fix several modular build problems
This commit is contained in:
parent
ac9aa26d2e
commit
9fd4b818fc
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logrotate,1.0)
|
||||
policy_module(logrotate,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -148,6 +148,10 @@ optional_policy(`consoletype',`
|
||||
|
||||
')
|
||||
|
||||
optional_policy(`cups',`
|
||||
cups_domtrans(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`hostname',`
|
||||
hostname_exec(logrotate_t)
|
||||
')
|
||||
|
@ -151,6 +151,7 @@ interface(`rpm_read_db',`
|
||||
type rpm_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 rpm_var_lib_t:dir r_dir_perms;
|
||||
allow $1 rpm_var_lib_t:file { getattr read };
|
||||
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
|
||||
@ -169,8 +170,8 @@ interface(`rpm_manage_db',`
|
||||
type rpm_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 rpm_var_lib_t:dir rw_dir_perms;
|
||||
allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
|
||||
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
|
||||
')
|
||||
|
||||
|
@ -22,3 +22,22 @@ interface(`updfstab_domtrans',`
|
||||
allow updfstab_t $1:fifo_file rw_file_perms;
|
||||
allow updfstab_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## updfstab over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`updfstab_dbus_chat',`
|
||||
gen_require(`
|
||||
type updfstab_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 updfstab_t:dbus send_msg;
|
||||
allow updfstab_t $1:dbus send_msg;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(updfstab,1.0.1)
|
||||
policy_module(updfstab,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -100,6 +100,7 @@ optional_policy(`dbus',`
|
||||
|
||||
optional_policy(`hal',`
|
||||
hal_stream_connect(updfstab_t)
|
||||
hal_dbus_chat(updfstab_t)
|
||||
')
|
||||
|
||||
optional_policy(`modutils',`
|
||||
@ -123,8 +124,3 @@ optional_policy(`udev',`
|
||||
ifdef(`TODO',`
|
||||
allow updfstab_t tmpfs_t:dir getattr;
|
||||
')
|
||||
|
||||
optional_policy(`dbus',`
|
||||
allow initrc_t updfstab_t:dbus send_msg;
|
||||
allow updfstab_t initrc_t:dbus send_msg;
|
||||
')
|
||||
|
@ -824,6 +824,44 @@ interface(`dev_dontaudit_rw_cardmgr',`
|
||||
dontaudit $1 cardmgr_dev_t:chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## the PCMCIA card manager device.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_manage_cardmgr',`
|
||||
gen_require(`
|
||||
type device_t, cardmgr_dev_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## the PCMCIA card manager device
|
||||
## with the correct type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_create_cardmgr',`
|
||||
gen_require(`
|
||||
type device_t, cardmgr_dev_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir rw_dir_perms;
|
||||
allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
|
||||
type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the CPU
|
||||
|
@ -1679,6 +1679,22 @@ interface(`fs_write_ramfs_pipe',`
|
||||
allow $1 ramfs_t:fifo_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a named pipe on a ramfs filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_rw_ramfs_pipe',`
|
||||
gen_require(`
|
||||
type ramfs_t;
|
||||
')
|
||||
|
||||
allow $1 ramfs_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write to named socket on a ramfs filesystem.
|
||||
@ -2049,6 +2065,23 @@ interface(`fs_create_tmpfs_data',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write generic tmpfs files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_rw_tmpfs_file',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
fs_search_tmpfs($1)
|
||||
allow $1 tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write character nodes on tmpfs filesystems.
|
||||
|
@ -21,6 +21,15 @@ attribute proc_type;
|
||||
# sysctls
|
||||
attribute sysctl_type;
|
||||
|
||||
role system_r;
|
||||
role sysadm_r;
|
||||
role staff_r;
|
||||
role user_r;
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
role secadm_r;
|
||||
')
|
||||
|
||||
#
|
||||
# kernel_t is the domain of kernel threads.
|
||||
# It is also the target type when checking permissions in the system class.
|
||||
|
@ -703,3 +703,19 @@ interface(`apache_append_squirrelmail_data',`
|
||||
|
||||
allow $1 httpd_squirrelmail_t:file { getattr append };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search system script state directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_search_sys_script_state',`
|
||||
gen_require(`
|
||||
type httpd_sys_script_t;
|
||||
')
|
||||
|
||||
allow $1 httpd_sys_script_t:dir search;
|
||||
')
|
||||
|
@ -97,7 +97,7 @@ interface(`apm_append_log',`
|
||||
#
|
||||
interface(`apm_stream_connect',`
|
||||
gen_require(`
|
||||
type apmd_t;
|
||||
type apmd_t, apmd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
|
@ -1 +1,20 @@
|
||||
## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## avahi over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`avahi_dbus_chat',`
|
||||
gen_require(`
|
||||
type avahi_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 avahi_t:dbus send_msg;
|
||||
allow avahi_t $1:dbus send_msg;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(avahi,1.0.1)
|
||||
policy_module(avahi,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -90,10 +90,6 @@ optional_policy(`dbus',`
|
||||
dbus_system_bus_client_template(avahi,avahi_t)
|
||||
dbus_connect_system_bus(avahi_t)
|
||||
dbus_send_system_bus_msg(avahi_t)
|
||||
|
||||
# FIXME:
|
||||
allow avahi_t unconfined_t:dbus send_msg;
|
||||
allow unconfined_t avahi_t:dbus send_msg;
|
||||
')
|
||||
|
||||
optional_policy(`nis',`
|
||||
@ -107,4 +103,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(avahi_t)
|
||||
')
|
||||
|
||||
|
@ -289,9 +289,9 @@ optional_policy(`networkmanager',`
|
||||
')
|
||||
|
||||
# optional_policy(`dbus',`
|
||||
# gen_require(`
|
||||
# class dbus send_msg;
|
||||
# ')
|
||||
gen_require(`
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow NetworkManager_t named_t:dbus send_msg;
|
||||
allow named_t NetworkManager_t:dbus send_msg;
|
||||
|
@ -1,5 +1,26 @@
|
||||
## <summary>Common UNIX printing system</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute cups in the cups domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`cups_domtrans',`
|
||||
gen_require(`
|
||||
type cupsd_t, cupsd_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,cupsd_exec_t,cupsd_t)
|
||||
|
||||
allow $1 cupsd_t:fd use;
|
||||
allow cupsd_t $1:fd use;
|
||||
allow cupsd_t $1:fifo_file rw_file_perms;
|
||||
allow cupsd_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute cups_config in the cups_config domain.
|
||||
@ -21,6 +42,42 @@ interface(`cups_domtrans_config',`
|
||||
allow cupsd_config_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to the cups
|
||||
## configuration daemon.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cups_signal_config',`
|
||||
gen_require(`
|
||||
type cupsd_config_t;
|
||||
')
|
||||
|
||||
allow $1 cupsd_config_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## cupsd_config over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cups_dbus_chat_config',`
|
||||
gen_require(`
|
||||
type cupsd_config_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 cupsd_config_t:dbus send_msg;
|
||||
allow cupsd_config_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read cups-writable configuration files.
|
||||
@ -38,3 +95,39 @@ interface(`cups_read_rw_config',`
|
||||
allow $1 cupsd_etc_t:dir search_dir_perms;
|
||||
allow $1 cupsd_rw_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read cups log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cups_read_log',`
|
||||
gen_require(`
|
||||
type cupsd_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 cupsd_log_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to ptal over an unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cups_stream_connect_ptal',`
|
||||
gen_require(`
|
||||
type ptal_t, ptal_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 ptal_var_run_t:dir search;
|
||||
allow $1 ptal_var_run_t:sock_file write;
|
||||
allow $1 ptal_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.0)
|
||||
policy_module(cups,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -149,6 +149,7 @@ fs_search_auto_mountpoints(cupsd_t)
|
||||
term_dontaudit_use_console(cupsd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(cupsd_t)
|
||||
auth_dontaudit_read_pam_pid(cupsd_t)
|
||||
|
||||
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
|
||||
corecmd_exec_shell(cupsd_t)
|
||||
@ -187,7 +188,7 @@ seutil_dontaudit_read_config(cupsd_t)
|
||||
sysnet_read_config(cupsd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(cupsd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(cupsd_t)
|
||||
userdom_dontaudit_search_all_users_home(cupsd_t)
|
||||
|
||||
# Write to /var/spool/cups.
|
||||
lpd_manage_spool(cupsd_t)
|
||||
@ -198,17 +199,30 @@ ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_file(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_use_fd(cupsd_t)
|
||||
cron_read_pipe(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`dbus',`
|
||||
dbus_system_bus_client_template(cupsd,cupsd_t)
|
||||
dbus_send_system_bus_msg(cupsd_t)
|
||||
|
||||
allow cupsd_t userdomain:dbus send_msg;
|
||||
userdom_dbus_send_all_users(cupsd_t)
|
||||
|
||||
optional_policy(`hal',`
|
||||
hal_dbus_chat(cupsd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`hostname',`
|
||||
hostname_exec(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`inetd',`
|
||||
inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount',`
|
||||
mount_send_nfs_client_request(cupsd_t)
|
||||
')
|
||||
@ -217,6 +231,15 @@ optional_policy(`nscd',`
|
||||
nscd_use_socket(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`portmap',`
|
||||
portmap_udp_sendrecv(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`samba',`
|
||||
samba_rw_var_files(cupsd_t)
|
||||
# cjp: rw_dir_perms was here, but doesnt make sense
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil',`
|
||||
seutil_sigchld_newrole(cupsd_t)
|
||||
')
|
||||
@ -241,56 +264,18 @@ allow cupsd_t devpts_t:dir search;
|
||||
dontaudit cupsd_t random_device_t:chr_file ioctl;
|
||||
|
||||
# temporary solution, we need something better
|
||||
allow cupsd_t serial_device:chr_file rw_file_perms;
|
||||
|
||||
optional_policy(`logrotate',`
|
||||
domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`inetd',`
|
||||
domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
|
||||
')
|
||||
#allow cupsd_t serial_device:chr_file rw_file_perms;
|
||||
|
||||
# for /etc/printcap
|
||||
dontaudit cupsd_t etc_t:file write;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Send to portmap.
|
||||
optional_policy(`portmap', `
|
||||
allow cupsd_t portmap_t:udp_socket sendto;
|
||||
allow portmap_t cupsd_t:udp_socket recvfrom;
|
||||
allow portmap_t cupsd_t:udp_socket sendto;
|
||||
allow cupsd_t portmap_t:udp_socket recvfrom;
|
||||
')
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#
|
||||
# Satisfy readahead
|
||||
#
|
||||
allow initrc_t cupsd_log_t:file { getattr read };
|
||||
allow cupsd_t var_t:dir { getattr read search };
|
||||
allow cupsd_t var_t:file r_file_perms;
|
||||
allow cupsd_t var_t:lnk_file { getattr read };
|
||||
|
||||
optional_policy(`samba',`
|
||||
# cjp: rw_dir_perms here doesnt make sense
|
||||
allow cupsd_t samba_var_t:dir rw_dir_perms;
|
||||
allow cupsd_t samba_var_t:file rw_file_perms;
|
||||
allow cupsd_t samba_var_t:lnk_file { getattr read };
|
||||
allow smbd_t cupsd_etc_t:dir search;
|
||||
')
|
||||
|
||||
optional_policy(`authlogin',`
|
||||
dontaudit cupsd_t pam_var_run_t:file { getattr read };
|
||||
')
|
||||
dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
|
||||
|
||||
########################################
|
||||
#
|
||||
# PTAL local policy
|
||||
@ -358,7 +343,7 @@ miscfiles_read_localization(ptal_t)
|
||||
sysnet_read_config(ptal_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(ptal_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(ptal_t)
|
||||
userdom_dontaudit_search_all_users_home(ptal_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(ptal_t)
|
||||
@ -374,14 +359,8 @@ optional_policy(`udev',`
|
||||
udev_read_db(ptal_t)
|
||||
')
|
||||
|
||||
allow userdomain ptal_t:unix_stream_socket connectto;
|
||||
allow userdomain ptal_var_run_t:sock_file write;
|
||||
allow userdomain ptal_var_run_t:dir search;
|
||||
|
||||
allow initrc_t printer_device_t:chr_file getattr;
|
||||
|
||||
dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
|
||||
|
||||
allow initrc_t ptal_var_run_t:dir rmdir;
|
||||
allow initrc_t ptal_var_run_t:fifo_file unlink;
|
||||
|
||||
@ -555,6 +534,8 @@ corecmd_exec_sbin(cupsd_config_t)
|
||||
corecmd_exec_shell(cupsd_config_t)
|
||||
|
||||
domain_use_wide_inherit_fd(cupsd_config_t)
|
||||
# killall causes the following
|
||||
domain_dontaudit_search_all_domains_state(cupsd_config_t)
|
||||
|
||||
files_read_usr_files(cupsd_config_t)
|
||||
files_read_etc_files(cupsd_config_t)
|
||||
@ -577,12 +558,35 @@ sysnet_read_config(cupsd_config_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
init_getattr_script_entry_file(cupsd_config_t)
|
||||
|
||||
optional_policy(`rpm',`
|
||||
rpm_read_db(cupsd_config_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(cupsd_config_t)
|
||||
term_dontaudit_use_generic_pty(cupsd_config_t)
|
||||
files_dontaudit_read_root_file(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_use_system_job_fd(cupsd_config_t)
|
||||
cron_read_pipe(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`dbus',`
|
||||
dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
|
||||
dbus_connect_system_bus(cupsd_config_t)
|
||||
dbus_send_system_bus_msg(cupsd_config_t)
|
||||
|
||||
optional_policy(`hal',`
|
||||
hal_dbus_chat(cupsd_config_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`hal',`
|
||||
hal_domtrans(cupsd_config_t)
|
||||
')
|
||||
@ -603,6 +607,10 @@ optional_policy(`nscd',`
|
||||
nscd_use_socket(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm',`
|
||||
rpm_read_db(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil',`
|
||||
seutil_sigchld_newrole(cupsd_config_t)
|
||||
')
|
||||
@ -611,49 +619,10 @@ optional_policy(`udev',`
|
||||
udev_read_db(cupsd_config_t)
|
||||
')
|
||||
|
||||
allow cupsd_config_t devpts_t:dir search;
|
||||
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
optional_policy(`rpm',`
|
||||
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
|
||||
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
|
||||
')
|
||||
allow cupsd_config_t initrc_exec_t:file getattr;
|
||||
')
|
||||
|
||||
allow cupsd_config_t var_t:lnk_file read;
|
||||
|
||||
optional_policy(`dbus',`
|
||||
dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
|
||||
dbus_connect_system_bus(cupsd_config_t)
|
||||
dbus_send_system_bus_msg(cupsd_config_t)
|
||||
|
||||
allow cupsd_config_t userdomain:dbus send_msg;
|
||||
allow userdomain cupsd_config_t:dbus send_msg;
|
||||
')
|
||||
|
||||
optional_policy(`hal', `
|
||||
optional_policy(`dbus',`
|
||||
allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
|
||||
allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
|
||||
')
|
||||
|
||||
allow hald_t cupsd_config_t:process signal;
|
||||
')
|
||||
|
||||
# killall causes the following
|
||||
dontaudit cupsd_config_t domain:dir { getattr search };
|
||||
|
||||
allow cupsd_config_t var_lib_t:dir { getattr search };
|
||||
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
|
||||
allow cupsd_config_t printconf_t:file { getattr read };
|
||||
|
||||
allow cupsd_config_t system_crond_t:fd use;
|
||||
allow cupsd_config_t crond_t:fifo_file r_file_perms;
|
||||
allow cupsd_t crond_t:fifo_file read;
|
||||
allow cupsd_t crond_t:fd use;
|
||||
|
||||
# Alternatives asks for this
|
||||
allow cupsd_config_t initrc_exec_t:file getattr;
|
||||
|
||||
@ -664,6 +633,7 @@ ifdef(`targeted_policy', `
|
||||
allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
|
||||
allow unconfined_t cupsd_config_t:dbus send_msg;
|
||||
allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
|
||||
term_use_generic_pty(cupsd_config_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -100,6 +100,9 @@ miscfiles_read_localization(fingerd_t)
|
||||
userdom_read_unpriv_user_home_files(fingerd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(fingerd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
|
||||
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
|
||||
# have to change this when we create a type for Maildir
|
||||
userdom_dontaudit_search_user_home_dirs(fingerd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(fingerd_t)
|
||||
@ -130,7 +133,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(fingerd_t)
|
||||
')
|
||||
|
||||
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
|
||||
# have to change this when we create a type for Maildir
|
||||
dontaudit fingerd_t user_home_t:dir search;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.0.1)
|
||||
policy_module(hal,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -134,6 +134,7 @@ optional_policy(`apm',`
|
||||
|
||||
optional_policy(`cups',`
|
||||
cups_domtrans_config(hald_t)
|
||||
cups_signal_config(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`dbus',`
|
||||
@ -187,21 +188,4 @@ optional_policy(`updfstab',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow hald_t device_t:dir create_dir_perms;
|
||||
|
||||
optional_policy(`hald',`
|
||||
allow udev_t hald_t:unix_dgram_socket sendto;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
allow unconfined_t hald_t:dbus send_msg;
|
||||
allow hald_t unconfined_t:dbus send_msg;
|
||||
')
|
||||
|
||||
optional_policy(`updfstab',`
|
||||
allow updfstab_t hald_t:dbus send_msg;
|
||||
allow hald_t updfstab_t:dbus send_msg;
|
||||
')
|
||||
|
||||
allow hald_t initrc_t:dbus send_msg;
|
||||
allow initrc_t hald_t:dbus send_msg;
|
||||
|
@ -51,9 +51,7 @@ optional_policy(`apache',`
|
||||
apache_sigchld(mailman_cgi_t)
|
||||
apache_use_fd(mailman_cgi_t)
|
||||
apache_dontaudit_append_log(mailman_cgi_t)
|
||||
|
||||
# FIXME:
|
||||
allow mailman_cgi_t httpd_sys_script_t:dir search;
|
||||
apache_search_sys_script_state(mailman_cgi_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -36,6 +36,11 @@ interface(`mta_stub',`
|
||||
#
|
||||
template(`mta_base_mail_template',`
|
||||
|
||||
gen_require(`
|
||||
attribute user_mail_domain;
|
||||
type sendmail_exec_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# $1_mail_t declarations
|
||||
@ -45,12 +50,8 @@ template(`mta_base_mail_template',`
|
||||
domain_type($1_mail_t)
|
||||
domain_entry_file($1_mail_t,sendmail_exec_t)
|
||||
|
||||
optional_policy(`sendmail',`
|
||||
type $1_mail_tmp_t;
|
||||
files_tmp_file($1_mail_tmp_t)
|
||||
|
||||
sendmail_stub($1_mail_t)
|
||||
')
|
||||
type $1_mail_tmp_t;
|
||||
files_tmp_file($1_mail_tmp_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
@ -107,6 +108,10 @@ template(`mta_base_mail_template',`
|
||||
')
|
||||
|
||||
optional_policy(`sendmail',`
|
||||
gen_require(`
|
||||
type etc_mail_t, mail_spool_t, mqueue_spool_t;
|
||||
')
|
||||
|
||||
allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
|
||||
allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir })
|
||||
@ -166,7 +171,8 @@ template(`mta_base_mail_template',`
|
||||
#
|
||||
template(`mta_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute mailserver_domain, mta_user_agent, user_mail_domain;
|
||||
attribute mailserver_domain, mta_user_agent;
|
||||
attribute mailserver_delivery, user_mail_domain;
|
||||
type sendmail_exec_t;
|
||||
')
|
||||
|
||||
|
@ -6,8 +6,7 @@ policy_module(procmail,1.0.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# privhome only works until we define a different type for maildir
|
||||
type procmail_t, privhome;
|
||||
type procmail_t;
|
||||
type procmail_exec_t;
|
||||
domain_type(procmail_t)
|
||||
domain_entry_file(procmail_t,procmail_exec_t)
|
||||
@ -61,6 +60,7 @@ libs_use_shared_libs(procmail_t)
|
||||
|
||||
miscfiles_read_localization(procmail_t)
|
||||
|
||||
# only works until we define a different type for maildir
|
||||
userdom_priveleged_home_dir_manager(procmail_t)
|
||||
# Do not audit attempts to access /root.
|
||||
userdom_dontaudit_search_sysadm_home_dir(procmail_t)
|
||||
|
@ -10,7 +10,7 @@
|
||||
#
|
||||
interface(`radius_use',`
|
||||
gen_require(`
|
||||
type radius_t;
|
||||
type radiusd_t;
|
||||
')
|
||||
|
||||
allow $1 radiusd_t:udp_socket sendto;
|
||||
|
@ -213,6 +213,25 @@ interface(`samba_search_var',`
|
||||
allow $1 samba_var_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to
|
||||
## read and write samba /var files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_rw_var_files',`
|
||||
gen_require(`
|
||||
type samba_var_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 samba_var_t:dir search_dir_perms;
|
||||
allow $1 samba_var_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to write to smbmount tcp sockets.
|
||||
|
@ -559,8 +559,6 @@ interface(`auth_exec_pam',`
|
||||
interface(`auth_read_pam_pid',`
|
||||
gen_require(`
|
||||
type pam_var_run_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
@ -569,6 +567,22 @@ interface(`auth_read_pam_pid',`
|
||||
allow $1 pam_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attemps to read PAM pid files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_dontaudit_read_pam_pid',`
|
||||
gen_require(`
|
||||
type pam_var_run_t;
|
||||
')
|
||||
|
||||
dontaudit $1 pam_var_run_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete pam PID files.
|
||||
|
@ -471,6 +471,7 @@ interface(`domain_kill_all_domains',`
|
||||
allow $1 domain:process sigkill;
|
||||
allow $1 self:capability kill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the process state directory (/proc/pid) of all domains.
|
||||
@ -489,6 +490,23 @@ interface(`domain_search_all_domains_state',`
|
||||
allow $1 domain:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the process
|
||||
## state directory (/proc/pid) of all domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_search_all_domains_state',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
')
|
||||
|
||||
dontaudit $1 domain:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the process state (/proc/pid) of all domains.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(fstools,1.0)
|
||||
policy_module(fstools,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -72,6 +72,8 @@ dev_getattr_usbfs_dir(fsadm_t)
|
||||
|
||||
fs_search_auto_mountpoints(fsadm_t)
|
||||
fs_getattr_xattr_fs(fsadm_t)
|
||||
fs_rw_ramfs_pipe(fsadm_t)
|
||||
fs_rw_tmpfs_file(fsadm_t)
|
||||
# remount file system to apply changes
|
||||
fs_remount_xattr_fs(fsadm_t)
|
||||
# for /dev/shm
|
||||
@ -155,10 +157,3 @@ optional_policy(`cron',`
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind(fsadm_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
|
||||
') dnl end TODO
|
||||
|
||||
allow fsadm_t tmpfs_t:file { read write };
|
||||
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
|
||||
|
@ -475,6 +475,23 @@ interface(`init_dontaudit_unix_connect_script',`
|
||||
dontaudit $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attribute of init script entrypoint files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_getattr_script_entry_file',`
|
||||
gen_require(`
|
||||
type initrc_exec_t;
|
||||
')
|
||||
|
||||
files_list_etc($1)
|
||||
allow $1 initrc_exec_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read init scripts.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.0.1)
|
||||
policy_module(init,1.0.2)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -494,6 +494,10 @@ optional_policy(`cpucontrol',`
|
||||
dev_getattr_cpu(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`cups',`
|
||||
cups_read_log(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`dbus',`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_send_system_bus_msg(initrc_t)
|
||||
@ -502,6 +506,10 @@ optional_policy(`dbus',`
|
||||
optional_policy(`networkmanager',`
|
||||
networkmanager_dbus_chat(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`updfstab',`
|
||||
updfstab_dbus_chat(initrc_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`ftp',`
|
||||
|
@ -1,6 +1,10 @@
|
||||
|
||||
policy_module(modutils,1.0)
|
||||
|
||||
gen_require(`
|
||||
bool secure_mode_insmod;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
|
@ -55,6 +55,8 @@ kernel_dontaudit_getattr_message_if(cardmgr_t)
|
||||
bootloader_search_kernel_modules(cardmgr_t)
|
||||
|
||||
dev_read_sysfs(cardmgr_t)
|
||||
dev_manage_cardmgr(cardmgr_t)
|
||||
dev_create_cardmgr(cardmgr_t)
|
||||
dev_getattr_all_chr_files(cardmgr_t)
|
||||
dev_getattr_all_blk_files(cardmgr_t)
|
||||
# for SSP
|
||||
@ -149,6 +151,5 @@ optional_policy(`udev',`
|
||||
|
||||
# Create device files in /tmp.
|
||||
# cjp: why is this created all over the place?
|
||||
allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
|
||||
allow cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:dir rw_dir_perms;
|
||||
type_transition cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
|
||||
allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
|
||||
type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
|
||||
|
@ -13,6 +13,18 @@ gen_require(`
|
||||
attribute can_write_binary_policy;
|
||||
attribute can_relabelto_binary_policy;
|
||||
|
||||
#
|
||||
# selinux_config_t is the type applied to
|
||||
# /etc/selinux/config
|
||||
#
|
||||
# cjp: this is out of order due to rules
|
||||
# in the domain_type interface
|
||||
# (fix dup decl)
|
||||
type selinux_config_t;
|
||||
files_type(selinux_config_t)
|
||||
kernel_list_from(selinux_config_t)
|
||||
kernel_read_file_from(selinux_config_t)
|
||||
|
||||
type checkpolicy_t, can_write_binary_policy;
|
||||
domain_type(checkpolicy_t)
|
||||
role system_r types checkpolicy_t;
|
||||
@ -81,15 +93,6 @@ domain_type(run_init_t)
|
||||
type run_init_exec_t;
|
||||
domain_entry_file(run_init_t,run_init_exec_t)
|
||||
|
||||
#
|
||||
# selinux_config_t is the type applied to
|
||||
# /etc/selinux/config
|
||||
#
|
||||
type selinux_config_t;
|
||||
files_type(selinux_config_t)
|
||||
kernel_list_from(selinux_config_t)
|
||||
kernel_read_file_from(selinux_config_t)
|
||||
|
||||
type setfiles_t, can_relabelto_binary_policy;
|
||||
domain_obj_id_change_exempt(setfiles_t)
|
||||
domain_type(setfiles_t)
|
||||
|
@ -173,8 +173,12 @@ optional_policy(`dbus',`
|
||||
|
||||
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
|
||||
|
||||
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
|
||||
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
|
||||
allow initrc_t dhcpc_t:dbus send_msg;
|
||||
allow dhcpc_t initrc_t:dbus send_msg;
|
||||
|
||||
optional_policy(`networkmanager',`
|
||||
networkmanager_dbus_chat(dhcpc_t)
|
||||
')
|
||||
|
||||
ifdef(`unconfined.te', `
|
||||
allow unconfined_t dhcpc_t:dbus send_msg;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(udev,1.0)
|
||||
policy_module(udev,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -176,6 +176,10 @@ optional_policy(`dbus',`
|
||||
dbus_system_bus_client_template(udev,udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`hal',`
|
||||
hal_dgram_sendto(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug',`
|
||||
hotplug_read_config(udev_t)
|
||||
')
|
||||
@ -192,8 +196,8 @@ optional_policy(`sysnetwork',`
|
||||
sysnet_domtrans_dhcpc(udev_t)
|
||||
')
|
||||
|
||||
#optional_policy(`xserver',`
|
||||
# xserver_read_xdm_pid(udev_t)
|
||||
#optional_policy(`xdm',`
|
||||
# xdm_read_pid(udev_t)
|
||||
#')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined,1.0.2)
|
||||
policy_module(unconfined,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -60,6 +60,14 @@ ifdef(`targeted_policy',`
|
||||
optional_policy(`dbus',`
|
||||
dbus_stub(unconfined_t)
|
||||
|
||||
optional_policy(`avahi',`
|
||||
avahi_dbus_chat(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`hal',`
|
||||
hal_dbus_chat(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`networkmanager',`
|
||||
networkmanager_dbus_chat(unconfined_t)
|
||||
')
|
||||
|
@ -322,9 +322,17 @@ template(`base_user_template',`
|
||||
canna_stream_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`cups',`
|
||||
cups_stream_connect_ptal($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`dbus',`
|
||||
dbus_system_bus_client_template($1,$1_t)
|
||||
|
||||
optional_policy(`cups',`
|
||||
cups_dbus_chat_config($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`hal',`
|
||||
hal_dbus_chat($1_t)
|
||||
')
|
||||
@ -2569,7 +2577,7 @@ interface(`userdom_signal_all_users',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_sigcld_all_users',`
|
||||
interface(`userdom_sigchld_all_users',`
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
')
|
||||
@ -2577,6 +2585,23 @@ interface(`userdom_sigcld_all_users',`
|
||||
allow $1 userdomain:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dbus_send_all_users',`
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to user domains.
|
||||
|
Loading…
Reference in New Issue
Block a user