more missing types
This commit is contained in:
parent
19b5555f77
commit
710791f1a4
@ -57,6 +57,13 @@ neverallow ~rw_kern_modules modules_object_t:file { create append write };
|
|||||||
type system_map_t;
|
type system_map_t;
|
||||||
files_type(system_map_t)
|
files_type(system_map_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# /var/log/ksyms
|
||||||
|
# cjp: this probably can be removed, I do not
|
||||||
|
# think it is used on 2.6 kernels
|
||||||
|
type var_log_ksyms_t;
|
||||||
|
files_type(var_log_ksyms_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# bootloader local policy
|
# bootloader local policy
|
||||||
|
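Review bot: The new `var_log_ksyms_t` type is declared together with a comment saying it probably can be removed, so the hunk adds a type (plus whatever `files_type()` attaches to it) that the author already expects to be dead; the devices hunk further down does the same for `xconsole_device_t` and `devfs_control_t`. Using the `# TODO:` prefix that the devices hunk already puts on the xconsole block — e.g. `# TODO: cjp: this probably can be removed, I do not think it is used on 2.6 kernels` — on all three would make the stale declarations easy to locate when they are pruned.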
@ -56,18 +56,19 @@ network_port(dbskkd, tcp,1178,s0)
|
|||||||
network_port(dhcpc, udp,68,s0)
|
network_port(dhcpc, udp,68,s0)
|
||||||
network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
|
network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
|
||||||
network_port(dict, tcp,2628,s0)
|
network_port(dict, tcp,2628,s0)
|
||||||
network_port(distcc, tcp,3632,s0)
|
network_port(distccd, tcp,3632,s0)
|
||||||
network_port(dns, udp,53,s0, tcp,53,s0)
|
network_port(dns, udp,53,s0, tcp,53,s0)
|
||||||
network_port(fingerd, tcp,79,s0)
|
network_port(fingerd, tcp,79,s0)
|
||||||
network_port(ftp_data, tcp,20,s0)
|
network_port(ftp_data, tcp,20,s0)
|
||||||
network_port(ftp, tcp,21,s0)
|
network_port(ftp, tcp,21,s0)
|
||||||
|
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
||||||
network_port(giftd, tcp,1213,s0)
|
network_port(giftd, tcp,1213,s0)
|
||||||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
||||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
|
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
|
||||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||||
network_port(hplip, tcp,50000,s0, tcp,50002,s0)
|
network_port(hplip, tcp,50000,s0, tcp,50002,s0)
|
||||||
type i18n_input_t, port_type; dnl network_port(i18n_input) # no defined portcon in current strict
|
type i18n_input_port_t, port_type; dnl network_port(i18n_input) # no defined portcon in current strict
|
||||||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||||
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||||
network_port(innd, tcp,119,s0)
|
network_port(innd, tcp,119,s0)
|
||||||
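Review bot: Renaming the `network_port(distcc, tcp,3632,s0)` line to `distccd` changes the derived type name, not just a label: going by the `type stunnel_port_t, port_type; dnl network_port(stunnel)` pairs in this file, the macro appears to generate `<name>_port_t`, so this becomes `distccd_port_t` and any module still referring to `distcc_port_t` would stop building. The commit title ("more missing types") does not mention the rename; either call it out in the message or confirm there are no remaining users of the old name before merging.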
@ -81,6 +82,7 @@ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
|||||||
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
|
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
|
||||||
|
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||||
network_port(mail, tcp,2000,s0)
|
network_port(mail, tcp,2000,s0)
|
||||||
network_port(monopd, tcp,1234,s0)
|
network_port(monopd, tcp,1234,s0)
|
||||||
network_port(mysqld, tcp,3306,s0)
|
network_port(mysqld, tcp,3306,s0)
|
||||||
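Review bot: The commented-out call on the added lrrd line passes the full type name, `dnl network_port(lrrd_port_t)`, whereas the neighbouring placeholder lines pass the bare prefix (`network_port(socks)`, `network_port(stunnel)`, `network_port(utcpserver)`); if someone later removes the `dnl` as written, the macro would presumably produce `lrrd_port_t_port_t` rather than the declared `lrrd_port_t`. Suggest `type lrrd_port_t, port_type; dnl network_port(lrrd) # no defined portcon` so the disabled call matches the pattern used by the other entries.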
@ -101,6 +103,7 @@ network_port(pyzor, udp,24441,s0)
|
|||||||
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||||
network_port(radius, udp,1645,s0, udp,1812,s0)
|
network_port(radius, udp,1645,s0, udp,1812,s0)
|
||||||
network_port(razor, tcp,2703,s0)
|
network_port(razor, tcp,2703,s0)
|
||||||
|
network_port(rlogind, tcp,513,s0)
|
||||||
network_port(rndc, tcp,953,s0)
|
network_port(rndc, tcp,953,s0)
|
||||||
network_port(rsh, tcp,514,s0)
|
network_port(rsh, tcp,514,s0)
|
||||||
network_port(rsync, tcp,873,s0, udp,873,s0)
|
network_port(rsync, tcp,873,s0, udp,873,s0)
|
||||||
@ -110,12 +113,14 @@ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
|||||||
network_port(spamd, tcp,783,s0)
|
network_port(spamd, tcp,783,s0)
|
||||||
network_port(ssh, tcp,22,s0)
|
network_port(ssh, tcp,22,s0)
|
||||||
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
|
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
|
||||||
|
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
||||||
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
||||||
network_port(swat, tcp,901,s0)
|
network_port(swat, tcp,901,s0)
|
||||||
network_port(syslogd, udp,514,s0)
|
network_port(syslogd, udp,514,s0)
|
||||||
network_port(telnetd, tcp,23,s0)
|
network_port(telnetd, tcp,23,s0)
|
||||||
network_port(tftp, udp,69,s0)
|
network_port(tftp, udp,69,s0)
|
||||||
network_port(transproxy, tcp,8081,s0)
|
network_port(transproxy, tcp,8081,s0)
|
||||||
|
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
||||||
network_port(uucpd, tcp,540,s0)
|
network_port(uucpd, tcp,540,s0)
|
||||||
network_port(vnc, tcp,5900,s0)
|
network_port(vnc, tcp,5900,s0)
|
||||||
network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
|
network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
|
||||||
@ -142,7 +147,7 @@ sid node gen_context(system_u:object_r:node_t,s0)
|
|||||||
|
|
||||||
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
|
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
|
||||||
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
|
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
|
||||||
dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
|
type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
|
||||||
network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
|
network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
|
||||||
network_node(lo, s0, 127.0.0.1, 255.255.255.255)
|
network_node(lo, s0, 127.0.0.1, 255.255.255.255)
|
||||||
network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
|
network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
|
||||||
|
@ -193,3 +193,17 @@ type zero_device_t, device_node;
|
|||||||
fs_associate(zero_device_t)
|
fs_associate(zero_device_t)
|
||||||
fs_associate_tmpfs(zero_device_t)
|
fs_associate_tmpfs(zero_device_t)
|
||||||
mls_trusted_object(zero_device_t)
|
mls_trusted_object(zero_device_t)
|
||||||
|
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
|
||||||
|
# this is not actually a device
|
||||||
|
# move it to xserver
|
||||||
|
type xconsole_device_t;
|
||||||
|
files_type(xconsole_device_t)
|
||||||
|
|
||||||
|
# devfs is dead on selinux
|
||||||
|
# this should be removed
|
||||||
|
type devfs_control_t, device_node;
|
||||||
|
fs_associate(devfs_control_t)
|
||||||
|
fs_associate_tmpfs(devfs_control_t)
|
||||||
|
@ -40,6 +40,12 @@ interface(`domain_base_type',`
|
|||||||
|
|
||||||
# allow $1 to create child processes in this domain
|
# allow $1 to create child processes in this domain
|
||||||
allow $1 self:process { fork sigchld };
|
allow $1 self:process { fork sigchld };
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
tunable_policy(`allow_execmem',`
|
||||||
|
allow $1 self:process execmem;
|
||||||
|
')
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
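Review bot: The added `tunable_policy(`allow_execmem',` block is placed inside `domain_base_type`, which every domain type passes through, so under targeted policy switching the boolean on grants `self:process execmem` to every domain rather than to the handful that need executable anonymous memory, widening a per-domain W^X control into a policy-wide one. If that breadth is intended it should be stated next to the block, e.g. `# targeted_policy: allow_execmem is policy-wide -- every domain built on domain_base_type gets execmem when the boolean is on`; otherwise a dedicated interface called only from the domains that need it would keep the grant scoped. The body of `domain_base_type` begins before this hunk.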