trunk: more open perm fixes.
This commit is contained in:
Chris PeBenito
parent
6e68e6bb5e
commit
82d2775c92
@ -228,5 +228,5 @@ interface(`dpkg_lock_db',`
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 dpkg_var_lib_t:dir list_dir_perms;
|
||||
allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
|
||||
allow $1 dpkg_lock_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
@ -111,7 +111,7 @@ interface(`portage_compile_domain',`
|
||||
|
||||
# write compile logs
|
||||
allow $1 portage_log_t:dir setattr;
|
||||
allow $1 portage_log_t:file { append write setattr };
|
||||
allow $1 portage_log_t:file { write_file_perms setattr };
|
||||
|
||||
# run scripts out of the build directory
|
||||
can_exec(portage_sandbox_t, portage_tmp_t)
|
||||
|
||||
@ -85,7 +85,7 @@ interface(`prelink_read_cache',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 prelink_cache_t:file { getattr read };
|
||||
allow $1 prelink_cache_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -166,9 +166,7 @@ template(`evolution_per_role_template',`
|
||||
userdom_search_user_home_dirs($1, $1_evolution_t)
|
||||
|
||||
# Allow the user domain to signal/ps.
|
||||
allow $2 $1_evolution_t:dir { search getattr read };
|
||||
allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_evolution_t:process getattr;
|
||||
ps_process_pattern($2, $1_evolution_t)
|
||||
|
||||
domain_dontaudit_read_all_domains_state($1_evolution_t)
|
||||
|
||||
|
||||
@ -79,7 +79,7 @@ template(`uml_per_role_template',`
|
||||
allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
|
||||
|
||||
# allow the UML thing to happen
|
||||
allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
|
||||
allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
term_create_pty($1_uml_t,$1_uml_devpts_t)
|
||||
|
||||
manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)
|
||||
|
||||
@ -180,7 +180,7 @@ interface(`vmware_read_system_config',`
|
||||
type vmware_sys_conf_t;
|
||||
')
|
||||
|
||||
allow $1 vmware_sys_conf_t:file { getattr read };
|
||||
allow $1 vmware_sys_conf_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -360,8 +360,7 @@ interface(`corecmd_mmap_bin_files',`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
allow $1 bin_t:file { getattr read execute };
|
||||
mmap_files_pattern($1, bin_t, bin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1555,7 +1555,7 @@ interface(`corenet_rw_tun_tap_dev',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tun_tap_device_t:chr_file { getattr read write ioctl lock append };
|
||||
allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1574,7 +1574,7 @@ interface(`corenet_rw_ppp_dev',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 ppp_device_t:chr_file rw_file_perms;
|
||||
allow $1 ppp_device_t:chr_file rw_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1119,7 +1119,7 @@ interface(`files_mounton_all_mountpoints',`
|
||||
attribute mountpoint;
|
||||
')
|
||||
|
||||
allow $1 mountpoint:dir { getattr search mounton };
|
||||
allow $1 mountpoint:dir { search_dir_perms mounton };
|
||||
allow $1 mountpoint:file { getattr mounton };
|
||||
')
|
||||
|
||||
@ -1552,7 +1552,7 @@ interface(`files_create_kernel_img',`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:file { getattr read write create };
|
||||
allow $1 boot_t:file { create_file_perms rw_file_perms };
|
||||
manage_lnk_files_pattern($1, boot_t, boot_t)
|
||||
')
|
||||
|
||||
@ -1682,7 +1682,7 @@ interface(`files_mounton_default',`
|
||||
type default_t;
|
||||
')
|
||||
|
||||
allow $1 default_t:dir { getattr search mounton };
|
||||
allow $1 default_t:dir { search_dir_perms mounton };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -3723,7 +3723,7 @@ interface(`files_create_kernel_symbol_table',`
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
|
||||
allow $1 system_map_t:file { rw_file_perms create };
|
||||
allow $1 system_map_t:file { create_file_perms rw_file_perms };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -4742,7 +4742,7 @@ interface(`files_polyinstantiate_all',`
|
||||
allow $1 self:capability { chown fsetid sys_admin };
|
||||
|
||||
# Need to give access to the directories to be polyinstantiated
|
||||
allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
|
||||
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
|
||||
|
||||
# Need to give access to the polyinstantiated subdirectories
|
||||
allow $1 polymember:dir search_dir_perms;
|
||||
@ -4754,8 +4754,8 @@ interface(`files_polyinstantiate_all',`
|
||||
# Need to give permission to create directories where applicable
|
||||
allow $1 self:process setfscreate;
|
||||
allow $1 polymember: dir { create setattr relabelto };
|
||||
allow $1 polydir: dir { write add_name };
|
||||
allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
|
||||
allow $1 polydir: dir { write add_name open };
|
||||
allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
|
||||
|
||||
# Default type for mountpoints
|
||||
allow $1 poly_t:dir { create mounton };
|
||||
|
||||
@ -1936,7 +1936,6 @@ interface(`fs_read_rpc_sockets',`
|
||||
')
|
||||
|
||||
allow $1 rpc_pipefs_t:sock_file { read write };
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2706,7 +2705,7 @@ interface(`fs_rw_rpc_named_pipes',`
|
||||
type rpc_pipefs_t;
|
||||
')
|
||||
|
||||
allow $1 rpc_pipefs_t:fifo_file { read write };
|
||||
allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -2147,7 +2147,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:dir { getattr search read relabelfrom };
|
||||
allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -165,7 +165,7 @@ interface(`selinux_dontaudit_read_fs',`
|
||||
')
|
||||
|
||||
dontaudit $1 security_t:dir search_dir_perms;
|
||||
dontaudit $1 security_t:file { getattr read };
|
||||
dontaudit $1 security_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -186,7 +186,7 @@ interface(`selinux_get_enforce_mode',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read };
|
||||
allow $1 security_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -219,7 +219,7 @@ interface(`selinux_set_enforce_mode',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
typeattribute $1 can_setenforce;
|
||||
|
||||
if(!secure_mode_policyload) {
|
||||
@ -250,7 +250,7 @@ interface(`selinux_load_policy',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
typeattribute $1 can_load_policy;
|
||||
|
||||
if(!secure_mode_policyload) {
|
||||
@ -292,7 +292,7 @@ interface(`selinux_set_boolean',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
|
||||
if(!secure_mode_policyload) {
|
||||
allow $1 security_t:security setbool;
|
||||
@ -333,7 +333,7 @@ interface(`selinux_set_parameters',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
allow $1 security_t:security setsecparam;
|
||||
auditallow $1 security_t:security setsecparam;
|
||||
typeattribute $1 can_setsecparam;
|
||||
@ -356,7 +356,7 @@ interface(`selinux_validate_context',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
allow $1 security_t:security check_context;
|
||||
')
|
||||
|
||||
@ -377,7 +377,7 @@ interface(`selinux_dontaudit_validate_context',`
|
||||
')
|
||||
|
||||
dontaudit $1 security_t:dir list_dir_perms;
|
||||
dontaudit $1 security_t:file { getattr read write };
|
||||
dontaudit $1 security_t:file rw_file_perms;
|
||||
dontaudit $1 security_t:security check_context;
|
||||
')
|
||||
|
||||
@ -398,7 +398,7 @@ interface(`selinux_compute_access_vector',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
allow $1 security_t:security compute_av;
|
||||
')
|
||||
|
||||
@ -419,7 +419,7 @@ interface(`selinux_compute_create_context',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
allow $1 security_t:security compute_create;
|
||||
')
|
||||
|
||||
@ -440,7 +440,7 @@ interface(`selinux_compute_member',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
allow $1 security_t:security compute_member;
|
||||
')
|
||||
|
||||
@ -469,7 +469,7 @@ interface(`selinux_compute_relabel_context',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
allow $1 security_t:security compute_relabel;
|
||||
')
|
||||
|
||||
@ -489,7 +489,7 @@ interface(`selinux_compute_user_contexts',`
|
||||
')
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
allow $1 security_t:security compute_user;
|
||||
')
|
||||
|
||||
|
||||
@ -173,7 +173,7 @@ interface(`term_use_all_terms',`
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devpts_t:dir list_dir_perms;
|
||||
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
|
||||
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -932,7 +932,7 @@ interface(`term_append_unallocated_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { getattr append };
|
||||
allow $1 tty_device_t:chr_file append_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -951,7 +951,7 @@ interface(`term_write_unallocated_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { getattr write };
|
||||
allow $1 tty_device_t:chr_file write_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -971,7 +971,7 @@ interface(`term_use_unallocated_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { rw_term_perms lock append };
|
||||
allow $1 tty_device_t:chr_file rw_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -990,7 +990,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
type tty_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append };
|
||||
dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1092,7 +1092,7 @@ interface(`term_write_all_user_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 ttynode:chr_file { getattr write append };
|
||||
allow $1 ttynode:chr_file write_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1112,7 +1112,7 @@ interface(`term_use_all_user_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 ttynode:chr_file { rw_term_perms lock append };
|
||||
allow $1 ttynode:chr_file rw_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1131,5 +1131,5 @@ interface(`term_dontaudit_use_all_user_ttys',`
|
||||
attribute ttynode;
|
||||
')
|
||||
|
||||
dontaudit $1 ttynode:chr_file { read write };
|
||||
dontaudit $1 ttynode:chr_file rw_chr_file_perms;
|
||||
')
|
||||
|
||||
@ -37,7 +37,7 @@ interface(`amavis_read_spool_files',`
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 amavis_spool_t:file { getattr read };
|
||||
allow $1 amavis_spool_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -940,7 +940,7 @@ interface(`apache_read_squirrelmail_data',`
|
||||
type httpd_squirrelmail_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_squirrelmail_t:file { getattr read };
|
||||
allow $1 httpd_squirrelmail_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -959,7 +959,7 @@ interface(`apache_append_squirrelmail_data',`
|
||||
type httpd_squirrelmail_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_squirrelmail_t:file { getattr append };
|
||||
allow $1 httpd_squirrelmail_t:file append_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -55,7 +55,7 @@ interface(`apcupsd_read_log',`
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 apcupsd_log_t:dir list_dir_perms;
|
||||
allow $1 apcupsd_log_t:file { read getattr lock };
|
||||
allow $1 apcupsd_log_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -76,7 +76,7 @@ interface(`apcupsd_append_log',`
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 apcupsd_log_t:dir list_dir_perms;
|
||||
allow $1 apcupsd_log_t:file { getattr append };
|
||||
allow $1 apcupsd_log_t:file append_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -16,8 +16,8 @@ interface(`bitlbee_read_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 bitlbee_conf_t:dir { getattr read search };
|
||||
allow $1 bitlbee_conf_t:file { read getattr };
|
||||
allow $1 bitlbee_conf_t:dir list_dir_perms;
|
||||
allow $1 bitlbee_conf_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -285,7 +285,7 @@ template(`cron_admin_template',`
|
||||
')
|
||||
|
||||
# Allow our crontab domain to unlink a user cron spool file.
|
||||
allow $1_crontab_t cron_spool_type:file { getattr read unlink };
|
||||
allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms };
|
||||
|
||||
logging_read_generic_logs($1_crond_t)
|
||||
|
||||
|
||||
@ -207,7 +207,7 @@ interface(`cups_read_log',`
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 cupsd_log_t:file { getattr read };
|
||||
allow $1 cupsd_log_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -226,7 +226,7 @@ interface(`cups_write_log',`
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 cupsd_log_t:file write;
|
||||
allow $1 cupsd_log_t:file write_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -36,7 +36,7 @@ interface(`fail2ban_read_log',`
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 fail2ban_log_t:dir list_dir_perms;
|
||||
allow $1 fail2ban_log_t:file { read getattr lock };
|
||||
allow $1 fail2ban_log_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -67,7 +67,7 @@ interface(`ftp_read_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 ftpd_etc_t:file { getattr read };
|
||||
allow $1 ftpd_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -93,9 +93,9 @@ interface(`inn_read_config',`
|
||||
type innd_etc_t;
|
||||
')
|
||||
|
||||
allow $1 innd_etc_t:dir { getattr read search };
|
||||
allow $1 innd_etc_t:file { read getattr };
|
||||
allow $1 innd_etc_t:lnk_file { getattr read };
|
||||
allow $1 innd_etc_t:dir list_dir_perms;
|
||||
allow $1 innd_etc_t:file read_file_perms;
|
||||
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -113,9 +113,9 @@ interface(`inn_read_news_lib',`
|
||||
type innd_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 innd_var_lib_t:dir { getattr read search };
|
||||
allow $1 innd_var_lib_t:file { read getattr };
|
||||
allow $1 innd_var_lib_t:lnk_file { getattr read };
|
||||
allow $1 innd_var_lib_t:dir list_dir_perms;
|
||||
allow $1 innd_var_lib_t:file read_file_perms;
|
||||
allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -133,9 +133,9 @@ interface(`inn_read_news_spool',`
|
||||
type news_spool_t;
|
||||
')
|
||||
|
||||
allow $1 news_spool_t:dir { getattr read search };
|
||||
allow $1 news_spool_t:file { read getattr };
|
||||
allow $1 news_spool_t:lnk_file { getattr read };
|
||||
allow $1 news_spool_t:dir list_dir_perms;
|
||||
allow $1 news_spool_t:file read_file_perms;
|
||||
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -73,7 +73,7 @@ interface(`kerberos_use',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 krb5_conf_t:file { getattr read };
|
||||
allow $1 krb5_conf_t:file read_file_perms;
|
||||
dontaudit $1 krb5_conf_t:file write;
|
||||
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
|
||||
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
|
||||
|
||||
@ -36,7 +36,7 @@ interface(`ldap_read_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 slapd_etc_t:file { getattr read };
|
||||
allow $1 slapd_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -114,7 +114,7 @@ template(`mta_base_mail_template',`
|
||||
manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
|
||||
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
|
||||
|
||||
allow $1_mail_t etc_mail_t:dir { getattr search };
|
||||
allow $1_mail_t etc_mail_t:dir search_dir_perms;
|
||||
|
||||
# Write to /var/spool/mail and /var/spool/mqueue.
|
||||
manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
|
||||
|
||||
@ -74,9 +74,9 @@ interface(`mysql_read_config',`
|
||||
type mysqld_etc_t;
|
||||
')
|
||||
|
||||
allow $1 mysqld_etc_t:dir { getattr read search };
|
||||
allow $1 mysqld_etc_t:file { read getattr };
|
||||
allow $1 mysqld_etc_t:lnk_file { getattr read };
|
||||
allow $1 mysqld_etc_t:dir list_dir_perms;
|
||||
allow $1 mysqld_etc_t:file read_file_perms;
|
||||
allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -98,7 +98,7 @@ interface(`mysql_search_db',`
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 mysqld_db_t:dir search;
|
||||
allow $1 mysqld_db_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -156,7 +156,7 @@ interface(`mysql_rw_db_sockets',`
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 mysqld_db_t:dir search;
|
||||
allow $1 mysqld_db_t:dir search_dir_perms;
|
||||
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
|
||||
')
|
||||
|
||||
@ -176,5 +176,5 @@ interface(`mysql_write_log',`
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 mysqld_log_t:file { write append setattr ioctl };
|
||||
allow $1 mysqld_log_t:file { write_file_perms setattr };
|
||||
')
|
||||
|
||||
@ -223,7 +223,7 @@ interface(`nis_read_ypserv_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 ypserv_conf_t:file { getattr read };
|
||||
allow $1 ypserv_conf_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -49,7 +49,7 @@ interface(`portmap_run_helper',`
|
||||
|
||||
portmap_domtrans_helper($1)
|
||||
role $2 types portmap_helper_t;
|
||||
allow portmap_helper_t $3:chr_file { getattr read write ioctl };
|
||||
allow portmap_helper_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -208,9 +208,9 @@ interface(`postfix_read_config',`
|
||||
type postfix_etc_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_etc_t:dir { getattr read search };
|
||||
allow $1 postfix_etc_t:file { read getattr };
|
||||
allow $1 postfix_etc_t:lnk_file { getattr read };
|
||||
allow $1 postfix_etc_t:dir list_dir_perms;
|
||||
allow $1 postfix_etc_t:file read_file_perms;
|
||||
allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
|
||||
@ -272,9 +272,9 @@ interface(`postgresql_read_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 postgresql_etc_t:dir { getattr read search };
|
||||
allow $1 postgresql_etc_t:file { read getattr };
|
||||
allow $1 postgresql_etc_t:lnk_file { getattr read };
|
||||
allow $1 postgresql_etc_t:dir list_dir_perms;
|
||||
allow $1 postgresql_etc_t:file read_file_perms;
|
||||
allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -230,7 +230,7 @@ interface(`ppp_read_rw_config',`
|
||||
')
|
||||
|
||||
allow $1 pppd_etc_t:dir list_dir_perms;
|
||||
allow $1 pppd_etc_rw_t:file { getattr read };
|
||||
allow $1 pppd_etc_rw_t:file read_file_perms;
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
@ -250,7 +250,7 @@ interface(`ppp_read_secrets',`
|
||||
')
|
||||
|
||||
allow $1 pppd_etc_t:dir list_dir_perms;
|
||||
allow $1 pppd_secret_t:file { getattr read };
|
||||
allow $1 pppd_secret_t:file read_file_perms;
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
|
||||
@ -72,9 +72,9 @@ template(`qmail_child_domain_template',`
|
||||
allow $1_t $2:fifo_file rw_file_perms;
|
||||
allow $1_t $2:process sigchld;
|
||||
|
||||
allow $1_t qmail_etc_t:dir { getattr read search };
|
||||
allow $1_t qmail_etc_t:file { getattr read };
|
||||
allow $1_t qmail_etc_t:lnk_file { getattr read };
|
||||
allow $1_t qmail_etc_t:dir list_dir_perms;
|
||||
allow $1_t qmail_etc_t:file read_file_perms;
|
||||
allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow $1_t qmail_start_t:fd use;
|
||||
|
||||
@ -158,9 +158,9 @@ interface(`qmail_read_config',`
|
||||
type qmail_etc_t;
|
||||
')
|
||||
|
||||
allow $1 qmail_etc_t:dir { getattr read search };
|
||||
allow $1 qmail_etc_t:file { getattr read };
|
||||
allow $1 qmail_etc_t:lnk_file { getattr read };
|
||||
allow $1 qmail_etc_t:dir list_dir_perms;
|
||||
allow $1 qmail_etc_t:file read_file_perms;
|
||||
allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
|
||||
files_search_var($1)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
|
||||
@ -56,7 +56,8 @@ template(`razor_common_domain_template',`
|
||||
files_search_var_lib($1_t)
|
||||
|
||||
# Razor is one executable and several symlinks
|
||||
allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
|
||||
allow $1_t razor_exec_t:file read_file_perms;
|
||||
allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
kernel_read_system_state($1_t)
|
||||
kernel_read_network_state($1_t)
|
||||
|
||||
@ -194,5 +194,5 @@ interface(`rhgb_rw_tmpfs_files',`
|
||||
type rhgb_tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 rhgb_tmpfs_t:file { read write };
|
||||
allow $1 rhgb_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
@ -263,7 +263,7 @@ interface(`samba_read_secrets',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 samba_secrets_t:file { read getattr lock };
|
||||
allow $1 samba_secrets_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -15,7 +15,7 @@ interface(`smartmon_read_tmp_files',`
|
||||
type fsdaemon_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
|
||||
allow $1 fsdaemon_tmp_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -391,7 +391,7 @@ template(`ssh_per_role_template',`
|
||||
allow $1_ssh_keysign_t self:capability { setgid setuid };
|
||||
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
|
||||
allow $1_ssh_keysign_t sshd_key_t:file read_file_perms;
|
||||
|
||||
dev_read_urand($1_ssh_keysign_t)
|
||||
|
||||
@ -452,7 +452,7 @@ template(`ssh_server_template', `
|
||||
can_exec($1_t, sshd_exec_t)
|
||||
|
||||
# Access key files
|
||||
allow $1_t sshd_key_t:file { getattr read };
|
||||
allow $1_t sshd_key_t:file read_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls($1_t)
|
||||
|
||||
|
||||
@ -320,7 +320,7 @@ template(`xserver_per_role_template',`
|
||||
|
||||
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
|
||||
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||
allow $1_xserver_t $1_xauth_home_t:file read_file_perms;
|
||||
|
||||
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
|
||||
allow $1_xserver_t $2:process signal;
|
||||
@ -539,7 +539,7 @@ template(`xserver_ro_session_template',`
|
||||
allow $2 $1_xserver_t:process signal;
|
||||
|
||||
# Read /tmp/.X0-lock
|
||||
allow $2 $1_xserver_tmp_t:file { getattr read };
|
||||
allow $2 $1_xserver_tmp_t:file read_file_perms;
|
||||
|
||||
# Client read xserver shm
|
||||
allow $2 $1_xserver_t:fd use;
|
||||
@ -615,8 +615,8 @@ template(`xserver_user_client_template',`
|
||||
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
# Read .Xauthority file
|
||||
allow $2 $1_xauth_home_t:file { getattr read };
|
||||
allow $2 $1_iceauth_home_t:file { getattr read };
|
||||
allow $2 $1_xauth_home_t:file read_file_perms;
|
||||
allow $2 $1_iceauth_home_t:file read_file_perms;
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@ -885,13 +885,13 @@ template(`xserver_user_x_domain_template',`
|
||||
allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
# Read .Xauthority file
|
||||
allow $3 $1_xauth_home_t:file { getattr read };
|
||||
allow $3 $1_iceauth_home_t:file { getattr read };
|
||||
allow $3 $1_xauth_home_t:file read_file_perms;
|
||||
allow $3 $1_iceauth_home_t:file read_file_perms;
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $3 xdm_t:fd use;
|
||||
allow $3 xdm_t:fifo_file { getattr read write ioctl };
|
||||
allow $3 xdm_tmp_t:dir search;
|
||||
allow $3 xdm_tmp_t:dir search_dir_perms;
|
||||
allow $3 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $3 xdm_t:tcp_socket { read write };
|
||||
|
||||
@ -1230,7 +1230,7 @@ interface(`xserver_read_xdm_rw_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 xdm_rw_etc_t:file { getattr read };
|
||||
allow $1 xdm_rw_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1306,7 +1306,7 @@ interface(`xserver_read_xdm_lib_files',`
|
||||
type xdm_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_var_lib_t:file { getattr read };
|
||||
allow $1 xdm_var_lib_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1479,7 +1479,7 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_xserver_tmp_t:file { getattr read };
|
||||
allow $1 xdm_xserver_tmp_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -31,7 +31,7 @@ template(`authlogin_common_auth_domain_template',`
|
||||
allow $1_chkpwd_t self:process getattr;
|
||||
|
||||
files_list_etc($1_chkpwd_t)
|
||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||
allow $1_chkpwd_t shadow_t:file read_file_perms;
|
||||
|
||||
# is_selinux_enabled
|
||||
kernel_read_system_state($1_chkpwd_t)
|
||||
|
||||
@ -47,7 +47,7 @@ interface(`clock_run',`
|
||||
|
||||
clock_domtrans($1)
|
||||
role $2 types hwclock_t;
|
||||
allow hwclock_t $3:chr_file { getattr read write ioctl };
|
||||
allow hwclock_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -48,7 +48,7 @@ interface(`fstools_run',`
|
||||
|
||||
fstools_domtrans($1)
|
||||
role $2 types fsadm_t;
|
||||
allow fsadm_t $3:chr_file { getattr read write ioctl };
|
||||
allow fsadm_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -54,7 +54,7 @@ interface(`getty_read_log',`
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 getty_log_t:file { getattr read };
|
||||
allow $1 getty_log_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -74,7 +74,7 @@ interface(`getty_read_config',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 getty_etc_t:file { getattr read };
|
||||
allow $1 getty_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -47,7 +47,7 @@ interface(`hostname_run',`
|
||||
|
||||
hostname_domtrans($1)
|
||||
role $2 types hostname_t;
|
||||
allow hostname_t $3:chr_file { getattr read write ioctl };
|
||||
allow hostname_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1394,7 +1394,7 @@ interface(`init_write_utmp',`
|
||||
')
|
||||
|
||||
files_list_pids($1)
|
||||
allow $1 initrc_var_run_t:file { getattr write };
|
||||
allow $1 initrc_var_run_t:file { getattr open write };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -48,7 +48,7 @@ interface(`sysnet_run_dhcpc',`
|
||||
|
||||
sysnet_domtrans_dhcpc($1)
|
||||
role $2 types dhcpc_t;
|
||||
allow dhcpc_t $3:chr_file { getattr read write ioctl };
|
||||
allow dhcpc_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -198,7 +198,7 @@ interface(`sysnet_read_dhcpc_state',`
|
||||
type dhcpc_state_t;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_state_t:file { getattr read };
|
||||
allow $1 dhcpc_state_t:file read_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -348,7 +348,7 @@ interface(`sysnet_read_dhcpc_pid',`
|
||||
')
|
||||
|
||||
files_list_pids($1)
|
||||
allow $1 dhcpc_var_run_t:file { getattr read };
|
||||
allow $1 dhcpc_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
||||
@ -645,5 +645,5 @@ interface(`unconfined_write_tmp_files',`
|
||||
type unconfined_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 unconfined_tmp_t:file { getattr write append };
|
||||
allow $1 unconfined_tmp_t:file write_file_perms;
|
||||
')
|
||||
|
||||
@ -57,7 +57,7 @@ template(`userdom_base_user_template',`
|
||||
allow $1_t self:context contains;
|
||||
dontaudit $1_t self:socket create;
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
||||
allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms };
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
||||
@ -5310,7 +5310,7 @@ interface(`userdom_write_unpriv_users_tmp_files',`
|
||||
attribute user_tmpfile;
|
||||
')
|
||||
|
||||
allow $1 user_tmpfile:file { getattr write append };
|
||||
allow $1 user_tmpfile:file write_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
# Specified domain transition patterns
|
||||
#
|
||||
define(`domain_transition_pattern',`
|
||||
allow $1 $2:file { getattr read execute };
|
||||
allow $1 $2:file { getattr open read execute };
|
||||
allow $1 $3:process transition;
|
||||
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
@ -48,7 +48,8 @@ define(`send_audit_msgs_pattern',`
|
||||
')
|
||||
|
||||
define(`ps_process_pattern',`
|
||||
allow $1 $2:dir { search getattr read };
|
||||
allow $1 $2:{ file lnk_file } { read getattr };
|
||||
allow $1 $2:dir list_dir_perms;
|
||||
allow $1 $2:file read_file_perms;
|
||||
allow $1 $2:lnk_file read_lnk_file_perms;
|
||||
allow $1 $2:process getattr;
|
||||
')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user