Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
Allow shutdown to write utmp and search /var/log Allow mozilla_plugin to send nsplugin signals Split out samba_run_unconfined_net from unconfined_domain stuff. TO allow unconfined.pp module to be removed Allow nrpe to send signal and sigkill to the plugins Fix up xguest to allow it to read hwdata and gconf_etc_t Allow initrc_t to manage faillog
This commit is contained in:
Dan Walsh
parent
8c47ad04ba
commit
6ed3f15e82
@ -98,9 +98,12 @@ mlsconstrain process { transition dyntransition }
|
||||
mlsconstrain process { ptrace }
|
||||
(( h1 dom h2) or ( t1 == mcsptraceall ));
|
||||
|
||||
mlsconstrain process { signal sigkill sigstop }
|
||||
mlsconstrain process { sigkill sigstop }
|
||||
(( h1 dom h2 ) or ( t1 == mcskillall ));
|
||||
|
||||
mlsconstrain process { signal }
|
||||
(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
|
||||
|
||||
#
|
||||
# MCS policy for SELinux-enabled databases
|
||||
#
|
||||
|
||||
@ -43,10 +43,10 @@ term_use_all_terms(shutdown_t)
|
||||
auth_use_nsswitch(shutdown_t)
|
||||
auth_write_login_records(shutdown_t)
|
||||
|
||||
init_dontaudit_write_utmp(shutdown_t)
|
||||
init_read_utmp(shutdown_t)
|
||||
init_rw_utmp(shutdown_t)
|
||||
init_telinit(shutdown_t)
|
||||
|
||||
logging_search_logs(shutdown_t)
|
||||
logging_send_audit_msgs(shutdown_t)
|
||||
|
||||
miscfiles_read_localization(shutdown_t)
|
||||
|
||||
@ -366,6 +366,7 @@ optional_policy(`
|
||||
nsplugin_rw_exec(mozilla_plugin_t)
|
||||
nsplugin_manage_home_dirs(mozilla_plugin_t)
|
||||
nsplugin_manage_home_files(mozilla_plugin_t)
|
||||
nsplugin_signal(mozilla_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -168,6 +168,7 @@ interface(`nsplugin_domtrans',`
|
||||
allow $1 nsplugin_t:unix_stream_socket connectto;
|
||||
allow nsplugin_t $1:process signal;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per role template for the nsplugin module.
|
||||
@ -390,3 +391,21 @@ interface(`nsplugin_exec_domtrans',`
|
||||
allow $2 nsplugin_exec_t:file entrypoint;
|
||||
domtrans_pattern($1, nsplugin_exec_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to user nsplugin processes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nsplugin_signal',`
|
||||
gen_require(`
|
||||
type nsplugin_t;
|
||||
')
|
||||
|
||||
allow $1 nsplugin_t:process signal;
|
||||
')
|
||||
|
||||
@ -90,6 +90,7 @@ template(`sandbox_domain_template',`
|
||||
application_type($1_t)
|
||||
|
||||
mls_rangetrans_target($1_t)
|
||||
mcs_untrusted_proc($1_t)
|
||||
|
||||
type $1_file_t, sandbox_file_type;
|
||||
files_type($1_file_t)
|
||||
@ -123,6 +124,7 @@ template(`sandbox_x_domain_template',`
|
||||
|
||||
type $1_t, sandbox_x_domain;
|
||||
application_type($1_t)
|
||||
mcs_untrusted_proc($1_t)
|
||||
|
||||
type $1_file_t, sandbox_file_type;
|
||||
files_type($1_file_t)
|
||||
@ -145,6 +147,7 @@ template(`sandbox_x_domain_template',`
|
||||
|
||||
type $1_client_t, sandbox_x_domain;
|
||||
application_type($1_client_t)
|
||||
mcs_untrusted_proc($1_t)
|
||||
|
||||
type $1_client_tmpfs_t, sandbox_tmpfs_type;
|
||||
files_tmpfs_file($1_client_tmpfs_t)
|
||||
|
||||
@ -102,3 +102,30 @@ interface(`mcs_process_set_categories',`
|
||||
|
||||
typeattribute $1 mcssetcats;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make specified process type MCS untrusted.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Make specified process type MCS untrusted. This
|
||||
## prevents this process from sending signals to other processes
|
||||
## with different mcs labels
|
||||
## object.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mcs_untrusted_proc',`
|
||||
gen_require(`
|
||||
attribute mcsuntrustedproc;
|
||||
')
|
||||
|
||||
typeattribute $1 mcsuntrustedproc;
|
||||
')
|
||||
|
||||
|
||||
@ -10,3 +10,5 @@ attribute mcsptraceall;
|
||||
attribute mcssetcats;
|
||||
attribute mcswriteall;
|
||||
attribute mcsreadall;
|
||||
attribute mcsuntrustedproc;
|
||||
|
||||
|
||||
@ -371,8 +371,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
optional_policy(`
|
||||
samba_run_unconfined_net(unconfined_t, unconfined_r)
|
||||
')
|
||||
|
||||
samba_role_notrans(unconfined_r)
|
||||
samba_run_unconfined_net(unconfined_t, unconfined_r)
|
||||
# samba_run_winbind_helper(unconfined_t, unconfined_r)
|
||||
samba_run_smbcontrol(unconfined_t, unconfined_r)
|
||||
')
|
||||
|
||||
@ -26,6 +26,7 @@ template(`nagios_plugin_template',`
|
||||
allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
||||
allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };
|
||||
|
||||
# needed by command.cfg
|
||||
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
||||
|
||||
@ -555,11 +555,10 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
|
||||
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow smbcontrol_t nmbd_t:process { signal signull };
|
||||
read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
|
||||
|
||||
allow smbcontrol_t nmbd_var_run_t:file { read lock };
|
||||
|
||||
allow smbcontrol_t smbd_t:process signal;
|
||||
|
||||
allow smbcontrol_t smbd_t:process { signal signull };
|
||||
read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
|
||||
allow smbcontrol_t winbind_t:process { signal signull };
|
||||
|
||||
files_search_var_lib(smbcontrol_t)
|
||||
|
||||
@ -21,6 +21,7 @@ template(`virt_domain_template',`
|
||||
domain_type($1_t)
|
||||
domain_user_exemption_target($1_t)
|
||||
mls_rangetrans_target($1_t)
|
||||
mcs_untrusted_proc($1_t)
|
||||
role system_r types $1_t;
|
||||
|
||||
type $1_devpts_t;
|
||||
|
||||
@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
|
||||
|
||||
miscfiles_read_fonts($2)
|
||||
miscfiles_setattr_fonts_cache_dirs($2)
|
||||
miscfiles_read_hwdata($2)
|
||||
|
||||
xserver_common_x_domain_template(user, $2)
|
||||
xserver_xsession_entry_type($2)
|
||||
@ -127,6 +128,10 @@ interface(`xserver_restricted_role',`
|
||||
tunable_policy(`user_direct_dri',`
|
||||
dev_rw_dri($2)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_read_gconf_config($2)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1038,6 +1043,7 @@ interface(`xserver_read_xdm_etc_files',`
|
||||
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, xdm_etc_t, xdm_etc_t)
|
||||
read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -783,6 +783,25 @@ interface(`auth_rw_faillog',`
|
||||
allow $1 faillog_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage the login failure log.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_manage_faillog',`
|
||||
gen_require(`
|
||||
type faillog_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 faillog_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read the last logins log.
|
||||
|
||||
@ -505,6 +505,7 @@ auth_read_pam_pid(initrc_t)
|
||||
auth_delete_pam_pid(initrc_t)
|
||||
auth_delete_pam_console_data(initrc_t)
|
||||
auth_use_nsswitch(initrc_t)
|
||||
auth_manage_faillog(initrc_t)
|
||||
|
||||
libs_rw_ld_so_cache(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user