is the type of the hald executable.
-#
-daemon_domain(hald, `, fs_domain, nscd_client_domain')
-
-can_exec_any(hald_t)
-
-allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow hald_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
-dbusd_client(system, hald)
-allow hald_t self:dbus send_msg;
-')
-
-allow hald_t self:file { getattr read };
-allow hald_t proc_t:file rw_file_perms;
-
-allow hald_t { bin_t sbin_t }:dir search;
-allow hald_t self:fifo_file rw_file_perms;
-allow hald_t usr_t:file { getattr read };
-allow hald_t bin_t:file getattr;
-
-# For backwards compatibility with older kernels
-allow hald_t self:netlink_socket create_socket_perms;
-
-allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
-can_network_server(hald_t)
-can_ypbind(hald_t)
-
-allow hald_t device_t:lnk_file read;
-allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
-allow hald_t removable_device_t:blk_file write;
-allow hald_t event_device_t:chr_file { getattr read ioctl };
-allow hald_t printer_device_t:chr_file rw_file_perms;
-allow hald_t urandom_device_t:chr_file read;
-allow hald_t mouse_device_t:chr_file r_file_perms;
-allow hald_t device_type:chr_file getattr;
-
-can_getsecurity(hald_t)
-
-ifdef(`updfstab.te', `
-domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
-allow updfstab_t hald_t:dbus send_msg;
-allow hald_t updfstab_t:dbus send_msg;
-')
-ifdef(`udev.te', `
-domain_auto_trans(hald_t, udev_exec_t, 
udev_t)
-allow udev_t hald_t:unix_dgram_socket sendto;
-allow hald_t udev_tbl_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(hald_t, hotplug_etc_t)
-')
-allow hald_t fs_type:dir { search getattr };
-allow hald_t usbfs_t:dir r_dir_perms;
-allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
-allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
-allow hald_t initrc_t:dbus send_msg;
-allow initrc_t hald_t:dbus send_msg;
-allow hald_t etc_runtime_t:file rw_file_perms;
-allow hald_t var_lib_t:dir search;
-allow hald_t device_t:dir create_dir_perms;
-allow hald_t device_t:chr_file create_file_perms;
-tmp_domain(hald)
-allow hald_t mnt_t:dir search;
-r_dir_file(hald_t, proc_net_t)
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
-
-# For /usr/libexec/hald-probe-smbios
-domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
-
-# ??
-ifdef(`lvm.te', `
-allow hald_t lvm_control_t:chr_file r_file_perms;
-')
-ifdef(`targeted_policy', `
-allow unconfined_t hald_t:dbus send_msg;
-allow hald_t unconfined_t:dbus send_msg;
-')
-ifdef(`mount.te', `
-domain_auto_trans(hald_t, mount_exec_t, mount_t)
-')
-r_dir_file(hald_t, hwdata_t)
diff --git a/targeted/domains/program/hostname.te b/targeted/domains/program/hostname.te
deleted file mode 100644
index 2138baf5..00000000
--- a/targeted/domains/program/hostname.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC hostname - show or set the system host name
-#
-# Author: Russell Coker
-# X-Debian-Packages: hostname
-
-# for setting the hostname
-daemon_core_rules(hostname, , nosysadm)
-allow hostname_t self:capability sys_admin;
-allow hostname_t etc_t:file { getattr read };
-
-allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-read_locale(hostname_t)
-can_resolve(hostname_t)
-allow hostname_t userdomain:fd use;
-dontaudit hostname_t kernel_t:fd use;
-allow hostname_t net_conf_t:file { getattr read };
-allow hostname_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit hostname_t var_t:dir search;
-allow hostname_t fs_t:filesystem getattr;
-
-# for when /usr is not mounted
-dontaudit hostname_t file_t:dir search;
-
-ifdef(`distro_redhat', `
-allow hostname_t tmpfs_t:chr_file rw_file_perms;
-')
-can_access_pty(hostname_t, initrc)
-allow hostname_t initrc_t:fd use;
diff --git a/targeted/domains/program/hotplug.te b/targeted/domains/program/hotplug.te
deleted file mode 100644
index a6d8fbe2..00000000
--- a/targeted/domains/program/hotplug.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#DESC Hotplug - Hardware event manager
-#
-# Author: Russell Coker
-# X-Debian-Packages: hotplug
-#
-
-#################################
-#
-# Rules for the hotplug_t domain.
-#
-# hotplug_exec_t is the type of the hotplug executable.
-#
-ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
-', `
-daemon_domain(hotplug, `, privmodule, nscd_client_domain')
-')
-
-etcdir_domain(hotplug)
-
-allow hotplug_t self:fifo_file { read write getattr ioctl };
-allow hotplug_t self:unix_dgram_socket create_socket_perms;
-allow hotplug_t self:unix_stream_socket create_socket_perms;
-allow hotplug_t self:udp_socket create_socket_perms;
-
-read_sysctl(hotplug_t)
-allow hotplug_t sysctl_net_t:dir r_dir_perms;
-allow hotplug_t sysctl_net_t:file { getattr read };
-
-# get info from /proc
-r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read ioctl };
-
-allow hotplug_t devtty_t:chr_file rw_file_perms;
-
-allow hotplug_t device_t:dir r_dir_perms;
-
-# for SSP
-allow hotplug_t urandom_device_t:chr_file read;
-
-allow hotplug_t { bin_t sbin_t }:dir search;
-allow hotplug_t { bin_t sbin_t }:lnk_file read;
-can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-ifdef(`netutils.te', `
-ifdef(`distro_redhat', `
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
-
-allow hotplug_t tmpfs_t:dir search;
-allow hotplug_t tmpfs_t:chr_file rw_file_perms;
-')dnl end if distro_redhat
-')dnl end if netutils.te
-
-allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read ioctl };
-r_dir_file(hotplug_t, usbdevfs_t)
-allow hotplug_t usbfs_t:dir r_dir_perms;
-allow hotplug_t 
usbfs_t:file { getattr read };
-
-# read config files
-allow hotplug_t etc_t:dir r_dir_perms;
-allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
-
-allow hotplug_t kernel_t:process { sigchld setpgid };
-
-ifdef(`distro_redhat', `
-allow hotplug_t var_lock_t:dir search;
-allow hotplug_t var_lock_t:file getattr;
-')
-
-ifdef(`hald.te', `
-allow hotplug_t hald_t:unix_dgram_socket sendto;
-allow hald_t hotplug_etc_t:dir search;
-allow hald_t hotplug_etc_t:file { getattr read };
-')
-
-# for killall
-allow hotplug_t self:process { getsession getattr };
-allow hotplug_t self:file getattr;
-
-domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
-ifdef(`mount.te', `
-domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
-')
-domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`updfstab.te', `
-domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
-')
-
-# init scripts run /etc/hotplug/usb.rc
-domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
-allow initrc_t hotplug_etc_t:dir r_dir_perms;
-
-ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
-
-r_dir_file(hotplug_t, modules_object_t)
-allow hotplug_t modules_dep_t:file { getattr read ioctl };
-
-# for lsmod
-dontaudit hotplug_t self:capability { sys_module sys_admin };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit hotplug_t self:capability { dac_override dac_read_search };
-
-ifdef(`fsadm.te', `
-domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
-')
-
-allow hotplug_t var_log_t:dir search;
-
-# for ps
-dontaudit hotplug_t domain:dir { getattr search };
-dontaudit hotplug_t { init_t kernel_t }:file read;
-ifdef(`initrc.te', `
-can_ps(hotplug_t, initrc_t)
-')
-
-# for when filesystems are not mounted early in the boot
-dontaudit hotplug_t file_t:dir { search getattr };
-
-# kernel threads inherit from shared descriptor table used by init
-dontaudit hotplug_t initctl_t:fifo_file { read write };
-
-# Read /usr/lib/gconv/.*
-allow hotplug_t lib_t:file { 
getattr read };
-
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-allow hotplug_t sysfs_t:dir { getattr read search write };
-allow hotplug_t sysfs_t:file rw_file_perms;
-allow hotplug_t sysfs_t:lnk_file { getattr read };
-r_dir_file(hotplug_t, hwdata_t)
-allow hotplug_t udev_runtime_t:file rw_file_perms;
-ifdef(`lpd.te', `
-allow hotplug_t printer_device_t:chr_file setattr;
-')
-allow hotplug_t fixed_disk_device_t:blk_file setattr;
-allow hotplug_t removable_device_t:blk_file setattr;
-allow hotplug_t sound_device_t:chr_file setattr;
-
-ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-')
-
-file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
-
-can_network_server(hotplug_t)
-can_ypbind(hotplug_t)
-dbusd_client(system, hotplug)
-
-# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
-domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
-ifdef(`mta.te', `
-domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
-')
-
-allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
-allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
-
-dontaudit hotplug_t selinux_config_t:dir search;
diff --git a/targeted/domains/program/howl.te b/targeted/domains/program/howl.te
deleted file mode 100644
index ccb2fb1f..00000000
--- a/targeted/domains/program/howl.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC howl - port of Apple Rendezvous multicast DNS
-#
-# Author: Russell Coker
-#
-
-daemon_domain(howl, `, privsysmod')
-r_dir_file(howl_t, proc_net_t)
-can_network_server(howl_t)
-can_ypbind(howl_t)
-allow howl_t self:unix_dgram_socket create_socket_perms;
-allow howl_t self:capability { kill net_admin sys_module };
-
-allow howl_t self:fifo_file rw_file_perms;
-
-allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow howl_t self:unix_dgram_socket create_socket_perms;
-
-allow howl_t etc_t:file { getattr read };
-allow howl_t initrc_var_run_t:file rw_file_perms;
-
diff --git a/targeted/domains/program/hwclock.te b/targeted/domains/program/hwclock.te
deleted file mode 100644
index dab39eec..00000000
--- a/targeted/domains/program/hwclock.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC Hwclock - Hardware clock manager
-#
-# Author: David A. Wheeler
-# Russell Coker
-# X-Debian-Packages: util-linux
-#
-
-#################################
-#
-# Rules for the hwclock_t domain.
-# This domain moves time information between the "hardware clock"
-# (which runs when the system is off) and the "system clock",
-# and it stores adjustment values in /etc/adjtime so that errors in the
-# hardware clock are corrected.
-# Note that any errors from this domain are NOT recorded by the system logger,
-# because the system logger isnt running when this domain is active.
-#
-daemon_base_domain(hwclock)
-role sysadm_r types hwclock_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
-')
-type adjtime_t, file_type, sysadmfile;
-allow hwclock_t fs_t:filesystem getattr;
-
-read_locale(hwclock_t)
-
-# Give hwclock the capabilities it requires. dac_override is a surprise,
-# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
-
-# Allow hwclock to set the hardware clock.
-allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
-
-# Allow hwclock to store & retrieve correction factors.
-allow hwclock_t adjtime_t:file { setattr rw_file_perms };
-
-# Read and write console and ttys.
-allow hwclock_t tty_device_t:chr_file rw_file_perms;
-allow hwclock_t ttyfile:chr_file rw_file_perms;
-allow hwclock_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
-
-read_locale(hwclock_t)
-
-# for when /usr is not mounted
-dontaudit hwclock_t file_t:dir search;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-r_dir_file(hwclock_t, etc_t)
diff --git a/targeted/domains/program/ifconfig.te b/targeted/domains/program/ifconfig.te
deleted file mode 100644
index 6cccc32d..00000000
--- a/targeted/domains/program/ifconfig.te
+++ /dev/null
@@ -1,74 +0,0 @@
-#DESC Ifconfig - Configure network interfaces
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: net-tools
-#
-
-#################################
-#
-# Rules for the ifconfig_t domain.
-#
-# ifconfig_t is the domain for the ifconfig program.
-# ifconfig_exec_t is the type of the corresponding program.
-#
-type ifconfig_t, domain, privlog, privmodule;
-type ifconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types ifconfig_t;
-role sysadm_r types ifconfig_t;
-
-uses_shlib(ifconfig_t)
-general_domain_access(ifconfig_t)
-
-domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-')
-
-# for /sbin/ip
-allow ifconfig_t self:packet_socket create_socket_perms;
-allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
-allow ifconfig_t self:tcp_socket { create ioctl };
-allow ifconfig_t etc_t:file { getattr read };
-
-allow ifconfig_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow ifconfig_t self:capability { net_raw net_admin };
-dontaudit ifconfig_t self:capability sys_module;
-allow ifconfig_t self:capability sys_tty_config;
-
-# Inherit and use descriptors from init.
-allow ifconfig_t { kernel_t init_t }:fd use;
-
-# Access /proc
-r_dir_file(ifconfig_t, proc_t)
-r_dir_file(ifconfig_t, proc_net_t)
-
-allow ifconfig_t privfd:fd use;
-allow ifconfig_t run_init_t:fd use;
-
-# Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket create_socket_perms;
-
-# Access terminals.
-can_access_pty(ifconfig_t, initrc)
-allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-
-allow ifconfig_t tun_tap_device_t:chr_file { read write };
-
-# ifconfig attempts to search some sysctl entries.
-# Do not audit those attempts; comment out these rules if it is desired to
-# see the denials. 
-allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-
-allow ifconfig_t fs_t:filesystem getattr;
-
-read_locale(ifconfig_t)
-allow ifconfig_t lib_t:file { getattr read };
-
-rhgb_domain(ifconfig_t)
-allow ifconfig_t userdomain:fd use;
-dontaudit ifconfig_t root_t:file read;
-r_dir_file(ifconfig_t, sysfs_t)
diff --git a/targeted/domains/program/inetd.te b/targeted/domains/program/inetd.te
deleted file mode 100644
index 5c88ab35..00000000
--- a/targeted/domains/program/inetd.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Inetd - Internet services daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# re-written with daemon_domain by Russell Coker
-# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
-#
-
-#################################
-#
-# Rules for the inetd_t domain and
-# the inetd_child_t domain.
-#
-
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
-
-can_network(inetd_t)
-allow inetd_t port_type:tcp_socket name_connect;
-allow inetd_t self:unix_dgram_socket create_socket_perms;
-allow inetd_t self:unix_stream_socket create_socket_perms;
-allow inetd_t self:fifo_file rw_file_perms;
-allow inetd_t etc_t:file { getattr read ioctl };
-allow inetd_t self:process setsched;
-
-log_domain(inetd)
-tmp_domain(inetd)
-
-# Use capabilities.
-allow inetd_t self:capability { setuid setgid net_bind_service };
-
-# allow any domain to connect to inetd
-can_tcp_connect(userdomain, inetd_t)
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to the individual target domain .te files.
-
-# Run other daemons in the inetd_child_t domain.
-allow inetd_t { bin_t sbin_t }:dir search;
-allow inetd_t sbin_t:lnk_file read;
-
-# Bind to the telnet, ftp, rlogin and rsh ports.
-ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
-ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
-allow inetd_t auth_port_t:tcp_socket name_bind;
-# Communicate with the portmapper.
-ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
-
-
-inetd_child_domain(inetd_child)
-allow inetd_child_t proc_net_t:dir search;
-allow inetd_child_t proc_net_t:file { getattr read };
-
-ifdef(`unconfined.te', `
-domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
-')
-
-ifdef(`unlimitedInetd', `
-unconfined_domain(inetd_t)
-')
-
diff --git a/targeted/domains/program/init.te b/targeted/domains/program/init.te
deleted file mode 100644
index dc5c0508..00000000
--- a/targeted/domains/program/init.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sysvinit
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_t is the domain of the init process.
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created
-# by init during initialization. This pipe is used
-# to communicate with init.
-#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
-role system_r types init_t;
-uses_shlib(init_t);
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# for init to determine whether SE Linux is active so it can know whether to
-# activate it
-allow init_t security_t:dir search;
-allow init_t security_t:file { getattr read };
-
-# for mount points
-allow init_t file_t:dir search;
-
-# Use capabilities.
-allow init_t self:capability ~sys_module;
-
-# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
-domain_auto_trans(init_t, initrc_exec_t, initrc_t)
-
-# Run the shell in the sysadm_t domain for single-user mode.
-domain_auto_trans(init_t, shell_exec_t, sysadm_t)
-
-# Run /sbin/update in the init_t domain.
-can_exec(init_t, sbin_t)
-
-# Run init.
-can_exec(init_t, init_exec_t)
-
-# Run chroot from initrd scripts.
-ifdef(`chroot.te', `
-can_exec(init_t, chroot_exec_t)
-')
-
-# Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
-ifdef(`distro_redhat', `
-file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
-')
-
-# Create ioctl.save.
-file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache
-allow init_t ld_so_cache_t:file rw_file_perms;
-
-# Allow access to log files
-allow init_t var_t:dir search;
-allow init_t var_log_t:dir search;
-allow init_t var_log_t:file rw_file_perms;
-
-read_locale(init_t)
-
-# Create unix sockets
-allow init_t self:unix_dgram_socket create_socket_perms;
-allow init_t self:unix_stream_socket create_socket_perms;
-allow init_t self:fifo_file rw_file_perms;
-
-# Permissions required for system startup
-allow init_t { bin_t sbin_t }:dir r_dir_perms;
-allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
-
-# allow init to fork
-allow init_t self:process { fork sigchld };
-
-# Modify utmp.
-allow init_t var_run_t:file rw_file_perms;
-allow init_t initrc_var_run_t:file { setattr rw_file_perms };
-can_unix_connect(init_t, initrc_t)
-
-# For /var/run/shutdown.pid.
-var_run_domain(init)
-
-# Shutdown permissions
-r_dir_file(init_t, proc_t)
-r_dir_file(init_t, self)
-allow init_t devpts_t:dir r_dir_perms;
-
-# Modify wtmp.
-allow init_t wtmp_t:file rw_file_perms;
-
-# Kill all processes.
-allow init_t domain:process signal_perms;
-
-# Allow all processes to send SIGCHLD to init.
-allow domain init_t:process { sigchld signull };
-
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-allow unlabeled_t init_t:process sigchld;
-
-# for loading policy
-allow init_t policy_config_t:file r_file_perms;
-
-# Set booleans.
-can_setbool(init_t)
-
-# Read and write the console and ttys.
-allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
-ifdef(`distro_redhat', `
-allow init_t tmpfs_t:chr_file rw_file_perms;
-')
-allow init_t ttyfile:chr_file rw_file_perms;
-allow init_t ptyfile:chr_file rw_file_perms;
-
-# Run system executables.
-can_exec(init_t,bin_t)
-ifdef(`consoletype.te', `
-can_exec(init_t, consoletype_exec_t)
-')
-
-# Run /etc/X11/prefdm.
-can_exec(init_t,etc_t)
-
-allow init_t lib_t:file { getattr read };
-
-allow init_t devtty_t:chr_file { read write };
-allow init_t ramfs_t:dir search;
-allow init_t ramfs_t:sock_file write;
-r_dir_file(init_t, sysfs_t)
-
-r_dir_file(init_t, selinux_config_t)
-
-# file descriptors inherited from the rootfs.
-dontaudit init_t root_t:{ file chr_file } { read write };
-ifdef(`targeted_policy', `
-unconfined_domain(init_t)
-')
-
diff --git a/targeted/domains/program/initrc.te b/targeted/domains/program/initrc.te
deleted file mode 100644
index 56ca417d..00000000
--- a/targeted/domains/program/initrc.te
+++ /dev/null
@@ -1,342 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sysvinit policycoreutils
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_t is the domain of the init rc scripts.
-# initrc_exec_t is the type of the init program.
-#
-# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
-
-role system_r types initrc_t;
-uses_shlib(initrc_t);
-can_network(initrc_t)
-allow initrc_t port_type:tcp_socket name_connect;
-can_ypbind(initrc_t)
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-
-# for halt to down interfaces
-allow initrc_t self:udp_socket create_socket_perms;
-
-# read files in /etc/init.d
-allow initrc_t etc_t:lnk_file r_file_perms;
-
-read_locale(initrc_t)
-
-r_dir_file(initrc_t, usr_t)
-
-# Read system information files in /proc.
-r_dir_file(initrc_t, { proc_t proc_net_t })
-allow initrc_t proc_mdstat_t:file { getattr read };
-
-# Allow IPC with self
-allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow initrc_t self:fifo_file rw_file_perms;
-
-# Read the root directory of a usbdevfs filesystem, and
-# the devices and drivers files. Permit stating of the
-# device nodes, but nothing else.
-allow initrc_t usbdevfs_t:dir r_dir_perms;
-allow initrc_t usbdevfs_t:lnk_file r_file_perms;
-allow initrc_t usbdevfs_t:file getattr;
-allow initrc_t usbfs_t:dir r_dir_perms;
-allow initrc_t usbfs_t:file getattr;
-
-# allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
-
-# Can create ptys for open_init_pty
-can_create_pty(initrc)
-
-tmp_domain(initrc)
-#
-# Some initscripts generate scripts that they need to execute (ldap)
-#
-can_exec(initrc_t, initrc_tmp_t)
-
-var_run_domain(initrc)
-allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
-allow initrc_t var_run_t:dir { create rmdir };
-
-ifdef(`distro_debian', `
-allow initrc_t { etc_t device_t }:dir setattr;
-
-# for storing state under /dev/shm
-allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
-')
-
-allow initrc_t framebuf_device_t:chr_file r_file_perms;
-
-# Use capabilities.
-allow initrc_t self:capability ~{ sys_admin sys_module };
-
-# Use system operations.
-allow initrc_t kernel_t:system *;
-
-# Set values in /proc/sys.
-can_sysctl(initrc_t)
-
-# Run helper programs in the initrc_t domain.
-allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
-allow initrc_t {bin_t sbin_t }:lnk_file read;
-can_exec(initrc_t, etc_t)
-can_exec(initrc_t, lib_t)
-can_exec(initrc_t, bin_t)
-can_exec(initrc_t, sbin_t)
-can_exec(initrc_t, exec_type)
-#
-# These rules are here to allow init scripts to su
-#
-ifdef(`su.te', `
-su_restricted_domain(initrc,system)
-role system_r types initrc_su_t;
-')
-allow initrc_t self:passwd rootok;
-
-# read /lib/modules
-allow initrc_t modules_object_t:dir { search read };
-
-# Read conf.modules.
-allow initrc_t modules_conf_t:file r_file_perms;
-
-# Run other rc scripts in the initrc_t domain.
-can_exec(initrc_t, initrc_exec_t)
-
-# Run init (telinit) in the initrc_t domain.
-can_exec(initrc_t, init_exec_t)
-
-# Communicate with the init process.
-allow initrc_t initctl_t:fifo_file rw_file_perms;
-
-# Read /proc/PID directories for all domains.
-r_dir_file(initrc_t, domain)
-allow initrc_t domain:process { getattr getsession };
-
-# Mount and unmount file systems.
-allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t file_t:dir { read search getattr mounton };
-
-# during boot up initrc needs to do the following
-allow initrc_t default_t:dir { write read search getattr mounton };
-
-# rhgb-console writes to ramfs
-allow initrc_t ramfs_t:fifo_file write;
-
-# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
-file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache.
-allow initrc_t ld_so_cache_t:file rw_file_perms;
-
-# Update /var/log/wtmp and /var/log/dmesg.
-allow initrc_t wtmp_t:file { setattr rw_file_perms };
-allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file create_file_perms;
-allow initrc_t lastlog_t:file { setattr rw_file_perms };
-allow initrc_t logfile:file { read append };
-
-# remove old locks
-allow initrc_t lockfile:dir rw_dir_perms;
-allow initrc_t lockfile:file { getattr unlink };
-
-# Access /var/lib/random-seed.
-allow initrc_t var_lib_t:file rw_file_perms;
-allow initrc_t var_lib_t:file unlink;
-
-# Create lock file.
-allow initrc_t var_lock_t:dir create_dir_perms;
-allow initrc_t var_lock_t:file create_file_perms;
-
-# Set the clock.
-allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
-
-# Kill all processes.
-allow initrc_t domain:process signal_perms;
-
-# Write to /dev/urandom.
-allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
-
-# for cryptsetup
-allow initrc_t fixed_disk_device_t:blk_file getattr;
-
-# Set device ownerships/modes.
-allow initrc_t framebuf_device_t:chr_file setattr;
-allow initrc_t misc_device_t:devfile_class_set setattr;
-allow initrc_t device_t:devfile_class_set setattr;
-allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
-allow initrc_t removable_device_t:devfile_class_set setattr;
-allow initrc_t device_t:lnk_file read;
-allow initrc_t xconsole_device_t:fifo_file setattr;
-
-# Stat any file.
-allow initrc_t file_type:notdevfile_class_set getattr;
-allow initrc_t file_type:dir { search getattr };
-
-# Read and write console and ttys.
-allow initrc_t devtty_t:chr_file rw_file_perms;
-allow initrc_t console_device_t:chr_file rw_file_perms;
-allow initrc_t tty_device_t:chr_file rw_file_perms;
-allow initrc_t ttyfile:chr_file rw_file_perms;
-allow initrc_t ptyfile:chr_file rw_file_perms;
-
-# Reset tty labels.
-allow initrc_t ttyfile:chr_file relabelfrom;
-allow initrc_t tty_device_t:chr_file relabelto;
-
-ifdef(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file rw_file_perms;
-file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
-
-allow initrc_t tmpfs_t:chr_file rw_file_perms;
-allow initrc_t tmpfs_t:dir r_dir_perms;
-
-# Allow initrc domain to set the enforcing flag.
-can_setenforce(initrc_t)
-
-#
-# readahead asks for these
-#
-allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t var_lib_nfs_t:file { getattr read };
-
-# for /halt /.autofsck and other flag files
-file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
-
-file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
-allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
-allow initrc_t self:capability sys_admin;
-allow initrc_t device_t:dir create;
-# wants to delete /poweroff and other files
-allow initrc_t root_t:file unlink;
-# wants to read /.fonts directory
-allow initrc_t default_t:file { getattr read };
-ifdef(`xserver.te', `
-# wants to cleanup xserver log dir
-allow initrc_t xserver_log_t:dir rw_dir_perms;
-allow initrc_t xserver_log_t:file unlink;
-')
-')dnl end distro_redhat
-
-allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-allow initrc_t var_spool_t:file rw_file_perms;
-
-# Allow access to the sysadm TTYs. Note that this will give access to the
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow initrc_t admin_tty_type:chr_file rw_file_perms;
-
-# Access sound device and files.
-allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-
-# Read user home directories.
-allow initrc_t { home_root_t home_type }:dir r_dir_perms;
-allow initrc_t home_type:file r_file_perms;
-
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
-# for system start scripts
-allow initrc_t pidfile:dir { rmdir rw_dir_perms };
-allow initrc_t pidfile:sock_file unlink;
-
-rw_dir_create_file(initrc_t, var_lib_t)
-
-# allow start scripts to clean /tmp
-allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
-allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
-
-# for lsof which is used by alsa shutdown
-dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit initrc_t proc_kmsg_t:file getattr;
-
-#################################
-#
-# Rules for the run_init_t domain.
-#
-ifdef(`targeted_policy', `
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-type run_init_t, domain;
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-typeattribute initrc_t privuser;
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-allow initrc_t unconfined_t:system syslog_mod;
-', `
-run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
-')
-allow initrc_t privfd:fd use;
-
-# Transition to system_r:initrc_t upon executing init scripts.
-ifdef(`direct_sysadm_daemon', `
-role_transition sysadm_r initrc_exec_t system_r;
-domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
-')
-
-#
-# Shutting down xinet causes these
-#
-# Fam
-dontaudit initrc_t device_t:dir { read write };
-# Rsync
-dontaudit initrc_t mail_spool_t:lnk_file read;
-
-allow initrc_t sysfs_t:dir { getattr read search };
-allow initrc_t sysfs_t:file { getattr read write };
-allow initrc_t sysfs_t:lnk_file { getattr read };
-allow initrc_t udev_runtime_t:file rw_file_perms;
-allow initrc_t device_type:chr_file setattr;
-allow initrc_t binfmt_misc_fs_t:dir { getattr search };
-allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-
-# for lsof in shutdown scripts
-can_kerberos(initrc_t)
-
-#
-# Wants to remove udev.tbl
-#
-allow initrc_t device_t:dir rw_dir_perms;
-allow initrc_t device_t:lnk_file unlink;
-
-r_dir_file(initrc_t,selinux_config_t)
-
-ifdef(`unlimitedRC', `
-unconfined_domain(initrc_t)
-')
-#
-# initrc script does a cat /selinux/enforce
-#
-allow initrc_t security_t:dir { getattr search };
-allow initrc_t security_t:file { getattr read };
-
-# init script state
-type initrc_state_t, file_type, sysadmfile;
-create_dir_file(initrc_t,initrc_state_t)
-
-ifdef(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-')
-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
-allow initrc_t device_t:lnk_file create_file_perms;
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-')
-
-# Slapd needs to read cert files from its initscript
-r_dir_file(initrc_t, cert_t)
-ifdef(`use_mcs', `
-range_transition sysadm_t initrc_exec_t s0;
-')
diff --git a/targeted/domains/program/innd.te b/targeted/domains/program/innd.te
deleted file mode 100644
index 25047dfb..00000000
--- a/targeted/domains/program/innd.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC INN - InterNetNews server
-#
-# Author: Faye Coker
-# X-Debian-Packages: inn
-#
-################################
-
-# Types for the server port and news spool.
-#
-type news_spool_t, file_type, sysadmfile;
-
-
-# need privmail attribute so innd can access system_mail_t
-daemon_domain(innd, `, privmail')
-
-# allow innd to create files and directories of type news_spool_t
-create_dir_file(innd_t, news_spool_t)
-
-# allow user domains to read files and directories these types
-r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
-
-can_exec(initrc_t, innd_etc_t)
-can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(innd_t, hostname_exec_t)
-')
-
-allow innd_t var_spool_t:dir { getattr search };
-
-can_network(innd_t)
-allow innd_t port_type:tcp_socket name_connect;
-can_ypbind(innd_t)
-
-can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
-allow innd_t self:unix_dgram_socket create_socket_perms;
-allow innd_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(innd_t, self)
-
-allow innd_t self:fifo_file rw_file_perms;
-allow innd_t innd_port_t:tcp_socket name_bind;
-
-allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
-allow innd_t self:process setsched;
-
-allow innd_t { bin_t sbin_t }:dir search;
-allow innd_t usr_t:lnk_file read;
-allow innd_t usr_t:file { getattr read ioctl };
-allow innd_t lib_t:file ioctl;
-allow innd_t etc_t:file { getattr read };
-allow innd_t { proc_t etc_runtime_t }:file { getattr read };
-allow innd_t urandom_device_t:chr_file read;
-
-allow innd_t innd_var_run_t:sock_file create_file_perms;
-
-# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)?
and symbolic links with that type
-etcdir_domain(innd)
-
-# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
-# it can write to
-logdir_domain(innd)
-
-# allow innd read-write directory permissions to /var/lib/news.
-var_lib_domain(innd)
-
-ifdef(`crond.te', `
-system_crond_entry(innd_exec_t, innd_t)
-allow system_crond_t innd_etc_t:file { getattr read };
-rw_dir_create_file(system_crond_t, innd_log_t)
-rw_dir_create_file(system_crond_t, innd_var_run_t)
-')
-
-ifdef(`syslogd.te', `
-allow syslogd_t innd_log_t:dir search;
-allow syslogd_t innd_log_t:file create_file_perms;
-')
-
-allow innd_t self:file { getattr read };
-dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
-allow innd_t bin_t:lnk_file { read };
-allow innd_t sbin_t:lnk_file { read };
diff --git a/targeted/domains/program/kerberos.te b/targeted/domains/program/kerberos.te
deleted file mode 100644
index 19cc3c49..00000000
--- a/targeted/domains/program/kerberos.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Kerberos5 - MIT Kerberos5
-# supports krb5kdc and kadmind daemons
-# kinit, kdestroy, klist clients
-# ksu support not complete
-#
-# includes rules for OpenSSH daemon compiled with both
-# kerberos5 and SELinux support
-#
-# Not supported : telnetd, ftpd, kprop/kpropd daemons
-#
-# Author: Kerry Thompson
-# Modified by Colin Walters
-#
-
-#################################
-#
-# Rules for the krb5kdc_t,kadmind_t domains.
-#
-daemon_domain(krb5kdc)
-daemon_domain(kadmind)
-
-can_exec(krb5kdc_t, krb5kdc_exec_t)
-can_exec(kadmind_t, kadmind_exec_t)
-
-# types for general configuration files in /etc
-type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
-
-# types for KDC configs and principal file(s)
-type krb5kdc_conf_t, file_type, sysadmfile;
-type krb5kdc_principal_t, file_type, sysadmfile;
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
-allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
-
-# krb5kdc and kadmind can use network
-can_network_server( { krb5kdc_t kadmind_t } )
-can_ypbind( { krb5kdc_t kadmind_t } )
-
-# allow UDP transfer to/from any program
-can_udp_send(kerberos_port_t, krb5kdc_t)
-can_udp_send(krb5kdc_t, kerberos_port_t)
-can_tcp_connect(kerberos_port_t, krb5kdc_t)
-can_tcp_connect(kerberos_admin_port_t, kadmind_t)
-
-# Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t reserved_port_t:tcp_socket name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
-
-#
-# Rules for Kerberos5 KDC daemon
-allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
-allow krb5kdc_t self:unix_stream_socket create_socket_perms;
-allow kadmind_t self:unix_stream_socket create_socket_perms;
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-allow krb5kdc_t locale_t:file { getattr read };
-dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
-allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
-allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
-dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
-tmp_domain(krb5kdc)
-log_domain(krb5kdc)
-allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
-allow kadmind_t random_device_t:chr_file { getattr read };
-allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t proc_t:dir r_dir_perms;
-allow krb5kdc_t proc_t:file { getattr read };
-
-#
-# Rules for Kerberos5 Kadmin daemon
-allow kadmind_t self:unix_dgram_socket { connect create write };
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
-allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
-read_locale(kadmind_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
-tmp_domain(kadmind)
-log_domain(kadmind)
-
-#
-# Allow user programs to talk to KDC
-allow krb5kdc_t userdomain:udp_socket recvfrom;
-allow userdomain krb5kdc_t:udp_socket recvfrom;
-allow initrc_t krb5_conf_t:file
ioctl;
diff --git a/targeted/domains/program/klogd.te b/targeted/domains/program/klogd.te
deleted file mode 100644
index dd0b79cc..00000000
--- a/targeted/domains/program/klogd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Klogd - Kernel log daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: klogd
-#
-
-#################################
-#
-# Rules for the klogd_t domain.
-#
-daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
-
-tmp_domain(klogd)
-allow klogd_t proc_t:dir r_dir_perms;
-allow klogd_t proc_t:lnk_file r_file_perms;
-allow klogd_t proc_t:file { getattr read };
-allow klogd_t self:dir r_dir_perms;
-allow klogd_t self:lnk_file r_file_perms;
-
-# read /etc/nsswitch.conf
-allow klogd_t etc_t:lnk_file read;
-allow klogd_t etc_t:file r_file_perms;
-
-read_locale(klogd_t)
-
-allow klogd_t etc_runtime_t:file { getattr read };
-
-# Create unix sockets
-allow klogd_t self:unix_dgram_socket create_socket_perms;
-
-# Use the sys_admin and sys_rawio capabilities.
-allow klogd_t self:capability { sys_admin sys_rawio };
-dontaudit klogd_t self:capability sys_resource;
-
-
-# Read /proc/kmsg and /dev/mem.
-allow klogd_t proc_kmsg_t:file r_file_perms;
-allow klogd_t memory_device_t:chr_file r_file_perms;
-
-# Control syslog and console logging
-allow klogd_t kernel_t:system { syslog_mod syslog_console };
-
-# Read /boot/System.map*
-allow klogd_t system_map_t:file r_file_perms;
-allow klogd_t boot_t:dir r_dir_perms;
-ifdef(`targeted_policy', `
-allow klogd_t unconfined_t:system syslog_mod;
-')
diff --git a/targeted/domains/program/ktalkd.te b/targeted/domains/program/ktalkd.te
deleted file mode 100644
index 7ae0109c..00000000
--- a/targeted/domains/program/ktalkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC ktalkd - KDE version of the talk server
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the ktalkd_t domain.
-#
-# ktalkd_exec_t is the type of the ktalkd executable.
-#
-
-inetd_child_domain(ktalkd, udp)
diff --git a/targeted/domains/program/kudzu.te b/targeted/domains/program/kudzu.te
deleted file mode 100644
index 9b64f98d..00000000
--- a/targeted/domains/program/kudzu.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#DESC kudzu - Red Hat utility to recognise new hardware
-#
-# Author: Russell Coker
-#
-
-daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
-
-read_locale(kudzu_t)
-
-# for /etc/sysconfig/hwconf - probably need a new type
-allow kudzu_t etc_runtime_t:file rw_file_perms;
-
-# for kmodule
-if (allow_execmem) {
-allow kudzu_t self:process execmem;
-}
-allow kudzu_t zero_device_t:chr_file rx_file_perms;
-allow kudzu_t memory_device_t:chr_file { read write execute };
-
-allow kudzu_t ramfs_t:dir search;
-allow kudzu_t ramfs_t:sock_file write;
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read unlink rename };
-allow kudzu_t modules_object_t:dir r_dir_perms;
-allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
-allow kudzu_t mouse_device_t:chr_file { read write };
-allow kudzu_t proc_net_t:dir r_dir_perms;
-allow kudzu_t { proc_net_t proc_t }:file { getattr read };
-allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
-allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
-allow kudzu_t { bin_t sbin_t }:dir { getattr search };
-allow kudzu_t { bin_t sbin_t }:lnk_file read;
-read_sysctl(kudzu_t)
-allow kudzu_t sysctl_dev_t:dir { getattr search read };
-allow kudzu_t sysctl_dev_t:file { getattr read };
-allow kudzu_t sysctl_kernel_t:file write;
-allow kudzu_t usbdevfs_t:dir search;
-allow kudzu_t usbdevfs_t:file { getattr read };
-allow kudzu_t usbfs_t:dir search;
-allow kudzu_t usbfs_t:file { getattr read };
-var_run_domain(kudzu)
-allow kudzu_t kernel_t:system syslog_console;
-allow kudzu_t self:udp_socket { create ioctl };
-allow kudzu_t var_lock_t:dir search;
-allow kudzu_t devpts_t:dir search;
-
-# so it can write messages to the console
-allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
-
-role sysadm_r types kudzu_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
-')
-ifdef(`anaconda.te', `
-domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
-
-allow kudzu_t sysadm_home_dir_t:dir search;
-rw_dir_create_file(kudzu_t, etc_t)
-
-rw_dir_create_file(kudzu_t, mnt_t)
-can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
-# Read /usr/lib/gconv/gconv-modules.*
-allow kudzu_t lib_t:file { read getattr };
-# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
-allow kudzu_t usr_t:file { read getattr };
-r_dir_file(kudzu_t, hwdata_t)
-
-# Communicate with rhgb-client.
-allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow kudzu_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`rhgb.te', `
-allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-
-allow kudzu_t self:file { getattr read };
-allow kudzu_t self:fifo_file rw_file_perms;
-ifdef(`gpm.te', `
-allow kudzu_t gpmctl_t:sock_file getattr;
-')
-
-can_exec(kudzu_t, shell_exec_t)
-
-# Write to /proc/sys/kernel/hotplug. Why?
-allow kudzu_t sysctl_hotplug_t:file { read write };
-
-allow kudzu_t sysfs_t:dir { getattr read search };
-allow kudzu_t sysfs_t:file { getattr read };
-allow kudzu_t sysfs_t:lnk_file read;
-file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
-allow kudzu_t tape_device_t:chr_file r_file_perms;
-tmp_domain(kudzu, `', `{ file dir chr_file }')
-
-# for file systems that are not yet mounted
-dontaudit kudzu_t file_t:dir search;
-ifdef(`lpd.te', `
-allow kudzu_t printconf_t:file { getattr read };
-')
-ifdef(`cups.te', `
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
-')
-dontaudit kudzu_t src_t:dir search;
-ifdef(`xserver.te', `
-allow kudzu_t xserver_exec_t:file getattr;
-')
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-', `
-unconfined_domain(kudzu_t)
-')
-
-allow kudzu_t initrc_t:unix_stream_socket connectto;
-allow kudzu_t net_conf_t:file { getattr read };
-
diff --git a/targeted/domains/program/ldconfig.te b/targeted/domains/program/ldconfig.te
deleted file mode 100644
index fbb76886..00000000
--- a/targeted/domains/program/ldconfig.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Ldconfig - Configure dynamic linker bindings
-#
-# Author: Russell Coker
-# X-Debian-Packages: libc6
-#
-
-#################################
-#
-# Rules for the ldconfig_t domain.
-#
-type ldconfig_t, domain, privlog, etc_writer;
-type ldconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types ldconfig_t;
-role system_r types ldconfig_t;
-
-domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
-dontaudit ldconfig_t device_t:dir search;
-can_access_pty(ldconfig_t, initrc)
-allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
-allow ldconfig_t privfd:fd use;
-
-uses_shlib(ldconfig_t)
-
-file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
-allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file create_lnk_perms;
-
-allow ldconfig_t userdomain:fd use;
-# unlink for when /etc/ld.so.cache is mislabeled
-allow ldconfig_t etc_t:file { getattr read unlink };
-allow ldconfig_t etc_t:lnk_file read;
-
-allow ldconfig_t fs_t:filesystem getattr;
-allow ldconfig_t tmp_t:dir search;
-
-ifdef(`apache.te', `
-# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-dontaudit ldconfig_t httpd_modules_t:dir search;
-')
-
-allow ldconfig_t { var_t var_lib_t }:dir search;
-allow ldconfig_t proc_t:file { getattr read };
-ifdef(`hide_broken_symptoms', `
-ifdef(`unconfined.te',`
-dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
-')dnl end hide_broken_symptoms
-ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t)
-')
diff --git a/targeted/domains/program/load_policy.te b/targeted/domains/program/load_policy.te
deleted file mode 100644
index 3d43900f..00000000
--- a/targeted/domains/program/load_policy.te
+++ /dev/null
@@ -1,65 +0,0 @@ -#DESC LoadPolicy - SELinux policy loading utilities -# -# Authors: Frank Mayer, mayerf@tresys.com -# X-Debian-Packages: policycoreutils -# - -########################### -# load_policy_t is the domain type for load_policy -# load_policy_exec_t is the file type for the executable - -# boolean to determine whether the system permits loading policy, setting -# enforcing mode, and changing boolean values. Set this to true and you -# have to reboot to set it back -bool secure_mode_policyload false; - -type load_policy_t, domain; -role sysadm_r types load_policy_t; -role secadm_r types load_policy_t; -role system_r types load_policy_t; - -type load_policy_exec_t, file_type, exec_type, sysadmfile; - -########################## -# -# Rules - -domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t) - -allow load_policy_t console_device_t:chr_file { read write }; - -# Reload the policy configuration (sysadm_t no longer has this ability) -can_loadpol(load_policy_t) - -# Reset policy boolean values. -can_setbool(load_policy_t) - - -########################### -# constrain from where load_policy can load a policy, specifically -# policy_config_t files -# - -# only allow read of policy config files -allow load_policy_t policy_src_t:dir search; -r_dir_file(load_policy_t, policy_config_t) -r_dir_file(load_policy_t, selinux_config_t) - -# directory search permissions for path to binary policy files -allow load_policy_t root_t:dir search; -allow load_policy_t etc_t:dir search; - -# for mcs.conf -allow load_policy_t etc_t:file { getattr read }; - -# Other access -can_access_pty(load_policy_t, initrc) -allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr }; -uses_shlib(load_policy_t) -allow load_policy_t self:capability dac_override; - -allow load_policy_t { userdomain privfd initrc_t }:fd use; - -allow load_policy_t fs_t:filesystem getattr; - -read_locale(load_policy_t) 
diff --git a/targeted/domains/program/login.te b/targeted/domains/program/login.te deleted file mode 100644 index 289879b4..00000000 --- a/targeted/domains/program/login.te +++ /dev/null 
@@ -1,234 +0,0 @@ -#DESC Login - Local/remote login utilities -# -# Authors: Stephen Smalley and Timothy Fraser -# Macroised by Russell Coker -# X-Debian-Packages: login -# - -################################# -# -# Rules for the local_login_t domain -# and the remote_login_t domain. -# - -# $1 is the name of the domain (local or remote) -define(`login_domain', ` -type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade; -role system_r types $1_login_t; - -dontaudit $1_login_t shadow_t:file { getattr read }; - -general_domain_access($1_login_t); - -# Read system information files in /proc. -r_dir_file($1_login_t, proc_t) - -base_file_read_access($1_login_t) - -# Read directories and files with the readable_t type. -# This type is a general type for "world"-readable files. -allow $1_login_t readable_t:dir r_dir_perms; -allow $1_login_t readable_t:notdevfile_class_set r_file_perms; - -# Read /var, /var/spool -allow $1_login_t { var_t var_spool_t }:dir search; - -# for when /var/mail is a sym-link -allow $1_login_t var_t:lnk_file read; - -# Read /etc. -r_dir_file($1_login_t, etc_t) -allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms; - -read_locale($1_login_t) - -# for SSP/ProPolice -allow $1_login_t urandom_device_t:chr_file { getattr read }; - -# Read executable types. -allow $1_login_t exec_type:{ file lnk_file } r_file_perms; - -# Read /dev directories and any symbolic links. 
-allow $1_login_t device_t:dir r_dir_perms; -allow $1_login_t device_t:lnk_file r_file_perms; - -uses_shlib($1_login_t); - -tmp_domain($1_login) - -ifdef(`pam.te', ` -can_exec($1_login_t, pam_exec_t) -') - -ifdef(`pamconsole.te', ` -rw_dir_create_file($1_login_t, pam_var_console_t) -domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t) -') - -ifdef(`alsa.te', ` -domain_auto_trans($1_login_t, alsa_exec_t, alsa_t) -') - -# Use capabilities -allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -allow $1_login_t self:process setrlimit; -dontaudit $1_login_t sysfs_t:dir search; - -# Set exec context. -can_setexec($1_login_t) - -allow $1_login_t autofs_t:dir { search read getattr }; -allow $1_login_t mnt_t:dir r_dir_perms; - -if (use_nfs_home_dirs) { -r_dir_file($1_login_t, nfs_t) -} - -if (use_samba_home_dirs) { -r_dir_file($1_login_t, cifs_t) -} - -# Login can polyinstantiate -polyinstantiater($1_login_t) - -# FIXME: what is this for? -ifdef(`xdm.te', ` -allow xdm_t $1_login_t:process signull; -') - -ifdef(`crack.te', ` -allow $1_login_t crack_db_t:file r_file_perms; -') - -# Permit login to search the user home directories. -allow $1_login_t home_root_t:dir search; -allow $1_login_t home_dir_type:dir search; - -# Write to /var/run/utmp. -allow $1_login_t var_run_t:dir search; -allow $1_login_t initrc_var_run_t:file rw_file_perms; - -# Write to /var/log/wtmp. -allow $1_login_t var_log_t:dir search; -allow $1_login_t wtmp_t:file rw_file_perms; - -# Write to /var/log/lastlog. -allow $1_login_t lastlog_t:file rw_file_perms; - -# Write to /var/log/btmp -allow $1_login_t faillog_t:file { lock append read write }; - -# Search for mail spool file. -allow $1_login_t mail_spool_t:dir r_dir_perms; -allow $1_login_t mail_spool_t:file getattr; -allow $1_login_t mail_spool_t:lnk_file read; - -# Get security policy decisions. 
-can_getsecurity($1_login_t) - -# allow read access to default_contexts in /etc/security -allow $1_login_t default_context_t:file r_file_perms; -allow $1_login_t default_context_t:dir search; -r_dir_file($1_login_t, selinux_config_t) - -allow $1_login_t mouse_device_t:chr_file { getattr setattr }; - -ifdef(`targeted_policy',` -unconfined_domain($1_login_t) -domain_auto_trans($1_login_t, shell_exec_t, unconfined_t) -') - -')dnl end login_domain macro -################################# -# -# Rules for the local_login_t domain. -# -# local_login_t is the domain of a login process -# spawned by getty. -# -# remote_login_t is the domain of a login process -# spawned by rlogind. -# -# login_exec_t is the type of the login program -# -type login_exec_t, file_type, sysadmfile, exec_type; - -login_domain(local) - -# But also permit other user domains to be entered by login. -login_spawn_domain(local_login, userdomain) - -# Do not audit denied attempts to access devices. -dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr }; -dontaudit local_login_t removable_device_t:blk_file { getattr setattr }; -dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr }; -dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr }; -dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; -dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; -dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; -dontaudit local_login_t removable_device_t:chr_file { getattr setattr }; -dontaudit local_login_t scanner_device_t:chr_file { getattr setattr }; - -# Do not audit denied attempts to access /mnt. -dontaudit local_login_t mnt_t:dir r_dir_perms; - - -# Create lock file. -lock_domain(local_login) - -# Read and write ttys. -allow local_login_t tty_device_t:chr_file { setattr rw_file_perms }; -allow local_login_t ttyfile:chr_file { setattr rw_file_perms }; - -# Relabel ttys. 
-allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto }; -allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto }; - -ifdef(`gpm.te', -`allow local_login_t gpmctl_t:sock_file { getattr setattr };') - -# Allow setting of attributes on sound devices. -allow local_login_t sound_device_t:chr_file { getattr setattr }; - -# Allow setting of attributes on power management devices. -allow local_login_t power_device_t:chr_file { getattr setattr }; -dontaudit local_login_t init_t:fd use; - -################################# -# -# Rules for the remote_login_t domain. -# - -login_domain(remote) - -# Only permit unprivileged user domains to be entered via rlogin, -# since very weak authentication is used. -login_spawn_domain(remote_login, unpriv_userdomain) - -allow remote_login_t userpty_type:chr_file { setattr write }; - -# Use the pty created by rlogind. -ifdef(`rlogind.te', ` -can_access_pty(remote_login_t, rlogind) -# Relabel ptys created by rlogind. -allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto }; -') - -# Use the pty created by telnetd. -ifdef(`telnetd.te', ` -can_access_pty(remote_login_t, telnetd) -# Relabel ptys created by telnetd. -allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto }; -') - -allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl }; -allow remote_login_t fs_t:filesystem { getattr }; - -# Allow remote login to resolve host names (passed in via the -h switch) -can_resolve(remote_login_t) - -ifdef(`use_mcs', ` -ifdef(`getty.te', ` -range_transition getty_t login_exec_t s0 - s0:c0.c255; -') -') diff --git a/targeted/domains/program/lpd.te b/targeted/domains/program/lpd.te deleted file mode 100644 index 76cd44dd..00000000 --- a/targeted/domains/program/lpd.te +++ /dev/null 
@@ -1,161 +0,0 @@ -#DESC Lpd - Print server -# -# Authors: Stephen Smalley and Timothy Fraser -# Modified by David A. Wheeler for LPRng (Red Hat 7.1) -# Modified by Russell Coker -# X-Debian-Packages: lpr -# - -################################# -# -# Rules for the lpd_t domain. -# -# lpd_t is the domain of lpd. -# lpd_exec_t is the type of the lpd executable. -# printer_t is the type of the Unix domain socket created -# by lpd. -# -daemon_domain(lpd) - -allow lpd_t lpd_var_run_t:sock_file create_file_perms; - -read_fonts(lpd_t) - -type printer_t, file_type, sysadmfile, dev_fs; - -type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf. - -tmp_domain(lpd); - -# for postscript include files -allow lpd_t usr_t:{ file lnk_file } { getattr read }; - -# Allow checkpc to access the lpd spool so it can check & fix it. -# This requires that /usr/sbin/checkpc have type checkpc_t. -type checkpc_t, domain, privlog; -role system_r types checkpc_t; -uses_shlib(checkpc_t) -can_network_client(checkpc_t) -allow checkpc_t port_type:tcp_socket name_connect; -can_ypbind(checkpc_t) -log_domain(checkpc) -type checkpc_exec_t, file_type, sysadmfile, exec_type; -domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t) -domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t) -role sysadm_r types checkpc_t; -allow checkpc_t admin_tty_type:chr_file { read write }; -allow checkpc_t privfd:fd use; -ifdef(`crond.te', ` -system_crond_entry(checkpc_exec_t, checkpc_t) -') -allow checkpc_t self:capability { setgid setuid dac_override }; -allow checkpc_t self:process { fork signal_perms }; - -allow checkpc_t proc_t:dir search; -allow checkpc_t proc_t:lnk_file read; -allow checkpc_t proc_t:file { getattr read }; -r_dir_file(checkpc_t, self) -allow checkpc_t self:unix_stream_socket create_socket_perms; - -allow checkpc_t { etc_t etc_runtime_t }:file { getattr read }; -allow checkpc_t etc_t:lnk_file read; - -allow checkpc_t { var_t var_spool_t }:dir { getattr search }; -allow 
checkpc_t print_spool_t:file { rw_file_perms unlink }; -allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr }; -allow checkpc_t device_t:dir search; -allow checkpc_t printer_device_t:chr_file { getattr append }; -allow checkpc_t devtty_t:chr_file rw_file_perms; -allow checkpc_t initrc_devpts_t:chr_file rw_file_perms; - -# Allow access to /dev/console through the fd: -allow checkpc_t init_t:fd use; - -# This is less desirable, but checkpc demands /bin/bash and /bin/chown: -allow checkpc_t { bin_t sbin_t }:dir search; -allow checkpc_t bin_t:lnk_file read; -can_exec(checkpc_t, shell_exec_t) -can_exec(checkpc_t, bin_t) - -# bash wants access to /proc/meminfo -allow lpd_t proc_t:file { getattr read }; - -# gs-gnu wants to read some sysctl entries, it seems to work without though -dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search; - -# for defoma -r_dir_file(lpd_t, var_lib_t) - -allow checkpc_t var_run_t:dir search; -allow checkpc_t lpd_var_run_t:dir { search getattr }; - -# This is needed to permit chown to read /var/spool/lpd/lp. -# This is opens up security more than necessary; this means that ANYTHING -# running in the initrc_t domain can read the printer spool directory. -# Perhaps executing /etc/rc.d/init.d/lpd should transition -# to domain lpd_t, instead of waiting for executing lpd. -allow initrc_t print_spool_t:dir read; - -# for defoma -r_dir_file(lpd_t, readable_t) - -# Use capabilities. -allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; - -# Use the network. -can_network_server(lpd_t) -can_ypbind(lpd_t) -allow lpd_t self:fifo_file rw_file_perms; -allow lpd_t self:unix_stream_socket create_stream_socket_perms; -allow lpd_t self:unix_dgram_socket create_socket_perms; - -allow lpd_t self:file { getattr read }; -allow lpd_t etc_runtime_t:file { getattr read }; - -# Bind to the printer port. -allow lpd_t printer_port_t:tcp_socket name_bind; - -# Send to portmap. 
-ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)') - -ifdef(`ypbind.te', -`# Connect to ypbind. -can_tcp_connect(lpd_t, ypbind_t)') - -# Create and bind to /dev/printer. -file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file) -allow lpd_t printer_t:unix_stream_socket name_bind; -allow lpd_t printer_t:unix_dgram_socket name_bind; -allow lpd_t printer_device_t:chr_file rw_file_perms; - -# Write to /var/spool/lpd. -allow lpd_t var_spool_t:dir search; -allow lpd_t print_spool_t:dir rw_dir_perms; -allow lpd_t print_spool_t:file create_file_perms; -allow lpd_t print_spool_t:file rw_file_perms; - -# Execute filter scripts. -# can_exec(lpd_t, print_spool_t) - -# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -allow lpd_t bin_t:dir search; -allow lpd_t bin_t:lnk_file read; -can_exec(lpd_t, { bin_t sbin_t shell_exec_t }) - -# lpd must be able to execute the filter utilities in /usr/share/printconf. -can_exec(lpd_t, printconf_t) -allow lpd_t printconf_t:file rx_file_perms; -allow lpd_t printconf_t:dir { getattr search read }; - -# config files for lpd are of type etc_t, probably should change this -allow lpd_t etc_t:file { getattr read }; -allow lpd_t etc_t:lnk_file read; - -# checkpc needs similar permissions. -allow checkpc_t printconf_t:file getattr; -allow checkpc_t printconf_t:dir { getattr search read }; - -# Read printconf files. -allow initrc_t printconf_t:dir r_dir_perms; -allow initrc_t printconf_t:file r_file_perms; - diff --git a/targeted/domains/program/mailman.te b/targeted/domains/program/mailman.te deleted file mode 100644 index 72fe6a75..00000000 --- a/targeted/domains/program/mailman.te +++ /dev/null 
@@ -1,113 +0,0 @@ -#DESC Mailman - GNU Mailman mailing list manager -# -# Author: Russell Coker -# X-Debian-Packages: mailman - -type mailman_data_t, file_type, sysadmfile; -type mailman_archive_t, file_type, sysadmfile; - -type mailman_log_t, file_type, sysadmfile, logfile; -type mailman_lock_t, file_type, sysadmfile, lockfile; - -define(`mailman_domain', ` -type mailman_$1_t, domain, privlog $2; -type mailman_$1_exec_t, file_type, sysadmfile, exec_type; -role system_r types mailman_$1_t; -file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file) -allow mailman_$1_t mailman_log_t:dir rw_dir_perms; -create_dir_file(mailman_$1_t, mailman_data_t) -uses_shlib(mailman_$1_t) -can_exec_any(mailman_$1_t) -read_sysctl(mailman_$1_t) -allow mailman_$1_t proc_t:dir search; -allow mailman_$1_t proc_t:file { read getattr }; -allow mailman_$1_t var_lib_t:dir r_dir_perms; -allow mailman_$1_t var_lib_t:lnk_file read; -allow mailman_$1_t device_t:dir search; -allow mailman_$1_t etc_runtime_t:file { read getattr }; -read_locale(mailman_$1_t) -file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file) -allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; -allow mailman_$1_t fs_t:filesystem getattr; -can_network(mailman_$1_t) -allow mailman_$1_t smtp_port_t:tcp_socket name_connect; -can_ypbind(mailman_$1_t) -allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; -allow mailman_$1_t var_t:dir r_dir_perms; -tmp_domain(mailman_$1) -') - -mailman_domain(queue, `, auth_chkpwd, nscd_client_domain') -can_tcp_connect(mailman_queue_t, mail_server_domain) - -can_exec(mailman_queue_t, su_exec_t) -allow mailman_queue_t self:capability { setgid setuid }; -allow mailman_queue_t self:fifo_file rw_file_perms; -dontaudit mailman_queue_t var_run_t:dir search; -allow mailman_queue_t proc_t:lnk_file { getattr read }; - -# for su -dontaudit mailman_queue_t selinux_config_t:dir search; -allow mailman_queue_t self:dir search; -allow mailman_queue_t self:file 
{ getattr read }; -allow mailman_queue_t self:unix_dgram_socket create_socket_perms; -allow mailman_queue_t self:lnk_file { getattr read }; - -# some of the following could probably be changed to dontaudit, someone who -# knows mailman well should test this out and send the changes -allow mailman_queue_t sysadm_home_dir_t:dir { getattr search }; - -mailman_domain(mail) -dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write }; -allow mailman_mail_t mta_delivery_agent:fd use; -ifdef(`qmail.te', ` -allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; -# do we really need this? -allow mailman_mail_t qmail_lspawn_t:fifo_file write; -') - -create_dir_file(mailman_queue_t, mailman_archive_t) - -ifdef(`apache.te', ` -mailman_domain(cgi) -can_tcp_connect(mailman_cgi_t, mail_server_domain) - -domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t) -# should have separate types for public and private archives -r_dir_file(httpd_t, mailman_archive_t) -create_dir_file(mailman_cgi_t, mailman_archive_t) -allow httpd_t mailman_data_t:dir { getattr search }; - -dontaudit mailman_cgi_t httpd_log_t:file append; -allow httpd_t mailman_cgi_t:process signal; -allow mailman_cgi_t httpd_t:process sigchld; -allow mailman_cgi_t httpd_t:fd use; -allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl }; -allow mailman_cgi_t httpd_sys_script_t:dir search; -allow mailman_cgi_t devtty_t:chr_file { read write }; -allow mailman_cgi_t self:process { fork sigchld }; -allow mailman_cgi_t var_spool_t:dir search; -') - -allow mta_delivery_agent mailman_data_t:dir search; -allow mta_delivery_agent mailman_data_t:lnk_file read; -allow initrc_t mailman_data_t:lnk_file read; -allow initrc_t mailman_data_t:dir r_dir_perms; -domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t) -ifdef(`direct_sysadm_daemon', ` -domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t) -') -allow mailman_mail_t 
self:unix_dgram_socket create_socket_perms; - -system_crond_entry(mailman_queue_exec_t, mailman_queue_t) -allow mailman_queue_t devtty_t:chr_file { read write }; -allow mailman_queue_t self:process { fork signal sigchld }; -allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms; - -# so MTA can access /var/lib/mailman/mail/wrapper -allow mta_delivery_agent var_lib_t:dir search; - -# Handle mailman log files -rw_dir_create_file(logrotate_t, mailman_log_t) -allow logrotate_t mailman_data_t:dir search; -can_exec(logrotate_t, mailman_mail_exec_t) diff --git a/targeted/domains/program/modutil.te b/targeted/domains/program/modutil.te deleted file mode 100644 index a9345344..00000000 --- a/targeted/domains/program/modutil.te +++ /dev/null 
@@ -1,243 +0,0 @@ -#DESC Modutil - Dynamic module utilities -# -# Authors: Stephen Smalley and Timothy Fraser -# X-Debian-Packages: modutils -# - -################################# -# -# Rules for the module utility domains. -# -type modules_dep_t, file_type, sysadmfile; -type modules_conf_t, file_type, sysadmfile; -type modules_object_t, file_type, sysadmfile; - - -ifdef(`IS_INITRD', `', ` -################################# -# -# Rules for the depmod_t domain. -# -type depmod_t, domain; -role system_r types depmod_t; -role sysadm_r types depmod_t; - -uses_shlib(depmod_t) - -r_dir_file(depmod_t, src_t) - -type depmod_exec_t, file_type, exec_type, sysadmfile; -domain_auto_trans(initrc_t, depmod_exec_t, depmod_t) -allow depmod_t { bin_t sbin_t }:dir search; -can_exec(depmod_t, depmod_exec_t) -ifdef(`targeted_policy', `', ` -domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t) -') - -# Inherit and use descriptors from init and login programs. -allow depmod_t { init_t privfd }:fd use; - -allow depmod_t { etc_t etc_runtime_t }:file { getattr read }; -allow depmod_t { device_t proc_t }:dir search; -allow depmod_t proc_t:file { getattr read }; -allow depmod_t fs_t:filesystem getattr; - -# read system.map -allow depmod_t boot_t:dir search; -allow depmod_t boot_t:file { getattr read }; -allow depmod_t system_map_t:file { getattr read }; - -# Read conf.modules. -allow depmod_t modules_conf_t:file r_file_perms; - -# Create modules.dep. -file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file) - -# Read module objects. -allow depmod_t modules_object_t:dir r_dir_perms; -allow depmod_t modules_object_t:{ file lnk_file } r_file_perms; -allow depmod_t modules_object_t:file unlink; - -# Access terminals. -can_access_pty(depmod_t, initrc) -allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') - -# Read System.map from home directories. 
-allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms; -r_dir_file(depmod_t, { staff_home_t sysadm_home_t }) -')dnl end IS_INITRD - -################################# -# -# Rules for the insmod_t domain. -# - -type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain -; -role system_r types insmod_t; -role sysadm_r types insmod_t; -type insmod_exec_t, file_type, exec_type, sysadmfile; - -bool secure_mode_insmod false; - -can_ypbind(insmod_t) - -ifdef(`unlimitedUtils', ` -unconfined_domain(insmod_t) -') -uses_shlib(insmod_t) -read_locale(insmod_t) - -# for SSP -allow insmod_t urandom_device_t:chr_file read; -allow insmod_t lib_t:file { getattr read }; - -allow insmod_t { bin_t sbin_t }:dir search; -allow insmod_t { bin_t sbin_t }:lnk_file read; - -allow insmod_t self:dir search; -allow insmod_t self:lnk_file read; - -allow insmod_t usr_t:file { getattr read }; - -allow insmod_t privfd:fd use; -can_access_pty(insmod_t, initrc) -allow insmod_t admin_tty_type:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;') - -allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write }; - -allow insmod_t sound_device_t:chr_file { read ioctl write }; -allow insmod_t zero_device_t:chr_file read; -allow insmod_t memory_device_t:chr_file rw_file_perms; - -# Read module config and dependency information -allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; - -# Read module objects. 
-r_dir_file(insmod_t, modules_object_t) -# for locking -allow insmod_t modules_object_t:file write; - -allow insmod_t { var_t var_log_t }:dir search; -ifdef(`xserver.te', ` -allow insmod_t xserver_log_t:file getattr; -allow insmod_t xserver_misc_device_t:chr_file { read write }; -') -rw_dir_create_file(insmod_t, var_log_ksyms_t) -allow insmod_t { etc_t etc_runtime_t }:file { getattr read }; - -allow insmod_t self:udp_socket create_socket_perms; -allow insmod_t self:unix_dgram_socket create_socket_perms; -allow insmod_t self:unix_stream_socket create_stream_socket_perms; -allow insmod_t self:rawip_socket create_socket_perms; -allow insmod_t self:capability { dac_override kill net_raw sys_tty_config }; -allow insmod_t domain:process signal; -allow insmod_t self:process { fork signal_perms }; -allow insmod_t device_t:dir search; -allow insmod_t etc_runtime_t:file { getattr read }; - -# for loading modules at boot time -allow insmod_t { init_t initrc_t }:fd use; -allow insmod_t initrc_t:fifo_file { getattr read write }; - -allow insmod_t fs_t:filesystem getattr; -allow insmod_t sysfs_t:dir search; -allow insmod_t { usbfs_t usbdevfs_t }:dir search; -allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount; -r_dir_file(insmod_t, debugfs_t) - -# Rules for /proc/sys/kernel/tainted -read_sysctl(insmod_t) -allow insmod_t proc_t:dir search; -allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms }; - -allow insmod_t proc_t:file rw_file_perms; -allow insmod_t proc_t:lnk_file read; - -# Write to /proc/mtrr. -allow insmod_t mtrr_device_t:file write; - -# Read /proc/sys/kernel/hotplug. 
-allow insmod_t sysctl_hotplug_t:file { getattr read }; - -allow insmod_t device_t:dir read; -allow insmod_t devpts_t:dir { getattr search }; - -if (!secure_mode_insmod) { -domain_auto_trans(privmodule, insmod_exec_t, insmod_t) -allow insmod_t self:capability sys_module; -}dnl end if !secure_mode_insmod - -can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t }) -allow insmod_t devtty_t:chr_file rw_file_perms; -allow insmod_t privmodule:process sigchld; -dontaudit sysadm_t self:capability sys_module; - -ifdef(`mount.te', ` -# Run mount in the mount_t domain. -domain_auto_trans(insmod_t, mount_exec_t, mount_t) -') -# for when /var is not mounted early in the boot -dontaudit insmod_t file_t:dir search; - -# for nscd -dontaudit insmod_t var_run_t:dir search; - -ifdef(`crond.te', ` -rw_dir_create_file(system_crond_t, var_log_ksyms_t) -') - -ifdef(`IS_INITRD', `', ` -################################# -# -# Rules for the update_modules_t domain. -# -type update_modules_t, domain, privlog; -type update_modules_exec_t, file_type, exec_type, sysadmfile; - -role system_r types update_modules_t; -role sysadm_r types update_modules_t; - -domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t) -allow update_modules_t privfd:fd use; -allow update_modules_t init_t:fd use; - -allow update_modules_t device_t:dir { getattr search }; -allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms; -can_access_pty(update_modules_t, initrc) -allow update_modules_t admin_tty_type:chr_file rw_file_perms; - -can_exec(update_modules_t, insmod_exec_t) -allow update_modules_t urandom_device_t:chr_file { getattr read }; - -dontaudit update_modules_t sysadm_home_dir_t:dir search; - -uses_shlib(update_modules_t) -read_locale(update_modules_t) -allow update_modules_t lib_t:file { getattr read }; -allow update_modules_t self:process { fork sigchld }; -allow update_modules_t self:fifo_file rw_file_perms; -allow update_modules_t self:file { 
getattr read }; -allow update_modules_t modules_dep_t:file rw_file_perms; -file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file) -domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) -can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t }) -allow update_modules_t { sbin_t bin_t }:lnk_file read; -allow update_modules_t { sbin_t bin_t }:dir search; -allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms; -allow update_modules_t etc_t:lnk_file read; -allow update_modules_t fs_t:filesystem getattr; - -allow update_modules_t proc_t:dir search; -allow update_modules_t proc_t:file r_file_perms; -allow update_modules_t { self proc_t }:lnk_file read; -read_sysctl(update_modules_t) -allow update_modules_t self:dir search; -allow update_modules_t self:unix_stream_socket create_socket_perms; - -file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file) - -tmp_domain(update_modules) -')dnl end IS_INITRD diff --git a/targeted/domains/program/mta.te b/targeted/domains/program/mta.te deleted file mode 100644 index 2d0b6122..00000000 --- a/targeted/domains/program/mta.te +++ /dev/null 
@@ -1,82 +0,0 @@ -#DESC MTA - Mail agents -# -# Author: Russell Coker -# X-Debian-Packages: postfix exim sendmail sendmail-wide -# -# policy for all mail servers, including allowing user to send mail from the -# command-line and for cron jobs to use sendmail -t - -# -# sendmail_exec_t is the type of /usr/sbin/sendmail -# -# define sendmail_exec_t if sendmail.te does not do it for us -ifdef(`sendmail.te', `', ` -type sendmail_exec_t, file_type, exec_type, sysadmfile; -') - -# create a system_mail_t domain for daemons, init scripts, etc when they run -# "mail user@domain" -mail_domain(system) - -ifdef(`targeted_policy', ` -# rules are currently defined in sendmail.te, but it is not included in -# targeted policy. We could move these rules permanantly here. -ifdef(`postfix.te', `', `can_exec_any(system_mail_t)') -allow system_mail_t self:dir search; -allow system_mail_t self:lnk_file read; -r_dir_file(system_mail_t, { proc_t proc_net_t }) -allow system_mail_t fs_t:filesystem getattr; -allow system_mail_t { var_t var_spool_t }:dir getattr; -create_dir_file(system_mail_t, mqueue_spool_t) -create_dir_file(system_mail_t, mail_spool_t) -allow system_mail_t mail_spool_t:fifo_file rw_file_perms; -allow system_mail_t etc_mail_t:file { getattr read }; - -# for reading .forward - maybe we need a new type for it? -# also for delivering mail to maildir -file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t) -', ` -ifdef(`sendmail.te', ` -# sendmail has an ugly design, the one process parses input from the user and -# then does system things with it. 
-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t) -', ` -domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t) -') -allow initrc_t sendmail_exec_t:lnk_file { getattr read }; - -# allow the sysadmin to do "mail someone < /home/user/whatever" -allow sysadm_mail_t user_home_dir_type:dir search; -r_dir_file(sysadm_mail_t, user_home_type) -') -# for a mail server process that does things in response to a user command -allow mta_user_agent userdomain:process sigchld; -allow mta_user_agent { userdomain privfd }:fd use; -ifdef(`crond.te', ` -allow mta_user_agent crond_t:process sigchld; -') -allow mta_user_agent sysadm_t:fifo_file { read write }; - -allow { system_mail_t mta_user_agent } privmail:fd use; -allow { system_mail_t mta_user_agent } privmail:process sigchld; -allow { system_mail_t mta_user_agent } privmail:fifo_file { read write }; -allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write }; - -allow mta_delivery_agent home_root_t:dir { getattr search }; - -# for /var/spool/mail -ra_dir_create_file(mta_delivery_agent, mail_spool_t) - -# for piping mail to a command -can_exec(mta_delivery_agent, shell_exec_t) -allow mta_delivery_agent bin_t:dir search; -allow mta_delivery_agent bin_t:lnk_file read; -allow mta_delivery_agent devtty_t:chr_file rw_file_perms; -allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read }; - -allow system_mail_t etc_runtime_t:file { getattr read }; -allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read }; -ifdef(`targeted_policy', ` -typealias system_mail_t alias sysadm_mail_t; -') - diff --git a/targeted/domains/program/mysqld.te b/targeted/domains/program/mysqld.te deleted file mode 100644 index 75557f1c..00000000 --- a/targeted/domains/program/mysqld.te +++ /dev/null 
@@ -1,94 +0,0 @@
-#DESC Mysqld - Database server
-#
-# Author: Russell Coker
-# X-Debian-Packages: mysql-server
-#
-
-#################################
-#
-# Rules for the mysqld_t domain.
-#
-# mysqld_exec_t is the type of the mysqld executable.
-#
-daemon_domain(mysqld, `, nscd_client_domain')
-
-allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
-
-allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
-
-etcdir_domain(mysqld)
-type mysqld_db_t, file_type, sysadmfile;
-
-log_domain(mysqld)
-
-# for temporary tables
-tmp_domain(mysqld)
-
-allow mysqld_t usr_t:file { getattr read };
-
-allow mysqld_t self:fifo_file { read write };
-allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
-allow initrc_t mysqld_t:unix_stream_socket connectto;
-allow initrc_t mysqld_var_run_t:sock_file write;
-
-allow initrc_t mysqld_log_t:file { write append setattr ioctl };
-
-allow mysqld_t self:capability { dac_override setgid setuid net_bind_service sys_resource };
-allow mysqld_t self:process { setrlimit setsched getsched };
-
-allow mysqld_t proc_t:file { getattr read };
-
-# Allow access to the mysqld databases
-create_dir_file(mysqld_t, mysqld_db_t)
-file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })
-
-can_network(mysqld_t)
-can_ypbind(mysqld_t)
-
-# read config files
-r_dir_file(initrc_t, mysqld_etc_t)
-allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-
-allow mysqld_t etc_t:dir search;
-
-read_sysctl(mysqld_t)
-
-can_unix_connect(sysadm_t, mysqld_t)
-
-# for /root/.my.cnf - should not be needed
-allow mysqld_t sysadm_home_dir_t:dir search;
-allow mysqld_t sysadm_home_t:file { read getattr };
-
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, mysqld_etc_t)
-allow logrotate_t mysqld_db_t:dir search;
-allow logrotate_t mysqld_var_run_t:dir search;
-allow logrotate_t mysqld_var_run_t:sock_file write;
-can_unix_connect(logrotate_t, mysqld_t)
-')
-
-ifdef(`daemontools.te', `
-domain_auto_trans(
svc_run_t, mysqld_exec_t, mysqld_t)
-allow svc_start_t mysqld_t:process signal;
-svc_ipc_domain(mysqld_t)
-')dnl end ifdef daemontools
-
-ifdef(`distro_redhat', `
-allow initrc_t mysqld_db_t:dir create_dir_perms;
-
-# because Fedora has the sock_file in the database directory
-file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
-')
-ifdef(`targeted_policy', `', `
-bool allow_user_mysql_connect false;
-
-if (allow_user_mysql_connect) {
-allow userdomain mysqld_var_run_t:dir search;
-allow userdomain mysqld_var_run_t:sock_file write;
-}
-')
-
-allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`crond.te', `
-allow system_crond_t mysqld_etc_t:file { getattr read };
-')
diff --git a/targeted/domains/program/named.te b/targeted/domains/program/named.te
deleted file mode 100644
index 1bf63432..00000000
--- a/targeted/domains/program/named.te
+++ /dev/null
@@ -1,186 +0,0 @@
-#DESC BIND - Name server
-#
-# Authors: Yuichi Nakamura ,
-# Russell Coker
-# X-Debian-Packages: bind bind9
-#
-#
-
-#################################
-#
-# Rules for the named_t domain.
-#
-
-daemon_domain(named, `, nscd_client_domain')
-tmp_domain(named)
-
-type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
-
-# For /var/run/ndc used in BIND 8
-file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
-
-# ndc_t is the domain for the ndc program
-type ndc_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ndc_t;
-role system_r types ndc_t;
-
-ifdef(`targeted_policy', `
-dontaudit ndc_t root_t:file { getattr read };
-dontaudit ndc_t unlabeled_t:file { getattr read };
-')
-
-can_exec(named_t, named_exec_t)
-allow named_t sbin_t:dir search;
-
-allow named_t self:process { setsched setcap setrlimit };
-
-# A type for configuration files of named.
-type named_conf_t, file_type, sysadmfile, mount_point;
-
-# for primary zone files
-type named_zone_t, file_type, sysadmfile;
-
-# for secondary zone files
-type named_cache_t, file_type, sysadmfile;
-
-# for DNSSEC key files
-type dnssec_t, file_type, sysadmfile, secure_file_type;
-allow { ndc_t named_t } dnssec_t:file { getattr read };
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-allow named_t etc_t:file { getattr read };
-allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
-
-#Named can use network
-can_network(named_t)
-allow named_t port_type:tcp_socket name_connect;
-can_ypbind(named_t)
-# allow UDP transfer to/from any program
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-log_domain(named)
-
-# Bind to the named port.
-allow named_t dns_port_t:udp_socket name_bind;
-allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
-
-bool named_write_master_zones false;
-
-#read configuration files
-r_dir_file(named_t, named_conf_t)
-
-if (named_write_master_zones) {
-#create and modify zone files
-create_dir_file(named_t, named_zone_t)
-}
-#read zone files
-r_dir_file(named_t, named_zone_t)
-
-#write cache for secondary zones
-rw_dir_create_file(named_t, named_cache_t)
-
-allow named_t self:unix_stream_socket create_stream_socket_perms;
-allow named_t self:unix_dgram_socket create_socket_perms;
-allow named_t self:netlink_route_socket r_netlink_socket_perms;
-
-# Read sysctl kernel variables.
-read_sysctl(named_t)
-
-# Read /proc/cpuinfo and /proc/net
-r_dir_file(named_t, proc_t)
-r_dir_file(named_t, proc_net_t)
-
-# Read /dev/random.
-allow named_t device_t:dir r_dir_perms;
-allow named_t random_device_t:chr_file r_file_perms;
-
-# Use a pipe created by self.
-allow named_t self:fifo_file rw_file_perms;
-
-# Enable named dbus support:
-ifdef(`dbusd.te', `
-dbusd_client(system, named)
-domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
-allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow named_t self:dbus send_msg;
-allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;
-allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t named_t:dbus send_msg;
-allow named_t unconfined_t:dbus send_msg;
-')
-')
-
-
-# Set own capabilities.
-#A type for /usr/sbin/ndc
-type ndc_exec_t, file_type,sysadmfile, exec_type;
-domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
-uses_shlib(ndc_t)
-can_network_client_tcp(ndc_t)
-allow ndc_t rndc_port_t:tcp_socket name_connect;
-can_ypbind(ndc_t)
-can_resolve(ndc_t)
-read_locale(ndc_t)
-can_tcp_connect(ndc_t, named_t)
-
-ifdef(`distro_redhat', `
-# for /etc/rndc.key
-allow { ndc_t initrc_t } named_conf_t:dir search;
-# Allow init script to cp localtime to named_conf_t
-allow initrc_t named_conf_t:file { setattr write };
-allow initrc_t named_conf_t:dir create_dir_perms;
-allow initrc_t var_run_t:lnk_file create_file_perms;
-ifdef(`automount.te', `
-# automount has no need to search the /proc file system for the named chroot
-dontaudit automount_t named_zone_t:dir search;
-')dnl end ifdef automount.te
-')dnl end ifdef distro_redhat
-
-allow { ndc_t initrc_t } named_conf_t:file { getattr read };
-
-allow ndc_t etc_t:dir r_dir_perms;
-allow ndc_t etc_t:file r_file_perms;
-allow ndc_t self:unix_stream_socket create_stream_socket_perms;
-allow ndc_t self:unix_stream_socket connect;
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t var_t:dir search;
-allow ndc_t var_run_t:dir search;
-allow ndc_t named_var_run_t:sock_file rw_file_perms;
-allow ndc_t named_t:unix_stream_socket connectto;
-allow ndc_t { privfd init_t }:fd use;
-# seems to need read as well for some reason
-allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
-allow ndc_t fs_t:filesystem getattr;
-
-# Read sysctl kernel variables.
-read_sysctl(ndc_t)
-
-allow ndc_t self:process { fork signal_perms };
-allow ndc_t self:fifo_file { read write getattr ioctl };
-allow ndc_t named_zone_t:dir search;
-
-# for chmod in start script
-dontaudit initrc_t named_var_run_t:dir setattr;
-
-# for ndc_t to be used for restart shell scripts
-ifdef(`ndc_shell_script', `
-system_crond_entry(ndc_exec_t, ndc_t)
-allow ndc_t devtty_t:chr_file { read write ioctl };
-allow ndc_t etc_runtime_t:file { getattr read };
-allow ndc_t proc_t:dir search;
-allow ndc_t proc_t:file { getattr read };
-can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
-allow ndc_t named_var_run_t:file getattr;
-allow ndc_t named_zone_t:dir { read getattr };
-allow ndc_t named_zone_t:file getattr;
-dontaudit ndc_t sysadm_home_t:dir { getattr search read };
-')
-allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
-
-
diff --git a/targeted/domains/program/netutils.te b/targeted/domains/program/netutils.te
deleted file mode 100644
index 8dcbdf11..00000000
--- a/targeted/domains/program/netutils.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Netutils - Network utilities
-#
-# Authors: Stephen Smalley
-# X-Debian-Packages: netbase iputils arping tcpdump
-#
-
-#
-# Rules for the netutils_t domain.
-# This domain is for network utilities that require access to
-# special protocol families.
-#
-type netutils_t, domain, privlog;
-type netutils_exec_t, file_type, sysadmfile, exec_type;
-role system_r types netutils_t;
-role sysadm_r types netutils_t;
-
-uses_shlib(netutils_t)
-can_network(netutils_t)
-allow netutils_t port_type:tcp_socket name_connect;
-can_ypbind(netutils_t)
-tmp_domain(netutils)
-
-domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
-')
-
-# Inherit and use descriptors from init.
-allow netutils_t { userdomain init_t }:fd use;
-
-allow netutils_t self:process { fork signal_perms };
-
-# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-
-# Create and use netlink sockets.
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-
-# Create and use packet sockets.
-allow netutils_t self:packet_socket create_socket_perms;
-
-# Create and use UDP sockets.
-allow netutils_t self:udp_socket create_socket_perms;
-
-# Create and use TCP sockets.
-allow netutils_t self:tcp_socket create_socket_perms;
-
-allow netutils_t self:unix_stream_socket create_socket_perms;
-
-# Read certain files in /etc
-allow netutils_t etc_t:file r_file_perms;
-read_locale(netutils_t)
-
-allow netutils_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow netutils_t privfd:fd use;
-can_access_pty(netutils_t, initrc)
-allow netutils_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
-allow netutils_t proc_t:dir search;
-
-# for nscd
-dontaudit netutils_t var_t:dir search;
diff --git a/targeted/domains/program/newrole.te b/targeted/domains/program/newrole.te
deleted file mode 100644
index 207274d9..00000000
--- a/targeted/domains/program/newrole.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC Newrole - SELinux utility to run a shell with a new role
-#
-# Authors: Anthony Colatrella (NSA)
-# Maintained by Stephen Smalley
-# X-Debian-Packages: policycoreutils
-#
-
-# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
-bool secure_mode false;
-
-type newrole_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
-
-newrole_domain(newrole)
-
-# Write to utmp.
-allow newrole_t var_run_t:dir r_dir_perms;
-allow newrole_t initrc_var_run_t:file rw_file_perms;
-
-role secadm_r types newrole_t;
-
-ifdef(`targeted_policy', `
-typeattribute newrole_t unconfinedtrans;
-')
diff --git a/targeted/domains/program/nscd.te b/targeted/domains/program/nscd.te
deleted file mode 100644
index 8e899c74..00000000
--- a/targeted/domains/program/nscd.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC NSCD - Name service cache daemon cache lookup of user-name
-#
-# Author: Russell Coker
-# X-Debian-Packages: nscd
-#
-define(`nscd_socket_domain', `
-can_unix_connect($1, nscd_t)
-allow $1 nscd_var_run_t:sock_file rw_file_perms;
-allow $1 { var_run_t var_t }:dir search;
-allow $1 nscd_t:nscd { getpwd getgrp gethost };
-dontaudit $1 nscd_t:fd use;
-dontaudit $1 nscd_var_run_t:dir { search getattr };
-dontaudit $1 nscd_var_run_t:file { getattr read };
-dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-')
-#################################
-#
-# Rules for the nscd_t domain.
-#
-# nscd is both the client program and the daemon.
-daemon_domain(nscd, `, userspace_objmgr')
-
-allow nscd_t etc_t:file r_file_perms;
-allow nscd_t etc_t:lnk_file read;
-can_network_client(nscd_t)
-allow nscd_t port_type:tcp_socket name_connect;
-can_ypbind(nscd_t)
-
-file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
-
-allow nscd_t self:unix_stream_socket create_stream_socket_perms;
-
-nscd_socket_domain(nscd_client_domain)
-nscd_socket_domain(daemon)
-
-# Clients that are allowed to map the database via a fd obtained from nscd.
-nscd_socket_domain(nscd_shmem_domain)
-allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
-allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
-# Receive fd from nscd and map the backing file with read access.
-allow nscd_shmem_domain nscd_t:fd use;
-
-# For client program operation, invoked from sysadm_t.
-# Transition occurs to nscd_t due to direct_sysadm_daemon.
-allow nscd_t self:nscd { admin getstat };
-allow nscd_t admin_tty_type:chr_file rw_file_perms;
-
-read_sysctl(nscd_t)
-allow nscd_t self:process { getattr setsched };
-allow nscd_t self:unix_dgram_socket create_socket_perms;
-allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service };
-
-# for when /etc/passwd has just been updated and has the wrong type
-allow nscd_t shadow_t:file getattr;
-
-dontaudit nscd_t sysadm_home_dir_t:dir search;
-
-ifdef(`winbind.te', `
-#
-# Handle winbind for samba, Might only be needed for targeted policy
-#
-allow nscd_t winbind_var_run_t:sock_file { read write getattr };
-can_unix_connect(nscd_t, winbind_t)
-allow nscd_t samba_var_t:dir search;
-allow nscd_t winbind_var_run_t:dir { getattr search };
-')
-
-r_dir_file(nscd_t, selinux_config_t)
-can_getsecurity(nscd_t)
-allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
-log_domain(nscd)
-r_dir_file(nscd_t, cert_t)
-allow nscd_t tun_tap_device_t:chr_file { read write };
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/targeted/domains/program/ntpd.te b/targeted/domains/program/ntpd.te
deleted file mode 100644
index 9916a6a4..00000000
--- a/targeted/domains/program/ntpd.te
+++ /dev/null
@@ -1,88 +0,0 @@
-#DESC NTPD - Time synchronisation daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: ntp ntp-simple
-#
-
-#################################
-#
-# Rules for the ntpd_t domain.
-#
-daemon_domain(ntpd, `, nscd_client_domain')
-type ntp_drift_t, file_type, sysadmfile;
-
-type ntpdate_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
-
-logdir_domain(ntpd)
-
-allow ntpd_t var_lib_t:dir r_dir_perms;
-allow ntpd_t usr_t:file r_file_perms;
-# reading /usr/share/ssl/cert.pem requires
-allow ntpd_t usr_t:lnk_file read;
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
-
-# for SSP
-allow ntpd_t urandom_device_t:chr_file { getattr read };
-
-# sys_resource and setrlimit is for locking memory
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { fsetid net_admin };
-allow ntpd_t self:process { setcap setsched setrlimit };
-# ntpdate wants sys_nice
-
-# for some reason it creates a file in /tmp
-tmp_domain(ntpd)
-
-allow ntpd_t etc_t:dir r_dir_perms;
-allow ntpd_t etc_t:file { read getattr };
-
-# Use the network.
-can_network(ntpd_t)
-allow ntpd_t ntp_port_t:tcp_socket name_connect;
-can_ypbind(ntpd_t)
-allow ntpd_t ntp_port_t:udp_socket name_bind;
-allow sysadm_t ntp_port_t:udp_socket name_bind;
-allow ntpd_t self:unix_dgram_socket create_socket_perms;
-allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so the start script can change firewall entries
-allow initrc_t net_conf_t:file { getattr read ioctl };
-
-# for cron jobs
-# system_crond_t is not right, cron is not doing what it should
-ifdef(`crond.te', `
-system_crond_entry(ntpdate_exec_t, ntpd_t)
-')
-
-can_exec(ntpd_t, initrc_exec_t)
-allow ntpd_t self:fifo_file { read write getattr };
-allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
-allow ntpd_t { sbin_t bin_t }:dir search;
-allow ntpd_t bin_t:lnk_file read;
-read_sysctl(ntpd_t);
-allow ntpd_t proc_t:file r_file_perms;
-allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
-allow ntpd_t self:file { getattr read };
-dontaudit ntpd_t domain:dir search;
-ifdef(`logrotate.te', `
-can_exec(ntpd_t, logrotate_exec_t)
-')
-
-allow ntpd_t devtty_t:chr_file rw_file_perms;
-
-can_udp_send(ntpd_t, sysadm_t)
-can_udp_send(sysadm_t, ntpd_t)
-can_udp_send(ntpd_t, ntpd_t)
-ifdef(`firstboot.te', `
-dontaudit ntpd_t firstboot_t:fd use;
-')
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
-# For clock devices like wwvb1
-allow ntpd_t device_t:lnk_file read;
diff --git a/targeted/domains/program/passwd.te b/targeted/domains/program/passwd.te
deleted file mode 100644
index 30d7f860..00000000
--- a/targeted/domains/program/passwd.te
+++ /dev/null
@@ -1,156 +0,0 @@
-#DESC Passwd - Password utilities
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`base_passwd_domain', `
-type $1_t, domain, privlog, $2;
-
-# for SSP
-allow $1_t urandom_device_t:chr_file read;
-
-allow $1_t self:process setrlimit;
-
-general_domain_access($1_t);
-uses_shlib($1_t);
-
-# Inherit and use descriptors from login.
-allow $1_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-read_locale($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# allow checking if a shell is executable
-allow $1_t shell_exec_t:file execute;
-
-# Obtain contexts
-can_getsecurity($1_t)
-
-allow $1_t etc_t:file create_file_perms;
-
-# read /etc/mtab
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Allow etc_t symlinks for /etc/alternatives on Debian.
-allow $1_t etc_t:lnk_file read;
-
-# Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-dontaudit $1_t devpts_t:dir getattr;
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it. Do not audit write denials to utmp.
-dontaudit $1_t initrc_var_run_t:file { read write };
-
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
-
-# When the wrong current passwd is entered, passwd, for some reason,
-# attempts to access /proc and /dev, but handles failure appropriately. So
-# do not audit those denials.
-dontaudit $1_t { proc_t device_t }:dir { search read };
-
-allow $1_t device_t:dir getattr;
-read_sysctl($1_t)
-')
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`passwd_domain', `
-base_passwd_domain($1, `auth_write, privowner')
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate($1_t)
-')
-
-passwd_domain(passwd)
-passwd_domain(sysadm_passwd)
-base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
-can_setfscreate(chfn_t)
-
-# can exec /sbin/unix_chkpwd
-allow chfn_t { bin_t sbin_t }:dir search;
-
-# uses unix_chkpwd for checking passwords
-dontaudit chfn_t shadow_t:file read;
-allow chfn_t etc_t:dir rw_dir_perms;
-allow chfn_t etc_t:file create_file_perms;
-allow chfn_t proc_t:file { getattr read };
-allow chfn_t self:file write;
-
-in_user_role(passwd_t)
-in_user_role(chfn_t)
-role sysadm_r types passwd_t;
-role sysadm_r types sysadm_passwd_t;
-role sysadm_r types chfn_t;
-role system_r types passwd_t;
-role system_r types chfn_t;
-
-type admin_passwd_exec_t, file_type, sysadmfile;
-type passwd_exec_t, file_type, sysadmfile, exec_type;
-type chfn_exec_t, file_type, sysadmfile, exec_type;
-
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-dontaudit chfn_t var_t:dir search;
-
-ifdef(`crack.te', `
-allow passwd_t var_t:dir search;
-dontaudit passwd_t var_run_t:dir search;
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-', `
-dontaudit passwd_t var_t:dir search;
-')
-
-# allow vipw to exec the editor
-allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
-allow sysadm_passwd_t bin_t:lnk_file read;
-can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
-r_dir_file(sysadm_passwd_t, usr_t)
-
-# allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t var_t:dir search;
-tmp_domain(sysadm_passwd)
-# for vipw - vi
looks in the root home directory for config
-dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
-# for /etc/alternatives/vi
-allow sysadm_passwd_t etc_t:lnk_file read;
-
-# for nscd lookups
-dontaudit sysadm_passwd_t var_run_t:dir search;
-
-# for /proc/meminfo
-allow sysadm_passwd_t proc_t:file { getattr read };
-
-dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
-dontaudit sysadm_passwd_t devpts_t:dir search;
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file { getattr read };
-allow passwd_t userdomain:process getattr;
-
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-')
diff --git a/targeted/domains/program/pegasus.te b/targeted/domains/program/pegasus.te
deleted file mode 100644
index e2b557e2..00000000
--- a/targeted/domains/program/pegasus.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#DESC pegasus - The Open Group Pegasus CIM/WBEM Server
-#
-# Author: Jason Vas Dias
-# Package: tog-pegasus
-#
-#################################
-#
-# Rules for the pegasus domain
-#
-daemon_domain(pegasus, `, nscd_client_domain, auth')
-type pegasus_data_t, file_type, sysadmfile;
-type pegasus_conf_t, file_type, sysadmfile;
-type pegasus_mof_t, file_type, sysadmfile;
-type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
-allow pegasus_t self:capability { dac_override net_bind_service audit_write };
-can_network_tcp(pegasus_t);
-nsswitch_domain(pegasus_t);
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
-allow pegasus_t self:unix_dgram_socket create_socket_perms;
-allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:file { read getattr };
-allow pegasus_t self:fifo_file rw_file_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
-allow pegasus_t proc_t:file { getattr read };
-allow pegasus_t sysctl_vm_t:dir search;
-allow pegasus_t initrc_var_run_t:file { read write lock };
-allow pegasus_t urandom_device_t:chr_file { getattr read };
-r_dir_file(pegasus_t, etc_t)
-r_dir_file(pegasus_t, var_lib_t)
-r_dir_file(pegasus_t, pegasus_mof_t)
-rw_dir_create_file(pegasus_t, pegasus_conf_t)
-rw_dir_create_file(pegasus_t, pegasus_data_t)
-rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
-allow pegasus_t shadow_t:file { getattr read };
-dontaudit pegasus_t selinux_config_t:dir search;
-
diff --git a/targeted/domains/program/ping.te b/targeted/domains/program/ping.te
deleted file mode 100644
index 0a0d94c1..00000000
--- a/targeted/domains/program/ping.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#DESC Ping - Send ICMP messages to network hosts
-#
-# Author: David A. Wheeler
-# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
-#
-
-#################################
-#
-# Rules for the ping_t domain.
-#
-# ping_t is the domain for the ping program.
-# ping_exec_t is the type of the corresponding program.
-#
-type ping_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ping_t;
-role system_r types ping_t;
-in_user_role(ping_t)
-type ping_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`targeted_policy', `
- allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
-', `
-bool user_ping false;
-
-if (user_ping) {
- domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
- # allow access to the terminal
- allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
- ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
-')
-
-# Transition into this domain when you run this program.
-domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
-domain_auto_trans(initrc_t, ping_exec_t, ping_t)
-
-uses_shlib(ping_t)
-can_network_client(ping_t)
-can_resolve(ping_t)
-can_ypbind(ping_t)
-allow ping_t etc_t:file { getattr read };
-allow ping_t self:unix_stream_socket create_socket_perms;
-
-# Let ping create raw ICMP packets.
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-
-# Use capabilities.
-allow ping_t self:capability { net_raw setuid };
-
-# Access the terminal.
-allow ping_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
-allow ping_t privfd:fd use;
-dontaudit ping_t fs_t:filesystem getattr;
-
-# it tries to access /var/run
-dontaudit ping_t var_t:dir search;
-dontaudit ping_t devtty_t:chr_file { read write };
-dontaudit ping_t self:capability sys_tty_config;
-ifdef(`hide_broken_symptoms', `
-dontaudit ping_t init_t:fd use;
-')
-
diff --git a/targeted/domains/program/portmap.te b/targeted/domains/program/portmap.te
deleted file mode 100644
index 54cad6fa..00000000
--- a/targeted/domains/program/portmap.te
+++ /dev/null
@@ -1,71 +0,0 @@
-#DESC Portmap - Maintain RPC program number map
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: portmap
-#
-
-
-
-#################################
-#
-# Rules for the portmap_t domain.
-#
-daemon_domain(portmap, `, nscd_client_domain')
-
-can_network(portmap_t)
-allow portmap_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_t)
-allow portmap_t self:unix_dgram_socket create_socket_perms;
-allow portmap_t self:unix_stream_socket create_stream_socket_perms;
-
-tmp_domain(portmap)
-
-allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
-
-# portmap binds to arbitary ports
-allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
-allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow portmap_t etc_t:file { getattr read };
-
-# Send to ypbind, initrc, rpc.statd, xinetd.
-ifdef(`ypbind.te',
-`can_udp_send(portmap_t, ypbind_t)')
-can_udp_send(portmap_t, { initrc_t init_t })
-can_udp_send(init_t, portmap_t)
-ifdef(`rpcd.te',
-`can_udp_send(portmap_t, rpcd_t)')
-ifdef(`inetd.te',
-`can_udp_send(portmap_t, inetd_t)')
-ifdef(`lpd.te',
-`can_udp_send(portmap_t, lpd_t)')
-ifdef(`tcpd.te', `
-can_udp_send(tcpd_t, portmap_t)
-')
-can_udp_send(portmap_t, kernel_t)
-can_udp_send(kernel_t, portmap_t)
-can_udp_send(sysadm_t, portmap_t)
-can_udp_send(portmap_t, sysadm_t)
-
-# Use capabilities
-allow portmap_t self:capability { net_bind_service setuid setgid };
-allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
-
-application_domain(portmap_helper)
-role system_r types portmap_helper_t;
-domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
-dontaudit portmap_helper_t self:capability { net_admin };
-allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
-file_type_auto_trans(portmap_helper_t, var_run_t,
portmap_var_run_t, file)
-allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
-can_network(portmap_helper_t)
-allow portmap_helper_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_helper_t)
-dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
-allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t { userdomain privfd }:fd use;
-allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --git a/targeted/domains/program/postfix.te b/targeted/domains/program/postfix.te
deleted file mode 100644
index 6b94177f..00000000
--- a/targeted/domains/program/postfix.te
+++ /dev/null
@@ -1,368 +0,0 @@ -#DESC Postfix - Mail server -# -# Author: Russell Coker -# X-Debian-Packages: postfix -# Depends: mta.te -# - -# Type for files created during execution of postfix. -type postfix_var_run_t, file_type, sysadmfile, pidfile; - -type postfix_etc_t, file_type, sysadmfile; -type postfix_exec_t, file_type, sysadmfile, exec_type; -type postfix_public_t, file_type, sysadmfile; -type postfix_private_t, file_type, sysadmfile; -type postfix_spool_t, file_type, sysadmfile; -type postfix_spool_maildrop_t, file_type, sysadmfile; -type postfix_spool_flush_t, file_type, sysadmfile; -type postfix_prng_t, file_type, sysadmfile; - -# postfix needs this for newaliases -allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr; - -################################# -# -# Rules for the postfix_$1_t domain. -# -# postfix_$1_exec_t is the type of the postfix_$1 executables. -# -define(`postfix_domain', ` -daemon_core_rules(postfix_$1, `$2') -allow postfix_$1_t self:process setpgid; -allow postfix_$1_t postfix_master_t:process sigchld; -allow postfix_master_t postfix_$1_t:process signal; - -allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms; -allow postfix_$1_t postfix_etc_t:file r_file_perms; -read_locale(postfix_$1_t) -allow postfix_$1_t etc_t:file { getattr read }; -allow postfix_$1_t self:unix_dgram_socket create_socket_perms; -allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; -allow postfix_$1_t self:unix_stream_socket connectto; - -allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms; -allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read }; -allow postfix_$1_t shell_exec_t:file rx_file_perms; -allow postfix_$1_t { var_t var_spool_t }:dir { search getattr }; -allow postfix_$1_t postfix_exec_t:file rx_file_perms; -allow postfix_$1_t devtty_t:chr_file rw_file_perms; -allow postfix_$1_t etc_runtime_t:file r_file_perms; -allow postfix_$1_t proc_t:dir r_dir_perms; -allow postfix_$1_t proc_t:file r_file_perms; -allow 
postfix_$1_t postfix_exec_t:dir r_dir_perms; -allow postfix_$1_t fs_t:filesystem getattr; -allow postfix_$1_t proc_net_t:dir search; -allow postfix_$1_t proc_net_t:file { getattr read }; -can_exec(postfix_$1_t, postfix_$1_exec_t) -r_dir_file(postfix_$1_t, cert_t) -allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr }; - -allow postfix_$1_t tmp_t:dir getattr; - -file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file) - -read_sysctl(postfix_$1_t) - -')dnl end postfix_domain - -ifdef(`crond.te', -`allow system_mail_t crond_t:tcp_socket { read write create };') - -postfix_domain(master, `, mail_server_domain') -rhgb_domain(postfix_master_t) - -# for a find command -dontaudit postfix_master_t security_t:dir search; - -read_sysctl(postfix_master_t) - -ifdef(`targeted_policy', ` -bool postfix_disable_trans false; -if (!postfix_disable_trans) { -') -domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t) -allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh }; - -domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t) -allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh }; -ifdef(`targeted_policy', `', ` -role_transition sysadm_r postfix_master_exec_t system_r; -') -allow postfix_master_t postfix_etc_t:file rw_file_perms; -dontaudit postfix_master_t admin_tty_type:chr_file { read write }; -allow postfix_master_t devpts_t:dir search; - -domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t) -allow system_mail_t sysadm_t:process sigchld; -allow system_mail_t privfd:fd use; - -ifdef(`pppd.te', ` -domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t) -') - -ifdef(`targeted_policy', ` -} -') - -allow postfix_master_t privfd:fd use; -ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;') -allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms; - -# postfix does a "find" on startup for some reason - keep it quiet -dontaudit 
postfix_master_t selinux_config_t:dir search; -can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) -ifdef(`distro_redhat', ` -# compatability for old default main.cf -file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t) -# for newer main.cf that uses /etc/aliases -file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t) -') -file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t) -allow postfix_master_t sendmail_exec_t:file r_file_perms; -allow postfix_master_t sbin_t:lnk_file { getattr read }; - -can_exec(postfix_master_t, { ls_exec_t sbin_t }) -allow postfix_master_t self:fifo_file rw_file_perms; -allow postfix_master_t usr_t:file r_file_perms; -can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t }) -# chown is to set the correct ownership of queue dirs -allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; -allow postfix_master_t postfix_public_t:fifo_file create_file_perms; -allow postfix_master_t postfix_public_t:sock_file create_file_perms; -allow postfix_master_t postfix_public_t:dir rw_dir_perms; -allow postfix_master_t postfix_private_t:dir rw_dir_perms; -allow postfix_master_t postfix_private_t:sock_file create_file_perms; -allow postfix_master_t postfix_private_t:fifo_file create_file_perms; -can_network(postfix_master_t) -allow postfix_master_t port_type:tcp_socket name_connect; -can_ypbind(postfix_master_t) -allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind; -allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; -allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; -allow postfix_master_t postfix_prng_t:file getattr; -allow postfix_master_t privfd:fd use; -allow postfix_master_t etc_aliases_t:file rw_file_perms; - -ifdef(`saslauthd.te',` -allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr }; -allow postfix_smtpd_t 
saslauthd_var_run_t:sock_file { read write }; -can_unix_connect(postfix_smtpd_t,saslauthd_t) -') - -create_dir_file(postfix_master_t, postfix_spool_flush_t) -allow postfix_master_t postfix_prng_t:file rw_file_perms; -# for ls to get the current context -allow postfix_master_t self:file { getattr read }; - -# allow access to deferred queue and allow removing bogus incoming entries -allow postfix_master_t postfix_spool_t:dir create_dir_perms; -allow postfix_master_t postfix_spool_t:file create_file_perms; - -dontaudit postfix_master_t man_t:dir search; - -define(`postfix_server_domain', ` -postfix_domain($1, `$2') -domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) -allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; -allow postfix_$1_t self:capability { setuid setgid dac_override }; -can_network_client(postfix_$1_t) -allow postfix_$1_t port_type:tcp_socket name_connect; -can_ypbind(postfix_$1_t) -') - -postfix_server_domain(smtp, `, mail_server_sender') -allow postfix_smtp_t postfix_spool_t:file rw_file_perms; -allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search; -allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write; -allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto; -# if you have two different mail servers on the same host let them talk via -# SMTP, also if one mail server wants to talk to itself then allow it and let -# the SMTP protocol sort it out (SE Linux is not to prevent mail server -# misconfiguration) -can_tcp_connect(postfix_smtp_t, mail_server_domain) - -postfix_server_domain(smtpd) -allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; -allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search; -allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms; -allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto; -# for OpenSSL certificates 
-r_dir_file(postfix_smtpd_t,usr_t) -allow postfix_smtpd_t etc_aliases_t:file r_file_perms; -allow postfix_smtpd_t self:file { getattr read }; - -# for prng_exch -allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; - -allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms; - -postfix_server_domain(local, `, mta_delivery_agent') -ifdef(`procmail.te', ` -domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t) -# for a bug in the postfix local program -dontaudit procmail_t postfix_local_t:tcp_socket { read write }; -dontaudit procmail_t postfix_master_t:fd use; -') -allow postfix_local_t etc_aliases_t:file r_file_perms; -allow postfix_local_t self:fifo_file rw_file_perms; -allow postfix_local_t self:process { setsched setrlimit }; -allow postfix_local_t postfix_spool_t:file rw_file_perms; -# for .forward - maybe we need a new type for it? -allow postfix_local_t postfix_private_t:dir search; -allow postfix_local_t postfix_private_t:sock_file rw_file_perms; -allow postfix_local_t postfix_master_t:unix_stream_socket connectto; -allow postfix_local_t postfix_public_t:dir search; -allow postfix_local_t postfix_public_t:sock_file write; -tmp_domain(postfix_local) -can_exec(postfix_local_t,{ shell_exec_t bin_t }) -allow postfix_local_t mail_spool_t:dir { remove_name }; -allow postfix_local_t mail_spool_t:file { unlink }; -# For reading spamassasin -r_dir_file(postfix_local_t, etc_mail_t) - -define(`postfix_public_domain',` -postfix_server_domain($1) -allow postfix_$1_t postfix_public_t:dir search; -') - -postfix_public_domain(cleanup) -create_dir_file(postfix_cleanup_t, postfix_spool_t) -allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms; -allow postfix_cleanup_t postfix_public_t:sock_file { getattr write }; -allow postfix_cleanup_t postfix_private_t:dir search; -allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms; -allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto; -allow postfix_cleanup_t 
postfix_spool_bounce_t:dir r_dir_perms; -allow postfix_cleanup_t self:process setrlimit; - -allow user_mail_domain postfix_spool_t:dir r_dir_perms; -allow user_mail_domain postfix_etc_t:dir r_dir_perms; -allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms; -allow user_mail_domain self:capability dac_override; - -define(`postfix_user_domain', ` -postfix_domain($1, `$2') -domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) -in_user_role(postfix_$1_t) -role sysadm_r types postfix_$1_t; -allow postfix_$1_t userdomain:process sigchld; -allow postfix_$1_t userdomain:fifo_file { write getattr }; -allow postfix_$1_t { userdomain privfd }:fd use; -allow postfix_$1_t self:capability dac_override; -') - -postfix_user_domain(postqueue) -allow postfix_postqueue_t postfix_public_t:dir search; -allow postfix_postqueue_t postfix_public_t:fifo_file getattr; -allow postfix_postqueue_t self:udp_socket { create ioctl }; -allow postfix_postqueue_t self:tcp_socket create; -allow postfix_master_t postfix_postqueue_exec_t:file getattr; -domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -allow postfix_postqueue_t initrc_t:process sigchld; -allow postfix_postqueue_t initrc_t:fd use; - -# to write the mailq output, it really should not need read access! 
-allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr }; -ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;') - -# wants to write to /var/spool/postfix/public/showq -allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms; -allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto; -# write to /var/spool/postfix/public/qmgr -allow postfix_postqueue_t postfix_public_t:fifo_file write; -dontaudit postfix_postqueue_t net_conf_t:file r_file_perms; - -postfix_user_domain(showq) -# the following auto_trans is usually in postfix server domain -domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -can_resolve(postfix_showq_t) -r_dir_file(postfix_showq_t, postfix_spool_maildrop_t) -domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) -allow postfix_showq_t self:capability { setuid setgid }; -allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; -allow postfix_showq_t postfix_spool_t:file r_file_perms; -allow postfix_showq_t self:tcp_socket create_socket_perms; -allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write }; -dontaudit postfix_showq_t net_conf_t:file r_file_perms; - -postfix_user_domain(postdrop, `, mta_user_agent') -allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms; -allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms; -allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms; -allow postfix_postdrop_t postfix_public_t:dir search; -allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms; -dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write }; -dontaudit postfix_postdrop_t net_conf_t:file r_file_perms; -allow postfix_master_t postfix_postdrop_exec_t:file getattr; -ifdef(`crond.te', -`allow postfix_postdrop_t { crond_t system_crond_t }:fd use; -allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;') 
-# usually it does not need a UDP socket -allow postfix_postdrop_t self:udp_socket create_socket_perms; -allow postfix_postdrop_t self:tcp_socket create; -allow postfix_postdrop_t self:capability sys_resource; -allow postfix_postdrop_t self:tcp_socket create; - -postfix_public_domain(pickup) -allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms; -allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms; -allow postfix_pickup_t postfix_private_t:dir search; -allow postfix_pickup_t postfix_private_t:sock_file write; -allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto; -allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms; -allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms; -allow postfix_pickup_t postfix_spool_maildrop_t:file unlink; -allow postfix_pickup_t self:tcp_socket create_socket_perms; - -postfix_public_domain(qmgr) -allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms; -allow postfix_qmgr_t postfix_public_t:sock_file write; -allow postfix_qmgr_t postfix_private_t:dir search; -allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms; -allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto; - -# for /var/spool/postfix/active -create_dir_file(postfix_qmgr_t, postfix_spool_t) - -postfix_public_domain(bounce) -type postfix_spool_bounce_t, file_type, sysadmfile; -create_dir_file(postfix_bounce_t, postfix_spool_bounce_t) -create_dir_file(postfix_bounce_t, postfix_spool_t) -allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms; -allow postfix_master_t postfix_spool_bounce_t:file getattr; -allow postfix_bounce_t self:capability dac_read_search; -allow postfix_bounce_t postfix_public_t:sock_file write; -allow postfix_bounce_t self:tcp_socket create_socket_perms; - -r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t) - -postfix_public_domain(pipe) -allow postfix_pipe_t postfix_spool_t:dir search; -allow postfix_pipe_t postfix_spool_t:file rw_file_perms; -allow 
postfix_pipe_t self:fifo_file { read write }; -allow postfix_pipe_t postfix_private_t:dir search; -allow postfix_pipe_t postfix_private_t:sock_file write; -ifdef(`procmail.te', ` -domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t) -') -ifdef(`sendmail.te', ` -r_dir_file(sendmail_t, postfix_etc_t) -allow sendmail_t postfix_spool_t:dir search; -') - -# Program for creating database files -application_domain(postfix_map) -base_file_read_access(postfix_map_t) -allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read }; -tmp_domain(postfix_map) -create_dir_file(postfix_map_t, postfix_etc_t) -allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; -dontaudit postfix_map_t proc_t:dir { getattr read search }; -dontaudit postfix_map_t local_login_t:fd use; -allow postfix_master_t postfix_map_exec_t:file rx_file_perms; -read_locale(postfix_map_t) -allow postfix_map_t self:capability setgid; -allow postfix_map_t self:unix_dgram_socket create_socket_perms; -dontaudit postfix_map_t var_t:dir search; -can_network_server(postfix_map_t) -allow postfix_map_t port_type:tcp_socket name_connect; diff --git a/targeted/domains/program/postgresql.te b/targeted/domains/program/postgresql.te deleted file mode 100644 index a86d9d49..00000000 --- a/targeted/domains/program/postgresql.te +++ /dev/null 
@@ -1,138 +0,0 @@ -#DESC Postgresql - Database server -# -# Author: Russell Coker -# X-Debian-Packages: postgresql -# - -################################# -# -# Rules for the postgresql_t domain. -# -# postgresql_exec_t is the type of the postgresql executable. -# -daemon_domain(postgresql) -allow initrc_t postgresql_exec_t:lnk_file read; -allow postgresql_t usr_t:file { getattr read }; - -allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; - -ifdef(`distro_debian', ` -can_exec(postgresql_t, initrc_exec_t) -# gross hack -domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t) -can_exec(postgresql_t, dpkg_exec_t) -') - -dontaudit postgresql_t sysadm_home_dir_t:dir search; - -# quiet ps and killall -dontaudit postgresql_t domain:dir { getattr search }; - -# for currect directory of scripts -allow postgresql_t { var_spool_t cron_spool_t }:dir search; - -# capability kill is for shutdown script -allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config }; -dontaudit postgresql_t self:capability sys_admin; - -etcdir_domain(postgresql) -type postgresql_db_t, file_type, sysadmfile; - -logdir_domain(postgresql) - -ifdef(`crond.te', ` -# allow crond to find /usr/lib/postgresql/bin/do.maintenance -allow crond_t postgresql_db_t:dir search; -system_crond_entry(postgresql_exec_t, postgresql_t) -') - -tmp_domain(postgresql, `', `{ dir file sock_file }') -file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t) - -# Use the network. 
-can_network(postgresql_t) -can_ypbind(postgresql_t) -allow postgresql_t self:fifo_file { getattr read write ioctl }; -allow postgresql_t self:unix_stream_socket create_stream_socket_perms; -can_unix_connect(postgresql_t, self) -allow postgresql_t self:unix_dgram_socket create_socket_perms; - -allow postgresql_t self:shm create_shm_perms; - -ifdef(`targeted_policy', `', ` -bool allow_user_postgresql_connect false; - -if (allow_user_postgresql_connect) { -# allow any user domain to connect to the database server -can_tcp_connect(userdomain, postgresql_t) -allow userdomain postgresql_t:unix_stream_socket connectto; -allow userdomain postgresql_var_run_t:sock_file write; -allow userdomain postgresql_tmp_t:sock_file write; -} -') -ifdef(`consoletype.te', ` -can_exec(postgresql_t, consoletype_exec_t) -') - -ifdef(`hostname.te', ` -can_exec(postgresql_t, hostname_exec_t) -') - -allow postgresql_t postgresql_port_t:tcp_socket name_bind; -allow postgresql_t auth_port_t:tcp_socket name_connect; - -allow postgresql_t { proc_t self }:file { getattr read }; - -# Allow access to the postgresql databases -create_dir_file(postgresql_t, postgresql_db_t) -file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t) -allow postgresql_t var_lib_t:dir { getattr search }; - -# because postgresql start scripts are broken and put the pid file in the DB -# directory -rw_dir_file(initrc_t, postgresql_db_t) - -# read config files -allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr }; -r_dir_file(initrc_t, postgresql_etc_t) - -allow postgresql_t etc_t:dir rw_dir_perms; - -read_sysctl(postgresql_t) - -allow postgresql_t devtty_t:chr_file { read write }; -allow postgresql_t devpts_t:dir search; - -allow postgresql_t { bin_t sbin_t }:dir search; -allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read }; -allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; - -allow postgresql_t self:sem create_sem_perms; - -allow postgresql_t initrc_var_run_t:file { 
getattr read lock }; -dontaudit postgresql_t selinux_config_t:dir search; -allow postgresql_t mail_spool_t:dir search; -lock_domain(postgresql) -can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } ) -ifdef(`apache.te', ` -# -# Allow httpd to work with postgresql -# -allow httpd_t postgresql_tmp_t:sock_file rw_file_perms; -can_unix_connect(httpd_t, postgresql_t) -') - -ifdef(`distro_gentoo', ` -# "su - postgres ..." is called from initrc_t -allow initrc_su_t postgresql_db_t:dir search; -allow postgresql_t initrc_su_t:process sigchld; -dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; -') - -dontaudit postgresql_t home_root_t:dir search; -can_kerberos(postgresql_t) -allow postgresql_t urandom_device_t:chr_file { getattr read }; - -if (allow_execmem) { -allow postgresql_t self:process execmem; -} diff --git a/targeted/domains/program/pppd.te b/targeted/domains/program/pppd.te deleted file mode 100644 index 8499da71..00000000 --- a/targeted/domains/program/pppd.te +++ /dev/null 
@@ -1,148 +0,0 @@ -#DESC PPPD - PPP daemon -# -# Author: Russell Coker -# X-Debian-Packages: ppp -# - -################################# -# -# Rules for the pppd_t domain, et al. -# -# pppd_t is the domain for the pppd program. -# pppd_exec_t is the type of the pppd executable. -# pppd_secret_t is the type of the pap and chap password files -# -bool pppd_for_user false; - -daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain') -type pppd_secret_t, file_type, sysadmfile; - -# Define a separate type for /etc/ppp -etcdir_domain(pppd) -# Define a separate type for writable files under /etc/ppp -type pppd_etc_rw_t, file_type, sysadmfile; -# Automatically label newly created files under /etc/ppp with this type -file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) - -# for SSP -allow pppd_t urandom_device_t:chr_file read; - -allow pppd_t sysfs_t:dir search; - -log_domain(pppd) - -# Use the network. -can_network_server(pppd_t) -can_ypbind(pppd_t) - -# Use capabilities. -allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module }; -lock_domain(pppd) - -# Access secret files -allow pppd_t pppd_secret_t:file r_file_perms; - -ifdef(`postfix.te', ` -allow pppd_t postfix_etc_t:dir search; -allow pppd_t postfix_etc_t:file r_file_perms; -allow pppd_t postfix_master_exec_t:file { getattr read }; -allow postfix_postqueue_t pppd_t:fd use; -allow postfix_postqueue_t pppd_t:process sigchld; -') - -# allow running ip-up and ip-down scripts and running chat. -can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t }) -allow pppd_t { bin_t sbin_t }:dir search; -allow pppd_t { sbin_t bin_t }:lnk_file read; -allow ifconfig_t pppd_t:fd use; - -# Access /dev/ppp. 
-allow pppd_t ppp_device_t:chr_file rw_file_perms; -allow pppd_t devtty_t:chr_file { read write }; - -allow pppd_t self:unix_dgram_socket create_socket_perms; -allow pppd_t self:unix_stream_socket create_socket_perms; - -allow pppd_t proc_t:dir search; -allow pppd_t proc_t:{ file lnk_file } r_file_perms; -allow pppd_t proc_net_t:dir { read search }; -allow pppd_t proc_net_t:file r_file_perms; - -allow pppd_t etc_runtime_t:file r_file_perms; - -allow pppd_t self:socket create_socket_perms; - -allow pppd_t tty_device_t:chr_file { setattr rw_file_perms }; - -allow pppd_t devpts_t:dir search; - -# for scripts -allow pppd_t self:fifo_file rw_file_perms; -allow pppd_t etc_t:lnk_file read; - -# for ~/.ppprc - if it actually exists then you need some policy to read it -allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; - -in_user_role(pppd_t) -if (pppd_for_user) { -# Run pppd in pppd_t by default for user -domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t) -allow unpriv_userdomain pppd_t:process signal; -} - -# for pppoe -can_create_pty(pppd) -allow pppd_t self:file { read getattr }; - -allow pppd_t self:packet_socket create_socket_perms; - -file_type_auto_trans(pppd_t, etc_t, net_conf_t, file) -tmp_domain(pppd) -allow pppd_t sysctl_net_t:dir search; -allow pppd_t sysctl_net_t:file r_file_perms; -allow pppd_t self:netlink_route_socket r_netlink_socket_perms; -allow pppd_t initrc_var_run_t:file r_file_perms; -dontaudit pppd_t initrc_var_run_t:file { lock write }; - -# pppd needs to load kernel modules for certain modems -bool pppd_can_insmod false; -if (pppd_can_insmod) { -ifdef(`modutil.te', ` -domain_auto_trans(pppd_t, insmod_exec_t, insmod_t) -') -} - -daemon_domain(pptp, `, nscd_client_domain') -can_network_client_tcp(pptp_t) -allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect; -can_exec(pptp_t, hostname_exec_t) -domain_auto_trans(pppd_t, pptp_exec_t, pptp_t) -allow pptp_t self:rawip_socket create_socket_perms; -allow 
pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow pptp_t self:unix_dgram_socket create_socket_perms; -can_exec(pptp_t, pppd_etc_rw_t) -allow pptp_t devpts_t:chr_file ioctl; -r_dir_file(pptp_t, pppd_etc_rw_t) -r_dir_file(pptp_t, pppd_etc_t) -allow pptp_t devpts_t:dir search; -allow pppd_t devpts_t:chr_file ioctl; -allow pppd_t pptp_t:process signal; -allow pptp_t self:capability net_raw; -allow pptp_t self:fifo_file { read write }; -allow pptp_t ptmx_t:chr_file rw_file_perms; -log_domain(pptp) - -# Fix sockets -allow pptp_t pptp_var_run_t:sock_file create_file_perms; - -# Allow pptp to append to pppd log files -allow pptp_t pppd_log_t:file append; - -ifdef(`named.te', ` -dontaudit ndc_t pppd_t:fd use; -') - -# Allow /etc/ppp/ip-{up,down} to run most anything -type pppd_script_exec_t, file_type, sysadmfile; -domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t) -allow pppd_t initrc_t:process noatsecure; diff --git a/targeted/domains/program/privoxy.te b/targeted/domains/program/privoxy.te deleted file mode 100644 index b8a522df..00000000 --- a/targeted/domains/program/privoxy.te +++ /dev/null @@ -1,27 +0,0 @@ -#DESC privoxy - privacy enhancing proxy -# -# Authors: Dan Walsh -# -# - -################################# -# -# Rules for the privoxy_t domain. -# -daemon_domain(privoxy, `, web_client_domain') - -logdir_domain(privoxy) - -# Use capabilities. -allow privoxy_t self:capability net_bind_service; - -# Use the network. -can_network_tcp(privoxy_t) -can_ypbind(privoxy_t) -can_resolve(privoxy_t) -allow privoxy_t http_cache_port_t:tcp_socket name_bind; -allow privoxy_t etc_t:file { getattr read }; -allow privoxy_t self:capability { setgid setuid }; -allow privoxy_t self:unix_stream_socket create_socket_perms ; -allow privoxy_t admin_tty_type:chr_file { read write }; - diff --git a/targeted/domains/program/procmail.te b/targeted/domains/program/procmail.te deleted file mode 100644 index 2c77b46e..00000000 
--- a/targeted/domains/program/procmail.te +++ /dev/null 
@@ -1,91 +0,0 @@ -#DESC Procmail - Mail delivery agent for mail servers -# -# Author: Russell Coker -# X-Debian-Packages: procmail -# - -################################# -# -# Rules for the procmail_t domain. -# -# procmail_exec_t is the type of the procmail executable. -# -# privhome only works until we define a different type for maildir -type procmail_t, domain, privlog, privhome, nscd_client_domain; -type procmail_exec_t, file_type, sysadmfile, exec_type; - -role system_r types procmail_t; - -uses_shlib(procmail_t) -allow procmail_t device_t:dir search; -can_network_server(procmail_t) -nsswitch_domain(procmail_t) - -allow procmail_t self:capability { sys_nice chown setuid setgid dac_override }; - -allow procmail_t etc_t:dir r_dir_perms; -allow procmail_t { etc_t etc_runtime_t }:file { getattr read }; -allow procmail_t etc_t:lnk_file read; -read_locale(procmail_t) -read_sysctl(procmail_t) - -allow procmail_t sysctl_t:dir search; - -allow procmail_t self:process { setsched fork sigchld signal }; -dontaudit procmail_t sbin_t:dir { getattr search }; -can_exec(procmail_t, { bin_t shell_exec_t }) -allow procmail_t bin_t:dir { getattr search }; -allow procmail_t bin_t:lnk_file read; -allow procmail_t self:fifo_file rw_file_perms; - -allow procmail_t self:unix_stream_socket create_socket_perms; -allow procmail_t self:unix_dgram_socket create_socket_perms; - -# for /var/mail -rw_dir_create_file(procmail_t, mail_spool_t) - -allow procmail_t var_t:dir { getattr search }; -allow procmail_t var_spool_t:dir r_dir_perms; - -allow procmail_t fs_t:filesystem getattr; -allow procmail_t { self proc_t }:dir search; -allow procmail_t proc_t:file { getattr read }; -allow procmail_t { self proc_t }:lnk_file read; - -# for if /var/mail is a symlink to /var/spool/mail -#allow procmail_t mail_spool_t:lnk_file r_file_perms; - -# for spamassasin -allow procmail_t usr_t:file { getattr ioctl read }; -ifdef(`spamassassin.te', ` -can_exec(procmail_t, spamassassin_exec_t) -allow procmail_t 
port_t:udp_socket name_bind; -allow procmail_t tmp_t:dir getattr; -') -ifdef(`spamc.te', ` -can_exec(procmail_t, spamc_exec_t) -') - -ifdef(`targeted_policy', ` -allow procmail_t port_t:udp_socket name_bind; -allow procmail_t tmp_t:dir getattr; -') - -# Search /var/run. -allow procmail_t var_run_t:dir { getattr search }; - -# Do not audit attempts to access /root. -dontaudit procmail_t sysadm_home_dir_t:dir { getattr search }; - -allow procmail_t devtty_t:chr_file { read write }; - -allow procmail_t urandom_device_t:chr_file { getattr read }; - -ifdef(`sendmail.te', ` -r_dir_file(procmail_t, etc_mail_t) -allow procmail_t sendmail_t:tcp_socket { read write }; -') - -ifdef(`hide_broken_symptoms', ` -dontaudit procmail_t mqueue_spool_t:file { getattr read write }; -') diff --git a/targeted/domains/program/radius.te b/targeted/domains/program/radius.te deleted file mode 100644 index 5d029236..00000000 --- a/targeted/domains/program/radius.te +++ /dev/null 
@@ -1,66 +0,0 @@ -#DESC RADIUS - Radius server -# -# Author: Russell Coker -# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius -# - -################################# -# -# Rules for the radiusd_t domain. -# -# radiusd_exec_t is the type of the radiusd executable. -# -daemon_domain(radiusd, `, auth') - -etcdir_domain(radiusd) - -system_crond_entry(radiusd_exec_t, radiusd_t) - -allow radiusd_t self:process setsched; - -allow radiusd_t proc_t:file { read getattr }; - -dontaudit radiusd_t sysadm_home_dir_t:dir getattr; - -# allow pthreads to read kernel version -read_sysctl(radiusd_t) - -# read config files -allow radiusd_t etc_t:dir r_dir_perms; -allow radiusd_t { etc_t etc_runtime_t }:file { read getattr }; -allow radiusd_t etc_t:lnk_file read; - -# write log files -logdir_domain(radiusd) -allow radiusd_t radiusd_log_t:dir create; - -allow radiusd_t usr_t:file r_file_perms; - -can_exec(radiusd_t, lib_t) -can_exec(radiusd_t, { bin_t shell_exec_t }) -allow radiusd_t { bin_t sbin_t }:dir search; -allow radiusd_t bin_t:lnk_file read; - -allow radiusd_t devtty_t:chr_file { read write }; -allow radiusd_t self:fifo_file rw_file_perms; -# fsetid is for gzip which needs it when run from scripts -# gzip also needs chown access to preserve GID for radwtmp files -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; - -can_network_server(radiusd_t) -can_ypbind(radiusd_t) -allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind; - -# for RADIUS proxy port -allow radiusd_t port_t:udp_socket name_bind; - -ifdef(`snmpd.te', ` -can_tcp_connect(radiusd_t, snmpd_t) -') -ifdef(`logrotate.te', ` -can_exec(radiusd_t, logrotate_exec_t) -') -can_udp_send(sysadm_t, radiusd_t) -can_udp_send(radiusd_t, sysadm_t) - -allow radiusd_t self:unix_stream_socket create_stream_socket_perms; 
diff --git a/targeted/domains/program/radvd.te b/targeted/domains/program/radvd.te deleted file mode 100644 index 868ef8bf..00000000 --- a/targeted/domains/program/radvd.te +++ /dev/null @@ -1,30 +0,0 @@ -#DESC Radv - IPv6 route advisory daemon -# -# Author: Russell Coker -# X-Debian-Packages: radvd -# - -################################# -# -# Rules for the radvd_t domain. -# -daemon_domain(radvd) - -etc_domain(radvd) -allow radvd_t etc_t:file { getattr read }; - -allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms; - -allow radvd_t self:capability { setgid setuid net_raw }; -allow radvd_t self:{ unix_dgram_socket rawip_socket } create; -allow radvd_t self:unix_stream_socket create_socket_perms; - -can_network_server(radvd_t) -can_ypbind(radvd_t) - -allow radvd_t { proc_t proc_net_t }:dir r_dir_perms; -allow radvd_t { proc_t proc_net_t }:file { getattr read }; -allow radvd_t etc_t:lnk_file read; - -allow radvd_t sysctl_net_t:file r_file_perms; -allow radvd_t sysctl_net_t:dir r_dir_perms; diff --git a/targeted/domains/program/restorecon.te b/targeted/domains/program/restorecon.te deleted file mode 100644 index 52fff2f0..00000000 --- a/targeted/domains/program/restorecon.te +++ /dev/null 
@@ -1,66 +0,0 @@
-#DESC restorecon - Restore or check the context of a file
-#
-# Authors: Russell Coker
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the restorecon_t domain.
-#
-# restorecon_exec_t is the type of the restorecon executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type restorecon_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types restorecon_t;
-role sysadm_r types restorecon_t;
-role secadm_r types restorecon_t;
-
-can_access_pty(restorecon_t, initrc)
-allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
-
-domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
-allow restorecon_t { userdomain init_t privfd }:fd use;
-
-uses_shlib(restorecon_t)
-allow restorecon_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that restorecon can not be run!
-allow restorecon_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(restorecon_t)
-
-r_dir_file(restorecon_t, policy_config_t)
-
-allow restorecon_t file_type:dir r_dir_perms;
-allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
-allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
-allow restorecon_t unlabeled_t:dir read;
-allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-ifdef(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
-')
-ifdef(`dpkg.te', `
-domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
-')
-
-allow restorecon_t ptyfile:chr_file getattr;
-
-allow restorecon_t fs_t:filesystem getattr;
-
-allow restorecon_t etc_runtime_t:file { getattr read };
-allow restorecon_t etc_t:file { getattr read };
-allow restorecon_t proc_t:file { getattr read };
-dontaudit restorecon_t proc_t:lnk_file { getattr read };
-
-allow restorecon_t device_t:file { read write };
-allow restorecon_t kernel_t:fd use;
-allow restorecon_t kernel_t:fifo_file { read write };
-allow restorecon_t kernel_t:unix_dgram_socket { read write };
-r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-allow restorecon_t autofs_t:dir search;
diff --git a/targeted/domains/program/rlogind.te b/targeted/domains/program/rlogind.te
deleted file mode 100644
index 88af4e4f..00000000
--- a/targeted/domains/program/rlogind.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC Rlogind - Remote login daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: rsh-client rsh-redone-client
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rlogind_t domain.
-#
-remote_login_daemon(rlogind)
-typeattribute rlogind_t auth_chkpwd;
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
-')
-
-# for /usr/lib/telnetlogin
-can_exec(rlogind_t, rlogind_exec_t)
-
-# Use capabilities.
-allow rlogind_t self:capability { net_bind_service };
-
-# Run login in remote_login_t.
-allow remote_login_t inetd_t:fd use;
-allow remote_login_t inetd_t:tcp_socket rw_file_perms;
-
-# Send SIGCHLD to inetd on death.
-allow rlogind_t inetd_t:process sigchld;
-
-allow rlogind_t home_dir_type:dir search;
-allow rlogind_t home_type:file { getattr read };
-allow rlogind_t self:file { getattr read };
-allow rlogind_t default_t:dir search;
-typealias rlogind_port_t alias rlogin_port_t;
-read_sysctl(rlogind_t);
-ifdef(`kerberos.te', `
-allow rlogind_t krb5_keytab_t:file { getattr read };
-')
diff --git a/targeted/domains/program/rpcd.te b/targeted/domains/program/rpcd.te
deleted file mode 100644
index 8efa09c6..00000000
--- a/targeted/domains/program/rpcd.te
+++ /dev/null
@@ -1,167 +0,0 @@
-#DESC Rpcd - RPC daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# Depends: portmap.te
-# X-Debian-Packages: nfs-common
-#
-
-#################################
-#
-# Rules for the rpcd_t and nfsd_t domain.
-#
-define(`rpc_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `, transitionbool')
-', `
-daemon_base_domain($1)
-')
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-allow $1_t { etc_runtime_t etc_t }:file { getattr read };
-read_locale($1_t)
-allow $1_t self:capability net_bind_service;
-dontaudit $1_t self:capability net_admin;
-
-allow $1_t var_t:dir { getattr search };
-allow $1_t var_lib_t:dir search;
-allow $1_t var_lib_nfs_t:dir create_dir_perms;
-allow $1_t var_lib_nfs_t:file create_file_perms;
-# do not log when it tries to bind to a port belonging to another domain
-dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-allow $1_t self:netlink_route_socket r_netlink_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-# bind to arbitary unused ports
-allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
-allow $1_t sysctl_rpc_t:dir search;
-allow $1_t sysctl_rpc_t:file rw_file_perms;
-')
-
-type exports_t, file_type, sysadmfile;
-dontaudit userdomain exports_t:file getattr;
-
-# rpcd_t is the domain of rpc daemons.
-# rpcd_exec_t is the type of rpc daemon programs.
-#
-rpc_domain(rpcd)
-var_run_domain(rpcd)
-allow rpcd_t rpcd_var_run_t:dir setattr;
-
-# for rpc.rquotad
-allow rpcd_t sysctl_t:dir r_dir_perms;
-allow rpcd_t self:fifo_file rw_file_perms;
-
-# rpcd_t needs to talk to the portmap_t domain
-can_udp_send(rpcd_t, portmap_t)
-
-allow initrc_t exports_t:file r_file_perms;
-ifdef(`distro_redhat', `
-allow rpcd_t self:capability { chown dac_override setgid setuid };
-# for /etc/rc.d/init.d/nfs to create /etc/exports
-allow initrc_t exports_t:file write;
-')
-
-allow rpcd_t self:file { getattr read };
-
-# nfs kernel server needs kernel UDP access. It is less risky and painful
-# to just give it everything.
-can_network_server(kernel_t)
-#can_udp_send(kernel_t, rpcd_t)
-#can_udp_send(rpcd_t, kernel_t)
-
-rpc_domain(nfsd)
-domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
-role sysadm_r types nfsd_t;
-
-# for /proc/fs/nfs/exports - should we have a new type?
-allow nfsd_t proc_t:file r_file_perms;
-allow nfsd_t proc_net_t:dir search;
-allow nfsd_t exports_t:file { getattr read };
-
-allow nfsd_t nfsd_fs_t:filesystem mount;
-allow nfsd_t nfsd_fs_t:dir search;
-allow nfsd_t nfsd_fs_t:file rw_file_perms;
-allow initrc_t sysctl_rpc_t:dir search;
-allow initrc_t sysctl_rpc_t:file rw_file_perms;
-
-type nfsd_rw_t, file_type, sysadmfile, usercanread;
-type nfsd_ro_t, file_type, sysadmfile, usercanread;
-
-bool nfs_export_all_rw false;
-
-if(nfs_export_all_rw) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t, noexattrfile)
-create_dir_file(kernel_t,{ file_type -shadow_t })
-}
-
-dontaudit kernel_t shadow_t:file getattr;
-
-bool nfs_export_all_ro false;
-
-if(nfs_export_all_ro) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
-}
-
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
-create_dir_file(kernel_t, nfsd_rw_t);
-r_dir_file(kernel_t, nfsd_ro_t);
-
-allow kernel_t nfsd_t:udp_socket rw_socket_perms;
-can_udp_send(kernel_t, nfsd_t)
-can_udp_send(nfsd_t, kernel_t)
-
-# does not really need this, but it is easier to just allow it
-allow nfsd_t var_run_t:dir search;
-
-allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_type:filesystem getattr;
-
-can_udp_send(nfsd_t, portmap_t)
-can_udp_send(portmap_t, nfsd_t)
-
-can_tcp_connect(nfsd_t, portmap_t)
-
-# for exportfs and rpc.mountd
-allow nfsd_t tmp_t:dir getattr;
-
-r_dir_file(rpcd_t, rpc_pipefs_t)
-allow rpcd_t rpc_pipefs_t:sock_file { read write };
-dontaudit rpcd_t selinux_config_t:dir { search };
-allow rpcd_t proc_net_t:dir search;
-
-
-rpc_domain(gssd)
-can_kerberos(gssd_t)
-ifdef(`kerberos.te', `
-allow gssd_t krb5_keytab_t:file r_file_perms;
-')
-allow gssd_t urandom_device_t:chr_file { getattr read };
-r_dir_file(gssd_t, tmp_t)
-tmp_domain(gssd)
-allow gssd_t self:fifo_file { read write };
-r_dir_file(gssd_t, proc_net_t)
-allow gssd_t rpc_pipefs_t:dir r_dir_perms;
-allow gssd_t rpc_pipefs_t:sock_file { read write };
-allow gssd_t rpc_pipefs_t:file r_file_perms;
-allow gssd_t self:capability { dac_override dac_read_search setuid };
-allow nfsd_t devtty_t:chr_file rw_file_perms;
-allow rpcd_t devtty_t:chr_file rw_file_perms;
-
-bool allow_gssd_read_tmp true;
-if (allow_gssd_read_tmp) {
-#
-#needs to be able to udpate the kerberos ticket file
-#
-ifdef(`targeted_policy', `
-r_dir_file(gssd_t, tmp_t)
-allow gssd_t tmp_t:file write;
-', `
-r_dir_file(gssd_t, user_tmpfile)
-allow gssd_t user_tmpfile:file write;
-')
-}
diff --git a/targeted/domains/program/rpm.te b/targeted/domains/program/rpm.te
deleted file mode 100644
index 62aa940b..00000000
--- a/targeted/domains/program/rpm.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#DESC rpm - Linux configurable dynamic device naming support
-#
-# Authors: Daniel Walsh
-#
-
-#################################
-#
-# Rules for the rpm domain.
-#
-# rpm_exec_t is the type of the /bin/rpm and other programs.
-# This domain is defined just for targeted policy to labeld /var/lib/rpm
-#
-type rpm_exec_t, file_type, sysadmfile, exec_type;
-type rpm_var_lib_t, file_type, sysadmfile;
-typealias var_log_t alias rpm_log_t;
-type rpm_tmpfs_t, file_type, sysadmfile;
diff --git a/targeted/domains/program/rshd.te b/targeted/domains/program/rshd.te
deleted file mode 100644
index 39976c59..00000000
--- a/targeted/domains/program/rshd.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC RSHD - RSH daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: rsh-server rsh-redone-server
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rshd_t domain.
-#
-daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
-')
-
-# Use sockets inherited from inetd.
-allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Use capabilities.
-allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
-
-# Use the network.
-can_network_server(rshd_t)
-allow rshd_t rsh_port_t:tcp_socket name_bind;
-
-allow rshd_t etc_t:file { getattr read };
-read_locale(rshd_t)
-allow rshd_t self:unix_dgram_socket create_socket_perms;
-allow rshd_t self:unix_stream_socket create_stream_socket_perms;
-allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-can_kerberos(rshd_t)
-allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
-allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
-ifdef(`rlogind.te', `
-allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
-allow rshd_t urandom_device_t:chr_file { getattr read };
-
-# Read the user's .rhosts file.
-allow rshd_t home_type:file r_file_perms ;
-
-# Random reasons
-can_getsecurity(rshd_t)
-can_setexec(rshd_t)
-r_dir_file(rshd_t, selinux_config_t)
-r_dir_file(rshd_t, default_context_t)
-read_sysctl(rshd_t);
-
-if (use_nfs_home_dirs) {
-r_dir_file(rshd_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file(rshd_t, cifs_t)
-}
-
-allow rshd_t self:process { fork signal setsched setpgid };
-allow rshd_t self:fifo_file rw_file_perms;
-
-ifdef(`targeted_policy', `
-unconfined_domain(rshd_t)
-domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
-')
diff --git a/targeted/domains/program/rsync.te b/targeted/domains/program/rsync.te
deleted file mode 100644
index bed52a3f..00000000
--- a/targeted/domains/program/rsync.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC rsync - flexible replacement for rcp
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the rsync_t domain.
-#
-# rsync_exec_t is the type of the rsync executable.
-#
-
-inetd_child_domain(rsync)
-type rsync_data_t, file_type, sysadmfile;
-r_dir_file(rsync_t, rsync_data_t)
-anonymous_domain(rsync)
-allow rsync_t self:capability sys_chroot;
diff --git a/targeted/domains/program/samba.te b/targeted/domains/program/samba.te
deleted file mode 100644
index e9f28c49..00000000
--- a/targeted/domains/program/samba.te
+++ /dev/null
@@ -1,225 +0,0 @@
-#DESC SAMBA - SMB file server
-#
-# Author: Ryan Bergauer (bergauer@rice.edu)
-# X-Debian-Packages: samba
-#
-
-#################################
-#
-# Declarations for Samba
-#
-
-daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
-daemon_domain(nmbd)
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile, customizable;
-type samba_secrets_t, file_type, sysadmfile;
-
-# for /var/run/samba/messages.tdb
-allow smbd_t nmbd_var_run_t:file rw_file_perms;
-
-allow smbd_t self:process setrlimit;
-
-# not sure why it needs this
-tmp_domain(smbd)
-
-# Allow samba to search mnt_t for potential mounted dirs
-allow smbd_t mnt_t:dir r_dir_perms;
-
-ifdef(`crond.te', `
-allow system_crond_t samba_etc_t:file { read getattr lock };
-allow system_crond_t samba_log_t:file { read getattr lock };
-#allow system_crond_t samba_secrets_t:file { read getattr lock };
-')
-
-#################################
-#
-# Rules for the smbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(smbd_t)
-general_proc_read_access(smbd_t)
-
-allow smbd_t smbd_port_t:tcp_socket name_bind;
-
-# Use capabilities.
-allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
-
-# Use the network.
-can_network(smbd_t)
-nsswitch_domain(smbd_t)
-can_kerberos(smbd_t)
-allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
-
-allow smbd_t urandom_device_t:chr_file { getattr read };
-
-# Permissions for Samba files in /etc/samba
-# either allow read access to the directory or allow the auto_trans rule to
-# allow creation of the secrets.tdb file and the MACHINE.SID file
-#allow smbd_t samba_etc_t:dir { search getattr };
-file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
-
-allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
-
-# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
-allow smbd_t var_lib_t:dir search;
-create_dir_file(smbd_t, samba_var_t)
-
-# Needed for shared printers
-allow smbd_t var_spool_t:dir search;
-
-# Permissions to write log files.
-allow smbd_t samba_log_t:file { create ra_file_perms };
-allow smbd_t var_log_t:dir search;
-allow smbd_t samba_log_t:dir ra_dir_perms;
-dontaudit smbd_t samba_log_t:dir remove_name;
-
-ifdef(`hide_broken_symptoms', `
-dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-allow smbd_t fs_t:filesystem quotaget;
-
-allow smbd_t usr_t:file { getattr read };
-
-# Access Samba shares.
-create_dir_file(smbd_t, samba_share_t)
-anonymous_domain(smbd)
-
-ifdef(`logrotate.te', `
-# the application should be changed
-can_exec(logrotate_t, samba_log_t)
-')
-#################################
-#
-# Rules for the nmbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(nmbd_t)
-general_proc_read_access(nmbd_t)
-
-allow nmbd_t nmbd_port_t:udp_socket name_bind;
-
-# Use capabilities.
-allow nmbd_t self:capability net_bind_service;
-
-# Use the network.
-can_network_server(nmbd_t)
-
-# Permissions for Samba files in /etc/samba
-allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_etc_t:dir { search getattr };
-
-# Permissions for Samba cache files in /var/cache/samba
-allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
-allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-
-allow nmbd_t usr_t:file { getattr read };
-
-# Permissions to write log files.
-allow nmbd_t samba_log_t:file { create ra_file_perms };
-allow nmbd_t var_log_t:dir search;
-allow nmbd_t samba_log_t:dir ra_dir_perms;
-allow nmbd_t etc_t:file { getattr read };
-ifdef(`cups.te', `
-allow smbd_t cupsd_rw_etc_t:file { getattr read };
-')
-# Needed for winbindd
-allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
-
-# Support Samba sharing of home directories
-bool samba_enable_home_dirs false;
-
-ifdef(`mount.te', `
-#
-# Domain for running smbmount
-#
-
-# Derive from app. domain. Transition from mount.
-application_domain(smbmount, `, fs_domain, nscd_client_domain')
-domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
-
-# Capabilities
-# FIXME: is all of this really necessary?
-allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-# Access samba config
-allow smbmount_t samba_etc_t:file r_file_perms;
-allow smbmount_t samba_etc_t:dir r_dir_perms;
-allow initrc_t samba_etc_t:file rw_file_perms;
-
-# Write samba log
-allow smbmount_t samba_log_t:file create_file_perms;
-allow smbmount_t samba_log_t:dir r_dir_perms;
-
-# Write stuff in var
-allow smbmount_t var_log_t:dir r_dir_perms;
-rw_dir_create_file(smbmount_t, samba_var_t)
-
-# Access mtab
-file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
-
-# Read nsswitch.conf
-allow smbmount_t etc_t:file r_file_perms;
-
-# Networking
-can_network(smbmount_t)
-allow smbmount_t port_type:tcp_socket name_connect;
-can_ypbind(smbmount_t)
-allow smbmount_t self:unix_dgram_socket create_socket_perms;
-allow smbmount_t self:unix_stream_socket create_socket_perms;
-allow kernel_t smbmount_t:tcp_socket { read write };
-allow userdomain smbmount_t:tcp_socket write;
-
-# Proc
-# FIXME: is this necessary?
-r_dir_file(smbmount_t, proc_t)
-
-# Fork smbmnt
-allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t, smbmount_exec_t)
-allow smbmount_t self:process { fork signal_perms };
-
-# Mount
-allow smbmount_t cifs_t:filesystem mount_fs_perms;
-allow smbmount_t cifs_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir mounton;
-
-# Terminal
-read_locale(smbmount_t)
-access_terminal(smbmount_t, sysadm)
-allow smbmount_t userdomain:fd use;
-allow smbmount_t local_login_t:fd use;
-')
-# Derive from app. domain. Transition from mount.
-application_domain(samba_net, `, nscd_client_domain')
-role system_r types samba_net_t;
-in_user_role(samba_net_t)
-file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
-read_locale(samba_net_t)
-allow samba_net_t samba_etc_t:file r_file_perms;
-r_dir_file(samba_net_t, samba_var_t)
-can_network_udp(samba_net_t)
-access_terminal(samba_net_t, sysadm)
-allow samba_net_t self:unix_dgram_socket create_socket_perms;
-allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
-rw_dir_create_file(samba_net_t, samba_var_t)
-allow samba_net_t etc_t:file { getattr read };
-can_network_client(samba_net_t)
-allow samba_net_t smbd_port_t:tcp_socket name_connect;
-can_ldap(samba_net_t)
-can_kerberos(samba_net_t)
-allow samba_net_t urandom_device_t:chr_file r_file_perms;
-allow samba_net_t proc_t:dir search;
-allow samba_net_t proc_t:lnk_file read;
-allow samba_net_t self:dir search;
-allow samba_net_t self:file read;
-allow samba_net_t self:process signal;
-tmp_domain(samba_net)
-dontaudit samba_net_t sysadm_home_dir_t:dir search;
-allow samba_net_t privfd:fd use;
diff --git a/targeted/domains/program/saslauthd.te b/targeted/domains/program/saslauthd.te
deleted file mode 100644
index 8786dd10..00000000
--- a/targeted/domains/program/saslauthd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC saslauthd - Authentication daemon for SASL
-#
-# Author: Colin Walters
-#
-
-daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
-
-allow saslauthd_t self:fifo_file { read write };
-allow saslauthd_t self:unix_dgram_socket create_socket_perms;
-allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
-allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
-allow saslauthd_t var_lib_t:dir search;
-
-allow saslauthd_t etc_t:dir { getattr search };
-allow saslauthd_t etc_t:file r_file_perms;
-allow saslauthd_t net_conf_t:file r_file_perms;
-
-allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file { getattr read };
-
-allow saslauthd_t urandom_device_t:chr_file { getattr read };
-
-# Needs investigation
-dontaudit saslauthd_t home_root_t:dir getattr;
-can_network_client_tcp(saslauthd_t)
-allow saslauthd_t pop_port_t:tcp_socket name_connect;
-
-bool allow_saslauthd_read_shadow false;
-
-if (allow_saslauthd_read_shadow) {
-allow saslauthd_t shadow_t:file r_file_perms;
-}
-dontaudit saslauthd_t selinux_config_t:dir search;
-dontaudit saslauthd_t selinux_config_t:file { getattr read };
-
-
-dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
-ifdef(`mysqld.te', `
-allow saslauthd_t mysqld_db_t:dir search;
-allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
-')
diff --git a/targeted/domains/program/sendmail.te b/targeted/domains/program/sendmail.te
deleted file mode 100644
index fa695451..00000000
--- a/targeted/domains/program/sendmail.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC sendmail
-#
-# Authors: Daniel Walsh
-#
-
-#################################
-#
-# Rules for the sendmaild domain.
-#
-# sendmail_exec_t is the type of the /usr/sbin/sendmail and other programs.
-# This domain is defined just for targeted policy.
-#
-type sendmail_exec_t, file_type, sysadmfile, exec_type;
-type sendmail_log_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
-var_run_domain(sendmail)
-
diff --git a/targeted/domains/program/setfiles.te b/targeted/domains/program/setfiles.te
deleted file mode 100644
index 85bcd4ce..00000000
--- a/targeted/domains/program/setfiles.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Setfiles - SELinux filesystem labeling utilities
-#
-# Authors: Russell Coker
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the setfiles_t domain.
-#
-# setfiles_exec_t is the type of the setfiles executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type setfiles_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types setfiles_t;
-role sysadm_r types setfiles_t;
-role secadm_r types setfiles_t;
-
-ifdef(`distro_redhat', `
-domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
-')
-can_access_pty(hostname_t, initrc)
-allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
-
-allow setfiles_t self:unix_dgram_socket create_socket_perms;
-
-domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
-allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
-
-uses_shlib(setfiles_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(setfiles_t)
-
-r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
-
-allow setfiles_t file_type:dir r_dir_perms;
-allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
-allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
-allow setfiles_t unlabeled_t:dir read;
-allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
-# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
-dontaudit setfiles_t ttyfile:chr_file relabelfrom;
-
-allow setfiles_t fs_t:filesystem getattr;
-allow setfiles_t fs_type:dir r_dir_perms;
-
-read_locale(setfiles_t)
-
-allow setfiles_t etc_runtime_t:file { getattr read };
-allow setfiles_t etc_t:file { getattr read };
-allow setfiles_t proc_t:file { getattr read };
-dontaudit setfiles_t proc_t:lnk_file { getattr read };
-
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
-dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
diff --git a/targeted/domains/program/slapd.te b/targeted/domains/program/slapd.te
deleted file mode 100644
index dd9e416f..00000000
--- a/targeted/domains/program/slapd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Slapd - OpenLDAP server
-#
-# Author: Russell Coker
-# X-Debian-Packages: slapd
-#
-
-#################################
-#
-# Rules for the slapd_t domain.
-#
-# slapd_exec_t is the type of the slapd executable.
-#
-daemon_domain(slapd)
-
-allow slapd_t ldap_port_t:tcp_socket name_bind;
-
-etc_domain(slapd)
-type slapd_db_t, file_type, sysadmfile;
-type slapd_replog_t, file_type, sysadmfile;
-
-tmp_domain(slapd)
-
-# Use the network.
-can_network(slapd_t)
-allow slapd_t port_type:tcp_socket name_connect;
-can_ypbind(slapd_t)
-allow slapd_t self:fifo_file { read write };
-allow slapd_t self:unix_stream_socket create_socket_perms;
-allow slapd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the LDAP server
-can_tcp_connect(domain, slapd_t)
-
-# Use capabilities should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
-allow slapd_t self:process setsched;
-
-allow slapd_t proc_t:file r_file_perms;
-
-# Allow access to the slapd databases
-create_dir_file(slapd_t, slapd_db_t)
-allow initrc_t slapd_db_t:dir r_dir_perms;
-allow slapd_t var_lib_t:dir r_dir_perms;
-
-# Allow access to write the replication log (should tighten this)
-create_dir_file(slapd_t, slapd_replog_t)
-
-# read config files
-allow slapd_t etc_t:{ file lnk_file } { getattr read };
-allow slapd_t etc_runtime_t:file { getattr read };
-
-# for startup script
-allow initrc_t slapd_etc_t:file { getattr read };
-
-allow slapd_t etc_t:dir r_dir_perms;
-
-read_sysctl(slapd_t)
-
-allow slapd_t usr_t:file { read getattr };
-allow slapd_t urandom_device_t:chr_file { getattr read };
-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
-r_dir_file(slapd_t, cert_t)
diff --git a/targeted/domains/program/snmpd.te b/targeted/domains/program/snmpd.te
deleted file mode 100644
index ea75c8d6..00000000
--- a/targeted/domains/program/snmpd.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC SNMPD - Simple Network Management Protocol daemon
-#
-# Author: Russell Coker
-# X-Debian-Packages: snmpd
-#
-
-#################################
-#
-# Rules for the snmpd_t domain.
-#
-daemon_domain(snmpd, `, nscd_client_domain')
-
-#temp
-allow snmpd_t var_t:dir getattr;
-
-can_network_server(snmpd_t)
-can_ypbind(snmpd_t)
-
-allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
-
-etc_domain(snmpd)
-
-# for the .index file
-var_lib_domain(snmpd)
-file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
-allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
-
-log_domain(snmpd)
-# for /usr/share/snmp/mibs
-allow snmpd_t usr_t:file { getattr read };
-
-can_udp_send(sysadm_t, snmpd_t)
-can_udp_send(snmpd_t, sysadm_t)
-
-allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
-
-allow snmpd_t proc_t:dir search;
-allow snmpd_t proc_t:file r_file_perms;
-allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file rw_file_perms;
-allow snmpd_t { bin_t sbin_t }:dir search;
-can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-r_dir_file(snmpd_t, rpm_var_lib_t)
-dontaudit snmpd_t rpm_var_lib_t:dir write;
-dontaudit snmpd_t rpm_var_lib_t:file write;
-')
-')
-
-allow snmpd_t home_root_t:dir search;
-allow snmpd_t initrc_var_run_t:file r_file_perms;
-dontaudit snmpd_t initrc_var_run_t:file write;
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-read_sysctl(snmpd_t)
-allow snmpd_t sysctl_net_t:dir search;
-allow snmpd_t sysctl_net_t:file { getattr read };
-
-dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
-allow snmpd_t sysfs_t:dir { getattr read search };
-ifdef(`amanda.te', `
-dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
-')
-ifdef(`cupsd.te', `
-allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-allow snmpd_t var_lib_nfs_t:dir search;
-
-# needed in order to retrieve net traffic data
-allow snmpd_t proc_net_t:dir search;
-allow snmpd_t proc_net_t:file r_file_perms;
-
-allow snmpd_t domain:dir { getattr search };
-allow snmpd_t domain:file { getattr read };
-allow snmpd_t domain:process signull;
-
-dontaudit snmpd_t selinux_config_t:dir search;
diff --git a/targeted/domains/program/spamc.te b/targeted/domains/program/spamc.te
deleted file mode 100644
index 9b49fbf0..00000000
--- a/targeted/domains/program/spamc.te
+++ /dev/null
@@ -1,10 +0,0 @@
-#DESC Spamc - Spamassassin client
-#
-# Author: Colin Walters
-# X-Debian-Packages: spamc
-# Depends: spamassassin.te
-#
-
-type spamc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/targeted/domains/program/spamd.te b/targeted/domains/program/spamd.te
deleted file mode 100644
index 7c250024..00000000
--- a/targeted/domains/program/spamd.te
+++ /dev/null
@@ -1,70 +0,0 @@
-#DESC Spamd - Spamassassin daemon
-#
-# Author: Colin Walters
-# X-Debian-Packages: spamassassin
-# Depends: spamassassin.te
-#
-
-daemon_domain(spamd)
-
-tmp_domain(spamd)
-
-general_domain_access(spamd_t)
-uses_shlib(spamd_t)
-read_sysctl(spamd_t)
-
-# Various Perl bits
-allow spamd_t lib_t:file rx_file_perms;
-dontaudit spamd_t shadow_t:file { getattr read };
-dontaudit spamd_t initrc_var_run_t:file { read write lock };
-dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
-
-can_network_server(spamd_t)
-allow spamd_t spamd_port_t:tcp_socket name_bind;
-can_ypbind(spamd_t)
-allow spamd_t self:capability net_bind_service;
-
-allow spamd_t proc_t:file { getattr read };
-
-# Spamassassin, when run as root and using per-user config files,
-# setuids to the user running spamc. Comment this if you are not
-# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-
-allow spamd_t { bin_t sbin_t }:dir { getattr search };
-can_exec(spamd_t, bin_t)
-
-ifdef(`sendmail.te', `
-allow spamd_t etc_mail_t:dir { getattr read search };
-allow spamd_t etc_mail_t:file { getattr ioctl read };
-')
-allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
-
-ifdef(`amavis.te', `
-# for bayes tokens
-allow spamd_t var_lib_t:dir { getattr search };
-rw_dir_create_file(spamd_t, amavisd_lib_t)
-')
-
-allow spamd_t usr_t:file { getattr ioctl read };
-allow spamd_t usr_t:lnk_file { getattr read };
-allow spamd_t urandom_device_t:chr_file { getattr read };
-
-system_crond_entry(spamd_exec_t, spamd_t)
-
-allow spamd_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-allow spamd_t nfs_t:dir rw_dir_perms;
-allow spamd_t nfs_t:file create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-allow spamd_t cifs_t:dir rw_dir_perms;
-allow spamd_t cifs_t:file create_file_perms;
-}
-
-allow spamd_t home_root_t:dir getattr;
-allow spamd_t user_home_dir_type:dir { search getattr };
-
-
diff --git a/targeted/domains/program/squid.te b/targeted/domains/program/squid.te
deleted file mode 100644
index 1727186b..00000000
--- a/targeted/domains/program/squid.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC Squid - Web cache
-#
-# Author: Russell Coker
-# X-Debian-Packages: squid
-#
-
-#################################
-#
-# Rules for the squid_t domain.
-#
-# squid_t is the domain the squid process runs in
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
-bool squid_connect_any false;
-daemon_domain(squid, `, web_client_domain, nscd_client_domain')
-type squid_conf_t, file_type, sysadmfile;
-general_domain_access(squid_t)
-allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
-allow squid_t squid_conf_t:dir r_dir_perms;
-allow squid_t squid_conf_t:lnk_file read;
-
-logdir_domain(squid)
-rw_dir_create_file(initrc_t, squid_log_t)
-
-allow squid_t usr_t:file { getattr read };
-
-# type for /var/cache/squid
-type squid_cache_t, file_type, sysadmfile;
-
-allow squid_t self:capability { setgid setuid net_bind_service dac_override };
-allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
-allow squid_t etc_t:lnk_file read;
-allow squid_t self:unix_stream_socket create_socket_perms;
-allow squid_t self:unix_dgram_socket create_socket_perms;
-allow squid_t self:fifo_file rw_file_perms;
-
-read_sysctl(squid_t)
-
-allow squid_t devtty_t:chr_file rw_file_perms;
-
-allow squid_t { self proc_t }:file { read getattr };
-
-# for when we use /var/spool/cache
-allow squid_t var_spool_t:dir search;
-
-# Grant permissions to create, access, and delete cache files.
-# No type transitions required, as the files inherit the parent directory type.
-create_dir_file(squid_t, squid_cache_t)
-ifdef(`logrotate.te',
-`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
-ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
-
-# Use the network
-can_network(squid_t)
-if (squid_connect_any) {
-allow squid_t port_type:tcp_socket name_connect;
-}
-can_ypbind(squid_t)
-can_tcp_connect(web_client_domain, squid_t)
-
-# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-# to allow running programs from /usr/lib/squid (IE unlinkd)
-# also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
-allow squid_t { bin_t sbin_t }:dir search;
-allow squid_t { bin_t sbin_t }:lnk_file read;
-
-dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
-ifdef(`targeted_policy', `
-dontaudit squid_t tty_device_t:chr_file { read write };
-')
-allow squid_t urandom_device_t:chr_file { getattr read };
-
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-r_dir_file(squid_t, cert_t)
-ifdef(`winbind.te', `
-domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
-allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
-allow winbind_helper_t squid_log_t:file ra_file_perms;
-')
diff --git a/targeted/domains/program/ssh.te b/targeted/domains/program/ssh.te
deleted file mode 100644
index bfd1ea20..00000000
--- a/targeted/domains/program/ssh.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC sshd
-#
-# Authors: Daniel Walsh
-#
-
-#################################
-#
-# Rules for the sshd domain.
-#
-# sshd_exec_t is the type of the /bin/sshd and other programs.
-# This domain is defined just for targeted policy.
-#
-type sshd_exec_t, file_type, sysadmfile, exec_type;
-type ssh_exec_t, file_type, sysadmfile, exec_type;
-type ssh_keygen_exec_t, file_type, sysadmfile, exec_type;
-type ssh_keysign_exec_t, file_type, sysadmfile, exec_type;
-type sshd_key_t, file_type, sysadmfile;
-type sshd_var_run_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
-ifdef(`use_mcs', `
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-')
diff --git a/targeted/domains/program/stunnel.te b/targeted/domains/program/stunnel.te
deleted file mode 100644
index 4dbfcec8..00000000
--- a/targeted/domains/program/stunnel.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# DESC: selinux policy for stunnel
-#
-# Author: petre rodan
-#
-ifdef(`distro_gentoo', `
-
-daemon_domain(stunnel)
-
-can_network(stunnel_t)
-allow stunnel_t port_type:tcp_socket name_connect;
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:fifo_file { read write };
-allow stunnel_t self:tcp_socket { read write };
-allow stunnel_t self:unix_stream_socket { connect create };
-
-r_dir_file(stunnel_t, etc_t)
-', `
-inetd_child_domain(stunnel, tcp)
-allow stunnel_t self:capability sys_chroot;
-
-bool stunnel_is_daemon false;
-if (stunnel_is_daemon) {
-# Policy to run stunnel as a daemon should go here.
-allow stunnel_t self:tcp_socket rw_stream_socket_perms;
-allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-}
-')
-
-type stunnel_etc_t, file_type, sysadmfile;
-r_dir_file(stunnel_t, stunnel_etc_t)
-allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
-
diff --git a/targeted/domains/program/su.te b/targeted/domains/program/su.te
deleted file mode 100644
index 6d39909c..00000000
--- a/targeted/domains/program/su.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#DESC Su - Run shells with substitute user and group
-#
-# Domains for the su program.
-# X-Debian-Packages: login
-
-#
-# su_exec_t is the type of the su executable.
-#
-type su_exec_t, file_type, sysadmfile;
-
-allow sysadm_su_t user_home_dir_type:dir search;
-
-# Everything else is in the su_domain macro in
-# macros/program/su_macros.te.
-
-ifdef(`use_mcs', `
-ifdef(`targeted_policy', `
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
-can_exec(sysadm_su_t, bin_t)
-rw_dir_create_file(sysadm_su_t, home_dir_type)
-')
-')
diff --git a/targeted/domains/program/syslogd.te b/targeted/domains/program/syslogd.te
deleted file mode 100644
index be427ecd..00000000
--- a/targeted/domains/program/syslogd.te
+++ /dev/null
@@ -1,109 +0,0 @@
-#DESC Syslogd - System log daemon
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# X-Debian-Packages: sysklogd syslog-ng
-#
-
-#################################
-#
-# Rules for the syslogd_t domain.
-#
-# syslogd_t is the domain of syslogd.
-# syslogd_exec_t is the type of the syslogd executable.
-# devlog_t is the type of the Unix domain socket created
-# by syslogd.
-#
-ifdef(`klogd.te', `
-daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
-', `
-daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
-')
-
-# can_network is for the UDP socket
-can_network_udp(syslogd_t)
-can_ypbind(syslogd_t)
-
-r_dir_file(syslogd_t, sysfs_t)
-
-type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# if something can log to syslog they should be able to log to the console
-allow privlog console_device_t:chr_file { ioctl read write getattr };
-
-tmp_domain(syslogd)
-
-# read files in /etc
-allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
-
-# Use capabilities.
-allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
-
-# Modify/create log files.
-create_append_log_file(syslogd_t, var_log_t)
-
-# Create and bind to /dev/log or /var/run/log.
-file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
-ifdef(`distro_suse', `
-# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
-')
-allow syslogd_t self:unix_dgram_socket create_socket_perms;
-allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-allow syslogd_t self:fifo_file rw_file_perms;
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-# log to the xconsole
-allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
-
-# Domains with the privlog attribute may log to syslogd.
-allow privlog devlog_t:sock_file rw_file_perms;
-can_unix_send(privlog,syslogd_t)
-can_unix_connect(privlog,syslogd_t)
-# allow /dev/log to be a link elsewhere for chroot setup
-allow privlog devlog_t:lnk_file read;
-
-ifdef(`crond.te', `
-# for daemon re-start
-allow system_crond_t syslogd_t:lnk_file read;
-')
-
-ifdef(`logrotate.te', `
-allow logrotate_t syslogd_exec_t:file r_file_perms;
-')
-
-# for sending messages to logged in users
-allow syslogd_t initrc_var_run_t:file { read lock };
-dontaudit syslogd_t initrc_var_run_t:file write;
-allow syslogd_t ttyfile:chr_file { getattr write };
-
-#
-# Special case to handle crashes
-#
-allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
-
-# Allow syslog to a terminal
-allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
-
-# Allow name_bind for remote logging
-allow syslogd_t syslogd_port_t:udp_socket name_bind;
-#
-# /initrd is not umounted before minilog starts
-#
-dontaudit syslogd_t file_t:dir search;
-allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
-dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`targeted_policy', `
-allow syslogd_t var_run_t:fifo_file { ioctl read write };
-')
-
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-allow syslogd_t self:capability { sys_admin chown fsetid };
-allow syslogd_t var_log_t:dir { create setattr };
-allow syslogd_t syslogd_port_t:tcp_socket name_bind;
-allow syslogd_t rsh_port_t:tcp_socket name_connect;
diff --git a/targeted/domains/program/telnetd.te b/targeted/domains/program/telnetd.te
deleted file mode 100644
index bbbb2c19..00000000
--- a/targeted/domains/program/telnetd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# telnet server daemon
-#
-
-#################################
-#
-# Rules for the telnetd_t domain
-#
-
-remote_login_daemon(telnetd)
-typealias telnetd_port_t alias telnet_port_t;
diff --git a/targeted/domains/program/tftpd.te b/targeted/domains/program/tftpd.te
deleted file mode 100644
index c7499871..00000000
--- a/targeted/domains/program/tftpd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC TFTP - UDP based file server for boot loaders
-#
-# Author: Russell Coker
-# X-Debian-Packages: tftpd atftpd
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the tftpd_t domain.
-#
-# tftpd_exec_t is the type of the tftpd executable.
-#
-daemon_domain(tftpd)
-
-# tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, sysadmfile;
-r_dir_file(tftpd_t, tftpdir_t)
-
-domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
-
-# Use the network.
-can_network_udp(tftpd_t)
-allow tftpd_t tftp_port_t:udp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t tftp_port_t:udp_socket name_bind;
-')
-allow tftpd_t self:unix_dgram_socket create_socket_perms;
-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-
-# allow any domain to connect to the TFTP server
-allow tftpd_t inetd_t:udp_socket rw_socket_perms;
-
-# Use capabilities
-allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot };
-
-allow tftpd_t etc_t:dir r_dir_perms;
-allow tftpd_t etc_t:file r_file_perms;
-
-allow tftpd_t var_t:dir r_dir_perms;
-allow tftpd_t var_t:{ file lnk_file } r_file_perms;
diff --git a/targeted/domains/program/udev.te b/targeted/domains/program/udev.te
deleted file mode 100644
index cc5f7d45..00000000
--- a/targeted/domains/program/udev.te
+++ /dev/null
@@ -1,152 +0,0 @@
-#DESC udev - Linux configurable dynamic device naming support
-#
-# Author: Dan Walsh dwalsh@redhat.com
-#
-
-#################################
-#
-# Rules for the udev_t domain.
-#
-# udev_exec_t is the type of the udev executable.
-#
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
-
-general_domain_access(udev_t)
-
-if (allow_execmem) {
-# for alsactl
-allow udev_t self:process execmem;
-}
-
-etc_domain(udev)
-type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-can_exec_any(udev_t)
-
-#
-# Rules used for udev
-#
-type udev_tdb_t, file_type, sysadmfile, dev_fs;
-typealias udev_tdb_t alias udev_tbl_t;
-file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice };
-allow udev_t self:file { getattr read };
-allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
-allow udev_t self:unix_dgram_socket create_socket_perms;
-allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow udev_t device_t:file { unlink rw_file_perms };
-allow udev_t device_t:sock_file create_file_perms;
-allow udev_t device_t:lnk_file create_lnk_perms;
-allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-ifdef(`distro_redhat', `
-allow udev_t tmpfs_t:dir create_dir_perms;
-allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
-allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-allow udev_t tmpfs_t:dir search;
-
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
-')
-allow udev_t etc_t:file { getattr read ioctl };
-allow udev_t { bin_t sbin_t }:dir r_dir_perms;
-allow udev_t { sbin_t bin_t }:lnk_file read;
-allow udev_t bin_t:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
-can_exec(udev_t, udev_exec_t)
-rw_dir_file(udev_t, sysfs_t)
-allow udev_t sysadm_tty_device_t:chr_file { read write };
-
-# to read the file_contexts file
-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
-
-allow udev_t policy_config_t:dir search;
-allow udev_t proc_t:file { getattr read ioctl };
-allow udev_t proc_kcore_t:file getattr;
-
-# Get security policy decisions.
-can_getsecurity(udev_t)
-
-# set file system create context
-can_setfscreate(udev_t)
-
-allow udev_t kernel_t:fd use;
-allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
-allow udev_t kernel_t:process signal;
-
-allow udev_t initrc_var_run_t:file r_file_perms;
-dontaudit udev_t initrc_var_run_t:file write;
-
-domain_auto_trans(kernel_t, udev_exec_t, udev_t)
-domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
-')
-allow udev_t devpts_t:dir { getattr search };
-allow udev_t etc_runtime_t:file { getattr read };
-ifdef(`xdm.te', `
-allow udev_t xdm_var_run_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_etc_t)
-')
-allow udev_t var_log_t:dir search;
-
-ifdef(`consoletype.te', `
-can_exec(udev_t, consoletype_exec_t)
-')
-ifdef(`pamconsole.te', `
-allow udev_t pam_var_console_t:dir search;
-allow udev_t pam_var_console_t:file { getattr read };
-domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
-')
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
-domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
-')
-
-dontaudit udev_t file_t:dir search;
-ifdef(`dhcpc.te', `
-domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
-')
-
-allow udev_t udev_helper_exec_t:dir r_dir_perms;
-
-dbusd_client(system, udev)
-
-allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
-allow udev_t sysctl_dev_t:dir search;
-allow udev_t mnt_t:dir search;
-allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
-allow udev_t self:rawip_socket create_socket_perms;
-dontaudit udev_t domain:dir r_dir_perms;
-dontaudit udev_t ttyfile:chr_file unlink;
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_var_run_t)
-')
-r_dir_file(udev_t, modules_object_t)
-#
-# Udev is now writing dhclient-eth*.conf* files.
-#
-ifdef(`dhcpd.te', `define(`use_dhcp')')
-ifdef(`dhcpc.te', `define(`use_dhcp')')
-ifdef(`use_dhcp', `
-allow udev_t dhcp_etc_t:file rw_file_perms;
-file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
-')
-r_dir_file(udev_t, domain)
-allow udev_t modules_dep_t:file r_file_perms;
-
-nsswitch_domain(udev_t)
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(udev_t)
-')
-dontaudit hostname_t udev_t:fd use;
-ifdef(`use_mcs', `
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-')
diff --git a/targeted/domains/program/updfstab.te b/targeted/domains/program/updfstab.te
deleted file mode 100644
index 82edf3d3..00000000
--- a/targeted/domains/program/updfstab.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC updfstab - Red Hat utility to change /etc/fstab
-#
-# Author: Russell Coker
-#
-
-daemon_base_domain(updfstab, `, fs_domain, etc_writer')
-
-rw_dir_create_file(updfstab_t, etc_t)
-create_dir_file(updfstab_t, mnt_t)
-
-# Read /dev directories and modify sym-links
-allow updfstab_t device_t:dir rw_dir_perms;
-allow updfstab_t device_t:lnk_file create_file_perms;
-
-# Access disk devices.
-allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
-allow updfstab_t removable_device_t:blk_file rw_file_perms;
-allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
-
-# for /proc/partitions
-allow updfstab_t proc_t:file { getattr read };
-
-# for /proc/self/mounts
-r_dir_file(updfstab_t, self)
-
-# for /etc/mtab
-allow updfstab_t etc_runtime_t:file { getattr read };
-
-read_locale(updfstab_t)
-
-ifdef(`dbusd.te', `
-dbusd_client(system, updfstab)
-allow updfstab_t system_dbusd_t:dbus { send_msg };
-allow initrc_t updfstab_t:dbus send_msg;
-allow updfstab_t initrc_t:dbus send_msg;
-')
-
-# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
-# I will not allow it
-read_sysctl(updfstab_t)
-dontaudit updfstab_t sysctl_kernel_t:file write;
-allow updfstab_t modules_conf_t:file { getattr read };
-allow updfstab_t sbin_t:dir search;
-allow updfstab_t sbin_t:lnk_file read;
-allow updfstab_t { var_t var_log_t }:dir search;
-
-allow updfstab_t kernel_t:fd use;
-
-allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
-allow updfstab_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`modutil.te', `
-dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
-can_exec(updfstab_t, insmod_exec_t)
-allow updfstab_t modules_object_t:dir search;
-allow updfstab_t modules_dep_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
-')
-allow updfstab_t kernel_t:system syslog_console;
-allow updfstab_t sysadm_tty_device_t:chr_file { read write };
-allow updfstab_t self:capability dac_override;
-dontaudit updfstab_t self:capability sys_admin;
-
-r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
-can_getsecurity(updfstab_t)
-
-allow updfstab_t { sbin_t bin_t }:dir { search getattr };
-dontaudit updfstab_t devtty_t:chr_file { read write };
-allow updfstab_t self:fifo_file { getattr read write ioctl };
-can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
-dontaudit updfstab_t home_root_t:dir { getattr search };
-dontaudit updfstab_t { home_dir_type home_type }:dir search;
-allow updfstab_t fs_t:filesystem { getattr };
-allow updfstab_t tmpfs_t:dir getattr;
-ifdef(`hald.te', `
-can_unix_connect(updfstab_t, hald_t)
-')
-
diff --git a/targeted/domains/program/uucpd.te b/targeted/domains/program/uucpd.te
deleted file mode 100644
index 05791bd3..00000000
--- a/targeted/domains/program/uucpd.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC uucpd - UUCP file transfer daemon
-#
-# Author: Dan Walsh
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the uucpd_t domain.
-#
-# uucpd_exec_t is the type of the uucpd executable.
-#
-
-inetd_child_domain(uucpd, tcp)
-type uucpd_rw_t, file_type, sysadmfile;
-type uucpd_ro_t, file_type, sysadmfile;
-type uucpd_spool_t, file_type, sysadmfile;
-create_dir_file(uucpd_t, uucpd_rw_t)
-r_dir_file(uucpd_t, uucpd_ro_t)
-allow uucpd_t sbin_t:dir search;
-can_exec(uucpd_t, sbin_t)
-logdir_domain(uucpd)
-allow uucpd_t var_spool_t:dir search;
-create_dir_file(uucpd_t, uucpd_spool_t)
diff --git a/targeted/domains/program/webalizer.te b/targeted/domains/program/webalizer.te
deleted file mode 100644
index c1f38bde..00000000
--- a/targeted/domains/program/webalizer.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# DESC webalizer - webalizer
-#
-# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
-#
-# Depends: apache.te
-
-application_domain(webalizer, `, nscd_client_domain')
-# to use from cron
-system_crond_entry(webalizer_exec_t,webalizer_t)
-role system_r types webalizer_t;
-
-##type definision
-# type for usage file
-type webalizer_usage_t,file_type,sysadmfile;
-# type for /var/lib/webalizer
-type webalizer_write_t,file_type,sysadmfile;
-# type for webalizer.conf
-etc_domain(webalizer)
-
-#read apache log
-allow webalizer_t var_log_t:dir r_dir_perms;
-r_dir_file(webalizer_t, httpd_log_t)
-ifdef(`ftpd.te', `
-allow webalizer_t xferlog_t:file { getattr read };
-')
-
-#r/w /var/lib/webalizer
-var_lib_domain(webalizer)
-
-#read /var/www/usage
-create_dir_file(webalizer_t, httpd_sys_content_t)
-
-#read system files under /etc
-allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale(webalizer_t)
-
-# can use tmp file
-tmp_domain(webalizer)
-
-# can read /proc
-read_sysctl(webalizer_t)
-allow webalizer_t proc_t:dir search;
-allow webalizer_t proc_t:file r_file_perms;
-
-# network
-can_network_server(webalizer_t)
-
-#process communication inside webalizer itself
-general_domain_access(webalizer_t)
-
-allow webalizer_t self:capability dac_override;
diff --git a/targeted/domains/program/winbind.te b/targeted/domains/program/winbind.te
deleted file mode 100644
index 7b9e5e98..00000000
--- a/targeted/domains/program/winbind.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC winbind - Name Service Switch daemon for resolving names from NT servers
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for winbind
-#
-
-daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
-log_domain(winbind)
-tmp_domain(winbind)
-allow winbind_t etc_t:file r_file_perms;
-allow winbind_t etc_t:lnk_file read;
-can_network(winbind_t)
-allow winbind_t smbd_port_t:tcp_socket name_connect;
-can_resolve(winbind_t)
-
-ifdef(`samba.te', `', `
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_secrets_t, file_type, sysadmfile;
-')
-file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
-rw_dir_create_file(winbind_t, samba_log_t)
-allow winbind_t samba_secrets_t:file rw_file_perms;
-allow winbind_t self:unix_dgram_socket create_socket_perms;
-allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_t urandom_device_t:chr_file { getattr read };
-allow winbind_t self:fifo_file { read write };
-rw_dir_create_file(winbind_t, samba_var_t)
-can_kerberos(winbind_t)
-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow winbind_t winbind_var_run_t:sock_file create_file_perms;
-allow initrc_t winbind_var_run_t:file r_file_perms;
-
-application_domain(winbind_helper, `, nscd_client_domain')
-role system_r types winbind_helper_t;
-access_terminal(winbind_helper_t, sysadm)
-read_locale(winbind_helper_t)
-r_dir_file(winbind_helper_t, samba_etc_t)
-r_dir_file(winbind_t, samba_etc_t)
-allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
-allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_helper_t samba_var_t:dir search;
-allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
-can_winbind(winbind_helper_t)
-allow winbind_helper_t privfd:fd use;
diff --git a/targeted/domains/program/xdm.te b/targeted/domains/program/xdm.te
deleted file mode 100644
index 740f1246..00000000
--- a/targeted/domains/program/xdm.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC xdm - Linux configurable dynamic device naming support
-#
-# Authors: Daniel Walsh
-#
-
-#################################
-#
-# Rules for the xdm domain.
-#
-# xdm_exec_t is the type of the /usr/bin/gdm and other programs.
-# This domain is defined just for targeted policy.
-#
-type xdm_exec_t, file_type, sysadmfile, exec_type;
-type xsession_exec_t, file_type, sysadmfile, exec_type;
-type xserver_log_t, file_type, sysadmfile;
-type xdm_xserver_tmp_t, file_type, sysadmfile;
-type xdm_rw_etc_t, file_type, sysadmfile;
-type xdm_var_run_t, file_type, sysadmfile;
-type xdm_var_lib_t, file_type, sysadmfile;
-type xdm_tmp_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
-domain_auto_trans(init_t, xdm_exec_t, xdm_t)
-ifdef(`use_mcs', `
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-')
diff --git a/targeted/domains/program/ypbind.te b/targeted/domains/program/ypbind.te
deleted file mode 100644
index ed7c3f80..00000000
--- a/targeted/domains/program/ypbind.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC Ypbind - NIS/YP
-#
-# Authors: Stephen Smalley and Timothy Fraser
-# Russell Coker
-# X-Debian-Packages: nis
-# Depends: portmap.te named.te
-#
-
-#################################
-#
-# Rules for the ypbind_t domain.
-#
-daemon_domain(ypbind)
-
-tmp_domain(ypbind)
-
-# Use capabilities.
-allow ypbind_t self:capability { net_bind_service };
-dontaudit ypbind_t self:capability net_admin;
-
-# Use the network.
-can_network(ypbind_t)
-allow ypbind_t port_type:tcp_socket name_connect;
-allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
-
-allow ypbind_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypbind_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypbind_t, portmap_t)
-can_udp_send(ypbind_t, initrc_t)
-
-# Read and write /var/yp.
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
-allow initrc_t var_yp_t:dir { getattr read };
-allow ypbind_t etc_t:file { getattr read };
-allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_udp_send(initrc_t, ypbind_t)
-
diff --git a/targeted/domains/program/ypserv.te b/targeted/domains/program/ypserv.te
deleted file mode 100644
index 1ecc731d..00000000
--- a/targeted/domains/program/ypserv.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC Ypserv - NIS/YP
-#
-# Authors: Dan Walsh
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the ypserv_t domain.
-#
-daemon_domain(ypserv)
-
-tmp_domain(ypserv)
-
-# Use capabilities.
-allow ypserv_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(ypserv_t)
-
-allow ypserv_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypserv_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypserv_t, portmap_t)
-can_udp_send(ypserv_t, initrc_t)
-
-type ypserv_conf_t, file_type, sysadmfile;
-
-# Read and write /var/yp.
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
-allow ypserv_t ypserv_conf_t:file { getattr read };
-allow ypserv_t self:unix_dgram_socket create_socket_perms;
-allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`rpcd.te', `
-allow rpcd_t ypserv_conf_t:file { getattr read };
-')
-allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_exec(ypserv_t, bin_t)
diff --git a/targeted/domains/program/zebra.te b/targeted/domains/program/zebra.te
deleted file mode 100644
index 640c6211..00000000
--- a/targeted/domains/program/zebra.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC Zebra - BGP server
-#
-# Author: Russell Coker
-# X-Debian-Packages: zebra
-#
-
-daemon_domain(zebra, `, sysctl_net_writer')
-type zebra_conf_t, file_type, sysadmfile;
-r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
-
-can_network_server(zebra_t)
-can_ypbind(zebra_t)
-allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow zebra_t self:process setcap;
-allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
-file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
-
-logdir_domain(zebra)
-
-# /tmp/.bgpd is such a bad idea!
-tmp_domain(zebra, `', sock_file)
-
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
-allow zebra_t zebra_port_t:tcp_socket name_bind;
-
-allow zebra_t proc_t:file { getattr read };
-allow zebra_t { sysctl_t sysctl_net_t }:dir search;
-allow zebra_t sysctl_net_t:file rw_file_perms;
diff --git a/targeted/domains/unconfined.te b/targeted/domains/unconfined.te
deleted file mode 100644
index 715aa777..00000000
--- a/targeted/domains/unconfined.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Unconfined - The unconfined domain
-
-# This is the initial domain, and is used for everything that
-# is not explicitly confined. It has no restrictions.
-# It needs to be carefully protected from the confined domains.
-
-type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
-role system_r types unconfined_t;
-role user_r types unconfined_t;
-unconfined_domain(unconfined_t)
-allow domain unconfined_t:fd use;
-allow domain unconfined_t:process sigchld;
-
-# Define some type aliases to help with compatibility with
-# macros and domains from the "strict" policy.
-typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
-
-typeattribute tty_device_t admin_tty_type;
-typeattribute devpts_t admin_tty_type;
-
-# User home directory type.
-type user_home_t, file_type, sysadmfile, home_type;
-type user_home_dir_t, file_type, sysadmfile, home_dir_type;
-file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
-allow privhome home_root_t:dir { getattr search };
-file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
-
-define(`user_typealias', `
-ifelse($1,`user',`',`
-typealias user_home_t alias $1_home_t;
-typealias user_home_dir_t alias $1_home_dir_t;
-')
-typealias tty_device_t alias $1_tty_device_t;
-typealias devpts_t alias $1_devpts_t;
-')
-user_typealias(sysadm)
-user_typealias(staff)
-user_typealias(user)
-attribute user_file_type;
-attribute staff_file_type;
-attribute sysadm_file_type;
-
-allow unconfined_t unlabeled_t:filesystem *;
-allow unconfined_t self:system syslog_read;
-allow unlabeled_t self:filesystem associate;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Allow making anonymous memory executable, e.g.
-# for runtime-code generation or executable stack.
-bool allow_execmem true;
-
-# Allow making the stack executable via mprotect.
-# Also requires allow_execmem.
-bool allow_execstack true;
-
-# Allow making a modified private file mapping executable (text relocation).
-bool allow_execmod true;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-ifdef(`samba.te', `samba_domain(user)')
-ifdef(`i18n_input.te', `i18n_input_domain(user)')
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow system to run with Kerberos
-bool allow_kerberos false;
-
-# allow reading of default file context
-bool read_default_t true;
-
-if (allow_execmem) {
-allow domain self:process execmem;
-}
-
-#Removing i18n_input from targeted for now, since wants to read users homedirs
-typealias bin_t alias i18n_input_exec_t;
-typealias unconfined_t alias i18n_input_t;
-typealias var_run_t alias i18n_input_var_run_t;
-ifdef(`su.te', `
-typealias unconfined_t alias { sysadm_chkpwd_t };
-typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
-su_domain(sysadm)
-typeattribute sysadm_su_t unconfinedtrans;
-role system_r types sysadm_su_t;
-')
-
diff --git a/targeted/file_contexts/distros.fc b/targeted/file_contexts/distros.fc
deleted file mode 100644
index 33c7f5e1..00000000
--- a/targeted/file_contexts/distros.fc
+++ /dev/null
@@ -1,164 +0,0 @@
-ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
-/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
-/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t:s0
-/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t:s0
-/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t:s0
-/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t:s0
-/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t:s0
-#
-# /emul/ia32-linux/usr
-#
-/emul(/.*)? system_u:object_r:usr_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
-/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t:s0
-# /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t:s0
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
-# /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t:s0
-# /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t:s0
-
-ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0
-')
-
-# The following are libraries with text relocations in need of execmod permissions
-# Some of them should be fixed and removed from this list
-
-# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program(/.*)? system_u:object_r:bin_t:s0
-/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t:s0
-/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t:s0
-
-# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-
-# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t:s0
-
-# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t:s0
-
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t:s0
-')
-
-ifdef(`distro_suse', `
-/var/lib/samba/bin/.+ system_u:object_r:bin_t:s0
-/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t:s0
-/usr/lib/samba/classic/.* -- system_u:object_r:bin_t:s0
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/success -- system_u:object_r:etc_runtime_t:s0
-/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t:s0
-')
diff --git a/targeted/file_contexts/homedir_template b/targeted/file_contexts/homedir_template
deleted file mode 100644
index e994915a..00000000
--- a/targeted/file_contexts/homedir_template
+++ /dev/null
@@ -1,12 +0,0 @@
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-# and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-HOME_ROOT -d system_u:object_r:home_root_t:s0
-HOME_DIR -d system_u:object_r:ROLE_home_dir_t:s0
-HOME_DIR/.+ system_u:object_r:ROLE_home_t:s0
-HOME_ROOT/\.journal <>
-HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t:s0
-HOME_ROOT/lost\+found/.* <>
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
diff --git a/targeted/file_contexts/program/NetworkManager.fc b/targeted/file_contexts/program/NetworkManager.fc
deleted file mode 100644
index cb57584e..00000000
--- a/targeted/file_contexts/program/NetworkManager.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# NetworkManager
-/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t:s0
diff --git a/targeted/file_contexts/program/acct.fc b/targeted/file_contexts/program/acct.fc
deleted file mode 100644
index 78622bd3..00000000
--- a/targeted/file_contexts/program/acct.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# berkeley process accounting
-/sbin/accton -- system_u:object_r:acct_exec_t:s0
-/usr/sbin/accton -- system_u:object_r:acct_exec_t:s0
-/var/account(/.*)? system_u:object_r:acct_data_t:s0
-/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t:s0
diff --git a/targeted/file_contexts/program/afs.fc b/targeted/file_contexts/program/afs.fc
deleted file mode 100644
index fb49f336..00000000
--- a/targeted/file_contexts/program/afs.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# afs
-/usr/afs/bin/bosserver -- system_u:object_r:afs_bosserver_exec_t
-/usr/afs/bin/kaserver -- system_u:object_r:afs_kaserver_exec_t
-/usr/afs/bin/vlserver -- system_u:object_r:afs_vlserver_exec_t
-/usr/afs/bin/ptserver -- system_u:object_r:afs_ptserver_exec_t
-/usr/afs/bin/fileserver -- system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/volserver -- system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/salvager -- system_u:object_r:afs_fsserver_exec_t
-
-/usr/afs/logs(/.*)? system_u:object_r:afs_logfile_t
-/usr/afs/etc(/.*)? system_u:object_r:afs_config_t
-/usr/afs/local(/.*)? system_u:object_r:afs_config_t
-/usr/afs/db -d system_u:object_r:afs_dbdir_t
-/usr/afs/db/pr.* -- system_u:object_r:afs_pt_db_t
-/usr/afs/db/ka.* -- system_u:object_r:afs_ka_db_t
-/usr/afs/db/vl.* -- system_u:object_r:afs_vl_db_t
-
-/vicepa system_u:object_r:afs_files_t
-/vicepb system_u:object_r:afs_files_t
-/vicepc system_u:object_r:afs_files_t
diff --git a/targeted/file_contexts/program/alsa.fc b/targeted/file_contexts/program/alsa.fc
deleted file mode 100644
index 837b071c..00000000
--- a/targeted/file_contexts/program/alsa.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC ainit - configuration tool for ALSA
-/usr/bin/ainit -- system_u:object_r:alsa_exec_t
-/etc/alsa/pcm(/.*)? system_u:object_r:alsa_etc_rw_t
diff --git a/targeted/file_contexts/program/amanda.fc b/targeted/file_contexts/program/amanda.fc
deleted file mode 100644
index 917b41aa..00000000
--- a/targeted/file_contexts/program/amanda.fc
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# Author: Carsten Grohmann
-#
-
-# amanda
-/etc/amanda(/.*)? system_u:object_r:amanda_config_t:s0
-/etc/amanda/.*/tapelist(/.*)? system_u:object_r:amanda_data_t:s0
-/etc/amandates system_u:object_r:amanda_amandates_t:s0
-/etc/dumpdates system_u:object_r:amanda_dumpdates_t:s0
-/root/restore -d system_u:object_r:amanda_recover_dir_t:s0
-/tmp/amanda(/.*)? system_u:object_r:amanda_tmp_t:s0
-/usr/lib(64)?/amanda -d system_u:object_r:amanda_usr_lib_t:s0
-/usr/lib(64)?/amanda/amandad -- system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amcat\.awk -- system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amcleanupdisk -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amidxtaped -- system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amindexd -- system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amlogroll -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.awk -- system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.g -- system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.gp -- system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amtrmidx -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amtrmlog -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/calcsize -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-chio -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-chs -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-manual -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-mtx -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-multi -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-rth -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-scsi -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-zd-mtx -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/driver -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/dumper -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/killpgrp -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/patch-system -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/planner -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/rundump -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/runtar -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/selfcheck -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/sendbackup -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/sendsize -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/taper -- system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/versionsuffix -- system_u:object_r:amanda_exec_t:s0
-/usr/sbin/amadmin -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcheck -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcheckdb -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcleanup -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amdump -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amflush -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amgetconf -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amlabel -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amoverview -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amplot -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrecover -- system_u:object_r:amanda_recover_exec_t:s0
-/usr/sbin/amreport -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrestore -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrmtape -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amstatus -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amtape -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amtoc -- system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amverify -- system_u:object_r:amanda_user_exec_t:s0
-/var/lib/amanda -d system_u:object_r:amanda_var_lib_t:s0
-/var/lib/amanda/\.amandahosts -- system_u:object_r:amanda_config_t:s0
-/var/lib/amanda/\.bashrc -- system_u:object_r:amanda_shellconfig_t:s0
-/var/lib/amanda/\.profile -- system_u:object_r:amanda_shellconfig_t:s0
-/var/lib/amanda/disklist -- system_u:object_r:amanda_data_t:s0
-/var/lib/amanda/gnutar-lists(/.*)? system_u:object_r:amanda_gnutarlists_t:s0
-/var/lib/amanda/index system_u:object_r:amanda_data_t:s0
-/var/log/amanda(/.*)? system_u:object_r:amanda_log_t:s0
diff --git a/targeted/file_contexts/program/amavis.fc b/targeted/file_contexts/program/amavis.fc
deleted file mode 100644
index 366da332..00000000
--- a/targeted/file_contexts/program/amavis.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# amavis
-/usr/sbin/amavisd.* -- system_u:object_r:amavisd_exec_t
-/etc/amavisd\.conf -- system_u:object_r:amavisd_etc_t
-/var/log/amavisd\.log -- system_u:object_r:amavisd_log_t
-/var/lib/amavis(/.*)? system_u:object_r:amavisd_lib_t
-/var/run/amavis(/.*)? system_u:object_r:amavisd_var_run_t
-/var/amavis(/.*)? system_u:object_r:amavisd_lib_t
-/var/virusmails(/.*)? system_u:object_r:amavisd_quarantine_t
diff --git a/targeted/file_contexts/program/anaconda.fc b/targeted/file_contexts/program/anaconda.fc
deleted file mode 100644
index a0cbc0eb..00000000
--- a/targeted/file_contexts/program/anaconda.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Anaconda file context
-# currently anaconda does not have any file context since it is started during install
-# This is a placeholder to stop makefile from complaining
-#
diff --git a/targeted/file_contexts/program/apache.fc b/targeted/file_contexts/program/apache.fc
deleted file mode 100644
index 0eb4c1cf..00000000
--- a/targeted/file_contexts/program/apache.fc
+++ /dev/null
@@ -1,60 +0,0 @@
-# apache
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
-/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
-/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
-/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
-/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/php-mmcache(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/mason(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/rt3(/.*)? system_u:object_r:httpd_cache_t:s0
-/etc/httpd -d system_u:object_r:httpd_config_t:s0
-/etc/httpd/conf.* system_u:object_r:httpd_config_t:s0
-/etc/httpd/logs system_u:object_r:httpd_log_t:s0
-/etc/httpd/modules system_u:object_r:httpd_modules_t:s0
-/etc/apache(2)?(/.*)? system_u:object_r:httpd_config_t:s0
-/etc/vhosts -- system_u:object_r:httpd_config_t:s0
-/usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t:s0
-/usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t:s0
-/usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t:s0
-/usr/sbin/httpd(\.worker)? -- system_u:object_r:httpd_exec_t:s0
-/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t:s0
-/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t:s0
-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t:s0
-/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t:s0
-/var/log/httpd(/.*)? system_u:object_r:httpd_log_t:s0
-/var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_t:s0
-/var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t:s0
-/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t:s0
-/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/run/apache.* system_u:object_r:httpd_var_run_t:s0
-/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t:s0
-/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t:s0
-/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t:s0
-/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t:s0
-/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t:s0
-/var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t:s0
-/var/run/gcache_port -s system_u:object_r:httpd_var_run_t:s0
-ifdef(`distro_debian', `
-/var/log/horde2(/.*)? system_u:object_r:httpd_log_t:s0
-')
-ifdef(`distro_suse', `
-# suse puts shell scripts there :-(
-/usr/share/apache2/[^/]* -- system_u:object_r:bin_t:s0
-/usr/sbin/httpd2-.* -- system_u:object_r:httpd_exec_t:s0
-')
-/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t:s0
-/var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t:s0
-/usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t:s0
-/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t:s0
-ifdef(`targeted_policy', `', `
-/var/spool/cron/apache -- system_u:object_r:user_cron_spool_t:s0
-')
-/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t:s0
-
diff --git a/targeted/file_contexts/program/apmd.fc b/targeted/file_contexts/program/apmd.fc
deleted file mode 100644
index 6554b526..00000000
--- a/targeted/file_contexts/program/apmd.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# apmd
-/usr/sbin/apmd -- system_u:object_r:apmd_exec_t:s0
-/usr/sbin/acpid -- system_u:object_r:apmd_exec_t:s0
-/usr/sbin/powersaved -- system_u:object_r:apmd_exec_t:s0
-/usr/bin/apm -- system_u:object_r:apm_exec_t:s0
-/var/run/apmd\.pid -- system_u:object_r:apmd_var_run_t:s0
-/var/run/\.?acpid\.socket -s system_u:object_r:apmd_var_run_t:s0
-/var/run/powersaved\.pid -- system_u:object_r:apmd_var_run_t:s0
-/var/run/powersave_socket -s system_u:object_r:apmd_var_run_t:s0
-/var/log/acpid -- system_u:object_r:apmd_log_t:s0
-ifdef(`distro_suse', `
-/var/lib/acpi(/.*)? system_u:object_r:apmd_var_lib_t:s0
-')
-
diff --git a/targeted/file_contexts/program/arpwatch.fc b/targeted/file_contexts/program/arpwatch.fc
deleted file mode 100644
index 48699406..00000000
--- a/targeted/file_contexts/program/arpwatch.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# arpwatch - keep track of ethernet/ip address pairings
-/usr/sbin/arpwatch -- system_u:object_r:arpwatch_exec_t:s0
-/var/arpwatch(/.*)? system_u:object_r:arpwatch_data_t:s0
-/var/lib/arpwatch(/.*)? system_u:object_r:arpwatch_data_t:s0
diff --git a/targeted/file_contexts/program/asterisk.fc b/targeted/file_contexts/program/asterisk.fc
deleted file mode 100644
index 6f4eb4b2..00000000
--- a/targeted/file_contexts/program/asterisk.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# asterisk
-/usr/sbin/asterisk -- system_u:object_r:asterisk_exec_t
-/var/run/asterisk(/.*)? system_u:object_r:asterisk_var_run_t
-/etc/asterisk(/.*)? system_u:object_r:asterisk_etc_t
-/var/log/asterisk(/.*)? system_u:object_r:asterisk_log_t
-/var/lib/asterisk(/.*)? system_u:object_r:asterisk_var_lib_t
-/var/spool/asterisk(/.*)? system_u:object_r:asterisk_spool_t
diff --git a/targeted/file_contexts/program/audio-entropyd.fc b/targeted/file_contexts/program/audio-entropyd.fc
deleted file mode 100644
index a8f616a5..00000000
--- a/targeted/file_contexts/program/audio-entropyd.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/audio-entropyd -- system_u:object_r:entropyd_exec_t
diff --git a/targeted/file_contexts/program/auditd.fc b/targeted/file_contexts/program/auditd.fc
deleted file mode 100644
index 08b93201..00000000
--- a/targeted/file_contexts/program/auditd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# auditd
-/sbin/auditctl -- system_u:object_r:auditctl_exec_t:s0
-/sbin/auditd -- system_u:object_r:auditd_exec_t:s0
-/var/log/audit.log -- system_u:object_r:auditd_log_t:s0
-/var/log/audit(/.*)? system_u:object_r:auditd_log_t:s0
-/etc/auditd.conf -- system_u:object_r:auditd_etc_t:s0
-/etc/audit.rules -- system_u:object_r:auditd_etc_t:s0
-
diff --git a/targeted/file_contexts/program/authbind.fc b/targeted/file_contexts/program/authbind.fc
deleted file mode 100644
index 9fed63e8..00000000
--- a/targeted/file_contexts/program/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# authbind
-/etc/authbind(/.*)? system_u:object_r:authbind_etc_t
-/usr/lib(64)?/authbind/helper -- system_u:object_r:authbind_exec_t
diff --git a/targeted/file_contexts/program/automount.fc b/targeted/file_contexts/program/automount.fc
deleted file mode 100644
index f7b56f74..00000000
--- a/targeted/file_contexts/program/automount.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# automount
-/usr/sbin/automount -- system_u:object_r:automount_exec_t
-/etc/apm/event\.d/autofs -- system_u:object_r:automount_exec_t
-/var/run/autofs(/.*)? system_u:object_r:automount_var_run_t
-/etc/auto\..+ -- system_u:object_r:automount_etc_t
diff --git a/targeted/file_contexts/program/avahi.fc b/targeted/file_contexts/program/avahi.fc
deleted file mode 100644
index fa6e00e0..00000000
--- a/targeted/file_contexts/program/avahi.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
-/usr/sbin/avahi-daemon -- system_u:object_r:avahi_exec_t:s0
-/usr/sbin/avahi-dnsconfd -- system_u:object_r:avahi_exec_t:s0
-/var/run/avahi-daemon(/.*)? system_u:object_r:avahi_var_run_t:s0
diff --git a/targeted/file_contexts/program/backup.fc b/targeted/file_contexts/program/backup.fc
deleted file mode 100644
index ed828092..00000000
--- a/targeted/file_contexts/program/backup.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# backup
-# label programs that do backups to other files on disk (IE a cron job that
-# calls tar) in backup_exec_t and label the directory for storing them as
-# backup_store_t, Debian uses /var/backups
-#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t
-/var/backups(/.*)? system_u:object_r:backup_store_t
diff --git a/targeted/file_contexts/program/bluetooth.fc b/targeted/file_contexts/program/bluetooth.fc
deleted file mode 100644
index 6c5aac36..00000000
--- a/targeted/file_contexts/program/bluetooth.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bluetooth
-/etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t:s0
-/etc/bluetooth/link_key system_u:object_r:bluetooth_conf_rw_t:s0
-/usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t:s0
-/var/run/sdp -s system_u:object_r:bluetooth_var_run_t:s0
-/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t:s0
-/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t:s0
-/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t:s0
diff --git a/targeted/file_contexts/program/bonobo.fc b/targeted/file_contexts/program/bonobo.fc
deleted file mode 100644
index 9c27b250..00000000
--- a/targeted/file_contexts/program/bonobo.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/bonobo-activation-server -- system_u:object_r:bonobo_exec_t
diff --git a/targeted/file_contexts/program/bootloader.fc b/targeted/file_contexts/program/bootloader.fc
deleted file mode 100644
index 90f8e85b..00000000
--- a/targeted/file_contexts/program/bootloader.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bootloader
-/etc/lilo\.conf.* -- system_u:object_r:bootloader_etc_t
-/initrd\.img.* -l system_u:object_r:boot_t
-/sbin/lilo.* -- system_u:object_r:bootloader_exec_t
-/sbin/grub.* -- system_u:object_r:bootloader_exec_t
-/vmlinuz.* -l system_u:object_r:boot_t
-/usr/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t
-/sbin/mkinitrd -- system_u:object_r:bootloader_exec_t
-/etc/mkinitrd/scripts/.* -- system_u:object_r:bootloader_exec_t
-/sbin/ybin.* -- system_u:object_r:bootloader_exec_t
-/etc/yaboot\.conf.* -- system_u:object_r:bootloader_etc_t
diff --git a/targeted/file_contexts/program/calamaris.fc b/targeted/file_contexts/program/calamaris.fc
deleted file mode 100644
index 36d8c87b..00000000
--- a/targeted/file_contexts/program/calamaris.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# squid
-/etc/cron\.daily/calamaris -- system_u:object_r:calamaris_exec_t
-/var/www/calamaris(/.*)? system_u:object_r:calamaris_www_t
-/var/log/calamaris(/.*)? system_u:object_r:calamaris_log_t
diff --git a/targeted/file_contexts/program/canna.fc b/targeted/file_contexts/program/canna.fc
deleted file mode 100644
index aada263e..00000000
--- a/targeted/file_contexts/program/canna.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# canna.fc
-/usr/sbin/cannaserver -- system_u:object_r:canna_exec_t:s0
-/usr/sbin/jserver -- system_u:object_r:canna_exec_t:s0
-/usr/bin/cannaping -- system_u:object_r:canna_exec_t:s0
-/usr/bin/catdic -- system_u:object_r:canna_exec_t:s0
-/var/log/canna(/.*)? system_u:object_r:canna_log_t:s0
-/var/log/wnn(/.*)? system_u:object_r:canna_log_t:s0
-/var/lib/canna/dic(/.*)? system_u:object_r:canna_var_lib_t:s0
-/var/lib/wnn/dic(/.*)? system_u:object_r:canna_var_lib_t:s0
-/var/run/\.iroha_unix -d system_u:object_r:canna_var_run_t:s0
-/var/run/\.iroha_unix/.* -s system_u:object_r:canna_var_run_t:s0
-/var/run/wnn-unix(/.*) system_u:object_r:canna_var_run_t:s0
diff --git a/targeted/file_contexts/program/cardmgr.fc b/targeted/file_contexts/program/cardmgr.fc
deleted file mode 100644
index 1dc51875..00000000
--- a/targeted/file_contexts/program/cardmgr.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# cardmgr
-/sbin/cardmgr -- system_u:object_r:cardmgr_exec_t:s0
-/sbin/cardctl -- system_u:object_r:cardctl_exec_t:s0
-/var/run/stab -- system_u:object_r:cardmgr_var_run_t:s0
-/var/run/cardmgr\.pid -- system_u:object_r:cardmgr_var_run_t:s0
-/etc/apm/event\.d/pcmcia -- system_u:object_r:cardmgr_exec_t:s0
-/var/lib/pcmcia(/.*)? system_u:object_r:cardmgr_var_run_t:s0
diff --git a/targeted/file_contexts/program/cdrecord.fc b/targeted/file_contexts/program/cdrecord.fc
deleted file mode 100644
index d03d3bc4..00000000
--- a/targeted/file_contexts/program/cdrecord.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cdrecord
-/usr/bin/cdrecord -- system_u:object_r:cdrecord_exec_t
-
diff --git a/targeted/file_contexts/program/certwatch.fc b/targeted/file_contexts/program/certwatch.fc
deleted file mode 100644
index 20bb8caf..00000000
--- a/targeted/file_contexts/program/certwatch.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# certwatch.fc
-/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t
-
diff --git a/targeted/file_contexts/program/checkpolicy.fc b/targeted/file_contexts/program/checkpolicy.fc
deleted file mode 100644
index dddeecfe..00000000
--- a/targeted/file_contexts/program/checkpolicy.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# checkpolicy
-/usr/bin/checkpolicy -- system_u:object_r:checkpolicy_exec_t:s0
diff --git a/targeted/file_contexts/program/chkpwd.fc b/targeted/file_contexts/program/chkpwd.fc
deleted file mode 100644
index 5f253f7e..00000000
--- a/targeted/file_contexts/program/chkpwd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# chkpwd
-/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t:s0
-/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t:s0
-ifdef(`distro_suse', `
-/sbin/unix2_chkpwd -- system_u:object_r:chkpwd_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/chroot.fc b/targeted/file_contexts/program/chroot.fc
deleted file mode 100644
index aa61acc2..00000000
--- a/targeted/file_contexts/program/chroot.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/chroot -- system_u:object_r:chroot_exec_t
diff --git a/targeted/file_contexts/program/ciped.fc b/targeted/file_contexts/program/ciped.fc
deleted file mode 100644
index e3a12a18..00000000
--- a/targeted/file_contexts/program/ciped.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/ciped.* -- system_u:object_r:ciped_exec_t
-/etc/cipe/ip-up.* -- system_u:object_r:bin_t
-/etc/cipe/ip-down.* -- system_u:object_r:bin_t
diff --git a/targeted/file_contexts/program/clamav.fc b/targeted/file_contexts/program/clamav.fc
deleted file mode 100644
index 90c898cb..00000000
--- a/targeted/file_contexts/program/clamav.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# clamscan
-/usr/bin/clamscan -- system_u:object_r:clamscan_exec_t
-/usr/bin/freshclam -- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamav-freshclam-handledaemon -- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamd -- system_u:object_r:clamd_exec_t
-/var/lib/clamav(/.*)? system_u:object_r:clamav_var_lib_t
-/var/log/clam-update\.log -- system_u:object_r:freshclam_log_t
-/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t
-/var/log/clamav/clamd\.log.* -- system_u:object_r:clamd_log_t
-/var/log/clamav/freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t
-/var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t
-/var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd\.sock -s system_u:object_r:clamd_sock_t
diff --git a/targeted/file_contexts/program/clockspeed.fc b/targeted/file_contexts/program/clockspeed.fc
deleted file mode 100644
index e00cd566..00000000
--- a/targeted/file_contexts/program/clockspeed.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# clockspeed
-/usr/bin/clockspeed -- system_u:object_r:clockspeed_exec_t
-/usr/bin/clockadd -- system_u:object_r:clockspeed_exec_t
-/usr/bin/clockview -- system_u:object_r:clockspeed_exec_t
-/usr/bin/sntpclock -- system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclock -- system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclockd -- system_u:object_r:clockspeed_exec_t
-/usr/sbin/ntpclockset -- system_u:object_r:clockspeed_exec_t
-
-/var/lib/clockspeed(/.*)? system_u:object_r:clockspeed_var_lib_t
-
diff --git a/targeted/file_contexts/program/compat.fc b/targeted/file_contexts/program/compat.fc
deleted file mode 100644
index 4772ed76..00000000
--- a/targeted/file_contexts/program/compat.fc
+++ /dev/null
@@ -1,62 +0,0 @@
-ifdef(`setfiles.te', `', `
-# setfiles
-/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t:s0
-')
-
-ifdef(`mount.te', `', `
-# mount
-/bin/mount.* -- system_u:object_r:mount_exec_t:s0
-/bin/umount.* -- system_u:object_r:mount_exec_t:s0
-')
-ifdef(`loadkeys.te', `', `
-# loadkeys
-/bin/unikeys -- system_u:object_r:loadkeys_exec_t:s0
-/bin/loadkeys -- system_u:object_r:loadkeys_exec_t:s0
-')
-ifdef(`dmesg.te', `', `
-# dmesg
-/bin/dmesg -- system_u:object_r:dmesg_exec_t:s0
-')
-ifdef(`fsadm.te', `', `
-# fs admin utilities
-/sbin/fsck.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/e2fsck -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/dosfsck -- system_u:object_r:fsadm_exec_t:s0
-/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/e2label -- system_u:object_r:fsadm_exec_t:s0
-/sbin/findfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mke2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkswap -- system_u:object_r:fsadm_exec_t:s0
-/sbin/scsi_info -- system_u:object_r:fsadm_exec_t:s0
-/sbin/sfdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/cfdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/fdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/parted -- system_u:object_r:fsadm_exec_t:s0
-/sbin/tune2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/hdparm -- system_u:object_r:fsadm_exec_t:s0
-/sbin/raidstart -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkraid -- system_u:object_r:fsadm_exec_t:s0
-/sbin/blockdev -- system_u:object_r:fsadm_exec_t:s0
-/sbin/losetup.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/lsraid -- system_u:object_r:fsadm_exec_t:s0
-/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t:s0
-/sbin/install-mbr -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/raw -- system_u:object_r:fsadm_exec_t:s0
-/sbin/partx -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t:s0
-/sbin/partprobe -- system_u:object_r:fsadm_exec_t:s0
-')
-ifdef(`kudzu.te', `', `
-# kudzu
-/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t:s0
-/sbin/kmodule -- system_u:object_r:kudzu_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/comsat.fc b/targeted/file_contexts/program/comsat.fc
deleted file mode 100644
index 37049010..00000000
--- a/targeted/file_contexts/program/comsat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# biff server
-/usr/sbin/in\.comsat -- system_u:object_r:comsat_exec_t:s0
diff --git a/targeted/file_contexts/program/consoletype.fc b/targeted/file_contexts/program/consoletype.fc
deleted file mode 100644
index 1258f578..00000000
--- a/targeted/file_contexts/program/consoletype.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# consoletype
-/sbin/consoletype -- system_u:object_r:consoletype_exec_t:s0
diff --git a/targeted/file_contexts/program/courier.fc b/targeted/file_contexts/program/courier.fc
deleted file mode 100644
index 16f6adb1..00000000
--- a/targeted/file_contexts/program/courier.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-# courier pop, imap, and webmail
-/usr/lib(64)?/courier(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/courier/rootcerts(/.*)? system_u:object_r:courier_etc_t
-/usr/lib(64)?/courier/authlib/.* -- system_u:object_r:courier_authdaemon_exec_t
-/usr/lib(64)?/courier/courier/.* -- system_u:object_r:courier_exec_t
-/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/imaplogin -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/pcpd -- system_u:object_r:courier_pcp_exec_t
-/usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t
-/var/lib/courier(/.*)? system_u:object_r:courier_var_lib_t
-/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t
-/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t
-/usr/sbin/courierldapaliasd -- system_u:object_r:courier_exec_t
-/usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t
-/var/run/courier(/.*)? system_u:object_r:courier_var_run_t
-/etc/courier(/.*)? system_u:object_r:courier_etc_t
diff --git a/targeted/file_contexts/program/cpucontrol.fc b/targeted/file_contexts/program/cpucontrol.fc
deleted file mode 100644
index e7e488a2..00000000
--- a/targeted/file_contexts/program/cpucontrol.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpucontrol
-/sbin/microcode_ctl -- system_u:object_r:cpucontrol_exec_t:s0
-/etc/firmware/.* -- system_u:object_r:cpucontrol_conf_t:s0
diff --git a/targeted/file_contexts/program/cpuspeed.fc b/targeted/file_contexts/program/cpuspeed.fc
deleted file mode 100644
index 5e91f557..00000000
--- a/targeted/file_contexts/program/cpuspeed.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpuspeed
-/usr/sbin/cpuspeed -- system_u:object_r:cpuspeed_exec_t:s0
-/usr/sbin/powernowd -- system_u:object_r:cpuspeed_exec_t:s0
diff --git a/targeted/file_contexts/program/crack.fc b/targeted/file_contexts/program/crack.fc
deleted file mode 100644
index 7d991366..00000000
--- a/targeted/file_contexts/program/crack.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# crack - for password checking
-/usr/sbin/cracklib-[a-z]* -- system_u:object_r:crack_exec_t
-/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t
-/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t
-/usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t
-/usr/share/cracklib(/.*)? system_u:object_r:crack_db_t
diff --git a/targeted/file_contexts/program/crond.fc b/targeted/file_contexts/program/crond.fc
deleted file mode 100644
index 3ee6ee57..00000000
--- a/targeted/file_contexts/program/crond.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# crond
-/etc/crontab -- system_u:object_r:system_cron_spool_t:s0
-/etc/cron\.d(/.*)? system_u:object_r:system_cron_spool_t:s0
-/usr/sbin/cron(d)? -- system_u:object_r:crond_exec_t:s0
-/usr/sbin/anacron -- system_u:object_r:anacron_exec_t:s0
-/var/spool/cron -d system_u:object_r:cron_spool_t:s0
-/var/spool/cron/crontabs -d system_u:object_r:cron_spool_t:s0
-/var/spool/cron/crontabs/.* -- <>
-/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t:s0
-/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t:s0
-/var/spool/cron/[^/]* -- <>
-/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t:s0
-/var/run/crond?\.pid -- system_u:object_r:crond_var_run_t:s0
-# fcron
-/usr/sbin/fcron -- system_u:object_r:crond_exec_t:s0
-/var/spool/fcron -d system_u:object_r:cron_spool_t:s0
-/var/spool/fcron/.* <>
-/var/spool/fcron/systab\.orig -- system_u:object_r:system_cron_spool_t:s0
-/var/spool/fcron/systab -- system_u:object_r:system_cron_spool_t:s0
-/var/spool/fcron/new\.systab -- system_u:object_r:system_cron_spool_t:s0
-/var/run/fcron\.fifo -s system_u:object_r:crond_var_run_t:s0
-/var/run/fcron\.pid -- system_u:object_r:crond_var_run_t:s0
-# atd
-/usr/sbin/atd -- system_u:object_r:crond_exec_t:s0
-/var/spool/at -d system_u:object_r:cron_spool_t:s0
-/var/spool/at/spool -d system_u:object_r:cron_spool_t:s0
-/var/spool/at/[^/]* -- <>
-/var/run/atd\.pid -- system_u:object_r:crond_var_run_t:s0
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons -- system_u:object_r:bin_t:s0
-/var/spool/cron/lastrun -d system_u:object_r:crond_tmp_t:s0
-/var/spool/cron/lastrun/[^/]* -- <>
-/var/spool/cron/tabs -d system_u:object_r:cron_spool_t:s0
-')
diff --git a/targeted/file_contexts/program/crontab.fc b/targeted/file_contexts/program/crontab.fc
deleted file mode 100644
index 5c186998..00000000
--- a/targeted/file_contexts/program/crontab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# crontab
-/usr/bin/(f)?crontab -- system_u:object_r:crontab_exec_t
-/usr/bin/at -- system_u:object_r:crontab_exec_t
diff --git a/targeted/file_contexts/program/cups.fc b/targeted/file_contexts/program/cups.fc
deleted file mode 100644
index fea8ef07..00000000
--- a/targeted/file_contexts/program/cups.fc
+++ /dev/null
@@ -1,46 +0,0 @@
-# cups printing
-/etc/cups(/.*)? system_u:object_r:cupsd_etc_t:s0
-/usr/share/cups(/.*)? system_u:object_r:cupsd_etc_t:s0
-/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0
-/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/client\.conf -- system_u:object_r:etc_t:s0
-/etc/cups/cupsd\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/classes\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/certs -d system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/var/lib/cups/certs -d system_u:object_r:cupsd_rw_etc_t:s0
-/var/lib/cups/certs/.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/ppds\.dat -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/lpoptions.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/etc/printcap.* -- system_u:object_r:cupsd_rw_etc_t:s0
-/usr/lib(64)?/cups/backend/.* -- system_u:object_r:cupsd_exec_t:s0
-/usr/lib(64)?/cups/daemon/.* -- system_u:object_r:cupsd_exec_t:s0
-/usr/lib(64)?/cups/daemon/cups-lpd -- system_u:object_r:cupsd_lpd_exec_t:s0
-/usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t:s0
-ifdef(`hald.te', `
-# cupsd_config depends on hald
-/usr/bin/cups-config-daemon -- system_u:object_r:cupsd_config_exec_t:s0
-/usr/sbin/hal_lpadmin -- system_u:object_r:cupsd_config_exec_t:s0
-/usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t:s0
-')
-/var/log/cups(/.*)? system_u:object_r:cupsd_log_t:s0
-/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t:s0
-/var/spool/cups(/.*)? system_u:object_r:print_spool_t:s0
-/var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t:s0
-/usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t:s0
-/usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t:s0
-/usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t:s0
-/usr/sbin/ptal-photod -- system_u:object_r:ptal_exec_t:s0
-/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t:s0
-/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t:s0
-/etc/hp(/.*)? system_u:object_r:hplip_etc_t:s0
-/usr/sbin/hpiod -- system_u:object_r:hplip_exec_t:s0
-/usr/share/hplip/hpssd.py -- system_u:object_r:hplip_exec_t:s0
-/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t:s0
-/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t:s0
-/var/run/hp.*\.pid -- system_u:object_r:hplip_var_run_t:s0
-/var/run/hp.*\.port -- system_u:object_r:hplip_var_run_t:s0
diff --git a/targeted/file_contexts/program/cvs.fc b/targeted/file_contexts/program/cvs.fc
deleted file mode 100644
index 8aa1edc6..00000000
--- a/targeted/file_contexts/program/cvs.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# cvs program
-/usr/bin/cvs -- system_u:object_r:cvs_exec_t:s0
diff --git a/targeted/file_contexts/program/cyrus.fc b/targeted/file_contexts/program/cyrus.fc
deleted file mode 100644
index f415273b..00000000
--- a/targeted/file_contexts/program/cyrus.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# cyrus
-/var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t:s0
-/usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t:s0
-/var/spool/imap(/.*)? system_u:object_r:mail_spool_t:s0
diff --git a/targeted/file_contexts/program/daemontools.fc b/targeted/file_contexts/program/daemontools.fc
deleted file mode 100644
index c2642ed5..00000000
--- a/targeted/file_contexts/program/daemontools.fc
+++ /dev/null
@@ -1,54 +0,0 @@
-# daemontools
-
-/var/service/.* system_u:object_r:svc_svc_t
-
-# symlinks to /var/service/*
-/service(/.*)? system_u:object_r:svc_svc_t
-
-# supervise scripts
-/usr/bin/svc-add -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isdown -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isup -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-remove -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-start -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-status -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-stop -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitdown -- system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitup -- system_u:object_r:svc_script_exec_t
-
-# supervise init binaries
-# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
-/usr/bin/svc -- system_u:object_r:svc_start_exec_t
-/usr/bin/svscan -- system_u:object_r:svc_start_exec_t
-/usr/bin/svscanboot -- system_u:object_r:svc_start_exec_t
-/usr/bin/svok -- system_u:object_r:svc_start_exec_t
-/usr/bin/supervise -- system_u:object_r:svc_start_exec_t
-
-# starting scripts
-/var/service/.*/run.* system_u:object_r:svc_run_exec_t
-/var/service/.*/log/run system_u:object_r:svc_run_exec_t
-
-# configurations
-/var/service/.*/env(/.*)? system_u:object_r:svc_conf_t
-
-# log
-/var/service/.*/log/main(/.*)? system_u:object_r:svc_log_t
-
-# programs that impose a given environment to daemons
-/usr/bin/softlimit -- system_u:object_r:svc_run_exec_t
-/usr/bin/setuidgid -- system_u:object_r:svc_run_exec_t
-/usr/bin/envuidgid -- system_u:object_r:svc_run_exec_t
-/usr/bin/envdir -- system_u:object_r:svc_run_exec_t
-/usr/bin/setlock -- system_u:object_r:svc_run_exec_t
-
-# helper programs
-/usr/bin/fghack -- system_u:object_r:svc_run_exec_t
-/usr/bin/pgrphack -- system_u:object_r:svc_run_exec_t
-
-/var/run/svscan\.pid -- system_u:object_r:initrc_var_run_t
-# daemontools logger # writes to service/*/log/main/ and /var/log/*/
-/usr/bin/multilog -- system_u:object_r:svc_multilog_exec_t
-
-/sbin/svcinit -- system_u:object_r:initrc_exec_t
-/sbin/runsvcscript\.sh -- system_u:object_r:initrc_exec_t
-
diff --git a/targeted/file_contexts/program/dante.fc b/targeted/file_contexts/program/dante.fc
deleted file mode 100644
index ce7f3353..00000000
--- a/targeted/file_contexts/program/dante.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dante
-/usr/sbin/sockd -- system_u:object_r:dante_exec_t
-/etc/socks(/.*)? system_u:object_r:dante_conf_t
-/var/run/sockd.pid -- system_u:object_r:dante_var_run_t
diff --git a/targeted/file_contexts/program/dbskkd.fc b/targeted/file_contexts/program/dbskkd.fc
deleted file mode 100644
index 4f2d72fd..00000000
--- a/targeted/file_contexts/program/dbskkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# A dictionary server for the SKK Japanese input method system.
-/usr/sbin/dbskkd-cdb -- system_u:object_r:dbskkd_exec_t:s0
diff --git a/targeted/file_contexts/program/dbusd.fc b/targeted/file_contexts/program/dbusd.fc
deleted file mode 100644
index ea4e0653..00000000
--- a/targeted/file_contexts/program/dbusd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/dbus-daemon(-1)? -- system_u:object_r:system_dbusd_exec_t:s0
-/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t:s0
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0
diff --git a/targeted/file_contexts/program/dcc.fc b/targeted/file_contexts/program/dcc.fc
deleted file mode 100644
index a6b1372a..00000000
--- a/targeted/file_contexts/program/dcc.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# DCC
-/etc/dcc(/.*)? system_u:object_r:dcc_var_t
-/etc/dcc/map -- system_u:object_r:dcc_client_map_t
-/etc/dcc/dccifd -s system_u:object_r:dccifd_sock_t
-/usr/bin/cdcc system_u:object_r:cdcc_exec_t
-/usr/bin/dccproc system_u:object_r:dcc_client_exec_t
-/usr/libexec/dcc/dbclean system_u:object_r:dcc_dbclean_exec_t
-/usr/libexec/dcc/dccd system_u:object_r:dccd_exec_t
-/usr/libexec/dcc/dccifd system_u:object_r:dccifd_exec_t
-/usr/libexec/dcc/dccm system_u:object_r:dccm_exec_t
-/usr/libexec/dcc/start-.* system_u:object_r:dcc_script_exec_t
-/usr/libexec/dcc/stop-.* system_u:object_r:dcc_script_exec_t
-/var/dcc(/.*)? system_u:object_r:dcc_var_t
-/var/dcc/map -- system_u:object_r:dcc_client_map_t
-/var/run/dcc system_u:object_r:dcc_var_run_t
-/var/run/dcc/map -- system_u:object_r:dcc_client_map_t
-/var/run/dcc/dccifd -s system_u:object_r:dccifd_sock_t
diff --git a/targeted/file_contexts/program/ddclient.fc b/targeted/file_contexts/program/ddclient.fc
deleted file mode 100644
index 83ee3d2b..00000000
--- a/targeted/file_contexts/program/ddclient.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# ddclient
-/etc/ddclient\.conf -- system_u:object_r:ddclient_etc_t
-/usr/sbin/ddclient -- system_u:object_r:ddclient_exec_t
-/var/cache/ddclient(/.*)? system_u:object_r:ddclient_var_t
-/var/run/ddclient\.pid -- system_u:object_r:ddclient_var_run_t
-# ddt - Dynamic DNS client
-/usr/sbin/ddtcd -- system_u:object_r:ddclient_exec_t
-/var/run/ddtcd\.pid -- system_u:object_r:ddclient_var_run_t
-/etc/ddtcd\.conf -- system_u:object_r:ddclient_etc_t
-/var/lib/ddt-client(/.*)? system_u:object_r:ddclient_var_lib_t
-/var/log/ddtcd\.log.* -- system_u:object_r:ddclient_log_t
diff --git a/targeted/file_contexts/program/ddcprobe.fc b/targeted/file_contexts/program/ddcprobe.fc
deleted file mode 100644
index 43133496..00000000
--- a/targeted/file_contexts/program/ddcprobe.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/ddcprobe -- system_u:object_r:ddcprobe_exec_t
diff --git a/targeted/file_contexts/program/dhcpc.fc b/targeted/file_contexts/program/dhcpc.fc
deleted file mode 100644
index e892abe0..00000000
--- a/targeted/file_contexts/program/dhcpc.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# dhcpcd
-/etc/dhcpc.* system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp3?/dhclient.* system_u:object_r:dhcp_etc_t:s0
-/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t:s0
-/etc/dhclient-script -- system_u:object_r:dhcp_etc_t:s0
-/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t:s0
-/sbin/dhcdbd -- system_u:object_r:dhcpc_exec_t:s0
-/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t:s0
-/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t:s0
-/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t:s0
-/var/lib/dhclient(/.*)? system_u:object_r:dhcpc_state_t:s0
-/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t:s0
-/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t:s0
-# pump
-/sbin/pump -- system_u:object_r:dhcpc_exec_t:s0
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t:s0
-define(`dhcp_defined')
-')
diff --git a/targeted/file_contexts/program/dhcpd.fc b/targeted/file_contexts/program/dhcpd.fc
deleted file mode 100644
index 5aff3440..00000000
--- a/targeted/file_contexts/program/dhcpd.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# dhcpd
-/etc/dhcpd\.conf -- system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t:s0
-/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t:s0
-/var/lib/dhcp([3d])?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
-/var/run/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t:s0
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp([3d])? -d system_u:object_r:dhcp_state_t:s0
-define(`dhcp_defined')
-')
-
-ifdef(`distro_gentoo', `
-/etc/dhcp -d system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t:s0
-/var/lib/dhcp -d system_u:object_r:dhcp_state_t:s0
-/var/lib/dhcpd(/.*)? system_u:object_r:dhcpd_state_t:s0
-/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
-/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t:s0
-
-# for the chroot setup
-/chroot/dhcp -d system_u:object_r:root_t:s0
-/chroot/dhcp/dev -d system_u:object_r:device_t:s0
-/chroot/dhcp/etc -d system_u:object_r:etc_t:s0
-/chroot/dhcp/etc/dhcp -d system_u:object_r:dhcp_etc_t:s0
-/chroot/dhcp/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t:s0
-/chroot/dhcp/usr/sbin/dhcpd -- system_u:object_r:dhcpd_exec_t:s0
-/chroot/dhcp/var -d system_u:object_r:var_t:s0
-/chroot/dhcp/var/run -d system_u:object_r:var_run_t:s0
-/chroot/dhcp/var/lib -d system_u:object_r:var_lib_t:s0
-/chroot/dhcp/var/lib/dhcp -d system_u:object_r:dhcp_state_t:s0
-/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
-/chroot/dhcp/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_state_t:s0
-')
-
diff --git a/targeted/file_contexts/program/dictd.fc b/targeted/file_contexts/program/dictd.fc
deleted file mode 100644
index b0898631..00000000
--- a/targeted/file_contexts/program/dictd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dictd
-/etc/dictd\.conf -- system_u:object_r:dictd_etc_t:s0
-/usr/sbin/dictd -- system_u:object_r:dictd_exec_t:s0
-/var/lib/dictd(/.*)? system_u:object_r:dictd_var_lib_t:s0
diff --git a/targeted/file_contexts/program/distcc.fc b/targeted/file_contexts/program/distcc.fc
deleted file mode 100644
index 3ab97979..00000000
--- a/targeted/file_contexts/program/distcc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# distcc
-/usr/bin/distccd -- system_u:object_r:distccd_exec_t
diff --git a/targeted/file_contexts/program/djbdns.fc b/targeted/file_contexts/program/djbdns.fc
deleted file mode 100644
index 6174b9f7..00000000
--- a/targeted/file_contexts/program/djbdns.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-#djbdns
-/usr/bin/dnscache -- system_u:object_r:djbdns_dnscache_exec_t
-/usr/bin/tinydns -- system_u:object_r:djbdns_tinydns_exec_t
-/usr/bin/axfrdns -- system_u:object_r:djbdns_axfrdns_exec_t
-
-/var/dnscache[a-z]?(/.*)? system_u:object_r:svc_svc_t
-/var/dnscache[a-z]?/run -- system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/log/run -- system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/env(/.*)? system_u:object_r:svc_conf_t
-/var/dnscache[a-z]?/root(/.*)? system_u:object_r:djbdns_dnscache_conf_t
-/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/tinydns(/.*)? system_u:object_r:svc_svc_t
-/var/tinydns/run -- system_u:object_r:svc_run_exec_t
-/var/tinydns/log/run -- system_u:object_r:svc_run_exec_t
-/var/tinydns/env(/.*)? system_u:object_r:svc_conf_t
-/var/tinydns/root(/.*)? system_u:object_r:djbdns_tinydns_conf_t
-/var/tinydns/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/axfrdns(/.*)? system_u:object_r:svc_svc_t
-/var/axfrdns/run -- system_u:object_r:svc_run_exec_t
-/var/axfrdns/log/run -- system_u:object_r:svc_run_exec_t
-/var/axfrdns/env(/.*)? system_u:object_r:svc_conf_t
-/var/axfrdns/root(/.*)? system_u:object_r:djbdns_axfrdns_conf_t
-/var/axfrdns/log/main(/.*)? system_u:object_r:var_log_t
-
diff --git a/targeted/file_contexts/program/dmesg.fc b/targeted/file_contexts/program/dmesg.fc
deleted file mode 100644
index 2df5752a..00000000
--- a/targeted/file_contexts/program/dmesg.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# dmesg
-/bin/dmesg -- system_u:object_r:dmesg_exec_t
diff --git a/targeted/file_contexts/program/dmidecode.fc b/targeted/file_contexts/program/dmidecode.fc
deleted file mode 100644
index 7b02fd53..00000000
--- a/targeted/file_contexts/program/dmidecode.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dmidecode
-/usr/sbin/dmidecode -- system_u:object_r:dmidecode_exec_t:s0
-/usr/sbin/ownership -- system_u:object_r:dmidecode_exec_t:s0
-/usr/sbin/vpddecode -- system_u:object_r:dmidecode_exec_t:s0
diff --git a/targeted/file_contexts/program/dnsmasq.fc b/targeted/file_contexts/program/dnsmasq.fc
deleted file mode 100644
index e1b1c358..00000000
--- a/targeted/file_contexts/program/dnsmasq.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dnsmasq
-/usr/sbin/dnsmasq -- system_u:object_r:dnsmasq_exec_t
-/var/lib/misc/dnsmasq\.leases -- system_u:object_r:dnsmasq_lease_t
-/var/run/dnsmasq\.pid -- system_u:object_r:dnsmasq_var_run_t
diff --git a/targeted/file_contexts/program/dovecot.fc b/targeted/file_contexts/program/dovecot.fc
deleted file mode 100644
index bc45b9d4..00000000
--- a/targeted/file_contexts/program/dovecot.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-# for Dovecot POP and IMAP server
-/etc/dovecot.conf.* system_u:object_r:dovecot_etc_t:s0
-/etc/dovecot.passwd.* system_u:object_r:dovecot_passwd_t:s0
-/usr/sbin/dovecot -- system_u:object_r:dovecot_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t:s0
-')
-ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t:s0
-')
-/usr/share/ssl/certs/dovecot\.pem -- system_u:object_r:dovecot_cert_t:s0
-/usr/share/ssl/private/dovecot\.pem -- system_u:object_r:dovecot_cert_t:s0
-/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t:s0
-/var/run/dovecot(-login)?(/.*)? system_u:object_r:dovecot_var_run_t:s0
-/usr/lib(64)?/dovecot/.+ -- system_u:object_r:bin_t:s0
-/var/spool/dovecot(/.*)? system_u:object_r:dovecot_spool_t:s0
diff --git a/targeted/file_contexts/program/dpkg.fc b/targeted/file_contexts/program/dpkg.fc
deleted file mode 100644
index f0f56f62..00000000
--- a/targeted/file_contexts/program/dpkg.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# dpkg/dselect/apt
-/etc/apt(/.*)? system_u:object_r:apt_etc_t
-/etc/apt/listbugs(/.*)? system_u:object_r:apt_rw_etc_t
-/usr/bin/apt-cache -- system_u:object_r:apt_exec_t
-/usr/bin/apt-config -- system_u:object_r:apt_exec_t
-/usr/bin/apt-get -- system_u:object_r:apt_exec_t
-/usr/bin/dpkg -- system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-reconfigure -- system_u:object_r:dpkg_exec_t
-/usr/bin/dselect -- system_u:object_r:dpkg_exec_t
-/usr/bin/aptitude -- system_u:object_r:dpkg_exec_t
-/usr/bin/update-menus -- system_u:object_r:install_menu_exec_t
-/usr/lib(64)?/apt/methods/.+ -- system_u:object_r:apt_exec_t
-/usr/lib(64)?/man-db(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/dpkg/.+ -- system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-preconfigure -- system_u:object_r:dpkg_exec_t
-/usr/sbin/install-menu -- system_u:object_r:install_menu_exec_t
-/usr/share/applnk(/.*)? system_u:object_r:debian_menu_t
-/usr/share/debconf/.+ -- system_u:object_r:dpkg_exec_t
-/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t
-/usr/share/lintian/.+ -- system_u:object_r:bin_t
-/usr/share/kernel-package/.+ -- system_u:object_r:bin_t
-/usr/share/smartmontools/selftests -- system_u:object_r:bin_t
-/usr/share/bug/[^/]+ -- system_u:object_r:bin_t
-/var/cache/apt(/.*)? system_u:object_r:var_cache_apt_t
-/var/cache/apt-listbugs(/.*)? system_u:object_r:var_cache_apt_t
-/var/lib/apt(/.*)? system_u:object_r:apt_var_lib_t
-/var/state/apt(/.*)? system_u:object_r:apt_var_lib_t
-/var/lib/dpkg(/.*)? system_u:object_r:dpkg_var_lib_t
-/var/lib/dpkg/(meth)?lock -- system_u:object_r:dpkg_lock_t
-/var/lib/kde(/.*)? system_u:object_r:debian_menu_t
-/var/spool/kdeapplnk(/.*)? system_u:object_r:debian_menu_t
-/var/cache/debconf(/.*)? system_u:object_r:debconf_cache_t
-/etc/dpkg/.+ -- system_u:object_r:dpkg_etc_t
-/etc/menu-methods/.* -- system_u:object_r:install_menu_exec_t
-/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
-/var/run/update-menus\.pid -- system_u:object_r:install_menu_var_run_t
-/usr/share/dlint/digparse -- system_u:object_r:bin_t
-/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t
-/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t
-/var/lib/defoma(/.*)? system_u:object_r:fonts_t
-/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t
-/usr/share/intltool-debian/.* -- system_u:object_r:bin_t
-/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t
-/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t
-/usr/share/shorewall/.* -- system_u:object_r:bin_t
-/usr/share/reportbug/.* -- system_u:object_r:bin_t
-/etc/network/ifstate.* -- system_u:object_r:etc_runtime_t
-/usr/lib(64)?/gconf2/gconfd-2 -- system_u:object_r:bin_t
-/bin/mountpoint -- system_u:object_r:fsadm_exec_t
diff --git a/targeted/file_contexts/program/ethereal.fc b/targeted/file_contexts/program/ethereal.fc
deleted file mode 100644
index abe9b020..00000000
--- a/targeted/file_contexts/program/ethereal.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/tethereal.* -- system_u:object_r:tethereal_exec_t
-/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t
-HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t
diff --git a/targeted/file_contexts/program/evolution.fc b/targeted/file_contexts/program/evolution.fc
deleted file mode 100644
index 1a3bf38e..00000000
--- a/targeted/file_contexts/program/evolution.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/usr/bin/evolution.* -- system_u:object_r:evolution_exec_t
-/usr/libexec/evolution/.*evolution-alarm-notify.* -- system_u:object_r:evolution_alarm_exec_t
-/usr/libexec/evolution/.*evolution-exchange-storage.* -- system_u:object_r:evolution_exchange_exec_t
-/usr/libexec/evolution-data-server.* -- system_u:object_r:evolution_server_exec_t
-/usr/libexec/evolution-webcal.* -- system_u:object_r:evolution_webcal_exec_t
-HOME_DIR/\.evolution(/.*)? system_u:object_r:ROLE_evolution_home_t
-HOME_DIR/\.camel_certs(/.*)? system_u:object_r:ROLE_evolution_home_t
-/tmp/\.exchange-USER(/.*)? system_u:object_r:ROLE_evolution_exchange_tmp_t
diff --git a/targeted/file_contexts/program/fetchmail.fc b/targeted/file_contexts/program/fetchmail.fc
deleted file mode 100644
index 5186172f..00000000
--- a/targeted/file_contexts/program/fetchmail.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# fetchmail
-/etc/fetchmailrc -- system_u:object_r:fetchmail_etc_t
-/usr/bin/fetchmail -- system_u:object_r:fetchmail_exec_t
-/var/run/fetchmail/.* -- system_u:object_r:fetchmail_var_run_t
-/var/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t
diff --git a/targeted/file_contexts/program/fingerd.fc b/targeted/file_contexts/program/fingerd.fc
deleted file mode 100644
index f7ed20dd..00000000
--- a/targeted/file_contexts/program/fingerd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# fingerd
-/usr/sbin/in\.fingerd -- system_u:object_r:fingerd_exec_t:s0
-/usr/sbin/[cef]fingerd -- system_u:object_r:fingerd_exec_t:s0
-/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t:s0
-/etc/cfingerd(/.*)? system_u:object_r:fingerd_etc_t:s0
-/var/log/cfingerd\.log.* -- system_u:object_r:fingerd_log_t:s0
diff --git a/targeted/file_contexts/program/firstboot.fc b/targeted/file_contexts/program/firstboot.fc
deleted file mode 100644
index 9a087ed7..00000000
--- a/targeted/file_contexts/program/firstboot.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# firstboot
-/usr/sbin/firstboot -- system_u:object_r:firstboot_exec_t:s0
-/usr/share/firstboot system_u:object_r:firstboot_rw_t:s0
-/usr/share/firstboot/firstboot\.py -- system_u:object_r:firstboot_exec_t:s0
diff --git a/targeted/file_contexts/program/fontconfig.fc b/targeted/file_contexts/program/fontconfig.fc
deleted file mode 100644
index d8a8dc95..00000000
--- a/targeted/file_contexts/program/fontconfig.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-HOME_DIR/\.fonts.conf -- system_u:object_r:ROLE_fonts_config_t
-HOME_DIR/\.fonts(/.*)? system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.fonts/auto(/.*)? system_u:object_r:ROLE_fonts_cache_t
-HOME_DIR/\.fonts.cache-.* -- system_u:object_r:ROLE_fonts_cache_t
diff --git a/targeted/file_contexts/program/fs_daemon.fc b/targeted/file_contexts/program/fs_daemon.fc
deleted file mode 100644
index 19ac5313..00000000
--- a/targeted/file_contexts/program/fs_daemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# fs admin daemons
-/usr/sbin/smartd -- system_u:object_r:fsdaemon_exec_t
-/var/run/smartd\.pid -- system_u:object_r:fsdaemon_var_run_t
-/etc/smartd\.conf -- system_u:object_r:etc_runtime_t
diff --git a/targeted/file_contexts/program/fsadm.fc b/targeted/file_contexts/program/fsadm.fc
deleted file mode 100644
index 4601a394..00000000
--- a/targeted/file_contexts/program/fsadm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# fs admin utilities
-/sbin/fsck.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t:s0
-/sbin/e2fsck -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/dosfsck -- system_u:object_r:fsadm_exec_t:s0
-/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/e2label -- system_u:object_r:fsadm_exec_t:s0
-/sbin/findfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mke2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkswap -- system_u:object_r:fsadm_exec_t:s0
-/sbin/scsi_info -- system_u:object_r:fsadm_exec_t:s0
-/sbin/sfdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/cfdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/fdisk -- system_u:object_r:fsadm_exec_t:s0
-/sbin/parted -- system_u:object_r:fsadm_exec_t:s0
-/sbin/tune2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t:s0
-/sbin/dump -- system_u:object_r:fsadm_exec_t:s0
-/sbin/swapon.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/hdparm -- system_u:object_r:fsadm_exec_t:s0
-/sbin/raidstart -- system_u:object_r:fsadm_exec_t:s0
-/sbin/raidautorun -- system_u:object_r:fsadm_exec_t:s0
-/sbin/mkraid -- system_u:object_r:fsadm_exec_t:s0
-/sbin/blockdev -- system_u:object_r:fsadm_exec_t:s0
-/sbin/losetup.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t:s0
-/sbin/lsraid -- system_u:object_r:fsadm_exec_t:s0
-/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t:s0
-/sbin/install-mbr -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/raw -- system_u:object_r:fsadm_exec_t:s0
-/sbin/partx -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t:s0
-/sbin/partprobe -- system_u:object_r:fsadm_exec_t:s0
-/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t:s0
diff --git a/targeted/file_contexts/program/ftpd.fc b/targeted/file_contexts/program/ftpd.fc
deleted file mode 100644
index 92a8c3eb..00000000
--- a/targeted/file_contexts/program/ftpd.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# ftpd
-/usr/sbin/in\.ftpd -- system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/proftpd -- system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/muddleftpd -- system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/ftpwho -- system_u:object_r:ftpd_exec_t:s0
-/usr/kerberos/sbin/ftpd -- system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/vsftpd -- system_u:object_r:ftpd_exec_t:s0
-/etc/proftpd\.conf -- system_u:object_r:ftpd_etc_t:s0
-/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t:s0
-/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t:s0
-/var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t:s0
-/var/log/xferlog.* -- system_u:object_r:xferlog_t:s0
-/var/log/vsftpd.* -- system_u:object_r:xferlog_t:s0
-/var/log/xferreport.* -- system_u:object_r:xferlog_t:s0
-/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t:s0
-/var/ftp(/.*)? system_u:object_r:public_content_t:s0
-/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t:s0
diff --git a/targeted/file_contexts/program/games.fc b/targeted/file_contexts/program/games.fc
deleted file mode 100644
index 3465eeee..00000000
--- a/targeted/file_contexts/program/games.fc
+++ /dev/null
@@ -1,61 +0,0 @@
-# games
-/usr/lib/games(/.*)? system_u:object_r:games_exec_t
-/var/lib/games(/.*)? system_u:object_r:games_data_t
-ifdef(`distro_debian', `
-/usr/games/.* -- system_u:object_r:games_exec_t
-/var/games(/.*)? system_u:object_r:games_data_t
-', `
-/usr/bin/micq -- system_u:object_r:games_exec_t
-/usr/bin/blackjack -- system_u:object_r:games_exec_t
-/usr/bin/gataxx -- system_u:object_r:games_exec_t
-/usr/bin/glines -- system_u:object_r:games_exec_t
-/usr/bin/gnect -- system_u:object_r:games_exec_t
-/usr/bin/gnibbles -- system_u:object_r:games_exec_t
-/usr/bin/gnobots2 -- system_u:object_r:games_exec_t
-/usr/bin/gnome-stones -- system_u:object_r:games_exec_t
-/usr/bin/gnomine -- system_u:object_r:games_exec_t
-/usr/bin/gnotravex -- system_u:object_r:games_exec_t
-/usr/bin/gnotski -- system_u:object_r:games_exec_t
-/usr/bin/gtali -- system_u:object_r:games_exec_t
-/usr/bin/iagno -- system_u:object_r:games_exec_t
-/usr/bin/mahjongg -- system_u:object_r:games_exec_t
-/usr/bin/same-gnome -- system_u:object_r:games_exec_t
-/usr/bin/sol -- system_u:object_r:games_exec_t
-/usr/bin/atlantik -- system_u:object_r:games_exec_t
-/usr/bin/kasteroids -- system_u:object_r:games_exec_t
-/usr/bin/katomic -- system_u:object_r:games_exec_t
-/usr/bin/kbackgammon -- system_u:object_r:games_exec_t
-/usr/bin/kbattleship -- system_u:object_r:games_exec_t
-/usr/bin/kblackbox -- system_u:object_r:games_exec_t
-/usr/bin/kbounce -- system_u:object_r:games_exec_t
-/usr/bin/kenolaba -- system_u:object_r:games_exec_t
-/usr/bin/kfouleggs -- system_u:object_r:games_exec_t
-/usr/bin/kgoldrunner -- system_u:object_r:games_exec_t
-/usr/bin/kjumpingcube -- system_u:object_r:games_exec_t
-/usr/bin/klickety -- system_u:object_r:games_exec_t
-/usr/bin/klines -- system_u:object_r:games_exec_t
-/usr/bin/kmahjongg -- system_u:object_r:games_exec_t
-/usr/bin/kmines -- system_u:object_r:games_exec_t
-/usr/bin/kolf -- system_u:object_r:games_exec_t
-/usr/bin/konquest -- system_u:object_r:games_exec_t
-/usr/bin/kpat -- system_u:object_r:games_exec_t
-/usr/bin/kpoker -- system_u:object_r:games_exec_t
-/usr/bin/kreversi -- system_u:object_r:games_exec_t
-/usr/bin/ksame -- system_u:object_r:games_exec_t
-/usr/bin/kshisen -- system_u:object_r:games_exec_t
-/usr/bin/ksirtet -- system_u:object_r:games_exec_t
-/usr/bin/ksmiletris -- system_u:object_r:games_exec_t
-/usr/bin/ksnake -- system_u:object_r:games_exec_t
-/usr/bin/ksokoban -- system_u:object_r:games_exec_t
-/usr/bin/kspaceduel -- system_u:object_r:games_exec_t
-/usr/bin/ktron -- system_u:object_r:games_exec_t
-/usr/bin/ktuberling -- system_u:object_r:games_exec_t
-/usr/bin/kwin4 -- system_u:object_r:games_exec_t
-/usr/bin/kwin4proc -- system_u:object_r:games_exec_t
-/usr/bin/lskat -- system_u:object_r:games_exec_t
-/usr/bin/lskatproc -- system_u:object_r:games_exec_t
-/usr/bin/Maelstrom -- system_u:object_r:games_exec_t
-/usr/bin/civclient.* -- system_u:object_r:games_exec_t
-/usr/bin/civserver.* -- system_u:object_r:games_exec_t
-')dnl end non-Debian section
-
diff --git a/targeted/file_contexts/program/gatekeeper.fc b/targeted/file_contexts/program/gatekeeper.fc
deleted file mode 100644
index e51491a3..00000000
--- a/targeted/file_contexts/program/gatekeeper.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gatekeeper
-/etc/gatekeeper\.ini -- system_u:object_r:gatekeeper_etc_t
-/usr/sbin/gk -- system_u:object_r:gatekeeper_exec_t
-/usr/sbin/gnugk -- system_u:object_r:gatekeeper_exec_t
-/var/run/gk\.pid -- system_u:object_r:gatekeeper_var_run_t
-/var/run/gnugk(/.*)? system_u:object_r:gatekeeper_var_run_t
-/var/log/gnugk(/.*)? system_u:object_r:gatekeeper_log_t
diff --git a/targeted/file_contexts/program/gconf.fc b/targeted/file_contexts/program/gconf.fc
deleted file mode 100644
index 3ee63e01..00000000
--- a/targeted/file_contexts/program/gconf.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/libexec/gconfd-2 -- system_u:object_r:gconfd_exec_t
-/etc/gconf(/.*)? system_u:object_r:gconf_etc_t
-HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_gconfd_home_t
-HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_gconfd_home_t
-/tmp/gconfd-USER(/.*)? system_u:object_r:ROLE_gconfd_tmp_t
diff --git a/targeted/file_contexts/program/getty.fc b/targeted/file_contexts/program/getty.fc
deleted file mode 100644
index 19b7e649..00000000
--- a/targeted/file_contexts/program/getty.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# getty
-/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
-/etc/mgetty(/.*)? system_u:object_r:getty_etc_t:s0
-/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t:s0
-/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t:s0
diff --git a/targeted/file_contexts/program/gift.fc b/targeted/file_contexts/program/gift.fc
deleted file mode 100644
index 88ed5f21..00000000
--- a/targeted/file_contexts/program/gift.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/(local/)?bin/giftd -- system_u:object_r:giftd_exec_t
-/usr/(local/)?bin/giftui -- system_u:object_r:gift_exec_t
-/usr/(local/)?bin/giFToxic -- system_u:object_r:gift_exec_t
-/usr/(local/)?bin/apollon -- system_u:object_r:gift_exec_t
-HOME_DIR/\.giFT(/.*)? system_u:object_r:ROLE_gift_home_t
diff --git a/targeted/file_contexts/program/gnome-pty-helper.fc b/targeted/file_contexts/program/gnome-pty-helper.fc
deleted file mode 100644
index 24a0b1bc..00000000
--- a/targeted/file_contexts/program/gnome-pty-helper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gnome-pty-helper
-/usr/sbin/gnome-pty-helper -- system_u:object_r:gph_exec_t
-/usr/lib(64)?/vte/gnome-pty-helper -- system_u:object_r:gph_exec_t
diff --git a/targeted/file_contexts/program/gnome.fc b/targeted/file_contexts/program/gnome.fc
deleted file mode 100644
index 670c86f4..00000000
--- a/targeted/file_contexts/program/gnome.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# FIXME: add a lot more GNOME folders
-HOME_DIR/\.gnome(2)?(/.*)? system_u:object_r:ROLE_gnome_settings_t
-HOME_DIR/\.gnome(2)?_private(/.*)? system_u:object_r:ROLE_gnome_secret_t
-ifdef(`evolution.te', `
-HOME_DIR/\.gnome(2)?_private/Evolution -- system_u:object_r:ROLE_evolution_secret_t
-')
-HOME_DIR/\.gnome(2)?/share/fonts(/.*)? system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)? system_u:object_r:ROLE_fonts_t
diff --git a/targeted/file_contexts/program/gnome_vfs.fc b/targeted/file_contexts/program/gnome_vfs.fc
deleted file mode 100644
index f945d596..00000000
--- a/targeted/file_contexts/program/gnome_vfs.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/gnome-vfs-daemon -- system_u:object_r:gnome_vfs_exec_t
diff --git a/targeted/file_contexts/program/gpg-agent.fc b/targeted/file_contexts/program/gpg-agent.fc
deleted file mode 100644
index bb25b636..00000000
--- a/targeted/file_contexts/program/gpg-agent.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gpg-agent
-/usr/bin/gpg-agent -- system_u:object_r:gpg_agent_exec_t
-/usr/bin/pinentry.* -- system_u:object_r:pinentry_exec_t
diff --git a/targeted/file_contexts/program/gpg.fc b/targeted/file_contexts/program/gpg.fc
deleted file mode 100644
index 650df0cf..00000000
--- a/targeted/file_contexts/program/gpg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gpg
-HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg(2)? -- system_u:object_r:gpg_exec_t
-/usr/bin/kgpg -- system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
-
diff --git a/targeted/file_contexts/program/gpm.fc b/targeted/file_contexts/program/gpm.fc
deleted file mode 100644
index b6818819..00000000
--- a/targeted/file_contexts/program/gpm.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# gpm
-/dev/gpmctl -s system_u:object_r:gpmctl_t
-/dev/gpmdata -p system_u:object_r:gpmctl_t
-/usr/sbin/gpm -- system_u:object_r:gpm_exec_t
-/etc/gpm(/.*)? system_u:object_r:gpm_conf_t
diff --git a/targeted/file_contexts/program/groupadd.fc b/targeted/file_contexts/program/groupadd.fc
deleted file mode 100644
index e69de29b..00000000
diff --git a/targeted/file_contexts/program/hald.fc b/targeted/file_contexts/program/hald.fc
deleted file mode 100644
index b57463df..00000000
--- a/targeted/file_contexts/program/hald.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# hald - hardware information daemon
-/usr/sbin/hald -- system_u:object_r:hald_exec_t:s0
-/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t:s0
-/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t:s0
-/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t:s0
-/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t:s0
diff --git a/targeted/file_contexts/program/hostname.fc b/targeted/file_contexts/program/hostname.fc
deleted file mode 100644
index 01a957a7..00000000
--- a/targeted/file_contexts/program/hostname.fc
+++ /dev/null
@@ -1 +0,0 @@
-/bin/hostname -- system_u:object_r:hostname_exec_t:s0
diff --git a/targeted/file_contexts/program/hotplug.fc b/targeted/file_contexts/program/hotplug.fc
deleted file mode 100644
index 05c65041..00000000
--- a/targeted/file_contexts/program/hotplug.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# hotplug
-/etc/hotplug(/.*)? system_u:object_r:hotplug_etc_t:s0
-/sbin/hotplug -- system_u:object_r:hotplug_exec_t:s0
-/sbin/netplugd -- system_u:object_r:hotplug_exec_t:s0
-/etc/hotplug\.d/.* -- system_u:object_r:hotplug_exec_t:s0
-/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t:s0
-/etc/netplug\.d(/.*)? system_u:object_r:sbin_t:s0
-/etc/hotplug/.*agent -- system_u:object_r:sbin_t:s0
-/etc/hotplug/.*rc -- system_u:object_r:sbin_t:s0
-/etc/hotplug/hotplug\.functions -- system_u:object_r:sbin_t:s0
-/var/run/usb(/.*)? system_u:object_r:hotplug_var_run_t:s0
-/var/run/hotplug(/.*)? system_u:object_r:hotplug_var_run_t:s0
-/etc/hotplug/firmware.agent -- system_u:object_r:hotplug_exec_t:s0
diff --git a/targeted/file_contexts/program/howl.fc b/targeted/file_contexts/program/howl.fc
deleted file mode 100644
index 4546ac1b..00000000
--- a/targeted/file_contexts/program/howl.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/nifd -- system_u:object_r:howl_exec_t:s0
-/usr/bin/mDNSResponder -- system_u:object_r:howl_exec_t:s0
-/var/run/nifd\.pid -- system_u:object_r:howl_var_run_t:s0
diff --git a/targeted/file_contexts/program/hwclock.fc b/targeted/file_contexts/program/hwclock.fc
deleted file mode 100644
index 9d0d9099..00000000
--- a/targeted/file_contexts/program/hwclock.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# hwclock
-/sbin/hwclock -- system_u:object_r:hwclock_exec_t:s0
-/etc/adjtime -- system_u:object_r:adjtime_t:s0
diff --git a/targeted/file_contexts/program/i18n_input.fc b/targeted/file_contexts/program/i18n_input.fc
deleted file mode 100644
index 5403e2b3..00000000
--- a/targeted/file_contexts/program/i18n_input.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# i18n_input.fc
-/usr/sbin/htt -- system_u:object_r:i18n_input_exec_t
-/usr/sbin/htt_server -- system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimd\.bin -- system_u:object_r:i18n_input_exec_t
-/usr/bin/httx -- system_u:object_r:i18n_input_exec_t
-/usr/bin/htt_xbe -- system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimx -- system_u:object_r:i18n_input_exec_t
-/usr/lib/iiim/iiim-xbe -- system_u:object_r:i18n_input_exec_t
-/usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t
-/usr/lib(64)?/iiim/.*\.so.* -- system_u:object_r:shlib_t
-/var/run/iiim(/.*)? system_u:object_r:i18n_input_var_run_t
diff --git a/targeted/file_contexts/program/iceauth.fc b/targeted/file_contexts/program/iceauth.fc
deleted file mode 100644
index 31bf1f3d..00000000
--- a/targeted/file_contexts/program/iceauth.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# iceauth
-/usr/X11R6/bin/iceauth -- system_u:object_r:iceauth_exec_t
-HOME_DIR/\.ICEauthority.* -- system_u:object_r:ROLE_iceauth_home_t
diff --git a/targeted/file_contexts/program/ifconfig.fc b/targeted/file_contexts/program/ifconfig.fc
deleted file mode 100644
index 22d52ed3..00000000
--- a/targeted/file_contexts/program/ifconfig.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# ifconfig
-/sbin/ifconfig -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/iwconfig -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ip -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/tc -- system_u:object_r:ifconfig_exec_t:s0
-/usr/sbin/tc -- system_u:object_r:ifconfig_exec_t:s0
-/bin/ip -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ethtool -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/mii-tool -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_interface -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_configure -- system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_internal_net -- system_u:object_r:ifconfig_exec_t:s0
diff --git a/targeted/file_contexts/program/imazesrv.fc b/targeted/file_contexts/program/imazesrv.fc
deleted file mode 100644
index dae194eb..00000000
--- a/targeted/file_contexts/program/imazesrv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# imazesrv
-/usr/share/games/imaze(/.*)? system_u:object_r:imazesrv_data_t
-/usr/games/imazesrv -- system_u:object_r:imazesrv_exec_t
-/var/log/imaze\.log -- system_u:object_r:imazesrv_log_t
diff --git a/targeted/file_contexts/program/inetd.fc b/targeted/file_contexts/program/inetd.fc
deleted file mode 100644
index d066e36f..00000000
--- a/targeted/file_contexts/program/inetd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# inetd
-/usr/sbin/inetd -- system_u:object_r:inetd_exec_t:s0
-/usr/sbin/xinetd -- system_u:object_r:inetd_exec_t:s0
-/usr/sbin/rlinetd -- system_u:object_r:inetd_exec_t:s0
-/usr/sbin/identd -- system_u:object_r:inetd_child_exec_t:s0
-/usr/sbin/in\..*d -- system_u:object_r:inetd_child_exec_t:s0
-/var/log/(x)?inetd\.log -- system_u:object_r:inetd_log_t:s0
-/var/run/inetd\.pid -- system_u:object_r:inetd_var_run_t:s0
diff --git a/targeted/file_contexts/program/init.fc b/targeted/file_contexts/program/init.fc
deleted file mode 100644
index cdf424f3..00000000
--- a/targeted/file_contexts/program/init.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# init
-/dev/initctl -p system_u:object_r:initctl_t:s0
-/sbin/init -- system_u:object_r:init_exec_t:s0
diff --git a/targeted/file_contexts/program/initrc.fc b/targeted/file_contexts/program/initrc.fc
deleted file mode 100644
index 65a1dbaf..00000000
--- a/targeted/file_contexts/program/initrc.fc
+++ /dev/null
@@ -1,48 +0,0 @@
-# init rc scripts
-ifdef(`targeted_policy', `
-/etc/X11/prefdm -- system_u:object_r:bin_t:s0
-', `
-/etc/X11/prefdm -- system_u:object_r:initrc_exec_t:s0
-')
-/etc/rc\.d/rc -- system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/init\.d/.* -- system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t:s0
-/etc/init\.d/.* -- system_u:object_r:initrc_exec_t:s0
-/etc/init\.d/functions -- system_u:object_r:etc_t:s0
-/var/run/utmp -- system_u:object_r:initrc_var_run_t:s0
-/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t:s0
-/var/run/random-seed -- system_u:object_r:initrc_var_run_t:s0
-/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t:s0
-ifdef(`distro_suse', `
-/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t:s0
-/var/run/keymap -- system_u:object_r:initrc_var_run_t:s0
-/var/run/numlock-on -- system_u:object_r:initrc_var_run_t:s0
-/var/run/setleds-on -- system_u:object_r:initrc_var_run_t:s0
-/var/run/bootsplashctl -p system_u:object_r:initrc_var_run_t:s0
-/etc/init\.d/\.depend.* -- system_u:object_r:etc_runtime_t:s0
-')
-
-ifdef(`distro_gentoo', `
-/sbin/rc -- system_u:object_r:initrc_exec_t:s0
-/sbin/runscript -- system_u:object_r:initrc_exec_t:s0
-/sbin/runscript\.sh -- system_u:object_r:initrc_exec_t:s0
-/var/lib/init\.d(/.*)? system_u:object_r:initrc_state_t:s0
-')
-
-# run_init
-/usr/sbin/run_init -- system_u:object_r:run_init_exec_t:s0
-/usr/sbin/open_init_pty -- system_u:object_r:initrc_exec_t:s0
-/etc/nologin.* -- system_u:object_r:etc_runtime_t:s0
-/etc/nohotplug -- system_u:object_r:etc_runtime_t:s0
-ifdef(`distro_redhat', `
-/halt -- system_u:object_r:etc_runtime_t:s0
-/fastboot -- system_u:object_r:etc_runtime_t:s0
-/fsckoptions -- system_u:object_r:etc_runtime_t:s0
-/forcefsck -- system_u:object_r:etc_runtime_t:s0
-/poweroff -- system_u:object_r:etc_runtime_t:s0
-/\.autofsck -- system_u:object_r:etc_runtime_t:s0
-/\.autorelabel -- system_u:object_r:etc_runtime_t:s0
-')
-
diff --git a/targeted/file_contexts/program/innd.fc b/targeted/file_contexts/program/innd.fc
deleted file mode 100644
index a7bb62f3..00000000
--- a/targeted/file_contexts/program/innd.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# innd
-/usr/sbin/innd.* -- system_u:object_r:innd_exec_t:s0
-/usr/bin/rpost -- system_u:object_r:innd_exec_t:s0
-/usr/bin/suck -- system_u:object_r:innd_exec_t:s0
-/var/run/innd(/.*)? system_u:object_r:innd_var_run_t:s0
-/etc/news(/.*)? system_u:object_r:innd_etc_t:s0
-/etc/news/boot -- system_u:object_r:innd_exec_t:s0
-/var/spool/news(/.*)? system_u:object_r:news_spool_t:s0
-/var/log/news(/.*)? system_u:object_r:innd_log_t:s0
-/var/lib/news(/.*)? system_u:object_r:innd_var_lib_t:s0
-/var/run/news(/.*)? system_u:object_r:innd_var_run_t:s0
-/usr/sbin/in\.nnrpd -- system_u:object_r:innd_exec_t:s0
-/usr/bin/inews -- system_u:object_r:innd_exec_t:s0
-/usr/bin/rnews -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin(/.*)? system_u:object_r:bin_t:s0
-/usr/lib(64)?/news/bin/innd -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/actsync -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/archive -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/batcher -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/buffchan -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/convdate -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/ctlinnd -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/cvtbatch -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/expire -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/expireover -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/fastrm -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/filechan -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/getlist -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/grephistory -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inews -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innconfval -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inndf -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inndstart -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innfeed -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innxbatch -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innxmit -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/makedbz -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/makehistory -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/newsrequeue -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/nnrpd -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/nntpget -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/ovdb_recover -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/overchan -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/prunehistory -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/rnews -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/shlock -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/shrinkfile -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/sm -- system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/startinnfeed -- system_u:object_r:innd_exec_t:s0
diff --git a/targeted/file_contexts/program/ipsec.fc b/targeted/file_contexts/program/ipsec.fc
deleted file mode 100644
index e915b75f..00000000
--- a/targeted/file_contexts/program/ipsec.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-# IPSEC utilities and daemon.
-
-/etc/ipsec\.secrets -- system_u:object_r:ipsec_key_file_t
-/etc/ipsec\.conf -- system_u:object_r:ipsec_conf_file_t
-/etc/ipsec\.d(/.*)? system_u:object_r:ipsec_key_file_t
-/etc/ipsec\.d/examples(/.*)? system_u:object_r:etc_t
-/usr/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t
-/usr/lib(64)?/ipsec/_plutoload -- system_u:object_r:ipsec_mgmt_exec_t
-/usr/lib(64)?/ipsec/_plutorun -- system_u:object_r:ipsec_mgmt_exec_t
-/usr/local/lib(64)?/ipsec/.* -- system_u:object_r:sbin_t
-/usr/libexec/ipsec/eroute -- system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/eroute -- system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/pluto -- system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/pluto -- system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/spi -- system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
-/var/run/pluto(/.*)? system_u:object_r:ipsec_var_run_t
-/var/racoon(/.*)? system_u:object_r:ipsec_var_run_t
-
-# Kame
-/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t
-/usr/sbin/setkey -- system_u:object_r:ipsec_exec_t
-/sbin/setkey -- system_u:object_r:ipsec_exec_t
-/etc/racoon(/.*)? system_u:object_r:ipsec_conf_file_t
-/etc/racoon/certs(/.*)? system_u:object_r:ipsec_key_file_t
-/etc/racoon/psk\.txt -- system_u:object_r:ipsec_key_file_t
diff --git a/targeted/file_contexts/program/iptables.fc b/targeted/file_contexts/program/iptables.fc
deleted file mode 100644
index 3dcde2e7..00000000
--- a/targeted/file_contexts/program/iptables.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# iptables
-/sbin/ipchains.* -- system_u:object_r:iptables_exec_t
-/sbin/iptables.* -- system_u:object_r:iptables_exec_t
-/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t
-/usr/sbin/ipchains.* -- system_u:object_r:iptables_exec_t
-/usr/sbin/iptables.* -- system_u:object_r:iptables_exec_t
-/usr/sbin/ip6tables.* -- system_u:object_r:iptables_exec_t
-
diff --git a/targeted/file_contexts/program/irc.fc b/targeted/file_contexts/program/irc.fc
deleted file mode 100644
index 9f52efb2..00000000
--- a/targeted/file_contexts/program/irc.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# irc clients
-/usr/bin/[st]irc -- system_u:object_r:irc_exec_t
-/usr/bin/ircII -- system_u:object_r:irc_exec_t
-/usr/bin/tinyirc -- system_u:object_r:irc_exec_t
-HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t
diff --git a/targeted/file_contexts/program/ircd.fc b/targeted/file_contexts/program/ircd.fc
deleted file mode 100644
index 2ef668cc..00000000
--- a/targeted/file_contexts/program/ircd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# ircd - irc server
-/usr/sbin/(dancer-)?ircd -- system_u:object_r:ircd_exec_t
-/etc/(dancer-)?ircd(/.*)? system_u:object_r:ircd_etc_t
-/var/log/(dancer-)?ircd(/.*)? system_u:object_r:ircd_log_t
-/var/lib/dancer-ircd(/.*)? system_u:object_r:ircd_var_lib_t
-/var/run/dancer-ircd(/.*)? system_u:object_r:ircd_var_run_t
diff --git a/targeted/file_contexts/program/irqbalance.fc b/targeted/file_contexts/program/irqbalance.fc
deleted file mode 100644
index c8494912..00000000
--- a/targeted/file_contexts/program/irqbalance.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# irqbalance
-/usr/sbin/irqbalance -- system_u:object_r:irqbalance_exec_t
diff --git a/targeted/file_contexts/program/jabberd.fc b/targeted/file_contexts/program/jabberd.fc
deleted file mode 100644
index c614cb89..00000000
--- a/targeted/file_contexts/program/jabberd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# jabberd
-/usr/sbin/jabberd -- system_u:object_r:jabberd_exec_t
-/var/lib/jabber(/.*)? system_u:object_r:jabberd_var_lib_t
-/var/log/jabber(/.*)? system_u:object_r:jabberd_log_t
diff --git a/targeted/file_contexts/program/java.fc b/targeted/file_contexts/program/java.fc
deleted file mode 100644
index 8edf85b2..00000000
--- a/targeted/file_contexts/program/java.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# java
-/usr(/.*)?/bin/java.* -- system_u:object_r:java_exec_t
diff --git a/targeted/file_contexts/program/kerberos.fc b/targeted/file_contexts/program/kerberos.fc
deleted file mode 100644
index 2faebe03..00000000
--- a/targeted/file_contexts/program/kerberos.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# MIT Kerberos krbkdc, kadmind
-/etc/krb5\.keytab system_u:object_r:krb5_keytab_t:s0
-/usr(/local)?(/kerberos)?/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t:s0
-/usr(/local)?(/kerberos)?/sbin/kadmind -- system_u:object_r:kadmind_exec_t:s0
-/var/kerberos/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0
-/usr/local/var/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0
-/var/kerberos/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0
-/usr/local/var/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0
-/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t:s0
-/var/log/kadmind\.log system_u:object_r:kadmind_log_t:s0
-/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t:s0
-
-# gentoo file locations
-/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t:s0
-/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t:s0
-/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t:s0
-/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t:s0
-/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t:s0
-/var/log/kadmin.log -- system_u:object_r:kadmind_log_t:s0
-
diff --git a/targeted/file_contexts/program/klogd.fc b/targeted/file_contexts/program/klogd.fc
deleted file mode 100644
index 5fcdf291..00000000
--- a/targeted/file_contexts/program/klogd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# klogd
-/sbin/klogd -- system_u:object_r:klogd_exec_t:s0
-/usr/sbin/klogd -- system_u:object_r:klogd_exec_t:s0
-/var/run/klogd\.pid -- system_u:object_r:klogd_var_run_t:s0
diff --git a/targeted/file_contexts/program/ktalkd.fc b/targeted/file_contexts/program/ktalkd.fc
deleted file mode 100644
index 33973fdf..00000000
--- a/targeted/file_contexts/program/ktalkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# kde talk daemon
-/usr/bin/ktalkd -- system_u:object_r:ktalkd_exec_t:s0
diff --git a/targeted/file_contexts/program/kudzu.fc b/targeted/file_contexts/program/kudzu.fc
deleted file mode 100644
index 3602a309..00000000
--- a/targeted/file_contexts/program/kudzu.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# kudzu
-(/usr)?/sbin/kudzu -- system_u:object_r:kudzu_exec_t:s0
-/sbin/kmodule -- system_u:object_r:kudzu_exec_t:s0
-/var/run/Xconfig -- root:object_r:kudzu_var_run_t:s0
diff --git a/targeted/file_contexts/program/lcd.fc b/targeted/file_contexts/program/lcd.fc
deleted file mode 100644
index 4294d442..00000000
--- a/targeted/file_contexts/program/lcd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lcd
-/usr/sbin/lcd.* -- system_u:object_r:lcd_exec_t
diff --git a/targeted/file_contexts/program/ldconfig.fc b/targeted/file_contexts/program/ldconfig.fc
deleted file mode 100644
index 1f82fcfe..00000000
--- a/targeted/file_contexts/program/ldconfig.fc
+++ /dev/null
@@ -1 +0,0 @@
-/sbin/ldconfig -- system_u:object_r:ldconfig_exec_t:s0
diff --git a/targeted/file_contexts/program/load_policy.fc b/targeted/file_contexts/program/load_policy.fc
deleted file mode 100644
index a4c98cee..00000000
--- a/targeted/file_contexts/program/load_policy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# load_policy
-/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t:s0
-/sbin/load_policy -- system_u:object_r:load_policy_exec_t:s0
diff --git a/targeted/file_contexts/program/loadkeys.fc b/targeted/file_contexts/program/loadkeys.fc
deleted file mode 100644
index f440f3c3..00000000
--- a/targeted/file_contexts/program/loadkeys.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# loadkeys
-/bin/unikeys -- system_u:object_r:loadkeys_exec_t
-/bin/loadkeys -- system_u:object_r:loadkeys_exec_t
diff --git a/targeted/file_contexts/program/lockdev.fc b/targeted/file_contexts/program/lockdev.fc
deleted file mode 100644
index 9185bec5..00000000
--- a/targeted/file_contexts/program/lockdev.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lockdev
-/usr/sbin/lockdev -- system_u:object_r:lockdev_exec_t
diff --git a/targeted/file_contexts/program/login.fc b/targeted/file_contexts/program/login.fc
deleted file mode 100644
index ab8bf1ad..00000000
--- a/targeted/file_contexts/program/login.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# login
-/bin/login -- system_u:object_r:login_exec_t:s0
-/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
diff --git a/targeted/file_contexts/program/logrotate.fc b/targeted/file_contexts/program/logrotate.fc
deleted file mode 100644
index a7c9ea3c..00000000
--- a/targeted/file_contexts/program/logrotate.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# logrotate
-/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t
-/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t
-ifdef(`distro_debian', `
-/usr/bin/savelog -- system_u:object_r:logrotate_exec_t
-/var/lib/logrotate(/.*)? system_u:object_r:logrotate_var_lib_t
-', `
-/var/lib/logrotate\.status -- system_u:object_r:logrotate_var_lib_t
-')
-/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
-/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
diff --git a/targeted/file_contexts/program/lpd.fc b/targeted/file_contexts/program/lpd.fc
deleted file mode 100644
index da61bf4c..00000000
--- a/targeted/file_contexts/program/lpd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# lpd
-/dev/printer -s system_u:object_r:printer_t:s0
-/usr/sbin/lpd -- system_u:object_r:lpd_exec_t:s0
-/usr/sbin/checkpc -- system_u:object_r:checkpc_exec_t:s0
-/var/spool/lpd(/.*)? system_u:object_r:print_spool_t:s0
-/usr/share/printconf/.* -- system_u:object_r:printconf_t:s0
-/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t:s0
-/var/run/lprng(/.*)? system_u:object_r:lpd_var_run_t:s0
diff --git a/targeted/file_contexts/program/lpr.fc b/targeted/file_contexts/program/lpr.fc
deleted file mode 100644
index 618ddcc2..00000000
--- a/targeted/file_contexts/program/lpr.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# lp utilities.
-/usr/bin/lpr(\.cups)? -- system_u:object_r:lpr_exec_t
-/usr/bin/lpq(\.cups)? -- system_u:object_r:lpr_exec_t
-/usr/bin/lprm(\.cups)? -- system_u:object_r:lpr_exec_t
diff --git a/targeted/file_contexts/program/lrrd.fc b/targeted/file_contexts/program/lrrd.fc
deleted file mode 100644
index 08494fc9..00000000
--- a/targeted/file_contexts/program/lrrd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# lrrd
-/usr/bin/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/sbin/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/lrrd-.* -- system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/plugins/.* -- system_u:object_r:lrrd_exec_t
-/var/run/lrrd(/.*)? system_u:object_r:lrrd_var_run_t
-/var/log/lrrd.* -- system_u:object_r:lrrd_log_t
-/var/lib/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t
-/var/www/lrrd(/.*)? system_u:object_r:lrrd_var_lib_t
-/etc/lrrd(/.*)? system_u:object_r:lrrd_etc_t
diff --git a/targeted/file_contexts/program/lvm.fc b/targeted/file_contexts/program/lvm.fc
deleted file mode 100644
index 648beb05..00000000
--- a/targeted/file_contexts/program/lvm.fc
+++ /dev/null
@@ -1,69 +0,0 @@
-# lvm
-/sbin/lvmiopversion -- system_u:object_r:lvm_exec_t
-/etc/lvm(/.*)? system_u:object_r:lvm_etc_t
-/etc/lvm/\.cache -- system_u:object_r:lvm_metadata_t
-/etc/lvm/archive(/.*)? system_u:object_r:lvm_metadata_t
-/etc/lvm/backup(/.*)? system_u:object_r:lvm_metadata_t
-/etc/lvmtab(/.*)? system_u:object_r:lvm_metadata_t
-/etc/lvmtab\.d(/.*)? system_u:object_r:lvm_metadata_t
-# LVM creates lock files in /var before /var is mounted
-# configure LVM to put lockfiles in /etc/lvm/lock instead
-# for this policy to work (unless you have no separate /var)
-/etc/lvm/lock(/.*)? system_u:object_r:lvm_lock_t
-/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t
-/dev/lvm -c system_u:object_r:fixed_disk_device_t
-/dev/mapper/control -c system_u:object_r:lvm_control_t
-/lib/lvm-10/.* -- system_u:object_r:lvm_exec_t
-/lib/lvm-200/.* -- system_u:object_r:lvm_exec_t
-/sbin/e2fsadm -- system_u:object_r:lvm_exec_t
-/sbin/lvchange -- system_u:object_r:lvm_exec_t
-/sbin/lvcreate -- system_u:object_r:lvm_exec_t
-/sbin/lvdisplay -- system_u:object_r:lvm_exec_t
-/sbin/lvextend -- system_u:object_r:lvm_exec_t
-/sbin/lvmchange -- system_u:object_r:lvm_exec_t
-/sbin/lvmdiskscan -- system_u:object_r:lvm_exec_t
-/sbin/lvmsadc -- system_u:object_r:lvm_exec_t
-/sbin/lvmsar -- system_u:object_r:lvm_exec_t
-/sbin/lvreduce -- system_u:object_r:lvm_exec_t
-/sbin/lvremove -- system_u:object_r:lvm_exec_t
-/sbin/lvrename -- system_u:object_r:lvm_exec_t
-/sbin/lvscan -- system_u:object_r:lvm_exec_t
-/sbin/pvchange -- system_u:object_r:lvm_exec_t
-/sbin/pvcreate -- system_u:object_r:lvm_exec_t
-/sbin/pvdata -- system_u:object_r:lvm_exec_t
-/sbin/pvdisplay -- system_u:object_r:lvm_exec_t
-/sbin/pvmove -- system_u:object_r:lvm_exec_t
-/sbin/pvscan -- system_u:object_r:lvm_exec_t
-/sbin/vgcfgbackup -- system_u:object_r:lvm_exec_t
-/sbin/vgcfgrestore -- system_u:object_r:lvm_exec_t
-/sbin/vgchange -- system_u:object_r:lvm_exec_t
-/sbin/vgchange\.static -- system_u:object_r:lvm_exec_t
-/sbin/vgck -- system_u:object_r:lvm_exec_t
-/sbin/vgcreate -- system_u:object_r:lvm_exec_t
-/sbin/vgdisplay -- system_u:object_r:lvm_exec_t
-/sbin/vgexport -- system_u:object_r:lvm_exec_t
-/sbin/vgextend -- system_u:object_r:lvm_exec_t
-/sbin/vgimport -- system_u:object_r:lvm_exec_t
-/sbin/vgmerge -- system_u:object_r:lvm_exec_t
-/sbin/vgmknodes -- system_u:object_r:lvm_exec_t
-/sbin/vgreduce -- system_u:object_r:lvm_exec_t
-/sbin/vgremove -- system_u:object_r:lvm_exec_t
-/sbin/vgrename -- system_u:object_r:lvm_exec_t
-/sbin/vgscan -- system_u:object_r:lvm_exec_t
-/sbin/vgscan\.static -- system_u:object_r:lvm_exec_t
-/sbin/vgsplit -- system_u:object_r:lvm_exec_t
-/sbin/vgwrapper -- system_u:object_r:lvm_exec_t
-/sbin/cryptsetup -- system_u:object_r:lvm_exec_t
-/sbin/dmsetup -- system_u:object_r:lvm_exec_t
-/sbin/dmsetup\.static -- system_u:object_r:lvm_exec_t
-/sbin/lvm -- system_u:object_r:lvm_exec_t
-/sbin/lvm\.static -- system_u:object_r:lvm_exec_t
-/usr/sbin/lvm -- system_u:object_r:lvm_exec_t
-/sbin/lvresize -- system_u:object_r:lvm_exec_t
-/sbin/lvs -- system_u:object_r:lvm_exec_t
-/sbin/pvremove -- system_u:object_r:lvm_exec_t
-/sbin/pvs -- system_u:object_r:lvm_exec_t
-/sbin/vgs -- system_u:object_r:lvm_exec_t
-/sbin/multipathd -- system_u:object_r:lvm_exec_t
-/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
-/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t
diff --git a/targeted/file_contexts/program/mailman.fc b/targeted/file_contexts/program/mailman.fc
deleted file mode 100644
index d8d5b4b7..00000000
--- a/targeted/file_contexts/program/mailman.fc
+++ /dev/null
@@ -1,24 +0,0 @@
-# mailman list server
-/var/lib/mailman(/.*)? system_u:object_r:mailman_data_t:s0
-/var/log/mailman(/.*)? system_u:object_r:mailman_log_t:s0
-/usr/lib/mailman/cron/.* -- system_u:object_r:mailman_queue_exec_t:s0
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t:s0
-/var/run/mailman(/.*)? system_u:object_r:mailman_lock_t:s0
-/var/lib/mailman/archives(/.*)? system_u:object_r:mailman_archive_t:s0
-
-ifdef(`distro_debian', `
-/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t:s0
-/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0
-/usr/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0
-/etc/cron\.daily/mailman -- system_u:object_r:mailman_queue_exec_t:s0
-/etc/cron\.monthly/mailman -- system_u:object_r:mailman_queue_exec_t:s0
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t:s0
-/var/lock/mailman(/.*)? system_u:object_r:mailman_lock_t:s0
-/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t:s0
-/usr/lib/mailman/bin/qrunner -- system_u:object_r:mailman_queue_exec_t:s0
-/etc/mailman(/.*)? system_u:object_r:mailman_data_t:s0
-/var/spool/mailman(/.*)? system_u:object_r:mailman_data_t:s0
-')
diff --git a/targeted/file_contexts/program/mdadm.fc b/targeted/file_contexts/program/mdadm.fc
deleted file mode 100644
index 7ca9f0d4..00000000
--- a/targeted/file_contexts/program/mdadm.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# mdadm - manage MD devices aka Linux Software Raid.
-/sbin/mdmpd -- system_u:object_r:mdadm_exec_t
-/sbin/mdadm -- system_u:object_r:mdadm_exec_t
-/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
diff --git a/targeted/file_contexts/program/modutil.fc b/targeted/file_contexts/program/modutil.fc
deleted file mode 100644
index 0c881795..00000000
--- a/targeted/file_contexts/program/modutil.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# module utilities
-/etc/modules\.conf.* -- system_u:object_r:modules_conf_t:s0
-/etc/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0
-/lib(64)?/modules/modprobe\.conf -- system_u:object_r:modules_conf_t:s0
-/lib(64)?/modules(/.*)? system_u:object_r:modules_object_t:s0
-/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t:s0
-/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0
-/sbin/depmod.* -- system_u:object_r:depmod_exec_t:s0
-/sbin/modprobe.* -- system_u:object_r:insmod_exec_t:s0
-/sbin/insmod.* -- system_u:object_r:insmod_exec_t:s0
-/sbin/insmod_ksymoops_clean -- system_u:object_r:sbin_t:s0
-/sbin/rmmod.* -- system_u:object_r:insmod_exec_t:s0
-/sbin/update-modules -- system_u:object_r:update_modules_exec_t:s0
-/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t:s0
diff --git a/targeted/file_contexts/program/monopd.fc b/targeted/file_contexts/program/monopd.fc
deleted file mode 100644
index 457493e2..00000000
--- a/targeted/file_contexts/program/monopd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# monopd
-/etc/monopd\.conf -- system_u:object_r:monopd_etc_t
-/usr/sbin/monopd -- system_u:object_r:monopd_exec_t
-/usr/share/monopd/games(/.*)? system_u:object_r:monopd_share_t
diff --git a/targeted/file_contexts/program/mount.fc b/targeted/file_contexts/program/mount.fc
deleted file mode 100644
index 7b1ca140..00000000
--- a/targeted/file_contexts/program/mount.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# mount
-/bin/mount.* -- system_u:object_r:mount_exec_t
-/bin/umount.* -- system_u:object_r:mount_exec_t
diff --git a/targeted/file_contexts/program/mozilla.fc b/targeted/file_contexts/program/mozilla.fc
deleted file mode 100644
index 2b533a62..00000000
--- a/targeted/file_contexts/program/mozilla.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# netscape/mozilla
-HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t
-/usr/bin/netscape -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-snapshot -- system_u:object_r:mozilla_exec_t
-/usr/bin/epiphany-bin -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-[0-9].* -- system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-bin-[0-9].* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/reg.+ -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/firefox[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- system_u:object_r:bin_t
-/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --git a/targeted/file_contexts/program/mplayer.fc b/targeted/file_contexts/program/mplayer.fc
deleted file mode 100644
index 10465aa5..00000000
--- a/targeted/file_contexts/program/mplayer.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# mplayer
-/usr/bin/mplayer -- system_u:object_r:mplayer_exec_t
-/usr/bin/mencoder -- system_u:object_r:mencoder_exec_t
-
-/etc/mplayer(/.*)? system_u:object_r:mplayer_etc_t
-HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_home_t
diff --git a/targeted/file_contexts/program/mrtg.fc b/targeted/file_contexts/program/mrtg.fc
deleted file mode 100644
index adfecff5..00000000
--- a/targeted/file_contexts/program/mrtg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# mrtg - traffic grapher
-/usr/bin/mrtg -- system_u:object_r:mrtg_exec_t
-/var/lib/mrtg(/.*)? system_u:object_r:mrtg_var_lib_t
-/var/lock/mrtg(/.*)? system_u:object_r:mrtg_lock_t
-/etc/mrtg.* system_u:object_r:mrtg_etc_t
-/etc/mrtg/mrtg\.ok -- system_u:object_r:mrtg_lock_t
-/var/log/mrtg(/.*)? system_u:object_r:mrtg_log_t
diff --git a/targeted/file_contexts/program/mta.fc b/targeted/file_contexts/program/mta.fc
deleted file mode 100644
index 68b30e88..00000000
--- a/targeted/file_contexts/program/mta.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# types for general mail servers
-/usr/sbin/sendmail(.sendmail)? -- system_u:object_r:sendmail_exec_t:s0
-/usr/lib(64)?/sendmail -- system_u:object_r:sendmail_exec_t:s0
-/etc/aliases -- system_u:object_r:etc_aliases_t:s0
-/etc/aliases\.db -- system_u:object_r:etc_aliases_t:s0
-/var/spool/mail(/.*)? system_u:object_r:mail_spool_t:s0
-/var/mail(/.*)? system_u:object_r:mail_spool_t:s0
-ifdef(`postfix.te', `', `
-/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t:s0
-/var/spool/postfix(/.*)? system_u:object_r:mail_spool_t:s0
-')
-
diff --git a/targeted/file_contexts/program/mysqld.fc b/targeted/file_contexts/program/mysqld.fc
deleted file mode 100644
index 22933da5..00000000
--- a/targeted/file_contexts/program/mysqld.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# mysql database server
-/usr/sbin/mysqld(-max)? -- system_u:object_r:mysqld_exec_t:s0
-/usr/libexec/mysqld -- system_u:object_r:mysqld_exec_t:s0
-/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t:s0
-/var/log/mysql.* -- system_u:object_r:mysqld_log_t:s0
-/var/lib/mysql(/.*)? system_u:object_r:mysqld_db_t:s0
-/var/lib/mysql/mysql\.sock -s system_u:object_r:mysqld_var_run_t:s0
-/etc/my\.cnf -- system_u:object_r:mysqld_etc_t:s0
-/etc/mysql(/.*)? system_u:object_r:mysqld_etc_t:s0
-ifdef(`distro_debian', `
-/etc/mysql/debian-start -- system_u:object_r:bin_t:s0
-')
diff --git a/targeted/file_contexts/program/nagios.fc b/targeted/file_contexts/program/nagios.fc
deleted file mode 100644
index 6a8a22df..00000000
--- a/targeted/file_contexts/program/nagios.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# nagios - network monitoring server
-/var/log/netsaint(/.*)? system_u:object_r:nagios_log_t
-/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- system_u:object_r:nagios_cgi_exec_t
-# nagios
-ifdef(`distro_debian', `
-/usr/sbin/nagios -- system_u:object_r:nagios_exec_t
-/usr/lib/cgi-bin/nagios/.+ -- system_u:object_r:nagios_cgi_exec_t
-', `
-/usr/bin/nagios -- system_u:object_r:nagios_exec_t
-/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t
-')
-/etc/nagios(/.*)? system_u:object_r:nagios_etc_t
-/var/log/nagios(/.*)? system_u:object_r:nagios_log_t
-/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
diff --git a/targeted/file_contexts/program/named.fc b/targeted/file_contexts/program/named.fc
deleted file mode 100644
index b94d6419..00000000
--- a/targeted/file_contexts/program/named.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# named
-ifdef(`distro_redhat', `
-/var/named(/.*)? system_u:object_r:named_zone_t:s0
-/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/data(/.*)? system_u:object_r:named_cache_t:s0
-/etc/named\.conf -- system_u:object_r:named_conf_t:s0
-') dnl end distro_redhat
-
-ifdef(`distro_debian', `
-/etc/bind(/.*)? system_u:object_r:named_zone_t:s0
-/etc/bind/named\.conf -- system_u:object_r:named_conf_t:s0
-/etc/bind/rndc\.key -- system_u:object_r:dnssec_t:s0
-/var/cache/bind(/.*)? system_u:object_r:named_cache_t:s0
-') dnl distro_debian
-
-/etc/rndc.* -- system_u:object_r:named_conf_t:s0
-/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
-/usr/sbin/named -- system_u:object_r:named_exec_t:s0
-/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t:s0
-/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t:s0
-/var/run/ndc -s system_u:object_r:named_var_run_t:s0
-/var/run/bind(/.*)? system_u:object_r:named_var_run_t:s0
-/var/run/named(/.*)? system_u:object_r:named_var_run_t:s0
-/usr/sbin/lwresd -- system_u:object_r:named_exec_t:s0
-/var/log/named.* -- system_u:object_r:named_log_t:s0
-
-ifdef(`distro_redhat', `
-/var/named/named\.ca -- system_u:object_r:named_conf_t:s0
-/var/named/chroot(/.*)? system_u:object_r:named_conf_t:s0
-/var/named/chroot/dev/null -c system_u:object_r:null_device_t:s0
-/var/named/chroot/dev/random -c system_u:object_r:random_device_t:s0
-/var/named/chroot/dev/zero -c system_u:object_r:zero_device_t:s0
-/var/named/chroot/etc(/.*)? system_u:object_r:named_conf_t:s0
-/var/named/chroot/etc/rndc.key -- system_u:object_r:dnssec_t:s0
-/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t:s0
-/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named(/.*)? system_u:object_r:named_zone_t:s0
-/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named/named\.ca -- system_u:object_r:named_conf_t:s0
-') dnl distro_redhat
-
-ifdef(`distro_gentoo', `
-/etc/bind(/.*)? system_u:object_r:named_zone_t:s0
-/etc/bind/named\.conf -- system_u:object_r:named_conf_t:s0
-/etc/bind/rndc\.key -- system_u:object_r:dnssec_t:s0
-/var/bind(/.*)? system_u:object_r:named_cache_t:s0
-/var/bind/pri(/.*)? system_u:object_r:named_zone_t:s0
-') dnl distro_gentoo
diff --git a/targeted/file_contexts/program/nessusd.fc b/targeted/file_contexts/program/nessusd.fc
deleted file mode 100644
index adec00b2..00000000
--- a/targeted/file_contexts/program/nessusd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# nessusd - network scanning server
-/usr/sbin/nessusd -- system_u:object_r:nessusd_exec_t
-/usr/lib(64)?/nessus/plugins/.* -- system_u:object_r:nessusd_exec_t
-/var/lib/nessus(/.*)? system_u:object_r:nessusd_db_t
-/var/log/nessus(/.*)? system_u:object_r:nessusd_log_t
-/etc/nessus/nessusd\.conf -- system_u:object_r:nessusd_etc_t
diff --git a/targeted/file_contexts/program/netutils.fc b/targeted/file_contexts/program/netutils.fc
deleted file mode 100644
index a6ae5d5f..00000000
--- a/targeted/file_contexts/program/netutils.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# network utilities
-/sbin/arping -- system_u:object_r:netutils_exec_t:s0
-/usr/sbin/tcpdump -- system_u:object_r:netutils_exec_t:s0
-/etc/network/ifstate -- system_u:object_r:etc_runtime_t:s0
diff --git a/targeted/file_contexts/program/newrole.fc b/targeted/file_contexts/program/newrole.fc
deleted file mode 100644
index 6b03678a..00000000
--- a/targeted/file_contexts/program/newrole.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# newrole
-/usr/bin/newrole -- system_u:object_r:newrole_exec_t:s0
diff --git a/targeted/file_contexts/program/nrpe.fc b/targeted/file_contexts/program/nrpe.fc
deleted file mode 100644
index 6523cc33..00000000
--- a/targeted/file_contexts/program/nrpe.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nrpe
-/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t
-/etc/nagios/nrpe\.cfg -- system_u:object_r:nrpe_etc_t
-ifdef(`nagios.te', `', `
-/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
-/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
-')
diff --git a/targeted/file_contexts/program/nscd.fc b/targeted/file_contexts/program/nscd.fc
deleted file mode 100644
index aa8af5b0..00000000
--- a/targeted/file_contexts/program/nscd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nscd
-/usr/sbin/nscd -- system_u:object_r:nscd_exec_t:s0
-/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t:s0
-/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t:s0
-/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t:s0
-/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t:s0
-/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t:s0
diff --git a/targeted/file_contexts/program/nsd.fc b/targeted/file_contexts/program/nsd.fc
deleted file mode 100644
index 43b49fe1..00000000
--- a/targeted/file_contexts/program/nsd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# nsd
-/etc/nsd(/.*)? system_u:object_r:nsd_conf_t
-/etc/nsd/primary(/.*)? system_u:object_r:nsd_zone_t
-/etc/nsd/secondary(/.*)? system_u:object_r:nsd_zone_t
-/etc/nsd/nsd\.db -- system_u:object_r:nsd_db_t
-/var/lib/nsd(/.*)? system_u:object_r:nsd_zone_t
-/var/lib/nsd/nsd\.db -- system_u:object_r:nsd_db_t
-/usr/sbin/nsd -- system_u:object_r:nsd_exec_t
-/usr/sbin/nsdc -- system_u:object_r:nsd_exec_t
-/usr/sbin/nsd-notify -- system_u:object_r:nsd_exec_t
-/usr/sbin/zonec -- system_u:object_r:nsd_exec_t
-/var/run/nsd\.pid -- system_u:object_r:nsd_var_run_t
diff --git a/targeted/file_contexts/program/ntpd.fc b/targeted/file_contexts/program/ntpd.fc
deleted file mode 100644
index b9040bb2..00000000
--- a/targeted/file_contexts/program/ntpd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t:s0
-/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t:s0
-/etc/ntp(d)?\.conf.* -- system_u:object_r:net_conf_t:s0
-/etc/ntp/step-tickers.* -- system_u:object_r:net_conf_t:s0
-/usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t:s0
-/usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t:s0
-/var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t:s0
-/var/log/ntp.* -- system_u:object_r:ntpd_log_t:s0
-/var/log/xntpd.* -- system_u:object_r:ntpd_log_t:s0
-/var/run/ntpd\.pid -- system_u:object_r:ntpd_var_run_t:s0
-/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t:s0
-/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t:s0
diff --git a/targeted/file_contexts/program/nx_server.fc b/targeted/file_contexts/program/nx_server.fc
deleted file mode 100644
index d9936465..00000000
--- a/targeted/file_contexts/program/nx_server.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# nx
-/opt/NX/bin/nxserver -- system_u:object_r:nx_server_exec_t
-/opt/NX/var(/.*)? system_u:object_r:nx_server_var_run_t
-/opt/NX/home/nx/\.ssh(/.*)? system_u:object_r:nx_server_home_ssh_t
-
diff --git a/targeted/file_contexts/program/oav-update.fc b/targeted/file_contexts/program/oav-update.fc
deleted file mode 100644
index 5e88a02c..00000000
--- a/targeted/file_contexts/program/oav-update.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t
-/var/lib/oav-update(/.*)? system_u:object_r:oav_update_var_lib_t
-/usr/sbin/oav-update -- system_u:object_r:oav_update_exec_t
-/etc/oav-update(/.*)? system_u:object_r:oav_update_etc_t
diff --git a/targeted/file_contexts/program/openca-ca.fc b/targeted/file_contexts/program/openca-ca.fc
deleted file mode 100644
index 99ddefe6..00000000
--- a/targeted/file_contexts/program/openca-ca.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/openca(/.*)? system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t
-/usr/share/openca/cgi-bin/ca/.+ -- system_u:object_r:openca_ca_exec_t
diff --git a/targeted/file_contexts/program/openca-common.fc b/targeted/file_contexts/program/openca-common.fc
deleted file mode 100644
index b75952f9..00000000
--- a/targeted/file_contexts/program/openca-common.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/openca(/.*)? system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)? system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)? system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)? system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)? system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)? system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)? system_u:object_r:httpd_sys_content_t
diff --git a/targeted/file_contexts/program/openct.fc b/targeted/file_contexts/program/openct.fc
deleted file mode 100644
index 43d656e6..00000000
--- a/targeted/file_contexts/program/openct.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/sbin/openct-control -- system_u:object_r:openct_exec_t
-/var/run/openct(/.*)? system_u:object_r:openct_var_run_t
diff --git a/targeted/file_contexts/program/openvpn.fc b/targeted/file_contexts/program/openvpn.fc
deleted file mode 100644
index 34b2992f..00000000
--- a/targeted/file_contexts/program/openvpn.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# OpenVPN
-
-/etc/openvpn/.* -- system_u:object_r:openvpn_etc_t
-/usr/sbin/openvpn -- system_u:object_r:openvpn_exec_t
diff --git a/targeted/file_contexts/program/orbit.fc b/targeted/file_contexts/program/orbit.fc
deleted file mode 100644
index 4afbc83a..00000000
--- a/targeted/file_contexts/program/orbit.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/tmp/orbit-USER(-.*)? -d system_u:object_r:ROLE_orbit_tmp_t
-/tmp/orbit-USER(-.*)?/linc.* -s <>
-/tmp/orbit-USER(-.*)?/bonobo.* -- system_u:object_r:ROLE_orbit_tmp_t
diff --git a/targeted/file_contexts/program/pam.fc b/targeted/file_contexts/program/pam.fc
deleted file mode 100644
index 7209276e..00000000
--- a/targeted/file_contexts/program/pam.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/var/run/sudo(/.*)? system_u:object_r:pam_var_run_t
-/sbin/pam_timestamp_check -- system_u:object_r:pam_exec_t
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t
diff --git a/targeted/file_contexts/program/pamconsole.fc b/targeted/file_contexts/program/pamconsole.fc
deleted file mode 100644
index 75c8c55c..00000000
--- a/targeted/file_contexts/program/pamconsole.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# pam_console_apply
-/sbin/pam_console_apply -- system_u:object_r:pam_console_exec_t
-/var/run/console(/.*)? system_u:object_r:pam_var_console_t
diff --git a/targeted/file_contexts/program/passwd.fc b/targeted/file_contexts/program/passwd.fc
deleted file mode 100644
index 823f9314..00000000
--- a/targeted/file_contexts/program/passwd.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# spasswd
-/usr/bin/passwd -- system_u:object_r:passwd_exec_t:s0
-/usr/bin/chage -- system_u:object_r:passwd_exec_t:s0
-/usr/bin/chsh -- system_u:object_r:chfn_exec_t:s0
-/usr/bin/chfn -- system_u:object_r:chfn_exec_t:s0
-/usr/sbin/vipw -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/vigr -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/bin/vipw -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/bin/vigr -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/pwconv -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t:s0
diff --git a/targeted/file_contexts/program/pegasus.fc b/targeted/file_contexts/program/pegasus.fc
deleted file mode 100644
index f4b9f15c..00000000
--- a/targeted/file_contexts/program/pegasus.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
-/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t:s0
-/usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t:s0
-/etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t:s0
-/var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t:s0
-/var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t:s0
-/usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t:s0
-/etc/Pegasus/pegasus_current.conf system_u:object_r:pegasus_data_t:s0
-
diff --git a/targeted/file_contexts/program/perdition.fc b/targeted/file_contexts/program/perdition.fc
deleted file mode 100644
index a2d2adba..00000000
--- a/targeted/file_contexts/program/perdition.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# perdition POP and IMAP proxy
-/usr/sbin/perdition -- system_u:object_r:perdition_exec_t
-/etc/perdition(/.*)? system_u:object_r:perdition_etc_t
diff --git a/targeted/file_contexts/program/ping.fc b/targeted/file_contexts/program/ping.fc
deleted file mode 100644
index a4ed8cb4..00000000
--- a/targeted/file_contexts/program/ping.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# ping
-/bin/ping.* -- system_u:object_r:ping_exec_t:s0
-/usr/sbin/hping2 -- system_u:object_r:ping_exec_t:s0
diff --git a/targeted/file_contexts/program/portmap.fc b/targeted/file_contexts/program/portmap.fc
deleted file mode 100644
index 60da9948..00000000
--- a/targeted/file_contexts/program/portmap.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# portmap
-/sbin/portmap -- system_u:object_r:portmap_exec_t:s0
-ifdef(`distro_debian', `
-/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t:s0
-/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t:s0
-', `
-/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t:s0
-/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t:s0
-')
-/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t:s0
diff --git a/targeted/file_contexts/program/portslave.fc b/targeted/file_contexts/program/portslave.fc
deleted file mode 100644
index 873334dd..00000000
--- a/targeted/file_contexts/program/portslave.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# portslave
-/usr/sbin/portslave -- system_u:object_r:portslave_exec_t
-/usr/sbin/ctlportslave -- system_u:object_r:portslave_exec_t
-/etc/portslave(/.*)? system_u:object_r:portslave_etc_t
-/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t
diff --git a/targeted/file_contexts/program/postfix.fc b/targeted/file_contexts/program/postfix.fc
deleted file mode 100644
index 300da75b..00000000
--- a/targeted/file_contexts/program/postfix.fc
+++ /dev/null
@@ -1,59 +0,0 @@
-# postfix
-/etc/postfix(/.*)? system_u:object_r:postfix_etc_t:s0
-ifdef(`distro_redhat', `
-/etc/postfix/aliases.* system_u:object_r:etc_aliases_t:s0
-/usr/libexec/postfix/.* -- system_u:object_r:postfix_exec_t:s0
-/usr/libexec/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t:s0
-/usr/libexec/postfix/local -- system_u:object_r:postfix_local_exec_t:s0
-/usr/libexec/postfix/master -- system_u:object_r:postfix_master_exec_t:s0
-/usr/libexec/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t:s0
-/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t:s0
-/usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t:s0
-/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t:s0
-/usr/libexec/postfix/scache -- system_u:object_r:postfix_smtp_exec_t:s0
-/usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t:s0
-/usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t:s0
-/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t:s0
-', `
-/usr/lib/postfix/.* -- system_u:object_r:postfix_exec_t:s0
-/usr/lib/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t:s0
-/usr/lib/postfix/local -- system_u:object_r:postfix_local_exec_t:s0
-/usr/lib/postfix/master -- system_u:object_r:postfix_master_exec_t:s0
-/usr/lib/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t:s0
-/usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t:s0
-/usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t:s0
-/usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t:s0
-/usr/lib/postfix/scache -- system_u:object_r:postfix_smtp_exec_t:s0
-/usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t:s0
-/usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t:s0
-/usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t:s0
-')
-/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t:s0
-/etc/postfix/prng_exch --
system_u:object_r:postfix_prng_t:s0
-/usr/sbin/postalias -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postdrop -- system_u:object_r:postfix_postdrop_exec_t:s0
-/usr/sbin/postfix -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postkick -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postlock -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postlog -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postmap -- system_u:object_r:postfix_map_exec_t:s0
-/usr/sbin/postqueue -- system_u:object_r:postfix_postqueue_exec_t:s0
-/usr/sbin/postsuper -- system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/rmail -- system_u:object_r:sendmail_exec_t:s0
-/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t:s0
-/var/spool/postfix(/.*)? system_u:object_r:postfix_spool_t:s0
-/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0
-/var/spool/postfix/pid -d system_u:object_r:var_run_t:s0
-/var/spool/postfix/pid/.* system_u:object_r:postfix_var_run_t:s0
-/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t:s0
-/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
-/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
-/var/spool/postfix/flush(/.*)? system_u:object_r:postfix_spool_flush_t:s0
-/var/spool/postfix/etc(/.*)? system_u:object_r:etc_t:s0
-/var/spool/postfix/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/var/spool/postfix/usr(/.*)? system_u:object_r:lib_t:s0
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t:s0
-/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t:s0
diff --git a/targeted/file_contexts/program/postgresql.fc b/targeted/file_contexts/program/postgresql.fc
deleted file mode 100644
index 635a74a2..00000000
--- a/targeted/file_contexts/program/postgresql.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# postgresql - database server
-/usr/lib(64)?/postgresql/bin/.* -- system_u:object_r:postgresql_exec_t:s0
-/usr/bin/postgres -- system_u:object_r:postgresql_exec_t:s0
-/usr/bin/initdb -- system_u:object_r:postgresql_exec_t:s0
-
-/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t:s0
-/var/lib/pgsql/data(/.*)? system_u:object_r:postgresql_db_t:s0
-/var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t:s0
-/etc/postgresql(/.*)? system_u:object_r:postgresql_etc_t:s0
-/var/log/postgres\.log.* -- system_u:object_r:postgresql_log_t:s0
-/var/log/postgresql(/.*)? system_u:object_r:postgresql_log_t:s0
-/var/lib/pgsql/pgstartup.log system_u:object_r:postgresql_log_t:s0
-/usr/lib/pgsql/test/regres(/.*)? system_u:object_r:postgresql_db_t:s0
-/usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t:s0
-/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t:s0
-/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t:s0
-/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t:s0
-')
diff --git a/targeted/file_contexts/program/postgrey.fc b/targeted/file_contexts/program/postgrey.fc
deleted file mode 100644
index 89e43fd0..00000000
--- a/targeted/file_contexts/program/postgrey.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# postgrey - postfix grey-listing server
-/usr/sbin/postgrey -- system_u:object_r:postgrey_exec_t
-/var/run/postgrey\.pid -- system_u:object_r:postgrey_var_run_t
-/etc/postgrey(/.*)? system_u:object_r:postgrey_etc_t
-/var/lib/postgrey(/.*)? system_u:object_r:postgrey_var_lib_t
diff --git a/targeted/file_contexts/program/pppd.fc b/targeted/file_contexts/program/pppd.fc
deleted file mode 100644
index 87e3cb75..00000000
--- a/targeted/file_contexts/program/pppd.fc
+++ /dev/null
@@ -1,25 +0,0 @@
-# pppd
-/usr/sbin/pppd -- system_u:object_r:pppd_exec_t:s0
-/usr/sbin/pptp -- system_u:object_r:pptp_exec_t:s0
-/usr/sbin/ipppd -- system_u:object_r:pppd_exec_t:s0
-/dev/ppp -c system_u:object_r:ppp_device_t:s0
-/dev/pppox.* -c system_u:object_r:ppp_device_t:s0
-/dev/ippp.* -c system_u:object_r:ppp_device_t:s0
-/var/run/pppd[0-9]*\.tdb -- system_u:object_r:pppd_var_run_t:s0
-/var/run/ppp(/.*)? system_u:object_r:pppd_var_run_t:s0
-/etc/ppp -d system_u:object_r:pppd_etc_t:s0
-/etc/ppp/.* -- system_u:object_r:pppd_etc_rw_t:s0
-/etc/ppp/.*secrets -- system_u:object_r:pppd_secret_t:s0
-/var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t:s0
-/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t:s0
-/var/log/ppp/.* -- system_u:object_r:pppd_log_t:s0
-/etc/ppp/ip-down\..* -- system_u:object_r:bin_t:s0
-/etc/ppp/ip-up\..* -- system_u:object_r:bin_t:s0
-/etc/ppp/ipv6-up\..* -- system_u:object_r:bin_t:s0
-/etc/ppp/ipv6-down\..* -- system_u:object_r:bin_t:s0
-/etc/ppp/plugins/rp-pppoe\.so -- system_u:object_r:shlib_t:s0
-/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t:s0
-# Fix pptp sockets
-/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t:s0
-# Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t:s0
diff --git a/targeted/file_contexts/program/prelink.fc b/targeted/file_contexts/program/prelink.fc
deleted file mode 100644
index 331e315e..00000000
--- a/targeted/file_contexts/program/prelink.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# prelink - prelink ELF shared libraries and binaries to speed up startup time
-/usr/sbin/prelink -- system_u:object_r:prelink_exec_t
-ifdef(`distro_debian', `
-/usr/sbin/prelink\.bin -- system_u:object_r:prelink_exec_t
-')
-/etc/prelink\.conf -- system_u:object_r:etc_prelink_t
-/var/log/prelink\.log -- system_u:object_r:prelink_log_t
-/etc/prelink\.cache -- system_u:object_r:prelink_cache_t
diff --git a/targeted/file_contexts/program/privoxy.fc b/targeted/file_contexts/program/privoxy.fc
deleted file mode 100644
index d8d56479..00000000
--- a/targeted/file_contexts/program/privoxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# privoxy
-/usr/sbin/privoxy -- system_u:object_r:privoxy_exec_t:s0
-/var/log/privoxy(/.*)? system_u:object_r:privoxy_log_t:s0
diff --git a/targeted/file_contexts/program/procmail.fc b/targeted/file_contexts/program/procmail.fc
deleted file mode 100644
index 543602db..00000000
--- a/targeted/file_contexts/program/procmail.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# procmail
-/usr/bin/procmail -- system_u:object_r:procmail_exec_t
diff --git a/targeted/file_contexts/program/publicfile.fc b/targeted/file_contexts/program/publicfile.fc
deleted file mode 100644
index dc32249e..00000000
--- a/targeted/file_contexts/program/publicfile.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-/usr/bin/ftpd -- system_u:object_r:publicfile_exec_t
-/usr/bin/httpd -- system_u:object_r:publicfile_exec_t
-/usr/bin/publicfile-conf -- system_u:object_r:publicfile_exec_t
-
-# this is the place where online content located
-# set this to suit your needs
-#/var/www(/.*)? system_u:object_r:publicfile_content_t
-
diff --git a/targeted/file_contexts/program/pxe.fc b/targeted/file_contexts/program/pxe.fc
deleted file mode 100644
index 165076ae..00000000
--- a/targeted/file_contexts/program/pxe.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# pxe network boot server
-/usr/sbin/pxe -- system_u:object_r:pxe_exec_t
-/var/log/pxe\.log -- system_u:object_r:pxe_log_t
-/var/run/pxe\.pid -- system_u:object_r:pxe_var_run_t
-
diff --git a/targeted/file_contexts/program/pyzor.fc b/targeted/file_contexts/program/pyzor.fc
deleted file mode 100644
index ff622957..00000000
--- a/targeted/file_contexts/program/pyzor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/pyzor(/.*)? system_u:object_r:pyzor_etc_t
-/usr/bin/pyzor -- system_u:object_r:pyzor_exec_t
-/usr/bin/pyzord -- system_u:object_r:pyzord_exec_t
-/var/lib/pyzord(/.*)? system_u:object_r:pyzor_var_lib_t
-/var/log/pyzord.log -- system_u:object_r:pyzord_log_t
-HOME_DIR/\.pyzor(/.*)? system_u:object_r:ROLE_pyzor_home_t
diff --git a/targeted/file_contexts/program/qmail.fc b/targeted/file_contexts/program/qmail.fc
deleted file mode 100644
index 7704ed76..00000000
--- a/targeted/file_contexts/program/qmail.fc
+++ /dev/null
@@ -1,38 +0,0 @@
-# qmail - Debian locations
-/etc/qmail(/.*)? system_u:object_r:qmail_etc_t
-/var/qmail(/.*)? system_u:object_r:qmail_etc_t
-/var/spool/qmail(/.*)? system_u:object_r:qmail_spool_t
-/usr/sbin/qmail-start -- system_u:object_r:qmail_start_exec_t
-/usr/sbin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t
-/usr/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t
-/usr/sbin/qmail-inject -- system_u:object_r:qmail_inject_exec_t
-/usr/sbin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t
-/usr/sbin/qmail-queue -- system_u:object_r:qmail_queue_exec_t
-/usr/sbin/qmail-local -- system_u:object_r:qmail_local_exec_t
-/usr/sbin/qmail-clean -- system_u:object_r:qmail_clean_exec_t
-/usr/sbin/qmail-send -- system_u:object_r:qmail_send_exec_t
-/usr/sbin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t
-/usr/sbin/qmail-remote -- system_u:object_r:qmail_remote_exec_t
-/usr/sbin/qmail-qread -- system_u:object_r:qmail_qread_exec_t
-/usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t
-/usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t
-/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
-# qmail - djb locations
-/var/qmail/control(/.*)? system_u:object_r:qmail_etc_t
-/var/qmail/bin -d system_u:object_r:bin_t
-/var/qmail/queue(/.*)?
system_u:object_r:qmail_spool_t
-/var/qmail/bin/qmail-lspawn -- system_u:object_r:qmail_lspawn_exec_t
-/var/qmail/bin/tcp-env -- system_u:object_r:qmail_tcp_env_exec_t
-/var/qmail/bin/qmail-inject -- system_u:object_r:qmail_inject_exec_t
-/var/qmail/bin/qmail-smtpd -- system_u:object_r:qmail_smtpd_exec_t
-/var/qmail/bin/qmail-queue -- system_u:object_r:qmail_queue_exec_t
-/var/qmail/bin/qmail-local -- system_u:object_r:qmail_local_exec_t
-/var/qmail/bin/qmail-clean -- system_u:object_r:qmail_clean_exec_t
-/var/qmail/bin/qmail-send -- system_u:object_r:qmail_send_exec_t
-/var/qmail/bin/qmail-rspawn -- system_u:object_r:qmail_rspawn_exec_t
-/var/qmail/bin/qmail-remote -- system_u:object_r:qmail_remote_exec_t
-/var/qmail/bin/qmail-qread -- system_u:object_r:qmail_qread_exec_t
-/var/qmail/bin/qmail-start -- system_u:object_r:qmail_start_exec_t
-/var/qmail/rc -- system_u:object_r:bin_t
-/var/qmail/bin/splogger -- system_u:object_r:qmail_splogger_exec_t
-/var/qmail/bin/qmail-getpw -- system_u:object_r:qmail_exec_t
diff --git a/targeted/file_contexts/program/quota.fc b/targeted/file_contexts/program/quota.fc
deleted file mode 100644
index f91f1a43..00000000
--- a/targeted/file_contexts/program/quota.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# quota system
-/var/lib/quota(/.*)? system_u:object_r:quota_flag_t
-/sbin/quota(check|on) -- system_u:object_r:quota_exec_t
-ifdef(`distro_redhat', `
-/usr/sbin/convertquota -- system_u:object_r:quota_exec_t
-', `
-/sbin/convertquota -- system_u:object_r:quota_exec_t
-')
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t
-/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t
diff --git a/targeted/file_contexts/program/radius.fc b/targeted/file_contexts/program/radius.fc
deleted file mode 100644
index e3b9d51b..00000000
--- a/targeted/file_contexts/program/radius.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# radius
-/etc/raddb(/.*)? system_u:object_r:radiusd_etc_t:s0
-/usr/sbin/radiusd -- system_u:object_r:radiusd_exec_t:s0
-/usr/sbin/freeradius -- system_u:object_r:radiusd_exec_t:s0
-/var/log/radiusd-freeradius(/.*)? system_u:object_r:radiusd_log_t:s0
-/var/log/radius\.log.* -- system_u:object_r:radiusd_log_t:s0
-/var/log/radius(/.*)? system_u:object_r:radiusd_log_t:s0
-/var/log/freeradius(/.*)? system_u:object_r:radiusd_log_t:s0
-/var/log/radacct(/.*)? system_u:object_r:radiusd_log_t:s0
-/var/log/radutmp -- system_u:object_r:radiusd_log_t:s0
-/var/log/radwtmp.* -- system_u:object_r:radiusd_log_t:s0
-/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t:s0
-/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t:s0
-/var/run/radiusd\.pid -- system_u:object_r:radiusd_var_run_t:s0
-/var/run/radiusd(/.*)? system_u:object_r:radiusd_var_run_t:s0
diff --git a/targeted/file_contexts/program/radvd.fc b/targeted/file_contexts/program/radvd.fc
deleted file mode 100644
index ab6bc47c..00000000
--- a/targeted/file_contexts/program/radvd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# radvd
-/etc/radvd\.conf -- system_u:object_r:radvd_etc_t:s0
-/usr/sbin/radvd -- system_u:object_r:radvd_exec_t:s0
-/var/run/radvd\.pid -- system_u:object_r:radvd_var_run_t:s0
-/var/run/radvd(/.*)? system_u:object_r:radvd_var_run_t:s0
diff --git a/targeted/file_contexts/program/razor.fc b/targeted/file_contexts/program/razor.fc
deleted file mode 100644
index f3f13469..00000000
--- a/targeted/file_contexts/program/razor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# razor
-/etc/razor(/.*)? system_u:object_r:razor_etc_t
-/usr/bin/razor.* system_u:object_r:razor_exec_t
-/var/lib/razor(/.*)? system_u:object_r:razor_var_lib_t
-/var/log/razor-agent.log system_u:object_r:razor_log_t
-HOME_DIR/\.razor(/.*)? system_u:object_r:ROLE_razor_home_t
diff --git a/targeted/file_contexts/program/rdisc.fc b/targeted/file_contexts/program/rdisc.fc
deleted file mode 100644
index d3f9dcfb..00000000
--- a/targeted/file_contexts/program/rdisc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rdisc
-/sbin/rdisc system_u:object_r:rdisc_exec_t
diff --git a/targeted/file_contexts/program/readahead.fc b/targeted/file_contexts/program/readahead.fc
deleted file mode 100644
index 0755fefa..00000000
--- a/targeted/file_contexts/program/readahead.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
diff --git a/targeted/file_contexts/program/resmgrd.fc b/targeted/file_contexts/program/resmgrd.fc
deleted file mode 100644
index bee4680c..00000000
--- a/targeted/file_contexts/program/resmgrd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# resmgrd
-/sbin/resmgrd -- system_u:object_r:resmgrd_exec_t
-/etc/resmgr\.conf -- system_u:object_r:resmgrd_etc_t
-/var/run/resmgr\.pid -- system_u:object_r:resmgrd_var_run_t
-/var/run/\.resmgr_socket -s system_u:object_r:resmgrd_var_run_t
-
diff --git a/targeted/file_contexts/program/restorecon.fc b/targeted/file_contexts/program/restorecon.fc
deleted file mode 100644
index cd62c784..00000000
--- a/targeted/file_contexts/program/restorecon.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# restorecon
-/sbin/restorecon -- system_u:object_r:restorecon_exec_t:s0
diff --git a/targeted/file_contexts/program/rhgb.fc b/targeted/file_contexts/program/rhgb.fc
deleted file mode 100644
index 118972ef..00000000
--- a/targeted/file_contexts/program/rhgb.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
diff --git a/targeted/file_contexts/program/rlogind.fc b/targeted/file_contexts/program/rlogind.fc
deleted file mode 100644
index ce68e2c9..00000000
--- a/targeted/file_contexts/program/rlogind.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rlogind and telnetd
-/usr/sbin/in\.rlogind -- system_u:object_r:rlogind_exec_t:s0
-/usr/lib(64)?/telnetlogin -- system_u:object_r:rlogind_exec_t:s0
-/usr/kerberos/sbin/klogind -- system_u:object_r:rlogind_exec_t:s0
diff --git a/targeted/file_contexts/program/roundup.fc b/targeted/file_contexts/program/roundup.fc
deleted file mode 100644
index 99b2700b..00000000
--- a/targeted/file_contexts/program/roundup.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/roundup-server -- system_u:object_r:roundup_exec_t
-/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t
diff --git a/targeted/file_contexts/program/rpcd.fc b/targeted/file_contexts/program/rpcd.fc
deleted file mode 100644
index 916cd25f..00000000
--- a/targeted/file_contexts/program/rpcd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# RPC daemons
-/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t:s0
-/usr/sbin/rpc.idmapd -- system_u:object_r:rpcd_exec_t:s0
-/usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t:s0
-/usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t:s0
-/usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t:s0
-/usr/sbin/rpc\.svcgssd -- system_u:object_r:gssd_exec_t:s0
-/usr/sbin/rpc\.mountd -- system_u:object_r:nfsd_exec_t:s0
-/var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t:s0
-/var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t:s0
-/etc/exports -- system_u:object_r:exports_t:s0
-
diff --git a/targeted/file_contexts/program/rpm.fc b/targeted/file_contexts/program/rpm.fc
deleted file mode 100644
index 494fbcfd..00000000
--- a/targeted/file_contexts/program/rpm.fc
+++ /dev/null
@@ -1,29 +0,0 @@
-# rpm
-/var/lib/rpm(/.*)? system_u:object_r:rpm_var_lib_t:s0
-/var/lib/alternatives(/.*)? system_u:object_r:rpm_var_lib_t:s0
-/bin/rpm -- system_u:object_r:rpm_exec_t:s0
-/usr/bin/yum -- system_u:object_r:rpm_exec_t:s0
-/usr/bin/apt-get -- system_u:object_r:rpm_exec_t:s0
-/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t:s0
-/usr/bin/synaptic -- system_u:object_r:rpm_exec_t:s0
-/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmv -- system_u:object_r:bin_t:s0
-/var/log/rpmpkgs.* -- system_u:object_r:rpm_log_t:s0
-/var/log/yum\.log -- system_u:object_r:rpm_log_t:s0
-ifdef(`distro_redhat', `
-/usr/sbin/up2date -- system_u:object_r:rpm_exec_t:s0
-/usr/sbin/rhn_check -- system_u:object_r:rpm_exec_t:s0
-')
-# SuSE
-ifdef(`distro_suse', `
-/usr/bin/online_update -- system_u:object_r:rpm_exec_t:s0
-/sbin/yast2 -- system_u:object_r:rpm_exec_t:s0
-/var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t:s0
-/var/log/YaST2(/.*)? system_u:object_r:rpm_log_t:s0
-')
-
-ifdef(`mls_policy', `
-/sbin/cpio -- system_u:object_r:rpm_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/rshd.fc b/targeted/file_contexts/program/rshd.fc
deleted file mode 100644
index a7141fef..00000000
--- a/targeted/file_contexts/program/rshd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rshd.
-/usr/sbin/in\.rshd -- system_u:object_r:rshd_exec_t:s0
-/usr/sbin/in\.rexecd -- system_u:object_r:rshd_exec_t:s0
-/usr/kerberos/sbin/kshd -- system_u:object_r:rshd_exec_t:s0
diff --git a/targeted/file_contexts/program/rssh.fc b/targeted/file_contexts/program/rssh.fc
deleted file mode 100644
index 16ec3a3b..00000000
--- a/targeted/file_contexts/program/rssh.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rssh
-/usr/bin/rssh -- system_u:object_r:rssh_exec_t
diff --git a/targeted/file_contexts/program/rsync.fc b/targeted/file_contexts/program/rsync.fc
deleted file mode 100644
index edb25f32..00000000
--- a/targeted/file_contexts/program/rsync.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# rsync program
-/usr/bin/rsync -- system_u:object_r:rsync_exec_t:s0
-/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t:s0
diff --git a/targeted/file_contexts/program/samba.fc b/targeted/file_contexts/program/samba.fc
deleted file mode 100644
index 204eb3fe..00000000
--- a/targeted/file_contexts/program/samba.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-# samba scripts
-/usr/sbin/smbd -- system_u:object_r:smbd_exec_t:s0
-/usr/sbin/nmbd -- system_u:object_r:nmbd_exec_t:s0
-/usr/bin/net -- system_u:object_r:samba_net_exec_t:s0
-/etc/samba(/.*)? system_u:object_r:samba_etc_t:s0
-/var/log/samba(/.*)? system_u:object_r:samba_log_t:s0
-/var/cache/samba(/.*)? system_u:object_r:samba_var_t:s0
-/var/lib/samba(/.*)? system_u:object_r:samba_var_t:s0
-/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t:s0
-/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t:s0
-# samba really wants write access to smbpasswd
-/etc/samba/smbpasswd -- system_u:object_r:samba_secrets_t:s0
-/var/run/samba/locking\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/brlock\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/messages\.tdb -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/smbd\.pid -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t:s0
-/var/spool/samba(/.*)? system_u:object_r:samba_var_t:s0
-ifdef(`mount.te', `
-/usr/bin/smbmount -- system_u:object_r:smbmount_exec_t:s0
-/usr/bin/smbmnt -- system_u:object_r:smbmount_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/saslauthd.fc b/targeted/file_contexts/program/saslauthd.fc
deleted file mode 100644
index a8275a6e..00000000
--- a/targeted/file_contexts/program/saslauthd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# saslauthd
-/usr/sbin/saslauthd -- system_u:object_r:saslauthd_exec_t:s0
-/var/run/saslauthd(/.*)? system_u:object_r:saslauthd_var_run_t:s0
diff --git a/targeted/file_contexts/program/scannerdaemon.fc b/targeted/file_contexts/program/scannerdaemon.fc
deleted file mode 100644
index a43bf877..00000000
--- a/targeted/file_contexts/program/scannerdaemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# scannerdaemon
-/usr/sbin/scannerdaemon -- system_u:object_r:scannerdaemon_exec_t
-/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t
-/var/log/scannerdaemon\.log -- system_u:object_r:scannerdaemon_log_t
diff --git a/targeted/file_contexts/program/screen.fc b/targeted/file_contexts/program/screen.fc
deleted file mode 100644
index 0e6e78d6..00000000
--- a/targeted/file_contexts/program/screen.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# screen
-/usr/bin/screen -- system_u:object_r:screen_exec_t
-HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t
-/var/run/screens?/S-[^/]+ -d system_u:object_r:screen_dir_t
-/var/run/screens?/S-[^/]+/.* <>
diff --git a/targeted/file_contexts/program/sendmail.fc b/targeted/file_contexts/program/sendmail.fc
deleted file mode 100644
index ee28318c..00000000
--- a/targeted/file_contexts/program/sendmail.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sendmail
-/etc/mail(/.*)? system_u:object_r:etc_mail_t:s0
-/var/log/sendmail\.st -- system_u:object_r:sendmail_log_t:s0
-/var/log/mail(/.*)? system_u:object_r:sendmail_log_t:s0
-/var/run/sendmail\.pid -- system_u:object_r:sendmail_var_run_t:s0
-/var/run/sm-client\.pid -- system_u:object_r:sendmail_var_run_t:s0
diff --git a/targeted/file_contexts/program/setfiles.fc b/targeted/file_contexts/program/setfiles.fc
deleted file mode 100644
index 45e245be..00000000
--- a/targeted/file_contexts/program/setfiles.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# setfiles
-/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t:s0
-
diff --git a/targeted/file_contexts/program/seuser.fc b/targeted/file_contexts/program/seuser.fc
deleted file mode 100644
index 0c7f71b7..00000000
--- a/targeted/file_contexts/program/seuser.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# seuser
-/usr/bin/seuser -- system_u:object_r:seuser_exec_t
-/usr/apol/seuser\.conf system_u:object_r:seuser_conf_t
-
diff --git a/targeted/file_contexts/program/slapd.fc b/targeted/file_contexts/program/slapd.fc
deleted file mode 100644
index 7c072d19..00000000
--- a/targeted/file_contexts/program/slapd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# slapd - ldap server
-/usr/sbin/slapd -- system_u:object_r:slapd_exec_t:s0
-/var/lib/ldap(/.*)? system_u:object_r:slapd_db_t:s0
-/var/lib/ldap/replog(/.*)? system_u:object_r:slapd_replog_t:s0
-/var/run/slapd\.args -- system_u:object_r:slapd_var_run_t:s0
-/etc/ldap/slapd\.conf -- system_u:object_r:slapd_etc_t:s0
-/var/run/slapd\.pid -- system_u:object_r:slapd_var_run_t:s0
diff --git a/targeted/file_contexts/program/slocate.fc b/targeted/file_contexts/program/slocate.fc
deleted file mode 100644
index 1796c778..00000000
--- a/targeted/file_contexts/program/slocate.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# locate - file locater
-/usr/bin/slocate -- system_u:object_r:locate_exec_t
-/var/lib/slocate(/.*)? system_u:object_r:locate_var_lib_t
-/etc/updatedb\.conf -- system_u:object_r:locate_etc_t
diff --git a/targeted/file_contexts/program/slrnpull.fc b/targeted/file_contexts/program/slrnpull.fc
deleted file mode 100644
index 4c0d36c7..00000000
--- a/targeted/file_contexts/program/slrnpull.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# slrnpull
-/usr/bin/slrnpull -- system_u:object_r:slrnpull_exec_t
-/var/spool/slrnpull(/.*)? system_u:object_r:slrnpull_spool_t
diff --git a/targeted/file_contexts/program/snmpd.fc b/targeted/file_contexts/program/snmpd.fc
deleted file mode 100644
index c81b3fec..00000000
--- a/targeted/file_contexts/program/snmpd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# snmpd
-/usr/sbin/snmp(trap)?d -- system_u:object_r:snmpd_exec_t:s0
-/var/lib/snmp(/.*)? system_u:object_r:snmpd_var_lib_t:s0
-/var/lib/net-snmp(/.*)? system_u:object_r:snmpd_var_lib_t:s0
-/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t:s0
-/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t:s0
-/var/run/snmpd\.pid -- system_u:object_r:snmpd_var_run_t:s0
-/var/run/snmpd -d system_u:object_r:snmpd_var_run_t:s0
-/var/net-snmp(/.*) system_u:object_r:snmpd_var_lib_t:s0
-/var/log/snmpd\.log -- system_u:object_r:snmpd_log_t:s0
diff --git a/targeted/file_contexts/program/snort.fc b/targeted/file_contexts/program/snort.fc
deleted file mode 100644
index a40670c2..00000000
--- a/targeted/file_contexts/program/snort.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# SNORT
-/usr/(s)?bin/snort -- system_u:object_r:snort_exec_t
-/etc/snort(/.*)? system_u:object_r:snort_etc_t
-/var/log/snort(/.*)? system_u:object_r:snort_log_t
diff --git a/targeted/file_contexts/program/sound-server.fc b/targeted/file_contexts/program/sound-server.fc
deleted file mode 100644
index dfa82455..00000000
--- a/targeted/file_contexts/program/sound-server.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# sound servers, nas, yiff, etc
-/usr/sbin/yiff -- system_u:object_r:soundd_exec_t
-/usr/bin/nasd -- system_u:object_r:soundd_exec_t
-/usr/bin/gpe-soundserver -- system_u:object_r:soundd_exec_t
-/etc/nas(/.*)? system_u:object_r:etc_soundd_t
-/etc/yiff(/.*)? system_u:object_r:etc_soundd_t
-/var/state/yiff(/.*)? system_u:object_r:soundd_state_t
-/var/run/yiff-[0-9]+\.pid -- system_u:object_r:soundd_var_run_t
diff --git a/targeted/file_contexts/program/sound.fc b/targeted/file_contexts/program/sound.fc
deleted file mode 100644
index 5e6b0d1e..00000000
--- a/targeted/file_contexts/program/sound.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sound
-/bin/aumix-minimal -- system_u:object_r:sound_exec_t
-/etc/\.aumixrc -- system_u:object_r:sound_file_t
diff --git a/targeted/file_contexts/program/spamassassin.fc b/targeted/file_contexts/program/spamassassin.fc
deleted file mode 100644
index a85b8b19..00000000
--- a/targeted/file_contexts/program/spamassassin.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# spamassasin
-/usr/bin/spamassassin -- system_u:object_r:spamassassin_exec_t
-HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t
diff --git a/targeted/file_contexts/program/spamc.fc b/targeted/file_contexts/program/spamc.fc
deleted file mode 100644
index 1168d40c..00000000
--- a/targeted/file_contexts/program/spamc.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/spamc -- system_u:object_r:spamc_exec_t:s0
diff --git a/targeted/file_contexts/program/spamd.fc b/targeted/file_contexts/program/spamd.fc
deleted file mode 100644
index 8c9add85..00000000
--- a/targeted/file_contexts/program/spamd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/spamd -- system_u:object_r:spamd_exec_t:s0
-/usr/bin/spamd -- system_u:object_r:spamd_exec_t:s0
-/usr/bin/sa-learn -- system_u:object_r:spamd_exec_t:s0
diff --git a/targeted/file_contexts/program/speedmgmt.fc b/targeted/file_contexts/program/speedmgmt.fc
deleted file mode 100644
index 486906e9..00000000
--- a/targeted/file_contexts/program/speedmgmt.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# speedmgmt
-/usr/sbin/speedmgmt -- system_u:object_r:speedmgmt_exec_t
diff --git a/targeted/file_contexts/program/squid.fc b/targeted/file_contexts/program/squid.fc
deleted file mode 100644
index e0d6f716..00000000
--- a/targeted/file_contexts/program/squid.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# squid
-/usr/sbin/squid -- system_u:object_r:squid_exec_t:s0
-/var/cache/squid(/.*)? system_u:object_r:squid_cache_t:s0
-/var/spool/squid(/.*)? system_u:object_r:squid_cache_t:s0
-/var/log/squid(/.*)? system_u:object_r:squid_log_t:s0
-/etc/squid(/.*)? system_u:object_r:squid_conf_t:s0
-/var/run/squid\.pid -- system_u:object_r:squid_var_run_t:s0
-/usr/share/squid(/.*)? system_u:object_r:squid_conf_t:s0
-ifdef(`httpd.te', `
-/usr/lib/squid/cachemgr.cgi -- system_u:object_r:httpd_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/ssh-agent.fc b/targeted/file_contexts/program/ssh-agent.fc
deleted file mode 100644
index 512eb47a..00000000
--- a/targeted/file_contexts/program/ssh-agent.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ssh-agent
-/usr/bin/ssh-agent -- system_u:object_r:ssh_agent_exec_t
diff --git a/targeted/file_contexts/program/ssh.fc b/targeted/file_contexts/program/ssh.fc
deleted file mode 100644
index 4ccba2eb..00000000
--- a/targeted/file_contexts/program/ssh.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# ssh
-/usr/bin/ssh -- system_u:object_r:ssh_exec_t:s0
-/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t:s0
-/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t:s0
-# sshd
-/etc/ssh/primes -- system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_key -- system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t:s0
-/usr/sbin/sshd -- system_u:object_r:sshd_exec_t:s0
-/var/run/sshd\.init\.pid -- system_u:object_r:sshd_var_run_t:s0
-# subsystems
-/usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t:s0
-/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/sftp-server -- system_u:object_r:bin_t:s0
-ifdef(`distro_suse', `
-/usr/lib(64)?/ssh/.* -- system_u:object_r:bin_t:s0
-')
-ifdef(`targeted_policy', `', `
-HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t:s0
-')
diff --git a/targeted/file_contexts/program/stunnel.fc b/targeted/file_contexts/program/stunnel.fc
deleted file mode 100644
index 2f0798c4..00000000
--- a/targeted/file_contexts/program/stunnel.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/stunnel -- system_u:object_r:stunnel_exec_t:s0
-/etc/stunnel(/.*)? system_u:object_r:stunnel_etc_t:s0
-/var/run/stunnel(/.*)? system_u:object_r:stunnel_var_run_t:s0
diff --git a/targeted/file_contexts/program/su.fc b/targeted/file_contexts/program/su.fc
deleted file mode 100644
index 8712b4b1..00000000
--- a/targeted/file_contexts/program/su.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# su
-/bin/su -- system_u:object_r:su_exec_t:s0
diff --git a/targeted/file_contexts/program/sudo.fc b/targeted/file_contexts/program/sudo.fc
deleted file mode 100644
index d7338946..00000000
--- a/targeted/file_contexts/program/sudo.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sudo
-/usr/bin/sudo(edit)? -- system_u:object_r:sudo_exec_t
-
diff --git a/targeted/file_contexts/program/sulogin.fc b/targeted/file_contexts/program/sulogin.fc
deleted file mode 100644
index eb719dcf..00000000
--- a/targeted/file_contexts/program/sulogin.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# sulogin
-/sbin/sulogin -- system_u:object_r:sulogin_exec_t
diff --git a/targeted/file_contexts/program/swat.fc b/targeted/file_contexts/program/swat.fc
deleted file mode 100644
index 721c229c..00000000
--- a/targeted/file_contexts/program/swat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# samba management tool
-/usr/sbin/swat -- system_u:object_r:swat_exec_t
diff --git a/targeted/file_contexts/program/sxid.fc b/targeted/file_contexts/program/sxid.fc
deleted file mode 100644
index e9126bca..00000000
--- a/targeted/file_contexts/program/sxid.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sxid - ldap server
-/usr/bin/sxid -- system_u:object_r:sxid_exec_t
-/var/log/sxid\.log.* -- system_u:object_r:sxid_log_t
-/var/log/setuid\.today.* -- system_u:object_r:sxid_log_t
-/usr/sbin/checksecurity\.se -- system_u:object_r:sxid_exec_t
-/var/log/setuid.* -- system_u:object_r:sxid_log_t
diff --git a/targeted/file_contexts/program/syslogd.fc b/targeted/file_contexts/program/syslogd.fc
deleted file mode 100644
index d0fb0a41..00000000
--- a/targeted/file_contexts/program/syslogd.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# syslogd
-/sbin/syslogd -- system_u:object_r:syslogd_exec_t:s0
-/sbin/minilogd -- system_u:object_r:syslogd_exec_t:s0
-/usr/sbin/syslogd -- system_u:object_r:syslogd_exec_t:s0
-/sbin/syslog-ng -- system_u:object_r:syslogd_exec_t:s0
-/dev/log -s system_u:object_r:devlog_t:s0
-/var/run/log -s system_u:object_r:devlog_t:s0
-ifdef(`distro_suse', `
-/var/lib/stunnel/dev/log -s system_u:object_r:devlog_t:s0
-')
-/var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t:s0
diff --git a/targeted/file_contexts/program/sysstat.fc b/targeted/file_contexts/program/sysstat.fc
deleted file mode 100644
index 2637b68b..00000000
--- a/targeted/file_contexts/program/sysstat.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# sysstat and other sar programs
-/usr/lib(64)?/atsar/atsa.* -- system_u:object_r:sysstat_exec_t
-/usr/lib(64)?/sysstat/sa.* -- system_u:object_r:sysstat_exec_t
-/usr/lib(64)?/sa/sadc -- system_u:object_r:sysstat_exec_t
-/var/log/atsar(/.*)? system_u:object_r:sysstat_log_t
-/var/log/sysstat(/.*)? system_u:object_r:sysstat_log_t
-/var/log/sa(/.*)? system_u:object_r:sysstat_log_t
diff --git a/targeted/file_contexts/program/tcpd.fc b/targeted/file_contexts/program/tcpd.fc
deleted file mode 100644
index 2e84aa86..00000000
--- a/targeted/file_contexts/program/tcpd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# tcpd
-/usr/sbin/tcpd -- system_u:object_r:tcpd_exec_t
diff --git a/targeted/file_contexts/program/telnetd.fc b/targeted/file_contexts/program/telnetd.fc
deleted file mode 100644
index 15587a2d..00000000
--- a/targeted/file_contexts/program/telnetd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# telnetd
-/usr/sbin/in\.telnetd -- system_u:object_r:telnetd_exec_t:s0
-/usr/kerberos/sbin/telnetd -- system_u:object_r:telnetd_exec_t:s0
diff --git a/targeted/file_contexts/program/tftpd.fc b/targeted/file_contexts/program/tftpd.fc
deleted file mode 100644
index 1e503b90..00000000
--- a/targeted/file_contexts/program/tftpd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# tftpd
-/usr/sbin/in\.tftpd -- system_u:object_r:tftpd_exec_t:s0
-/usr/sbin/atftpd -- system_u:object_r:tftpd_exec_t:s0
-/tftpboot(/.*)? system_u:object_r:tftpdir_t:s0
diff --git a/targeted/file_contexts/program/thunderbird.fc b/targeted/file_contexts/program/thunderbird.fc
deleted file mode 100644
index ca373460..00000000
--- a/targeted/file_contexts/program/thunderbird.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/thunderbird.* -- system_u:object_r:thunderbird_exec_t
-HOME_DIR/\.thunderbird(/.*)? system_u:object_r:ROLE_thunderbird_home_t
diff --git a/targeted/file_contexts/program/timidity.fc b/targeted/file_contexts/program/timidity.fc
deleted file mode 100644
index 2b44dcec..00000000
--- a/targeted/file_contexts/program/timidity.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# timidity
-/usr/bin/timidity -- system_u:object_r:timidity_exec_t
diff --git a/targeted/file_contexts/program/tinydns.fc b/targeted/file_contexts/program/tinydns.fc
deleted file mode 100644
index 10ea1a35..00000000
--- a/targeted/file_contexts/program/tinydns.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# tinydns
-/etc/tinydns(/.*)? system_u:object_r:tinydns_conf_t
-/etc/tinydns/root/data* -- system_u:object_r:tinydns_zone_t
-/usr/bin/tinydns* -- system_u:object_r:tinydns_exec_t
-#/var/log/dns/tinydns(/.*) system_u:object_r:tinydns_log_t
-#/var/lib/svscan(/.*) system_u:object_r:tinydns_svscan_t
diff --git a/targeted/file_contexts/program/tmpreaper.fc b/targeted/file_contexts/program/tmpreaper.fc
deleted file mode 100644
index d8ed96e4..00000000
--- a/targeted/file_contexts/program/tmpreaper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tmpreaper or tmpwatch
-/usr/sbin/tmpreaper -- system_u:object_r:tmpreaper_exec_t
-/usr/sbin/tmpwatch -- system_u:object_r:tmpreaper_exec_t
diff --git a/targeted/file_contexts/program/traceroute.fc b/targeted/file_contexts/program/traceroute.fc
deleted file mode 100644
index 66a6c5fc..00000000
--- a/targeted/file_contexts/program/traceroute.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# traceroute
-/bin/traceroute.* -- system_u:object_r:traceroute_exec_t
-/bin/tracepath.* -- system_u:object_r:traceroute_exec_t
-/usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t
-/usr/bin/lft -- system_u:object_r:traceroute_exec_t
-/usr/bin/nmap -- system_u:object_r:traceroute_exec_t
diff --git a/targeted/file_contexts/program/transproxy.fc b/targeted/file_contexts/program/transproxy.fc
deleted file mode 100644
index 2027eeaf..00000000
--- a/targeted/file_contexts/program/transproxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# transproxy - http transperant proxy
-/usr/sbin/tproxy -- system_u:object_r:transproxy_exec_t
-/var/run/tproxy\.pid -- system_u:object_r:transproxy_var_run_t
diff --git a/targeted/file_contexts/program/tripwire.fc b/targeted/file_contexts/program/tripwire.fc
deleted file mode 100644
index 88afc341..00000000
--- a/targeted/file_contexts/program/tripwire.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# tripwire
-/etc/tripwire(/.*)? system_u:object_r:tripwire_etc_t
-/usr/sbin/siggen system_u:object_r:siggen_exec_t
-/usr/sbin/tripwire system_u:object_r:tripwire_exec_t
-/usr/sbin/tripwire-setup-keyfiles system_u:object_r:bin_t
-/usr/sbin/twadmin system_u:object_r:twadmin_exec_t
-/usr/sbin/twprint system_u:object_r:twprint_exec_t
-/var/lib/tripwire(/.*)? system_u:object_r:tripwire_var_lib_t
-/var/lib/tripwire/report(/.*)? system_u:object_r:tripwire_report_t
diff --git a/targeted/file_contexts/program/tvtime.fc b/targeted/file_contexts/program/tvtime.fc
deleted file mode 100644
index 0969e966..00000000
--- a/targeted/file_contexts/program/tvtime.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tvtime
-/usr/bin/tvtime -- system_u:object_r:tvtime_exec_t
-
diff --git a/targeted/file_contexts/program/ucspi-tcp.fc b/targeted/file_contexts/program/ucspi-tcp.fc
deleted file mode 100644
index 448c1ab4..00000000
--- a/targeted/file_contexts/program/ucspi-tcp.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#ucspi-tcp
-/usr/bin/tcpserver -- system_u:object_r:utcpserver_exec_t
-/usr/bin/rblsmtpd -- system_u:object_r:rblsmtpd_exec_t
diff --git a/targeted/file_contexts/program/udev.fc b/targeted/file_contexts/program/udev.fc
deleted file mode 100644
index 0df162f9..00000000
--- a/targeted/file_contexts/program/udev.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# udev
-/sbin/udevsend -- system_u:object_r:udev_exec_t:s0
-/sbin/udev -- system_u:object_r:udev_exec_t:s0
-/sbin/udevd -- system_u:object_r:udev_exec_t:s0
-/sbin/start_udev -- system_u:object_r:udev_exec_t:s0
-/sbin/udevstart -- system_u:object_r:udev_exec_t:s0
-/usr/bin/udevinfo -- system_u:object_r:udev_exec_t:s0
-/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t:s0
-/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t:s0
-/etc/udev/devices/.* system_u:object_r:device_t:s0
-/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t:s0
-/dev/udev\.tbl -- system_u:object_r:udev_tbl_t:s0
-/dev/\.udevdb(/.*)? -- system_u:object_r:udev_tdb_t:s0
-/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t:s0
diff --git a/targeted/file_contexts/program/uml.fc b/targeted/file_contexts/program/uml.fc
deleted file mode 100644
index dc1621df..00000000
--- a/targeted/file_contexts/program/uml.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# User Mode Linux
-/usr/bin/uml_switch -- system_u:object_r:uml_switch_exec_t
-/var/run/uml-utilities(/.*)? system_u:object_r:uml_switch_var_run_t
-HOME_DIR/\.uml(/.*)? system_u:object_r:ROLE_uml_rw_t
diff --git a/targeted/file_contexts/program/uml_net.fc b/targeted/file_contexts/program/uml_net.fc
deleted file mode 100644
index 67aa1f2f..00000000
--- a/targeted/file_contexts/program/uml_net.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# User Mode Linux
-# WARNING: Do not install this file on any machine that has hostile users.
-/usr/lib(64)?/uml/uml_net -- system_u:object_r:uml_net_exec_t
diff --git a/targeted/file_contexts/program/unconfined.fc b/targeted/file_contexts/program/unconfined.fc
deleted file mode 100644
index c3a6c121..00000000
--- a/targeted/file_contexts/program/unconfined.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t
diff --git a/targeted/file_contexts/program/updfstab.fc b/targeted/file_contexts/program/updfstab.fc
deleted file mode 100644
index f6ac1d94..00000000
--- a/targeted/file_contexts/program/updfstab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# updfstab
-/usr/sbin/updfstab -- system_u:object_r:updfstab_exec_t:s0
-/usr/sbin/fstab-sync -- system_u:object_r:updfstab_exec_t:s0
diff --git a/targeted/file_contexts/program/uptimed.fc b/targeted/file_contexts/program/uptimed.fc
deleted file mode 100644
index f80ccb4c..00000000
--- a/targeted/file_contexts/program/uptimed.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# uptimed
-/etc/uptimed\.conf -- system_u:object_r:uptimed_etc_t
-/usr/sbin/uptimed -- system_u:object_r:uptimed_exec_t
-/var/spool/uptimed(/.*)? system_u:object_r:uptimed_spool_t
diff --git a/targeted/file_contexts/program/usbmodules.fc b/targeted/file_contexts/program/usbmodules.fc
deleted file mode 100644
index 52e03a48..00000000
--- a/targeted/file_contexts/program/usbmodules.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# usbmodules
-/usr/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t
-/sbin/usbmodules -- system_u:object_r:usbmodules_exec_t
diff --git a/targeted/file_contexts/program/useradd.fc b/targeted/file_contexts/program/useradd.fc
deleted file mode 100644
index b29351b6..00000000
--- a/targeted/file_contexts/program/useradd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#useradd
-/usr/sbin/usermod -- system_u:object_r:useradd_exec_t
-/usr/sbin/useradd -- system_u:object_r:useradd_exec_t
-/usr/sbin/userdel -- system_u:object_r:useradd_exec_t
-#groupadd
-/usr/sbin/groupmod -- system_u:object_r:groupadd_exec_t
-/usr/sbin/groupadd -- system_u:object_r:groupadd_exec_t
-/usr/sbin/groupdel -- system_u:object_r:groupadd_exec_t
-/usr/bin/gpasswd -- system_u:object_r:groupadd_exec_t
-/usr/sbin/gpasswd -- system_u:object_r:groupadd_exec_t
diff --git a/targeted/file_contexts/program/userhelper.fc b/targeted/file_contexts/program/userhelper.fc
deleted file mode 100644
index 8623456b..00000000
--- a/targeted/file_contexts/program/userhelper.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/etc/security/console.apps(/.*)? system_u:object_r:userhelper_conf_t
-/usr/sbin/userhelper -- system_u:object_r:userhelper_exec_t
diff --git a/targeted/file_contexts/program/usernetctl.fc b/targeted/file_contexts/program/usernetctl.fc
deleted file mode 100644
index b9ef00f6..00000000
--- a/targeted/file_contexts/program/usernetctl.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# usernetctl
-/usr/sbin/usernetctl -- system_u:object_r:usernetctl_exec_t
diff --git a/targeted/file_contexts/program/utempter.fc b/targeted/file_contexts/program/utempter.fc
deleted file mode 100644
index 4e6670ac..00000000
--- a/targeted/file_contexts/program/utempter.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# utempter
-/usr/sbin/utempter -- system_u:object_r:utempter_exec_t
diff --git a/targeted/file_contexts/program/uucpd.fc b/targeted/file_contexts/program/uucpd.fc
deleted file mode 100644
index a359cc36..00000000
--- a/targeted/file_contexts/program/uucpd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# uucico program
-/usr/sbin/uucico -- system_u:object_r:uucpd_exec_t:s0
-/var/spool/uucp(/.*)? system_u:object_r:uucpd_spool_t:s0
-/var/spool/uucppublic(/.*)? system_u:object_r:uucpd_spool_t:s0
-/var/log/uucp(/.*)? system_u:object_r:uucpd_log_t:s0
diff --git a/targeted/file_contexts/program/uwimapd.fc b/targeted/file_contexts/program/uwimapd.fc
deleted file mode 100644
index 00f90737..00000000
--- a/targeted/file_contexts/program/uwimapd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# uw-imapd and uw-imapd-ssl
-/usr/sbin/imapd -- system_u:object_r:imapd_exec_t
diff --git a/targeted/file_contexts/program/vmware.fc b/targeted/file_contexts/program/vmware.fc
deleted file mode 100644
index d015988c..00000000
--- a/targeted/file_contexts/program/vmware.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# File contexts for VMWare.
-# Contributed by Mark Westerman (mark.westerman@westcam.com)
-# Changes made by NAI Labs.
-# Tested with VMWare 3.1
-#
-/usr/bin/vmnet-bridge -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-dhcpd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-natd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-netifup -- system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-sniffer -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-nmbd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-ping -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-wizard -- system_u:object_r:vmware_user_exec_t
-/usr/bin/vmware -- system_u:object_r:vmware_user_exec_t
-
-/dev/vmmon -c system_u:object_r:vmware_device_t
-/dev/vmnet.* -c system_u:object_r:vmware_device_t
-/dev/plex86 -c system_u:object_r:vmware_device_t
-
-/etc/vmware.*(/.*)? system_u:object_r:vmware_sys_conf_t
-/usr/lib(64)?/vmware/config -- system_u:object_r:vmware_sys_conf_t
-
-/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t
-/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t
-
-#
-# This is only an example of how to protect vmware session configuration
-# files. A general user can execute vmware and start a vmware session
-# but the user can not modify the session configuration information
-#/usr/local/vmware(/.*)? system_u:object_r:vmware_user_file_t
-#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t
-
-# The rules below assume that the user VMWare virtual disks are in the
-# ~/vmware, and the preferences and license files are in ~/.vmware.
-#
-HOME_DIR/\.vmware(/.*)? system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/vmware(/.*)? system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/\.vmware[^/]*/.*\.cfg -- system_u:object_r:ROLE_vmware_conf_t
diff --git a/targeted/file_contexts/program/vpnc.fc b/targeted/file_contexts/program/vpnc.fc
deleted file mode 100644
index afaea760..00000000
--- a/targeted/file_contexts/program/vpnc.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# vpnc
-/usr/sbin/vpnc -- system_u:object_r:vpnc_exec_t
-/sbin/vpnc -- system_u:object_r:vpnc_exec_t
-/etc/vpnc/vpnc-script -- system_u:object_r:bin_t
diff --git a/targeted/file_contexts/program/watchdog.fc b/targeted/file_contexts/program/watchdog.fc
deleted file mode 100644
index d7a8c7f5..00000000
--- a/targeted/file_contexts/program/watchdog.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# watchdog
-/usr/sbin/watchdog -- system_u:object_r:watchdog_exec_t
-/dev/watchdog -c system_u:object_r:watchdog_device_t
-/var/log/watchdog(/.*)? system_u:object_r:watchdog_log_t
-/var/run/watchdog\.pid -- system_u:object_r:watchdog_var_run_t
diff --git a/targeted/file_contexts/program/webalizer.fc b/targeted/file_contexts/program/webalizer.fc
deleted file mode 100644
index 7244932f..00000000
--- a/targeted/file_contexts/program/webalizer.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-/usr/bin/webalizer -- system_u:object_r:webalizer_exec_t:s0
-/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t:s0
diff --git a/targeted/file_contexts/program/winbind.fc b/targeted/file_contexts/program/winbind.fc
deleted file mode 100644
index b1d9d575..00000000
--- a/targeted/file_contexts/program/winbind.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/usr/sbin/winbindd -- system_u:object_r:winbind_exec_t:s0
-/var/run/winbindd(/.*)? system_u:object_r:winbind_var_run_t:s0
-ifdef(`samba.te', `', `
-/var/log/samba(/.*)? system_u:object_r:samba_log_t:s0
-/etc/samba(/.*)? system_u:object_r:samba_etc_t:s0
-/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t:s0
-/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t:s0
-/var/cache/samba(/.*)? system_u:object_r:samba_var_t:s0
-')
-/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t:s0
-/usr/bin/ntlm_auth -- system_u:object_r:winbind_helper_exec_t:s0
diff --git a/targeted/file_contexts/program/xauth.fc b/targeted/file_contexts/program/xauth.fc
deleted file mode 100644
index 055fc2f6..00000000
--- a/targeted/file_contexts/program/xauth.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# xauth
-/usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t
-HOME_DIR/\.xauth.* -- system_u:object_r:ROLE_xauth_home_t
-HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t
diff --git a/targeted/file_contexts/program/xdm.fc b/targeted/file_contexts/program/xdm.fc
deleted file mode 100644
index 267e1e0f..00000000
--- a/targeted/file_contexts/program/xdm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# X Display Manager
-/usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t:s0
-/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t:s0
-/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t:s0
-/usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t:s0
-/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t:s0
-/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t:s0
-/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t:s0
-/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t:s0
-/var/log/gdm(/.*)? system_u:object_r:xserver_log_t:s0
-/tmp/\.X0-lock -- system_u:object_r:xdm_xserver_tmp_t:s0
-/etc/X11/Xsession[^/]* -- system_u:object_r:xsession_exec_t:s0
-/etc/X11/wdm(/.*)? system_u:object_r:xdm_rw_etc_t:s0
-/etc/X11/wdm/Xsetup.* -- system_u:object_r:xsession_exec_t:s0
-/etc/X11/wdm/Xstartup.* -- system_u:object_r:xsession_exec_t:s0
-/etc/X11/[wx]dm/Xreset.* -- system_u:object_r:xsession_exec_t:s0
-/etc/X11/[wx]dm/Xsession -- system_u:object_r:xsession_exec_t:s0
-/etc/kde/kdm/Xsession -- system_u:object_r:xsession_exec_t:s0
-/var/run/xdmctl(/.*)? system_u:object_r:xdm_var_run_t:s0
-/var/run/xdm\.pid -- system_u:object_r:xdm_var_run_t:s0
-/var/lib/[xkw]dm(/.*)? system_u:object_r:xdm_var_lib_t:s0
-ifdef(`distro_suse', `
-/var/lib/pam_devperm/:0 -- system_u:object_r:xdm_var_lib_t:s0
-')
-
-#
-# Additional Xsession scripts
-#
-/etc/X11/xdm/GiveConsole -- system_u:object_r:bin_t:s0
-/etc/X11/xdm/TakeConsole -- system_u:object_r:bin_t:s0
-/etc/X11/xdm/Xsetup_0 -- system_u:object_r:bin_t:s0
-/etc/X11/xinit(/.*)? system_u:object_r:bin_t:s0
-#
-# Rules for kde login
-#
-/etc/kde3?/kdm/Xstartup -- system_u:object_r:xsession_exec_t:s0
-/etc/kde3?/kdm/Xreset -- system_u:object_r:xsession_exec_t:s0
-/etc/kde3?/kdm/Xsession -- system_u:object_r:xsession_exec_t:s0
-/etc/kde3?/kdm/backgroundrc system_u:object_r:xdm_var_run_t:s0
-/usr/lib(64)?/qt-.*/etc/settings(/.*)? system_u:object_r:xdm_var_run_t:s0
diff --git a/targeted/file_contexts/program/xfs.fc b/targeted/file_contexts/program/xfs.fc
deleted file mode 100644
index 9edae3f9..00000000
--- a/targeted/file_contexts/program/xfs.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# xfs
-/tmp/\.font-unix(/.*)? system_u:object_r:xfs_tmp_t
-/usr/X11R6/bin/xfs -- system_u:object_r:xfs_exec_t
-/usr/X11R6/bin/xfs-xtt -- system_u:object_r:xfs_exec_t
-/usr/bin/xfstt -- system_u:object_r:xfs_exec_t
diff --git a/targeted/file_contexts/program/xprint.fc b/targeted/file_contexts/program/xprint.fc
deleted file mode 100644
index 3c72a774..00000000
--- a/targeted/file_contexts/program/xprint.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/Xprt -- system_u:object_r:xprint_exec_t
diff --git a/targeted/file_contexts/program/xserver.fc b/targeted/file_contexts/program/xserver.fc
deleted file mode 100644
index 3d48a6fc..00000000
--- a/targeted/file_contexts/program/xserver.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# X server
-/usr/X11R6/bin/Xwrapper -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/X -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/XFree86 -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xorg -- system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xipaq -- system_u:object_r:xserver_exec_t
-/var/lib/xkb(/.*)? system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb -d system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
-/var/log/XFree86.* -- system_u:object_r:xserver_log_t
-/var/log/Xorg.* -- system_u:object_r:xserver_log_t
-/etc/init\.d/xfree86-common -- system_u:object_r:xserver_exec_t
-/tmp/\.X11-unix -d system_u:object_r:xdm_tmp_t
-/tmp/\.X11-unix/.* -s <>
-/tmp/\.ICE-unix -d system_u:object_r:ice_tmp_t
-/tmp/\.ICE-unix/.* -s <>
diff --git a/targeted/file_contexts/program/yam.fc b/targeted/file_contexts/program/yam.fc
deleted file mode 100644
index 023b7406..00000000
--- a/targeted/file_contexts/program/yam.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# yam
-/etc/yam.conf -- system_u:object_r:yam_etc_t
-/usr/bin/yam system_u:object_r:yam_exec_t
-/var/yam(/.*)? system_u:object_r:yam_content_t
-/var/www/yam(/.*)? system_u:object_r:yam_content_t
diff --git a/targeted/file_contexts/program/ypbind.fc b/targeted/file_contexts/program/ypbind.fc
deleted file mode 100644
index f9f6ff8b..00000000
--- a/targeted/file_contexts/program/ypbind.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ypbind
-/sbin/ypbind -- system_u:object_r:ypbind_exec_t:s0
diff --git a/targeted/file_contexts/program/yppasswdd.fc b/targeted/file_contexts/program/yppasswdd.fc
deleted file mode 100644
index e390bd82..00000000
--- a/targeted/file_contexts/program/yppasswdd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# yppasswd
-/usr/sbin/rpc.yppasswdd -- system_u:object_r:yppasswdd_exec_t
diff --git a/targeted/file_contexts/program/ypserv.fc b/targeted/file_contexts/program/ypserv.fc
deleted file mode 100644
index 023746f3..00000000
--- a/targeted/file_contexts/program/ypserv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# ypserv
-/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t:s0
-/usr/lib/yp/.+ -- system_u:object_r:bin_t:s0
-/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t:s0
diff --git a/targeted/file_contexts/program/zebra.fc b/targeted/file_contexts/program/zebra.fc
deleted file mode 100644
index 328f9871..00000000
--- a/targeted/file_contexts/program/zebra.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# Zebra - BGP daemon
-/usr/sbin/zebra -- system_u:object_r:zebra_exec_t:s0
-/usr/sbin/bgpd -- system_u:object_r:zebra_exec_t:s0
-/var/log/zebra(/.*)? system_u:object_r:zebra_log_t:s0
-/etc/zebra(/.*)? system_u:object_r:zebra_conf_t:s0
-/var/run/\.zserv -s system_u:object_r:zebra_var_run_t:s0
-/var/run/\.zebra -s system_u:object_r:zebra_var_run_t:s0
-# Quagga
-/usr/sbin/rip.* -- system_u:object_r:zebra_exec_t:s0
-/usr/sbin/ospf.* -- system_u:object_r:zebra_exec_t:s0
-/etc/quagga(/.*)? system_u:object_r:zebra_conf_t:s0
-/var/log/quagga(/.*)? system_u:object_r:zebra_log_t:s0
-/var/run/quagga(/.*)? system_u:object_r:zebra_var_run_t:s0
diff --git a/targeted/file_contexts/types.fc b/targeted/file_contexts/types.fc
deleted file mode 100644
index 4b36106e..00000000
--- a/targeted/file_contexts/types.fc
+++ /dev/null
@@ -1,517 +0,0 @@
-#
-# This file describes the security contexts to be applied to files
-# when the security policy is installed. The setfiles program
-# reads this file and labels files accordingly.
-#
-# Each specification has the form:
-# regexp [ -type ] ( context | <> )
-#
-# By default, the regexp is an anchored match on both ends (i.e. a
-# caret (^) is prepended and a dollar sign ($) is appended automatically).
-# This default may be overridden by using .* at the beginning and/or
-# end of the regular expression.
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -d to match only directories or -- to match only
-# regular files.
-#
-# The value of < may be used to indicate that matching files
-# should not be relabeled.
-#
-# The last matching specification is used.
-#
-# If there are multiple hard links to a file that match
-# different specifications and those specifications indicate
-# different security contexts, then a warning is displayed
-# but the file is still labeled based on the last matching
-# specification other than <>.
-#
-# Some of the files listed here get re-created during boot and therefore
-# need type transition rules to retain the correct type. These files are
-# listed here anyway so that if the setfiles program is used on a running
-# system it does not relabel them to something we do not want. An example of
-# this is /var/run/utmp.
-#
-
-#
-# The security context for all files not otherwise specified.
-#
-/.* system_u:object_r:default_t:s0
-
-#
-# The root directory.
-#
-/ -d system_u:object_r:root_t:s0
-
-#
-# Ordinary user home directories.
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-# and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-#
-HOME_ROOT -d system_u:object_r:home_root_t:s0
-HOME_DIR -d system_u:object_r:ROLE_home_dir_t:s0
-HOME_DIR/.+ system_u:object_r:ROLE_home_t:s0
-
-/root/\.default_contexts -- system_u:object_r:default_context_t:s0
-
-#
-# Mount points; do not relabel subdirectories, since
-# we do not want to change any removable media by default.
-/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s0
-/mnt/[^/]*/.* <>
-/media(/[^/]*)? -d system_u:object_r:mnt_t:s0
-/media/[^/]*/.* <>
-
-#
-# /var
-#
-/var(/.*)? system_u:object_r:var_t:s0
-/var/cache/man(/.*)? system_u:object_r:man_t:s0
-/var/yp(/.*)? system_u:object_r:var_yp_t:s0
-/var/lib(/.*)? system_u:object_r:var_lib_t:s0
-/var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t:s0
-/var/lib/texmf(/.*)? system_u:object_r:tetex_data_t:s0
-/var/cache/fonts(/.*)? system_u:object_r:tetex_data_t:s0
-/var/lock(/.*)? system_u:object_r:var_lock_t:s0
-/var/tmp -d system_u:object_r:tmp_t:s0
-/var/tmp/.* <>
-/var/tmp/vi\.recover -d system_u:object_r:tmp_t:s0
-/var/lib/nfs/rpc_pipefs(/.*)? <>
-/var/mailman/bin(/.*)? system_u:object_r:bin_t:s0
-/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? -- system_u:object_r:shlib_t:s0
-
-#
-# /var/ftp
-#
-/var/ftp/bin(/.*)? system_u:object_r:bin_t:s0
-/var/ftp/bin/ls -- system_u:object_r:ls_exec_t:s0
-/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/var/ftp/etc(/.*)? system_u:object_r:etc_t:s0
-
-#
-# /bin
-#
-/bin(/.*)? system_u:object_r:bin_t:s0
-/bin/tcsh -- system_u:object_r:shell_exec_t:s0
-/bin/bash -- system_u:object_r:shell_exec_t:s0
-/bin/bash2 -- system_u:object_r:shell_exec_t:s0
-/bin/sash -- system_u:object_r:shell_exec_t:s0
-/bin/d?ash -- system_u:object_r:shell_exec_t:s0
-/bin/zsh.* -- system_u:object_r:shell_exec_t:s0
-/usr/sbin/sesh -- system_u:object_r:shell_exec_t:s0
-/bin/ls -- system_u:object_r:ls_exec_t:s0
-
-#
-# /boot
-#
-/boot(/.*)?
system_u:object_r:boot_t:s0
-/boot/System\.map(-.*)? system_u:object_r:system_map_t:s0
-
-#
-# /dev
-#
-/dev(/.*)? system_u:object_r:device_t:s0
-/dev/pts(/.*)? <>
-/dev/cpu/.* -c system_u:object_r:cpu_device_t:s0
-/dev/microcode -c system_u:object_r:cpu_device_t:s0
-/dev/MAKEDEV -- system_u:object_r:sbin_t:s0
-/dev/null -c system_u:object_r:null_device_t:s0
-/dev/full -c system_u:object_r:null_device_t:s0
-/dev/zero -c system_u:object_r:zero_device_t:s0
-/dev/console -c system_u:object_r:console_device_t:s0
-/dev/xconsole -p system_u:object_r:xconsole_device_t:s0
-/dev/(kmem|mem|port) -c system_u:object_r:memory_device_t:s0
-/dev/nvram -c system_u:object_r:memory_device_t:s0
-/dev/random -c system_u:object_r:random_device_t:s0
-/dev/urandom -c system_u:object_r:urandom_device_t:s0
-/dev/adb.* -c system_u:object_r:tty_device_t:s0
-/dev/capi.* -c system_u:object_r:tty_device_t:s0
-/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t:s0
-/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t:s0
-/dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t:s0
-/dev/rfcomm[0-9]+ -c system_u:object_r:tty_device_t:s0
-/dev/isdn.* -c system_u:object_r:tty_device_t:s0
-/dev/.*tty[^/]* -c system_u:object_r:tty_device_t:s0
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t:s0
-/dev/cu.* -c system_u:object_r:tty_device_t:s0
-/dev/vcs[^/]* -c system_u:object_r:tty_device_t:s0
-/dev/ip2[^/]* -c system_u:object_r:tty_device_t:s0
-/dev/hvc.* -c system_u:object_r:tty_device_t:s0
-/dev/hvsi.* -c system_u:object_r:tty_device_t:s0
-/dev/ttySG.* -c system_u:object_r:tty_device_t:s0
-/dev/tty -c system_u:object_r:devtty_t:s0
-/dev/lp.* -c system_u:object_r:printer_device_t:s0
-/dev/par.* -c system_u:object_r:printer_device_t:s0
-/dev/usb/lp.* -c system_u:object_r:printer_device_t:s0
-/dev/usblp.* -c system_u:object_r:printer_device_t:s0
-ifdef(`distro_redhat', `
-/dev/root -b system_u:object_r:fixed_disk_device_t:s0
-')
-/dev/[shmx]d[^/]* -b
system_u:object_r:fixed_disk_device_t:s0
-/dev/dm-[0-9]+ -b system_u:object_r:fixed_disk_device_t:s0
-/dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t:s0
-/dev/rd.* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t:s0
-/dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/loop.* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/net/.* -c system_u:object_r:tun_tap_device_t:s0
-/dev/ram.* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/rawctl -c system_u:object_r:fixed_disk_device_t:s0
-/dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t:s0
-/dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t:s0
-/dev/initrd -b system_u:object_r:fixed_disk_device_t:s0
-/dev/jsfd -b system_u:object_r:fixed_disk_device_t:s0
-/dev/js.* -c system_u:object_r:mouse_device_t:s0
-/dev/jsflash -c system_u:object_r:fixed_disk_device_t:s0
-/dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t:s0
-/dev/usb/rio500 -c system_u:object_r:removable_device_t:s0
-/dev/fd[^/]+ -b system_u:object_r:removable_device_t:s0
-# I think a parallel port disk is a removable device...
-/dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t:s0
-/dev/p[fg][0-3] -b system_u:object_r:removable_device_t:s0
-/dev/aztcd -b system_u:object_r:removable_device_t:s0
-/dev/bpcd -b system_u:object_r:removable_device_t:s0
-/dev/gscd -b system_u:object_r:removable_device_t:s0
-/dev/hitcd -b system_u:object_r:removable_device_t:s0
-/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
-/dev/mcdx?
-b system_u:object_r:removable_device_t:s0
-/dev/cdu.* -b system_u:object_r:removable_device_t:s0
-/dev/cm20.* -b system_u:object_r:removable_device_t:s0
-/dev/optcd -b system_u:object_r:removable_device_t:s0
-/dev/sbpcd.* -b system_u:object_r:removable_device_t:s0
-/dev/sjcd -b system_u:object_r:removable_device_t:s0
-/dev/sonycd -b system_u:object_r:removable_device_t:s0
-# parallel port ATAPI generic device
-/dev/pg[0-3] -c system_u:object_r:removable_device_t:s0
-/dev/rtc -c system_u:object_r:clock_device_t:s0
-/dev/psaux -c system_u:object_r:mouse_device_t:s0
-/dev/atibm -c system_u:object_r:mouse_device_t:s0
-/dev/logibm -c system_u:object_r:mouse_device_t:s0
-/dev/.*mouse.* -c system_u:object_r:mouse_device_t:s0
-/dev/input/.*mouse.* -c system_u:object_r:mouse_device_t:s0
-/dev/input/event.* -c system_u:object_r:event_device_t:s0
-/dev/input/mice -c system_u:object_r:mouse_device_t:s0
-/dev/input/js.* -c system_u:object_r:mouse_device_t:s0
-/dev/ptmx -c system_u:object_r:ptmx_t:s0
-/dev/sequencer -c system_u:object_r:misc_device_t:s0
-/dev/fb[0-9]* -c system_u:object_r:framebuf_device_t:s0
-/dev/apm_bios -c system_u:object_r:apm_bios_t:s0
-/dev/cpu/mtrr -c system_u:object_r:mtrr_device_t:s0
-/dev/pmu -c system_u:object_r:power_device_t:s0
-/dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t:s0
-/dev/winradio.
-c system_u:object_r:v4l_device_t:s0
-/dev/vttuner -c system_u:object_r:v4l_device_t:s0
-/dev/tlk[0-3] -c system_u:object_r:v4l_device_t:s0
-/dev/adsp -c system_u:object_r:sound_device_t:s0
-/dev/mixer.* -c system_u:object_r:sound_device_t:s0
-/dev/dsp.* -c system_u:object_r:sound_device_t:s0
-/dev/audio.* -c system_u:object_r:sound_device_t:s0
-/dev/r?midi.* -c system_u:object_r:sound_device_t:s0
-/dev/sequencer2 -c system_u:object_r:sound_device_t:s0
-/dev/smpte.* -c system_u:object_r:sound_device_t:s0
-/dev/sndstat -c system_u:object_r:sound_device_t:s0
-/dev/beep -c system_u:object_r:sound_device_t:s0
-/dev/patmgr[01] -c system_u:object_r:sound_device_t:s0
-/dev/mpu401.* -c system_u:object_r:sound_device_t:s0
-/dev/srnd[0-7] -c system_u:object_r:sound_device_t:s0
-/dev/aload.* -c system_u:object_r:sound_device_t:s0
-/dev/amidi.* -c system_u:object_r:sound_device_t:s0
-/dev/amixer.* -c system_u:object_r:sound_device_t:s0
-/dev/snd/.* -c system_u:object_r:sound_device_t:s0
-/dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t:s0
-/dev/n?(raw)?[qr]ft[0-3] -c system_u:object_r:tape_device_t:s0
-/dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t:s0
-/dev/n?tpqic[12].* -c system_u:object_r:tape_device_t:s0
-/dev/ht[0-1] -b system_u:object_r:tape_device_t:s0
-/dev/n?osst[0-3].* -c system_u:object_r:tape_device_t:s0
-/dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t:s0
-/dev/tape.* -c system_u:object_r:tape_device_t:s0
-ifdef(`distro_suse', `
-/dev/usbscanner -c system_u:object_r:scanner_device_t:s0
-')
-/dev/usb/scanner.* -c system_u:object_r:scanner_device_t:s0
-/dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t:s0
-/dev/usb/mdc800.* -c system_u:object_r:scanner_device_t:s0
-/dev/usb/tty.* -c system_u:object_r:usbtty_device_t:s0
-/dev/mmetfgrab -c system_u:object_r:scanner_device_t:s0
-/dev/nvidia.* -c system_u:object_r:xserver_misc_device_t:s0
-/dev/dri/.+ -c system_u:object_r:dri_device_t:s0
-/dev/radeon -c system_u:object_r:dri_device_t:s0
-/dev/agpgart
-c system_u:object_r:agp_device_t:s0
-/dev/z90crypt -c system_u:object_r:crypt_device_t:s0
-
-#
-# Misc
-#
-/proc(/.*)? <>
-/sys(/.*)? <>
-/selinux(/.*)? <>
-
-#
-# /opt
-#
-/opt(/.*)? system_u:object_r:usr_t:s0
-/opt(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/opt(/.*)?/libexec(/.*)? system_u:object_r:bin_t:s0
-/opt(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
-/opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
-/opt(/.*)?/man(/.*)? system_u:object_r:man_t:s0
-/opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t:s0
-
-#
-# /etc
-#
-/etc(/.*)? system_u:object_r:etc_t:s0
-/var/db/.*\.db -- system_u:object_r:etc_t:s0
-/etc/\.pwd\.lock -- system_u:object_r:shadow_t:s0
-/etc/passwd\.lock -- system_u:object_r:shadow_t:s0
-/etc/group\.lock -- system_u:object_r:shadow_t:s0
-/etc/shadow.* -- system_u:object_r:shadow_t:s0
-/etc/gshadow.* -- system_u:object_r:shadow_t:s0
-/var/db/shadow.* -- system_u:object_r:shadow_t:s0
-/etc/blkid\.tab.* -- system_u:object_r:etc_runtime_t:s0
-/etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t:s0
-/etc/\.fstab\.hal\..+ -- system_u:object_r:etc_runtime_t:s0
-/etc/HOSTNAME -- system_u:object_r:etc_runtime_t:s0
-/etc/ioctl\.save -- system_u:object_r:etc_runtime_t:s0
-/etc/mtab -- system_u:object_r:etc_runtime_t:s0
-/etc/motd -- system_u:object_r:etc_runtime_t:s0
-/etc/issue -- system_u:object_r:etc_runtime_t:s0
-/etc/issue\.net -- system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/hwconf -- system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/firstboot -- system_u:object_r:etc_runtime_t:s0
-/etc/asound\.state -- system_u:object_r:etc_runtime_t:s0
-/etc/ptal/ptal-printd-like -- system_u:object_r:etc_runtime_t:s0
-ifdef(`distro_gentoo', `
-/etc/profile\.env -- system_u:object_r:etc_runtime_t:s0
-/etc/csh\.env -- system_u:object_r:etc_runtime_t:s0
-/etc/env\.d/.* -- system_u:object_r:etc_runtime_t:s0
-')
-/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t:s0
-/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t:s0
-/etc/yp\.conf.* -- system_u:object_r:net_conf_t:s0
-/etc/resolv\.conf.* -- system_u:object_r:net_conf_t:s0
-
-/etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
-/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:policy_config_t:s0
-/etc/selinux/([^/]*/)?src(/.*)? system_u:object_r:policy_src_t:s0
-/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
-/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
-
-
-#
-# /lib(64)?
-#
-/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
-
-#
-# /sbin
-#
-/sbin(/.*)? system_u:object_r:sbin_t:s0
-
-#
-# /tmp
-#
-/tmp -d system_u:object_r:tmp_t:s0
-/tmp/.* <>
-
-#
-# /usr
-#
-/usr(/.*)? system_u:object_r:usr_t:s0
-/usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t:s0
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/usr/lib/win32/.* -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
-/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0
-/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
-/usr/etc(/.*)? system_u:object_r:etc_t:s0
-/usr/inclu.e(/.*)? system_u:object_r:usr_t:s0
-/usr/libexec(/.*)? system_u:object_r:bin_t:s0
-/usr/src(/.*)? system_u:object_r:src_t:s0
-/usr/tmp -d system_u:object_r:tmp_t:s0
-/usr/tmp/.* <>
-/usr/man(/.*)? system_u:object_r:man_t:s0
-/usr/share/man(/.*)?
system_u:object_r:man_t:s0
-/usr/share/mc/extfs/.* -- system_u:object_r:bin_t:s0
-/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t:s0
-/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t:s0
-/usr/share/ssl/private(/.*)? system_u:object_r:cert_t:s0
-
-# nvidia share libraries
-/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-# libGL
-/usr/X11R6/lib/libGL\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)? system_u:object_r:policy_src_t:s0
-')
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t:s0
-')
-
-#
-# /usr/lib(64)?
-#
-/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t:s0
-/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t:s0
-/usr/lib(64)?/emacsen-common/.* system_u:object_r:bin_t:s0
-
-#
-# /usr/local
-#
-/usr/local/etc(/.*)? system_u:object_r:etc_t:s0
-/usr/local/src(/.*)? system_u:object_r:src_t:s0
-/usr/local/man(/.*)? system_u:object_r:man_t:s0
-/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0
-
-
-#
-# /usr/X11R6/man
-#
-/usr/X11R6/man(/.*)? system_u:object_r:man_t:s0
-
-#
-# Fonts dir
-#
-/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t:s0
-ifdef(`distro_debian', `
-/var/lib/msttcorefonts(/.*)? system_u:object_r:fonts_t:s0
-')
-/usr/share/fonts(/.*)? system_u:object_r:fonts_t:s0
-/usr/share/ghostscript/fonts(/.*)? system_u:object_r:fonts_t:s0
-/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t:s0
-
-#
-# /var/run
-#
-/var/run(/.*)?
system_u:object_r:var_run_t:s0
-/var/run/.*\.*pid <>
-
-#
-# /var/spool
-#
-/var/spool(/.*)? system_u:object_r:var_spool_t:s0
-/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t:s0
-/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t:s0
-
-#
-# /var/log
-#
-/var/log(/.*)? system_u:object_r:var_log_t:s0
-/var/log/wtmp.* -- system_u:object_r:wtmp_t:s0
-/var/log/btmp.* -- system_u:object_r:faillog_t:s0
-/var/log/faillog -- system_u:object_r:faillog_t:s0
-/var/log/ksyms.* -- system_u:object_r:var_log_ksyms_t:s0
-/var/log/dmesg -- system_u:object_r:var_log_t:s0
-/var/log/lastlog -- system_u:object_r:lastlog_t:s0
-/var/log/ksymoops(/.*)? system_u:object_r:var_log_ksyms_t:s0
-/var/log/syslog -- system_u:object_r:var_log_t:s0
-
-#
-# Journal files
-#
-/\.journal <>
-/usr/\.journal <>
-/boot/\.journal <>
-HOME_ROOT/\.journal <>
-/var/\.journal <>
-/tmp/\.journal <>
-/usr/local/\.journal <>
-
-#
-# Lost and found directories.
-#
-/lost\+found -d system_u:object_r:lost_found_t:s0
-/lost\+found/.* <>
-/usr/lost\+found -d system_u:object_r:lost_found_t:s0
-/usr/lost\+found/.* <>
-/boot/lost\+found -d system_u:object_r:lost_found_t:s0
-/boot/lost\+found/.* <>
-HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t:s0
-HOME_ROOT/lost\+found/.* <>
-/var/lost\+found -d system_u:object_r:lost_found_t:s0
-/var/lost\+found/.* <>
-/tmp/lost\+found -d system_u:object_r:lost_found_t:s0
-/tmp/lost\+found/.* <>
-/var/tmp/lost\+found -d system_u:object_r:lost_found_t:s0
-/var/tmp/lost\+found/.* <>
-/usr/local/lost\+found -d system_u:object_r:lost_found_t:s0
-/usr/local/lost\+found/.* <>
-
-#
-# system localization
-#
-/usr/share/zoneinfo(/.*)? system_u:object_r:locale_t:s0
-/usr/share/locale(/.*)? system_u:object_r:locale_t:s0
-/usr/lib/locale(/.*)? system_u:object_r:locale_t:s0
-/etc/localtime -- system_u:object_r:locale_t:s0
-/etc/localtime -l system_u:object_r:etc_t:s0
-/etc/pki(/.*)?
system_u:object_r:cert_t:s0
-
-#
-# Gnu Cash
-#
-/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t:s0
-/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t:s0
-
-#
-# Turboprint
-#
-/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t:s0
-/usr/share/hwdata(/.*)? system_u:object_r:hwdata_t:s0
-
-#
-# initrd mount point, only used during boot
-#
-/initrd -d system_u:object_r:root_t:s0
-
-#
-# The krb5.conf file is always being tested for writability, so
-# we defined a type to dontaudit
-#
-/etc/krb5\.conf -- system_u:object_r:krb5_conf_t:s0
-
-#
-# Thunderbird
-#
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t:s0
-
-#
-# /srv
-#
-/srv(/.*)? system_u:object_r:var_t:s0
-
-/etc/sysconfig/network-scripts/ifup-.* -- system_u:object_r:bin_t:s0
-/etc/sysconfig/network-scripts/ifdown-.* -- system_u:object_r:bin_t:s0
diff --git a/targeted/flask/Makefile b/targeted/flask/Makefile
deleted file mode 100644
index 970b9fed..00000000
--- a/targeted/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
- else if [ -x /bin/bash ]; then echo /bin/bash; \
- else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all: $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
- $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
- $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
- install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
- install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
- install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:
- rm -f $(FLASK_H_FILES)
- rm -f $(AV_H_FILES)
diff --git a/targeted/flask/access_vectors b/targeted/flask/access_vectors
deleted file mode 100644
index dc20463f..00000000
--- a/targeted/flask/access_vectors
+++ /dev/null
@@ -1,608 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- unlink
- link
- rename
- execute
- swapon
- quotaon
- mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- recv_msg
- send_msg
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- transition
- associate
- quotamod
- quotaget
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
-}
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- connectto
- newconn
- acceptfrom
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- enforce_dest
-}
-
-class netif
-{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
- newconn
- acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
-}
-
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
- passwd # change another user passwd
- chfn # change another user finger info
- chsh # change another user shell
- rootok # pam_rootok check (skip auth)
- crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class drawable
-{
- create
- destroy
- draw
- copy
- getattr
-}
-
-class gc
-{
- create
- free
- getattr
- setattr
-}
-
-class window
-{
- addchild
- create
- destroy
- map
- unmap
- chstack
- chproplist
- chprop
- listprop
- getattr
- setattr
- setfocus
- move
- chselection
- chparent
- ctrllife
- enumerate
- transparent
- mousemotion
- clientcomevent
- inputevent
- drawevent
- windowchangeevent
- windowchangerequest
- serverchangeevent
- extensionevent
-}
-
-class font
-{
- load
- free
- getattr
- use
-}
-
-class colormap
-{
- create
- free
- install
- uninstall
- list
- read
- store
- getattr
- setattr
-}
-
-class property
-{
- create
- free
- read
- write
-}
-
-class cursor
-{
- create
- createglyph
- free
- assign
- setattr
-}
-
-class xclient
-{
- kill
-}
-
-class xinput
-{
- lookup
- getattr
- setattr
- setfocus
- warppointer
- activegrab
- passivegrab
- ungrab
- bell
- mousemotion
- relabelinput
-}
-
-class xserver
-{
- screensaver
- gethostlist
- sethostlist
- getfontpath
- setfontpath
- getattr
- grab
- ungrab
-}
-
-class xextension
-{
- query
- use
-}
-
-#
-# Define the access vector interpretation for controlling
-# PaX flags
-#
-class pax
-{
- pageexec # Paging based non-executable pages
- emutramp # Emulate trampolines
- mprotect # Restrict mprotect()
- randmmap # Randomize mmap() base
- randexec # Randomize ET_EXEC base
- segmexec # Segmentation based non-executable pages
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
- acquire_svc
- send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
- getpwd
- getgrp
- gethost
- getstat
- admin
- shmempwd
- shmemgrp
- shmemhost
-}
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
diff --git a/targeted/flask/initial_sids b/targeted/flask/initial_sids
deleted file mode 100644
index 95894eb4..00000000
--- a/targeted/flask/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/targeted/flask/mkaccess_vector.sh b/targeted/flask/mkaccess_vector.sh
deleted file mode 100644
index b5da734b..00000000
--- a/targeted/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,227 +0,0 @@
-#!/bin/sh
-
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
-av_perm_to_string="av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN {
- outfile = \"$av_permissions\"
- inheritfile = \"$av_inherit\"
- cpermfile = \"$common_perm_to_string\"
- avpermfile = \"$av_perm_to_string\"
- "'
- nextstate = "COMMON_OR_AV";
- printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
-;
- }
-/^[ \t]*#/ {
- next;
- }
-$1 == "common" {
- if (nextstate != "COMMON_OR_AV")
- {
- printf("Parse error: Unexpected COMMON definition on line %d\n", NR);
- next;
- }
-
- if ($2 in common_defined)
- {
- printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
- next;
- }
- common_defined[$2] = 1;
-
- tclass = $2;
- common_name = $2;
- permission = 1;
-
- printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
-
- nextstate = "COMMON-OPENBRACKET";
- next;
- }
-$1 == "class" {
- if (nextstate != "COMMON_OR_AV" &&
- nextstate != "CLASS_OR_CLASS-OPENBRACKET")
- {
- printf("Parse error: Unexpected class definition on line %d\n", NR);
- next;
- }
-
- tclass = $2;
-
- if (tclass in av_defined)
- {
- printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
- next;
- }
- av_defined[tclass] = 1;
-
- inherits = "";
- permission = 1;
-
- nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
- next;
- }
-$1 == "inherits" {
- if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
- {
- printf("Parse error: Unexpected INHERITS definition on line %d\n", NR);
- next;
- }
-
- if (!($2 in common_defined))
- {
- printf("COMMON %s is not defined (line %d).\n", $2, NR);
- next;
- }
-
-
inherits = $2;
- permission = common_base[$2];
-
- for (combined in common_perms)
- {
- split(combined,separate, SUBSEP);
- if (separate[1] == inherits)
- {
- inherited_perms[common_perms[combined]] = separate[2];
- }
- }
-
- j = 1;
- for (i in inherited_perms) {
- ind[j] = i + 0;
- j++;
- }
- n = asort(ind);
- for (i = 1; i <= n; i++) {
- perm = inherited_perms[ind[i]];
- printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
- spaces = 40 - (length(perm) + length(tclass));
- if (spaces < 1)
- spaces = 1;
- for (j = 0; j < spaces; j++)
- printf(" ") > outfile;
- printf("0x%08xUL\n", ind[i]) > outfile;
- }
- printf("\n") > outfile;
- for (i in ind) delete ind[i];
- for (i in inherited_perms) delete inherited_perms[i];
-
- printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
-
- nextstate = "CLASS_OR_CLASS-OPENBRACKET";
- next;
- }
-$1 == "{" {
- if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
- nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
- nextstate != "COMMON-OPENBRACKET")
- {
- printf("Parse error: Unexpected { on line %d\n", NR);
- next;
- }
-
- if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
- nextstate = "CLASS-CLOSEBRACKET";
-
- if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
- nextstate = "CLASS-CLOSEBRACKET";
-
- if (nextstate == "COMMON-OPENBRACKET")
- nextstate = "COMMON-CLOSEBRACKET";
- }
-/[a-z][a-z_]*/ {
- if (nextstate != "COMMON-CLOSEBRACKET" &&
- nextstate != "CLASS-CLOSEBRACKET")
- {
- printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR);
- next;
- }
-
- if (nextstate == "COMMON-CLOSEBRACKET")
- {
- if ((common_name,$1) in common_perms)
- {
- printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
- next;
- }
-
- common_perms[common_name,$1] = permission;
-
- printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
-
- printf(" S_(\"%s\")\n", $1) > cpermfile;
- }
- else
- {
- if ((tclass,$1) in av_perms)
- {
-
printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
- next;
- }
-
- av_perms[tclass,$1] = permission;
-
- if (inherits != "")
- {
- if ((inherits,$1) in common_perms)
- {
- printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
- next;
- }
- }
-
- printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
-
- printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
- }
-
- spaces = 40 - (length($1) + length(tclass));
- if (spaces < 1)
- spaces = 1;
-
- for (i = 0; i < spaces; i++)
- printf(" ") > outfile;
- printf("0x%08xUL\n", permission) > outfile;
- permission = permission * 2;
- }
-$1 == "}" {
- if (nextstate != "CLASS-CLOSEBRACKET" &&
- nextstate != "COMMON-CLOSEBRACKET")
- {
- printf("Parse error: Unexpected } on line %d\n", NR);
- next;
- }
-
- if (nextstate == "COMMON-CLOSEBRACKET")
- {
- common_base[common_name] = permission;
- printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
- }
-
- printf("\n") > outfile;
-
- nextstate = "COMMON_OR_AV";
- }
-END {
- if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
- printf("Parse error: Unexpected end of file\n");
-
- }'
-
-# FLASK
diff --git a/targeted/flask/mkflask.sh b/targeted/flask/mkflask.sh
deleted file mode 100644
index 9c847549..00000000
--- a/targeted/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN {
- outfile = \"$output_file\"
- debugfile = \"$debug_file\"
- debugfile2 = \"$debug_file2\"
- "'
- nextstate = "CLASS";
-
- printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
-
- printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
- printf("#define _SELINUX_FLASK_H_\n") > outfile;
- printf("\n/*\n * Security object class definitions\n */\n") > outfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
- printf("/*\n * Security object class definitions\n */\n") > debugfile;
- printf(" S_(\"null\")\n") > debugfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
- printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
- printf(" \"null\",\n") > debugfile2;
- }
-/^[ \t]*#/ {
- next;
- }
-$1 == "class" {
- if (nextstate != "CLASS")
- {
- printf("Parse error: Unexpected class definition on line %d\n", NR);
- next;
- }
-
- if ($2 in class_found)
- {
- printf("Duplicate class definition for %s on line %d.\n", $2, NR);
- next;
- }
- class_found[$2] = 1;
-
- class_value++;
-
- printf("#define SECCLASS_%s", toupper($2)) > outfile;
- for (i = 0; i < 40 - length($2); i++)
- printf(" ") > outfile;
- printf("%d\n", class_value) > outfile;
-
- printf(" S_(\"%s\")\n", $2) > debugfile;
- }
-$1 == "sid" {
- if (nextstate == "CLASS")
- {
- nextstate = "SID";
- printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
- }
-
- if ($2 in sid_found)
- {
- printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
- next;
- }
- sid_found[$2] = 1;
- sid_value++;
-
- printf("#define SECINITSID_%s", toupper($2)) > outfile;
- for (i = 0; i < 37 - length($2); i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf(" 
\"%s\",\n", $2) > debugfile2;
- }
-END {
- if (nextstate != "SID")
- printf("Parse error: Unexpected end of file\n");
-
- printf("\n#define SECINITSID_NUM") > outfile;
- for (i = 0; i < 34; i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf("\n#endif\n") > outfile;
- printf("};\n\n") > debugfile2;
- }'
-
-# FLASK
diff --git a/targeted/flask/security_classes b/targeted/flask/security_classes
deleted file mode 100644
index 2669c30b..00000000
--- a/targeted/flask/security_classes
+++ /dev/null
@@ -1,86 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd
-
-# SE-X Windows stuff
-class drawable
-class window
-class gc
-class font
-class colormap
-class property
-class cursor
-class xclient
-class xinput
-class xserver
-class xextension
-
-# pax flags
-class pax
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-class dbus
-class nscd
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-# FLASK
diff --git a/targeted/fs_use b/targeted/fs_use
deleted file mode 100644
index d8840390..00000000
--- a/targeted/fs_use
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Define the labeling behavior for inodes in particular filesystem types.
-# This information was formerly hardcoded in the SELinux module.
-
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 system_u:object_r:fs_t:s0;
-fs_use_xattr ext3 system_u:object_r:fs_t:s0;
-fs_use_xattr xfs system_u:object_r:fs_t:s0;
-fs_use_xattr jfs system_u:object_r:fs_t:s0;
-fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
-
-# Use the allocating task SID to label inodes in the following filesystem
-# types, and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems that represent objects
-# like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.
-fs_use_task pipefs system_u:object_r:fs_t:s0;
-fs_use_task sockfs system_u:object_r:fs_t:s0;
-
-# Use a transition SID based on the allocating task SID and the
-# filesystem SID to label inodes in the following filesystem types,
-# and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems like devpts and tmpfs
-# where we want to label objects with a derived type.
-fs_use_trans devpts system_u:object_r:devpts_t:s0;
-fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
-fs_use_trans shm system_u:object_r:tmpfs_t:s0;
-fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
-
-# The separate genfs_contexts configuration can be used for filesystem
-# types that cannot support persistent label mappings or use
-# one of the fixed label schemes specified here.
diff --git a/targeted/genfs_contexts b/targeted/genfs_contexts
deleted file mode 100644
index b76cd4d9..00000000
--- a/targeted/genfs_contexts
+++ /dev/null
@@ -1,108 +0,0 @@
-# FLASK
-
-#
-# Security contexts for files in filesystems that
-# cannot support xattr or use one of the fixed labeling schemes
-# specified in fs_use.
-#
-# Each specifications has the form:
-# genfscon fstype pathname-prefix [ -type ] context
-#
-# The entry with the longest matching pathname prefix is used.
-# / refers to the root directory of the file system, and
-# everything is specified relative to this root directory.
-# If there is no entry with a matching pathname prefix, then
-# the unlabeled initial SID is used.
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -c to match only character device files, -b
-# to match only block device files.
-#
-# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
-# that covers all entries in the filesystem with a default file context.
-# For proc, a pathname can be reliably generated from the proc_dir_entry
-# tree. The proc /sys entries are used for both proc inodes and for sysctl(2)
-# calls. /proc/PID entries are automatically labeled based on the associated
-# process.
-#
-# Support for other filesystem types requires corresponding code to be
-# added to the kernel, either as an xattr handler in the filesystem
-# implementation (preferred, and necessary if you want to access the labels
-# from userspace) or as logic in the SELinux module.
-
-# proc (excluding /proc/PID)
-genfscon proc / system_u:object_r:proc_t:s0
-genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s0
-genfscon proc /kcore system_u:object_r:proc_kcore_t:s0
-genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0
-genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0
-genfscon proc /net system_u:object_r:proc_net_t:s0
-genfscon proc /sysvipc system_u:object_r:proc_t:s0
-genfscon proc /sys system_u:object_r:sysctl_t:s0
-genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
-genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0
-genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0
-genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
-genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0
-genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
-genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0
-genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0
-genfscon proc /irq system_u:object_r:sysctl_irq_t:s0
-
-# rootfs
-genfscon rootfs / system_u:object_r:root_t:s0
-
-# sysfs
-genfscon sysfs / system_u:object_r:sysfs_t:s0
-
-# selinuxfs
-genfscon selinuxfs / system_u:object_r:security_t:s0
-
-# autofs
-genfscon autofs / system_u:object_r:autofs_t:s0
-genfscon automount / system_u:object_r:autofs_t:s0
-
-# usbdevfs
-genfscon usbdevfs / system_u:object_r:usbdevfs_t:s0
-
-# iso9660
-genfscon iso9660 / system_u:object_r:iso9660_t:s0
-genfscon udf / system_u:object_r:iso9660_t:s0
-
-# romfs
-genfscon romfs / system_u:object_r:romfs_t:s0
-genfscon cramfs / system_u:object_r:romfs_t:s0
-
-# ramfs
-genfscon ramfs / system_u:object_r:ramfs_t:s0
-
-# vfat, msdos
-genfscon vfat / system_u:object_r:dosfs_t:s0
-genfscon msdos / system_u:object_r:dosfs_t:s0
-genfscon fat / system_u:object_r:dosfs_t:s0
-genfscon ntfs / system_u:object_r:dosfs_t:s0
-
-# samba
-genfscon cifs / system_u:object_r:cifs_t:s0
-genfscon smbfs / system_u:object_r:cifs_t:s0
-
-# nfs
-genfscon nfs / 
system_u:object_r:nfs_t:s0
-genfscon nfs4 / system_u:object_r:nfs_t:s0
-genfscon afs / system_u:object_r:nfs_t:s0
-
-genfscon debugfs / system_u:object_r:debugfs_t:s0
-genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0
-genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
-genfscon capifs / system_u:object_r:capifs_t:s0
-genfscon configfs / system_u:object_r:configfs_t:s0
-
-# needs more work
-genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
-genfscon futexfs / system_u:object_r:futexfs_t:s0
-genfscon bdev / system_u:object_r:bdev_t:s0
-genfscon usbfs / system_u:object_r:usbfs_t:s0
-genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
-genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
-genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
-
diff --git a/targeted/initial_sid_contexts b/targeted/initial_sid_contexts
deleted file mode 100644
index 6653d051..00000000
--- a/targeted/initial_sid_contexts
+++ /dev/null
@@ -1,46 +0,0 @@
-# FLASK
-
-#
-# Define the security context for each initial SID
-# sid sidname context
-
-sid kernel system_u:system_r:kernel_t:s0
-sid security system_u:object_r:security_t:s0
-sid unlabeled system_u:object_r:unlabeled_t:s0
-sid fs system_u:object_r:fs_t:s0
-sid file system_u:object_r:file_t:s0
-# Persistent label mapping is gone. This initial SID can be removed.
-sid file_labels system_u:object_r:unlabeled_t:s0
-# init_t:s0 is still used, but an initial SID is no longer required.
-sid init system_u:object_r:unlabeled_t:s0
-# any_socket is no longer used.
-sid any_socket system_u:object_r:unlabeled_t:s0
-sid port system_u:object_r:port_t:s0
-sid netif system_u:object_r:netif_t:s0
-# netmsg is no longer used.
-sid netmsg system_u:object_r:unlabeled_t:s0
-sid node system_u:object_r:node_t:s0
-# These sockets are now labeled with the kernel SID,
-# and do not require their own initial SIDs.
-sid igmp_packet system_u:object_r:unlabeled_t:s0
-sid icmp_socket system_u:object_r:unlabeled_t:s0
-sid tcp_socket system_u:object_r:unlabeled_t:s0
-# Most of the sysctl SIDs are now computed at runtime
-# from genfs_contexts, so the corresponding initial SIDs
-# are no longer required.
-sid sysctl_modprobe system_u:object_r:unlabeled_t:s0
-# But we still need the base sysctl initial SID as a default.
-sid sysctl system_u:object_r:sysctl_t:s0
-sid sysctl_fs system_u:object_r:unlabeled_t:s0
-sid sysctl_kernel system_u:object_r:unlabeled_t:s0
-sid sysctl_net system_u:object_r:unlabeled_t:s0
-sid sysctl_net_unix system_u:object_r:unlabeled_t:s0
-sid sysctl_vm system_u:object_r:unlabeled_t:s0
-sid sysctl_dev system_u:object_r:unlabeled_t:s0
-# No longer used, can be removed.
-sid kmod system_u:object_r:unlabeled_t:s0
-sid policy system_u:object_r:unlabeled_t:s0
-sid scmp_packet system_u:object_r:unlabeled_t:s0
-sid devnull system_u:object_r:null_device_t:s0
-
-# FLASK
diff --git a/targeted/local.users b/targeted/local.users
deleted file mode 100644
index 6dd04d60..00000000
--- a/targeted/local.users
+++ /dev/null
@@ -1,21 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines additional users recognized by the system security policy.
-# Only the user identities defined in this file and the system.users file
-# may be used as the user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity. The syntax of a user declaration is:
-#
-# user username roles role_set [ level default_level range allowed_range ];
-#
-# The MLS default level and allowed range should only be specified if
-# MLS was enabled in the policy.
-
-# sample for administrative user
-# user jadmin roles { staff_r sysadm_r system_r };
-
-# sample for regular user
-#user jdoe roles { user_r };
diff --git a/targeted/macros/admin_macros.te b/targeted/macros/admin_macros.te
deleted file mode 100644
index aaa816e4..00000000
--- a/targeted/macros/admin_macros.te
+++ /dev/null
@@ -1,227 +0,0 @@
-#
-# Macros for all admin domains.
-#
-
-#
-# admin_domain(domain_prefix)
-#
-# Define derived types and rules for an administrator domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately. If the every_domain() rules are desired,
-# then these rules must also be specified separately.
-#
-undefine(`admin_domain')
-define(`admin_domain',`
-# Type for home directory.
-attribute $1_file_type;
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
-
-# Type and access for pty devices.
-can_create_pty($1, `, admin_tty_type')
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-# Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
-
-# Inherit rules for ordinary users.
-base_user_domain($1)
-access_removable_media($1_t)
-
-allow $1_t self:capability setuid;
-
-ifdef(`su.te', `su_domain($1)')
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-
-# Let admin stat the shadow file.
-allow $1_t shadow_t:file getattr;
-
-ifdef(`crond.te', `
-allow $1_crond_t var_log_t:file r_file_perms;
-')
-
-# Allow system log read
-allow $1_t kernel_t:system syslog_read;
-
-# Allow autrace
-# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
-
-# Use capabilities other than sys_module.
-allow $1_t self:capability ~sys_module;
-
-# Use system operations.
-allow $1_t kernel_t:system *;
-
-# Set password information for other users.
-allow $1_t self:passwd { passwd chfn chsh };
-
-# Skip authentication when pam_rootok is specified.
-allow $1_t self:passwd rootok;
-
-# Manipulate other user crontab.
-allow $1_t self:passwd crontab;
-can_getsecurity(sysadm_crontab_t)
-
-# Change system parameters.
-can_sysctl($1_t)
-
-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# for lsof
-allow $1_t mtrr_device_t:file getattr;
-allow $1_t fs_type:dir getattr;
-
-# Access removable devices.
-allow $1_t removable_device_t:devfile_class_set rw_file_perms;
-
-# Communicate with the init process.
-allow $1_t initctl_t:fifo_file rw_file_perms;
-
-# Examine all processes.
-can_ps($1_t, domain)
-
-# allow renice
-allow $1_t domain:process setsched;
-
-# Send signals to all processes.
-allow $1_t { domain unlabeled_t }:process signal_perms;
-
-# Access all user terminals.
-allow $1_t tty_device_t:chr_file rw_file_perms;
-allow $1_t ttyfile:chr_file rw_file_perms;
-allow $1_t ptyfile:chr_file rw_file_perms;
-allow $1_t serial_device:chr_file setattr;
-
-# allow setting up tunnels
-allow $1_t tun_tap_device_t:chr_file rw_file_perms;
-
-# run ls -l /dev
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow $1_t ptyfile:chr_file getattr;
-
-# Run programs from staff home directories.
-# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-can_exec($1_t, staff_home_t)
-
-# Run programs from /usr/src.
-can_exec($1_t, src_t)
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
-ifdef(`startx.te', `
-ifdef(`xserver.te', `
-# Create files in /tmp/.X11-unix with our X servers derived
-# tmp type rather than user_xserver_tmp_t.
-file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-')dnl end xserver.te
-')dnl end startx.te
-
-ifdef(`xdm.te', `
-ifdef(`xauth.te', `
-if (xdm_sysadm_login) {
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-}
-can_pipe_xdm($1_t)
-')dnl end ifdef xauth.te
-')dnl end ifdef xdm.te
-
-#
-# A user who is authorized for sysadm_t may nonetheless have
-# a home directory labeled with user_home_t if the user is expected
-# to login in either user_t or sysadm_t. Hence, the derived domains
-# for programs need to be able to access user_home_t.
-#
-
-# Allow our gph domain to write to .xsession-errors.
-ifdef(`gnome-pty-helper.te', `
-allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
-allow $1_gph_t user_home_type:file create_file_perms;
-')
-
-# Allow our crontab domain to unlink a user cron spool file.
-ifdef(`crontab.te',
-`allow $1_crontab_t user_cron_spool_t:file unlink;')
-
-# for the administrator to run TCP servers directly
-can_tcp_connect($1_t, $1_t)
-allow $1_t port_t:tcp_socket name_bind;
-
-# Connect data port to ftpd.
-ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-
-# Connect second port to rshd.
-ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
-
-#
-# Allow sysadm to execute quota commands against filesystems and files.
-#
-allow $1_t fs_type:filesystem quotamod;
-
-# Grant read and write access to /dev/console.
-allow $1_t console_device_t:chr_file rw_file_perms;
-
-# Allow MAKEDEV to work
-allow $1_t device_t:dir rw_dir_perms;
-allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-allow $1_t device_t:lnk_file { create read };
-
-# for lsof
-allow $1_t domain:socket_class_set getattr;
-allow $1_t eventpollfs_t:file getattr;
-')
-
-define(`security_manager_domain', `
-
-typeattribute $1 secadmin;
-# Allow administrator domains to set the enforcing flag.
-can_setenforce($1)
-
-# Allow administrator domains to set policy booleans.
-can_setbool($1)
-
-# Get security policy decisions.
-can_getsecurity($1)
-
-# Allow administrator domains to set security parameters
-can_setsecparam($1)
-
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-# added by mayerf@tresys.com
-# The following rules are temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-#
-allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
-allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
-allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
-
-# Set an exec context, e.g. for runcon.
-can_setexec($1)
-
-# Set a context other than the default one for newly created files.
-can_setfscreate($1)
-
-allow $1 self:netlink_audit_socket nlmsg_readpriv;
-
-')
-
-
diff --git a/targeted/macros/base_user_macros.te b/targeted/macros/base_user_macros.te
deleted file mode 100644
index cecbaf7d..00000000
--- a/targeted/macros/base_user_macros.te
+++ /dev/null
@@ -1,397 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# base_user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately.
-#
-
-# base_user_domain() is also called by the admin_domain() macro
-undefine(`base_user_domain')
-define(`base_user_domain', `
-
-# Type for network-obtained content
-type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
-type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
-
-# Allow user to relabel untrusted content
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
-# Read content
-read_content($1_t, $1)
-
-# Write trusted content. This includes proper transition
-# for /home, and /tmp, so no other transition is necessary (or allowed)
-write_trusted($1_t, $1)
-
-# Maybe the home directory is networked
-network_home($1_t)
-
-# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
-# Relabel files in the home directory
-file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file });
-allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
-can_setfscreate($1_t)
-
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
-
-allow $1_t self:capability { setgid chown fowner };
-dontaudit $1_t self:capability { sys_nice fsetid };
-
-# $1_r is authorized for $1_t for the initial login domain.
-role $1_r types $1_t;
-allow system_r $1_r;
-
-r_dir_file($1_t, usercanread)
-
-# Grant permissions within the domain.
-general_domain_access($1_t)
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g.
-# for runtime-code generation or executable stack.
-allow $1_t self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1_t self:process execstack;
-}
-
-# Allow text relocations on system shared libraries, e.g. libGL.
-allow $1_t texrel_shlib_t:file execmod;
-
-#
-# kdeinit wants this access
-#
-allow $1_t device_t:dir { getattr search };
-
-# Find CDROM devices
-r_dir_file($1_t, sysctl_dev_t)
-# for eject
-allow $1_t fixed_disk_device_t:blk_file getattr;
-
-allow $1_t fs_type:dir getattr;
-
-allow $1_t event_device_t:chr_file { getattr read ioctl };
-
-# open office is looking for the following
-allow $1_t dri_device_t:chr_file getattr;
-dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-
-# Supress ls denials:
-# getattr() - ls -l
-# search_dir() - symlink path resolution
-# read_dir() - deep ls: ls parent/...
-
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-dontaudit_read_dir($1_t)
-
-# allow ptrace
-can_ptrace($1_t, $1_t)
-
-# Allow user to run restorecon and relabel files
-can_getsecurity($1_t)
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, file_context_t)
-
-allow $1_t usbtty_device_t:chr_file read;
-
-# GNOME checks for usb and other devices
-rw_dir_file($1_t,usbfs_t)
-
-can_exec($1_t, noexattrfile)
-# Bind to a Unix domain socket in /tmp.
-allow $1_t $1_tmp_t:unix_stream_socket name_bind;
-
-# Use the type when relabeling terminal devices.
-type_change $1_t tty_device_t:chr_file $1_tty_device_t;
-
-# Debian login is from shadow utils and does not allow resetting the perms.
-# have to fix this!
-type_change $1_t ttyfile:chr_file $1_tty_device_t;
-
-# for running TeX programs
-r_dir_file($1_t, tetex_data_t)
-can_exec($1_t, tetex_data_t)
-
-# Use the type when relabeling pty devices.
-type_change $1_t server_pty:chr_file $1_devpts_t;
-
-tmpfs_domain($1)
-
-ifdef(`cardmgr.te', `
-# to allow monitoring of pcmcia status
-allow $1_t cardmgr_var_run_t:file { getattr read };
-')
-
-# Modify mail spool file.
-allow $1_t mail_spool_t:dir r_dir_perms;
-allow $1_t mail_spool_t:file rw_file_perms;
-allow $1_t mail_spool_t:lnk_file read;
-
-#
-# Allow graphical boot to check battery lifespan
-#
-ifdef(`apmd.te', `
-allow $1_t apmd_t:unix_stream_socket connectto;
-allow $1_t apmd_var_run_t:sock_file write;
-')
-
-#
-# Allow the query of filesystem quotas
-#
-allow $1_t fs_type:filesystem quotaget;
-
-# Run helper programs.
-can_exec_any($1_t)
-# Run programs developed by other users in the same domain.
-can_exec($1_t, $1_home_t)
-can_exec($1_t, $1_tmp_t)
-
-# Run user programs that require different permissions in their own domain.
-# These rules were moved into the individual program domains.
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
-ifdef(`chkpwd.te', `chkpwd_domain($1)')
-ifdef(`fingerd.te', `fingerd_macro($1)')
-ifdef(`mta.te', `mail_domain($1)')
-ifdef(`exim.te', `exim_user_domain($1)')
-ifdef(`crontab.te', `crontab_domain($1)')
-
-ifdef(`screen.te', `screen_domain($1)')
-ifdef(`tvtime.te', `tvtime_domain($1)')
-ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`thunderbird.te', `thunderbird_domain($1)')
-ifdef(`samba.te', `samba_domain($1)')
-ifdef(`gpg.te', `gpg_domain($1)')
-ifdef(`xauth.te', `xauth_domain($1)')
-ifdef(`iceauth.te', `iceauth_domain($1)')
-ifdef(`startx.te', `xserver_domain($1)')
-ifdef(`lpr.te', `lpr_domain($1)')
-ifdef(`ssh.te', `ssh_domain($1)')
-ifdef(`irc.te', `irc_domain($1)')
-ifdef(`using_spamassassin', `spamassassin_domain($1)')
-ifdef(`pyzor.te', `pyzor_domain($1)')
-ifdef(`razor.te', `razor_domain($1)')
-ifdef(`uml.te', `uml_domain($1)')
-ifdef(`cdrecord.te', `cdrecord_domain($1)')
-ifdef(`mplayer.te', `mplayer_domains($1)')
-
-fontconfig_domain($1)
-
-# GNOME
-ifdef(`gnome.te', `
-gnome_domain($1)
-ifdef(`games.te', `games_domain($1)')
-ifdef(`gift.te', `gift_domains($1)')
-ifdef(`evolution.te', `evolution_domains($1)')
-ifdef(`ethereal.te', `ethereal_domain($1)')
-')
-
-# ICE communication channel
-ice_domain($1, $1)
-
-# ORBit communication channel (independent of GNOME)
-orbit_domain($1, $1)
-
-# Instantiate a derived domain for user cron jobs.
-ifdef(`crond.te', `crond_domain($1)')
-
-ifdef(`vmware.te', `vmware_domain($1)')
-
-if (user_direct_mouse) {
-# Read the mouse.
-allow $1_t mouse_device_t:chr_file r_file_perms;
-}
-# Access other miscellaneous devices.
-allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
-allow $1_t device_t:lnk_file { getattr read };
-
-can_resmgrd_connect($1_t)
-
-#
-# evolution and gnome-session try to create a netlink socket
-#
-dontaudit $1_t self:netlink_socket create_socket_perms;
-dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
-
-# Use the network.
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-can_winbind($1_t)
-
-ifdef(`pamconsole.te', `
-allow $1_t pam_var_console_t:dir search;
-')
-
-allow $1_t var_lock_t:dir search;
-
-# Grant permissions to access the system DBus
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-can_network_server_tcp($1_dbusd_t)
-allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
-allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_client($1, $1)
-allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_domain($1)
-ifdef(`hald.te', `
-allow $1_t hald_t:dbus send_msg;
-allow hald_t $1_t:dbus send_msg;
-') dnl end ifdef hald.te
-') dnl end ifdef dbus.te
-
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-# Gnome pannel binds to the following
-ifdef(`cups.te', `
-allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
-')
-
-# for perl
-dontaudit $1_t net_conf_t:file ioctl;
-
-# Communicate within the domain.
-can_udp_send($1_t, self)
-
-# Connect to inetd.
-ifdef(`inetd.te', `
-can_tcp_connect($1_t, inetd_t)
-can_udp_send($1_t, inetd_t)
-can_udp_send(inetd_t, $1_t)
-')
-
-# Connect to portmap.
-ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
-# Inherit and use sockets from inetd
-ifdef(`inetd.te', `
-allow $1_t inetd_t:fd use;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
-
-# Very permissive allowing every domain to see every type.
-allow $1_t kernel_t:system ipc_info;
-
-# When the user domain runs ps, there will be a number of access
-# denials when ps tries to search /proc. 
Do not audit these denials.
-dontaudit $1_t domain:dir r_dir_perms;
-dontaudit $1_t domain:notdevfile_class_set r_file_perms;
-dontaudit $1_t domain:process { getattr getsession };
-#
-# Cups daemon running as user tries to write /etc/printcap
-#
-dontaudit $1_t usr_t:file setattr;
-
-# Use X
-x_client_domain($1, $1)
-
-ifdef(`xserver.te', `
-allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
-')
-
-ifdef(`xdm.te', `
-# Connect to the X server run by the X Display Manager.
-can_unix_connect($1_t, xdm_t)
-# certain apps want to read xdm.pid file
-r_dir_file($1_t, xdm_var_run_t)
-allow $1_t xdm_var_lib_t:file { getattr read };
-allow xdm_t $1_home_dir_t:dir getattr;
-ifdef(`xauth.te', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
-')
-
-')dnl end ifdef xdm.te
-
-# Access the sound device.
-allow $1_t sound_device_t:chr_file { getattr read write ioctl };
-
-# Access the power device.
-allow $1_t power_device_t:chr_file { getattr read write ioctl };
-
-allow $1_t var_log_t:dir { getattr search };
-dontaudit $1_t logfile:file getattr;
-
-# Check to see if cdrom is mounted
-allow $1_t mnt_t:dir { getattr search };
-
-# Get attributes of file systems.
-allow $1_t fs_type:filesystem getattr;
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t null_device_t:chr_file rw_file_perms;
-allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-#
-# Added to allow reading of cdrom
-#
-allow $1_t rpc_pipefs_t:dir getattr;
-allow $1_t nfsd_fs_t:dir getattr;
-allow $1_t binfmt_misc_fs_t:dir getattr;
-
-# /initrd is left mounted, various programs try to look at it
-dontaudit $1_t ramfs_t:dir getattr;
-
-#
-# Emacs wants this access
-#
-allow $1_t wtmp_t:file r_file_perms;
-dontaudit $1_t wtmp_t:file write;
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-r_dir_file($1_t, src_t)
-
-# Allow user to read default_t files
-# This is different from reading default_t content,
-# because it also includes sockets, fifos, and links
-
-if (read_default_t) {
-allow $1_t default_t:dir r_dir_perms;
-allow $1_t default_t:notdevfile_class_set r_file_perms;
-}
-
-# Read fonts
-read_fonts($1_t, $1)
-
-read_sysctl($1_t);
-
-#
-# Caused by su - init scripts
-#
-dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
-
-#
-# Running ifconfig as a user generates the following
-#
-dontaudit $1_t self:socket create;
-dontaudit $1_t sysctl_net_t:dir search;
-
-ifdef(`rpcd.te', `
-create_dir_file($1_t, nfsd_rw_t)
-')
-
-')dnl end base_user_domain macro
-
diff --git a/targeted/macros/content_macros.te b/targeted/macros/content_macros.te
deleted file mode 100644
index fb36d460..00000000
--- a/targeted/macros/content_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-# Content access macros
-
-# FIXME: After nested booleans are supported, replace NFS/CIFS
-# w/ read_network_home, and write_network_home macros from global
-
-# FIXME: If true/false constant booleans are supported, replace
-# ugly $3 ifdefs with if(true), if(false)...
-
-# FIXME: Do we want write to imply read?
-
-############################################################
-# read_content(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to read content.
-# Content may be trusted or untrusted,
-# Reading anything is subject to a controlling boolean based on bool_prefix.
-# Reading untrusted content is additionally subject to read_untrusted_content
-# Reading default_t is additionally subject to read_default_t
-
-define(`read_content', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_read_content_defined', `', `
-define(`$3_read_content_defined')
-bool $3_read_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs home dirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_read_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file r_file_perms;
-dontaudit $1 nfs_t:dir r_dir_perms;
-}
-
-# Handle samba home dirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_read_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file r_file_perms;
-dontaudit $1 cifs_t:dir r_dir_perms;
-}
-
-# Handle removable media, /tmp, and /home
-ifelse($3, `', `',
-`if ($3_read_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_tmp_t $2_home_t } )
-ifdef(`mls_policy', `', `
-r_dir_file($1, removable_t)
-')
-
-ifelse($3, `', `',
-`} 
else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
-}')
-
-# Handle default_t content
-ifelse($3, `',
-`if (read_default_t) { ',
-`if ($3_read_content && read_default_t) {')
-r_dir_file($1, default_t)
-} else {
-dontaudit $1 default_t:file r_file_perms;
-dontaudit $1 default_t:dir r_dir_perms;
-}
-
-# Handle untrusted content
-ifelse($3, `',
-`if (read_untrusted_content) { ',
-`if ($3_read_content && read_untrusted_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
-}
-') dnl read_content
-
-#################################################
-# write_trusted(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to write trusted content.
-# This is subject to a controlling boolean based
-# on bool_prefix.
-
-define(`write_trusted', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_write_content_defined', `', `
-define(`$3_write_content_defined')
-bool $3_write_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs homedirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_write_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_write_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-ifelse($3, `', `',
-`if ($3_write_content) {')
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
-file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
-ifelse($3, `', `',
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}')
-
-') dnl write_trusted
-
-#########################################
-# write_untrusted(domain, role_prefix)
-#
-# Allow the given domain to write untrusted content.
-# This is subject to the global boolean write_untrusted.
-
-define(`write_untrusted', `
-
-# Handle nfs homedirs
-if (write_untrusted_content && use_nfs_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-if (write_untrusted_content && use_samba_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-if (write_untrusted_content) {
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
-file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}
-
-') dnl write_untrusted
diff --git a/targeted/macros/core_macros.te b/targeted/macros/core_macros.te
deleted file mode 100644
index 6bae8bf4..00000000
--- a/targeted/macros/core_macros.te
+++ /dev/null
@@ -1,706 +0,0 @@
-
-##############################
-#
-# core macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors: Stephen Smalley , Timothy Fraser
-# Howard Holm (NSA)
-# Russell Coker
-#
-
-#################################
-#
-# Macros for groups of classes and
-# groups of permissions.
-#
-
-#
-# All directory and file classes
-#
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# All non-directory file classes.
-#
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# Non-device file classes.
-#
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-
-#
-# Device file classes.
-#
-define(`devfile_class_set', `{ chr_file blk_file }')
-
-#
-# All socket classes.
-#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
-
-#
-# Datagram socket classes.
-#
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-
-#
-# Stream socket classes.
-#
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-
-#
-# Permissions for getting file attributes.
-#
-define(`stat_file_perms', `{ getattr }')
-
-#
-# Permissions for executing files.
-#
-define(`x_file_perms', `{ getattr execute }')
-
-#
-# Permissions for reading files and their attributes.
-#
-define(`r_file_perms', `{ read getattr lock ioctl }')
-
-#
-# Permissions for reading and executing files.
-#
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
-
-#
-# Permissions for reading and writing files and their attributes.
-#
-define(`rw_file_perms', `{ ioctl read getattr lock write append }')
-
-#
-# Permissions for reading and appending to files.
-#
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
-
-#
-# Permissions for linking, unlinking and renaming files.
-#
-define(`link_file_perms', `{ getattr link unlink rename }')
-
-#
-# Permissions for creating lnk_files.
-#
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-#
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
-
-#
-# Permissions for reading directories and their attributes.
-#
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
-
-#
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
-
-#
-# Permissions for reading and adding names to directories.
-#
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
-
-
-#
-# Permissions for creating and using directories.
-#
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
-#
-# Permissions to mount and unmount file systems.
-#
-define(`mount_fs_perms', `{ mount remount unmount getattr }')
-
-#
-# Permissions for using sockets.
-#
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`create_socket_perms', `{ create rw_socket_perms }')
-
-#
-# Permissions for using stream sockets.
-#
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-
-#
-# Permissions for creating and using stream sockets.
-#
-define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-#
-define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
-
-
-#
-# Permissions for creating and using netlink sockets.
-#
-define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that modify state.
-#
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that observe state.
-#
-define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
-
-#
-# Permissions for sending all signals.
-#
-define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
-
-#
-# Permissions for sending and receiving network packets.
-#
-define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
-
-#
-# Permissions for using System V IPC
-#
-define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
-define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
-define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-#################################
-#
-# Macros for type transition rules and
-# access vector rules.
-#
-
-#
-# Simple combinations for reading and writing both
-# directories and files.
-#
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:file r_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`rw_dir_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file rw_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file ra_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_create_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file { create ra_file_perms };
-allow $1 $2:lnk_file { create read getattr };
-')
-
-define(`rw_dir_create_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_file', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_notdevfile', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:{ file sock_file fifo_file } create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_append_log_file', `
-allow $1 $2:dir { read getattr search add_name write };
-allow $1 $2:file { create ioctl getattr setattr append link };
-')
-
-##################################
-#
-# can_ps(domain1, domain2)
-#
-# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
-#
-define(`can_ps',`
-allow $1 $2:dir { search getattr read };
-allow $1 $2:{ file lnk_file } { read getattr };
-allow $1 $2:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6). Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 $2:process ptrace;
-')
-
-##################################
-#
-# can_getsecurity(domain)
-#
-# Authorize a domain to get security policy decisions.
-#
-define(`can_getsecurity',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
-')
-
-##################################
-#
-# can_setenforce(domain)
-#
-# Authorize a domain to set the enforcing flag.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setenforce',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
-}dnl end if !secure_mode_policyload
-')
-
-##################################
-#
-# can_setbool(domain)
-#
-# Authorize a domain to set a policy boolean.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setbool',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security setbool;
-auditallow $1 security_t:security setbool;
-}dnl end if !secure_mode_policyload
-')
-
-##################################
-#
-# can_setsecparam(domain)
-#
-# Authorize a domain to set security parameters.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setsecparam',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setsecparam;
-auditallow $1 security_t:security setsecparam;
-')
-
-##################################
-#
-# can_loadpol(domain)
-#
-# Authorize a domain to load a policy configuration.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_loadpol',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 proc_t:file { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security load_policy;
-auditallow $1 security_t:security load_policy;
-}dnl end if !secure_mode_policyload
-')
-
-#################################
-#
-# domain_trans(parent_domain, program_type, child_domain)
-#
-# Permissions for transitioning to a new domain.
-#
-
-define(`domain_trans',`
-
-#
-# Allow the process to transition to the new domain.
-#
-allow $1 $3:process transition;
-
-#
-# Do not audit when glibc secure mode is enabled upon the transition.
-#
-dontaudit $1 $3:process noatsecure;
-
-#
-# Do not audit when signal-related state is cleared upon the transition.
-#
-dontaudit $1 $3:process siginh;
-
-#
-# Do not audit when resource limits are reset upon the transition.
-#
-dontaudit $1 $3:process rlimitinh;
-
-#
-# Allow the process to execute the program.
-#
-allow $1 $2:file { read x_file_perms };
-
-#
-# Allow the process to reap the new domain.
-#
-allow $3 $1:process sigchld;
-
-#
-# Allow the new domain to inherit and use file
-# descriptions from the creating process and vice versa.
-# -allow $3 $1:fd use; -allow $1 $3:fd use; - -# -# Allow the new domain to write back to the old domain via a pipe. -# -allow $3 $1:fifo_file rw_file_perms; - -# -# Allow the new domain to read and execute the program. -# -allow $3 $2:file rx_file_perms; - -# -# Allow the new domain to be entered via the program. -# -allow $3 $2:file entrypoint; -') - -################################# -# -# domain_auto_trans(parent_domain, program_type, child_domain) -# -# Define a default domain transition and allow it. -# -define(`domain_auto_trans',` -domain_trans($1,$2,$3) -type_transition $1 $2:process $3; -') - -################################# -# -# can_ptrace(domain, domain) -# -# Permissions for running ptrace (strace or gdb) on another domain -# -define(`can_ptrace',` -allow $1 $2:process ptrace; -allow $2 $1:process sigchld; -') - -################################# -# -# can_exec(domain, type) -# -# Permissions for executing programs with -# a specified type without changing domains. -# -define(`can_exec',` -allow $1 $2:file { rx_file_perms execute_no_trans }; -') - -# this is an internal macro used by can_create -define(`can_create_internal', ` -ifelse(`$3', `dir', ` -allow $1 $2:$3 create_dir_perms; -', `$3', `lnk_file', ` -allow $1 $2:$3 create_lnk_perms; -', ` -allow $1 $2:$3 create_file_perms; -')dnl end if dir -')dnl end can_create_internal - - -################################# -# -# can_create(domain, file_type, object_class) -# -# Permissions for creating files of the specified type and class -# -define(`can_create', ` -ifelse(regexp($3, `\w'), -1, `', ` -can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1')) - -can_create($1, $2, regexp($3, `\w+\(.*\)', `\1')) -') -') -################################# -# -# file_type_trans(domain, dir_type, file_type) -# -# Permissions for transitioning to a new file type. -# - -define(`file_type_trans',` - -# -# Allow the process to modify the directory. 
-# -allow $1 $2:dir rw_dir_perms; - -# -# Allow the process to create the file. -# -ifelse(`$4', `', ` -can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }') -', ` -can_create($1, $3, $4) -')dnl end if param 4 specified - -') - -################################# -# -# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class) -# -# the object class will default to notdevfile_class_set if not specified as -# the fourth parameter -# -# Define a default file type transition and allow it. -# -define(`file_type_auto_trans',` -ifelse(`$4', `', ` -file_type_trans($1,$2,$3) -type_transition $1 $2:dir $3; -type_transition $1 $2:notdevfile_class_set $3; -', ` -file_type_trans($1,$2,$3,$4) -type_transition $1 $2:$4 $3; -')dnl end ifelse - -') - - -################################# -# -# can_unix_connect(client, server) -# -# Permissions for establishing a Unix stream connection. -# -define(`can_unix_connect',` -allow $1 $2:unix_stream_socket connectto; -') - -################################# -# -# can_unix_send(sender, receiver) -# -# Permissions for sending Unix datagrams. -# -define(`can_unix_send',` -allow $1 $2:unix_dgram_socket sendto; -') - -################################# -# -# can_tcp_connect(client, server) -# -# Permissions for establishing a TCP connection. -# Irrelevant until we have labeled networking. -# -define(`can_tcp_connect',` -#allow $1 $2:tcp_socket { connectto recvfrom }; -#allow $2 $1:tcp_socket { acceptfrom recvfrom }; -#allow $2 kernel_t:tcp_socket recvfrom; -#allow $1 kernel_t:tcp_socket recvfrom; -') - -################################# -# -# can_udp_send(sender, receiver) -# -# Permissions for sending/receiving UDP datagrams. -# Irrelevant until we have labeled networking. 
-# -define(`can_udp_send',` -#allow $1 $2:udp_socket sendto; -#allow $2 $1:udp_socket recvfrom; -') - - -################################## -# -# base_pty_perms(domain_prefix) -# -# Base permissions used for can_create_pty() and can_create_other_pty() -# -define(`base_pty_perms', ` -# Access the pty master multiplexer. -allow $1_t ptmx_t:chr_file rw_file_perms; - -allow $1_t devpts_t:filesystem getattr; - -# allow searching /dev/pts -allow $1_t devpts_t:dir { getattr read search }; - -# ignore old BSD pty devices -dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; -') - - -################################## -# -# pty_slave_label(domain_prefix, attributes) -# -# give access to a slave pty but do not allow creating new ptys -# -define(`pty_slave_label', ` -type $1_devpts_t, file_type, sysadmfile, ptyfile $2; - -# Allow the pty to be associated with the file system. -allow $1_devpts_t devpts_t:filesystem associate; - -# Label pty files with a derived type. -type_transition $1_t devpts_t:chr_file $1_devpts_t; - -# allow searching /dev/pts -allow $1_t devpts_t:dir { getattr read search }; - -# Read and write my pty files. -allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; -') - - -################################## -# -# can_create_pty(domain_prefix, attributes) -# -# Permissions for creating ptys. -# -define(`can_create_pty',` -base_pty_perms($1) -pty_slave_label($1, `$2') -') - - -################################## -# -# can_create_other_pty(domain_prefix,other_domain) -# -# Permissions for creating ptys for another domain. -# -define(`can_create_other_pty',` -base_pty_perms($1) -# Label pty files with a derived type. -type_transition $1_t devpts_t:chr_file $2_devpts_t; - -# Read and write pty files. -allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms }; -') - - -# -# general_domain_access(domain) -# -# Grant permissions within the domain. 
-# This includes permissions to processes, /proc/PID files, -# file descriptors, pipes, Unix sockets, and System V IPC objects -# labeled with the domain. -# -define(`general_domain_access',` -# Access other processes in the same domain. -# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap. -# These must be granted separately if desired. -allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap}; - -# Access /proc/PID files for processes in the same domain. -allow $1 self:dir r_dir_perms; -allow $1 self:notdevfile_class_set r_file_perms; - -# Access file descriptions, pipes, and sockets -# created by processes in the same domain. -allow $1 self:fd *; -allow $1 self:fifo_file rw_file_perms; -allow $1 self:unix_dgram_socket create_socket_perms; -allow $1 self:unix_stream_socket create_stream_socket_perms; - -# Allow the domain to communicate with other processes in the same domain. -allow $1 self:unix_dgram_socket sendto; -allow $1 self:unix_stream_socket connectto; - -# Access System V IPC objects created by processes in the same domain. -allow $1 self:sem create_sem_perms; -allow $1 self:msg { send receive }; -allow $1 self:msgq create_msgq_perms; -allow $1 self:shm create_shm_perms; -allow $1 unpriv_userdomain:fd use; -# -# Every app is asking for ypbind so I am adding this here, -# eventually this should become can_nsswitch -# -can_ypbind($1) -allow $1 autofs_t:dir { search getattr }; -')dnl end general_domain_access diff --git a/targeted/macros/global_macros.te b/targeted/macros/global_macros.te deleted file mode 100644 index 0faa4bef..00000000 --- a/targeted/macros/global_macros.te +++ /dev/null 
@@ -1,766 +0,0 @@ -############################## -# -# Global macros for the type enforcement (TE) configuration. -# - -# -# Authors: Stephen Smalley and Timothy Fraser -# Howard Holm (NSA) -# Russell Coker -# -# -# - -################################## -# -# can_setexec(domain) -# -# Authorize a domain to set its exec context -# (via /proc/pid/attr/exec). -# -define(`can_setexec',` -allow $1 self:process setexec; -allow $1 proc_t:dir search; -allow $1 proc_t:{ file lnk_file } read; -allow $1 self:dir search; -allow $1 self:file { getattr read write }; -') - -################################## -# -# can_getcon(domain) -# -# Authorize a domain to get its context -# (via /proc/pid/attr/current). -# -define(`can_getcon',` -allow $1 proc_t:dir search; -allow $1 proc_t:{ file lnk_file } read; -allow $1 self:dir search; -allow $1 self:file { getattr read }; -allow $1 self:process getattr; -') - -################################## -# -# can_setcon(domain) -# -# Authorize a domain to set its current context -# (via /proc/pid/attr/current). -# -define(`can_setcon',` -allow $1 self:process setcurrent; -allow $1 proc_t:dir search; -allow $1 proc_t:{ file lnk_file } read; -allow $1 self:dir search; -allow $1 self:file { getattr read write }; -') - -################################## -# read_sysctl(domain) -# -# Permissions for reading sysctl variables. -# If the second parameter is full, allow -# reading of any sysctl variables, else only -# sysctl_kernel_t. -# -define(`read_sysctl', ` -# Read system variables in /sys. -ifelse($2,`full', ` -allow $1 sysctl_type:dir r_dir_perms; -allow $1 sysctl_type:file r_file_perms; -', ` -allow $1 sysctl_t:dir search; -allow $1 sysctl_kernel_t:dir search; -allow $1 sysctl_kernel_t:file { getattr read }; -') - -')dnl read_sysctl - -################################## -# -# can_setfscreate(domain) -# -# Authorize a domain to set its fscreate context -# (via /proc/pid/attr/fscreate). 
-# -define(`can_setfscreate',` -allow $1 self:process setfscreate; -allow $1 proc_t:dir search; -allow $1 proc_t:{ file lnk_file } read; -allow $1 self:dir search; -allow $1 self:file { getattr read write }; -') - -################################# -# -# uses_shlib(domain) -# -# Permissions for using shared libraries. -# -define(`uses_shlib',` -allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms; -allow $1 lib_t:lnk_file r_file_perms; -allow $1 ld_so_t:file rx_file_perms; -#allow $1 ld_so_t:file execute_no_trans; -allow $1 ld_so_t:lnk_file r_file_perms; -allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms; -allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms; -allow $1 texrel_shlib_t:file execmod; -allow $1 ld_so_cache_t:file r_file_perms; -allow $1 device_t:dir search; -allow $1 null_device_t:chr_file rw_file_perms; -') - -################################# -# -# can_exec_any(domain) -# -# Permissions for executing a variety -# of executable types. -# -define(`can_exec_any',` -allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms; -allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read }; -uses_shlib($1) -can_exec($1, etc_t) -can_exec($1, lib_t) -can_exec($1, bin_t) -can_exec($1, sbin_t) -can_exec($1, exec_type) -can_exec($1, ld_so_t) -') - - -################################# -# -# can_sysctl(domain) -# -# Permissions for modifying sysctl parameters. 
-# -define(`can_sysctl',` -allow $1 sysctl_type:dir r_dir_perms; -allow $1 sysctl_type:file { setattr rw_file_perms }; -') - - -################################## -# -# read_locale(domain) -# -# Permissions for reading the locale data, -# /etc/localtime and the files that it links to -# -define(`read_locale', ` -allow $1 etc_t:lnk_file read; -allow $1 lib_t:file r_file_perms; -r_dir_file($1, locale_t) -') - -define(`can_access_pty', ` -allow $1 devpts_t:dir r_dir_perms; -allow $1 $2_devpts_t:chr_file rw_file_perms; -') - -################################### -# -# access_terminal(domain, typeprefix) -# -# Permissions for accessing the terminal -# -define(`access_terminal', ` -allow $1 $2_tty_device_t:chr_file { read write getattr ioctl }; -allow $1 devtty_t:chr_file { read write getattr ioctl }; -can_access_pty($1, $2) -') - -# -# general_proc_read_access(domain) -# -# Grant read/search permissions to most of /proc, excluding -# the /proc/PID directories and the /proc/kmsg and /proc/kcore files. -# The general_domain_access macro grants access to the domain /proc/PID -# directories, but not to other domains. Only permissions to stat -# are granted for /proc/kmsg and /proc/kcore, since these files are more -# sensitive. -# -define(`general_proc_read_access',` -# Read system information files in /proc. -r_dir_file($1, proc_t) -r_dir_file($1, proc_net_t) -allow $1 proc_mdstat_t:file r_file_perms; - -# Stat /proc/kmsg and /proc/kcore. -allow $1 proc_fs:file stat_file_perms; - -# Read system variables in /proc/sys. -read_sysctl($1) -') - -# -# base_file_read_access(domain) -# -# Grant read/search permissions to a few system file types. -# -define(`base_file_read_access',` -# Read /. -allow $1 root_t:dir r_dir_perms; -allow $1 root_t:notdevfile_class_set r_file_perms; - -# Read /home. -allow $1 home_root_t:dir r_dir_perms; - -# Read /usr. -allow $1 usr_t:dir r_dir_perms; -allow $1 usr_t:notdevfile_class_set r_file_perms; - -# Read bin and sbin directories. 
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:notdevfile_class_set r_file_perms;
-allow $1 sbin_t:dir r_dir_perms;
-allow $1 sbin_t:notdevfile_class_set r_file_perms;
-read_sysctl($1)
-
-r_dir_file($1, selinux_config_t)
-
-if (read_default_t) {
-#
-# Read default_t
-#.
-allow $1 default_t:dir r_dir_perms;
-allow $1 default_t:notdevfile_class_set r_file_perms;
-}
-
-')
-
-#######################
-# daemon_core_rules(domain_prefix, attribs)
-#
-# Define the core rules for a daemon, used by both daemon_base_domain() and
-# init_service_domain().
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author: Russell Coker
-#
-define(`daemon_core_rules', `
-type $1_t, domain, privlog, daemon $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-dontaudit $1_t self:capability sys_tty_config;
-
-role system_r types $1_t;
-
-# Inherit and use descriptors from init.
-allow $1_t init_t:fd use;
-allow $1_t init_t:process sigchld;
-allow $1_t self:process { signal_perms fork };
-
-uses_shlib($1_t)
-
-allow $1_t { self proc_t }:dir r_dir_perms;
-allow $1_t { self proc_t }:lnk_file { getattr read };
-
-allow $1_t device_t:dir r_dir_perms;
-ifdef(`udev.te', `
-allow $1_t udev_tdb_t:file r_file_perms;
-')dnl end if udev.te
-allow $1_t null_device_t:chr_file rw_file_perms;
-dontaudit $1_t console_device_t:chr_file rw_file_perms;
-dontaudit $1_t unpriv_userdomain:fd use;
-
-r_dir_file($1_t, sysfs_t)
-
-allow $1_t autofs_t:dir { search getattr };
-ifdef(`targeted_policy', `
-dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
-dontaudit $1_t root_t:file { getattr read };
-')dnl end if targeted_policy
-
-')dnl end macro daemon_core_rules
-
-#######################
-# init_service_domain(domain_prefix, attribs)
-#
-# Define a domain for a program that is run from init
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author: Russell Coker
-#
-define(`init_service_domain', `
-daemon_core_rules($1, `$2')
-
-domain_auto_trans(init_t, $1_exec_t, $1_t)
-')dnl
-
-#######################
-# daemon_base_domain(domain_prefix, attribs)
-#
-# Define a daemon domain with a base set of type declarations
-# and permissions that are common to most daemons.
-# attribs is the list of attributes which must start with "," if it is not empty
-# nosysadm may be given as an optional third parameter, to specify that the
-# sysadmin should not transition to the domain when directly calling the executable
-#
-# Author: Russell Coker
-#
-define(`daemon_base_domain', `
-daemon_core_rules($1, `$2')
-
-rhgb_domain($1_t)
-
-read_sysctl($1_t)
-
-ifdef(`direct_sysadm_daemon', `
-dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
-')
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-ifelse(index(`$2',`transitionbool'), -1, `', `
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-') dnl transitionbool
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-
-allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-ifelse(index(`$2', `transitionbool'), -1, `', `
-}
-') dnl end transitionbool
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-role_transition sysadm_r $1_exec_t system_r;
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-
-allow $1_t privfd:fd use;
-ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
-allow $1_t initrc_devpts_t:chr_file rw_file_perms;
-')dnl
-
-# allow a domain to create its own files under /var/run and to create files
-# in directories that are created for it. $2 is an optional list of
-# classes to use; default is file.
-define(`var_run_domain', `
-type $1_var_run_t, file_type, sysadmfile, pidfile;
-
-ifelse(`$2', `', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
-', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
-')
-allow $1_t var_t:dir search;
-allow $1_t $1_var_run_t:dir rw_dir_perms;
-')
-
-#######################
-# daemon_domain(domain_prefix, attribs)
-#
-# see daemon_base_domain for calling details
-# daemon_domain defines some additional privileges needed by many domains,
-# like pid files and locale support
-
-define(`daemon_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `$2, transitionbool', $3)
-', `
-daemon_base_domain($1, `$2', $3)
-')
-# Create pid file.
-allow $1_t var_t:dir { getattr search };
-var_run_domain($1)
-
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-# for daemons that look at /root on startup
-dontaudit $1_t sysadm_home_dir_t:dir search;
-
-# for df
-allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;
-
-read_locale($1_t)
-
-# for localization
-allow $1_t lib_t:file { getattr read };
-')dnl end daemon_domain macro
-
-define(`uses_authbind',
-`domain_auto_trans($1, authbind_exec_t, authbind_t)
-allow authbind_t $1:process sigchld;
-allow authbind_t $1:fd use;
-allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
-')
-
-# define a sub-domain, $1_t is the parent domain, $2 is the name
-# of the sub-domain.
-#
-define(`daemon_sub_domain', `
-# $1 is the parent domain (or domains), $2_t is the child domain,
-# and $3 is any attributes to apply to the child
-type $2_t, domain, privlog, daemon $3;
-type $2_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types $2_t;
-
-ifelse(index(`$3',`transitionbool'), -1, `
-
-domain_auto_trans($1, $2_exec_t, $2_t)
-
-', `
-
-bool $2_disable_trans false;
-
-if (! $2_disable_trans) {
-domain_auto_trans($1, $2_exec_t, $2_t)
-}
-
-');
-# Inherit and use descriptors from parent.
-allow $2_t $1:fd use;
-allow $2_t $1:process sigchld;
-
-allow $2_t self:process signal_perms;
-
-uses_shlib($2_t)
-
-allow $2_t { self proc_t }:dir r_dir_perms;
-allow $2_t { self proc_t }:lnk_file read;
-
-allow $2_t device_t:dir getattr;
-')
-
-# grant access to /tmp
-# by default, only plain files and dirs may be stored there.
-# This can be overridden with a third parameter
-define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-ifelse($3, `',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
-')
-
-# grant access to /tmp. Do not perform an automatic transition.
-define(`tmp_domain_notrans', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-')
-
-define(`tmpfs_domain', `
-ifdef(`$1_tmpfs_t_defined',`', `
-define(`$1_tmpfs_t_defined')
-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-# Use this type when creating tmpfs/shm objects.
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
-')
-')
-
-define(`var_lib_domain', `
-type $1_var_lib_t, file_type, sysadmfile;
-file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
-allow $1_t $1_var_lib_t:dir rw_dir_perms;
-')
-
-define(`log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
-')
-
-define(`logdir_domain', `
-log_domain($1)
-allow $1_t $1_log_t:dir { setattr rw_dir_perms };
-')
-
-define(`etc_domain', `
-type $1_etc_t, file_type, sysadmfile, usercanread;
-allow $1_t $1_etc_t:file r_file_perms;
-')
-
-define(`etcdir_domain', `
-etc_domain($1)
-allow $1_t $1_etc_t:dir r_dir_perms;
-allow $1_t $1_etc_t:lnk_file { getattr read };
-')
-
-define(`append_log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-allow $1_t var_log_t:dir ra_dir_perms;
-allow $1_t $1_log_t:file { create ra_file_perms };
-type_transition $1_t var_log_t:file $1_log_t;
-')
-
-define(`append_logdir_domain', `
-append_log_domain($1)
-allow $1_t $1_log_t:dir { setattr ra_dir_perms };
-')
-
-define(`lock_domain', `
-type $1_lock_t, file_type, sysadmfile, lockfile;
-file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
-')
-
-#######################
-# application_domain(domain_prefix)
-#
-# Define a domain with a base set of type declarations
-# and permissions that are common to simple applications.
-#
-# Author: Russell Coker
-#
-define(`application_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types $1_t;
-ifdef(`targeted_policy', `
-role system_r types $1_t;
-')
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-uses_shlib($1_t)
-')
-
-define(`system_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types $1_t;
-uses_shlib($1_t)
-allow $1_t etc_t:dir r_dir_perms;
-')
-
-# Dontaudit macros to prevent flooding the log
-
-define(`dontaudit_getattr', `
-dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;
-dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-')dnl end dontaudit_getattr
-
-define(`dontaudit_search_dir', `
-dontaudit $1 file_type - secure_file_type:dir search;
-dontaudit $1 unlabeled_t:dir search;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-')dnl end dontaudit_search_dir
-
-define(`dontaudit_read_dir', `
-dontaudit $1 file_type - secure_file_type:dir read;
-dontaudit $1 unlabeled_t:dir read;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-')dnl end dontaudit_read_dir
-
-# Define legacy_domain for legacy binaries (java)
-# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
-# toolchain. They cause the kernel to automatically start translating all
-# read protection requests to read|execute for backward compatibility on
-# x86. They will all need execmem and execmod, including execmod to
-# shlib_t and ld_so_t unlike non-legacy binaries.
-
-define(`legacy_domain', `
-allow $1_t self:process { execmem execstack };
-allow $1_t { texrel_shlib_t shlib_t }:file execmod;
-allow $1_t ld_so_t:file execmod;
-allow $1_t ld_so_cache_t:file execute;
-')
-
-
-# Allow domain to perform polyinstantiation functions
-# polyinstantiater(domain)
-
-define(`polyinstantiater', `
-
-ifdef(`support_polyinstantiation', `
-# Need to give access to /selinux/member
-allow $1 security_t:security compute_member;
-
-# Need to give access to the directories to be polyinstantiated
-allow $1 polydir:dir { getattr mounton add_name create setattr write search };
-
-# Need to give access to the polyinstantiated subdirectories
-allow $1 polymember:dir {getattr search };
-
-# Need to give access to parent directories where original
-# is remounted for polyinstantiation aware programs (like gdm)
-allow $1 polyparent:dir { getattr mounton };
-
-# Need to give permission to create directories where applicable
-allow $1 polymember: dir { create setattr };
-allow $1 polydir: dir { write add_name };
-allow $1 self:process setfscreate;
-allow $1 polyparent:dir { write add_name };
-# Default type for mountpoints
-allow $1 poly_t:dir { create mounton };
-
-# Need sys_admin capability for mounting
-allow $1 self:capability sys_admin;
-')dnl end else support_polyinstantiation
-
-')dnl end polyinstantiater
-
-#
-# Domain that is allow to read anonymous data off the network
-# without providing authentication.
-# Also define boolean to allow anonymous writing
-#
-define(`anonymous_domain', `
-r_dir_file($1_t, { public_content_t public_content_rw_t } )
-bool allow_$1_anon_write false;
-if (allow_$1_anon_write) {
-create_dir_file($1_t,public_content_rw_t)
-}
-')
-#
-# Define a domain that can do anything, so that it is
-# effectively unconfined by the SELinux policy. This
-# means that it is only restricted by the normal Linux
-# protections. Note that you may need to add further rules
-# to allow other domains to interact with this domain as expected,
-# since this macro only allows the specified domain to act upon
-# all other domains and types, not vice versa.
-#
-define(`unconfined_domain', `
-
-typeattribute $1 unrestricted;
-typeattribute $1 privuser;
-
-# Mount/unmount any filesystem.
-allow $1 fs_type:filesystem *;
-
-# Mount/unmount any filesystem with the context= option.
-allow $1 file_type:filesystem *;
-
-# Create/access any file in a labeled filesystem;
-allow $1 file_type:{ file chr_file } ~execmod;
-allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-allow $1 sysctl_t:{ dir file } *;
-allow $1 device_type:devfile_class_set *;
-allow $1 mtrr_device_t:file *;
-
-# Create/access other files. fs_type is to pick up various
-# pseudo filesystem types that are applied to both the filesystem
-# and its files.
-allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
-allow $1 proc_fs:{ dir file } *;
-
-# For /proc/pid
-r_dir_file($1,domain)
-# Write access is for setting attributes under /proc/self/attr.
-allow $1 self:file rw_file_perms;
-
-# Read and write sysctls.
-can_sysctl($1)
-
-# Access the network.
-allow $1 node_type:node *;
-allow $1 netif_type:netif *;
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-allow $1 port_type:tcp_socket name_connect;
-
-# Bind to any network address.
-allow $1 port_type:{ rawip_socket tcp_socket udp_socket } name_bind;
-allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
-# Use/sendto/connectto sockets created by any domain.
-allow $1 domain:{ socket_class_set socket key_socket } *;
-
-# Use descriptors and pipes created by any domain.
-allow $1 domain:fd use;
-allow $1 domain:fifo_file rw_file_perms;
-
-# Act upon any other process.
-allow $1 domain:process ~{ transition dyntransition execmem };
-# Transition to myself, to make get_ordered_context_list happy.
-allow $1 self:process transition;
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g.
-# for runtime-code generation or executable stack.
-allow $1 self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1 self:process execstack;
-}
-
-if (allow_execmod) {
-# Allow text relocations on system shared libraries, e.g. libGL.
-ifdef(`targeted_policy', `
-allow $1 file_type:file execmod;
-', `
-allow $1 texrel_shlib_t:file execmod;
-allow $1 home_type:file execmod;
-')
-}
-
-# Create/access any System V IPC objects.
-allow $1 domain:{ sem msgq shm } *;
-allow $1 domain:msg { send receive };
-
-# Access the security API.
-if (!secure_mode_policyload) {
-allow $1 security_t:security *;
-auditallow $1 security_t:security { load_policy setenforce setbool };
-}dnl end if !secure_mode_policyload
-
-# Perform certain system operations that lacked individual capabilities.
-allow $1 kernel_t:system *;
-
-# Use any Linux capability.
-allow $1 self:capability *;
-
-# Set user information and skip authentication.
-allow $1 self:passwd *;
-
-# Communicate via dbusd.
-allow $1 self:dbus *;
-ifdef(`dbusd.te', `
-allow $1 system_dbusd_t:dbus *;
-')
-
-# Get info via nscd.
-allow $1 self:nscd *;
-ifdef(`nscd.te', `
-allow $1 nscd_t:nscd *;
-')
-
-')dnl end unconfined_domain
-
-
-define(`access_removable_media', `
-
-can_exec($1, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1, noexattrfile)
-create_dir_file($1, removable_t)
-# Write floppies
-allow $1 removable_device_t:blk_file rw_file_perms;
-allow $1 usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1, noexattrfile)
-r_dir_file($1, removable_t)
-allow $1 removable_device_t:blk_file r_file_perms;
-}
-allow $1 removable_t:filesystem getattr;
-
-')
-
-define(`authentication_domain', `
-can_ypbind($1)
-can_kerberos($1)
-can_ldap($1)
-can_resolve($1)
-can_winbind($1)
-r_dir_file($1, cert_t)
-allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
-allow $1 self:capability { audit_write audit_control };
-dontaudit $1 shadow_t:file { getattr read };
-allow $1 sbin_t:dir search;
-allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-')
diff --git a/targeted/macros/home_macros.te b/targeted/macros/home_macros.te
deleted file mode 100644
index 033b32f8..00000000
--- a/targeted/macros/home_macros.te
+++ /dev/null
@@ -1,130 +0,0 @@
-# Home macros
-
-################################################
-# network_home(source)
-#
-# Allows source domain to use a network home
-# This includes privileges of create and execute
-# as well as the ability to create sockets and fifo
-
-define(`network_home', `
-allow $1 autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-can_exec($1, nfs_t)
-allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-can_exec($1, cifs_t)
-allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
-}
-') dnl network_home
-
-################################################
-# write_network_home(source)
-#
-# Allows source domain to create directories and
-# files on network file system
-
-define(`write_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl write_network_home
-
-################################################
-# read_network_home(source)
-#
-# Allows source domain to read directories and
-# files on network file system
-
-define(`read_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl read_network_home
-
-##################################################
-# home_domain_ro_access(source, user, app)
-#
-# Gives source access to the read-only home
-# domain of app for the given user type
-
-define(`home_domain_ro_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-read_network_home($1)
-r_dir_file($1, $2_$3_ro_home_t)
-') dnl home_domain_ro_access
-
-#################################################
-# home_domain_access(source, user, app)
-#
-# Gives source full access to the home
-# domain of app for the given user type
-#
-# Requires transition in caller
-
-define(`home_domain_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-write_network_home($1)
-create_dir_file($1, $2_$3_home_t)
-') dnl home_domain_access
-
-####################################################################
-# home_domain (prefix, app)
-#
-# Creates a domain in the prefix home where an application can
-# store its settings. It is accessible by the prefix domain.
-#
-# Requires transition in caller
-
-define(`home_domain', `
-
-# Declare home domain
-type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
-typealias $1_$2_home_t alias $1_$2_rw_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_home_t)
-allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_access($1_$2_t, $1, $2)
-')
-
-####################################################################
-# home_domain_ro (user, app)
-#
-# Creates a read-only domain in the user home where an application can
-# store its settings. It is fully accessible by the user, but
-# it is read-only for the application.
-#
-
-define(`home_domain_ro', `
-
-# Declare home domain
-type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_ro_home_t alias $1_$2_ro_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_ro_home_t)
-allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_ro_access($1_$2_t, $1, $2)
-')
diff --git a/targeted/macros/mini_user_macros.te b/targeted/macros/mini_user_macros.te
deleted file mode 100644
index 9f7d9940..00000000
--- a/targeted/macros/mini_user_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# mini_user_domain(domain_prefix)
-#
-# Define derived types and rules for a minimal privs user domain named
-# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
-#
-undefine(`mini_user_domain')
-define(`mini_user_domain',`
-# user_t/$1_t is an unprivileged users domain.
-type $1_mini_t, domain, user_mini_domain;
-
-# for ~/.bash_profile and other files that the mini domain should be allowed
-# to read (but not write)
-type $1_home_mini_t, file_type, sysadmfile;
-allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
-allow $1_mini_t $1_home_mini_t:file r_file_perms;
-
-# $1_r is authorized for $1_mini_t for the initial login domain.
-role $1_r types $1_mini_t;
-uses_shlib($1_mini_t)
-pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
-
-allow $1_mini_t devtty_t:chr_file rw_file_perms;
-allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
-dontaudit $1_mini_t proc_t:dir { getattr search };
-allow $1_mini_t self:unix_stream_socket create_socket_perms;
-allow $1_mini_t self:fifo_file rw_file_perms;
-allow $1_mini_t self:process { fork sigchld setpgid };
-dontaudit $1_mini_t var_t:dir search;
-allow $1_mini_t { bin_t sbin_t }:dir search;
-
-dontaudit $1_mini_t device_t:dir { getattr read };
-dontaudit $1_mini_t devpts_t:dir { getattr read };
-dontaudit $1_mini_t proc_t:lnk_file read;
-
-can_exec($1_mini_t, bin_t)
-allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
-dontaudit $1_mini_t home_root_t:dir getattr;
-dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
-dontaudit $1_mini_t $1_home_t:file { append getattr read write };
-
-dontaudit $1_mini_t fs_t:filesystem getattr;
-
-type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
-# uncomment this if using mini domains for console logins
-#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
-
-type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
-type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
-
-domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
-')dnl end mini_user_domain definition
-
diff --git a/targeted/macros/network_macros.te b/targeted/macros/network_macros.te
deleted file mode 100644
index 8e8b05a4..00000000
--- a/targeted/macros/network_macros.te
+++ /dev/null
@@ -1,190 +0,0 @@
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`base_can_network',`
-#
-# Allow the domain to create and use $2 sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:$2_socket connected_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { $2_send rawip_send };
-allow $1 node_type:node { $2_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-ifelse($3, `', `
-allow $1 port_type:$2_socket { send_msg recv_msg };
-', `
-allow $1 $3:$2_socket { send_msg recv_msg };
-')
-
-# XXX Allow binding to any node type. Remove once
-# individual rules have been added to all domains that
-# bind sockets.
-allow $1 node_type:$2_socket node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
-# can_network_server_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { listen accept };
-')
-
-#################################
-#
-# can_network_client_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { connect };
-')
-
-#################################
-#
-# can_network_tcp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_tcp',`
-
-can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
-
-')
-
-#################################
-#
-# can_network_udp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_udp',`
-base_can_network($1, udp, `$2')
-allow $1 self:udp_socket { connect };
-')
-
-#################################
-#
-# can_network_server(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server',`
-
-can_network_server_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_server definition
-
-
-#################################
-#
-# can_network_client(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client',`
-
-can_network_client_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_client definition
-
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-
-can_network_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-ifdef(`mount.te', `
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-')
-
-')dnl end can_network definition
-
-define(`can_resolve',`
-can_network_client($1, `dns_port_t')
-allow $1 dns_port_t:tcp_socket name_connect;
-')
-
-define(`can_portmap',`
-can_network_client($1, `portmap_port_t')
-allow $1 portmap_port_t:tcp_socket name_connect;
-')
-
-define(`can_ldap',`
-can_network_client_tcp($1, `ldap_port_t')
-allow $1 ldap_port_t:tcp_socket name_connect;
-')
-
-define(`can_winbind',`
-ifdef(`winbind.te', `
-allow $1 winbind_var_run_t:dir { getattr search };
-allow $1 winbind_t:unix_stream_socket connectto;
-allow $1 winbind_var_run_t:sock_file { getattr read write };
-')
-')
-
-
-#################################
-#
-# nsswitch_domain(domain)
-#
-# Permissions for looking up uid/username mapping via nsswitch
-#
-define(`nsswitch_domain', `
-can_resolve($1)
-can_ypbind($1)
-can_ldap($1)
-can_winbind($1)
-')
diff --git a/targeted/macros/program/apache_macros.te b/targeted/macros/program/apache_macros.te
deleted file mode 100644
index a0d0e5ff..00000000
--- a/targeted/macros/program/apache_macros.te
+++ /dev/null
@@ -1,205 +0,0 @@
-
-define(`apache_domain', `
-
-#This type is for webpages
-#
-type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-
-# This type is used for .htaccess files
-#
-type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-# This type is used for executable scripts files
-#
-type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
-
-# Type that CGI scripts run as
-type httpd_$1_script_t, domain, privmail, nscd_client_domain;
-role system_r types httpd_$1_script_t;
-uses_shlib(httpd_$1_script_t)
-
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
-allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
-
-allow httpd_$1_script_t httpd_t:fd use;
-allow httpd_$1_script_t httpd_t:process sigchld;
-
-allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_$1_script_t usr_t:lnk_file { getattr read };
-
-allow httpd_$1_script_t self:process { fork signal_perms };
-
-allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
-allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
-allow httpd_$1_script_t etc_runtime_t:file { getattr read };
-read_locale(httpd_$1_script_t)
-allow httpd_$1_script_t fs_t:filesystem getattr;
-allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow httpd_$1_script_t { self proc_t }:file r_file_perms;
-allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
-allow httpd_$1_script_t { self proc_t }:lnk_file read;
-
-allow httpd_$1_script_t device_t:dir { getattr search };
-allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
-}
-
-if (httpd_enable_cgi && httpd_can_network_connect) {
-can_network_client(httpd_$1_script_t)
-allow httpd_$1_script_t port_type:tcp_socket name_connect;
-}
-
-ifdef(`ypbind.te', `
-if (httpd_enable_cgi && allow_ypbind) {
-uncond_can_ypbind(httpd_$1_script_t)
-}
-')
-# The following are the only areas that
-# scripts can read, read/write, or append to
-#
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
-
-domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-allow httpd_$1_script_t httpd_t:fifo_file write;
-
-allow httpd_$1_script_t self:fifo_file rw_file_perms;
-
-allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts. So
-# the perl executable will be able to run a perl script
-#########################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms;
-can_exec_any(httpd_$1_script_t)
-
-allow httpd_$1_script_t etc_t:file { getattr read };
-dontaudit httpd_$1_script_t selinux_config_t:dir search;
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
-can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-allow httpd_$1_script_t home_root_t:dir { getattr search };
-allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-
-#############################################################################
-# Allow the scripts to read, read/write, append to the specified directories
-# or files
-############################################################################
-read_fonts(httpd_$1_script_t)
-r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
-allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
-anonymous_domain(httpd_$1_script)
-
-if (httpd_enable_cgi && httpd_unified) {
-create_dir_file(httpd_$1_script_t, httpdcontent)
-can_exec(httpd_$1_script_t, httpdcontent)
-}
-
-#
-# If a user starts a script by hand it gets the proper context
-#
-ifdef(`targeted_policy', `', `
-if (httpd_enable_cgi) {
-domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-')
-role sysadm_r types httpd_$1_script_t;
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search;
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-if (httpd_builtin_scripting) {
-r_dir_file(httpd_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_t, httpd_$1_script_rw_t)
-allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
-}
-
-')
-define(`apache_user_domain', `
-
-apache_domain($1)
-
-typeattribute httpd_$1_content_t $1_file_type;
-
-if (httpd_enable_cgi && httpd_unified) {
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-}
-
-if (httpd_enable_cgi) {
-# If a user starts a script by hand it gets the proper context
-domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-role $1_r types httpd_$1_script_t;
-
-#######################################
-# Allow user to create or edit web content
-#########################################
-
-create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-
-######################################################################
-# Allow the user to create htaccess files
-#####################################################################
-
-allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
-
-#########################################################################
-# Allow user to create files or directories
-# that scripts are able to read, write, or append to
-###########################################################################
-
-create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
-allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
-
-# allow accessing files/dirs below the users home dir
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
-ifdef(`nfs_home_dirs', `
-r_dir_file(httpd_$1_script_t, nfs_t)
-')dnl end if nfs_home_dirs
-}
-ifdef(`crond.te', `
-create_dir_file($1_crond_t, httpd_$1_content_t)
-')
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-create_dir_file(ftpd_t, httpd_$1_content_t)
-}
-')
-
-
-')
diff --git a/targeted/macros/program/bonobo_macros.te b/targeted/macros/program/bonobo_macros.te
deleted file mode 100644
index 4c3fdac5..00000000
--- a/targeted/macros/program/bonobo_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Bonobo
-#
-# Author: Ivan Gyurdiev
-#
-# bonobo_domain(role_prefix) - invoke per role
-# bonobo_client(app_prefix, role_prefix) - invoke per client app
-# bonobo_connect(type1_prefix, type2_prefix) -
-# connect two bonobo clients, the channel is bidirectional
-
-######################
-
-define(`bonobo_domain', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_domain_$1', `', `
-define(`bonobo_domain_$1')
-
-# Type for daemon
-type $1_bonobo_t, domain, nscd_client_domain;
-
-# Transition from caller
-domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
-role $1_r types $1_bonobo_t;
-
-# Shared libraries, gconv-modules
-uses_shlib($1_bonobo_t)
-allow $1_bonobo_t lib_t:file r_file_perms;
-
-read_locale($1_bonobo_t)
-read_sysctl($1_bonobo_t)
-
-# Session management
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1_bonobo, $1)
-
-# nsswitch.conf
-allow $1_bonobo_t etc_t:file { read getattr };
-
-# Fork to start apps
-allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
-allow $1_bonobo_t self:fifo_file rw_file_perms;
-
-# ???
-allow $1_bonobo_t root_t:dir search;
-allow $1_bonobo_t home_root_t:dir search;
-allow $1_bonobo_t $1_home_dir_t:dir search;
-
-# libexec ???
-allow $1_bonobo_t bin_t:dir search;
-
-# ORBit sockets for bonobo
-orbit_domain($1_bonobo, $1)
-
-# Bonobo can launch evolution
-ifdef(`evolution.te', `
-domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
-domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-')
-
-# Bonobo can launch GNOME vfs daemon
-ifdef(`gnome_vfs.te', `
-domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-')
-
-# Transition to ROLE_t on bin_t apps
-# FIXME: The goal is to get rid of this rule, as it
-# defeats the purpose of a separate domain. It is only
-# here temporarily, since bonobo runs as ROLE_t by default anyway
-domain_auto_trans($1_bonobo_t, bin_t, $1_t)
-
-can_pipe_xdm($1_bonobo_t)
-
-') dnl ifdef bonobo_domain_args
-') dnl bonobo_domain
-
-#####################
-
-define(`bonobo_client', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_client_$1_$2', `', `
-define(`bonobo_client_$1_$2')
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd, $1)
-
-# Create ORBit sockets
-orbit_domain($1, $2)
-
-# Connect to bonobo
-orbit_connect($1, $2_bonobo)
-orbit_connect($2_bonobo, $1)
-
-# Lock /tmp/bonobo-activation-register.lock
-# Stat /tmp/bonobo-activation-server.ior
-# FIXME: this should probably be of type $2_bonobo..
-# Note that this is file, not sock_file
-allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
-
-domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
-
-') dnl ifdef bonobo_client_args
-') dnl bonobo_client
-
-#####################
-
-define(`bonobo_connect', `
-
-# FIXME: Should there be a macro for unidirectional conn. ?
-
-orbit_connect($1, $2)
-orbit_connect($2, $1)
-
-') dnl bonobo_connect
diff --git a/targeted/macros/program/cdrecord_macros.te b/targeted/macros/program/cdrecord_macros.te
deleted file mode 100644
index 72d3f4fd..00000000
--- a/targeted/macros/program/cdrecord_macros.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# macros for the cdrecord domain
-# Author: Thomas Bleher
-
-define(`cdrecord_domain', `
-type $1_cdrecord_t, domain, privlog;
-
-domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_cdrecord_t;
-
-uses_shlib($1_cdrecord_t)
-read_locale($1_cdrecord_t)
-
-# allow ps to show cdrecord and allow the user to kill it
-can_ps($1_t, $1_cdrecord_t)
-allow $1_t $1_cdrecord_t:process signal;
-
-# write to the user domain tty.
-access_terminal($1_cdrecord_t, $1)
-allow $1_cdrecord_t privfd:fd use;
-
-allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
-
-allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-can_resmgrd_connect($1_cdrecord_t)
-
-read_content($1_cdrecord_t, $1, cdrecord)
-
-allow $1_cdrecord_t etc_t:file { getattr read };
-
-# allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir r_dir_perms;
-allow $1_cdrecord_t device_t:lnk_file { getattr read };
-
-# allow cdrecord to write the CD
-allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
-allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
-
-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-can_access_pty($1_cdrecord_t, $1)
-allow $1_cdrecord_t $1_home_t:dir search;
-allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
-allow $1_cdrecord_t $1_home_t:file r_file_perms;
-if (use_nfs_home_dirs) {
-allow $1_cdrecord_t mnt_t:dir search;
-r_dir_file($1_cdrecord_t, nfs_t)
-}
-')
-
diff --git a/targeted/macros/program/chkpwd_macros.te b/targeted/macros/program/chkpwd_macros.te
deleted file mode 100644
index 62d8b44b..00000000
--- a/targeted/macros/program/chkpwd_macros.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# Macros for chkpwd domains.
-#
-
-#
-# chkpwd_domain(domain_prefix)
-#
-# Define a derived domain for the *_chkpwd program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te.
-#
-undefine(`chkpwd_domain')
-ifdef(`chkpwd.te', `
-define(`chkpwd_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
-
-role $1_r types $1_chkpwd_t;
-
-# is_selinux_enabled
-allow $1_chkpwd_t proc_t:file read;
-
-can_getcon($1_chkpwd_t)
-authentication_domain($1_chkpwd_t)
-
-ifelse($1, system, `
-domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-authentication_domain(auth_chkpwd)
-', `
-domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
-
-# Write to the user domain tty.
-access_terminal($1_chkpwd_t, $1)
-
-allow $1_chkpwd_t privfd:fd use;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
-')
-
-uses_shlib($1_chkpwd_t)
-allow $1_chkpwd_t etc_t:file { getattr read };
-allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
-allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-read_locale($1_chkpwd_t)
-
-# Use capabilities.
-allow $1_chkpwd_t self:capability setuid;
-r_dir_file($1_chkpwd_t, selinux_config_t)
-
-# for nscd
-ifdef(`nscd.te', `', `
-dontaudit $1_chkpwd_t var_t:dir search;
-')
-
-dontaudit $1_chkpwd_t fs_t:filesystem getattr;
-')
-
-', `
-
-define(`chkpwd_domain',`')
-
-')
diff --git a/targeted/macros/program/chroot_macros.te b/targeted/macros/program/chroot_macros.te
deleted file mode 100644
index 47ca86ba..00000000
--- a/targeted/macros/program/chroot_macros.te
+++ /dev/null
@@ -1,131 +0,0 @@
-
-# macro for chroot environments
-# Author Russell Coker
-
-# chroot(initial_domain, basename, role, tty_device_type)
-define(`chroot', `
-
-ifelse(`$1', `initrc', `
-define(`chroot_role', `system_r')
-define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
-define(`chroot_mount_domain', `mount_t')
-define(`chroot_fd_use', `{ privfd init_t }')
-', `
-define(`chroot_role', `$1_r')
-define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
-define(`chroot_fd_use', `privfd')
-
-# allow mounting /proc and /dev
-ifdef(`$1_mount_def', `', `
-mount_domain($1, $1_mount)
-role chroot_role types $1_mount_t;
-')
-define(`chroot_mount_domain', `$1_mount_t')
-ifdef(`ssh.te', `
-can_tcp_connect($1_ssh_t, $2_t)
-')dnl end ssh
-')dnl end ifelse initrc
-
-# types for read-only and read-write files in the chroot
-type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
-type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
-# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
-# when you execute it
-type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
-
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
-
-# entry point for $2_super_t
-type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
-# $2_t is the base domain, has full access to $2_rw_t files
-type $2_t, domain;
-# $2_super_t is the super-chroot domain, can also write to $2_ro_t
-# but still can not access outside the chroot
-type $2_super_t, domain;
-allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
-
-ifdef(`$1_chroot_def', `', `
-dnl can not have this defined twice
-define(`$1_chroot_def')
-
-allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
-
-# $1_chroot_t is the domain for /usr/sbin/chroot
-type $1_chroot_t, domain;
-
-# allow $1_chroot_t to write to the tty device
-allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
-allow $1_chroot_t chroot_fd_use:fd use;
-allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
-
-role chroot_role types $1_chroot_t;
-uses_shlib($1_chroot_t)
-allow $1_chroot_t self:capability sys_chroot;
-allow $1_t $1_chroot_t:dir { search getattr read };
-allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
-domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
-allow $1_chroot_t fs_t:filesystem getattr;
-')dnl End conditional
-
-role chroot_role types { $2_t $2_super_t };
-
-# allow ps to show processes and allow killing them
-allow $1_t { $2_super_t $2_t }:dir { search getattr read };
-allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
-allow $1_t { $2_super_t $2_t }:process signal_perms;
-allow $2_super_t $2_t:dir { search getattr read };
-allow $2_super_t $2_t:{ file lnk_file } { read getattr };
-allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
-allow $1_t $2_super_t:process { signal_perms ptrace };
-allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
-
-allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
-allow { $2_super_t $2_t } device_t:dir { search getattr };
-allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
-allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
-allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
-allow $2_super_t self:capability sys_ptrace;
-
-can_tcp_connect($2_super_t, $2_t)
-allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
-
-# quiet ps and killall
-dontaudit { $2_super_t $2_t } domain:dir { search getattr };
-
-# allow $2_t to write to the owner tty device (should remove this)
-allow $2_t chroot_tty_device:chr_file { read write };
-
-r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
-create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-# $2_super_t transitions to $2_t when it executes
-# any file that $2_t can write
-domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
-allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
-r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
-create_dir_notdevfile($2_t, $2_rw_t)
-allow $2_t $2_rw_t:fifo_file create_file_perms;
-allow $2_t $2_ro_t:fifo_file rw_file_perms;
-allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
-create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($1_t, { $2_ro_t $2_dropdown_t })
-domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
-domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
-allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
-general_proc_read_access({ $2_t $2_super_t })
-general_domain_access({ $2_t $2_super_t })
-can_create_pty($2)
-can_create_pty($2_super)
-can_network({ $2_t $2_super_t })
-allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
-allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
-allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
-allow { $2_t $2_super_t } self:capability { dac_override kill };
-
-undefine(`chroot_role')
-undefine(`chroot_tty_device')
-undefine(`chroot_mount_domain')
-undefine(`chroot_fd_use')
-')
diff --git a/targeted/macros/program/clamav_macros.te b/targeted/macros/program/clamav_macros.te
deleted file mode 100644
index bc159304..00000000
--- a/targeted/macros/program/clamav_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for clamscan
-#
-# Author: Brian May
-#
-
-#
-# can_clamd_connect(domain_prefix)
-#
-# Define a domain that can access clamd
-#
-define(`can_clamd_connect',`
-allow $1_t clamd_var_run_t:dir search;
-allow $1_t clamd_var_run_t:sock_file write;
-allow $1_t clamd_sock_t:sock_file write;
-can_unix_connect($1_t, clamd_t)
-')
-
-# clamscan_domain(domain_prefix)
-#
-# Define a derived domain for the clamscan program when executed
-#
-define(`clamscan_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_clamscan_t, domain, privlog;
-
-# Uses shared librarys
-uses_shlib($1_clamscan_t)
-allow $1_clamscan_t fs_t:filesystem getattr;
-r_dir_file($1_clamscan_t, etc_t)
-read_locale($1_clamscan_t)
-
-# Access virus signatures
-allow $1_clamscan_t var_lib_t:dir search;
-r_dir_file($1_clamscan_t, clamav_var_lib_t)
-
-# Allow temp files
-tmp_domain($1_clamscan)
-
-# Why is this required?
-allow $1_clamscan_t proc_t:dir r_dir_perms;
-allow $1_clamscan_t proc_t:file r_file_perms;
-read_sysctl($1_clamscan_t)
-allow $1_clamscan_t self:unix_stream_socket { connect create read write };
-')
-
-define(`user_clamscan_domain',`
-clamscan_domain($1)
-role $1_r types $1_clamscan_t;
-domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
-access_terminal($1_clamscan_t, $1)
-r_dir_file($1_clamscan_t,$1_home_t);
-r_dir_file($1_clamscan_t,$1_home_dir_t);
-allow $1_clamscan_t $1_home_t:file r_file_perms;
-allow $1_clamscan_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;')
-')
-
diff --git a/targeted/macros/program/crond_macros.te b/targeted/macros/program/crond_macros.te
deleted file mode 100644
index 5e61d7d1..00000000
--- a/targeted/macros/program/crond_macros.te
+++ /dev/null
@@ -1,126 +0,0 @@
-#
-# Macros for crond domains.
-#
-
-#
-# Authors: Jonathan Crowley (MITRE) ,
-# Stephen Smalley and Timothy Fraser
-# Russell Coker
-#
-
-#
-# crond_domain(domain_prefix)
-#
-# Define a derived domain for cron jobs executed by crond on behalf
-# of a user domain. These domains are separate from the top-level domain
-# defined for the crond daemon and the domain defined for system cron jobs,
-# which are specified in domains/program/crond.te.
-#
-undefine(`crond_domain')
-define(`crond_domain',`
-# Derived domain for user cron jobs, user user_crond_domain if not system
-ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
-', `
-type $1_crond_t, domain, user_crond_domain;
-
-# Access user files and dirs.
-allow $1_crond_t home_root_t:dir search;
-file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
-
-# Run scripts in user home directory and access shared libs.
-can_exec($1_crond_t, $1_home_t)
-
-file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
-')
-r_dir_file($1_crond_t, selinux_config_t)
-
-# Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile;
-
-ifdef(`fcron.te', `
-allow crond_t $1_cron_spool_t:file create_file_perms;
-')
-
-allow $1_crond_t urandom_device_t:chr_file { getattr read };
-
-allow $1_crond_t usr_t:file { getattr ioctl read };
-allow $1_crond_t usr_t:lnk_file read;
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond
-# via execve_secure. There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, $1_crond_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
-
-# $1_mail_t should only be reading from the cron fifo not needing to write
-dontaudit $1_mail_t crond_t:fifo_file write;
-allow mta_user_agent $1_crond_t:fd use;
-')
-
-# The user role is authorized for this domain.
-role $1_r types $1_crond_t;
-
-# This domain is granted permissions common to most domains.
-can_network($1_crond_t)
-allow $1_crond_t port_type:tcp_socket name_connect;
-can_ypbind($1_crond_t)
-r_dir_file($1_crond_t, self)
-allow $1_crond_t self:fifo_file rw_file_perms;
-allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-allow $1_crond_t etc_runtime_t:file { getattr read };
-allow $1_crond_t self:process { fork signal_perms setsched };
-allow $1_crond_t proc_t:dir r_dir_perms;
-allow $1_crond_t proc_t:file { getattr read ioctl };
-read_locale($1_crond_t)
-read_sysctl($1_crond_t)
-allow $1_crond_t var_spool_t:dir search;
-allow $1_crond_t fs_type:filesystem getattr;
-
-allow $1_crond_t devtty_t:chr_file { read write };
-allow $1_crond_t var_t:dir r_dir_perms;
-allow $1_crond_t var_t:file { getattr read ioctl };
-allow $1_crond_t var_log_t:dir search;
-
-# Use capabilities.
-allow $1_crond_t self:capability dac_override;
-
-# Inherit and use descriptors from initrc - I think this is wrong
-#allow $1_crond_t initrc_t:fd use;
-
-#
-# Since crontab files are not directly executed,
-# crond must ensure that the crontab file has
-# a type that is appropriate for the domain of
-# the user cron job. It performs an entrypoint
-# permission check for this purpose.
-#
-allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
-# Run helper programs.
-can_exec_any($1_crond_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit $1_crond_t boot_t:dir search;
-# quiet other ps operations
-dontaudit $1_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit $1_crond_t var_run_t:dir search;
-')
-
-# When system_crond_t domain executes a type $1 executable then transition to
-# domain $2, allow $2 to interact with crond_t as well.
-define(`system_crond_entry', `
-ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, $1, $2)
-allow $2 crond_t:fifo_file { getattr read write ioctl };
-# a rule for privfd may make this obsolete
-allow $2 crond_t:fd use;
-allow $2 crond_t:process sigchld;
-')dnl end ifdef
-')dnl end system_crond_entry
diff --git a/targeted/macros/program/crontab_macros.te b/targeted/macros/program/crontab_macros.te
deleted file mode 100644
index a18d80f4..00000000
--- a/targeted/macros/program/crontab_macros.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# Macros for crontab domains.
-#
-
-#
-# Authors: Jonathan Crowley (MITRE)
-# Revised by Stephen Smalley
-#
-
-#
-# crontab_domain(domain_prefix)
-#
-# Define a derived domain for the crontab program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/crontab.te.
-#
-undefine(`crontab_domain')
-define(`crontab_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_crontab_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
-
-can_ps($1_t, $1_crontab_t)
-
-# for ^Z
-allow $1_t $1_crontab_t:process signal;
-
-# The user role is authorized for this domain.
-role $1_r types $1_crontab_t;
-
-uses_shlib($1_crontab_t)
-allow $1_crontab_t etc_t:file { getattr read };
-allow $1_crontab_t self:unix_stream_socket create_socket_perms;
-allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
-read_locale($1_crontab_t)
-
-# Use capabilities dac_override is to create the file in the directory
-# under /tmp
-allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-
-# Type for temporary files.
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
-
-# Use the type when creating files in /var/spool/cron.
-allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
-allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
-file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
-allow $1_crontab_t self:process { fork signal_perms };
-ifdef(`fcron.te', `
-# fcron wants an instant update of a crontab change for the administrator
-# also crontab does a security check for crontab -u
-ifelse(`$1', `sysadm', `
-allow $1_crontab_t crond_t:process signal;
-can_setfscreate($1_crontab_t)
-', `
-dontaudit $1_crontab_t crond_t:process signal;
-')dnl end ifelse
-')dnl end ifdef fcron
-
-# for the checks used by crontab -u
-dontaudit $1_crontab_t security_t:dir search;
-allow $1_crontab_t proc_t:dir search;
-allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
-allow $1_crontab_t selinux_config_t:dir search;
-allow $1_crontab_t selinux_config_t:file { getattr read };
-dontaudit $1_crontab_t self:dir search;
-
-# crontab signals crond by updating the mtime on the spooldir
-allow $1_crontab_t cron_spool_t:dir setattr;
-# Allow crond to read those crontabs in cron spool.
-allow crond_t $1_cron_spool_t:file r_file_perms;
-
-# Run helper programs as $1_t
-allow $1_crontab_t { bin_t sbin_t }:dir search;
-allow $1_crontab_t bin_t:lnk_file read;
-domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
-
-# Read user crontabs
-allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
-allow $1_crontab_t $1_home_t:file r_file_perms;
-dontaudit $1_crontab_t $1_home_dir_t:dir write;
-
-# Access the cron log file.
-allow $1_crontab_t crond_log_t:file r_file_perms;
-allow $1_crontab_t crond_log_t:file append;
-
-# Access terminals.
-allow $1_crontab_t device_t:dir search;
-access_terminal($1_crontab_t, $1);
-
-allow $1_crontab_t fs_t:filesystem getattr;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
-allow $1_crontab_t privfd:fd use;
-
-dontaudit $1_crontab_t var_run_t:dir search;
-')
diff --git a/targeted/macros/program/daemontools_macros.te b/targeted/macros/program/daemontools_macros.te
deleted file mode 100644
index 94c4f8e7..00000000
--- a/targeted/macros/program/daemontools_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-ifdef(`daemontools.te', `
-
-define(`svc_ipc_domain',`
-allow $1 svc_start_t:process sigchld;
-allow $1 svc_start_t:fd use;
-allow $1 svc_start_t:fifo_file { read write getattr };
-allow svc_start_t $1:process signal;
-')
-
-') dnl ifdef daemontools
-
diff --git a/targeted/macros/program/dbusd_macros.te b/targeted/macros/program/dbusd_macros.te
deleted file mode 100644
index 2e542a0a..00000000
--- a/targeted/macros/program/dbusd_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for Dbus
-#
-# Author: Colin Walters
-
-# dbusd_domain(domain_prefix)
-#
-# Define a derived domain for the DBus daemon.
-
-define(`dbusd_domain', `
-ifelse(`system', `$1',`
-daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
-# For backwards compatibility
-typealias system_dbusd_t alias dbusd_t;
-type etc_dbusd_t, file_type, sysadmfile;
-',`
-type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
-role $1_r types $1_dbusd_t;
-domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
-read_locale($1_dbusd_t)
-allow $1_t $1_dbusd_t:process { sigkill signal };
-allow $1_dbusd_t self:process { sigkill signal };
-dontaudit $1_dbusd_t var_t:dir { getattr search };
-')dnl end ifelse system
-
-base_file_read_access($1_dbusd_t)
-uses_shlib($1_dbusd_t)
-allow $1_dbusd_t etc_t:file { getattr read };
-r_dir_file($1_dbusd_t, etc_dbusd_t)
-tmp_domain($1_dbusd)
-allow $1_dbusd_t self:process fork;
-can_pipe_xdm($1_dbusd_t)
-
-allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read write };
-allow $1_dbusd_t proc_t:file read;
-
-can_getsecurity($1_dbusd_t)
-r_dir_file($1_dbusd_t, default_context_t)
-allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file($1_dbusd_t, pam_var_console_t)
-')
-
-allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-
-')dnl end dbusd_domain definition
-
-# dbusd_client(dbus_type, domain_prefix)
-# Example: dbusd_client_domain(system, user)
-#
-# Define a new derived domain for connecting to dbus_type
-# from domain_prefix_t.
-undefine(`dbusd_client')
-define(`dbusd_client',`
-
-ifdef(`dbusd.te',`
-# Derived type used for connection
-type $2_dbusd_$1_t;
-type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
-
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-
-# For connecting to the bus
-allow $2_t $1_dbusd_t:unix_stream_socket connectto;
-
-ifelse(`system', `$1', `
-allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`') dnl endif system
-') dnl endif dbusd.te
-')
-
-# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
-# Example: can_dbusd_converse(system, hald, updfstab)
-# Example: can_dbusd_converse(session, user, user)
-define(`can_dbusd_converse',`')
-ifdef(`dbusd.te',`
-undefine(`can_dbusd_converse')
-define(`can_dbusd_converse',`
-allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
-allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
-') dnl endif dbusd.te
-')
diff --git a/targeted/macros/program/ethereal_macros.te b/targeted/macros/program/ethereal_macros.te
deleted file mode 100644
index 36f1a966..00000000
--- a/targeted/macros/program/ethereal_macros.te
+++ /dev/null
@@ -1,82 +0,0 @@
-# DESC - Ethereal
-#
-# Author: Ivan Gyurdiev
-#
-
-#############################################################
-# ethereal_networking(app_prefix) -
-# restricted ethereal rules (sysadm only)
-#
-
-define(`ethereal_networking', `
-
-# Create various types of sockets
-allow $1_t self:netlink_route_socket create_netlink_socket_perms;
-allow $1_t self:udp_socket create_socket_perms;
-allow $1_t self:packet_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:tcp_socket create_socket_perms;
-
-allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };
-
-# Resolve names via DNS
-can_resolve($1_t)
-
-') dnl ethereal_networking
-
-########################################################
-# Ethereal (GNOME)
-#
-
-define(`ethereal_domain', `
-
-# Type for program
-type $1_ethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
-role $1_r types $1_ethereal_t;
-
-# Manual transition from userhelper
-ifdef(`userhelper.te', `
-allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
-allow $1_ethereal_t userhelperdomain:fd use;
-allow $1_ethereal_t userhelperdomain:process sigchld;
-') dnl userhelper
-
-# X, GNOME
-x_client_domain($1_ethereal, $1)
-gnome_application($1_ethereal, $1)
-gnome_file_dialog($1_ethereal, $1)
-
-# Why does it write this?
-ifdef(`snmpd.te', `
-dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-')
-
-# /home/.ethereal
-home_domain($1, ethereal)
-file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
-
-# Enable restricted networking rules for sysadm - this is shared w/ tethereal
-ifelse($1, `sysadm', `
-ethereal_networking($1_ethereal)
-
-# Ethereal tries to write to user terminal
-dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
-dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
-', `')
-
-# Store temporary files
-tmp_domain($1_ethereal)
-
-# Re-execute itself (why?)
-can_exec($1_ethereal_t, ethereal_exec_t)
-allow $1_ethereal_t sbin_t:dir search;
-
-# Supress .local denials until properly implemented
-dontaudit $1_ethereal_t $1_home_t:dir search;
-
-# FIXME: policy is incomplete
-
-') dnl ethereal_domain
diff --git a/targeted/macros/program/evolution_macros.te b/targeted/macros/program/evolution_macros.te
deleted file mode 100644
index 37fc0879..00000000
--- a/targeted/macros/program/evolution_macros.te
+++ /dev/null
@@ -1,234 +0,0 @@ -# -# Evolution -# -# Author: Ivan Gyurdiev -# - -################################################ -# evolution_common(app_prefix,role_prefix) -# -define(`evolution_common', ` - -# Gnome common stuff -gnome_application($1, $2) - -# Stat root -allow $1_t root_t:dir search; - -# Access null device -allow $1_t null_device_t:chr_file rw_file_perms; - -# FIXME: suppress access to .local/.icons/.themes until properly implemented -dontaudit $1_t $2_home_t:dir r_dir_perms; - -# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) -# until properly implemented -dontaudit $1_t $2_home_t:file r_file_perms; - -') dnl evolution_common - -####################################### -# evolution_data_server(role_prefix) -# - -define(`evolution_data_server', ` - -# Type for daemon -type $1_evolution_server_t, domain, nscd_client_domain; - -# Transition from user type -if (! disable_evolution_trans) { -domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t) -} -role $1_r types $1_evolution_server_t; - -# Evolution common stuff -evolution_common($1_evolution_server, $1) - -# Access evolution home -home_domain_access($1_evolution_server_t, $1, evolution) - -# Talks to exchange -bonobo_connect($1_evolution_server, $1_evolution_exchange) - -can_exec($1_evolution_server_t, shell_exec_t) - -# Obtain weather data via http (read server name from xml file in /usr) -allow $1_evolution_server_t usr_t:file r_file_perms; -can_resolve($1_evolution_server_t) -can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } ) -allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect; - -# Talk to ldap (address book) -can_network_client_tcp($1_evolution_server_t, ldap_port_t) -allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect; - -# Look in /etc/pki -r_dir_file($1_evolution_server_t, cert_t) - -') dnl evolution_data_server - -####################################### -# 
evolution_webcal(role_prefix) -# - -define(`evolution_webcal', ` - -# Type for program -type $1_evolution_webcal_t, domain, nscd_client_domain; - -# Transition from user type -domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t) -role $1_r types $1_evolution_webcal_t; - -# X/evolution common stuff -x_client_domain($1_evolution_webcal, $1) -evolution_common($1_evolution_webcal, $1) - -# Search home directory (?) -allow $1_evolution_webcal_t $1_home_dir_t:dir search; - -# Networking capability - connect to website and handle ics link -# FIXME: is this necessary ? -can_resolve($1_evolution_webcal_t); -can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } ) -allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect; - -') dnl evolution_webcal - -####################################### -# evolution_alarm(role_prefix) -# -define(`evolution_alarm', ` - -# Type for program -type $1_evolution_alarm_t, domain, nscd_client_domain; - -# Transition from user type -domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t) -role $1_r types $1_evolution_alarm_t; - -# Common evolution stuff, X -evolution_common($1_evolution_alarm, $1) -x_client_domain($1_evolution_alarm, $1) - -# Connect to exchange, e-d-s -bonobo_connect($1_evolution_alarm, $1_evolution_server) -bonobo_connect($1_evolution_alarm, $1_evolution_exchange) - -# Access evolution home -home_domain_access($1_evolution_alarm_t, $1, evolution) - -') dnl evolution_alarm - -######################################## -# evolution_exchange(role_prefix) -# -define(`evolution_exchange', ` - -# Type for program -type $1_evolution_exchange_t, domain, nscd_client_domain; - -# Transition from user type -domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t) -role $1_r types $1_evolution_exchange_t; - -# Common evolution stuff, X -evolution_common($1_evolution_exchange, $1) -x_client_domain($1_evolution_exchange, $1) - -# Access 
evolution home -home_domain_access($1_evolution_exchange_t, $1, evolution) - -# /tmp/.exchange-$USER -tmp_domain($1_evolution_exchange) - -# Allow netstat -allow $1_evolution_exchange_t bin_t:dir search; -can_exec($1_evolution_exchange_t, bin_t) -r_dir_file($1_evolution_exchange_t, proc_net_t) -allow $1_evolution_exchange_t sysctl_net_t:dir search; -allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms; - -# Clock applet talks to exchange (FIXME: Needs policy) -bonobo_connect($1, $1_evolution_exchange) - -# FIXME: policy incomplete - -') dnl evolution_exchange - -####################################### -# evolution_domain(role_prefix) -# - -define(`evolution_domain', ` - -# Type for program -type $1_evolution_t, domain, nscd_client_domain, privlog; - -# Transition from user type -domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t) -role $1_r types $1_evolution_t; - -# X, mail, evolution common stuff -x_client_domain($1_evolution, $1) -mail_client_domain($1_evolution, $1) -gnome_file_dialog($1_evolution, $1) -evolution_common($1_evolution, $1) - -# Connect to e-d-s, exchange, alarm -bonobo_connect($1_evolution, $1_evolution_server) -bonobo_connect($1_evolution, $1_evolution_exchange) -bonobo_connect($1_evolution, $1_evolution_alarm) - -# Access .evolution -home_domain($1, evolution) - -# Store passwords in .gnome2_private -gnome_private_store($1_evolution, $1) - -# Run various programs -allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms; -allow $1_evolution_t { self bin_t }:lnk_file r_file_perms; - -### Junk mail filtering (start spamd) -ifdef(`spamd.te', ` -# Start the spam daemon -domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t) -role $1_r types spamd_t; - -# Write pid file and socket in ~/.evolution/cache/tmp -file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file }) - -# Allow evolution to signal the daemon -# FIXME: Now evolution can read spamd temp files -allow $1_evolution_t 
spamd_tmp_t:file r_file_perms; -allow $1_evolution_t spamd_t:process signal; -dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr; -') dnl spamd.te - -### Junk mail filtering (start spamc) -ifdef(`spamc.te', ` -domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t) - -# Allow connection to spamd socket above -allow $1_spamc_t $1_evolution_home_t:dir search; -') dnl spamc.te - -### Junk mail filtering (start spamassassin) -ifdef(`spamassassin.te', ` -domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t) -') dnl spamassasin.te - -') dnl evolution_domain - -################################# -# evolution_domains(role_prefix) - -define(`evolution_domains', ` -evolution_domain($1) -evolution_data_server($1) -evolution_webcal($1) -evolution_alarm($1) -evolution_exchange($1) -') dnl end evolution_domains diff --git a/targeted/macros/program/fingerd_macros.te b/targeted/macros/program/fingerd_macros.te deleted file mode 100644 index fd56ca7f..00000000 --- a/targeted/macros/program/fingerd_macros.te +++ /dev/null @@ -1,15 +0,0 @@ -# -# Macro for fingerd -# -# Author: Russell Coker -# - -# -# fingerd_macro(domain_prefix) -# -# allow fingerd to create a fingerlog file in the user home dir -# -define(`fingerd_macro', ` -type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type; -file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t) -') diff --git a/targeted/macros/program/fontconfig_macros.te b/targeted/macros/program/fontconfig_macros.te deleted file mode 100644 index 7f4a56d3..00000000 --- a/targeted/macros/program/fontconfig_macros.te +++ /dev/null 
@@ -1,52 +0,0 @@ -# -# Fontconfig related types -# -# Author: Ivan Gyurdiev -# -# fontconfig_domain(role_prefix) - create fontconfig domain -# -# read_fonts(domain, role_prefix) - -# allow domain to read fonts, optionally per/user -# - -define(`fontconfig_domain', ` - -type $1_fonts_t, file_type, $1_file_type, sysadmfile; -type $1_fonts_config_t, file_type, $1_file_type, sysadmfile; -type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile; - -create_dir_file($1_t, $1_fonts_t) -allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom }; - -create_dir_file($1_t, $1_fonts_config_t) -allow $1_t $1_fonts_config_t:file { relabelto relabelfrom }; - -# For startup relabel -allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; - -') dnl fontconfig_domain - -#################### - -define(`read_fonts', ` - -# Read global fonts and font config -r_dir_file($1, fonts_t) -r_dir_file($1, etc_t) - -ifelse(`$2', `', `', ` - -# Manipulate the global font cache -create_dir_file($1, $2_fonts_cache_t) - -# Read per user fonts and font config -r_dir_file($1, $2_fonts_t) -r_dir_file($1, $2_fonts_config_t) - -# There are some fonts in .gnome2 -ifdef(`gnome.te', ` -allow $1 $2_gnome_settings_t:dir { getattr search }; -') - -') dnl ifelse -') dnl read_fonts diff --git a/targeted/macros/program/games_domain.te b/targeted/macros/program/games_domain.te deleted file mode 100644 index d4c1d053..00000000 --- a/targeted/macros/program/games_domain.te +++ /dev/null 
@@ -1,89 +0,0 @@ -#DESC games -# -# Macros for games -# -# -# Authors: Dan Walsh -# -# -# games_domain(domain_prefix) -# -# -define(`games_domain', ` - -type $1_games_t, domain, nscd_client_domain; - -# Type transition -if (! disable_games_trans) { -domain_auto_trans($1_t, games_exec_t, $1_games_t) -} -can_exec($1_games_t, games_exec_t) -role $1_r types $1_games_t; - -can_create_pty($1_games) - -# X access, GNOME, /tmp files -x_client_domain($1_games, $1) -tmp_domain($1_games, `', { dir notdevfile_class_set }) -gnome_application($1_games, $1) -gnome_file_dialog($1_games, $1) - -# Games seem to need this -if (allow_execmem) { -allow $1_games_t self:process execmem; -} - -allow $1_games_t texrel_shlib_t:file execmod; -allow $1_games_t var_t:dir { search getattr }; -rw_dir_create_file($1_games_t, games_data_t) -allow $1_games_t sound_device_t:chr_file rw_file_perms; -can_udp_send($1_games_t, $1_games_t) -can_tcp_connect($1_games_t, $1_games_t) - -# Access /home/user/.gnome2 -# FIXME: Change to use per app types -create_dir_file($1_games_t, $1_gnome_settings_t) - -# FIXME: why is this necessary - ORBit? 
-# ORBit works differently now -create_dir_file($1_games_t, $1_tmp_t) -allow $1_games_t $1_tmp_t:sock_file create_file_perms; -can_unix_connect($1_t, $1_games_t) -can_unix_connect($1_games_t, $1_t) - -ifdef(`xdm.te', ` -allow $1_games_t xdm_tmp_t:dir rw_dir_perms; -allow $1_games_t xdm_tmp_t:sock_file create_file_perms; -allow $1_games_t xdm_var_lib_t:file { getattr read }; -')dnl end if xdm.te - -allow $1_games_t var_lib_t:dir search; -r_dir_file($1_games_t, man_t) -allow $1_games_t { proc_t self }:dir search; -allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr }; -ifdef(`mozilla.te', ` -dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto; -') -allow $1_games_t event_device_t:chr_file getattr; -allow $1_games_t mouse_device_t:chr_file getattr; - -allow $1_games_t self:file { getattr read }; -allow $1_games_t self:sem create_sem_perms; - -allow $1_games_t { bin_t sbin_t }:dir { getattr search }; -can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t }) -allow $1_games_t bin_t:lnk_file read; - -dontaudit $1_games_t var_run_t:dir search; -dontaudit $1_games_t initrc_var_run_t:file { read write }; -dontaudit $1_games_t var_log_t:dir search; - -can_network($1_games_t) -allow $1_games_t port_t:tcp_socket name_bind; -allow $1_games_t port_t:tcp_socket name_connect; - -# Suppress .icons denial until properly implemented -dontaudit $1_games_t $1_home_t:dir read; - -')dnl end macro definition - diff --git a/targeted/macros/program/gconf_macros.te b/targeted/macros/program/gconf_macros.te deleted file mode 100644 index 6f97ca33..00000000 --- a/targeted/macros/program/gconf_macros.te +++ /dev/null 
@@ -1,57 +0,0 @@ -# -# GConfd daemon -# -# Author: Ivan Gyurdiev -# - -####################################### -# gconfd_domain(role_prefix) -# - -define(`gconfd_domain', ` - -# Type for daemon -type $1_gconfd_t, domain, nscd_client_domain, privlog; - -gnome_application($1_gconfd, $1) - -# Transition from user type -domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t) -role $1_r types $1_gconfd_t; - -allow $1_gconfd_t self:process { signal getsched }; - -# Access .gconfd and .gconf -home_domain($1, gconfd) -file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir) - -# Access /etc/gconf -r_dir_file($1_gconfd_t, gconf_etc_t) - -# /tmp/gconfd-USER -tmp_domain($1_gconfd) - -can_pipe_xdm($1_gconfd_t) -ifdef(`xdm.te', ` -allow xdm_t $1_gconfd_t:process signal; -') - -') dnl gconf_domain - -##################################### -# gconf_client(prefix, role_prefix) -# - -define(`gconf_client', ` - -# Launch the daemon if necessary -domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t) - -# Connect over bonobo -bonobo_connect($1, $2_gconfd) - -# Read lock/ior -allow $1_t $2_gconfd_tmp_t:dir { getattr search }; -allow $1_t $2_gconfd_tmp_t:file { getattr read }; - -') dnl gconf_client diff --git a/targeted/macros/program/gift_macros.te b/targeted/macros/program/gift_macros.te deleted file mode 100644 index d8e39e2f..00000000 --- a/targeted/macros/program/gift_macros.te +++ /dev/null 
@@ -1,104 +0,0 @@ -# -# Macros for giFT -# -# Author: Ivan Gyurdiev -# -# gift_domains(domain_prefix) -# declares a domain for giftui and giftd - -######################### -# gift_domain(user) # -######################### - -define(`gift_domain', ` - -# Type transition -type $1_gift_t, domain, nscd_client_domain; -domain_auto_trans($1_t, gift_exec_t, $1_gift_t) -role $1_r types $1_gift_t; - -# X access, Home files, GNOME, /tmp -x_client_domain($1_gift, $1) -gnome_application($1_gift, $1) -home_domain($1, gift) -file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir) - -# Allow the user domain to signal/ps. -can_ps($1_t, $1_gift_t) -allow $1_t $1_gift_t:process signal_perms; - -# Launch gift daemon -allow $1_gift_t bin_t:dir search; -domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t) - -# Connect to gift daemon -can_network_client_tcp($1_gift_t, giftd_port_t) -allow $1_gift_t giftd_port_t:tcp_socket name_connect; - -# Read /proc/meminfo -allow $1_gift_t proc_t:dir search; -allow $1_gift_t proc_t:file { getattr read }; - -# giftui looks in .icons, .themes. 
-dontaudit $1_gift_t $1_home_t:dir { getattr read search }; -dontaudit $1_gift_t $1_home_t:file { getattr read }; - -') dnl gift_domain - -########################## -# giftd_domain(user) # -########################## - -define(`giftd_domain', ` - -type $1_giftd_t, domain; - -# Transition from user type -domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t) -role $1_r types $1_giftd_t; - -# Self permissions, allow fork -allow $1_giftd_t self:process { fork signal sigchld setsched }; -allow $1_giftd_t self:unix_stream_socket create_socket_perms; - -read_sysctl($1_giftd_t) -read_locale($1_giftd_t) -uses_shlib($1_giftd_t) -access_terminal($1_giftd_t, $1) - -# Read /proc/meminfo -allow $1_giftd_t proc_t:dir search; -allow $1_giftd_t proc_t:file { getattr read }; - -# Read /etc/mtab -allow $1_giftd_t etc_runtime_t:file { getattr read }; - -# Access home domain -home_domain_access($1_giftd_t, $1, gift) -file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir) - -# Serve content on various p2p networks. Ports can be random. -can_network_server($1_giftd_t) -allow $1_giftd_t self:udp_socket listen; -allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind; - -# Connect to various p2p networks. Ports can be random. -can_network_client($1_giftd_t) -allow $1_giftd_t port_type:tcp_socket name_connect; - -# Plugins -r_dir_file($1_giftd_t, usr_t) - -# Connect to xdm -can_pipe_xdm($1_giftd_t) - -') dnl giftd_domain - -########################## -# gift_domains(user) # -########################## - -define(`gift_domains', ` -gift_domain($1) -giftd_domain($1) -') dnl gift_domains diff --git a/targeted/macros/program/gnome_macros.te b/targeted/macros/program/gnome_macros.te deleted file mode 100644 index 5d31af51..00000000 --- a/targeted/macros/program/gnome_macros.te +++ /dev/null 
@@ -1,115 +0,0 @@ -# -# GNOME related types -# -# Author: Ivan Gyurdiev -# -# gnome_domain(role_prefix) - create GNOME domain (run for each role) -# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps -# gnome_file_dialog(role_prefix) - gnome file dialog rules -# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private - -define(`gnome_domain', ` - -# Types for .gnome2 and .gnome2_private. -# For backwards compatibility, allow unrestricted -# access from ROLE_t. However, content inside -# *should* be labeled per application eventually. -# For .gnome2_private, use the private_store macro below. - -type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile; -create_dir_file($1_t, $1_gnome_settings_t) -allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto }; - -type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile; -create_dir_file($1_t, $1_gnome_secret_t) -allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto }; - -# GConf domain -gconfd_domain($1) -gconf_client($1, $1) - -# Bonobo-activation-server -bonobo_domain($1) -bonobo_client($1, $1) - -# GNOME vfs daemon -gnome_vfs_domain($1) -gnome_vfs_client($1, $1) - -# ICE is necessary for session management -ice_domain($1, $1) - -') - -################################# - -define(`gnome_application', ` - -# If launched from a terminal -access_terminal($1_t, $2) - -# Forking is generally okay -allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork }; -allow $1_t self:fifo_file rw_file_perms; - -# Shlib, locale, sysctl, proc -uses_shlib($1_t) -read_locale($1_t) -read_sysctl($1_t) - -allow $1_t { self proc_t }:dir { search read getattr }; -allow $1_t { self proc_t }:{ file lnk_file } { read getattr }; - -# Most gnome apps use bonobo -bonobo_client($1, $2) - -# Within-process bonobo-activation of components -bonobo_connect($1, $1) - -# Session management happens over ICE -# FIXME: More specific context is needed for 
gnome-session -ice_connect($1, $2) - -# Most talk to GConf -gconf_client($1, $2) - -# Allow getattr/read/search of .gnome2 and .gnome2_private -# Reading files should *not* be allowed - instead, more specific -# types should be created to handle such requests -allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms; - -# Access /etc/mtab, /etc/nsswitch.conf -allow $1_t etc_t:file { read getattr }; -allow $1_t etc_runtime_t:file { read getattr }; - -# Themes, gtkrc -allow $1_t usr_t:{ file lnk_file } r_file_perms; - -') dnl gnome_application - -################################ - -define(`gnome_file_dialog', ` - -# GNOME Open/Save As dialogs -dontaudit_getattr($1_t) -dontaudit_search_dir($1_t) - -# Bonobo connection to gnome_vfs daemon -bonobo_connect($1, $2_gnome_vfs) - -') dnl gnome_file_dialog - -################################ - -define(`gnome_private_store', ` - -# Type for storing secret data -# (different from home, not directly accessible from ROLE_t) -type $1_secret_t, file_type, $2_file_type, sysadmfile; - -# Put secret files in .gnome2_private -file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file); -allow $2_t $1_secret_t:file unlink; - -') dnl gnome_private_store diff --git a/targeted/macros/program/gnome_vfs_macros.te b/targeted/macros/program/gnome_vfs_macros.te deleted file mode 100644 index 8ff5c28a..00000000 --- a/targeted/macros/program/gnome_vfs_macros.te +++ /dev/null 
@@ -1,55 +0,0 @@ -# -# GNOME VFS daemon -# -# Author: Ivan Gyurdiev -# - -####################################### -# gnome_vfs_domain(role_prefix) -# - -define(`gnome_vfs_domain', ` - -# Type for daemon -type $1_gnome_vfs_t, domain, nscd_client_domain; - -# GNOME, dbus -gnome_application($1_gnome_vfs, $1) -dbusd_client(system, $1_gnome_vfs) -allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg; -ifdef(`hald.te', ` -allow $1_gnome_vfs_t hald_t:dbus send_msg; -allow hald_t $1_gnome_vfs_t:dbus send_msg; -') - -# Transition from user type -domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t) -role $1_r types $1_gnome_vfs_t; - -# Stat top level directories on mount_points (check free space?) -allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr; - -# Search path to /home (??) -allow $1_gnome_vfs_t home_root_t:dir search; -allow $1_gnome_vfs_t $1_home_dir_t:dir search; - -# Search path to rpc_pipefs mount point (??) -allow $1_gnome_vfs_t var_lib_nfs_t:dir search; -allow $1_gnome_vfs_t var_lib_t:dir search; - -# Search libexec (??) -allow $1_gnome_vfs_t bin_t:dir search; -can_exec($1_gnome_vfs_t, bin_t) - -') dnl gnome_vfs_domain - -##################################### -# gnome_vfs_client(prefix, role_prefix) -# - -define(`gnome_vfs_client', ` - -# Connect over bonobo -bonobo_connect($1, $2_gnome_vfs) - -') dnl gnome_vfs_client diff --git a/targeted/macros/program/gpg_agent_macros.te b/targeted/macros/program/gpg_agent_macros.te deleted file mode 100644 index f7ad8b04..00000000 --- a/targeted/macros/program/gpg_agent_macros.te +++ /dev/null 
@@ -1,125 +0,0 @@ -# -# Macros for gpg agent -# -# Author: Thomas Bleher -# -# -# gpg_agent_domain(domain_prefix) -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/gpg-agent.te. -# -define(`gpg_agent_domain',` -# Define a derived domain for the gpg-agent program when executed -# by a user domain. -# Derived domain based on the calling user domain and the program. -type $1_gpg_agent_t, domain; - -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) - -# The user role is authorized for this domain. -role $1_r types $1_gpg_agent_t; - -allow $1_gpg_agent_t privfd:fd use; - -# Write to the user domain tty. -access_terminal($1_gpg_agent_t, $1) - -# Allow the user shell to signal the gpg-agent program. -allow $1_t $1_gpg_agent_t:process { signal sigkill }; -# allow ps to show gpg-agent -can_ps($1_t, $1_gpg_agent_t) - -uses_shlib($1_gpg_agent_t) -read_locale($1_gpg_agent_t) - -# rlimit: gpg-agent wants to prevent coredumps -allow $1_gpg_agent_t self:process { setrlimit fork sigchld }; - -allow $1_gpg_agent_t { self proc_t }:dir search; -allow $1_gpg_agent_t { self proc_t }:lnk_file read; - -allow $1_gpg_agent_t device_t:dir { getattr read }; - -# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; -create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) -if (use_nfs_home_dirs) { -create_dir_file($1_gpg_agent_t, nfs_t) -} -if (use_samba_home_dirs) { -create_dir_file($1_gpg_agent_t, cifs_t) -} - -allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms; -allow $1_gpg_agent_t self:fifo_file { getattr read write }; - -# create /tmp files -tmp_domain($1_gpg_agent, `', `{ file dir sock_file }') - -# gpg connect -allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; -allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; -can_unix_connect($1_gpg_t, $1_gpg_agent_t) 
- -# policy for pinentry -# =================== -# we need to allow gpg-agent to call pinentry so it can get the passphrase -# from the user. -# Please note that I didnt use the x_client_domain-macro as it gives too -# much permissions -type $1_gpg_pinentry_t, domain; -role $1_r types $1_gpg_pinentry_t; - -allow $1_gpg_agent_t bin_t:dir search; -domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t) - -uses_shlib($1_gpg_pinentry_t) -read_locale($1_gpg_pinentry_t) - -allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; -allow $1_gpg_pinentry_t self:fifo_file { getattr read write }; - -ifdef(`xdm.te', ` -allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; -allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; -can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) -')dnl end ig xdm.te - -read_fonts($1_gpg_pinentry_t, $1) -# read kde font cache -allow $1_gpg_pinentry_t usr_t:file { getattr read }; - -allow $1_gpg_pinentry_t { proc_t self }:dir search; -allow $1_gpg_pinentry_t { proc_t self }:lnk_file read; -# read /proc/meminfo -allow $1_gpg_pinentry_t proc_t:file read; - -allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; - -# for .Xauthority -allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search }; -allow $1_gpg_pinentry_t $1_home_t:file { getattr read }; -# wants to put some lock files into the user home dir, seems to work fine without -dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; -dontaudit $1_gpg_pinentry_t $1_home_t:file write; -if (use_nfs_home_dirs) { -allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; -allow $1_gpg_pinentry_t nfs_t:file { getattr read }; -dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; -dontaudit $1_gpg_pinentry_t nfs_t:file write; -} -if (use_samba_home_dirs) { -allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; -allow $1_gpg_pinentry_t cifs_t:file { getattr read }; -dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; 
-dontaudit $1_gpg_pinentry_t cifs_t:file write; -} - -# read /etc/X11/qtrc -allow $1_gpg_pinentry_t etc_t:file { getattr read }; - -dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search }; - -')dnl end if gpg_agent diff --git a/targeted/macros/program/gpg_macros.te b/targeted/macros/program/gpg_macros.te deleted file mode 100644 index 9dba8f7c..00000000 --- a/targeted/macros/program/gpg_macros.te +++ /dev/null 
@@ -1,113 +0,0 @@ -# -# Macros for gpg and pgp -# -# Author: Russell Coker -# -# based on the work of: -# Stephen Smalley and Timothy Fraser -# - -# -# gpg_domain(domain_prefix) -# -# Define a derived domain for the gpg/pgp program when executed by -# a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/gpg.te. -# -define(`gpg_domain', ` -# Derived domain based on the calling user domain and the program. -type $1_gpg_t, domain, privlog; -type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile; - -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t) -role $1_r types $1_gpg_t; - -can_network($1_gpg_t) -allow $1_gpg_t port_type:tcp_socket name_connect; -can_ypbind($1_gpg_t) - -# for a bug in kmail -dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write }; - -allow $1_gpg_t device_t:dir r_dir_perms; -allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms; - -allow $1_gpg_t etc_t:file r_file_perms; - -allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms; -allow $1_gpg_t self:tcp_socket create_stream_socket_perms; - -access_terminal($1_gpg_t, $1) -ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;') - -# Inherit and use descriptors -allow $1_gpg_t { privfd $1_t }:fd use; -allow { $1_t $1_gpg_t } $1_gpg_t:process signal; - -# setrlimit is for ulimit -c 0 -allow $1_gpg_t self:process { setrlimit setcap setpgid }; - -# allow ps to show gpg -can_ps($1_t, $1_gpg_t) - -uses_shlib($1_gpg_t) - -# Access .gnupg -rw_dir_create_file($1_gpg_t, $1_gpg_secret_t) - -# Read content to encrypt/decrypt/sign -read_content($1_gpg_t, $1) - -# Write content to encrypt/decrypt/sign -write_trusted($1_gpg_t, $1) - -allow $1_gpg_t self:capability { ipc_lock setuid }; - -allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms; -allow $1_gpg_t fs_t:filesystem getattr; -allow $1_gpg_t usr_t:file r_file_perms; -read_locale($1_gpg_t) 
- -dontaudit $1_gpg_t var_t:dir search; - -ifdef(`gpg-agent.te', `gpg_agent_domain($1)') - -# for helper programs (which automatically fetch keys) -# Note: this is only tested with the hkp interface. If you use eg the -# mail interface you will likely need additional permissions. -type $1_gpg_helper_t, domain; -role $1_r types $1_gpg_helper_t; - -domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t) -uses_shlib($1_gpg_helper_t) - -# allow gpg to fork so it can call the helpers -allow $1_gpg_t self:process { fork sigchld }; -allow $1_gpg_t self:fifo_file { getattr read write }; - -dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; -if (use_nfs_home_dirs) { -dontaudit $1_gpg_helper_t nfs_t:file { read write }; -} -if (use_samba_home_dirs) { -dontaudit $1_gpg_helper_t cifs_t:file { read write }; -} - -# communicate with the user -allow $1_gpg_helper_t $1_t:fd use; -allow $1_gpg_helper_t $1_t:fifo_file write; -# get keys from the network -can_network_client($1_gpg_helper_t) -allow $1_gpg_helper_t port_type:tcp_socket name_connect; -allow $1_gpg_helper_t etc_t:file { getattr read }; -allow $1_gpg_helper_t urandom_device_t:chr_file read; -allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; -# for nscd -dontaudit $1_gpg_helper_t var_t:dir search; - -can_pipe_xdm($1_gpg_t) - -')dnl end gpg_domain definition diff --git a/targeted/macros/program/gph_macros.te b/targeted/macros/program/gph_macros.te deleted file mode 100644 index d784fcc3..00000000 --- a/targeted/macros/program/gph_macros.te +++ /dev/null 
@@ -1,85 +0,0 @@ -# -# Macros for gnome-pty-helper domains. -# - -# -# Authors: Stephen Smalley and Timothy Fraser -# - -# -# gph_domain(domain_prefix, role_prefix) -# -# Define a derived domain for the gnome-pty-helper program when -# executed by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/gnome-pty-helper.te. -# -# The *_gph_t domains are for the gnome_pty_helper program. -# This program is executed by gnome-terminal to handle -# updates to utmp and wtmp. In this regard, it is similar -# to utempter. However, unlike utempter, gnome-pty-helper -# also creates the pty file for the terminal program. -# There is one *_gph_t domain for each user domain. -# -undefine(`gph_domain') -define(`gph_domain',` -# Derived domain based on the calling user domain and the program. -type $1_gph_t, domain, gphdomain, nscd_client_domain; - -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, gph_exec_t, $1_gph_t) - -# The user role is authorized for this domain. -role $2_r types $1_gph_t; - -# This domain is granted permissions common to most domains. -uses_shlib($1_gph_t) - -# Use capabilities. -allow $1_gph_t self:capability { chown fsetid setgid setuid }; - -# Update /var/run/utmp and /var/log/wtmp. -allow $1_gph_t { var_t var_run_t }:dir search; -allow $1_gph_t initrc_var_run_t:file rw_file_perms; -allow $1_gph_t wtmp_t:file rw_file_perms; - -# Allow gph to rw to stream sockets of appropriate user type. -# (Need this so gnome-pty-helper can pass pty fd to parent -# gnome-terminal which is running in a user domain.) -allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms; - -allow $1_gph_t self:unix_stream_socket create_stream_socket_perms; - -# Allow user domain to use pty fd from gnome-pty-helper. -allow $1_t $1_gph_t:fd use; - -# Use the network, e.g. for NIS lookups. 
-can_resolve($1_gph_t) -can_ypbind($1_gph_t) - -allow $1_gph_t etc_t:file { getattr read }; - -# Added by David A. Wheeler: -# Allow gnome-pty-helper to update /var/log/lastlog -# (the gnome-pty-helper in Red Hat Linux 7.1 does this): -allow $1_gph_t lastlog_t:file rw_file_perms; -allow $1_gph_t var_log_t:dir search; -allow $1_t $1_gph_t:process signal; - -ifelse($2, `system', ` -# Create ptys for the system -can_create_other_pty($1_gph, initrc) -', ` -# Create ptys for the user domain. -can_create_other_pty($1_gph, $1) - -# Read and write the users tty. -allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms; - -# Allow gnome-pty-helper to write the .xsession-errors file. -allow $1_gph_t home_root_t:dir search; -allow $1_gph_t $1_home_t:dir { search add_name }; -allow $1_gph_t $1_home_t:file { create write }; -')dnl end ifelse system -')dnl end macro diff --git a/targeted/macros/program/i18n_input_macros.te b/targeted/macros/program/i18n_input_macros.te deleted file mode 100644 index 58699fc8..00000000 --- a/targeted/macros/program/i18n_input_macros.te +++ /dev/null @@ -1,21 +0,0 @@ -# -# Macros for i18n_input -# - -# -# Authors: Dan Walsh -# - -# -# i18n_input_domain(domain) -# -ifdef(`i18n_input.te', ` -define(`i18n_input_domain', ` -allow i18n_input_t $1_home_dir_t:dir { getattr search }; -r_dir_file(i18n_input_t, $1_home_t) -if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) } -if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) } -') -') - - diff --git a/targeted/macros/program/ice_macros.te b/targeted/macros/program/ice_macros.te deleted file mode 100644 index b3734963..00000000 --- a/targeted/macros/program/ice_macros.te +++ /dev/null 
@@ -1,38 +0,0 @@ -# -# ICE related types -# -# Author: Ivan Gyurdiev -# -# ice_domain(prefix, role) - create ICE sockets -# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets - -define(`ice_domain', ` -ifdef(`$1_ice_tmp_t_defined',`', ` -define(`$1_ice_tmp_t_defined') - -# Type for ICE sockets -type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile; -file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t) - -# Create the sockets -allow $1_t self:unix_stream_socket create_stream_socket_perms; -allow $1_t self:unix_dgram_socket create_socket_perms; - -# FIXME: How does iceauth tie in? - -') -') - -# FIXME: Should this be bidirectional? -# Adding only unidirectional for now. - -define(`ice_connect', ` - -# Read .ICEauthority file -allow $1_t $2_iceauth_home_t:file { read getattr }; - -can_unix_connect($1_t, $2_t) -allow $1_t ice_tmp_t:dir r_dir_perms; -allow $1_t $2_ice_tmp_t:sock_file { read write }; -allow $1_t $2_t:unix_stream_socket { read write }; -') diff --git a/targeted/macros/program/iceauth_macros.te b/targeted/macros/program/iceauth_macros.te deleted file mode 100644 index cc7e804c..00000000 --- a/targeted/macros/program/iceauth_macros.te +++ /dev/null 
@@ -1,40 +0,0 @@
-#
-# Macros for iceauth domains.
-#
-# Author: Ivan Gyurdiev
-#
-# iceauth_domain(domain_prefix)
-
-define(`iceauth_domain',`
-
-# Program type
-type $1_iceauth_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t)
-role $1_r types $1_iceauth_t;
-
-# Store .ICEauthority files
-home_domain($1, iceauth)
-file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file)
-
-# Supress xdm trying to restore .ICEauthority permissions
-ifdef(`xdm.te', `
-dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
-')
-
-# /root
-allow $1_iceauth_t root_t:dir search;
-
-# Terminal output
-access_terminal($1_iceauth_t, $1)
-
-uses_shlib($1_iceauth_t)
-
-# ???
-allow $1_iceauth_t etc_t:dir search;
-allow $1_iceauth_t usr_t:dir search;
-
-# FIXME: policy is incomplete
-
-')dnl end xauth_domain macro
diff --git a/targeted/macros/program/inetd_macros.te b/targeted/macros/program/inetd_macros.te
deleted file mode 100644
index e5c4eed2..00000000
--- a/targeted/macros/program/inetd_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-#################################
-#
-# Rules for the $1_t domain.
-#
-# $1_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# $1_exec_t is the type of the corresponding
-# programs.
-#
-define(`inetd_child_domain', `
-type $1_t, domain, privlog, nscd_client_domain;
-role system_r types $1_t;
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-domain_auto_trans(inetd_t, $1_exec_t, $1_t)
-allow inetd_t $1_t:process sigkill;
-}
-
-can_network_server($1_t)
-can_ypbind($1_t)
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-read_locale($1_t)
-allow $1_t device_t:dir search;
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:{ file lnk_file } { getattr read };
-allow $1_t self:process { fork signal_perms };
-allow $1_t fs_t:filesystem getattr;
-
-read_sysctl($1_t)
-
-allow $1_t etc_t:file { getattr read };
-
-tmp_domain($1)
-allow $1_t var_t:dir search;
-var_run_domain($1)
-
-# Inherit and use descriptors from inetd.
-allow $1_t inetd_t:fd use;
-
-# for identd
-allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow $1_t self:capability { setuid setgid };
-allow $1_t home_root_t:dir search;
-allow $1_t self:dir search;
-allow $1_t self:{ lnk_file file } { getattr read };
-can_kerberos($1_t)
-allow $1_t urandom_device_t:chr_file r_file_perms;
-# Use sockets inherited from inetd.
-ifelse($2, `', `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, tcp, `
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, udp, `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-')
-r_dir_file($1_t, proc_net_t)
-')
-define(`remote_login_daemon', `
-inetd_child_domain($1)
-
-# Execute /bin/login on a new PTY
-allow $1_t { bin_t sbin_t }:dir search;
-domain_auto_trans($1_t, login_exec_t, remote_login_t)
-can_create_pty($1, `, server_pty, userpty_type')
-allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
-
-# Append to /var/log/wtmp.
-allow $1_t var_log_t:dir search;
-allow $1_t wtmp_t:file rw_file_perms;
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Allow reading of /etc/issue.net
-allow $1_t etc_runtime_t:file r_file_perms;
-
-# Allow krb5 $1 to use fork and open /dev/tty for use
-allow $1_t userpty_type:chr_file setattr;
-allow $1_t devtty_t:chr_file rw_file_perms;
-dontaudit $1_t selinux_config_t:dir search;
-')
diff --git a/targeted/macros/program/irc_macros.te b/targeted/macros/program/irc_macros.te
deleted file mode 100644
index 3adaef78..00000000
--- a/targeted/macros/program/irc_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for irc domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# irc_domain(domain_prefix)
-#
-# Define a derived domain for the irc program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/irc.te.
-#
-undefine(`irc_domain')
-ifdef(`irc.te', `
-define(`irc_domain',`
-
-# Home domain
-home_domain($1, irc)
-file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)
-
-# Derived domain based on the calling user domain and the program.
-type $1_irc_t, domain;
-type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
-
-allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_irc_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
-
-# allow ps to show irc
-can_ps($1_t, $1_irc_t)
-allow $1_t $1_irc_t:process signal;
-
-# Use the network.
-can_network_client($1_irc_t)
-allow $1_irc_t port_type:tcp_socket name_connect;
-can_ypbind($1_irc_t)
-
-allow $1_irc_t usr_t:file { getattr read };
-
-access_terminal($1_irc_t, $1)
-uses_shlib($1_irc_t)
-allow $1_irc_t etc_t:file { read getattr };
-read_locale($1_irc_t)
-allow $1_irc_t fs_t:filesystem getattr;
-allow $1_irc_t var_t:dir search;
-allow $1_irc_t device_t:dir search;
-allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_irc_t privfd:fd use;
-allow $1_irc_t proc_t:dir search;
-allow $1_irc_t { self proc_t }:lnk_file read;
-allow $1_irc_t self:dir search;
-dontaudit $1_irc_t var_run_t:dir search;
-
-# allow utmp access
-allow $1_irc_t initrc_var_run_t:file { getattr read };
-dontaudit $1_irc_t initrc_var_run_t:file lock;
-
-# access files under /tmp
-file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
-
-ifdef(`ircd.te', `
-can_tcp_connect($1_irc_t, ircd_t)
-')dnl end ifdef irc.te
-')dnl end macro definition
-
-', `
-
-define(`irc_domain',`')
-
-')dnl end ifdef irc.te
diff --git a/targeted/macros/program/java_macros.te b/targeted/macros/program/java_macros.te
deleted file mode 100644
index 874d6dc3..00000000
--- a/targeted/macros/program/java_macros.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Authors: Dan Walsh
-#
-# Macros for javaplugin (java plugin) domains.
-#
-#
-# javaplugin_domain(domain_prefix, role)
-#
-# Define a derived domain for the javaplugin program when executed by
-# a web browser.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/java.te.
-#
-define(`javaplugin_domain',`
-type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
-
-# The user role is authorized for this domain.
-role $2_r types $1_javaplugin_t;
-domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-
-allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
-# Unrestricted inheritance from the caller.
-allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-allow $1_javaplugin_t $1_t:process signull;
-
-can_unix_connect($1_javaplugin_t, $1_t)
-allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_javaplugin_t)
-allow $1_javaplugin_t port_type:tcp_socket name_connect;
-can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:fifo_file rw_file_perms;
-allow $1_javaplugin_t etc_runtime_t:file { getattr read };
-allow $1_javaplugin_t fs_t:filesystem getattr;
-r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
-allow $1_javaplugin_t self:dir search;
-allow $1_javaplugin_t self:lnk_file read;
-allow $1_javaplugin_t self:file { getattr read };
-
-read_sysctl($1_javaplugin_t)
-allow $1_javaplugin_t sysctl_vm_t:dir search;
-
-tmp_domain($1_javaplugin)
-read_fonts($1_javaplugin_t, $2)
-r_dir_file($1_javaplugin_t,{ usr_t etc_t })
-
-# Search bin directory under javaplugin for javaplugin executable
-allow $1_javaplugin_t bin_t:dir search;
-can_exec($1_javaplugin_t, java_exec_t)
-
-# libdeploy.so legacy
-allow $1_javaplugin_t texrel_shlib_t:file execmod;
-if (allow_execmem) {
-allow $1_javaplugin_t self:process execmem;
-}
-
-# Connect to X server
-x_client_domain($1_javaplugin, $2)
-
-uses_shlib($1_javaplugin_t)
-read_locale($1_javaplugin_t)
-rw_dir_file($1_javaplugin_t, $1_home_t)
-
-if (allow_java_execstack) {
-legacy_domain($1_javaplugin)
-allow $1_javaplugin_t lib_t:file execute;
-allow $1_javaplugin_t locale_t:file execute;
-allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-allow $1_javaplugin_t fonts_t:file execute;
-allow $1_javaplugin_t sound_device_t:chr_file execute;
-}
-
-allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-
-allow $1_javaplugin_t home_root_t:dir { getattr search };
-file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
-allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
-allow $1_javaplugin_t $2_tmp_t:sock_file write;
-allow $1_javaplugin_t $2_t:fd use;
-
-allow $1_javaplugin_t var_t:dir getattr;
-allow $1_javaplugin_t var_lib_t:dir { getattr search };
-
-dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
-dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
-dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
-
-')
diff --git a/targeted/macros/program/kerberos_macros.te b/targeted/macros/program/kerberos_macros.te
deleted file mode 100644
index 91850d3c..00000000
--- a/targeted/macros/program/kerberos_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-define(`can_kerberos',`
-ifdef(`kerberos.te',`
-if (allow_kerberos) {
-can_network_client($1, `kerberos_port_t')
-allow $1 kerberos_port_t:tcp_socket name_connect;
-can_resolve($1)
-}
-') dnl kerberos.te
-dontaudit $1 krb5_conf_t:file write;
-allow $1 krb5_conf_t:file { getattr read };
-')
diff --git a/targeted/macros/program/lockdev_macros.te b/targeted/macros/program/lockdev_macros.te
deleted file mode 100644
index 28f7c01f..00000000
--- a/targeted/macros/program/lockdev_macros.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Macros for lockdev domains.
-#
-
-#
-# Authors: Daniel Walsh
-#
-
-#
-# lockdev_domain(domain_prefix)
-#
-# Define a derived domain for the lockdev programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lockdev.te.
-#
-undefine(`lockdev_domain')
-define(`lockdev_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lockdev_t, domain, privlog;
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lockdev_t;
-# Use capabilities.
-allow $1_lockdev_t self:capability setgid;
-allow $1_lockdev_t $1_t:process signull;
-
-allow $1_lockdev_t var_t:dir search;
-
-lock_domain($1_lockdev)
-
-r_dir_file($1_lockdev_t, lockfile)
-
-allow $1_lockdev_t device_t:dir search;
-allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
-access_terminal($1_lockdev_t, $1)
-dontaudit $1_lockdev_t root_t:dir search;
-
-uses_shlib($1_lockdev_t)
-allow $1_lockdev_t fs_t:filesystem getattr;
-
-')dnl end macro definition
-
diff --git a/targeted/macros/program/login_macros.te b/targeted/macros/program/login_macros.te
deleted file mode 100644
index 0d0993c7..00000000
--- a/targeted/macros/program/login_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macros for login type programs (/bin/login, sshd, etc).
-#
-# Author: Russell Coker
-#
-
-define(`login_spawn_domain', `
-domain_trans($1_t, shell_exec_t, $2)
-
-# Signal the user domains.
-allow $1_t $2:process signal;
-')
diff --git a/targeted/macros/program/lpr_macros.te b/targeted/macros/program/lpr_macros.te
deleted file mode 100644
index d8b3b312..00000000
--- a/targeted/macros/program/lpr_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for lpr domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# lpr_domain(domain_prefix)
-#
-# Define a derived domain for the lpr/lpq/lprm programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lpr.te.
-#
-undefine(`lpr_domain')
-define(`lpr_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lpr_t, domain, privlog, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
-
-allow $1_t $1_lpr_t:process signull;
-
-# allow using shared objects, accessing root dir, etc
-uses_shlib($1_lpr_t)
-
-read_locale($1_lpr_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lpr_t;
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_lpr_t)
-allow $1_lpr_t port_type:tcp_socket name_connect;
-can_ypbind($1_lpr_t)
-
-# Use capabilities.
-allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
-
-allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
-
-# for lpd config files (should have a new type)
-r_dir_file($1_lpr_t, etc_t)
-
-# for test print
-r_dir_file($1_lpr_t, usr_t)
-ifdef(`lpd.te', `
-r_dir_file($1_lpr_t, printconf_t)
-')
-
-tmp_domain($1_lpr)
-
-# Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile;
-# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
-file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
-allow $1_lpr_t var_spool_t:dir search;
-
-# for /dev/null
-allow $1_lpr_t device_t:dir search;
-
-# Access the terminal.
-access_terminal($1_lpr_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
-allow $1_lpr_t privfd:fd use;
-
-# Read user files.
-read_content(sysadm_lpr_t, $1)
-read_content($1_lpr_t, $1)
-
-# Read and write shared files in the spool directory.
-allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-# lpr can run in lightweight mode, without a local print spooler. If the
-# lpd policy is present, grant some permissions for this domain and the lpd
-# domain to interact.
-ifdef(`lpd.te', `
-allow $1_lpr_t { var_t var_run_t }:dir search;
-allow $1_lpr_t lpd_var_run_t:dir search;
-allow $1_lpr_t lpd_var_run_t:sock_file write;
-
-# Allow lpd to read, rename, and unlink spool files.
-allow lpd_t $1_print_spool_t:file r_file_perms;
-allow lpd_t $1_print_spool_t:file link_file_perms;
-
-# Connect to lpd via a Unix domain socket.
-allow $1_lpr_t printer_t:sock_file rw_file_perms;
-can_unix_connect($1_lpr_t, lpd_t)
-dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };
-
-# Connect to lpd via a TCP socket.
-can_tcp_connect($1_lpr_t, lpd_t)
-
-allow $1_lpr_t fs_t:filesystem getattr;
-# Send SIGHUP to lpd.
-allow $1_lpr_t lpd_t:process signal;
-
-')dnl end if lpd.te
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_lpr_t)
-')
-
-ifdef(`cups.te', `
-allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
-allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
-can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
-')dnl end ifdef cups.te
-
-')dnl end macro definition
-
diff --git a/targeted/macros/program/mail_client_macros.te b/targeted/macros/program/mail_client_macros.te
deleted file mode 100644
index da22a620..00000000
--- a/targeted/macros/program/mail_client_macros.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Shared macro for mail clients
-#
-# Author: Ivan Gyurdiev
-#
-
-########################################
-# mail_client_domain(client, role_prefix)
-#
-
-define(`mail_client_domain', `
-
-# Allow netstat
-# Startup shellscripts
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file r_file_perms;
-can_exec($1_t, bin_t)
-r_dir_file($1_t, proc_net_t)
-allow $1_t sysctl_net_t:dir search;
-
-# Allow DNS
-can_resolve($1_t)
-
-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-can_ypbind($1_t)
-can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
-allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Allow printing the mail
-ifdef(`cups.te',`
-allow $1_t cupsd_etc_t:dir r_dir_perms;
-allow $1_t cupsd_rw_etc_t:file r_file_perms;
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
-')
-
-# Attachments
-read_content($1_t, $2, mail)
-
-# Save mail
-write_untrusted($1_t, $2)
-
-# Encrypt mail
-ifdef(`gpg.te', `
-domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
-allow $1_t $2_gpg_t:process signal;
-')
-
-# Start links in web browser
-ifdef(`mozilla.te', `
-can_exec($1_t, shell_exec_t)
-domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
-')
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-allow $1_t system_dbusd_t:dbus send_msg;
-dbusd_client($2, $1)
-allow $1_t $2_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_t:dbus send_msg;
-')
-')
-# Allow the user domain to signal/ps.
-can_ps($2_t, $1_t)
-allow $2_t $1_t:process signal_perms;
-
-')
diff --git a/targeted/macros/program/mount_macros.te b/targeted/macros/program/mount_macros.te
deleted file mode 100644
index 0aa05778..00000000
--- a/targeted/macros/program/mount_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for mount
-#
-# Author: Brian May
-# Extended by Russell Coker
-#
-
-#
-# mount_domain(domain_prefix,dst_domain_prefix)
-#
-# Define a derived domain for the mount program for anyone.
-#
-define(`mount_domain', `
-#
-# Rules for the $2_t domain, used by the $1_t domain.
-#
-# $2_t is the domain for the mount process.
-#
-# This macro will not be included by all users and it may be included twice if
-# called from other macros, so we need protection for this do not call this
-# macro if $2_def is defined
-define(`$2_def', `')
-#
-type $2_t, domain, privlog $3, nscd_client_domain;
-
-allow $2_t sysfs_t:dir search;
-
-uses_shlib($2_t)
-
-role $1_r types $2_t;
-# when mount is run by $1 goto $2_t domain
-domain_auto_trans($1_t, mount_exec_t, $2_t)
-
-allow $2_t proc_t:dir search;
-allow $2_t proc_t:file { getattr read };
-
-#
-# Allow mounting of cdrom by user
-#
-allow $2_t device_type:blk_file getattr;
-
-tmp_domain($2)
-
-# Use capabilities.
-allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-allow $2_t self:unix_stream_socket create_socket_perms;
-
-# Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
-
-allow $2_t etc_t:file { getattr read };
-
-read_locale($2_t)
-
-allow $2_t home_root_t:dir search;
-allow $2_t $1_home_dir_t:dir search;
-allow $2_t noexattrfile:filesystem { mount unmount };
-allow $2_t fs_t:filesystem getattr;
-allow $2_t removable_t:filesystem { mount unmount };
-allow $2_t mnt_t:dir { mounton search };
-allow $2_t sbin_t:dir search;
-
-# Access the terminal.
-access_terminal($2_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
-allow $2_t var_t:dir search;
-allow $2_t var_run_t:dir search;
-
-ifdef(`distro_redhat',`
-ifdef(`pamconsole.te',`
-r_dir_file($2_t,pam_var_console_t)
-# mount config by default sets fscontext=removable_t
-allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end pamconsole.te
-') dnl end distro_redhat
-') dnl end mount_domain
-
-# mount_loopback_privs(domain_prefix,dst_domain_prefix)
-#
-# Add loopback mounting privileges to a particular derived
-# mount domain.
-#
-define(`mount_loopback_privs',`
-type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
-allow $1_t $1_$2_source_t:file create_file_perms;
-allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
-allow $2_t $1_$2_source_t:file rw_file_perms;
-')
-
diff --git a/targeted/macros/program/mozilla_macros.te b/targeted/macros/program/mozilla_macros.te
deleted file mode 100644
index cc8afb0f..00000000
--- a/targeted/macros/program/mozilla_macros.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#
-# Macros for mozilla/mozilla (or other browser) domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# mozilla_domain(domain_prefix)
-#
-# Define a derived domain for the mozilla/mozilla program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mozilla.te.
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`mozilla_domain',`
-
-type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
-
-# Type transition
-if (! disable_mozilla_trans) {
-domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
-}
-role $1_r types $1_mozilla_t;
-
-# X access, Home files
-home_domain($1, mozilla)
-x_client_domain($1_mozilla, $1)
-
-# GNOME integration
-ifdef(`gnome.te', `
-gnome_application($1_mozilla, $1)
-gnome_file_dialog($1_mozilla, $1)
-')
-
-# Look for plugins
-allow $1_mozilla_t bin_t:dir { getattr read search };
-
-# Browse the web, connect to printer
-can_resolve($1_mozilla_t)
-can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
-allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Should not need other ports
-dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
-
-allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
-dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-
-# Unrestricted inheritance from the caller.
-allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
-allow $1_mozilla_t $1_t:process signull;
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_mozilla_t) -allow $1_t $1_mozilla_t:process signal_perms; - -# Access /proc, sysctl -allow $1_mozilla_t proc_t:dir search; -allow $1_mozilla_t proc_t:file { getattr read }; -allow $1_mozilla_t proc_t:lnk_file read; -allow $1_mozilla_t sysctl_net_t:dir search; -allow $1_mozilla_t sysctl_t:dir search; - -# /var/lib -allow $1_mozilla_t var_lib_t:dir search; -allow $1_mozilla_t var_lib_t:file { getattr read }; - -# Self permissions -allow $1_mozilla_t self:socket create_socket_perms; -allow $1_mozilla_t self:file { getattr read }; -allow $1_mozilla_t self:sem create_sem_perms; - -# for bash - old mozilla binary -can_exec($1_mozilla_t, mozilla_exec_t) -can_exec($1_mozilla_t, shell_exec_t) -can_exec($1_mozilla_t, bin_t) -allow $1_mozilla_t bin_t:lnk_file read; -allow $1_mozilla_t device_t:dir r_dir_perms; -allow $1_mozilla_t self:dir search; -allow $1_mozilla_t self:lnk_file read; -r_dir_file($1_mozilla_t, proc_net_t) - -# interacting with gstreamer -r_dir_file($1_mozilla_t, var_t) - -# Uploads, local html -read_content($1_mozilla_t, $1, mozilla) - -# Save web pages -write_untrusted($1_mozilla_t, $1) - -# Mozpluggerrc -allow $1_mozilla_t mozilla_conf_t:file r_file_perms; - -######### Java plugin -ifdef(`java.te', ` -javaplugin_domain($1_mozilla, $1) -') dnl java.te - -######### Print web content -ifdef(`cups.te', ` -allow $1_mozilla_t cupsd_etc_t:dir search; -allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read }; -') -ifdef(`lpr.te', ` -domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t) -dontaudit $1_lpr_t $1_mozilla_home_t:file { read write }; -dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write }; -') dnl if lpr.te - -######### Launch mplayer -ifdef(`mplayer.te', ` -domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t) -dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write }; -dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write }; -dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write }; -')dnl end if 
mplayer.te
-
-######### Launch email client, and make webcal links work
-ifdef(`evolution.te', `
-domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-') dnl if evolution.te
-
-ifdef(`thunderbird.te', `
-domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
-') dnl if evolution.te
-
-if (allow_execmem) {
-allow $1_mozilla_t self:process { execmem execstack };
-}
-allow $1_mozilla_t texrel_shlib_t:file execmod;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, $1_mozilla)
-allow $1_mozilla_t system_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_mozilla_t:dbus send_msg;
-')
-')
-
-ifdef(`apache.te', `
-ifelse($1, sysadm, `', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
-')
-
-')dnl end mozilla macro
-
diff --git a/targeted/macros/program/mplayer_macros.te b/targeted/macros/program/mplayer_macros.te
deleted file mode 100644
index 6d067578..00000000
--- a/targeted/macros/program/mplayer_macros.te
+++ /dev/null
@@ -1,159 +0,0 @@
-#
-# Macros for mplayer
-#
-# Author: Ivan Gyurdiev
-#
-# mplayer_domains(user) declares domains for mplayer, gmplayer,
-# and mencoder
-
-#####################################################
-# mplayer_common(role_prefix, mplayer_domain) #
-#####################################################
-
-define(`mplayer_common',`
-
-# Read global config
-r_dir_file($1_$2_t, mplayer_etc_t)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
-# Read data in /usr/share (fonts, icons..)
-r_dir_file($1_$2_t, usr_t)
-
-# Read /proc files and directories
-# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:file { getattr read };
-
-# Sysctl on kernel version
-read_sysctl($1_$2_t)
-
-# Allow ps, shared libs, locale, terminal access
-can_ps($1_t, $1_$2_t)
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-access_terminal($1_$2_t, $1)
-
-# Required for win32 binary loader
-allow $1_$2_t zero_device_t:chr_file { read write execute };
-if (allow_execmem) {
-allow $1_$2_t self:process execmem;
-}
-
-if (allow_execmod) {
-allow $1_$2_t zero_device_t:chr_file execmod;
-}
-allow $1_$2_t texrel_shlib_t:file execmod;
-
-# Access to DVD/CD/V4L
-allow $1_$2_t device_t:dir r_dir_perms;
-allow $1_$2_t device_t:lnk_file { getattr read };
-allow $1_$2_t removable_device_t:blk_file { getattr read };
-allow $1_$2_t v4l_device_t:chr_file { getattr read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-legacy_domain($1_$2)
-allow $1_$2_t lib_t:file execute;
-allow $1_$2_t locale_t:file execute;
-allow $1_$2_t sound_device_t:chr_file execute;
-}
-')
-
-###################################
-# mplayer_domain(role_prefix) #
-###################################
-
-define(`mplayer_domain',`
-
-type $1_mplayer_t, domain, nscd_client_domain;
-
-# Type transition
-domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
-role $1_r types $1_mplayer_t;
-
-# Home access, X access
-home_domain($1, mplayer)
-x_client_domain($1_mplayer, $1)
-
-# Mplayer common stuff
-mplayer_common($1, mplayer)
-
-# Fork
-allow $1_mplayer_t self:process { fork signal_perms getsched };
-allow $1_mplayer_t self:fifo_file rw_file_perms;
-
-# Audio, alsa.conf
-allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
-allow $1_mplayer_t etc_t:file { getattr read };
-r_dir_file($1_mplayer_t, alsa_etc_rw_t);
-
-# RTC clock
-allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
-}
-
-#======gmplayer gui==========#
-# File dialogs
-dontaudit_getattr($1_mplayer_t)
-dontaudit_read_dir($1_mplayer_t)
-dontaudit_search_dir($1_mplayer_t)
-
-# Unfortunately the ancient file dialog starts in /
-allow $1_mplayer_t home_root_t:dir read;
-
-# Read /etc/mtab
-allow $1_mplayer_t etc_runtime_t:file { read getattr };
-
-# Run bash/sed (??)
-allow $1_mplayer_t bin_t:dir search;
-allow $1_mplayer_t bin_t:lnk_file read;
-can_exec($1_mplayer_t, bin_t)
-can_exec($1_mplayer_t, shell_exec_t)
-#============================#
-
-# Read songs
-read_content($1_mplayer_t, $1)
-
-') dnl end mplayer_domain
-
-###################################
-# mencoder_domain(role_prefix) #
-###################################
-
-define(`mencoder_domain',`
-
-type $1_mencoder_t, domain;
-
-# Type transition
-domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-role $1_r types $1_mencoder_t;
-
-# Access mplayer home domain
-home_domain_access($1_mencoder_t, $1, mplayer)
-
-# Mplayer common stuff
-mplayer_common($1, mencoder)
-
-# Read content to encode
-read_content($1_mencoder_t, $1)
-
-# Save encoded files
-write_trusted($1_mencoder_t, $1)
-
-') dnl end mencoder_domain
-
-#############################
-# mplayer_domains(role) #
-#############################
-
-define(`mplayer_domains', `
-mplayer_domain($1)
-mencoder_domain($1)
-') dnl end mplayer_domains
-
diff --git a/targeted/macros/program/mta_macros.te b/targeted/macros/program/mta_macros.te
deleted file mode 100644
index b221f541..00000000
--- a/targeted/macros/program/mta_macros.te
+++ /dev/null
@@ -1,121 +0,0 @@ -# Macros for MTA domains. -# - -# -# Author: Russell Coker -# Based on the work of: Stephen Smalley -# Timothy Fraser -# - -# -# mail_domain(domain_prefix) -# -# Define a derived domain for the sendmail program when executed by -# a user domain to send outgoing mail. These domains are separate and -# independent of the domain used for the sendmail daemon process. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/mta.te. -# -undefine(`mail_domain') -define(`mail_domain',` -# Derived domain based on the calling user domain and the program. -type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain; - -ifdef(`sendmail.te', ` -sendmail_user_domain($1) -') - -can_exec($1_mail_t, sendmail_exec_t) -allow $1_mail_t sendmail_exec_t:lnk_file { getattr read }; - -# The user role is authorized for this domain. -role $1_r types $1_mail_t; - -uses_shlib($1_mail_t) -can_network_client_tcp($1_mail_t) -allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect; -can_resolve($1_mail_t) -can_ypbind($1_mail_t) -allow $1_mail_t self:unix_dgram_socket create_socket_perms; -allow $1_mail_t self:unix_stream_socket create_socket_perms; - -read_locale($1_mail_t) -read_sysctl($1_mail_t) -allow $1_mail_t device_t:dir search; -allow $1_mail_t { var_t var_spool_t }:dir search; -allow $1_mail_t self:process { fork signal_perms setrlimit }; -allow $1_mail_t sbin_t:dir search; - -# It wants to check for nscd -dontaudit $1_mail_t var_run_t:dir search; - -# Use capabilities -allow $1_mail_t self:capability { setuid setgid chown }; - -# Execute procmail. -can_exec($1_mail_t, bin_t) -ifdef(`procmail.te',` -can_exec($1_mail_t, procmail_exec_t)') - -ifelse(`$1', `system', ` -# Transition from a system domain to the derived domain. -domain_auto_trans(privmail, sendmail_exec_t, system_mail_t) -allow privmail sendmail_exec_t:lnk_file { getattr read }; - -ifdef(`crond.te', ` -# Read cron temporary files. 
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl }; -allow mta_user_agent system_crond_tmp_t:file { read getattr }; -') -can_access_pty(system_mail_t, initrc) - -', ` -# For when the user wants to send mail via port 25 localhost -can_tcp_connect($1_t, mail_server_domain) - -# Transition from the user domain to the derived domain. -domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t) -allow $1_t sendmail_exec_t:lnk_file { getattr read }; - -# Read user temporary files. -allow $1_mail_t $1_tmp_t:file r_file_perms; -dontaudit $1_mail_t $1_tmp_t:file append; -ifdef(`postfix.te', ` -# postfix seems to need write access if the file handle is opened read/write -allow $1_mail_t $1_tmp_t:file write; -')dnl end if postfix - -allow mta_user_agent $1_tmp_t:file { read getattr }; - -# Write to the user domain tty. -access_terminal(mta_user_agent, $1) -access_terminal($1_mail_t, $1) - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') -allow $1_mail_t privfd:fd use; - -# Create dead.letter in user home directories. -file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) - -if (use_samba_home_dirs) { -rw_dir_create_file($1_mail_t, cifs_t) -} - -# if you do not want to allow dead.letter then use the following instead -#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; -#allow $1_mail_t $1_home_t:file r_file_perms; - -# for reading .forward - maybe we need a new type for it? -# also for delivering mail to maildir -file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t) -')dnl end if system - -allow $1_mail_t etc_t:file { getattr read }; -ifdef(`qmail.te', ` -allow $1_mail_t qmail_etc_t:dir search; -allow $1_mail_t qmail_etc_t:{ file lnk_file } read; -')dnl end if qmail - -') diff --git a/targeted/macros/program/newrole_macros.te b/targeted/macros/program/newrole_macros.te deleted file mode 100644 index 0d522822..00000000 
--- a/targeted/macros/program/newrole_macros.te +++ /dev/null 
@@ -1,97 +0,0 @@ -# Authors: Anthony Colatrella (NSA) Stephen Smalley -# Russell Coker - -# This macro defines the rules for a newrole like program, it is used by -# newrole.te and sudo.te, but may be used by other policy at some later time. - -define(`newrole_domain', ` -# Rules for the $1_t domain. -# -# $1_t is the domain for the program. -# $1_exec_t is the type of the executable. -# -type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2; -in_user_role($1_t) -role sysadm_r types $1_t; - -general_domain_access($1_t); - -uses_shlib($1_t) -read_locale($1_t) -read_sysctl($1_t) - -allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read }; - -# for when the user types "exec newrole" at the command line -allow $1_t privfd:process sigchld; - -# Inherit descriptors from the current session. -allow $1_t privfd:fd use; - -# Execute /sbin/pwdb_chkpwd to check the password. -allow $1_t sbin_t:dir r_dir_perms; - -# Execute shells -allow $1_t bin_t:dir r_dir_perms; -allow $1_t bin_t:lnk_file read; -allow $1_t shell_exec_t:file r_file_perms; - -allow $1_t urandom_device_t:chr_file { getattr read }; - -# Allow $1_t to transition to user domains. -domain_trans($1_t, shell_exec_t, unpriv_userdomain) -if(!secure_mode) -{ - # if we are not in secure mode then we can transition to sysadm_t - domain_trans($1_t, shell_exec_t, sysadm_t) -} - -can_setexec($1_t) - -allow $1_t autofs_t:dir search; - -# Use capabilities. -allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override }; - -# Read the devpts root directory. -allow $1_t devpts_t:dir r_dir_perms; - -# Read the /etc/security/default_type file -r_dir_file($1_t, default_context_t) -r_dir_file($1_t, selinux_config_t) -allow $1_t etc_t:file r_file_perms; - -# Read /var. -r_dir_file($1_t, var_t) - -# Read /dev directories and any symbolic links. 
-allow $1_t device_t:dir r_dir_perms; - -# Relabel terminals. -allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; - -# Access terminals. -allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') - -ifdef(`distro_debian', ` -# for /etc/alternatives -allow $1_t etc_t:lnk_file read; -') - -# -# Allow newrole to obtain contexts to relabel TTYs -# -can_getsecurity($1_t) - -allow $1_t fs_t:filesystem getattr; - -# for some PAM modules and for cwd -dontaudit $1_t { home_root_t home_type }:dir search; - -allow $1_t proc_t:dir search; -allow $1_t proc_t:file { getattr read }; - -# for when the network connection is killed -dontaudit unpriv_userdomain $1_t:process signal; -') diff --git a/targeted/macros/program/orbit_macros.te b/targeted/macros/program/orbit_macros.te deleted file mode 100644 index b2dd5d16..00000000 --- a/targeted/macros/program/orbit_macros.te +++ /dev/null 
@@ -1,44 +0,0 @@ -# -# ORBit related types -# -# Author: Ivan Gyurdiev -# -# orbit_domain(prefix, role_prefix) - create ORBit sockets -# orbit_connect(type1_prefix, type2_prefix) -# - allow communication through ORBit sockets from type1 to type2 - -define(`orbit_domain', ` - -# Protect against double inclusion for speed and correctness -ifdef(`orbit_domain_$1_$2', `', ` -define(`orbit_domain_$1_$2') - -# Relabel directory (startup script) -allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto }; - -# Type for ORBit sockets -type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile; -file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t) -allow $1_t tmp_t:dir { read search getattr }; - -# Create the sockets -allow $1_t self:unix_stream_socket create_stream_socket_perms; -allow $1_t self:unix_dgram_socket create_socket_perms; - -# Use random device(s) -allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl }; - -# Why do they do that? -dontaudit $1_t $2_orbit_tmp_t:dir setattr; - -') dnl ifdef orbit_domain_args -') dnl orbit_domain - -########################## - -define(`orbit_connect', ` - -can_unix_connect($1_t, $2_t) -allow $1_t $2_orbit_tmp_t:sock_file write; - -') dnl orbit_connect diff --git a/targeted/macros/program/pyzor_macros.te b/targeted/macros/program/pyzor_macros.te deleted file mode 100644 index af67d30a..00000000 --- a/targeted/macros/program/pyzor_macros.te +++ /dev/null 
@@ -1,69 +0,0 @@ -# -# Pyzor - Pyzor is a collaborative, networked system to detect and -# block spam using identifying digests of messages. -# -# Author: David Hampton -# - -########## -# common definitions for pyzord and all flavors of pyzor -########## -define(`pyzor_base_domain',` - -# Networking -can_network_client_tcp($1_t, http_port_t); -can_network_udp($1_t, pyzor_port_t); -can_resolve($1_t); - -general_proc_read_access($1_t) - -tmp_domain($1) - -allow $1_t bin_t:dir { getattr search }; -allow $1_t bin_t:file getattr; -allow $1_t lib_t:file { getattr read }; -allow $1_t { var_t var_lib_t var_run_t }:dir search; -uses_shlib($1_t) - -# Python does a getattr on this file -allow $1_t pyzor_exec_t:file getattr; - -# mktemp and other randoms -allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms; - -# Allow access to various files in the /etc/directory including mtab -# and nsswitch -allow $1_t { etc_t etc_runtime_t }:file { getattr read }; -read_locale($1_t) -') - - -# -# Define a user domain for a pyzor -# -# Note: expects to be called with an argument of user, sysadm - -define(`pyzor_domain',` -type $1_pyzor_t, domain, privlog, nscd_client_domain; -role $1_r types $1_pyzor_t; -domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t) - -pyzor_base_domain($1_pyzor) - -# Per-user config/data files -home_domain($1, pyzor) -file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir) - -# System config files -r_dir_file($1_pyzor_t, pyzor_etc_t) - -# System data files -r_dir_file($1_pyzor_t, pyzor_var_lib_t); - -allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms; - -# Allow pyzor to be run by hand. Needed by any action other than -# invocation from a spam filter. -can_access_pty($1_pyzor_t, $1) -allow $1_pyzor_t sshd_t:fd use; -') diff --git a/targeted/macros/program/razor_macros.te b/targeted/macros/program/razor_macros.te deleted file mode 100644 index e4c7c559..00000000 --- a/targeted/macros/program/razor_macros.te +++ /dev/null 
@@ -1,75 +0,0 @@ -# -# Razor - Razor is a collaborative, networked system to detect and -# block spam using identifying digests of messages. -# -# Author: David Hampton -# - -########## -# common definitions for razord and all flavors of razor -########## -define(`razor_base_domain',` - -# Razor is one executable and several symlinks -allow $1_t razor_exec_t:{ file lnk_file } { getattr read }; - -# Networking -can_network_client_tcp($1_t, razor_port_t) -can_resolve($1_t); - -general_proc_read_access($1_t) - -# Read system config file -r_dir_file($1_t, razor_etc_t) - -# Update razor common files -file_type_auto_trans($1_t, var_log_t, razor_log_t, file) -create_dir_file($1_t, razor_log_t) -allow $1_t var_lib_t:dir search; -create_dir_file($1_t, razor_var_lib_t) - -allow $1_t bin_t:dir { getattr search }; -allow $1_t bin_t:file getattr; -allow $1_t lib_t:file { getattr read }; -allow $1_t { var_t var_run_t }:dir search; -uses_shlib($1_t) - -# Razor forks other programs to do part of its work. -general_domain_access($1_t) -can_exec($1_t, bin_t) - -# mktemp and other randoms -allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms; - -# Allow access to various files in the /etc/directory including mtab -# and nsswitch -allow $1_t { etc_t etc_runtime_t }:file { getattr read }; -read_locale($1_t) -') - - -# -# Define a user domain for a razor -# -# Note: expects to be called with an argument of user, sysadm - -define(`razor_domain',` -type $1_razor_t, domain, privlog, nscd_client_domain; -role $1_r types $1_razor_t; -domain_auto_trans($1_t, razor_exec_t, $1_razor_t) - -razor_base_domain($1_razor) - -# Per-user config/data files -home_domain($1, razor) -file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir) - -tmp_domain($1_razor) - -allow $1_razor_t self:unix_stream_socket create_stream_socket_perms; - -# Allow razor to be run by hand. Needed by any action other than -# invocation from a spam filter. 
-can_access_pty($1_razor_t, $1) -allow $1_razor_t sshd_t:fd use; -') diff --git a/targeted/macros/program/resmgrd_macros.te b/targeted/macros/program/resmgrd_macros.te deleted file mode 100644 index ec0ac60a..00000000 --- a/targeted/macros/program/resmgrd_macros.te +++ /dev/null @@ -1,11 +0,0 @@ -# Macro for resmgrd - -define(`can_resmgrd_connect', ` -ifdef(`resmgrd.te', ` -allow $1 resmgrd_t:unix_stream_socket connectto; -allow $1 { var_t var_run_t }:dir search; -allow $1 resmgrd_var_run_t:sock_file write; -allow $1 resmgrd_t:fd use; -') -') - diff --git a/targeted/macros/program/rhgb_macros.te b/targeted/macros/program/rhgb_macros.te deleted file mode 100644 index 9700fba2..00000000 --- a/targeted/macros/program/rhgb_macros.te +++ /dev/null @@ -1,8 +0,0 @@ - -define(`rhgb_domain', ` -ifdef(`rhgb.te', ` -allow $1 rhgb_t:process sigchld; -allow $1 rhgb_t:fd use; -allow $1 rhgb_t:fifo_file { read write }; -')dnl end ifdef -') diff --git a/targeted/macros/program/rssh_macros.te b/targeted/macros/program/rssh_macros.te deleted file mode 100644 index 33fbdb58..00000000 --- a/targeted/macros/program/rssh_macros.te +++ /dev/null 
@@ -1,58 +0,0 @@ -# -# Macros for Rssh domains -# -# Author: Colin Walters -# - -# -# rssh_domain(domain_prefix) -# -# Define a specific rssh domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/rssh.te. -# -undefine(`rssh_domain') -ifdef(`rssh.te', ` -define(`rssh_domain',` -type rssh_$1_t, domain, userdomain, privlog, privfd; -role rssh_$1_r types rssh_$1_t; -allow system_r rssh_$1_r; - -type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type; -type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type; - -general_domain_access(rssh_$1_t); -uses_shlib(rssh_$1_t); -base_file_read_access(rssh_$1_t); -allow rssh_$1_t var_t:dir r_dir_perms; -r_dir_file(rssh_$1_t, etc_t); -allow rssh_$1_t etc_runtime_t:file { getattr read }; -r_dir_file(rssh_$1_t, locale_t); -can_exec(rssh_$1_t, bin_t); - -allow rssh_$1_t proc_t:dir { getattr search }; -allow rssh_$1_t proc_t:lnk_file { getattr read }; - -r_dir_file(rssh_$1_t, rssh_$1_ro_t); -create_dir_file(rssh_$1_t, rssh_$1_rw_t); - -can_create_pty(rssh_$1, `, userpty_type, user_tty_type') -# Use the type when relabeling pty devices. -type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t; - -ifdef(`ssh.te',` -allow rssh_$1_t sshd_t:fd use; -allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms; -allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms; -# For reading /home/user/.ssh -r_dir_file(sshd_t, rssh_$1_ro_t); -domain_trans(sshd_t, rssh_exec_t, rssh_$1_t); -') -') - -', ` - -define(`rssh_domain',`') - -') diff --git a/targeted/macros/program/run_program_macros.te b/targeted/macros/program/run_program_macros.te deleted file mode 100644 index c98bbee7..00000000 --- a/targeted/macros/program/run_program_macros.te +++ /dev/null 
@@ -1,73 +0,0 @@ - -# $1 is the source domain (or domains), $2 is the source role (or roles) and $3 -# is the base name for the domain to run. $1 is normally sysadm_t, and $2 is -# normally sysadm_r. $4 is the type of program to run and $5 is the domain to -# transition to. -# sample usage: -# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t) -# -# if you have several users who run the same run_init type program for -# different purposes (think of a run_db program used by several database -# administrators to start several databases) then you can list all the source -# domains in $1, all the source roles in $2, but you may not want to list all -# types of programs to run in $4 and target domains in $5 (as that may permit -# entering a domain from the wrong type). In such a situation just specify -# one value for each of $4 and $5 and have some rules such as the following: -# domain_trans(run_whatever_t, whatever_exec_t, whatever_t) - -define(`run_program', ` -type run_$3_exec_t, file_type, exec_type, sysadmfile; - -# domain for program to run in, needs to change role (priv_system_role), change -# identity to system_u (privuser), log failures to syslog (privlog) and -# authenticate users -type run_$3_t, domain, priv_system_role, privuser, privlog; -domain_auto_trans($1, run_$3_exec_t, run_$3_t) -role $2 types run_$3_t; - -domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t) -dontaudit run_$3_t shadow_t:file getattr; - -# for utmp -allow run_$3_t initrc_var_run_t:file rw_file_perms; -allow run_$3_t admin_tty_type:chr_file rw_file_perms; - -dontaudit run_$3_t devpts_t:dir { getattr read }; -dontaudit run_$3_t device_t:dir read; - -# for auth_chkpwd -dontaudit run_$3_t shadow_t:file read; -allow run_$3_t self:process { fork sigchld }; -allow run_$3_t self:fifo_file rw_file_perms; -allow run_$3_t self:capability setuid; -allow run_$3_t self:lnk_file read; - -# often the administrator runs such programs from a directory that is owned -# by a different user or 
has restrictive SE permissions, do not want to audit -# the failed access to the current directory -dontaudit run_$3_t file_type:dir search; -dontaudit run_$3_t self:capability { dac_override dac_read_search }; - -allow run_$3_t bin_t:lnk_file read; -can_exec(run_$3_t, { bin_t shell_exec_t }) -ifdef(`chkpwd.te', ` -can_exec(run_$3_t, chkpwd_exec_t) -') - -domain_trans(run_$3_t, $4, $5) -can_setexec(run_$3_t) - -allow run_$3_t privfd:fd use; -uses_shlib(run_$3_t) -allow run_$3_t lib_t:file { getattr read }; -can_getsecurity(run_$3_t) -r_dir_file(run_$3_t,selinux_config_t) -r_dir_file(run_$3_t,default_context_t) -allow run_$3_t self:unix_stream_socket create_socket_perms; -allow run_$3_t self:unix_dgram_socket create_socket_perms; -allow run_$3_t etc_t:file { getattr read }; -read_locale(run_$3_t) -allow run_$3_t fs_t:filesystem getattr; -allow run_$3_t { bin_t sbin_t }:dir search; -dontaudit run_$3_t device_t:dir { getattr search }; -') diff --git a/targeted/macros/program/samba_macros.te b/targeted/macros/program/samba_macros.te deleted file mode 100644 index d7667845..00000000 --- a/targeted/macros/program/samba_macros.te +++ /dev/null @@ -1,30 +0,0 @@ -# -# Macros for samba domains. -# - -# -# Authors: Dan Walsh -# - -# -# samba_domain(domain_prefix) -# -# Define a derived domain for the samba program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/samba.te. -# -undefine(`samba_domain') -ifdef(`samba.te', ` -define(`samba_domain',` -if ( samba_enable_home_dirs ) { -allow smbd_t home_root_t:dir r_dir_perms; -file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t) -dontaudit smbd_t $1_file_type:dir_file_class_set getattr; -} -') -', ` -define(`samba_domain',`') - -')dnl end if samba.te diff --git a/targeted/macros/program/screen_macros.te b/targeted/macros/program/screen_macros.te deleted file mode 100644 index e81a90a5..00000000 
--- a/targeted/macros/program/screen_macros.te +++ /dev/null 
@@ -1,113 +0,0 @@ -# -# Macros for screen domains. -# - -# -# Author: Russell Coker -# Based on the work of Stephen Smalley -# and Timothy Fraser -# - -# -# screen_domain(domain_prefix) -# -# Define a derived domain for the screen program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/screen.te. -# -undefine(`screen_domain') -ifdef(`screen.te', ` -define(`screen_domain',` -# Derived domain based on the calling user domain and the program. -type $1_screen_t, domain, privlog, privfd, nscd_client_domain; - -# Transition from the user domain to this domain. -domain_auto_trans($1_t, screen_exec_t, $1_screen_t) - -tmp_domain($1_screen, `', `{ dir file fifo_file }') -base_file_read_access($1_screen_t) -# The user role is authorized for this domain. -role $1_r types $1_screen_t; - -uses_shlib($1_screen_t) - -# for SSP -allow $1_screen_t urandom_device_t:chr_file read; - -# Revert to the user domain when a shell is executed. -domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t) -domain_auto_trans($1_screen_t, $1_home_t, $1_t) -if (use_nfs_home_dirs) { -domain_auto_trans($1_screen_t, nfs_t, $1_t) -} -if (use_samba_home_dirs) { -domain_auto_trans($1_screen_t, cifs_t, $1_t) -} - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;') - -home_domain_ro($1, screen) - -allow $1_screen_t privfd:fd use; - -# Write to utmp. 
-allow $1_screen_t initrc_var_run_t:file rw_file_perms; -ifdef(`utempter.te', ` -dontaudit $1_screen_t utempter_exec_t:file execute; -') - -# create pty devices -can_create_other_pty($1_screen, $1) -allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms; -allow $1_screen_t device_t:dir { getattr read }; - -allow $1_screen_t fs_t:filesystem getattr; - -# Create fifo -allow $1_screen_t var_t:dir search; -file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir) -type $1_screen_var_run_t, file_type, sysadmfile, pidfile; -file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) - -allow $1_screen_t self:process { fork signal_perms }; -allow $1_t $1_screen_t:process signal; -allow $1_screen_t $1_t:process signal; -allow $1_screen_t self:capability { setuid setgid fsetid }; - -dontaudit $1_screen_t shadow_t:file read; - -allow $1_screen_t tmp_t:dir search; -can_network($1_screen_t) -allow $1_screen_t port_type:tcp_socket name_connect; -can_ypbind($1_screen_t) - -# get stats -allow $1_screen_t proc_t:dir search; -allow $1_screen_t proc_t:file { getattr read }; -allow $1_screen_t proc_t:lnk_file read; -allow $1_screen_t etc_t:{ file lnk_file } { read getattr }; -allow $1_screen_t self:dir { search read }; -allow $1_screen_t self:lnk_file read; -allow $1_screen_t device_t:dir search; -allow $1_screen_t { home_root_t $1_home_dir_t }:dir search; - -# Internal screen networking -allow $1_screen_t self:fd use; -allow $1_screen_t self:unix_stream_socket create_socket_perms; -allow $1_screen_t self:unix_dgram_socket create_socket_perms; - -allow $1_screen_t bin_t:dir search; -allow $1_screen_t bin_t:lnk_file read; -read_locale($1_screen_t) - -dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr; -')dnl end screen_domain - -', ` - -define(`screen_domain',`') - -') diff --git a/targeted/macros/program/sendmail_macros.te b/targeted/macros/program/sendmail_macros.te deleted file mode 100644 index 540e0a25..00000000 
--- a/targeted/macros/program/sendmail_macros.te +++ /dev/null @@ -1,56 +0,0 @@ -# -# Macros for sendmail domains. -# - -# -# Authors: Stephen Smalley and Timothy Fraser -# Russell Coker -# - -# -# sendmail_user_domain(domain_prefix) -# -# Define a derived domain for the sendmail program when executed by -# a user domain to send outgoing mail. These domains are separate and -# independent of the domain used for the sendmail daemon process. -# -undefine(`sendmail_user_domain') -define(`sendmail_user_domain', ` - -# Use capabilities -allow $1_mail_t self:capability net_bind_service; - -tmp_domain($1_mail) - -# Write to /var/spool/mail and /var/spool/mqueue. -allow $1_mail_t mail_spool_t:dir rw_dir_perms; -allow $1_mail_t mail_spool_t:file create_file_perms; -allow $1_mail_t mqueue_spool_t:dir rw_dir_perms; -allow $1_mail_t mqueue_spool_t:file create_file_perms; - -# Write to /var/log/sendmail.st -file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t) - -allow $1_mail_t etc_mail_t:dir { getattr search }; - -allow $1_mail_t { var_t var_spool_t }:dir getattr; - -allow $1_mail_t etc_runtime_t:file { getattr read }; - -# Check available space. -allow $1_mail_t fs_t:filesystem getattr; - -allow $1_mail_t sysctl_kernel_t:dir search; - -ifelse(`$1', `sysadm', ` -allow $1_mail_t proc_t:dir { getattr search }; -allow $1_mail_t proc_t:{ lnk_file file } { getattr read }; -dontaudit $1_mail_t proc_net_t:dir search; -allow $1_mail_t sysctl_kernel_t:file { getattr read }; -allow $1_mail_t etc_runtime_t:file { getattr read }; -', ` -dontaudit $1_mail_t proc_t:dir search; -dontaudit $1_mail_t sysctl_kernel_t:file read; -')dnl end if sysadm -') - diff --git a/targeted/macros/program/slocate_macros.te b/targeted/macros/program/slocate_macros.te deleted file mode 100644 index 115022b0..00000000 --- a/targeted/macros/program/slocate_macros.te +++ /dev/null 
@@ -1,64 +0,0 @@ -# -# Macros for locate domains. -# - -# -# Author: Russell Coker -# - -# -# locate_domain(domain_prefix) -# -# Define a derived domain for the locate program when executed -# by a user domain. -# -# The type declaration for the executable type for this program is -# provided separately in domains/program/locate.te. -# -undefine(`locate_domain') -ifdef(`slocate.te', ` -define(`locate_domain',` -# Derived domain based on the calling user domain and the program. -type $1_locate_t, domain; - -allow $1_locate_t self:process signal; - -allow $1_locate_t etc_t:file { getattr read }; -allow $1_locate_t self:unix_stream_socket create_socket_perms; -r_dir_file($1_locate_t,locate_var_lib_t) -allow $1_locate_t var_lib_t:dir search; - -# Transition from the user domain to this domain. -domain_auto_trans($1_t, locate_exec_t, $1_locate_t) - -# The user role is authorized for this domain. -role $1_r types $1_locate_t; - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', ` -allow $1_locate_t $1_gph_t:fd use; -') - -allow $1_locate_t privfd:fd use; - -# allow ps to show locate -can_ps($1_t, $1_locate_t) -allow $1_t $1_locate_t:process signal; - -uses_shlib($1_locate_t) -access_terminal($1_locate_t, $1) - -allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search }; -allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read }; - -base_file_read_access($1_locate_t) -r_dir_file($1_locate_t, { etc_t lib_t var_t }) -dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms; -dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read }; -') - -', ` - -define(`locate_domain',`') - -') diff --git a/targeted/macros/program/spamassassin_macros.te b/targeted/macros/program/spamassassin_macros.te deleted file mode 100644 index c85cfc78..00000000 --- a/targeted/macros/program/spamassassin_macros.te +++ /dev/null 
@@ -1,128 +0,0 @@ -# -# Macros for spamassassin domains. -# -# Author: Colin Walters - -# spamassassin_domain(domain_prefix) -# -# Define derived domains for various spamassassin tools when executed -# by a user domain. -# -# The type declarations for the executable types of these programs are -# provided separately in domains/program/spamassassin.te and -# domains/program/spamc.te. -# -undefine(`spamassassin_domain') -ifdef(`spamassassin.te', `define(`using_spamassassin', `')') -ifdef(`spamd.te', `define(`using_spamassassin', `')') -ifdef(`spamc.te', `define(`using_spamassassin', `')') - -ifdef(`using_spamassassin',` - -####### -# Macros used internally in these spamassassin macros. -# - -### -# Define a domain for a spamassassin-like program (spamc/spamassassin). -# -# Note: most of this should really be in a generic macro like -# base_user_program($1, foo) -define(`spamassassin_program_domain',` -type $1_$2_t, domain, privlog $3; -domain_auto_trans($1_t, $2_exec_t, $1_$2_t) - -role $1_r types $1_$2_t; -general_domain_access($1_$2_t) - -base_file_read_access($1_$2_t) -r_dir_file($1_$2_t, etc_t) -ifdef(`sendmail.te', ` -r_dir_file($1_$2_t, etc_mail_t) -') -allow $1_$2_t etc_runtime_t:file r_file_perms; -uses_shlib($1_$2_t) -read_locale($1_$2_t) -dontaudit $1_$2_t var_t:dir search; -tmp_domain($1_$2) -allow $1_$2_t privfd:fd use; -allow $1_$2_t userpty_type:chr_file rw_file_perms; -') dnl end spamassassin_program_domain - -### -# Give privileges to a domain for accessing ~/.spamassassin -# and a few other misc things like /dev/random. -# This is granted to /usr/bin/spamassassin and -# /usr/sbin/spamd, but NOT spamc (because it does not need it). -# -define(`spamassassin_agent_privs',` -allow $1 home_root_t:dir r_dir_perms; -file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t) -create_dir_file($1, $2_spamassassin_home_t) - -allow $1 urandom_device_t:chr_file r_file_perms; -') - -####### -# Define the main spamassassin macro. 
This itself creates a -# domain for /usr/bin/spamassassin, and also spamc/spamd if -# applicable. -# -define(`spamassassin_domain',` -spamassassin_program_domain($1, spamassassin) - -# For perl libraries. -allow $1_spamassassin_t lib_t:file rx_file_perms; -# Ignore perl digging in /proc and /var. -dontaudit $1_spamassassin_t proc_t:dir search; -dontaudit $1_spamassassin_t proc_t:lnk_file read; -dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; - -# For ~/.spamassassin -home_domain($1, spamassassin) -file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir) - -spamassassin_agent_privs($1_spamassassin_t, $1) - -can_resolve($1_spamassassin_t) -# set tunable if you have spamassassin do DNS lookups -if (spamassasin_can_network) { -can_network($1_spamassassin_t) -allow $1_spamassassin_t port_type:tcp_socket name_connect; -} -if (spamassasin_can_network && allow_ypbind) { -uncond_can_ypbind($1_spamassassin_t) -} -### -# Define the domain for /usr/bin/spamc -# -ifdef(`spamc.te',` -spamassassin_program_domain($1, spamc, `, nscd_client_domain') -can_network($1_spamc_t) -allow $1_spamc_t port_type:tcp_socket name_connect; -can_ypbind($1_spamc_t) - -# Allow connecting to a local spamd -ifdef(`spamd.te',` -can_tcp_connect($1_spamc_t, spamd_t) -can_unix_connect($1_spamc_t, spamd_t) -allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; -') dnl endif spamd.te -') dnl endif spamc.te - -### -# Define the domain for /usr/sbin/spamd -# -ifdef(`spamd.te',` - -spamassassin_agent_privs(spamd_t, $1) - -') dnl endif spamd.te - -') dnl end spamassassin_domain - -', ` - -define(`spamassassin_domain',`') - -') diff --git a/targeted/macros/program/ssh_agent_macros.te b/targeted/macros/program/ssh_agent_macros.te deleted file mode 100644 index 7215f5c5..00000000 --- a/targeted/macros/program/ssh_agent_macros.te +++ /dev/null 
@@ -1,117 +0,0 @@
-#
-# Macros for ssh agent
-#
-
-#
-# Author: Thomas Bleher
-#
-
-#
-# ssh_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/ssh-agent.te.
-#
-define(`ssh_agent_domain',`
-# Define a derived domain for the ssh-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_ssh_agent_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_ssh_agent_t;
-
-allow $1_ssh_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_ssh_agent_t, $1)
-
-# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_agent_t:process signal;
-# allow ps to show ssh
-can_ps($1_t, $1_ssh_agent_t)
-
-can_ypbind($1_ssh_agent_t)
-if (use_nfs_home_dirs) {
-allow $1_ssh_agent_t autofs_t:dir { search getattr };
-rw_dir_create_file($1_ssh_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_ssh_agent_t, cifs_t)
-}
-
-uses_shlib($1_ssh_agent_t)
-read_locale($1_ssh_agent_t)
-
-allow $1_ssh_agent_t proc_t:dir search;
-dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-dontaudit $1_ssh_agent_t selinux_config_t:dir search;
-dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
-read_sysctl($1_ssh_agent_t)
-
-# Access the ssh temporary files. Should we have an own type here
-# to which only ssh, ssh-agent and ssh-add have access?
-allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
-file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
-allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
-allow $1_ssh_agent_t self:capability setgid;
-
-# access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-# for ssh-add
-can_unix_connect($1_t, $1_ssh_agent_t)
-
-# transition back to normal privs upon exec
-domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
-if (use_nfs_home_dirs) {
-domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
-}
-if (use_samba_home_dirs) {
-domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
-}
-allow $1_ssh_agent_t bin_t:dir search;
-
-# allow reading of /usr/bin/X11 (is a symlink)
-allow $1_ssh_agent_t bin_t:lnk_file read;
-
-allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;
-
-allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_ssh_t $1_tmp_t:sock_file write;
-allow $1_ssh_t $1_t:unix_stream_socket connectto;
-allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_ssh_agent_t)
-
-# kdm: sigchld
-allow $1_ssh_agent_t xdm_t:process sigchld;
-')
-
-#
-# Allow command to ssh-agent > ~/.ssh_agent
-#
-allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
-allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
-
-allow $1_ssh_agent_t etc_runtime_t:file { getattr read };
-allow $1_ssh_agent_t etc_t:file { getattr read };
-allow $1_ssh_agent_t lib_t:file { getattr read };
-
-allow $1_ssh_agent_t self:dir search;
-allow $1_ssh_agent_t self:file { getattr read };
-
-# Allow the ssh program to communicate with ssh-agent.
-allow $1_ssh_t $1_tmp_t:sock_file write;
-allow $1_ssh_t $1_t:unix_stream_socket connectto;
-allow $1_ssh_t sshd_t:unix_stream_socket connectto;
-')dnl end if ssh_agent
-
diff --git a/targeted/macros/program/ssh_macros.te b/targeted/macros/program/ssh_macros.te
deleted file mode 100644
index 0f6549f8..00000000
--- a/targeted/macros/program/ssh_macros.te
+++ /dev/null
@@ -1,168 +0,0 @@
-#
-# Macros for ssh domains.
-#
-
-#
-# Authors: Stephen Smalley
-# Russell Coker
-# Thomas Bleher
-#
-
-#
-# ssh_domain(domain_prefix)
-#
-# Define a derived domain for the ssh program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/ssh.te.
-#
-undefine(`ssh_domain')
-ifdef(`ssh.te', `
-define(`ssh_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_ssh_t, domain, privlog, nscd_client_domain;
-type $1_home_ssh_t, file_type, $1_file_type, sysadmfile;
-
-allow $1_ssh_t autofs_t:dir { search getattr };
-if (use_nfs_home_dirs) {
-create_dir_file($1_ssh_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_ssh_t, cifs_t)
-}
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_ssh_t;
-
-# Grant permissions within the domain.
-general_domain_access($1_ssh_t)
-
-# Use descriptors created by sshd
-allow $1_ssh_t privfd:fd use;
-
-uses_shlib($1_ssh_t)
-read_locale($1_ssh_t)
-
-# Get attributes of file systems.
-allow $1_ssh_t fs_type:filesystem getattr;
-
-base_file_read_access($1_ssh_t)
-
-# Read /var.
-r_dir_file($1_ssh_t, var_t)
-
-# Read /var/run, /var/log.
-allow $1_ssh_t var_run_t:dir r_dir_perms;
-allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
-allow $1_ssh_t var_log_t:dir r_dir_perms;
-allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
-
-# Read /etc.
-r_dir_file($1_ssh_t, etc_t)
-allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow $1_ssh_t device_t:dir r_dir_perms;
-allow $1_ssh_t device_t:lnk_file r_file_perms;
-
-# Read /dev/urandom.
-allow $1_ssh_t urandom_device_t:chr_file r_file_perms;
-
-# Read and write /dev/null.
-allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Grant permissions needed to create TCP and UDP sockets and
-# to access the network.
-can_network_client_tcp($1_ssh_t)
-allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
-can_resolve($1_ssh_t)
-can_ypbind($1_ssh_t)
-can_kerberos($1_ssh_t)
-
-# for port forwarding
-if (user_tcp_server) {
-allow $1_ssh_t port_t:tcp_socket name_bind;
-}
-
-# Use capabilities.
-allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
-
-# run helper programs - needed eg for x11-ssh-askpass
-can_exec($1_ssh_t, { shell_exec_t bin_t })
-
-# Read the ssh key file.
-allow $1_ssh_t sshd_key_t:file r_file_perms;
-
-# Access the ssh temporary files.
-file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t)
-allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
-
-# for rsync
-allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms;
-
-# Access the users .ssh directory.
-file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
-file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
-allow $1_t $1_home_ssh_t:sock_file create_file_perms;
-allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;
-allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read };
-dontaudit $1_ssh_t $1_home_t:dir { getattr search };
-r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
-rw_dir_create_file($1_t, $1_home_ssh_t)
-
-# for /bin/sh used to execute xauth
-dontaudit $1_ssh_t proc_t:dir search;
-dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
-
-# Write to the user domain tty.
-access_terminal($1_ssh_t, $1)
-
-# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_t:process signal;
-# allow ps to show ssh
-can_ps($1_t, $1_ssh_t)
-
-# Connect to X server
-x_client_domain($1_ssh, $1)
-
-ifdef(`ssh-agent.te', `
-ssh_agent_domain($1)
-')dnl end if ssh_agent.te
-
-#allow ssh to access keys stored on removable media
-# Should we have a boolean around this?
-allow $1_ssh_t mnt_t:dir search;
-r_dir_file($1_ssh_t, removable_t)
-
-type $1_ssh_keysign_t, domain, nscd_client_domain;
-role $1_r types $1_ssh_keysign_t;
-
-if (allow_ssh_keysign) {
-domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
-allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
-allow $1_ssh_keysign_t self:capability { setgid setuid };
-allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
-uses_shlib($1_ssh_keysign_t)
-dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
-dontaudit $1_ssh_keysign_t proc_t:dir search;
-dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
-allow $1_ssh_keysign_t usr_t:dir search;
-allow $1_ssh_keysign_t etc_t:file { getattr read };
-allow $1_ssh_keysign_t self:dir search;
-allow $1_ssh_keysign_t self:file { getattr read };
-allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
-}
-
-')dnl end macro definition
-', `
-
-define(`ssh_domain',`')
-
-')dnl end if ssh.te
diff --git a/targeted/macros/program/su_macros.te b/targeted/macros/program/su_macros.te
deleted file mode 100644
index 206f58ef..00000000
--- a/targeted/macros/program/su_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-#
-# Macros for su domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#
-# su_domain(domain_prefix)
-#
-# Define a derived domain for the su program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te.
-#
-
-undefine(`su_restricted_domain')
-undefine(`su_mini_domain')
-undefine(`su_domain')
-ifdef(`su.te', `
-
-define(`su_restricted_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
-ifdef(`support_polyinstantiation', `
-typeattribute $1_su_t mlsfileread;
-typeattribute $1_su_t mlsfilewrite;
-typeattribute $1_su_t mlsfileupgrade;
-typeattribute $1_su_t mlsfiledowngrade;
-typeattribute $1_su_t mlsprocsetsl;
-')
-
-# for SSP
-allow $1_su_t urandom_device_t:chr_file { getattr read };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, su_exec_t, $1_su_t)
-
-allow $1_su_t sbin_t:dir search;
-
-uses_shlib($1_su_t)
-allow $1_su_t etc_t:file { getattr read };
-read_locale($1_su_t)
-read_sysctl($1_su_t)
-allow $1_su_t self:unix_dgram_socket { connect create write };
-allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_su_t self:fifo_file rw_file_perms;
-allow $1_su_t proc_t:dir search;
-allow $1_su_t proc_t:lnk_file read;
-r_dir_file($1_su_t, self)
-allow $1_su_t proc_t:file read;
-allow $1_su_t self:process { setsched setrlimit };
-allow $1_su_t device_t:dir search;
-allow $1_su_t self:process { fork sigchld };
-nsswitch_domain($1_su_t)
-r_dir_file($1_su_t, selinux_config_t)
-
-dontaudit $1_su_t shadow_t:file { getattr read };
-dontaudit $1_su_t home_root_t:dir search;
-dontaudit $1_su_t init_t:fd use;
-allow $1_su_t var_lib_t:dir search;
-allow $1_t $1_su_t:process signal;
-
-ifdef(`crond.te', `
-allow $1_su_t crond_t:fifo_file read;
-')
-
-# Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write };
-dontaudit $1_su_t self:capability sys_tty_config;
-#
-# Caused by su - init scripts
-#
-dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_su_t, shell_exec_t, $1_t)
-allow $1_su_t bin_t:dir search;
-allow $1_su_t bin_t:lnk_file read;
-
-# But also allow transitions to unprivileged user domains.
-domain_trans($1_su_t, shell_exec_t, unpriv_userdomain)
-can_setexec($1_su_t)
-
-# Get security decisions
-can_getsecurity($1_su_t)
-r_dir_file($1_su_t, default_context_t)
-
-allow $1_su_t privfd:fd use;
-
-# Write to utmp.
-allow $1_su_t { var_t var_run_t }:dir search;
-allow $1_su_t initrc_var_run_t:file rw_file_perms;
-can_kerberos($1_su_t)
-
-ifdef(`chkpwd.te', `
-domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
-')
-
-allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-
-') dnl end su_restricted_domain
-
-define(`su_mini_domain', `
-su_restricted_domain($1,$1)
-if(!secure_mode)
-{
- # if we are not in secure mode then we can transition to sysadm_t
- domain_trans($1_su_t, shell_exec_t, sysadm_t)
-}
-
-# Relabel ttys and ptys.
-allow $1_su_t device_t:dir { getattr read search };
-allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Close and re-open ttys and ptys to get the fd into the correct domain.
-allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
-
-')dnl end su_mini_domain
-
-define(`su_domain', `
-su_mini_domain($1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
-
-# The user role is authorized for this domain.
-role $1_r types $1_su_t;
-
-# Write to the user domain tty.
-access_terminal($1_su_t, $1)
-
-allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
-allow $1_su_t $1_home_t:file create_file_perms;
-ifdef(`user_canbe_sysadm', `
-allow $1_su_t home_dir_type:dir { search write };
-', `
-dontaudit $1_su_t home_dir_type:dir { search write };
-')
-
-allow $1_su_t autofs_t:dir { search getattr };
-if (use_nfs_home_dirs) {
-allow $1_su_t nfs_t:dir search;
-}
-if (use_samba_home_dirs) {
-allow $1_su_t cifs_t:dir search;
-}
-
-ifdef(`support_polyinstantiation', `
-# Su can polyinstantiate
-polyinstantiater($1_su_t)
-# Su has to unmount polyinstantiated directories (like home)
-# that should not be polyinstantiated under the new user
-allow $1_su_t fs_t:filesystem unmount;
-# Su needs additional permission to mount over a previous mount
-allow $1_su_t polymember:dir mounton;
-')
-
-# Modify .Xauthority file (via xauth program).
-ifdef(`xauth.te', `
-file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
-')
-
-ifdef(`cyrus.te', `
-allow $1_su_t cyrus_var_lib_t:dir search;
-')
-ifdef(`ssh.te', `
-# Access sshd cookie files.
-allow $1_su_t sshd_tmp_t:dir rw_dir_perms;
-allow $1_su_t sshd_tmp_t:file rw_file_perms;
-file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-')
-
-allow $1_su_t var_lib_t:dir search;
-dontaudit $1_su_t init_t:fd use;
-')dnl end su_domain
-
-', `
-
-define(`su_domain',`')
-
-')
-
diff --git a/targeted/macros/program/sudo_macros.te b/targeted/macros/program/sudo_macros.te
deleted file mode 100644
index b2b4e1cb..00000000
--- a/targeted/macros/program/sudo_macros.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# Authors: Dan Walsh, Russell Coker
-# Maintained by Dan Walsh
-define(`sudo_domain',`
-newrole_domain($1_sudo, `, privuser')
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
-')
-
-allow $1_sudo_t self:capability sys_resource;
-
-allow $1_sudo_t self:process setrlimit;
-
-ifdef(`pam.te', `
-allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
-allow $1_sudo_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
-allow $1_sudo_t sysctl_t:dir search;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
-read_sysctl($1_sudo_t)
-
-allow $1_sudo_t var_run_t:dir search;
-r_dir_file($1_sudo_t, default_context_t)
-rw_dir_create_file($1_sudo_t, $1_tmp_t)
-rw_dir_create_file($1_sudo_t, $1_home_t)
-domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
-')
diff --git a/targeted/macros/program/thunderbird_macros.te b/targeted/macros/program/thunderbird_macros.te
deleted file mode 100644
index 2c0711d1..00000000
--- a/targeted/macros/program/thunderbird_macros.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Thunderbird
-#
-# Author: Ivan Gyurdiev
-#
-
-#######################################
-# thunderbird_domain(role_prefix)
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`thunderbird_domain', `
-
-# Type for program
-type $1_thunderbird_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_thunderbird_trans) {
-domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
-}
-role $1_r types $1_thunderbird_t;
-
-# FIXME: Why does it try to do that?
-dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
-
-# Why is thunderbird looking in .mozilla ?
-# FIXME: there are legitimate uses of invoking the browser - about -> release notes
-dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
-
-# .kde/....gtkrc
-# FIXME: support properly
-dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
-
-# X, mail common stuff
-x_client_domain($1_thunderbird, $1)
-mail_client_domain($1_thunderbird, $1)
-
-allow $1_thunderbird_t self:process signull;
-allow $1_thunderbird_t fs_t:filesystem getattr;
-
-# GNOME support
-ifdef(`gnome.te', `
-gnome_application($1_thunderbird, $1)
-gnome_file_dialog($1_thunderbird, $1)
-allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
-')
-
-# Access ~/.thunderbird
-home_domain($1, thunderbird)
-
-# RSS feeds
-can_network_client_tcp($1_thunderbird_t, http_port_t)
-allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
-
-allow $1_thunderbird_t self:process { execheap execmem execstack };
-
-')
diff --git a/targeted/macros/program/tvtime_macros.te b/targeted/macros/program/tvtime_macros.te
deleted file mode 100644
index d965ae1e..00000000
--- a/targeted/macros/program/tvtime_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for tvtime domains.
-#
-
-#
-# Author: Dan Walsh
-#
-
-#
-# tvtime_domain(domain_prefix)
-#
-# Define a derived domain for the tvtime program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/tvtime.te.
-#
-undefine(`tvtime_domain')
-ifdef(`tvtime.te', `
-define(`tvtime_domain',`
-
-# Type transition
-type $1_tvtime_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
-role $1_r types $1_tvtime_t;
-
-# X access, Home files
-home_domain($1, tvtime)
-file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir)
-x_client_domain($1_tvtime, $1)
-
-uses_shlib($1_tvtime_t)
-read_locale($1_tvtime_t)
-read_sysctl($1_tvtime_t)
-access_terminal($1_tvtime_t, $1)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_tvtime_t)
-allow $1_t $1_tvtime_t:process signal_perms;
-
-# Read /etc/tvtime
-allow $1_tvtime_t etc_t:file { getattr read };
-
-# Tmp files
-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
-
-allow $1_tvtime_t urandom_device_t:chr_file read;
-allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
-allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
-allow $1_tvtime_t $1_home_t:dir { getattr read search };
-allow $1_tvtime_t $1_home_t:file { getattr read };
-allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
-allow $1_tvtime_t self:process setsched;
-allow $1_tvtime_t usr_t:file { getattr read };
-
-')dnl end tvtime_domain
-
-', `
-
-define(`tvtime_domain',`')
-
-')
-
diff --git a/targeted/macros/program/uml_macros.te b/targeted/macros/program/uml_macros.te
deleted file mode 100644
index bc635f86..00000000
--- a/targeted/macros/program/uml_macros.te
+++ /dev/null
@@ -1,137 +0,0 @@
-#
-# Macros for uml domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# uml_domain(domain_prefix)
-#
-# Define a derived domain for the uml program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/uml.te.
-#
-undefine(`uml_domain')
-ifdef(`uml.te', `
-define(`uml_domain',`
-
-# Derived domain based on the calling user domain and the program.
-type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_ro_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_rw_t, file_type, sysadmfile, $1_file_type;
-
-# for X
-ifdef(`startx.te', `
-ifelse($1, sysadm, `', `
-ifdef(`xdm.te', `
-allow $1_uml_t xdm_xserver_tmp_t:dir search;
-')dnl end if xdm.te
-allow $1_uml_t $1_xserver_tmp_t:sock_file write;
-can_unix_connect($1_uml_t, $1_xserver_t)
-')dnl end ifelse sysadm
-')dnl end ifdef startx
-
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
-allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
-r_dir_file($1_t, uml_ro_t)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
-can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
-
-# The user role is authorized for this domain.
-role $1_r types $1_uml_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;')
-
-# allow ps, ptrace, signal
-can_ps($1_t, $1_uml_t)
-can_ptrace($1_t, $1_uml_t)
-allow $1_t $1_uml_t:process signal_perms;
-
-# allow the UML thing to happen
-allow $1_uml_t self:process { fork signal_perms ptrace };
-can_create_pty($1_uml)
-allow $1_uml_t root_t:dir search;
-tmp_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmp_t)
-tmpfs_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmpfs_t)
-create_dir_file($1_t, $1_uml_tmp_t)
-allow $1_t $1_uml_tmp_t:sock_file create_file_perms;
-allow $1_uml_t self:fifo_file rw_file_perms;
-allow $1_uml_t fs_t:filesystem getattr;
-
-allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl };
-
-ifdef(`uml_net.te', `
-# for uml_net
-domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
-allow uml_net_t $1_uml_t:unix_stream_socket { read write };
-allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
-dontaudit uml_net_t privfd:fd use;
-can_access_pty(uml_net_t, $1_uml)
-dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
-')dnl end ifdef uml_net.te
-
-# for mconsole
-allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
-allow $1_uml_t $1_t:unix_dgram_socket sendto;
-
-# Use the network.
-can_network($1_uml_t)
-allow $1_uml_t port_type:tcp_socket name_connect;
-can_ypbind($1_uml_t)
-
-# for xterm
-uses_shlib($1_uml_t)
-can_exec($1_uml_t, { bin_t sbin_t lib_t })
-allow $1_uml_t { bin_t sbin_t }:dir search;
-allow $1_uml_t etc_t:file { getattr read };
-dontaudit $1_uml_t etc_runtime_t:file read;
-can_tcp_connect($1_uml_t, sshd_t)
-ifdef(`xauth.te', `
-allow $1_uml_t $1_xauth_home_t:file { getattr read };
-')
-allow $1_uml_t var_run_t:dir search;
-allow $1_uml_t initrc_var_run_t:file { getattr read };
-dontaudit $1_uml_t initrc_var_run_t:file { write lock };
-
-allow $1_uml_t device_t:dir search;
-allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_uml_t self:unix_dgram_socket create_socket_perms;
-allow $1_uml_t privfd:fd use;
-allow $1_uml_t proc_t:dir search;
-allow $1_uml_t proc_t:file { getattr read };
-
-# for SKAS - need something better
-allow $1_uml_t proc_t:file write;
-
-# Write to the user domain tty.
-access_terminal($1_uml_t, $1)
-
-# access config files
-allow $1_uml_t home_root_t:dir search;
-file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)
-r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t })
-
-# putting uml data under /var is usual...
-allow $1_uml_t var_t:dir search;
-')dnl end macro definition
-
-', `
-
-define(`uml_domain',`')
-
-')
diff --git a/targeted/macros/program/userhelper_macros.te b/targeted/macros/program/userhelper_macros.te
deleted file mode 100644
index 2c715d37..00000000
--- a/targeted/macros/program/userhelper_macros.te
+++ /dev/null
@@ -1,142 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors: Dan Walsh (Red Hat)
-# Maintained by Dan Walsh
-#
-
-#
-# userhelper_domain(domain_prefix)
-#
-# Define a derived domain for the userhelper/userhelper program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/userhelper.te.
-#
-define(`userhelper_domain',`
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
-
-in_user_role($1_userhelper_t)
-role sysadm_r types $1_userhelper_t;
-
-ifelse($1, sysadm, `
-typealias sysadm_userhelper_t alias userhelper_t;
-domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-general_domain_access($1_userhelper_t);
-
-uses_shlib($1_userhelper_t)
-read_locale($1_userhelper_t)
-read_sysctl($1_userhelper_t)
-
-# for when the user types "exec userhelper" at the command line
-allow $1_userhelper_t privfd:process sigchld;
-
-domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t)
-
-# Inherit descriptors from the current session.
-allow $1_userhelper_t { init_t privfd }:fd use;
-
-can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t })
-
-# Execute shells
-allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms;
-allow $1_userhelper_t { sbin_t bin_t }:lnk_file read;
-allow $1_userhelper_t shell_exec_t:file r_file_perms;
-
-# By default, revert to the calling domain when a program is executed.
-domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t)
-
-# Allow $1_userhelper_t to transition to user domains.
-domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain)
-if (!secure_mode) {
- # if we are not in secure mode then we can transition to sysadm_t
- domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t)
-}
-can_setexec($1_userhelper_t)
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-# Allow transitioning to rpm_t, for up2date
-allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };
-')
-')
-
-# Use capabilities.
-allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
-
-# Write to utmp.
-file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file)
-
-# Read the devpts root directory.
-allow $1_userhelper_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-allow $1_userhelper_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_userhelper_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_userhelper_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;')
-
-#
-# Allow $1_userhelper to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_userhelper_t)
-
-allow $1_userhelper_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_userhelper_t proc_t:dir search;
-allow $1_userhelper_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_userhelper_t:process signal;
-
-allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
-allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
-
-ifdef(`pam.te', `
-allow $1_userhelper_t pam_var_run_t:dir create_dir_perms;
-allow $1_userhelper_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_userhelper_t urandom_device_t:chr_file { getattr read };
-
-allow $1_userhelper_t autofs_t:dir search;
-role system_r types $1_userhelper_t;
-r_dir_file($1_userhelper_t, nfs_t)
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_userhelper_t)
-allow $1_userhelper_t xdm_var_run_t:dir search;
-')
-
-r_dir_file($1_userhelper_t, selinux_config_t)
-r_dir_file($1_userhelper_t, default_context_t)
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
-allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-allow $1_userhelper_t pam_var_console_t:dir { search };
-')
-
-ifdef(`mozilla.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
-
-')dnl end userhelper macro
diff --git a/targeted/macros/program/vmware_macros.te b/targeted/macros/program/vmware_macros.te
deleted file mode 100644
index bb0914a5..00000000
--- a/targeted/macros/program/vmware_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@
-# Macro for vmware
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com),
-# modifications by NAI Labs.
-#
-# Turned into a macro by Thomas Bleher
-#
-# vmware_domain(domain_prefix)
-#
-# Define a derived domain for the vmware program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/vmware.te. This file also
-# implements a separate domain vmware_t.
-#
-
-define(`vmware_domain', `
-
-# Domain for the user applications to run in.
-type $1_vmware_t, domain, privmem;
-
-role $1_r types $1_vmware_t;
-
-# The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
-
-# The user file type for the VMWare configuration files
-type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
-
-#############################################################
-# User rules for running VMWare
-#
-# Transition to VMWare user domain
-domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
-can_exec($1_vmware_t, vmware_user_exec_t)
-uses_shlib($1_vmware_t)
-var_run_domain($1_vmware)
-
-general_domain_access($1_vmware_t);
-
-# Capabilities needed by VMWare for the user execution. This seems a
-# bit too much, so be careful.
-allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
-
-# Access to ttys
-allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
-allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_vmware_t privfd:fd use;
-
-# Access /proc
-r_dir_file($1_vmware_t, proc_t)
-allow $1_vmware_t proc_net_t:dir search;
-allow $1_vmware_t proc_net_t:file { getattr read };
-
-# Access to some files in the user home directory
-r_dir_file($1_vmware_t, $1_home_t)
-
-# Access to runtime files for user
-allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
-allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
-allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
-
-# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
-r_dir_file($1_vmware_t, vmware_sys_conf_t)
-
-# Allow $1_vmware_t to read/write files in the tmp dir
-tmp_domain($1_vmware)
-allow $1_vmware_t $1_vmware_tmp_t:file execute;
-
-# Allow read access to several paths
-r_dir_file($1_vmware_t, etc_t)
-allow $1_vmware_t etc_runtime_t:file r_file_perms;
-allow $1_vmware_t device_t:dir r_dir_perms;
-allow $1_vmware_t var_t:dir r_dir_perms;
-allow $1_vmware_t tmpfs_t:file rw_file_perms;
-
-# Allow vmware to write to ~/.vmware
-rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
-
-#
-# This is bad; VMWare needs execute permission to the .cfg file for the
-# configuration to run.
-#
-allow $1_vmware_t $1_vmware_conf_t:file execute;
-
-# Access X11 config files
-allow $1_vmware_t lib_t:file r_file_perms;
-
-# Access components of VMWare in /usr/lib/vmware/bin by default
-allow $1_vmware_t bin_t:dir r_dir_perms;
-
-# Allow access to lp port (Need to create an lp device domain )
-allow $1_vmware_t device_t:chr_file r_file_perms;
-
-# Allow access to /dev/mem
-allow $1_vmware_t memory_device_t:chr_file { read write };
-
-# Allow access to mouse
-allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
-
-# Allow access the sound device
-allow $1_vmware_t sound_device_t:chr_file { ioctl write };
-
-# Allow removable media and devices
-allow $1_vmware_t removable_device_t:blk_file r_file_perms;
-allow $1_vmware_t device_t:lnk_file read;
-
-# Allow access to the real time clock device
-allow $1_vmware_t clock_device_t:chr_file read;
-
-# Allow to attach to Xserver, and Xserver to attach back
-ifdef(`gnome-pty-helper.te', `
-allow $1_vmware_t $1_gph_t:fd use;
-')
-ifdef(`startx.te', `
-allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
-allow $1_vmware_t $1_xserver_tmp_t:dir search;
-allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
-allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
-allow $1_xserver_t $1_vmware_t:fd use;
-')
-
-# Allow filesystem read access
-allow $1_vmware_t fs_t:filesystem getattr;
-
-')
-
diff --git a/targeted/macros/program/x_client_macros.te b/targeted/macros/program/x_client_macros.te
deleted file mode 100644
index adce9f0f..00000000
--- a/targeted/macros/program/x_client_macros.te
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# Macros for X client programs
-#
-
-#
-# Author: Russell Coker
-# Based on the work of Stephen Smalley
-# and Timothy Fraser
-#
-
-# Allows clients to write to the X server's shm
-bool allow_write_xshm false;
-
-define(`xsession_domain', `
-
-# Connect to xserver
-can_unix_connect($1_t, $2_xserver_t)
-
-# Read /tmp/.X0-lock
-allow $1_t $2_xserver_tmp_t:file { getattr read };
-
-# Signal Xserver
-allow $1_t $2_xserver_t:process signal;
-
-# Xserver read/write client shm
-allow $2_xserver_t $1_t:fd use;
-allow $2_xserver_t $1_t:shm rw_shm_perms;
-allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
-
-# Client read xserver shm
-allow $1_t $2_xserver_t:fd use;
-allow $1_t $2_xserver_t:shm r_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
-
-# Client write xserver shm
-if (allow_write_xshm) {
-allow $1_t $2_xserver_t:shm rw_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
-}
-
-')
-
-#
-# x_client_domain(client, role)
-#
-# Defines common X access rules for the client domain
-#
-define(`x_client_domain',`
-
-# Create socket to communicate with X server
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
-# Read .Xauthority file
-ifdef(`xauth.te',`
-allow $1_t home_root_t:dir { search getattr };
-allow $1_t $2_home_dir_t:dir { search getattr };
-allow $1_t $2_xauth_home_t:file { getattr read };
-')
-
-# for .xsession-errors
-dontaudit $1_t $2_home_t:file write;
-
-# for X over a ssh tunnel
-ifdef(`ssh.te', `
-can_tcp_connect($1_t, sshd_t)
-')
-
-# Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1)
-allow $1_t self:shm create_shm_perms;
-
-# allow X client to read all font files
-read_fonts($1_t, $2)
-
-# Allow connections to X server.
-ifdef(`xserver.te', `
-allow $1_t tmp_t:dir search;
-
-ifdef(`xdm.te', `
-xsession_domain($1, xdm)
-
-# for when /tmp/.X11-unix is created by the system
-can_pipe_xdm($1_t)
-allow $1_t xdm_tmp_t:dir search;
-allow $1_t xdm_tmp_t:sock_file { read write };
-dontaudit $1_t xdm_t:tcp_socket { read write };
-')
-
-ifdef(`startx.te', `
-xsession_domain($1, $2)
-')dnl end startx
-
-')dnl end xserver
-
-')dnl end x_client macro
diff --git a/targeted/macros/program/xauth_macros.te b/targeted/macros/program/xauth_macros.te
deleted file mode 100644
index ca7a5ee0..00000000
--- a/targeted/macros/program/xauth_macros.te
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Macros for xauth domains.
-#
-
-#
-# Author: Russell Coker
-#
-
-#
-# xauth_domain(domain_prefix)
-#
-# Define a derived domain for the xauth program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/xauth.te.
-#
-undefine(`xauth_domain')
-ifdef(`xauth.te', `
-define(`xauth_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_xauth_t, domain;
-
-allow $1_xauth_t self:process signal;
-
-home_domain($1, xauth)
-file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
-ifdef(`ssh.te', `
-domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
-allow $1_xauth_t sshd_t:fifo_file { getattr read };
-dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
-allow $1_xauth_t sshd_t:process sigchld;
-')dnl end if ssh
-
-# The user role is authorized for this domain.
-role $1_r types $1_xauth_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_xauth_t $1_gph_t:fd use;
-')
-
-allow $1_xauth_t privfd:fd use;
-allow $1_xauth_t ptmx_t:chr_file { read write };
-
-# allow ps to show xauth
-can_ps($1_t, $1_xauth_t)
-allow $1_t $1_xauth_t:process signal;
-
-uses_shlib($1_xauth_t)
-
-# allow DNS lookups...
-can_resolve($1_xauth_t)
-can_ypbind($1_xauth_t)
-ifdef(`named.te', `
-can_udp_send($1_xauth_t, named_t)
-can_udp_send(named_t, $1_xauth_t)
-')dnl end if named.te
-
-allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_xauth_t etc_t:file { getattr read };
-allow $1_xauth_t fs_t:filesystem getattr;
-
-# Write to the user domain tty.
-access_terminal($1_xauth_t, $1)
-
-# Scan /var/run.
-allow $1_xauth_t var_t:dir search;
-allow $1_xauth_t var_run_t:dir search;
-
-tmp_domain($1_xauth)
-allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
-
-')dnl end xauth_domain macro
-
-', `
-
-define(`xauth_domain',`')
-
-')dnl end if xauth.te
diff --git a/targeted/macros/program/xdm_macros.te b/targeted/macros/program/xdm_macros.te
deleted file mode 100644
index bea127f4..00000000
--- a/targeted/macros/program/xdm_macros.te
+++ /dev/null
@@ -1,13 +0,0 @@
-########################################
-#
-# can_pipe_xdm(domain)
-#
-# Allow communication to xdm over a pipe
-#
-
-define(`can_pipe_xdm', `
-ifdef(`xdm.te', `
-allow $1 xdm_t:fd use;
-allow $1 xdm_t:fifo_file { getattr read write ioctl };
-')
-') dnl can_pipe_xdm
diff --git a/targeted/macros/program/xserver_macros.te b/targeted/macros/program/xserver_macros.te
deleted file mode 100644
index e2eaf824..00000000
--- a/targeted/macros/program/xserver_macros.te
+++ /dev/null
@@ -1,274 +0,0 @@
-#
-# Macros for X server domains.
-#
-
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-#################################
-#
-# xserver_domain(domain_prefix)
-#
-# Define a derived domain for the X server when executed
-# by a user domain (e.g. via startx). See the xdm_t domain
-# in domains/program/xdm.te if using an X Display Manager.
-#
-# The type declarations for the executable type for this program
-# and the log type are provided separately in domains/program/xserver.te.
-#
-# FIXME! The X server requires far too many privileges.
-#
-undefine(`xserver_domain')
-ifdef(`xserver.te', `
-
-define(`xserver_domain',`
-# Derived domain based on the calling user domain and the program.
-ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
-allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
-ifdef(`rpm.te', `
-allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-allow $1_xserver_t rpm_tmpfs_t:file { read write };
-allow $1_xserver_t rpm_t:fd use;
-')
-
-', `
-type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
-')
-
-# for SSP
-allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
-
-# Transition from the user domain to this domain.
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
-')
-', `
-domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
-')dnl end ifelse xdm
-can_exec($1_xserver_t, xserver_exec_t)
-
-uses_shlib($1_xserver_t)
-
-allow $1_xserver_t texrel_shlib_t:file execmod;
-
-can_network($1_xserver_t)
-allow $1_xserver_t port_type:tcp_socket name_connect;
-can_ypbind($1_xserver_t)
-allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
-
-# for access within the domain
-general_domain_access($1_xserver_t)
-
-allow $1_xserver_t self:process execmem;
-# Until the X module loader is fixed.
-allow $1_xserver_t self:process execheap;
-
-allow $1_xserver_t etc_runtime_t:file { getattr read };
-
-ifelse($1, xdm, `
-# The system role is authorised for the xdm and initrc domains
-role system_r types xdm_xserver_t;
-
-allow xdm_xserver_t init_t:fd use;
-
-dontaudit xdm_xserver_t home_dir_type:dir { read search };
-
-# Read all global and per user fonts
-read_fonts($1_xserver_t, sysadm)
-read_fonts($1_xserver_t, staff)
-read_fonts($1_xserver_t, user)
-
-', `
-# The user role is authorized for this domain.
-role $1_r types $1_xserver_t;
-
-allow $1_xserver_t getty_t:fd use;
-allow $1_xserver_t local_login_t:fd use;
-allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
-allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
-
-can_unix_connect($1_t, $1_xserver_t)
-
-# Read fonts
-read_fonts($1_xserver_t, $1)
-
-# Access the home directory.
-allow $1_xserver_t home_root_t:dir search;
-allow $1_xserver_t $1_home_dir_t:dir { getattr search };
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
-allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-', `
-allow $1_xserver_t $1_home_t:file { getattr read };
-')dnl end ifdef xauth
-ifdef(`userhelper.te', `
-allow $1_xserver_t userhelper_conf_t:dir search;
-')dnl end ifdef userhelper
-')dnl end ifelse xdm
-
-allow $1_xserver_t self:process setsched;
-
-allow $1_xserver_t fs_t:filesystem getattr;
-
-# Xorg wants to check if kernel is tainted
-read_sysctl($1_xserver_t)
-
-# Use capabilities.
-# allow setuid/setgid for the wrapper program to change UID
-# sys_rawio is for iopl access - should not be needed for frame-buffer
-# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
-# admin of APM bios?
-# sys_nice is so that the X server can set a negative nice value
-allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-allow $1_xserver_t nfs_t:dir { getattr search };
-
-# memory_device_t access is needed if not using the frame buffer
-#dontaudit $1_xserver_t memory_device_t:chr_file read;
-allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
-# net_bind_service is needed if you want your X server to allow TCP connections
-# from other hosts, EG an XDM serving a network of X terms
-# if you want good security you do not want this
-# not sure why some people want chown, fsetid, and sys_tty_config.
-#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
-dontaudit $1_xserver_t self:capability chown;
-
-# for nscd
-dontaudit $1_xserver_t var_run_t:dir search;
-
-allow $1_xserver_t mtrr_device_t:file rw_file_perms;
-allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
-allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
-allow $1_xserver_t device_t:lnk_file { getattr read };
-allow $1_xserver_t devtty_t:chr_file rw_file_perms;
-allow $1_xserver_t zero_device_t:chr_file { read write execute };
-
-# Type for temporary files.
-tmp_domain($1_xserver, `', `{ dir file sock_file }')
-file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
-
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-allow xdm_t $1_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_xserver_t xdm_t:process signal;
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_t xdm_xserver_t:shm rw_shm_perms;
-dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-')
-', `
-allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_t $1_xserver_t:process signal;
-
-# Allow the user domain to connect to the X server.
-can_unix_connect($1_t, $1_xserver_t)
-allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
-ifdef(`xdm.te', `
-allow $1_t xdm_tmp_t:sock_file unlink;
-allow $1_xserver_t xdm_var_run_t:dir search;
-')
-
-# Signal the user domain.
-allow $1_xserver_t $1_t:process signal;
-
-# Communicate via System V shared memory.
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-allow $1_t $1_xserver_t:shm rw_shm_perms;
-allow $1_xserver_t initrc_t:shm rw_shm_perms;
-
-')dnl end ifelse xdm
-
-# Create files in /var/log with the xserver_log_t type.
-allow $1_xserver_t var_t:dir search;
-file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
-allow $1_xserver_t xserver_log_t:dir r_dir_perms;
-
-# Access AGP device.
-allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
-
-# for other device nodes such as the NVidia binary-only driver
-allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
-
-# Access /proc/mtrr
-allow $1_xserver_t proc_t:file rw_file_perms;
-allow $1_xserver_t proc_t:lnk_file { getattr read };
-
-# Access /proc/sys/dev
-allow $1_xserver_t sysctl_dev_t:dir search;
-allow $1_xserver_t sysctl_dev_t:file { getattr read };
-# Access /proc/bus/pci
-allow $1_xserver_t proc_t:dir r_dir_perms;
-
-# Create and access /dev/dri devices.
-allow $1_xserver_t device_t:dir { create setattr };
-file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
-# brought on by rhgb
-allow $1_xserver_t mnt_t:dir search;
-
-allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
-
-# Run helper programs in $1_xserver_t.
-allow $1_xserver_t { bin_t sbin_t }:dir search;
-allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
-allow $1_xserver_t bin_t:lnk_file read;
-can_exec($1_xserver_t, { bin_t shell_exec_t })
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-can_unix_connect($1_xserver_t, xfs_t)
-allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
-allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
-
-# Bind to the X server socket in /tmp.
-allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
-')
-
-read_locale($1_xserver_t)
-
-# Type for tmpfs/shm files.
-tmpfs_domain($1_xserver)
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
-')
-', `
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-rw_dir_file($1_xserver_t, $1_tmpfs_t)
-')dnl end ifelse xdm
-
-
-r_dir_file($1_xserver_t,sysfs_t)
-
-# Use the mouse.
-allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
-# Allow xserver to read events - the synaptics touchpad
-# driver reads raw events
-allow $1_xserver_t event_device_t:chr_file rw_file_perms;
-ifdef(`pamconsole.te', `
-allow $1_xserver_t pam_var_console_t:dir search;
-')
-dontaudit $1_xserver_t selinux_config_t:dir search;
-
-allow $1_xserver_t var_lib_t:dir search;
-rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
-
-')dnl end macro definition
-
-', `
-
-define(`xserver_domain',`')
-
-')
-
diff --git a/targeted/macros/program/ypbind_macros.te b/targeted/macros/program/ypbind_macros.te
deleted file mode 100644
index 04a8f1db..00000000
--- a/targeted/macros/program/ypbind_macros.te
+++ /dev/null
@@ -1,19 +0,0 @@
-define(`uncond_can_ypbind', `
-can_network($1)
-r_dir_file($1,var_yp_t)
-allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
-allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
-dontaudit $1 self:capability net_bind_service;
-dontaudit $1 reserved_port_type:tcp_socket name_connect;
-dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
-')
-
-define(`can_ypbind', `
-ifdef(`ypbind.te', `
-if (allow_ypbind) {
-uncond_can_ypbind($1)
-} else {
-dontaudit $1 var_yp_t:dir search;
-}
-') dnl ypbind.te
-') dnl can_ypbind
diff --git a/targeted/macros/user_macros.te b/targeted/macros/user_macros.te
deleted file mode 100644
index fb9b9ae3..00000000
--- a/targeted/macros/user_macros.te
+++ /dev/null
@@ -1,325 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-# role_tty_type_change(starting_role, ending_role)
-#
-# change from role $1_r to $2_r and relabel tty appropriately
-#
-
-undefine(`role_tty_type_change')
-define(`role_tty_type_change', `
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-#
-# reach_sysadm(user)
-#
-# Reach sysadm_t via programs like userhelper/sudo/su
-#
-
-undefine(`reach_sysadm')
-define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-ifdef(`su.te', `
-su_domain($1)
-# When an ordinary user domain runs su, su may try to
-# update the /root/.Xauthority file, and the user shell may
-# try to update the shell history. This is not allowed, but
-# we dont need to audit it.
-dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
-') dnl ifdef su.te
-ifdef(`xauth.te', `
-file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-ifdef(`userhelper.te', `
-file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-') dnl userhelper.te
-') dnl xauth.te
-') dnl reach_sysadm
-
-#
-# priv_user(user)
-#
-# Privileged user domain
-#
-
-undefine(`priv_user')
-define(`priv_user', `
-# Reach sysadm_t
-reach_sysadm($1)
-
-# Read file_contexts for rpm and get security decisions.
-r_dir_file($1_t, file_context_t)
-can_getsecurity($1_t)
-
-# Signal and see information about unprivileged user domains.
-allow $1_t unpriv_userdomain:process signal_perms;
-can_ps($1_t, unpriv_userdomain)
-allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
-
-# Read /root files if boolean is enabled.
-if (staff_read_sysadm_file) {
-allow $1_t sysadm_home_dir_t:dir { getattr search };
-allow $1_t sysadm_home_t:file { getattr read };
-}
-
-') dnl priv_user
-
-#
-# user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately. Likewise, domain transitions into this domain
-# must be specified separately.
-#
-
-# user_domain() is also called by the admin_domain() macro
-undefine(`user_domain')
-define(`user_domain', `
-# Use capabilities
-
-# Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-ifdef(`support_polyinstantiation', `
-type_member $1_t tmp_t:dir $1_tmp_t;
-type_member $1_t $1_home_dir_t:dir $1_home_t;
-')
-
-base_user_domain($1)
-ifdef(`mls_policy', `', `
-access_removable_media($1_t)
-')
-
-# do not allow privhome access to sysadm_home_dir_t
-file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
-
-allow $1_t boot_t:dir { getattr search };
-dontaudit $1_t boot_t:lnk_file read;
-dontaudit $1_t boot_t:file read;
-allow $1_t system_map_t:file { getattr read };
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifelse($1, sysadm, `',`
-ifdef(`apache.te', `apache_user_domain($1)')
-ifdef(`i18n_input.te', `i18n_input_domain($1)')
-')
-ifdef(`slocate.te', `locate_domain($1)')
-ifdef(`lockdev.te', `lockdev_domain($1)')
-
-can_kerberos($1_t)
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-#
-# Need the following rule to allow users to run vpnc
-#
-ifdef(`xserver.te', `
-allow $1_t xserver_port_t:tcp_socket name_bind;
-')
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users) disabling this forces FTP passive mode
-# and may change other protocols
-if (user_tcp_server) {
-allow $1_t port_t:tcp_socket name_bind;
-}
-# port access is audited even if dac would not have allowed it, so dontaudit it here
-dontaudit $1_t { reserved_port_type reserved_port_t }:tcp_socket name_bind;
-
-# Allow system log read
-if (user_dmesg) {
-allow $1_t kernel_t:system syslog_read;
-} else {
-# else do not log it
-dontaudit $1_t kernel_t:system syslog_read;
-}
-
-# Allow read access to utmp.
-allow $1_t initrc_var_run_t:file { getattr read lock };
-# The library functions always try to open read-write first,
-# then fall back to read-only if it fails.
-# Do not audit write denials to utmp to avoid the noise.
-dontaudit $1_t initrc_var_run_t:file write;
-
-
-# do not audit read on disk devices
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
-ifdef(`xdm.te', `
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-#
-# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-#
-dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')dnl end ifdef ftpd
-
-
-')dnl end user_domain macro
-
-
-###########################################################################
-#
-# Domains for ordinary users.
-#
-undefine(`limited_user_role')
-define(`limited_user_role', `
-# user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
-
-#Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
-# Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
-
-# Access ttys.
-allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-# Grant read/search permissions to some of /proc.
-r_dir_file($1_t, proc_t)
-# netstat needs to access proc_net_t; if you want to hide this info use dontaudit here instead
-r_dir_file($1_t, proc_net_t)
-
-base_file_read_access($1_t)
-
-# Execute from the system shared libraries.
-uses_shlib($1_t)
-
-# Read /etc.
-r_dir_file($1_t, etc_t)
-allow $1_t etc_runtime_t:file r_file_perms;
-allow $1_t etc_runtime_t:lnk_file { getattr read };
-
-allow $1_t self:process { fork sigchld setpgid signal_perms };
-
-# read localization information
-read_locale($1_t)
-
-read_sysctl($1_t)
-can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-allow $1_t self:fifo_file rw_file_perms;
-
-allow $1_t self:lnk_file read;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t urandom_device_t:chr_file { getattr read };
-dontaudit $1_t { var_spool_t var_log_t }:dir search;
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file { getattr read };
-allow $1_t devtty_t:chr_file { read write };
-
-')
-
-undefine(`full_user_role')
-define(`full_user_role', `
-
-limited_user_role($1)
-
-typeattribute $1_t web_client_domain;
-
-attribute $1_file_type;
-
-ifdef(`useradd.te', `
-# Useradd relabels /etc/skel files so needs these privs
-allow useradd_t $1_file_type:dir create_dir_perms;
-allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
-')
-
-can_exec($1_t, usr_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_t readable_t:dir r_dir_perms;
-allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
-# Stat lost+found.
-allow $1_t lost_found_t:dir getattr;
-
-# Read /var, /var/spool, /var/run.
-r_dir_file($1_t, var_t)
-# what about pipes and sockets under /var/spool?
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, var_run_t)
-allow $1_t var_lib_t:dir r_dir_perms;
-allow $1_t var_lib_t:file { getattr read };
-
-# for running depmod as part of the kernel packaging process
-allow $1_t modules_conf_t:file { getattr read };
-
-# Read man directories and files.
-r_dir_file($1_t, man_t)
-
-# Allow users to rw usb devices
-if (user_rw_usb) {
-rw_dir_create_file($1_t,usbdevfs_t)
-} else {
-r_dir_file($1_t,usbdevfs_t)
-}
-
-r_dir_file($1_t,sysfs_t)
-
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1_t ld_so_cache_t:file write;
-
-# $1_t is also granted permissions specific to user domains.
-user_domain($1)
-
-dontaudit $1_t sysadm_home_t:file { read append };
-
-ifdef(`syslogd.te', `
-# Some programs that are left in $1_t will try to connect
-# to syslogd, but we do not want to let them generate log messages.
-# Do not audit.
-dontaudit $1_t devlog_t:sock_file { read write };
-dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-')
-
-# Stop warnings about access to /dev/console
-dontaudit $1_t init_t:fd use;
-dontaudit $1_t initrc_t:fd use;
-allow $1_t initrc_t:fifo_file write;
-
-#
-# Rules used to associate a homedir as a mountpoint
-#
-allow $1_home_t self:filesystem associate;
-allow $1_file_type $1_home_t:filesystem associate;
-')
-
-undefine(`in_user_role')
-define(`in_user_role', `
-role user_r types $1;
-role staff_r types $1;
-')
-
diff --git a/targeted/mcs b/targeted/mcs
deleted file mode 100644
index 8a04ae85..00000000
--- a/targeted/mcs
+++ /dev/null
@@ -1,162 +0,0 @@
-#
-# Define sensitivities
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_mls_op r2
-# | t1 op t2
-# | l1 role_mls_op l2
-# | l1 role_mls_op h2
-# | h1 role_mls_op l2
-# | h1 role_mls_op h2
-# | l1 role_mls_op h1
-# | l2 role_mls_op h2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MCS policy for the file classes
-#
-# Constrain file access so that the high range of the process dominates
-# the high range of the file. We use the high range of the process so
-# that processes can always simply run at s0.
-#
-# Only files are constrained by MCS at this stage.
-#
-mlsconstrain file { write setattr append unlink link rename
- create ioctl lock execute } (h1 dom h2);
-
-mlsconstrain file { read } ((h1 dom h2) or
- ( t1 == mlsfileread ));
-
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
- ( h1 dom h2 );
-
-define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
-link unlink rename relabelfrom relabelto }')
-
-define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
-rename search add_name remove_name reparent write rmdir relabelfrom
-relabelto }')
-
-# XXX
-#
-# For some reason, we need to reference the mlsfileread attribute
-# or we get a build error. Below is a dummy entry to do this.
-mlsconstrain xextension query ( t1 == mlsfileread );
-
diff --git a/targeted/mls b/targeted/mls
deleted file mode 100644
index c7d04efa..00000000
--- a/targeted/mls
+++ /dev/null
@@ -1,665 +0,0 @@
-#
-# Define sensitivities
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231; -category c232; category c233; category c234; category c235; -category c236; category c237; category c238; category c239; -category c240; category c241; category c242; category c243; -category c244; category c245; category c246; category c247; -category c248; category c249; category c250; category c251; -category c252; category c253; category c254; category c255; - - -# -# Each MLS level specifies a sensitivity and zero or more categories which may -# be associated with that sensitivity. -# -level s0:c0.c255; -level s1:c0.c255; -level s2:c0.c255; -level s3:c0.c255; -level s4:c0.c255; -level s5:c0.c255; -level s6:c0.c255; -level s7:c0.c255; -level s8:c0.c255; -level s9:c0.c255; -level s10:c0.c255; -level s11:c0.c255; -level s12:c0.c255; -level s13:c0.c255; -level s14:c0.c255; -level s15:c0.c255; - - -# -# Define the MLS policy -# -# mlsconstrain class_set perm_set expression ; -# -# mlsvalidatetrans class_set expression ; -# -# expression : ( expression ) -# | not expression -# | expression and expression -# | expression or expression -# | u1 op u2 -# | r1 role_mls_op r2 -# | t1 op t2 -# | l1 role_mls_op l2 -# | l1 role_mls_op h2 -# | h1 role_mls_op l2 -# | h1 role_mls_op h2 -# | l1 role_mls_op h1 -# | l2 role_mls_op h2 -# | u1 op names -# | u2 op names -# | r1 op names -# | r2 op names -# | t1 op names -# | t2 op names -# | u3 op names (NOTE: this is only available for mlsvalidatetrans) -# | r3 op names (NOTE: this is only available for mlsvalidatetrans) -# | t3 op names (NOTE: this is only available for mlsvalidatetrans) -# -# op : == | != -# role_mls_op : == | != | eq | dom | domby | incomp -# -# names : name | { name_list } -# name_list : name | name_list name -# - -# -# MLS policy for the file classes -# - -# make sure these file classes are "single level" -mlsconstrain { file lnk_file fifo_file } { create relabelto } - ( l2 eq h2 ); - -# new file labels must be dominated by the relabeling subject's 
clearance -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto - ( h1 dom h2 ); - -# the file "read" ops (note the check is dominance of the low level) -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } - (( l1 dom l2 ) or - (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfileread ) or - ( t2 == mlstrustedobject )); - -mlsconstrain dir search - (( l1 dom l2 ) or - (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfileread ) or - ( t2 == mlstrustedobject )); - -# the "single level" file "write" ops -mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton } - (( l1 eq l2 ) or - (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsfilewrite ) or - ( t2 == mlstrustedobject )); - -# the "ranged" file "write" ops -mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsfilewrite ) or - ( t2 == mlstrustedobject )); - -mlsconstrain dir { add_name remove_name reparent rmdir } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsfilewrite ) or - ( t2 == mlstrustedobject )); - -# these access vectors have no MLS restrictions -# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon } -# -# { file chr_file } { execute_no_trans entrypoint execmod } - -# the file upgrade/downgrade rule -mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } - ((( l1 eq l2 ) or - (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or - (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or - (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and - (( h1 eq h2 ) or - (( t3 == mlsfileupgrade ) and ( h1 
domby h2 )) or - (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or - (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 )))); - -# create can also require the upgrade/downgrade checks if the creating process -# has used setfscreate (note that both the high and low level of the object -# default to the process' sensitivity level) -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create - ((( l1 eq l2 ) or - (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or - (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or - (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and - (( l1 eq h2 ) or - (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or - (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or - (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 )))); - - - - -# -# MLS policy for the filesystem class -# - -# new filesystem labels must be dominated by the relabeling subject's clearance -mlsconstrain filesystem relabelto - ( h1 dom h2 ); - -# the filesystem "read" ops (implicit single level) -mlsconstrain filesystem { getattr quotaget } - (( l1 dom l2 ) or - (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfileread )); - -# all the filesystem "write" ops (implicit single level) -mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } - (( l1 eq l2 ) or - (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsfilewrite )); - -# these access vectors have no MLS restrictions -# filesystem { transition associate } - - - - -# -# MLS policy for the socket classes -# - -# new socket labels must be dominated by the relabeling subject's clearance -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto - ( h1 dom h2 ); - -# the socket 
"read" ops (note the check is dominance of the low level) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg } - (( l1 dom l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - -mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read - (( l1 dom l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - -# the socket "write" ops -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite )); - -# these access vectors have no MLS restrictions -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } -# -# { tcp_socket udp_socket rawip_socket } node_bind -# -# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } -# -# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write -# - - - - -# -# MLS policy for the ipc classes -# - -# the ipc "read" ops (implicit single level) -mlsconstrain { ipc sem msgq shm } { getattr read unix_read } - (( l1 dom l2 ) or - (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsipcread )); - -mlsconstrain msg receive - (( l1 dom l2 ) or - (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsipcread )); - -# the ipc "write" ops (implicit single level) -mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } - (( l1 eq l2 ) or - (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsipcwrite )); - -mlsconstrain msgq enqueue - (( l1 eq l2 ) or - (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsipcwrite )); - -mlsconstrain shm lock - (( l1 eq l2 ) or - (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsipcwrite )); - -mlsconstrain msg send - (( l1 eq l2 ) or - (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsipcwrite )); - -# these access vectors have no MLS restrictions -# { ipc sem msgq shm } associate - - - - -# -# MLS policy for the fd class -# - -# these access vectors have no MLS restrictions -# fd use - - - - -# -# MLS policy for the network object classes -# - -# the netif/node "read" ops (implicit single level socket doing the read) -# (note the check is dominance of the low level) -mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv } - (( l1 dom l2 ) or ( t1 == mlsnetrecvall )); - -# the netif/node "write" ops (implicit single level socket doing the write) -mlsconstrain { netif node } { tcp_send udp_send rawip_send } - (( l1 dom l2 ) and ( l1 domby h2 )); - -# these access vectors have no MLS restrictions -# { netif node } { enforce_dest } - - - - -# -# MLS policy for the process class -# - -# new process labels must be dominated by the relabeling 
subject's clearance -# and sensitivity level changes require privilege -mlsconstrain process transition - (( h1 dom h2 ) and - (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or - (( t1 == privrangetrans ) and ( t2 == mlsrangetrans )))); -mlsconstrain process dyntransition - (( h1 dom h2 ) and - (( l1 eq l2 ) or ( t1 == mlsprocsetsl ))); - -# all the process "read" ops -mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } - (( l1 dom l2 ) or - (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsprocread )); - -# all the process "write" ops (note the check is equality on the low level) -mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share } - (( l1 eq l2 ) or - (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsprocwrite )); - -# these access vectors have no MLS restrictions -# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem } - - - - -# -# MLS policy for the security class -# - -# these access vectors have no MLS restrictions -# security * - - - - -# -# MLS policy for the system class -# - -# these access vectors have no MLS restrictions -# system * - - - - -# -# MLS policy for the capability class -# - -# these access vectors have no MLS restrictions -# capability * - - - - -# -# MLS policy for the passwd class -# - -# these access vectors have no MLS restrictions -# passwd * - - - - -# -# MLS policy for the drawable class -# - -# the drawable "read" ops (implicit single level) -mlsconstrain drawable { getattr copy } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the drawable "write" ops (implicit single level) -mlsconstrain drawable { create destroy draw copy } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the gc class -# - -# the gc "read" ops (implicit 
single level) -mlsconstrain gc getattr - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the gc "write" ops (implicit single level) -mlsconstrain gc { create free setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the window class -# - -# the window "read" ops (implicit single level) -mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the window "write" ops (implicit single level) -mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite ) or - ( t2 == mlstrustedobject )); - -# these access vectors have no MLS restrictions -# window { map unmap } - - - - -# -# MLS policy for the font class -# - -# the font "read" ops (implicit single level) -mlsconstrain font { load getattr } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the font "write" ops (implicit single level) -mlsconstrain font free - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - -# these access vectors have no MLS restrictions -# font use - - - - -# -# MLS policy for the colormap class -# - -# the colormap "read" ops (implicit single level) -mlsconstrain colormap { list read getattr } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinreadcolormap ) or - ( t1 == mlsxwinread )); - -# the colormap "write" ops (implicit single level) -mlsconstrain colormap { create free install 
uninstall store setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwritecolormap ) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the property class -# - -# the property "read" ops (implicit single level) -mlsconstrain property { read } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinreadproperty ) or - ( t1 == mlsxwinread )); - -# the property "write" ops (implicit single level) -mlsconstrain property { create free write } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwriteproperty ) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the cursor class -# - -# the cursor "write" ops (implicit single level) -mlsconstrain cursor { create createglyph free assign setattr } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the xclient class -# - -# the xclient "write" ops (implicit single level) -mlsconstrain xclient kill - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the xinput class -# - -# these access vectors have no MLS restrictions -# xinput ~{ relabelinput setattr } - -# the xinput "write" ops (implicit single level) -mlsconstrain xinput { setattr relabelinput } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwritexinput ) or - ( t1 == mlsxwinwrite )); - - - - -# -# MLS policy for the xserver class -# - -# these access vectors have no MLS restrictions -# xserver * - - - - -# -# MLS policy for the xextension class -# - -# these access vectors have no MLS restrictions -# xextension { query use } - - -# -# MLS policy for the pax class -# - -# these access vectors have no MLS restrictions -# pax { pageexec emutramp mprotect 
randmmap randexec segmexec } - - - - -# -# MLS policy for the dbus class -# - -# these access vectors have no MLS restrictions -# dbus { acquire_svc send_msg } - - - - -# -# MLS policy for the nscd class -# - -# these access vectors have no MLS restrictions -# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } - - - - -# -# MLS policy for the association class -# - -# these access vectors have no MLS restrictions -# association { sendto recvfrom } - diff --git a/targeted/net_contexts b/targeted/net_contexts deleted file mode 100644 index 59e6c543..00000000 --- a/targeted/net_contexts +++ /dev/null 
@@ -1,245 +0,0 @@
-# FLASK
-
-#
-# Security contexts for network entities
-# If no context is specified, then a default initial SID is used.
-#
-
-# Modified by Reino Wallin
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# ifdefs to encapsulate domains, and many additional port contexts
-
-#
-# Port numbers (default = initial SID "port")
-#
-# protocol number context
-# protocol low-high context
-#
-portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
-portcon udp 7 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
-portcon udp 9 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
-portcon udp 13 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
-portcon udp 19 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
-portcon udp 37 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 113 system_u:object_r:auth_port_t:s0
-portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
-portcon udp 891 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
-portcon udp 892 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
-portcon tcp 21 system_u:object_r:ftp_port_t:s0
-portcon tcp 22 system_u:object_r:ssh_port_t:s0
-portcon tcp 23 system_u:object_r:telnetd_port_t:s0
-
-portcon tcp 25 system_u:object_r:smtp_port_t:s0
-portcon tcp 465 system_u:object_r:smtp_port_t:s0
-portcon tcp 587 system_u:object_r:smtp_port_t:s0
-
-portcon udp 500 system_u:object_r:isakmp_port_t:s0
-portcon udp 53 system_u:object_r:dns_port_t:s0
-portcon tcp 53 system_u:object_r:dns_port_t:s0
-
-portcon udp 67 system_u:object_r:dhcpd_port_t:s0
-portcon udp 647 system_u:object_r:dhcpd_port_t:s0
-portcon tcp 647 system_u:object_r:dhcpd_port_t:s0
-portcon udp 847 system_u:object_r:dhcpd_port_t:s0
-portcon tcp 847 system_u:object_r:dhcpd_port_t:s0
-portcon udp 68 system_u:object_r:dhcpc_port_t:s0
-portcon udp 70 system_u:object_r:gopher_port_t:s0
-portcon tcp 70 system_u:object_r:gopher_port_t:s0
-
-portcon udp 69 system_u:object_r:tftp_port_t:s0
-portcon tcp 79 system_u:object_r:fingerd_port_t:s0
-
-portcon tcp 80 system_u:object_r:http_port_t:s0
-portcon tcp 443 system_u:object_r:http_port_t:s0
-portcon tcp 488 system_u:object_r:http_port_t:s0
-portcon tcp 8008 system_u:object_r:http_port_t:s0
-
-portcon tcp 106 system_u:object_r:pop_port_t:s0
-portcon tcp 109 system_u:object_r:pop_port_t:s0
-portcon tcp 110 system_u:object_r:pop_port_t:s0
-portcon tcp 143 system_u:object_r:pop_port_t:s0
-portcon tcp 220 system_u:object_r:pop_port_t:s0
-portcon tcp 993 system_u:object_r:pop_port_t:s0
-portcon tcp 995 system_u:object_r:pop_port_t:s0
-portcon tcp 1109 system_u:object_r:pop_port_t:s0
-
-portcon udp 111 system_u:object_r:portmap_port_t:s0
-portcon tcp 111 system_u:object_r:portmap_port_t:s0
-
-portcon tcp 119 system_u:object_r:innd_port_t:s0
-portcon udp 123 system_u:object_r:ntp_port_t:s0
-
-portcon tcp 137 system_u:object_r:smbd_port_t:s0
-portcon udp 137 system_u:object_r:nmbd_port_t:s0
-portcon tcp 138 system_u:object_r:smbd_port_t:s0
-portcon udp 138 system_u:object_r:nmbd_port_t:s0
-portcon tcp 139 system_u:object_r:smbd_port_t:s0
-portcon udp 139 system_u:object_r:nmbd_port_t:s0
-portcon tcp 445 system_u:object_r:smbd_port_t:s0
-
-portcon udp 161 system_u:object_r:snmp_port_t:s0
-portcon udp 162 system_u:object_r:snmp_port_t:s0
-portcon tcp 199 system_u:object_r:snmp_port_t:s0
-portcon udp 512 system_u:object_r:comsat_port_t:s0
-
-portcon tcp 389 system_u:object_r:ldap_port_t:s0
-portcon udp 389 system_u:object_r:ldap_port_t:s0
-portcon tcp 636 system_u:object_r:ldap_port_t:s0
-portcon udp 636 system_u:object_r:ldap_port_t:s0
-
-portcon tcp 513 system_u:object_r:rlogind_port_t:s0
-portcon tcp 514 system_u:object_r:rsh_port_t:s0
-
-portcon tcp 515 system_u:object_r:printer_port_t:s0
-portcon udp 514 system_u:object_r:syslogd_port_t:s0
-portcon udp 517 system_u:object_r:ktalkd_port_t:s0
-portcon udp 518 system_u:object_r:ktalkd_port_t:s0
-portcon tcp 631 system_u:object_r:ipp_port_t:s0
-portcon udp 631 system_u:object_r:ipp_port_t:s0
-portcon tcp 88 system_u:object_r:kerberos_port_t:s0
-portcon udp 88 system_u:object_r:kerberos_port_t:s0
-portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
-portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
-portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
-portcon tcp 750 system_u:object_r:kerberos_port_t:s0
-portcon udp 750 system_u:object_r:kerberos_port_t:s0
-portcon tcp 783 system_u:object_r:spamd_port_t:s0
-portcon tcp 540 system_u:object_r:uucpd_port_t:s0
-portcon tcp 2401 system_u:object_r:cvs_port_t:s0
-portcon udp 2401 system_u:object_r:cvs_port_t:s0
-portcon tcp 873 system_u:object_r:rsync_port_t:s0
-portcon udp 873 system_u:object_r:rsync_port_t:s0
-portcon tcp 901 system_u:object_r:swat_port_t:s0
-portcon tcp 953 system_u:object_r:rndc_port_t:s0
-portcon tcp 1213 system_u:object_r:giftd_port_t:s0
-portcon tcp 1241 system_u:object_r:nessus_port_t:s0
-portcon tcp 1234 system_u:object_r:monopd_port_t:s0
-portcon udp 1645 system_u:object_r:radius_port_t:s0
-portcon udp 1646 system_u:object_r:radacct_port_t:s0
-portcon udp 1812 system_u:object_r:radius_port_t:s0
-portcon udp 1813 system_u:object_r:radacct_port_t:s0
-portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
-portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
-portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
-portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
-portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
-portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
-portcon udp 2427 system_u:object_r:asterisk_port_t:s0
-portcon udp 2727 system_u:object_r:asterisk_port_t:s0
-portcon udp 4569 system_u:object_r:asterisk_port_t:s0
-portcon udp 5060 system_u:object_r:asterisk_port_t:s0
-portcon tcp 2000 system_u:object_r:mail_port_t:s0
-portcon tcp 2601 system_u:object_r:zebra_port_t:s0
-portcon tcp 2628 system_u:object_r:dict_port_t:s0
-portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
-portcon tcp 3632 system_u:object_r:distccd_port_t:s0
-portcon udp 4011 system_u:object_r:pxe_port_t:s0
-portcon udp 5000 system_u:object_r:openvpn_port_t:s0
-portcon tcp 5323 system_u:object_r:imaze_port_t:s0
-portcon udp 5323 system_u:object_r:imaze_port_t:s0
-portcon tcp 5335 system_u:object_r:howl_port_t:s0
-portcon udp 5353 system_u:object_r:howl_port_t:s0
-portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
-portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
-portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
-portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
-portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 5703 system_u:object_r:ptal_port_t:s0
-portcon tcp 50000 system_u:object_r:hplip_port_t:s0
-portcon tcp 50002 system_u:object_r:hplip_port_t:s0
-portcon tcp 5900 system_u:object_r:vnc_port_t:s0
-portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0
-portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0
-portcon tcp 6000 system_u:object_r:xserver_port_t:s0
-portcon tcp 6001 system_u:object_r:xserver_port_t:s0
-portcon tcp 6002 system_u:object_r:xserver_port_t:s0
-portcon tcp 6003 system_u:object_r:xserver_port_t:s0
-portcon tcp 6004 system_u:object_r:xserver_port_t:s0
-portcon tcp 6005 system_u:object_r:xserver_port_t:s0
-portcon tcp 6006 system_u:object_r:xserver_port_t:s0
-portcon tcp 6007 system_u:object_r:xserver_port_t:s0
-portcon tcp 6008 system_u:object_r:xserver_port_t:s0
-portcon tcp 6009 system_u:object_r:xserver_port_t:s0
-portcon tcp 6010 system_u:object_r:xserver_port_t:s0
-portcon tcp 6011 system_u:object_r:xserver_port_t:s0
-portcon tcp 6012 system_u:object_r:xserver_port_t:s0
-portcon tcp 6013 system_u:object_r:xserver_port_t:s0
-portcon tcp 6014 system_u:object_r:xserver_port_t:s0
-portcon tcp 6015 system_u:object_r:xserver_port_t:s0
-portcon tcp 6016 system_u:object_r:xserver_port_t:s0
-portcon tcp 6017 system_u:object_r:xserver_port_t:s0
-portcon tcp 6018 system_u:object_r:xserver_port_t:s0
-portcon tcp 6019 system_u:object_r:xserver_port_t:s0
-portcon tcp 6667 system_u:object_r:ircd_port_t:s0
-portcon tcp 8000 system_u:object_r:soundd_port_t:s0
-# 9433 is for YIFF
-portcon tcp 9433 system_u:object_r:soundd_port_t:s0
-portcon tcp 3128 system_u:object_r:http_cache_port_t:s0
-portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
-portcon udp 3130 system_u:object_r:http_cache_port_t:s0
-# 8118 is for privoxy
-portcon tcp 8118 system_u:object_r:http_cache_port_t:s0
-
-portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
-portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
-portcon udp 10080 system_u:object_r:amanda_port_t:s0
-portcon tcp 10080 system_u:object_r:amanda_port_t:s0
-portcon udp 10081 system_u:object_r:amanda_port_t:s0
-portcon tcp 10081 system_u:object_r:amanda_port_t:s0
-portcon tcp 10082 system_u:object_r:amanda_port_t:s0
-portcon tcp 10083 system_u:object_r:amanda_port_t:s0
-portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
-
-portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
-portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
-portcon tcp 3310 system_u:object_r:clamd_port_t:s0
-portcon udp 6276 system_u:object_r:dcc_port_t:s0
-portcon udp 6277 system_u:object_r:dcc_port_t:s0
-portcon udp 24441 system_u:object_r:pyzor_port_t:s0
-portcon tcp 2703 system_u:object_r:razor_port_t:s0
-portcon tcp 8021 system_u:object_r:zope_port_t:s0
-
-# Defaults for reserved ports. Earlier portcon entries take precedence;
-# these entries just cover any remaining reserved ports not otherwise
-# declared or omitted due to removal of a domain.
-portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
-portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
-
-# Network interfaces (default = initial SID "netif" and "netmsg")
-#
-# interface netif_context default_msg_context
-#
-
-# Nodes (default = initial SID "node")
-#
-# address mask context
-#
-nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t:s0
-nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_inaddr_any_t:s0
-nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_unspec_t:s0
-nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_lo_t:s0
-nodecon ff00:: ff00:: system_u:object_r:node_multicast_t:s0
-nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:node_link_local_t:s0
-nodecon fec0:: ffc0:: system_u:object_r:node_site_local_t:s0
-nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_compat_ipv4_t:s0
-nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_mapped_ipv4_t:s0
-
-# FLASK
diff --git a/targeted/rbac b/targeted/rbac
deleted file mode 100644
index 0d6971d0..00000000
--- a/targeted/rbac
+++ /dev/null
@@ -1,26 +0,0 @@
-################################################
-#
-# Role-based access control (RBAC) configuration.
-#
-
-########################################
-#
-# Role allow rules.
-#
-# A role allow rule specifies the allowable
-# transitions between roles on an execve.
-# If no rule is specified, then the change in
-# roles will not be permitted. Additional
-# controls over role transitions based on the
-# type of the process may be specified through
-# the constraints file.
-#
-# The syntax of a role allow rule is:
-# allow current_role new_role ;
-#
-
-allow sysadm_r system_r;
-allow user_r system_r;
-allow user_r sysadm_r;
-allow sysadm_r user_r;
-allow system_r sysadm_r;
diff --git a/targeted/tunables/distro.tun b/targeted/tunables/distro.tun
deleted file mode 100644
index 00b6eca5..00000000
--- a/targeted/tunables/distro.tun
+++ /dev/null
@@ -1,14 +0,0 @@
-# Distro-specific customizations.
-
-# Comment out all but the one that matches your distro.
-# The policy .te files can then wrap distro-specific customizations with
-# appropriate ifdefs.
-
-
-define(`distro_redhat')
-
-dnl define(`distro_suse')
-
-dnl define(`distro_gentoo')
-
-dnl define(`distro_debian')
diff --git a/targeted/tunables/tunable.tun b/targeted/tunables/tunable.tun
deleted file mode 100644
index a1f9d6e7..00000000
--- a/targeted/tunables/tunable.tun
+++ /dev/null
@@ -1,7 +0,0 @@
-define(`targeted_policy')
-define(`hide_broken_symptoms')
-define(`distro_redhat')
-define(`unlimitedInetd')
-define(`unlimitedRC')
-define(`unlimitedUtils')
-define(`use_mcs')
diff --git a/targeted/types/device.te b/targeted/types/device.te
deleted file mode 100644
index aee0a4cb..00000000
--- a/targeted/types/device.te
+++ /dev/null
@@ -1,163 +0,0 @@ -# -# Authors: Stephen Smalley and Timothy Fraser -# - -############################################ -# -# Device types -# - -# -# device_t is the type of /dev. -# -type device_t, file_type, mount_point, dev_fs; - -# -# null_device_t is the type of /dev/null. -# -type null_device_t, device_type, dev_fs, mlstrustedobject; - -# -# zero_device_t is the type of /dev/zero. -# -type zero_device_t, device_type, dev_fs, mlstrustedobject; - -# -# console_device_t is the type of /dev/console. -# -type console_device_t, device_type, dev_fs; - -# -# xconsole_device_t is the type of /dev/xconsole -type xconsole_device_t, file_type, dev_fs; - -# -# memory_device_t is the type of /dev/kmem, -# /dev/mem, and /dev/port. -# -type memory_device_t, device_type, dev_fs; - -# -# random_device_t is the type of /dev/random -# urandom_device_t is the type of /dev/urandom -# -type random_device_t, device_type, dev_fs; -type urandom_device_t, device_type, dev_fs; - -# -# devtty_t is the type of /dev/tty. -# -type devtty_t, device_type, dev_fs, mlstrustedobject; - -# -# tty_device_t is the type of /dev/*tty* -# -type tty_device_t, serial_device, device_type, dev_fs; - -# -# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] -type bsdpty_device_t, device_type, dev_fs; - -# -# usbtty_device_t is the type of /dev/usr/tty* -# -type usbtty_device_t, serial_device, device_type, dev_fs; - -# -# printer_device_t is the type for printer devices -# -type printer_device_t, device_type, dev_fs; - -# -# fixed_disk_device_t is the type of -# /dev/hd* and /dev/sd*. -# -type fixed_disk_device_t, device_type, dev_fs; - -# -# scsi_generic_device_t is the type of /dev/sg* -# it gives access to ALL SCSI devices (both fixed and removable) -# -type scsi_generic_device_t, device_type, dev_fs; - -# -# removable_device_t is the type of -# /dev/scd* and /dev/fd*. -# -type removable_device_t, device_type, dev_fs; - -# -# clock_device_t is the type of -# /dev/rtc. 
-# -type clock_device_t, device_type, dev_fs; - -# -# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* -# -type tun_tap_device_t, device_type, dev_fs; - -# -# misc_device_t is the type of miscellaneous devices. -# XXX: FIXME! Appropriate access to these devices need to be identified. -# -type misc_device_t, device_type, dev_fs; - -# -# A more general type for mouse devices. -# -type mouse_device_t, device_type, dev_fs; - -# -# For generic /dev/input/event* event devices -# -type event_device_t, device_type, dev_fs; - -# -# Not sure what these devices are for, but X wants access to them. -# -type agp_device_t, device_type, dev_fs; -type dri_device_t, device_type, dev_fs; - -# Type for sound devices. -type sound_device_t, device_type, dev_fs; - -# Type for /dev/ppp. -type ppp_device_t, device_type, dev_fs; - -# Type for frame buffer /dev/fb/* -type framebuf_device_t, device_type, dev_fs; - -# Type for /dev/.devfsd -type devfs_control_t, device_type, dev_fs; - -# Type for /dev/cpu/mtrr and /proc/mtrr -type mtrr_device_t, device_type, dev_fs, proc_fs; - -# Type for /dev/pmu -type power_device_t, device_type, dev_fs; - -# Type for /dev/apm_bios -type apm_bios_t, device_type, dev_fs; - -# Type for v4l -type v4l_device_t, device_type, dev_fs; - -# tape drives -type tape_device_t, device_type, dev_fs; - -# scanners -type scanner_device_t, device_type, dev_fs; - -# cpu control devices /dev/cpu/0/* -type cpu_device_t, device_type, dev_fs; - -# for other device nodes such as the NVidia binary-only driver -type xserver_misc_device_t, device_type, dev_fs; - -# for the IBM zSeries z90crypt hardware ssl accelorator -type crypt_device_t, device_type, dev_fs; - - - - diff --git a/targeted/types/devpts.te b/targeted/types/devpts.te deleted file mode 100644 index c6982ac3..00000000 --- a/targeted/types/devpts.te +++ /dev/null 
@@ -1,23 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Devpts types
-#
-
-#
-# ptmx_t is the type for /dev/ptmx.
-#
-type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
-
-#
-# devpts_t is the type of the devpts file system and
-# the type of the root directory of the file system.
-#
-type devpts_t, mount_point, fs_type;
-
-ifdef(`targeted_policy', `
-typeattribute devpts_t ttyfile;
-')
diff --git a/targeted/types/file.te b/targeted/types/file.te
deleted file mode 100644
index 6db5c895..00000000
--- a/targeted/types/file.te
+++ /dev/null
@@ -1,325 +0,0 @@ -# -# Authors: Stephen Smalley and Timothy Fraser -# - -####################################### -# -# General file-related types -# - -# -# unlabeled_t is the type of unlabeled objects. -# Objects that have no known labeling information or that -# have labels that are no longer valid are treated as having this type. -# -type unlabeled_t, sysadmfile; - -# -# fs_t is the default type for conventional filesystems. -# -type fs_t, fs_type; - -# needs more work -type eventpollfs_t, fs_type; -type futexfs_t, fs_type; -type bdev_t, fs_type; -type usbfs_t, mount_point, fs_type; -type nfsd_fs_t, fs_type; -type rpc_pipefs_t, fs_type; -type binfmt_misc_fs_t, mount_point, fs_type; - -# -# file_t is the default type of a file that has not yet been -# assigned an extended attribute (EA) value (when using a filesystem -# that supports EAs). -# -type file_t, file_type, mount_point, sysadmfile; - -# default_t is the default type for files that do not -# match any specification in the file_contexts configuration -# other than the generic /.* specification. -type default_t, file_type, mount_point, sysadmfile; - -# -# root_t is the type for the root directory. -# -type root_t, file_type, mount_point, polyparent, sysadmfile; - -# -# mnt_t is the type for mount points such as /mnt/cdrom -type mnt_t, file_type, mount_point, sysadmfile; - -# -# home_root_t is the type for the directory where user home directories -# are created -# -type home_root_t, file_type, mount_point, polyparent, sysadmfile; - -# -# lost_found_t is the type for the lost+found directories. -# -type lost_found_t, file_type, sysadmfile; - -# -# boot_t is the type for files in /boot, -# including the kernel. -# -type boot_t, file_type, mount_point, sysadmfile; -# system_map_t is for the system.map files in /boot -type system_map_t, file_type, sysadmfile; - -# -# boot_runtime_t is the type for /boot/kernel.h, -# which is automatically generated at boot time. 
-# only for red hat -type boot_runtime_t, file_type, sysadmfile; - -# -# tmp_t is the type of /tmp and /var/tmp. -# -type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile; - -# -# etc_t is the type of the system etc directories. -# -type etc_t, file_type, sysadmfile; - -# etc_mail_t is the type of /etc/mail. -type etc_mail_t, file_type, sysadmfile, usercanread; - -# -# shadow_t is the type of the /etc/shadow file -# -type shadow_t, file_type, secure_file_type; -allow auth shadow_t:file { getattr read }; - -# -# ld_so_cache_t is the type of /etc/ld.so.cache. -# -type ld_so_cache_t, file_type, sysadmfile; - -# -# etc_runtime_t is the type of various -# files in /etc that are automatically -# generated during initialization. -# -type etc_runtime_t, file_type, sysadmfile; - -# -# fonts_runtime_t is the type of various -# fonts files in /usr that are automatically -# generated during initialization. -# -type fonts_t, file_type, sysadmfile, usercanread; - -# -# etc_aliases_t is the type of the aliases database. -# -type etc_aliases_t, file_type, sysadmfile; - -# net_conf_t is the type of the /etc/resolv.conf file. -# all DHCP clients and PPP need write access to this file. -type net_conf_t, file_type, sysadmfile; - -# -# lib_t is the type of files in the system lib directories. -# -type lib_t, file_type, sysadmfile; - -# -# shlib_t is the type of shared objects in the system lib -# directories. -# -ifdef(`targeted_policy', ` -typealias lib_t alias shlib_t; -', ` -type shlib_t, file_type, sysadmfile; -') - -# -# texrel_shlib_t is the type of shared objects in the system lib -# directories, which require text relocation. -# -ifdef(`targeted_policy', ` -typealias lib_t alias texrel_shlib_t; -', ` -type texrel_shlib_t, file_type, sysadmfile; -') - -# ld_so_t is the type of the system dynamic loaders. -# -type ld_so_t, file_type, sysadmfile; - -# -# bin_t is the type of files in the system bin directories. 
-# -type bin_t, file_type, sysadmfile; - -# -# cert_t is the type of files in the system certs directories. -# -type cert_t, file_type, sysadmfile, secure_file_type; - -# -# ls_exec_t is the type of the ls program. -# -type ls_exec_t, file_type, exec_type, sysadmfile; - -# -# shell_exec_t is the type of user shells such as /bin/bash. -# -type shell_exec_t, file_type, exec_type, sysadmfile; - -# -# sbin_t is the type of files in the system sbin directories. -# -type sbin_t, file_type, sysadmfile; - -# -# usr_t is the type for /usr. -# -type usr_t, file_type, mount_point, sysadmfile; - -# -# src_t is the type of files in the system src directories. -# -type src_t, file_type, mount_point, sysadmfile; - -# -# var_t is the type for /var. -# -type var_t, file_type, mount_point, sysadmfile; - -# -# Types for subdirectories of /var. -# -type var_run_t, file_type, sysadmfile; -type var_log_t, file_type, sysadmfile, logfile; -typealias var_log_t alias crond_log_t; -type faillog_t, file_type, sysadmfile, logfile; -type var_lock_t, file_type, sysadmfile, lockfile; -type var_lib_t, mount_point, file_type, sysadmfile; -# for /var/{spool,lib}/texmf index files -type tetex_data_t, file_type, sysadmfile, tmpfile; -type var_spool_t, file_type, sysadmfile, tmpfile; -type var_yp_t, file_type, sysadmfile; - -# Type for /var/log/ksyms. -type var_log_ksyms_t, file_type, sysadmfile, logfile; - -# Type for /var/log/lastlog. -type lastlog_t, file_type, sysadmfile, logfile; - -# Type for /var/lib/nfs. -type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread; - -# -# wtmp_t is the type of /var/log/wtmp. -# -type wtmp_t, file_type, sysadmfile, logfile; - -# -# cron_spool_t is the type for /var/spool/cron. -# -type cron_spool_t, file_type, sysadmfile; - -# -# print_spool_t is the type for /var/spool/lpd and /var/spool/cups. -# -type print_spool_t, file_type, sysadmfile, tmpfile; - -# -# mail_spool_t is the type for /var/spool/mail. 
-# -type mail_spool_t, file_type, sysadmfile; - -# -# mqueue_spool_t is the type for /var/spool/mqueue. -# -type mqueue_spool_t, file_type, sysadmfile; - -# -# man_t is the type for the man directories. -# -type man_t, file_type, sysadmfile; -typealias man_t alias catman_t; - -# -# readable_t is a general type for -# files that are readable by all domains. -# -type readable_t, file_type, sysadmfile; - -# -# Base type for the tests directory. -# -type test_file_t, file_type, sysadmfile; - -# -# poly_t is the type for the polyinstantiated directories. -# -type poly_t, file_type, sysadmfile; - -# -# swapfile_t is for swap files -# -type swapfile_t, file_type, sysadmfile; - -# -# locale_t is the type for system localization -# -type locale_t, file_type, sysadmfile; - -# -# Allow each file type to be associated with -# the default file system type. -# -allow { file_type device_type ttyfile } fs_t:filesystem associate; - -type tmpfs_t, file_type, mount_point, sysadmfile, fs_type; -allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate; -allow { logfile tmpfile home_type } tmp_t:filesystem associate; -ifdef(`distro_redhat', ` -allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate; -') - -type autofs_t, fs_type, noexattrfile, sysadmfile; -type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile; -type sysfs_t, mount_point, fs_type, sysadmfile; -type iso9660_t, fs_type, noexattrfile, sysadmfile; -type romfs_t, fs_type, sysadmfile; -type ramfs_t, fs_type, sysadmfile; -type dosfs_t, fs_type, noexattrfile, sysadmfile; -type hugetlbfs_t, mount_point, fs_type, sysadmfile; -typealias file_t alias mqueue_t; - -# udev_runtime_t is the type of the udev table file -type udev_runtime_t, file_type, sysadmfile; - -# krb5_conf_t is the type of the /etc/krb5.conf file -type krb5_conf_t, file_type, sysadmfile; - -type cifs_t, fs_type, noexattrfile, sysadmfile; -type debugfs_t, fs_type, sysadmfile; -type configfs_t, fs_type, sysadmfile; -type inotifyfs_t, 
fs_type, sysadmfile; -type capifs_t, fs_type, sysadmfile; - -# removable_t is the default type of all removable media -type removable_t, file_type, sysadmfile, usercanread; -allow file_type removable_t:filesystem associate; -allow file_type noexattrfile:filesystem associate; - -# Type for anonymous FTP data, used by ftp and rsync -type public_content_t, file_type, sysadmfile, customizable; -type public_content_rw_t, file_type, sysadmfile, customizable; -typealias public_content_t alias ftpd_anon_t; -typealias public_content_rw_t alias ftpd_anon_rw_t; - -# type for /tmp/.ICE-unix -type ice_tmp_t, file_type, sysadmfile, tmpfile; - -# type for /usr/share/hwdata -type hwdata_t, file_type, sysadmfile; -allow { fs_type file_type } self:filesystem associate; - diff --git a/targeted/types/network.te b/targeted/types/network.te deleted file mode 100644 index fad6baf7..00000000 --- a/targeted/types/network.te +++ /dev/null 
@@ -1,177 +0,0 @@ -# -# Authors: Stephen Smalley and Timothy Fraser -# - -# Modified by Reino Wallin -# Multi NIC, and IPSEC features - -# Modified by Russell Coker -# Move port types to their respective domains, add ifdefs, other cleanups. - -type xserver_port_t, port_type; -# -# Defines used by the te files need to be defined outside of net_constraints -# -type rsh_port_t, port_type, reserved_port_type; -type dns_port_t, port_type, reserved_port_type; -type smtp_port_t, port_type, reserved_port_type; -type dhcpd_port_t, port_type, reserved_port_type; -type smbd_port_t, port_type, reserved_port_type; -type nmbd_port_t, port_type, reserved_port_type; -type http_cache_port_t, port_type; -type http_port_t, port_type, reserved_port_type; -type ipp_port_t, port_type, reserved_port_type; -type gopher_port_t, port_type, reserved_port_type; -type isakmp_port_t, port_type, reserved_port_type; - -allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect; -type pop_port_t, port_type, reserved_port_type; - -type ftp_port_t, port_type, reserved_port_type; -type ftp_data_port_t, port_type, reserved_port_type; - -############################################ -# -# Network types -# - -# -# mail_port_t is for generic mail ports shared by different mail servers -# -type mail_port_t, port_type; - -# -# Ports used to communicate with kerberos server -# -type kerberos_port_t, port_type, reserved_port_type; -type kerberos_admin_port_t, port_type, reserved_port_type; - -# -# Ports used to communicate with portmap server -# -type portmap_port_t, port_type, reserved_port_type; - -# -# Ports used to communicate with ldap server -# -type ldap_port_t, port_type, reserved_port_type; - -# -# port_t is the default type of INET port numbers. -# The *_port_t types are used for specific port -# numbers in net_contexts or net_contexts.mls. 
-# -type port_t, port_type; - -# reserved_port_t is the default type for INET reserved ports -# that are not otherwise mapped to a specific port type. -type reserved_port_t, port_type; - -# -# netif_t is the default type of network interfaces. -# The netif_*_t types are used for specific network -# interfaces in net_contexts or net_contexts.mls. -# -type netif_t, netif_type; - -# -# node_t is the default type of network nodes. -# The node_*_t types are used for specific network -# nodes in net_contexts or net_contexts.mls. -# -type node_t, node_type; -type node_lo_t, node_type; -type node_internal_t, node_type; -type node_inaddr_any_t, node_type; -type node_unspec_t, node_type; -type node_link_local_t, node_type; -type node_site_local_t, node_type; -type node_multicast_t, node_type; -type node_mapped_ipv4_t, node_type; -type node_compat_ipv4_t, node_type; - -# Kernel-generated traffic, e.g. ICMP replies. -allow kernel_t netif_type:netif { rawip_send rawip_recv }; -allow kernel_t node_type:node { rawip_send rawip_recv }; - -# Kernel-generated traffic, e.g. TCP resets. 
-allow kernel_t netif_type:netif { tcp_send tcp_recv }; -allow kernel_t node_type:node { tcp_send tcp_recv }; -type radius_port_t, port_type; -type radacct_port_t, port_type; -type rndc_port_t, port_type, reserved_port_type; -type tftp_port_t, port_type, reserved_port_type; -type printer_port_t, port_type, reserved_port_type; -type mysqld_port_t, port_type; -type postgresql_port_t, port_type; -type ptal_port_t, port_type; -type howl_port_t, port_type; -type dict_port_t, port_type; -type syslogd_port_t, port_type, reserved_port_type; -type spamd_port_t, port_type, reserved_port_type; -type ssh_port_t, port_type, reserved_port_type; -type pxe_port_t, port_type; -type amanda_port_t, port_type; -type fingerd_port_t, port_type, reserved_port_type; -type dhcpc_port_t, port_type, reserved_port_type; -type ntp_port_t, port_type, reserved_port_type; -type stunnel_port_t, port_type; -type zebra_port_t, port_type; -type i18n_input_port_t, port_type; -type vnc_port_t, port_type; -type pegasus_http_port_t, port_type; -type pegasus_https_port_t, port_type; -type openvpn_port_t, port_type; -type clamd_port_t, port_type; -type transproxy_port_t, port_type; -type clockspeed_port_t, port_type; -type pyzor_port_t, port_type; -type postgrey_port_t, port_type; -type asterisk_port_t, port_type; -type utcpserver_port_t, port_type; -type nessus_port_t, port_type; -type razor_port_t, port_type; -type distccd_port_t, port_type; -type socks_port_t, port_type; -type gatekeeper_port_t, port_type; -type dcc_port_t, port_type; -type lrrd_port_t, port_type; -type jabber_client_port_t, port_type; -type jabber_interserver_port_t, port_type; -type ircd_port_t, port_type; -type giftd_port_t, port_type; -type soundd_port_t, port_type; -type imaze_port_t, port_type; -type monopd_port_t, port_type; -# Differentiate between the port where amavisd receives mail, and the -# port where it returns cleaned mail back to the MTA. 
-type amavisd_recv_port_t, port_type; -type amavisd_send_port_t, port_type; -type innd_port_t, port_type, reserved_port_type; -type snmp_port_t, port_type, reserved_port_type; -type biff_port_t, port_type, reserved_port_type; -type hplip_port_t, port_type; - -#inetd_child_ports - -type rlogind_port_t, port_type, reserved_port_type; -type telnetd_port_t, port_type, reserved_port_type; -type comsat_port_t, port_type, reserved_port_type; -type cvs_port_t, port_type; -type dbskkd_port_t, port_type; -type inetd_child_port_t, port_type, reserved_port_type; -type ktalkd_port_t, port_type, reserved_port_type; -type rsync_port_t, port_type, reserved_port_type; -type uucpd_port_t, port_type, reserved_port_type; -type swat_port_t, port_type, reserved_port_type; -type zope_port_t, port_type; -type auth_port_t, port_type, reserved_port_type; - -# afs ports - -type afs_fs_port_t, port_type; -type afs_pt_port_t, port_type; -type afs_vl_port_t, port_type; -type afs_ka_port_t, port_type; -type afs_bos_port_t, port_type; - diff --git a/targeted/types/nfs.te b/targeted/types/nfs.te deleted file mode 100644 index e6dd6e0e..00000000 --- a/targeted/types/nfs.te +++ /dev/null @@ -1,21 +0,0 @@ -# -# Authors: Stephen Smalley and Timothy Fraser -# - -############################################# -# -# NFS types -# - -# -# nfs_t is the default type for NFS file systems -# and their files. -# The nfs_*_t types are used for specific NFS -# servers in net_contexts or net_contexts.mls. -# -type nfs_t, mount_point, fs_type; - -# -# Allow NFS files to be associated with an NFS file system. -# -allow file_type nfs_t:filesystem associate; diff --git a/targeted/types/procfs.te b/targeted/types/procfs.te deleted file mode 100644 index 20703ac5..00000000 --- a/targeted/types/procfs.te +++ /dev/null 
@@ -1,50 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Procfs types
-#
-
-#
-# proc_t is the type of /proc.
-# proc_kmsg_t is the type of /proc/kmsg.
-# proc_kcore_t is the type of /proc/kcore.
-# proc_mdstat_t is the type of /proc/mdstat.
-# proc_net_t is the type of /proc/net.
-#
-type proc_t, fs_type, mount_point, proc_fs;
-type proc_kmsg_t, proc_fs;
-type proc_kcore_t, proc_fs;
-type proc_mdstat_t, proc_fs;
-type proc_net_t, proc_fs;
-
-#
-# sysctl_t is the type of /proc/sys.
-# sysctl_fs_t is the type of /proc/sys/fs.
-# sysctl_kernel_t is the type of /proc/sys/kernel.
-# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
-# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
-# sysctl_net_t is the type of /proc/sys/net.
-# sysctl_net_unix_t is the type of /proc/sys/net/unix.
-# sysctl_vm_t is the type of /proc/sys/vm.
-# sysctl_dev_t is the type of /proc/sys/dev.
-# sysctl_rpc_t is the type of /proc/net/rpc.
-#
-# These types are applied to both the entries in
-# /proc/sys and the corresponding sysctl parameters.
-#
-type sysctl_t, mount_point, sysctl_type;
-type sysctl_fs_t, sysctl_type;
-type sysctl_kernel_t, sysctl_type;
-type sysctl_modprobe_t, sysctl_type;
-type sysctl_hotplug_t, sysctl_type;
-type sysctl_net_t, sysctl_type;
-type sysctl_net_unix_t, sysctl_type;
-type sysctl_vm_t, sysctl_type;
-type sysctl_dev_t, sysctl_type;
-type sysctl_rpc_t, sysctl_type;
-type sysctl_irq_t, sysctl_type;
-
-
diff --git a/targeted/types/security.te b/targeted/types/security.te
deleted file mode 100644
index cc1574f8..00000000
--- a/targeted/types/security.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Authors: Stephen Smalley and Timothy Fraser
-#
-
-############################################
-#
-# Security types
-#
-
-#
-# security_t is the target type when checking
-# the permissions in the security class. It is also
-# applied to selinuxfs inodes.
-#
-type security_t, mount_point, fs_type, mlstrustedobject;
-dontaudit domain security_t:dir search;
-dontaudit domain security_t:file { getattr read };
-
-#
-# policy_config_t is the type of /etc/security/selinux/*
-# the security server policy configuration.
-#
-type policy_config_t, file_type, secadmfile;
-# Since libselinux attempts to read these by default, most domains
-# do not need it.
-dontaudit domain selinux_config_t:dir search;
-dontaudit domain selinux_config_t:file { getattr read };
-
-#
-# policy_src_t is the type of the policy source
-# files.
-#
-type policy_src_t, file_type, secadmfile;
-
-
-#
-# default_context_t is the type applied to
-# /etc/selinux/*/contexts/*
-#
-type default_context_t, file_type, login_contexts, secadmfile;
-
-#
-# file_context_t is the type applied to
-# /etc/selinux/*/contexts/files
-#
-type file_context_t, file_type, secadmfile;
-
-#
-# no_access_t is the type for objects that should
-# only be accessed administratively.
-#
-type no_access_t, file_type, sysadmfile;
-
-#
-# selinux_config_t is the type applied to
-# /etc/selinux/config
-#
-type selinux_config_t, file_type, secadmfile;
-
-
diff --git a/targeted/types/x.te b/targeted/types/x.te
deleted file mode 100644
index 0cee3145..00000000
--- a/targeted/types/x.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# Authors: Eamon Walsh
-#
-
-#######################################
-#
-# Types for the SELinux-enabled X Window System
-#
-
-#
-# X protocol extension types. The SELinux extension in the X server
-# has a hardcoded table that maps actual extension names to these types.
-#
-type accelgraphics_ext_t, xextension;
-type debug_ext_t, xextension;
-type font_ext_t, xextension;
-type input_ext_t, xextension;
-type screensaver_ext_t, xextension;
-type security_ext_t, xextension;
-type shmem_ext_t, xextension;
-type std_ext_t, xextension;
-type sync_ext_t, xextension;
-type unknown_ext_t, xextension;
-type video_ext_t, xextension;
-type windowmgr_ext_t, xextension;
-
-#
-# X property types. The SELinux extension in the X server has a
-# hardcoded table that maps actual extension names to these types.
-#
-type wm_property_t, xproperty;
-type unknown_property_t, xproperty;
diff --git a/targeted/users b/targeted/users
deleted file mode 100644
index 88adac5a..00000000
--- a/targeted/users
+++ /dev/null
@@ -1,38 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines each user recognized by the system security policy.
-# Only the user identities defined in this file may be used as the
-# user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity. The syntax of a user declaration is:
-#
-# user username roles role_set [ ranges MLS_range_set ] level s0 range s0;
-#
-# The MLS range set should only be specified if MLS was enabled
-# for the module and checkpolicy.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system_u,
-# and a user process should never be assigned the system_u user
-# identity.
-#
-user system_u roles system_r level s0 range s0 - s0:c0.c255;
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. Authorized for all roles in the
-# relaxed policy. sysadm_r is retained for compatibility, but could
-# be dropped as long as userspace has no hardcoded dependency on it.
-# user_u must be retained due to present userspace hardcoded dependency.
-#
-user user_u roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
-
-# root is retained as a separate user identity simply as a compatibility
-# measure with the "strict" policy. It could be dropped and mapped to user_u
-# but this allows existing file contexts that have "root" as the user identity
-# to remain valid.
-user root roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
diff --git a/tools/buildtest.sh b/tools/buildtest.sh
index 2878de35..7bcb4049 100755
--- a/tools/buildtest.sh
+++ b/tools/buildtest.sh
@@ -4,7 +4,7 @@ DISTROS="rhel4 gentoo debian" TYPES="strict targeted strict-mcs targeted-mcs strict-mls targeted-mls" POLVER="`checkpolicy -V |cut -f 1 -d ' '`" SETFILES="/usr/sbin/setfiles" -SE_LINK="/usr/bin/semodule_link" +SE_LINK="time -p /usr/bin/semodule_link" die() { if [ "$1" -eq "1" ]; then @@ -14,18 +14,20 @@ die() { exit 1 } -cleanup() { - make bare +cleanup_mon() { + make MONOLITHIC=y bare +} + +cleanup_mod() { make MONOLITHIC=n bare } do_test() { local OPTS="" - trap cleanup SIGINT SIGQUIT - for i in $TYPES; do # Monolithic tests + trap cleanup_mon SIGINT SIGQUIT OPTS="TYPE=$i MONOLITHIC=y QUIET=y DIRECT_INITRC=y" [ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1" echo "**** Options: $OPTS ****" @@ -34,9 +36,10 @@ do_test() { make $OPTS || die "$?" "$OPTS" make $OPTS file_contexts || die "$?" "$OPTS" $SETFILES -q -c policy.$POLVER file_contexts || die "$?" "$OPTS" - make $OPTS bare || die "$?" "$OPTS" + cleanup_mon # Loadable module tests + trap cleanup_mod SIGINT SIGQUIT OPTS="TYPE=$i MONOLITHIC=n QUIET=y DIRECT_INITRC=y" [ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1" echo "**** Options: $OPTS ****" @@ -48,11 +51,16 @@ do_test() { ############# FIXME rm dmesg.pp $SE_LINK tmp/base.pp *.pp || die "$?" "$OPTS" - make $OPTS bare || die "$?" "$OPTS" + cleanup_mod done } -cleanup +cleanup_mon +cleanup_mod do_test +for i in $DISTROS; do + do_test $i +done + echo "Completed successfully." diff --git a/tools/quicktest.sh b/tools/quicktest.sh index e97f81d4..9d62f8ec 100755 --- a/tools/quicktest.sh +++ b/tools/quicktest.sh @@ -3,7 +3,7 @@ TYPES="strict targeted-mcs strict-mls" POLVER="`checkpolicy -V |cut -f 1 -d ' '`" SETFILES="/usr/sbin/setfiles" -SE_LINK="/usr/bin/semodule_link" +SE_LINK="time -p /usr/bin/semodule_link" die() { if [ "$1" -eq "1" ]; then 
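Review bot: `SE_LINK="time -p /usr/bin/semodule_link"` is only ever expanded from a variable at `$SE_LINK tmp/base.pp *.pp || die "$?" "$OPTS"`, and a shell does not recognise its `time` reserved word after expansion, so this runs whatever external `time` command is on PATH; on a host without that binary the link step fails with "command not found" and die reports it as a link failure. A function keeps the keyword form and still returns semodule_link's status: `se_link() { time -p /usr/bin/semodule_link "$@"; }`, called as `se_link tmp/base.pp *.pp || die "$?" "$OPTS"`. The identical change is made in tools/quicktest.sh at @@ -3,7 +3,7 @@.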
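Review bot: The handlers installed by `trap cleanup_mon SIGINT SIGQUIT` (and `trap cleanup_mod SIGINT SIGQUIT` in the following hunk) run `make ... bare` and return, so the script only stops after an interrupt because the interrupted command's own `|| die` fails; the new unguarded `cleanup_mon` and `cleanup_mod` calls and `rm dmesg.pp` have no such guard, and an interrupt landing there lets the loop carry on into the next build. Since the same functions are also called directly at the end of the script, the exit belongs in the trap, not the function: `trap 'cleanup_mon; exit 1' SIGINT SIGQUIT` and `trap 'cleanup_mod; exit 1' SIGINT SIGQUIT`. The same hunks appear in tools/quicktest.sh at @@ -13,18 +13,20 @@ and @@ -33,9 +35,10 @@.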
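Review bot: Replacing `make $OPTS bare || die "$?" "$OPTS"` with a bare `cleanup_mon` drops the failure check, so a `make bare` that errors (for example a permission problem in tmp/) is silently ignored and the next TYPE builds on top of stale output; the same happens with `cleanup_mod` in the next hunk. `cleanup_mon || die "$?" "$OPTS"` and `cleanup_mod || die "$?" "$OPTS"` keep the check. It is also worth confirming that the `bare` target does not depend on the TYPE/DISTRO settings the old call passed in `$OPTS`, since the new functions only pass MONOLITHIC. tools/quicktest.sh makes the same substitution at @@ -33,9 +35,10 @@ and @@ -47,11 +50,12 @@.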
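Review bot: The new `for i in $DISTROS; do do_test $i; done` shares `i` with the `for i in $TYPES` loop inside do_test, which never declares it local; it works only because the word list is expanded before the first iteration, and `$i` afterwards names a type rather than a distro. Giving the outer loop its own name avoids the trap: `for distro in $DISTROS; do do_test "$distro"; done`, or add `i` to the function's `local OPTS=""` line (that line sits in the @@ -14,18 +14,20 @@ hunk above). do_test's body starts outside this hunk.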
@@ -13,18 +13,20 @@ die() {
 exit 1
 }
 
-cleanup() {
- make bare
+cleanup_mon() {
+ make MONOLITHIC=y bare
+}
+
+cleanup_mod() {
 make MONOLITHIC=n bare
 }
 
 do_test() {
 local OPTS=""
 
- trap cleanup SIGINT SIGQUIT
-
 for i in $TYPES; do
 # Monolithic tests
+ trap cleanup_mon SIGINT SIGQUIT
 OPTS="TYPE=$i MONOLITHIC=y QUIET=y DIRECT_INITRC=y"
 [ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
 echo "**** Options: $OPTS ****"
@@ -33,9 +35,10 @@ do_test() {
 make $OPTS || die "$?" "$OPTS"
 make $OPTS file_contexts || die "$?" "$OPTS"
 $SETFILES -q -c policy.$POLVER file_contexts || die "$?" "$OPTS"
- make $OPTS bare || die "$?" "$OPTS"
+ cleanup_mon
 
 # Loadable module tests
+ trap cleanup_mod SIGINT SIGQUIT
 OPTS="TYPE=$i MONOLITHIC=n QUIET=y DIRECT_INITRC=y"
 [ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
 echo "**** Options: $OPTS ****"
@@ -47,11 +50,12 @@ do_test() {
 ############# FIXME
 rm dmesg.pp
 $SE_LINK tmp/base.pp *.pp || die "$?" "$OPTS"
- make $OPTS bare || die "$?" "$OPTS"
+ cleanup_mod
 done
 }
 
-cleanup
+cleanup_mon
+cleanup_mod
 do_test
 
 echo "Completed successfully."