move constraints interfaces to domain module. move sysfs and usbfs to
devices module
This commit is contained in:
Chris PeBenito
parent
8ae194f629
commit
8bd6789954
@ -22,7 +22,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
|
||||
allow dmesg_t self:process signal_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(dmesg_t)
|
||||
kernel_read_hardware_state(dmesg_t)
|
||||
dev_read_sysfs(dmesg_t)
|
||||
kernel_read_ring_buffer(dmesg_t)
|
||||
kernel_clear_ring_buffer(dmesg_t)
|
||||
kernel_change_ring_buffer_level(dmesg_t)
|
||||
|
||||
@ -9,7 +9,7 @@ policy_module(rpm,1.0)
|
||||
type rpm_t; #, admin, privmem, priv_system_role;
|
||||
type rpm_exec_t;
|
||||
init_system_domain(rpm_t,rpm_exec_t)
|
||||
kernel_obj_id_change_exempt(rpm_t)
|
||||
domain_obj_id_change_exempt(rpm_t)
|
||||
domain_wide_inherit_fd(rpm_t)
|
||||
role system_r types rpm_t;
|
||||
|
||||
@ -31,7 +31,7 @@ typealias rpm_var_lib_t alias var_lib_rpm_t;
|
||||
|
||||
type rpm_script_t; #, admin, privmem, priv_system_role;
|
||||
type rpm_script_exec_t;
|
||||
kernel_obj_id_change_exempt(rpm_script_t)
|
||||
domain_obj_id_change_exempt(rpm_script_t)
|
||||
corecmd_shell_entry_type(rpm_script_t)
|
||||
domain_type(rpm_script_t)
|
||||
domain_entry_file(rpm_t,rpm_script_t)
|
||||
|
||||
@ -10,7 +10,7 @@ type admin_passwd_exec_t;
|
||||
files_file_type(admin_passwd_exec_t)
|
||||
|
||||
type chfn_t;
|
||||
kernel_obj_id_change_exempt(chfn_t)
|
||||
domain_obj_id_change_exempt(chfn_t)
|
||||
domain_type(chfn_t)
|
||||
role system_r types chfn_t;
|
||||
|
||||
@ -31,12 +31,12 @@ files_tmp_file(crack_tmp_t)
|
||||
|
||||
type groupadd_t; #, nscd_client_domain;
|
||||
type groupadd_exec_t;
|
||||
kernel_obj_id_change_exempt(groupadd_t)
|
||||
domain_obj_id_change_exempt(groupadd_t)
|
||||
init_system_domain(groupadd_t,groupadd_exec_t)
|
||||
role system_r types groupadd_t;
|
||||
|
||||
type passwd_t;
|
||||
kernel_obj_id_change_exempt(passwd_t)
|
||||
domain_obj_id_change_exempt(passwd_t)
|
||||
domain_type(passwd_t)
|
||||
role system_r types passwd_t;
|
||||
|
||||
@ -44,7 +44,7 @@ type passwd_exec_t;
|
||||
domain_entry_file(passwd_t,passwd_exec_t)
|
||||
|
||||
type sysadm_passwd_t;
|
||||
kernel_obj_id_change_exempt(sysadm_passwd_t)
|
||||
domain_obj_id_change_exempt(sysadm_passwd_t)
|
||||
domain_type(sysadm_passwd_t)
|
||||
domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
|
||||
|
||||
@ -53,7 +53,7 @@ files_file_type(sysadm_passwd_tmp_t)
|
||||
|
||||
type useradd_t; # nscd_client_domain;
|
||||
type useradd_exec_t;
|
||||
kernel_obj_id_change_exempt(useradd_t)
|
||||
domain_obj_id_change_exempt(useradd_t)
|
||||
init_system_domain(useradd_t,useradd_exec_t)
|
||||
role system_r types useradd_t;
|
||||
|
||||
|
||||
@ -1621,4 +1621,177 @@ define(`dev_rw_power_management_depend',`
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="dev_search_sysfs">
|
||||
## <description>
|
||||
## Search the directory containing hardware information.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`dev_search_sysfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 sysfs_t:dir search;
|
||||
')
|
||||
|
||||
define(`dev_search_sysfs_depend',`
|
||||
type sysfs_t;
|
||||
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="dev_read_sysfs">
|
||||
## <description>
|
||||
## Allow caller to read hardware state information.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type reading hardware state information.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`dev_read_sysfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 sysfs_t:dir r_dir_perms;
|
||||
allow $1 sysfs_t:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
define(`dev_read_sysfs_depend',`
|
||||
type sysfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="dev_rw_sysfs">
|
||||
## <description>
|
||||
## Allow caller to modify hardware state information.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type modifying hardware state information.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`dev_rw_sysfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 sysfs_t:dir r_dir_perms;
|
||||
allow $1 sysfs_t:lnk_file r_file_perms;
|
||||
allow $1 sysfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`dev_rw_sysfs_depend',`
|
||||
type sysfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file rw_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="dev_search_usbfs">
|
||||
## <description>
|
||||
## Search the directory containing USB hardware information.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`dev_search_usbfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 usbfs_t:dir search;
|
||||
')
|
||||
|
||||
define(`dev_search_usbfs_depend',`
|
||||
type usbfs_t;
|
||||
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="dev_list_usbfs">
|
||||
## <description>
|
||||
## Allow caller to get a list of usb hardware.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type getting the list.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`dev_list_usbfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
allow $1 usbfs_t:lnk_file r_file_perms;
|
||||
allow $1 usbfs_t:file getattr;
|
||||
')
|
||||
|
||||
define(`dev_list_usbfs_depend',`
|
||||
type usbfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file getattr;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="dev_read_usbfs">
|
||||
## <description>
|
||||
## Read USB hardware information using
|
||||
## the usbfs filesystem interface.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`dev_read_usbfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
allow $1 usbfs_t:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
define(`dev_read_usbfs_depend',`
|
||||
type usbfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="dev_rw_usbfs">
|
||||
## <description>
|
||||
## Allow caller to modify usb hardware configuration files.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type modifying the options.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`dev_rw_usbfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
allow $1 usbfs_t:lnk_file r_file_perms;
|
||||
allow $1 usbfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`dev_rw_usbfs_depend',`
|
||||
type usbfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file rw_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
||||
@ -143,6 +143,14 @@ type sound_device_t, device_node;
|
||||
fs_associate(sound_device_t)
|
||||
fs_associate_tmpfs(sound_device_t)
|
||||
|
||||
#
|
||||
# sysfs_t is the type for the /sys pseudofs
|
||||
#
|
||||
type sysfs_t;
|
||||
files_mountpoint(sysfs_t)
|
||||
fs_make_fs(sysfs_t)
|
||||
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
|
||||
|
||||
#
|
||||
# urandom_device_t is the type of /dev/urandom
|
||||
#
|
||||
@ -150,6 +158,15 @@ type urandom_device_t, device_node;
|
||||
fs_associate(urandom_device_t)
|
||||
fs_associate_tmpfs(urandom_device_t)
|
||||
|
||||
#
|
||||
# usbfs_t is the type for the /proc/bus/usb pseudofs
|
||||
#
|
||||
type usbfs_t alias usbdevfs_t;
|
||||
files_mountpoint(usbfs_t)
|
||||
fs_make_noxattr_fs(usbfs_t)
|
||||
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||
|
||||
type v4l_device_t, device_node;
|
||||
fs_associate(v4l_device_t)
|
||||
fs_associate_tmpfs(v4l_device_t)
|
||||
|
||||
@ -129,69 +129,6 @@ define(`kernel_dontaudit_use_fd_depend',`
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_subj_id_change_exempt">
|
||||
## <description>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing of user identity.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_subj_id_change_exempt',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
typeattribute $1 can_change_process_identity;
|
||||
')
|
||||
|
||||
define(`kernel_subj_id_change_exempt_depend',`
|
||||
attribute can_change_process_identity;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_role_change_exempt">
|
||||
## <description>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing of role.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_role_change_exempt',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
typeattribute $1 can_change_process_role;
|
||||
')
|
||||
|
||||
define(`kernel_role_change_exempt_depend',`
|
||||
attribute can_change_process_role;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_obj_id_change_exempt">
|
||||
## <description>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing the user identity in object contexts.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_obj_id_change_exempt',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
typeattribute $1 can_change_object_identity;
|
||||
')
|
||||
|
||||
define(`kernel_obj_id_change_exempt_depend',`
|
||||
attribute can_change_object_identity;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_load_module">
|
||||
## <description>
|
||||
@ -1457,79 +1394,6 @@ define(`kernel_rw_all_sysctl',`
|
||||
kernel_rw_rpc_sysctl($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_search_sysfs">
|
||||
## <description>
|
||||
## Search the directory containing hardware information.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_search_sysfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 sysfs_t:dir search;
|
||||
')
|
||||
|
||||
define(`kernel_search_sysfs_depend',`
|
||||
type sysfs_t;
|
||||
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_read_hardware_state">
|
||||
## <description>
|
||||
## Allow caller to read hardware state information.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type reading hardware state information.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_read_hardware_state',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 sysfs_t:dir r_dir_perms;
|
||||
allow $1 sysfs_t:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
define(`kernel_read_hardware_state_depend',`
|
||||
type sysfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_rw_hardware_config_option">
|
||||
## <description>
|
||||
## Allow caller to modify hardware state information.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type modifying hardware state information.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_rw_hardware_config_option',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 sysfs_t:dir r_dir_perms;
|
||||
allow $1 sysfs_t:lnk_file r_file_perms;
|
||||
allow $1 sysfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`kernel_rw_hardware_config_option_depend',`
|
||||
type sysfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file rw_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_kill_unlabeled">
|
||||
## <description>
|
||||
@ -1691,104 +1555,4 @@ define(`kernel_relabel_unlabeled_depend',`
|
||||
class blk_file { getattr relabelfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_search_usbfs">
|
||||
## <description>
|
||||
## Search the directory containing USB hardware information.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_search_usbfs',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 usbfs_t:dir search;
|
||||
')
|
||||
|
||||
define(`kernel_search_usbfs_depend',`
|
||||
type usbfs_t;
|
||||
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_list_usb_hardware">
|
||||
## <description>
|
||||
## Allow caller to get a list of usb hardware.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type getting the list.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_list_usb_hardware',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
allow $1 usbfs_t:lnk_file r_file_perms;
|
||||
allow $1 usbfs_t:file getattr;
|
||||
')
|
||||
|
||||
define(`kernel_list_usb_hardware_depend',`
|
||||
type usbfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file getattr;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_read_usb_hardware_state">
|
||||
## <description>
|
||||
## Read USB hardware information using
|
||||
## the usbfs filesystem interface.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_read_usb_hardware_state',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
allow $1 usbfs_t:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
define(`kernel_read_usb_hardware_state_depend',`
|
||||
type usbfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_rw_usb_hardware_config_option">
|
||||
## <description>
|
||||
## Allow caller to modify usb hardware configuration files.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type modifying the options.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_rw_usb_hardware_config_option',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 usbfs_t:dir r_dir_perms;
|
||||
allow $1 usbfs_t:lnk_file r_file_perms;
|
||||
allow $1 usbfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`kernel_rw_usb_hardware_config_option_depend',`
|
||||
type usbfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file rw_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
||||
@ -8,11 +8,6 @@ attribute can_setsecparam;
|
||||
attribute can_load_kernmodule;
|
||||
attribute can_receive_kernel_messages;
|
||||
|
||||
# constraint related attributes
|
||||
attribute can_change_process_identity;
|
||||
attribute can_change_process_role;
|
||||
attribute can_change_object_identity;
|
||||
|
||||
#
|
||||
# kernel_t is the domain of kernel threads.
|
||||
# It is also the target type when checking permissions in the system class.
|
||||
@ -59,14 +54,6 @@ fs_make_fs(security_t)
|
||||
sid security context_template(system_u:object_r:security_t,s0)
|
||||
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
|
||||
|
||||
#
|
||||
# sysfs_t is the type for /sys
|
||||
#
|
||||
type sysfs_t;
|
||||
files_mountpoint(sysfs_t)
|
||||
fs_make_fs(sysfs_t)
|
||||
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
|
||||
|
||||
#
|
||||
# Procfs types
|
||||
#
|
||||
@ -144,15 +131,6 @@ genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0)
|
||||
type sysctl_dev_t;
|
||||
genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
|
||||
|
||||
#
|
||||
# usbfs_t is the type for /proc/bus/usb
|
||||
#
|
||||
type usbfs_t alias usbdevfs_t;
|
||||
files_mountpoint(usbfs_t)
|
||||
fs_make_noxattr_fs(usbfs_t)
|
||||
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel local policy
|
||||
|
||||
@ -76,7 +76,7 @@ allow crond_t system_cron_spool_t:dir r_dir_perms;
|
||||
allow crond_t system_cron_spool_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(crond_t)
|
||||
kernel_read_hardware_state(crond_t)
|
||||
dev_read_sysfs(crond_t)
|
||||
kernel_get_selinuxfs_mount_point(crond_t)
|
||||
kernel_validate_context(crond_t)
|
||||
kernel_compute_access_vector(crond_t)
|
||||
|
||||
@ -7,9 +7,9 @@ policy_module(authlogin,1.0)
|
||||
#
|
||||
|
||||
type remote_login_t; #, nscd_client_domain;
|
||||
kernel_obj_id_change_exempt(remote_login_t)
|
||||
kernel_subj_id_change_exempt(remote_login_t)
|
||||
kernel_role_change_exempt(remote_login_t)
|
||||
domain_obj_id_change_exempt(remote_login_t)
|
||||
domain_subj_id_change_exempt(remote_login_t)
|
||||
domain_role_change_exempt(remote_login_t)
|
||||
domain_type(remote_login_t)
|
||||
domain_wide_inherit_fd(remote_login_t)
|
||||
auth_login_entry_type(remote_login_t)
|
||||
|
||||
@ -40,7 +40,7 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
|
||||
files_create_pid(sendmail_t,sendmail_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(sendmail_t)
|
||||
kernel_read_hardware_state(sendmail_t)
|
||||
dev_read_sysfs(sendmail_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(sendmail_t)
|
||||
corenet_raw_sendrecv_all_if(sendmail_t)
|
||||
|
||||
@ -138,7 +138,7 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(pam_console_t)
|
||||
kernel_read_system_state(pam_console_t)
|
||||
kernel_read_hardware_state(pam_console_t)
|
||||
dev_read_sysfs(pam_console_t)
|
||||
kernel_use_fd(pam_console_t)
|
||||
|
||||
# Allow to set attributes on /dev entries
|
||||
|
||||
@ -30,7 +30,7 @@ dontaudit hwclock_t self:capability sys_tty_config;
|
||||
allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
|
||||
|
||||
kernel_read_kernel_sysctl(hwclock_t)
|
||||
kernel_read_hardware_state(hwclock_t)
|
||||
dev_read_sysfs(hwclock_t)
|
||||
|
||||
dev_rw_realtime_clock(hwclock_t)
|
||||
|
||||
|
||||
@ -85,6 +85,69 @@ define(`domain_wide_inherit_fd_depend',`
|
||||
attribute privfd;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_subj_id_change_exempt">
|
||||
## <description>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing of user identity.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`domain_subj_id_change_exempt',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
typeattribute $1 can_change_process_identity;
|
||||
')
|
||||
|
||||
define(`domain_subj_id_change_exempt_depend',`
|
||||
attribute can_change_process_identity;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_role_change_exempt">
|
||||
## <description>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing of role.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`domain_role_change_exempt',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
typeattribute $1 can_change_process_role;
|
||||
')
|
||||
|
||||
define(`domain_role_change_exempt_depend',`
|
||||
attribute can_change_process_role;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_obj_id_change_exempt">
|
||||
## <description>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing the user identity in object contexts.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`domain_obj_id_change_exempt',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
typeattribute $1 can_change_object_identity;
|
||||
')
|
||||
|
||||
define(`domain_obj_id_change_exempt_depend',`
|
||||
attribute can_change_object_identity;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_use_wide_inherit_fd(domain)
|
||||
|
||||
@ -10,6 +10,11 @@ attribute entry_type;
|
||||
# widely-inheritable file descriptors
|
||||
attribute privfd;
|
||||
|
||||
# constraint related attributes
|
||||
attribute can_change_process_identity;
|
||||
attribute can_change_process_role;
|
||||
attribute can_change_object_identity;
|
||||
|
||||
neverallow domain ~domain:process { transition dyntransition };
|
||||
|
||||
# enabling setcurrent breaks process tranquility. If you do not
|
||||
|
||||
@ -42,7 +42,7 @@ files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
|
||||
|
||||
allow getty_t getty_log_t:file { getattr append setattr };
|
||||
|
||||
kernel_read_hardware_state(getty_t)
|
||||
dev_read_sysfs(getty_t)
|
||||
|
||||
# for error condition handling
|
||||
fs_getattr_xattr_fs(getty_t)
|
||||
|
||||
@ -26,7 +26,7 @@ dontaudit hostname_t self:capability sys_tty_config;
|
||||
sysnet_read_config(hostname_t)
|
||||
|
||||
kernel_read_kernel_sysctl(hostname_t)
|
||||
kernel_read_hardware_state(hostname_t)
|
||||
dev_read_sysfs(hostname_t)
|
||||
kernel_dontaudit_use_fd(hostname_t)
|
||||
|
||||
fs_getattr_xattr_fs(hostname_t)
|
||||
|
||||
@ -45,9 +45,9 @@ files_create_pid(hotplug_t,hotplug_var_run_t)
|
||||
|
||||
kernel_read_system_state(hotplug_t)
|
||||
kernel_read_kernel_sysctl(hotplug_t)
|
||||
kernel_read_hardware_state(hotplug_t)
|
||||
dev_read_sysfs(hotplug_t)
|
||||
kernel_read_net_sysctl(hotplug_t)
|
||||
kernel_read_usb_hardware_state(hotplug_t)
|
||||
dev_read_usbfs(hotplug_t)
|
||||
|
||||
bootloader_read_kernel_modules(hotplug_t)
|
||||
|
||||
|
||||
@ -90,7 +90,7 @@ domain_auto_trans(init_t,initrc_exec_t,initrc_t)
|
||||
|
||||
kernel_set_boolean(init_t)
|
||||
kernel_read_system_state(init_t)
|
||||
kernel_read_hardware_state(init_t)
|
||||
dev_read_sysfs(init_t)
|
||||
kernel_share_state(init_t)
|
||||
|
||||
term_use_all_terms(init_t)
|
||||
@ -180,12 +180,12 @@ kernel_read_ring_buffer(initrc_t)
|
||||
kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_hardware_state(initrc_t)
|
||||
kernel_rw_hardware_config_option(initrc_t)
|
||||
dev_read_sysfs(initrc_t)
|
||||
dev_rw_sysfs(initrc_t)
|
||||
kernel_read_all_sysctl(initrc_t)
|
||||
kernel_rw_all_sysctl(initrc_t)
|
||||
kernel_get_selinux_enforcement_mode(initrc_t)
|
||||
kernel_list_usb_hardware(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
kernel_dontaudit_getattr_message_if(initrc_t)
|
||||
|
||||
@ -333,7 +333,7 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
kernel_read_usb_hardware_state(initrc_t)
|
||||
dev_read_usbfs(initrc_t)
|
||||
|
||||
# init scripts run /etc/hotplug/usb.rc
|
||||
hotplug_read_config(initrc_t)
|
||||
|
||||
@ -39,7 +39,7 @@ allow iptables_t self:rawip_socket create_socket_perms;
|
||||
|
||||
kernel_read_system_state(iptables_t)
|
||||
kernel_read_network_state(iptables_t)
|
||||
kernel_read_hardware_state(iptables_t)
|
||||
dev_read_sysfs(iptables_t)
|
||||
kernel_read_kernel_sysctl(iptables_t)
|
||||
kernel_read_modprobe_sysctl(iptables_t)
|
||||
kernel_use_fd(iptables_t)
|
||||
|
||||
@ -7,9 +7,9 @@ policy_module(locallogin,1.0)
|
||||
#
|
||||
|
||||
type local_login_t; #, nscd_client_domain;
|
||||
kernel_obj_id_change_exempt(local_login_t)
|
||||
kernel_subj_id_change_exempt(local_login_t)
|
||||
kernel_role_change_exempt(local_login_t)
|
||||
domain_obj_id_change_exempt(local_login_t)
|
||||
domain_subj_id_change_exempt(local_login_t)
|
||||
domain_role_change_exempt(local_login_t)
|
||||
auth_login_entry_type(local_login_t)
|
||||
domain_type(local_login_t)
|
||||
domain_wide_inherit_fd(local_login_t)
|
||||
@ -20,9 +20,9 @@ files_file_type(local_login_tmp_t)
|
||||
|
||||
type sulogin_t;
|
||||
type sulogin_exec_t;
|
||||
kernel_obj_id_change_exempt(sulogin_t)
|
||||
kernel_subj_id_change_exempt(sulogin_t)
|
||||
kernel_role_change_exempt(sulogin_t)
|
||||
domain_obj_id_change_exempt(sulogin_t)
|
||||
domain_subj_id_change_exempt(sulogin_t)
|
||||
domain_role_change_exempt(sulogin_t)
|
||||
domain_wide_inherit_fd(sulogin_t)
|
||||
init_domain(sulogin_t,sulogin_exec_t)
|
||||
init_system_domain(sulogin_t,sulogin_exec_t)
|
||||
|
||||
@ -59,7 +59,7 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||
files_create_pid(auditd_t,auditd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(auditd_t)
|
||||
kernel_read_hardware_state(auditd_t)
|
||||
dev_read_sysfs(auditd_t)
|
||||
|
||||
fs_getattr_all_fs(auditd_t)
|
||||
|
||||
@ -186,7 +186,7 @@ allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
||||
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||
files_create_pid(syslogd_t,syslogd_var_run_t)
|
||||
|
||||
kernel_read_hardware_state(syslogd_t)
|
||||
dev_read_sysfs(syslogd_t)
|
||||
kernel_read_kernel_sysctl(syslogd_t)
|
||||
|
||||
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
||||
|
||||
@ -11,7 +11,7 @@ type lvm_exec_t;
|
||||
init_system_domain(lvm_t,lvm_exec_t)
|
||||
# needs privowner because it assigns the identity system_u to device nodes
|
||||
# but runs as the identity of the sysadmin
|
||||
kernel_obj_id_change_exempt(lvm_t)
|
||||
domain_obj_id_change_exempt(lvm_t)
|
||||
role system_r types lvm_t;
|
||||
|
||||
type lvm_etc_t;
|
||||
@ -76,9 +76,9 @@ kernel_compute_create_context(lvm_t)
|
||||
kernel_compute_relabel_context(lvm_t)
|
||||
kernel_compute_reachable_user_contexts(lvm_t)
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
kernel_read_hardware_state(lvm_t)
|
||||
dev_read_sysfs(lvm_t)
|
||||
# Read /sys/block. Device mapper metadata is kept there.
|
||||
kernel_read_hardware_state(sysfs_t)
|
||||
dev_read_sysfs(sysfs_t)
|
||||
# Read system variables in /proc/sys
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
# it has no reason to need this
|
||||
|
||||
@ -51,8 +51,6 @@ can_exec(insmod_t, insmod_exec_t)
|
||||
|
||||
kernel_load_module(insmod_t)
|
||||
kernel_read_system_state(insmod_t)
|
||||
kernel_search_sysfs(insmod_t)
|
||||
kernel_search_usbfs(insmod_t)
|
||||
# Rules for /proc/sys/kernel/tainted
|
||||
kernel_read_kernel_sysctl(insmod_t)
|
||||
kernel_rw_kernel_sysctl(insmod_t)
|
||||
@ -62,6 +60,8 @@ bootloader_read_kernel_modules(insmod_t)
|
||||
# for locking: (cjp: ????)
|
||||
bootloader_write_kernel_modules(insmod_t)
|
||||
|
||||
dev_search_sysfs(insmod_t)
|
||||
dev_search_usbfs(insmod_t)
|
||||
dev_write_mtrr(insmod_t)
|
||||
dev_read_urand(insmod_t)
|
||||
dev_rw_agp_dev(insmod_t)
|
||||
|
||||
@ -38,8 +38,8 @@ type load_policy_exec_t;
|
||||
domain_entry_file(load_policy_t,load_policy_exec_t)
|
||||
|
||||
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||
kernel_role_change_exempt(newrole_t)
|
||||
kernel_obj_id_change_exempt(newrole_t)
|
||||
domain_role_change_exempt(newrole_t)
|
||||
domain_obj_id_change_exempt(newrole_t)
|
||||
domain_type(newrole_t)
|
||||
domain_wide_inherit_fd(newrole_t)
|
||||
|
||||
@ -65,7 +65,7 @@ files_file_type(policy_src_t)
|
||||
|
||||
type restorecon_t, can_relabelto_binary_policy;
|
||||
type restorecon_exec_t;
|
||||
kernel_obj_id_change_exempt(restorecon_t)
|
||||
domain_obj_id_change_exempt(restorecon_t)
|
||||
init_system_domain(restorecon_t,restorecon_exec_t)
|
||||
role system_r types restorecon_t;
|
||||
|
||||
@ -83,7 +83,7 @@ type selinux_config_t;
|
||||
files_file_type(selinux_config_t)
|
||||
|
||||
type setfiles_t, can_relabelto_binary_policy;
|
||||
kernel_obj_id_change_exempt(setfiles_t)
|
||||
domain_obj_id_change_exempt(setfiles_t)
|
||||
domain_type(setfiles_t)
|
||||
role system_r types setfiles_t;
|
||||
|
||||
|
||||
@ -38,8 +38,8 @@ type load_policy_exec_t;
|
||||
domain_entry_file(load_policy_t,load_policy_exec_t)
|
||||
|
||||
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||
kernel_role_change_exempt(newrole_t)
|
||||
kernel_obj_id_change_exempt(newrole_t)
|
||||
domain_role_change_exempt(newrole_t)
|
||||
domain_obj_id_change_exempt(newrole_t)
|
||||
domain_type(newrole_t)
|
||||
domain_wide_inherit_fd(newrole_t)
|
||||
|
||||
@ -65,7 +65,7 @@ files_file_type(policy_src_t)
|
||||
|
||||
type restorecon_t, can_relabelto_binary_policy;
|
||||
type restorecon_exec_t;
|
||||
kernel_obj_id_change_exempt(restorecon_t)
|
||||
domain_obj_id_change_exempt(restorecon_t)
|
||||
init_system_domain(restorecon_t,restorecon_exec_t)
|
||||
role system_r types restorecon_t;
|
||||
|
||||
@ -83,7 +83,7 @@ type selinux_config_t;
|
||||
files_file_type(selinux_config_t)
|
||||
|
||||
type setfiles_t, can_relabelto_binary_policy;
|
||||
kernel_obj_id_change_exempt(setfiles_t)
|
||||
domain_obj_id_change_exempt(setfiles_t)
|
||||
domain_type(setfiles_t)
|
||||
role system_r types setfiles_t;
|
||||
|
||||
|
||||
@ -86,7 +86,7 @@ allow ifconfig_t dhcpc_t:process sigchld;
|
||||
kernel_read_system_state(dhcpc_t)
|
||||
kernel_read_network_state(dhcpc_t)
|
||||
kernel_read_kernel_sysctl(dhcpc_t)
|
||||
kernel_read_hardware_state(dhcpc_t)
|
||||
dev_read_sysfs(dhcpc_t)
|
||||
kernel_use_fd(dhcpc_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(dhcpc_t)
|
||||
|
||||
@ -10,7 +10,7 @@ type udev_t; # nscd_client_domain
|
||||
type udev_exec_t;
|
||||
type udev_helper_exec_t;
|
||||
kernel_userland_entry(udev_t,udev_exec_t)
|
||||
kernel_obj_id_change_exempt(udev_t)
|
||||
domain_obj_id_change_exempt(udev_t)
|
||||
domain_entry_file(udev_t,udev_helper_exec_t)
|
||||
domain_wide_inherit_fd(udev_t)
|
||||
init_daemon_domain(udev_t,udev_exec_t)
|
||||
@ -70,7 +70,7 @@ kernel_read_device_sysctl(udev_t)
|
||||
kernel_read_hotplug_sysctl(udev_t)
|
||||
kernel_read_modprobe_sysctl(udev_t)
|
||||
kernel_read_kernel_sysctl(udev_t)
|
||||
kernel_read_hardware_state(udev_t)
|
||||
dev_read_sysfs(udev_t)
|
||||
kernel_get_selinuxfs_mount_point(udev_t)
|
||||
kernel_validate_context(udev_t)
|
||||
kernel_compute_access_vector(udev_t)
|
||||
|
||||
@ -108,7 +108,7 @@ define(`base_user_domain',`
|
||||
# Find CDROM devices:
|
||||
kernel_read_device_sysctl($1_t)
|
||||
# GNOME checks for usb and other devices:
|
||||
kernel_rw_usb_hardware_config_option($1_t)
|
||||
dev_rw_usbfs($1_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_t)
|
||||
corenet_raw_sendrecv_all_if($1_t)
|
||||
@ -453,7 +453,7 @@ define(`user_domain_template', `
|
||||
|
||||
kernel_read_system_state($1_t)
|
||||
kernel_read_network_state($1_t)
|
||||
kernel_read_hardware_state($1_t)
|
||||
dev_read_sysfs($1_t)
|
||||
|
||||
# cjp: why?
|
||||
bootloader_read_kernel_symbol_table($1_t)
|
||||
@ -614,7 +614,7 @@ define(`admin_domain_template',`
|
||||
base_user_domain($1)
|
||||
|
||||
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
|
||||
kernel_obj_id_change_exempt($1_t)
|
||||
domain_obj_id_change_exempt($1_t)
|
||||
role system_r types $1_t;
|
||||
|
||||
#ifdef(`direct_sysadm_daemon', `, priv_system_role')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user