more fix
This commit is contained in:
Chris PeBenito
parent
0354e306b7
commit
9bbc757a76
@ -105,7 +105,7 @@ allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
|
||||
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
|
||||
|
||||
allow amanda_t amanda_log_t:file create_file_perms;
|
||||
allow amanda_t amanda_log_t:dir rw_dir_perms;
|
||||
allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
|
||||
logging_create_log(amanda_t,amanda_log_t,{ file dir })
|
||||
|
||||
allow amanda_t amanda_tmp_t:dir create_dir_perms;
|
||||
|
||||
@ -17,8 +17,8 @@ domain_obj_id_change_exempt(firstboot_t)
|
||||
domain_subj_id_change_exempt(firstboot_t)
|
||||
role system_r types firstboot_t;
|
||||
|
||||
type firstboot_etc_t; #, usercanread;
|
||||
files_type(firstboot_etc_t)
|
||||
type firstboot_etc_t;
|
||||
files_config_file(firstboot_etc_t)
|
||||
|
||||
type firstboot_rw_t;
|
||||
files_type(firstboot_rw_t)
|
||||
|
||||
@ -24,8 +24,8 @@ role system_r types crack_t;
|
||||
type crack_exec_t;
|
||||
domain_entry_file(crack_t,crack_exec_t)
|
||||
|
||||
type crack_db_t; #, usercanread;
|
||||
files_type(crack_db_t)
|
||||
type crack_db_t;
|
||||
files_config_file(crack_db_t)
|
||||
|
||||
type crack_tmp_t;
|
||||
files_tmp_file(crack_tmp_t)
|
||||
|
||||
@ -11,8 +11,8 @@ domain_type(webalizer_t)
|
||||
domain_entry_file(webalizer_t,webalizer_exec_t)
|
||||
role system_r types webalizer_t;
|
||||
|
||||
type webalizer_etc_t; #, usercanread;
|
||||
files_type(webalizer_etc_t)
|
||||
type webalizer_etc_t;
|
||||
files_config_file(webalizer_etc_t)
|
||||
|
||||
type webalizer_usage_t;
|
||||
files_type(webalizer_usage_t)
|
||||
|
||||
@ -148,7 +148,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
||||
#
|
||||
type removable_t, filesystem_type, noxattrfs;
|
||||
allow removable_t noxattrfs:filesystem associate;
|
||||
files_type(removable_t)
|
||||
files_config_file(removable_t)
|
||||
|
||||
#
|
||||
# nfs_t is the default type for NFS file systems
|
||||
|
||||
@ -62,6 +62,12 @@ allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
|
||||
allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
|
||||
type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
|
||||
|
||||
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
|
||||
allow bluetooth_t bluetooth_helper_t:fd use;
|
||||
allow bluetooth_helper_t bluetooth_t:fd use;
|
||||
allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
|
||||
allow bluetooth_helper_t bluetooth_t:process sigchld;
|
||||
|
||||
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
|
||||
files_create_lock(bluetooth_t,bluetooth_lock_t)
|
||||
|
||||
@ -195,6 +201,8 @@ files_dontaudit_list_default(bluetooth_helper_t)
|
||||
libs_use_ld_so(bluetooth_helper_t)
|
||||
libs_use_shared_libs(bluetooth_helper_t)
|
||||
|
||||
logging_send_syslog_msg(bluetooth_helper_t)
|
||||
|
||||
miscfiles_read_localization(bluetooth_helper_t)
|
||||
miscfiles_read_fonts(bluetooth_helper_t)
|
||||
|
||||
@ -203,7 +211,6 @@ optional_policy(`nscd.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
|
||||
|
||||
# a "run" interface needs to be
|
||||
# added, and have sysadm_t use it
|
||||
|
||||
@ -25,7 +25,7 @@ files_pid_file(canna_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow canna_t self:capability { setgid setuid };
|
||||
allow canna_t self:capability { setgid setuid net_bind_service };
|
||||
dontaudit canna_t self:capability sys_tty_config;
|
||||
allow canna_t self:process signal_perms;
|
||||
allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
|
||||
|
||||
@ -209,7 +209,16 @@ allow crond_t user_home_dir_type:dir r_dir_perms;
|
||||
#
|
||||
# System cron process domain
|
||||
#
|
||||
ifdef(`targeted_policy',`',`
|
||||
|
||||
optional_policy(`squid.te',`
|
||||
# cjp: why?
|
||||
squid_domtrans(system_crond_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# cjp: fix:
|
||||
allow crond_t unconfined_t:process transition;
|
||||
',`
|
||||
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
|
||||
allow system_crond_t self:process { signal_perms setsched };
|
||||
allow system_crond_t self:fifo_file rw_file_perms;
|
||||
@ -370,11 +379,6 @@ ifdef(`targeted_policy',`',`
|
||||
#samba_read_secrets(system_crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`squid.te',`
|
||||
# cjp: why?
|
||||
squid_domtrans(system_crond_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit userdomain system_crond_t:fd use;
|
||||
|
||||
|
||||
@ -21,11 +21,11 @@ gen_require(`
|
||||
')
|
||||
init_daemon_domain(cupsd_t,cupsd_exec_t)
|
||||
|
||||
type cupsd_etc_t; #, usercanread;
|
||||
files_type(cupsd_etc_t)
|
||||
type cupsd_etc_t;
|
||||
files_config_file(cupsd_etc_t)
|
||||
|
||||
type cupsd_rw_etc_t; #, usercanread;
|
||||
files_type(cupsd_rw_etc_t)
|
||||
type cupsd_rw_etc_t;
|
||||
files_config_file(cupsd_rw_etc_t)
|
||||
|
||||
type cupsd_log_t;
|
||||
logging_log_file(cupsd_log_t)
|
||||
@ -51,8 +51,8 @@ type hplip_t;
|
||||
type hplip_exec_t;
|
||||
init_daemon_domain(hplip_t,hplip_exec_t)
|
||||
|
||||
type hplip_etc_t; #, usercanread;
|
||||
files_type(hplip_etc_t)
|
||||
type hplip_etc_t;
|
||||
files_config_file(hplip_etc_t)
|
||||
|
||||
type hplip_var_run_t;
|
||||
files_pid_file(hplip_var_run_t)
|
||||
@ -61,8 +61,8 @@ type ptal_t;
|
||||
type ptal_exec_t;
|
||||
init_daemon_domain(ptal_t,ptal_exec_t)
|
||||
|
||||
type ptal_etc_t; #, usercanread;
|
||||
files_type(ptal_etc_t)
|
||||
type ptal_etc_t;
|
||||
files_config_file(ptal_etc_t)
|
||||
|
||||
type ptal_var_run_t;
|
||||
files_pid_file(ptal_var_run_t)
|
||||
@ -74,8 +74,8 @@ files_pid_file(ptal_var_run_t)
|
||||
|
||||
# /usr/lib/cups/backend/serial needs sys_admin(?!)
|
||||
allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
|
||||
dontaudit cupsd_t self:capability net_admin;
|
||||
allow cupsd_t self:process setsched;
|
||||
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
|
||||
allow cupsd_t self:process { setsched signal_perms };
|
||||
allow cupsd_t self:fifo_file rw_file_perms;
|
||||
allow cupsd_t self:unix_stream_socket create_socket_perms;
|
||||
allow cupsd_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -85,7 +85,7 @@ allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom
|
||||
allow cupsd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow cupsd_t cupsd_etc_t:file { r_file_perms setattr };
|
||||
allow cupsd_t cupsd_etc_t:dir { r_dir_perms setattr };
|
||||
allow cupsd_t cupsd_etc_t:dir { rw_dir_perms setattr };
|
||||
allow cupsd_t cupsd_etc_t:lnk_file { getattr read };
|
||||
files_search_etc(cupsd_t)
|
||||
|
||||
@ -100,7 +100,7 @@ allow cupsd_t cupsd_exec_t:dir search;
|
||||
allow cupsd_t cupsd_exec_t:lnk_file read;
|
||||
|
||||
allow cupsd_t cupsd_log_t:file create_file_perms;
|
||||
allow cupsd_t cupsd_log_t:dir rw_dir_perms;
|
||||
allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
|
||||
logging_create_log(cupsd_t,cupsd_log_t,{ file dir })
|
||||
|
||||
allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
|
||||
@ -232,13 +232,11 @@ allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
|
||||
allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
|
||||
allow cupsd_t kernel_t:tcp_socket recvfrom;
|
||||
allow web_client_domain kernel_t:tcp_socket recvfrom;
|
||||
|
||||
allow cupsd_t usercanread:dir { getattr read search };
|
||||
allow cupsd_t usercanread:file { read getattr };
|
||||
allow cupsd_t usercanread:lnk_file { getattr read };
|
||||
') dnl end TODO
|
||||
|
||||
|
||||
allow cupsd_t usercanread:dir r_dir_perms;
|
||||
allow cupsd_t usercanread:file r_file_perms;
|
||||
allow cupsd_t usercanread:lnk_file { getattr read };
|
||||
|
||||
allow cupsd_t devpts_t:dir search;
|
||||
|
||||
@ -279,7 +277,7 @@ allow cupsd_t portmap_t:udp_socket recvfrom;
|
||||
#
|
||||
allow initrc_t cupsd_log_t:file { getattr read };
|
||||
allow cupsd_t var_t:dir { getattr read search };
|
||||
allow cupsd_t var_t:file { read getattr };
|
||||
allow cupsd_t var_t:file r_file_perms;
|
||||
allow cupsd_t var_t:lnk_file { getattr read };
|
||||
|
||||
optional_policy(`samba.te', `
|
||||
@ -506,6 +504,7 @@ allow hplip_t devpts_t:chr_file { getattr ioctl };
|
||||
#
|
||||
|
||||
allow cupsd_config_t self:capability { chown sys_tty_config };
|
||||
allow cupsd_config_t self:process signal_perms;
|
||||
allow cupsd_config_t self:fifo_file rw_file_perms;
|
||||
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
|
||||
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -699,8 +698,8 @@ optional_policy(`kerberos.te',`
|
||||
')
|
||||
#end for identd
|
||||
|
||||
allow cupsd_lpd_t cupsd_etc_t:dir { getattr read search };
|
||||
allow cupsd_lpd_t cupsd_etc_t:file { read getattr };
|
||||
allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
|
||||
allow cupsd_lpd_t cupsd_etc_t:file r_file_perms;
|
||||
allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
|
||||
@ -711,7 +710,7 @@ allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
|
||||
allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(cupsd_lpd_t,cupsd_lpd_var_run_t)
|
||||
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:dir { getattr read search };
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:file { read getattr };
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
|
||||
|
||||
|
||||
@ -10,8 +10,8 @@ type dictd_t;
|
||||
type dictd_exec_t;
|
||||
init_daemon_domain(dictd_t,dictd_exec_t)
|
||||
|
||||
type dictd_etc_t; #, usercanread;
|
||||
files_type(dictd_etc_t)
|
||||
type dictd_etc_t;
|
||||
files_config_file(dictd_etc_t)
|
||||
|
||||
type dictd_var_lib_t alias var_lib_dictd_t;
|
||||
files_type(dictd_var_lib_t)
|
||||
|
||||
@ -12,8 +12,8 @@ init_daemon_domain(dovecot_t,dovecot_exec_t)
|
||||
type dovecot_cert_t;
|
||||
files_type(dovecot_cert_t)
|
||||
|
||||
type dovecot_etc_t; #, usercanread;
|
||||
files_type(dovecot_etc_t)
|
||||
type dovecot_etc_t;
|
||||
files_config_file(dovecot_etc_t)
|
||||
|
||||
type dovecot_passwd_t;
|
||||
files_type(dovecot_passwd_t)
|
||||
|
||||
@ -10,8 +10,8 @@ type fingerd_exec_t;
|
||||
init_daemon_domain(fingerd_t,fingerd_exec_t)
|
||||
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
|
||||
|
||||
type fingerd_etc_t; #, usercanread;
|
||||
files_type(fingerd_etc_t)
|
||||
type fingerd_etc_t;
|
||||
files_config_file(fingerd_etc_t)
|
||||
|
||||
type fingerd_log_t;
|
||||
logging_log_file(fingerd_log_t)
|
||||
|
||||
@ -11,7 +11,7 @@ type ftpd_exec_t;
|
||||
init_daemon_domain(ftpd_t,ftpd_exec_t)
|
||||
|
||||
type ftpd_etc_t;
|
||||
files_type(ftpd_etc_t)
|
||||
files_config_file(ftpd_etc_t)
|
||||
|
||||
# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
|
||||
type ftpd_lock_t;
|
||||
|
||||
@ -9,8 +9,8 @@ type innd_t;
|
||||
type innd_exec_t;
|
||||
init_daemon_domain(innd_t,innd_exec_t)
|
||||
|
||||
type innd_etc_t; #, usercanread;
|
||||
files_type(innd_etc_t)
|
||||
type innd_etc_t;
|
||||
files_config_file(innd_etc_t)
|
||||
|
||||
type innd_log_t;
|
||||
logging_log_file(innd_log_t)
|
||||
|
||||
@ -13,8 +13,8 @@ init_daemon_domain(slapd_t,slapd_exec_t)
|
||||
type slapd_db_t;
|
||||
files_type(slapd_db_t)
|
||||
|
||||
type slapd_etc_t; #, usercanread;
|
||||
files_type(slapd_etc_t)
|
||||
type slapd_etc_t;
|
||||
files_config_file(slapd_etc_t)
|
||||
|
||||
type slapd_replog_t;
|
||||
files_type(slapd_replog_t)
|
||||
|
||||
@ -521,15 +521,12 @@ interface(`mta_delete_spool',`
|
||||
interface(`mta_manage_spool',`
|
||||
gen_require(`
|
||||
type mail_spool_t;
|
||||
class dir rw_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir rw_dir_perms;
|
||||
allow $1 mail_spool_t:lnk_file { getattr read };
|
||||
allow $1 mail_spool_t:file create_file_perms;
|
||||
allow $1 mail_spool_t:dir manage_dir_perms;
|
||||
allow $1 mail_spool_t:lnk_file create_lnk_perms;
|
||||
allow $1 mail_spool_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
||||
@ -17,7 +17,7 @@ type etc_aliases_t;
|
||||
files_type(etc_aliases_t)
|
||||
|
||||
type etc_mail_t;
|
||||
files_type(etc_mail_t)
|
||||
files_config_file(etc_mail_t)
|
||||
|
||||
type mqueue_spool_t;
|
||||
files_type(mqueue_spool_t)
|
||||
|
||||
@ -17,7 +17,7 @@ type mysqld_db_t;
|
||||
files_type(mysqld_db_t)
|
||||
|
||||
type mysqld_etc_t alias etc_mysqld_t;
|
||||
files_type(mysqld_etc_t)
|
||||
files_config_file(mysqld_etc_t)
|
||||
|
||||
type mysqld_log_t;
|
||||
logging_log_file(mysqld_log_t)
|
||||
|
||||
@ -115,6 +115,28 @@ interface(`nis_use_ypbind',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ypbind in the ypbind domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`nis_domtrans_ypbind',`
|
||||
gen_require(`
|
||||
type ypbind_t, ypbind_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1,ypbind_exec_t,ypbind_t)
|
||||
|
||||
allow $1 ypbind_t:fd use;
|
||||
allow ypbind_t $1:fd use;
|
||||
allow ypbind_t $1:fifo_file rw_file_perms;
|
||||
allow ypbind_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to ypbind.
|
||||
|
||||
@ -12,8 +12,8 @@ init_daemon_domain(postgresql_t,postgresql_exec_t)
|
||||
type postgresql_db_t;
|
||||
files_type(postgresql_db_t)
|
||||
|
||||
type postgresql_etc_t; #, usercanread;
|
||||
files_type(postgresql_etc_t)
|
||||
type postgresql_etc_t;
|
||||
files_config_file(postgresql_etc_t)
|
||||
|
||||
type postgresql_lock_t;
|
||||
files_lock_file(postgresql_lock_t)
|
||||
|
||||
@ -16,8 +16,8 @@ type pppd_devpts_t;
|
||||
term_pty(pppd_devpts_t)
|
||||
|
||||
# Define a separate type for /etc/ppp
|
||||
type pppd_etc_t; #, usercanread;
|
||||
files_type(pppd_etc_t)
|
||||
type pppd_etc_t;
|
||||
files_config_file(pppd_etc_t)
|
||||
|
||||
# Define a separate type for writable files under /etc/ppp
|
||||
type pppd_etc_rw_t;
|
||||
|
||||
@ -10,8 +10,8 @@ type radiusd_t;
|
||||
type radiusd_exec_t;
|
||||
init_daemon_domain(radiusd_t,radiusd_exec_t)
|
||||
|
||||
type radiusd_etc_t; #, usercanread;
|
||||
files_type(radiusd_etc_t)
|
||||
type radiusd_etc_t;
|
||||
files_config_file(radiusd_etc_t)
|
||||
|
||||
type radiusd_log_t;
|
||||
logging_log_file(radiusd_log_t)
|
||||
|
||||
@ -12,8 +12,8 @@ init_daemon_domain(radvd_t,radvd_exec_t)
|
||||
type radvd_var_run_t;
|
||||
files_pid_file(radvd_var_run_t)
|
||||
|
||||
type radvd_etc_t; #, usercanread;
|
||||
files_type(radvd_etc_t)
|
||||
type radvd_etc_t;
|
||||
files_config_file(radvd_etc_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -24,13 +24,13 @@ rpc_domain_template(rpcd)
|
||||
rpc_domain_template(nfsd)
|
||||
|
||||
type nfsd_rw_t;
|
||||
files_type(nfsd_rw_t)
|
||||
files_config_file(nfsd_rw_t)
|
||||
|
||||
type nfsd_ro_t;
|
||||
files_type(nfsd_ro_t)
|
||||
files_config_file(nfsd_ro_t)
|
||||
|
||||
type var_lib_nfs_t;
|
||||
files_type(var_lib_nfs_t)
|
||||
files_config_file(var_lib_nfs_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -13,8 +13,8 @@ init_daemon_domain(nmbd_t,nmbd_exec_t)
|
||||
type nmbd_var_run_t;
|
||||
files_pid_file(nmbd_var_run_t)
|
||||
|
||||
type samba_etc_t; #, usercanread;
|
||||
files_type(samba_etc_t)
|
||||
type samba_etc_t;
|
||||
files_config_file(samba_etc_t)
|
||||
|
||||
type samba_log_t;
|
||||
logging_log_file(samba_log_t)
|
||||
@ -32,8 +32,8 @@ files_tmp_file(samba_net_tmp_t)
|
||||
type samba_secrets_t;
|
||||
files_type(samba_secrets_t)
|
||||
|
||||
type samba_share_t; #, customizable;
|
||||
files_type(samba_share_t)
|
||||
type samba_share_t;
|
||||
files_config_file(samba_share_t)
|
||||
|
||||
type samba_var_t;
|
||||
files_type(samba_var_t)
|
||||
|
||||
@ -9,8 +9,8 @@ type snmpd_t;
|
||||
type snmpd_exec_t;
|
||||
init_daemon_domain(snmpd_t,snmpd_exec_t)
|
||||
|
||||
type snmpd_etc_t; #, usercanread;
|
||||
files_type(snmpd_etc_t)
|
||||
type snmpd_etc_t;
|
||||
files_config_file(snmpd_etc_t)
|
||||
|
||||
type snmpd_log_t;
|
||||
logging_log_file(snmpd_log_t)
|
||||
|
||||
@ -77,6 +77,26 @@ interface(`files_pid_file',`
|
||||
typeattribute $1 pidfile;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type a
|
||||
## configuration file.
|
||||
## </summary>
|
||||
## <param name="file_type">
|
||||
## Type to be used as a configuration file.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_config_file',`
|
||||
gen_require(`
|
||||
attribute usercanread;
|
||||
')
|
||||
|
||||
files_type($1)
|
||||
|
||||
# this is a hack and should be removed.
|
||||
typeattribute $1 usercanread;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type a
|
||||
@ -2947,11 +2967,10 @@ interface(`files_delete_all_pid_dirs',`
|
||||
interface(`files_search_spool',`
|
||||
gen_require(`
|
||||
type var_t, var_spool_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_spool_t:dir search;
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_spool_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -18,6 +18,9 @@ attribute pidfile;
|
||||
# For labeling types that are to be polyinstantiated
|
||||
attribute polydir;
|
||||
|
||||
# this is a hack and should be changed
|
||||
attribute usercanread;
|
||||
|
||||
# And for labeling the parent directories of those polyinstantiated directories
|
||||
# This is necessary for remounting the original in the parent to give
|
||||
# security aware apps access
|
||||
|
||||
@ -17,7 +17,7 @@ domain_wide_inherit_fd(getty_t)
|
||||
|
||||
type getty_etc_t;
|
||||
typealias getty_etc_t alias etc_getty_t;
|
||||
files_type(getty_etc_t)
|
||||
files_config_file(getty_etc_t)
|
||||
|
||||
type getty_lock_t;
|
||||
files_lock_file(getty_lock_t)
|
||||
|
||||
@ -11,8 +11,8 @@ type hotplug_exec_t;
|
||||
kernel_userland_entry(hotplug_t,hotplug_exec_t)
|
||||
init_daemon_domain(hotplug_t,hotplug_exec_t)
|
||||
|
||||
type hotplug_etc_t; #, usercanread;
|
||||
files_type(hotplug_etc_t)
|
||||
type hotplug_etc_t;
|
||||
files_config_file(hotplug_etc_t)
|
||||
kernel_search_from(hotplug_etc_t)
|
||||
domain_entry_file(hotplug_t,hotplug_etc_t)
|
||||
|
||||
|
||||
@ -17,7 +17,7 @@ files_type(cert_t)
|
||||
# files in /usr
|
||||
#
|
||||
type fonts_t;
|
||||
files_type(fonts_t)
|
||||
files_config_file(fonts_t)
|
||||
|
||||
#
|
||||
# type for /usr/share/hwdata
|
||||
|
||||
@ -191,10 +191,11 @@ optional_policy(`rpm.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow depmod_t modules_object_t:file unlink;
|
||||
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
||||
') dnl end ifdef TODO
|
||||
|
||||
allow depmod_t modules_object_t:file unlink;
|
||||
|
||||
#################################
|
||||
#
|
||||
# update-modules local policy
|
||||
|
||||
@ -144,11 +144,13 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Create device files in /tmp.
|
||||
# cjp: why is this created all over the place?
|
||||
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(cardmgr_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
# Create device files in /tmp.
|
||||
# cjp: why is this created all over the place?
|
||||
allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
|
||||
allow cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:dir rw_dir_perms;
|
||||
type_transition cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
|
||||
|
||||
@ -7,9 +7,9 @@ policy_module(sysnetwork,1.0)
|
||||
#
|
||||
|
||||
# this is shared between dhcpc and dhcpd:
|
||||
type dhcp_etc_t; #, usercanread;
|
||||
type dhcp_etc_t;
|
||||
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
|
||||
files_type(dhcp_etc_t)
|
||||
files_config_file(dhcp_etc_t)
|
||||
|
||||
# this is shared between dhcpc and dhcpd:
|
||||
type dhcp_state_t;
|
||||
@ -206,7 +206,7 @@ optional_policy(`nis.te',`
|
||||
nis_signal_ypbind(dhcpc_t)
|
||||
# dhclient sometimes starts ypbind
|
||||
init_exec_script(dhcpc_t)
|
||||
#nis_domtrans_ypbind(dhcpc_t)
|
||||
nis_domtrans_ypbind(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
|
||||
@ -21,7 +21,7 @@ domain_wide_inherit_fd(udev_t)
|
||||
init_daemon_domain(udev_t,udev_exec_t)
|
||||
|
||||
type udev_etc_t alias etc_udev_t;
|
||||
files_type(udev_etc_t)
|
||||
files_config_file(udev_etc_t)
|
||||
|
||||
# udev_runtime_t is the type of the udev table file
|
||||
# cjp: this is probably a copy of udev_tbl_t and can be removed
|
||||
|
||||
Loading…
Reference in New Issue
Block a user