trunk: a pile of misc fixes, mainly sync xml docs with interface implementation.
parent
a42ce93a4d
commit
8f3a0a95e0
@ -92,6 +92,8 @@ interface(`portage_compile_domain',`
|
||||
|
||||
gen_require(`
|
||||
class dbus send_msg;
|
||||
type portage_devpts_t, portage_log_t, portage_tmp_t;
|
||||
type portage_tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
|
||||
@ -219,6 +221,10 @@ interface(`portage_compile_domain',`
|
||||
## </param>
|
||||
#
|
||||
interface(`portage_fetch_domain',`
|
||||
gen_require(`
|
||||
type portage_cache_t, portage_conf_t, portage_ebuild_t;
|
||||
type portage_tmp_t, portage_fetch_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 self:capability { dac_override fowner fsetid };
|
||||
allow $1 self:process signal;
|
||||
@ -290,6 +296,9 @@ interface(`portage_fetch_domain',`
|
||||
## </param>
|
||||
#
|
||||
interface(`portage_main_domain',`
|
||||
gen_require(`
|
||||
type portage_log_t, portage_tmp_t;
|
||||
')
|
||||
|
||||
# - setfscreate for merging to live fs
|
||||
# - setexec to run portage fetch
|
||||
|
@ -34,6 +34,7 @@ interface(`awstats_rw_pipes',`
|
||||
interface(`awstats_cgi_exec',`
|
||||
gen_require(`
|
||||
type httpd_awstats_script_exec_t;
|
||||
type httpd_awstats_content_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_awstats_content_t:dir search_dir_perms;
|
||||
|
@ -192,11 +192,6 @@ template(`ethereal_per_role_template',`
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`ethereal_admin_template',`
|
||||
gen_require(`
|
||||
|
@ -809,7 +809,12 @@ template(`evolution_per_role_template',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object">
|
||||
## <param name="file_type">
|
||||
## <summary>
|
||||
## Private file type.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="class">
|
||||
## <summary>
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, dir will be used.
|
||||
@ -864,6 +869,12 @@ template(`evolution_stream_connect',`
|
||||
## Send and receive messages from
|
||||
## evolution over dbus.
|
||||
## </summary>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
@ -885,6 +896,12 @@ interface(`evolution_dbus_chat',`
|
||||
## Send and receive messages from
|
||||
## evolution_alarm over dbus.
|
||||
## </summary>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
|
@ -192,11 +192,6 @@ template(`wireshark_per_role_template',`
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`wireshark_admin_template',`
|
||||
gen_require(`
|
||||
|
@ -197,6 +197,25 @@ interface(`corecmd_getattr_bin_files',`
|
||||
getattr_files_pattern($1,bin_t,bin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of files in bin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_getattr_bin_files',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 bin_t:dir search_dir_perms;
|
||||
dontaudit $1 bin_t:file getattr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in bin directories.
|
||||
@ -685,7 +704,7 @@ interface(`corecmd_mmap_sbin_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_sbin_domtrans',`
|
||||
corecmd_bin_domtrans($1,$2,$3)
|
||||
corecmd_bin_domtrans($1,$2)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
|
||||
')
|
||||
|
||||
@ -726,7 +745,7 @@ interface(`corecmd_sbin_domtrans',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_sbin_spec_domtrans',`
|
||||
corecmd_bin_spec_domtrans($1,$2,$3)
|
||||
corecmd_bin_spec_domtrans($1,$2)
|
||||
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
|
||||
')
|
||||
|
||||
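Review bot: The XML header on the new `corecmd_dontaudit_getattr_bin_files` interface describes a grant, but its body emits only `dontaudit` rules. The summary reads "Get the attributes of files in bin directories." and the parameter reads "Domain allowed access.", while the two rules are `dontaudit $1 bin_t:dir search_dir_perms;` and `dontaudit $1 bin_t:file getattr_file_perms;`. I would change the summary to `## Do not audit attempts to get the attributes of files in bin directories.` and the parameter text to `## Domain to not audit.`, which is the wording `fs_dontaudit_list_cifs_dirs` uses elsewhere in this commit. The distinction matters to policy authors: calling this interface permits nothing and removes the matching AVC denials from the audit log, so a wrong summary can hide a real access failure during troubleshooting.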
|
@ -1219,6 +1219,11 @@ interface(`domain_mmap_all_entry_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## <summary>
|
||||
## The type of the new process.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for userhelper
|
||||
interface(`domain_entry_file_spec_domtrans',`
|
||||
|
@ -4208,7 +4208,7 @@ interface(`files_getattr_generic_locks',`
|
||||
#
|
||||
interface(`files_manage_generic_locks',`
|
||||
gen_require(`
|
||||
type var_lock_t;
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
@ -4229,6 +4229,7 @@ interface(`files_manage_generic_locks',`
|
||||
interface(`files_delete_all_locks',`
|
||||
gen_require(`
|
||||
attribute lockfile;
|
||||
type var_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
@ -4659,6 +4660,17 @@ interface(`files_manage_generic_spool',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="file">
|
||||
## <summary>
|
||||
## Type to which the created node will be transitioned.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="class">
|
||||
## <summary>
|
||||
## Object class(es) (single or set including {}) for which this
|
||||
## the transition will occur.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_spool_filetrans',`
|
||||
gen_require(`
|
||||
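Review bot: The new `class` parameter text for `files_spool_filetrans` has a stray word: "for which this the transition will occur." I would write the two lines as `## Object class(es) (single or set including {}) for which the` and `## transition will occur.`. The interface body starts in this hunk and continues outside it, so I cannot confirm from here that the documented parameter order (domain, file, class) matches how `$2` and `$3` are used.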
|
@ -776,6 +776,25 @@ interface(`fs_read_noxattr_fs_symlinks',`
|
||||
read_lnk_files_pattern($1,noxattrfs,noxattrfs)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read
|
||||
## dirs on a CIFS or SMB filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_list_cifs_dirs',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read
|
||||
@ -833,6 +852,44 @@ interface(`fs_read_cifs_symlinks',`
|
||||
read_lnk_files_pattern($1,cifs_t,cifs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read named pipes
|
||||
## on a CIFS or SMB network filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_read_cifs_named_pipes',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
read_fifo_files_pattern($1,cifs_t,cifs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read named pipes
|
||||
## on a CIFS or SMB network filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_read_cifs_named_sockets',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
read_sock_files_pattern($1,cifs_t,cifs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute files on a CIFS or SMB
|
||||
@ -1647,6 +1704,43 @@ interface(`fs_read_nfs_symlinks',`
|
||||
read_lnk_files_pattern($1,nfs_t,nfs_t)
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Read named sockets on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_read_nfs_named_sockets',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
read_sock_files_pattern($1,nfs_t,nfs_t)
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Read named pipes on a NFS network filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_read_nfs_named_pipes',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
read_fifo_files_pattern($1,nfs_t,nfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read directories of RPC file system pipes.
|
||||
@ -2611,7 +2705,7 @@ interface(`fs_getattr_rpc_pipefs',`
|
||||
#
|
||||
interface(`fs_rw_rpc_named_pipes',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
type rpc_pipefs_t;
|
||||
')
|
||||
|
||||
allow $1 rpc_pipefs_t:fifo_file { read write };
|
||||
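Review bot: The summary for the new `fs_read_cifs_named_sockets` interface was copied from the pipe variant and still says "Read named pipes on a CIFS or SMB network filesystem.", while its body is `read_sock_files_pattern($1,cifs_t,cifs_t)`. It should read `## Read named sockets` so the generated interface documentation does not list two identical entries for different object classes. In the same section, `fs_dontaudit_list_cifs_dirs` says "attempts to read dirs" although the rule uses `list_dir_perms`; `## Do not audit attempts to list` would match the interface name. Both are documentation-only changes.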
|
@ -625,6 +625,7 @@ interface(`term_dontaudit_use_ptmx',`
|
||||
interface(`term_getattr_all_user_ptys',`
|
||||
gen_require(`
|
||||
attribute ptynode;
|
||||
type devpts_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
@ -667,6 +668,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
|
||||
interface(`term_setattr_all_user_ptys',`
|
||||
gen_require(`
|
||||
attribute ptynode;
|
||||
type devpts_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
|
@ -10,16 +10,6 @@
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the fetchmail domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fetchmail_admin',`
|
||||
|
@ -293,6 +293,11 @@ template(`mta_admin_template',`
|
||||
## Type to be used as a mail server domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
## Type of the program to be used as an entry point to this domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_mailserver',`
|
||||
gen_require(`
|
||||
|
@ -102,6 +102,16 @@ interface(`ppp_domtrans',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to allow the ppp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the ppp domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ppp_run_cond',`
|
||||
@ -126,6 +136,16 @@ interface(`ppp_run_cond',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to allow the ppp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the ppp domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ppp_run',`
|
||||
@ -280,23 +300,13 @@ interface(`ppp_pid_filetrans',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the ppp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ppp_admin',`
|
||||
gen_require(`
|
||||
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
|
||||
type pppd_etc_t, pppd_script_t, pppd_secret_t;
|
||||
type pppd_etc_rw_t, pppd_var_lib_t, pppd_var_run_t;
|
||||
type pppd_etc_t, pppd_secret_t;
|
||||
type pppd_etc_rw_t, pppd_var_run_t;
|
||||
|
||||
type pptp_t, pptp_log_t, pptp_var_run_t;
|
||||
')
|
||||
@ -319,9 +329,6 @@ interface(`ppp_admin',`
|
||||
|
||||
manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
manage_files_pattern($1, pppd_var_lib_t, pppd_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
|
||||
|
||||
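Review bot: The `terminal` parameter text added for `ppp_run_cond` and `ppp_run` is missing a word: "The type of the terminal allow the ppp domain to use." I would make both occurrences `## The type of the terminal to allow the ppp domain to use.`. Separately, the `ppp_admin` hunk drops `pppd_script_t` and `pppd_var_lib_t` from `gen_require`, and the last hunk removes the `pppd_var_lib_t` rule. Most of the `ppp_admin` body lies outside the visible hunks, so it is worth confirming that no remaining rule there still references `pppd_script_t`.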
|
@ -10,16 +10,6 @@
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the privoxy domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`privoxy_admin',`
|
||||
|
@ -24,38 +24,28 @@ interface(`radius_use',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the radius domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`radius_admin',`
|
||||
gen_require(`
|
||||
type radius_t, radius_etc_t, radius_log_t;
|
||||
type radius_etc_rw_t, radius_var_lib_t, radius_var_run_t;
|
||||
type radiusd_t, radiusd_etc_t, radiusd_log_t;
|
||||
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 radius_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, radius_t)
|
||||
allow $1 radiusd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, radiusd_t)
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, radius_etc_t, radius_etc_t)
|
||||
manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, radius_log_t, radius_log_t)
|
||||
manage_files_pattern($1, radiusd_log_t, radiusd_log_t)
|
||||
|
||||
manage_files_pattern($1, radius_etc_rw_t, radius_etc_rw_t)
|
||||
manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
manage_files_pattern($1, radius_var_lib_t, radius_var_lib_t)
|
||||
manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, radius_var_run_t, radius_var_run_t)
|
||||
manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
|
||||
')
|
||||
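Review bot: The renamed process rule in `radius_admin` still grants `ptrace` to the admin domain: `allow $1 radiusd_t:process { ptrace signal_perms getattr };` (this appears to be the new side of the printed pair). The same rule is carried through the rename in `snmp_admin`, `tftp_admin` and `uucp_admin` later in this commit. `ptrace` lets the calling domain read and alter the daemon's memory, which for an authentication daemon presumably includes credentials, and that goes beyond the signalling and `ps` access the rest of the interface provides. Since these lines are being rewritten anyway, consider narrowing them to `allow $1 radiusd_t:process { signal_perms getattr };`, or add a comment on each stating why tracing is required for administration.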
|
@ -10,16 +10,6 @@
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the radvd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`radvd_admin',`
|
||||
|
@ -126,16 +126,6 @@ interface(`rwho_manage_spool_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the rwho domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`rwho_admin',`
|
||||
|
@ -29,16 +29,6 @@ interface(`sasl_connect',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the sasl domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`sasl_admin',`
|
||||
|
@ -28,16 +28,6 @@ interface(`smartmon_read_tmp_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the smartmon domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`smartmon_admin',`
|
||||
|
@ -95,33 +95,23 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the snmp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`snmp_admin',`
|
||||
gen_require(`
|
||||
type snmp_t, snmp_log_t;
|
||||
type snmp_var_lib_t, snmp_var_run_t;
|
||||
type snmpd_t, snmpd_log_t;
|
||||
type snmpd_var_lib_t, snmpd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 snmp_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, snmp_t)
|
||||
allow $1 snmpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, snmpd_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, snmp_log_t, snmp_log_t)
|
||||
manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
manage_files_pattern($1, snmp_var_lib_t, snmp_var_lib_t)
|
||||
manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, snmp_var_run_t, snmp_var_run_t)
|
||||
manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t)
|
||||
')
|
||||
|
@ -10,31 +10,21 @@
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the tftp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`tftp_admin',`
|
||||
gen_require(`
|
||||
type tftp_t, tftpdir_t;
|
||||
type tftp_rw_t, tftp_var_run_t;
|
||||
type tftpd_t, tftpdir_t;
|
||||
type tftpdir_rw_t, tftpd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 tftp_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, tftp_t)
|
||||
allow $1 tftpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, tftpd_t)
|
||||
|
||||
manage_files_pattern($1, tftp_rw_t, tftp_rw_t)
|
||||
manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
|
||||
|
||||
manage_files_pattern($1, tftpdir_t, tftpdir_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, tftp_var_run_t, tftp_var_run_t)
|
||||
manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t)
|
||||
')
|
||||
|
@ -28,21 +28,11 @@ interface(`tor_domtrans',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the tor domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`tor_admin',`
|
||||
gen_require(`
|
||||
type tor_t, tor_log_t, tor_etc_t;
|
||||
type tor_t, tor_var_log_t, tor_etc_t;
|
||||
type tor_var_lib_t, tor_var_run_t;
|
||||
')
|
||||
|
||||
@ -50,7 +40,7 @@ interface(`tor_admin',`
|
||||
ps_process_pattern($1, tor_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, tor_log_t, tor_log_t)
|
||||
manage_files_pattern($1, tor_var_log_t, tor_var_log_t)
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, tor_etc_t, tor_etc_t)
|
||||
|
@ -71,41 +71,31 @@ interface(`uucp_domtrans_uux',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the uucp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`uucp_admin',`
|
||||
gen_require(`
|
||||
type uucp_t, uucp_tmp_t, uucp_log_t;
|
||||
type uucp_spool_t, uucp_ro_t, uucp_rw_t;
|
||||
type uucp_var_run_t;
|
||||
type uucpd_t, uucpd_tmp_t, uucpd_log_t;
|
||||
type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
|
||||
type uucpd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 uucp_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, uucp_t)
|
||||
allow $1 uucpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, uucpd_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
manage_files_pattern($1, uucp_tmp_t, uucp_tmp_t)
|
||||
manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, uucp_log_t, uucp_log_t)
|
||||
manage_files_pattern($1, uucpd_log_t, uucpd_log_t)
|
||||
|
||||
files_list_spool($1)
|
||||
manage_files_pattern($1, uucp_spool_t, uucp_spool_t)
|
||||
manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
|
||||
|
||||
manage_files_pattern($1, uucp_rw_t, uucp_rw_t)
|
||||
manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t)
|
||||
|
||||
manage_files_pattern($1, uucp_ro_t, uucp_ro_t)
|
||||
manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, uucp_var_run_t, uucp_var_run_t)
|
||||
manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t)
|
||||
')
|
||||
|
@ -87,16 +87,6 @@ interface(`zabbix_read_pid_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the zabbix domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`zabbix_admin',`
|
||||
|
@ -32,16 +32,6 @@ interface(`zebra_read_config',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the zebra domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`zebra_admin',`
|
||||
|
@ -690,16 +690,6 @@ interface(`logging_manage_generic_logs',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the audit domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_admin_audit',`
|
||||
@ -731,16 +721,6 @@ interface(`logging_admin_audit',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the syslog domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_admin_syslog',`
|
||||
@ -788,19 +768,9 @@ interface(`logging_admin_syslog',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the syslog domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_admin',`
|
||||
logging_admin_audit($1, $2, $3)
|
||||
logging_admin_syslog($1, $2, $3)
|
||||
logging_admin_audit($1)
|
||||
logging_admin_syslog($1)
|
||||
')
|
||||
|
@ -382,6 +382,7 @@ interface(`miscfiles_read_tetex_data',`
|
||||
interface(`miscfiles_exec_tetex_data',`
|
||||
gen_require(`
|
||||
type fonts_t;
|
||||
type tetex_data_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
|
@ -200,7 +200,7 @@ interface(`modutils_domtrans_depmod',`
|
||||
#
|
||||
interface(`modutils_run_depmod',`
|
||||
gen_require(`
|
||||
type depmod_t;
|
||||
type depmod_t, insmod_t;
|
||||
')
|
||||
|
||||
modutils_domtrans_depmod($1)
|
||||
|
@ -817,7 +817,7 @@ interface(`seutil_read_file_contexts',`
|
||||
#
|
||||
interface(`seutil_rw_file_contexts',`
|
||||
gen_require(`
|
||||
type selinux_config_t, file_context_t;
|
||||
type selinux_config_t, file_context_t, default_context_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -838,7 +838,7 @@ interface(`seutil_rw_file_contexts',`
|
||||
#
|
||||
interface(`seutil_manage_file_contexts',`
|
||||
gen_require(`
|
||||
type selinux_config_t, file_context_t;
|
||||
type selinux_config_t, file_context_t, default_context_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
|
@ -191,7 +191,7 @@ template(`userdom_ro_home_template',`
|
||||
fs_read_nfs_named_sockets($1_t)
|
||||
fs_read_nfs_named_pipes($1_t)
|
||||
',`
|
||||
fs_dontaudit_read_nfs_dirs($1_t)
|
||||
fs_dontaudit_list_nfs($1_t)
|
||||
fs_dontaudit_read_nfs_files($1_t)
|
||||
')
|
||||
|
||||
@ -1111,10 +1111,6 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||
java_per_role_template($1, $1_t, $1_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mono_per_role_template($1, $1_t, $1_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
setroubleshoot_dontaudit_stream_connect($1_t)
|
||||
')
|
||||
@ -4130,8 +4126,8 @@ interface(`userdom_sysadm_sbin_spec_domtrans_to',`
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_sysadm_entry_spec_domtrans_to',`
|
||||
refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans_to() instead.')
|
||||
sysadm_entry_spec_domtrans_to($1)
|
||||
refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans() instead.')
|
||||
sysadm_entry_spec_domtrans($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -4850,7 +4846,7 @@ interface(`userdom_search_generic_user_home_dirs',`
|
||||
#
|
||||
interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
|
||||
refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_home_dir_filetrans_home_content() instead.')
|
||||
unprivuser_home_dir_filetrans_home_content($1)
|
||||
unprivuser_home_dir_filetrans_home_content($1, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
|