rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

aliases

Browse Source
This commit is contained in:
Chris PeBenito 2005-06-09 14:26:05 +00:00
parent 5d31560b4d
commit 80048ca5d2
6 changed files with 76 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
refpolicy/policy/modules/system/locallogin.te
View File

@ -37,18 +37,18 @@ allow local_login_t self:capability { dac_override chown fowner fsetid kill setg
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow local_login_t self:process { setrlimit setexec }; allow local_login_t self:process { setrlimit setexec };
allow local_login_t self:fd use; allow local_login_t self:fd use;
allow local_login_t self:fifo_file { read getattr lock ioctl write append }; allow local_login_t self:fifo_file rw_file_perms;
allow local_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow local_login_t self:unix_dgram_socket create_socket_perms;
allow local_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; allow local_login_t self:unix_stream_socket create_stream_socket_perms;
allow local_login_t self:unix_dgram_socket sendto; allow local_login_t self:unix_dgram_socket sendto;
allow local_login_t self:unix_stream_socket connectto; allow local_login_t self:unix_stream_socket connectto;
allow local_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; allow local_login_t self:shm create_shm_perms;
allow local_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; allow local_login_t self:sem create_sem_perms;
allow local_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive }; allow local_login_t self:msg { send receive };
allow local_login_t local_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow local_login_t local_login_tmp_t:dir create_dir_perms;
allow local_login_t local_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow local_login_t local_login_tmp_t:file create_file_perms;
files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir }) files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t) kernel_read_system_state(local_login_t)
@ -139,7 +139,7 @@ allow local_login_t var_t:lnk_file read;
dontaudit local_login_t sysfs_t:dir search; dontaudit local_login_t sysfs_t:dir search;
allow local_login_t autofs_t:dir { search read getattr }; allow local_login_t autofs_t:dir r_dir_perms;
allow local_login_t mnt_t:dir r_dir_perms; allow local_login_t mnt_t:dir r_dir_perms;
# FIXME: what is this for? # FIXME: what is this for?
@ -198,14 +198,14 @@ allow local_login_t power_device_t:chr_file { getattr setattr };
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow sulogin_t self:fd use; allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file { read getattr lock ioctl write append }; allow sulogin_t self:fifo_file rw_file_perms;
allow sulogin_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto; allow sulogin_t self:unix_dgram_socket sendto;
allow sulogin_t self:unix_stream_socket connectto; allow sulogin_t self:unix_stream_socket connectto;
allow sulogin_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; allow sulogin_t self:shm create_shm_perms;
allow sulogin_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; allow sulogin_t self:msgq createmsgq_perms;
allow sulogin_t self:msg { send receive }; allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t) kernel_read_system_state(sulogin_t)

12
refpolicy/policy/modules/system/lvm.if
View File

@ -15,10 +15,7 @@
define(`lvm_transition',` define(`lvm_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 lvm_exec_t:file { getattr read execute }; domain_auto_trans($1, lvm_exec_t, lvm_t)
allow $1 lvm_t:process transition;
type_transition $1 lvm_exec_t:process lvm_t;
dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
allow $1 lvm_t:fd use; allow $1 lvm_t:fd use;
allow lvm_t $1:fd use; allow lvm_t $1:fd use;
@ -80,14 +77,15 @@ define(`lvm_transition_add_role_use_terminal_depend',`
define(`lvm_read_config',` define(`lvm_read_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 lvm_etc_t:dir { getattr search read }; allow $1 lvm_etc_t:dir r_dir_perms;
allow $1 lvm_etc_t:file { getattr read }; allow $1 lvm_etc_t:file r_file_perms;
') ')
define(`lvm_read_config_depend',` define(`lvm_read_config_depend',`
type lvm_t, lvm_exec_t; type lvm_t, lvm_exec_t;
class file { getattr read }; class dir r_dir_perms;
class file r_file_perms;
') ')
## </module> ## </module>

28
refpolicy/policy/modules/system/lvm.te
View File

@ -39,32 +39,32 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority. # LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched; allow lvm_t self:process setsched;
allow lvm_t self:file { read getattr lock ioctl }; allow lvm_t self:file r_file_perms;
allow lvm_t self:fifo_file { ioctl read getattr lock write append }; allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t lvm_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow lvm_t lvm_tmp_t:dir create_dir_perms;
allow lvm_t lvm_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow lvm_t lvm_tmp_t:file create_file_perms;
files_create_private_tmp_data(lvm_t, lvm_tmp_t, { file dir }) files_create_private_tmp_data(lvm_t, lvm_tmp_t, { file dir })
# /lib/lvm-<version> holds the actual LVM binaries (and symlinks) # /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
allow lvm_t lvm_exec_t:dir search; allow lvm_t lvm_exec_t:dir search;
allow lvm_t lvm_exec_t:{ file lnk_file } { read getattr lock ioctl }; allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
# LVM is split into many individual binaries # LVM is split into many individual binaries
allow lvm_t lvm_exec_t:file { getattr read execute execute_no_trans }; can_exec(lvm_t, lvm_exec_t)
# Creating lock files # Creating lock files
allow lvm_t lvm_lock_t:dir { read getattr lock search ioctl add_name remove_name write }; allow lvm_t lvm_lock_t:dir ra_dir_perms;
allow lvm_t lvm_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow lvm_t lvm_lock_t:file create_file_perms;
files_create_private_lock_file(lvm_t,lvm_lock_t) files_create_private_lock_file(lvm_t,lvm_lock_t)
allow lvm_t lvm_etc_t:file { read getattr lock ioctl }; allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file { getattr read }; allow lvm_t lvm_etc_t:lnk_file r_file_perms;
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
allow lvm_t lvm_etc_t:dir { read getattr lock search ioctl add_name remove_name write }; allow lvm_t lvm_etc_t:dir rw_dir_perms;
allow lvm_t lvm_metadata_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow lvm_t lvm_metadata_t:file create_file_perms;
allow lvm_t lvm_metadata_t:dir { read getattr lock search ioctl add_name remove_name write }; allow lvm_t lvm_metadata_t:dir rw_dir_perms;
type_transition lvm_t lvm_etc_t:file lvm_metadata_t; type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
files_create_private_config(lvm_t,lvm_metadata_t,file) files_create_private_config(lvm_t,lvm_metadata_t,file)

32
refpolicy/policy/modules/system/miscfiles.if
View File

@ -51,15 +51,15 @@ define(`miscfiles_read_fonts',`
# FIXME: search usr_t dir # FIXME: search usr_t dir
# FIXME: search lib_t dir # FIXME: search lib_t dir
# cjp: fonts can be in either of the above dirs # cjp: fonts can be in either of the above dirs
allow $1 fonts_t:dir { getattr read search }; allow $1 fonts_t:dir r_dir_perms;
allow $1 fonts_t:file { getattr read }; allow $1 fonts_t:file r_file_perms;
') ')
define(`miscfiles_read_fonts_depend',` define(`miscfiles_read_fonts_depend',`
type fonts_t; type fonts_t;
class dir { getattr read search }; class dir r_dir_perms;
class file { getattr read }; class file r_file_perms;
') ')
######################################## ########################################
@ -81,9 +81,9 @@ define(`miscfiles_read_localization',`
# FIXME: $1 read etc_t:lnk_file here # FIXME: $1 read etc_t:lnk_file here
# FIXME: $1 search usr_t:dir here # FIXME: $1 search usr_t:dir here
allow $1 locale_t:dir { getattr read search }; allow $1 locale_t:dir r_dir_perms;
allow $1 locale_t:lnk_file { getattr read }; allow $1 locale_t:lnk_file r_file_perms;
allow $1 locale_t:file { getattr read }; allow $1 locale_t:file r_file_perms;
# why? # why?
libraries_read_library_resources($1) libraries_read_library_resources($1)
@ -92,9 +92,9 @@ define(`miscfiles_read_localization',`
define(`miscfiles_read_localization_depend',` define(`miscfiles_read_localization_depend',`
type locale_t; type locale_t;
class dir { getattr read search }; class dir r_dir_perms;
class lnk_file { getattr read }; class lnk_file r_file_perms;
class file { getattr read }; class file r_file_perms;
') ')
######################################## ########################################
@ -142,17 +142,17 @@ define(`miscfiles_read_man_pages',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search usr_t dir # FIXME: search usr_t dir
allow $1 man_t:dir { getattr read search }; allow $1 man_t:dir r_dir_perms;
allow $1 man_t:file { getattr read }; allow $1 man_t:file r_file_perms;
allow $1 man_t:lnk_file { getattr read }; allow $1 man_t:lnk_file r_file_perms;
') ')
define(`miscfiles_read_man_pages_depend',` define(`miscfiles_read_man_pages_depend',`
type man_t; type man_t;
class dir { getattr read search }; class dir r_dir_perms;
class file { getattr read }; class file r_file_perms;
class lnk_file { getattr read }; class lnk_file r_file_perms;
') ')
## </module> ## </module>

31
refpolicy/policy/modules/system/modutils.if
View File

@ -16,7 +16,7 @@ define(`modutils_read_kernel_module_dependencies',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
bootloader_list_kernel_modules($1) bootloader_list_kernel_modules($1)
allow $1 modules_dep_t:file { getattr read }; allow $1 modules_dep_t:file r_file_perms;
') ')
define(`modutils_read_kernel_module_dependencies_depend',` define(`modutils_read_kernel_module_dependencies_depend',`
@ -41,13 +41,13 @@ define(`modutils_read_kernel_module_dependencies_depend',`
define(`modutils_read_kernel_module_loading_config',` define(`modutils_read_kernel_module_loading_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 modules_conf_t:file { getattr read }; allow $1 modules_conf_t:file r_file_perms;
') ')
define(`modutils_read_kernel_module_loading_config_depend',` define(`modutils_read_kernel_module_loading_config_depend',`
type modules_conf_t; type modules_conf_t;
class file { getattr create read write setattr unlink }; class file r_file_perms;
') ')
######################################## ########################################
@ -65,10 +65,7 @@ define(`modutils_read_kernel_module_loading_config_depend',`
define(`modutils_insmod_transition',` define(`modutils_insmod_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 insmod_exec_t:file { getattr read execute }; domain_auto_trans($1, insmod_exec_t, insmod_t)
allow $1 insmod_t:process transition;
type_transition $1 insmod_exec_t:process insmod_t;
dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
allow $1 insmod_t:fd use; allow $1 insmod_t:fd use;
allow insmod_t $1:fd use; allow insmod_t $1:fd use;
@ -126,7 +123,7 @@ define(`modutils_insmod_transition_add_role_use_terminal_depend',`
define(`modutils_insmod_execute',` define(`modutils_insmod_execute',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 insmod_exec_t:file { getattr read execute execute_no_trans }; can_exec($1, insmod_exec_t)
') ')
define(`modutils_insmod_execute_depend',` define(`modutils_insmod_execute_depend',`
@ -149,10 +146,7 @@ define(`modutils_insmod_execute_depend',`
define(`modutils_depmod_transition',` define(`modutils_depmod_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 depmod_exec_t:file { getattr read execute }; domain_auto_trans($1, depmod_exec_t, depmod_t)
allow $1 depmod_t:process transition;
type_transition $1 depmod_exec_t:process depmod_t;
dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
allow $1 depmod_t:fd use; allow $1 depmod_t:fd use;
allow depmod_t $1:fd use; allow depmod_t $1:fd use;
@ -207,7 +201,7 @@ define(`modutils_depmod_transition_add_role_use_terminal_depend',`
define(`modutils_depmod_execute',` define(`modutils_depmod_execute',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 depmod_exec_t:file { getattr read execute execute_no_trans }; can_exec($1, depmod_exec_t)
') ')
define(`modutils_depmod_execute_depend',` define(`modutils_depmod_execute_depend',`
@ -230,10 +224,7 @@ define(`modutils_depmod_execute_depend',`
define(`modutils_update_modules_transition',` define(`modutils_update_modules_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 update_modules_exec_t:file { getattr read execute }; domain_auto_trans($1, update_modules_exec_t, update_modules_t)
allow $1 update_modules_t:process transition;
type_transition $1 update_modules_exec_t:process update_modules_t;
dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
allow $1 update_modules_t:fd use; allow $1 update_modules_t:fd use;
allow update_modules_t $1:fd use; allow update_modules_t $1:fd use;
@ -272,13 +263,13 @@ define(`modutils_update_modules_transition_add_role_use_terminal',`
modutils_update_modules_transition($1) modutils_update_modules_transition($1)
role $2 types update_modules_t; role $2 types update_modules_t;
allow update_modules_t $3:chr_file { getattr read write ioctl }; allow update_modules_t $3:chr_file rw_file_perms;
') ')
define(`modutils_update_modules_transition_add_role_use_terminal_depend',` define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
type update_modules_t; type update_modules_t;
class chr_file { getattr read write ioctl }; class chr_file rw_file_perms;
') ')
######################################## ########################################
@ -288,7 +279,7 @@ define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
define(`modutils_update_modules_execute',` define(`modutils_update_modules_execute',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans }; can_exec($1, update_modules_exec_t)
') ')
define(`modutils_update_modules_execute_depend',` define(`modutils_update_modules_execute_depend',`

33
refpolicy/policy/modules/system/modutils.te
View File

@ -41,13 +41,13 @@ files_make_temporary_file(update_modules_tmp_t)
allow insmod_t self:capability { dac_override net_raw sys_tty_config }; allow insmod_t self:capability { dac_override net_raw sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow insmod_t self:udp_socket create_socket_perms;
allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow insmod_t self:rawip_socket create_socket_perms;
# Read module config and dependency information # Read module config and dependency information
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans }; can_exec(insmod_t, insmod_exec_t)
kernel_load_module(insmod_t) kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t) kernel_read_system_state(insmod_t)
@ -121,12 +121,12 @@ allow insmod_t usbfs_t:filesystem mount;
# depmod local policy # depmod local policy
# #
allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans }; can_exec(depmod_t, depmod_exec_t)
# Read conf.modules. # Read conf.modules.
allow depmod_t modules_conf_t:file { getattr read }; allow depmod_t modules_conf_t:file r_file_perms;
allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow depmod_t modules_dep_t:file create_file_perms;
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t) bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
kernel_read_system_state(depmod_t) kernel_read_system_state(depmod_t)
@ -167,26 +167,23 @@ r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
# update-modules local policy # update-modules local policy
# #
allow update_modules_t self:fifo_file { getattr read write }; allow update_modules_t self:fifo_file rw_file_perms;
allow update_modules_t modules_dep_t:file { getattr read write }; allow update_modules_t modules_dep_t:file rw_file_perms;
allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans }; can_exec(update_modules_t, insmod_exec_t)
allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans }; can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration # manage module loading configuration
allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow update_modules_t modules_conf_t:file create_file_perms;
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t) bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
files_create_private_config(update_modules_t,modules_conf_t) files_create_private_config(update_modules_t,modules_conf_t)
# transition to depmod # transition to depmod
allow update_modules_t depmod_exec_t:file { getattr read execute }; domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
allow update_modules_t depmod_t:process transition;
type_transition update_modules_t depmod_exec_t:process depmod_t;
dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh };
allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow update_modules_t update_modules_tmp_t:file create_file_perms;
files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir }) files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
kernel_read_kernel_sysctl(update_modules_t) kernel_read_kernel_sysctl(update_modules_t)