another round of renaming, for consistency

This commit is contained in:
Chris PeBenito 2005-06-29 14:26:41 +00:00
parent 743b65115c
commit 8fd3673225
49 changed files with 335 additions and 275 deletions

View File

@ -59,7 +59,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(dmesg_t) seutil_sigchld_newrole(dmesg_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `

View File

@ -12,13 +12,13 @@ domain_obj_id_change_exempt(logrotate_t)
role system_r types logrotate_t; role system_r types logrotate_t;
type logrotate_exec_t; type logrotate_exec_t;
files_file_type(logrotate_exec_t) files_type(logrotate_exec_t)
type logrotate_tmp_t; type logrotate_tmp_t;
files_tmp_file(logrotate_tmp_t) files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t; type logrotate_var_lib_t;
files_file_type(logrotate_var_lib_t) files_type(logrotate_var_lib_t)
######################################## ########################################
# #
@ -76,13 +76,13 @@ domain_signal_all_domains(logrotate_t)
domain_use_wide_inherit_fd(logrotate_t) domain_use_wide_inherit_fd(logrotate_t)
files_read_usr_files(logrotate_t) files_read_usr_files(logrotate_t)
files_read_generic_etc_files(logrotate_t) files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t) files_read_etc_runtime_files(logrotate_t)
files_manage_generic_lock_files(logrotate_t) files_manage_generic_locks(logrotate_t)
files_read_all_pids(logrotate_t) files_read_all_pids(logrotate_t)
# Write to /var/spool/slrnpull - should be moved into its own type. # Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_spools(logrotate_t) files_manage_generic_spools(logrotate_t)
files_manage_spool_dirs(logrotate_t) files_manage_generic_spool_dirs(logrotate_t)
hostname_exec(logrotate_t) hostname_exec(logrotate_t)

View File

@ -56,7 +56,7 @@ fs_getattr_xattr_fs(netutils_t)
domain_use_wide_inherit_fd(netutils_t) domain_use_wide_inherit_fd(netutils_t)
files_read_generic_etc_files(netutils_t) files_read_etc_files(netutils_t)
# for nscd # for nscd
files_dontaudit_search_var(netutils_t) files_dontaudit_search_var(netutils_t)
@ -110,7 +110,7 @@ fs_dontaudit_getattr_xattr_fs(ping_t)
domain_use_wide_inherit_fd(ping_t) domain_use_wide_inherit_fd(ping_t)
files_read_generic_etc_files(ping_t) files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t) files_dontaudit_search_var(ping_t)
libs_use_ld_so(ping_t) libs_use_ld_so(ping_t)
@ -166,7 +166,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_wide_inherit_fd(traceroute_t) domain_use_wide_inherit_fd(traceroute_t)
files_read_generic_etc_files(traceroute_t) files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t) files_dontaudit_search_var(traceroute_t)
libs_use_ld_so(traceroute_t) libs_use_ld_so(traceroute_t)

View File

@ -14,7 +14,7 @@ domain_wide_inherit_fd(rpm_t)
role system_r types rpm_t; role system_r types rpm_t;
type rpm_file_t; type rpm_file_t;
files_file_type(rpm_file_t) files_type(rpm_file_t)
type rpm_tmp_t; type rpm_tmp_t;
files_tmp_file(rpm_tmp_t) files_tmp_file(rpm_tmp_t)
@ -26,7 +26,7 @@ type rpm_log_t;
logging_log_file(rpm_log_t) logging_log_file(rpm_log_t)
type rpm_var_lib_t; type rpm_var_lib_t;
files_file_type(rpm_var_lib_t) files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t; typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_script_t; #, admin, privmem, priv_system_role; type rpm_script_t; #, admin, privmem, priv_system_role;
@ -138,7 +138,7 @@ domain_exec_all_entry_files(rpm_t)
domain_read_all_domains_state(rpm_t) domain_read_all_domains_state(rpm_t)
domain_use_wide_inherit_fd(rpm_t) domain_use_wide_inherit_fd(rpm_t)
files_exec_generic_etc_files(rpm_t) files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t) init_domtrans_script(rpm_t)
@ -287,7 +287,7 @@ domain_exec_all_entry_files(rpm_script_t)
domain_signal_all_domains(rpm_script_t) domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t)
files_exec_generic_etc_files(rpm_script_t) files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t)
init_domtrans_script(rpm_script_t) init_domtrans_script(rpm_script_t)

View File

@ -7,7 +7,7 @@ policy_module(usermanage,1.0)
# #
type admin_passwd_exec_t; type admin_passwd_exec_t;
files_file_type(admin_passwd_exec_t) files_type(admin_passwd_exec_t)
type chfn_t; type chfn_t;
domain_obj_id_change_exempt(chfn_t) domain_obj_id_change_exempt(chfn_t)
@ -24,7 +24,7 @@ type crack_exec_t;
domain_entry_file(crack_t,crack_exec_t) domain_entry_file(crack_t,crack_exec_t)
type crack_db_t; #, usercanread; type crack_db_t; #, usercanread;
files_file_type(crack_db_t) files_type(crack_db_t)
type crack_tmp_t; type crack_tmp_t;
files_tmp_file(crack_tmp_t) files_tmp_file(crack_tmp_t)
@ -49,7 +49,7 @@ domain_type(sysadm_passwd_t)
domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t) domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
type sysadm_passwd_tmp_t; type sysadm_passwd_tmp_t;
files_file_type(sysadm_passwd_tmp_t) files_type(sysadm_passwd_tmp_t)
type useradd_t; # nscd_client_domain; type useradd_t; # nscd_client_domain;
type useradd_exec_t; type useradd_exec_t;
@ -95,7 +95,7 @@ dev_read_urand(chfn_t)
domain_use_wide_inherit_fd(chfn_t) domain_use_wide_inherit_fd(chfn_t)
files_manage_generic_etc_files(chfn_t) files_manage_etc_files(chfn_t)
files_read_etc_runtime_files(chfn_t) files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t) files_dontaudit_search_var(chfn_t)
@ -165,7 +165,7 @@ dev_read_urand(crack_t)
fs_getattr_xattr_fs(crack_t) fs_getattr_xattr_fs(crack_t)
files_read_generic_etc_files(crack_t) files_read_etc_files(crack_t)
files_read_etc_runtime_files(crack_t) files_read_etc_runtime_files(crack_t)
# for dictionaries # for dictionaries
files_read_usr_files(crack_t) files_read_usr_files(crack_t)
@ -228,7 +228,7 @@ init_dontaudit_write_script_pid(groupadd_t)
domain_use_wide_inherit_fd(groupadd_t) domain_use_wide_inherit_fd(groupadd_t)
files_manage_generic_etc_files(groupadd_t) files_manage_etc_files(groupadd_t)
libs_use_ld_so(groupadd_t) libs_use_ld_so(groupadd_t)
libs_use_shared_libs(groupadd_t) libs_use_shared_libs(groupadd_t)
@ -306,7 +306,7 @@ init_dontaudit_rw_script_pid(passwd_t)
domain_use_wide_inherit_fd(passwd_t) domain_use_wide_inherit_fd(passwd_t)
files_read_etc_runtime_files(passwd_t) files_read_etc_runtime_files(passwd_t)
files_manage_generic_etc_files(passwd_t) files_manage_etc_files(passwd_t)
files_search_var(passwd_t) files_search_var(passwd_t)
libs_use_ld_so(passwd_t) libs_use_ld_so(passwd_t)
@ -405,7 +405,7 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_wide_inherit_fd(sysadm_passwd_t) domain_use_wide_inherit_fd(sysadm_passwd_t)
files_manage_generic_etc_files(sysadm_passwd_t) files_manage_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate # /usr/bin/passwd asks for w access to utmp, but it will operate
@ -496,7 +496,7 @@ corecmd_exec_sbin(useradd_t)
domain_use_wide_inherit_fd(useradd_t) domain_use_wide_inherit_fd(useradd_t)
files_manage_generic_etc_files(useradd_t) files_manage_etc_files(useradd_t)
init_use_fd(useradd_t) init_use_fd(useradd_t)
init_rw_script_pid(useradd_t) init_rw_script_pid(useradd_t)

View File

@ -44,7 +44,7 @@ template(`gpg_per_userdomain_template',`
files_tmp_file($1_gpg_agent_tmp_t) files_tmp_file($1_gpg_agent_tmp_t)
type $1_gpg_secret_t; #, $1_file_type; type $1_gpg_secret_t; #, $1_file_type;
files_file_type($1_gpg_secret_t) files_type($1_gpg_secret_t)
type $1_gpg_helper_t; type $1_gpg_helper_t;
domain_type($1_gpg_helper_t) domain_type($1_gpg_helper_t)
@ -95,7 +95,7 @@ template(`gpg_per_userdomain_template',`
fs_getattr_xattr_fs($1_gpg_t) fs_getattr_xattr_fs($1_gpg_t)
files_read_generic_etc_files($1_gpg_t) files_read_etc_files($1_gpg_t)
files_read_usr_files($1_gpg_t) files_read_usr_files($1_gpg_t)
libs_use_shared_libs($1_gpg_t) libs_use_shared_libs($1_gpg_t)
@ -210,7 +210,7 @@ template(`gpg_per_userdomain_template',`
dev_read_urand($1_gpg_helper_t) dev_read_urand($1_gpg_helper_t)
files_read_generic_etc_files($1_gpg_helper_t) files_read_etc_files($1_gpg_helper_t)
# for nscd # for nscd
files_dontaudit_search_var($1_gpg_helper_t) files_dontaudit_search_var($1_gpg_helper_t)
@ -322,7 +322,7 @@ template(`gpg_per_userdomain_template',`
files_read_usr_files($1_gpg_pinentry_t) files_read_usr_files($1_gpg_pinentry_t)
# read /etc/X11/qtrc # read /etc/X11/qtrc
files_read_generic_etc_files($1_gpg_pinentry_t) files_read_etc_files($1_gpg_pinentry_t)
libs_use_ld_so($1_gpg_pinentry_t) libs_use_ld_so($1_gpg_pinentry_t)
libs_use_shared_libs($1_gpg_pinentry_t) libs_use_shared_libs($1_gpg_pinentry_t)

View File

@ -9,16 +9,16 @@ policy_module(gpg, 1.0)
# Type for gpg or pgp executables. # Type for gpg or pgp executables.
type gpg_exec_t; type gpg_exec_t;
type gpg_helper_exec_t; type gpg_helper_exec_t;
files_file_type(gpg_exec_t) files_type(gpg_exec_t)
files_file_type(gpg_helper_exec_t) files_type(gpg_helper_exec_t)
# Type for the gpg-agent executable. # Type for the gpg-agent executable.
type gpg_agent_exec_t; type gpg_agent_exec_t;
files_file_type(gpg_agent_exec_t) files_type(gpg_agent_exec_t)
# type for the pinentry executable # type for the pinentry executable
type pinentry_exec_t; type pinentry_exec_t;
files_file_type(pinentry_exec_t) files_type(pinentry_exec_t)
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search; #allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms; #allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;

View File

@ -59,7 +59,7 @@ interface(`bootloader_run',`
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`bootloader_search_boot_dir',` interface(`bootloader_search_boot',`
gen_require(` gen_require(`
type boot_t; type boot_t;
class dir search; class dir search;
@ -362,9 +362,9 @@ interface(`bootloader_manage_kernel_modules',`
######################################## ########################################
# #
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)]) # bootloader_create_modules(domain,privatetype,[class(es)])
# #
interface(`bootloader_create_private_module_dir_entry',` interface(`bootloader_create_modules',`
gen_require(` gen_require(`
type modules_object_t; type modules_object_t;
class dir rw_dir_perms; class dir rw_dir_perms;

View File

@ -12,7 +12,7 @@ attribute rw_kern_modules;
# boot_t is the type for files in /boot # boot_t is the type for files in /boot
# #
type boot_t; type boot_t;
files_file_type(boot_t) files_type(boot_t)
files_mountpoint(boot_t) files_mountpoint(boot_t)
# #
@ -21,7 +21,7 @@ files_mountpoint(boot_t)
# only for Red Hat # only for Red Hat
# #
type boot_runtime_t; type boot_runtime_t;
files_file_type(boot_runtime_t) files_type(boot_runtime_t)
type bootloader_t; type bootloader_t;
domain_type(bootloader_t) domain_type(bootloader_t)
@ -35,7 +35,7 @@ domain_entry_file(bootloader_t,bootloader_exec_t)
# grub.conf, lilo.conf, etc. # grub.conf, lilo.conf, etc.
# #
type bootloader_etc_t alias etc_bootloader_t; type bootloader_etc_t alias etc_bootloader_t;
files_file_type(bootloader_etc_t) files_type(bootloader_etc_t)
# #
# The temp file is used for initrd creation; # The temp file is used for initrd creation;
@ -47,7 +47,7 @@ dev_node(bootloader_tmp_t)
# kernel modules # kernel modules
type modules_object_t; type modules_object_t;
files_file_type(modules_object_t) files_type(modules_object_t)
neverallow ~rw_kern_modules modules_object_t:file { create append write }; neverallow ~rw_kern_modules modules_object_t:file { create append write };
@ -55,7 +55,7 @@ neverallow ~rw_kern_modules modules_object_t:file { create append write };
# system_map_t is for the system.map files in /boot # system_map_t is for the system.map files in /boot
# #
type system_map_t; type system_map_t;
files_file_type(system_map_t) files_type(system_map_t)
######################################## ########################################
# #
@ -122,11 +122,11 @@ libs_use_ld_so(bootloader_t)
libs_use_shared_libs(bootloader_t) libs_use_shared_libs(bootloader_t)
libs_read_lib(bootloader_t) libs_read_lib(bootloader_t)
files_read_generic_etc_files(bootloader_t) files_read_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t) files_read_etc_runtime_files(bootloader_t)
files_read_usr_src(bootloader_t) files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t) files_read_usr_files(bootloader_t)
files_read_var_file(bootloader_t) files_read_var_files(bootloader_t)
# for nscd # for nscd
files_dontaudit_search_pids(bootloader_t) files_dontaudit_search_pids(bootloader_t)
@ -185,7 +185,7 @@ optional_policy(`lvm.te',`
optional_policy(`modutils.te',` optional_policy(`modutils.te',`
modutils_exec_insmod(insmod_t) modutils_exec_insmod(insmod_t)
modutils_read_kernel_module_dependencies(bootloader_t) modutils_read_mods_deps(bootloader_t)
modutils_read_module_conf(bootloader_t) modutils_read_module_conf(bootloader_t)
modutils_exec_insmod(bootloader_t) modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t) modutils_exec_depmod(bootloader_t)

View File

@ -9,7 +9,7 @@ attribute memory_raw_write;
# device_t is the type of /dev. # device_t is the type of /dev.
# #
type device_t; type device_t;
files_file_type(device_t) files_type(device_t)
files_mountpoint(device_t) files_mountpoint(device_t)
fs_associate_tmpfs(device_t) fs_associate_tmpfs(device_t)

View File

@ -62,7 +62,7 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
# tmpfs_t is the type for tmpfs filesystems # tmpfs_t is the type for tmpfs filesystems
# #
type tmpfs_t, filesystem_type; type tmpfs_t, filesystem_type;
files_file_type(tmpfs_t) files_type(tmpfs_t)
# Use a transition SID based on the allocating task SID and the # Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types, # filesystem SID to label inodes in the following filesystem types,

View File

@ -128,7 +128,7 @@ interface(`storage_raw_write_fixed_disk',`
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`storage_create_fixed_disk_dev_entry',` interface(`storage_create_fixed_disk',`
gen_require(` gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write; attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t; type fixed_disk_device_t;

View File

@ -25,7 +25,7 @@ template(`cron_per_userdomain_template',`
# Type of user crontabs once moved to cron spool. # Type of user crontabs once moved to cron spool.
type $1_cron_spool_t; type $1_cron_spool_t;
files_file_type($1_cron_spool_t) files_type($1_cron_spool_t)
type $1_crond_t; # user_crond_domain; type $1_crond_t; # user_crond_domain;
domain_type($1_crond_t); domain_type($1_crond_t);
@ -92,7 +92,7 @@ template(`cron_per_userdomain_template',`
domain_exec_all_entry_files($1_crond_t) domain_exec_all_entry_files($1_crond_t)
files_read_usr_files($1_crond_t) files_read_usr_files($1_crond_t)
files_exec_generic_etc_files($1_crond_t) files_exec_etc_files($1_crond_t)
# for nscd: # for nscd:
files_dontaudit_search_pids($1_crond_t) files_dontaudit_search_pids($1_crond_t)
@ -176,7 +176,7 @@ template(`cron_per_userdomain_template',`
domain_use_wide_inherit_fd($1_crontab_t) domain_use_wide_inherit_fd($1_crontab_t)
files_read_generic_etc_files($1_crontab_t) files_read_etc_files($1_crontab_t)
libs_use_ld_so($1_crontab_t) libs_use_ld_so($1_crontab_t)
libs_use_shared_libs($1_crontab_t) libs_use_shared_libs($1_crontab_t)

View File

@ -7,10 +7,10 @@ policy_module(cron, 1.0)
# #
type anacron_exec_t; type anacron_exec_t;
files_file_type(anacron_exec_t) files_type(anacron_exec_t)
type cron_spool_t; type cron_spool_t;
files_file_type(cron_spool_t) files_type(cron_spool_t)
type crond_t; #, privmail, nscd_client_domain type crond_t; #, privmail, nscd_client_domain
type crond_exec_t; type crond_exec_t;
@ -27,7 +27,7 @@ type crond_var_run_t;
files_pid_file(crond_var_run_t) files_pid_file(crond_var_run_t)
type crontab_exec_t; type crontab_exec_t;
files_file_type(crontab_exec_t) files_type(crontab_exec_t)
type system_cron_spool_t; type system_cron_spool_t;
type system_crond_t; #, privmail, nscd_client_domain; type system_crond_t; #, privmail, nscd_client_domain;
@ -99,8 +99,8 @@ corecmd_list_sbin(crond_t)
domain_use_wide_inherit_fd(crond_t) domain_use_wide_inherit_fd(crond_t)
files_read_generic_etc_files(crond_t) files_read_etc_files(crond_t)
files_read_spools(crond_t) files_read_generic_spools(crond_t)
init_use_fd(crond_t) init_use_fd(crond_t)
init_use_script_pty(crond_t) init_use_script_pty(crond_t)
@ -112,7 +112,7 @@ logging_send_syslog_msg(crond_t)
seutil_read_config(crond_t) seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t) seutil_read_default_contexts(crond_t)
seutil_newrole_sigchld(crond_t) seutil_sigchld_newrole(crond_t)
miscfiles_read_localization(crond_t) miscfiles_read_localization(crond_t)
@ -206,7 +206,7 @@ allow system_crond_t crond_t:process sigchld;
# Write /var/lock/makewhatis.lock. # Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file create_file_perms; allow system_crond_t system_crond_lock_t:file create_file_perms;
files_create_lock_file(system_crond_t,system_crond_lock_t) files_create_lock(system_crond_t,system_crond_lock_t)
# write temporary files # write temporary files
allow system_crond_t system_crond_tmp_t:file create_file_perms; allow system_crond_t system_crond_tmp_t:file create_file_perms;
@ -254,18 +254,18 @@ corecmd_exec_sbin(system_crond_t)
domain_exec_all_entry_files(system_crond_t) domain_exec_all_entry_files(system_crond_t)
files_exec_generic_etc_files(system_crond_t) files_exec_etc_files(system_crond_t)
files_read_generic_etc_files(system_crond_t) files_read_etc_files(system_crond_t)
files_read_etc_runtime_files(system_crond_t) files_read_etc_runtime_files(system_crond_t)
files_list_all_dirs(system_crond_t) files_list_all_dirs(system_crond_t)
files_getattr_all_files(system_crond_t) files_getattr_all_files(system_crond_t)
files_read_usr_files(system_crond_t) files_read_usr_files(system_crond_t)
files_read_var_file(system_crond_t) files_read_var_files(system_crond_t)
# for nscd: # for nscd:
files_dontaudit_search_pids(system_crond_t) files_dontaudit_search_pids(system_crond_t)
# Access other spool directories like # Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull. # /var/spool/anacron and /var/spool/slrnpull.
files_manage_spools(system_crond_t) files_manage_generic_spools(system_crond_t)
init_use_fd(system_crond_t) init_use_fd(system_crond_t)
init_use_script_fd(system_crond_t) init_use_script_fd(system_crond_t)

View File

@ -94,7 +94,7 @@ corecmd_read_sbin_symlink(inetd_t)
domain_use_wide_inherit_fd(inetd_t) domain_use_wide_inherit_fd(inetd_t)
files_read_generic_etc_files(inetd_t) files_read_etc_files(inetd_t)
init_use_fd(inetd_t) init_use_fd(inetd_t)
init_use_script_pty(inetd_t) init_use_script_pty(inetd_t)
@ -121,7 +121,7 @@ optional_policy(`mount.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(inetd_t) seutil_sigchld_newrole(inetd_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
@ -199,7 +199,7 @@ dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t)
files_read_generic_etc_files(inetd_child_t) files_read_etc_files(inetd_child_t)
libs_use_ld_so(inetd_child_t) libs_use_ld_so(inetd_child_t)
libs_use_shared_libs(inetd_child_t) libs_use_shared_libs(inetd_child_t)

View File

@ -54,7 +54,7 @@ template(`mta_per_userdomain_template',`
corecmd_exec_bin($1_mail_t) corecmd_exec_bin($1_mail_t)
files_read_generic_etc_files($1_mail_t) files_read_etc_files($1_mail_t)
logging_send_syslog_msg($1_mail_t) logging_send_syslog_msg($1_mail_t)

View File

@ -7,21 +7,21 @@ policy_module(mta,1.0)
# #
type etc_aliases_t; type etc_aliases_t;
files_file_type(etc_aliases_t) files_type(etc_aliases_t)
type etc_mail_t; type etc_mail_t;
files_file_type(etc_mail_t) files_type(etc_mail_t)
attribute mailserver_domain; attribute mailserver_domain;
type mqueue_spool_t; type mqueue_spool_t;
files_file_type(mqueue_spool_t) files_type(mqueue_spool_t)
type mail_spool_t; type mail_spool_t;
files_file_type(mail_spool_t) files_type(mail_spool_t)
type sendmail_exec_t; type sendmail_exec_t;
files_file_type(sendmail_exec_t) files_type(sendmail_exec_t)
type system_mail_t; #, user_mail_domain, nscd_client_domain; type system_mail_t; #, user_mail_domain, nscd_client_domain;
domain_type(system_mail_t) domain_type(system_mail_t)
@ -67,7 +67,7 @@ fs_getattr_xattr_fs(system_mail_t)
init_use_script_pty(system_mail_t) init_use_script_pty(system_mail_t)
files_read_etc_runtime_files(system_mail_t) files_read_etc_runtime_files(system_mail_t)
files_read_generic_etc_files(system_mail_t) files_read_etc_files(system_mail_t)
# It wants to check for nscd # It wants to check for nscd
files_dontaudit_search_pids(system_mail_t) files_dontaudit_search_pids(system_mail_t)
@ -146,7 +146,7 @@ ifdef(`targeted_policy', `
ifdef(`postfix.te', `', ` ifdef(`postfix.te', `', `
domain_exec_all_entry_files(system_mail_t) domain_exec_all_entry_files(system_mail_t)
files_exec_generic_etc_files(system_mail_t) files_exec_etc_files(system_mail_t)
corecmd_exec_bin(system_mail_t) corecmd_exec_bin(system_mail_t)
corecmd_exec_sbin(system_mail_t) corecmd_exec_sbin(system_mail_t)
libs_use_ld_so(system_mail_t) libs_use_ld_so(system_mail_t)

View File

@ -7,7 +7,7 @@ policy_module(nis,1.0)
# #
type var_yp_t; type var_yp_t;
files_file_type(var_yp_t) files_type(var_yp_t)
type ypbind_t; type ypbind_t;
type ypbind_exec_t; type ypbind_exec_t;
@ -24,7 +24,7 @@ type ypserv_exec_t;
init_daemon_domain(ypserv_t,ypserv_exec_t) init_daemon_domain(ypserv_t,ypserv_exec_t)
type ypserv_conf_t; type ypserv_conf_t;
files_file_type(ypserv_conf_t) files_type(ypserv_conf_t)
type ypserv_tmp_t; type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t) files_tmp_file(ypserv_tmp_t)
@ -83,7 +83,7 @@ term_dontaudit_use_console(ypbind_t)
domain_use_wide_inherit_fd(ypbind_t) domain_use_wide_inherit_fd(ypbind_t)
files_read_generic_etc_files(ypbind_t) files_read_etc_files(ypbind_t)
init_use_fd(ypbind_t) init_use_fd(ypbind_t)
init_use_script_pty(ypbind_t) init_use_script_pty(ypbind_t)
@ -111,7 +111,7 @@ optional_policy(`mount.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(ypbind_t) seutil_sigchld_newrole(ypbind_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
@ -200,7 +200,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(ypserv_t) seutil_sigchld_newrole(ypserv_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `

View File

@ -65,7 +65,7 @@ auth_manage_pam_console_data(remote_login_t)
domain_read_all_entry_files(remote_login_t) domain_read_all_entry_files(remote_login_t)
files_read_generic_etc_files(remote_login_t) files_read_etc_files(remote_login_t)
files_read_etc_runtime_files(remote_login_t) files_read_etc_runtime_files(remote_login_t)
files_list_home(remote_login_t) files_list_home(remote_login_t)
files_read_usr_files(remote_login_t) files_read_usr_files(remote_login_t)

View File

@ -63,7 +63,7 @@ term_dontaudit_use_console(sendmail_t)
domain_use_wide_inherit_fd(sendmail_t) domain_use_wide_inherit_fd(sendmail_t)
files_read_generic_etc_files(sendmail_t) files_read_etc_files(sendmail_t)
files_search_spool(sendmail_t) files_search_spool(sendmail_t)
init_use_fd(sendmail_t) init_use_fd(sendmail_t)
@ -100,7 +100,7 @@ optional_policy(`nis.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(sendmail_t) seutil_sigchld_newrole(sendmail_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `

View File

@ -28,7 +28,7 @@ template(`ssh_per_userdomain_template',`
# #
type $1_home_ssh_t; #, $1_file_type; type $1_home_ssh_t; #, $1_file_type;
files_file_type($1_home_ssh_t) files_type($1_home_ssh_t)
role $1_r types $1_ssh_t; role $1_r types $1_ssh_t;
type $1_ssh_t; #, nscd_client_domain; type $1_ssh_t; #, nscd_client_domain;
@ -109,7 +109,7 @@ template(`ssh_per_userdomain_template',`
files_list_home($1_ssh_t) files_list_home($1_ssh_t)
files_read_usr_files($1_ssh_t) files_read_usr_files($1_ssh_t)
files_read_etc_runtime_files($1_ssh_t) files_read_etc_runtime_files($1_ssh_t)
files_read_generic_etc_files($1_ssh_t) files_read_etc_files($1_ssh_t)
libs_use_ld_so($1_ssh_t) libs_use_ld_so($1_ssh_t)
libs_use_shared_libs($1_ssh_t) libs_use_shared_libs($1_ssh_t)
@ -248,7 +248,7 @@ template(`ssh_per_userdomain_template',`
domain_use_wide_inherit_fd($1_ssh_agent_t) domain_use_wide_inherit_fd($1_ssh_agent_t)
files_read_generic_etc_files($1_ssh_agent_t) files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t)
libs_read_lib($1_ssh_agent_t) libs_read_lib($1_ssh_agent_t)
@ -343,11 +343,11 @@ template(`ssh_per_userdomain_template',`
## </p> ## </p>
## </desc> ## </desc>
## <param name="userdomain_prefix"> ## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user ## The prefix of the server domain (e.g., sshd
## is the prefix for user_t). ## is the prefix for sshd_t).
## </param> ## </param>
# #
template(`sshd_program_domain', ` template(`ssh_server_template', `
type $1_t, ssh_server; #, nscd_client_domain; type $1_t, ssh_server; #, nscd_client_domain;
role system_r types $1_t; role system_r types $1_t;
@ -413,7 +413,7 @@ template(`sshd_program_domain', `
domain_role_change_exempt($1_t) domain_role_change_exempt($1_t)
domain_obj_id_change_exempt($1_t) domain_obj_id_change_exempt($1_t)
files_read_generic_etc_files($1_t) files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t) files_read_etc_runtime_files($1_t)
init_rw_script_pid($1_t) init_rw_script_pid($1_t)

View File

@ -10,18 +10,18 @@ attribute ssh_server;
# Type for the ssh-agent executable. # Type for the ssh-agent executable.
type ssh_agent_exec_t; type ssh_agent_exec_t;
files_file_type(ssh_agent_exec_t) files_type(ssh_agent_exec_t)
# ssh client executable. # ssh client executable.
type ssh_exec_t; type ssh_exec_t;
files_file_type(ssh_exec_t) files_type(ssh_exec_t)
type ssh_keygen_t; type ssh_keygen_t;
type ssh_keygen_exec_t; type ssh_keygen_exec_t;
init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t) init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
role system_r types ssh_keygen_t; role system_r types ssh_keygen_t;
sshd_program_domain(sshd) ssh_server_template(sshd)
optional_policy(`inetd.te',` optional_policy(`inetd.te',`
# CJP: commenting this out until typeattribute works in a conditional # CJP: commenting this out until typeattribute works in a conditional
@ -37,12 +37,12 @@ optional_policy(`inetd.te',`
') ')
type sshd_exec_t; type sshd_exec_t;
files_file_type(sshd_exec_t) files_type(sshd_exec_t)
sshd_program_domain(sshd_extern) ssh_server_template(sshd_extern)
type sshd_key_t; type sshd_key_t;
files_file_type(sshd_key_t) files_type(sshd_key_t)
type sshd_tmp_t; type sshd_tmp_t;
files_tmp_file(sshd_tmp_t) files_tmp_file(sshd_tmp_t)
@ -191,7 +191,7 @@ term_dontaudit_use_console(ssh_keygen_t)
domain_use_wide_inherit_fd(ssh_keygen_t) domain_use_wide_inherit_fd(ssh_keygen_t)
files_read_generic_etc_files(ssh_keygen_t) files_read_etc_files(ssh_keygen_t)
init_use_fd(ssh_keygen_t) init_use_fd(ssh_keygen_t)
init_use_script_pty(ssh_keygen_t) init_use_script_pty(ssh_keygen_t)
@ -222,7 +222,7 @@ optional_policy(`rhgb.te', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(ssh_keygen_t) seutil_sigchld_newrole(ssh_keygen_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `

View File

@ -57,7 +57,7 @@ template(`authlogin_per_userdomain_template',`
libs_use_ld_so($1_chkpwd_t) libs_use_ld_so($1_chkpwd_t)
libs_use_shared_libs($1_chkpwd_t) libs_use_shared_libs($1_chkpwd_t)
files_read_generic_etc_files($1_chkpwd_t) files_read_etc_files($1_chkpwd_t)
# for nscd # for nscd
files_dontaudit_search_var($1_chkpwd_t) files_dontaudit_search_var($1_chkpwd_t)

View File

@ -11,7 +11,7 @@ attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords; attribute can_relabelto_shadow_passwords;
type chkpwd_exec_t; type chkpwd_exec_t;
files_file_type(chkpwd_exec_t) files_type(chkpwd_exec_t)
type faillog_t; type faillog_t;
logging_log_file(faillog_t) logging_log_file(faillog_t)
@ -20,7 +20,7 @@ type lastlog_t;
logging_log_file(lastlog_t) logging_log_file(lastlog_t)
type login_exec_t; type login_exec_t;
files_file_type(login_exec_t) files_type(login_exec_t)
type pam_console_t; type pam_console_t;
type pam_console_exec_t; type pam_console_exec_t;
@ -40,13 +40,13 @@ type pam_tmp_t;
files_tmp_file(pam_tmp_t) files_tmp_file(pam_tmp_t)
type pam_var_console_t; #, nscd_client_domain type pam_var_console_t; #, nscd_client_domain
files_file_type(pam_var_console_t) files_type(pam_var_console_t)
type pam_var_run_t; type pam_var_run_t;
files_pid_file(pam_var_run_t) files_pid_file(pam_var_run_t)
type shadow_t; type shadow_t;
files_file_type(shadow_t) files_type(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
@ -100,7 +100,7 @@ term_use_all_user_ptys(pam_t)
init_dontaudit_rw_script_pid(pam_t) init_dontaudit_rw_script_pid(pam_t)
files_read_generic_etc_files(pam_t) files_read_etc_files(pam_t)
files_list_pids(pam_t) files_list_pids(pam_t)
libs_use_ld_so(pam_t) libs_use_ld_so(pam_t)
@ -172,7 +172,7 @@ term_setattr_unallocated_ttys(pam_console_t)
domain_use_wide_inherit_fd(pam_console_t) domain_use_wide_inherit_fd(pam_console_t)
files_read_generic_etc_files(pam_console_t) files_read_etc_files(pam_console_t)
files_search_pids(pam_console_t) files_search_pids(pam_console_t)
files_list_mnt(pam_console_t) files_list_mnt(pam_console_t)
@ -204,7 +204,7 @@ optional_policy(`hotplug.te', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(pam_console_t) seutil_sigchld_newrole(pam_console_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
@ -244,7 +244,7 @@ fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
term_use_unallocated_tty(system_chkpwd_t) term_use_unallocated_tty(system_chkpwd_t)
files_read_generic_etc_files(system_chkpwd_t) files_read_etc_files(system_chkpwd_t)
# for nscd # for nscd
files_dontaudit_search_var(system_chkpwd_t) files_dontaudit_search_var(system_chkpwd_t)
@ -297,7 +297,7 @@ term_dontaudit_use_ptmx(utempter_t)
init_rw_script_pid(utempter_t) init_rw_script_pid(utempter_t)
files_read_generic_etc_files(utempter_t) files_read_etc_files(utempter_t)
domain_use_wide_inherit_fd(utempter_t) domain_use_wide_inherit_fd(utempter_t)

View File

@ -7,7 +7,7 @@ policy_module(clock,1.0)
# #
type adjtime_t; type adjtime_t;
files_file_type(adjtime_t) files_type(adjtime_t)
type hwclock_t; type hwclock_t;
type hwclock_exec_t; type hwclock_exec_t;
@ -65,7 +65,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(hwclock_t) seutil_sigchld_newrole(hwclock_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `

View File

@ -5,25 +5,25 @@ policy_module(corecommands,1.0)
# bin_t is the type of files in the system bin directories. # bin_t is the type of files in the system bin directories.
# #
type bin_t; type bin_t;
files_file_type(bin_t) files_type(bin_t)
# #
# sbin_t is the type of files in the system sbin directories. # sbin_t is the type of files in the system sbin directories.
# #
type sbin_t; type sbin_t;
files_file_type(sbin_t) files_type(sbin_t)
# #
# ls_exec_t is the type of the ls program. # ls_exec_t is the type of the ls program.
# #
type ls_exec_t; type ls_exec_t;
files_file_type(ls_exec_t) files_type(ls_exec_t)
# #
# shell_exec_t is the type of user shells such as /bin/bash. # shell_exec_t is the type of user shells such as /bin/bash.
# #
type shell_exec_t; type shell_exec_t;
files_file_type(shell_exec_t) files_type(shell_exec_t)
type chroot_exec_t; type chroot_exec_t;
files_file_type(chroot_exec_t) files_type(chroot_exec_t)

View File

@ -61,7 +61,7 @@ interface(`domain_entry_file',`
class file entrypoint; class file entrypoint;
') ')
files_file_type($2) files_type($2)
allow $1 $2:file entrypoint; allow $1 $2:file entrypoint;
typeattribute $2 entry_type; typeattribute $2 entry_type;
') ')

View File

@ -17,9 +17,9 @@
######################################## ########################################
# #
# files_file_type(type) # files_type(type)
# #
interface(`files_file_type',` interface(`files_type',`
gen_require(` gen_require(`
attribute file_type; attribute file_type;
') ')
@ -38,7 +38,7 @@ interface(`files_lock_file',`
attribute lockfile; attribute lockfile;
') ')
files_file_type($1) files_type($1)
typeattribute $1 lockfile; typeattribute $1 lockfile;
') ')
@ -51,7 +51,7 @@ interface(`files_mountpoint',`
attribute mountpoint; attribute mountpoint;
') ')
files_file_type($1) files_type($1)
typeattribute $1 mountpoint; typeattribute $1 mountpoint;
') ')
@ -64,7 +64,7 @@ interface(`files_pid_file',`
attribute pidfile; attribute pidfile;
') ')
files_file_type($1) files_type($1)
typeattribute $1 pidfile; typeattribute $1 pidfile;
') ')
@ -77,7 +77,7 @@ interface(`files_tmp_file',`
attribute tmpfile; attribute tmpfile;
') ')
files_file_type($1) files_type($1)
typeattribute $1 tmpfile; typeattribute $1 tmpfile;
') ')
@ -95,7 +95,7 @@ interface(`files_tmpfs_file',`
attribute tmpfsfile; attribute tmpfsfile;
') ')
files_file_type($1) files_type($1)
fs_associate_tmpfs($1) fs_associate_tmpfs($1)
typeattribute $1 tmpfsfile; typeattribute $1 tmpfsfile;
') ')
@ -439,9 +439,9 @@ interface(`files_list_etc',`
######################################## ########################################
# #
# files_read_generic_etc_files(domain) # files_read_etc_files(domain)
# #
interface(`files_read_generic_etc_files',` interface(`files_read_etc_files',`
gen_require(` gen_require(`
type etc_t; type etc_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -456,9 +456,9 @@ interface(`files_read_generic_etc_files',`
######################################## ########################################
# #
# files_rw_generic_etc_files(domain) # files_rw_etc_files(domain)
# #
interface(`files_rw_generic_etc_files',` interface(`files_rw_etc_files',`
gen_require(` gen_require(`
type etc_t; type etc_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -473,9 +473,9 @@ interface(`files_rw_generic_etc_files',`
######################################## ########################################
# #
# files_manage_generic_etc_files(domain) # files_manage_etc_files(domain)
# #
interface(`files_manage_generic_etc_files',` interface(`files_manage_etc_files',`
gen_require(` gen_require(`
type etc_t; type etc_t;
class dir rw_dir_perms; class dir rw_dir_perms;
@ -496,7 +496,7 @@ interface(`files_manage_generic_etc_files',`
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`files_delete_generic_etc_files',` interface(`files_delete_etc_files',`
gen_require(` gen_require(`
type etc_t; type etc_t;
class dir rw_dir_perms; class dir rw_dir_perms;
@ -509,9 +509,9 @@ interface(`files_delete_generic_etc_files',`
######################################## ########################################
# #
# files_exec_generic_etc_files(domain) # files_exec_etc_files(domain)
# #
interface(`files_exec_generic_etc_files',` interface(`files_exec_etc_files',`
gen_require(` gen_require(`
type etc_t; type etc_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -591,7 +591,6 @@ interface(`files_create_etc_config',`
') ')
') ')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to search directories on new filesystems ## Do not audit attempts to search directories on new filesystems
@ -908,9 +907,9 @@ interface(`files_exec_usr_files',`
######################################## ########################################
# #
# files_read_usr_src(domain) # files_read_usr_src_files(domain)
# #
interface(`files_read_usr_src',` interface(`files_read_usr_src_files',`
gen_require(` gen_require(`
type usr_t, src_t; type usr_t, src_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -957,7 +956,7 @@ interface(`files_dontaudit_search_var',`
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`files_read_var_file',` interface(`files_read_var_files',`
gen_require(` gen_require(`
type var_t; type var_t;
class dir search; class dir search;
@ -1003,9 +1002,9 @@ interface(`files_manage_urandom_seed',`
######################################## ########################################
# #
# files_getattr_generic_lock_files(domain) # files_getattr_generic_locks(domain)
# #
interface(`files_getattr_generic_lock_files',` interface(`files_getattr_generic_locks',`
gen_require(` gen_require(`
type var_lock_t; type var_lock_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -1018,9 +1017,9 @@ interface(`files_getattr_generic_lock_files',`
######################################## ########################################
# #
# files_manage_generic_lock_files(domain) # files_manage_generic_locks(domain)
# #
interface(`files_manage_generic_lock_files',` interface(`files_manage_generic_locks',`
gen_require(` gen_require(`
type var_lock_t; type var_lock_t;
class dir { getattr search create read write setattr add_name remove_name rmdir }; class dir { getattr search create read write setattr add_name remove_name rmdir };
@ -1033,9 +1032,9 @@ interface(`files_manage_generic_lock_files',`
######################################## ########################################
# #
# files_delete_all_lock_files(domain) # files_delete_all_locks(domain)
# #
interface(`files_delete_all_lock_files',` interface(`files_delete_all_locks',`
gen_require(` gen_require(`
attribute lockfile; attribute lockfile;
class dir rw_dir_perms; class dir rw_dir_perms;
@ -1048,9 +1047,9 @@ interface(`files_delete_all_lock_files',`
######################################## ########################################
# #
# files_create_lock_file(domain,private_type,[object class(es)]) # files_create_lock(domain,private_type,[object class(es)])
# #
interface(`files_create_lock_file',` interface(`files_create_lock',`
gen_require(` gen_require(`
type var_t, var_lock_t; type var_t, var_lock_t;
class dir rw_dir_perms; class dir rw_dir_perms;
@ -1246,9 +1245,9 @@ interface(`files_list_spool',`
######################################## ########################################
# #
# files_manage_spool_dirs(domain) # files_manage_generic_spool_dirs(domain)
# #
interface(`files_manage_spool_dirs',` interface(`files_manage_generic_spool_dirs',`
gen_require(` gen_require(`
type var_t, var_spool_t; type var_t, var_spool_t;
class dir create_dir_perms; class dir create_dir_perms;
@ -1260,9 +1259,9 @@ interface(`files_manage_spool_dirs',`
######################################## ########################################
# #
# files_read_spools(domain) # files_read_generic_spools(domain)
# #
interface(`files_read_spools',` interface(`files_read_generic_spools',`
gen_require(` gen_require(`
type var_t, var_spool_t; type var_t, var_spool_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -1276,9 +1275,9 @@ interface(`files_read_spools',`
######################################## ########################################
# #
# files_manage_spools(domain) # files_manage_generic_spools(domain)
# #
interface(`files_manage_spools',` interface(`files_manage_generic_spools',`
gen_require(` gen_require(`
type var_t, var_spool_t; type var_t, var_spool_t;
class dir rw_dir_perms; class dir rw_dir_perms;

View File

@ -14,7 +14,7 @@ type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t) files_tmp_file(fsadm_tmp_t)
type swapfile_t; type swapfile_t;
files_file_type(swapfile_t) files_type(swapfile_t)
######################################## ########################################
@ -73,7 +73,7 @@ domain_use_wide_inherit_fd(fsadm_t)
files_list_home(fsadm_t) files_list_home(fsadm_t)
files_read_usr_files(fsadm_t) files_read_usr_files(fsadm_t)
files_read_generic_etc_files(fsadm_t) files_read_etc_files(fsadm_t)
files_list_mnt(fsadm_t) files_list_mnt(fsadm_t)
files_manage_lost_found(fsadm_t) files_manage_lost_found(fsadm_t)
# Write to /etc/mtab. # Write to /etc/mtab.

View File

@ -59,9 +59,9 @@ auth_rw_login_records(getty_t)
corecmd_search_bin(getty_t) corecmd_search_bin(getty_t)
files_rw_generic_pids(getty_t) files_rw_generic_pids(getty_t)
files_manage_generic_lock_files(getty_t) files_manage_generic_locks(getty_t)
files_read_etc_runtime_files(getty_t) files_read_etc_runtime_files(getty_t)
files_read_generic_etc_files(getty_t) files_read_etc_files(getty_t)
init_rw_script_pid(getty_t) init_rw_script_pid(getty_t)
init_use_script_pty(getty_t) init_use_script_pty(getty_t)

View File

@ -41,7 +41,7 @@ init_use_script_pty(hostname_t)
domain_use_wide_inherit_fd(hostname_t) domain_use_wide_inherit_fd(hostname_t)
files_read_generic_etc_files(hostname_t) files_read_etc_files(hostname_t)
files_dontaudit_search_var(hostname_t) files_dontaudit_search_var(hostname_t)
# for when /usr is not mounted: # for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(hostname_t) files_dontaudit_search_isid_type_dir(hostname_t)
@ -81,7 +81,7 @@ optional_policy(`hotplug.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(hostname_t) seutil_sigchld_newrole(hostname_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `

View File

@ -12,7 +12,7 @@ kernel_userland_entry(hotplug_t,hotplug_exec_t)
init_system_domain(hotplug_t,hotplug_exec_t) init_system_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t; #, usercanread; type hotplug_etc_t; #, usercanread;
files_file_type(hotplug_etc_t) files_type(hotplug_etc_t)
type hotplug_var_run_t; type hotplug_var_run_t;
files_pid_file(hotplug_var_run_t) files_pid_file(hotplug_var_run_t)
@ -78,9 +78,9 @@ corecmd_exec_sbin(hotplug_t)
domain_use_wide_inherit_fd(hotplug_t) domain_use_wide_inherit_fd(hotplug_t)
files_read_generic_etc_files(hotplug_t) files_read_etc_files(hotplug_t)
files_manage_etc_runtime_files(hotplug_t) files_manage_etc_runtime_files(hotplug_t)
files_exec_generic_etc_files(hotplug_t) files_exec_etc_files(hotplug_t)
# for when filesystems are not mounted early in the boot: # for when filesystems are not mounted early in the boot:
files_dontaudit_search_isid_type_dir(hotplug_t) files_dontaudit_search_isid_type_dir(hotplug_t)
@ -102,7 +102,7 @@ libs_use_shared_libs(hotplug_t)
libs_read_lib(hotplug_t) libs_read_lib(hotplug_t)
modutils_domtrans_insmod(hotplug_t) modutils_domtrans_insmod(hotplug_t)
modutils_read_kernel_module_dependencies(hotplug_t) modutils_read_mods_deps(hotplug_t)
miscfiles_read_localization(hotplug_t) miscfiles_read_localization(hotplug_t)
@ -118,7 +118,7 @@ ifdef(`distro_redhat', `
netutils_domtrans(hotplug_t) netutils_domtrans(hotplug_t)
fs_use_tmpfs_character_devices(hotplug_t) fs_use_tmpfs_character_devices(hotplug_t)
') ')
files_getattr_generic_lock_files(hotplug_t) files_getattr_generic_locks(hotplug_t)
') ')
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
@ -152,7 +152,7 @@ optional_policy(`nis.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(hotplug_t) seutil_sigchld_newrole(hotplug_t)
') ')
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`

View File

@ -32,7 +32,7 @@ files_pid_file(init_var_run_t)
# to communicate with init. # to communicate with init.
# #
type initctl_t; type initctl_t;
files_file_type(initctl_t) files_type(initctl_t)
type initrc_t; type initrc_t;
domain_type(initrc_t) domain_type(initrc_t)
@ -50,7 +50,7 @@ type initrc_var_run_t;
files_pid_file(initrc_var_run_t) files_pid_file(initrc_var_run_t)
type initrc_state_t; type initrc_state_t;
files_file_type(initrc_state_t) files_type(initrc_state_t)
type initrc_tmp_t; type initrc_tmp_t;
files_tmp_file(initrc_tmp_t) files_tmp_file(initrc_tmp_t)
@ -108,12 +108,12 @@ domain_sigstop_all_domains(init_t)
domain_sigstop_all_domains(init_t) domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t) domain_sigchld_all_domains(init_t)
files_read_generic_etc_files(init_t) files_read_etc_files(init_t)
files_rw_generic_pids(init_t) files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dir(init_t) files_dontaudit_search_isid_type_dir(init_t)
files_manage_etc_runtime_files(init_t) files_manage_etc_runtime_files(init_t)
# Run /etc/X11/prefdm: # Run /etc/X11/prefdm:
files_exec_generic_etc_files(init_t) files_exec_etc_files(init_t)
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
files_dontaudit_rw_root_file(init_t) files_dontaudit_rw_root_file(init_t)
files_dontaudit_rw_root_chr_dev(init_t) files_dontaudit_rw_root_chr_dev(init_t)
@ -260,16 +260,16 @@ domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
files_delete_all_tmp_files(initrc_t) files_delete_all_tmp_files(initrc_t)
files_delete_all_lock_files(initrc_t) files_delete_all_locks(initrc_t)
files_read_all_pids(initrc_t) files_read_all_pids(initrc_t)
files_delete_all_pids(initrc_t) files_delete_all_pids(initrc_t)
files_read_generic_etc_files(initrc_t) files_read_etc_files(initrc_t)
files_manage_etc_runtime_files(initrc_t) files_manage_etc_runtime_files(initrc_t)
files_manage_generic_lock_files(initrc_t) files_manage_generic_locks(initrc_t)
files_exec_generic_etc_files(initrc_t) files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_spools(initrc_t) files_manage_generic_spools(initrc_t)
libs_rw_ld_so_cache(initrc_t) libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t) libs_use_ld_so(initrc_t)
@ -340,7 +340,7 @@ optional_policy(`hotplug.te',`
# init scripts run /etc/hotplug/usb.rc # init scripts run /etc/hotplug/usb.rc
hotplug_read_config(initrc_t) hotplug_read_config(initrc_t)
modutils_read_kernel_module_dependencies(initrc_t) modutils_read_mods_deps(initrc_t)
') ')
optional_policy(`lvm.te',` optional_policy(`lvm.te',`

View File

@ -52,7 +52,7 @@ term_dontaudit_use_console(iptables_t)
domain_use_wide_inherit_fd(iptables_t) domain_use_wide_inherit_fd(iptables_t)
files_read_generic_etc_files(iptables_t) files_read_etc_files(iptables_t)
init_use_fd(iptables_t) init_use_fd(iptables_t)
init_use_script_pty(iptables_t) init_use_script_pty(iptables_t)
@ -103,7 +103,7 @@ optional_policy(`nis.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(iptables_t) seutil_sigchld_newrole(iptables_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `

View File

@ -10,33 +10,33 @@ policy_module(libraries,1.0)
# ld_so_cache_t is the type of /etc/ld.so.cache. # ld_so_cache_t is the type of /etc/ld.so.cache.
# #
type ld_so_cache_t; type ld_so_cache_t;
files_file_type(ld_so_cache_t) files_type(ld_so_cache_t)
# #
# ld_so_t is the type of the system dynamic loaders. # ld_so_t is the type of the system dynamic loaders.
# #
type ld_so_t; type ld_so_t;
files_file_type(ld_so_t) files_type(ld_so_t)
# #
# lib_t is the type of files in the system lib directories. # lib_t is the type of files in the system lib directories.
# #
type lib_t; type lib_t;
files_file_type(lib_t) files_type(lib_t)
# #
# shlib_t is the type of shared objects in the system lib # shlib_t is the type of shared objects in the system lib
# directories. # directories.
# #
type shlib_t; type shlib_t;
files_file_type(shlib_t) files_type(shlib_t)
# #
# texrel_shlib_t is the type of shared objects in the system lib # texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation. # directories, which require text relocation.
# #
type texrel_shlib_t; type texrel_shlib_t;
files_file_type(texrel_shlib_t) files_type(texrel_shlib_t)
######################################## ########################################
# #
@ -65,9 +65,9 @@ fs_getattr_xattr_fs(ldconfig_t)
domain_use_wide_inherit_fd(ldconfig_t) domain_use_wide_inherit_fd(ldconfig_t)
files_search_var_lib(ldconfig_t) files_search_var_lib(ldconfig_t)
files_read_generic_etc_files(ldconfig_t) files_read_etc_files(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled: # for when /etc/ld.so.cache is mislabeled:
files_delete_generic_etc_files(ldconfig_t) files_delete_etc_files(ldconfig_t)
init_use_script_pty(ldconfig_t) init_use_script_pty(ldconfig_t)

View File

@ -16,7 +16,7 @@ domain_wide_inherit_fd(local_login_t)
role system_r types local_login_t; role system_r types local_login_t;
type local_login_tmp_t; type local_login_tmp_t;
files_file_type(local_login_tmp_t) files_type(local_login_tmp_t)
type sulogin_t; type sulogin_t;
type sulogin_exec_t; type sulogin_exec_t;
@ -102,10 +102,10 @@ auth_manage_pam_console_data(local_login_t)
domain_read_all_entry_files(local_login_t) domain_read_all_entry_files(local_login_t)
files_read_generic_etc_files(local_login_t) files_read_etc_files(local_login_t)
files_read_etc_runtime_files(local_login_t) files_read_etc_runtime_files(local_login_t)
files_read_usr_files(local_login_t) files_read_usr_files(local_login_t)
files_manage_generic_lock_files(var_lock_t) files_manage_generic_locks(var_lock_t)
init_rw_script_pid(local_login_t) init_rw_script_pid(local_login_t)
init_dontaudit_use_fd(local_login_t) init_dontaudit_use_fd(local_login_t)
@ -223,7 +223,7 @@ kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t) fs_search_auto_mountpoints(sulogin_t)
files_read_generic_etc_files(sulogin_t) files_read_etc_files(sulogin_t)
# because file systems are not mounted: # because file systems are not mounted:
files_dontaudit_search_isid_type_dir(sulogin_t) files_dontaudit_search_isid_type_dir(sulogin_t)

View File

@ -9,7 +9,7 @@ interface(`logging_log_file',`
attribute logfile; attribute logfile;
') ')
files_file_type($1) files_type($1)
typeattribute $1 logfile; typeattribute $1 logfile;
') ')
@ -143,10 +143,16 @@ interface(`logging_read_all_logs',`
allow $1 logfile:file r_file_perms; allow $1 logfile:file r_file_perms;
') ')
####################################### ########################################
# ## <summary>
# logging_exec_all_logs(domain) ## Execute all log files in the caller domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
# #
# cjp: not sure why this is needed. This was added
# because of logrotate.
interface(`logging_exec_all_logs',` interface(`logging_exec_all_logs',`
gen_require(` gen_require(`
attribute logfile; attribute logfile;

View File

@ -19,7 +19,7 @@ type auditd_var_run_t;
files_pid_file(auditd_var_run_t) files_pid_file(auditd_var_run_t)
type devlog_t; type devlog_t;
files_file_type(devlog_t) files_type(devlog_t)
type klogd_t; type klogd_t;
type klogd_exec_t; type klogd_exec_t;
@ -42,7 +42,7 @@ type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t) files_pid_file(syslogd_var_run_t)
type var_log_t, logfile; type var_log_t, logfile;
files_file_type(var_log_t) files_type(var_log_t)
######################################## ########################################
# #
@ -72,7 +72,7 @@ init_use_script_pty(auditd_t)
domain_use_wide_inherit_fd(auditd_t) domain_use_wide_inherit_fd(auditd_t)
files_read_generic_etc_files(auditd_t) files_read_etc_files(auditd_t)
logging_send_syslog_msg(auditd_t) logging_send_syslog_msg(auditd_t)
@ -90,7 +90,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(auditd_t) seutil_sigchld_newrole(auditd_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
@ -139,7 +139,7 @@ fs_getattr_all_fs(klogd_t)
files_create_pid(klogd_t,klogd_var_run_t) files_create_pid(klogd_t,klogd_var_run_t)
files_read_etc_runtime_files(klogd_t) files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf # read /etc/nsswitch.conf
files_read_generic_etc_files(klogd_t) files_read_etc_files(klogd_t)
init_use_fd(klogd_t) init_use_fd(klogd_t)
@ -219,7 +219,7 @@ init_use_script_pty(syslogd_t)
domain_use_wide_inherit_fd(syslogd_t) domain_use_wide_inherit_fd(syslogd_t)
files_read_generic_etc_files(syslogd_t) files_read_etc_files(syslogd_t)
libs_use_ld_so(syslogd_t) libs_use_ld_so(syslogd_t)
libs_use_shared_libs(syslogd_t) libs_use_shared_libs(syslogd_t)
@ -262,7 +262,7 @@ optional_policy(`nis.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(syslogd_t) seutil_sigchld_newrole(syslogd_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `

View File

@ -15,13 +15,13 @@ domain_obj_id_change_exempt(lvm_t)
role system_r types lvm_t; role system_r types lvm_t;
type lvm_etc_t; type lvm_etc_t;
files_file_type(lvm_etc_t) files_type(lvm_etc_t)
type lvm_lock_t; type lvm_lock_t;
files_lock_file(lvm_lock_t) files_lock_file(lvm_lock_t)
type lvm_metadata_t; type lvm_metadata_t;
files_file_type(lvm_metadata_t) files_type(lvm_metadata_t)
type lvm_tmp_t; type lvm_tmp_t;
files_tmp_file(lvm_tmp_t) files_tmp_file(lvm_tmp_t)
@ -57,7 +57,7 @@ can_exec(lvm_t, lvm_exec_t)
# Creating lock files # Creating lock files
allow lvm_t lvm_lock_t:dir rw_dir_perms; allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms; allow lvm_t lvm_lock_t:file create_file_perms;
files_create_lock_file(lvm_t,lvm_lock_t) files_create_lock(lvm_t,lvm_lock_t)
allow lvm_t lvm_etc_t:file r_file_perms; allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms; allow lvm_t lvm_etc_t:lnk_file r_file_perms;
@ -111,7 +111,7 @@ storage_relabel_fixed_disk(lvm_t)
# depending on its version # depending on its version
# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>) # LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
# and links from /dev/<vg> to /dev/mapper/<vg>-<lv> # and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
storage_create_fixed_disk_dev_entry(lvm_t) storage_create_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed? # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t) storage_manage_fixed_disk(lvm_t)
@ -123,7 +123,7 @@ corecmd_dontaudit_getattr_sbin_file(lvm_t)
domain_use_wide_inherit_fd(lvm_t) domain_use_wide_inherit_fd(lvm_t)
files_search_var(lvm_t) files_search_var(lvm_t)
files_read_generic_etc_files(lvm_t) files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t) files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted: # for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(lvm_t) files_dontaudit_search_isid_type_dir(lvm_t)
@ -141,7 +141,7 @@ miscfiles_read_localization(lvm_t)
seutil_read_config(lvm_t) seutil_read_config(lvm_t)
seutil_read_file_contexts(lvm_t) seutil_read_file_contexts(lvm_t)
seutil_newrole_sigchld(lvm_t) seutil_sigchld_newrole(lvm_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# this is from the initrd: # this is from the initrd:

View File

@ -5,41 +5,41 @@ policy_module(miscfiles,1.0)
# catman_t is the type for /var/catman. # catman_t is the type for /var/catman.
# #
type catman_t; # , tmpfile; type catman_t; # , tmpfile;
files_file_type(catman_t) files_type(catman_t)
# #
# cert_t is the type of files in the system certs directories. # cert_t is the type of files in the system certs directories.
# #
type cert_t; type cert_t;
files_file_type(cert_t) files_type(cert_t)
# #
# fonts_t is the type of various font # fonts_t is the type of various font
# files in /usr # files in /usr
# #
type fonts_t; type fonts_t;
files_file_type(fonts_t) files_type(fonts_t)
# #
# locale_t is the type for system localization # locale_t is the type for system localization
# #
type locale_t; type locale_t;
files_file_type(locale_t) files_type(locale_t)
# #
# man_t is the type for the man directories. # man_t is the type for the man directories.
# #
type man_t; type man_t;
files_file_type(man_t) files_type(man_t)
# #
# Base type for the tests directory. # Base type for the tests directory.
# #
type test_file_t; type test_file_t;
files_file_type(test_file_t) files_type(test_file_t)
# #
# for /var/{spool,lib}/texmf index files # for /var/{spool,lib}/texmf index files
# #
type tetex_data_t; # , tmpfile; type tetex_data_t; # , tmpfile;
files_file_type(tetex_data_t) files_type(tetex_data_t)

View File

@ -8,7 +8,7 @@
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`modutils_read_kernel_module_dependencies',` interface(`modutils_read_mods_deps',`
gen_require(` gen_require(`
type modules_dep_t; type modules_dep_t;
class file r_file_perms; class file r_file_perms;
@ -36,7 +36,7 @@ interface(`modutils_read_module_conf',`
# This file type can be in /etc or # This file type can be in /etc or
# /lib(64)?/modules # /lib(64)?/modules
files_search_etc($1) files_search_etc($1)
bootloader_search_boot_dir($1) bootloader_search_boot($1)
allow $1 modules_conf_t:file r_file_perms; allow $1 modules_conf_t:file r_file_perms;
') ')

View File

@ -8,11 +8,11 @@ policy_module(modutils,1.0)
# module loading config # module loading config
type modules_conf_t; type modules_conf_t;
files_file_type(modules_conf_t) files_type(modules_conf_t)
# module dependencies # module dependencies
type modules_dep_t; type modules_dep_t;
files_file_type(modules_dep_t) files_type(modules_dep_t)
type insmod_t; type insmod_t;
type insmod_exec_t; type insmod_exec_t;
@ -78,9 +78,9 @@ domain_signal_all_domains(insmod_t)
domain_use_wide_inherit_fd(insmod_t) domain_use_wide_inherit_fd(insmod_t)
files_read_etc_runtime_files(insmod_t) files_read_etc_runtime_files(insmod_t)
files_read_generic_etc_files(insmod_t) files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t) files_read_usr_files(insmod_t)
files_exec_generic_etc_files(insmod_t) files_exec_etc_files(insmod_t)
# for nscd: # for nscd:
files_dontaudit_search_pids(insmod_t) files_dontaudit_search_pids(insmod_t)
# for when /var is not mounted early in the boot: # for when /var is not mounted early in the boot:
@ -127,7 +127,7 @@ can_exec(depmod_t, depmod_exec_t)
allow depmod_t modules_conf_t:file r_file_perms; allow depmod_t modules_conf_t:file r_file_perms;
allow depmod_t modules_dep_t:file create_file_perms; allow depmod_t modules_dep_t:file create_file_perms;
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t) bootloader_create_modules(depmod_t,modules_dep_t)
kernel_read_system_state(depmod_t) kernel_read_system_state(depmod_t)
@ -148,8 +148,8 @@ init_use_script_fd(depmod_t)
init_use_script_pty(depmod_t) init_use_script_pty(depmod_t)
files_read_etc_runtime_files(depmod_t) files_read_etc_runtime_files(depmod_t)
files_read_generic_etc_files(depmod_t) files_read_etc_files(depmod_t)
files_read_usr_src(depmod_t) files_read_usr_src_files(depmod_t)
libs_use_ld_so(depmod_t) libs_use_ld_so(depmod_t)
libs_use_shared_libs(depmod_t) libs_use_shared_libs(depmod_t)
@ -177,7 +177,7 @@ can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration # manage module loading configuration
allow update_modules_t modules_conf_t:file create_file_perms; allow update_modules_t modules_conf_t:file create_file_perms;
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t) bootloader_create_modules(update_modules_t,modules_conf_t)
files_create_etc_config(update_modules_t,modules_conf_t) files_create_etc_config(update_modules_t,modules_conf_t)
# transition to depmod # transition to depmod
@ -203,8 +203,8 @@ init_use_script_pty(depmod_t)
domain_use_wide_inherit_fd(depmod_t) domain_use_wide_inherit_fd(depmod_t)
files_read_etc_runtime_files(update_modules_t) files_read_etc_runtime_files(update_modules_t)
files_read_generic_etc_files(update_modules_t) files_read_etc_files(update_modules_t)
files_exec_generic_etc_files(update_modules_t) files_exec_etc_files(update_modules_t)
corecmd_exec_bin(update_modules_t) corecmd_exec_bin(update_modules_t)
corecmd_exec_sbin(update_modules_t) corecmd_exec_sbin(update_modules_t)

View File

@ -55,7 +55,7 @@ corecmd_exec_bin(mount_t)
domain_use_wide_inherit_fd(mount_t) domain_use_wide_inherit_fd(mount_t)
files_search_all_dirs(mount_t) files_search_all_dirs(mount_t)
files_read_generic_etc_files(mount_t) files_read_etc_files(mount_t)
files_manage_etc_runtime_files(mount_t) files_manage_etc_runtime_files(mount_t)
files_mounton_all_mountpoints(mount_t) files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t) files_unmount_rootfs(mount_t)

View File

@ -224,7 +224,7 @@ interface(`seutil_exec_newrole',`
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`seutil_dontaudit_newrole_signal',` interface(`seutil_dontaudit_signal_newrole',`
gen_require(` gen_require(`
type newrole_t; type newrole_t;
class process signal; class process signal;
@ -235,9 +235,9 @@ interface(`seutil_dontaudit_newrole_signal',`
####################################### #######################################
# #
# seutil_newrole_sigchld(domain) # seutil_sigchld_newrole(domain)
# #
interface(`seutil_newrole_sigchld',` interface(`seutil_sigchld_newrole',`
gen_require(` gen_require(`
type newrole_t; type newrole_t;
class process sigchld; class process sigchld;

View File

@ -21,14 +21,14 @@ domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
# /etc/selinux/*/contexts/* # /etc/selinux/*/contexts/*
# #
type default_context_t; type default_context_t;
files_file_type(default_context_t) files_type(default_context_t)
# #
# file_context_t is the type applied to # file_context_t is the type applied to
# /etc/selinux/*/contexts/files # /etc/selinux/*/contexts/files
# #
type file_context_t; type file_context_t;
files_file_type(file_context_t) files_type(file_context_t)
type load_policy_t; type load_policy_t;
domain_type(load_policy_t) domain_type(load_policy_t)
@ -51,7 +51,7 @@ domain_entry_file(newrole_t,newrole_exec_t)
# the security server policy configuration. # the security server policy configuration.
# #
type policy_config_t; type policy_config_t;
files_file_type(policy_config_t) files_type(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append }; neverallow ~can_write_binary_policy policy_config_t:file { write append };
@ -61,7 +61,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
# files. # files.
# #
type policy_src_t; type policy_src_t;
files_file_type(policy_src_t) files_type(policy_src_t)
type restorecon_t, can_relabelto_binary_policy; type restorecon_t, can_relabelto_binary_policy;
type restorecon_exec_t; type restorecon_exec_t;
@ -80,7 +80,7 @@ domain_entry_file(run_init_t,run_init_exec_t)
# /etc/selinux/config # /etc/selinux/config
# #
type selinux_config_t; type selinux_config_t;
files_file_type(selinux_config_t) files_type(selinux_config_t)
type setfiles_t, can_relabelto_binary_policy; type setfiles_t, can_relabelto_binary_policy;
domain_obj_id_change_exempt(setfiles_t) domain_obj_id_change_exempt(setfiles_t)
@ -216,7 +216,7 @@ domain_use_wide_inherit_fd(newrole_t)
# Write to utmp. # Write to utmp.
init_rw_script_pid(newrole_t) init_rw_script_pid(newrole_t)
files_read_generic_etc_files(newrole_t) files_read_etc_files(newrole_t)
libs_use_ld_so(newrole_t) libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t) libs_use_shared_libs(newrole_t)
@ -284,7 +284,7 @@ init_use_script_pty(restorecon_t)
domain_use_wide_inherit_fd(restorecon_t) domain_use_wide_inherit_fd(restorecon_t)
files_read_etc_runtime_files(restorecon_t) files_read_etc_runtime_files(restorecon_t)
files_read_generic_etc_files(restorecon_t) files_read_etc_files(restorecon_t)
libs_use_ld_so(restorecon_t) libs_use_ld_so(restorecon_t)
libs_use_shared_libs(restorecon_t) libs_use_shared_libs(restorecon_t)
@ -362,7 +362,7 @@ ifdef(`targeted_policy',`',`
domain_use_wide_inherit_fd(run_init_t) domain_use_wide_inherit_fd(run_init_t)
files_read_generic_etc_files(run_init_t) files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t) files_dontaudit_search_all_dirs(run_init_t)
init_domtrans_script(run_init_t) init_domtrans_script(run_init_t)
@ -427,7 +427,7 @@ libs_use_ld_so(setfiles_t)
libs_use_shared_libs(setfiles_t) libs_use_shared_libs(setfiles_t)
files_read_etc_runtime_files(setfiles_t) files_read_etc_runtime_files(setfiles_t)
files_read_generic_etc_files(setfiles_t) files_read_etc_files(setfiles_t)
logging_send_syslog_msg(setfiles_t) logging_send_syslog_msg(setfiles_t)

View File

@ -9,11 +9,11 @@ policy_module(sysnetwork,1.0)
# this is shared between dhcpc and dhcpd: # this is shared between dhcpc and dhcpd:
type dhcp_etc_t; #, usercanread; type dhcp_etc_t; #, usercanread;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
files_file_type(dhcp_etc_t) files_type(dhcp_etc_t)
# this is shared between dhcpc and dhcpd: # this is shared between dhcpc and dhcpd:
type dhcp_state_t; type dhcp_state_t;
files_file_type(dhcp_state_t) files_type(dhcp_state_t)
type dhcpc_t; type dhcpc_t;
type dhcpc_exec_t; type dhcpc_exec_t;
@ -21,7 +21,7 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t; role system_r types dhcpc_t;
type dhcpc_state_t; type dhcpc_state_t;
files_file_type(dhcpc_state_t) files_type(dhcpc_state_t)
type dhcpc_tmp_t; type dhcpc_tmp_t;
files_tmp_file(dhcpc_tmp_t) files_tmp_file(dhcpc_tmp_t)
@ -35,7 +35,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t; role system_r types ifconfig_t;
type net_conf_t alias resolv_conf_t; type net_conf_t alias resolv_conf_t;
files_file_type(net_conf_t) files_type(net_conf_t)
######################################## ########################################
# #
@ -118,7 +118,7 @@ corecmd_exec_shell(dhcpc_t)
domain_use_wide_inherit_fd(dhcpc_t) domain_use_wide_inherit_fd(dhcpc_t)
files_read_generic_etc_files(dhcpc_t) files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t)
init_use_fd(dhcpc_t) init_use_fd(dhcpc_t)
@ -135,7 +135,7 @@ miscfiles_read_localization(dhcpc_t)
modutils_domtrans_insmod(dhcpc_t) modutils_domtrans_insmod(dhcpc_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
files_exec_generic_etc_files(dhcpc_t) files_exec_etc_files(dhcpc_t)
') ')
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
@ -171,7 +171,7 @@ optional_policy(`ntpd.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
seutil_newrole_sigchld(dhcpc_t) seutil_sigchld_newrole(dhcpc_t)
') ')
optional_policy(`udev.te',` optional_policy(`udev.te',`
@ -257,7 +257,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip # for /sbin/ip
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl }; allow ifconfig_t self:tcp_socket { create ioctl };
files_read_generic_etc_files(ifconfig_t); files_read_etc_files(ifconfig_t);
kernel_use_fd(ifconfig_t) kernel_use_fd(ifconfig_t)
kernel_read_system_state(ifconfig_t) kernel_read_system_state(ifconfig_t)

View File

@ -16,15 +16,15 @@ domain_wide_inherit_fd(udev_t)
init_daemon_domain(udev_t,udev_exec_t) init_daemon_domain(udev_t,udev_exec_t)
type udev_etc_t alias etc_udev_t; type udev_etc_t alias etc_udev_t;
files_file_type(udev_etc_t) files_type(udev_etc_t)
# udev_runtime_t is the type of the udev table file # udev_runtime_t is the type of the udev table file
# cjp: this is probably a copy of udev_tbl_t and can be removed # cjp: this is probably a copy of udev_tbl_t and can be removed
type udev_runtime_t; type udev_runtime_t;
files_file_type(udev_runtime_t) files_type(udev_runtime_t)
type udev_tbl_t alias udev_tdb_t; type udev_tbl_t alias udev_tdb_t;
files_file_type(udev_tbl_t) files_type(udev_tbl_t)
type udev_var_run_t; type udev_var_run_t;
files_pid_file(udev_var_run_t) files_pid_file(udev_var_run_t)
@ -91,8 +91,8 @@ domain_exec_all_entry_files(udev_t)
domain_dontaudit_list_all_domains_proc(udev_t) domain_dontaudit_list_all_domains_proc(udev_t)
files_read_etc_runtime_files(udev_t) files_read_etc_runtime_files(udev_t)
files_read_generic_etc_files(udev_t) files_read_etc_files(udev_t)
files_exec_generic_etc_files(udev_t) files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dir(udev_t) files_dontaudit_search_isid_type_dir(udev_t)
init_use_fd(udev_t) init_use_fd(udev_t)

View File

@ -1,12 +1,28 @@
## <summary>Policy for user domains</summary> ## <summary>Policy for user domains</summary>
######################################## #######################################
## <summary>
## The template containing rules common to unprivileged
## users and administrative users.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
## </p>
## <p>
## This generally should not be used, rather the
## unpriv_user_template or admin_user_template should
## be used.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
# #
# Base user domain template template(`base_user_template',`
#
# This is common to user and admin domain
template(`base_user_domain',`
attribute $1_file_type; attribute $1_file_type;
@ -22,11 +38,11 @@ template(`base_user_domain',`
# type for contents of home directory # type for contents of home directory
type $1_home_t, $1_file_type, home_type; type $1_home_t, $1_file_type, home_type;
files_file_type($1_home_t) files_type($1_home_t)
# type of home directory # type of home directory
type $1_home_dir_t, home_dir_type, home_type; type $1_home_dir_t, home_dir_type, home_type;
files_file_type($1_home_t) files_type($1_home_t)
type $1_tmp_t, $1_file_type; type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t) files_tmp_file($1_tmp_t)
@ -154,8 +170,8 @@ template(`base_user_domain',`
domain_exec_all_entry_files($1_t) domain_exec_all_entry_files($1_t)
domain_use_wide_inherit_fd($1_t) domain_use_wide_inherit_fd($1_t)
files_exec_generic_etc_files($1_t) files_exec_etc_files($1_t)
files_read_usr_src($1_t) files_read_usr_src_files($1_t)
# Caused by su - init scripts # Caused by su - init scripts
init_dontaudit_use_script_pty($1_t) init_dontaudit_use_script_pty($1_t)
@ -392,19 +408,30 @@ template(`base_user_domain',`
')dnl end base_user_domain macro ')dnl end base_user_domain macro
######################################## #######################################
## <summary>
## The template for creating a unprivileged user.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
# #
# User domain template template(`unpriv_user_template', `
#
template(`user_domain_template', `
############################## ##############################
# #
# Declarations # Declarations
# #
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
base_user_domain($1) base_user_template($1)
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
domain_wide_inherit_fd($1_t) domain_wide_inherit_fd($1_t)
@ -455,7 +482,7 @@ template(`user_domain_template', `
# port access is audited even if dac would not have allowed it, so dontaudit it here # port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
files_read_generic_etc_files($1_t) files_read_etc_files($1_t)
files_list_home($1_t) files_list_home($1_t)
files_read_usr_files($1_t) files_read_usr_files($1_t)
@ -494,7 +521,7 @@ template(`user_domain_template', `
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
# for when the network connection is killed # for when the network connection is killed
seutil_dontaudit_newrole_signal($1_t) seutil_dontaudit_signal_newrole($1_t)
') ')
# Need the following rule to allow users to run vpnc # Need the following rule to allow users to run vpnc
@ -594,18 +621,44 @@ template(`user_domain_template', `
') dnl end TODO ') dnl end TODO
') ')
######################################## #######################################
## <summary>
## The template for creating an administrative user.
## </summary>
## <desc>
## <p>
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
## </p>
## </desc>
## <secdesc>
## The privileges given to administrative users are:
## <ul>
## <li>Raw disk access</li>
## <li>Set all sysctls</li>
## <li>All kernel ring buffer controls</li>
## <li>Set SELinux enforcement mode (enforcing/permissive)</li>
## <li>Set SELinux booleans</li>
## <li>Relabel all files but shadow</li>
## <li>Create, read, write, and delete all files but shadow</li>
## <li>Manage source and binary format SELinux policy</li>
## <li>Run insmod</li>
## </ul>
## </secdesc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t).
## </param>
# #
# Admin domain template template(`admin_user_template',`
#
template(`admin_domain_template',`
############################## ##############################
# #
# Declarations # Declarations
# #
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
base_user_domain($1) base_user_template($1)
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
domain_obj_id_change_exempt($1_t) domain_obj_id_change_exempt($1_t)
@ -658,6 +711,14 @@ template(`admin_domain_template',`
kernel_read_ring_buffer($1_t) kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t) kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctl($1_t) kernel_rw_all_sysctl($1_t)
# signal unlabeled processes:
kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
selinux_set_enforce_mode($1_t) selinux_set_enforce_mode($1_t)
selinux_set_boolean($1_t) selinux_set_boolean($1_t)
selinux_set_parameters($1_t) selinux_set_parameters($1_t)
@ -668,12 +729,6 @@ template(`admin_domain_template',`
selinux_compute_create_context($1_t) selinux_compute_create_context($1_t)
selinux_compute_relabel_context($1_t) selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t) selinux_compute_user_contexts($1_t)
# signal unlabeled processes:
kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
corenet_tcp_bind_generic_port($1_t) corenet_tcp_bind_generic_port($1_t)

View File

@ -29,9 +29,9 @@ attribute userdomain;
# unprivileged user domains # unprivileged user domains
attribute unpriv_userdomain; attribute unpriv_userdomain;
admin_domain_template(sysadm) admin_user_template(sysadm)
user_domain_template(staff) unpriv_user_template(staff)
user_domain_template(user) unpriv_user_template(user)
######################################## ########################################
# #