more work to clean up and complete current modules
This commit is contained in:
parent
2ba9a794db
commit
7a2f20a315
@ -103,6 +103,7 @@ dev_setattr_all_blk_files(bootloader_t)
|
||||
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
|
||||
dev_read_rand(bootloader_t)
|
||||
dev_read_urand(bootloader_t)
|
||||
dev_getattr_sysfs_dir(bootloader_t)
|
||||
# for reading BIOS data
|
||||
dev_read_raw_memory(bootloader_t)
|
||||
|
||||
@ -113,6 +114,7 @@ term_getattr_all_user_ttys(bootloader_t)
|
||||
init_getattr_initctl(bootloader_t)
|
||||
init_use_script_pty(bootloader_t)
|
||||
init_use_script_fd(bootloader_t)
|
||||
init_rw_script_pipe(bootloader_t)
|
||||
|
||||
domain_use_wide_inherit_fd(bootloader_t)
|
||||
|
||||
@ -183,10 +185,6 @@ optional_policy(`modutils.te',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow bootloader_t initrc_t:fifo_file { read write };
|
||||
|
||||
allow bootloader_t sysfs_t:dir getattr;
|
||||
|
||||
allow bootloader_t var_t:dir search;
|
||||
allow bootloader_t var_t:file { getattr read };
|
||||
|
||||
|
@ -19,7 +19,12 @@
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_userland_entry',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class process sigchld;
|
||||
class fifo_file rw_file_perms;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
domain_auto_trans(kernel_t, $2, $1)
|
||||
|
||||
@ -29,15 +34,6 @@ define(`kernel_userland_entry',`
|
||||
allow $1 kernel_t:process sigchld;
|
||||
')
|
||||
|
||||
define(`kernel_userland_entry_depend',`
|
||||
type kernel_t;
|
||||
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class file { getattr read execute };
|
||||
class fifo_file rw_file_perms;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_rootfs_mountpoint">
|
||||
## <description>
|
||||
@ -61,6 +57,25 @@ define(`kernel_rootfs_mountpoint_depend',`
|
||||
class dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_sigchld">
|
||||
## <description>
|
||||
## Send a SIGCHLD signal to kernel threads.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process sending the signal.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_sigchld',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
allow kernel_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_share_state">
|
||||
## <description>
|
||||
@ -73,15 +88,12 @@ define(`kernel_rootfs_mountpoint_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_share_state',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow kernel_t $1:process share;
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class process share;
|
||||
')
|
||||
|
||||
define(`kernel_share_state_depend',`
|
||||
type kernel_t;
|
||||
|
||||
class process share;
|
||||
allow kernel_t $1:process share;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
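Review bot: `kernel_sigchld` grants the signal in the opposite direction from what its description and its one caller expect: `allow kernel_t $1:process sigchld;` lets kernel threads signal the caller, while the description says the caller sends SIGCHLD to kernel threads, and hotplug.te in this commit replaces `allow hotplug_t kernel_t:process sigchld;` with `kernel_sigchld(hotplug_t)`. The rule should read `allow $1 kernel_t:process sigchld;`, which is also the direction `kernel_userland_entry` already uses earlier in this section. As written, hotplug_t silently loses the permission it had before this commit and kernel_t gains one nobody asked for.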
@ -227,6 +227,48 @@ define(`storage_raw_write_lvm_volume',`
|
||||
typeattribute $1 fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_scsi_generic">
|
||||
## <description>
|
||||
## Allow the caller to get the attributes of
|
||||
## the generic SCSI interface device nodes.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_getattr_scsi_generic',`
|
||||
gen_require(`
|
||||
type scsi_generic_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 scsi_generic_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_scsi_generic">
|
||||
## <description>
|
||||
## Allow the caller to set the attributes of
|
||||
## the generic SCSI interface device nodes.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_setattr_scsi_generic',`
|
||||
gen_require(`
|
||||
type scsi_generic_device_t;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 scsi_generic_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_read_scsi_generic">
|
||||
## <description>
|
||||
@ -383,6 +425,26 @@ define(`storage_setattr_removable_device',`
|
||||
allow $1 removable_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_dontaudit_setattr_removable_device">
|
||||
## <description>
|
||||
## Do not audit attempts made by the caller to set
|
||||
## the attributes of removable devices device nodes.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_dontaudit_setattr_removable_device',`
|
||||
gen_require(`
|
||||
type removable_device_t;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 removable_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_read_removable_device">
|
||||
## <description>
|
||||
|
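Review bot: `storage_getattr_scsi_generic` and `storage_setattr_scsi_generic` require and grant `blk_file`, but the rule they replace in pam_console.te granted `scsi_generic_device_t:chr_file { getattr setattr }`, so pam_console_t loses the chr_file access it had and gains blk_file access it did not previously need. If scsi_generic_device_t labels character device nodes, as the removed rule suggests, both interfaces should use `class chr_file getattr;` and `allow $1 scsi_generic_device_t:chr_file getattr;` (with `setattr` in the second). The removed pam_console.te block also listed removable_device_t under chr_file while `storage_setattr_removable_device` shown in this section grants blk_file; which class that type actually uses is worth confirming before relying on the interface.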
@ -1,21 +1,6 @@
|
||||
## <module name="authlogin" layer="system">
|
||||
## <summary>Common policy for authentication and user login.</summary>
|
||||
|
||||
|
||||
########################################
|
||||
## <interface name="authlogin_per_userdomain_template">
|
||||
## <description>
|
||||
##
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="userdomain_prefix">
|
||||
##
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
|
||||
#######################################
|
||||
#
|
||||
# Per user domain template for this module
|
||||
@ -110,29 +95,19 @@ define(`authlogin_per_userdomain_template_depend',`
|
||||
########################################
|
||||
## <interface name="auth_login_entry_type">
|
||||
## <description>
|
||||
##
|
||||
## Use the login program as an entry point program.
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## The type of process using the login program as entry point.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_login_entry_type(domain)
|
||||
#
|
||||
define(`auth_login_entry_type',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
domain_entry_file($1,login_exec_t)
|
||||
gen_require(`
|
||||
type login_exec_t;
|
||||
')
|
||||
|
||||
define(`auth_login_entry_type_depend',`
|
||||
type login_exec_t;
|
||||
domain_entry_file($1,login_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -149,13 +124,15 @@ define(`auth_login_entry_type_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`auth_domtrans_login_program',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type login_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
# FIXME: search bin_t
|
||||
allow $1 login_exec_t:file rx_file_perms;
|
||||
allow $1 $2:process transition;
|
||||
type_transition $1 login_exec_t:process $2;
|
||||
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1,login_exec_t,$2)
|
||||
|
||||
allow $1 $2:fd use;
|
||||
allow $2 $1:fd use;
|
||||
@ -163,35 +140,26 @@ define(`auth_domtrans_login_program',`
|
||||
allow $2 $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`auth_domtrans_login_program_depend',`
|
||||
type login_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
########################################
|
||||
## <interface name="auth_domtrans_chk_passwd">
|
||||
## <description>
|
||||
## Run unix_chkpwd to check a password.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`auth_domtrans_chk_passwd',`
|
||||
gen_require(`
|
||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
class process sigchld;
|
||||
class udp_socket create_socket_perms;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_domtrans_chk_passwd">
|
||||
## <description>
|
||||
##
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_domtrans_chk_passwd(domain)
|
||||
#
|
||||
define(`auth_domtrans_chk_passwd',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
|
||||
|
||||
allow $1 system_chkpwd_t:fd use;
|
||||
@ -200,7 +168,6 @@ define(`auth_domtrans_chk_passwd',`
|
||||
allow system_chkpwd_t $1:process sigchld;
|
||||
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
#allow $1_t sbin_t:dir search;
|
||||
#can_ypbind($1_t)
|
||||
#can_kerberos($1_t)
|
||||
#can_ldap($1_t)
|
||||
@ -217,145 +184,99 @@ define(`auth_domtrans_chk_passwd',`
|
||||
')
|
||||
')
|
||||
|
||||
define(`auth_domtrans_chk_passwd_depend',`
|
||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition sigchld };
|
||||
class udp_socket create_socket_perms;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_dontaudit_getattr_shadow">
|
||||
## <description>
|
||||
##
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_dontaudit_getattr_shadow(domain)
|
||||
#
|
||||
define(`auth_dontaudit_getattr_shadow',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
dontaudit $1 shadow_t:file getattr;
|
||||
gen_require(`
|
||||
type shadow_t;
|
||||
class file stat_file_perms;
|
||||
')
|
||||
|
||||
define(`auth_dontaudit_getattr_shadow_depend',`
|
||||
type shadow_t;
|
||||
|
||||
class file stat_file_perms;
|
||||
dontaudit $1 shadow_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_read_shadow">
|
||||
## <description>
|
||||
##
|
||||
## Read the shadow passwords file (/etc/shadow)
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_read_shadow(domain)
|
||||
#
|
||||
define(`auth_read_shadow',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute can_read_shadow_passwords;
|
||||
type shadow_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_list_etc($1)
|
||||
allow $1 shadow_t:file r_file_perms;
|
||||
typeattribute $1 can_read_shadow_passwords;
|
||||
')
|
||||
|
||||
define(`auth_read_shadow_depend',`
|
||||
attribute can_read_shadow_passwords;
|
||||
|
||||
type shadow_t;
|
||||
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_dontaudit_read_shadow">
|
||||
## <description>
|
||||
##
|
||||
## Do not audit attempts to read the shadow
|
||||
## password file (/etc/shadow).
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## The type of the domain to not audit.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_dontaudit_read_shadow(domain)
|
||||
#
|
||||
define(`auth_dontaudit_read_shadow',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
gen_require(`
|
||||
type shadow_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
define(`auth_dontaudit_read_shadow_depend',`
|
||||
type shadow_t;
|
||||
|
||||
class file r_file_perms;
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_rw_shadow">
|
||||
## <description>
|
||||
##
|
||||
## Read and write the shadow password file (/etc/shadow).
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_rw_shadow(domain)
|
||||
#
|
||||
define(`auth_rw_shadow',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
type shadow_t;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
files_list_etc($1)
|
||||
allow $1 shadow_t:file rw_file_perms;
|
||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
')
|
||||
|
||||
define(`auth_rw_shadow_depend',`
|
||||
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
|
||||
type shadow_t;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_manage_shadow(domain)
|
||||
#
|
||||
define(`auth_manage_shadow',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
type shadow_t;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 shadow_t:file create_file_perms;
|
||||
files_create_etc_config($1,shadow_t,file)
|
||||
@ -363,49 +284,34 @@ define(`auth_manage_shadow',`
|
||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
')
|
||||
|
||||
define(`auth_manage_shadow_depend',`
|
||||
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
|
||||
type shadow_t;
|
||||
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_relabelto_shadow(domain)
|
||||
#
|
||||
define(`auth_relabelto_shadow',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
type shadow_t;
|
||||
class file relabelto;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 shadow_t:file relabelto;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
||||
define(`auth_relabelto_shadow_depend',`
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
|
||||
type shadow_t;
|
||||
|
||||
class file relabelto;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_rw_faillog(domain)
|
||||
#
|
||||
define(`auth_rw_faillog',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 faillog_t:file rw_file_perms;
|
||||
logging_search_logs($1)
|
||||
gen_require(`
|
||||
type faillog_t;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`auth_rw_faillog_depend',`
|
||||
type faillog_t;
|
||||
|
||||
class file rw_file_perms;
|
||||
logging_search_logs($1)
|
||||
allow $1 faillog_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -413,18 +319,15 @@ define(`auth_rw_faillog_depend',`
|
||||
# auth_rw_lastlog(domain)
|
||||
#
|
||||
define(`auth_rw_lastlog',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type lastlog_t;
|
||||
class file { getattr read write setattr };
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 lastlog_t:file { getattr read write setattr };
|
||||
')
|
||||
|
||||
define(`auth_rw_lastlog_depend',`
|
||||
type lastlog_t;
|
||||
|
||||
class file { getattr read write setattr };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_domtrans_pam">
|
||||
## <description>
|
||||
@ -436,7 +339,12 @@ define(`auth_rw_lastlog_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`auth_domtrans_pam',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type pam_t, pam_exec_t;
|
||||
class process sigchld;
|
||||
class fd
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,pam_exec_t,pam_t)
|
||||
|
||||
@ -446,15 +354,6 @@ define(`auth_domtrans_pam',`
|
||||
allow pam_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`auth_domtrans_pam_depend',`
|
||||
type pam_t, pam_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_run_pam">
|
||||
## <description>
|
||||
@ -472,46 +371,32 @@ define(`auth_domtrans_pam_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`auth_run_pam',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type pam_t;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
auth_domtrans_pam($1)
|
||||
role $2 types pam_t;
|
||||
allow pam_t $3:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`auth_run_pam_depend',`
|
||||
type pam_t;
|
||||
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_exec_pam">
|
||||
## <description>
|
||||
##
|
||||
## Execute the pam program.
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_exec_pam(domain)
|
||||
#
|
||||
define(`auth_exec_pam',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,pam_exec_t)
|
||||
gen_require(`
|
||||
type pam_exec_t;
|
||||
')
|
||||
|
||||
define(`auth_exec_pam_depend',`
|
||||
type pam_exec_t;
|
||||
|
||||
class file { getattr read execute execute_no_trans };
|
||||
can_exec($1,pam_exec_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -519,7 +404,11 @@ define(`auth_exec_pam_depend',`
|
||||
# auth_read_pam_pid(domain)
|
||||
#
|
||||
define(`auth_read_pam_pid',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type pam_var_run_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_pids($1)
|
||||
@ -527,32 +416,22 @@ define(`auth_read_pam_pid',`
|
||||
allow $1 pam_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`auth_read_pam_pid_depend',`
|
||||
type pam_var_run_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_delete_pam_pid">
|
||||
## <description>
|
||||
##
|
||||
## Delete pam PID files.
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_delete_pam_pid(domain)
|
||||
#
|
||||
define(`auth_delete_pam_pid',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type pam_var_run_t;
|
||||
class dir { getattr search read write remove_name };
|
||||
class file { getattr unlink };
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_pids($1)
|
||||
@ -560,19 +439,17 @@ define(`auth_delete_pam_pid',`
|
||||
allow $1 pam_var_run_t:file { getattr unlink };
|
||||
')
|
||||
|
||||
define(`auth_delete_pam_pid_depend',`
|
||||
type pam_var_run_t;
|
||||
|
||||
class dir { getattr search read write remove_name };
|
||||
class file { getattr unlink };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_domtrans_pam_console(domain)
|
||||
#
|
||||
define(`auth_domtrans_pam_console',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type pam_console_t, pam_console_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,pam_console_exec_t,pam_console_t)
|
||||
|
||||
@ -582,52 +459,31 @@ define(`auth_domtrans_pam_console',`
|
||||
allow pam_console_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`auth_domtrans_pam_console_depend',`
|
||||
type pam_console_t, pam_console_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_list_pam_console_data">
|
||||
## <description>
|
||||
##
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_list_pam_console_data(domain)
|
||||
#
|
||||
define(`auth_list_pam_console_data',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type pam_var_console_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_pids($1)
|
||||
allow $1 pam_var_console_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
define(`auth_list_pam_console_data_depend',`
|
||||
type pam_var_console_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_read_pam_console_data(domain)
|
||||
#
|
||||
define(`auth_read_pam_console_data',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type pam_var_console_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_pids($1)
|
||||
@ -635,19 +491,17 @@ define(`auth_read_pam_console_data',`
|
||||
allow $1 pam_var_console_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`auth_read_pam_console_data_depend',`
|
||||
type pam_var_console_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_manage_pam_console_data(domain)
|
||||
#
|
||||
define(`auth_manage_pam_console_data',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type pam_var_console_t;
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_pids($1)
|
||||
@ -656,14 +510,6 @@ define(`auth_manage_pam_console_data',`
|
||||
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
define(`auth_manage_pam_console_data_depend',`
|
||||
type pam_var_console_t;
|
||||
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_relabel_all_files_except_shadow">
|
||||
## <description>
|
||||
@ -681,13 +527,11 @@ define(`auth_manage_pam_console_data_depend',`
|
||||
#
|
||||
|
||||
define(`auth_relabel_all_files_except_shadow',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
files_relabel_all_files($1,$2 -shadow_t)
|
||||
gen_require(`
|
||||
type shadow_t;
|
||||
')
|
||||
|
||||
define(`auth_relabel_all_files_except_shadow_depend',`
|
||||
type shadow_t;
|
||||
files_relabel_all_files($1,$2 -shadow_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -707,13 +551,11 @@ define(`auth_relabel_all_files_except_shadow_depend',`
|
||||
#
|
||||
|
||||
define(`auth_manage_all_files_except_shadow',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
files_manage_all_files($1,$2 -shadow_t)
|
||||
gen_require(`
|
||||
type shadow_t;
|
||||
')
|
||||
|
||||
define(`auth_manage_all_files_except_shadow_depend',`
|
||||
type shadow_t;
|
||||
files_manage_all_files($1,$2 -shadow_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -727,7 +569,12 @@ define(`auth_manage_all_files_except_shadow_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`auth_domtrans_utempter',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type utempter_t, utempter_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,utempter_exec_t,utempter_t)
|
||||
|
||||
@ -737,15 +584,6 @@ define(`auth_domtrans_utempter',`
|
||||
allow utempter_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`auth_domtrans_utempter_depend',`
|
||||
type utempter_t, utempter_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_run_utempter">
|
||||
## <description>
|
||||
@ -763,73 +601,41 @@ define(`auth_domtrans_utempter_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`auth_run_utempter',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type utempter_t;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
auth_domtrans_utempter($1)
|
||||
role $2 types utempter_t;
|
||||
allow utempter_t $3:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`auth_run_utempter_depend',`
|
||||
type utempter_t;
|
||||
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_read_login_records">
|
||||
## <description>
|
||||
##
|
||||
## </description>
|
||||
## <securitydesc>
|
||||
## ...
|
||||
## </securitydesc>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_read_login_records(domain)
|
||||
#
|
||||
define(`auth_read_login_records',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type wtmp_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 wtmp_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`auth_read_login_records_depend',`
|
||||
type wtmp_t;
|
||||
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_dontaudit_write_login_records">
|
||||
## <description>
|
||||
##
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
##
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
#######################################
|
||||
#
|
||||
# auth_dontaudit_write_login_records(domain)
|
||||
#
|
||||
define(`auth_dontaudit_write_login_records',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
dontaudit $1 wtmp_t:file write;
|
||||
gen_require(`
|
||||
type wtmp_t;
|
||||
class file write;
|
||||
')
|
||||
|
||||
define(`auth_read_login_records_depend',`
|
||||
type wtmp_t;
|
||||
|
||||
class file write;
|
||||
dontaudit $1 wtmp_t:file write;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
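Review bot: the new `gen_require` block in `auth_domtrans_pam` declares `class fd` with no permission and no terminating semicolon, so the following `class fifo_file rw_file_perms;` is read as part of the same statement and the interface will not build; it should be `class fd use;` as in `auth_domtrans_login_program`, `auth_domtrans_chk_passwd`, `auth_domtrans_pam_console` and `auth_domtrans_utempter` in this same file. The removed `_depend` macro carried the same typo, so the rewrite copied it rather than fixing it. Separately, the new `gen_require` for `auth_domtrans_chk_passwd` declares no `file` class although the body keeps `dontaudit $1 shadow_t:file { getattr read };`; if the build validates required classes, `class file { getattr read };` is missing there (that interface's body continues past its hunk).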
@ -141,12 +141,27 @@ kernel_read_system_state(pam_console_t)
|
||||
kernel_use_fd(pam_console_t)
|
||||
|
||||
dev_read_sysfs(pam_console_t)
|
||||
dev_getattr_framebuffer(pam_console_t)
|
||||
dev_setattr_framebuffer(pam_console_t)
|
||||
dev_getattr_misc(pam_console_t)
|
||||
dev_setattr_misc(pam_console_t)
|
||||
dev_getattr_mouse(pam_console_t)
|
||||
dev_setattr_mouse(pam_console_t)
|
||||
dev_getattr_power_management(pam_console_t)
|
||||
dev_setattr_power_management(pam_console_t)
|
||||
dev_getattr_scanner(pam_console_t)
|
||||
dev_setattr_scanner(pam_console_t)
|
||||
dev_getattr_snd_dev(pam_console_t)
|
||||
dev_setattr_snd_dev(pam_console_t)
|
||||
dev_getattr_video_dev(pam_console_t)
|
||||
dev_setattr_video_dev(pam_console_t)
|
||||
|
||||
# Allow to set attributes on /dev entries
|
||||
storage_getattr_fixed_disk(pam_console_t)
|
||||
storage_setattr_fixed_disk(pam_console_t)
|
||||
storage_getattr_removable_device(pam_console_t)
|
||||
storage_setattr_removable_device(pam_console_t)
|
||||
storage_getattr_scsi_generic(pam_console_t)
|
||||
storage_setattr_scsi_generic(pam_console_t)
|
||||
|
||||
term_use_console(pam_console_t)
|
||||
term_getattr_unallocated_ttys(pam_console_t)
|
||||
@ -201,18 +216,7 @@ optional_policy(`rhgb.te', `
|
||||
')
|
||||
allow pam_console_t autofs_t:dir { search getattr };
|
||||
|
||||
allow pam_console_t {
|
||||
framebuf_device_t
|
||||
v4l_device_t
|
||||
apm_bios_t
|
||||
sound_device_t
|
||||
misc_device_t
|
||||
scanner_device_t
|
||||
mouse_device_t
|
||||
power_device_t
|
||||
removable_device_t
|
||||
scsi_generic_device_t
|
||||
}:chr_file { getattr setattr };
|
||||
allow pam_console_t apm_bios_t:chr_file { getattr setattr };
|
||||
|
||||
ifdef(`gpm.te', `
|
||||
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
|
||||
|
@ -940,6 +940,25 @@ define(`files_dontaudit_search_var_depend',`
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_search_var_lib">
|
||||
## <description>
|
||||
## Search the /var/lib directory.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`files_search_var_lib',`
|
||||
gen_require(`
|
||||
type var_t, var_lib_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 { var_t var_lib_t }:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_manage_urandom_seed(domain)
|
||||
|
@ -43,6 +43,8 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
|
||||
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
|
||||
files_create_pid(hotplug_t,hotplug_var_run_t)
|
||||
|
||||
|
||||
kernel_sigchld(hotplug_t)
|
||||
kernel_read_system_state(hotplug_t)
|
||||
kernel_read_kernel_sysctl(hotplug_t)
|
||||
kernel_read_net_sysctl(hotplug_t)
|
||||
@ -58,6 +60,7 @@ corenet_tcp_bind_all_nodes(hotplug_t)
|
||||
|
||||
dev_read_sysfs(hotplug_t)
|
||||
dev_read_usbfs(hotplug_t)
|
||||
dev_setattr_snd_dev(hotplug_t)
|
||||
# for SSP:
|
||||
dev_read_urand(hotplug_t)
|
||||
|
||||
@ -167,14 +170,9 @@ optional_policy(`rhgb.te', `
|
||||
|
||||
allow kernel_t hotplug_etc_t:dir search;
|
||||
|
||||
allow hotplug_t sound_device_t:chr_file setattr;
|
||||
|
||||
can_ypbind(hotplug_t)
|
||||
dbusd_client(system, hotplug)
|
||||
|
||||
allow hotplug_t kernel_t:process sigchld;
|
||||
|
||||
|
||||
# for ps
|
||||
dontaudit hotplug_t domain:dir { getattr search };
|
||||
dontaudit hotplug_t { init_t kernel_t }:file read;
|
||||
|
@ -329,6 +329,25 @@ define(`init_get_script_process_group',`
|
||||
allow $1 initrc_t:process getpgid;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="init_rw_script_pipe">
|
||||
## <description>
|
||||
## Read and write init script unnamed pipes.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`init_rw_script_pipe',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
allow $1 initrc_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_use_script_pty(domain)
|
||||
|
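Review bot: The gen_require block of the new init_rw_script_pipe interface declares `class chr_file { read write };` while the rule it guards is `allow $1 initrc_t:fifo_file { read write };`, so the requirement does not match the object class actually used. The require line should read `class fifo_file { read write };`, matching what kernel_userland_entry already requires for its own fifo_file rule. As written, the interface would still build where chr_file is declared globally, but the mismatch hides the real dependency from anyone reading the interface.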
@ -64,6 +64,7 @@ fs_getattr_xattr_fs(ldconfig_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ldconfig_t)
|
||||
|
||||
files_search_var_lib(ldconfig_t)
|
||||
files_read_generic_etc_files(ldconfig_t)
|
||||
# for when /etc/ld.so.cache is mislabeled:
|
||||
files_delete_generic_etc_files(ldconfig_t)
|
||||
@ -83,8 +84,6 @@ ifdef(`apache.te', `
|
||||
dontaudit ldconfig_t httpd_modules_t:dir search;
|
||||
')
|
||||
|
||||
allow ldconfig_t { var_t var_lib_t }:dir search;
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`unconfined.te',`
|
||||
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
|
||||
|
@ -54,6 +54,20 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
|
||||
kernel_read_system_state(local_login_t)
|
||||
kernel_read_kernel_sysctl(local_login_t)
|
||||
|
||||
dev_setattr_mouse(local_login_t)
|
||||
dev_getattr_mouse(local_login_t)
|
||||
dev_getattr_snd_dev(local_login_t)
|
||||
dev_setattr_snd_dev(local_login_t)
|
||||
dev_getattr_power_management(local_login_t)
|
||||
dev_setattr_power_management(local_login_t)
|
||||
dev_dontaudit_getattr_generic_blk_file(local_login_t)
|
||||
dev_dontaudit_setattr_generic_blk_file(local_login_t)
|
||||
dev_dontaudit_getattr_generic_chr_file(local_login_t)
|
||||
dev_dontaudit_setattr_generic_chr_file(local_login_t)
|
||||
dev_dontaudit_getattr_misc(local_login_t)
|
||||
dev_dontaudit_setattr_misc(local_login_t)
|
||||
dev_dontaudit_getattr_scanner(local_login_t)
|
||||
dev_dontaudit_setattr_scanner(local_login_t)
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(local_login_t)
|
||||
|
||||
@ -66,6 +80,8 @@ selinux_compute_user_contexts(local_login_t)
|
||||
|
||||
storage_dontaudit_getattr_fixed_disk(local_login_t)
|
||||
storage_dontaudit_setattr_fixed_disk(local_login_t)
|
||||
storage_dontaudit_getattr_removable_device(local_login_t)
|
||||
storage_dontaudit_setattr_removable_device(local_login_t)
|
||||
|
||||
term_use_all_user_ttys(local_login_t)
|
||||
term_use_unallocated_tty(local_login_t)
|
||||
@ -171,19 +187,11 @@ ifdef(`targeted_policy',`
|
||||
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
allow local_login_t mouse_device_t:chr_file { getattr setattr };
|
||||
allow local_login_t sound_device_t:chr_file { getattr setattr };
|
||||
allow local_login_t power_device_t:chr_file { getattr setattr };
|
||||
|
||||
# Do not audit denied attempts to access devices.
|
||||
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
|
||||
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
|
||||
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
|
||||
dontaudit local_login_t device_t:lnk_file { getattr setattr };
|
||||
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
|
||||
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
|
||||
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
|
||||
dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
|
||||
dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
|
||||
|
||||
# Do not audit denied attempts to access /mnt.
|
||||
dontaudit local_login_t mnt_t:dir r_dir_perms;
|
||||
|
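Review bot: Several of the dontaudit rules being replaced in the last hunk of local_login appear to have no counterpart among the added dev_dontaudit_* calls: `device_t:lnk_file`, `framebuf_device_t:chr_file { getattr setattr read }`, `v4l_device_t:chr_file { getattr setattr read }` and `apm_bios_t:chr_file`. The added interfaces cover generic blk_file/chr_file, misc and scanner devices only, so if those lines are among the removed ones the framebuffer, v4l and apm denials will now be audited. Since the side of each line is not marked on this page I cannot confirm which of them survived; please check the kept lines, and if they were dropped intentionally, a short comment on the new side such as `# framebuf/v4l/apm dontaudits intentionally dropped` would make that clear.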
@ -65,6 +65,8 @@ dev_search_usbfs(insmod_t)
|
||||
dev_write_mtrr(insmod_t)
|
||||
dev_read_urand(insmod_t)
|
||||
dev_rw_agp_dev(insmod_t)
|
||||
dev_read_snd_dev(insmod_t)
|
||||
dev_write_snd_dev(insmod_t)
|
||||
|
||||
fs_getattr_xattr_fs(insmod_t)
|
||||
|
||||
@ -105,8 +107,6 @@ ifdef(`TODO',`
|
||||
|
||||
allow insmod_t apm_bios_t:chr_file { read write };
|
||||
|
||||
allow insmod_t sound_device_t:chr_file { read ioctl write };
|
||||
|
||||
ifdef(`xserver.te', `
|
||||
allow insmod_t xserver_log_t:file getattr;
|
||||
')
|
||||
|
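Review bot: The added `dev_rw_agp_dev(insmod_t)` has no corresponding rule among the lines removed from the TODO block; the TODO entry that stays is `allow insmod_t apm_bios_t:chr_file { read write };`, which is APM BIOS, not AGP. Please confirm that read/write on the AGP device is really what insmod needs and that this is not an apm/agp transposition, since it grants a new device-write permission without a visible justification. Separately, the replaced sound rule granted `{ read ioctl write }`; if dev_read_snd_dev/dev_write_snd_dev do not include ioctl, a brief `# ioctl on sound devices dropped` comment would record that the narrowing is intentional.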
@ -1,4 +1,11 @@
|
||||
|
||||
policy_module(mount,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type mount_t;
|
||||
type mount_exec_t;
|
||||
init_system_domain(mount_t,mount_exec_t)
|
||||
|
@ -102,6 +102,7 @@ init_dontaudit_write_script_pid(udev_t)
|
||||
libs_use_ld_so(udev_t)
|
||||
libs_use_shared_libs(udev_t)
|
||||
|
||||
logging_search_logs(udev_t)
|
||||
logging_send_syslog_msg(udev_t)
|
||||
|
||||
miscfiles_read_localization(udev_t)
|
||||
@ -141,7 +142,7 @@ optional_policy(`sysnetwork.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow udev_t var_log_t:dir search;
|
||||
|
||||
allow udev_t var_lock_t:dir search;
|
||||
allow udev_t var_lock_t:file getattr;
|
||||
|
||||
|