Merge sbin_t and ls_exec_t into bin_t.
parent
ab514d6a89
commit
8021cb4f63
@ -1,3 +1,4 @@
|
||||
- Merge sbin_t and ls_exec_t into bin_t.
|
||||
- Remove disable_trans booleans.
|
||||
- Output different header sets for kernel and userland from flask headers.
|
||||
- Marked the pax class as deprecated, changed it to userland so
|
||||
|
@ -15,7 +15,7 @@ interface(`acct_domtrans',`
|
||||
type acct_t, acct_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,acct_exec_t,acct_t)
|
||||
')
|
||||
|
||||
@ -34,7 +34,7 @@ interface(`acct_exec',`
|
||||
type acct_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1,acct_exec_t)
|
||||
')
|
||||
|
||||
|
@ -44,7 +44,6 @@ fs_getattr_xattr_fs(acct_t)
|
||||
|
||||
term_dontaudit_use_console(acct_t)
|
||||
|
||||
corecmd_search_sbin(acct_t)
|
||||
corecmd_exec_bin(acct_t)
|
||||
corecmd_exec_shell(acct_t)
|
||||
|
||||
|
@ -145,7 +145,6 @@ files_getattr_all_pipes(amanda_t)
|
||||
files_getattr_all_sockets(amanda_t)
|
||||
|
||||
corecmd_exec_shell(amanda_t)
|
||||
corecmd_exec_sbin(amanda_t)
|
||||
corecmd_exec_bin(amanda_t)
|
||||
|
||||
libs_use_ld_so(amanda_t)
|
||||
|
@ -71,7 +71,6 @@ kernel_read_kernel_sysctls(apt_t)
|
||||
# to launch dpkg-preconfigure
|
||||
corecmd_exec_bin(apt_t)
|
||||
corecmd_exec_shell(apt_t)
|
||||
corecmd_exec_sbin(apt_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(apt_t)
|
||||
corenet_tcp_sendrecv_all_if(apt_t)
|
||||
|
@ -16,7 +16,7 @@ interface(`certwatch_domtrans',`
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,certwatch_exec_t,certwatch_t)
|
||||
')
|
||||
|
||||
|
@ -17,7 +17,7 @@ interface(`consoletype_domtrans',`
|
||||
type consoletype_t, consoletype_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,consoletype_exec_t,consoletype_t)
|
||||
')
|
||||
|
||||
@ -68,6 +68,6 @@ interface(`consoletype_exec',`
|
||||
type consoletype_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1,consoletype_exec_t)
|
||||
')
|
||||
|
@ -26,9 +26,8 @@ kernel_change_ring_buffer_level(ddcprobe_t)
|
||||
|
||||
files_search_kernel_modules(ddcprobe_t)
|
||||
|
||||
corecmd_list_sbin(ddcprobe_t)
|
||||
corecmd_list_bin(ddcprobe_t)
|
||||
corecmd_exec_sbin(ddcprobe_t)
|
||||
corecmd_exec_bin(ddcprobe_t)
|
||||
|
||||
dev_read_urand(ddcprobe_t)
|
||||
dev_read_raw_memory(ddcprobe_t)
|
||||
|
@ -23,7 +23,7 @@ interface(`dmesg_domtrans',`
|
||||
type dmesg_t, dmesg_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1,dmesg_exec_t,dmesg_t)
|
||||
|
||||
allow $1 dmesg_t:fd use;
|
||||
@ -54,8 +54,7 @@ interface(`dmesg_exec',`
|
||||
type dmesg_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1,dmesg_exec_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
@ -83,9 +83,7 @@ auth_manage_login_records(logrotate_t)
|
||||
|
||||
# Run helper programs.
|
||||
corecmd_exec_bin(logrotate_t)
|
||||
corecmd_exec_sbin(logrotate_t)
|
||||
corecmd_exec_shell(logrotate_t)
|
||||
corecmd_exec_ls(logrotate_t)
|
||||
|
||||
domain_signal_all_domains(logrotate_t)
|
||||
domain_use_interactive_fds(logrotate_t)
|
||||
|
@ -45,12 +45,8 @@ kernel_read_fs_sysctls(logwatch_t)
|
||||
kernel_read_kernel_sysctls(logwatch_t)
|
||||
kernel_read_system_state(logwatch_t)
|
||||
|
||||
corecmd_read_sbin_symlinks(logwatch_t)
|
||||
corecmd_read_sbin_files(logwatch_t)
|
||||
corecmd_exec_bin(logwatch_t)
|
||||
corecmd_exec_sbin(logwatch_t)
|
||||
corecmd_exec_shell(logwatch_t)
|
||||
corecmd_exec_ls(logwatch_t)
|
||||
|
||||
dev_read_urand(logwatch_t)
|
||||
dev_search_sysfs(logwatch_t)
|
||||
|
@ -61,7 +61,6 @@ kernel_read_network_state(mrtg_t)
|
||||
kernel_read_kernel_sysctls(mrtg_t)
|
||||
|
||||
corecmd_exec_bin(mrtg_t)
|
||||
corecmd_exec_sbin(mrtg_t)
|
||||
corecmd_exec_shell(mrtg_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(mrtg_t)
|
||||
|
@ -241,7 +241,6 @@ interface(`portage_fetch_domain',`
|
||||
kernel_read_kernel_sysctls($1)
|
||||
|
||||
corecmd_exec_bin($1)
|
||||
corecmd_exec_sbin($1)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1)
|
||||
corenet_tcp_sendrecv_generic_if($1)
|
||||
|
@ -88,11 +88,8 @@ kernel_read_system_state(gcc_config_t)
|
||||
kernel_read_kernel_sysctls(gcc_config_t)
|
||||
|
||||
corecmd_exec_shell(gcc_config_t)
|
||||
corecmd_exec_ls(gcc_config_t)
|
||||
corecmd_exec_bin(gcc_config_t)
|
||||
corecmd_exec_sbin(gcc_config_t)
|
||||
corecmd_manage_bin_files(gcc_config_t)
|
||||
corecmd_read_sbin_symlinks(gcc_config_t)
|
||||
|
||||
files_manage_etc_files(gcc_config_t)
|
||||
files_rw_etc_runtime_files(gcc_config_t)
|
||||
|
@ -15,7 +15,7 @@ interface(`prelink_domtrans',`
|
||||
type prelink_t, prelink_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, prelink_exec_t, prelink_t)
|
||||
')
|
||||
|
||||
|
@ -55,7 +55,6 @@ kernel_dontaudit_search_sysctl(prelink_t)
|
||||
corecmd_manage_all_executables(prelink_t)
|
||||
corecmd_relabel_all_executables(prelink_t)
|
||||
corecmd_mmap_all_executables(prelink_t)
|
||||
corecmd_read_sbin_symlinks(prelink_t)
|
||||
corecmd_read_bin_symlinks(prelink_t)
|
||||
|
||||
dev_read_urand(prelink_t)
|
||||
|
@ -208,7 +208,6 @@ template(`su_per_role_template',`
|
||||
auth_use_nsswitch($1_su_t)
|
||||
|
||||
corecmd_search_bin($1_su_t)
|
||||
corecmd_search_sbin($1_su_t)
|
||||
|
||||
domain_use_interactive_fds($1_su_t)
|
||||
|
||||
|
@ -94,7 +94,7 @@ template(`sudo_per_role_template',`
|
||||
# sudo stores a token in the pam_pid directory
|
||||
auth_manage_pam_pid($1_sudo_t)
|
||||
|
||||
corecmd_read_sbin_symlinks($1_sudo_t)
|
||||
corecmd_read_bin_symlinks($1_sudo_t)
|
||||
corecmd_getattr_all_executables($1_sudo_t)
|
||||
|
||||
domain_use_interactive_fds($1_sudo_t)
|
||||
|
@ -40,7 +40,6 @@ kernel_read_system_state(sxid_t)
|
||||
kernel_read_kernel_sysctls(sxid_t)
|
||||
|
||||
corecmd_exec_bin(sxid_t)
|
||||
corecmd_exec_sbin(sxid_t)
|
||||
corecmd_exec_shell(sxid_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(sxid_t)
|
||||
|
@ -16,6 +16,6 @@ interface(`tmpreaper_exec',`
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1,tmpreaper_exec_t)
|
||||
')
|
||||
|
@ -74,7 +74,7 @@ kernel_getattr_message_if(tripwire_t)
|
||||
kernel_read_kernel_sysctls(tripwire_t)
|
||||
|
||||
corecmd_exec_shell(tripwire_t)
|
||||
corecmd_exec_sbin(tripwire_t)
|
||||
corecmd_exec_bin(tripwire_t)
|
||||
|
||||
domain_use_interactive_fds(tripwire_t)
|
||||
|
||||
|
@ -16,6 +16,6 @@ interface(`updfstab_domtrans',`
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,updfstab_exec_t,updfstab_t)
|
||||
')
|
||||
|
@ -53,8 +53,6 @@ storage_write_scsi_generic(updfstab_t)
|
||||
term_dontaudit_use_console(updfstab_t)
|
||||
|
||||
corecmd_exec_bin(updfstab_t)
|
||||
corecmd_exec_sbin(updfstab_t)
|
||||
corecmd_exec_ls(updfstab_t)
|
||||
|
||||
domain_use_interactive_fds(updfstab_t)
|
||||
|
||||
|
@ -67,7 +67,7 @@ interface(`usermanage_domtrans_groupadd',`
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,groupadd_exec_t,groupadd_t)
|
||||
')
|
||||
|
||||
@ -226,7 +226,7 @@ interface(`usermanage_domtrans_useradd',`
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,useradd_exec_t,useradd_t)
|
||||
')
|
||||
|
||||
|
@ -101,9 +101,6 @@ dev_read_urand(chfn_t)
|
||||
auth_domtrans_chk_passwd(chfn_t)
|
||||
auth_dontaudit_read_shadow(chfn_t)
|
||||
|
||||
# can exec /sbin/unix_chkpwd
|
||||
corecmd_search_bin(chfn_t)
|
||||
corecmd_search_sbin(chfn_t)
|
||||
# allow checking if a shell is executable
|
||||
corecmd_check_exec_shell(chfn_t)
|
||||
|
||||
@ -170,7 +167,6 @@ files_read_etc_runtime_files(crack_t)
|
||||
files_read_usr_files(crack_t)
|
||||
|
||||
corecmd_exec_bin(crack_t)
|
||||
corecmd_dontaudit_search_sbin(crack_t)
|
||||
|
||||
libs_use_ld_so(crack_t)
|
||||
libs_use_shared_libs(crack_t)
|
||||
@ -233,7 +229,6 @@ libs_use_shared_libs(groupadd_t)
|
||||
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
corecmd_exec_bin(groupadd_t)
|
||||
corecmd_exec_sbin(groupadd_t)
|
||||
|
||||
logging_send_syslog_msg(groupadd_t)
|
||||
|
||||
@ -401,10 +396,7 @@ auth_manage_shadow(sysadm_passwd_t)
|
||||
auth_relabel_shadow(sysadm_passwd_t)
|
||||
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
||||
|
||||
# allow checking if a shell is executable
|
||||
corecmd_check_exec_shell(sysadm_passwd_t)
|
||||
# allow vipw to exec the editor
|
||||
corecmd_search_sbin(sysadm_passwd_t)
|
||||
corecmd_exec_bin(sysadm_passwd_t)
|
||||
corecmd_exec_shell(sysadm_passwd_t)
|
||||
files_read_usr_files(sysadm_passwd_t)
|
||||
@ -470,7 +462,6 @@ kernel_read_kernel_sysctls(useradd_t)
|
||||
corecmd_exec_shell(useradd_t)
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
corecmd_exec_bin(useradd_t)
|
||||
corecmd_exec_sbin(useradd_t)
|
||||
|
||||
domain_use_interactive_fds(useradd_t)
|
||||
|
||||
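Review bot: The chfn_t hunk `@ -101,9 +101,6 @@` removes three rows and adds none, and the rows shown make it likely that `corecmd_search_bin(chfn_t)` goes together with `corecmd_search_sbin(chfn_t)` and the `# can exec /sbin/unix_chkpwd` comment. After this commit `/sbin` itself carries bin_t (the `/sbin -d` row in the file-context hunk further down), so chfn_t still needs search on bin_t directories to reach unix_chkpwd unless auth_domtrans_chk_passwd() supplies that; if it does not, `corecmd_search_bin(chfn_t)` and its comment should stay. The sysadm_passwd_t hunk `@ -401,10 +396,7 @@` likewise drops three rows, apparently including the `# allow vipw to exec the editor` comment; that rationale belongs with `corecmd_exec_bin(sysadm_passwd_t)` if that line survives, and if it does not, vipw loses its editor. Sides are inferred from the hunk counts because this rendering dropped the +/- markers.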
|
@ -15,6 +15,6 @@ interface(`vbetool_domtrans',`
|
||||
type vbetool_t, vbetool_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,vbetool_exec_t,vbetool_t)
|
||||
')
|
||||
|
@ -76,7 +76,7 @@ template(`ethereal_per_role_template',`
|
||||
|
||||
# Re-execute itself (why?)
|
||||
can_exec($1_ethereal_t, ethereal_exec_t)
|
||||
corecmd_search_sbin($1_ethereal_t)
|
||||
corecmd_search_bin($1_ethereal_t)
|
||||
|
||||
# /home/.ethereal
|
||||
manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
|
||||
|
@ -187,7 +187,7 @@ template(`evolution_per_role_template',`
|
||||
corecmd_exec_shell($1_evolution_t)
|
||||
# Run various programs
|
||||
corecmd_exec_bin($1_evolution_t)
|
||||
corecmd_exec_sbin($1_evolution_t)
|
||||
corecmd_exec_bin($1_evolution_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_evolution_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_evolution_t)
|
||||
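Review bot: The new side of the `@ -187,7 +187,7 @@` hunk keeps `corecmd_exec_bin($1_evolution_t)` twice: the header admits exactly one removal and one addition, so the row before the removed `corecmd_exec_sbin($1_evolution_t)` and the row added after it both survive, and the only other reading leaves the sbin call in place, which the rest of the commit rules out. The duplicate should not change the compiled policy, but it reads as a leftover from a search-and-replace; keep a single `corecmd_exec_bin($1_evolution_t)` under `# Run various programs`. The `@ -101,9 +101,8 @@` thunderbird hunk later on this page has the same shape, with two removals and one addition around `corecmd_exec_shell($1_thunderbird_t)`, and ends with either that call duplicated or the `# Startup shellscript` comment orphaned — it should likewise keep one call with its comment. Sides are inferred from the hunk counts, as this rendering dropped the +/- markers.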
|
@ -90,7 +90,6 @@ template(`games_per_role_template',`
|
||||
kernel_read_system_state($1_games_t)
|
||||
|
||||
corecmd_exec_bin($1_games_t)
|
||||
corecmd_exec_sbin($1_games_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_games_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_games_t)
|
||||
|
@ -34,7 +34,6 @@ ifdef(`targeted_policy',`
|
||||
|
||||
corecmd_exec_bin(loadkeys_t)
|
||||
corecmd_exec_shell(loadkeys_t)
|
||||
corecmd_search_sbin(loadkeys_t)
|
||||
|
||||
files_read_etc_files(loadkeys_t)
|
||||
files_read_etc_runtime_files(loadkeys_t)
|
||||
|
@ -115,7 +115,6 @@ template(`mozilla_per_role_template',`
|
||||
kernel_read_system_state($1_mozilla_t)
|
||||
kernel_read_net_sysctls($1_mozilla_t)
|
||||
|
||||
corecmd_search_sbin($1_mozilla_t)
|
||||
# Look for plugins
|
||||
corecmd_list_bin($1_mozilla_t)
|
||||
# for bash - old mozilla binary
|
||||
|
@ -107,11 +107,6 @@ template(`screen_per_role_template',`
|
||||
corecmd_read_bin_symlinks($1_screen_t)
|
||||
corecmd_read_bin_pipes($1_screen_t)
|
||||
corecmd_read_bin_sockets($1_screen_t)
|
||||
corecmd_list_sbin($1_screen_t)
|
||||
corecmd_read_sbin_symlinks($1_screen_t)
|
||||
corecmd_read_sbin_files($1_screen_t)
|
||||
corecmd_read_sbin_pipes($1_screen_t)
|
||||
corecmd_read_sbin_sockets($1_screen_t)
|
||||
# Revert to the user domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_screen_t,$2)
|
||||
corecmd_bin_domtrans($1_screen_t,$2)
|
||||
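Review bot: The `@ -107,11 +107,6 @@` hunk deletes `corecmd_read_sbin_files($1_screen_t)` along with four other sbin rows and adds nothing, while its context shows `corecmd_read_bin_symlinks`, `corecmd_read_bin_pipes` and `corecmd_read_bin_sockets` for the screen domain but no `corecmd_read_bin_files($1_screen_t)`. If that call does not exist above line 107 (outside the hunk), the file-read access screen had on sbin_t is dropped rather than folded into bin_t, a behaviour change the commit message does not announce. Please confirm, or add `corecmd_read_bin_files($1_screen_t)` beside the other read_bin rows. The +/- sides are inferred from the hunk counts since the rendering lost the markers.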
|
@ -101,9 +101,8 @@ template(`thunderbird_per_role_template',`
|
||||
kernel_read_net_sysctls($1_thunderbird_t)
|
||||
kernel_read_system_state($1_thunderbird_t)
|
||||
|
||||
corecmd_exec_shell($1_thunderbird_t)
|
||||
# Startup shellscript
|
||||
corecmd_search_sbin($1_thunderbird_t)
|
||||
corecmd_exec_shell($1_thunderbird_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_thunderbird_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
|
||||
|
@ -151,7 +151,6 @@ template(`uml_per_role_template',`
|
||||
|
||||
# for xterm
|
||||
corecmd_exec_bin($1_uml_t)
|
||||
corecmd_exec_sbin($1_uml_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_uml_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_uml_t)
|
||||
|
@ -88,7 +88,6 @@ template(`userhelper_per_role_template',`
|
||||
corecmd_exec_shell($1_userhelper_t)
|
||||
# By default, revert to the calling domain when a program is executed
|
||||
corecmd_bin_domtrans($1_userhelper_t,$2)
|
||||
corecmd_sbin_domtrans($1_userhelper_t,$2)
|
||||
|
||||
# Inherit descriptors from the current session.
|
||||
domain_use_interactive_fds($1_userhelper_t)
|
||||
@ -152,7 +151,6 @@ template(`userhelper_per_role_template',`
|
||||
userdom_use_unpriv_users_fds($1_userhelper_t)
|
||||
# Allow $1_userhelper_t to transition to user domains.
|
||||
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
|
||||
userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
|
||||
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -165,7 +163,6 @@ template(`userhelper_per_role_template',`
|
||||
tunable_policy(`! secure_mode',`
|
||||
#if we are not in secure mode then we can transition to sysadm_t
|
||||
userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
|
||||
userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)
|
||||
userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
|
||||
')
|
||||
|
||||
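Review bot: The `@ -152,7 +151,6 @@` and `@ -165,7 +163,6 @@` hunks remove the calls to `userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)` and `userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)`, but nothing on this page shows those userdom interfaces being deprecated the way the `corecmd_*_sbin` interfaces are (each kept as a wrapper that calls its bin counterpart and emits a refpolicywarn). If they are deleted outright, external policy still calling them breaks at build time; if they are left untouched, they presumably still reference sbin_t and fail to build once the type is gone. The matching userdom change may simply be outside this page, but it belongs in the same commit and deserves a line in the changelog entry.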
|
@ -37,8 +37,6 @@ kernel_read_kernel_sysctls(usernetctl_t)
|
||||
|
||||
corecmd_list_bin(usernetctl_t)
|
||||
corecmd_exec_bin(usernetctl_t)
|
||||
corecmd_list_sbin(usernetctl_t)
|
||||
corecmd_exec_sbin(usernetctl_t)
|
||||
corecmd_exec_shell(usernetctl_t)
|
||||
|
||||
domain_dontaudit_read_all_domains_state(usernetctl_t)
|
||||
|
@ -15,7 +15,7 @@ interface(`yam_domtrans',`
|
||||
type yam_t, yam_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,yam_exec_t,yam_t)
|
||||
')
|
||||
|
||||
|
@ -8,7 +8,6 @@
|
||||
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
|
||||
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
@ -16,17 +15,17 @@
|
||||
#
|
||||
# /dev
|
||||
#
|
||||
/dev/MAKEDEV -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/dev/MAKEDEV -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
#
|
||||
# /emul
|
||||
#
|
||||
ifdef(`distro_redhat',`
|
||||
/emul/ia32-linux/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
|
||||
/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/emul/ia32-linux/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/emul/ia32-linux/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
|
||||
/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/emul/ia32-linux/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
@ -37,14 +36,14 @@ ifdef(`distro_redhat',`
|
||||
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/hotplug/.*agent -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/etc/hotplug/.*rc -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0)
|
||||
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:sbin_t,s0)
|
||||
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -82,7 +81,7 @@ ifdef(`targeted_policy',`
|
||||
#
|
||||
|
||||
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/udev/scsi_id -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -94,10 +93,10 @@ ifdef(`distro_gentoo',`
|
||||
#
|
||||
# /sbin
|
||||
#
|
||||
/sbin -d gen_context(system_u:object_r:sbin_t,s0)
|
||||
/sbin/.* gen_context(system_u:object_r:sbin_t,s0)
|
||||
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/sbin -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
#
|
||||
# /opt
|
||||
@ -106,7 +105,7 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/opt/(.*/)?libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
|
||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -122,8 +121,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
|
||||
/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
|
||||
/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -136,7 +135,7 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -148,9 +147,9 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -164,7 +163,7 @@ ifdef(`distro_gentoo',`
|
||||
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
@ -245,7 +244,6 @@ ifdef(`distro_suse', `
|
||||
/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
|
||||
|
||||
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
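Review bot: In the `@ -94,10 +93,10 @@` hunk `/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)` and `/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)` now assign exactly the label that the `/sbin/.*` row above them already gives, and in `@ -82,7 +81,7 @@` the relabelled `/lib/udev/scsi_id` row duplicates `/lib/udev/[^/]*`. They were already shadowed before the merge, but since this commit rewrites each of them it is the moment to either drop them or add a comment saying why a separate entry is kept (a distro override would be the usual reason). In the `@ -8,7 +8,6 @@` hunk the `/bin/ls` row is deleted rather than relabelled, which is right only if a generic `/bin` entry outside the hunk covers it with bin_t — worth confirming. Sides are inferred from the hunk counts, as this rendering dropped the +/- markers.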
|
@ -84,7 +84,7 @@ interface(`corecmd_bin_entry_type',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Make general progams in sbin an entrypoint for
|
||||
## the specified domain.
|
||||
## the specified domain. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -93,11 +93,8 @@ interface(`corecmd_bin_entry_type',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_sbin_entry_type',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
domain_entry_file($1,sbin_t)
|
||||
corecmd_bin_entry_type($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -136,6 +133,24 @@ interface(`corecmd_search_bin',`
|
||||
search_dirs_pattern($1,bin_t,bin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the contents of bin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_search_bin',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 bin_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of bin directories.
|
||||
@ -154,6 +169,24 @@ interface(`corecmd_list_bin',`
|
||||
list_dirs_pattern($1,bin_t,bin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not auidt attempts to write bin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_write_bin_dirs',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 bin_t:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of files in bin directories.
|
||||
@ -410,7 +443,7 @@ interface(`corecmd_bin_domtrans',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the contents of sbin directories.
|
||||
## Search the contents of sbin directories. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -419,17 +452,14 @@ interface(`corecmd_bin_domtrans',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_search_sbin',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
corecmd_search_bin($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search
|
||||
## sbin directories.
|
||||
## sbin directories. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -438,16 +468,13 @@ interface(`corecmd_search_sbin',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_search_sbin',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sbin_t:dir search_dir_perms;
|
||||
corecmd_dontaudit_search_bin($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of sbin directories.
|
||||
## List the contents of sbin directories. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -456,17 +483,14 @@ interface(`corecmd_dontaudit_search_sbin',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_list_sbin',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1,sbin_t,sbin_t)
|
||||
corecmd_list_bin($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write
|
||||
## sbin directories.
|
||||
## sbin directories. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -475,16 +499,13 @@ interface(`corecmd_list_sbin',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_write_sbin_dirs',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sbin_t:dir write;
|
||||
corecmd_dontaudit_write_bin_dirs($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of sbin files.
|
||||
## Get the attributes of sbin files. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -493,17 +514,14 @@ interface(`corecmd_dontaudit_write_sbin_dirs',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_getattr_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
getattr_files_pattern($1,sbin_t,sbin_t)
|
||||
corecmd_getattr_bin_files($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attibutes
|
||||
## of sbin files.
|
||||
## of sbin files. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -512,16 +530,13 @@ interface(`corecmd_getattr_sbin_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_getattr_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sbin_t:file getattr;
|
||||
corecmd_dontaudit_getattr_bin_files($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in sbin directories.
|
||||
## Read files in sbin directories. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -530,16 +545,13 @@ interface(`corecmd_dontaudit_getattr_sbin_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1,sbin_t,sbin_t)
|
||||
corecmd_read_bin_files($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in sbin directories.
|
||||
## Read symbolic links in sbin directories. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -548,16 +560,13 @@ interface(`corecmd_read_sbin_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_sbin_symlinks',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
read_lnk_files_pattern($1,sbin_t,sbin_t)
|
||||
corecmd_read_bin_symlinks($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read named pipes in sbin directories.
|
||||
## Read named pipes in sbin directories. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -566,16 +575,13 @@ interface(`corecmd_read_sbin_symlinks',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_sbin_pipes',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
read_fifo_files_pattern($1,sbin_t,sbin_t)
|
||||
corecmd_read_bin_pipes($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read named sockets in sbin directories.
|
||||
## Read named sockets in sbin directories. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -584,17 +590,14 @@ interface(`corecmd_read_sbin_pipes',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_sbin_sockets',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
read_sock_files_pattern($1,sbin_t,sbin_t)
|
||||
corecmd_read_bin_sockets($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute generic programs in sbin directories,
|
||||
## in the caller domain.
|
||||
## in the caller domain. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -603,18 +606,13 @@ interface(`corecmd_read_sbin_sockets',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_exec_sbin',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1,sbin_t,sbin_t)
|
||||
read_lnk_files_pattern($1,sbin_t,sbin_t)
|
||||
can_exec($1,sbin_t)
|
||||
corecmd_exec_bin($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete sbin files.
|
||||
## Create, read, write, and delete sbin files. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -624,16 +622,13 @@ interface(`corecmd_exec_sbin',`
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`corecmd_manage_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1,sbin_t,sbin_t)
|
||||
corecmd_manage_bin_files($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from the sbin type.
|
||||
## Relabel to and from the sbin type. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -643,16 +638,13 @@ interface(`corecmd_manage_sbin_files',`
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`corecmd_relabel_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
relabel_files_pattern($1,sbin_t,sbin_t)
|
||||
corecmd_relabel_bin_files($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mmap a sbin file as executable.
|
||||
## Mmap a sbin file as executable. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -662,18 +654,14 @@ interface(`corecmd_relabel_sbin_files',`
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`corecmd_mmap_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:file { getattr read execute };
|
||||
corecmd_mmap_bin_files($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a file in a sbin directory
|
||||
## in the specified domain.
|
||||
## in the specified domain. (Deprecated)
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -681,7 +669,7 @@ interface(`corecmd_mmap_sbin_files',`
|
||||
## in the specified domain. This allows
|
||||
## the specified domain to execute any file
|
||||
## on these filesystems in the specified
|
||||
## domain. This is not suggested.
|
||||
## domain. This is not suggested. (Deprecated)
|
||||
## </p>
|
||||
## <p>
|
||||
## No interprocess communication (signals, pipes,
|
||||
@ -705,12 +693,8 @@ interface(`corecmd_mmap_sbin_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_sbin_domtrans',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
read_lnk_files_pattern($1,sbin_t,sbin_t)
|
||||
domain_auto_transition_pattern($1,sbin_t,$2)
|
||||
corecmd_bin_domtrans($1,$2,$3)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -718,7 +702,7 @@ interface(`corecmd_sbin_domtrans',`
|
||||
## Execute a file in a sbin directory
|
||||
## in the specified domain but do not
|
||||
## do it automatically. This is an explicit
|
||||
## transition, requiring the caller to use setexeccon().
|
||||
## transition, requiring the caller to use setexeccon(). (Deprecated)
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -726,7 +710,7 @@ interface(`corecmd_sbin_domtrans',`
|
||||
## in the specified domain. This allows
|
||||
## the specified domain to execute any file
|
||||
## on these filesystems in the specified
|
||||
## domain. This is not suggested.
|
||||
## domain. This is not suggested. (Deprecated)
|
||||
## </p>
|
||||
## <p>
|
||||
## No interprocess communication (signals, pipes,
|
||||
@ -750,12 +734,8 @@ interface(`corecmd_sbin_domtrans',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_sbin_spec_domtrans',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
read_lnk_files_pattern($1,sbin_t,sbin_t)
|
||||
domain_transition_pattern($1,sbin_t,$2)
|
||||
corecmd_bin_spec_domtrans($1,$2,$3)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -800,7 +780,7 @@ interface(`corecmd_exec_shell',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ls in the caller domain.
|
||||
## Execute ls in the caller domain. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -809,13 +789,8 @@ interface(`corecmd_exec_shell',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_exec_ls',`
|
||||
gen_require(`
|
||||
type bin_t, ls_exec_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1,bin_t,bin_t)
|
||||
read_lnk_files_pattern($1,bin_t,bin_t)
|
||||
can_exec($1,ls_exec_t)
|
||||
corecmd_exec_bin($1)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -925,11 +900,11 @@ interface(`corecmd_exec_chroot',`
|
||||
interface(`corecmd_getattr_all_executables',`
|
||||
gen_require(`
|
||||
attribute exec_type;
|
||||
type bin_t, sbin_t;
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 { bin_t sbin_t }:dir list_dir_perms;
|
||||
getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
|
||||
allow $1 bin_t:dir list_dir_perms;
|
||||
getattr_files_pattern($1,bin_t,exec_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -946,12 +921,12 @@ interface(`corecmd_getattr_all_executables',`
|
||||
interface(`corecmd_exec_all_executables',`
|
||||
gen_require(`
|
||||
attribute exec_type;
|
||||
type bin_t, sbin_t;
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
can_exec($1,exec_type)
|
||||
list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
|
||||
read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
|
||||
list_dirs_pattern($1,bin_t,bin_t)
|
||||
read_lnk_files_pattern($1,bin_t,exec_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -968,11 +943,11 @@ interface(`corecmd_exec_all_executables',`
|
||||
interface(`corecmd_manage_all_executables',`
|
||||
gen_require(`
|
||||
attribute exec_type;
|
||||
type bin_t, sbin_t;
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1,{ bin_t sbin_t },exec_type)
|
||||
manage_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
|
||||
manage_files_pattern($1,bin_t,exec_type)
|
||||
manage_lnk_files_pattern($1,bin_t,bin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -989,9 +964,10 @@ interface(`corecmd_manage_all_executables',`
|
||||
interface(`corecmd_relabel_all_executables',`
|
||||
gen_require(`
|
||||
attribute exec_type;
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 exec_type:file relabel_file_perms;
|
||||
relabel_files_pattern($1,bin_t,exec_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1007,7 +983,8 @@ interface(`corecmd_relabel_all_executables',`
|
||||
interface(`corecmd_mmap_all_executables',`
|
||||
gen_require(`
|
||||
attribute exec_type;
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 exec_type:file { getattr read execute };
|
||||
mmap_files_pattern($1,bin_t,exec_type)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.5.3)
|
||||
policy_module(corecommands,1.5.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -12,23 +12,11 @@ policy_module(corecommands,1.5.3)
|
||||
attribute exec_type;
|
||||
|
||||
#
|
||||
# bin_t is the type of files in the system bin directories.
|
||||
# bin_t is the type of files in the system bin/sbin directories.
|
||||
#
|
||||
type bin_t;
|
||||
type bin_t alias { ls_exec_t sbin_t };
|
||||
corecmd_executable_file(bin_t)
|
||||
|
||||
#
|
||||
# sbin_t is the type of files in the system sbin directories.
|
||||
#
|
||||
type sbin_t;
|
||||
corecmd_executable_file(sbin_t)
|
||||
|
||||
#
|
||||
# ls_exec_t is the type of the ls program.
|
||||
#
|
||||
type ls_exec_t;
|
||||
corecmd_executable_file(ls_exec_t)
|
||||
|
||||
#
|
||||
# shell_exec_t is the type of user shells such as /bin/bash.
|
||||
#
|
||||
|
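Review bot: The new `type bin_t alias { ls_exec_t sbin_t };` line is not explained; the header comment above it only says the directory set grew to bin/sbin, while the alias is what actually keeps anything still naming sbin_t or ls_exec_t (the interfaces deprecated in corecommands.if, and presumably any file context entries) resolving. It also means every domain that previously held only bin_t permissions now holds them on former sbin_t and ls_exec_t files, so the old bin/sbin separation no longer restricts anything, which is worth stating where the type is declared. Suggested comment for the line: `# ls_exec_t and sbin_t survive only as aliases so existing policy that names them still builds; they now grant exactly what bin_t grants.`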
@ -230,7 +230,7 @@ selinux_load_policy(kernel_t)
|
||||
term_use_console(kernel_t)
|
||||
|
||||
corecmd_exec_shell(kernel_t)
|
||||
corecmd_list_sbin(kernel_t)
|
||||
corecmd_list_bin(kernel_t)
|
||||
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
||||
corecmd_exec_bin(kernel_t)
|
||||
|
||||
|
@ -15,7 +15,7 @@ interface(`aide_domtrans',`
|
||||
type aide_t, aide_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,aide_exec_t,aide_t)
|
||||
')
|
||||
|
||||
|
@ -97,7 +97,6 @@ kernel_dontaudit_read_system_state(amavis_t)
|
||||
|
||||
# find perl
|
||||
corecmd_exec_bin(amavis_t)
|
||||
corecmd_search_sbin(amavis_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(amavis_t)
|
||||
corenet_tcp_sendrecv_all_if(amavis_t)
|
||||
|
@ -392,7 +392,7 @@ interface(`apache_domtrans',`
|
||||
type httpd_t, httpd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,httpd_exec_t,httpd_t)
|
||||
')
|
||||
|
||||
@ -593,7 +593,7 @@ interface(`apache_domtrans_helper',`
|
||||
type httpd_helper_t, httpd_helper_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,httpd_helper_exec_t,httpd_helper_t)
|
||||
')
|
||||
|
||||
|
@ -238,7 +238,6 @@ auth_use_nsswitch(httpd_t)
|
||||
|
||||
# execute perl
|
||||
corecmd_exec_bin(httpd_t)
|
||||
corecmd_exec_sbin(httpd_t)
|
||||
corecmd_exec_shell(httpd_t)
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
@ -63,7 +63,7 @@ dev_read_sysfs(arpwatch_t)
|
||||
fs_getattr_all_fs(arpwatch_t)
|
||||
fs_search_auto_mountpoints(arpwatch_t)
|
||||
|
||||
corecmd_read_sbin_symlinks(arpwatch_t)
|
||||
corecmd_read_bin_symlinks(arpwatch_t)
|
||||
|
||||
domain_use_interactive_fds(arpwatch_t)
|
||||
|
||||
|
@ -80,7 +80,7 @@ kernel_read_system_state(asterisk_t)
|
||||
kernel_read_kernel_sysctls(asterisk_t)
|
||||
|
||||
corecmd_exec_bin(asterisk_t)
|
||||
corecmd_search_sbin(asterisk_t)
|
||||
corecmd_search_bin(asterisk_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(asterisk_t)
|
||||
corenet_tcp_sendrecv_generic_if(asterisk_t)
|
||||
|
@ -15,7 +15,7 @@ interface(`automount_domtrans',`
|
||||
type automount_t, automount_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, automount_exec_t, automount_t)
|
||||
')
|
||||
|
||||
@ -34,7 +34,7 @@ interface(`automount_exec_config',`
|
||||
type automount_etc_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1,automount_etc_t)
|
||||
')
|
||||
|
||||
|
@ -73,7 +73,6 @@ files_unmount_all_file_type_fs(automount_t)
|
||||
fs_mount_all_fs(automount_t)
|
||||
fs_unmount_all_fs(automount_t)
|
||||
|
||||
corecmd_exec_sbin(automount_t)
|
||||
corecmd_exec_bin(automount_t)
|
||||
corecmd_exec_shell(automount_t)
|
||||
|
||||
|
@ -117,7 +117,7 @@ dev_read_rand(named_t)
|
||||
fs_getattr_all_fs(named_t)
|
||||
fs_search_auto_mountpoints(named_t)
|
||||
|
||||
corecmd_search_sbin(named_t)
|
||||
corecmd_search_bin(named_t)
|
||||
|
||||
dev_read_urand(named_t)
|
||||
|
||||
|
@ -64,7 +64,7 @@ files_pid_filetrans(ccs_t,ccs_var_run_t, { dir file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(ccs_t)
|
||||
|
||||
corecmd_list_sbin(ccs_t)
|
||||
corecmd_list_bin(ccs_t)
|
||||
corecmd_exec_bin(ccs_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ccs_t)
|
||||
@ -97,7 +97,7 @@ miscfiles_read_localization(ccs_t)
|
||||
sysnet_dns_name_resolve(ccs_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
corecmd_dontaudit_write_sbin_dirs(ccs_t)
|
||||
corecmd_dontaudit_write_bin_dirs(ccs_t)
|
||||
files_manage_isid_type_files(ccs_t)
|
||||
')
|
||||
|
||||
|
@ -28,7 +28,6 @@ kernel_read_system_state(ciped_t)
|
||||
|
||||
corecmd_exec_shell(ciped_t)
|
||||
corecmd_exec_bin(ciped_t)
|
||||
corecmd_exec_sbin(ciped_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ciped_t)
|
||||
corenet_udp_sendrecv_generic_if(ciped_t)
|
||||
|
@ -50,7 +50,7 @@ allow courier_authdaemon_t courier_tcpd_t:fd use;
|
||||
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
|
||||
|
||||
corecmd_search_sbin(courier_authdaemon_t)
|
||||
corecmd_search_bin(courier_authdaemon_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(courier_authdaemon_t)
|
||||
@ -116,7 +116,7 @@ manage_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
|
||||
manage_lnk_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
|
||||
files_search_var_lib(courier_tcpd_t)
|
||||
|
||||
corecmd_search_sbin(courier_tcpd_t)
|
||||
corecmd_search_bin(courier_tcpd_t)
|
||||
|
||||
corenet_tcp_bind_all_nodes(courier_tcpd_t)
|
||||
corenet_tcp_bind_pop_port(courier_tcpd_t)
|
||||
|
@ -214,7 +214,6 @@ template(`cron_per_role_template',`
|
||||
|
||||
# Run helper programs as the user domain
|
||||
corecmd_bin_domtrans($1_crontab_t,$2)
|
||||
corecmd_sbin_domtrans($1_crontab_t,$2)
|
||||
corecmd_shell_domtrans($1_crontab_t,$2)
|
||||
|
||||
domain_use_interactive_fds($1_crontab_t)
|
||||
|
@ -117,8 +117,8 @@ fs_search_auto_mountpoints(crond_t)
|
||||
auth_domtrans_chk_passwd(crond_t)
|
||||
|
||||
corecmd_exec_shell(crond_t)
|
||||
corecmd_list_sbin(crond_t)
|
||||
corecmd_read_sbin_symlinks(crond_t)
|
||||
corecmd_list_bin(crond_t)
|
||||
corecmd_read_bin_symlinks(crond_t)
|
||||
|
||||
domain_use_interactive_fds(crond_t)
|
||||
|
||||
|
@ -182,7 +182,6 @@ auth_dontaudit_read_pam_pid(cupsd_t)
|
||||
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
|
||||
corecmd_exec_shell(cupsd_t)
|
||||
corecmd_exec_bin(cupsd_t)
|
||||
corecmd_exec_sbin(cupsd_t)
|
||||
|
||||
domain_use_interactive_fds(cupsd_t)
|
||||
|
||||
@ -357,7 +356,6 @@ fs_getattr_all_fs(cupsd_config_t)
|
||||
fs_search_auto_mountpoints(cupsd_config_t)
|
||||
|
||||
corecmd_exec_bin(cupsd_config_t)
|
||||
corecmd_exec_sbin(cupsd_config_t)
|
||||
corecmd_exec_shell(cupsd_config_t)
|
||||
|
||||
domain_use_interactive_fds(cupsd_config_t)
|
||||
@ -596,7 +594,6 @@ fs_search_auto_mountpoints(hplip_t)
|
||||
|
||||
# for python
|
||||
corecmd_exec_bin(hplip_t)
|
||||
corecmd_search_sbin(hplip_t)
|
||||
|
||||
domain_use_interactive_fds(hplip_t)
|
||||
|
||||
|
@ -62,7 +62,6 @@ fs_getattr_xattr_fs(cvs_t)
|
||||
auth_domtrans_chk_passwd(cvs_t)
|
||||
|
||||
corecmd_exec_bin(cvs_t)
|
||||
corecmd_exec_sbin(cvs_t)
|
||||
corecmd_exec_shell(cvs_t)
|
||||
|
||||
files_read_etc_files(cvs_t)
|
||||
|
@ -108,11 +108,6 @@ template(`dbus_per_role_template',`
|
||||
corecmd_read_bin_files($1_dbusd_t)
|
||||
corecmd_read_bin_pipes($1_dbusd_t)
|
||||
corecmd_read_bin_sockets($1_dbusd_t)
|
||||
corecmd_list_sbin($1_dbusd_t)
|
||||
corecmd_read_sbin_symlinks($1_dbusd_t)
|
||||
corecmd_read_sbin_files($1_dbusd_t)
|
||||
corecmd_read_sbin_pipes($1_dbusd_t)
|
||||
corecmd_read_sbin_sockets($1_dbusd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_dbusd_t)
|
||||
corenet_tcp_sendrecv_all_if($1_dbusd_t)
|
||||
|
@ -76,16 +76,9 @@ auth_use_nsswitch(system_dbusd_t)
|
||||
auth_read_pam_console_data(system_dbusd_t)
|
||||
|
||||
corecmd_list_bin(system_dbusd_t)
|
||||
corecmd_read_bin_symlinks(system_dbusd_t)
|
||||
corecmd_read_bin_files(system_dbusd_t)
|
||||
corecmd_read_bin_pipes(system_dbusd_t)
|
||||
corecmd_read_bin_sockets(system_dbusd_t)
|
||||
corecmd_list_sbin(system_dbusd_t)
|
||||
corecmd_read_sbin_symlinks(system_dbusd_t)
|
||||
corecmd_read_sbin_files(system_dbusd_t)
|
||||
corecmd_read_sbin_pipes(system_dbusd_t)
|
||||
corecmd_read_sbin_sockets(system_dbusd_t)
|
||||
corecmd_exec_sbin(system_dbusd_t)
|
||||
corecmd_exec_bin(system_dbusd_t)
|
||||
|
||||
domain_use_interactive_fds(system_dbusd_t)
|
||||
|
||||
|
@ -15,7 +15,7 @@ interface(`dcc_domtrans_cdcc',`
|
||||
type cdcc_t, cdcc_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,cdcc_exec_t,cdcc_t)
|
||||
')
|
||||
|
||||
@ -66,7 +66,7 @@ interface(`dcc_domtrans_client',`
|
||||
type dcc_client_t, dcc_client_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,dcc_client_exec_t,dcc_client_t)
|
||||
')
|
||||
|
||||
@ -117,7 +117,7 @@ interface(`dcc_domtrans_dbclean',`
|
||||
type dcc_dbclean_t, dcc_dbclean_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,dcc_dbclean_exec_t,dcc_dbclean_t)
|
||||
')
|
||||
|
||||
|
@ -15,6 +15,6 @@ interface(`ddclient_domtrans',`
|
||||
type ddclient_t, ddclient_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, ddclient_exec_t, ddclient_t)
|
||||
')
|
||||
|
@ -79,7 +79,6 @@ fs_getattr_all_fs(dhcpd_t)
|
||||
fs_search_auto_mountpoints(dhcpd_t)
|
||||
|
||||
corecmd_exec_bin(dhcpd_t)
|
||||
corecmd_exec_sbin(dhcpd_t)
|
||||
|
||||
domain_use_interactive_fds(dhcpd_t)
|
||||
|
||||
|
@ -61,7 +61,7 @@ fs_getattr_all_fs(distccd_t)
|
||||
fs_search_auto_mountpoints(distccd_t)
|
||||
|
||||
corecmd_exec_bin(distccd_t)
|
||||
corecmd_read_sbin_symlinks(distccd_t)
|
||||
corecmd_read_bin_symlinks(distccd_t)
|
||||
|
||||
domain_use_interactive_fds(distccd_t)
|
||||
|
||||
|
@ -38,7 +38,6 @@ files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(fail2ban_t)
|
||||
|
||||
corecmd_search_sbin(fail2ban_t)
|
||||
corecmd_exec_bin(fail2ban_t)
|
||||
corecmd_exec_shell(fail2ban_t)
|
||||
|
||||
|
@ -68,7 +68,6 @@ term_getattr_all_user_ptys(fingerd_t)
|
||||
auth_read_lastlog(fingerd_t)
|
||||
|
||||
corecmd_exec_bin(fingerd_t)
|
||||
corecmd_exec_sbin(fingerd_t)
|
||||
corecmd_exec_shell(fingerd_t)
|
||||
|
||||
domain_use_interactive_fds(fingerd_t)
|
||||
|
@ -85,7 +85,7 @@ interface(`ftp_check_exec',`
|
||||
type ftpd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
allow $1 ftpd_exec_t:file x_file_perms;
|
||||
')
|
||||
|
||||
|
@ -86,10 +86,6 @@ dev_read_sysfs(ftpd_t)
|
||||
dev_read_urand(ftpd_t)
|
||||
|
||||
corecmd_exec_bin(ftpd_t)
|
||||
corecmd_exec_sbin(ftpd_t)
|
||||
# Execute /bin/ls (can comment this out for proftpd)
|
||||
# also may need rules to allow tar etc...
|
||||
corecmd_exec_ls(ftpd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ftpd_t)
|
||||
corenet_tcp_sendrecv_all_if(ftpd_t)
|
||||
|
@ -51,7 +51,7 @@ files_pid_filetrans(gatekeeper_t,gatekeeper_var_run_t,file)
|
||||
kernel_read_system_state(gatekeeper_t)
|
||||
kernel_read_kernel_sysctls(gatekeeper_t)
|
||||
|
||||
corecmd_list_sbin(gatekeeper_t)
|
||||
corecmd_list_bin(gatekeeper_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(gatekeeper_t)
|
||||
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
|
||||
|
@ -55,7 +55,6 @@ dev_read_sysfs(i18n_input_t)
|
||||
fs_getattr_all_fs(i18n_input_t)
|
||||
fs_search_auto_mountpoints(i18n_input_t)
|
||||
|
||||
corecmd_search_sbin(i18n_input_t)
|
||||
corecmd_search_bin(i18n_input_t)
|
||||
corecmd_exec_bin(i18n_input_t)
|
||||
|
||||
|
@ -164,7 +164,7 @@ interface(`inetd_domtrans_child',`
|
||||
type inetd_child_t, inetd_child_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,inetd_child_exec_t,inetd_child_t)
|
||||
')
|
||||
|
||||
|
@ -118,7 +118,7 @@ selinux_compute_create_context(inetd_t)
|
||||
|
||||
# Run other daemons in the inetd_child_t domain.
|
||||
corecmd_search_bin(inetd_t)
|
||||
corecmd_read_sbin_symlinks(inetd_t)
|
||||
corecmd_read_bin_symlinks(inetd_t)
|
||||
|
||||
domain_use_interactive_fds(inetd_t)
|
||||
|
||||
|
@ -84,8 +84,6 @@ fs_search_auto_mountpoints(innd_t)
|
||||
|
||||
corecmd_exec_bin(innd_t)
|
||||
corecmd_exec_shell(innd_t)
|
||||
corecmd_search_sbin(innd_t)
|
||||
corecmd_read_sbin_symlinks(innd_t)
|
||||
|
||||
domain_use_interactive_fds(innd_t)
|
||||
|
||||
|
@ -48,7 +48,7 @@ files_pid_filetrans(ircd_t,ircd_var_run_t,file)
|
||||
kernel_read_system_state(ircd_t)
|
||||
kernel_read_kernel_sysctls(ircd_t)
|
||||
|
||||
corecmd_search_sbin(ircd_t)
|
||||
corecmd_search_bin(ircd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ircd_t)
|
||||
corenet_tcp_sendrecv_generic_if(ircd_t)
|
||||
|
@ -183,7 +183,6 @@ kernel_read_proc_symlinks(krb5kdc_t)
|
||||
kernel_read_network_state(krb5kdc_t)
|
||||
kernel_search_network_sysctl(krb5kdc_t)
|
||||
|
||||
corecmd_exec_sbin(krb5kdc_t)
|
||||
corecmd_exec_bin(krb5kdc_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(krb5kdc_t)
|
||||
|
@ -80,7 +80,6 @@ dev_append_printer(checkpc_t)
|
||||
# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
|
||||
corecmd_exec_shell(checkpc_t)
|
||||
corecmd_exec_bin(checkpc_t)
|
||||
corecmd_search_sbin(checkpc_t)
|
||||
|
||||
domain_use_interactive_fds(checkpc_t)
|
||||
|
||||
@ -170,7 +169,6 @@ fs_search_auto_mountpoints(lpd_t)
|
||||
|
||||
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
|
||||
corecmd_exec_bin(lpd_t)
|
||||
corecmd_exec_sbin(lpd_t)
|
||||
corecmd_exec_shell(lpd_t)
|
||||
|
||||
domain_use_interactive_fds(lpd_t)
|
||||
|
@ -81,7 +81,6 @@ template(`mta_base_mail_template',`
|
||||
corenet_sendrecv_smtp_client_packets($1_mail_t)
|
||||
|
||||
corecmd_exec_bin($1_mail_t)
|
||||
corecmd_search_sbin($1_mail_t)
|
||||
|
||||
files_read_etc_files($1_mail_t)
|
||||
files_search_spool($1_mail_t)
|
||||
@ -497,7 +496,7 @@ interface(`mta_sendmail_domtrans',`
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_read_sbin_symlinks($1)
|
||||
corecmd_read_bin_symlinks($1)
|
||||
domain_auto_trans($1,sendmail_exec_t,$2)
|
||||
')
|
||||
|
||||
|
@ -195,7 +195,6 @@ kernel_read_kernel_sysctls(nrpe_t)
|
||||
|
||||
corecmd_exec_bin(nrpe_t)
|
||||
corecmd_exec_shell(nrpe_t)
|
||||
corecmd_exec_ls(nrpe_t)
|
||||
|
||||
dev_read_sysfs(nrpe_t)
|
||||
dev_read_urand(nrpe_t)
|
||||
|
@ -71,8 +71,6 @@ selinux_dontaudit_search_fs(NetworkManager_t)
|
||||
|
||||
corecmd_exec_shell(NetworkManager_t)
|
||||
corecmd_exec_bin(NetworkManager_t)
|
||||
corecmd_exec_sbin(NetworkManager_t)
|
||||
corecmd_exec_ls(NetworkManager_t)
|
||||
|
||||
domain_use_interactive_fds(NetworkManager_t)
|
||||
domain_read_confined_domains_state(NetworkManager_t)
|
||||
|
@ -241,6 +241,5 @@ interface(`nis_domtrans_ypxfr',`
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
corecmd_search_sbin($1)
|
||||
domtrans_pattern($1,ypxfr_exec_t,ypxfr_t)
|
||||
')
|
||||
|
@ -180,7 +180,6 @@ auth_etc_filetrans_shadow(yppasswdd_t)
|
||||
|
||||
corecmd_exec_bin(yppasswdd_t)
|
||||
corecmd_exec_shell(yppasswdd_t)
|
||||
corecmd_search_sbin(yppasswdd_t)
|
||||
|
||||
domain_use_interactive_fds(yppasswdd_t)
|
||||
|
||||
|
@ -33,7 +33,7 @@ interface(`nscd_domtrans',`
|
||||
type nscd_t, nscd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,nscd_exec_t,nscd_t)
|
||||
')
|
||||
|
||||
|
@ -146,7 +146,6 @@ can_exec(nsd_crond_t,nsd_exec_t)
|
||||
kernel_read_system_state(nsd_crond_t)
|
||||
|
||||
corecmd_exec_bin(nsd_crond_t)
|
||||
corecmd_exec_sbin(nsd_crond_t)
|
||||
corecmd_exec_shell(nsd_crond_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(nsd_crond_t)
|
||||
|
@ -31,7 +31,7 @@ interface(`ntp_domtrans',`
|
||||
type ntpd_t, ntpd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,ntpd_exec_t,ntpd_t)
|
||||
')
|
||||
|
||||
@ -50,6 +50,6 @@ interface(`ntp_domtrans_ntpdate',`
|
||||
type ntpd_t, ntpdate_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
|
||||
')
|
||||
|
@ -85,8 +85,6 @@ fs_search_auto_mountpoints(ntpd_t)
|
||||
auth_use_nsswitch(ntpd_t)
|
||||
|
||||
corecmd_exec_bin(ntpd_t)
|
||||
corecmd_exec_sbin(ntpd_t)
|
||||
corecmd_exec_ls(ntpd_t)
|
||||
corecmd_exec_shell(ntpd_t)
|
||||
|
||||
domain_use_interactive_fds(ntpd_t)
|
||||
|
@ -15,7 +15,7 @@ interface(`oav_domtrans_update',`
|
||||
type oav_update_t, oav_update_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,oav_update_exec_t,oav_update_t)
|
||||
')
|
||||
|
||||
|
@ -38,7 +38,6 @@ files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_system_state(oddjob_t)
|
||||
|
||||
corecmd_exec_sbin(oddjob_t)
|
||||
corecmd_exec_bin(oddjob_t)
|
||||
corecmd_exec_shell(oddjob_t)
|
||||
|
||||
|
@ -51,7 +51,6 @@ kernel_read_network_state(openvpn_t)
|
||||
kernel_read_system_state(openvpn_t)
|
||||
|
||||
corecmd_exec_bin(openvpn_t)
|
||||
corecmd_exec_sbin(openvpn_t)
|
||||
corecmd_exec_shell(openvpn_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(openvpn_t)
|
||||
|
@ -84,7 +84,6 @@ corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
|
||||
corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
|
||||
corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
|
||||
|
||||
corecmd_exec_sbin(pegasus_t)
|
||||
corecmd_exec_bin(pegasus_t)
|
||||
corecmd_exec_shell(pegasus_t)
|
||||
|
||||
|
@ -69,10 +69,6 @@ template(`postfix_domain_template',`
|
||||
|
||||
term_dontaudit_use_console(postfix_$1_t)
|
||||
|
||||
corecmd_list_bin(postfix_$1_t)
|
||||
corecmd_list_sbin(postfix_$1_t)
|
||||
corecmd_read_bin_symlinks(postfix_$1_t)
|
||||
corecmd_read_sbin_symlinks(postfix_$1_t)
|
||||
corecmd_exec_shell(postfix_$1_t)
|
||||
|
||||
files_read_etc_files(postfix_$1_t)
|
||||
|
@ -151,8 +151,6 @@ corenet_sendrecv_all_client_packets(postfix_master_t)
|
||||
# for a find command
|
||||
selinux_dontaudit_search_fs(postfix_master_t)
|
||||
|
||||
corecmd_exec_ls(postfix_master_t)
|
||||
corecmd_exec_sbin(postfix_master_t)
|
||||
corecmd_exec_shell(postfix_master_t)
|
||||
corecmd_exec_bin(postfix_master_t)
|
||||
|
||||
@ -326,11 +324,6 @@ corecmd_read_bin_symlinks(postfix_map_t)
|
||||
corecmd_read_bin_files(postfix_map_t)
|
||||
corecmd_read_bin_pipes(postfix_map_t)
|
||||
corecmd_read_bin_sockets(postfix_map_t)
|
||||
corecmd_list_sbin(postfix_map_t)
|
||||
corecmd_read_sbin_symlinks(postfix_map_t)
|
||||
corecmd_read_sbin_files(postfix_map_t)
|
||||
corecmd_read_sbin_pipes(postfix_map_t)
|
||||
corecmd_read_sbin_sockets(postfix_map_t)
|
||||
|
||||
files_list_home(postfix_map_t)
|
||||
files_read_usr_files(postfix_map_t)
|
||||
|
@ -104,8 +104,6 @@ fs_search_auto_mountpoints(postgresql_t)
|
||||
term_use_controlling_term(postgresql_t)
|
||||
|
||||
corecmd_exec_bin(postgresql_t)
|
||||
corecmd_exec_ls(postgresql_t)
|
||||
corecmd_exec_sbin(postgresql_t)
|
||||
corecmd_exec_shell(postgresql_t)
|
||||
|
||||
domain_dontaudit_list_all_domains_state(postgresql_t)
|
||||
|
@ -45,7 +45,6 @@ kernel_read_kernel_sysctls(postgrey_t)
|
||||
|
||||
# for perl
|
||||
corecmd_search_bin(postgrey_t)
|
||||
corecmd_search_sbin(postgrey_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(postgrey_t)
|
||||
corenet_tcp_sendrecv_generic_if(postgrey_t)
|
||||
|
@ -89,7 +89,7 @@ interface(`ppp_domtrans',`
|
||||
type pppd_t, pppd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, pppd_exec_t, pppd_t)
|
||||
')
|
||||
|
||||
@ -153,7 +153,7 @@ interface(`ppp_exec',`
|
||||
type pppd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, pppd_exec_t)
|
||||
')
|
||||
|
||||
|
@ -133,7 +133,6 @@ term_create_pty(pppd_t,pppd_devpts_t)
|
||||
|
||||
# allow running ip-up and ip-down scripts and running chat.
|
||||
corecmd_exec_bin(pppd_t)
|
||||
corecmd_exec_sbin(pppd_t)
|
||||
corecmd_exec_shell(pppd_t)
|
||||
|
||||
domain_use_interactive_fds(pppd_t)
|
||||
|
@ -55,8 +55,6 @@ auth_use_nsswitch(procmail_t)
|
||||
|
||||
corecmd_exec_bin(procmail_t)
|
||||
corecmd_exec_shell(procmail_t)
|
||||
corecmd_dontaudit_search_sbin(procmail_t)
|
||||
corecmd_exec_ls(procmail_t)
|
||||
|
||||
files_read_etc_files(procmail_t)
|
||||
files_read_etc_runtime_files(procmail_t)
|
||||
|
@ -113,7 +113,7 @@ interface(`qmail_domtrans_inject',`
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
',`
|
||||
files_search_var($1)
|
||||
corecmd_search_bin($1)
|
||||
@ -140,7 +140,7 @@ interface(`qmail_domtrans_queue',`
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
files_search_usr($1)
|
||||
corecmd_search_sbin($1)
|
||||
corecmd_search_bin($1)
|
||||
',`
|
||||
files_search_var($1)
|
||||
corecmd_search_bin($1)
|
||||
|
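Review bot: After the rename both arms of `ifdef(`distro_debian',…)` in qmail_domtrans_inject call `corecmd_search_bin($1)` and differ only in `files_search_usr($1)` versus `files_search_var($1)`, so the corecmd call could be hoisted above the ifdef and only the files_search_* call left conditional; the qmail_domtrans_queue hunk that follows has the same shape and the same opportunity. The closing of the ifdef and the rest of both interface bodies lie outside the hunks.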
@ -80,7 +80,6 @@ allow qmail_inject_t self:process signal_perms;
|
||||
allow qmail_inject_t qmail_queue_exec_t:file read;
|
||||
|
||||
corecmd_search_bin(qmail_inject_t)
|
||||
corecmd_search_sbin(qmail_inject_t)
|
||||
|
||||
files_search_var(qmail_inject_t)
|
||||
|
||||
@ -109,7 +108,6 @@ allow qmail_local_t qmail_spool_t:file read_file_perms;
|
||||
kernel_read_system_state(qmail_local_t)
|
||||
|
||||
corecmd_exec_shell(qmail_local_t)
|
||||
corecmd_search_sbin(qmail_local_t)
|
||||
|
||||
files_read_etc_files(qmail_local_t)
|
||||
files_read_etc_runtime_files(qmail_local_t)
|
||||
@ -135,7 +133,7 @@ allow qmail_lspawn_t qmail_local_exec_t:file read;
|
||||
|
||||
read_files_pattern(qmail_lspawn_t,qmail_spool_t,qmail_spool_t)
|
||||
|
||||
corecmd_search_sbin(qmail_lspawn_t)
|
||||
corecmd_search_bin(qmail_lspawn_t)
|
||||
|
||||
files_read_etc_files(qmail_lspawn_t)
|
||||
files_search_pids(qmail_lspawn_t)
|
||||
@ -202,7 +200,6 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read;
|
||||
rw_files_pattern(qmail_rspawn_t,qmail_spool_t,qmail_spool_t)
|
||||
|
||||
corecmd_search_bin(qmail_rspawn_t)
|
||||
corecmd_search_sbin(qmail_rspawn_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -276,7 +273,6 @@ allow qmail_start_t self:process signal_perms;
|
||||
can_exec(qmail_start_t, qmail_start_exec_t)
|
||||
|
||||
corecmd_search_bin(qmail_start_t)
|
||||
corecmd_search_sbin(qmail_start_t)
|
||||
|
||||
files_search_var(qmail_start_t)
|
||||
|
||||
@ -298,7 +294,7 @@ optional_policy(`
|
||||
|
||||
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
|
||||
|
||||
corecmd_search_sbin(qmail_tcp_env_t)
|
||||
corecmd_search_bin(qmail_tcp_env_t)
|
||||
|
||||
sysnet_read_config(qmail_tcp_env_t)
|
||||
|
||||
|
@ -84,7 +84,6 @@ auth_domtrans_chk_passwd(radiusd_t)
|
||||
|
||||
corecmd_exec_bin(radiusd_t)
|
||||
corecmd_exec_shell(radiusd_t)
|
||||
corecmd_search_sbin(radiusd_t)
|
||||
|
||||
domain_use_interactive_fds(radiusd_t)
|
||||
|
||||
|
@ -57,16 +57,11 @@ auth_manage_pam_console_data(remote_login_t)
|
||||
auth_domtrans_pam_console(remote_login_t)
|
||||
|
||||
corecmd_list_bin(remote_login_t)
|
||||
corecmd_list_sbin(remote_login_t)
|
||||
corecmd_read_bin_symlinks(remote_login_t)
|
||||
corecmd_read_sbin_symlinks(remote_login_t)
|
||||
# cjp: these are probably not needed:
|
||||
corecmd_read_bin_files(remote_login_t)
|
||||
corecmd_read_bin_pipes(remote_login_t)
|
||||
corecmd_read_bin_sockets(remote_login_t)
|
||||
corecmd_read_sbin_files(remote_login_t)
|
||||
corecmd_read_sbin_pipes(remote_login_t)
|
||||
corecmd_read_sbin_sockets(remote_login_t)
|
||||
|
||||
domain_read_all_entry_files(remote_login_t)
|
||||
|
||||
|
@ -42,7 +42,6 @@ kernel_read_kernel_sysctls(rhgb_t)
|
||||
kernel_read_system_state(rhgb_t)
|
||||
|
||||
corecmd_exec_bin(rhgb_t)
|
||||
corecmd_exec_sbin(rhgb_t)
|
||||
corecmd_exec_shell(rhgb_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(rhgb_t)
|
||||
|