trunk: 14 patches from dan.

This commit is contained in:
Chris PeBenito 2009-03-23 14:56:43 +00:00
parent 244b45d225
commit 8f800d48df
29 changed files with 204 additions and 36 deletions

View File

@ -1,5 +1,5 @@
policy_module(corenetwork, 1.11.4)
policy_module(corenetwork, 1.11.5)
########################################
#
@ -118,6 +118,7 @@ network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon

View File

@ -1,8 +1,6 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
ifdef(`distro_debian',`
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
')
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(apcupsd, 1.5.2)
policy_module(apcupsd, 1.5.3)
########################################
#

View File

@ -55,6 +55,24 @@ interface(`avahi_kill',`
allow $1 avahi_t:process sigkill;
')
########################################
## <summary>
## Send avahi a signull
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`avahi_signull',`
gen_require(`
type avahi_t;
')
allow $1 avahi_t:process signull;
')
########################################
## <summary>
## Send and receive messages from

View File

@ -1,5 +1,5 @@
policy_module(avahi, 1.10.2)
policy_module(avahi, 1.10.3)
########################################
#

View File

@ -15,6 +15,7 @@
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)

View File

@ -173,7 +173,7 @@ interface(`bluetooth_dontaudit_read_helper_state',`
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
type bluetooth_initrc_exec_t;
')
@ -196,6 +196,9 @@ interface(`bluetooth_admin',`
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
files_list_spool($1)
admin_pattern($1, bluetooth_spool_t)
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)

View File

@ -1,5 +1,5 @@
policy_module(bluetooth, 3.1.2)
policy_module(bluetooth, 3.1.3)
########################################
#
@ -93,6 +93,7 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
@ -147,10 +148,10 @@ optional_policy(`
optional_policy(`
cups_dbus_chat(bluetooth_t)
')
')
optional_policy(`
nis_use_ypbind(bluetooth_t)
optional_policy(`
hal_dbus_chat(bluetooth_t)
')
')
optional_policy(`

View File

@ -15,7 +15,9 @@ interface(`cvs_read_data',`
type cvs_data_t;
')
allow $1 cvs_data_t:file { getattr read };
list_dirs_pattern($1, cvs_data_t, cvs_data_t)
read_files_pattern($1, cvs_data_t, cvs_data_t)
read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
')
########################################

View File

@ -1,5 +1,5 @@
policy_module(cvs, 1.7.2)
policy_module(cvs, 1.7.3)
########################################
#

View File

@ -4,4 +4,6 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)

View File

@ -39,6 +39,25 @@ interface(`dnsmasq_signal',`
allow $1 dnsmasq_t:process signal;
')
########################################
## <summary>
## Send dnsmasq a signull
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
#
interface(`dnsmasq_signull',`
gen_require(`
type dnsmasq_t;
')
allow $1 dnsmasq_t:process signull;
')
########################################
## <summary>
## Send dnsmasq a kill signal.
@ -58,6 +77,44 @@ interface(`dnsmasq_kill',`
allow $1 dnsmasq_t:process sigkill;
')
########################################
## <summary>
## Delete dnsmasq pid files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
#
interface(`dnsmasq_delete_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
########################################
## <summary>
## Read dnsmasq pid files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
#
interface(`dnsmasq_read_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
')
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate

View File

@ -1,5 +1,5 @@
policy_module(dnsmasq, 1.7.1)
policy_module(dnsmasq, 1.7.2)
########################################
#
@ -69,23 +69,20 @@ domain_use_interactive_fds(dnsmasq_t)
# allow access to dnsmasq.conf
files_read_etc_files(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t)
fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)
auth_use_nsswitch(dnsmasq_t)
logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
sysnet_read_config(dnsmasq_t)
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
nis_use_ypbind(dnsmasq_t)
')
optional_policy(`
seutil_sigchld_newrole(dnsmasq_t)
')
@ -96,4 +93,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
')

View File

@ -19,6 +19,7 @@
/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(kerberos, 1.9.2)
policy_module(kerberos, 1.9.3)
########################################
#
@ -290,6 +290,7 @@ corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
corenet_tcp_sendrecv_all_ports(kpropd_t)
corenet_tcp_bind_generic_node(kpropd_t)
corenet_tcp_bind_kprop_port(kpropd_t)
dev_read_urand(kpropd_t)

View File

@ -2,6 +2,7 @@
# /etc
#
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
#

View File

@ -44,6 +44,24 @@ interface(`openvpn_run',`
role $2 types openvpn_t;
')
########################################
## <summary>
## Send OPENVPN clients the kill signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`openvpn_kill',`
gen_require(`
type openvpn_t;
')
allow $1 openvpn_t:process sigkill;
')
########################################
## <summary>
## Send generic signals to OPENVPN clients.
@ -62,6 +80,24 @@ interface(`openvpn_signal',`
allow $1 openvpn_t:process signal;
')
########################################
## <summary>
## Send signulls to OPENVPN clients.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`openvpn_signull',`
gen_require(`
type openvpn_t;
')
allow $1 openvpn_t:process signull;
')
########################################
## <summary>
## Allow the specified domain to read

View File

@ -1,5 +1,5 @@
policy_module(openvpn, 1.7.2)
policy_module(openvpn, 1.7.3)
########################################
#
@ -22,6 +22,9 @@ init_daemon_domain(openvpn_t, openvpn_exec_t)
type openvpn_etc_t;
files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
@ -40,6 +43,7 @@ files_pid_file(openvpn_var_run_t)
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -47,11 +51,13 @@ allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
can_exec(openvpn_t, openvpn_etc_t)
read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
@ -99,6 +105,8 @@ miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
sysnet_write_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)

View File

@ -1,5 +1,6 @@
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(pcscd, 1.4.2)
policy_module(pcscd, 1.4.3)
########################################
#
@ -27,9 +27,10 @@ allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
allow pcscd_t self:unix_dgram_socket create_socket_perms;
allow pcscd_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file })
files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
corenet_all_recvfrom_unlabeled(pcscd_t)
corenet_all_recvfrom_netlabel(pcscd_t)
@ -56,6 +57,14 @@ miscfiles_read_localization(pcscd_t)
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
dbus_system_bus_client(pcscd_t)
optional_policy(`
hal_dbus_chat(pcscd_t)
')
')
optional_policy(`
openct_stream_connect(pcscd_t)
openct_read_pid_files(pcscd_t)

View File

@ -1,5 +1,5 @@
policy_module(radvd, 1.10.2)
policy_module(radvd, 1.10.3)
########################################
#
@ -22,7 +22,7 @@ files_config_file(radvd_etc_t)
#
# Local policy
#
allow radvd_t self:capability { setgid setuid net_raw };
allow radvd_t self:capability { setgid setuid net_raw net_admin };
dontaudit radvd_t self:capability sys_tty_config;
allow radvd_t self:process signal_perms;
allow radvd_t self:unix_dgram_socket create_socket_perms;

View File

@ -1,5 +1,5 @@
policy_module(rlogin, 1.8.2)
policy_module(rlogin, 1.8.3)
########################################
#
@ -90,9 +90,21 @@ userdom_read_user_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(rlogind_t)
fs_read_nfs_files(rlogind_t)
fs_read_nfs_symlinks(rlogind_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs(rlogind_t)
fs_read_cifs_files(rlogind_t)
fs_read_cifs_symlinks(rlogind_t)
')
optional_policy(`
kerberos_use(rlogind_t)
kerberos_read_keytab(rlogind_t)
kerberos_keytab_template(rlogind, rlogind_t)
kerberos_manage_host_rcache(rlogind_t)
')
optional_policy(`

View File

@ -1,5 +1,5 @@
policy_module(rsync, 1.8.2)
policy_module(rsync, 1.8.3)
########################################
#
@ -119,5 +119,9 @@ optional_policy(`
tunable_policy(`rsync_export_all_ro',`
fs_read_noxattr_fs_files(rsync_t)
auth_read_all_dirs_except_shadow(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
auth_read_all_symlinks_except_shadow(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
auth_can_read_shadow_passwords(rsync_t)

View File

@ -1,6 +1,7 @@
/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(stunnel, 1.8.2)
policy_module(stunnel, 1.8.3)
########################################
#
@ -54,6 +54,8 @@ kernel_read_kernel_sysctls(stunnel_t)
kernel_read_system_state(stunnel_t)
kernel_read_network_state(stunnel_t)
corecmd_exec_bin(stunnel_t)
corenet_all_recvfrom_unlabeled(stunnel_t)
corenet_all_recvfrom_netlabel(stunnel_t)
corenet_tcp_sendrecv_generic_if(stunnel_t)
@ -105,6 +107,7 @@ ifdef(`distro_gentoo', `
dev_read_urand(stunnel_t)
files_read_etc_files(stunnel_t)
files_read_etc_runtime_files(stunnel_t)
files_search_home(stunnel_t)
optional_policy(`

View File

@ -1,6 +1,6 @@
/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
/usr/lib(64)?/sa/sadc -- gen_context(system_u:object_r:sysstat_exec_t,s0)
/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(sysstat, 1.4.0)
policy_module(sysstat, 1.4.1)
########################################
#
@ -19,13 +19,14 @@ logging_log_file(sysstat_log_t)
# Local policy
#
allow sysstat_t self:capability sys_resource;
allow sysstat_t self:capability { sys_resource sys_tty_config };
dontaudit sysstat_t self:capability sys_admin;
allow sysstat_t self:fifo_file rw_fifo_file_perms;
can_exec(sysstat_t, sysstat_exec_t)
manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc

View File

@ -6,4 +6,6 @@
/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(uucp, 1.9.2)
policy_module(uucp, 1.9.3)
########################################
#
@ -10,6 +10,9 @@ type uucpd_exec_t;
inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
role system_r types uucpd_t;
type uucpd_lock_t;
files_lock_file(uucpd_lock_t)
type uucpd_tmp_t;
files_tmp_file(uucpd_tmp_t)
@ -58,6 +61,10 @@ manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
uucp_manage_spool(uucpd_t)
manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
files_search_locks(uucpd_t)
manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })