patch from dan Wed, 01 Feb 2006 08:33:30 -0500
This commit is contained in:
Chris PeBenito
parent
37f15c525d
commit
955019421b
@ -25,7 +25,7 @@ logging_send_syslog_msg(anaconda_t)
|
||||
|
||||
modutils_domtrans_insmod(anaconda_t)
|
||||
|
||||
unconfined_domain_template(anaconda_t)
|
||||
unconfined_domain(anaconda_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
bootloader_create_runtime_file(anaconda_t)
|
||||
|
||||
@ -43,7 +43,7 @@ allow firstboot_t firstboot_rw_t:file create_file_perms;
|
||||
files_filetrans_etc(firstboot_t,firstboot_rw_t,file)
|
||||
|
||||
# The big hammer
|
||||
unconfined_domain_template(firstboot_t)
|
||||
unconfined_domain(firstboot_t)
|
||||
|
||||
kernel_read_system_state(firstboot_t)
|
||||
kernel_read_kernel_sysctls(firstboot_t)
|
||||
|
||||
@ -132,7 +132,7 @@ ifdef(`targeted_policy',`
|
||||
# make more sense here. also, require
|
||||
# blocks curently do not work in the
|
||||
# else block of optionals
|
||||
unconfined_domain_template(kudzu_t)
|
||||
unconfined_domain(kudzu_t)
|
||||
')
|
||||
|
||||
optional_policy(`gpm',`
|
||||
|
||||
@ -132,7 +132,7 @@ ifdef(`distro_debian', `
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(logrotate_t)
|
||||
unconfined_domain(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`acct',`
|
||||
|
||||
@ -174,11 +174,11 @@ sysnet_read_config(rpm_t)
|
||||
userdom_use_unpriv_users_fd(rpm_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
unconfined_domain_template(rpm_t)
|
||||
unconfined_domain(rpm_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(rpm_t)
|
||||
unconfined_domain(rpm_t)
|
||||
',`
|
||||
# cjp: these are here to stop type_transition
|
||||
# conflicts since rpm_t is an alias of
|
||||
@ -330,11 +330,11 @@ seutil_domtrans_restorecon(rpm_script_t)
|
||||
userdom_use_all_users_fd(rpm_script_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
unconfined_domain_template(rpm_script_t)
|
||||
unconfined_domain(rpm_script_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(rpm_script_t)
|
||||
unconfined_domain(rpm_script_t)
|
||||
',`
|
||||
optional_policy(`bootloader',`
|
||||
bootloader_domtrans(rpm_script_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usermanage,1.2.0)
|
||||
policy_module(usermanage,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -293,6 +293,9 @@ dev_read_urand(passwd_t)
|
||||
fs_getattr_xattr_fs(passwd_t)
|
||||
fs_search_auto_mountpoints(passwd_t)
|
||||
|
||||
mls_file_write_down(passwd_t)
|
||||
mls_file_downgrade(passwd_t)
|
||||
|
||||
selinux_get_fs_mount(passwd_t)
|
||||
selinux_validate_context(passwd_t)
|
||||
selinux_compute_access_vector(passwd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mono,1.0.1)
|
||||
policy_module(mono,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -19,7 +19,6 @@ domain_entry_file(mono_t,mono_exec_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow mono_t self:process { execheap execmem };
|
||||
unconfined_domain_template(mono_t)
|
||||
unconfined_domain_noaudit(mono_t)
|
||||
role system_r types mono_t;
|
||||
')
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(wine,1.0.0)
|
||||
policy_module(wine,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -19,7 +19,7 @@ domain_entry_file(wine_t,wine_exec_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow wine_t self:process { execstack execmem };
|
||||
unconfined_domain_template(wine_t)
|
||||
unconfined_domain_noaudit(wine_t)
|
||||
role system_r types wine_t;
|
||||
allow wine_t file_type:file execmod;
|
||||
')
|
||||
|
||||
@ -93,7 +93,7 @@ interface(`bootloader_search_boot',`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir search;
|
||||
allow $1 boot_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -549,16 +549,16 @@ interface(`domain_dontaudit_getattr_all_domains',`
|
||||
#
|
||||
interface(`domain_read_confined_domains_state',`
|
||||
gen_require(`
|
||||
attribute domain, unconfined_domain;
|
||||
attribute domain, unconfined_domain_type;
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
allow $1 { domain -unconfined_domain }:dir r_dir_perms;
|
||||
allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
|
||||
allow $1 { domain -unconfined_domain }:file r_file_perms;
|
||||
allow $1 { domain -unconfined_domain_type }:dir r_dir_perms;
|
||||
allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms;
|
||||
allow $1 { domain -unconfined_domain_type }:file r_file_perms;
|
||||
|
||||
dontaudit $1 unconfined_domain:dir search;
|
||||
dontaudit $1 unconfined_domain:file { getattr read };
|
||||
dontaudit $1 unconfined_domain_type:dir search;
|
||||
dontaudit $1 unconfined_domain_type:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -571,10 +571,10 @@ interface(`domain_read_confined_domains_state',`
|
||||
#
|
||||
interface(`domain_getattr_confined_domains',`
|
||||
gen_require(`
|
||||
attribute domain, unconfined_domain;
|
||||
attribute domain, unconfined_domain_type;
|
||||
')
|
||||
|
||||
allow $1 { domain -unconfined_domain }:process getattr;
|
||||
allow $1 { domain -unconfined_domain_type }:process getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -640,10 +640,10 @@ interface(`domain_dontaudit_ptrace_all_domains',`
|
||||
#
|
||||
interface(`domain_dontaudit_ptrace_confined_domains',`
|
||||
gen_require(`
|
||||
attribute domain, unconfined_domain;
|
||||
attribute domain, unconfined_domain_type;
|
||||
')
|
||||
|
||||
dontaudit $1 { domain -unconfined_domain }:process ptrace;
|
||||
dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1070,10 +1070,10 @@ interface(`domain_unconfined',`
|
||||
attribute can_change_process_identity;
|
||||
attribute can_change_process_role;
|
||||
attribute can_change_object_identity;
|
||||
attribute unconfined_domain;
|
||||
attribute unconfined_domain_type;
|
||||
')
|
||||
|
||||
typeattribute $1 unconfined_domain;
|
||||
typeattribute $1 unconfined_domain_type;
|
||||
|
||||
# pass all constraints
|
||||
typeattribute $1 can_change_process_identity;
|
||||
|
||||
@ -13,7 +13,7 @@ attribute domain;
|
||||
neverallow domain ~domain:process { transition dyntransition };
|
||||
|
||||
# Domains that are unconfined
|
||||
attribute unconfined_domain;
|
||||
attribute unconfined_domain_type;
|
||||
|
||||
# Domains that can set their current context
|
||||
# (perform dynamic transitions)
|
||||
|
||||
@ -149,7 +149,7 @@ interface(`fs_unmount_xattr_fs',`
|
||||
type fs_t;
|
||||
')
|
||||
|
||||
allow $1 fs_t:filesystem mount;
|
||||
allow $1 fs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -289,7 +289,7 @@ interface(`fs_unmount_autofs',`
|
||||
type autofs_t;
|
||||
')
|
||||
|
||||
allow $1 autofs_t:filesystem mount;
|
||||
allow $1 autofs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -856,7 +856,7 @@ interface(`fs_unmount_dos_fs',`
|
||||
type dosfs_t;
|
||||
')
|
||||
|
||||
allow $1 dosfs_t:filesystem mount;
|
||||
allow $1 dosfs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -976,7 +976,7 @@ interface(`fs_unmount_iso9660_fs',`
|
||||
type iso9660_t;
|
||||
')
|
||||
|
||||
allow $1 iso9660_t:filesystem mount;
|
||||
allow $1 iso9660_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1043,7 +1043,7 @@ interface(`fs_unmount_nfs',`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:filesystem mount;
|
||||
allow $1 nfs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1608,7 +1608,7 @@ interface(`fs_unmount_nfsd_fs',`
|
||||
type nfsd_fs_t;
|
||||
')
|
||||
|
||||
allow $1 nfsd_fs_t:filesystem mount;
|
||||
allow $1 nfsd_fs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1709,7 +1709,7 @@ interface(`fs_unmount_ramfs',`
|
||||
type ramfs_t;
|
||||
')
|
||||
|
||||
allow $1 ramfs_t:filesystem mount;
|
||||
allow $1 ramfs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1855,7 +1855,7 @@ interface(`fs_unmount_romfs',`
|
||||
type romfs_t;
|
||||
')
|
||||
|
||||
allow $1 romfs_t:filesystem mount;
|
||||
allow $1 romfs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1922,7 +1922,7 @@ interface(`fs_unmount_rpc_pipefs',`
|
||||
type rpc_pipefs_t;
|
||||
')
|
||||
|
||||
allow $1 rpc_pipefs_t:filesystem mount;
|
||||
allow $1 rpc_pipefs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1988,7 +1988,7 @@ interface(`fs_unmount_tmpfs',`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 tmpfs_t:filesystem mount;
|
||||
allow $1 tmpfs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(filesystem,1.2.0)
|
||||
policy_module(filesystem,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -134,6 +134,7 @@ genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
|
||||
#
|
||||
type dosfs_t, noxattrfs;
|
||||
fs_type(dosfs_t)
|
||||
allow dosfs_t fs_t:filesystem associate;
|
||||
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
|
||||
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
|
||||
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
|
||||
|
||||
@ -233,7 +233,7 @@ mls_process_read_up(kernel_t)
|
||||
mls_process_write_down(kernel_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(kernel_t)
|
||||
unconfined_domain(kernel_t)
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mls,1.2.0)
|
||||
policy_module(mls,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -64,6 +64,7 @@ type init_exec_t;
|
||||
type initrc_t;
|
||||
type initrc_exec_t;
|
||||
type login_exec_t;
|
||||
type lvm_exec_t;
|
||||
type sshd_exec_t;
|
||||
type su_exec_t;
|
||||
type udev_exec_t;
|
||||
@ -86,7 +87,7 @@ range_transition unconfined_t initrc_exec_t s0;
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
# run init with maximum MLS range
|
||||
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
|
||||
range_transition initrc_t auditd_exec_t s15:c0.c255;
|
||||
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
|
||||
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
|
||||
')
|
||||
|
||||
@ -7,7 +7,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
|
||||
|
||||
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
@ -28,19 +28,21 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
|
||||
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
|
||||
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
ifdef(`distro_suse', `
|
||||
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
')
|
||||
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
|
||||
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
|
||||
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
|
||||
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
@ -59,7 +61,7 @@ ifdef(`distro_debian', `
|
||||
|
||||
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
|
||||
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
|
||||
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
|
||||
|
||||
@ -611,6 +611,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_sys_script_t httpd_suexec_t:process sigchld;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(httpd_suexec_t)
|
||||
fs_read_nfs_symlinks(httpd_suexec_t)
|
||||
@ -688,7 +692,7 @@ optional_policy(`mysql',`
|
||||
# Apache unconfined script local policy
|
||||
#
|
||||
|
||||
unconfined_domain_template(httpd_unconfined_script_t)
|
||||
unconfined_domain(httpd_unconfined_script_t)
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_system_entry(httpd_t, httpd_exec_t)
|
||||
|
||||
@ -183,7 +183,7 @@ ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(apmd_t)
|
||||
term_dontaudit_use_generic_ptys(apmd_t)
|
||||
files_dontaudit_read_root_files(apmd_t)
|
||||
unconfined_domain_template(apmd_t)
|
||||
unconfined_domain(apmd_t)
|
||||
')
|
||||
|
||||
optional_policy(`automount',`
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(automount,1.1.0)
|
||||
policy_module(automount,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -63,7 +63,7 @@ kernel_read_proc_symlinks(automount_t)
|
||||
kernel_read_system_state(automount_t)
|
||||
kernel_list_proc(automount_t)
|
||||
|
||||
bootloader_getattr_boot_dirs(automount_t)
|
||||
bootloader_search_boot(automount_t)
|
||||
|
||||
corecmd_exec_sbin(automount_t)
|
||||
corecmd_exec_bin(automount_t)
|
||||
|
||||
@ -151,7 +151,7 @@ ifdef(`targeted_policy',`
|
||||
allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
unconfined_domain_template(crond_t)
|
||||
unconfined_domain(crond_t)
|
||||
|
||||
# cjp: fix this to generic_user interfaces
|
||||
userdom_manage_user_home_subdirs(user,crond_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.2.2)
|
||||
policy_module(hal,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -50,7 +50,7 @@ kernel_read_kernel_sysctls(hald_t)
|
||||
kernel_read_fs_sysctls(hald_t)
|
||||
kernel_write_proc_files(hald_t)
|
||||
|
||||
bootloader_getattr_boot_dirs(hald_t)
|
||||
bootloader_search_boot(hald_t)
|
||||
|
||||
corecmd_exec_bin(hald_t)
|
||||
corecmd_exec_sbin(hald_t)
|
||||
|
||||
@ -149,7 +149,7 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(inetd_t)
|
||||
unconfined_domain(inetd_t)
|
||||
',`
|
||||
optional_policy(`unconfined',`
|
||||
unconfined_domtrans(inetd_t)
|
||||
|
||||
@ -31,6 +31,9 @@ kernel_rw_irq_sysctls(irqbalance_t)
|
||||
|
||||
dev_read_sysfs(irqbalance_t)
|
||||
|
||||
files_read_etc_files(irqbalance_t)
|
||||
files_read_etc_runtime_files(irqbalance_t)
|
||||
|
||||
fs_getattr_all_fs(irqbalance_t)
|
||||
fs_search_auto_mountpoints(irqbalance_t)
|
||||
|
||||
|
||||
@ -1,2 +1,4 @@
|
||||
|
||||
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/var/run/NetworkManager.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager,1.2.0)
|
||||
policy_module(networkmanager,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -24,7 +24,7 @@ allow NetworkManager_t self:process { setcap getsched signal_perms };
|
||||
allow NetworkManager_t self:fifo_file rw_file_perms;
|
||||
allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
|
||||
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
|
||||
allow NetworkManager_t self:udp_socket create_socket_perms;
|
||||
allow NetworkManager_t self:packet_socket create_socket_perms;
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(procmail,1.1.2)
|
||||
policy_module(procmail,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -96,6 +96,7 @@ optional_policy(`postfix',`
|
||||
optional_policy(`sendmail',`
|
||||
mta_read_config(procmail_t)
|
||||
sendmail_rw_tcp_sockets(procmail_t)
|
||||
sendmail_rw_unix_stream_sockets(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`spamassassin',`
|
||||
|
||||
@ -130,7 +130,7 @@ userdom_spec_domtrans_unpriv_users(remote_login_t)
|
||||
mta_getattr_spool(remote_login_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(remote_login_t)
|
||||
unconfined_domain(remote_login_t)
|
||||
unconfined_shell_domtrans(remote_login_t)
|
||||
')
|
||||
|
||||
|
||||
@ -68,7 +68,7 @@ sysnet_read_config(rshd_t)
|
||||
userdom_search_all_users_home(rshd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(rshd_t)
|
||||
unconfined_domain(rshd_t)
|
||||
unconfined_shell_domtrans(rshd_t)
|
||||
')
|
||||
|
||||
|
||||
@ -26,6 +26,10 @@
|
||||
## </param>
|
||||
#
|
||||
template(`samba_per_userdomain_template',`
|
||||
gen_require(`
|
||||
type smbd_t;
|
||||
')
|
||||
|
||||
tunable_policy(`samba_enable_home_dirs',`
|
||||
userdom_manage_user_home_subdir_files($1,smbd_t)
|
||||
userdom_manage_user_home_subdir_symlinks($1,smbd_t)
|
||||
|
||||
@ -52,6 +52,21 @@ interface(`sendmail_rw_tcp_sockets',`
|
||||
|
||||
allow $1 sendmail_t:tcp_socket { read write };
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write sendmail unix_stream_sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`sendmail_rw_unix_stream_sockets',`
|
||||
gen_require(`
|
||||
type sendmail_t;
|
||||
')
|
||||
|
||||
allow $1 sendmail_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
||||
@ -102,7 +102,7 @@ mta_manage_queue(sendmail_t)
|
||||
mta_manage_spool(sendmail_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(sendmail_t)
|
||||
unconfined_domain(sendmail_t)
|
||||
term_dontaudit_use_unallocated_ttys(sendmail_t)
|
||||
term_dontaudit_use_generic_ptys(sendmail_t)
|
||||
files_dontaudit_read_root_files(sendmail_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(spamassassin,1.2.0)
|
||||
policy_module(spamassassin,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -111,6 +111,7 @@ logging_send_syslog_msg(spamd_t)
|
||||
miscfiles_read_localization(spamd_t)
|
||||
|
||||
sysnet_read_config(spamd_t)
|
||||
sysnet_use_ldap(spamd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(spamd_t)
|
||||
userdom_search_unpriv_user_home_dirs(spamd_t)
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#
|
||||
# HOME_DIR
|
||||
#
|
||||
ifdef(`strict',`
|
||||
ifdef(`strict_policy',`
|
||||
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
|
||||
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
|
||||
@ -51,6 +51,9 @@ ifdef(`strict_policy',`
|
||||
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
|
||||
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
|
||||
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
|
||||
/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
|
||||
|
||||
@ -64,7 +67,6 @@ ifdef(`strict_policy',`
|
||||
/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
/usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
|
||||
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
|
||||
|
||||
|
||||
@ -484,6 +484,27 @@ interface(`xserver_read_xdm_pid',`
|
||||
allow $1 xdm_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the X server in the XDM X server domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_domtrans_xdm_xserver',`
|
||||
gen_require(`
|
||||
type xdm_xserver_t, xserver_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
|
||||
|
||||
allow $1 xdm_xserver_t:fd use;
|
||||
allow xdm_xserver_t $1:fd use;
|
||||
allow xdm_xserver_t $1:fifo_file rw_file_perms;
|
||||
allow xdm_xserver_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
|
||||
@ -57,10 +57,8 @@ files_type(xsession_exec_t)
|
||||
type xserver_log_t;
|
||||
logging_log_file(xserver_log_t)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
xserver_common_domain_template(xdm)
|
||||
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
||||
')
|
||||
xserver_common_domain_template(xdm)
|
||||
init_system_domain(xdm_xserver_t,xserver_exec_t)
|
||||
|
||||
optional_policy(`prelink',`
|
||||
prelink_object_file(xkb_var_lib_t)
|
||||
@ -300,7 +298,7 @@ ifdef(`strict_policy',`
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
unconfined_domain_template(xdm_t)
|
||||
unconfined_domain(xdm_t)
|
||||
unconfined_domtrans(xdm_t)
|
||||
')
|
||||
|
||||
@ -425,6 +423,13 @@ ifdef(`strict_policy',`
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow xdm_xserver_t self:process { execheap execmem };
|
||||
|
||||
unconfined_domain(xdm_xserver_t)
|
||||
unconfined_domtrans(xdm_xserver_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# cjp: TODO: integrate strict policy:
|
||||
# init script wants to check if it needs to update windowmanagerlist
|
||||
|
||||
@ -169,7 +169,7 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(init_t)
|
||||
unconfined_domain(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`authlogin',`
|
||||
@ -456,7 +456,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
domain_subj_id_change_exemption(initrc_t)
|
||||
unconfined_domain_template(initrc_t)
|
||||
unconfined_domain(initrc_t)
|
||||
',`
|
||||
# cjp: require doesnt work in optionals :\
|
||||
# this also would result in a type transition
|
||||
|
||||
@ -88,7 +88,7 @@ ifdef(`hide_broken_symptoms',`
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow ldconfig_t lib_t:file r_file_perms;
|
||||
unconfined_domain_template(ldconfig_t)
|
||||
unconfined_domain(ldconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`apache',`
|
||||
|
||||
@ -171,7 +171,7 @@ userdom_sigchld_all_users(local_login_t)
|
||||
mta_getattr_spool(local_login_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(local_login_t)
|
||||
unconfined_domain(local_login_t)
|
||||
unconfined_shell_domtrans(local_login_t)
|
||||
')
|
||||
|
||||
|
||||
@ -14,7 +14,11 @@ type clvmd_var_run_t;
|
||||
files_pid_file(clvmd_var_run_t)
|
||||
|
||||
type lvm_t;
|
||||
type lvm_exec_t;
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
gen_require(`
|
||||
type lvm_exec_t;
|
||||
')
|
||||
init_system_domain(lvm_t,lvm_exec_t)
|
||||
# needs privowner because it assigns the identity system_u to device nodes
|
||||
# but runs as the identity of the sysadmin
|
||||
|
||||
@ -124,7 +124,7 @@ ifdef(`hide_broken_symptoms',`
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(insmod_t)
|
||||
unconfined_domain(insmod_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug',`
|
||||
|
||||
@ -163,7 +163,7 @@ ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(udev_t)
|
||||
term_dontaudit_use_generic_ptys(udev_t)
|
||||
|
||||
unconfined_domain_template(udev_t)
|
||||
unconfined_domain(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`authlogin',`
|
||||
|
||||
@ -2,13 +2,13 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## A template to make the specified domain unconfined.
|
||||
## Make the specified domain unconfined.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to make unconfined.
|
||||
## </param>
|
||||
#
|
||||
template(`unconfined_domain_template',`
|
||||
interface(`unconfined_domain_noaudit',`
|
||||
gen_require(`
|
||||
class dbus all_dbus_perms;
|
||||
class nscd all_nscd_perms;
|
||||
@ -41,14 +41,12 @@ template(`unconfined_domain_template',`
|
||||
tunable_policy(`allow_execheap',`
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1 self:process execheap;
|
||||
auditallow $1 self:process execheap;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
# Allow making anonymous memory executable, e.g.
|
||||
# for runtime-code generation or executable stack.
|
||||
allow $1 self:process execmem;
|
||||
auditallow $1 self:process execmem;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execmem && allow_execstack',`
|
||||
@ -101,6 +99,28 @@ template(`unconfined_domain_template',`
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified domain unconfined and
|
||||
## audit executable memory and executable heap
|
||||
## usage.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to make unconfined.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_domain',`
|
||||
unconfined_domain_noaudit($1)
|
||||
|
||||
tunable_policy(`allow_execheap',`
|
||||
auditallow $1 self:process execheap;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
auditallow $1 self:process execmem;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to the unconfined domain.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined,1.2.2)
|
||||
policy_module(unconfined,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -20,7 +20,7 @@ role system_r types unconfined_t;
|
||||
# Local policy
|
||||
#
|
||||
|
||||
unconfined_domain_template(unconfined_t)
|
||||
unconfined_domain(unconfined_t)
|
||||
|
||||
logging_send_syslog_msg(unconfined_t)
|
||||
|
||||
@ -148,4 +148,8 @@ ifdef(`targeted_policy',`
|
||||
optional_policy(`wine',`
|
||||
wine_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`xserver',`
|
||||
xserver_domtrans_xdm_xserver(unconfined_t)
|
||||
')
|
||||
')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user