more updates
This commit is contained in:
parent
605ba28540
commit
98a8ead4c5
@ -1,3 +1,5 @@
|
|||||||
|
- Add equivalents for old can_resolve(), can_ldap(), and
|
||||||
|
can_portmap() to sysnetwork.
|
||||||
- Fix base module compile issues.
|
- Fix base module compile issues.
|
||||||
- Added policies:
|
- Added policies:
|
||||||
ktalk
|
ktalk
|
||||||
|
@ -4,12 +4,18 @@
|
|||||||
# file should be used.
|
# file should be used.
|
||||||
#
|
#
|
||||||
|
|
||||||
## Allow execution of anonymous mappings, e.g. executable stack.
|
## Allow making anonymous memory executable, e.g.
|
||||||
|
## for runtime-code generation or executable stack.
|
||||||
gen_tunable(allow_execmem,false)
|
gen_tunable(allow_execmem,false)
|
||||||
|
|
||||||
## Support Share libraries with text relocations
|
## Allow making a modified private file
|
||||||
|
## mapping executable (text relocation).
|
||||||
gen_tunable(allow_execmod,false)
|
gen_tunable(allow_execmod,false)
|
||||||
|
|
||||||
|
## Allow making the stack executable via mprotect.
|
||||||
|
## Also requires allow_execmem.
|
||||||
|
gen_tunable(allow_execstack,false)
|
||||||
|
|
||||||
## Allow gpg executable stack
|
## Allow gpg executable stack
|
||||||
gen_tunable(allow_gpg_execstack,false)
|
gen_tunable(allow_gpg_execstack,false)
|
||||||
|
|
||||||
@ -56,9 +62,6 @@ gen_tunable(ssh_sysadm_login,false)
|
|||||||
## dir and read files (such as ~/.bashrc)
|
## dir and read files (such as ~/.bashrc)
|
||||||
gen_tunable(staff_read_sysadm_file,false)
|
gen_tunable(staff_read_sysadm_file,false)
|
||||||
|
|
||||||
## Allow the use of DNS for name resolution.
|
|
||||||
gen_tunable(use_dns,false)
|
|
||||||
|
|
||||||
## Support NFS home directories
|
## Support NFS home directories
|
||||||
gen_tunable(use_nfs_home_dirs,false)
|
gen_tunable(use_nfs_home_dirs,false)
|
||||||
|
|
||||||
|
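Review bot: Dropping the `use_dns` tunable (second hunk) makes DNS name resolution unconditional for every domain this commit switches to `sysnet_dns_name_resolve` (bind.te, kerberos.if, mta.if and mta.te further down), so the boolean that let an administrator keep UDP/53 egress off by default is gone; the Changelog entry only mentions adding can_resolve() equivalents, so this behavioural change should be stated there. Any module outside this commit that still references the `use_dns` boolean in a tunable_policy block will fail to build once the declaration is removed, so a grep for it is worth doing before merging. In the first hunk the new `allow_execstack` description says it also requires `allow_execmem`; if the stack rule is only emitted when both are on, phrase it as `## Also requires allow_execmem to be enabled.` so the dependency is explicit.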
@ -14,6 +14,9 @@ role system_r types logrotate_t;
|
|||||||
type logrotate_exec_t;
|
type logrotate_exec_t;
|
||||||
files_type(logrotate_exec_t)
|
files_type(logrotate_exec_t)
|
||||||
|
|
||||||
|
type logrotate_lock_t;
|
||||||
|
files_lock_file(logrotate_lock_t)
|
||||||
|
|
||||||
type logrotate_tmp_t;
|
type logrotate_tmp_t;
|
||||||
files_tmp_file(logrotate_tmp_t)
|
files_tmp_file(logrotate_tmp_t)
|
||||||
|
|
||||||
@ -46,6 +49,9 @@ allow logrotate_t self:sem create_sem_perms;
|
|||||||
allow logrotate_t self:msgq create_msgq_perms;
|
allow logrotate_t self:msgq create_msgq_perms;
|
||||||
allow logrotate_t self:msg { send receive };
|
allow logrotate_t self:msg { send receive };
|
||||||
|
|
||||||
|
allow logrotate_t logrotate_lock_t:file create_file_perms;
|
||||||
|
files_create_lock(logrotate_t,logrotate_lock_t)
|
||||||
|
|
||||||
can_exec(logrotate_t, logrotate_tmp_t)
|
can_exec(logrotate_t, logrotate_tmp_t)
|
||||||
|
|
||||||
allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
|
allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
|
||||||
@ -82,7 +88,6 @@ domain_getattr_all_entry_files(logrotate_t)
|
|||||||
files_read_usr_files(logrotate_t)
|
files_read_usr_files(logrotate_t)
|
||||||
files_read_etc_files(logrotate_t)
|
files_read_etc_files(logrotate_t)
|
||||||
files_read_etc_runtime_files(logrotate_t)
|
files_read_etc_runtime_files(logrotate_t)
|
||||||
files_manage_generic_locks(logrotate_t)
|
|
||||||
files_read_all_pids(logrotate_t)
|
files_read_all_pids(logrotate_t)
|
||||||
# Write to /var/spool/slrnpull - should be moved into its own type.
|
# Write to /var/spool/slrnpull - should be moved into its own type.
|
||||||
files_manage_generic_spools(logrotate_t)
|
files_manage_generic_spools(logrotate_t)
|
||||||
|
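Review bot: The new `logrotate_lock_t` type is declared in the first hunk and granted `create_file_perms` plus `files_create_lock` in the second, but nothing on this page labels an on-disk file with it; unless the matching file_contexts entry is in a hunk outside this page, the lock file keeps the generic lock label, and because the third hunk removes `files_manage_generic_locks(logrotate_t)` that access is now denied. Narrowing from all generic locks to a private type is the right direction, so just confirm the .fc change lands in the same commit. A one-line comment above the new rules naming the file the type covers, e.g. `# private lock/state file, labeled via logrotate.fc`, would help the next reader.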
@ -117,6 +117,7 @@ libs_use_ld_so(ping_t)
|
|||||||
libs_use_shared_libs(ping_t)
|
libs_use_shared_libs(ping_t)
|
||||||
|
|
||||||
sysnet_read_config(ping_t)
|
sysnet_read_config(ping_t)
|
||||||
|
sysnet_dns_name_resolve(ping_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(ping_t)
|
logging_send_syslog_msg(ping_t)
|
||||||
|
|
||||||
|
@ -618,6 +618,23 @@ interface(`corenet_udp_bind_generic_port',`
|
|||||||
allow $1 port_t:udp_socket name_bind;
|
allow $1 port_t:udp_socket name_bind;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect TCP sockets to generic ports.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_tcp_connect_generic_port',`
|
||||||
|
gen_require(`
|
||||||
|
type port_t;
|
||||||
|
class tcp_socket name_connect;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 port_t:tcp_socket name_connect;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive TCP network traffic on all ports.
|
## Send and receive TCP network traffic on all ports.
|
||||||
@ -835,6 +852,23 @@ interface(`corenet_udp_bind_reserved_port',`
|
|||||||
allow $1 self:capability net_bind_service;
|
allow $1 self:capability net_bind_service;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect TCP sockets to generic reserved ports.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_tcp_connect_reserved_port',`
|
||||||
|
gen_require(`
|
||||||
|
type reserved_port_t;
|
||||||
|
class tcp_socket name_connect;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 reserved_port_t:tcp_socket name_connect;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive TCP network traffic on all reserved ports.
|
## Send and receive TCP network traffic on all reserved ports.
|
||||||
@ -971,6 +1005,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
|
|||||||
dontaudit $1 reserved_port_type:udp_socket name_bind;
|
dontaudit $1 reserved_port_type:udp_socket name_bind;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to connect TCP sockets
|
||||||
|
## all reserved ports.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
|
||||||
|
gen_require(`
|
||||||
|
attribute reserved_port_type;
|
||||||
|
class tcp_socket name_connect;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 reserved_port_type:tcp_socket name_connect;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write the TUN/TAP virtual network device.
|
## Read and write the TUN/TAP virtual network device.
|
||||||
@ -982,11 +1034,11 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
|
|||||||
interface(`corenet_use_tun_tap_device',`
|
interface(`corenet_use_tun_tap_device',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type tun_tap_device_t;
|
type tun_tap_device_t;
|
||||||
class chr_file { read write };
|
class chr_file { read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 tun_tap_device_t:chr_file { read write };
|
allow $1 tun_tap_device_t:chr_file { read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
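Review bot: `corenet_use_tun_tap_device` (fourth hunk) now grants `ioctl` on `tun_tap_device_t` in addition to read and write, but its summary, "Read and write the TUN/TAP virtual network device.", is unchanged, so callers cannot tell from the generated documentation that they also receive ioctl access; update it to `## Read, write, and ioctl the TUN/TAP virtual network device.` The summary of the new `corenet_dontaudit_tcp_connect_all_reserved_ports` in the third hunk is missing a word: `## Do not audit attempts to connect TCP sockets` / `## to all reserved ports.` The three new connect interfaces otherwise mirror the bind interfaces above them, which is good for consistency.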
@ -183,6 +183,25 @@ interface(`dev_rw_generic_file',`
|
|||||||
allow $1 device_t:file rw_file_perms;
|
allow $1 device_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Delete generic files in /dev.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_delete_generic_file',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t;
|
||||||
|
class dir { search write remove_name };
|
||||||
|
class file unlink;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 device_t:dir { search write remove_name };
|
||||||
|
allow $1 device_t:file unlink;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Dontaudit getattr on generic pipes.
|
## Dontaudit getattr on generic pipes.
|
||||||
|
@ -1629,6 +1629,24 @@ interface(`fs_dontaudit_list_tmpfs',`
|
|||||||
dontaudit $1 tmpfs_t:dir r_dir_perms;
|
dontaudit $1 tmpfs_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
## tmpfs directories
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_manage_tmpfs_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type tmpfs_t;
|
||||||
|
class dir create_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 tmpfs_t:dir create_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# fs_create_tmpfs_data(domain,derivedtype,[class])
|
# fs_create_tmpfs_data(domain,derivedtype,[class])
|
||||||
@ -1726,6 +1744,26 @@ interface(`fs_relabel_tmpfs_blk_dev',`
|
|||||||
allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
|
allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write, create and delete generic
|
||||||
|
## files on tmpfs filesystems.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_manage_tmpfs_files',`
|
||||||
|
gen_require(`
|
||||||
|
type tmpfs_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
class file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 tmpfs_t:dir rw_dir_perms;
|
||||||
|
allow $1 tmpfs_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write, create and delete symbolic
|
## Read and write, create and delete symbolic
|
||||||
|
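Review bot: `fs_manage_tmpfs_files` (second hunk) grants `rw_dir_perms` on `tmpfs_t:dir` as well as the file permissions, but its summary only speaks of generic files; since directory write access is what lets the caller create and delete entries, say so, e.g. `## Read and write, create and delete generic files on tmpfs filesystems (includes read/write of the containing directories).` The two new interfaces also document the same parameter differently (`## Domain allowed access.` versus `## The type of the process performing this action.`); choosing one wording for both keeps the generated docs consistent.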
@ -22,6 +22,7 @@ sid fs context_template(system_u:object_r:fs_t,s0)
|
|||||||
fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0);
|
fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0);
|
||||||
fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0);
|
fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0);
|
||||||
fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0);
|
fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0);
|
||||||
|
fs_use_xattr reiserfs context_template(system_u:object_r:fs_t,s0);
|
||||||
fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
|
fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
|
||||||
|
|
||||||
# Use the allocating task SID to label inodes in the following filesystem
|
# Use the allocating task SID to label inodes in the following filesystem
|
||||||
@ -55,9 +56,11 @@ genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
|
|||||||
type hugetlbfs_t, filesystem_type;
|
type hugetlbfs_t, filesystem_type;
|
||||||
files_mountpoint(hugetlbfs_t)
|
files_mountpoint(hugetlbfs_t)
|
||||||
allow hugetlbfs_t self:filesystem associate;
|
allow hugetlbfs_t self:filesystem associate;
|
||||||
|
genfscon hugetlbfs / context_template(system_u:object_r:hugetlbfs_t,s0)
|
||||||
|
|
||||||
type inotifyfs_t, filesystem_type;
|
type inotifyfs_t, filesystem_type;
|
||||||
allow inotifyfs_t self:filesystem associate;
|
allow inotifyfs_t self:filesystem associate;
|
||||||
|
genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)
|
||||||
|
|
||||||
type mqueue_t, filesystem_type;
|
type mqueue_t, filesystem_type;
|
||||||
files_mountpoint(mqueue_t)
|
files_mountpoint(mqueue_t)
|
||||||
@ -89,8 +92,8 @@ files_type(tmpfs_t)
|
|||||||
# and label the filesystem itself with the specified context.
|
# and label the filesystem itself with the specified context.
|
||||||
# This is appropriate for pseudo filesystems like devpts and tmpfs
|
# This is appropriate for pseudo filesystems like devpts and tmpfs
|
||||||
# where we want to label objects with a derived type.
|
# where we want to label objects with a derived type.
|
||||||
fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
|
|
||||||
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
|
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
|
||||||
|
fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
|
||||||
|
|
||||||
allow tmpfs_t self:filesystem associate;
|
allow tmpfs_t self:filesystem associate;
|
||||||
allow tmpfs_t noxattrfs:filesystem associate;
|
allow tmpfs_t noxattrfs:filesystem associate;
|
||||||
@ -119,10 +122,10 @@ genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
|
|||||||
#
|
#
|
||||||
type dosfs_t, filesystem_type, noxattrfs;
|
type dosfs_t, filesystem_type, noxattrfs;
|
||||||
allow dosfs_t self:filesystem associate;
|
allow dosfs_t self:filesystem associate;
|
||||||
genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
|
|
||||||
genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
|
|
||||||
genfscon fat / context_template(system_u:object_r:dosfs_t,s0)
|
genfscon fat / context_template(system_u:object_r:dosfs_t,s0)
|
||||||
|
genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
|
||||||
genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
|
genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
|
||||||
|
genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# iso9660_t is the type for CD filesystems
|
# iso9660_t is the type for CD filesystems
|
||||||
|
@ -51,6 +51,23 @@ interface(`kernel_rootfs_mountpoint',`
|
|||||||
allow kernel_t $1:dir mounton;
|
allow kernel_t $1:dir mounton;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Set the process group of kernel threads.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_setpgid',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
class process setpgid;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 kernel_t:process setpgid;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send a SIGCHLD signal to kernel threads.
|
## Send a SIGCHLD signal to kernel threads.
|
||||||
@ -65,7 +82,7 @@ interface(`kernel_sigchld',`
|
|||||||
class process sigchld;
|
class process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow kernel_t $1:process sigchld;
|
allow $1 kernel_t:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
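Review bot: The second hunk reverses subject and target in `kernel_sigchld` (`allow kernel_t $1:process sigchld;` becomes `allow $1 kernel_t:process sigchld;`), which matches the interface summary but is a semantic change rather than a compile fix: any caller that relied on kernel_t being able to deliver SIGCHLD to the domain loses that access. The commit message only says "Fix base module compile issues", so this should be called out, and existing callers are worth checking for the old direction. The new `kernel_setpgid` in the first hunk is consistent with the surrounding interfaces; a note in its summary that setting the process group of kernel threads is an unusual access would prompt callers to justify it.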
@ -274,6 +274,28 @@ interface(`selinux_compute_create_context',`
|
|||||||
allow $1 security_t:security compute_create;
|
allow $1 security_t:security compute_create;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allows caller to compute polyinstatntiated
|
||||||
|
## directory members.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`selinux_compute_member',`
|
||||||
|
gen_require(`
|
||||||
|
type security_t;
|
||||||
|
class dir { read search getattr };
|
||||||
|
class file { getattr read write };
|
||||||
|
class security compute_member;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 security_t:dir { read search getattr };
|
||||||
|
allow $1 security_t:file { getattr read write };
|
||||||
|
allow $1 security_t:security compute_member;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Calculate the context for relabeling objects.
|
## Calculate the context for relabeling objects.
|
||||||
|
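Review bot: The summary of the new `selinux_compute_member` misspells polyinstantiated; it should read `## Allows caller to compute polyinstantiated`. The interface also grants `security_t:dir { read search getattr }` and `security_t:file { getattr read write }` alongside `compute_member`; the sibling `selinux_compute_create_context` shows only its `compute_create` rule in this hunk, so if its full body also opens the selinuxfs dir and file the two are consistent, otherwise this one grants more than its summary states and a why-comment on the extra rules would help.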
@ -107,6 +107,24 @@ interface(`bind_write_config',`
|
|||||||
allow $1 named_conf_t:file { write setattr };
|
allow $1 named_conf_t:file { write setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
## BIND configuration directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`bind_manage_config_dir',`
|
||||||
|
gen_require(`
|
||||||
|
type named_conf_t;
|
||||||
|
class dir perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 named_conf_t:dir create_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to set the attributes
|
## Do not audit attempts to set the attributes
|
||||||
|
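Review bot: The `gen_require` block of the new `bind_manage_config_dir` declares `class dir perms;` while the body uses `create_dir_perms`; every other gen_require on this page names the same permission set its body uses (for example `class dir create_dir_perms;` in `fs_manage_tmpfs_dirs`), and `perms` is not a directory permission, so this looks like a typo that will fail when the interface is expanded or at best require the wrong permissions. Change it to `class dir create_dir_perms;`. The summary and parameter doc are otherwise consistent with the neighbouring interfaces.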
@ -15,6 +15,9 @@ type named_exec_t;
|
|||||||
init_daemon_domain(named_t,named_exec_t)
|
init_daemon_domain(named_t,named_exec_t)
|
||||||
role system_r types named_t;
|
role system_r types named_t;
|
||||||
|
|
||||||
|
type named_checkconf_exec_t;
|
||||||
|
init_system_domain(named_t,named_checkconf_exec_t)
|
||||||
|
|
||||||
# A type for configuration files of named.
|
# A type for configuration files of named.
|
||||||
type named_conf_t;
|
type named_conf_t;
|
||||||
files_type(named_conf_t)
|
files_type(named_conf_t)
|
||||||
@ -23,6 +26,9 @@ files_type(named_conf_t)
|
|||||||
type named_cache_t;
|
type named_cache_t;
|
||||||
files_type(named_cache_t)
|
files_type(named_cache_t)
|
||||||
|
|
||||||
|
type named_log_t;
|
||||||
|
logging_log_file(named_log_t)
|
||||||
|
|
||||||
type named_tmp_t;
|
type named_tmp_t;
|
||||||
files_tmp_file(named_tmp_t)
|
files_tmp_file(named_tmp_t)
|
||||||
|
|
||||||
@ -67,6 +73,10 @@ allow named_t named_cache_t:lnk_file create_lnk_perms;
|
|||||||
|
|
||||||
can_exec(named_t, named_exec_t)
|
can_exec(named_t, named_exec_t)
|
||||||
|
|
||||||
|
allow named_t named_log_t:file create_file_perms;
|
||||||
|
allow named_t named_log_t:dir rw_dir_perms;
|
||||||
|
logging_create_log(named_t,named_log_t,{ file dir })
|
||||||
|
|
||||||
allow named_t named_tmp_t:dir create_dir_perms;
|
allow named_t named_tmp_t:dir create_dir_perms;
|
||||||
allow named_t named_tmp_t:file create_file_perms;
|
allow named_t named_tmp_t:file create_file_perms;
|
||||||
files_create_tmp_files(named_t, named_tmp_t, { file dir })
|
files_create_tmp_files(named_t, named_tmp_t, { file dir })
|
||||||
@ -99,7 +109,8 @@ corenet_tcp_bind_all_nodes(named_t)
|
|||||||
corenet_udp_bind_all_nodes(named_t)
|
corenet_udp_bind_all_nodes(named_t)
|
||||||
corenet_tcp_bind_dns_port(named_t)
|
corenet_tcp_bind_dns_port(named_t)
|
||||||
corenet_udp_bind_dns_port(named_t)
|
corenet_udp_bind_dns_port(named_t)
|
||||||
#corenet_tcp_bind_rndc_port(named_t)
|
corenet_tcp_bind_rndc_port(named_t)
|
||||||
|
corenet_tcp_connect_all_ports(named_t)
|
||||||
|
|
||||||
dev_read_sysfs(named_t)
|
dev_read_sysfs(named_t)
|
||||||
dev_read_rand(named_t)
|
dev_read_rand(named_t)
|
||||||
@ -196,6 +207,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t)
|
|||||||
corenet_raw_sendrecv_all_nodes(ndc_t)
|
corenet_raw_sendrecv_all_nodes(ndc_t)
|
||||||
corenet_tcp_sendrecv_all_ports(ndc_t)
|
corenet_tcp_sendrecv_all_ports(ndc_t)
|
||||||
corenet_tcp_bind_all_nodes(ndc_t)
|
corenet_tcp_bind_all_nodes(ndc_t)
|
||||||
|
corenet_tcp_connect_rndc_port(ndc_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(ndc_t)
|
fs_getattr_xattr_fs(ndc_t)
|
||||||
|
|
||||||
@ -215,20 +227,13 @@ logging_send_syslog_msg(ndc_t)
|
|||||||
miscfiles_read_localization(ndc_t)
|
miscfiles_read_localization(ndc_t)
|
||||||
|
|
||||||
sysnet_read_config(ndc_t)
|
sysnet_read_config(ndc_t)
|
||||||
|
sysnet_dns_name_resolve(ndc_t)
|
||||||
|
|
||||||
# for /etc/rndc.key
|
# for /etc/rndc.key
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
allow ndc_t named_conf_t:dir search;
|
allow ndc_t named_conf_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
|
||||||
allow ndc_t self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if(ndc_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(ndc_t)
|
|
||||||
corenet_udp_sendrecv_dns_port(ndc_t)
|
|
||||||
corenet_udp_bind_all_nodes(ndc_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`named_write_master_zones',`
|
tunable_policy(`named_write_master_zones',`
|
||||||
allow named_t named_zone_t:dir create_dir_perms;
|
allow named_t named_zone_t:dir create_dir_perms;
|
||||||
allow named_t named_zone_t:file create_file_perms;
|
allow named_t named_zone_t:file create_file_perms;
|
||||||
|
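Review bot: `corenet_tcp_connect_all_ports(named_t)` in the fourth hunk lets the DNS server initiate TCP connections to every port, far broader than what zone transfers and rndc need; the bind rules just above are scoped to the DNS and rndc ports, so the connect rule should be scoped the same way (a DNS-port connect interface if one exists, and the new `corenet_tcp_connect_generic_port`/`corenet_tcp_connect_reserved_port` from corenetwork.if only if genuinely required). Uncommenting `corenet_tcp_bind_rndc_port(named_t)` enables a listener and deserves a Changelog mention. In the second hunk `named_checkconf_exec_t` is attached to `named_t` via `init_system_domain`, so named-checkconf runs with the full named_t privilege set; if a separate checker domain is intended later, a `# TODO: separate named_checkconf domain` comment there would record that.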
@ -288,7 +288,6 @@ logging_send_syslog_msg(system_crond_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(system_crond_t)
|
miscfiles_read_localization(system_crond_t)
|
||||||
miscfiles_read_man_pages(system_crond_t)
|
miscfiles_read_man_pages(system_crond_t)
|
||||||
miscfiles_rw_man_cache(system_crond_t)
|
|
||||||
|
|
||||||
seutil_read_config(system_crond_t)
|
seutil_read_config(system_crond_t)
|
||||||
|
|
||||||
|
@ -55,10 +55,7 @@ interface(`kerberos_use',`
|
|||||||
corenet_tcp_bind_all_nodes($1)
|
corenet_tcp_bind_all_nodes($1)
|
||||||
corenet_udp_bind_all_nodes($1)
|
corenet_udp_bind_all_nodes($1)
|
||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
')
|
sysnet_dns_name_resolve($1)
|
||||||
|
|
||||||
tunable_policy(`allow_kerberos && use_dns',`
|
|
||||||
corenet_udp_sendrecv_dns_port($1)
|
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -42,8 +42,6 @@ template(`mta_per_userdomain_template',`
|
|||||||
|
|
||||||
allow $1_mail_t self:capability { setuid setgid chown };
|
allow $1_mail_t self:capability { setuid setgid chown };
|
||||||
allow $1_mail_t self:process { signal_perms setrlimit };
|
allow $1_mail_t self:process { signal_perms setrlimit };
|
||||||
|
|
||||||
# tcp networking
|
|
||||||
allow $1_mail_t self:tcp_socket create_socket_perms;
|
allow $1_mail_t self:tcp_socket create_socket_perms;
|
||||||
|
|
||||||
# re-exec itself
|
# re-exec itself
|
||||||
@ -91,19 +89,12 @@ template(`mta_per_userdomain_template',`
|
|||||||
miscfiles_read_localization($1_mail_t)
|
miscfiles_read_localization($1_mail_t)
|
||||||
|
|
||||||
sysnet_read_config($1_mail_t)
|
sysnet_read_config($1_mail_t)
|
||||||
|
sysnet_dns_name_resolve($1_mail_t)
|
||||||
|
|
||||||
userdom_use_user_terminals($1,$1_mail_t)
|
userdom_use_user_terminals($1,$1_mail_t)
|
||||||
# Write to the user domain tty. cjp: why?
|
# Write to the user domain tty. cjp: why?
|
||||||
userdom_use_user_terminals($1,mta_user_agent)
|
userdom_use_user_terminals($1,mta_user_agent)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
|
||||||
allow $1_mail_t self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if($1_mail_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes($1_mail_t)
|
|
||||||
corenet_udp_bind_all_nodes($1_mail_t)
|
|
||||||
corenet_udp_sendrecv_dns_port($1_mail_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`use_samba_home_dirs',`
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
fs_manage_cifs_files($1_mail_t)
|
fs_manage_cifs_files($1_mail_t)
|
||||||
fs_manage_cifs_symlinks($1_mail_t)
|
fs_manage_cifs_symlinks($1_mail_t)
|
||||||
|
@ -45,7 +45,6 @@ ifdef(`targeted_policy',`',`
|
|||||||
|
|
||||||
allow system_mail_t self:capability { setuid setgid chown };
|
allow system_mail_t self:capability { setuid setgid chown };
|
||||||
allow system_mail_t self:process { signal_perms setrlimit };
|
allow system_mail_t self:process { signal_perms setrlimit };
|
||||||
|
|
||||||
allow system_mail_t self:tcp_socket create_socket_perms;
|
allow system_mail_t self:tcp_socket create_socket_perms;
|
||||||
|
|
||||||
# re-exec itself
|
# re-exec itself
|
||||||
@ -60,9 +59,10 @@ corenet_tcp_sendrecv_all_if(system_mail_t)
|
|||||||
corenet_raw_sendrecv_all_if(system_mail_t)
|
corenet_raw_sendrecv_all_if(system_mail_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(system_mail_t)
|
corenet_tcp_sendrecv_all_nodes(system_mail_t)
|
||||||
corenet_raw_sendrecv_all_nodes(system_mail_t)
|
corenet_raw_sendrecv_all_nodes(system_mail_t)
|
||||||
corenet_tcp_bind_all_nodes(system_mail_t)
|
|
||||||
corenet_tcp_sendrecv_all_ports(system_mail_t)
|
corenet_tcp_sendrecv_all_ports(system_mail_t)
|
||||||
|
corenet_tcp_bind_all_nodes(system_mail_t)
|
||||||
|
|
||||||
|
dev_read_rand(system_mail_t)
|
||||||
dev_read_urand(system_mail_t)
|
dev_read_urand(system_mail_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(system_mail_t)
|
fs_getattr_xattr_fs(system_mail_t)
|
||||||
@ -86,6 +86,7 @@ logging_send_syslog_msg(system_mail_t)
|
|||||||
miscfiles_read_localization(system_mail_t)
|
miscfiles_read_localization(system_mail_t)
|
||||||
|
|
||||||
sysnet_read_config(system_mail_t)
|
sysnet_read_config(system_mail_t)
|
||||||
|
sysnet_dns_name_resolve(system_mail_t)
|
||||||
|
|
||||||
userdom_use_sysadm_terms(system_mail_t)
|
userdom_use_sysadm_terms(system_mail_t)
|
||||||
|
|
||||||
@ -116,14 +117,6 @@ ifdef(`targeted_policy',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
|
||||||
allow system_mail_t self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if(system_mail_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(system_mail_t)
|
|
||||||
corenet_udp_bind_all_nodes(system_mail_t)
|
|
||||||
corenet_udp_sendrecv_dns_port(system_mail_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`cron.te',`
|
optional_policy(`cron.te',`
|
||||||
cron_read_system_job_tmp_files(system_mail_t)
|
cron_read_system_job_tmp_files(system_mail_t)
|
||||||
')
|
')
|
||||||
@ -174,14 +167,6 @@ allow system_mail_t privmail:fd use;
|
|||||||
allow system_mail_t privmail:process sigchld;
|
allow system_mail_t privmail:process sigchld;
|
||||||
allow system_mail_t privmail:fifo_file { read write };
|
allow system_mail_t privmail:fifo_file { read write };
|
||||||
|
|
||||||
optional_policy(`arpwatch.te',`
|
|
||||||
allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
|
|
||||||
|
|
||||||
ifdef(`hide_broken_symptoms', `
|
|
||||||
dontaudit system_mail_t arpwatch_t:packet_socket { read write };
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`qmail.te',`
|
optional_policy(`qmail.te',`
|
||||||
allow system_mail_t qmail_etc_t:dir search;
|
allow system_mail_t qmail_etc_t:dir search;
|
||||||
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
|
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
|
||||||
|
@ -32,8 +32,9 @@ files_tmp_file(mysqld_tmp_t)
|
|||||||
|
|
||||||
allow mysqld_t self:capability { dac_override setgid setuid };
|
allow mysqld_t self:capability { dac_override setgid setuid };
|
||||||
dontaudit mysqld_t self:capability sys_tty_config;
|
dontaudit mysqld_t self:capability sys_tty_config;
|
||||||
allow mysqld_t self:process getsched;
|
allow mysqld_t self:process { setsched getsched };
|
||||||
allow mysqld_t self:fifo_file { read write };
|
allow mysqld_t self:fifo_file { read write };
|
||||||
|
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
|
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow mysqld_t self:tcp_socket create_stream_socket_perms;
|
allow mysqld_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow mysqld_t self:tcp_socket connected_socket_perms;
|
allow mysqld_t self:tcp_socket connected_socket_perms;
|
||||||
@ -112,6 +113,10 @@ optional_policy(`nis.te',`
|
|||||||
nis_use_ypbind(mysqld_t)
|
nis_use_ypbind(mysqld_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket(mysqld_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`selinuxutil.te',`
|
optional_policy(`selinuxutil.te',`
|
||||||
seutil_sigchld_newrole(mysqld_t)
|
seutil_sigchld_newrole(mysqld_t)
|
||||||
')
|
')
|
||||||
|
@ -35,17 +35,20 @@ interface(`nis_use_ypbind',`
|
|||||||
corenet_tcp_sendrecv_all_nodes($1)
|
corenet_tcp_sendrecv_all_nodes($1)
|
||||||
corenet_udp_sendrecv_all_nodes($1)
|
corenet_udp_sendrecv_all_nodes($1)
|
||||||
corenet_raw_sendrecv_all_nodes($1)
|
corenet_raw_sendrecv_all_nodes($1)
|
||||||
corenet_tcp_bind_all_nodes($1)
|
|
||||||
corenet_udp_bind_all_nodes($1)
|
|
||||||
corenet_tcp_sendrecv_all_ports($1)
|
corenet_tcp_sendrecv_all_ports($1)
|
||||||
corenet_udp_sendrecv_all_ports($1)
|
corenet_udp_sendrecv_all_ports($1)
|
||||||
|
corenet_tcp_bind_all_nodes($1)
|
||||||
|
corenet_udp_bind_all_nodes($1)
|
||||||
corenet_tcp_bind_generic_port($1)
|
corenet_tcp_bind_generic_port($1)
|
||||||
corenet_udp_bind_generic_port($1)
|
corenet_udp_bind_generic_port($1)
|
||||||
corenet_tcp_bind_reserved_port($1)
|
corenet_tcp_bind_reserved_port($1)
|
||||||
corenet_udp_bind_reserved_port($1)
|
corenet_udp_bind_reserved_port($1)
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1)
|
corenet_dontaudit_tcp_bind_all_reserved_ports($1)
|
||||||
corenet_dontaudit_udp_bind_all_reserved_ports($1)
|
corenet_dontaudit_udp_bind_all_reserved_ports($1)
|
||||||
|
corenet_tcp_connect_portmap_port($1)
|
||||||
|
corenet_tcp_connect_reserved_port($1)
|
||||||
|
corenet_tcp_connect_generic_port($1)
|
||||||
|
corenet_dontaudit_tcp_connect_all_reserved_ports($1)
|
||||||
',`
|
',`
|
||||||
dontaudit $1 var_yp_t:dir search;
|
dontaudit $1 var_yp_t:dir search;
|
||||||
')
|
')
|
||||||
|
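Review bot: `corenet_tcp_connect_portmap_port($1)` is added to `nis_use_ypbind`, but the corenetwork.if hunks in this commit only define `corenet_tcp_connect_generic_port`, `corenet_tcp_connect_reserved_port` and `corenet_dontaudit_tcp_connect_all_reserved_ports`; unless the portmap connect interface already exists outside the shown hunks, this call will not expand (the Changelog's can_portmap() entry suggests it is meant to exist, so please confirm). Granting generic and reserved-port TCP connect to every caller of `nis_use_ypbind` is a wide grant; a comment such as `# ypbind clients must reach dynamically assigned RPC ports` would document why it is needed. The enclosing interface begins above this hunk.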
@ -11,6 +11,9 @@ type nscd_t;
|
|||||||
type nscd_exec_t;
|
type nscd_exec_t;
|
||||||
init_daemon_domain(nscd_t,nscd_exec_t)
|
init_daemon_domain(nscd_t,nscd_exec_t)
|
||||||
|
|
||||||
|
type nscd_log_t;
|
||||||
|
logging_log_file(nscd_log_t)
|
||||||
|
|
||||||
type nscd_var_run_t;
|
type nscd_var_run_t;
|
||||||
files_pid_file(nscd_var_run_t)
|
files_pid_file(nscd_var_run_t)
|
||||||
|
|
||||||
@ -35,6 +38,9 @@ allow nscd_t self:udp_socket create_socket_perms;
|
|||||||
# cjp: this should probably be in a direct_sysadm_daemon tunable
|
# cjp: this should probably be in a direct_sysadm_daemon tunable
|
||||||
allow nscd_t self:nscd { admin getstat };
|
allow nscd_t self:nscd { admin getstat };
|
||||||
|
|
||||||
|
allow nscd_t nscd_log_t:file create_file_perms;
|
||||||
|
logging_create_log(nscd_t,nscd_log_t)
|
||||||
|
|
||||||
allow nscd_t nscd_var_run_t:file create_file_perms;
|
allow nscd_t nscd_var_run_t:file create_file_perms;
|
||||||
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
|
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
|
||||||
files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
|
files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
|
||||||
@ -66,6 +72,7 @@ corenet_udp_sendrecv_all_ports(nscd_t)
|
|||||||
corenet_tcp_bind_all_nodes(nscd_t)
|
corenet_tcp_bind_all_nodes(nscd_t)
|
||||||
corenet_udp_bind_all_nodes(nscd_t)
|
corenet_udp_bind_all_nodes(nscd_t)
|
||||||
corenet_tcp_connect_all_ports(nscd_t)
|
corenet_tcp_connect_all_ports(nscd_t)
|
||||||
|
corenet_use_tun_tap_device(nscd_t)
|
||||||
|
|
||||||
selinux_get_fs_mount(nscd_t)
|
selinux_get_fs_mount(nscd_t)
|
||||||
selinux_validate_context(nscd_t)
|
selinux_validate_context(nscd_t)
|
||||||
@ -111,8 +118,6 @@ optional_policy(`udev.te', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
nscd_socket_domain(daemon)
|
|
||||||
|
|
||||||
optional_policy(`winbind.te', `
|
optional_policy(`winbind.te', `
|
||||||
# Handle winbind for samba, Might only be needed for targeted policy
|
# Handle winbind for samba, Might only be needed for targeted policy
|
||||||
|
|
||||||
@ -124,6 +129,7 @@ optional_policy(`winbind.te', `
|
|||||||
optional_policy(`rhgb.te',`
|
optional_policy(`rhgb.te',`
|
||||||
rhgb_domain(nscd_t)
|
rhgb_domain(nscd_t)
|
||||||
')
|
')
|
||||||
|
r_dir_file(nscd_t, cert_t)
|
||||||
allow nscd_t tmp_t:dir { search getattr };
|
allow nscd_t tmp_t:dir { search getattr };
|
||||||
allow nscd_t tmp_t:lnk_file read;
|
allow nscd_t tmp_t:lnk_file read;
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
@ -1,5 +1,19 @@
|
|||||||
## <summary>Network time protocol daemon</summary>
|
## <summary>Network time protocol daemon</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## NTP stub interface. No access allowed.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain" optional="true">
|
||||||
|
## N/A
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`ntp_stub',`
|
||||||
|
gen_require(`ntp.te',`
|
||||||
|
type ntpd_t;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute ntp server in the ntpd domain.
|
## Execute ntp server in the ntpd domain.
|
||||||
|
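Review bot: `ntp_stub` calls `gen_require(`ntp.te',`…')` with two arguments, while every other `gen_require` visible in this commit (`hotplug_search_config`, `sysnet_dns_name_resolve`, `sysnet_use_ldap`, `sysnet_use_portmap`) passes a single quoted block. If `gen_require` takes one argument, the extra `ntp.te' argument is at best ignored and at worst leaves the `type ntpd_t;` requirement outside the processed block, so the stub would not actually require the type. Matching the rest of the file set — `gen_require(`` / `type ntpd_t;` / `')` — avoids the question.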
@ -1,12 +1,12 @@
|
|||||||
|
|
||||||
policy_module(authlogin,1.0)
|
policy_module(remotelogin,1.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
type remote_login_t;
|
type remote_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
|
||||||
domain_obj_id_change_exempt(remote_login_t)
|
domain_obj_id_change_exempt(remote_login_t)
|
||||||
domain_subj_id_change_exempt(remote_login_t)
|
domain_subj_id_change_exempt(remote_login_t)
|
||||||
domain_role_change_exempt(remote_login_t)
|
domain_role_change_exempt(remote_login_t)
|
||||||
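Review bot: The new trailing comment on `type remote_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;` is commented-out code rather than documentation, and the same pattern is added to `local_login_t`, `insmod_t` and `mount_t` later in this commit. If these MLS attributes are meant to be restored once MLS support lands, a comment that states the intent, e.g. `# TODO(mls): needs mlsfilewrite mlsprocsetsl mlsfileupgrade mlsfiledowngrade`, is clearer; if they were dropped deliberately, the comment should go so it does not read as a pending change.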
@ -107,6 +107,8 @@ logging_send_syslog_msg(remote_login_t)
|
|||||||
seutil_read_config(remote_login_t)
|
seutil_read_config(remote_login_t)
|
||||||
seutil_read_default_contexts(remote_login_t)
|
seutil_read_default_contexts(remote_login_t)
|
||||||
|
|
||||||
|
sysnet_dns_name_resolve(remote_login_t)
|
||||||
|
|
||||||
miscfiles_read_localization(remote_login_t)
|
miscfiles_read_localization(remote_login_t)
|
||||||
|
|
||||||
userdom_use_unpriv_users_fd(remote_login_t)
|
userdom_use_unpriv_users_fd(remote_login_t)
|
||||||
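Review bot: `sysnet_dns_name_resolve(remote_login_t)` is granted unconditionally, whereas the `tunable_policy(`use_dns',`…')` block it replaces (removed in the next hunk) let an administrator keep the login program off the network; the same gate is dropped for `$1_ssh_t` in ssh.if, `$1_chkpwd_t` and the `auth_domtrans_chk_passwd` caller in authlogin.if, `system_chkpwd_t` in authlogin.te, `hostname_t` in hostname.te and `iptables_t` in iptables.te. As defined in sysnet.if in this commit, the interface grants a UDP socket, send/receive on all interfaces and nodes, the DNS port and read access to `net_conf_t`, so every build now carries that access in each of these domains. If that is the intent, the commit message should state that the `use_dns` tunable is gone and why; otherwise wrapping the call as `tunable_policy(`use_dns',`` / `sysnet_dns_name_resolve(remote_login_t)` / `')` keeps the opt-in while still using the new interface.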
@ -132,18 +134,6 @@ tunable_policy(`read_default_t',`
|
|||||||
files_read_default_pipes(remote_login_t)
|
files_read_default_pipes(remote_login_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# Allow remote login to resolve host names (passed in via the -h switch)
|
|
||||||
tunable_policy(`use_dns',`
|
|
||||||
allow remote_login_t self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if(remote_login_t)
|
|
||||||
corenet_raw_sendrecv_all_if(remote_login_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(remote_login_t)
|
|
||||||
corenet_raw_sendrecv_all_nodes(remote_login_t)
|
|
||||||
corenet_udp_sendrecv_dns_port(remote_login_t)
|
|
||||||
corenet_udp_bind_all_nodes(remote_login_t)
|
|
||||||
sysnet_read_config(remote_login_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_read_nfs_files(remote_login_t)
|
fs_read_nfs_files(remote_login_t)
|
||||||
fs_read_nfs_symlinks(remote_login_t)
|
fs_read_nfs_symlinks(remote_login_t)
|
||||||
@ -172,6 +162,8 @@ optional_policy(`remotelogin.te',`
|
|||||||
# FIXME: what is this for?
|
# FIXME: what is this for?
|
||||||
remotelogin_signull(xdm_t)
|
remotelogin_signull(xdm_t)
|
||||||
')
|
')
|
||||||
|
# Login can polyinstantiate
|
||||||
|
polyinstantiater(remote_login_t)
|
||||||
|
|
||||||
allow remote_login_t userpty_type:chr_file { setattr write };
|
allow remote_login_t userpty_type:chr_file { setattr write };
|
||||||
allow remote_login_t ptyfile:chr_file { getattr ioctl };
|
allow remote_login_t ptyfile:chr_file { getattr ioctl };
|
||||||
|
@ -129,11 +129,6 @@ optional_policy(`rhgb.te', `
|
|||||||
rhgb_domain(sendmail_t)
|
rhgb_domain(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`arpwatch.te',`
|
|
||||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
|
||||||
allow mta_delivery_agent arpwatch_data_t:dir search;
|
|
||||||
')
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Need this transition to create /etc/aliases.db
|
# Need this transition to create /etc/aliases.db
|
||||||
#
|
#
|
||||||
|
@ -144,6 +144,7 @@ template(`ssh_per_userdomain_template',`
|
|||||||
seutil_read_config($1_ssh_t)
|
seutil_read_config($1_ssh_t)
|
||||||
|
|
||||||
sysnet_read_config($1_ssh_t)
|
sysnet_read_config($1_ssh_t)
|
||||||
|
sysnet_dns_name_resolve($1_ssh_t)
|
||||||
|
|
||||||
userdom_use_unpriv_users_fd($1_ssh_t)
|
userdom_use_unpriv_users_fd($1_ssh_t)
|
||||||
|
|
||||||
@ -155,14 +156,6 @@ template(`ssh_per_userdomain_template',`
|
|||||||
files_read_default_pipes($1_ssh_t)
|
files_read_default_pipes($1_ssh_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
|
||||||
allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
|
||||||
corenet_udp_sendrecv_all_if($1_ssh_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes($1_ssh_t)
|
|
||||||
corenet_udp_sendrecv_dns_port($1_ssh_t)
|
|
||||||
corenet_udp_bind_all_nodes($1_ssh_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs($1_ssh_t)
|
fs_manage_nfs_dirs($1_ssh_t)
|
||||||
fs_manage_nfs_files($1_ssh_t)
|
fs_manage_nfs_files($1_ssh_t)
|
||||||
|
@ -53,6 +53,14 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
files_list_etc($1_chkpwd_t)
|
files_list_etc($1_chkpwd_t)
|
||||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||||
|
|
||||||
|
# Transition from the user domain to this domain.
|
||||||
|
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
||||||
|
|
||||||
|
allow $1_chkpwd_t $2:fd use;
|
||||||
|
allow $2 $1_chkpwd_t:fd use;
|
||||||
|
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
|
||||||
|
allow $1_chkpwd_t $2:process sigchld;
|
||||||
|
|
||||||
# is_selinux_enabled
|
# is_selinux_enabled
|
||||||
kernel_read_system_state($1_chkpwd_t)
|
kernel_read_system_state($1_chkpwd_t)
|
||||||
|
|
||||||
@ -73,13 +81,7 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
|
|
||||||
seutil_read_config($1_chkpwd_t)
|
seutil_read_config($1_chkpwd_t)
|
||||||
|
|
||||||
# Transition from the user domain to this domain.
|
sysnet_dns_name_resolve($1_chkpwd_t)
|
||||||
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
|
||||||
|
|
||||||
allow $1_chkpwd_t $2:fd use;
|
|
||||||
allow $2 $1_chkpwd_t:fd use;
|
|
||||||
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
|
|
||||||
allow $1_chkpwd_t $2:process sigchld;
|
|
||||||
|
|
||||||
# Write to the user domain tty.
|
# Write to the user domain tty.
|
||||||
userdom_use_user_terminals($1,$1_chkpwd_t)
|
userdom_use_user_terminals($1,$1_chkpwd_t)
|
||||||
@ -87,17 +89,6 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
# Inherit and use descriptors from gnome-pty-helper.
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
|
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
|
||||||
allow $1_chkpwd_t self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if($1_chkpwd_t)
|
|
||||||
corenet_raw_sendrecv_all_if($1_chkpwd_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes($1_chkpwd_t)
|
|
||||||
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
|
|
||||||
corenet_udp_bind_all_nodes($1_chkpwd_t)
|
|
||||||
corenet_udp_sendrecv_dns_port($1_chkpwd_t)
|
|
||||||
sysnet_read_config($1_chkpwd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`kerberos.te',`
|
optional_policy(`kerberos.te',`
|
||||||
kerberos_use($1_chkpwd_t)
|
kerberos_use($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
@ -237,16 +228,7 @@ interface(`auth_domtrans_chk_passwd',`
|
|||||||
|
|
||||||
dontaudit $1 shadow_t:file { getattr read };
|
dontaudit $1 shadow_t:file { getattr read };
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
sysnet_dns_name_resolve($1)
|
||||||
allow $1 self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if($1)
|
|
||||||
corenet_raw_sendrecv_all_if($1)
|
|
||||||
corenet_udp_sendrecv_all_nodes($1)
|
|
||||||
corenet_raw_sendrecv_all_nodes($1)
|
|
||||||
corenet_udp_bind_all_nodes($1)
|
|
||||||
corenet_udp_sendrecv_dns_port($1)
|
|
||||||
sysnet_read_config($1)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`kerberos.te',`
|
optional_policy(`kerberos.te',`
|
||||||
kerberos_use($1)
|
kerberos_use($1)
|
||||||
|
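Review bot: `sysnet_dns_name_resolve($1)` inside `auth_domtrans_chk_passwd` gives the calling domain itself a UDP socket and DNS-port access, which a caller that only asked for a transition to the password-checking domain will not expect from the interface name; the interface header and its `<summary>` are outside the hunk. The side effect should be documented in the summary, e.g. `## Also grants the calling domain DNS name resolution.`, or, if resolution only happens in the chkpwd domain, the grant should move there and off the caller.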
@ -124,6 +124,10 @@ optional_policy(`nscd.te',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
||||||
|
# Supress xdm denial
|
||||||
|
ifdef(`xdm.te', `
|
||||||
|
dontaudit pam_t xdm_t:fd use;
|
||||||
|
') dnl ifdef
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -272,34 +276,15 @@ miscfiles_read_localization(system_chkpwd_t)
|
|||||||
|
|
||||||
seutil_read_config(system_chkpwd_t)
|
seutil_read_config(system_chkpwd_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
|
sysnet_dns_name_resolve(system_chkpwd_t)
|
||||||
|
sysnet_use_ldap(system_chkpwd_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
|
||||||
allow system_chkpwd_t self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if(system_chkpwd_t)
|
|
||||||
corenet_raw_sendrecv_all_if(system_chkpwd_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(system_chkpwd_t)
|
|
||||||
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
|
|
||||||
corenet_udp_bind_all_nodes(system_chkpwd_t)
|
|
||||||
corenet_udp_sendrecv_dns_port(system_chkpwd_t)
|
|
||||||
sysnet_read_config(system_chkpwd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`kerberos.te',`
|
optional_policy(`kerberos.te',`
|
||||||
kerberos_use(system_chkpwd_t)
|
kerberos_use(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`ldap.te',`
|
|
||||||
allow system_chkpwd_t self:tcp_socket create_socket_perms;
|
|
||||||
corenet_tcp_sendrecv_all_if(system_chkpwd_t)
|
|
||||||
corenet_raw_sendrecv_all_if(system_chkpwd_t)
|
|
||||||
corenet_tcp_sendrecv_all_nodes(system_chkpwd_t)
|
|
||||||
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
|
|
||||||
corenet_tcp_sendrecv_ldap_port(system_chkpwd_t)
|
|
||||||
corenet_tcp_bind_all_nodes(system_chkpwd_t)
|
|
||||||
sysnet_read_config(system_chkpwd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind(system_chkpwd_t)
|
nis_use_ypbind(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
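Review bot: `sysnet_use_ldap(system_chkpwd_t)` replaces an `optional_policy(`ldap.te',`…')` block, so LDAP TCP access is now granted even on systems that do not build the ldap module, and the new interface (see sysnet.if in this commit) adds `corenet_tcp_connect_ldap_port($1)`, which the removed block did not have. The connect permission looks like a genuine fix — the old rules allowed send/receive and bind but never connect — but it widens the domain, so the commit message should say so. The old gate was itself a weak signal (it tied client access to whether the LDAP server module is built), so the better fix is a tunable around the call rather than a silent, always-on grant.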
@ -18,12 +18,9 @@ role system_r types hostname_t;
|
|||||||
|
|
||||||
# for setting the hostname
|
# for setting the hostname
|
||||||
allow hostname_t self:process { sigchld sigkill sigstop signull signal };
|
allow hostname_t self:process { sigchld sigkill sigstop signull signal };
|
||||||
|
|
||||||
allow hostname_t self:capability sys_admin;
|
allow hostname_t self:capability sys_admin;
|
||||||
dontaudit hostname_t self:capability sys_tty_config;
|
dontaudit hostname_t self:capability sys_tty_config;
|
||||||
|
|
||||||
sysnet_read_config(hostname_t)
|
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(hostname_t)
|
kernel_read_kernel_sysctl(hostname_t)
|
||||||
kernel_dontaudit_use_fd(hostname_t)
|
kernel_dontaudit_use_fd(hostname_t)
|
||||||
kernel_list_proc(hostname_t)
|
kernel_list_proc(hostname_t)
|
||||||
@ -55,6 +52,9 @@ logging_send_syslog_msg(hostname_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(hostname_t)
|
miscfiles_read_localization(hostname_t)
|
||||||
|
|
||||||
|
sysnet_read_config(hostname_t)
|
||||||
|
sysnet_dns_name_resolve(hostname_t)
|
||||||
|
|
||||||
userdom_use_all_user_fd(hostname_t)
|
userdom_use_all_user_fd(hostname_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
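Review bot: `sysnet_read_config(hostname_t)` is re-added directly above `sysnet_dns_name_resolve(hostname_t)`, and the latter, as defined in sysnet.if in this commit, already performs `files_search_etc($1)` and `allow $1 net_conf_t:file r_file_perms;`. If `sysnet_read_config` grants nothing beyond that (its body is not in this diff), the first call is redundant and can be dropped; if it grants more, a short comment saying what hostname needs beyond resolver configuration would help the next reader.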
@ -67,17 +67,6 @@ ifdef(`targeted_policy', `
|
|||||||
files_dontaudit_read_root_file(hostname_t)
|
files_dontaudit_read_root_file(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
|
||||||
allow hostname_t self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if(hostname_t)
|
|
||||||
corenet_raw_sendrecv_all_if(hostname_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(hostname_t)
|
|
||||||
corenet_raw_sendrecv_all_nodes(hostname_t)
|
|
||||||
corenet_udp_bind_all_nodes(hostname_t)
|
|
||||||
corenet_udp_sendrecv_dns_port(hostname_t)
|
|
||||||
sysnet_read_config(hostname_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`firstboot.te',`
|
optional_policy(`firstboot.te',`
|
||||||
firstboot_use_fd(hostname_t)
|
firstboot_use_fd(hostname_t)
|
||||||
')
|
')
|
||||||
@ -91,6 +80,7 @@ optional_policy(`selinuxutil.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te',`
|
optional_policy(`udev.te',`
|
||||||
|
udev_dontaudit_use_fd(hostname_t)
|
||||||
udev_read_db(hostname_t)
|
udev_read_db(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -104,10 +104,10 @@ interface(`hotplug_getattr_config_dir',`
|
|||||||
interface(`hotplug_search_config',`
|
interface(`hotplug_search_config',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type hotplug_etc_t;
|
type hotplug_etc_t;
|
||||||
class dir search;
|
class dir { getattr search };
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 hotplug_etc_t:dir search;
|
allow $1 hotplug_etc_t:dir { getattr search };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -23,14 +23,13 @@ files_pid_file(hotplug_var_run_t)
|
|||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow hotplug_t self:capability { net_admin sys_tty_config mknod };
|
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
|
||||||
dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
|
dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
|
||||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||||
dontaudit hotplug_t self:capability { dac_override dac_read_search };
|
dontaudit hotplug_t self:capability { dac_override dac_read_search };
|
||||||
|
|
||||||
allow hotplug_t self:process { getsession getattr };
|
allow hotplug_t self:process { getsession getattr };
|
||||||
|
|
||||||
allow hotplug_t self:fifo_file rw_file_perms;
|
allow hotplug_t self:fifo_file rw_file_perms;
|
||||||
|
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
allow hotplug_t self:udp_socket create_socket_perms;
|
allow hotplug_t self:udp_socket create_socket_perms;
|
||||||
allow hotplug_t self:tcp_socket connected_stream_socket_perms;
|
allow hotplug_t self:tcp_socket connected_stream_socket_perms;
|
||||||
|
|
||||||
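Review bot: `sys_rawio` is added to `allow hotplug_t self:capability {…}` without a comment; this capability permits raw device I/O and is among the most powerful grants in the policy, so the hotplug helper or ioctl that triggers the denial should be named, e.g. `# sys_rawio: TODO(review) name the helper that needs raw device access`, and if the access is only probed, `dontaudit` is the safer choice. The same rationale is missing for the change from `dev_read_sysfs` to `dev_rw_sysfs(hotplug_t)` in the hunk below, which lets hotplug write device and kernel attributes. Separately, `sys_tty_config` is both allowed on the changed line and dontaudited on the line after it, so that dontaudit entry is dead and can be removed.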
@ -45,6 +44,7 @@ allow hotplug_t hotplug_var_run_t:file { getattr create read write append setatt
|
|||||||
files_create_pid(hotplug_t,hotplug_var_run_t)
|
files_create_pid(hotplug_t,hotplug_var_run_t)
|
||||||
|
|
||||||
kernel_sigchld(hotplug_t)
|
kernel_sigchld(hotplug_t)
|
||||||
|
kernel_setpgid(hotplug_t)
|
||||||
kernel_read_system_state(hotplug_t)
|
kernel_read_system_state(hotplug_t)
|
||||||
kernel_read_kernel_sysctl(hotplug_t)
|
kernel_read_kernel_sysctl(hotplug_t)
|
||||||
kernel_read_net_sysctl(hotplug_t)
|
kernel_read_net_sysctl(hotplug_t)
|
||||||
@ -58,7 +58,7 @@ corenet_raw_sendrecv_all_nodes(hotplug_t)
|
|||||||
corenet_tcp_sendrecv_all_ports(hotplug_t)
|
corenet_tcp_sendrecv_all_ports(hotplug_t)
|
||||||
corenet_tcp_bind_all_nodes(hotplug_t)
|
corenet_tcp_bind_all_nodes(hotplug_t)
|
||||||
|
|
||||||
dev_read_sysfs(hotplug_t)
|
dev_rw_sysfs(hotplug_t)
|
||||||
dev_read_usbfs(hotplug_t)
|
dev_read_usbfs(hotplug_t)
|
||||||
dev_setattr_printer(hotplug_t)
|
dev_setattr_printer(hotplug_t)
|
||||||
dev_setattr_snd_dev(hotplug_t)
|
dev_setattr_snd_dev(hotplug_t)
|
||||||
@ -107,6 +107,8 @@ modutils_read_mods_deps(hotplug_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(hotplug_t)
|
miscfiles_read_localization(hotplug_t)
|
||||||
|
|
||||||
|
seutil_dontaudit_search_config(hotplug_t)
|
||||||
|
|
||||||
sysnet_read_config(hotplug_t)
|
sysnet_read_config(hotplug_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
|
userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
|
||||||
@ -122,8 +124,6 @@ ifdef(`distro_redhat', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
unconfined_domain_template(hotplug_t)
|
|
||||||
|
|
||||||
optional_policy(`consoletype.te',`
|
optional_policy(`consoletype.te',`
|
||||||
consoletype_domtrans(hotplug_t)
|
consoletype_domtrans(hotplug_t)
|
||||||
')
|
')
|
||||||
|
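Review bot: Removing `unconfined_domain_template(hotplug_t)` leaves `ifdef(`targeted_policy', `` immediately followed by `optional_policy(`consoletype.te',`…')`, and the closing `')` of the ifdef is outside the hunk. If the ifdef body is now empty, the ifdef should be removed as well; if the optional_policy blocks below are inside it, they are now compiled only for targeted policy, which is probably not intended. The structure should be checked against the full file before merging.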
@ -90,10 +90,14 @@ interface(`init_daemon_domain',`
|
|||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
optional_policy(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
kernel_dontaudit_use_fd($1)
|
kernel_dontaudit_use_fd($1)
|
||||||
files_dontaudit_read_root_file($1)
|
files_dontaudit_read_root_file($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket($1)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -385,6 +385,10 @@ ifdef(`distro_redhat',`
|
|||||||
|
|
||||||
# readahead asks for these
|
# readahead asks for these
|
||||||
mta_read_aliases(initrc_t)
|
mta_read_aliases(initrc_t)
|
||||||
|
|
||||||
|
optional_policy(`bind.te',`
|
||||||
|
bind_manage_config_dir(initrc_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
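Review bot: `bind_manage_config_dir(initrc_t)` grants create, write and delete on the BIND configuration directory to every init script, under a comment (`# readahead asks for these`) that describes a read-only need. If readahead is the reason, a list or read interface is the least-privilege choice; if some init script actually writes into the directory, a comment naming that script would justify `manage`.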
@ -546,6 +550,12 @@ ifdef(`distro_redhat', `
|
|||||||
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
|
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
|
||||||
allow initrc_t self:capability sys_admin;
|
allow initrc_t self:capability sys_admin;
|
||||||
allow initrc_t device_t:dir create;
|
allow initrc_t device_t:dir create;
|
||||||
|
|
||||||
|
optional_policy(`rpm.te',`
|
||||||
|
rpm_stub()
|
||||||
|
#read ahead wants to read this
|
||||||
|
allow initrc_t system_cron_spool_t:file { getattr read };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
|
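Review bot: `allow initrc_t system_cron_spool_t:file { getattr read };` references a cron type but is gated by `optional_policy(`rpm.te',`…')` with a bare `rpm_stub()` to populate the block; if the cron module is absent the rule fails on an undeclared type regardless of rpm, and if rpm is absent the rule disappears although, per the comment, readahead still needs it. Gate it on the cron module instead and use that module's read interface for its system spool rather than a raw `allow` on another module's type. The comment `#read ahead wants to read this` should also match the spelling used three lines up (`readahead`) and have a space after `#`.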
@ -28,6 +28,9 @@ type ipsec_mgmt_exec_t;
|
|||||||
init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
|
init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
|
||||||
role system_r types ipsec_mgmt_t;
|
role system_r types ipsec_mgmt_t;
|
||||||
|
|
||||||
|
type ipsec_mgmt_lock_t;
|
||||||
|
files_lock_file(ipsec_mgmt_lock_t)
|
||||||
|
|
||||||
type ipsec_mgmt_var_run_t;
|
type ipsec_mgmt_var_run_t;
|
||||||
files_pid_file(ipsec_mgmt_var_run_t)
|
files_pid_file(ipsec_mgmt_var_run_t)
|
||||||
|
|
||||||
@ -155,6 +158,9 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
|||||||
allow ipsec_mgmt_t self:key_socket { create setopt };
|
allow ipsec_mgmt_t self:key_socket { create setopt };
|
||||||
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
|
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
|
||||||
|
|
||||||
|
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
|
||||||
|
files_create_lock(ipsec_mgmt_t,ipsec_mgmt_lock_t)
|
||||||
|
|
||||||
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
|
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
|
||||||
files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
|
files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
|
||||||
|
|
||||||
@ -235,9 +241,6 @@ files_exec_etc_files(ipsec_mgmt_t)
|
|||||||
files_read_etc_runtime_files(ipsec_mgmt_t)
|
files_read_etc_runtime_files(ipsec_mgmt_t)
|
||||||
files_dontaudit_getattr_default_dir(ipsec_mgmt_t)
|
files_dontaudit_getattr_default_dir(ipsec_mgmt_t)
|
||||||
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
|
||||||
# Allow scripts to use /var/locl/subsys/ipsec
|
|
||||||
# cjp: need a lock type
|
|
||||||
files_manage_generic_locks(ipsec_mgmt_t)
|
|
||||||
|
|
||||||
init_use_script_pty(ipsec_mgmt_t)
|
init_use_script_pty(ipsec_mgmt_t)
|
||||||
init_exec_script(ipsec_mgmt_t)
|
init_exec_script(ipsec_mgmt_t)
|
||||||
|
@ -69,6 +69,7 @@ logging_send_syslog_msg(iptables_t)
|
|||||||
miscfiles_read_localization(iptables_t)
|
miscfiles_read_localization(iptables_t)
|
||||||
|
|
||||||
sysnet_domtrans_ifconfig(iptables_t)
|
sysnet_domtrans_ifconfig(iptables_t)
|
||||||
|
sysnet_dns_name_resolve(iptables_t)
|
||||||
|
|
||||||
userdom_use_all_user_fd(iptables_t)
|
userdom_use_all_user_fd(iptables_t)
|
||||||
|
|
||||||
@ -79,19 +80,6 @@ ifdef(`targeted_policy', `
|
|||||||
files_dontaudit_read_root_file(iptables_t)
|
files_dontaudit_read_root_file(iptables_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
|
||||||
allow iptables_t self:udp_socket create_socket_perms;
|
|
||||||
|
|
||||||
corenet_udp_sendrecv_all_if(iptables_t)
|
|
||||||
corenet_raw_sendrecv_all_if(iptables_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(iptables_t)
|
|
||||||
corenet_raw_sendrecv_all_nodes(iptables_t)
|
|
||||||
corenet_udp_bind_all_nodes(iptables_t)
|
|
||||||
corenet_udp_sendrecv_dns_port(iptables_t)
|
|
||||||
|
|
||||||
sysnet_read_config(iptables_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`firstboot.te',`
|
optional_policy(`firstboot.te',`
|
||||||
firstboot_use_fd(iptables_t)
|
firstboot_use_fd(iptables_t)
|
||||||
firstboot_write_pipe(iptables_t)
|
firstboot_write_pipe(iptables_t)
|
||||||
|
@ -225,7 +225,7 @@ interface(`libs_use_shared_libs',`
|
|||||||
type lib_t, shlib_t, texrel_shlib_t;
|
type lib_t, shlib_t, texrel_shlib_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class lnk_file r_file_perms;
|
class lnk_file r_file_perms;
|
||||||
class file rx_file_perms;
|
class file { rx_file_perms execmod };
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_usr($1)
|
files_search_usr($1)
|
||||||
@ -233,6 +233,7 @@ interface(`libs_use_shared_libs',`
|
|||||||
allow $1 lib_t:lnk_file r_file_perms;
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
|
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
|
||||||
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
|
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
|
||||||
|
allow $1 texrel_shlib_t:file execmod;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
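Review bot: `allow $1 texrel_shlib_t:file execmod;` grants every caller of `libs_use_shared_libs` the right to execute modified (text-relocated) mappings of `texrel_shlib_t` files unconditionally, outside any tunable. That is presumably the purpose of a dedicated text-relocation type, but nothing in the interface says so, and mislabeling a library as `texrel_shlib_t` silently re-enables execmod for every domain on the system. A comment above the line, e.g. `# texrel_shlib_t is reserved for libraries known to need text relocations; any wider execmod grant belongs behind a tunable`, documents the contract; the interface's `<summary>` is outside the hunk and should mention it too.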
@ -6,7 +6,7 @@ policy_module(locallogin,1.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
type local_login_t;
|
type local_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
|
||||||
auth_login_entry_type(local_login_t)
|
auth_login_entry_type(local_login_t)
|
||||||
domain_type(local_login_t)
|
domain_type(local_login_t)
|
||||||
domain_obj_id_change_exempt(local_login_t)
|
domain_obj_id_change_exempt(local_login_t)
|
||||||
@ -15,6 +15,9 @@ domain_role_change_exempt(local_login_t)
|
|||||||
domain_wide_inherit_fd(local_login_t)
|
domain_wide_inherit_fd(local_login_t)
|
||||||
role system_r types local_login_t;
|
role system_r types local_login_t;
|
||||||
|
|
||||||
|
type local_login_lock_t;
|
||||||
|
files_lock_file(local_login_lock_t)
|
||||||
|
|
||||||
type local_login_tmp_t;
|
type local_login_tmp_t;
|
||||||
files_type(local_login_tmp_t)
|
files_type(local_login_tmp_t)
|
||||||
|
|
||||||
@ -47,6 +50,9 @@ allow local_login_t self:sem create_sem_perms;
|
|||||||
allow local_login_t self:msgq create_msgq_perms;
|
allow local_login_t self:msgq create_msgq_perms;
|
||||||
allow local_login_t self:msg { send receive };
|
allow local_login_t self:msg { send receive };
|
||||||
|
|
||||||
|
allow local_login_t local_login_lock_t:file create_file_perms;
|
||||||
|
files_create_lock(local_login_t,local_login_lock_t)
|
||||||
|
|
||||||
allow local_login_t local_login_tmp_t:dir create_dir_perms;
|
allow local_login_t local_login_tmp_t:dir create_dir_perms;
|
||||||
allow local_login_t local_login_tmp_t:file create_file_perms;
|
allow local_login_t local_login_tmp_t:file create_file_perms;
|
||||||
files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
|
files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
|
||||||
@ -125,7 +131,6 @@ domain_read_all_entry_files(local_login_t)
|
|||||||
files_read_etc_files(local_login_t)
|
files_read_etc_files(local_login_t)
|
||||||
files_read_etc_runtime_files(local_login_t)
|
files_read_etc_runtime_files(local_login_t)
|
||||||
files_read_usr_files(local_login_t)
|
files_read_usr_files(local_login_t)
|
||||||
files_manage_generic_locks(var_lock_t)
|
|
||||||
files_list_mnt(local_login_t)
|
files_list_mnt(local_login_t)
|
||||||
files_list_world_readable(local_login_t)
|
files_list_world_readable(local_login_t)
|
||||||
files_read_world_readable_files(local_login_t)
|
files_read_world_readable_files(local_login_t)
|
||||||
@ -209,6 +214,8 @@ optional_policy(`locallogin.te',`
|
|||||||
# FIXME: what is this for?
|
# FIXME: what is this for?
|
||||||
locallogin_signull(xdm_t)
|
locallogin_signull(xdm_t)
|
||||||
')
|
')
|
||||||
|
# Login can polyinstantiate
|
||||||
|
polyinstantiater(local_login_t)
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
|
@ -200,6 +200,12 @@ logging_send_syslog_msg(klogd_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(klogd_t)
|
miscfiles_read_localization(klogd_t)
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
ifdef(`targeted_policy', `
|
||||||
|
allow klogd_t unconfined_t:system syslog_mod;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# syslogd local policy
|
# syslogd local policy
|
||||||
|
@ -1,26 +1,5 @@
|
|||||||
## <summary>Miscelaneous files.</summary>
|
## <summary>Miscelaneous files.</summary>
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
## Allow process to create files and dirs in /var/cache/man
|
|
||||||
## and /var/catman/
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## Type type of the process performing this action.
|
|
||||||
## </param>
|
|
||||||
#
|
|
||||||
interface(`miscfiles_rw_man_cache',`
|
|
||||||
gen_require(`
|
|
||||||
type catman_t;
|
|
||||||
class dir create_dir_perms;
|
|
||||||
class file create_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
files_search_var($1)
|
|
||||||
allow $1 catman_t:dir create_dir_perms;
|
|
||||||
allow $1 catman_t:file create_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read fonts
|
## Read fonts
|
||||||
|
@ -14,7 +14,7 @@ files_type(modules_conf_t)
|
|||||||
type modules_dep_t;
|
type modules_dep_t;
|
||||||
files_type(modules_dep_t)
|
files_type(modules_dep_t)
|
||||||
|
|
||||||
type insmod_t;
|
type insmod_t; #, mlsfilewrite
|
||||||
type insmod_exec_t;
|
type insmod_exec_t;
|
||||||
kernel_userland_entry(insmod_t,insmod_exec_t)
|
kernel_userland_entry(insmod_t,insmod_exec_t)
|
||||||
init_system_domain(insmod_t,insmod_exec_t)
|
init_system_domain(insmod_t,insmod_exec_t)
|
||||||
@ -111,10 +111,18 @@ ifdef(`targeted_policy',`
|
|||||||
unconfined_domain_template(insmod_t)
|
unconfined_domain_template(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`hotplug.te',`
|
||||||
|
hotplug_search_config(insmod_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`mount.te',`
|
optional_policy(`mount.te',`
|
||||||
mount_domtrans(insmod_t)
|
mount_domtrans(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket(insmod_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`rpm.te',`
|
optional_policy(`rpm.te',`
|
||||||
rpm_rw_pipe(insmod_t)
|
rpm_rw_pipe(insmod_t)
|
||||||
')
|
')
|
||||||
|
@ -6,7 +6,7 @@ policy_module(mount,1.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
type mount_t;
|
type mount_t; #, mlsfileread, mlsfilewrite
|
||||||
type mount_exec_t;
|
type mount_exec_t;
|
||||||
init_system_domain(mount_t,mount_exec_t)
|
init_system_domain(mount_t,mount_exec_t)
|
||||||
role system_r types mount_t;
|
role system_r types mount_t;
|
||||||
@ -45,6 +45,7 @@ fs_unmount_all_fs(mount_t)
|
|||||||
fs_remount_all_fs(mount_t)
|
fs_remount_all_fs(mount_t)
|
||||||
fs_relabelfrom_xattr_fs(mount_t)
|
fs_relabelfrom_xattr_fs(mount_t)
|
||||||
fs_search_auto_mountpoints(mount_t)
|
fs_search_auto_mountpoints(mount_t)
|
||||||
|
fs_use_tmpfs_chr_dev(mount_t)
|
||||||
|
|
||||||
term_use_console(mount_t)
|
term_use_console(mount_t)
|
||||||
|
|
||||||
@ -77,12 +78,11 @@ logging_send_syslog_msg(mount_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(mount_t)
|
miscfiles_read_localization(mount_t)
|
||||||
|
|
||||||
|
sysnet_use_portmap(mount_t)
|
||||||
|
|
||||||
userdom_use_all_user_fd(mount_t)
|
userdom_use_all_user_fd(mount_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
fs_use_tmpfs_chr_dev(mount_t)
|
|
||||||
allow mount_t tmpfs_t:dir mounton;
|
|
||||||
|
|
||||||
optional_policy(`authlogin.te',`
|
optional_policy(`authlogin.te',`
|
||||||
auth_read_pam_console_data(mount_t)
|
auth_read_pam_console_data(mount_t)
|
||||||
# mount config by default sets fscontext=removable_t
|
# mount config by default sets fscontext=removable_t
|
||||||
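Review bot: `allow mount_t tmpfs_t:dir mounton;` is removed from the `ifdef(`distro_redhat'` block with no replacement visible in this diff, while its neighbour `fs_use_tmpfs_chr_dev(mount_t)` is only moved up to the unconditional section. If no interface elsewhere now grants mounton on tmpfs directories, mounting onto a tmpfs path will be denied on Red Hat; if one does, the commit message should name it. `sysnet_use_portmap(mount_t)` is also added unconditionally here while the `optional_policy(`portmap.te'` block in the next hunk keeps its own port rules, so the two overlap under different gates and one of them should state why both are needed.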
@ -109,6 +109,7 @@ optional_policy(`portmap.te', `
|
|||||||
corenet_udp_bind_generic_port(mount_t)
|
corenet_udp_bind_generic_port(mount_t)
|
||||||
corenet_tcp_bind_reserved_port(mount_t)
|
corenet_tcp_bind_reserved_port(mount_t)
|
||||||
corenet_udp_bind_reserved_port(mount_t)
|
corenet_udp_bind_reserved_port(mount_t)
|
||||||
|
corenet_tcp_connect_all_ports(mount_t)
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind(mount_t)
|
nis_use_ypbind(mount_t)
|
||||||
|
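Review bot: `corenet_tcp_connect_all_ports(mount_t)` lets mount connect to any TCP port, far wider than the portmap and NFS ports this `optional_policy(`portmap.te'` block is about. If the reason is that the NFS helper daemons are registered on dynamically assigned ports, say so in a comment (`# mountd/NFS helpers use dynamic ports, hence all ports`) and consider whether the `sysnet_use_portmap` interface introduced in this commit is the right home for it; otherwise connecting to the specific portmap and NFS ports is the least-privilege form.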
@ -345,3 +345,91 @@ interface(`sysnet_create_dhcp_state',`
|
|||||||
type_transition $1 dhcp_state_t:$3 $2;
|
type_transition $1 dhcp_state_t:$3 $2;
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Perform a DNS name resolution.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sysnet_dns_name_resolve',`
|
||||||
|
gen_require(`
|
||||||
|
type net_conf_t;
|
||||||
|
class udp_socket create_socket_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 self:udp_socket create_socket_perms;
|
||||||
|
corenet_udp_sendrecv_all_if($1)
|
||||||
|
corenet_raw_sendrecv_all_if($1)
|
||||||
|
corenet_udp_sendrecv_all_nodes($1)
|
||||||
|
corenet_raw_sendrecv_all_nodes($1)
|
||||||
|
corenet_udp_sendrecv_dns_port($1)
|
||||||
|
corenet_udp_bind_all_nodes($1)
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 net_conf_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect and use a LDAP server.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sysnet_use_ldap',`
|
||||||
|
gen_require(`
|
||||||
|
type net_conf_t;
|
||||||
|
class tcp_socket create_socket_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 self:tcp_socket create_socket_perms;
|
||||||
|
|
||||||
|
corenet_tcp_sendrecv_all_if($1)
|
||||||
|
corenet_raw_sendrecv_all_if($1)
|
||||||
|
corenet_tcp_sendrecv_all_nodes($1)
|
||||||
|
corenet_raw_sendrecv_all_nodes($1)
|
||||||
|
corenet_tcp_sendrecv_ldap_port($1)
|
||||||
|
corenet_tcp_bind_all_nodes($1)
|
||||||
|
corenet_tcp_connect_ldap_port($1)
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 net_conf_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect and use remote port mappers.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sysnet_use_portmap',`
|
||||||
|
gen_require(`
|
||||||
|
type net_conf_t;
|
||||||
|
class tcp_socket create_socket_perms;
|
||||||
|
class udp_socket create_socket_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 self:tcp_socket create_socket_perms;
|
||||||
|
allow $1 self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
corenet_tcp_sendrecv_all_if($1)
|
||||||
|
corenet_udp_sendrecv_all_if($1)
|
||||||
|
corenet_raw_sendrecv_all_if($1)
|
||||||
|
corenet_tcp_sendrecv_all_nodes($1)
|
||||||
|
corenet_udp_sendrecv_all_nodes($1)
|
||||||
|
corenet_raw_sendrecv_all_nodes($1)
|
||||||
|
corenet_tcp_sendrecv_portmap_port($1)
|
||||||
|
corenet_udp_sendrecv_portmap_port($1)
|
||||||
|
corenet_tcp_bind_all_nodes($1)
|
||||||
|
corenet_udp_bind_all_nodes($1)
|
||||||
|
corenet_tcp_connect_portmap_port($1)
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 net_conf_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
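Review bot: `sysnet_dns_name_resolve` only grants UDP traffic to the DNS port (`corenet_udp_sendrecv_dns_port($1)`), so a resolver that retries over TCP after a truncated UDP reply would be denied; if that is intended, a comment saying TCP fallback is out of scope would help, otherwise adding `class tcp_socket create_socket_perms;` to the require block plus `corenet_tcp_sendrecv_dns_port($1)` and `corenet_tcp_connect_dns_port($1)` would complete the interface. All three new interfaces end with the same `files_search_etc($1)` / `allow $1 net_conf_t:file r_file_perms;` pair; factoring that into one helper interface would keep the config-read rule in a single place. The `corenet_raw_sendrecv_all_if`/`all_nodes` calls in `sysnet_use_ldap` and `sysnet_use_portmap` also look wider than a TCP/UDP client needs, presumably carried over from the old macros, and deserve a comment if they are actually required.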
@ -172,6 +172,9 @@ optional_policy(`hotplug.te',`
|
|||||||
# for the dhcp client to run ping to check IP addresses
|
# for the dhcp client to run ping to check IP addresses
|
||||||
optional_policy(`netutils.te',`
|
optional_policy(`netutils.te',`
|
||||||
netutils_domtrans_ping(dhcpc_t)
|
netutils_domtrans_ping(dhcpc_t)
|
||||||
|
',`
|
||||||
|
allow dhcpc_t self:capability setuid;
|
||||||
|
allow dhcpc_t self:rawip_socket create_socket_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
|
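Review bot: The new else-branch of the netutils.te block grants dhcpc_t `self:capability setuid` and `self:rawip_socket create_socket_perms` whenever the netutils module is absent, which is wider than the ping domain transition it replaces, since the DHCP client domain then holds raw-socket access directly. The existing `# for the dhcp client to run ping to check IP addresses` comment sits above the whole block, so a short comment on the fallback, e.g. `# no netutils module: ping runs in dhcpc_t itself, which needs the raw socket and setuid`, would record why these are granted unconditionally there.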
@ -24,6 +24,24 @@ interface(`udev_domtrans',`
|
|||||||
allow udev_t $1:process sigchld;
|
allow udev_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to inherit a
|
||||||
|
## udev file descriptor.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`udev_dontaudit_use_fd',`
|
||||||
|
gen_require(`
|
||||||
|
type udev_t;
|
||||||
|
class fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 udev_t:fd use;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to read or write
|
## Do not audit attempts to read or write
|
||||||
@ -33,7 +51,7 @@ interface(`udev_domtrans',`
|
|||||||
## Domain to not audit.
|
## Domain to not audit.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`udev_donaudit_rw_unix_dgram_socket',`
|
interface(`udev_dontaudit_rw_unix_dgram_socket',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type udev_t;
|
type udev_t;
|
||||||
class unix_dgram_socket { read write };
|
class unix_dgram_socket { read write };
|
||||||
|
@ -34,7 +34,7 @@ files_pid_file(udev_var_run_t)
|
|||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice };
|
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio };
|
||||||
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow udev_t self:process { execmem setfscreate };
|
allow udev_t self:process { execmem setfscreate };
|
||||||
allow udev_t self:fd use;
|
allow udev_t self:fd use;
|
||||||
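Review bot: `sys_rawio` is added to udev_t's capability set without a comment saying which operation needs it; CAP_SYS_RAWIO covers raw port I/O and is one of the capabilities closest to full kernel access, so the policy should name the trigger, e.g. `# sys_rawio: needed by <tool/ioctl — TODO name it>`. If only a helper that udev runs requires it, a domain transition for that helper would keep the capability out of udev_t itself. The local-policy section continues outside the hunk.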
@ -75,8 +75,10 @@ kernel_rw_unix_dgram_socket(udev_t)
|
|||||||
kernel_sendto_unix_dgram_socket(udev_t)
|
kernel_sendto_unix_dgram_socket(udev_t)
|
||||||
kernel_signal(udev_t)
|
kernel_signal(udev_t)
|
||||||
|
|
||||||
dev_read_sysfs(udev_t)
|
dev_rw_sysfs(udev_t)
|
||||||
dev_manage_dev_nodes(udev_t)
|
dev_manage_dev_nodes(udev_t)
|
||||||
|
dev_rw_generic_file(udev_t)
|
||||||
|
dev_delete_generic_file(udev_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(udev_t)
|
fs_getattr_all_fs(udev_t)
|
||||||
|
|
||||||
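Review bot: `dev_rw_generic_file(udev_t)` and `dev_delete_generic_file(udev_t)` grant read/write and delete on files of the generic device type (presumably device_t) rather than a specific node type, and `dev_read_sysfs` widens to `dev_rw_sysfs`, yet none of the three says which nodes or sysfs attributes udev writes. A one-line why-comment per grant, e.g. `# udev creates and removes nodes before they are relabelled`, would let a later reader check whether a narrower device type can be used. udev_t's local policy continues outside the hunk.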
@ -125,6 +127,8 @@ sysnet_domtrans_ifconfig(udev_t)
|
|||||||
userdom_use_sysadm_tty(udev_t)
|
userdom_use_sysadm_tty(udev_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
|
fs_manage_tmpfs_dirs(udev_t)
|
||||||
|
fs_manage_tmpfs_files(udev_t)
|
||||||
fs_manage_tmpfs_symlinks(udev_t)
|
fs_manage_tmpfs_symlinks(udev_t)
|
||||||
fs_manage_tmpfs_sockets(udev_t)
|
fs_manage_tmpfs_sockets(udev_t)
|
||||||
fs_manage_tmpfs_blk_dev(udev_t)
|
fs_manage_tmpfs_blk_dev(udev_t)
|
||||||
|
@ -34,10 +34,16 @@ template(`unconfined_domain_template',`
|
|||||||
files_unconfined($1)
|
files_unconfined($1)
|
||||||
|
|
||||||
tunable_policy(`allow_execmem',`
|
tunable_policy(`allow_execmem',`
|
||||||
# Allow loading DSOs that require executable stack.
|
# Allow making anonymous memory executable, e.g.
|
||||||
|
# for runtime-code generation or executable stack.
|
||||||
allow $1 self:process execmem;
|
allow $1 self:process execmem;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`allow_execmem && allow_execstack',`
|
||||||
|
# Allow making the stack executable via mprotect.
|
||||||
|
allow $1 self:process execstack;
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`authlogin.te',`
|
optional_policy(`authlogin.te',`
|
||||||
auth_unconfined($1)
|
auth_unconfined($1)
|
||||||
')
|
')
|
||||||
@ -61,8 +67,13 @@ template(`unconfined_domain_template',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
if (allow_execmod) {
|
if (allow_execmod) {
|
||||||
|
ifdef(`targeted_policy', `
|
||||||
|
allow $1 file_type:file execmod;
|
||||||
|
', `
|
||||||
# Allow text relocations on system shared libraries, e.g. libGL.
|
# Allow text relocations on system shared libraries, e.g. libGL.
|
||||||
allow $1 texrel_shlib_t:file execmod;
|
allow $1 texrel_shlib_t:file execmod;
|
||||||
|
allow $1 home_type:file execmod;
|
||||||
|
')
|
||||||
}
|
}
|
||||||
|
|
||||||
ifdef(`dbusd.te', `
|
ifdef(`dbusd.te', `
|
||||||
|
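Review bot: The new targeted_policy branch, `allow $1 file_type:file execmod;`, permits text-relocation execution on every file type in the system, and the non-targeted branch adds `allow $1 home_type:file execmod;` over all home-directory files; both are far wider than the `texrel_shlib_t` rule kept beside them. The block is still inside `ifdef(`TODO',` so it is not compiled today, but a comment marking these as placeholders pending a narrower type (or a tunable of their own) would prevent them being enabled as-is when the TODO is resolved. The `ifdef(`TODO'` wrapper closes outside the hunk.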
@ -139,8 +139,8 @@ template(`base_user_template',`
|
|||||||
corenet_udp_sendrecv_all_ports($1_t)
|
corenet_udp_sendrecv_all_ports($1_t)
|
||||||
corenet_tcp_bind_all_nodes($1_t)
|
corenet_tcp_bind_all_nodes($1_t)
|
||||||
corenet_udp_bind_all_nodes($1_t)
|
corenet_udp_bind_all_nodes($1_t)
|
||||||
# allow port_t name binding for UDP because it is not very usable otherwise
|
|
||||||
corenet_udp_bind_generic_port($1_t)
|
corenet_udp_bind_generic_port($1_t)
|
||||||
|
corenet_tcp_connect_all_ports($1_t)
|
||||||
|
|
||||||
dev_read_input($1_t)
|
dev_read_input($1_t)
|
||||||
dev_read_misc($1_t)
|
dev_read_misc($1_t)
|
||||||
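Review bot: The comment `# allow port_t name binding for UDP because it is not very usable otherwise` is removed while the line it explained, `corenet_udp_bind_generic_port($1_t)`, stays, so the rationale for the generic-port bind is lost; restoring it, or a shorter `# generic UDP port bind: ordinary client sockets are unusable without it`, keeps the reason next to the rule. The added `corenet_tcp_connect_all_ports($1_t)` applies to every domain built from base_user_template, which is expected for interactive users but deserves the same one-line why-comment. The template continues outside the hunk.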
@ -194,7 +194,6 @@ template(`base_user_template',`
|
|||||||
logging_dontaudit_getattr_all_logs($1_t)
|
logging_dontaudit_getattr_all_logs($1_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_t)
|
miscfiles_read_localization($1_t)
|
||||||
miscfiles_rw_man_cache($1_t)
|
|
||||||
# for running TeX programs
|
# for running TeX programs
|
||||||
miscfiles_read_tetex_data($1_t)
|
miscfiles_read_tetex_data($1_t)
|
||||||
miscfiles_exec_tetex_data($1_t)
|
miscfiles_exec_tetex_data($1_t)
|
||||||
@ -301,6 +300,8 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
can_winbind($1_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Cups daemon running as user tries to write /etc/printcap
|
# Cups daemon running as user tries to write /etc/printcap
|
||||||
#
|
#
|
||||||
@ -324,8 +325,6 @@ template(`base_user_template',`
|
|||||||
#
|
#
|
||||||
dontaudit $1_t sysctl_net_t:dir search;
|
dontaudit $1_t sysctl_net_t:dir search;
|
||||||
|
|
||||||
dontaudit $1_t default_context_t:dir search;
|
|
||||||
|
|
||||||
r_dir_file($1_t, usercanread)
|
r_dir_file($1_t, usercanread)
|
||||||
|
|
||||||
tunable_policy(`allow_execmod',`
|
tunable_policy(`allow_execmod',`
|
||||||
@ -1481,7 +1480,7 @@ interface(`userdom_dontaudit_use_sysadm_tty',`
|
|||||||
term_dontaudit_use_unallocated_tty($1)
|
term_dontaudit_use_unallocated_tty($1)
|
||||||
',`
|
',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute sysadm_tty_device_t;
|
type sysadm_tty_device_t;
|
||||||
class chr_file { read write };
|
class chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -186,6 +186,11 @@ ifdef(`targeted_policy',`
|
|||||||
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
|
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`ntp.te',`
|
||||||
|
ntp_stub()
|
||||||
|
corenet_udp_bind_ntp_port(sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`pcmcia.te',`
|
optional_policy(`pcmcia.te',`
|
||||||
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
|
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
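Review bot: `corenet_udp_bind_ntp_port(sysadm_t)` is gated on the ntp module through `ntp_stub()`, but the grant itself is a corenet rule on sysadm_t, so nothing in the block says why the admin domain needs to bind the NTP port — presumably for running ntpdate by hand. A comment such as `# ntpdate run by the admin binds the local NTP port` would tie the rule to the module dependency, and if ntpdate later gets its own domain this block is the obvious place to replace the bind with a domain transition.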