Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
Allow shutdown to write utmp and search /var/log Allow mozilla_plugin to send nsplugin signals Split out samba_run_unconfined_net from unconfined_domain stuff. TO allow unconfined.pp module to be removed Allow nrpe to send signal and sigkill to the plugins Fix up xguest to allow it to read hwdata and gconf_etc_t Allow initrc_t to manage faillog
This commit is contained in:
parent
8c47ad04ba
commit
6ed3f15e82
@ -98,9 +98,12 @@ mlsconstrain process { transition dyntransition }
|
|||||||
mlsconstrain process { ptrace }
|
mlsconstrain process { ptrace }
|
||||||
(( h1 dom h2) or ( t1 == mcsptraceall ));
|
(( h1 dom h2) or ( t1 == mcsptraceall ));
|
||||||
|
|
||||||
mlsconstrain process { signal sigkill sigstop }
|
mlsconstrain process { sigkill sigstop }
|
||||||
(( h1 dom h2 ) or ( t1 == mcskillall ));
|
(( h1 dom h2 ) or ( t1 == mcskillall ));
|
||||||
|
|
||||||
|
mlsconstrain process { signal }
|
||||||
|
(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
|
||||||
|
|
||||||
#
|
#
|
||||||
# MCS policy for SELinux-enabled databases
|
# MCS policy for SELinux-enabled databases
|
||||||
#
|
#
|
||||||
|
@ -43,10 +43,10 @@ term_use_all_terms(shutdown_t)
|
|||||||
auth_use_nsswitch(shutdown_t)
|
auth_use_nsswitch(shutdown_t)
|
||||||
auth_write_login_records(shutdown_t)
|
auth_write_login_records(shutdown_t)
|
||||||
|
|
||||||
init_dontaudit_write_utmp(shutdown_t)
|
init_rw_utmp(shutdown_t)
|
||||||
init_read_utmp(shutdown_t)
|
|
||||||
init_telinit(shutdown_t)
|
init_telinit(shutdown_t)
|
||||||
|
|
||||||
|
logging_search_logs(shutdown_t)
|
||||||
logging_send_audit_msgs(shutdown_t)
|
logging_send_audit_msgs(shutdown_t)
|
||||||
|
|
||||||
miscfiles_read_localization(shutdown_t)
|
miscfiles_read_localization(shutdown_t)
|
||||||
|
@ -366,6 +366,7 @@ optional_policy(`
|
|||||||
nsplugin_rw_exec(mozilla_plugin_t)
|
nsplugin_rw_exec(mozilla_plugin_t)
|
||||||
nsplugin_manage_home_dirs(mozilla_plugin_t)
|
nsplugin_manage_home_dirs(mozilla_plugin_t)
|
||||||
nsplugin_manage_home_files(mozilla_plugin_t)
|
nsplugin_manage_home_files(mozilla_plugin_t)
|
||||||
|
nsplugin_signal(mozilla_plugin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -168,6 +168,7 @@ interface(`nsplugin_domtrans',`
|
|||||||
allow $1 nsplugin_t:unix_stream_socket connectto;
|
allow $1 nsplugin_t:unix_stream_socket connectto;
|
||||||
allow nsplugin_t $1:process signal;
|
allow nsplugin_t $1:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## The per role template for the nsplugin module.
|
## The per role template for the nsplugin module.
|
||||||
@ -390,3 +391,21 @@ interface(`nsplugin_exec_domtrans',`
|
|||||||
allow $2 nsplugin_exec_t:file entrypoint;
|
allow $2 nsplugin_exec_t:file entrypoint;
|
||||||
domtrans_pattern($1, nsplugin_exec_t, $2)
|
domtrans_pattern($1, nsplugin_exec_t, $2)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send generic signals to user nsplugin processes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`nsplugin_signal',`
|
||||||
|
gen_require(`
|
||||||
|
type nsplugin_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 nsplugin_t:process signal;
|
||||||
|
')
|
||||||
|
@ -90,6 +90,7 @@ template(`sandbox_domain_template',`
|
|||||||
application_type($1_t)
|
application_type($1_t)
|
||||||
|
|
||||||
mls_rangetrans_target($1_t)
|
mls_rangetrans_target($1_t)
|
||||||
|
mcs_untrusted_proc($1_t)
|
||||||
|
|
||||||
type $1_file_t, sandbox_file_type;
|
type $1_file_t, sandbox_file_type;
|
||||||
files_type($1_file_t)
|
files_type($1_file_t)
|
||||||
@ -123,6 +124,7 @@ template(`sandbox_x_domain_template',`
|
|||||||
|
|
||||||
type $1_t, sandbox_x_domain;
|
type $1_t, sandbox_x_domain;
|
||||||
application_type($1_t)
|
application_type($1_t)
|
||||||
|
mcs_untrusted_proc($1_t)
|
||||||
|
|
||||||
type $1_file_t, sandbox_file_type;
|
type $1_file_t, sandbox_file_type;
|
||||||
files_type($1_file_t)
|
files_type($1_file_t)
|
||||||
@ -145,6 +147,7 @@ template(`sandbox_x_domain_template',`
|
|||||||
|
|
||||||
type $1_client_t, sandbox_x_domain;
|
type $1_client_t, sandbox_x_domain;
|
||||||
application_type($1_client_t)
|
application_type($1_client_t)
|
||||||
|
mcs_untrusted_proc($1_t)
|
||||||
|
|
||||||
type $1_client_tmpfs_t, sandbox_tmpfs_type;
|
type $1_client_tmpfs_t, sandbox_tmpfs_type;
|
||||||
files_tmpfs_file($1_client_tmpfs_t)
|
files_tmpfs_file($1_client_tmpfs_t)
|
||||||
|
@ -102,3 +102,30 @@ interface(`mcs_process_set_categories',`
|
|||||||
|
|
||||||
typeattribute $1 mcssetcats;
|
typeattribute $1 mcssetcats;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Make specified process type MCS untrusted.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Make specified process type MCS untrusted. This
|
||||||
|
## prevents this process from sending signals to other processes
|
||||||
|
## with different mcs labels
|
||||||
|
## object.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mcs_untrusted_proc',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mcsuntrustedproc;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mcsuntrustedproc;
|
||||||
|
')
|
||||||
|
|
||||||
|
@ -10,3 +10,5 @@ attribute mcsptraceall;
|
|||||||
attribute mcssetcats;
|
attribute mcssetcats;
|
||||||
attribute mcswriteall;
|
attribute mcswriteall;
|
||||||
attribute mcsreadall;
|
attribute mcsreadall;
|
||||||
|
attribute mcsuntrustedproc;
|
||||||
|
|
||||||
|
@ -371,8 +371,11 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
samba_role_notrans(unconfined_r)
|
optional_policy(`
|
||||||
samba_run_unconfined_net(unconfined_t, unconfined_r)
|
samba_run_unconfined_net(unconfined_t, unconfined_r)
|
||||||
|
')
|
||||||
|
|
||||||
|
samba_role_notrans(unconfined_r)
|
||||||
# samba_run_winbind_helper(unconfined_t, unconfined_r)
|
# samba_run_winbind_helper(unconfined_t, unconfined_r)
|
||||||
samba_run_smbcontrol(unconfined_t, unconfined_r)
|
samba_run_smbcontrol(unconfined_t, unconfined_r)
|
||||||
')
|
')
|
||||||
|
@ -26,6 +26,7 @@ template(`nagios_plugin_template',`
|
|||||||
allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
|
allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
||||||
|
allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };
|
||||||
|
|
||||||
# needed by command.cfg
|
# needed by command.cfg
|
||||||
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
||||||
|
@ -555,11 +555,10 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
|
|||||||
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
|
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
allow smbcontrol_t nmbd_t:process { signal signull };
|
allow smbcontrol_t nmbd_t:process { signal signull };
|
||||||
|
read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
|
||||||
|
|
||||||
allow smbcontrol_t nmbd_var_run_t:file { read lock };
|
allow smbcontrol_t smbd_t:process { signal signull };
|
||||||
|
read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
|
||||||
allow smbcontrol_t smbd_t:process signal;
|
|
||||||
|
|
||||||
allow smbcontrol_t winbind_t:process { signal signull };
|
allow smbcontrol_t winbind_t:process { signal signull };
|
||||||
|
|
||||||
files_search_var_lib(smbcontrol_t)
|
files_search_var_lib(smbcontrol_t)
|
||||||
|
@ -21,6 +21,7 @@ template(`virt_domain_template',`
|
|||||||
domain_type($1_t)
|
domain_type($1_t)
|
||||||
domain_user_exemption_target($1_t)
|
domain_user_exemption_target($1_t)
|
||||||
mls_rangetrans_target($1_t)
|
mls_rangetrans_target($1_t)
|
||||||
|
mcs_untrusted_proc($1_t)
|
||||||
role system_r types $1_t;
|
role system_r types $1_t;
|
||||||
|
|
||||||
type $1_devpts_t;
|
type $1_devpts_t;
|
||||||
|
@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
|
|||||||
|
|
||||||
miscfiles_read_fonts($2)
|
miscfiles_read_fonts($2)
|
||||||
miscfiles_setattr_fonts_cache_dirs($2)
|
miscfiles_setattr_fonts_cache_dirs($2)
|
||||||
|
miscfiles_read_hwdata($2)
|
||||||
|
|
||||||
xserver_common_x_domain_template(user, $2)
|
xserver_common_x_domain_template(user, $2)
|
||||||
xserver_xsession_entry_type($2)
|
xserver_xsession_entry_type($2)
|
||||||
@ -127,6 +128,10 @@ interface(`xserver_restricted_role',`
|
|||||||
tunable_policy(`user_direct_dri',`
|
tunable_policy(`user_direct_dri',`
|
||||||
dev_rw_dri($2)
|
dev_rw_dri($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gnome_read_gconf_config($2)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1038,6 +1043,7 @@ interface(`xserver_read_xdm_etc_files',`
|
|||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
read_files_pattern($1, xdm_etc_t, xdm_etc_t)
|
read_files_pattern($1, xdm_etc_t, xdm_etc_t)
|
||||||
|
read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -783,6 +783,25 @@ interface(`auth_rw_faillog',`
|
|||||||
allow $1 faillog_t:file rw_file_perms;
|
allow $1 faillog_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage the login failure log.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`auth_manage_faillog',`
|
||||||
|
gen_require(`
|
||||||
|
type faillog_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
logging_search_logs($1)
|
||||||
|
allow $1 faillog_t:file manage_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read the last logins log.
|
## Read the last logins log.
|
||||||
|
@ -505,6 +505,7 @@ auth_read_pam_pid(initrc_t)
|
|||||||
auth_delete_pam_pid(initrc_t)
|
auth_delete_pam_pid(initrc_t)
|
||||||
auth_delete_pam_console_data(initrc_t)
|
auth_delete_pam_console_data(initrc_t)
|
||||||
auth_use_nsswitch(initrc_t)
|
auth_use_nsswitch(initrc_t)
|
||||||
|
auth_manage_faillog(initrc_t)
|
||||||
|
|
||||||
libs_rw_ld_so_cache(initrc_t)
|
libs_rw_ld_so_cache(initrc_t)
|
||||||
libs_exec_lib_files(initrc_t)
|
libs_exec_lib_files(initrc_t)
|
||||||
|
Loading…
Reference in New Issue
Block a user