another round of renaming, for consistency
parent
743b65115c
commit
8fd3673225
@ -59,7 +59,7 @@ ifdef(`targeted_policy', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(dmesg_t)
|
seutil_sigchld_newrole(dmesg_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
|
@ -12,13 +12,13 @@ domain_obj_id_change_exempt(logrotate_t)
|
|||||||
role system_r types logrotate_t;
|
role system_r types logrotate_t;
|
||||||
|
|
||||||
type logrotate_exec_t;
|
type logrotate_exec_t;
|
||||||
files_file_type(logrotate_exec_t)
|
files_type(logrotate_exec_t)
|
||||||
|
|
||||||
type logrotate_tmp_t;
|
type logrotate_tmp_t;
|
||||||
files_tmp_file(logrotate_tmp_t)
|
files_tmp_file(logrotate_tmp_t)
|
||||||
|
|
||||||
type logrotate_var_lib_t;
|
type logrotate_var_lib_t;
|
||||||
files_file_type(logrotate_var_lib_t)
|
files_type(logrotate_var_lib_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -76,13 +76,13 @@ domain_signal_all_domains(logrotate_t)
|
|||||||
domain_use_wide_inherit_fd(logrotate_t)
|
domain_use_wide_inherit_fd(logrotate_t)
|
||||||
|
|
||||||
files_read_usr_files(logrotate_t)
|
files_read_usr_files(logrotate_t)
|
||||||
files_read_generic_etc_files(logrotate_t)
|
files_read_etc_files(logrotate_t)
|
||||||
files_read_etc_runtime_files(logrotate_t)
|
files_read_etc_runtime_files(logrotate_t)
|
||||||
files_manage_generic_lock_files(logrotate_t)
|
files_manage_generic_locks(logrotate_t)
|
||||||
files_read_all_pids(logrotate_t)
|
files_read_all_pids(logrotate_t)
|
||||||
# Write to /var/spool/slrnpull - should be moved into its own type.
|
# Write to /var/spool/slrnpull - should be moved into its own type.
|
||||||
files_manage_spools(logrotate_t)
|
files_manage_generic_spools(logrotate_t)
|
||||||
files_manage_spool_dirs(logrotate_t)
|
files_manage_generic_spool_dirs(logrotate_t)
|
||||||
|
|
||||||
hostname_exec(logrotate_t)
|
hostname_exec(logrotate_t)
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ fs_getattr_xattr_fs(netutils_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(netutils_t)
|
domain_use_wide_inherit_fd(netutils_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(netutils_t)
|
files_read_etc_files(netutils_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_dontaudit_search_var(netutils_t)
|
files_dontaudit_search_var(netutils_t)
|
||||||
|
|
||||||
@ -110,7 +110,7 @@ fs_dontaudit_getattr_xattr_fs(ping_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(ping_t)
|
domain_use_wide_inherit_fd(ping_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(ping_t)
|
files_read_etc_files(ping_t)
|
||||||
files_dontaudit_search_var(ping_t)
|
files_dontaudit_search_var(ping_t)
|
||||||
|
|
||||||
libs_use_ld_so(ping_t)
|
libs_use_ld_so(ping_t)
|
||||||
@ -166,7 +166,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(traceroute_t)
|
domain_use_wide_inherit_fd(traceroute_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(traceroute_t)
|
files_read_etc_files(traceroute_t)
|
||||||
files_dontaudit_search_var(traceroute_t)
|
files_dontaudit_search_var(traceroute_t)
|
||||||
|
|
||||||
libs_use_ld_so(traceroute_t)
|
libs_use_ld_so(traceroute_t)
|
||||||
|
@ -14,7 +14,7 @@ domain_wide_inherit_fd(rpm_t)
|
|||||||
role system_r types rpm_t;
|
role system_r types rpm_t;
|
||||||
|
|
||||||
type rpm_file_t;
|
type rpm_file_t;
|
||||||
files_file_type(rpm_file_t)
|
files_type(rpm_file_t)
|
||||||
|
|
||||||
type rpm_tmp_t;
|
type rpm_tmp_t;
|
||||||
files_tmp_file(rpm_tmp_t)
|
files_tmp_file(rpm_tmp_t)
|
||||||
@ -26,7 +26,7 @@ type rpm_log_t;
|
|||||||
logging_log_file(rpm_log_t)
|
logging_log_file(rpm_log_t)
|
||||||
|
|
||||||
type rpm_var_lib_t;
|
type rpm_var_lib_t;
|
||||||
files_file_type(rpm_var_lib_t)
|
files_type(rpm_var_lib_t)
|
||||||
typealias rpm_var_lib_t alias var_lib_rpm_t;
|
typealias rpm_var_lib_t alias var_lib_rpm_t;
|
||||||
|
|
||||||
type rpm_script_t; #, admin, privmem, priv_system_role;
|
type rpm_script_t; #, admin, privmem, priv_system_role;
|
||||||
@ -138,7 +138,7 @@ domain_exec_all_entry_files(rpm_t)
|
|||||||
domain_read_all_domains_state(rpm_t)
|
domain_read_all_domains_state(rpm_t)
|
||||||
domain_use_wide_inherit_fd(rpm_t)
|
domain_use_wide_inherit_fd(rpm_t)
|
||||||
|
|
||||||
files_exec_generic_etc_files(rpm_t)
|
files_exec_etc_files(rpm_t)
|
||||||
|
|
||||||
init_domtrans_script(rpm_t)
|
init_domtrans_script(rpm_t)
|
||||||
|
|
||||||
@ -287,7 +287,7 @@ domain_exec_all_entry_files(rpm_script_t)
|
|||||||
domain_signal_all_domains(rpm_script_t)
|
domain_signal_all_domains(rpm_script_t)
|
||||||
domain_signull_all_domains(rpm_script_t)
|
domain_signull_all_domains(rpm_script_t)
|
||||||
|
|
||||||
files_exec_generic_etc_files(rpm_script_t)
|
files_exec_etc_files(rpm_script_t)
|
||||||
files_read_etc_runtime_files(rpm_script_t)
|
files_read_etc_runtime_files(rpm_script_t)
|
||||||
|
|
||||||
init_domtrans_script(rpm_script_t)
|
init_domtrans_script(rpm_script_t)
|
||||||
|
@ -7,7 +7,7 @@ policy_module(usermanage,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type admin_passwd_exec_t;
|
type admin_passwd_exec_t;
|
||||||
files_file_type(admin_passwd_exec_t)
|
files_type(admin_passwd_exec_t)
|
||||||
|
|
||||||
type chfn_t;
|
type chfn_t;
|
||||||
domain_obj_id_change_exempt(chfn_t)
|
domain_obj_id_change_exempt(chfn_t)
|
||||||
@ -24,7 +24,7 @@ type crack_exec_t;
|
|||||||
domain_entry_file(crack_t,crack_exec_t)
|
domain_entry_file(crack_t,crack_exec_t)
|
||||||
|
|
||||||
type crack_db_t; #, usercanread;
|
type crack_db_t; #, usercanread;
|
||||||
files_file_type(crack_db_t)
|
files_type(crack_db_t)
|
||||||
|
|
||||||
type crack_tmp_t;
|
type crack_tmp_t;
|
||||||
files_tmp_file(crack_tmp_t)
|
files_tmp_file(crack_tmp_t)
|
||||||
@ -49,7 +49,7 @@ domain_type(sysadm_passwd_t)
|
|||||||
domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
|
domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
|
||||||
|
|
||||||
type sysadm_passwd_tmp_t;
|
type sysadm_passwd_tmp_t;
|
||||||
files_file_type(sysadm_passwd_tmp_t)
|
files_type(sysadm_passwd_tmp_t)
|
||||||
|
|
||||||
type useradd_t; # nscd_client_domain;
|
type useradd_t; # nscd_client_domain;
|
||||||
type useradd_exec_t;
|
type useradd_exec_t;
|
||||||
@ -95,7 +95,7 @@ dev_read_urand(chfn_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(chfn_t)
|
domain_use_wide_inherit_fd(chfn_t)
|
||||||
|
|
||||||
files_manage_generic_etc_files(chfn_t)
|
files_manage_etc_files(chfn_t)
|
||||||
files_read_etc_runtime_files(chfn_t)
|
files_read_etc_runtime_files(chfn_t)
|
||||||
files_dontaudit_search_var(chfn_t)
|
files_dontaudit_search_var(chfn_t)
|
||||||
|
|
||||||
@ -165,7 +165,7 @@ dev_read_urand(crack_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(crack_t)
|
fs_getattr_xattr_fs(crack_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(crack_t)
|
files_read_etc_files(crack_t)
|
||||||
files_read_etc_runtime_files(crack_t)
|
files_read_etc_runtime_files(crack_t)
|
||||||
# for dictionaries
|
# for dictionaries
|
||||||
files_read_usr_files(crack_t)
|
files_read_usr_files(crack_t)
|
||||||
@ -228,7 +228,7 @@ init_dontaudit_write_script_pid(groupadd_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(groupadd_t)
|
domain_use_wide_inherit_fd(groupadd_t)
|
||||||
|
|
||||||
files_manage_generic_etc_files(groupadd_t)
|
files_manage_etc_files(groupadd_t)
|
||||||
|
|
||||||
libs_use_ld_so(groupadd_t)
|
libs_use_ld_so(groupadd_t)
|
||||||
libs_use_shared_libs(groupadd_t)
|
libs_use_shared_libs(groupadd_t)
|
||||||
@ -306,7 +306,7 @@ init_dontaudit_rw_script_pid(passwd_t)
|
|||||||
domain_use_wide_inherit_fd(passwd_t)
|
domain_use_wide_inherit_fd(passwd_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(passwd_t)
|
files_read_etc_runtime_files(passwd_t)
|
||||||
files_manage_generic_etc_files(passwd_t)
|
files_manage_etc_files(passwd_t)
|
||||||
files_search_var(passwd_t)
|
files_search_var(passwd_t)
|
||||||
|
|
||||||
libs_use_ld_so(passwd_t)
|
libs_use_ld_so(passwd_t)
|
||||||
@ -405,7 +405,7 @@ files_read_usr_files(sysadm_passwd_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(sysadm_passwd_t)
|
domain_use_wide_inherit_fd(sysadm_passwd_t)
|
||||||
|
|
||||||
files_manage_generic_etc_files(sysadm_passwd_t)
|
files_manage_etc_files(sysadm_passwd_t)
|
||||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||||
|
|
||||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||||
@ -496,7 +496,7 @@ corecmd_exec_sbin(useradd_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(useradd_t)
|
domain_use_wide_inherit_fd(useradd_t)
|
||||||
|
|
||||||
files_manage_generic_etc_files(useradd_t)
|
files_manage_etc_files(useradd_t)
|
||||||
|
|
||||||
init_use_fd(useradd_t)
|
init_use_fd(useradd_t)
|
||||||
init_rw_script_pid(useradd_t)
|
init_rw_script_pid(useradd_t)
|
||||||
|
@ -44,7 +44,7 @@ template(`gpg_per_userdomain_template',`
|
|||||||
files_tmp_file($1_gpg_agent_tmp_t)
|
files_tmp_file($1_gpg_agent_tmp_t)
|
||||||
|
|
||||||
type $1_gpg_secret_t; #, $1_file_type;
|
type $1_gpg_secret_t; #, $1_file_type;
|
||||||
files_file_type($1_gpg_secret_t)
|
files_type($1_gpg_secret_t)
|
||||||
|
|
||||||
type $1_gpg_helper_t;
|
type $1_gpg_helper_t;
|
||||||
domain_type($1_gpg_helper_t)
|
domain_type($1_gpg_helper_t)
|
||||||
@ -95,7 +95,7 @@ template(`gpg_per_userdomain_template',`
|
|||||||
|
|
||||||
fs_getattr_xattr_fs($1_gpg_t)
|
fs_getattr_xattr_fs($1_gpg_t)
|
||||||
|
|
||||||
files_read_generic_etc_files($1_gpg_t)
|
files_read_etc_files($1_gpg_t)
|
||||||
files_read_usr_files($1_gpg_t)
|
files_read_usr_files($1_gpg_t)
|
||||||
|
|
||||||
libs_use_shared_libs($1_gpg_t)
|
libs_use_shared_libs($1_gpg_t)
|
||||||
@ -210,7 +210,7 @@ template(`gpg_per_userdomain_template',`
|
|||||||
|
|
||||||
dev_read_urand($1_gpg_helper_t)
|
dev_read_urand($1_gpg_helper_t)
|
||||||
|
|
||||||
files_read_generic_etc_files($1_gpg_helper_t)
|
files_read_etc_files($1_gpg_helper_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_dontaudit_search_var($1_gpg_helper_t)
|
files_dontaudit_search_var($1_gpg_helper_t)
|
||||||
|
|
||||||
@ -322,7 +322,7 @@ template(`gpg_per_userdomain_template',`
|
|||||||
|
|
||||||
files_read_usr_files($1_gpg_pinentry_t)
|
files_read_usr_files($1_gpg_pinentry_t)
|
||||||
# read /etc/X11/qtrc
|
# read /etc/X11/qtrc
|
||||||
files_read_generic_etc_files($1_gpg_pinentry_t)
|
files_read_etc_files($1_gpg_pinentry_t)
|
||||||
|
|
||||||
libs_use_ld_so($1_gpg_pinentry_t)
|
libs_use_ld_so($1_gpg_pinentry_t)
|
||||||
libs_use_shared_libs($1_gpg_pinentry_t)
|
libs_use_shared_libs($1_gpg_pinentry_t)
|
||||||
|
@ -9,16 +9,16 @@ policy_module(gpg, 1.0)
|
|||||||
# Type for gpg or pgp executables.
|
# Type for gpg or pgp executables.
|
||||||
type gpg_exec_t;
|
type gpg_exec_t;
|
||||||
type gpg_helper_exec_t;
|
type gpg_helper_exec_t;
|
||||||
files_file_type(gpg_exec_t)
|
files_type(gpg_exec_t)
|
||||||
files_file_type(gpg_helper_exec_t)
|
files_type(gpg_helper_exec_t)
|
||||||
|
|
||||||
# Type for the gpg-agent executable.
|
# Type for the gpg-agent executable.
|
||||||
type gpg_agent_exec_t;
|
type gpg_agent_exec_t;
|
||||||
files_file_type(gpg_agent_exec_t)
|
files_type(gpg_agent_exec_t)
|
||||||
|
|
||||||
# type for the pinentry executable
|
# type for the pinentry executable
|
||||||
type pinentry_exec_t;
|
type pinentry_exec_t;
|
||||||
files_file_type(pinentry_exec_t)
|
files_type(pinentry_exec_t)
|
||||||
|
|
||||||
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
|
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
|
||||||
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
|
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
|
||||||
|
@ -59,7 +59,7 @@ interface(`bootloader_run',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`bootloader_search_boot_dir',`
|
interface(`bootloader_search_boot',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type boot_t;
|
type boot_t;
|
||||||
class dir search;
|
class dir search;
|
||||||
@ -362,9 +362,9 @@ interface(`bootloader_manage_kernel_modules',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)])
|
# bootloader_create_modules(domain,privatetype,[class(es)])
|
||||||
#
|
#
|
||||||
interface(`bootloader_create_private_module_dir_entry',`
|
interface(`bootloader_create_modules',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
|
@ -12,7 +12,7 @@ attribute rw_kern_modules;
|
|||||||
# boot_t is the type for files in /boot
|
# boot_t is the type for files in /boot
|
||||||
#
|
#
|
||||||
type boot_t;
|
type boot_t;
|
||||||
files_file_type(boot_t)
|
files_type(boot_t)
|
||||||
files_mountpoint(boot_t)
|
files_mountpoint(boot_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -21,7 +21,7 @@ files_mountpoint(boot_t)
|
|||||||
# only for Red Hat
|
# only for Red Hat
|
||||||
#
|
#
|
||||||
type boot_runtime_t;
|
type boot_runtime_t;
|
||||||
files_file_type(boot_runtime_t)
|
files_type(boot_runtime_t)
|
||||||
|
|
||||||
type bootloader_t;
|
type bootloader_t;
|
||||||
domain_type(bootloader_t)
|
domain_type(bootloader_t)
|
||||||
@ -35,7 +35,7 @@ domain_entry_file(bootloader_t,bootloader_exec_t)
|
|||||||
# grub.conf, lilo.conf, etc.
|
# grub.conf, lilo.conf, etc.
|
||||||
#
|
#
|
||||||
type bootloader_etc_t alias etc_bootloader_t;
|
type bootloader_etc_t alias etc_bootloader_t;
|
||||||
files_file_type(bootloader_etc_t)
|
files_type(bootloader_etc_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# The temp file is used for initrd creation;
|
# The temp file is used for initrd creation;
|
||||||
@ -47,7 +47,7 @@ dev_node(bootloader_tmp_t)
|
|||||||
|
|
||||||
# kernel modules
|
# kernel modules
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
files_file_type(modules_object_t)
|
files_type(modules_object_t)
|
||||||
|
|
||||||
neverallow ~rw_kern_modules modules_object_t:file { create append write };
|
neverallow ~rw_kern_modules modules_object_t:file { create append write };
|
||||||
|
|
||||||
@ -55,7 +55,7 @@ neverallow ~rw_kern_modules modules_object_t:file { create append write };
|
|||||||
# system_map_t is for the system.map files in /boot
|
# system_map_t is for the system.map files in /boot
|
||||||
#
|
#
|
||||||
type system_map_t;
|
type system_map_t;
|
||||||
files_file_type(system_map_t)
|
files_type(system_map_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -122,11 +122,11 @@ libs_use_ld_so(bootloader_t)
|
|||||||
libs_use_shared_libs(bootloader_t)
|
libs_use_shared_libs(bootloader_t)
|
||||||
libs_read_lib(bootloader_t)
|
libs_read_lib(bootloader_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(bootloader_t)
|
files_read_etc_files(bootloader_t)
|
||||||
files_read_etc_runtime_files(bootloader_t)
|
files_read_etc_runtime_files(bootloader_t)
|
||||||
files_read_usr_src(bootloader_t)
|
files_read_usr_src_files(bootloader_t)
|
||||||
files_read_usr_files(bootloader_t)
|
files_read_usr_files(bootloader_t)
|
||||||
files_read_var_file(bootloader_t)
|
files_read_var_files(bootloader_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_dontaudit_search_pids(bootloader_t)
|
files_dontaudit_search_pids(bootloader_t)
|
||||||
|
|
||||||
@ -185,7 +185,7 @@ optional_policy(`lvm.te',`
|
|||||||
|
|
||||||
optional_policy(`modutils.te',`
|
optional_policy(`modutils.te',`
|
||||||
modutils_exec_insmod(insmod_t)
|
modutils_exec_insmod(insmod_t)
|
||||||
modutils_read_kernel_module_dependencies(bootloader_t)
|
modutils_read_mods_deps(bootloader_t)
|
||||||
modutils_read_module_conf(bootloader_t)
|
modutils_read_module_conf(bootloader_t)
|
||||||
modutils_exec_insmod(bootloader_t)
|
modutils_exec_insmod(bootloader_t)
|
||||||
modutils_exec_depmod(bootloader_t)
|
modutils_exec_depmod(bootloader_t)
|
||||||
|
@ -9,7 +9,7 @@ attribute memory_raw_write;
|
|||||||
# device_t is the type of /dev.
|
# device_t is the type of /dev.
|
||||||
#
|
#
|
||||||
type device_t;
|
type device_t;
|
||||||
files_file_type(device_t)
|
files_type(device_t)
|
||||||
files_mountpoint(device_t)
|
files_mountpoint(device_t)
|
||||||
fs_associate_tmpfs(device_t)
|
fs_associate_tmpfs(device_t)
|
||||||
|
|
||||||
|
@ -62,7 +62,7 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
|
|||||||
# tmpfs_t is the type for tmpfs filesystems
|
# tmpfs_t is the type for tmpfs filesystems
|
||||||
#
|
#
|
||||||
type tmpfs_t, filesystem_type;
|
type tmpfs_t, filesystem_type;
|
||||||
files_file_type(tmpfs_t)
|
files_type(tmpfs_t)
|
||||||
|
|
||||||
# Use a transition SID based on the allocating task SID and the
|
# Use a transition SID based on the allocating task SID and the
|
||||||
# filesystem SID to label inodes in the following filesystem types,
|
# filesystem SID to label inodes in the following filesystem types,
|
||||||
|
@ -128,7 +128,7 @@ interface(`storage_raw_write_fixed_disk',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`storage_create_fixed_disk_dev_entry',`
|
interface(`storage_create_fixed_disk',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
|
@ -25,7 +25,7 @@ template(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
# Type of user crontabs once moved to cron spool.
|
# Type of user crontabs once moved to cron spool.
|
||||||
type $1_cron_spool_t;
|
type $1_cron_spool_t;
|
||||||
files_file_type($1_cron_spool_t)
|
files_type($1_cron_spool_t)
|
||||||
|
|
||||||
type $1_crond_t; # user_crond_domain;
|
type $1_crond_t; # user_crond_domain;
|
||||||
domain_type($1_crond_t);
|
domain_type($1_crond_t);
|
||||||
@ -92,7 +92,7 @@ template(`cron_per_userdomain_template',`
|
|||||||
domain_exec_all_entry_files($1_crond_t)
|
domain_exec_all_entry_files($1_crond_t)
|
||||||
|
|
||||||
files_read_usr_files($1_crond_t)
|
files_read_usr_files($1_crond_t)
|
||||||
files_exec_generic_etc_files($1_crond_t)
|
files_exec_etc_files($1_crond_t)
|
||||||
# for nscd:
|
# for nscd:
|
||||||
files_dontaudit_search_pids($1_crond_t)
|
files_dontaudit_search_pids($1_crond_t)
|
||||||
|
|
||||||
@ -176,7 +176,7 @@ template(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd($1_crontab_t)
|
domain_use_wide_inherit_fd($1_crontab_t)
|
||||||
|
|
||||||
files_read_generic_etc_files($1_crontab_t)
|
files_read_etc_files($1_crontab_t)
|
||||||
|
|
||||||
libs_use_ld_so($1_crontab_t)
|
libs_use_ld_so($1_crontab_t)
|
||||||
libs_use_shared_libs($1_crontab_t)
|
libs_use_shared_libs($1_crontab_t)
|
||||||
|
@ -7,10 +7,10 @@ policy_module(cron, 1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type anacron_exec_t;
|
type anacron_exec_t;
|
||||||
files_file_type(anacron_exec_t)
|
files_type(anacron_exec_t)
|
||||||
|
|
||||||
type cron_spool_t;
|
type cron_spool_t;
|
||||||
files_file_type(cron_spool_t)
|
files_type(cron_spool_t)
|
||||||
|
|
||||||
type crond_t; #, privmail, nscd_client_domain
|
type crond_t; #, privmail, nscd_client_domain
|
||||||
type crond_exec_t;
|
type crond_exec_t;
|
||||||
@ -27,7 +27,7 @@ type crond_var_run_t;
|
|||||||
files_pid_file(crond_var_run_t)
|
files_pid_file(crond_var_run_t)
|
||||||
|
|
||||||
type crontab_exec_t;
|
type crontab_exec_t;
|
||||||
files_file_type(crontab_exec_t)
|
files_type(crontab_exec_t)
|
||||||
|
|
||||||
type system_cron_spool_t;
|
type system_cron_spool_t;
|
||||||
type system_crond_t; #, privmail, nscd_client_domain;
|
type system_crond_t; #, privmail, nscd_client_domain;
|
||||||
@ -99,8 +99,8 @@ corecmd_list_sbin(crond_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(crond_t)
|
domain_use_wide_inherit_fd(crond_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(crond_t)
|
files_read_etc_files(crond_t)
|
||||||
files_read_spools(crond_t)
|
files_read_generic_spools(crond_t)
|
||||||
|
|
||||||
init_use_fd(crond_t)
|
init_use_fd(crond_t)
|
||||||
init_use_script_pty(crond_t)
|
init_use_script_pty(crond_t)
|
||||||
@ -112,7 +112,7 @@ logging_send_syslog_msg(crond_t)
|
|||||||
|
|
||||||
seutil_read_config(crond_t)
|
seutil_read_config(crond_t)
|
||||||
seutil_read_default_contexts(crond_t)
|
seutil_read_default_contexts(crond_t)
|
||||||
seutil_newrole_sigchld(crond_t)
|
seutil_sigchld_newrole(crond_t)
|
||||||
|
|
||||||
miscfiles_read_localization(crond_t)
|
miscfiles_read_localization(crond_t)
|
||||||
|
|
||||||
@ -206,7 +206,7 @@ allow system_crond_t crond_t:process sigchld;
|
|||||||
|
|
||||||
# Write /var/lock/makewhatis.lock.
|
# Write /var/lock/makewhatis.lock.
|
||||||
allow system_crond_t system_crond_lock_t:file create_file_perms;
|
allow system_crond_t system_crond_lock_t:file create_file_perms;
|
||||||
files_create_lock_file(system_crond_t,system_crond_lock_t)
|
files_create_lock(system_crond_t,system_crond_lock_t)
|
||||||
|
|
||||||
# write temporary files
|
# write temporary files
|
||||||
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
||||||
@ -254,18 +254,18 @@ corecmd_exec_sbin(system_crond_t)
|
|||||||
|
|
||||||
domain_exec_all_entry_files(system_crond_t)
|
domain_exec_all_entry_files(system_crond_t)
|
||||||
|
|
||||||
files_exec_generic_etc_files(system_crond_t)
|
files_exec_etc_files(system_crond_t)
|
||||||
files_read_generic_etc_files(system_crond_t)
|
files_read_etc_files(system_crond_t)
|
||||||
files_read_etc_runtime_files(system_crond_t)
|
files_read_etc_runtime_files(system_crond_t)
|
||||||
files_list_all_dirs(system_crond_t)
|
files_list_all_dirs(system_crond_t)
|
||||||
files_getattr_all_files(system_crond_t)
|
files_getattr_all_files(system_crond_t)
|
||||||
files_read_usr_files(system_crond_t)
|
files_read_usr_files(system_crond_t)
|
||||||
files_read_var_file(system_crond_t)
|
files_read_var_files(system_crond_t)
|
||||||
# for nscd:
|
# for nscd:
|
||||||
files_dontaudit_search_pids(system_crond_t)
|
files_dontaudit_search_pids(system_crond_t)
|
||||||
# Access other spool directories like
|
# Access other spool directories like
|
||||||
# /var/spool/anacron and /var/spool/slrnpull.
|
# /var/spool/anacron and /var/spool/slrnpull.
|
||||||
files_manage_spools(system_crond_t)
|
files_manage_generic_spools(system_crond_t)
|
||||||
|
|
||||||
init_use_fd(system_crond_t)
|
init_use_fd(system_crond_t)
|
||||||
init_use_script_fd(system_crond_t)
|
init_use_script_fd(system_crond_t)
|
||||||
|
@ -94,7 +94,7 @@ corecmd_read_sbin_symlink(inetd_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(inetd_t)
|
domain_use_wide_inherit_fd(inetd_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(inetd_t)
|
files_read_etc_files(inetd_t)
|
||||||
|
|
||||||
init_use_fd(inetd_t)
|
init_use_fd(inetd_t)
|
||||||
init_use_script_pty(inetd_t)
|
init_use_script_pty(inetd_t)
|
||||||
@ -121,7 +121,7 @@ optional_policy(`mount.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(inetd_t)
|
seutil_sigchld_newrole(inetd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
@ -199,7 +199,7 @@ dev_read_urand(inetd_child_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(inetd_child_t)
|
fs_getattr_xattr_fs(inetd_child_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(inetd_child_t)
|
files_read_etc_files(inetd_child_t)
|
||||||
|
|
||||||
libs_use_ld_so(inetd_child_t)
|
libs_use_ld_so(inetd_child_t)
|
||||||
libs_use_shared_libs(inetd_child_t)
|
libs_use_shared_libs(inetd_child_t)
|
||||||
|
@ -54,7 +54,7 @@ template(`mta_per_userdomain_template',`
|
|||||||
|
|
||||||
corecmd_exec_bin($1_mail_t)
|
corecmd_exec_bin($1_mail_t)
|
||||||
|
|
||||||
files_read_generic_etc_files($1_mail_t)
|
files_read_etc_files($1_mail_t)
|
||||||
|
|
||||||
logging_send_syslog_msg($1_mail_t)
|
logging_send_syslog_msg($1_mail_t)
|
||||||
|
|
||||||
|
@ -7,21 +7,21 @@ policy_module(mta,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type etc_aliases_t;
|
type etc_aliases_t;
|
||||||
files_file_type(etc_aliases_t)
|
files_type(etc_aliases_t)
|
||||||
|
|
||||||
type etc_mail_t;
|
type etc_mail_t;
|
||||||
files_file_type(etc_mail_t)
|
files_type(etc_mail_t)
|
||||||
|
|
||||||
attribute mailserver_domain;
|
attribute mailserver_domain;
|
||||||
|
|
||||||
type mqueue_spool_t;
|
type mqueue_spool_t;
|
||||||
files_file_type(mqueue_spool_t)
|
files_type(mqueue_spool_t)
|
||||||
|
|
||||||
type mail_spool_t;
|
type mail_spool_t;
|
||||||
files_file_type(mail_spool_t)
|
files_type(mail_spool_t)
|
||||||
|
|
||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
files_file_type(sendmail_exec_t)
|
files_type(sendmail_exec_t)
|
||||||
|
|
||||||
type system_mail_t; #, user_mail_domain, nscd_client_domain;
|
type system_mail_t; #, user_mail_domain, nscd_client_domain;
|
||||||
domain_type(system_mail_t)
|
domain_type(system_mail_t)
|
||||||
@ -67,7 +67,7 @@ fs_getattr_xattr_fs(system_mail_t)
|
|||||||
init_use_script_pty(system_mail_t)
|
init_use_script_pty(system_mail_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(system_mail_t)
|
files_read_etc_runtime_files(system_mail_t)
|
||||||
files_read_generic_etc_files(system_mail_t)
|
files_read_etc_files(system_mail_t)
|
||||||
# It wants to check for nscd
|
# It wants to check for nscd
|
||||||
files_dontaudit_search_pids(system_mail_t)
|
files_dontaudit_search_pids(system_mail_t)
|
||||||
|
|
||||||
@ -146,7 +146,7 @@ ifdef(`targeted_policy', `
|
|||||||
|
|
||||||
ifdef(`postfix.te', `', `
|
ifdef(`postfix.te', `', `
|
||||||
domain_exec_all_entry_files(system_mail_t)
|
domain_exec_all_entry_files(system_mail_t)
|
||||||
files_exec_generic_etc_files(system_mail_t)
|
files_exec_etc_files(system_mail_t)
|
||||||
corecmd_exec_bin(system_mail_t)
|
corecmd_exec_bin(system_mail_t)
|
||||||
corecmd_exec_sbin(system_mail_t)
|
corecmd_exec_sbin(system_mail_t)
|
||||||
libs_use_ld_so(system_mail_t)
|
libs_use_ld_so(system_mail_t)
|
||||||
|
@ -7,7 +7,7 @@ policy_module(nis,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type var_yp_t;
|
type var_yp_t;
|
||||||
files_file_type(var_yp_t)
|
files_type(var_yp_t)
|
||||||
|
|
||||||
type ypbind_t;
|
type ypbind_t;
|
||||||
type ypbind_exec_t;
|
type ypbind_exec_t;
|
||||||
@ -24,7 +24,7 @@ type ypserv_exec_t;
|
|||||||
init_daemon_domain(ypserv_t,ypserv_exec_t)
|
init_daemon_domain(ypserv_t,ypserv_exec_t)
|
||||||
|
|
||||||
type ypserv_conf_t;
|
type ypserv_conf_t;
|
||||||
files_file_type(ypserv_conf_t)
|
files_type(ypserv_conf_t)
|
||||||
|
|
||||||
type ypserv_tmp_t;
|
type ypserv_tmp_t;
|
||||||
files_tmp_file(ypserv_tmp_t)
|
files_tmp_file(ypserv_tmp_t)
|
||||||
@ -83,7 +83,7 @@ term_dontaudit_use_console(ypbind_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(ypbind_t)
|
domain_use_wide_inherit_fd(ypbind_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(ypbind_t)
|
files_read_etc_files(ypbind_t)
|
||||||
|
|
||||||
init_use_fd(ypbind_t)
|
init_use_fd(ypbind_t)
|
||||||
init_use_script_pty(ypbind_t)
|
init_use_script_pty(ypbind_t)
|
||||||
@ -111,7 +111,7 @@ optional_policy(`mount.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(ypbind_t)
|
seutil_sigchld_newrole(ypbind_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
@ -200,7 +200,7 @@ ifdef(`targeted_policy', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(ypserv_t)
|
seutil_sigchld_newrole(ypserv_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
|
@ -65,7 +65,7 @@ auth_manage_pam_console_data(remote_login_t)
|
|||||||
|
|
||||||
domain_read_all_entry_files(remote_login_t)
|
domain_read_all_entry_files(remote_login_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(remote_login_t)
|
files_read_etc_files(remote_login_t)
|
||||||
files_read_etc_runtime_files(remote_login_t)
|
files_read_etc_runtime_files(remote_login_t)
|
||||||
files_list_home(remote_login_t)
|
files_list_home(remote_login_t)
|
||||||
files_read_usr_files(remote_login_t)
|
files_read_usr_files(remote_login_t)
|
||||||
|
@ -63,7 +63,7 @@ term_dontaudit_use_console(sendmail_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(sendmail_t)
|
domain_use_wide_inherit_fd(sendmail_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(sendmail_t)
|
files_read_etc_files(sendmail_t)
|
||||||
files_search_spool(sendmail_t)
|
files_search_spool(sendmail_t)
|
||||||
|
|
||||||
init_use_fd(sendmail_t)
|
init_use_fd(sendmail_t)
|
||||||
@ -100,7 +100,7 @@ optional_policy(`nis.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(sendmail_t)
|
seutil_sigchld_newrole(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
|
@ -28,7 +28,7 @@ template(`ssh_per_userdomain_template',`
|
|||||||
#
|
#
|
||||||
|
|
||||||
type $1_home_ssh_t; #, $1_file_type;
|
type $1_home_ssh_t; #, $1_file_type;
|
||||||
files_file_type($1_home_ssh_t)
|
files_type($1_home_ssh_t)
|
||||||
role $1_r types $1_ssh_t;
|
role $1_r types $1_ssh_t;
|
||||||
|
|
||||||
type $1_ssh_t; #, nscd_client_domain;
|
type $1_ssh_t; #, nscd_client_domain;
|
||||||
@ -109,7 +109,7 @@ template(`ssh_per_userdomain_template',`
|
|||||||
files_list_home($1_ssh_t)
|
files_list_home($1_ssh_t)
|
||||||
files_read_usr_files($1_ssh_t)
|
files_read_usr_files($1_ssh_t)
|
||||||
files_read_etc_runtime_files($1_ssh_t)
|
files_read_etc_runtime_files($1_ssh_t)
|
||||||
files_read_generic_etc_files($1_ssh_t)
|
files_read_etc_files($1_ssh_t)
|
||||||
|
|
||||||
libs_use_ld_so($1_ssh_t)
|
libs_use_ld_so($1_ssh_t)
|
||||||
libs_use_shared_libs($1_ssh_t)
|
libs_use_shared_libs($1_ssh_t)
|
||||||
@ -248,7 +248,7 @@ template(`ssh_per_userdomain_template',`
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd($1_ssh_agent_t)
|
domain_use_wide_inherit_fd($1_ssh_agent_t)
|
||||||
|
|
||||||
files_read_generic_etc_files($1_ssh_agent_t)
|
files_read_etc_files($1_ssh_agent_t)
|
||||||
files_read_etc_runtime_files($1_ssh_agent_t)
|
files_read_etc_runtime_files($1_ssh_agent_t)
|
||||||
|
|
||||||
libs_read_lib($1_ssh_agent_t)
|
libs_read_lib($1_ssh_agent_t)
|
||||||
@ -343,11 +343,11 @@ template(`ssh_per_userdomain_template',`
|
|||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
## <param name="userdomain_prefix">
|
## <param name="userdomain_prefix">
|
||||||
## The prefix of the user domain (e.g., user
|
## The prefix of the server domain (e.g., sshd
|
||||||
## is the prefix for user_t).
|
## is the prefix for sshd_t).
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
template(`sshd_program_domain', `
|
template(`ssh_server_template', `
|
||||||
type $1_t, ssh_server; #, nscd_client_domain;
|
type $1_t, ssh_server; #, nscd_client_domain;
|
||||||
role system_r types $1_t;
|
role system_r types $1_t;
|
||||||
|
|
||||||
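Review bot: The parameter block in this hunk still reads `## <param name="userdomain_prefix">` while its description was changed to "The prefix of the server domain (e.g., sshd is the prefix for sshd_t)", so the generated interface documentation for `ssh_server_template` labels a server-domain argument as a user-domain prefix. Rename the param to match the new description, for example `## <param name="prefix">`, so that the name and the text agree and readers of the generated docs are not pointed at user_t-style prefixes. The template body opened at `template(`ssh_server_template', `` continues past the end of this hunk; the later hunk header still showing `sshd_program_domain` is just old-side context and needs no change.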
@ -413,7 +413,7 @@ template(`sshd_program_domain', `
|
|||||||
domain_role_change_exempt($1_t)
|
domain_role_change_exempt($1_t)
|
||||||
domain_obj_id_change_exempt($1_t)
|
domain_obj_id_change_exempt($1_t)
|
||||||
|
|
||||||
files_read_generic_etc_files($1_t)
|
files_read_etc_files($1_t)
|
||||||
files_read_etc_runtime_files($1_t)
|
files_read_etc_runtime_files($1_t)
|
||||||
|
|
||||||
init_rw_script_pid($1_t)
|
init_rw_script_pid($1_t)
|
||||||
|
@ -10,18 +10,18 @@ attribute ssh_server;
|
|||||||
|
|
||||||
# Type for the ssh-agent executable.
|
# Type for the ssh-agent executable.
|
||||||
type ssh_agent_exec_t;
|
type ssh_agent_exec_t;
|
||||||
files_file_type(ssh_agent_exec_t)
|
files_type(ssh_agent_exec_t)
|
||||||
|
|
||||||
# ssh client executable.
|
# ssh client executable.
|
||||||
type ssh_exec_t;
|
type ssh_exec_t;
|
||||||
files_file_type(ssh_exec_t)
|
files_type(ssh_exec_t)
|
||||||
|
|
||||||
type ssh_keygen_t;
|
type ssh_keygen_t;
|
||||||
type ssh_keygen_exec_t;
|
type ssh_keygen_exec_t;
|
||||||
init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
|
init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
|
||||||
role system_r types ssh_keygen_t;
|
role system_r types ssh_keygen_t;
|
||||||
|
|
||||||
sshd_program_domain(sshd)
|
ssh_server_template(sshd)
|
||||||
|
|
||||||
optional_policy(`inetd.te',`
|
optional_policy(`inetd.te',`
|
||||||
# CJP: commenting this out until typeattribute works in a conditional
|
# CJP: commenting this out until typeattribute works in a conditional
|
||||||
@ -37,12 +37,12 @@ optional_policy(`inetd.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
type sshd_exec_t;
|
type sshd_exec_t;
|
||||||
files_file_type(sshd_exec_t)
|
files_type(sshd_exec_t)
|
||||||
|
|
||||||
sshd_program_domain(sshd_extern)
|
ssh_server_template(sshd_extern)
|
||||||
|
|
||||||
type sshd_key_t;
|
type sshd_key_t;
|
||||||
files_file_type(sshd_key_t)
|
files_type(sshd_key_t)
|
||||||
|
|
||||||
type sshd_tmp_t;
|
type sshd_tmp_t;
|
||||||
files_tmp_file(sshd_tmp_t)
|
files_tmp_file(sshd_tmp_t)
|
||||||
@ -191,7 +191,7 @@ term_dontaudit_use_console(ssh_keygen_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(ssh_keygen_t)
|
domain_use_wide_inherit_fd(ssh_keygen_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(ssh_keygen_t)
|
files_read_etc_files(ssh_keygen_t)
|
||||||
|
|
||||||
init_use_fd(ssh_keygen_t)
|
init_use_fd(ssh_keygen_t)
|
||||||
init_use_script_pty(ssh_keygen_t)
|
init_use_script_pty(ssh_keygen_t)
|
||||||
@ -222,7 +222,7 @@ optional_policy(`rhgb.te', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(ssh_keygen_t)
|
seutil_sigchld_newrole(ssh_keygen_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
|
@ -57,7 +57,7 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
libs_use_ld_so($1_chkpwd_t)
|
libs_use_ld_so($1_chkpwd_t)
|
||||||
libs_use_shared_libs($1_chkpwd_t)
|
libs_use_shared_libs($1_chkpwd_t)
|
||||||
|
|
||||||
files_read_generic_etc_files($1_chkpwd_t)
|
files_read_etc_files($1_chkpwd_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_dontaudit_search_var($1_chkpwd_t)
|
files_dontaudit_search_var($1_chkpwd_t)
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ attribute can_write_shadow_passwords;
|
|||||||
attribute can_relabelto_shadow_passwords;
|
attribute can_relabelto_shadow_passwords;
|
||||||
|
|
||||||
type chkpwd_exec_t;
|
type chkpwd_exec_t;
|
||||||
files_file_type(chkpwd_exec_t)
|
files_type(chkpwd_exec_t)
|
||||||
|
|
||||||
type faillog_t;
|
type faillog_t;
|
||||||
logging_log_file(faillog_t)
|
logging_log_file(faillog_t)
|
||||||
@ -20,7 +20,7 @@ type lastlog_t;
|
|||||||
logging_log_file(lastlog_t)
|
logging_log_file(lastlog_t)
|
||||||
|
|
||||||
type login_exec_t;
|
type login_exec_t;
|
||||||
files_file_type(login_exec_t)
|
files_type(login_exec_t)
|
||||||
|
|
||||||
type pam_console_t;
|
type pam_console_t;
|
||||||
type pam_console_exec_t;
|
type pam_console_exec_t;
|
||||||
@ -40,13 +40,13 @@ type pam_tmp_t;
|
|||||||
files_tmp_file(pam_tmp_t)
|
files_tmp_file(pam_tmp_t)
|
||||||
|
|
||||||
type pam_var_console_t; #, nscd_client_domain
|
type pam_var_console_t; #, nscd_client_domain
|
||||||
files_file_type(pam_var_console_t)
|
files_type(pam_var_console_t)
|
||||||
|
|
||||||
type pam_var_run_t;
|
type pam_var_run_t;
|
||||||
files_pid_file(pam_var_run_t)
|
files_pid_file(pam_var_run_t)
|
||||||
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
files_file_type(shadow_t)
|
files_type(shadow_t)
|
||||||
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||||
@ -100,7 +100,7 @@ term_use_all_user_ptys(pam_t)
|
|||||||
|
|
||||||
init_dontaudit_rw_script_pid(pam_t)
|
init_dontaudit_rw_script_pid(pam_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(pam_t)
|
files_read_etc_files(pam_t)
|
||||||
files_list_pids(pam_t)
|
files_list_pids(pam_t)
|
||||||
|
|
||||||
libs_use_ld_so(pam_t)
|
libs_use_ld_so(pam_t)
|
||||||
@ -172,7 +172,7 @@ term_setattr_unallocated_ttys(pam_console_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(pam_console_t)
|
domain_use_wide_inherit_fd(pam_console_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(pam_console_t)
|
files_read_etc_files(pam_console_t)
|
||||||
files_search_pids(pam_console_t)
|
files_search_pids(pam_console_t)
|
||||||
files_list_mnt(pam_console_t)
|
files_list_mnt(pam_console_t)
|
||||||
|
|
||||||
@ -204,7 +204,7 @@ optional_policy(`hotplug.te', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(pam_console_t)
|
seutil_sigchld_newrole(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
@ -244,7 +244,7 @@ fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
|
|||||||
|
|
||||||
term_use_unallocated_tty(system_chkpwd_t)
|
term_use_unallocated_tty(system_chkpwd_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(system_chkpwd_t)
|
files_read_etc_files(system_chkpwd_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_dontaudit_search_var(system_chkpwd_t)
|
files_dontaudit_search_var(system_chkpwd_t)
|
||||||
|
|
||||||
@ -297,7 +297,7 @@ term_dontaudit_use_ptmx(utempter_t)
|
|||||||
|
|
||||||
init_rw_script_pid(utempter_t)
|
init_rw_script_pid(utempter_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(utempter_t)
|
files_read_etc_files(utempter_t)
|
||||||
|
|
||||||
domain_use_wide_inherit_fd(utempter_t)
|
domain_use_wide_inherit_fd(utempter_t)
|
||||||
|
|
||||||
|
@ -7,7 +7,7 @@ policy_module(clock,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type adjtime_t;
|
type adjtime_t;
|
||||||
files_file_type(adjtime_t)
|
files_type(adjtime_t)
|
||||||
|
|
||||||
type hwclock_t;
|
type hwclock_t;
|
||||||
type hwclock_exec_t;
|
type hwclock_exec_t;
|
||||||
@ -65,7 +65,7 @@ ifdef(`targeted_policy', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(hwclock_t)
|
seutil_sigchld_newrole(hwclock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
|
@ -5,25 +5,25 @@ policy_module(corecommands,1.0)
|
|||||||
# bin_t is the type of files in the system bin directories.
|
# bin_t is the type of files in the system bin directories.
|
||||||
#
|
#
|
||||||
type bin_t;
|
type bin_t;
|
||||||
files_file_type(bin_t)
|
files_type(bin_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# sbin_t is the type of files in the system sbin directories.
|
# sbin_t is the type of files in the system sbin directories.
|
||||||
#
|
#
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
files_file_type(sbin_t)
|
files_type(sbin_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# ls_exec_t is the type of the ls program.
|
# ls_exec_t is the type of the ls program.
|
||||||
#
|
#
|
||||||
type ls_exec_t;
|
type ls_exec_t;
|
||||||
files_file_type(ls_exec_t)
|
files_type(ls_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# shell_exec_t is the type of user shells such as /bin/bash.
|
# shell_exec_t is the type of user shells such as /bin/bash.
|
||||||
#
|
#
|
||||||
type shell_exec_t;
|
type shell_exec_t;
|
||||||
files_file_type(shell_exec_t)
|
files_type(shell_exec_t)
|
||||||
|
|
||||||
type chroot_exec_t;
|
type chroot_exec_t;
|
||||||
files_file_type(chroot_exec_t)
|
files_type(chroot_exec_t)
|
||||||
|
@ -61,7 +61,7 @@ interface(`domain_entry_file',`
|
|||||||
class file entrypoint;
|
class file entrypoint;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_file_type($2)
|
files_type($2)
|
||||||
allow $1 $2:file entrypoint;
|
allow $1 $2:file entrypoint;
|
||||||
typeattribute $2 entry_type;
|
typeattribute $2 entry_type;
|
||||||
')
|
')
|
||||||
|
@ -17,9 +17,9 @@
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_file_type(type)
|
# files_type(type)
|
||||||
#
|
#
|
||||||
interface(`files_file_type',`
|
interface(`files_type',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute file_type;
|
attribute file_type;
|
||||||
')
|
')
|
||||||
@ -38,7 +38,7 @@ interface(`files_lock_file',`
|
|||||||
attribute lockfile;
|
attribute lockfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_file_type($1)
|
files_type($1)
|
||||||
typeattribute $1 lockfile;
|
typeattribute $1 lockfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -51,7 +51,7 @@ interface(`files_mountpoint',`
|
|||||||
attribute mountpoint;
|
attribute mountpoint;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_file_type($1)
|
files_type($1)
|
||||||
typeattribute $1 mountpoint;
|
typeattribute $1 mountpoint;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -64,7 +64,7 @@ interface(`files_pid_file',`
|
|||||||
attribute pidfile;
|
attribute pidfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_file_type($1)
|
files_type($1)
|
||||||
typeattribute $1 pidfile;
|
typeattribute $1 pidfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -77,7 +77,7 @@ interface(`files_tmp_file',`
|
|||||||
attribute tmpfile;
|
attribute tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_file_type($1)
|
files_type($1)
|
||||||
typeattribute $1 tmpfile;
|
typeattribute $1 tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -95,7 +95,7 @@ interface(`files_tmpfs_file',`
|
|||||||
attribute tmpfsfile;
|
attribute tmpfsfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_file_type($1)
|
files_type($1)
|
||||||
fs_associate_tmpfs($1)
|
fs_associate_tmpfs($1)
|
||||||
typeattribute $1 tmpfsfile;
|
typeattribute $1 tmpfsfile;
|
||||||
')
|
')
|
||||||
@ -439,9 +439,9 @@ interface(`files_list_etc',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_read_generic_etc_files(domain)
|
# files_read_etc_files(domain)
|
||||||
#
|
#
|
||||||
interface(`files_read_generic_etc_files',`
|
interface(`files_read_etc_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type etc_t;
|
type etc_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -456,9 +456,9 @@ interface(`files_read_generic_etc_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_rw_generic_etc_files(domain)
|
# files_rw_etc_files(domain)
|
||||||
#
|
#
|
||||||
interface(`files_rw_generic_etc_files',`
|
interface(`files_rw_etc_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type etc_t;
|
type etc_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -473,9 +473,9 @@ interface(`files_rw_generic_etc_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_manage_generic_etc_files(domain)
|
# files_manage_etc_files(domain)
|
||||||
#
|
#
|
||||||
interface(`files_manage_generic_etc_files',`
|
interface(`files_manage_etc_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type etc_t;
|
type etc_t;
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
@ -496,7 +496,7 @@ interface(`files_manage_generic_etc_files',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_delete_generic_etc_files',`
|
interface(`files_delete_etc_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type etc_t;
|
type etc_t;
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
@ -509,9 +509,9 @@ interface(`files_delete_generic_etc_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_exec_generic_etc_files(domain)
|
# files_exec_etc_files(domain)
|
||||||
#
|
#
|
||||||
interface(`files_exec_generic_etc_files',`
|
interface(`files_exec_etc_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type etc_t;
|
type etc_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -591,7 +591,6 @@ interface(`files_create_etc_config',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to search directories on new filesystems
|
## Do not audit attempts to search directories on new filesystems
|
||||||
@ -908,9 +907,9 @@ interface(`files_exec_usr_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_read_usr_src(domain)
|
# files_read_usr_src_files(domain)
|
||||||
#
|
#
|
||||||
interface(`files_read_usr_src',`
|
interface(`files_read_usr_src_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type usr_t, src_t;
|
type usr_t, src_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -957,7 +956,7 @@ interface(`files_dontaudit_search_var',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_read_var_file',`
|
interface(`files_read_var_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t;
|
type var_t;
|
||||||
class dir search;
|
class dir search;
|
||||||
@ -1003,9 +1002,9 @@ interface(`files_manage_urandom_seed',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_getattr_generic_lock_files(domain)
|
# files_getattr_generic_locks(domain)
|
||||||
#
|
#
|
||||||
interface(`files_getattr_generic_lock_files',`
|
interface(`files_getattr_generic_locks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_lock_t;
|
type var_lock_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -1018,9 +1017,9 @@ interface(`files_getattr_generic_lock_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_manage_generic_lock_files(domain)
|
# files_manage_generic_locks(domain)
|
||||||
#
|
#
|
||||||
interface(`files_manage_generic_lock_files',`
|
interface(`files_manage_generic_locks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_lock_t;
|
type var_lock_t;
|
||||||
class dir { getattr search create read write setattr add_name remove_name rmdir };
|
class dir { getattr search create read write setattr add_name remove_name rmdir };
|
||||||
@ -1033,9 +1032,9 @@ interface(`files_manage_generic_lock_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_delete_all_lock_files(domain)
|
# files_delete_all_locks(domain)
|
||||||
#
|
#
|
||||||
interface(`files_delete_all_lock_files',`
|
interface(`files_delete_all_locks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute lockfile;
|
attribute lockfile;
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
@ -1048,9 +1047,9 @@ interface(`files_delete_all_lock_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_create_lock_file(domain,private_type,[object class(es)])
|
# files_create_lock(domain,private_type,[object class(es)])
|
||||||
#
|
#
|
||||||
interface(`files_create_lock_file',`
|
interface(`files_create_lock',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t, var_lock_t;
|
type var_t, var_lock_t;
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
@ -1246,9 +1245,9 @@ interface(`files_list_spool',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_manage_spool_dirs(domain)
|
# files_manage_generic_spool_dirs(domain)
|
||||||
#
|
#
|
||||||
interface(`files_manage_spool_dirs',`
|
interface(`files_manage_generic_spool_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t, var_spool_t;
|
type var_t, var_spool_t;
|
||||||
class dir create_dir_perms;
|
class dir create_dir_perms;
|
||||||
@ -1260,9 +1259,9 @@ interface(`files_manage_spool_dirs',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_read_spools(domain)
|
# files_read_generic_spools(domain)
|
||||||
#
|
#
|
||||||
interface(`files_read_spools',`
|
interface(`files_read_generic_spools',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t, var_spool_t;
|
type var_t, var_spool_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -1276,9 +1275,9 @@ interface(`files_read_spools',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# files_manage_spools(domain)
|
# files_manage_generic_spools(domain)
|
||||||
#
|
#
|
||||||
interface(`files_manage_spools',`
|
interface(`files_manage_generic_spools',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type var_t, var_spool_t;
|
type var_t, var_spool_t;
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
|
@ -14,7 +14,7 @@ type fsadm_tmp_t;
|
|||||||
files_tmp_file(fsadm_tmp_t)
|
files_tmp_file(fsadm_tmp_t)
|
||||||
|
|
||||||
type swapfile_t;
|
type swapfile_t;
|
||||||
files_file_type(swapfile_t)
|
files_type(swapfile_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
||||||
@ -73,7 +73,7 @@ domain_use_wide_inherit_fd(fsadm_t)
|
|||||||
|
|
||||||
files_list_home(fsadm_t)
|
files_list_home(fsadm_t)
|
||||||
files_read_usr_files(fsadm_t)
|
files_read_usr_files(fsadm_t)
|
||||||
files_read_generic_etc_files(fsadm_t)
|
files_read_etc_files(fsadm_t)
|
||||||
files_list_mnt(fsadm_t)
|
files_list_mnt(fsadm_t)
|
||||||
files_manage_lost_found(fsadm_t)
|
files_manage_lost_found(fsadm_t)
|
||||||
# Write to /etc/mtab.
|
# Write to /etc/mtab.
|
||||||
|
@ -59,9 +59,9 @@ auth_rw_login_records(getty_t)
|
|||||||
corecmd_search_bin(getty_t)
|
corecmd_search_bin(getty_t)
|
||||||
|
|
||||||
files_rw_generic_pids(getty_t)
|
files_rw_generic_pids(getty_t)
|
||||||
files_manage_generic_lock_files(getty_t)
|
files_manage_generic_locks(getty_t)
|
||||||
files_read_etc_runtime_files(getty_t)
|
files_read_etc_runtime_files(getty_t)
|
||||||
files_read_generic_etc_files(getty_t)
|
files_read_etc_files(getty_t)
|
||||||
|
|
||||||
init_rw_script_pid(getty_t)
|
init_rw_script_pid(getty_t)
|
||||||
init_use_script_pty(getty_t)
|
init_use_script_pty(getty_t)
|
||||||
|
@ -41,7 +41,7 @@ init_use_script_pty(hostname_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(hostname_t)
|
domain_use_wide_inherit_fd(hostname_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(hostname_t)
|
files_read_etc_files(hostname_t)
|
||||||
files_dontaudit_search_var(hostname_t)
|
files_dontaudit_search_var(hostname_t)
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
files_dontaudit_search_isid_type_dir(hostname_t)
|
files_dontaudit_search_isid_type_dir(hostname_t)
|
||||||
@ -81,7 +81,7 @@ optional_policy(`hotplug.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(hostname_t)
|
seutil_sigchld_newrole(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
|
@ -12,7 +12,7 @@ kernel_userland_entry(hotplug_t,hotplug_exec_t)
|
|||||||
init_system_domain(hotplug_t,hotplug_exec_t)
|
init_system_domain(hotplug_t,hotplug_exec_t)
|
||||||
|
|
||||||
type hotplug_etc_t; #, usercanread;
|
type hotplug_etc_t; #, usercanread;
|
||||||
files_file_type(hotplug_etc_t)
|
files_type(hotplug_etc_t)
|
||||||
|
|
||||||
type hotplug_var_run_t;
|
type hotplug_var_run_t;
|
||||||
files_pid_file(hotplug_var_run_t)
|
files_pid_file(hotplug_var_run_t)
|
||||||
@ -78,9 +78,9 @@ corecmd_exec_sbin(hotplug_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(hotplug_t)
|
domain_use_wide_inherit_fd(hotplug_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(hotplug_t)
|
files_read_etc_files(hotplug_t)
|
||||||
files_manage_etc_runtime_files(hotplug_t)
|
files_manage_etc_runtime_files(hotplug_t)
|
||||||
files_exec_generic_etc_files(hotplug_t)
|
files_exec_etc_files(hotplug_t)
|
||||||
# for when filesystems are not mounted early in the boot:
|
# for when filesystems are not mounted early in the boot:
|
||||||
files_dontaudit_search_isid_type_dir(hotplug_t)
|
files_dontaudit_search_isid_type_dir(hotplug_t)
|
||||||
|
|
||||||
@ -102,7 +102,7 @@ libs_use_shared_libs(hotplug_t)
|
|||||||
libs_read_lib(hotplug_t)
|
libs_read_lib(hotplug_t)
|
||||||
|
|
||||||
modutils_domtrans_insmod(hotplug_t)
|
modutils_domtrans_insmod(hotplug_t)
|
||||||
modutils_read_kernel_module_dependencies(hotplug_t)
|
modutils_read_mods_deps(hotplug_t)
|
||||||
|
|
||||||
miscfiles_read_localization(hotplug_t)
|
miscfiles_read_localization(hotplug_t)
|
||||||
|
|
||||||
@ -118,7 +118,7 @@ ifdef(`distro_redhat', `
|
|||||||
netutils_domtrans(hotplug_t)
|
netutils_domtrans(hotplug_t)
|
||||||
fs_use_tmpfs_character_devices(hotplug_t)
|
fs_use_tmpfs_character_devices(hotplug_t)
|
||||||
')
|
')
|
||||||
files_getattr_generic_lock_files(hotplug_t)
|
files_getattr_generic_locks(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
@ -152,7 +152,7 @@ optional_policy(`nis.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(hotplug_t)
|
seutil_sigchld_newrole(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`sysnetwork.te',`
|
optional_policy(`sysnetwork.te',`
|
||||||
|
@ -32,7 +32,7 @@ files_pid_file(init_var_run_t)
|
|||||||
# to communicate with init.
|
# to communicate with init.
|
||||||
#
|
#
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
files_file_type(initctl_t)
|
files_type(initctl_t)
|
||||||
|
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
domain_type(initrc_t)
|
domain_type(initrc_t)
|
||||||
@ -50,7 +50,7 @@ type initrc_var_run_t;
|
|||||||
files_pid_file(initrc_var_run_t)
|
files_pid_file(initrc_var_run_t)
|
||||||
|
|
||||||
type initrc_state_t;
|
type initrc_state_t;
|
||||||
files_file_type(initrc_state_t)
|
files_type(initrc_state_t)
|
||||||
|
|
||||||
type initrc_tmp_t;
|
type initrc_tmp_t;
|
||||||
files_tmp_file(initrc_tmp_t)
|
files_tmp_file(initrc_tmp_t)
|
||||||
@ -108,12 +108,12 @@ domain_sigstop_all_domains(init_t)
|
|||||||
domain_sigstop_all_domains(init_t)
|
domain_sigstop_all_domains(init_t)
|
||||||
domain_sigchld_all_domains(init_t)
|
domain_sigchld_all_domains(init_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(init_t)
|
files_read_etc_files(init_t)
|
||||||
files_rw_generic_pids(init_t)
|
files_rw_generic_pids(init_t)
|
||||||
files_dontaudit_search_isid_type_dir(init_t)
|
files_dontaudit_search_isid_type_dir(init_t)
|
||||||
files_manage_etc_runtime_files(init_t)
|
files_manage_etc_runtime_files(init_t)
|
||||||
# Run /etc/X11/prefdm:
|
# Run /etc/X11/prefdm:
|
||||||
files_exec_generic_etc_files(init_t)
|
files_exec_etc_files(init_t)
|
||||||
# file descriptors inherited from the rootfs:
|
# file descriptors inherited from the rootfs:
|
||||||
files_dontaudit_rw_root_file(init_t)
|
files_dontaudit_rw_root_file(init_t)
|
||||||
files_dontaudit_rw_root_chr_dev(init_t)
|
files_dontaudit_rw_root_chr_dev(init_t)
|
||||||
@ -260,16 +260,16 @@ domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
|
|||||||
|
|
||||||
files_getattr_all_files(initrc_t)
|
files_getattr_all_files(initrc_t)
|
||||||
files_delete_all_tmp_files(initrc_t)
|
files_delete_all_tmp_files(initrc_t)
|
||||||
files_delete_all_lock_files(initrc_t)
|
files_delete_all_locks(initrc_t)
|
||||||
files_read_all_pids(initrc_t)
|
files_read_all_pids(initrc_t)
|
||||||
files_delete_all_pids(initrc_t)
|
files_delete_all_pids(initrc_t)
|
||||||
files_read_generic_etc_files(initrc_t)
|
files_read_etc_files(initrc_t)
|
||||||
files_manage_etc_runtime_files(initrc_t)
|
files_manage_etc_runtime_files(initrc_t)
|
||||||
files_manage_generic_lock_files(initrc_t)
|
files_manage_generic_locks(initrc_t)
|
||||||
files_exec_generic_etc_files(initrc_t)
|
files_exec_etc_files(initrc_t)
|
||||||
files_read_usr_files(initrc_t)
|
files_read_usr_files(initrc_t)
|
||||||
files_manage_urandom_seed(initrc_t)
|
files_manage_urandom_seed(initrc_t)
|
||||||
files_manage_spools(initrc_t)
|
files_manage_generic_spools(initrc_t)
|
||||||
|
|
||||||
libs_rw_ld_so_cache(initrc_t)
|
libs_rw_ld_so_cache(initrc_t)
|
||||||
libs_use_ld_so(initrc_t)
|
libs_use_ld_so(initrc_t)
|
||||||
@ -340,7 +340,7 @@ optional_policy(`hotplug.te',`
|
|||||||
# init scripts run /etc/hotplug/usb.rc
|
# init scripts run /etc/hotplug/usb.rc
|
||||||
hotplug_read_config(initrc_t)
|
hotplug_read_config(initrc_t)
|
||||||
|
|
||||||
modutils_read_kernel_module_dependencies(initrc_t)
|
modutils_read_mods_deps(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`lvm.te',`
|
optional_policy(`lvm.te',`
|
||||||
|
@ -52,7 +52,7 @@ term_dontaudit_use_console(iptables_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(iptables_t)
|
domain_use_wide_inherit_fd(iptables_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(iptables_t)
|
files_read_etc_files(iptables_t)
|
||||||
|
|
||||||
init_use_fd(iptables_t)
|
init_use_fd(iptables_t)
|
||||||
init_use_script_pty(iptables_t)
|
init_use_script_pty(iptables_t)
|
||||||
@ -103,7 +103,7 @@ optional_policy(`nis.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(iptables_t)
|
seutil_sigchld_newrole(iptables_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
|
@ -10,33 +10,33 @@ policy_module(libraries,1.0)
|
|||||||
# ld_so_cache_t is the type of /etc/ld.so.cache.
|
# ld_so_cache_t is the type of /etc/ld.so.cache.
|
||||||
#
|
#
|
||||||
type ld_so_cache_t;
|
type ld_so_cache_t;
|
||||||
files_file_type(ld_so_cache_t)
|
files_type(ld_so_cache_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# ld_so_t is the type of the system dynamic loaders.
|
# ld_so_t is the type of the system dynamic loaders.
|
||||||
#
|
#
|
||||||
type ld_so_t;
|
type ld_so_t;
|
||||||
files_file_type(ld_so_t)
|
files_type(ld_so_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# lib_t is the type of files in the system lib directories.
|
# lib_t is the type of files in the system lib directories.
|
||||||
#
|
#
|
||||||
type lib_t;
|
type lib_t;
|
||||||
files_file_type(lib_t)
|
files_type(lib_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# shlib_t is the type of shared objects in the system lib
|
# shlib_t is the type of shared objects in the system lib
|
||||||
# directories.
|
# directories.
|
||||||
#
|
#
|
||||||
type shlib_t;
|
type shlib_t;
|
||||||
files_file_type(shlib_t)
|
files_type(shlib_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# texrel_shlib_t is the type of shared objects in the system lib
|
# texrel_shlib_t is the type of shared objects in the system lib
|
||||||
# directories, which require text relocation.
|
# directories, which require text relocation.
|
||||||
#
|
#
|
||||||
type texrel_shlib_t;
|
type texrel_shlib_t;
|
||||||
files_file_type(texrel_shlib_t)
|
files_type(texrel_shlib_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -65,9 +65,9 @@ fs_getattr_xattr_fs(ldconfig_t)
|
|||||||
domain_use_wide_inherit_fd(ldconfig_t)
|
domain_use_wide_inherit_fd(ldconfig_t)
|
||||||
|
|
||||||
files_search_var_lib(ldconfig_t)
|
files_search_var_lib(ldconfig_t)
|
||||||
files_read_generic_etc_files(ldconfig_t)
|
files_read_etc_files(ldconfig_t)
|
||||||
# for when /etc/ld.so.cache is mislabeled:
|
# for when /etc/ld.so.cache is mislabeled:
|
||||||
files_delete_generic_etc_files(ldconfig_t)
|
files_delete_etc_files(ldconfig_t)
|
||||||
|
|
||||||
init_use_script_pty(ldconfig_t)
|
init_use_script_pty(ldconfig_t)
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ domain_wide_inherit_fd(local_login_t)
|
|||||||
role system_r types local_login_t;
|
role system_r types local_login_t;
|
||||||
|
|
||||||
type local_login_tmp_t;
|
type local_login_tmp_t;
|
||||||
files_file_type(local_login_tmp_t)
|
files_type(local_login_tmp_t)
|
||||||
|
|
||||||
type sulogin_t;
|
type sulogin_t;
|
||||||
type sulogin_exec_t;
|
type sulogin_exec_t;
|
||||||
@ -102,10 +102,10 @@ auth_manage_pam_console_data(local_login_t)
|
|||||||
|
|
||||||
domain_read_all_entry_files(local_login_t)
|
domain_read_all_entry_files(local_login_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(local_login_t)
|
files_read_etc_files(local_login_t)
|
||||||
files_read_etc_runtime_files(local_login_t)
|
files_read_etc_runtime_files(local_login_t)
|
||||||
files_read_usr_files(local_login_t)
|
files_read_usr_files(local_login_t)
|
||||||
files_manage_generic_lock_files(var_lock_t)
|
files_manage_generic_locks(var_lock_t)
|
||||||
|
|
||||||
init_rw_script_pid(local_login_t)
|
init_rw_script_pid(local_login_t)
|
||||||
init_dontaudit_use_fd(local_login_t)
|
init_dontaudit_use_fd(local_login_t)
|
||||||
@ -223,7 +223,7 @@ kernel_read_system_state(sulogin_t)
|
|||||||
|
|
||||||
fs_search_auto_mountpoints(sulogin_t)
|
fs_search_auto_mountpoints(sulogin_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(sulogin_t)
|
files_read_etc_files(sulogin_t)
|
||||||
# because file systems are not mounted:
|
# because file systems are not mounted:
|
||||||
files_dontaudit_search_isid_type_dir(sulogin_t)
|
files_dontaudit_search_isid_type_dir(sulogin_t)
|
||||||
|
|
||||||
|
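Review bot: `files_manage_generic_locks(var_lock_t)` in the `@ -102,10 +102,10 @@` hunk of local_login.te passes a file type where the interface expects a domain; the renamed interface is documented as `files_manage_generic_locks(domain)` and itself requires `type var_lock_t`, so this call grants local_login_t nothing and the rename carried the mistake over unchanged. Every other call in the hunk names `local_login_t`, so this was almost certainly meant to read `files_manage_generic_locks(local_login_t)`. Until it is fixed, the login domain's lock-file access is not what the policy appears to grant, which would surface as AVC denials on lock files at login rather than as a build error.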
@ -9,7 +9,7 @@ interface(`logging_log_file',`
|
|||||||
attribute logfile;
|
attribute logfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_file_type($1)
|
files_type($1)
|
||||||
typeattribute $1 logfile;
|
typeattribute $1 logfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -143,10 +143,16 @@ interface(`logging_read_all_logs',`
|
|||||||
allow $1 logfile:file r_file_perms;
|
allow $1 logfile:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <summary>
|
||||||
# logging_exec_all_logs(domain)
|
## Execute all log files in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
|
# cjp: not sure why this is needed. This was added
|
||||||
|
# because of logrotate.
|
||||||
interface(`logging_exec_all_logs',`
|
interface(`logging_exec_all_logs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute logfile;
|
attribute logfile;
|
||||||
|
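Review bot: The new summary for `logging_exec_all_logs` in the `@ -143,10 +143,16 @@` hunk documents the action but not its breadth, while the added `# cjp:` comment admits the reason for the grant is unknown; since the interface requires `attribute logfile`, the caller gets execute on every type carrying that attribute. The summary should state that scope and record the open question so it is not forgotten once the interface has users, e.g. `## Execute all log files (every type with the logfile attribute) in the caller domain.` followed by `## This is a broad grant added for logrotate; narrow it once the exact need is known.` The interface body continues past the end of the hunk.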
@ -19,7 +19,7 @@ type auditd_var_run_t;
|
|||||||
files_pid_file(auditd_var_run_t)
|
files_pid_file(auditd_var_run_t)
|
||||||
|
|
||||||
type devlog_t;
|
type devlog_t;
|
||||||
files_file_type(devlog_t)
|
files_type(devlog_t)
|
||||||
|
|
||||||
type klogd_t;
|
type klogd_t;
|
||||||
type klogd_exec_t;
|
type klogd_exec_t;
|
||||||
@ -42,7 +42,7 @@ type syslogd_var_run_t;
|
|||||||
files_pid_file(syslogd_var_run_t)
|
files_pid_file(syslogd_var_run_t)
|
||||||
|
|
||||||
type var_log_t, logfile;
|
type var_log_t, logfile;
|
||||||
files_file_type(var_log_t)
|
files_type(var_log_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -72,7 +72,7 @@ init_use_script_pty(auditd_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(auditd_t)
|
domain_use_wide_inherit_fd(auditd_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(auditd_t)
|
files_read_etc_files(auditd_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(auditd_t)
|
logging_send_syslog_msg(auditd_t)
|
||||||
|
|
||||||
@ -90,7 +90,7 @@ ifdef(`targeted_policy', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(auditd_t)
|
seutil_sigchld_newrole(auditd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
@ -139,7 +139,7 @@ fs_getattr_all_fs(klogd_t)
|
|||||||
files_create_pid(klogd_t,klogd_var_run_t)
|
files_create_pid(klogd_t,klogd_var_run_t)
|
||||||
files_read_etc_runtime_files(klogd_t)
|
files_read_etc_runtime_files(klogd_t)
|
||||||
# read /etc/nsswitch.conf
|
# read /etc/nsswitch.conf
|
||||||
files_read_generic_etc_files(klogd_t)
|
files_read_etc_files(klogd_t)
|
||||||
|
|
||||||
init_use_fd(klogd_t)
|
init_use_fd(klogd_t)
|
||||||
|
|
||||||
@ -219,7 +219,7 @@ init_use_script_pty(syslogd_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(syslogd_t)
|
domain_use_wide_inherit_fd(syslogd_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(syslogd_t)
|
files_read_etc_files(syslogd_t)
|
||||||
|
|
||||||
libs_use_ld_so(syslogd_t)
|
libs_use_ld_so(syslogd_t)
|
||||||
libs_use_shared_libs(syslogd_t)
|
libs_use_shared_libs(syslogd_t)
|
||||||
@ -262,7 +262,7 @@ optional_policy(`nis.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(syslogd_t)
|
seutil_sigchld_newrole(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
|
@ -15,13 +15,13 @@ domain_obj_id_change_exempt(lvm_t)
|
|||||||
role system_r types lvm_t;
|
role system_r types lvm_t;
|
||||||
|
|
||||||
type lvm_etc_t;
|
type lvm_etc_t;
|
||||||
files_file_type(lvm_etc_t)
|
files_type(lvm_etc_t)
|
||||||
|
|
||||||
type lvm_lock_t;
|
type lvm_lock_t;
|
||||||
files_lock_file(lvm_lock_t)
|
files_lock_file(lvm_lock_t)
|
||||||
|
|
||||||
type lvm_metadata_t;
|
type lvm_metadata_t;
|
||||||
files_file_type(lvm_metadata_t)
|
files_type(lvm_metadata_t)
|
||||||
|
|
||||||
type lvm_tmp_t;
|
type lvm_tmp_t;
|
||||||
files_tmp_file(lvm_tmp_t)
|
files_tmp_file(lvm_tmp_t)
|
||||||
@ -57,7 +57,7 @@ can_exec(lvm_t, lvm_exec_t)
|
|||||||
# Creating lock files
|
# Creating lock files
|
||||||
allow lvm_t lvm_lock_t:dir rw_dir_perms;
|
allow lvm_t lvm_lock_t:dir rw_dir_perms;
|
||||||
allow lvm_t lvm_lock_t:file create_file_perms;
|
allow lvm_t lvm_lock_t:file create_file_perms;
|
||||||
files_create_lock_file(lvm_t,lvm_lock_t)
|
files_create_lock(lvm_t,lvm_lock_t)
|
||||||
|
|
||||||
allow lvm_t lvm_etc_t:file r_file_perms;
|
allow lvm_t lvm_etc_t:file r_file_perms;
|
||||||
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
|
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
|
||||||
@ -111,7 +111,7 @@ storage_relabel_fixed_disk(lvm_t)
|
|||||||
# depending on its version
|
# depending on its version
|
||||||
# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
|
# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
|
||||||
# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
|
# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
|
||||||
storage_create_fixed_disk_dev_entry(lvm_t)
|
storage_create_fixed_disk(lvm_t)
|
||||||
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
|
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
|
||||||
storage_manage_fixed_disk(lvm_t)
|
storage_manage_fixed_disk(lvm_t)
|
||||||
|
|
||||||
@ -123,7 +123,7 @@ corecmd_dontaudit_getattr_sbin_file(lvm_t)
|
|||||||
domain_use_wide_inherit_fd(lvm_t)
|
domain_use_wide_inherit_fd(lvm_t)
|
||||||
|
|
||||||
files_search_var(lvm_t)
|
files_search_var(lvm_t)
|
||||||
files_read_generic_etc_files(lvm_t)
|
files_read_etc_files(lvm_t)
|
||||||
files_read_etc_runtime_files(lvm_t)
|
files_read_etc_runtime_files(lvm_t)
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
files_dontaudit_search_isid_type_dir(lvm_t)
|
files_dontaudit_search_isid_type_dir(lvm_t)
|
||||||
@ -141,7 +141,7 @@ miscfiles_read_localization(lvm_t)
|
|||||||
|
|
||||||
seutil_read_config(lvm_t)
|
seutil_read_config(lvm_t)
|
||||||
seutil_read_file_contexts(lvm_t)
|
seutil_read_file_contexts(lvm_t)
|
||||||
seutil_newrole_sigchld(lvm_t)
|
seutil_sigchld_newrole(lvm_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
# this is from the initrd:
|
# this is from the initrd:
|
||||||
|
@ -5,41 +5,41 @@ policy_module(miscfiles,1.0)
|
|||||||
# catman_t is the type for /var/catman.
|
# catman_t is the type for /var/catman.
|
||||||
#
|
#
|
||||||
type catman_t; # , tmpfile;
|
type catman_t; # , tmpfile;
|
||||||
files_file_type(catman_t)
|
files_type(catman_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# cert_t is the type of files in the system certs directories.
|
# cert_t is the type of files in the system certs directories.
|
||||||
#
|
#
|
||||||
type cert_t;
|
type cert_t;
|
||||||
files_file_type(cert_t)
|
files_type(cert_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# fonts_t is the type of various font
|
# fonts_t is the type of various font
|
||||||
# files in /usr
|
# files in /usr
|
||||||
#
|
#
|
||||||
type fonts_t;
|
type fonts_t;
|
||||||
files_file_type(fonts_t)
|
files_type(fonts_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# locale_t is the type for system localization
|
# locale_t is the type for system localization
|
||||||
#
|
#
|
||||||
type locale_t;
|
type locale_t;
|
||||||
files_file_type(locale_t)
|
files_type(locale_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# man_t is the type for the man directories.
|
# man_t is the type for the man directories.
|
||||||
#
|
#
|
||||||
type man_t;
|
type man_t;
|
||||||
files_file_type(man_t)
|
files_type(man_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Base type for the tests directory.
|
# Base type for the tests directory.
|
||||||
#
|
#
|
||||||
type test_file_t;
|
type test_file_t;
|
||||||
files_file_type(test_file_t)
|
files_type(test_file_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# for /var/{spool,lib}/texmf index files
|
# for /var/{spool,lib}/texmf index files
|
||||||
#
|
#
|
||||||
type tetex_data_t; # , tmpfile;
|
type tetex_data_t; # , tmpfile;
|
||||||
files_file_type(tetex_data_t)
|
files_type(tetex_data_t)
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`modutils_read_kernel_module_dependencies',`
|
interface(`modutils_read_mods_deps',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type modules_dep_t;
|
type modules_dep_t;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
@ -36,7 +36,7 @@ interface(`modutils_read_module_conf',`
|
|||||||
# This file type can be in /etc or
|
# This file type can be in /etc or
|
||||||
# /lib(64)?/modules
|
# /lib(64)?/modules
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
bootloader_search_boot_dir($1)
|
bootloader_search_boot($1)
|
||||||
|
|
||||||
allow $1 modules_conf_t:file r_file_perms;
|
allow $1 modules_conf_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
@ -8,11 +8,11 @@ policy_module(modutils,1.0)
|
|||||||
|
|
||||||
# module loading config
|
# module loading config
|
||||||
type modules_conf_t;
|
type modules_conf_t;
|
||||||
files_file_type(modules_conf_t)
|
files_type(modules_conf_t)
|
||||||
|
|
||||||
# module dependencies
|
# module dependencies
|
||||||
type modules_dep_t;
|
type modules_dep_t;
|
||||||
files_file_type(modules_dep_t)
|
files_type(modules_dep_t)
|
||||||
|
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
type insmod_exec_t;
|
type insmod_exec_t;
|
||||||
@ -78,9 +78,9 @@ domain_signal_all_domains(insmod_t)
|
|||||||
domain_use_wide_inherit_fd(insmod_t)
|
domain_use_wide_inherit_fd(insmod_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(insmod_t)
|
files_read_etc_runtime_files(insmod_t)
|
||||||
files_read_generic_etc_files(insmod_t)
|
files_read_etc_files(insmod_t)
|
||||||
files_read_usr_files(insmod_t)
|
files_read_usr_files(insmod_t)
|
||||||
files_exec_generic_etc_files(insmod_t)
|
files_exec_etc_files(insmod_t)
|
||||||
# for nscd:
|
# for nscd:
|
||||||
files_dontaudit_search_pids(insmod_t)
|
files_dontaudit_search_pids(insmod_t)
|
||||||
# for when /var is not mounted early in the boot:
|
# for when /var is not mounted early in the boot:
|
||||||
@ -127,7 +127,7 @@ can_exec(depmod_t, depmod_exec_t)
|
|||||||
allow depmod_t modules_conf_t:file r_file_perms;
|
allow depmod_t modules_conf_t:file r_file_perms;
|
||||||
|
|
||||||
allow depmod_t modules_dep_t:file create_file_perms;
|
allow depmod_t modules_dep_t:file create_file_perms;
|
||||||
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
|
bootloader_create_modules(depmod_t,modules_dep_t)
|
||||||
|
|
||||||
kernel_read_system_state(depmod_t)
|
kernel_read_system_state(depmod_t)
|
||||||
|
|
||||||
@ -148,8 +148,8 @@ init_use_script_fd(depmod_t)
|
|||||||
init_use_script_pty(depmod_t)
|
init_use_script_pty(depmod_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(depmod_t)
|
files_read_etc_runtime_files(depmod_t)
|
||||||
files_read_generic_etc_files(depmod_t)
|
files_read_etc_files(depmod_t)
|
||||||
files_read_usr_src(depmod_t)
|
files_read_usr_src_files(depmod_t)
|
||||||
|
|
||||||
libs_use_ld_so(depmod_t)
|
libs_use_ld_so(depmod_t)
|
||||||
libs_use_shared_libs(depmod_t)
|
libs_use_shared_libs(depmod_t)
|
||||||
@ -177,7 +177,7 @@ can_exec(update_modules_t, update_modules_exec_t)
|
|||||||
|
|
||||||
# manage module loading configuration
|
# manage module loading configuration
|
||||||
allow update_modules_t modules_conf_t:file create_file_perms;
|
allow update_modules_t modules_conf_t:file create_file_perms;
|
||||||
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
|
bootloader_create_modules(update_modules_t,modules_conf_t)
|
||||||
files_create_etc_config(update_modules_t,modules_conf_t)
|
files_create_etc_config(update_modules_t,modules_conf_t)
|
||||||
|
|
||||||
# transition to depmod
|
# transition to depmod
|
||||||
@ -203,8 +203,8 @@ init_use_script_pty(depmod_t)
|
|||||||
domain_use_wide_inherit_fd(depmod_t)
|
domain_use_wide_inherit_fd(depmod_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(update_modules_t)
|
files_read_etc_runtime_files(update_modules_t)
|
||||||
files_read_generic_etc_files(update_modules_t)
|
files_read_etc_files(update_modules_t)
|
||||||
files_exec_generic_etc_files(update_modules_t)
|
files_exec_etc_files(update_modules_t)
|
||||||
|
|
||||||
corecmd_exec_bin(update_modules_t)
|
corecmd_exec_bin(update_modules_t)
|
||||||
corecmd_exec_sbin(update_modules_t)
|
corecmd_exec_sbin(update_modules_t)
|
||||||
|
@ -55,7 +55,7 @@ corecmd_exec_bin(mount_t)
|
|||||||
domain_use_wide_inherit_fd(mount_t)
|
domain_use_wide_inherit_fd(mount_t)
|
||||||
|
|
||||||
files_search_all_dirs(mount_t)
|
files_search_all_dirs(mount_t)
|
||||||
files_read_generic_etc_files(mount_t)
|
files_read_etc_files(mount_t)
|
||||||
files_manage_etc_runtime_files(mount_t)
|
files_manage_etc_runtime_files(mount_t)
|
||||||
files_mounton_all_mountpoints(mount_t)
|
files_mounton_all_mountpoints(mount_t)
|
||||||
files_unmount_rootfs(mount_t)
|
files_unmount_rootfs(mount_t)
|
||||||
|
@ -224,7 +224,7 @@ interface(`seutil_exec_newrole',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`seutil_dontaudit_newrole_signal',`
|
interface(`seutil_dontaudit_signal_newrole',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class process signal;
|
class process signal;
|
||||||
@ -235,9 +235,9 @@ interface(`seutil_dontaudit_newrole_signal',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# seutil_newrole_sigchld(domain)
|
# seutil_sigchld_newrole(domain)
|
||||||
#
|
#
|
||||||
interface(`seutil_newrole_sigchld',`
|
interface(`seutil_sigchld_newrole',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class process sigchld;
|
class process sigchld;
|
||||||
|
@ -21,14 +21,14 @@ domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
|
|||||||
# /etc/selinux/*/contexts/*
|
# /etc/selinux/*/contexts/*
|
||||||
#
|
#
|
||||||
type default_context_t;
|
type default_context_t;
|
||||||
files_file_type(default_context_t)
|
files_type(default_context_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# file_context_t is the type applied to
|
# file_context_t is the type applied to
|
||||||
# /etc/selinux/*/contexts/files
|
# /etc/selinux/*/contexts/files
|
||||||
#
|
#
|
||||||
type file_context_t;
|
type file_context_t;
|
||||||
files_file_type(file_context_t)
|
files_type(file_context_t)
|
||||||
|
|
||||||
type load_policy_t;
|
type load_policy_t;
|
||||||
domain_type(load_policy_t)
|
domain_type(load_policy_t)
|
||||||
@ -51,7 +51,7 @@ domain_entry_file(newrole_t,newrole_exec_t)
|
|||||||
# the security server policy configuration.
|
# the security server policy configuration.
|
||||||
#
|
#
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
files_file_type(policy_config_t)
|
files_type(policy_config_t)
|
||||||
|
|
||||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||||
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||||
@ -61,7 +61,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
|||||||
# files.
|
# files.
|
||||||
#
|
#
|
||||||
type policy_src_t;
|
type policy_src_t;
|
||||||
files_file_type(policy_src_t)
|
files_type(policy_src_t)
|
||||||
|
|
||||||
type restorecon_t, can_relabelto_binary_policy;
|
type restorecon_t, can_relabelto_binary_policy;
|
||||||
type restorecon_exec_t;
|
type restorecon_exec_t;
|
||||||
@ -80,7 +80,7 @@ domain_entry_file(run_init_t,run_init_exec_t)
|
|||||||
# /etc/selinux/config
|
# /etc/selinux/config
|
||||||
#
|
#
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_file_type(selinux_config_t)
|
files_type(selinux_config_t)
|
||||||
|
|
||||||
type setfiles_t, can_relabelto_binary_policy;
|
type setfiles_t, can_relabelto_binary_policy;
|
||||||
domain_obj_id_change_exempt(setfiles_t)
|
domain_obj_id_change_exempt(setfiles_t)
|
||||||
@ -216,7 +216,7 @@ domain_use_wide_inherit_fd(newrole_t)
|
|||||||
# Write to utmp.
|
# Write to utmp.
|
||||||
init_rw_script_pid(newrole_t)
|
init_rw_script_pid(newrole_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(newrole_t)
|
files_read_etc_files(newrole_t)
|
||||||
|
|
||||||
libs_use_ld_so(newrole_t)
|
libs_use_ld_so(newrole_t)
|
||||||
libs_use_shared_libs(newrole_t)
|
libs_use_shared_libs(newrole_t)
|
||||||
@ -284,7 +284,7 @@ init_use_script_pty(restorecon_t)
|
|||||||
domain_use_wide_inherit_fd(restorecon_t)
|
domain_use_wide_inherit_fd(restorecon_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(restorecon_t)
|
files_read_etc_runtime_files(restorecon_t)
|
||||||
files_read_generic_etc_files(restorecon_t)
|
files_read_etc_files(restorecon_t)
|
||||||
|
|
||||||
libs_use_ld_so(restorecon_t)
|
libs_use_ld_so(restorecon_t)
|
||||||
libs_use_shared_libs(restorecon_t)
|
libs_use_shared_libs(restorecon_t)
|
||||||
@ -362,7 +362,7 @@ ifdef(`targeted_policy',`',`
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(run_init_t)
|
domain_use_wide_inherit_fd(run_init_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(run_init_t)
|
files_read_etc_files(run_init_t)
|
||||||
files_dontaudit_search_all_dirs(run_init_t)
|
files_dontaudit_search_all_dirs(run_init_t)
|
||||||
|
|
||||||
init_domtrans_script(run_init_t)
|
init_domtrans_script(run_init_t)
|
||||||
@ -427,7 +427,7 @@ libs_use_ld_so(setfiles_t)
|
|||||||
libs_use_shared_libs(setfiles_t)
|
libs_use_shared_libs(setfiles_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(setfiles_t)
|
files_read_etc_runtime_files(setfiles_t)
|
||||||
files_read_generic_etc_files(setfiles_t)
|
files_read_etc_files(setfiles_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(setfiles_t)
|
logging_send_syslog_msg(setfiles_t)
|
||||||
|
|
||||||
|
@ -9,11 +9,11 @@ policy_module(sysnetwork,1.0)
|
|||||||
# this is shared between dhcpc and dhcpd:
|
# this is shared between dhcpc and dhcpd:
|
||||||
type dhcp_etc_t; #, usercanread;
|
type dhcp_etc_t; #, usercanread;
|
||||||
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
|
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
|
||||||
files_file_type(dhcp_etc_t)
|
files_type(dhcp_etc_t)
|
||||||
|
|
||||||
# this is shared between dhcpc and dhcpd:
|
# this is shared between dhcpc and dhcpd:
|
||||||
type dhcp_state_t;
|
type dhcp_state_t;
|
||||||
files_file_type(dhcp_state_t)
|
files_type(dhcp_state_t)
|
||||||
|
|
||||||
type dhcpc_t;
|
type dhcpc_t;
|
||||||
type dhcpc_exec_t;
|
type dhcpc_exec_t;
|
||||||
@ -21,7 +21,7 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
|||||||
role system_r types dhcpc_t;
|
role system_r types dhcpc_t;
|
||||||
|
|
||||||
type dhcpc_state_t;
|
type dhcpc_state_t;
|
||||||
files_file_type(dhcpc_state_t)
|
files_type(dhcpc_state_t)
|
||||||
|
|
||||||
type dhcpc_tmp_t;
|
type dhcpc_tmp_t;
|
||||||
files_tmp_file(dhcpc_tmp_t)
|
files_tmp_file(dhcpc_tmp_t)
|
||||||
@ -35,7 +35,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
|
|||||||
role system_r types ifconfig_t;
|
role system_r types ifconfig_t;
|
||||||
|
|
||||||
type net_conf_t alias resolv_conf_t;
|
type net_conf_t alias resolv_conf_t;
|
||||||
files_file_type(net_conf_t)
|
files_type(net_conf_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -118,7 +118,7 @@ corecmd_exec_shell(dhcpc_t)
|
|||||||
|
|
||||||
domain_use_wide_inherit_fd(dhcpc_t)
|
domain_use_wide_inherit_fd(dhcpc_t)
|
||||||
|
|
||||||
files_read_generic_etc_files(dhcpc_t)
|
files_read_etc_files(dhcpc_t)
|
||||||
files_read_etc_runtime_files(dhcpc_t)
|
files_read_etc_runtime_files(dhcpc_t)
|
||||||
|
|
||||||
init_use_fd(dhcpc_t)
|
init_use_fd(dhcpc_t)
|
||||||
@ -135,7 +135,7 @@ miscfiles_read_localization(dhcpc_t)
|
|||||||
modutils_domtrans_insmod(dhcpc_t)
|
modutils_domtrans_insmod(dhcpc_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
files_exec_generic_etc_files(dhcpc_t)
|
files_exec_etc_files(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
@ -171,7 +171,7 @@ optional_policy(`ntpd.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
seutil_newrole_sigchld(dhcpc_t)
|
seutil_sigchld_newrole(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te',`
|
optional_policy(`udev.te',`
|
||||||
@ -257,7 +257,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
|
|||||||
# for /sbin/ip
|
# for /sbin/ip
|
||||||
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
allow ifconfig_t self:tcp_socket { create ioctl };
|
allow ifconfig_t self:tcp_socket { create ioctl };
|
||||||
files_read_generic_etc_files(ifconfig_t);
|
files_read_etc_files(ifconfig_t);
|
||||||
|
|
||||||
kernel_use_fd(ifconfig_t)
|
kernel_use_fd(ifconfig_t)
|
||||||
kernel_read_system_state(ifconfig_t)
|
kernel_read_system_state(ifconfig_t)
|
||||||
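Review bot: `files_read_etc_files(ifconfig_t);` carries a trailing semicolon that no other interface call in this hunk has; the rename kept it from the old `files_read_generic_etc_files(ifconfig_t);`. Interface calls are m4 macros that expand to complete statements, so the extra `;` is at best noise in the expanded policy; drop it: `files_read_etc_files(ifconfig_t)`.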
|
@ -16,15 +16,15 @@ domain_wide_inherit_fd(udev_t)
|
|||||||
init_daemon_domain(udev_t,udev_exec_t)
|
init_daemon_domain(udev_t,udev_exec_t)
|
||||||
|
|
||||||
type udev_etc_t alias etc_udev_t;
|
type udev_etc_t alias etc_udev_t;
|
||||||
files_file_type(udev_etc_t)
|
files_type(udev_etc_t)
|
||||||
|
|
||||||
# udev_runtime_t is the type of the udev table file
|
# udev_runtime_t is the type of the udev table file
|
||||||
# cjp: this is probably a copy of udev_tbl_t and can be removed
|
# cjp: this is probably a copy of udev_tbl_t and can be removed
|
||||||
type udev_runtime_t;
|
type udev_runtime_t;
|
||||||
files_file_type(udev_runtime_t)
|
files_type(udev_runtime_t)
|
||||||
|
|
||||||
type udev_tbl_t alias udev_tdb_t;
|
type udev_tbl_t alias udev_tdb_t;
|
||||||
files_file_type(udev_tbl_t)
|
files_type(udev_tbl_t)
|
||||||
|
|
||||||
type udev_var_run_t;
|
type udev_var_run_t;
|
||||||
files_pid_file(udev_var_run_t)
|
files_pid_file(udev_var_run_t)
|
||||||
@ -91,8 +91,8 @@ domain_exec_all_entry_files(udev_t)
|
|||||||
domain_dontaudit_list_all_domains_proc(udev_t)
|
domain_dontaudit_list_all_domains_proc(udev_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(udev_t)
|
files_read_etc_runtime_files(udev_t)
|
||||||
files_read_generic_etc_files(udev_t)
|
files_read_etc_files(udev_t)
|
||||||
files_exec_generic_etc_files(udev_t)
|
files_exec_etc_files(udev_t)
|
||||||
files_dontaudit_search_isid_type_dir(udev_t)
|
files_dontaudit_search_isid_type_dir(udev_t)
|
||||||
|
|
||||||
init_use_fd(udev_t)
|
init_use_fd(udev_t)
|
||||||
|
@ -1,12 +1,28 @@
|
|||||||
## <summary>Policy for user domains</summary>
|
## <summary>Policy for user domains</summary>
|
||||||
|
|
||||||
########################################
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## The template containing rules common to unprivileged
|
||||||
|
## users and administrative users.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## This template creates a user domain, types, and
|
||||||
|
## rules for the user's tty, pty, home directories,
|
||||||
|
## tmp, and tmpfs files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This generally should not be used, rather the
|
||||||
|
## unpriv_user_template or admin_user_template should
|
||||||
|
## be used.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
# Base user domain template
|
template(`base_user_template',`
|
||||||
#
|
|
||||||
# This is common to user and admin domain
|
|
||||||
|
|
||||||
template(`base_user_domain',`
|
|
||||||
|
|
||||||
attribute $1_file_type;
|
attribute $1_file_type;
|
||||||
|
|
||||||
@ -22,11 +38,11 @@ template(`base_user_domain',`
|
|||||||
|
|
||||||
# type for contents of home directory
|
# type for contents of home directory
|
||||||
type $1_home_t, $1_file_type, home_type;
|
type $1_home_t, $1_file_type, home_type;
|
||||||
files_file_type($1_home_t)
|
files_type($1_home_t)
|
||||||
|
|
||||||
# type of home directory
|
# type of home directory
|
||||||
type $1_home_dir_t, home_dir_type, home_type;
|
type $1_home_dir_t, home_dir_type, home_type;
|
||||||
files_file_type($1_home_t)
|
files_type($1_home_t)
|
||||||
|
|
||||||
type $1_tmp_t, $1_file_type;
|
type $1_tmp_t, $1_file_type;
|
||||||
files_tmp_file($1_tmp_t)
|
files_tmp_file($1_tmp_t)
|
||||||
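Review bot: `files_type($1_home_t)` on the line following `type $1_home_dir_t, home_dir_type, home_type;` repeats the call already made for `$1_home_t` three lines earlier, so `$1_home_dir_t` apparently never receives the files_type attribute; it looks like it should read `files_type($1_home_dir_t)`. The rename carried the old argument across unchanged, so the defect predates this commit, but every home directory type declared through this template is affected and the same pass is the natural place to fix it. The enclosing template starts and ends outside the hunk.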
@ -154,8 +170,8 @@ template(`base_user_domain',`
|
|||||||
domain_exec_all_entry_files($1_t)
|
domain_exec_all_entry_files($1_t)
|
||||||
domain_use_wide_inherit_fd($1_t)
|
domain_use_wide_inherit_fd($1_t)
|
||||||
|
|
||||||
files_exec_generic_etc_files($1_t)
|
files_exec_etc_files($1_t)
|
||||||
files_read_usr_src($1_t)
|
files_read_usr_src_files($1_t)
|
||||||
|
|
||||||
# Caused by su - init scripts
|
# Caused by su - init scripts
|
||||||
init_dontaudit_use_script_pty($1_t)
|
init_dontaudit_use_script_pty($1_t)
|
||||||
@ -392,19 +408,30 @@ template(`base_user_domain',`
|
|||||||
|
|
||||||
')dnl end base_user_domain macro
|
')dnl end base_user_domain macro
|
||||||
|
|
||||||
########################################
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## The template for creating a unprivileged user.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## This template creates a user domain, types, and
|
||||||
|
## rules for the user's tty, pty, home directories,
|
||||||
|
## tmp, and tmpfs files.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
# User domain template
|
template(`unpriv_user_template', `
|
||||||
#
|
|
||||||
|
|
||||||
template(`user_domain_template', `
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
# Inherit rules for ordinary users.
|
# Inherit rules for ordinary users.
|
||||||
base_user_domain($1)
|
base_user_template($1)
|
||||||
|
|
||||||
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
|
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
|
||||||
domain_wide_inherit_fd($1_t)
|
domain_wide_inherit_fd($1_t)
|
||||||
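Review bot: `')dnl end base_user_domain macro` still names the template that this commit renames to `base_user_template` (the rename is visible in the `@ -1,12 +1,28 @@` hunk and in the `base_user_template($1)` call later in this hunk), so the closing marker is now stale; change it to `')dnl end base_user_template macro`. Separately, the new summary line `## The template for creating a unprivileged user.` should read `an unprivileged user`.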
@ -455,7 +482,7 @@ template(`user_domain_template', `
|
|||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||||
|
|
||||||
files_read_generic_etc_files($1_t)
|
files_read_etc_files($1_t)
|
||||||
files_list_home($1_t)
|
files_list_home($1_t)
|
||||||
files_read_usr_files($1_t)
|
files_read_usr_files($1_t)
|
||||||
|
|
||||||
@ -494,7 +521,7 @@ template(`user_domain_template', `
|
|||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
# for when the network connection is killed
|
# for when the network connection is killed
|
||||||
seutil_dontaudit_newrole_signal($1_t)
|
seutil_dontaudit_signal_newrole($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# Need the following rule to allow users to run vpnc
|
# Need the following rule to allow users to run vpnc
|
||||||
@ -594,18 +621,44 @@ template(`user_domain_template', `
|
|||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## The template for creating an administrative user.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## This template creates a user domain, types, and
|
||||||
|
## rules for the user's tty, pty, home directories,
|
||||||
|
## tmp, and tmpfs files.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <secdesc>
|
||||||
|
## The privileges given to administrative users are:
|
||||||
|
## <ul>
|
||||||
|
## <li>Raw disk access</li>
|
||||||
|
## <li>Set all sysctls</li>
|
||||||
|
## <li>All kernel ring buffer controls</li>
|
||||||
|
## <li>Set SELinux enforcement mode (enforcing/permissive)</li>
|
||||||
|
## <li>Set SELinux booleans</li>
|
||||||
|
## <li>Relabel all files but shadow</li>
|
||||||
|
## <li>Create, read, write, and delete all files but shadow</li>
|
||||||
|
## <li>Manage source and binary format SELinux policy</li>
|
||||||
|
## <li>Run insmod</li>
|
||||||
|
## </ul>
|
||||||
|
## </secdesc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## The prefix of the user domain (e.g., sysadm
|
||||||
|
## is the prefix for sysadm_t).
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
# Admin domain template
|
template(`admin_user_template',`
|
||||||
#
|
|
||||||
template(`admin_domain_template',`
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
# Inherit rules for ordinary users.
|
# Inherit rules for ordinary users.
|
||||||
base_user_domain($1)
|
base_user_template($1)
|
||||||
|
|
||||||
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
|
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
|
||||||
domain_obj_id_change_exempt($1_t)
|
domain_obj_id_change_exempt($1_t)
|
||||||
@ -658,6 +711,14 @@ template(`admin_domain_template',`
|
|||||||
kernel_read_ring_buffer($1_t)
|
kernel_read_ring_buffer($1_t)
|
||||||
kernel_get_sysvipc_info($1_t)
|
kernel_get_sysvipc_info($1_t)
|
||||||
kernel_rw_all_sysctl($1_t)
|
kernel_rw_all_sysctl($1_t)
|
||||||
|
|
||||||
|
# signal unlabeled processes:
|
||||||
|
kernel_kill_unlabeled($1_t)
|
||||||
|
kernel_signal_unlabeled($1_t)
|
||||||
|
kernel_sigstop_unlabeled($1_t)
|
||||||
|
kernel_signull_unlabeled($1_t)
|
||||||
|
kernel_sigchld_unlabeled($1_t)
|
||||||
|
|
||||||
selinux_set_enforce_mode($1_t)
|
selinux_set_enforce_mode($1_t)
|
||||||
selinux_set_boolean($1_t)
|
selinux_set_boolean($1_t)
|
||||||
selinux_set_parameters($1_t)
|
selinux_set_parameters($1_t)
|
||||||
@ -668,12 +729,6 @@ template(`admin_domain_template',`
|
|||||||
selinux_compute_create_context($1_t)
|
selinux_compute_create_context($1_t)
|
||||||
selinux_compute_relabel_context($1_t)
|
selinux_compute_relabel_context($1_t)
|
||||||
selinux_compute_user_contexts($1_t)
|
selinux_compute_user_contexts($1_t)
|
||||||
# signal unlabeled processes:
|
|
||||||
kernel_kill_unlabeled($1_t)
|
|
||||||
kernel_signal_unlabeled($1_t)
|
|
||||||
kernel_sigstop_unlabeled($1_t)
|
|
||||||
kernel_signull_unlabeled($1_t)
|
|
||||||
kernel_sigchld_unlabeled($1_t)
|
|
||||||
|
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
|
|
||||||
|
@ -29,9 +29,9 @@ attribute userdomain;
|
|||||||
# unprivileged user domains
|
# unprivileged user domains
|
||||||
attribute unpriv_userdomain;
|
attribute unpriv_userdomain;
|
||||||
|
|
||||||
admin_domain_template(sysadm)
|
admin_user_template(sysadm)
|
||||||
user_domain_template(staff)
|
unpriv_user_template(staff)
|
||||||
user_domain_template(user)
|
unpriv_user_template(user)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|