partial (most of it) merge of selinux-policy-strict-sources-1.27.1-15
This commit is contained in:
parent
c0c7013540
commit
77f6e2cd27
@ -576,6 +576,15 @@ allow $1 $2:unix_stream_socket connectto;
|
||||
#
|
||||
allow $1 $2:unix_dgram_socket sendto;
|
||||
|
||||
#
|
||||
# can_winbind():
|
||||
#
|
||||
ifdef(`winbind.te', `
|
||||
allow $1 winbind_var_run_t:dir { getattr search };
|
||||
allow $1 winbind_t:unix_stream_socket connectto;
|
||||
allow $1 winbind_var_run_t:sock_file { getattr read write };
|
||||
')
|
||||
|
||||
#
|
||||
# can_ypbind(): complete
|
||||
#
|
||||
|
@ -147,13 +147,141 @@ category c124;
|
||||
category c125;
|
||||
category c126;
|
||||
category c127;
|
||||
category c128;
|
||||
category c129;
|
||||
category c130;
|
||||
category c131;
|
||||
category c132;
|
||||
category c133;
|
||||
category c134;
|
||||
category c135;
|
||||
category c136;
|
||||
category c137;
|
||||
category c138;
|
||||
category c139;
|
||||
category c140;
|
||||
category c141;
|
||||
category c142;
|
||||
category c143;
|
||||
category c144;
|
||||
category c145;
|
||||
category c146;
|
||||
category c147;
|
||||
category c148;
|
||||
category c149;
|
||||
category c150;
|
||||
category c151;
|
||||
category c152;
|
||||
category c153;
|
||||
category c154;
|
||||
category c155;
|
||||
category c156;
|
||||
category c157;
|
||||
category c158;
|
||||
category c159;
|
||||
category c160;
|
||||
category c161;
|
||||
category c162;
|
||||
category c163;
|
||||
category c164;
|
||||
category c165;
|
||||
category c166;
|
||||
category c167;
|
||||
category c168;
|
||||
category c169;
|
||||
category c170;
|
||||
category c171;
|
||||
category c172;
|
||||
category c173;
|
||||
category c174;
|
||||
category c175;
|
||||
category c176;
|
||||
category c177;
|
||||
category c178;
|
||||
category c179;
|
||||
category c180;
|
||||
category c181;
|
||||
category c182;
|
||||
category c183;
|
||||
category c184;
|
||||
category c185;
|
||||
category c186;
|
||||
category c187;
|
||||
category c188;
|
||||
category c189;
|
||||
category c190;
|
||||
category c191;
|
||||
category c192;
|
||||
category c193;
|
||||
category c194;
|
||||
category c195;
|
||||
category c196;
|
||||
category c197;
|
||||
category c198;
|
||||
category c199;
|
||||
category c200;
|
||||
category c201;
|
||||
category c202;
|
||||
category c203;
|
||||
category c204;
|
||||
category c205;
|
||||
category c206;
|
||||
category c207;
|
||||
category c208;
|
||||
category c209;
|
||||
category c210;
|
||||
category c211;
|
||||
category c212;
|
||||
category c213;
|
||||
category c214;
|
||||
category c215;
|
||||
category c216;
|
||||
category c217;
|
||||
category c218;
|
||||
category c219;
|
||||
category c220;
|
||||
category c221;
|
||||
category c222;
|
||||
category c223;
|
||||
category c224;
|
||||
category c225;
|
||||
category c226;
|
||||
category c227;
|
||||
category c228;
|
||||
category c229;
|
||||
category c230;
|
||||
category c231;
|
||||
category c232;
|
||||
category c233;
|
||||
category c234;
|
||||
category c235;
|
||||
category c236;
|
||||
category c237;
|
||||
category c238;
|
||||
category c239;
|
||||
category c240;
|
||||
category c241;
|
||||
category c242;
|
||||
category c243;
|
||||
category c244;
|
||||
category c245;
|
||||
category c246;
|
||||
category c247;
|
||||
category c248;
|
||||
category c249;
|
||||
category c250;
|
||||
category c251;
|
||||
category c252;
|
||||
category c253;
|
||||
category c254;
|
||||
category c255;
|
||||
|
||||
|
||||
#
|
||||
# Each MCS level specifies a sensitivity and zero or more categories which may
|
||||
# be associated with that sensitivity.
|
||||
#
|
||||
level s0:c0.c127;
|
||||
level s0:c0.c255;
|
||||
|
||||
#
|
||||
# Define the MCS policy
|
||||
@ -201,9 +329,23 @@ level s0:c0.c127;
|
||||
#
|
||||
# Only files are constrained by MCS at this stage.
|
||||
#
|
||||
mlsconstrain file { read write setattr append unlink link rename
|
||||
mlsconstrain file { write setattr append unlink link rename
|
||||
create ioctl lock execute } (h1 dom h2);
|
||||
|
||||
mlsconstrain file { read } ((h1 dom h2) or
|
||||
( t1 == mlsfileread ));
|
||||
|
||||
|
||||
# new file labels must be dominated by the relabeling subject clearance
|
||||
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
|
||||
( h1 dom h2 );
|
||||
|
||||
define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
|
||||
link unlink rename relabelfrom relabelto }')
|
||||
|
||||
define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
|
||||
rename search add_name remove_name reparent write rmdir relabelfrom
|
||||
relabelto }')
|
||||
|
||||
# XXX
|
||||
#
|
||||
|
@ -15,12 +15,17 @@ sensitivity s6;
|
||||
sensitivity s7;
|
||||
sensitivity s8;
|
||||
sensitivity s9;
|
||||
|
||||
sensitivity s10;
|
||||
sensitivity s11;
|
||||
sensitivity s12;
|
||||
sensitivity s13;
|
||||
sensitivity s14;
|
||||
sensitivity s15;
|
||||
|
||||
#
|
||||
# Define the ordering of the sensitivity levels (least to greatest)
|
||||
#
|
||||
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
|
||||
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
|
||||
|
||||
|
||||
#
|
||||
@ -156,22 +161,156 @@ category c124;
|
||||
category c125;
|
||||
category c126;
|
||||
category c127;
|
||||
category c128;
|
||||
category c129;
|
||||
category c130;
|
||||
category c131;
|
||||
category c132;
|
||||
category c133;
|
||||
category c134;
|
||||
category c135;
|
||||
category c136;
|
||||
category c137;
|
||||
category c138;
|
||||
category c139;
|
||||
category c140;
|
||||
category c141;
|
||||
category c142;
|
||||
category c143;
|
||||
category c144;
|
||||
category c145;
|
||||
category c146;
|
||||
category c147;
|
||||
category c148;
|
||||
category c149;
|
||||
category c150;
|
||||
category c151;
|
||||
category c152;
|
||||
category c153;
|
||||
category c154;
|
||||
category c155;
|
||||
category c156;
|
||||
category c157;
|
||||
category c158;
|
||||
category c159;
|
||||
category c160;
|
||||
category c161;
|
||||
category c162;
|
||||
category c163;
|
||||
category c164;
|
||||
category c165;
|
||||
category c166;
|
||||
category c167;
|
||||
category c168;
|
||||
category c169;
|
||||
category c170;
|
||||
category c171;
|
||||
category c172;
|
||||
category c173;
|
||||
category c174;
|
||||
category c175;
|
||||
category c176;
|
||||
category c177;
|
||||
category c178;
|
||||
category c179;
|
||||
category c180;
|
||||
category c181;
|
||||
category c182;
|
||||
category c183;
|
||||
category c184;
|
||||
category c185;
|
||||
category c186;
|
||||
category c187;
|
||||
category c188;
|
||||
category c189;
|
||||
category c190;
|
||||
category c191;
|
||||
category c192;
|
||||
category c193;
|
||||
category c194;
|
||||
category c195;
|
||||
category c196;
|
||||
category c197;
|
||||
category c198;
|
||||
category c199;
|
||||
category c200;
|
||||
category c201;
|
||||
category c202;
|
||||
category c203;
|
||||
category c204;
|
||||
category c205;
|
||||
category c206;
|
||||
category c207;
|
||||
category c208;
|
||||
category c209;
|
||||
category c210;
|
||||
category c211;
|
||||
category c212;
|
||||
category c213;
|
||||
category c214;
|
||||
category c215;
|
||||
category c216;
|
||||
category c217;
|
||||
category c218;
|
||||
category c219;
|
||||
category c220;
|
||||
category c221;
|
||||
category c222;
|
||||
category c223;
|
||||
category c224;
|
||||
category c225;
|
||||
category c226;
|
||||
category c227;
|
||||
category c228;
|
||||
category c229;
|
||||
category c230;
|
||||
category c231;
|
||||
category c232;
|
||||
category c233;
|
||||
category c234;
|
||||
category c235;
|
||||
category c236;
|
||||
category c237;
|
||||
category c238;
|
||||
category c239;
|
||||
category c240;
|
||||
category c241;
|
||||
category c242;
|
||||
category c243;
|
||||
category c244;
|
||||
category c245;
|
||||
category c246;
|
||||
category c247;
|
||||
category c248;
|
||||
category c249;
|
||||
category c250;
|
||||
category c251;
|
||||
category c252;
|
||||
category c253;
|
||||
category c254;
|
||||
category c255;
|
||||
|
||||
|
||||
#
|
||||
# Each MLS level specifies a sensitivity and zero or more categories which may
|
||||
# be associated with that sensitivity.
|
||||
#
|
||||
level s0:c0.c127;
|
||||
level s1:c0.c127;
|
||||
level s2:c0.c127;
|
||||
level s3:c0.c127;
|
||||
level s4:c0.c127;
|
||||
level s5:c0.c127;
|
||||
level s6:c0.c127;
|
||||
level s7:c0.c127;
|
||||
level s8:c0.c127;
|
||||
level s9:c0.c127;
|
||||
level s0:c0.c255;
|
||||
level s1:c0.c255;
|
||||
level s2:c0.c255;
|
||||
level s3:c0.c255;
|
||||
level s4:c0.c255;
|
||||
level s5:c0.c255;
|
||||
level s6:c0.c255;
|
||||
level s7:c0.c255;
|
||||
level s8:c0.c255;
|
||||
level s9:c0.c255;
|
||||
level s10:c0.c255;
|
||||
level s11:c0.c255;
|
||||
level s12:c0.c255;
|
||||
level s13:c0.c255;
|
||||
level s14:c0.c255;
|
||||
level s15:c0.c255;
|
||||
|
||||
|
||||
#
|
||||
|
@ -48,10 +48,6 @@ optional_policy(`usermanage.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`su.te',`
|
||||
role system_r types sysadm_su_t;
|
||||
domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
|
||||
')
|
||||
optional_policy(`ssh.te',`
|
||||
role system_r types sysadm_ssh_agent_t;
|
||||
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
|
||||
|
@ -104,6 +104,7 @@ libs_read_lib(kudzu_t)
|
||||
|
||||
logging_send_syslog_msg(kudzu_t)
|
||||
|
||||
miscfiles_read_hwdata(kudzu_t)
|
||||
miscfiles_read_localization(kudzu_t)
|
||||
|
||||
modutils_read_module_conf(kudzu_t)
|
||||
|
@ -11,9 +11,6 @@
|
||||
interface(`logrotate_domtrans',`
|
||||
gen_require(`
|
||||
type logrotate_t, logrotate_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,logrotate_exec_t,logrotate_t)
|
||||
@ -42,7 +39,6 @@ interface(`logrotate_domtrans',`
|
||||
interface(`logrotate_run',`
|
||||
gen_require(`
|
||||
type logrotate_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
logrotate_domtrans($1)
|
||||
@ -66,6 +62,22 @@ interface(`logrotate_exec',`
|
||||
can_exec($1,logrotate_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Inherit and use logrotate file descriptors.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`logrotate_use_fd',`
|
||||
gen_require(`
|
||||
type logrotate_t;
|
||||
')
|
||||
|
||||
allow $1 logrotate_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to inherit logrotate file descriptors.
|
||||
@ -77,7 +89,6 @@ interface(`logrotate_exec',`
|
||||
interface(`logrotate_dontaudit_use_fd',`
|
||||
gen_require(`
|
||||
type logrotate_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
dontaudit $1 logrotate_t:fd use;
|
||||
@ -94,7 +105,6 @@ interface(`logrotate_dontaudit_use_fd',`
|
||||
interface(`logrotate_read_tmp_files',`
|
||||
gen_require(`
|
||||
type logrotate_tmp_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
|
@ -28,9 +28,6 @@
|
||||
## </param>
|
||||
#
|
||||
template(`su_per_userdomain_template',`
|
||||
# in optional since loadable modules do not natively
|
||||
# support per-userdomain templates yet.
|
||||
optional_policy(`su.te',`
|
||||
gen_require(`
|
||||
type su_exec_t;
|
||||
')
|
||||
@ -46,7 +43,7 @@ template(`su_per_userdomain_template',`
|
||||
|
||||
allow $2 $1_su_t:process signal;
|
||||
|
||||
allow $1_su_t self:capability { audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
||||
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
||||
dontaudit $1_su_t self:capability sys_tty_config;
|
||||
allow $1_su_t self:process { setexec setsched setrlimit };
|
||||
allow $1_su_t self:fifo_file rw_file_perms;
|
||||
@ -121,13 +118,13 @@ template(`su_per_userdomain_template',`
|
||||
userdom_spec_domtrans_all_users($1_su_t)
|
||||
}
|
||||
|
||||
if (use_nfs_home_dirs) {
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_search_nfs($1_su_t)
|
||||
}
|
||||
')
|
||||
|
||||
if (use_samba_home_dirs) {
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_search_cifs($1_su_t)
|
||||
}
|
||||
')
|
||||
|
||||
optional_policy(`crond.te',`
|
||||
cron_read_pipe($1_su_t)
|
||||
@ -196,7 +193,6 @@ template(`su_per_userdomain_template',`
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
|
@ -6,7 +6,11 @@ policy_module(su,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type su_exec_t;
|
||||
')
|
||||
files_type(su_exec_t)
|
||||
|
||||
# Remaining policy in the per-user domain template
|
||||
|
@ -68,14 +68,14 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe
|
||||
allow chfn_t self:process { setrlimit setfscreate };
|
||||
allow chfn_t self:fd use;
|
||||
allow chfn_t self:fifo_file rw_file_perms;
|
||||
allow chfn_t self:unix_dgram_socket create_socket_perms;
|
||||
allow chfn_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow chfn_t self:unix_dgram_socket sendto;
|
||||
allow chfn_t self:unix_stream_socket connectto;
|
||||
allow chfn_t self:shm create_shm_perms;
|
||||
allow chfn_t self:sem create_sem_perms;
|
||||
allow chfn_t self:msgq create_msgq_perms;
|
||||
allow chfn_t self:msg { send receive };
|
||||
allow chfn_t self:unix_dgram_socket create_socket_perms;
|
||||
allow chfn_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow chfn_t self:unix_dgram_socket sendto;
|
||||
allow chfn_t self:unix_stream_socket connectto;
|
||||
|
||||
kernel_read_system_state(chfn_t)
|
||||
kernel_read_kernel_sysctl(chfn_t)
|
||||
@ -192,14 +192,15 @@ allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
|
||||
allow groupadd_t self:process { setrlimit setfscreate };
|
||||
allow groupadd_t self:fd use;
|
||||
allow groupadd_t self:fifo_file rw_file_perms;
|
||||
allow groupadd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow groupadd_t self:unix_dgram_socket sendto;
|
||||
allow groupadd_t self:unix_stream_socket connectto;
|
||||
allow groupadd_t self:shm create_shm_perms;
|
||||
allow groupadd_t self:sem create_sem_perms;
|
||||
allow groupadd_t self:msgq create_msgq_perms;
|
||||
allow groupadd_t self:msg { send receive };
|
||||
allow groupadd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow groupadd_t self:unix_dgram_socket sendto;
|
||||
allow groupadd_t self:unix_stream_socket connectto;
|
||||
allow groupadd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
|
||||
|
||||
fs_getattr_xattr_fs(groupadd_t)
|
||||
fs_search_auto_mountpoints(groupadd_t)
|
||||
@ -236,6 +237,7 @@ miscfiles_read_localization(groupadd_t)
|
||||
|
||||
auth_manage_shadow(groupadd_t)
|
||||
auth_rw_lastlog(groupadd_t)
|
||||
auth_use_nsswitch(groupadd_t)
|
||||
|
||||
seutil_read_config(groupadd_t)
|
||||
|
||||
@ -445,7 +447,6 @@ allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
role system_r types sysadm_passwd_t;
|
||||
allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
@ -459,14 +460,15 @@ allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
|
||||
allow useradd_t self:process setfscreate;
|
||||
allow useradd_t self:fd use;
|
||||
allow useradd_t self:fifo_file rw_file_perms;
|
||||
allow useradd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow useradd_t self:unix_dgram_socket sendto;
|
||||
allow useradd_t self:unix_stream_socket connectto;
|
||||
allow useradd_t self:shm create_shm_perms;
|
||||
allow useradd_t self:sem create_sem_perms;
|
||||
allow useradd_t self:msgq create_msgq_perms;
|
||||
allow useradd_t self:msg { send receive };
|
||||
allow useradd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow useradd_t self:unix_dgram_socket sendto;
|
||||
allow useradd_t self:unix_stream_socket connectto;
|
||||
allow useradd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
|
||||
|
||||
# Allow access to context for shadow file
|
||||
selinux_get_fs_mount(useradd_t)
|
||||
@ -486,6 +488,7 @@ term_use_all_user_ptys(useradd_t)
|
||||
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
|
||||
corecmd_exec_shell(useradd_t)
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
|
@ -89,6 +89,10 @@ userdom_use_unpriv_users_fd(webalizer_t)
|
||||
apache_read_log(webalizer_t)
|
||||
apache_manage_sys_content(webalizer_t)
|
||||
|
||||
optional_policy(`ftp.te',`
|
||||
ftp_read_log(webalizer_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(webalizer_t)
|
||||
')
|
||||
|
@ -53,7 +53,7 @@ network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
||||
network_port(dcc, udp,6276,s0, udp,6277,s0)
|
||||
network_port(dbskkd, tcp,1178,s0)
|
||||
network_port(dhcpc, udp,68,s0)
|
||||
network_port(dhcpd, udp,67,s0)
|
||||
network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
|
||||
network_port(dict, tcp,2628,s0)
|
||||
network_port(dns, udp,53,s0, tcp,53,s0)
|
||||
network_port(fingerd, tcp,79,s0)
|
||||
@ -86,6 +86,8 @@ network_port(nessus, tcp,1241,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
|
||||
network_port(ntp, udp,123,s0)
|
||||
network_port(openvpn, udp,5000,s0)
|
||||
network_port(pegasus_http, tcp,5988,s0)
|
||||
network_port(pegasus_https, tcp,5989,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
network_port(postgresql, tcp,5432,s0)
|
||||
|
@ -175,6 +175,24 @@ interface(`fs_getattr_xattr_fs',`
|
||||
allow $1 fs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the quotas of a persistent
|
||||
## filesystem which has extended
|
||||
## attributes, such as ext3, JFS, or XFS.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain getting quotas.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_get_xattr_fs_quotas',`
|
||||
gen_require(`
|
||||
type fs_t;
|
||||
')
|
||||
|
||||
allow $1 fs_t:filesystem quotaget;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to
|
||||
|
@ -44,6 +44,10 @@ type binfmt_misc_fs_t, filesystem_type;
|
||||
files_mountpoint(binfmt_misc_fs_t)
|
||||
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
|
||||
|
||||
type capifs_t, filesystem_type;
|
||||
allow capifs_t self:filesystem associate;
|
||||
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
|
||||
|
||||
type eventpollfs_t, filesystem_type;
|
||||
genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
|
||||
|
||||
|
@ -709,17 +709,17 @@ interface(`kernel_read_network_state',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to search the sysctl directory.
|
||||
## Do not audit attempts by caller to search
|
||||
## the base directory of sysctls.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`kernel_dontaudit_search_sysctl_dir',`
|
||||
interface(`kernel_dontaudit_search_sysctl',`
|
||||
gen_require(`
|
||||
type sysctl_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 sysctl_t:dir search;
|
||||
@ -736,8 +736,6 @@ interface(`kernel_dontaudit_search_sysctl_dir',`
|
||||
interface(`kernel_read_device_sysctl',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_dev_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
@ -757,8 +755,6 @@ interface(`kernel_read_device_sysctl',`
|
||||
interface(`kernel_rw_device_sysctl',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_dev_t;
|
||||
class dir r_dir_perms;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
@ -778,8 +774,6 @@ interface(`kernel_rw_device_sysctl',`
|
||||
interface(`kernel_read_vm_sysctl',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_vm_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
@ -798,8 +792,6 @@ interface(`kernel_read_vm_sysctl',`
|
||||
interface(`kernel_rw_vm_sysctl',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_vm_t;
|
||||
class dir r_dir_perms;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
@ -809,16 +801,31 @@ interface(`kernel_rw_vm_sysctl',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to search sysctl network directories.
|
||||
## Search network sysctl directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_search_network_sysctl',`
|
||||
gen_require(`
|
||||
type proc_t, sysctl_t, sysctl_net_t;
|
||||
')
|
||||
|
||||
allow $1 { proc_t sysctl_t sysctl_net_t }:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to search network sysctl directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_search_network_sysctl_dir',`
|
||||
interface(`kernel_dontaudit_search_network_sysctl',`
|
||||
gen_require(`
|
||||
type sysctl_net_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 sysctl_net_t:dir search;
|
||||
|
@ -220,10 +220,6 @@ ifdef(`TODO',`
|
||||
ifdef(`targeted_policy', `
|
||||
unconfined_domain(kernel_t)
|
||||
')
|
||||
ifdef(`mls_policy', `
|
||||
# run init with maximum MLS range
|
||||
range_transition kernel_t init_exec_t s0 - s9:c0.c127;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
|
@ -43,3 +43,32 @@ attribute mlstrustedobject;
|
||||
|
||||
attribute privrangetrans;
|
||||
attribute mlsrangetrans;
|
||||
|
||||
########################################
|
||||
#
|
||||
# THIS IS A HACK
|
||||
#
|
||||
# Only the base module can have range_transitions, so we
|
||||
# temporarily have to break encapsulation to work around this.
|
||||
#
|
||||
|
||||
type getty_t;
|
||||
type login_exec_t;
|
||||
type init_exec_t;
|
||||
type initrc_t;
|
||||
type su_exec_t;
|
||||
type udev_exec_t;
|
||||
type unconfined_t;
|
||||
|
||||
ifdef(`enable_mcs', `
|
||||
range_transition getty_t login_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
|
||||
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
|
||||
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
|
||||
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls', `
|
||||
# run init with maximum MLS range
|
||||
range_transition kernel_t init_exec_t s0 - s9:c0.c255;
|
||||
')
|
||||
|
@ -31,12 +31,27 @@ interface(`selinux_get_fs_mount',`
|
||||
interface(`selinux_dontaudit_getattr_dir',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 security_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search selinuxfs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_search_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search selinuxfs.
|
||||
@ -48,7 +63,6 @@ interface(`selinux_dontaudit_getattr_dir',`
|
||||
interface(`selinux_dontaudit_search_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 security_t:dir search;
|
||||
@ -66,8 +80,6 @@ interface(`selinux_dontaudit_search_fs',`
|
||||
interface(`selinux_get_enforce_mode',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -97,9 +109,6 @@ interface(`selinux_set_enforce_mode',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
attribute can_setenforce;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security setenforce;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -121,9 +130,6 @@ interface(`selinux_load_policy',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
attribute can_load_policy;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security load_policy;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -158,9 +164,6 @@ interface(`selinux_load_policy',`
|
||||
interface(`selinux_set_boolean',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security setbool;
|
||||
')
|
||||
|
||||
ifelse(`$2',`',`
|
||||
@ -199,9 +202,6 @@ interface(`selinux_set_parameters',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
attribute can_setsecparam;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security setsecparam;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -222,9 +222,6 @@ interface(`selinux_set_parameters',`
|
||||
interface(`selinux_validate_context',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security check_context;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -243,9 +240,6 @@ interface(`selinux_validate_context',`
|
||||
interface(`selinux_compute_access_vector',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security compute_av;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -264,9 +258,6 @@ interface(`selinux_compute_access_vector',`
|
||||
interface(`selinux_compute_create_context',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security compute_create;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -286,9 +277,6 @@ interface(`selinux_compute_create_context',`
|
||||
interface(`selinux_compute_member',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security compute_member;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -316,9 +304,6 @@ interface(`selinux_compute_member',`
|
||||
interface(`selinux_compute_relabel_context',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security compute_relabel;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -337,9 +322,6 @@ interface(`selinux_compute_relabel_context',`
|
||||
interface(`selinux_compute_user_contexts',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir { read search getattr };
|
||||
class file { getattr read write };
|
||||
class security compute_user;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
@ -359,9 +341,6 @@ interface(`selinux_unconfined',`
|
||||
gen_require(`
|
||||
attribute can_load_policy, can_setenforce, can_setsecparam;
|
||||
type security_t;
|
||||
class dir { getattr search read };
|
||||
class file { getattr read write };
|
||||
class security { load_policy setenforce setbool };
|
||||
')
|
||||
|
||||
# Access the security API.
|
||||
|
@ -51,6 +51,7 @@ ifdef(`distro_redhat', `
|
||||
|
||||
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
|
||||
|
||||
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
|
||||
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
|
||||
|
||||
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s0)
|
||||
|
@ -29,6 +29,10 @@ files_mountpoint(devpts_t)
|
||||
fs_type(devpts_t)
|
||||
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
typeattribute devpts_t ttynode;
|
||||
')
|
||||
|
||||
#
|
||||
# devtty_t is the type of /dev/tty.
|
||||
#
|
||||
|
@ -539,7 +539,7 @@ interface(`apache_list_modules',`
|
||||
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
|
||||
interface(`apache_manage_sys_content',`
|
||||
gen_require(`
|
||||
type httpd_log_t;
|
||||
type httpd_sys_content_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
|
@ -215,6 +215,14 @@ corenet_tcp_bind_all_nodes(httpd_t)
|
||||
corenet_udp_bind_all_nodes(httpd_t)
|
||||
corenet_tcp_bind_http_port(httpd_t)
|
||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||
# allow httpd to connect to mysql/posgresql
|
||||
corenet_tcp_connect_postgresql_port(httpd_t)
|
||||
corenet_tcp_connect_mysqld_port(httpd_t)
|
||||
# allow httpd to work as a relay
|
||||
corenet_tcp_connect_gopher_port(httpd_t)
|
||||
corenet_tcp_connect_ftp_port(httpd_t)
|
||||
corenet_tcp_connect_http_port(httpd_t)
|
||||
corenet_tcp_connect_http_cache_port(httpd_t)
|
||||
|
||||
dev_read_sysfs(httpd_t)
|
||||
dev_read_rand(httpd_t)
|
||||
@ -226,6 +234,8 @@ fs_search_auto_mountpoints(httpd_t)
|
||||
|
||||
term_dontaudit_use_console(httpd_t)
|
||||
|
||||
auth_use_nsswitch(httpd_t)
|
||||
|
||||
# execute perl
|
||||
corecmd_exec_bin(httpd_t)
|
||||
corecmd_exec_sbin(httpd_t)
|
||||
@ -261,7 +271,6 @@ miscfiles_read_certs(httpd_t)
|
||||
|
||||
seutil_dontaudit_search_config(httpd_t)
|
||||
|
||||
sysnet_dns_name_resolve(httpd_t)
|
||||
sysnet_use_ldap(httpd_t)
|
||||
sysnet_read_config(httpd_t)
|
||||
|
||||
@ -363,10 +372,6 @@ optional_policy(`mysql.te',`
|
||||
mysql_rw_db_socket(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(httpd_t)
|
||||
')
|
||||
|
@ -20,6 +20,9 @@ domain_entry_file(apm_t,apm_exec_t)
|
||||
type apmd_log_t;
|
||||
logging_log_file(apmd_log_t)
|
||||
|
||||
type apmd_tmp_t;
|
||||
files_tmp_file(apmd_tmp_t)
|
||||
|
||||
type apmd_var_run_t;
|
||||
files_pid_file(apmd_var_run_t)
|
||||
|
||||
@ -72,6 +75,10 @@ allow apmd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow apmd_t apmd_log_t:file create_file_perms;
|
||||
logging_create_log(apmd_t,apmd_log_t)
|
||||
|
||||
allow apmd_t apmd_tmp_t:dir create_dir_perms;
|
||||
allow apmd_t apmd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(apmd_t, apmd_tmp_t, { file dir })
|
||||
|
||||
allow apmd_t apmd_var_run_t:dir rw_dir_perms;
|
||||
allow apmd_t apmd_var_run_t:file create_file_perms;
|
||||
allow apmd_t apmd_var_run_t:sock_file create_file_perms;
|
||||
@ -96,6 +103,8 @@ fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive?
|
||||
fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive?
|
||||
fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive?
|
||||
|
||||
selinux_search_fs(apmd_t)
|
||||
|
||||
term_dontaudit_use_console(apmd_t)
|
||||
|
||||
corecmd_exec_bin(apmd_t)
|
||||
@ -144,6 +153,7 @@ ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(apmd_t)
|
||||
term_dontaudit_use_generic_pty(apmd_t)
|
||||
files_dontaudit_read_root_file(apmd_t)
|
||||
unconfined_domain_template(apmd_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -168,7 +178,7 @@ ifdef(`distro_redhat',`
|
||||
',`
|
||||
|
||||
# for ifconfig which is run all the time
|
||||
kernel_dontaudit_search_sysctl_dir(apmd_t)
|
||||
kernel_dontaudit_search_sysctl(apmd_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_suse',`
|
||||
@ -182,6 +192,10 @@ optional_policy(`clock.te',`
|
||||
clock_rw_adjtime(apmd_t)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate.te',`
|
||||
logrotate_use_fd(apmd_t)
|
||||
')
|
||||
|
||||
optional_policy(`mta.te',`
|
||||
mta_send_mail(apmd_t)
|
||||
')
|
||||
@ -212,6 +226,8 @@ optional_policy(`cron.te',`
|
||||
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
r_dir_file(apmd_t, hwdata_t)
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(apmd_t)
|
||||
')
|
||||
|
@ -35,8 +35,9 @@ dontaudit system_dbusd_t self:capability sys_tty_config;
|
||||
allow system_dbusd_t self:process getattr;
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
# Receive notifications of policy reloads and enforcing status changes.
|
||||
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
|
||||
|
||||
@ -71,6 +72,9 @@ selinux_compute_user_contexts(system_dbusd_t)
|
||||
|
||||
term_dontaudit_use_console(system_dbusd_t)
|
||||
|
||||
auth_use_nsswitch(system_dbusd_t)
|
||||
auth_read_pam_console_data(system_dbusd_t)
|
||||
|
||||
corecmd_list_bin(system_dbusd_t)
|
||||
corecmd_read_bin_symlink(system_dbusd_t)
|
||||
corecmd_read_bin_file(system_dbusd_t)
|
||||
@ -120,14 +124,6 @@ tunable_policy(`read_default_t',`
|
||||
files_read_default_pipes(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
auth_read_pam_console_data(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(system_dbusd_t)
|
||||
')
|
||||
|
@ -61,6 +61,7 @@ corenet_tcp_sendrecv_all_ports(dhcpd_t)
|
||||
corenet_udp_sendrecv_all_ports(dhcpd_t)
|
||||
corenet_tcp_bind_all_nodes(dhcpd_t)
|
||||
corenet_udp_bind_all_nodes(dhcpd_t)
|
||||
corenet_tcp_bind_dhcpd_port(dhcpd_t)
|
||||
corenet_udp_bind_dhcpd_port(dhcpd_t)
|
||||
corenet_udp_bind_pxe_port(dhcpd_t)
|
||||
corenet_tcp_connect_all_ports(dhcpd_t)
|
||||
|
@ -157,10 +157,10 @@ tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
|
||||
fs_read_cifs_symlinks(ftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`crond.te', `
|
||||
optional_policy(`cron.te',`
|
||||
corecmd_exec_shell(ftpd_t)
|
||||
|
||||
files_read_usr_file(ftpd_t)
|
||||
files_read_usr_files(ftpd_t)
|
||||
|
||||
cron_system_entry(ftpd_t, ftpd_exec_t)
|
||||
|
||||
@ -170,14 +170,16 @@ optional_policy(`crond.te', `
|
||||
')
|
||||
|
||||
optional_policy(`inetd.te',`
|
||||
if (!ftpd_is_daemon) {
|
||||
tunable_policy(`! ftpd_is_daemon',`
|
||||
#reh: typeattributes not allowed in conditionals yet.
|
||||
#inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`tcpd.te',`
|
||||
tunable_policy(`! ftpd_is_daemon',`
|
||||
tcpd_domtrans(tcpd_t)
|
||||
')
|
||||
}
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
|
@ -101,6 +101,7 @@ libs_exec_lib_files(hald_t)
|
||||
logging_send_syslog_msg(hald_t)
|
||||
|
||||
miscfiles_read_localization(hald_t)
|
||||
miscfiles_read_hwdata(hald_t)
|
||||
|
||||
seutil_read_config(hald_t)
|
||||
seutil_read_default_contexts(hald_t)
|
||||
|
@ -343,7 +343,7 @@ interface(`mta_rw_aliases',`
|
||||
#
|
||||
interface(`mta_dontaudit_rw_delivery_tcp_socket',`
|
||||
gen_require(`
|
||||
attribute mailserver_domain;
|
||||
attribute mailserver_delivery;
|
||||
')
|
||||
|
||||
dontaudit $1 mailserver_delivery:tcp_socket { read write };
|
||||
|
@ -68,6 +68,7 @@ corenet_raw_sendrecv_all_nodes(mysqld_t)
|
||||
corenet_tcp_sendrecv_all_ports(mysqld_t)
|
||||
corenet_tcp_bind_all_nodes(mysqld_t)
|
||||
corenet_tcp_bind_mysqld_port(mysqld_t)
|
||||
corenet_tcp_connect_mysqld_port(mysqld_t)
|
||||
|
||||
dev_read_sysfs(mysqld_t)
|
||||
|
||||
|
@ -182,6 +182,8 @@ fs_search_auto_mountpoints(ypserv_t)
|
||||
|
||||
term_dontaudit_use_console(ypserv_t)
|
||||
|
||||
corecmd_exec_bin(ypserv_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ypserv_t)
|
||||
|
||||
init_use_fd(ypserv_t)
|
||||
|
@ -34,6 +34,7 @@ allow nscd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow nscd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow nscd_t self:netlink_selinux_socket create_socket_perms;
|
||||
allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow nscd_t self:tcp_socket create_socket_perms;
|
||||
allow nscd_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
@ -30,10 +30,11 @@ init_system_domain(ntpd_t,ntpdate_exec_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot };
|
||||
# sys_resource and setrlimit is for locking memory
|
||||
# ntpdate wants sys_nice
|
||||
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
|
||||
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
|
||||
allow ntpd_t self:process { signal_perms setcap setsched };
|
||||
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
|
||||
allow ntpd_t self:fifo_file { read write getattr };
|
||||
allow ntpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ntpd_t self:unix_stream_socket create_socket_perms;
|
||||
@ -120,8 +121,7 @@ ifdef(`targeted_policy', `
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
# for cron jobs
|
||||
# system_crond_t is not right, cron is not doing what it should
|
||||
cron_system_entry(ntpd_t,ntpd_exec_t)
|
||||
cron_system_entry(ntpd_t,ntpdate_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`firstboot.te',`
|
||||
|
@ -26,6 +26,7 @@ files_pid_file(rsync_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow rsync_t self:capability sys_chroot;
|
||||
allow rsync_t self:process signal_perms;
|
||||
allow rsync_t self:fifo_file rw_file_perms;
|
||||
allow rsync_t self:tcp_socket { listen accept connected_socket_perms };
|
||||
|
@ -225,10 +225,12 @@ dev_read_sysfs(smbd_t)
|
||||
dev_read_urand(smbd_t)
|
||||
|
||||
fs_getattr_all_fs(smbd_t)
|
||||
fs_get_xattr_fs_quotas(smbd_t)
|
||||
fs_search_auto_mountpoints(smbd_t)
|
||||
|
||||
term_dontaudit_use_console(smbd_t)
|
||||
|
||||
auth_use_nsswitch(smbd_t)
|
||||
auth_domtrans_chk_passwd(smbd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(smbd_t)
|
||||
@ -238,6 +240,8 @@ files_read_etc_files(smbd_t)
|
||||
files_read_etc_runtime_files(smbd_t)
|
||||
files_read_usr_files(smbd_t)
|
||||
files_search_spool(smbd_t)
|
||||
# Allow samba to list mnt_t for potential mounted dirs
|
||||
files_list_mnt(smbd_t)
|
||||
|
||||
init_use_fd(smbd_t)
|
||||
init_use_script_pty(smbd_t)
|
||||
@ -268,17 +272,6 @@ optional_policy(`kerberos.te',`
|
||||
kerberos_use(smbd_t)
|
||||
')
|
||||
|
||||
optional_policy(`ldap.te',`
|
||||
allow smbd_t self:tcp_socket create_socket_perms;
|
||||
corenet_tcp_sendrecv_all_if(smbd_t)
|
||||
corenet_raw_sendrecv_all_if(smbd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(smbd_t)
|
||||
corenet_raw_sendrecv_all_nodes(smbd_t)
|
||||
corenet_tcp_sendrecv_ldap_port(smbd_t)
|
||||
corenet_tcp_bind_all_nodes(smbd_t)
|
||||
sysnet_read_config(smbd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(smbd_t)
|
||||
')
|
||||
@ -300,7 +293,10 @@ optional_policy(`rhgb.te',`
|
||||
rhgb_domain(smbd_t)
|
||||
')
|
||||
anonymous_domain(smbd)
|
||||
can_winbind(smbd_t)
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
|
||||
dontaudit smbd_t devpts_t:dir getattr;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -626,6 +622,8 @@ allow winbind_helper_t samba_etc_t:dir r_dir_perms;
|
||||
allow winbind_helper_t samba_etc_t:lnk_file { getattr read };
|
||||
allow winbind_helper_t samba_etc_t:file r_file_perms;
|
||||
|
||||
allow winbind_helper_t samba_var_t:dir search;
|
||||
|
||||
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
|
||||
allow winbind_helper_t winbind_var_run_t:sock_file { getattr read write };
|
||||
allow winbind_helper_t winbind_t:unix_stream_socket connectto;
|
||||
@ -644,3 +642,7 @@ miscfiles_read_localization(winbind_helper_t)
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(winbind_helper_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow winbind_helper_t squid_log_t:file ra_file_perms;
|
||||
')
|
||||
|
@ -26,11 +26,10 @@ files_type(snmpd_var_lib_t)
|
||||
# Local policy
|
||||
#
|
||||
allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
|
||||
allow snmpd_t self:file { getattr read };
|
||||
allow snmpd_t self:fifo_file rw_file_perms;
|
||||
allow snmpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow snmpd_t self:unix_stream_socket create_socket_perms;
|
||||
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow snmpd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow snmpd_t snmpd_etc_t:file { getattr read };
|
||||
|
||||
@ -38,9 +37,10 @@ allow snmpd_t snmpd_log_t:file create_file_perms;
|
||||
logging_create_log(snmpd_t,snmpd_log_t)
|
||||
|
||||
allow snmpd_t snmpd_var_lib_t:file create_file_perms;
|
||||
allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
|
||||
allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
|
||||
files_create_usr(snmpd_t,snmpd_var_lib_t)
|
||||
files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir })
|
||||
files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
|
||||
files_create_var_lib(snmpd_t,snmpd_var_lib_t)
|
||||
|
||||
allow snmpd_t snmpd_var_run_t:file create_file_perms;
|
||||
@ -80,6 +80,7 @@ corecmd_exec_sbin(snmpd_t)
|
||||
corecmd_exec_shell(snmpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(snmpd_t)
|
||||
domain_signull_all_domains(snmpd_t)
|
||||
domain_read_all_domains_state(snmpd_t)
|
||||
|
||||
files_read_etc_files(snmpd_t)
|
||||
|
@ -78,6 +78,10 @@ corenet_tcp_bind_all_nodes(squid_t)
|
||||
corenet_udp_bind_all_nodes(squid_t)
|
||||
corenet_tcp_bind_http_cache_port(squid_t)
|
||||
corenet_udp_bind_http_cache_port(squid_t)
|
||||
corenet_tcp_bind_ftp_port(squid_t)
|
||||
corenet_udp_bind_ftp_port(squid_t)
|
||||
corenet_tcp_bind_gopher_port(squid_t)
|
||||
corenet_udp_bind_gopher_port(squid_t)
|
||||
corenet_tcp_connect_ftp_port(squid_t)
|
||||
corenet_tcp_connect_gopher_port(squid_t)
|
||||
corenet_tcp_connect_http_port(squid_t)
|
||||
|
@ -825,6 +825,28 @@ interface(`auth_manage_login_records',`
|
||||
allow $1 wtmp_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use nsswitch to look up uid-username mappings.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_use_nsswitch',`
|
||||
|
||||
sysnet_dns_name_resolve($1)
|
||||
sysnet_use_ldap($1)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
can_winbind($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to the authlogin module.
|
||||
|
@ -19,7 +19,11 @@ logging_log_file(faillog_t)
|
||||
type lastlog_t;
|
||||
logging_log_file(lastlog_t)
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type login_exec_t;
|
||||
')
|
||||
files_type(login_exec_t)
|
||||
|
||||
type pam_console_t;
|
||||
@ -141,7 +145,8 @@ allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
|
||||
# for /var/run/console.lock checking
|
||||
allow pam_console_t pam_var_console_t:dir r_dir_perms;;
|
||||
allow pam_console_t pam_var_console_t:file r_file_perms;
|
||||
allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
|
||||
dontaudit pam_console_t pam_var_console_t:file write;
|
||||
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
|
||||
|
||||
kernel_read_kernel_sysctl(pam_console_t)
|
||||
kernel_use_fd(pam_console_t)
|
||||
@ -182,6 +187,8 @@ term_setattr_console(pam_console_t)
|
||||
term_getattr_unallocated_ttys(pam_console_t)
|
||||
term_setattr_unallocated_ttys(pam_console_t)
|
||||
|
||||
auth_use_nsswitch(pam_console_t)
|
||||
|
||||
domain_use_wide_inherit_fd(pam_console_t)
|
||||
|
||||
files_read_etc_files(pam_console_t)
|
||||
@ -305,6 +312,8 @@ allow utempter_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow utempter_t wtmp_t:file rw_file_perms;
|
||||
|
||||
dev_read_urand(utempter_t)
|
||||
|
||||
term_getattr_all_user_ttys(utempter_t)
|
||||
term_getattr_all_user_ptys(utempter_t)
|
||||
term_dontaudit_use_all_user_ttys(utempter_t)
|
||||
|
@ -50,7 +50,7 @@ domain_use_wide_inherit_fd(hwclock_t)
|
||||
init_use_fd(hwclock_t)
|
||||
init_use_script_pty(hwclock_t)
|
||||
|
||||
files_list_etc(hwclock_t)
|
||||
files_read_etc_files(hwclock_t)
|
||||
# for when /usr is not mounted:
|
||||
files_dontaudit_search_isid_type_dir(hwclock_t)
|
||||
|
||||
|
@ -6,7 +6,11 @@ policy_module(getty,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type getty_t;
|
||||
')
|
||||
type getty_exec_t;
|
||||
init_domain(getty_t,getty_exec_t)
|
||||
domain_wide_inherit_fd(getty_t)
|
||||
|
@ -111,6 +111,7 @@ libs_read_lib(hotplug_t)
|
||||
modutils_domtrans_insmod(hotplug_t)
|
||||
modutils_read_mods_deps(hotplug_t)
|
||||
|
||||
miscfiles_read_hwdata(hotplug_t)
|
||||
miscfiles_read_localization(hotplug_t)
|
||||
|
||||
seutil_dontaudit_search_config(hotplug_t)
|
||||
@ -163,6 +164,10 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(hotplug_t)
|
||||
')
|
||||
|
@ -22,7 +22,11 @@ role system_r types init_t;
|
||||
#
|
||||
# init_exec_t is the type of the init program.
|
||||
#
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type init_exec_t;
|
||||
')
|
||||
kernel_userland_entry(init_t,init_exec_t)
|
||||
domain_entry_file(init_t,init_exec_t)
|
||||
|
||||
@ -41,7 +45,11 @@ type initctl_t;
|
||||
files_type(initctl_t)
|
||||
mls_trusted_object(initctl_t)
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
domain_type(initrc_t)
|
||||
role system_r types initrc_t;
|
||||
|
||||
@ -192,7 +200,7 @@ allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow initrc_t init_t:fd use;
|
||||
|
||||
allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans };
|
||||
can_exec(initrc_t,initrc_exec_t)
|
||||
|
||||
allow initrc_t initrc_state_t:dir create_dir_perms;
|
||||
allow initrc_t initrc_state_t:file create_file_perms;
|
||||
@ -201,6 +209,7 @@ allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rena
|
||||
allow initrc_t initrc_var_run_t:file create_file_perms;
|
||||
files_create_pid(initrc_t,initrc_var_run_t)
|
||||
|
||||
can_exec(initrc_t,initrc_tmp_t)
|
||||
allow initrc_t initrc_tmp_t:file create_file_perms;
|
||||
allow initrc_t initrc_tmp_t:dir create_dir_perms;
|
||||
files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })
|
||||
@ -329,6 +338,8 @@ logging_append_all_logs(initrc_t)
|
||||
logging_read_auditd_config(initrc_t)
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
miscfiles_read_certs(initrc_t)
|
||||
|
||||
mls_file_read_up(initrc_t)
|
||||
mls_file_write_down(initrc_t)
|
||||
@ -610,6 +621,16 @@ ifdef(`distro_redhat', `
|
||||
allow initrc_t self:capability sys_admin;
|
||||
allow initrc_t device_t:dir create;
|
||||
|
||||
# wants to delete /poweroff and other files
|
||||
allow initrc_t root_t:file unlink;
|
||||
# wants to read /.fonts directory
|
||||
allow initrc_t default_t:file { getattr read };
|
||||
ifdef(`xserver.te', `
|
||||
# wants to cleanup xserver log dir
|
||||
allow initrc_t xserver_log_t:dir rw_dir_perms;
|
||||
allow initrc_t xserver_log_t:file unlink;
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_stub()
|
||||
#read ahead wants to read this
|
||||
|
@ -89,6 +89,7 @@ corenet_raw_sendrecv_all_nodes(ipsec_t)
|
||||
corenet_tcp_sendrecv_all_ports(ipsec_t)
|
||||
corenet_tcp_bind_all_nodes(ipsec_t)
|
||||
corenet_udp_bind_reserved_port(ipsec_t)
|
||||
corenet_udp_bind_isakmp_port(ipsec_t)
|
||||
|
||||
dev_read_sysfs(ipsec_t)
|
||||
dev_read_rand(ipsec_t)
|
||||
|
@ -123,16 +123,19 @@ fs_search_auto_mountpoints(auditd_t)
|
||||
|
||||
term_dontaudit_use_console(auditd_t)
|
||||
|
||||
init_use_fd(auditd_t)
|
||||
init_exec(auditd_t)
|
||||
init_write_initctl(auditd_t)
|
||||
init_use_script_pty(auditd_t)
|
||||
# cjp: why?
|
||||
corecmd_exec_sbin(auditd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(auditd_t)
|
||||
|
||||
files_read_etc_files(auditd_t)
|
||||
files_list_usr(auditd_t)
|
||||
|
||||
init_use_fd(auditd_t)
|
||||
init_exec(auditd_t)
|
||||
init_write_initctl(auditd_t)
|
||||
init_use_script_pty(auditd_t)
|
||||
|
||||
logging_send_syslog_msg(auditd_t)
|
||||
|
||||
libs_use_ld_so(auditd_t)
|
||||
@ -292,6 +295,7 @@ init_use_script_pty(syslogd_t)
|
||||
domain_use_wide_inherit_fd(syslogd_t)
|
||||
|
||||
files_read_etc_files(syslogd_t)
|
||||
files_read_etc_runtime_files(syslogd_t)
|
||||
# /initrd is not umounted before minilog starts
|
||||
files_dontaudit_search_isid_type_dir(syslogd_t)
|
||||
|
||||
@ -325,6 +329,10 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(syslogd_t)
|
||||
')
|
||||
|
@ -12,8 +12,8 @@
|
||||
#
|
||||
# /srv
|
||||
#
|
||||
/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0)
|
||||
/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0)
|
||||
/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)
|
||||
/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:public_content_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
@ -44,7 +44,7 @@
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/ftp(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0)
|
||||
/var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
|
||||
|
@ -5,7 +5,7 @@
|
||||
## Read system SSL certificates.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_certs',`
|
||||
@ -23,7 +23,7 @@ interface(`miscfiles_read_certs',`
|
||||
## Read fonts.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_fonts',`
|
||||
@ -41,40 +41,20 @@ interface(`miscfiles_read_fonts',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read public files used for file
|
||||
## transfer services.
|
||||
## Read hardware identification data.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_public_files',`
|
||||
interface(`miscfiles_read_hwdata',`
|
||||
gen_require(`
|
||||
type ftpd_anon_t;
|
||||
type hwdata_t;
|
||||
')
|
||||
|
||||
allow $1 ftpd_anon_t:dir r_dir_perms;
|
||||
allow $1 ftpd_anon_t:file r_file_perms;
|
||||
allow $1 ftpd_anon_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete public files
|
||||
## and directories used for file transfer services.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_manage_public_files',`
|
||||
gen_require(`
|
||||
type ftpd_anon_rw_t;
|
||||
')
|
||||
|
||||
allow $1 ftpd_anon_rw_t:dir create_dir_perms;
|
||||
allow $1 ftpd_anon_rw_t:file create_file_perms;
|
||||
allow $1 ftpd_anon_rw_t:lnk_file create_lnk_perms;
|
||||
allow $1 hwdata_t:dir r_dir_perms;
|
||||
allow $1 hwdata_t:file r_file_perms;
|
||||
allow $1 hwdata_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -82,7 +62,7 @@ interface(`miscfiles_manage_public_files',`
|
||||
## Allow process to read localization info
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_localization',`
|
||||
@ -106,7 +86,7 @@ interface(`miscfiles_read_localization',`
|
||||
## Allow process to read legacy time localization info
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_legacy_read_localization',`
|
||||
@ -176,12 +156,50 @@ interface(`miscfiles_manage_man_pages',`
|
||||
allow $1 man_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read public files used for file
|
||||
## transfer services.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_public_files',`
|
||||
gen_require(`
|
||||
type public_content_t;
|
||||
')
|
||||
|
||||
allow $1 public_content_t:dir r_dir_perms;
|
||||
allow $1 public_content_t:file r_file_perms;
|
||||
allow $1 public_content_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete public files
|
||||
## and directories used for file transfer services.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_manage_public_files',`
|
||||
gen_require(`
|
||||
type public_content_rw_t;
|
||||
')
|
||||
|
||||
allow $1 public_content_rw_t:dir create_dir_perms;
|
||||
allow $1 public_content_rw_t:file create_file_perms;
|
||||
allow $1 public_content_rw_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read TeX data
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_tetex_data',`
|
||||
@ -203,7 +221,7 @@ interface(`miscfiles_read_tetex_data',`
|
||||
## Execute TeX data programs in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_exec_tetex_data',`
|
||||
|
@ -20,13 +20,10 @@ type fonts_t;
|
||||
files_type(fonts_t)
|
||||
|
||||
#
|
||||
# Type for anonymous FTP data, used by ftp and rsync
|
||||
# type for /usr/share/hwdata
|
||||
#
|
||||
type ftpd_anon_t; #, customizable;
|
||||
files_type(ftpd_anon_t)
|
||||
|
||||
type ftpd_anon_rw_t; #, customizable;
|
||||
files_type(ftpd_anon_rw_t)
|
||||
type hwdata_t;
|
||||
files_type(hwdata_t)
|
||||
|
||||
#
|
||||
# type for /tmp/.ICE-unix
|
||||
@ -46,6 +43,15 @@ files_type(locale_t)
|
||||
type man_t alias catman_t;
|
||||
files_type(man_t)
|
||||
|
||||
#
|
||||
# Types for public content
|
||||
#
|
||||
type public_content_t; #, customizable;
|
||||
files_type(public_content_t)
|
||||
|
||||
type public_content_rw_t; #, customizable;
|
||||
files_type(public_content_rw_t)
|
||||
|
||||
#
|
||||
# Base type for the tests directory.
|
||||
#
|
||||
|
@ -19,7 +19,7 @@ files_tmp_file(mount_tmp_t)
|
||||
# mount local policy
|
||||
#
|
||||
|
||||
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown };
|
||||
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config };
|
||||
|
||||
allow mount_t mount_tmp_t:file create_file_perms;
|
||||
allow mount_t mount_tmp_t:dir create_dir_perms;
|
||||
|
@ -168,7 +168,8 @@ init_use_script_pty(load_policy_t)
|
||||
|
||||
domain_use_wide_inherit_fd(load_policy_t)
|
||||
|
||||
files_search_etc(load_policy_t)
|
||||
# for mcs.conf
|
||||
files_read_etc_files(load_policy_t)
|
||||
|
||||
libs_use_ld_so(load_policy_t)
|
||||
libs_use_shared_libs(load_policy_t)
|
||||
@ -287,6 +288,11 @@ dev_rw_generic_file(restorecon_t)
|
||||
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
|
||||
mls_file_read_up(restorecon_t)
|
||||
mls_file_write_down(restorecon_t)
|
||||
mls_file_upgrade(restorecon_t)
|
||||
mls_file_downgrade(restorecon_t)
|
||||
|
||||
selinux_get_fs_mount(restorecon_t)
|
||||
selinux_validate_context(restorecon_t)
|
||||
selinux_compute_access_vector(restorecon_t)
|
||||
@ -311,11 +317,6 @@ libs_use_shared_libs(restorecon_t)
|
||||
|
||||
logging_send_syslog_msg(restorecon_t)
|
||||
|
||||
mls_file_read_up(restorecon_t)
|
||||
mls_file_write_down(restorecon_t)
|
||||
mls_file_upgrade(restorecon_t)
|
||||
mls_file_downgrade(restorecon_t)
|
||||
|
||||
userdom_use_all_user_fd(restorecon_t)
|
||||
|
||||
# relabeling rules
|
||||
@ -430,6 +431,11 @@ kernel_list_unlabeled(setfiles_t)
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
fs_list_all(setfiles_t)
|
||||
|
||||
mls_file_read_up(setfiles_t)
|
||||
mls_file_write_down(setfiles_t)
|
||||
mls_file_upgrade(setfiles_t)
|
||||
mls_file_downgrade(setfiles_t)
|
||||
|
||||
selinux_get_fs_mount(setfiles_t)
|
||||
selinux_validate_context(setfiles_t)
|
||||
selinux_compute_access_vector(setfiles_t)
|
||||
|
@ -395,13 +395,19 @@ interface(`sysnet_dns_name_resolve',`
|
||||
type net_conf_t;
|
||||
')
|
||||
|
||||
allow $1 self:tcp_socket create_socket_perms;
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
corenet_udp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_udp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_all_ports($1)
|
||||
corenet_udp_sendrecv_dns_port($1)
|
||||
corenet_tcp_bind_all_nodes($1)
|
||||
corenet_udp_bind_all_nodes($1)
|
||||
corenet_tcp_connect_dns_port($1)
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 net_conf_t:file r_file_perms;
|
||||
|
@ -57,6 +57,7 @@ allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
|
||||
allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
|
||||
|
||||
allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
|
||||
allow dhcpc_t dhcp_state_t:file { getattr read };
|
||||
allow dhcpc_t dhcpc_state_t:file create_file_perms;
|
||||
type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
|
||||
|
||||
@ -268,8 +269,7 @@ files_read_etc_files(ifconfig_t);
|
||||
kernel_use_fd(ifconfig_t)
|
||||
kernel_read_system_state(ifconfig_t)
|
||||
kernel_read_network_state(ifconfig_t)
|
||||
kernel_dontaudit_search_sysctl_dir(ifconfig_t)
|
||||
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
|
||||
kernel_search_network_sysctl(ifconfig_t)
|
||||
|
||||
corenet_use_tun_tap_device(ifconfig_t)
|
||||
|
||||
|
@ -6,8 +6,13 @@ policy_module(udev,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type udev_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type udev_exec_t;
|
||||
')
|
||||
|
||||
type udev_t;
|
||||
type udev_helper_exec_t;
|
||||
kernel_userland_entry(udev_t,udev_exec_t)
|
||||
domain_obj_id_change_exempt(udev_t)
|
||||
@ -34,19 +39,19 @@ files_pid_file(udev_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio };
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_nice };
|
||||
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
allow udev_t self:fifo_file rw_file_perms;
|
||||
allow udev_t self:unix_stream_socket { listen accept };
|
||||
allow udev_t self:unix_dgram_socket sendto;
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt };
|
||||
allow udev_t self:shm create_shm_perms;
|
||||
allow udev_t self:sem create_sem_perms;
|
||||
allow udev_t self:msgq create_msgq_perms;
|
||||
allow udev_t self:msg { send receive };
|
||||
allow udev_t self:unix_stream_socket { listen accept };
|
||||
allow udev_t self:unix_dgram_socket sendto;
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow udev_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow udev_t udev_exec_t:file write;
|
||||
@ -89,6 +94,8 @@ selinux_compute_create_context(udev_t)
|
||||
selinux_compute_relabel_context(udev_t)
|
||||
selinux_compute_user_contexts(udev_t)
|
||||
|
||||
auth_use_nsswitch(udev_t)
|
||||
|
||||
corecmd_exec_bin(udev_t)
|
||||
corecmd_exec_sbin(udev_t)
|
||||
corecmd_exec_shell(udev_t)
|
||||
|
@ -6,7 +6,11 @@ policy_module(unconfined,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
')
|
||||
type unconfined_exec_t;
|
||||
init_system_domain(unconfined_t,unconfined_exec_t)
|
||||
role system_r types unconfined_t;
|
||||
@ -34,5 +38,12 @@ ifdef(`targeted_policy',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`samba.te', `samba_domain(user)')
|
||||
|
||||
ifdef(`use_mcs',`
|
||||
domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
|
||||
can_exec(sysadm_su_t, bin_t)
|
||||
rw_dir_create_file(sysadm_su_t, home_dir_type)
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
')
|
||||
|
@ -443,6 +443,9 @@ attribute serial_device;
|
||||
# Attribute to designate unrestricted access
|
||||
attribute unrestricted;
|
||||
|
||||
# Attribute to designate can transition to unconfined_t
|
||||
attribute unconfinedtrans;
|
||||
|
||||
# For clients of nscd.
|
||||
attribute nscd_client_domain;
|
||||
|
||||
|
@ -30,7 +30,7 @@ domain_auto_trans(kernel_t, init_exec_t, init_t)
|
||||
|
||||
ifdef(`mls_policy', `
|
||||
# run init with maximum MLS range
|
||||
range_transition kernel_t init_exec_t s0 - s9:c0.c127;
|
||||
range_transition kernel_t init_exec_t s0 - s9:c0.c255;
|
||||
')
|
||||
|
||||
# Share state with the init process.
|
||||
|
@ -17,11 +17,6 @@ unconfined_domain(anaconda_t)
|
||||
role system_r types ldconfig_t;
|
||||
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
|
||||
|
||||
ifdef(`su.te', `
|
||||
role system_r types sysadm_su_t;
|
||||
domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
|
||||
')
|
||||
|
||||
# Run other rc scripts in the anaconda_t domain.
|
||||
domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
|
||||
|
||||
|
@ -113,9 +113,12 @@ allow httpd_t bin_t:lnk_file read;
|
||||
can_network_server(httpd_t)
|
||||
can_kerberos(httpd_t)
|
||||
can_resolve(httpd_t)
|
||||
can_ypbind(httpd_t)
|
||||
can_ldap(httpd_t)
|
||||
nsswitch_domain(httpd_t)
|
||||
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
|
||||
# allow httpd to connect to mysql/posgresql
|
||||
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
|
||||
# allow httpd to work as a relay
|
||||
allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
|
||||
|
||||
if (httpd_can_network_connect) {
|
||||
can_network_client(httpd_t)
|
||||
@ -222,7 +225,7 @@ tmp_domain(httpd_php)
|
||||
# Creation of lock files for apache2
|
||||
lock_domain(httpd)
|
||||
|
||||
# Allow apache to used ftpd_anon_t
|
||||
# Allow apache to used public_content_t
|
||||
anonymous_domain(httpd)
|
||||
|
||||
# connect to mysql
|
||||
@ -305,9 +308,9 @@ allow httpd_helper_t httpd_log_t:file { append };
|
||||
if (httpd_tty_comm) {
|
||||
allow { httpd_t httpd_helper_t } devpts_t:dir search;
|
||||
ifdef(`targeted_policy', `
|
||||
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
|
||||
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
|
||||
')
|
||||
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
|
||||
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
|
||||
} else {
|
||||
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
|
||||
}
|
||||
@ -367,13 +370,13 @@ allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
|
||||
allow httpd_suexec_t autofs_t:dir { search getattr };
|
||||
tmp_domain(httpd_suexec)
|
||||
|
||||
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
|
||||
if (httpd_enable_cgi && httpd_unified) {
|
||||
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
|
||||
')
|
||||
}
|
||||
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
|
||||
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
|
||||
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
|
||||
create_dir_file(httpd_t, httpdcontent)
|
||||
}
|
||||
|
@ -47,6 +47,7 @@ file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
|
||||
|
||||
# acpid also has a logfile
|
||||
log_domain(apmd)
|
||||
tmp_domain(apmd)
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
var_lib_domain(apmd)
|
||||
@ -140,3 +141,15 @@ dontaudit apmd_t selinux_config_t:dir search;
|
||||
allow apmd_t user_tty_type:chr_file rw_file_perms;
|
||||
# Access /dev/apm_bios.
|
||||
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
|
||||
|
||||
ifdef(`logrotate.te', `
|
||||
allow apmd_t logrotate_t:fd use;
|
||||
')dnl end if logrotate.te
|
||||
allow apmd_t devpts_t:dir { getattr search };
|
||||
allow apmd_t security_t:dir search;
|
||||
allow apmd_t usr_t:dir search;
|
||||
r_dir_file(apmd_t, hwdata_t)
|
||||
ifdef(`targeted_policy', `
|
||||
unconfined_domain(apmd_t)
|
||||
')
|
||||
|
||||
|
@ -65,3 +65,5 @@ allow auditctl_t initrc_devpts_t:chr_file { read write };
|
||||
allow auditctl_t privfd:fd use;
|
||||
|
||||
|
||||
allow auditd_t sbin_t:dir search;
|
||||
can_exec(auditd_t, sbin_t)
|
||||
|
@ -34,7 +34,9 @@ allow automount_t self:unix_dgram_socket create_socket_perms;
|
||||
can_exec(automount_t, { etc_t automount_etc_t })
|
||||
|
||||
can_network_server(automount_t)
|
||||
can_resolve(automount_t)
|
||||
can_ypbind(automount_t)
|
||||
can_ldap(automount_t)
|
||||
|
||||
ifdef(`fsadm.te', `
|
||||
domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
|
||||
@ -56,6 +58,7 @@ can_exec(automount_t, bin_t)')
|
||||
|
||||
allow automount_t { bin_t sbin_t }:dir search;
|
||||
can_exec(automount_t, mount_exec_t)
|
||||
can_exec(automount_t, shell_exec_t)
|
||||
|
||||
allow mount_t autofs_t:dir getattr;
|
||||
dontaudit automount_t var_t:dir write;
|
||||
@ -73,3 +76,4 @@ file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
|
||||
|
||||
allow automount_t var_lib_t:dir search;
|
||||
allow automount_t var_lib_nfs_t:dir search;
|
||||
|
||||
|
@ -24,7 +24,9 @@ allow bootloader_t var_log_t:file write;
|
||||
# for nscd
|
||||
dontaudit bootloader_t var_run_t:dir search;
|
||||
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
|
||||
')
|
||||
allow bootloader_t { initrc_t privfd }:fd use;
|
||||
|
||||
tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
|
||||
|
@ -15,7 +15,9 @@ daemon_domain(cardmgr, `, privmodule')
|
||||
allow cardmgr_t urandom_device_t:chr_file read;
|
||||
|
||||
type cardctl_exec_t, file_type, sysadmfile, exec_type;
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
|
||||
')
|
||||
role sysadm_r types cardmgr_t;
|
||||
allow cardmgr_t admin_tty_type:chr_file { read write };
|
||||
|
||||
@ -85,3 +87,4 @@ ifdef(`hald.te', `
|
||||
rw_dir_file(hald_t, cardmgr_var_run_t)
|
||||
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
|
||||
')
|
||||
allow cardmgr_t device_t:lnk_file { getattr read };
|
||||
|
@ -106,7 +106,7 @@ allow system_crond_t init_t:fd use;
|
||||
|
||||
# Inherit and use descriptors from initrc for anacron.
|
||||
allow system_crond_t initrc_t:fd use;
|
||||
allow system_crond_t initrc_devpts_t:chr_file { read write };
|
||||
can_access_pty(system_crond_t, initrc)
|
||||
|
||||
# Use capabilities.
|
||||
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
|
||||
@ -205,7 +205,7 @@ dontaudit system_crond_t removable_t:filesystem getattr;
|
||||
#
|
||||
# Required for webalizer
|
||||
#
|
||||
dontaudit crond_t self:capability sys_tty_config;
|
||||
ifdef(`apache.te', `
|
||||
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
|
||||
')
|
||||
dontaudit crond_t self:capability sys_tty_config;
|
||||
|
@ -188,6 +188,7 @@ allow hplip_t hplip_port_t:tcp_socket name_bind;
|
||||
# Uses networking to talk to the daemons
|
||||
allow hplip_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hplip_t self:unix_stream_socket create_socket_perms;
|
||||
allow hplip_t self:rawip_socket create_socket_perms;
|
||||
|
||||
# for python
|
||||
can_exec(hplip_t, bin_t)
|
||||
@ -196,6 +197,9 @@ allow hplip_t self:file { getattr read };
|
||||
allow hplip_t proc_t:file r_file_perms;
|
||||
allow hplip_t urandom_device_t:chr_file { getattr read };
|
||||
allow hplip_t usr_t:{ file lnk_file } r_file_perms;
|
||||
allow hplip_t devpts_t:dir search;
|
||||
allow hplip_t devpts_t:chr_file { getattr ioctl };
|
||||
|
||||
|
||||
dontaudit cupsd_t selinux_config_t:dir search;
|
||||
dontaudit cupsd_t selinux_config_t:file { getattr read };
|
||||
@ -209,7 +213,7 @@ allow cupsd_t userdomain:dbus send_msg;
|
||||
')
|
||||
|
||||
# CUPS configuration daemon
|
||||
daemon_domain(cupsd_config)
|
||||
daemon_domain(cupsd_config, `, nscd_client_domain')
|
||||
|
||||
allow cupsd_config_t devpts_t:dir search;
|
||||
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
|
||||
@ -231,12 +235,13 @@ allow cupsd_config_t cupsd_t:process { signal };
|
||||
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
|
||||
can_ps(cupsd_config_t, cupsd_t)
|
||||
|
||||
allow cupsd_config_t self:capability chown;
|
||||
allow cupsd_config_t self:capability { chown sys_tty_config };
|
||||
|
||||
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
|
||||
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
|
||||
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
|
||||
file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
|
||||
allow cupsd_config_t var_t:lnk_file read;
|
||||
|
||||
can_network_tcp(cupsd_config_t)
|
||||
can_ypbind(cupsd_config_t)
|
||||
@ -245,6 +250,7 @@ can_tcp_connect(cupsd_config_t, cupsd_t)
|
||||
allow cupsd_config_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
|
||||
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, cupsd_config)
|
||||
allow cupsd_config_t userdomain:dbus send_msg;
|
||||
@ -255,9 +261,8 @@ allow userdomain cupsd_config_t:dbus send_msg;
|
||||
ifdef(`hald.te', `
|
||||
|
||||
ifdef(`dbusd.te', `
|
||||
allow cupsd_t hald_t:dbus send_msg;
|
||||
allow cupsd_config_t hald_t:dbus send_msg;
|
||||
allow hald_t cupsd_t:dbus send_msg;
|
||||
allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
|
||||
allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
|
||||
')dnl end if dbusd.te
|
||||
|
||||
allow hald_t cupsd_config_t:process signal;
|
||||
@ -310,3 +315,7 @@ allow inetd_t printer_port_t:tcp_socket name_bind;
|
||||
r_dir_file(cupsd_lpd_t, cupsd_etc_t)
|
||||
r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
|
||||
allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
|
||||
ifdef(`use_mcs', `
|
||||
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
|
||||
')
|
||||
|
||||
|
@ -23,6 +23,9 @@ allow cvs_t { bin_t sbin_t }:lnk_file read;
|
||||
allow cvs_t etc_runtime_t:file { getattr read };
|
||||
allow system_mail_t cvs_data_t:file { getattr read };
|
||||
dontaudit cvs_t devtty_t:chr_file { read write };
|
||||
ifdef(`kerberos.te', `
|
||||
# Allow kerberos to work
|
||||
allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
|
||||
dontaudit cvs_t krb5_conf_t:file write;
|
||||
')
|
||||
|
||||
|
@ -42,7 +42,7 @@ allow system_crond_t cyrus_var_lib_t:file create_file_perms;
|
||||
create_dir_file(cyrus_t, mail_spool_t)
|
||||
allow cyrus_t var_spool_t:dir search;
|
||||
|
||||
ifdef(`saslaudthd.te', `
|
||||
ifdef(`saslauthd.te', `
|
||||
allow cyrus_t saslauthd_var_run_t:dir search;
|
||||
allow cyrus_t saslauthd_var_run_t:sock_file { read write };
|
||||
allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
|
||||
|
@ -12,7 +12,7 @@ r_dir_file(system_dbusd_t, pam_var_console_t)
|
||||
|
||||
# dac_override: /var/run/dbus is owned by messagebus on Debian
|
||||
allow system_dbusd_t self:capability { dac_override setgid setuid };
|
||||
can_ypbind(system_dbusd_t)
|
||||
nsswitch_domain(system_dbusd_t)
|
||||
|
||||
# I expect we need more than this
|
||||
|
||||
@ -23,3 +23,5 @@ allow initrc_t system_dbusd_var_run_t:sock_file write;
|
||||
can_exec(system_dbusd_t, sbin_t)
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:unix_stream_socket connectto;
|
||||
allow system_dbusd_t self:unix_stream_socket connectto;
|
||||
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
@ -120,6 +120,7 @@ tmp_domain(dhcpc)
|
||||
allow dhcpc_t self:packet_socket create_socket_perms;
|
||||
allow dhcpc_t var_lib_t:dir search;
|
||||
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
|
||||
allow dhcpc_t dhcp_state_t:file { getattr read };
|
||||
|
||||
allow dhcpc_t bin_t:dir { getattr search };
|
||||
allow dhcpc_t bin_t:lnk_file read;
|
||||
@ -161,5 +162,5 @@ allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
|
||||
ifdef(`unconfined.te', `
|
||||
allow unconfined_t dhcpc_t:dbus send_msg;
|
||||
allow dhcpc_t unconfined_t:dbus send_msg;
|
||||
')dnl end ifdef unconfined.te
|
||||
')
|
||||
')
|
||||
|
@ -17,8 +17,6 @@
|
||||
#
|
||||
daemon_domain(dhcpd, `, nscd_client_domain')
|
||||
|
||||
allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
|
||||
|
||||
# for UDP port 4011
|
||||
allow dhcpd_t pxe_port_t:udp_socket name_bind;
|
||||
|
||||
@ -27,6 +25,7 @@ type dhcp_etc_t, file_type, sysadmfile, usercanread;
|
||||
# Use the network.
|
||||
can_network(dhcpd_t)
|
||||
allow dhcpd_t port_type:tcp_socket name_connect;
|
||||
allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
|
||||
can_ypbind(dhcpd_t)
|
||||
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow dhcpd_t self:unix_stream_socket create_socket_perms;
|
||||
|
@ -102,10 +102,10 @@ allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
|
||||
allow fsadm_t kernel_t:system syslog_console;
|
||||
|
||||
# Access terminals.
|
||||
allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
|
||||
can_access_pty(fsadm_t, initrc)
|
||||
allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
|
||||
allow fsadm_t privfd:fd use;
|
||||
allow fsadm_t devpts_t:dir { getattr search };
|
||||
|
||||
read_locale(fsadm_t)
|
||||
|
||||
|
@ -100,4 +100,4 @@ allow hald_t unconfined_t:dbus send_msg;
|
||||
ifdef(`mount.te', `
|
||||
domain_auto_trans(hald_t, mount_exec_t, mount_t)
|
||||
')
|
||||
|
||||
r_dir_file(hald_t, hwdata_t)
|
||||
|
@ -24,5 +24,5 @@ dontaudit hostname_t file_t:dir search;
|
||||
ifdef(`distro_redhat', `
|
||||
allow hostname_t tmpfs_t:chr_file rw_file_perms;
|
||||
')
|
||||
allow hostname_t initrc_devpts_t:chr_file { read write };
|
||||
can_access_pty(hostname_t, initrc)
|
||||
allow hostname_t initrc_t:fd use;
|
||||
|
@ -11,9 +11,9 @@
|
||||
# hotplug_exec_t is the type of the hotplug executable.
|
||||
#
|
||||
ifdef(`unlimitedUtils', `
|
||||
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
|
||||
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
|
||||
', `
|
||||
daemon_domain(hotplug, `, privmodule')
|
||||
daemon_domain(hotplug, `, privmodule, nscd_client_domain')
|
||||
')
|
||||
|
||||
etcdir_domain(hotplug)
|
||||
@ -132,6 +132,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
|
||||
allow hotplug_t sysfs_t:dir { getattr read search write };
|
||||
allow hotplug_t sysfs_t:file rw_file_perms;
|
||||
allow hotplug_t sysfs_t:lnk_file { getattr read };
|
||||
r_dir_file(hotplug_t, hwdata_t)
|
||||
allow hotplug_t udev_runtime_t:file rw_file_perms;
|
||||
ifdef(`lpd.te', `
|
||||
allow hotplug_t printer_device_t:chr_file setattr;
|
||||
|
@ -21,7 +21,6 @@ ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
|
||||
')
|
||||
type adjtime_t, file_type, sysadmfile;
|
||||
|
||||
allow hwclock_t fs_t:filesystem getattr;
|
||||
|
||||
read_locale(hwclock_t)
|
||||
@ -47,3 +46,4 @@ read_locale(hwclock_t)
|
||||
# for when /usr is not mounted
|
||||
dontaudit hwclock_t file_t:dir search;
|
||||
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
r_dir_file(hwclock_t, etc_t)
|
||||
|
@ -52,7 +52,8 @@ allow ifconfig_t run_init_t:fd use;
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Access terminals.
|
||||
allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
||||
can_access_pty(ifconfig_t, initrc)
|
||||
allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
||||
|
||||
allow ifconfig_t tun_tap_device_t:chr_file { read write };
|
||||
@ -60,7 +61,7 @@ allow ifconfig_t tun_tap_device_t:chr_file { read write };
|
||||
# ifconfig attempts to search some sysctl entries.
|
||||
# Do not audit those attempts; comment out these rules if it is desired to
|
||||
# see the denials.
|
||||
dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
|
||||
allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
|
||||
|
||||
allow ifconfig_t fs_t:filesystem getattr;
|
||||
|
||||
|
@ -56,6 +56,10 @@ allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit ge
|
||||
can_create_pty(initrc)
|
||||
|
||||
tmp_domain(initrc)
|
||||
#
|
||||
# Some initscripts generate scripts that they need to execute (ldap)
|
||||
#
|
||||
can_exec(initrc_t, initrc_tmp_t)
|
||||
|
||||
var_run_domain(initrc)
|
||||
allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
|
||||
@ -214,7 +218,15 @@ file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
|
||||
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
|
||||
allow initrc_t self:capability sys_admin;
|
||||
allow initrc_t device_t:dir create;
|
||||
|
||||
# wants to delete /poweroff and other files
|
||||
allow initrc_t root_t:file unlink;
|
||||
# wants to read /.fonts directory
|
||||
allow initrc_t default_t:file { getattr read };
|
||||
ifdef(`xserver.te', `
|
||||
# wants to cleanup xserver log dir
|
||||
allow initrc_t xserver_log_t:dir rw_dir_perms;
|
||||
allow initrc_t xserver_log_t:file unlink;
|
||||
')
|
||||
')dnl end distro_redhat
|
||||
|
||||
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
|
||||
@ -322,3 +334,6 @@ allow initrc_t device_t:lnk_file create_file_perms;
|
||||
ifdef(`dbusd.te', `
|
||||
allow initrc_t system_dbusd_var_run_t:sock_file write;
|
||||
')
|
||||
|
||||
# Slapd needs to read cert files from its initscript
|
||||
r_dir_file(initrc_t, cert_t)
|
||||
|
@ -219,7 +219,7 @@ can_exec(ipsec_mgmt_t, consoletype_exec_t )
|
||||
dontaudit ipsec_mgmt_t selinux_config_t:dir search;
|
||||
dontaudit ipsec_t ttyfile:chr_file { read write };
|
||||
allow ipsec_t self:capability { dac_override dac_read_search };
|
||||
allow ipsec_t reserved_port_t:udp_socket name_bind;
|
||||
allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
|
||||
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
|
||||
dontaudit ipsec_mgmt_t device_t:lnk_file read;
|
||||
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
|
||||
|
@ -64,6 +64,7 @@ can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
|
||||
allow kudzu_t lib_t:file { read getattr };
|
||||
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
|
||||
allow kudzu_t usr_t:file { read getattr };
|
||||
r_dir_file(kudzu_t, hwdata_t)
|
||||
|
||||
# Communicate with rhgb-client.
|
||||
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
@ -16,7 +16,8 @@ role system_r types ldconfig_t;
|
||||
|
||||
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
|
||||
dontaudit ldconfig_t device_t:dir search;
|
||||
allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
||||
can_access_pty(ldconfig_t, initrc)
|
||||
allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
|
||||
allow ldconfig_t privfd:fd use;
|
||||
|
||||
uses_shlib(ldconfig_t)
|
||||
|
@ -45,11 +45,12 @@ r_dir_file(load_policy_t, selinux_config_t)
|
||||
allow load_policy_t root_t:dir search;
|
||||
allow load_policy_t etc_t:dir search;
|
||||
|
||||
# Read the devpts root directory (needed?)
|
||||
allow load_policy_t devpts_t:dir r_dir_perms;
|
||||
# for mcs.conf
|
||||
allow load_policy_t etc_t:file { getattr read };
|
||||
|
||||
# Other access
|
||||
allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
|
||||
can_access_pty(load_policy_t, initrc)
|
||||
allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
|
||||
uses_shlib(load_policy_t)
|
||||
allow load_policy_t self:capability dac_override;
|
||||
|
||||
|
@ -200,23 +200,20 @@ login_domain(remote)
|
||||
# since very weak authentication is used.
|
||||
login_spawn_domain(remote_login, unpriv_userdomain)
|
||||
|
||||
allow remote_login_t devpts_t:dir search;
|
||||
allow remote_login_t userpty_type:chr_file { setattr write };
|
||||
|
||||
# Use the pty created by rlogind.
|
||||
ifdef(`rlogind.te', `
|
||||
allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
|
||||
|
||||
can_access_pty(remote_login_t, rlogind)
|
||||
# Relabel ptys created by rlogind.
|
||||
allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
|
||||
allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
|
||||
')
|
||||
|
||||
# Use the pty created by telnetd.
|
||||
ifdef(`telnetd.te', `
|
||||
allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
|
||||
|
||||
can_access_pty(remote_login_t, telnetd)
|
||||
# Relabel ptys created by telnetd.
|
||||
allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
|
||||
allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
|
||||
')
|
||||
|
||||
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
|
||||
@ -225,3 +222,8 @@ allow remote_login_t fs_t:filesystem { getattr };
|
||||
# Allow remote login to resolve host names (passed in via the -h switch)
|
||||
can_resolve(remote_login_t)
|
||||
|
||||
ifdef(`use_mcs', `
|
||||
ifdef(`getty.te', `
|
||||
range_transition getty_t login_exec_t s0 - s0:c0.c255;
|
||||
')
|
||||
')
|
||||
|
@ -59,7 +59,8 @@ allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
|
||||
allow depmod_t modules_object_t:file unlink;
|
||||
|
||||
# Access terminals.
|
||||
allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
||||
can_access_pty(depmod_t, initrc)
|
||||
allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
||||
|
||||
# Read System.map from home directories.
|
||||
@ -97,7 +98,8 @@ allow insmod_t self:lnk_file read;
|
||||
allow insmod_t usr_t:file { getattr read };
|
||||
|
||||
allow insmod_t privfd:fd use;
|
||||
allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
||||
can_access_pty(insmod_t, initrc)
|
||||
allow insmod_t admin_tty_type:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
|
||||
|
||||
allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
|
||||
@ -162,7 +164,6 @@ type insmod_exec_t, file_type, exec_type, sysadmfile;
|
||||
domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
|
||||
can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
|
||||
allow insmod_t devtty_t:chr_file rw_file_perms;
|
||||
allow update_modules_t devpts_t:dir search;
|
||||
allow insmod_t privmodule:process sigchld;
|
||||
dontaudit sysadm_t self:capability sys_module;
|
||||
|
||||
@ -197,8 +198,8 @@ allow update_modules_t init_t:fd use;
|
||||
|
||||
allow update_modules_t device_t:dir { getattr search };
|
||||
allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
|
||||
allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
||||
allow update_modules_t devpts_t:dir search;
|
||||
can_access_pty(update_modules_t, initrc)
|
||||
allow update_modules_t admin_tty_type:chr_file rw_file_perms;
|
||||
|
||||
can_exec(update_modules_t, insmod_exec_t)
|
||||
allow update_modules_t urandom_device_t:chr_file { getattr read };
|
||||
|
@ -16,13 +16,14 @@ mount_loopback_privs(sysadm, mount)
|
||||
role sysadm_r types mount_t;
|
||||
role system_r types mount_t;
|
||||
|
||||
allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write };
|
||||
can_access_pty(mount_t, initrc)
|
||||
allow mount_t console_device_t:chr_file { read write };
|
||||
|
||||
domain_auto_trans(initrc_t, mount_exec_t, mount_t)
|
||||
allow mount_t init_t:fd use;
|
||||
allow mount_t privfd:fd use;
|
||||
|
||||
allow mount_t self:capability { ipc_lock dac_override };
|
||||
allow mount_t self:capability { dac_override ipc_lock sys_tty_config };
|
||||
allow mount_t self:process { fork signal_perms };
|
||||
|
||||
allow mount_t file_type:dir search;
|
||||
|
@ -12,7 +12,7 @@
|
||||
#
|
||||
daemon_domain(mysqld, `, nscd_client_domain')
|
||||
|
||||
allow mysqld_t mysqld_port_t:tcp_socket name_bind;
|
||||
allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
|
||||
|
||||
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
|
||||
|
||||
@ -88,7 +88,7 @@ allow userdomain mysqld_var_run_t:sock_file write;
|
||||
}
|
||||
')
|
||||
|
||||
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
ifdef(`crond.te', `
|
||||
allow system_crond_t mysqld_etc_t:file { getattr read };
|
||||
')
|
||||
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
@ -113,8 +113,8 @@ can_resolve(ndc_t)
|
||||
read_locale(ndc_t)
|
||||
can_tcp_connect(ndc_t, named_t)
|
||||
|
||||
# for /etc/rndc.key
|
||||
ifdef(`distro_redhat', `
|
||||
# for /etc/rndc.key
|
||||
allow { ndc_t initrc_t } named_conf_t:dir search;
|
||||
# Allow init script to cp localtime to named_conf_t
|
||||
allow initrc_t named_conf_t:file { setattr write };
|
||||
|
@ -55,7 +55,8 @@ allow netutils_t fs_t:filesystem getattr;
|
||||
|
||||
# Access terminals.
|
||||
allow netutils_t privfd:fd use;
|
||||
allow netutils_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
||||
can_access_pty(netutils_t, initrc)
|
||||
allow netutils_t admin_tty_type:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
|
||||
allow netutils_t proc_t:dir search;
|
||||
|
||||
|
@ -18,3 +18,7 @@ allow newrole_t var_run_t:dir r_dir_perms;
|
||||
allow newrole_t initrc_var_run_t:file rw_file_perms;
|
||||
|
||||
role secadm_r types newrole_t;
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
typeattribute newrole_t unconfinedtrans;
|
||||
')
|
||||
|
@ -76,3 +76,4 @@ allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
|
||||
log_domain(nscd)
|
||||
r_dir_file(nscd_t, cert_t)
|
||||
allow nscd_t tun_tap_device_t:chr_file { read write };
|
||||
allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
@ -26,11 +26,11 @@ allow ntpd_t ntp_drift_t:file create_file_perms;
|
||||
# for SSP
|
||||
allow ntpd_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
|
||||
dontaudit ntpd_t self:capability { net_admin };
|
||||
allow ntpd_t self:process { setcap setsched };
|
||||
# sys_resource and setrlimit is for locking memory
|
||||
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
|
||||
dontaudit ntpd_t self:capability { fsetid net_admin };
|
||||
allow ntpd_t self:process { setcap setsched setrlimit };
|
||||
# ntpdate wants sys_nice
|
||||
dontaudit ntpd_t self:capability { fsetid sys_nice };
|
||||
|
||||
# for some reason it creates a file in /tmp
|
||||
tmp_domain(ntpd)
|
||||
@ -54,7 +54,7 @@ allow initrc_t net_conf_t:file { getattr read ioctl };
|
||||
# for cron jobs
|
||||
# system_crond_t is not right, cron is not doing what it should
|
||||
ifdef(`crond.te', `
|
||||
system_crond_entry(ntpd_exec_t, ntpd_t)
|
||||
system_crond_entry(ntpdate_exec_t, ntpd_t)
|
||||
')
|
||||
|
||||
can_exec(ntpd_t, initrc_exec_t)
|
||||
|
@ -25,6 +25,7 @@ allow pam_console_t { kernel_t init_t }:fd use;
|
||||
# for /var/run/console.lock checking
|
||||
allow pam_console_t { var_t var_run_t }:dir search;
|
||||
r_dir_file(pam_console_t, pam_var_console_t)
|
||||
dontaudit pam_console_t pam_var_console_t:file write;
|
||||
|
||||
# Allow to set attributes on /dev entries
|
||||
allow pam_console_t device_t:dir { getattr read };
|
||||
@ -48,3 +49,4 @@ allow pam_console_t xdm_var_run_t:file { getattr read };
|
||||
allow initrc_t pam_var_console_t:dir rw_dir_perms;
|
||||
allow initrc_t pam_var_console_t:file unlink;
|
||||
allow pam_console_t file_context_t:file { getattr read };
|
||||
nsswitch_domain(pam_console_t)
|
||||
|
@ -153,5 +153,4 @@ allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_rel
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
role system_r types sysadm_passwd_t;
|
||||
allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
37
strict/domains/program/pegasus.te
Normal file
37
strict/domains/program/pegasus.te
Normal file
@ -0,0 +1,37 @@
|
||||
#DESC pegasus - The Open Group Pegasus CIM/WBEM Server
|
||||
#
|
||||
# Author: Jason Vas Dias <jvdias@redhat.com>
|
||||
# Package: tog-pegasus
|
||||
#
|
||||
#################################
|
||||
#
|
||||
# Rules for the pegasus domain
|
||||
#
|
||||
daemon_domain(pegasus, `, nscd_client_domain, auth')
|
||||
type pegasus_data_t, file_type, sysadmfile;
|
||||
type pegasus_conf_t, file_type, sysadmfile;
|
||||
type pegasus_mof_t, file_type, sysadmfile;
|
||||
type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
|
||||
allow pegasus_t self:capability { dac_override net_bind_service audit_write };
|
||||
can_network_tcp(pegasus_t);
|
||||
nsswitch_domain(pegasus_t);
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
|
||||
allow pegasus_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow pegasus_t self:file { read getattr };
|
||||
allow pegasus_t self:fifo_file rw_file_perms;
|
||||
allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
|
||||
allow pegasus_t proc_t:file { getattr read };
|
||||
allow pegasus_t sysctl_vm_t:dir search;
|
||||
allow pegasus_t initrc_var_run_t:file { read write lock };
|
||||
allow pegasus_t urandom_device_t:chr_file { getattr read };
|
||||
r_dir_file(pegasus_t, etc_t)
|
||||
r_dir_file(pegasus_t, var_lib_t)
|
||||
r_dir_file(pegasus_t, pegasus_mof_t)
|
||||
rw_dir_create_file(pegasus_t, pegasus_conf_t)
|
||||
rw_dir_create_file(pegasus_t, pegasus_data_t)
|
||||
rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
|
||||
allow pegasus_t shadow_t:file { getattr read };
|
||||
dontaudit pegasus_t selinux_config_t:dir search;
|
||||
|
@ -37,6 +37,7 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t)
|
||||
uses_shlib(ping_t)
|
||||
can_network_client(ping_t)
|
||||
can_resolve(ping_t)
|
||||
allow ping_t dns_port_t:tcp_socket name_connect;
|
||||
can_ypbind(ping_t)
|
||||
allow ping_t etc_t:file { getattr read };
|
||||
allow ping_t self:unix_stream_socket create_socket_perms;
|
||||
@ -58,6 +59,6 @@ dontaudit ping_t var_t:dir search;
|
||||
dontaudit ping_t devtty_t:chr_file { read write };
|
||||
dontaudit ping_t self:capability sys_tty_config;
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
allow ping_t init_t:fd use;
|
||||
dontaudit ping_t init_t:fd use;
|
||||
')
|
||||
|
||||
|
@ -54,6 +54,8 @@ allow postfix_$1_t fs_t:filesystem getattr;
|
||||
allow postfix_$1_t proc_net_t:dir search;
|
||||
allow postfix_$1_t proc_net_t:file { getattr read };
|
||||
can_exec(postfix_$1_t, postfix_$1_exec_t)
|
||||
r_dir_file(postfix_$1_t, cert_t)
|
||||
allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
|
||||
|
||||
allow postfix_$1_t tmp_t:dir getattr;
|
||||
|
||||
@ -69,6 +71,9 @@ ifdef(`crond.te',
|
||||
postfix_domain(master, `, mail_server_domain')
|
||||
rhgb_domain(postfix_master_t)
|
||||
|
||||
# for a find command
|
||||
dontaudit postfix_master_t security_t:dir search;
|
||||
|
||||
read_sysctl(postfix_master_t)
|
||||
|
||||
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
|
||||
@ -97,10 +102,12 @@ allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
|
||||
dontaudit postfix_master_t selinux_config_t:dir search;
|
||||
can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
|
||||
ifdef(`distro_redhat', `
|
||||
# compatability for old default main.cf
|
||||
file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
|
||||
', `
|
||||
file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
|
||||
# for newer main.cf that uses /etc/aliases
|
||||
file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
|
||||
')
|
||||
file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
|
||||
allow postfix_master_t sendmail_exec_t:file r_file_perms;
|
||||
allow postfix_master_t sbin_t:lnk_file { getattr read };
|
||||
ifdef(`pppd.te', `
|
||||
@ -121,7 +128,7 @@ allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
|
||||
can_network(postfix_master_t)
|
||||
allow postfix_master_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(postfix_master_t)
|
||||
allow postfix_master_t smtp_port_t:tcp_socket name_bind;
|
||||
allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
|
||||
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
||||
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
|
||||
allow postfix_master_t postfix_prng_t:file getattr;
|
||||
@ -135,14 +142,10 @@ can_unix_connect(postfix_smtpd_t,saslauthd_t)
|
||||
')
|
||||
|
||||
create_dir_file(postfix_master_t, postfix_spool_flush_t)
|
||||
allow postfix_master_t random_device_t:chr_file { read getattr };
|
||||
allow postfix_master_t postfix_prng_t:file rw_file_perms;
|
||||
# for ls to get the current context
|
||||
allow postfix_master_t self:file { getattr read };
|
||||
|
||||
# for SSP
|
||||
allow postfix_master_t urandom_device_t:chr_file read;
|
||||
|
||||
# allow access to deferred queue and allow removing bogus incoming entries
|
||||
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
|
||||
allow postfix_master_t postfix_spool_t:file create_file_perms;
|
||||
@ -163,7 +166,6 @@ postfix_server_domain(smtp, `, mail_server_sender')
|
||||
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
|
||||
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
|
||||
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
|
||||
allow postfix_smtp_t urandom_device_t:chr_file { getattr read };
|
||||
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
|
||||
# if you have two different mail servers on the same host let them talk via
|
||||
# SMTP, also if one mail server wants to talk to itself then allow it and let
|
||||
@ -172,7 +174,6 @@ allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
|
||||
can_tcp_connect(postfix_smtp_t, mail_server_domain)
|
||||
|
||||
postfix_server_domain(smtpd)
|
||||
allow postfix_smtpd_t urandom_device_t:chr_file { getattr read };
|
||||
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
|
||||
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
|
||||
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
|
||||
@ -184,7 +185,6 @@ allow postfix_smtpd_t self:file { getattr read };
|
||||
|
||||
# for prng_exch
|
||||
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
|
||||
|
||||
postfix_server_domain(local, `, mta_delivery_agent')
|
||||
@ -196,7 +196,7 @@ dontaudit procmail_t postfix_master_t:fd use;
|
||||
')
|
||||
allow postfix_local_t etc_aliases_t:file r_file_perms;
|
||||
allow postfix_local_t self:fifo_file rw_file_perms;
|
||||
allow postfix_local_t self:process setrlimit;
|
||||
allow postfix_local_t self:process { setsched setrlimit };
|
||||
allow postfix_local_t postfix_spool_t:file rw_file_perms;
|
||||
# for .forward - maybe we need a new type for it?
|
||||
allow postfix_local_t postfix_private_t:dir search;
|
||||
@ -241,6 +241,7 @@ postfix_user_domain(postqueue)
|
||||
allow postfix_postqueue_t postfix_public_t:dir search;
|
||||
allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
|
||||
allow postfix_postqueue_t self:udp_socket { create ioctl };
|
||||
allow postfix_postqueue_t self:tcp_socket create;
|
||||
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
|
||||
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
|
||||
allow postfix_postqueue_t initrc_t:process sigchld;
|
||||
@ -260,7 +261,7 @@ dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
|
||||
postfix_user_domain(showq)
|
||||
# the following auto_trans is usually in postfix server domain
|
||||
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
||||
allow postfix_showq_t self:udp_socket { create ioctl };
|
||||
can_resolve(postfix_showq_t)
|
||||
r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
|
||||
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
|
||||
allow postfix_showq_t self:capability { setuid setgid };
|
||||
@ -284,6 +285,7 @@ ifdef(`crond.te',
|
||||
allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
|
||||
# usually it does not need a UDP socket
|
||||
allow postfix_postdrop_t self:udp_socket create_socket_perms;
|
||||
allow postfix_postdrop_t self:tcp_socket create;
|
||||
allow postfix_postdrop_t self:capability sys_resource;
|
||||
|
||||
postfix_public_domain(pickup)
|
||||
@ -329,7 +331,8 @@ ifdef(`procmail.te', `
|
||||
domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
|
||||
')
|
||||
ifdef(`sendmail.te', `
|
||||
allow sendmail_t postfix_etc_t:dir search;
|
||||
r_dir_file(sendmail_t, postfix_etc_t)
|
||||
allow sendmail_t postfix_spool_t:dir search;
|
||||
')
|
||||
|
||||
# Program for creating database files
|
||||
@ -350,3 +353,4 @@ can_network_server(postfix_map_t)
|
||||
allow postfix_map_t port_type:tcp_socket name_connect;
|
||||
allow postfix_local_t mail_spool_t:dir { remove_name };
|
||||
allow postfix_local_t mail_spool_t:file { unlink };
|
||||
can_exec(postfix_local_t, bin_t)
|
||||
|
@ -19,8 +19,7 @@ role system_r types procmail_t;
|
||||
uses_shlib(procmail_t)
|
||||
allow procmail_t device_t:dir search;
|
||||
can_network_server(procmail_t)
|
||||
can_ypbind(procmail_t)
|
||||
can_winbind(procmail_t)
|
||||
nsswitch_domain(procmail_t)
|
||||
|
||||
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
|
||||
|
||||
@ -60,6 +59,14 @@ allow procmail_t { self proc_t }:lnk_file read;
|
||||
allow procmail_t usr_t:file { getattr ioctl read };
|
||||
ifdef(`spamassassin.te', `
|
||||
can_exec(procmail_t, spamassassin_exec_t)
|
||||
can_resolve(procmail_t)
|
||||
allow procmail_t port_t:udp_socket name_bind;
|
||||
allow procmail_t tmp_t:dir getattr;
|
||||
')
|
||||
ifdef(`targeted_policy', `
|
||||
can_resolve(procmail_t)
|
||||
allow procmail_t port_t:udp_socket name_bind;
|
||||
allow procmail_t tmp_t:dir getattr;
|
||||
')
|
||||
|
||||
# Search /var/run.
|
||||
|
21
strict/domains/program/readahead.te
Normal file
21
strict/domains/program/readahead.te
Normal file
@ -0,0 +1,21 @@
|
||||
#DESC readahead - read files in page cache
|
||||
#
|
||||
# Author: Dan Walsh (dwalsh@redhat.com)
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Declarations for readahead
|
||||
#
|
||||
|
||||
daemon_domain(readahead)
|
||||
#
|
||||
# readahead asks for these
|
||||
#
|
||||
allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
|
||||
allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
|
||||
dontaudit readahead_t shadow_t:file { getattr read };
|
||||
allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
|
||||
dontaudit readahead_t file_type:sock_file getattr;
|
||||
allow readahead_t proc_t:file { getattr read };
|
||||
dontaudit readahead_t device_type:blk_file read;
|
@ -19,7 +19,7 @@ role system_r types restorecon_t;
|
||||
role sysadm_r types restorecon_t;
|
||||
role secadm_r types restorecon_t;
|
||||
|
||||
allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
|
||||
can_access_pty(restorecon_t, initrc)
|
||||
allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
|
||||
|
||||
domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
|
||||
|
@ -35,4 +35,6 @@ allow rlogind_t self:file { getattr read };
|
||||
allow rlogind_t default_t:dir search;
|
||||
typealias rlogind_port_t alias rlogin_port_t;
|
||||
read_sysctl(rlogind_t);
|
||||
allow rlogind_t krb5_keytab_t:file r_file_perms;
|
||||
ifdef(`kerberos.te', `
|
||||
allow rlogind_t krb5_keytab_t:file { getattr read };
|
||||
')
|
||||
|
29
strict/domains/program/roundup.te
Normal file
29
strict/domains/program/roundup.te
Normal file
@ -0,0 +1,29 @@
|
||||
# Roundup Issue Tracking System
|
||||
#
|
||||
# Authors: W. Michael Petullo <redhat@flyn.org
|
||||
#
|
||||
daemon_domain(roundup)
|
||||
var_lib_domain(roundup)
|
||||
can_network(roundup_t)
|
||||
allow roundup_t http_cache_port_t:tcp_socket name_bind;
|
||||
allow roundup_t smtp_port_t:tcp_socket name_connect;
|
||||
|
||||
# execute python
|
||||
allow roundup_t bin_t:dir r_dir_perms;
|
||||
can_exec(roundup_t, bin_t)
|
||||
allow roundup_t bin_t:lnk_file read;
|
||||
|
||||
allow roundup_t self:capability { setgid setuid };
|
||||
|
||||
allow roundup_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
ifdef(`mysqld.te', `
|
||||
allow roundup_t mysqld_db_t:dir search;
|
||||
allow roundup_t mysqld_var_run_t:sock_file write;
|
||||
allow roundup_t mysqld_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# /usr/share/mysql/charsets/Index.xml
|
||||
allow roundup_t usr_t:file { getattr read };
|
||||
allow roundup_t urandom_device_t:chr_file { getattr read };
|
||||
allow roundup_t etc_t:file { getattr read };
|
@ -19,7 +19,7 @@ daemon_base_domain($1)
|
||||
can_network($1_t)
|
||||
allow $1_t port_type:tcp_socket name_connect;
|
||||
can_ypbind($1_t)
|
||||
allow $1_t etc_t:file { getattr read };
|
||||
allow $1_t { etc_runtime_t etc_t }:file { getattr read };
|
||||
read_locale($1_t)
|
||||
allow $1_t self:capability net_bind_service;
|
||||
dontaudit $1_t self:capability net_admin;
|
||||
@ -148,6 +148,15 @@ r_dir_file(gssd_t, proc_net_t)
|
||||
allow gssd_t rpc_pipefs_t:dir r_dir_perms;
|
||||
allow gssd_t rpc_pipefs_t:sock_file { read write };
|
||||
allow gssd_t rpc_pipefs_t:file r_file_perms;
|
||||
allow gssd_t self:capability setuid;
|
||||
allow gssd_t self:capability { dac_override dac_read_search setuid };
|
||||
allow nfsd_t devtty_t:chr_file rw_file_perms;
|
||||
allow rpcd_t devtty_t:chr_file rw_file_perms;
|
||||
|
||||
bool allow_gssd_read_tmp true;
|
||||
if (allow_gssd_read_tmp) {
|
||||
ifdef(`targeted_policy', `
|
||||
r_dir_file(gssd_t, tmp_t)
|
||||
', `
|
||||
r_dir_file(gssd_t, user_tmpfile)
|
||||
')
|
||||
}
|
||||
|
@ -15,5 +15,4 @@ inetd_child_domain(rsync)
|
||||
type rsync_data_t, file_type, sysadmfile;
|
||||
r_dir_file(rsync_t, rsync_data_t)
|
||||
anonymous_domain(rsync)
|
||||
|
||||
|
||||
allow rsync_t self:capability sys_chroot;
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user