patch from dan Tue, 18 Apr 2006 23:16:15 -0400
parent
5d03fc244b
commit
85a0f96798
@ -208,7 +208,7 @@ enableaudit: $(BASE_CONF)
|
||||
#
|
||||
$(APPDIR)/customizable_types: $(BASE_CONF)
|
||||
@mkdir -p $(APPDIR)
|
||||
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
|
||||
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
|
||||
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
|
||||
|
||||
########################################
|
||||
|
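Review bot: The added `cut -d';' -f1` stage removes the trailing semicolon on single-attribute declarations, but `$(GREP) '^[[:blank:]]*type .*customizable'` still classifies any `type` line that merely contains the word, such as a type name like foo_customizable_t or a trailing comment, as customizable, and because the pipeline's status is that of `$(SORT)`, a failing grep yields an empty list that the next line installs anyway. Matching the attribute as a delimited word tightens it: `$(GREP) '^[[:blank:]]*type .*[,[:blank:]]customizable[[:blank:]]*[,;]'`. The second Makefile hunk at -230 builds the same pipeline for the other configuration and needs the same change. If this list is what decides which types are left alone on relabel, a false positive silently excludes a type from relabeling, so the match deserves to be strict.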
@ -230,7 +230,7 @@ $(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC)
|
||||
#
|
||||
$(APPDIR)/customizable_types: $(POLICY_CONF)
|
||||
@mkdir -p $(APPDIR)
|
||||
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
|
||||
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
|
||||
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
|
||||
|
||||
########################################
|
||||
|
@ -35,7 +35,8 @@
|
||||
/usr/share/hplip/hpssd.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
|
||||
|
||||
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/var/cache/foomatic(/.*)? -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
|
||||
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||
|
@ -126,6 +126,7 @@ miscfiles_read_public_files(ftpd_t)
|
||||
seutil_dontaudit_search_config(ftpd_t)
|
||||
|
||||
sysnet_read_config(ftpd_t)
|
||||
sysnet_use_ldap(ftpd_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
||||
|
@ -315,6 +315,7 @@ files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(postfix_map_t)
|
||||
kernel_dontaudit_list_proc(postfix_map_t)
|
||||
kernel_dontaudit_read_system_state(postfix_map_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(postfix_map_t)
|
||||
corenet_udp_sendrecv_all_if(postfix_map_t)
|
||||
@ -358,8 +359,7 @@ seutil_read_config(postfix_map_t)
|
||||
sysnet_read_config(postfix_map_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# FIXME: would be better to use a run interface
|
||||
role system_r types postfix_map_t;
|
||||
term_dontaudit_use_generic_ptys(postfix_map_t)
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
|
@ -113,10 +113,12 @@ interface(`postgresql_tcp_connect',`
|
||||
#
|
||||
interface(`postgresql_stream_connect',`
|
||||
gen_require(`
|
||||
type postgresql_t, postgresql_var_run_t;
|
||||
type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 postgresql_t:unix_stream_socket connectto;
|
||||
allow $1 postgresql_var_run_t:sock_file write;
|
||||
# Some versions of postgresql put the sock file in /tmp
|
||||
allow $1 postgresql_tmp_t:sock_file write;
|
||||
')
|
||||
|
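Review bot: The new `allow $1 postgresql_tmp_t:sock_file write;` covers the /tmp socket location, but unlike the var_run case, which is paired with `files_search_pids($1)` two lines above, nothing here grants the caller search on the tmp directory, so a caller that lacks it is still denied at the directory rather than at the socket; adding `files_search_tmp($1)` beside the new rule keeps the interface self-sufficient, assuming most callers do not already have it. The gen_require now pulls postgresql_tmp_t into every caller, so the interface header (outside the hunk) should say that it covers both socket locations.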
@ -50,6 +50,7 @@ corenet_tcp_sendrecv_all_ports(privoxy_t)
|
||||
corenet_non_ipsec_sendrecv(privoxy_t)
|
||||
corenet_tcp_bind_http_cache_port(privoxy_t)
|
||||
corenet_tcp_connect_http_port(privoxy_t)
|
||||
corenet_tcp_connect_http_cache_port(privoxy_t)
|
||||
corenet_tcp_connect_ftp_port(privoxy_t)
|
||||
corenet_tcp_connect_tor_port(privoxy_t)
|
||||
|
||||
|
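Review bot: `corenet_tcp_connect_tor_port(privoxy_t)` is added unconditionally and without a comment, while the neighbouring http, http-cache and ftp connect rules are self-explanatory for an HTTP proxy; a one-line reason such as `# forward filtered requests to a local tor listener` would tell the next reader why this domain needs the tor port and whether the rule could be made conditional instead of always on.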
@ -160,6 +160,7 @@ optional_policy(`
|
||||
corenet_non_ipsec_sendrecv(samba_net_t)
|
||||
corenet_tcp_bind_all_nodes(samba_net_t)
|
||||
sysnet_read_config(samba_net_t)
|
||||
corenet_tcp_connect_ldap_port(samba_net_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
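Review bot: `corenet_tcp_connect_ldap_port(samba_net_t)` appears to be the added line (the hunk grows from 6 to 7 lines), and it is placed after `sysnet_read_config(samba_net_t)` rather than with the other corenet rules directly above it; moving it up beside `corenet_tcp_bind_all_nodes(samba_net_t)` keeps the block grouped by interface prefix like the rest of the file. The enclosing optional_policy block starts outside the hunk.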
@ -269,6 +270,7 @@ files_list_mnt(smbd_t)
|
||||
|
||||
init_use_fds(smbd_t)
|
||||
init_use_script_ptys(smbd_t)
|
||||
init_rw_utmp(smbd_t)
|
||||
|
||||
libs_use_ld_so(smbd_t)
|
||||
libs_use_shared_libs(smbd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
||||
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
||||
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
||||
|
||||
|
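Review bot: Relabeling `/usr/bin/sa-learn` from spamd_exec_t to spamc_exec_t changes the domain sa-learn runs in for every caller that transitions on that type, so it now runs wherever spamc_exec_t leads instead of in the spamd domain; since sa-learn presumably writes the Bayes database that the spamd rules were granting access to, confirm the spamc-side domain has equivalent write access or training will fail with denials. A comment on the line, e.g. `# sa-learn is a client-side tool; run it in the spamc domain`, would record the intent in the fc file.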
@ -173,9 +173,13 @@ dev_getattr_video_dev(pam_console_t)
|
||||
dev_setattr_video_dev(pam_console_t)
|
||||
dev_getattr_xserver_misc_dev(pam_console_t)
|
||||
dev_setattr_xserver_misc_dev(pam_console_t)
|
||||
dev_read_urand(pam_console_t)
|
||||
|
||||
fs_search_auto_mountpoints(pam_console_t)
|
||||
|
||||
mls_file_read_up(pam_console_t)
|
||||
mls_file_write_down(pam_console_t)
|
||||
|
||||
storage_getattr_fixed_disk_dev(pam_console_t)
|
||||
storage_setattr_fixed_disk_dev(pam_console_t)
|
||||
storage_getattr_removable_dev(pam_console_t)
|
||||
@ -206,8 +210,8 @@ libs_use_shared_libs(pam_console_t)
|
||||
|
||||
logging_send_syslog_msg(pam_console_t)
|
||||
|
||||
mls_file_read_up(pam_console_t)
|
||||
mls_file_write_down(pam_console_t)
|
||||
miscfiles_read_localization(pam_console_t)
|
||||
miscfiles_read_certs(pam_console_t)
|
||||
|
||||
seutil_read_file_contexts(pam_console_t)
|
||||
|
||||
|
@ -83,12 +83,14 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/vmware(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
|
||||
/usr/NX/lib/libXcomp.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/NX/lib/libjpeg.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
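Review bot: Several entries in this hunk leave the dot before `so` unescaped while their neighbours escape it: `/usr/NX/lib/libXcomp.so.*` and `/usr/NX/lib/libjpeg.so.*` here, and `HConfig.so` and `libdeploy.so(\.[^/]*)*` in the -189 hunk, so `.so` matches any character before `so`. textrel_shlib_t, judging by its name, is the label that relaxes text-relocation restrictions, so these patterns should be as tight as `/usr/(local/)?lib/libfame-.*\.so.*` beside them: `/usr/NX/lib/libXcomp\.so.*`, `/usr/NX/lib/libjpeg\.so.*`, `/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so`. Which of these lines the commit adds and which it only moves is not recoverable from the rendering, so some may be pre-existing.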
@ -189,6 +191,8 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
|
||||
|
||||
# vmware
|
||||
/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
# Java, Sun Microsystems (JPackage SRPM)
|
||||
/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
@ -113,3 +113,29 @@ interface(`mount_send_nfs_client_request',`
|
||||
allow $1 mount_t:udp_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute mount in the unconfined mount domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mount_domtrans_unconfined',`
|
||||
ifdef(`targeted_policy',`
|
||||
gen_require(`
|
||||
type unconfined_mount_t, mount_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
|
||||
|
||||
allow $1 unconfined_mount_t:fd use;
|
||||
allow unconfined_mount_t $1:fd use;
|
||||
allow unconfined_mount_t $1:fifo_file rw_file_perms;
|
||||
allow unconfined_mount_t $1:process sigchld;
|
||||
',`
|
||||
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
|
||||
')
|
||||
')
|
||||
|
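Review bot: `mount_domtrans_unconfined` is documented only as "Execute mount in the unconfined mount domain", yet it is a no-op in strict policy (only an errprint at expansion time) and in targeted policy it hands the caller a transition into unconfined_mount_t, which the mount.te change in this commit makes an unconfined domain; both facts belong in the header so a caller understands this is a path out of confinement. A desc paragraph such as "Targeted policy only: the resulting domain is unconfined. In strict policy this interface does nothing and prints a build warning." would cover it. Placing the gen_require inside the ifdef is consistent with the no-op branch, but it also means the requirement on mount_exec_t is never checked in strict builds, which is worth stating in the same paragraph.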
@ -14,6 +14,12 @@ role system_r types mount_t;
|
||||
type mount_tmp_t;
|
||||
files_tmp_file(mount_tmp_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
type unconfined_mount_t;
|
||||
domain_type(unconfined_mount_t)
|
||||
domain_entry_file(unconfined_mount_t,mount_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# mount local policy
|
||||
@ -151,3 +157,13 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
samba_domtrans_smbmount(mount_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined mount local policy
|
||||
#
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
files_manage_etc_runtime_files(unconfined_mount_t)
|
||||
unconfined_domain(unconfined_mount_t)
|
||||
')
|
||||
|
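Review bot: `files_manage_etc_runtime_files(unconfined_mount_t)` sits directly above `unconfined_domain(unconfined_mount_t)`; if unconfined_domain grants the domain full access, as its name suggests, the explicit etc_runtime rule is redundant, and if it is there for a reason the unconfined rules do not cover, a comment saying so would stop the next reader from removing it. The section header says only "Unconfined mount local policy"; a line such as `# mount run from unconfined_t in targeted policy; entered via mount_domtrans_unconfined()` would tie this block to the interface added in mount.if.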
@ -36,7 +36,10 @@ ifdef(`targeted_policy',`
|
||||
|
||||
logging_domtrans_auditctl(unconfined_t)
|
||||
|
||||
mount_domtrans_unconfined(unconfined_t)
|
||||
|
||||
seutil_domtrans_restorecon(unconfined_t)
|
||||
seutil_domtrans_semanage(unconfined_t)
|
||||
|
||||
userdom_unconfined(unconfined_t)
|
||||
userdom_priveleged_home_dir_manager(unconfined_t)
|
||||
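Review bot: `mount_domtrans_unconfined(unconfined_t)` is called directly inside the targeted block, whereas the cross-module transitions elsewhere in this file, such as `sysnet_domtrans_dhcpc(unconfined_t)` in the second hunk, are wrapped in an optional_policy block; if the mount module can be omitted from a build, the bare call would leave an undefined macro behind, so wrapping it the same way keeps this module self-contained unless mount is guaranteed to be in base. The practical effect is that mount launched from unconfined_t is no longer confined in targeted policy, which a comment on the line, e.g. `# mount run from unconfined_t stays unconfined`, should record. `seutil_domtrans_semanage(unconfined_t)` is also now unconditional here after being removed from its optional_policy block in the -139 hunk; that is fine if seutil is always built, which the hunk does not show.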
@ -139,10 +142,6 @@ ifdef(`targeted_policy',`
|
||||
sendmail_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_domtrans_semanage(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sysnet_domtrans_dhcpc(unconfined_t)
|
||||
')
|
||||
|