trunk: 11 more cherry picks from fedora policy, by david hardeman.
This commit is contained in:
parent
b81bfc2651
commit
8a948caf2b
@ -3,7 +3,7 @@
|
||||
Carter.
|
||||
- Database labeled networking update from KaiGai Kohei.
|
||||
- Several misc changes from the Fedora policy, cherry picked by David
|
||||
Hrdeman.
|
||||
Hardeman.
|
||||
- Large whitespace fix from Dominick Grift.
|
||||
- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
|
||||
- Issuing commands to upstart is over a datagram socket, not the initctl
|
||||
|
@ -3,6 +3,7 @@
|
||||
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
|
||||
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
|
||||
/etc/amanda/.*/index(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
|
||||
|
||||
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amanda, 1.9.0)
|
||||
policy_module(amanda, 1.9.1)
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -82,8 +82,9 @@ allow amanda_t amanda_amandates_t:file { getattr lock read write };
|
||||
allow amanda_t amanda_config_t:file { getattr read };
|
||||
|
||||
# access to amandas data structure
|
||||
allow amanda_t amanda_data_t:dir { read search write };
|
||||
allow amanda_t amanda_data_t:file manage_file_perms;
|
||||
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
||||
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
||||
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
|
||||
|
||||
# access to amanda_dumpdates_t
|
||||
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
|
||||
@ -146,6 +147,8 @@ fs_getattr_xattr_fs(amanda_t)
|
||||
fs_list_all(amanda_t)
|
||||
|
||||
storage_raw_read_fixed_disk(amanda_t)
|
||||
storage_read_tape(amanda_t)
|
||||
storage_write_tape(amanda_t)
|
||||
|
||||
# Added for targeted policy
|
||||
term_use_unallocated_ttys(amanda_t)
|
||||
|
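Review bot: `storage_raw_read_fixed_disk(amanda_t)`, which this hunk appears to add beside the tape rules, lets the backup domain read block devices directly and therefore bypasses the per-file labels on whatever filesystems live on those devices; the hunk gives no reason for it. A one-line comment above the call naming the backup path that needs raw device reads (a dump-style program reading the device rather than the mounted tree, presumably) would let a later audit judge whether the grant still belongs and whether it should sit behind a tunable. The surrounding rule list continues outside the hunk.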
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(anaconda, 1.3.0)
|
||||
policy_module(anaconda, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -32,14 +32,8 @@ modutils_domtrans_insmod(anaconda_t)
|
||||
|
||||
seutil_domtrans_semanage(anaconda_t)
|
||||
|
||||
unconfined_domain(anaconda_t)
|
||||
|
||||
unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
|
||||
|
||||
optional_policy(`
|
||||
dmesg_domtrans(anaconda_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kudzu_domtrans(anaconda_t)
|
||||
')
|
||||
@ -57,6 +51,10 @@ optional_policy(`
|
||||
udev_domtrans(anaconda_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(anaconda_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
usermanage_domtrans_admin_passwd(anaconda_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kismet, 1.0.1)
|
||||
policy_module(kismet, 1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -25,7 +25,7 @@ logging_log_file(kismet_log_t)
|
||||
# kismet local policy
|
||||
#
|
||||
|
||||
allow kismet_t self:capability { net_admin setuid setgid };
|
||||
allow kismet_t self:capability { net_admin net_raw setuid setgid };
|
||||
allow kismet_t self:packet_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
||||
|
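Review bot: The `net_raw` capability added to the `allow kismet_t self:capability` line is what the `packet_socket create_socket_perms` rule directly below depends on, but nothing says so, and the two are easy to prune independently. A comment such as `# net_raw: required to create the packet_socket below` on the line above the capability rule ties them together. The rest of the kismet local policy lies outside the hunk.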
@ -68,6 +68,24 @@ interface(`netutils_exec',`
|
||||
can_exec($1, netutils_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to network utilities.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_signal',`
|
||||
gen_require(`
|
||||
type netutils_t;
|
||||
')
|
||||
|
||||
allow $1 netutils_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ping in the ping domain.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(netutils, 1.6.0)
|
||||
policy_module(netutils, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -63,4 +63,9 @@ interface(`usernetctl_run',`
|
||||
optional_policy(`
|
||||
modutils_run_insmod(usernetctl_t, $2, $3)
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
ppp_run(usernetctl_t,$2,$3)
|
||||
')
|
||||
')
|
||||
|
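Review bot: `ppp_run(usernetctl_t,$2,$3)` in the new optional_policy block omits the spaces after commas that the neighbouring `modutils_run_insmod(usernetctl_t, $2, $3)` call uses, and the block is preceded by two blank lines where the rest of the interface uses one. Suggest `ppp_run(usernetctl_t, $2, $3)` and dropping the extra blank line. The enclosing `usernetctl_run` interface starts outside the hunk.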
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usernetctl, 1.3.0)
|
||||
policy_module(usernetctl, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -49,15 +49,21 @@ files_read_usr_files(usernetctl_t)
|
||||
|
||||
fs_search_auto_mountpoints(usernetctl_t)
|
||||
|
||||
auth_use_nsswitch(usernetctl_t)
|
||||
|
||||
libs_use_ld_so(usernetctl_t)
|
||||
libs_use_shared_libs(usernetctl_t)
|
||||
|
||||
logging_send_syslog_msg(usernetctl_t)
|
||||
|
||||
miscfiles_read_localization(usernetctl_t)
|
||||
|
||||
seutil_read_config(usernetctl_t)
|
||||
|
||||
sysnet_read_config(usernetctl_t)
|
||||
|
||||
term_search_ptys(usernetctl_t)
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(usernetctl_t)
|
||||
')
|
||||
|
@ -13,6 +13,7 @@
|
||||
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
@ -48,6 +49,7 @@ ifdef(`distro_redhat', `
|
||||
/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
|
||||
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
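Review bot: The new `/dev/ubd[^/]*` entry (fixed_disk_device_t) overlaps the existing `/dev/ub[a-z][^/]+` entry (removable_device_t) for every /dev/ubd* node, so which label wins depends on file_contexts matching order rather than on either pattern alone; as I understand the matching rule, later entries win when the literal stems are equal, which is why the new line works, but nothing records that. A short comment beside it, `# keep after the /dev/ub[a-z] entry: ubd* is a fixed disk, not removable media`, protects the intended label from a future reordering. The `/dev/drbd[^/]*` line in the first hunk has no such overlap.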
@ -79,6 +79,26 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
|
||||
dontaudit $1 fixed_disk_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit the caller attempts to read from a fixed disk.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_dontaudit_raw_read_fixed_disk',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read;
|
||||
type fixed_disk_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
|
||||
dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to directly read from a fixed disk.
|
||||
|
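Review bot: `attribute fixed_disk_raw_read;` in the new `storage_dontaudit_raw_read_fixed_disk` gen_require is never used by the interface body — both dontaudit rules reference only `fixed_disk_device_t` — so it is an unneeded requirement and should be dropped. The summary `dontaudit the caller attempts to read from a fixed disk.` reads awkwardly next to the neighbouring interfaces; `Do not audit attempts by the caller to read from a fixed disk.` matches their phrasing.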
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(storage, 1.6.0)
|
||||
policy_module(storage, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(fetchmail, 1.6.0)
|
||||
policy_module(fetchmail, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -14,7 +14,7 @@ type fetchmail_var_run_t;
|
||||
files_pid_file(fetchmail_var_run_t)
|
||||
|
||||
type fetchmail_etc_t;
|
||||
files_type(fetchmail_etc_t)
|
||||
files_config_file(fetchmail_etc_t)
|
||||
|
||||
type fetchmail_uidl_cache_t;
|
||||
files_type(fetchmail_uidl_cache_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(oav, 1.6.0)
|
||||
policy_module(oav, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -12,7 +12,7 @@ application_domain(oav_update_t, oav_update_exec_t)
|
||||
|
||||
# cjp: may be collapsable to etc_t
|
||||
type oav_update_etc_t;
|
||||
files_type(oav_update_etc_t)
|
||||
files_config_file(oav_update_etc_t)
|
||||
|
||||
type oav_update_var_lib_t;
|
||||
files_type(oav_update_var_lib_t)
|
||||
@ -22,7 +22,7 @@ type scannerdaemon_exec_t;
|
||||
init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
|
||||
|
||||
type scannerdaemon_etc_t;
|
||||
files_type(scannerdaemon_etc_t)
|
||||
files_config_file(scannerdaemon_etc_t)
|
||||
|
||||
type scannerdaemon_log_t;
|
||||
logging_log_file(scannerdaemon_log_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ricci, 1.3.0)
|
||||
policy_module(ricci, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -443,6 +443,7 @@ kernel_read_system_state(ricci_modstorage_t)
|
||||
create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
|
||||
files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
|
||||
|
||||
corecmd_exec_shell(ricci_modstorage_t)
|
||||
corecmd_exec_bin(ricci_modstorage_t)
|
||||
|
||||
dev_read_sysfs(ricci_modstorage_t)
|
||||
|
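Review bot: `corecmd_exec_shell(ricci_modstorage_t)`, which this hunk appears to add, lets the storage module run a shell in its own domain without a transition, and nothing in the hunk says which helper or script requires it. A comment on the line above naming that helper would make the grant auditable later and would show whether it is still needed once that helper changes. The surrounding rule list continues beyond the hunk.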
@ -1,2 +1,6 @@
|
||||
|
||||
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
|
||||
|
||||
/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||
|
||||
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||
|
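Review bot: `/var/run/rsyncd\.lock` is labeled `rsync_log_t` on the new last line, which files a runtime lock under the log type; the module already declares `rsync_var_run_t` through files_pid_file (visible in the rsync.te hunk header `@ -42,7 +45,7 @@ files_pid_file(rsync_var_run_t)`), and that is the type a file under /var/run should carry. Suggest `/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)`. As written, the lock file is reachable through whatever log-reading grants exist rather than through the pid-file rules, which looks accidental rather than deliberate.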
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rsync, 1.6.0)
|
||||
policy_module(rsync, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -31,6 +31,9 @@ role system_r types rsync_t;
|
||||
type rsync_data_t;
|
||||
files_type(rsync_data_t)
|
||||
|
||||
type rsync_log_t;
|
||||
logging_log_file(rsync_log_t)
|
||||
|
||||
type rsync_tmp_t;
|
||||
files_tmp_file(rsync_tmp_t)
|
||||
|
||||
@ -42,7 +45,7 @@ files_pid_file(rsync_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow rsync_t self:capability sys_chroot;
|
||||
allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
|
||||
allow rsync_t self:process signal_perms;
|
||||
allow rsync_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rsync_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -52,7 +55,6 @@ allow rsync_t self:udp_socket connected_socket_perms;
|
||||
# cjp: this should probably only be inetd_child_t rules?
|
||||
# search home and kerberos also.
|
||||
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow rsync_t self:capability { setuid setgid };
|
||||
#end for identd
|
||||
|
||||
allow rsync_t rsync_data_t:dir list_dir_perms;
|
||||
@ -95,7 +97,8 @@ libs_use_ld_so(rsync_t)
|
||||
libs_use_shared_libs(rsync_t)
|
||||
|
||||
logging_send_syslog_msg(rsync_t)
|
||||
logging_dontaudit_search_logs(rsync_t)
|
||||
manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
|
||||
logging_log_filetrans(rsync_t,rsync_log_t,file)
|
||||
|
||||
miscfiles_read_localization(rsync_t)
|
||||
miscfiles_read_public_files(rsync_t)
|
||||
@ -117,7 +120,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
tunable_policy(`rsync_export_all_ro',`
|
||||
allow rsync_t self:capability dac_override;
|
||||
fs_read_noxattr_fs_files(rsync_t)
|
||||
auth_read_all_files_except_shadow(rsync_t)
|
||||
')
|
||||
|
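Review bot: The capability line becomes `allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };` while the `allow rsync_t self:capability dac_override;` inside `tunable_policy(`rsync_export_all_ro',` in the last hunk is dropped, so dac_override (and dac_read_search) are now granted unconditionally and the boolean no longer gates DAC bypass — it only gates the two read interfaces left in it. If the intent is still that rsync may bypass DAC only when exporting everything read-only, the dac_* capabilities belong back inside the tunable; if unconditional access is genuinely required (the chroot and setuid handling may need it, I cannot tell from here), the reason should be stated in a comment above the rule. Separately, `manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)` and `logging_log_filetrans(rsync_t,rsync_log_t,file)` omit the spaces after commas used elsewhere in this file.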
@ -1 +1,25 @@
|
||||
## <summary>SSL Tunneling Proxy</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Define the specified domain as a stunnel inetd service.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type associated with the stunnel inetd service process.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entrypoint">
|
||||
## <summary>
|
||||
## The type associated with the process program.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`stunnel_service_domain',`
|
||||
gen_require(`
|
||||
type stunnel_t;
|
||||
')
|
||||
|
||||
domtrans_pattern(stunnel_t,$2,$1)
|
||||
allow $1 stunnel_t:tcp_socket rw_socket_perms;
|
||||
')
|
||||
|
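Review bot: `domtrans_pattern(stunnel_t,$2,$1)` in the new `stunnel_service_domain` interface omits the spaces after commas used by the surrounding refpolicy style; write `domtrans_pattern(stunnel_t, $2, $1)`. The `<param name="entrypoint">` summary, `The type associated with the process program.`, does not say what the argument does; `The executable type that stunnel runs to transition into the service domain.` describes the role it plays in the domtrans_pattern call.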
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(stunnel, 1.6.0)
|
||||
policy_module(stunnel, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -20,7 +20,7 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
type stunnel_etc_t;
|
||||
files_type(stunnel_etc_t)
|
||||
files_config_file(stunnel_etc_t)
|
||||
|
||||
type stunnel_tmp_t;
|
||||
files_tmp_file(stunnel_tmp_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hotplug, 1.9.0)
|
||||
policy_module(hotplug, 1.9.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -121,6 +121,7 @@ ifdef(`distro_redhat', `
|
||||
optional_policy(`
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(hotplug_t)
|
||||
netutils_signal(hotplug_t)
|
||||
fs_rw_tmpfs_chr_files(hotplug_t)
|
||||
')
|
||||
files_getattr_generic_locks(hotplug_t)
|
||||
|