more work to clean up and complete current modules

This commit is contained in:
Chris PeBenito 2005-06-20 17:41:29 +00:00
parent 2ba9a794db
commit 7a2f20a315
14 changed files with 873 additions and 579 deletions


@ -103,6 +103,7 @@ dev_setattr_all_blk_files(bootloader_t)
dev_dontaudit_rw_generic_dev_nodes(bootloader_t) dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t) dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t) dev_read_urand(bootloader_t)
dev_getattr_sysfs_dir(bootloader_t)
# for reading BIOS data # for reading BIOS data
dev_read_raw_memory(bootloader_t) dev_read_raw_memory(bootloader_t)
@ -113,6 +114,7 @@ term_getattr_all_user_ttys(bootloader_t)
init_getattr_initctl(bootloader_t) init_getattr_initctl(bootloader_t)
init_use_script_pty(bootloader_t) init_use_script_pty(bootloader_t)
init_use_script_fd(bootloader_t) init_use_script_fd(bootloader_t)
init_rw_script_pipe(bootloader_t)
domain_use_wide_inherit_fd(bootloader_t) domain_use_wide_inherit_fd(bootloader_t)
@ -183,10 +185,6 @@ optional_policy(`modutils.te',`
ifdef(`TODO',` ifdef(`TODO',`
allow bootloader_t initrc_t:fifo_file { read write };
allow bootloader_t sysfs_t:dir getattr;
allow bootloader_t var_t:dir search; allow bootloader_t var_t:dir search;
allow bootloader_t var_t:file { getattr read }; allow bootloader_t var_t:file { getattr read };



@ -19,7 +19,12 @@
## </interface> ## </interface>
# #
define(`kernel_userland_entry',` define(`kernel_userland_entry',`
gen_require(`$0'_depend) gen_require(`
type kernel_t;
class process sigchld;
class fifo_file rw_file_perms;
class fd use;
')
domain_auto_trans(kernel_t, $2, $1) domain_auto_trans(kernel_t, $2, $1)
@ -29,15 +34,6 @@ define(`kernel_userland_entry',`
allow $1 kernel_t:process sigchld; allow $1 kernel_t:process sigchld;
') ')
define(`kernel_userland_entry_depend',`
type kernel_t;
class process { transition noatsecure siginh rlimitinh sigchld };
class file { getattr read execute };
class fifo_file rw_file_perms;
class fd use;
')
######################################## ########################################
## <interface name="kernel_rootfs_mountpoint"> ## <interface name="kernel_rootfs_mountpoint">
## <description> ## <description>
@ -61,6 +57,25 @@ define(`kernel_rootfs_mountpoint_depend',`
class dir mounton; class dir mounton;
') ')
########################################
## <interface name="kernel_sigchld">
## <description>
## Send a SIGCHLD signal to kernel threads.
## </description>
## <parameter name="domain">
## The type of the process sending the signal.
## </parameter>
## </interface>
#
define(`kernel_sigchld',`
gen_require(`
type kernel_t;
class process sigchld;
')
allow kernel_t $1:process sigchld;
')
######################################## ########################################
## <interface name="kernel_share_state"> ## <interface name="kernel_share_state">
## <description> ## <description>
@ -73,15 +88,12 @@ define(`kernel_rootfs_mountpoint_depend',`
## </interface> ## </interface>
# #
define(`kernel_share_state',` define(`kernel_share_state',`
gen_require(`$0'_depend) gen_require(`
type kernel_t;
allow kernel_t $1:process share; class process share;
') ')
define(`kernel_share_state_depend',` allow kernel_t $1:process share;
type kernel_t;
class process share;
') ')
######################################## ########################################
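Review bot: The new kernel_sigchld interface grants the signal in the wrong direction: `allow kernel_t $1:process sigchld;` lets kernel_t send SIGCHLD to $1, while the interface's own description says the parameter is "the type of the process sending the signal", and the hotplug.te rule this commit replaces with `kernel_sigchld(hotplug_t)` was `allow hotplug_t kernel_t:process sigchld;` with hotplug_t as the source. The rule should read `allow $1 kernel_t:process sigchld;`. As written, hotplug_t loses the permission the rewrite was meant to preserve and kernel_t gains an unrelated one; the same mismatch therefore shows up in the hotplug.te section below.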


@ -227,6 +227,48 @@ define(`storage_raw_write_lvm_volume',`
typeattribute $1 fixed_disk_raw_write; typeattribute $1 fixed_disk_raw_write;
') ')
########################################
## <interface name="storage_getattr_scsi_generic">
## <description>
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`storage_getattr_scsi_generic',`
gen_require(`
type scsi_generic_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file getattr;
')
########################################
## <interface name="storage_setattr_scsi_generic">
## <description>
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`storage_setattr_scsi_generic',`
gen_require(`
type scsi_generic_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file setattr;
')
######################################## ########################################
## <interface name="storage_read_scsi_generic"> ## <interface name="storage_read_scsi_generic">
## <description> ## <description>
@ -383,6 +425,26 @@ define(`storage_setattr_removable_device',`
allow $1 removable_device_t:blk_file setattr; allow $1 removable_device_t:blk_file setattr;
') ')
########################################
## <interface name="storage_dontaudit_setattr_removable_device">
## <description>
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
## </description>
## <parameter name="domain">
## The type of the process to not audit.
## </parameter>
## </interface>
#
define(`storage_dontaudit_setattr_removable_device',`
gen_require(`
type removable_device_t;
class blk_file setattr;
')
dontaudit $1 removable_device_t:blk_file setattr;
')
######################################## ########################################
## <interface name="storage_raw_read_removable_device"> ## <interface name="storage_raw_read_removable_device">
## <description> ## <description>
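Review bot: storage_getattr_scsi_generic and storage_setattr_scsi_generic require and allow `blk_file` on scsi_generic_device_t, but the pam_console.te rule they replace in this commit granted `chr_file { getattr setattr }` on that type (the removed `allow pam_console_t { ... scsi_generic_device_t }:chr_file { getattr setattr };` list). Generic SCSI nodes are character devices, so after this change pam_console_t is left with a blk_file permission that matches no node and loses the chr_file access it had. Both interfaces should use `class chr_file getattr;` / `allow $1 scsi_generic_device_t:chr_file getattr;` (and `setattr` in the second), with the gen_require blocks changed to match.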


@ -1,21 +1,6 @@
## <module name="authlogin" layer="system"> ## <module name="authlogin" layer="system">
## <summary>Common policy for authentication and user login.</summary> ## <summary>Common policy for authentication and user login.</summary>
########################################
## <interface name="authlogin_per_userdomain_template">
## <description>
##
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="userdomain_prefix">
##
## </parameter>
## </interface>
#
####################################### #######################################
# #
# Per user domain template for this module # Per user domain template for this module
@ -110,29 +95,19 @@ define(`authlogin_per_userdomain_template_depend',`
######################################## ########################################
## <interface name="auth_login_entry_type"> ## <interface name="auth_login_entry_type">
## <description> ## <description>
## ## Use the login program as an entry point program.
## </description> ## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain"> ## <parameter name="domain">
## ## The type of process using the login program as entry point.
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
#######################################
#
# auth_login_entry_type(domain)
#
define(`auth_login_entry_type',` define(`auth_login_entry_type',`
gen_require(`$0'_depend) gen_require(`
type login_exec_t;
domain_entry_file($1,login_exec_t)
') ')
define(`auth_login_entry_type_depend',` domain_entry_file($1,login_exec_t)
type login_exec_t;
') ')
######################################## ########################################
@ -149,13 +124,15 @@ define(`auth_login_entry_type_depend',`
## </interface> ## </interface>
# #
define(`auth_domtrans_login_program',` define(`auth_domtrans_login_program',`
gen_require(`$0'_depend) gen_require(`
type login_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
# FIXME: search bin_t corecmd_search_bin($1)
allow $1 login_exec_t:file rx_file_perms; domain_auto_trans($1,login_exec_t,$2)
allow $1 $2:process transition;
type_transition $1 login_exec_t:process $2;
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
allow $1 $2:fd use; allow $1 $2:fd use;
allow $2 $1:fd use; allow $2 $1:fd use;
@ -163,35 +140,26 @@ define(`auth_domtrans_login_program',`
allow $2 $1:process sigchld; allow $2 $1:process sigchld;
') ')
define(`auth_domtrans_login_program_depend',` ########################################
type login_exec_t; ## <interface name="auth_domtrans_chk_passwd">
## <description>
class file rx_file_perms; ## Run unix_chkpwd to check a password.
class process { transition noatsecure siginh rlimitinh sigchld }; ## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`auth_domtrans_chk_passwd',`
gen_require(`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
class process sigchld;
class udp_socket create_socket_perms;
class fd use; class fd use;
class fifo_file rw_file_perms; class fifo_file rw_file_perms;
') ')
######################################## corecmd_search_sbin($1)
## <interface name="auth_domtrans_chk_passwd">
## <description>
##
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
##
## </parameter>
## </interface>
#
#######################################
#
# auth_domtrans_chk_passwd(domain)
#
define(`auth_domtrans_chk_passwd',`
gen_require(`$0'_depend)
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t) domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
allow $1 system_chkpwd_t:fd use; allow $1 system_chkpwd_t:fd use;
@ -200,7 +168,6 @@ define(`auth_domtrans_chk_passwd',`
allow system_chkpwd_t $1:process sigchld; allow system_chkpwd_t $1:process sigchld;
dontaudit $1 shadow_t:file { getattr read }; dontaudit $1 shadow_t:file { getattr read };
#allow $1_t sbin_t:dir search;
#can_ypbind($1_t) #can_ypbind($1_t)
#can_kerberos($1_t) #can_kerberos($1_t)
#can_ldap($1_t) #can_ldap($1_t)
@ -217,145 +184,99 @@ define(`auth_domtrans_chk_passwd',`
') ')
') ')
define(`auth_domtrans_chk_passwd_depend',`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
class file rx_file_perms;
class process { transition sigchld };
class udp_socket create_socket_perms;
class fd use;
class fifo_file rw_file_perms;
')
######################################## ########################################
## <interface name="auth_dontaudit_getattr_shadow"> ## <interface name="auth_dontaudit_getattr_shadow">
## <description> ## <description>
## ##
## </description> ## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain"> ## <parameter name="domain">
## ## The type of the process performing this action.
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
#######################################
#
# auth_dontaudit_getattr_shadow(domain)
#
define(`auth_dontaudit_getattr_shadow',` define(`auth_dontaudit_getattr_shadow',`
gen_require(`$0'_depend) gen_require(`
type shadow_t;
dontaudit $1 shadow_t:file getattr; class file stat_file_perms;
') ')
define(`auth_dontaudit_getattr_shadow_depend',` dontaudit $1 shadow_t:file getattr;
type shadow_t;
class file stat_file_perms;
') ')
######################################## ########################################
## <interface name="auth_read_shadow"> ## <interface name="auth_read_shadow">
## <description> ## <description>
## ## Read the shadow passwords file (/etc/shadow)
## </description> ## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain"> ## <parameter name="domain">
## ## The type of the process performing this action.
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
#######################################
#
# auth_read_shadow(domain)
#
define(`auth_read_shadow',` define(`auth_read_shadow',`
gen_require(`$0'_depend) gen_require(`
attribute can_read_shadow_passwords;
type shadow_t;
class file r_file_perms;
')
files_list_etc($1) files_list_etc($1)
allow $1 shadow_t:file r_file_perms; allow $1 shadow_t:file r_file_perms;
typeattribute $1 can_read_shadow_passwords; typeattribute $1 can_read_shadow_passwords;
') ')
define(`auth_read_shadow_depend',`
attribute can_read_shadow_passwords;
type shadow_t;
class file r_file_perms;
')
######################################## ########################################
## <interface name="auth_dontaudit_read_shadow"> ## <interface name="auth_dontaudit_read_shadow">
## <description> ## <description>
## ## Do not audit attempts to read the shadow
## password file (/etc/shadow).
## </description> ## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain"> ## <parameter name="domain">
## ## The type of the domain to not audit.
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
#######################################
#
# auth_dontaudit_read_shadow(domain)
#
define(`auth_dontaudit_read_shadow',` define(`auth_dontaudit_read_shadow',`
gen_require(`$0'_depend) gen_require(`
type shadow_t;
dontaudit $1 shadow_t:file { getattr read }; class file r_file_perms;
') ')
define(`auth_dontaudit_read_shadow_depend',` dontaudit $1 shadow_t:file { getattr read };
type shadow_t;
class file r_file_perms;
') ')
######################################## ########################################
## <interface name="auth_rw_shadow"> ## <interface name="auth_rw_shadow">
## <description> ## <description>
## ## Read and write the shadow password file (/etc/shadow).
## </description> ## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain"> ## <parameter name="domain">
## ## The type of the process performing this action.
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
#######################################
#
# auth_rw_shadow(domain)
#
define(`auth_rw_shadow',` define(`auth_rw_shadow',`
gen_require(`$0'_depend) gen_require(`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
class file rw_file_perms;
')
files_list_etc($1) files_list_etc($1)
allow $1 shadow_t:file rw_file_perms; allow $1 shadow_t:file rw_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
') ')
define(`auth_rw_shadow_depend',`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
class file rw_file_perms;
')
####################################### #######################################
# #
# auth_manage_shadow(domain) # auth_manage_shadow(domain)
# #
define(`auth_manage_shadow',` define(`auth_manage_shadow',`
gen_require(`$0'_depend) gen_require(`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
class file create_file_perms;
')
allow $1 shadow_t:file create_file_perms; allow $1 shadow_t:file create_file_perms;
files_create_etc_config($1,shadow_t,file) files_create_etc_config($1,shadow_t,file)
@ -363,49 +284,34 @@ define(`auth_manage_shadow',`
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
') ')
define(`auth_manage_shadow_depend',`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
class file create_file_perms;
')
####################################### #######################################
# #
# auth_relabelto_shadow(domain) # auth_relabelto_shadow(domain)
# #
define(`auth_relabelto_shadow',` define(`auth_relabelto_shadow',`
gen_require(`$0'_depend) gen_require(`
attribute can_relabelto_shadow_passwords;
type shadow_t;
class file relabelto;
')
files_search_etc($1) files_search_etc($1)
allow $1 shadow_t:file relabelto; allow $1 shadow_t:file relabelto;
typeattribute $1 can_relabelto_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords;
') ')
define(`auth_relabelto_shadow_depend',`
attribute can_relabelto_shadow_passwords;
type shadow_t;
class file relabelto;
')
####################################### #######################################
# #
# auth_rw_faillog(domain) # auth_rw_faillog(domain)
# #
define(`auth_rw_faillog',` define(`auth_rw_faillog',`
gen_require(`$0'_depend) gen_require(`
type faillog_t;
allow $1 faillog_t:file rw_file_perms; class file rw_file_perms;
logging_search_logs($1)
') ')
define(`auth_rw_faillog_depend',` logging_search_logs($1)
type faillog_t; allow $1 faillog_t:file rw_file_perms;
class file rw_file_perms;
') ')
####################################### #######################################
@ -413,18 +319,15 @@ define(`auth_rw_faillog_depend',`
# auth_rw_lastlog(domain) # auth_rw_lastlog(domain)
# #
define(`auth_rw_lastlog',` define(`auth_rw_lastlog',`
gen_require(`$0'_depend) gen_require(`
type lastlog_t;
class file { getattr read write setattr };
')
logging_search_logs($1) logging_search_logs($1)
allow $1 lastlog_t:file { getattr read write setattr }; allow $1 lastlog_t:file { getattr read write setattr };
') ')
define(`auth_rw_lastlog_depend',`
type lastlog_t;
class file { getattr read write setattr };
')
######################################## ########################################
## <interface name="auth_domtrans_pam"> ## <interface name="auth_domtrans_pam">
## <description> ## <description>
@ -436,7 +339,12 @@ define(`auth_rw_lastlog_depend',`
## </interface> ## </interface>
# #
define(`auth_domtrans_pam',` define(`auth_domtrans_pam',`
gen_require(`$0'_depend) gen_require(`
type pam_t, pam_exec_t;
class process sigchld;
class fd
class fifo_file rw_file_perms;
')
domain_auto_trans($1,pam_exec_t,pam_t) domain_auto_trans($1,pam_exec_t,pam_t)
@ -446,15 +354,6 @@ define(`auth_domtrans_pam',`
allow pam_t $1:process sigchld; allow pam_t $1:process sigchld;
') ')
define(`auth_domtrans_pam_depend',`
type pam_t, pam_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd
class fifo_file rw_file_perms;
')
######################################## ########################################
## <interface name="auth_run_pam"> ## <interface name="auth_run_pam">
## <description> ## <description>
@ -472,46 +371,32 @@ define(`auth_domtrans_pam_depend',`
## </interface> ## </interface>
# #
define(`auth_run_pam',` define(`auth_run_pam',`
gen_require(`$0'_depend) gen_require(`
type pam_t;
class chr_file rw_file_perms;
')
auth_domtrans_pam($1) auth_domtrans_pam($1)
role $2 types pam_t; role $2 types pam_t;
allow pam_t $3:chr_file rw_file_perms; allow pam_t $3:chr_file rw_file_perms;
') ')
define(`auth_run_pam_depend',`
type pam_t;
class chr_file rw_file_perms;
')
######################################## ########################################
## <interface name="auth_exec_pam"> ## <interface name="auth_exec_pam">
## <description> ## <description>
## ## Execute the pam program.
## </description> ## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain"> ## <parameter name="domain">
## ## The type of the process performing this action.
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
#######################################
#
# auth_exec_pam(domain)
#
define(`auth_exec_pam',` define(`auth_exec_pam',`
gen_require(`$0'_depend) gen_require(`
type pam_exec_t;
can_exec($1,pam_exec_t)
') ')
define(`auth_exec_pam_depend',` can_exec($1,pam_exec_t)
type pam_exec_t;
class file { getattr read execute execute_no_trans };
') ')
####################################### #######################################
@ -519,7 +404,11 @@ define(`auth_exec_pam_depend',`
# auth_read_pam_pid(domain) # auth_read_pam_pid(domain)
# #
define(`auth_read_pam_pid',` define(`auth_read_pam_pid',`
gen_require(`$0'_depend) gen_require(`
type pam_var_run_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_var($1) files_search_var($1)
files_search_pids($1) files_search_pids($1)
@ -527,32 +416,22 @@ define(`auth_read_pam_pid',`
allow $1 pam_var_run_t:file r_file_perms; allow $1 pam_var_run_t:file r_file_perms;
') ')
define(`auth_read_pam_pid_depend',`
type pam_var_run_t;
class dir r_dir_perms;
class file r_file_perms;
')
######################################## ########################################
## <interface name="auth_delete_pam_pid"> ## <interface name="auth_delete_pam_pid">
## <description> ## <description>
## ## Delete pam PID files.
## </description> ## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain"> ## <parameter name="domain">
## ## The type of the process performing this action.
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
#######################################
#
# auth_delete_pam_pid(domain)
#
define(`auth_delete_pam_pid',` define(`auth_delete_pam_pid',`
gen_require(`$0'_depend) gen_require(`
type pam_var_run_t;
class dir { getattr search read write remove_name };
class file { getattr unlink };
')
files_search_var($1) files_search_var($1)
files_search_pids($1) files_search_pids($1)
@ -560,19 +439,17 @@ define(`auth_delete_pam_pid',`
allow $1 pam_var_run_t:file { getattr unlink }; allow $1 pam_var_run_t:file { getattr unlink };
') ')
define(`auth_delete_pam_pid_depend',`
type pam_var_run_t;
class dir { getattr search read write remove_name };
class file { getattr unlink };
')
####################################### #######################################
# #
# auth_domtrans_pam_console(domain) # auth_domtrans_pam_console(domain)
# #
define(`auth_domtrans_pam_console',` define(`auth_domtrans_pam_console',`
gen_require(`$0'_depend) gen_require(`
type pam_console_t, pam_console_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,pam_console_exec_t,pam_console_t) domain_auto_trans($1,pam_console_exec_t,pam_console_t)
@ -582,52 +459,31 @@ define(`auth_domtrans_pam_console',`
allow pam_console_t $1:process sigchld; allow pam_console_t $1:process sigchld;
') ')
define(`auth_domtrans_pam_console_depend',`
type pam_console_t, pam_console_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="auth_list_pam_console_data">
## <description>
##
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
##
## </parameter>
## </interface>
#
####################################### #######################################
# #
# auth_list_pam_console_data(domain) # auth_list_pam_console_data(domain)
# #
define(`auth_list_pam_console_data',` define(`auth_list_pam_console_data',`
gen_require(`$0'_depend) gen_require(`
type pam_var_console_t;
class dir r_dir_perms;
')
files_search_var($1) files_search_var($1)
files_search_pids($1) files_search_pids($1)
allow $1 pam_var_console_t:dir r_dir_perms; allow $1 pam_var_console_t:dir r_dir_perms;
') ')
define(`auth_list_pam_console_data_depend',`
type pam_var_console_t;
class dir r_dir_perms;
')
####################################### #######################################
# #
# auth_read_pam_console_data(domain) # auth_read_pam_console_data(domain)
# #
define(`auth_read_pam_console_data',` define(`auth_read_pam_console_data',`
gen_require(`$0'_depend) gen_require(`
type pam_var_console_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_var($1) files_search_var($1)
files_search_pids($1) files_search_pids($1)
@ -635,19 +491,17 @@ define(`auth_read_pam_console_data',`
allow $1 pam_var_console_t:file r_file_perms; allow $1 pam_var_console_t:file r_file_perms;
') ')
define(`auth_read_pam_console_data_depend',`
type pam_var_console_t;
class dir r_dir_perms;
class file r_file_perms;
')
####################################### #######################################
# #
# auth_manage_pam_console_data(domain) # auth_manage_pam_console_data(domain)
# #
define(`auth_manage_pam_console_data',` define(`auth_manage_pam_console_data',`
gen_require(`$0'_depend) gen_require(`
type pam_var_console_t;
class dir rw_dir_perms;
class file create_file_perms;
class lnk_file create_lnk_perms;
')
files_search_var($1) files_search_var($1)
files_search_pids($1) files_search_pids($1)
@ -656,14 +510,6 @@ define(`auth_manage_pam_console_data',`
allow $1 pam_var_console_t:lnk_file create_lnk_perms; allow $1 pam_var_console_t:lnk_file create_lnk_perms;
') ')
define(`auth_manage_pam_console_data_depend',`
type pam_var_console_t;
class dir rw_dir_perms;
class file create_file_perms;
class lnk_file create_lnk_perms;
')
######################################## ########################################
## <interface name="auth_relabel_all_files_except_shadow"> ## <interface name="auth_relabel_all_files_except_shadow">
## <description> ## <description>
@ -681,13 +527,11 @@ define(`auth_manage_pam_console_data_depend',`
# #
define(`auth_relabel_all_files_except_shadow',` define(`auth_relabel_all_files_except_shadow',`
gen_require(`$0'_depend) gen_require(`
type shadow_t;
files_relabel_all_files($1,$2 -shadow_t)
') ')
define(`auth_relabel_all_files_except_shadow_depend',` files_relabel_all_files($1,$2 -shadow_t)
type shadow_t;
') ')
######################################## ########################################
@ -707,13 +551,11 @@ define(`auth_relabel_all_files_except_shadow_depend',`
# #
define(`auth_manage_all_files_except_shadow',` define(`auth_manage_all_files_except_shadow',`
gen_require(`$0'_depend) gen_require(`
type shadow_t;
files_manage_all_files($1,$2 -shadow_t)
') ')
define(`auth_manage_all_files_except_shadow_depend',` files_manage_all_files($1,$2 -shadow_t)
type shadow_t;
') ')
######################################## ########################################
@ -727,7 +569,12 @@ define(`auth_manage_all_files_except_shadow_depend',`
## </interface> ## </interface>
# #
define(`auth_domtrans_utempter',` define(`auth_domtrans_utempter',`
gen_require(`$0'_depend) gen_require(`
type utempter_t, utempter_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,utempter_exec_t,utempter_t) domain_auto_trans($1,utempter_exec_t,utempter_t)
@ -737,15 +584,6 @@ define(`auth_domtrans_utempter',`
allow utempter_t $1:process sigchld; allow utempter_t $1:process sigchld;
') ')
define(`auth_domtrans_utempter_depend',`
type utempter_t, utempter_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
######################################## ########################################
## <interface name="auth_run_utempter"> ## <interface name="auth_run_utempter">
## <description> ## <description>
@ -763,73 +601,41 @@ define(`auth_domtrans_utempter_depend',`
## </interface> ## </interface>
# #
define(`auth_run_utempter',` define(`auth_run_utempter',`
gen_require(`$0'_depend) gen_require(`
type utempter_t;
class chr_file rw_file_perms;
')
auth_domtrans_utempter($1) auth_domtrans_utempter($1)
role $2 types utempter_t; role $2 types utempter_t;
allow utempter_t $3:chr_file rw_file_perms; allow utempter_t $3:chr_file rw_file_perms;
') ')
define(`auth_run_utempter_depend',`
type utempter_t;
class chr_file rw_file_perms;
')
########################################
## <interface name="auth_read_login_records">
## <description>
##
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
##
## </parameter>
## </interface>
#
####################################### #######################################
# #
# auth_read_login_records(domain) # auth_read_login_records(domain)
# #
define(`auth_read_login_records',` define(`auth_read_login_records',`
gen_require(`$0'_depend) gen_require(`
type wtmp_t;
class file r_file_perms;
')
logging_search_logs($1) logging_search_logs($1)
allow $1 wtmp_t:file r_file_perms; allow $1 wtmp_t:file r_file_perms;
') ')
define(`auth_read_login_records_depend',`
type wtmp_t;
class file r_file_perms;
')
########################################
## <interface name="auth_dontaudit_write_login_records">
## <description>
##
## </description>
## <parameter name="domain">
##
## </parameter>
## </interface>
#
####################################### #######################################
# #
# auth_dontaudit_write_login_records(domain) # auth_dontaudit_write_login_records(domain)
# #
define(`auth_dontaudit_write_login_records',` define(`auth_dontaudit_write_login_records',`
gen_require(`$0'_depend) gen_require(`
type wtmp_t;
dontaudit $1 wtmp_t:file write; class file write;
') ')
define(`auth_read_login_records_depend',` dontaudit $1 wtmp_t:file write;
type wtmp_t;
class file write;
') ')
####################################### #######################################
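Review bot: The new gen_require block of auth_domtrans_pam keeps a malformed line, `class fd` with no permission set and no terminating semicolon, carried over from the old auth_domtrans_pam_depend block it replaces; since m4 only substitutes text, the generated require block would contain `class fd class fifo_file rw_file_perms;`, which is presumably rejected by the policy compiler. It should be `class fd use;`, as the sibling interfaces auth_domtrans_pam_console and auth_domtrans_utempter in the same file already declare; the rest of the auth_domtrans_pam body lies outside the hunk. Separately, auth_dontaudit_getattr_shadow's description was left as an empty `##` while the neighbouring shadow interfaces were filled in; `## Do not audit attempts to get the attributes of the shadow password file (/etc/shadow).` would complete it.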


@ -141,12 +141,27 @@ kernel_read_system_state(pam_console_t)
kernel_use_fd(pam_console_t) kernel_use_fd(pam_console_t)
dev_read_sysfs(pam_console_t) dev_read_sysfs(pam_console_t)
dev_getattr_framebuffer(pam_console_t)
dev_setattr_framebuffer(pam_console_t)
dev_getattr_misc(pam_console_t)
dev_setattr_misc(pam_console_t)
dev_getattr_mouse(pam_console_t)
dev_setattr_mouse(pam_console_t)
dev_getattr_power_management(pam_console_t)
dev_setattr_power_management(pam_console_t)
dev_getattr_scanner(pam_console_t)
dev_setattr_scanner(pam_console_t)
dev_getattr_snd_dev(pam_console_t)
dev_setattr_snd_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
# Allow to set attributes on /dev entries
storage_getattr_fixed_disk(pam_console_t) storage_getattr_fixed_disk(pam_console_t)
storage_setattr_fixed_disk(pam_console_t) storage_setattr_fixed_disk(pam_console_t)
storage_getattr_removable_device(pam_console_t) storage_getattr_removable_device(pam_console_t)
storage_setattr_removable_device(pam_console_t) storage_setattr_removable_device(pam_console_t)
storage_getattr_scsi_generic(pam_console_t)
storage_setattr_scsi_generic(pam_console_t)
term_use_console(pam_console_t) term_use_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t) term_getattr_unallocated_ttys(pam_console_t)
@ -201,18 +216,7 @@ optional_policy(`rhgb.te', `
') ')
allow pam_console_t autofs_t:dir { search getattr }; allow pam_console_t autofs_t:dir { search getattr };
allow pam_console_t { allow pam_console_t apm_bios_t:chr_file { getattr setattr };
framebuf_device_t
v4l_device_t
apm_bios_t
sound_device_t
misc_device_t
scanner_device_t
mouse_device_t
power_device_t
removable_device_t
scsi_generic_device_t
}:chr_file { getattr setattr };
ifdef(`gpm.te', ` ifdef(`gpm.te', `
allow pam_console_t gpmctl_t:sock_file { getattr setattr }; allow pam_console_t gpmctl_t:sock_file { getattr setattr };


@ -940,6 +940,25 @@ define(`files_dontaudit_search_var_depend',`
class dir search; class dir search;
') ')
########################################
## <interface name="files_search_var_lib">
## <description>
## Search the /var/lib directory.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`files_search_var_lib',`
gen_require(`
type var_t, var_lib_t;
class dir search;
')
allow $1 { var_t var_lib_t }:dir search;
')
######################################## ########################################
# #
# files_manage_urandom_seed(domain) # files_manage_urandom_seed(domain)


@ -43,6 +43,8 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink }; allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
files_create_pid(hotplug_t,hotplug_var_run_t) files_create_pid(hotplug_t,hotplug_var_run_t)
kernel_sigchld(hotplug_t)
kernel_read_system_state(hotplug_t) kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctl(hotplug_t) kernel_read_kernel_sysctl(hotplug_t)
kernel_read_net_sysctl(hotplug_t) kernel_read_net_sysctl(hotplug_t)
@ -58,6 +60,7 @@ corenet_tcp_bind_all_nodes(hotplug_t)
dev_read_sysfs(hotplug_t) dev_read_sysfs(hotplug_t)
dev_read_usbfs(hotplug_t) dev_read_usbfs(hotplug_t)
dev_setattr_snd_dev(hotplug_t)
# for SSP: # for SSP:
dev_read_urand(hotplug_t) dev_read_urand(hotplug_t)
@ -167,14 +170,9 @@ optional_policy(`rhgb.te', `
allow kernel_t hotplug_etc_t:dir search; allow kernel_t hotplug_etc_t:dir search;
allow hotplug_t sound_device_t:chr_file setattr;
can_ypbind(hotplug_t) can_ypbind(hotplug_t)
dbusd_client(system, hotplug) dbusd_client(system, hotplug)
allow hotplug_t kernel_t:process sigchld;
# for ps # for ps
dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read; dontaudit hotplug_t { init_t kernel_t }:file read;
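Review bot: `dev_setattr_snd_dev(hotplug_t)` in the second hunk carries no rationale, while the neighbouring `# for SSP:` shows this file's habit of explaining non-obvious device access; setattr on sound device nodes is the kind of permission that deserves a why. Presumably hotplug adjusts ownership or mode on newly appeared sound devices; if so, a comment such as `# for setting permissions on hotplugged sound devices` above the call would document it. The third hunk's removals of the raw `sound_device_t:chr_file setattr` and `kernel_t:process sigchld` rules correspond to the `dev_setattr_snd_dev` and `kernel_sigchld` calls added in the first two hunks, so no permission appears to be lost in the conversion.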


@ -329,6 +329,25 @@ define(`init_get_script_process_group',`
allow $1 initrc_t:process getpgid; allow $1 initrc_t:process getpgid;
') ')
########################################
## <interface name="init_rw_script_pipe">
## <description>
## Read and write init script unnamed pipes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`init_rw_script_pipe',`
gen_require(`
type initrc_t;
class chr_file { read write };
')
allow $1 initrc_t:fifo_file { read write };
')
######################################## ########################################
# #
# init_use_script_pty(domain) # init_use_script_pty(domain)
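Review bot: The `gen_require` block of the new `init_rw_script_pipe` declares `class chr_file { read write };`, but the rule it guards is `allow $1 initrc_t:fifo_file { read write };`, so the requirement names the wrong object class and the fifo_file permissions the rule actually uses are never required. The line should read `class fifo_file { read write };`. As written, a calling module that does not otherwise require fifo_file would presumably fail to build, and in any case the dependency check is not doing its job. The description, parameter and rule are otherwise consistent with the interface name.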


@ -64,6 +64,7 @@ fs_getattr_xattr_fs(ldconfig_t)
domain_use_wide_inherit_fd(ldconfig_t) domain_use_wide_inherit_fd(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_generic_etc_files(ldconfig_t) files_read_generic_etc_files(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled: # for when /etc/ld.so.cache is mislabeled:
files_delete_generic_etc_files(ldconfig_t) files_delete_generic_etc_files(ldconfig_t)
@ -83,8 +84,6 @@ ifdef(`apache.te', `
dontaudit ldconfig_t httpd_modules_t:dir search; dontaudit ldconfig_t httpd_modules_t:dir search;
') ')
allow ldconfig_t { var_t var_lib_t }:dir search;
ifdef(`hide_broken_symptoms', ` ifdef(`hide_broken_symptoms', `
ifdef(`unconfined.te',` ifdef(`unconfined.te',`
dontaudit ldconfig_t unconfined_t:tcp_socket { read write }; dontaudit ldconfig_t unconfined_t:tcp_socket { read write };


@ -54,6 +54,20 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t) kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctl(local_login_t) kernel_read_kernel_sysctl(local_login_t)
dev_setattr_mouse(local_login_t)
dev_getattr_mouse(local_login_t)
dev_getattr_snd_dev(local_login_t)
dev_setattr_snd_dev(local_login_t)
dev_getattr_power_management(local_login_t)
dev_setattr_power_management(local_login_t)
dev_dontaudit_getattr_generic_blk_file(local_login_t)
dev_dontaudit_setattr_generic_blk_file(local_login_t)
dev_dontaudit_getattr_generic_chr_file(local_login_t)
dev_dontaudit_setattr_generic_chr_file(local_login_t)
dev_dontaudit_getattr_misc(local_login_t)
dev_dontaudit_setattr_misc(local_login_t)
dev_dontaudit_getattr_scanner(local_login_t)
dev_dontaudit_setattr_scanner(local_login_t)
# for SSP/ProPolice # for SSP/ProPolice
dev_read_urand(local_login_t) dev_read_urand(local_login_t)
@ -66,6 +80,8 @@ selinux_compute_user_contexts(local_login_t)
storage_dontaudit_getattr_fixed_disk(local_login_t) storage_dontaudit_getattr_fixed_disk(local_login_t)
storage_dontaudit_setattr_fixed_disk(local_login_t) storage_dontaudit_setattr_fixed_disk(local_login_t)
storage_dontaudit_getattr_removable_device(local_login_t)
storage_dontaudit_setattr_removable_device(local_login_t)
term_use_all_user_ttys(local_login_t) term_use_all_user_ttys(local_login_t)
term_use_unallocated_tty(local_login_t) term_use_unallocated_tty(local_login_t)
@ -171,19 +187,11 @@ ifdef(`targeted_policy',`
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t) domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
') ')
allow local_login_t mouse_device_t:chr_file { getattr setattr };
allow local_login_t sound_device_t:chr_file { getattr setattr };
allow local_login_t power_device_t:chr_file { getattr setattr };
# Do not audit denied attempts to access devices. # Do not audit denied attempts to access devices.
dontaudit local_login_t removable_device_t:blk_file { getattr setattr }; dontaudit local_login_t device_t:lnk_file { getattr setattr };
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
# Do not audit denied attempts to access /mnt. # Do not audit denied attempts to access /mnt.
dontaudit local_login_t mnt_t:dir r_dir_perms; dontaudit local_login_t mnt_t:dir r_dir_perms;
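Review bot: In the third hunk the raw `dontaudit local_login_t device_t:lnk_file { getattr setattr };` survives among otherwise interface-based rules; the same hunk replaces every other device_t, misc_device_t, removable_device_t and scanner_device_t rule with dev_* or storage_* calls, so this line is the one remaining direct reference to a device type and should carry a `# TODO: move to a dev interface once one covers device symlinks` comment so it is not mistaken for a finished conversion. Separately, the removed rules covered `removable_device_t` as both blk_file and chr_file and `misc_device_t` as both chr_file and blk_file, while the replacements `storage_dontaudit_*_removable_device` (second hunk) and `dev_dontaudit_*_misc` (first hunk) are presumably meant to cover both classes; if either covers only one, the other dontaudit is lost and those denials will reappear in the audit log. Worth confirming against the interface definitions.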


@ -65,6 +65,8 @@ dev_search_usbfs(insmod_t)
dev_write_mtrr(insmod_t) dev_write_mtrr(insmod_t)
dev_read_urand(insmod_t) dev_read_urand(insmod_t)
dev_rw_agp_dev(insmod_t) dev_rw_agp_dev(insmod_t)
dev_read_snd_dev(insmod_t)
dev_write_snd_dev(insmod_t)
fs_getattr_xattr_fs(insmod_t) fs_getattr_xattr_fs(insmod_t)
@ -105,8 +107,6 @@ ifdef(`TODO',`
allow insmod_t apm_bios_t:chr_file { read write }; allow insmod_t apm_bios_t:chr_file { read write };
allow insmod_t sound_device_t:chr_file { read ioctl write };
ifdef(`xserver.te', ` ifdef(`xserver.te', `
allow insmod_t xserver_log_t:file getattr; allow insmod_t xserver_log_t:file getattr;
') ')
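Review bot: The removed `allow insmod_t sound_device_t:chr_file { read ioctl write };` in the second hunk also granted `ioctl`, while the replacements `dev_read_snd_dev(insmod_t)` and `dev_write_snd_dev(insmod_t)` in the first hunk are named for read and write only; unless those interfaces include ioctl in their permission sets (they may, if they are built on r_file_perms / w_file_perms style macros), insmod loses ioctl on sound devices. Worth checking the interface bodies, and if ioctl is not included, either extend the interface or keep the rule in the TODO block until one exists. The `ifdef(`TODO',` block enclosing the second hunk begins outside the visible lines.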


@ -1,4 +1,11 @@
policy_module(mount,1.0)
########################################
#
# Declarations
#
type mount_t; type mount_t;
type mount_exec_t; type mount_exec_t;
init_system_domain(mount_t,mount_exec_t) init_system_domain(mount_t,mount_exec_t)


@ -102,6 +102,7 @@ init_dontaudit_write_script_pid(udev_t)
libs_use_ld_so(udev_t) libs_use_ld_so(udev_t)
libs_use_shared_libs(udev_t) libs_use_shared_libs(udev_t)
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t) logging_send_syslog_msg(udev_t)
miscfiles_read_localization(udev_t) miscfiles_read_localization(udev_t)
@ -141,7 +142,7 @@ optional_policy(`sysnetwork.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow udev_t var_log_t:dir search;
allow udev_t var_lock_t:dir search; allow udev_t var_lock_t:dir search;
allow udev_t var_lock_t:file getattr; allow udev_t var_lock_t:file getattr;