- Allow users to exec restorecond
This commit is contained in:
parent
f5a104d238
commit
85582d623f
@ -245,7 +245,7 @@ allow_nsplugin_execmem=true
|
|||||||
|
|
||||||
# Allow unconfined domain to transition to confined domain
|
# Allow unconfined domain to transition to confined domain
|
||||||
#
|
#
|
||||||
allow_unconfined_nsplugin_transition=true
|
allow_unconfined_nsplugin_transition=false
|
||||||
|
|
||||||
# System uses init upstart program
|
# System uses init upstart program
|
||||||
#
|
#
|
||||||
|
149
policy-F12.patch
149
policy-F12.patch
@ -12909,7 +12909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
|
||||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 13:14:31.000000000 -0700
|
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 13:14:31.000000000 -0700
|
||||||
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-21 19:37:35.000000000 -0700
|
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-24 17:38:43.000000000 -0700
|
||||||
@@ -19,6 +19,9 @@
|
@@ -19,6 +19,9 @@
|
||||||
type NetworkManager_tmp_t;
|
type NetworkManager_tmp_t;
|
||||||
files_tmp_file(NetworkManager_tmp_t)
|
files_tmp_file(NetworkManager_tmp_t)
|
||||||
@ -12951,16 +12951,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||||
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||||
@@ -63,6 +70,8 @@
|
@@ -63,6 +70,9 @@
|
||||||
kernel_read_network_state(NetworkManager_t)
|
kernel_read_network_state(NetworkManager_t)
|
||||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||||
kernel_load_module(NetworkManager_t)
|
kernel_load_module(NetworkManager_t)
|
||||||
|
+kernel_request_load_module(NetworkManager_t)
|
||||||
+kernel_read_debugfs(NetworkManager_t)
|
+kernel_read_debugfs(NetworkManager_t)
|
||||||
+kernel_rw_net_sysctls(NetworkManager_t)
|
+kernel_rw_net_sysctls(NetworkManager_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(NetworkManager_t)
|
corenet_all_recvfrom_unlabeled(NetworkManager_t)
|
||||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||||
@@ -81,13 +90,18 @@
|
@@ -81,13 +91,18 @@
|
||||||
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
||||||
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
||||||
corenet_sendrecv_all_client_packets(NetworkManager_t)
|
corenet_sendrecv_all_client_packets(NetworkManager_t)
|
||||||
@ -12979,7 +12980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
mls_file_read_all_levels(NetworkManager_t)
|
mls_file_read_all_levels(NetworkManager_t)
|
||||||
|
|
||||||
@@ -98,15 +112,20 @@
|
@@ -98,15 +113,20 @@
|
||||||
|
|
||||||
domain_use_interactive_fds(NetworkManager_t)
|
domain_use_interactive_fds(NetworkManager_t)
|
||||||
domain_read_confined_domains_state(NetworkManager_t)
|
domain_read_confined_domains_state(NetworkManager_t)
|
||||||
@ -13001,7 +13002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
logging_send_syslog_msg(NetworkManager_t)
|
logging_send_syslog_msg(NetworkManager_t)
|
||||||
|
|
||||||
miscfiles_read_localization(NetworkManager_t)
|
miscfiles_read_localization(NetworkManager_t)
|
||||||
@@ -116,25 +135,40 @@
|
@@ -116,25 +136,40 @@
|
||||||
|
|
||||||
seutil_read_config(NetworkManager_t)
|
seutil_read_config(NetworkManager_t)
|
||||||
|
|
||||||
@ -13049,7 +13050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -146,8 +180,25 @@
|
@@ -146,8 +181,25 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -13077,7 +13078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -155,23 +206,51 @@
|
@@ -155,23 +207,51 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -13131,7 +13132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -179,12 +258,15 @@
|
@@ -179,12 +259,15 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -15843,7 +15844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 11:19:57.000000000 -0700
|
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 11:19:57.000000000 -0700
|
||||||
+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-16 07:03:09.000000000 -0700
|
+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-25 07:42:34.000000000 -0700
|
||||||
@@ -54,7 +54,7 @@
|
@@ -54,7 +54,7 @@
|
||||||
allow $1_t self:unix_dgram_socket create_socket_perms;
|
allow $1_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@ -15853,7 +15854,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
|
manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
|
||||||
manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
|
manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
|
||||||
@@ -109,6 +109,10 @@
|
@@ -99,6 +99,7 @@
|
||||||
|
files_read_etc_runtime_files($1_t)
|
||||||
|
files_search_var($1_t)
|
||||||
|
files_search_var_lib($1_t)
|
||||||
|
+ files_list_home($1_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch($1_t)
|
||||||
|
|
||||||
|
@@ -109,6 +110,10 @@
|
||||||
userdom_dontaudit_use_unpriv_user_fds($1_t)
|
userdom_dontaudit_use_unpriv_user_fds($1_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -15866,7 +15875,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
|
||||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 13:14:31.000000000 -0700
|
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 13:14:31.000000000 -0700
|
||||||
+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-16 07:03:09.000000000 -0700
|
+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-25 07:42:43.000000000 -0700
|
||||||
|
@@ -53,7 +53,7 @@
|
||||||
|
# RPC local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
-allow rpcd_t self:capability { chown dac_override setgid setuid };
|
||||||
|
+allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
|
||||||
|
allow rpcd_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
|
allow rpcd_t rpcd_var_run_t:dir setattr;
|
||||||
@@ -91,6 +91,8 @@
|
@@ -91,6 +91,8 @@
|
||||||
|
|
||||||
seutil_dontaudit_search_config(rpcd_t)
|
seutil_dontaudit_search_config(rpcd_t)
|
||||||
@ -19016,7 +19034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
|
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 11:19:57.000000000 -0700
|
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 11:19:57.000000000 -0700
|
||||||
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-16 07:03:09.000000000 -0700
|
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-25 07:58:35.000000000 -0700
|
||||||
@@ -3,12 +3,17 @@
|
@@ -3,12 +3,17 @@
|
||||||
#
|
#
|
||||||
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
|
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
|
||||||
@ -19028,7 +19046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||||
+HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0)
|
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||||
|
|
||||||
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||||
@ -23546,8 +23564,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 11:19:57.000000000 -0700
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 11:19:57.000000000 -0700
|
||||||
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-16 07:03:09.000000000 -0700
|
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-24 20:11:24.000000000 -0700
|
||||||
@@ -535,6 +535,53 @@
|
@@ -351,6 +351,27 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Execute restorecond in the caller domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`seutil_exec_restorecond',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type restorecond_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_usr($1)
|
||||||
|
+ corecmd_search_bin($1)
|
||||||
|
+ can_exec($1, restorecond_exec_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Execute run_init in the run_init domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -535,6 +556,53 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -23601,7 +23647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute setfiles in the caller domain.
|
## Execute setfiles in the caller domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -680,6 +727,7 @@
|
@@ -680,6 +748,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
@ -23609,7 +23655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||||
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||||
')
|
')
|
||||||
@@ -999,6 +1047,26 @@
|
@@ -999,6 +1068,26 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -23636,7 +23682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute semanage in the semanage domain, and
|
## Execute semanage in the semanage domain, and
|
||||||
## allow the specified role the semanage domain,
|
## allow the specified role the semanage domain,
|
||||||
## and use the caller's terminal.
|
## and use the caller's terminal.
|
||||||
@@ -1010,7 +1078,7 @@
|
@@ -1010,7 +1099,7 @@
|
||||||
## </param>
|
## </param>
|
||||||
## <param name="role">
|
## <param name="role">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -23645,7 +23691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
@@ -1028,6 +1096,33 @@
|
@@ -1028,6 +1117,33 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -23679,7 +23725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Full management of the semanage
|
## Full management of the semanage
|
||||||
## module store.
|
## module store.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1139,3 +1234,194 @@
|
@@ -1139,3 +1255,194 @@
|
||||||
selinux_dontaudit_get_fs_mount($1)
|
selinux_dontaudit_get_fs_mount($1)
|
||||||
seutil_dontaudit_read_config($1)
|
seutil_dontaudit_read_config($1)
|
||||||
')
|
')
|
||||||
@ -25608,7 +25654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 10:30:04.000000000 -0700
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 10:30:04.000000000 -0700
|
||||||
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-21 05:24:59.000000000 -0700
|
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-24 20:12:04.000000000 -0700
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26055,7 +26101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -508,182 +515,208 @@
|
@@ -508,182 +515,209 @@
|
||||||
# evolution and gnome-session try to create a netlink socket
|
# evolution and gnome-session try to create a netlink socket
|
||||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||||
@ -26160,6 +26206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
seutil_exec_checkpolicy($1_t)
|
seutil_exec_checkpolicy($1_t)
|
||||||
- seutil_exec_setfiles($1_t)
|
- seutil_exec_setfiles($1_t)
|
||||||
+ seutil_exec_setfiles($1_usertype)
|
+ seutil_exec_setfiles($1_usertype)
|
||||||
|
+ seutil_exec_restorecond($1_usertype)
|
||||||
# for when the network connection is killed
|
# for when the network connection is killed
|
||||||
# this is needed when a login role can change
|
# this is needed when a login role can change
|
||||||
# to this one.
|
# to this one.
|
||||||
@ -26337,7 +26384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -711,13 +744,26 @@
|
@@ -711,13 +745,26 @@
|
||||||
|
|
||||||
userdom_base_user_template($1)
|
userdom_base_user_template($1)
|
||||||
|
|
||||||
@ -26369,7 +26416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
userdom_change_password_template($1)
|
userdom_change_password_template($1)
|
||||||
|
|
||||||
@@ -735,70 +781,71 @@
|
@@ -735,70 +782,71 @@
|
||||||
|
|
||||||
allow $1_t self:context contains;
|
allow $1_t self:context contains;
|
||||||
|
|
||||||
@ -26474,7 +26521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -835,6 +882,32 @@
|
@@ -835,6 +883,32 @@
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -26507,7 +26554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
loadkeys_run($1_t,$1_r)
|
loadkeys_run($1_t,$1_r)
|
||||||
')
|
')
|
||||||
@@ -865,51 +938,81 @@
|
@@ -865,51 +939,81 @@
|
||||||
|
|
||||||
userdom_restricted_user_template($1)
|
userdom_restricted_user_template($1)
|
||||||
|
|
||||||
@ -26602,7 +26649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -943,8 +1046,8 @@
|
@@ -943,8 +1047,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -26612,7 +26659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
userdom_common_user_template($1)
|
userdom_common_user_template($1)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -953,11 +1056,12 @@
|
@@ -953,11 +1057,12 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
@ -26627,7 +26674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# cjp: why?
|
# cjp: why?
|
||||||
files_read_kernel_symbol_table($1_t)
|
files_read_kernel_symbol_table($1_t)
|
||||||
|
|
||||||
@@ -975,36 +1079,53 @@
|
@@ -975,36 +1080,53 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26695,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1040,7 +1161,7 @@
|
@@ -1040,7 +1162,7 @@
|
||||||
template(`userdom_admin_user_template',`
|
template(`userdom_admin_user_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute admindomain;
|
attribute admindomain;
|
||||||
@ -26704,7 +26751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -1049,8 +1170,7 @@
|
@@ -1049,8 +1171,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# Inherit rules for ordinary users.
|
# Inherit rules for ordinary users.
|
||||||
@ -26714,7 +26761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
domain_obj_id_change_exemption($1_t)
|
domain_obj_id_change_exemption($1_t)
|
||||||
role system_r types $1_t;
|
role system_r types $1_t;
|
||||||
@@ -1075,6 +1195,9 @@
|
@@ -1075,6 +1196,9 @@
|
||||||
# Skip authentication when pam_rootok is specified.
|
# Skip authentication when pam_rootok is specified.
|
||||||
allow $1_t self:passwd rootok;
|
allow $1_t self:passwd rootok;
|
||||||
|
|
||||||
@ -26724,7 +26771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
kernel_getattr_message_if($1_t)
|
kernel_getattr_message_if($1_t)
|
||||||
@@ -1089,6 +1212,7 @@
|
@@ -1089,6 +1213,7 @@
|
||||||
kernel_sigstop_unlabeled($1_t)
|
kernel_sigstop_unlabeled($1_t)
|
||||||
kernel_signull_unlabeled($1_t)
|
kernel_signull_unlabeled($1_t)
|
||||||
kernel_sigchld_unlabeled($1_t)
|
kernel_sigchld_unlabeled($1_t)
|
||||||
@ -26732,7 +26779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
# allow setting up tunnels
|
# allow setting up tunnels
|
||||||
@@ -1096,8 +1220,6 @@
|
@@ -1096,8 +1221,6 @@
|
||||||
|
|
||||||
dev_getattr_generic_blk_files($1_t)
|
dev_getattr_generic_blk_files($1_t)
|
||||||
dev_getattr_generic_chr_files($1_t)
|
dev_getattr_generic_chr_files($1_t)
|
||||||
@ -26741,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Allow MAKEDEV to work
|
# Allow MAKEDEV to work
|
||||||
dev_create_all_blk_files($1_t)
|
dev_create_all_blk_files($1_t)
|
||||||
dev_create_all_chr_files($1_t)
|
dev_create_all_chr_files($1_t)
|
||||||
@@ -1124,6 +1246,8 @@
|
@@ -1124,6 +1247,8 @@
|
||||||
files_exec_usr_src_files($1_t)
|
files_exec_usr_src_files($1_t)
|
||||||
|
|
||||||
fs_getattr_all_fs($1_t)
|
fs_getattr_all_fs($1_t)
|
||||||
@ -26750,7 +26797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
fs_set_all_quotas($1_t)
|
fs_set_all_quotas($1_t)
|
||||||
fs_exec_noxattr($1_t)
|
fs_exec_noxattr($1_t)
|
||||||
|
|
||||||
@@ -1152,20 +1276,6 @@
|
@@ -1152,20 +1277,6 @@
|
||||||
# But presently necessary for installing the file_contexts file.
|
# But presently necessary for installing the file_contexts file.
|
||||||
seutil_manage_bin_policy($1_t)
|
seutil_manage_bin_policy($1_t)
|
||||||
|
|
||||||
@ -26771,7 +26818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
postgresql_unconfined($1_t)
|
postgresql_unconfined($1_t)
|
||||||
')
|
')
|
||||||
@@ -1211,6 +1321,7 @@
|
@@ -1211,6 +1322,7 @@
|
||||||
dev_relabel_all_dev_nodes($1)
|
dev_relabel_all_dev_nodes($1)
|
||||||
|
|
||||||
files_create_boot_flag($1)
|
files_create_boot_flag($1)
|
||||||
@ -26779,7 +26826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Necessary for managing /boot/efi
|
# Necessary for managing /boot/efi
|
||||||
fs_manage_dos_files($1)
|
fs_manage_dos_files($1)
|
||||||
@@ -1276,11 +1387,15 @@
|
@@ -1276,11 +1388,15 @@
|
||||||
interface(`userdom_user_home_content',`
|
interface(`userdom_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_t;
|
type user_home_t;
|
||||||
@ -26795,7 +26842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1391,12 +1506,13 @@
|
@@ -1391,12 +1507,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
@ -26810,7 +26857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1429,6 +1545,14 @@
|
@@ -1429,6 +1546,14 @@
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
@ -26825,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1444,9 +1568,11 @@
|
@@ -1444,9 +1569,11 @@
|
||||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_dir_t;
|
type user_home_dir_t;
|
||||||
@ -26837,7 +26884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1503,6 +1629,25 @@
|
@@ -1503,6 +1630,25 @@
|
||||||
allow $1 user_home_dir_t:dir relabelto;
|
allow $1 user_home_dir_t:dir relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26863,7 +26910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create directories in the home dir root with
|
## Create directories in the home dir root with
|
||||||
@@ -1577,6 +1722,8 @@
|
@@ -1577,6 +1723,8 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||||
@ -26872,7 +26919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1670,6 +1817,7 @@
|
@@ -1670,6 +1818,7 @@
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26880,7 +26927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
')
|
')
|
||||||
@@ -1797,19 +1945,32 @@
|
@@ -1797,19 +1946,32 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_exec_user_home_content_files',`
|
interface(`userdom_exec_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -26920,7 +26967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1844,6 +2005,7 @@
|
@@ -1844,6 +2006,7 @@
|
||||||
interface(`userdom_manage_user_home_content_files',`
|
interface(`userdom_manage_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
@ -26928,7 +26975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
manage_files_pattern($1, user_home_t, user_home_t)
|
manage_files_pattern($1, user_home_t, user_home_t)
|
||||||
@@ -2391,27 +2553,7 @@
|
@@ -2391,27 +2554,7 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26957,7 +27004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -2765,11 +2907,32 @@
|
@@ -2765,11 +2908,32 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_search_user_home_content',`
|
interface(`userdom_search_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -26992,7 +27039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2897,7 +3060,25 @@
|
@@ -2897,7 +3061,25 @@
|
||||||
type user_tmp_t;
|
type user_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27019,7 +27066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2934,6 +3115,7 @@
|
@@ -2934,6 +3116,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1, userdomain, userdomain)
|
read_files_pattern($1, userdomain, userdomain)
|
||||||
@ -27027,7 +27074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3064,3 +3246,559 @@
|
@@ -3064,3 +3247,559 @@
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
300
policygentool
300
policygentool
@ -1,297 +1,3 @@
|
|||||||
#! /usr/bin/env python
|
#!/bin/sh
|
||||||
# Copyright (C) 2006 Red Hat
|
echo "$0 is no longer supported, better tools exist for creating policy"
|
||||||
# see file 'COPYING' for use and warranty information
|
echo "Please use /usr/bin/sepolgen, slide or polgengui to generate policy"
|
||||||
#
|
|
||||||
# policygentool is a tool for the initial generation of SELinux policy
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of the GNU General Public License as
|
|
||||||
# published by the Free Software Foundation; either version 2 of
|
|
||||||
# the License, or (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
|
|
||||||
# 02111-1307 USA
|
|
||||||
#
|
|
||||||
#
|
|
||||||
import os, sys, getopt
|
|
||||||
import re
|
|
||||||
|
|
||||||
########################### Interface File #############################
|
|
||||||
interface="""\
|
|
||||||
## <summary>policy for TEMPLATETYPE</summary>
|
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
## Execute a domain transition to run TEMPLATETYPE.
|
|
||||||
## </summary>
|
|
||||||
## <param name=\"domain\">
|
|
||||||
## <summary>
|
|
||||||
## Domain allowed to transition.
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
interface(`TEMPLATETYPE_domtrans',`
|
|
||||||
gen_require(`
|
|
||||||
type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
|
|
||||||
|
|
||||||
allow TEMPLATETYPE_t $1:fd use;
|
|
||||||
allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
|
|
||||||
allow TEMPLATETYPE_t $1:process sigchld;
|
|
||||||
')
|
|
||||||
"""
|
|
||||||
|
|
||||||
########################### Type Enforcement File #############################
|
|
||||||
te="""\
|
|
||||||
policy_module(TEMPLATETYPE,1.0.0)
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Declarations
|
|
||||||
#
|
|
||||||
|
|
||||||
type TEMPLATETYPE_t;
|
|
||||||
type TEMPLATETYPE_exec_t;
|
|
||||||
domain_type(TEMPLATETYPE_t)
|
|
||||||
init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
|
|
||||||
"""
|
|
||||||
te_logfile="""
|
|
||||||
# log files
|
|
||||||
type TEMPLATETYPE_var_log_t;
|
|
||||||
logging_log_file(TEMPLATETYPE_var_log_t)
|
|
||||||
"""
|
|
||||||
te_pidfile="""
|
|
||||||
# pid files
|
|
||||||
type TEMPLATETYPE_var_run_t;
|
|
||||||
files_pid_file(TEMPLATETYPE_var_run_t)
|
|
||||||
"""
|
|
||||||
te_libfile="""
|
|
||||||
# var/lib files
|
|
||||||
type TEMPLATETYPE_var_lib_t;
|
|
||||||
files_type(TEMPLATETYPE_var_lib_t)
|
|
||||||
"""
|
|
||||||
te_sep="""
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# TEMPLATETYPE local policy
|
|
||||||
#
|
|
||||||
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
|
|
||||||
|
|
||||||
# Some common macros (you might be able to remove some)
|
|
||||||
files_read_etc_files(TEMPLATETYPE_t)
|
|
||||||
libs_use_ld_so(TEMPLATETYPE_t)
|
|
||||||
libs_use_shared_libs(TEMPLATETYPE_t)
|
|
||||||
miscfiles_read_localization(TEMPLATETYPE_t)
|
|
||||||
## internal communication is often done using fifo and unix sockets.
|
|
||||||
allow TEMPLATETYPE_t self:fifo_file { read write };
|
|
||||||
allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
|
|
||||||
"""
|
|
||||||
te_pidfile2="""
|
|
||||||
# pid file
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
|
|
||||||
files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
|
|
||||||
"""
|
|
||||||
te_logfile2="""
|
|
||||||
# log files
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
|
|
||||||
logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
|
|
||||||
"""
|
|
||||||
te_libfile2="""
|
|
||||||
# var/lib files for TEMPLATETYPE
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
|
|
||||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
|
|
||||||
files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
|
|
||||||
"""
|
|
||||||
te_network2="""
|
|
||||||
## Networking basics (adjust to your needs!)
|
|
||||||
sysnet_dns_name_resolve(TEMPLATETYPE_t)
|
|
||||||
corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
|
|
||||||
corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
|
|
||||||
corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
|
|
||||||
corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
|
|
||||||
corenet_tcp_connect_http_port(TEMPLATETYPE_t)
|
|
||||||
#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
|
|
||||||
## if it is a network daemon, consider these:
|
|
||||||
#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
|
|
||||||
#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
|
|
||||||
allow TEMPLATETYPE_t self:tcp_socket { listen accept };
|
|
||||||
"""
|
|
||||||
te_initsc2="""
|
|
||||||
# Init script handling
|
|
||||||
init_use_fds(TEMPLATETYPE_t)
|
|
||||||
init_use_script_ptys(TEMPLATETYPE_t)
|
|
||||||
domain_use_interactive_fds(TEMPLATETYPE_t)
|
|
||||||
"""
|
|
||||||
|
|
||||||
########################### File Context ##################################
|
|
||||||
fc="""\
|
|
||||||
# TEMPLATETYPE executable will have:
|
|
||||||
# label: system_u:object_r:TEMPLATETYPE_exec_t
|
|
||||||
# MLS sensitivity: s0
|
|
||||||
# MCS categories: <none>
|
|
||||||
|
|
||||||
EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
|
|
||||||
"""
|
|
||||||
fc_pidfile="""\
|
|
||||||
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
|
|
||||||
"""
|
|
||||||
fc_logfile="""\
|
|
||||||
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
|
|
||||||
"""
|
|
||||||
fc_libfile="""\
|
|
||||||
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
|
|
||||||
"""
|
|
||||||
def errorExit(error):
|
|
||||||
sys.stderr.write("%s: " % sys.argv[0])
|
|
||||||
sys.stderr.write("%s\n" % error)
|
|
||||||
sys.stderr.flush()
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
|
|
||||||
def write_te_file(module, pidfile, logfile, libfile, network, initsc):
|
|
||||||
file="%s.te" % module
|
|
||||||
newte=re.sub("TEMPLATETYPE", module, te)
|
|
||||||
if libfile:
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
|
|
||||||
if logfile:
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
|
|
||||||
if pidfile:
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
|
|
||||||
if libfile:
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
|
|
||||||
if logfile:
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
|
|
||||||
if pidfile:
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
|
|
||||||
if network:
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
|
|
||||||
if initsc:
|
|
||||||
newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
|
|
||||||
if os.path.exists(file):
|
|
||||||
errorExit("%s already exists" % file)
|
|
||||||
fd = open(file, 'w')
|
|
||||||
fd.write(newte)
|
|
||||||
fd.close()
|
|
||||||
|
|
||||||
def write_if_file(module):
|
|
||||||
file="%s.if" % module
|
|
||||||
newif=re.sub("TEMPLATETYPE", module, interface)
|
|
||||||
if os.path.exists(file):
|
|
||||||
errorExit("%s already exists" % file)
|
|
||||||
fd = open(file, 'w')
|
|
||||||
fd.write(newif)
|
|
||||||
fd.close()
|
|
||||||
|
|
||||||
def write_fc_file(module, executable, pidfile, logfile, libfile):
|
|
||||||
file="%s.fc" % module
|
|
||||||
temp=re.sub("TEMPLATETYPE", module, fc)
|
|
||||||
newfc=re.sub("EXECUTABLE", executable, temp)
|
|
||||||
if pidfile:
|
|
||||||
temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
|
|
||||||
newfc=newfc + re.sub("FILENAME", pidfile, temp)
|
|
||||||
if logfile:
|
|
||||||
temp=re.sub("TEMPLATETYPE", module, fc_logfile)
|
|
||||||
newfc=newfc + re.sub("FILENAME", logfile, temp)
|
|
||||||
if libfile:
|
|
||||||
temp=re.sub("TEMPLATETYPE", module, fc_libfile)
|
|
||||||
newfc=newfc + re.sub("FILENAME", libfile, temp)
|
|
||||||
if os.path.exists(file):
|
|
||||||
errorExit("%s already exists" % file)
|
|
||||||
fd = open(file, 'w')
|
|
||||||
fd.write(newfc)
|
|
||||||
fd.close()
|
|
||||||
|
|
||||||
def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
|
|
||||||
write_te_file(module, pidfile, logfile, libfile, initsc, network)
|
|
||||||
write_if_file(module)
|
|
||||||
write_fc_file(module, executable, pidfile, logfile, libfile)
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
def usage(message = ""):
|
|
||||||
print '%s ModuleName Executable' % sys.argv[0]
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
if len(sys.argv) != 3:
|
|
||||||
usage()
|
|
||||||
|
|
||||||
print """\n
|
|
||||||
This tool generate three files for policy development, A Type Enforcement (te)
|
|
||||||
file, a File Context (fc), and a Interface File(if). Most of the policy rules
|
|
||||||
will be written in the te file. Use the File Context file to associate file
|
|
||||||
paths with security context. Use the interface rules to allow other protected
|
|
||||||
domains to interact with the newly defined domains.
|
|
||||||
|
|
||||||
After generating these files use the /usr/share/selinux/devel/Makefile to
|
|
||||||
compile your policy package. Then use the semodule tool to load it.
|
|
||||||
|
|
||||||
# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
|
|
||||||
# make -f /usr/share/selinux/devel/Makefile
|
|
||||||
# semodule -i myapp.pp
|
|
||||||
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
|
|
||||||
|
|
||||||
Now you can turn on permissive mode, start your application and avc messages
|
|
||||||
will be generated. You can use audit2allow to help translate the avc messages
|
|
||||||
into policy.
|
|
||||||
|
|
||||||
# setenforce 0
|
|
||||||
# service myapp start
|
|
||||||
# audit2allow -R -i /var/log/audit/audit.log
|
|
||||||
|
|
||||||
Return to continue:"""
|
|
||||||
sys.stdin.readline().rstrip()
|
|
||||||
|
|
||||||
print 'If the module uses pidfiles, what is the pidfile called?'
|
|
||||||
pidfile = sys.stdin.readline().rstrip()
|
|
||||||
if pidfile == "":
|
|
||||||
pidfile = None
|
|
||||||
print 'If the module uses logfiles, where are they stored?'
|
|
||||||
logfile = sys.stdin.readline().rstrip()
|
|
||||||
if logfile == "":
|
|
||||||
logfile = None
|
|
||||||
print 'If the module has var/lib files, where are they stored?'
|
|
||||||
libfile = sys.stdin.readline().rstrip()
|
|
||||||
if libfile == "":
|
|
||||||
libfile = None
|
|
||||||
print 'Does the module have a init script? [yN]'
|
|
||||||
initsc = sys.stdin.readline().rstrip()
|
|
||||||
if initsc == "" or initsc == "n" or initsc == "N":
|
|
||||||
initsc = False
|
|
||||||
elif initsc == "y" or initsc == "Y":
|
|
||||||
initsc = True
|
|
||||||
else:
|
|
||||||
raise "Please answer with 'y' or 'n'!"
|
|
||||||
print 'Does the module use the network? [yN]'
|
|
||||||
network = sys.stdin.readline().rstrip()
|
|
||||||
if network == "" or network == "n" or network == "N":
|
|
||||||
network = False
|
|
||||||
elif network == "y" or network == "Y":
|
|
||||||
network = True
|
|
||||||
else:
|
|
||||||
raise "Please answer with 'y' or 'n'!"
|
|
||||||
|
|
||||||
gen_policy(
|
|
||||||
module=sys.argv[1],
|
|
||||||
executable=sys.argv[2],
|
|
||||||
pidfile=pidfile,
|
|
||||||
logfile=logfile,
|
|
||||||
libfile=libfile,
|
|
||||||
initsc=initsc,
|
|
||||||
network=network
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.6.32
|
Version: 3.6.32
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -448,6 +448,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-11
|
||||||
|
- Allow users to exec restorecond
|
||||||
|
|
||||||
* Tue Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10
|
* Tue Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10
|
||||||
- Allow sendmail to request kernel modules load
|
- Allow sendmail to request kernel modules load
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user