patch from dan 1/16/06
This commit is contained in:
parent
cc5df23b7e
commit
93727e3fd2
@ -16,9 +16,9 @@ If you want to setup a directory where you can upload files to you must label th
|
||||
.TP
|
||||
chcon -t public_content_rw_t /var/ftp/incoming
|
||||
.TP
|
||||
You must also turn on the boolean allow_ftp_anon_write.
|
||||
You must also turn on the boolean allow_ftpd_anon_write.
|
||||
.TP
|
||||
setsebool -P allow_ftp_anon_write=1
|
||||
setsebool -P allow_ftpd_anon_write=1
|
||||
.TP
|
||||
If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
|
||||
.TP
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kudzu,1.0.1)
|
||||
policy_module(kudzu,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -63,6 +63,7 @@ fs_search_ramfs(kudzu_t)
|
||||
fs_write_ramfs_socket(kudzu_t)
|
||||
|
||||
mls_file_read_up(kudzu_t)
|
||||
mls_file_write_down(kudzu_t)
|
||||
|
||||
modutils_read_mods_deps(kudzu_t)
|
||||
modutils_read_module_conf(kudzu_t)
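Review bot: `mls_file_write_down(kudzu_t)` lets the hardware-detection domain write to files at a lower MLS level than its own, which is the no-write-down rule being relaxed for this one domain, and the hunk carries no comment saying which file that is for. The rendering has lost the +/- markers, but the 6→7 line counts mean exactly one of these lines is new and this is the only line not already paired with a neighbour. A one-line justification above it, e.g. `# needed to write <which file> below kudzu's own level`, would let a later reviewer confirm the privilege is still required instead of carrying it forward blindly.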
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(readahead,1.0.1)
|
||||
policy_module(readahead,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -35,6 +35,7 @@ dev_getattr_generic_blk_file(readahead_t)
|
||||
dev_getattr_all_chr_files(readahead_t)
|
||||
dev_getattr_all_blk_files(readahead_t)
|
||||
dev_dontaudit_read_all_blk_files(readahead_t)
|
||||
dev_dontaudit_getattr_memory_dev(readahead_t)
|
||||
|
||||
domain_use_wide_inherit_fd(readahead_t)
|
||||
|
||||
@ -46,6 +47,7 @@ fs_getattr_all_fs(readahead_t)
|
||||
fs_search_auto_mountpoints(readahead_t)
|
||||
fs_getattr_all_pipes(readahead_t)
|
||||
fs_getattr_all_files(readahead_t)
|
||||
fs_search_ramfs(readahead_t)
|
||||
|
||||
term_dontaudit_use_console(readahead_t)
|
||||
|
||||
|
@ -2,3 +2,4 @@
|
||||
# /usr
|
||||
#
|
||||
/usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
|
@ -1133,6 +1133,22 @@ interface(`dev_delete_lvm_control',`
|
||||
allow $1 lvm_control_t:chr_file unlink;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit getattr raw memory devices (e.g. /dev/mem).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_dontaudit_getattr_memory_dev',`
|
||||
gen_require(`
|
||||
type memory_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 memory_device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read raw memory devices (e.g. /dev/mem).
|
||||
|
@ -952,6 +952,23 @@ interface(`fs_relabelfrom_dos_fs',`
|
||||
allow $1 dosfs_t:filesystem relabelfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read eventpollfs files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_read_eventpollfs',`
|
||||
gen_require(`
|
||||
type eventpollfs_t;
|
||||
')
|
||||
|
||||
allow $1 eventpollfs_t:dir search_dir_perms;
|
||||
allow $1 eventpollfs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount an iso9660 filesystem, which
|
||||
@ -2280,6 +2297,25 @@ interface(`fs_use_tmpfs_chr_dev',`
|
||||
allow $1 tmpfs_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit Read and write character nodes on tmpfs filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
dontaudit $1 tmpfs_t:dir r_dir_perms;
|
||||
dontaudit $1 tmpfs_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel character nodes on tmpfs filesystems.
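Review bot: The `<param>` description in `fs_dontaudit_use_tmpfs_chr_dev` reads `The type of the process performing this action.` while the sibling `fs_read_eventpollfs` added in the same commit uses `Domain allowed access.`; pick one wording for both. The summary `dontaudit Read and write character nodes on tmpfs filesystems.` also omits that the interface silences `dir r_dir_perms` on tmpfs_t as well, so a reader of the generated docs will not expect the directory half; suggest `## Do not audit attempts to search tmpfs directories and read/write character nodes on them.`. The `gen_require` block lists `class dir r_dir_perms;` and `class chr_file rw_file_perms;` whereas `fs_read_eventpollfs` requires only the type; if class requirements are not needed there they are not needed here either, and the two new interfaces should agree.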
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mls,1.1.2)
|
||||
policy_module(mls,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55,6 +55,7 @@ attribute mlsrangetrans;
|
||||
# temporarily have to break encapsulation to work around this.
|
||||
#
|
||||
|
||||
type auditd_exec_t;
|
||||
type crond_exec_t;
|
||||
type cupsd_exec_t;
|
||||
type getty_t;
|
||||
@ -87,4 +88,5 @@ range_transition unconfined_t initrc_exec_t s0;
|
||||
ifdef(`enable_mls',`
|
||||
# run init with maximum MLS range
|
||||
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
|
||||
range_transition initrc_t auditd_exec_t s15:c0.c255;
|
||||
')
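Review bot: `range_transition initrc_t auditd_exec_t s15:c0.c255;` places auditd at a single level at system high, unlike the init line above it which is a range `s0 - s15:c0.c255`, and the only comment in the block (`# run init with maximum MLS range`) does not cover it. A comment on the new line stating why auditd sits at system high and why a single level rather than a range is intended would make the choice checkable, e.g. `# auditd runs at system high so the audit log can hold records from every level`. The `type auditd_exec_t;` added to the encapsulation-breaking block in the 55,6 hunk is presumably the counterpart of the `gen_require` in logging.te's hunk; that side explains the workaround, so a short cross-reference here (`# see logging.te`) would tie the two together.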
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache,1.1.3)
|
||||
policy_module(apache,1.1.4)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -690,6 +690,10 @@ optional_policy(`mysql',`
|
||||
|
||||
unconfined_domain_template(httpd_unconfined_script_t)
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_system_entry(httpd_t, httpd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_use_socket(httpd_unconfined_script_t)
|
||||
')
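Review bot: The new `optional_policy(`nscd',` block grants `nscd_use_socket` to `httpd_unconfined_script_t`, a domain that is already given `unconfined_domain_template` three lines above in the same hunk. If the unconfined template already covers nscd socket use (not checkable from this page) the block is redundant; if it does not, a short comment saying what the template leaves out would stop the next reader from removing it as dead policy. One sentence above the block would settle it either way.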
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apm,1.1.1)
|
||||
policy_module(apm,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -196,6 +196,7 @@ optional_policy(`clock',`
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_system_entry(apmd_t, apmd_exec_t)
|
||||
cron_domtrans_anacron_system_job(apmd_t)
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(automount,1.0.4)
|
||||
policy_module(automount,1.0.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -108,6 +108,7 @@ fs_search_auto_mountpoints(automount_t)
|
||||
fs_manage_auto_mountpoints(automount_t)
|
||||
|
||||
term_dontaudit_use_console(automount_t)
|
||||
term_dontaudit_getattr_pty_dir(automount_t)
|
||||
|
||||
init_use_fd(automount_t)
|
||||
init_use_script_pty(automount_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cron,1.1.4)
|
||||
policy_module(cron,1.1.5)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -120,7 +120,7 @@ files_search_default(crond_t)
|
||||
|
||||
init_use_fd(crond_t)
|
||||
init_use_script_pty(crond_t)
|
||||
init_read_script_pid(crond_t)
|
||||
init_rw_script_pid(crond_t)
|
||||
|
||||
libs_use_ld_so(crond_t)
|
||||
libs_use_shared_libs(crond_t)
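Review bot: `init_read_script_pid(crond_t)` becomes `init_rw_script_pid(crond_t)`, which widens the cron daemon from reading init-script pid files to writing them, and the hunk gives no reason for the extra write access. The rendering has dropped the +/- markers, but the 7→7 counts with one extra line shown mean these two lines are the replaced pair. Suggest `# crond writes <which init-script pid file and why>` above the new line, or, if this is only a denial being chased, a dontaudit in place of rw.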
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.1.1)
|
||||
policy_module(cups,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -201,8 +201,7 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_use_fd(cupsd_t)
|
||||
cron_read_pipe(cupsd_t)
|
||||
cron_system_entry(cupsd_t, cupsd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`dbus',`
|
||||
@ -580,8 +579,7 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_use_system_job_fd(cupsd_config_t)
|
||||
cron_read_pipe(cupsd_config_t)
|
||||
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`dbus',`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.1.5)
|
||||
policy_module(hal,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -50,6 +50,8 @@ kernel_read_kernel_sysctl(hald_t)
|
||||
kernel_read_fs_sysctl(hald_t)
|
||||
kernel_write_proc_file(hald_t)
|
||||
|
||||
bootloader_getattr_boot_dir(hald_t)
|
||||
|
||||
corecmd_exec_bin(hald_t)
|
||||
corecmd_exec_sbin(hald_t)
|
||||
|
||||
@ -82,8 +84,8 @@ domain_exec_all_entry_files(hald_t)
|
||||
files_exec_etc_files(hald_t)
|
||||
files_read_etc_files(hald_t)
|
||||
files_rw_etc_runtime_files(hald_t)
|
||||
files_search_mnt(hald_t)
|
||||
files_manage_mnt_dirs(hald_t)
|
||||
files_manage_mnt_files(hald_t)
|
||||
files_search_var_lib(hald_t)
|
||||
files_read_usr_files(hald_t)
|
||||
# hal is now execing pm-suspend
|
||||
@ -145,6 +147,10 @@ optional_policy(`apm',`
|
||||
apm_stream_connect(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`bind',`
|
||||
bind_search_cache(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`clock',`
|
||||
clock_domtrans(hald_t)
|
||||
')
|
||||
@ -158,6 +164,7 @@ optional_policy(`dbus',`
|
||||
dbus_system_bus_client_template(hald,hald_t)
|
||||
dbus_send_system_bus_msg(hald_t)
|
||||
dbus_connect_system_bus(hald_t)
|
||||
allow hald_t self:dbus send_msg;
|
||||
|
||||
init_dbus_chat_script(hald_t)
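Review bot: `bind_search_cache(hald_t)` in the new `optional_policy(`bind',` block is an unusual grant for a hardware abstraction daemon, and nothing in the hunk says why hald needs to search the BIND cache directory; if this only silences an audit denial, a dontaudit-style interface would be the narrower choice, and if it is needed a comment naming the code path would help. The `files_search_mnt(hald_t)` to `files_manage_mnt_dirs(hald_t)` / `files_manage_mnt_files(hald_t)` change in the 82,8 hunk also moves hald from search to manage-level access (going by the interface name, create and delete included) on everything under /mnt, which deserves a comment such as `# hal creates mountpoint dirs under /mnt for removable media — confirm`. The +/- markers are lost in this rendering, so the old/new pairing here is inferred from line order and the addition counts.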
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mta,1.1.3)
|
||||
policy_module(mta,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -53,6 +53,8 @@ kernel_read_network_state(system_mail_t)
|
||||
dev_read_rand(system_mail_t)
|
||||
dev_read_urand(system_mail_t)
|
||||
|
||||
fs_read_eventpollfs(system_mail_t)
|
||||
|
||||
init_use_script_pty(system_mail_t)
|
||||
|
||||
userdom_use_sysadm_terms(system_mail_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sendmail,1.1.1)
|
||||
policy_module(sendmail,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -31,6 +31,7 @@ allow sendmail_t self:fifo_file rw_file_perms;
|
||||
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow sendmail_t self:unix_dgram_socket create_socket_perms;
|
||||
allow sendmail_t self:tcp_socket create_stream_socket_perms;
|
||||
allow sendmail_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow sendmail_t sendmail_log_t:file create_file_perms;
|
||||
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
|
||||
@ -92,6 +93,7 @@ sysnet_read_config(sendmail_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(sendmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
|
||||
|
||||
mta_read_config(sendmail_t)
|
||||
mta_filetrans_etc_aliases(sendmail_t)
|
||||
# Write to /etc/aliases and /etc/mail.
|
||||
mta_rw_aliases(sendmail_t)
|
||||
|
@ -918,6 +918,19 @@ interface(`auth_dontaudit_exec_utempter',`
|
||||
dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_setattr_login_records(domain)
|
||||
#
|
||||
interface(`auth_setattr_login_records',`
|
||||
gen_require(`
|
||||
type wtmp_t;
|
||||
')
|
||||
|
||||
allow $1 wtmp_t:file setattr;
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_read_login_records(domain)
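Review bot: The new `auth_setattr_login_records` interface is documented with the bare `# auth_setattr_login_records(domain)` header, whereas the interfaces this same commit adds in devices.if and filesystem.if use the XML `## <summary>` / `## <param name="domain">` form that the policy documentation tooling consumes, so the new interface will be missing from generated docs. Suggest replacing the three comment lines with a summary such as `## Set attributes of login record files (wtmp).` and a `## <param name="domain">` block containing `## Domain allowed access.`. The neighbouring `auth_read_login_records` header uses the old style too, so this is a pre-existing inconsistency the new code extends rather than introduces.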
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin,1.1.1)
|
||||
policy_module(authlogin,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -129,14 +129,6 @@ optional_policy(`nscd',`
|
||||
nscd_use_socket(pam_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
||||
# Supress xdm denial
|
||||
ifdef(`xdm.te', `
|
||||
dontaudit pam_t xdm_t:fd use;
|
||||
') dnl ifdef
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# PAM console local policy
|
||||
@ -229,6 +221,10 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(pam_console_t)
|
||||
')
|
||||
|
||||
optional_policy(`alsa',`
|
||||
alsa_domtrans(pam_console_t)
|
||||
')
|
||||
|
||||
optional_policy(`gpm',`
|
||||
gpm_getattr_gpmctl(pam_console_t)
|
||||
gpm_setattr_gpmctl(pam_console_t)
|
||||
|
@ -29,6 +29,7 @@ dev_read_sysfs(hostname_t)
|
||||
|
||||
fs_getattr_xattr_fs(hostname_t)
|
||||
fs_search_auto_mountpoints(hostname_t)
|
||||
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
|
||||
|
||||
term_dontaudit_use_console(hostname_t)
|
||||
term_use_all_user_ttys(hostname_t)
|
||||
@ -55,35 +56,6 @@ miscfiles_read_localization(hostname_t)
|
||||
sysnet_read_config(hostname_t)
|
||||
sysnet_dns_name_resolve(hostname_t)
|
||||
|
||||
userdom_use_all_user_fd(hostname_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
fs_use_tmpfs_chr_dev(hostname_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(hostname_t)
|
||||
term_dontaudit_use_generic_pty(hostname_t)
|
||||
files_dontaudit_read_root_file(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`firstboot',`
|
||||
firstboot_use_fd(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug',`
|
||||
hotplug_dontaudit_use_fd(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_use_socket(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil',`
|
||||
seutil_sigchld_newrole(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev',`
|
||||
udev_dontaudit_use_fd(hostname_t)
|
||||
udev_read_db(hostname_t)
|
||||
')
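Review bot: The `-55,35 +56,6` counts mean 29 of the 35 lines shown in this hunk are deleted, which reaches well past the `ifdef(`distro_redhat',` block that the new `fs_dontaudit_use_tmpfs_chr_dev(hostname_t)` in the first hunk replaces: the targeted_policy dontaudits and the firstboot, hotplug, nscd, selinuxutil and udev optional blocks for hostname_t all appear to go, with no corresponding additions anywhere else in this commit. If hostname_t genuinely no longer needs them the commit message should say so; if they were meant to survive, they have been lost. The +/- markers are not recoverable from this rendering, so which six lines survive cannot be confirmed here, but the arithmetic is not in doubt. Swapping the Red Hat `fs_use_tmpfs_chr_dev` allow for a dontaudit in the first hunk is a tightening and reads fine.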
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.1.4)
|
||||
policy_module(init,1.1.5)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -298,6 +298,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
auth_delete_pam_pid(initrc_t)
|
||||
|
@ -158,7 +158,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
# Jai, Sun Microsystems (Jpackage SPRM)
|
||||
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.1.1)
|
||||
policy_module(logging,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -20,7 +20,11 @@ type auditd_log_t;
|
||||
files_security_file(auditd_log_t)
|
||||
|
||||
type auditd_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type auditd_exec_t;
|
||||
')
|
||||
init_daemon_domain(auditd_t,auditd_exec_t)
|
||||
|
||||
type auditd_var_run_t;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lvm,1.1.0)
|
||||
policy_module(lvm,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -209,6 +209,7 @@ storage_create_fixed_disk(lvm_t)
|
||||
storage_manage_fixed_disk(lvm_t)
|
||||
|
||||
term_dontaudit_getattr_all_user_ttys(lvm_t)
|
||||
term_dontaudit_getattr_pty_dir(lvm_t)
|
||||
|
||||
corecmd_search_sbin(lvm_t)
|
||||
corecmd_dontaudit_getattr_sbin_file(lvm_t)
|
||||
@ -259,11 +260,3 @@ optional_policy(`gpm',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(lvm_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# it has no reason to need this
|
||||
allow lvm_t var_t:dir { search getattr };
|
||||
allow lvm_t ramfs_t:filesystem unmount;
|
||||
|
||||
dontaudit lvm_t xconsole_device_t:fifo_file getattr;
|
||||
') dnl end TODO
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mount,1.1.2)
|
||||
policy_module(mount,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -32,6 +32,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
||||
|
||||
dev_getattr_all_blk_files(mount_t)
|
||||
dev_list_all_dev_nodes(mount_t)
|
||||
dev_rw_lvm_control(mount_t)
|
||||
|
||||
storage_raw_read_fixed_disk(mount_t)
|
||||
storage_raw_write_fixed_disk(mount_t)
|
||||
@ -46,7 +47,7 @@ fs_relabelfrom_all_fs(mount_t)
|
||||
fs_search_auto_mountpoints(mount_t)
|
||||
fs_use_tmpfs_chr_dev(mount_t)
|
||||
|
||||
term_use_console(mount_t)
|
||||
term_use_all_terms(mount_t)
|
||||
|
||||
# required for mount.smbfs
|
||||
corecmd_exec_sbin(mount_t)
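Review bot: `dev_rw_lvm_control(mount_t)` gives the mount domain read/write access to the LVM control device node, a device-mapper control channel rather than a block device to be mounted, and the hunk has no comment explaining the need. If this is to quiet a denial when mounting logical volumes, say so (`# mount opens the lvm control node when mounting LVM volumes — confirm`); if the access is not actually required, a dontaudit would be the narrower fix. In the `46,7` hunk the +/- markers are lost and only one line is swapped, so whether `term_use_console` or another line is the removed one cannot be told from this page.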
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinuxutil,1.0.2)
|
||||
policy_module(selinuxutil,1.0.3)
|
||||
|
||||
gen_require(`
|
||||
bool secure_mode;
|
||||
@ -316,6 +316,7 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
|
||||
#
|
||||
|
||||
allow restorecon_t self:capability { dac_override dac_read_search fowner };
|
||||
allow restorecon_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||
@ -469,6 +470,7 @@ ifdef(`distro_gentoo', `
|
||||
#
|
||||
|
||||
allow setfiles_t self:capability { dac_override dac_read_search fowner };
|
||||
allow setfiles_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||
|
@ -33,6 +33,7 @@ template(`unconfined_domain_template',`
|
||||
corenet_unconfined($1)
|
||||
dev_unconfined($1)
|
||||
domain_unconfined($1)
|
||||
domain_dontaudit_read_all_domains_state($1)
|
||||
files_unconfined($1)
|
||||
fs_unconfined($1)
|
||||
selinux_unconfined($1)
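Review bot: `domain_dontaudit_read_all_domains_state($1)` is added to `unconfined_domain_template` right after `domain_unconfined($1)`, and the hunk gives no hint why a domain already unconfined on the domain class needs denials on other domains' state silenced; presumably a constraint (an MLS one, for example) still denies those reads even for unconfined domains — confirm. A one-line comment such as `# constraints can still deny reading other domains' state; keep that noise out of the audit log` would record the reason. With the +/- markers gone, the 6→7 counts identify exactly one new line, and this is the only one that breaks the `*_unconfined` naming pattern of its neighbours.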
|
||||
|
@ -111,6 +111,7 @@ template(`base_user_template',`
|
||||
allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
|
||||
allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
|
||||
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
|
||||
files_search_home($1_t)
|
||||
|
||||
can_exec($1_t,$1_tmp_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.1.5)
|
||||
policy_module(userdomain,1.1.6)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r, secadm_r;
|
||||
|