fix several modular build problems

Chris PeBenito 2005-11-29 21:27:15 +00:00
parent ac9aa26d2e
commit 9fd4b818fc
33 changed files with 471 additions and 171 deletions


@ -1,5 +1,5 @@
policy_module(logrotate,1.0) policy_module(logrotate,1.0.1)
######################################## ########################################
# #
@ -148,6 +148,10 @@ optional_policy(`consoletype',`
') ')
optional_policy(`cups',`
cups_domtrans(logrotate_t)
')
optional_policy(`hostname',` optional_policy(`hostname',`
hostname_exec(logrotate_t) hostname_exec(logrotate_t)
') ')


@ -151,6 +151,7 @@ interface(`rpm_read_db',`
type rpm_var_lib_t; type rpm_var_lib_t;
') ')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir r_dir_perms; allow $1 rpm_var_lib_t:dir r_dir_perms;
allow $1 rpm_var_lib_t:file { getattr read }; allow $1 rpm_var_lib_t:file { getattr read };
allow $1 rpm_var_lib_t:lnk_file r_file_perms; allow $1 rpm_var_lib_t:lnk_file r_file_perms;
@ -169,8 +170,8 @@ interface(`rpm_manage_db',`
type rpm_var_lib_t; type rpm_var_lib_t;
') ')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir rw_dir_perms; allow $1 rpm_var_lib_t:dir rw_dir_perms;
allow $1 rpm_var_lib_t:file { getattr create read write append unlink }; allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink }; allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
') ')


@ -22,3 +22,22 @@ interface(`updfstab_domtrans',`
allow updfstab_t $1:fifo_file rw_file_perms; allow updfstab_t $1:fifo_file rw_file_perms;
allow updfstab_t $1:process sigchld; allow updfstab_t $1:process sigchld;
') ')
########################################
## <summary>
## Send and receive messages from
## updfstab over dbus.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`updfstab_dbus_chat',`
gen_require(`
type updfstab_t;
class dbus send_msg;
')
allow $1 updfstab_t:dbus send_msg;
allow updfstab_t $1:dbus send_msg;
')


@ -1,5 +1,5 @@
policy_module(updfstab,1.0.1) policy_module(updfstab,1.0.2)
######################################## ########################################
# #
@ -100,6 +100,7 @@ optional_policy(`dbus',`
optional_policy(`hal',` optional_policy(`hal',`
hal_stream_connect(updfstab_t) hal_stream_connect(updfstab_t)
hal_dbus_chat(updfstab_t)
') ')
optional_policy(`modutils',` optional_policy(`modutils',`
@ -123,8 +124,3 @@ optional_policy(`udev',`
ifdef(`TODO',` ifdef(`TODO',`
allow updfstab_t tmpfs_t:dir getattr; allow updfstab_t tmpfs_t:dir getattr;
') ')
optional_policy(`dbus',`
allow initrc_t updfstab_t:dbus send_msg;
allow updfstab_t initrc_t:dbus send_msg;
')


@ -824,6 +824,44 @@ interface(`dev_dontaudit_rw_cardmgr',`
dontaudit $1 cardmgr_dev_t:chr_file { read write }; dontaudit $1 cardmgr_dev_t:chr_file { read write };
') ')
########################################
## <summary>
## Create, read, write, and delete
## the PCMCIA card manager device.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_manage_cardmgr',`
gen_require(`
type device_t, cardmgr_dev_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## the PCMCIA card manager device
## with the correct type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_create_cardmgr',`
gen_require(`
type device_t, cardmgr_dev_t;
')
allow $1 device_t:dir rw_dir_perms;
allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the CPU ## Get the attributes of the CPU
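Review bot: `dev_create_cardmgr` repeats both allow rules of `dev_manage_cardmgr` and adds only the `type_transition`, so a caller of the "create" interface also receives full `manage_file_perms` on `cardmgr_dev_t` and `rw_dir_perms` on `device_t:dir`. Its summary reads almost the same as the manage one, which hides that overlap; the pcmcia section of this commit ends up calling both. Either narrow the create interface to what node creation needs, or make the layering explicit by replacing its two allow lines with `dev_manage_cardmgr($1)` and keeping the `type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;` line, so the two cannot drift apart.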


@ -1679,6 +1679,22 @@ interface(`fs_write_ramfs_pipe',`
allow $1 ramfs_t:fifo_file write; allow $1 ramfs_t:fifo_file write;
') ')
########################################
## <summary>
## Read and write a named pipe on a ramfs filesystem.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`fs_rw_ramfs_pipe',`
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:fifo_file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Write to named socket on a ramfs filesystem. ## Write to named socket on a ramfs filesystem.
@ -2049,6 +2065,23 @@ interface(`fs_create_tmpfs_data',`
') ')
') ')
########################################
## <summary>
## Read and write generic tmpfs files.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`fs_rw_tmpfs_file',`
gen_require(`
type tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 tmpfs_t:file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read and write character nodes on tmpfs filesystems. ## Read and write character nodes on tmpfs filesystems.


@ -21,6 +21,15 @@ attribute proc_type;
# sysctls # sysctls
attribute sysctl_type; attribute sysctl_type;
role system_r;
role sysadm_r;
role staff_r;
role user_r;
ifdef(`enable_mls',`
role secadm_r;
')
# #
# kernel_t is the domain of kernel threads. # kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class. # It is also the target type when checking permissions in the system class.


@ -703,3 +703,19 @@ interface(`apache_append_squirrelmail_data',`
allow $1 httpd_squirrelmail_t:file { getattr append }; allow $1 httpd_squirrelmail_t:file { getattr append };
') ')
########################################
## <summary>
## Search system script state directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`apache_search_sys_script_state',`
gen_require(`
type httpd_sys_script_t;
')
allow $1 httpd_sys_script_t:dir search;
')
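Review bot: The parameter description of the new `apache_search_sys_script_state` says "Domain to not audit.", but the body is an `allow $1 httpd_sys_script_t:dir search;` rule, not a dontaudit. A reader who trusts the generated interface documentation would take this for a noise-suppression call when it actually grants access. The param line should read `## Domain allowed access.` like the other allow interfaces in this commit.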


@ -97,7 +97,7 @@ interface(`apm_append_log',`
# #
interface(`apm_stream_connect',` interface(`apm_stream_connect',`
gen_require(` gen_require(`
type apmd_t; type apmd_t, apmd_var_run_t;
') ')
files_search_pids($1) files_search_pids($1)


@ -1 +1,20 @@
## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary> ## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
########################################
## <summary>
## Send and receive messages from
## avahi over dbus.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`avahi_dbus_chat',`
gen_require(`
type avahi_t;
class dbus send_msg;
')
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')


@ -1,5 +1,5 @@
policy_module(avahi,1.0.1) policy_module(avahi,1.0.2)
######################################## ########################################
# #
@ -90,10 +90,6 @@ optional_policy(`dbus',`
dbus_system_bus_client_template(avahi,avahi_t) dbus_system_bus_client_template(avahi,avahi_t)
dbus_connect_system_bus(avahi_t) dbus_connect_system_bus(avahi_t)
dbus_send_system_bus_msg(avahi_t) dbus_send_system_bus_msg(avahi_t)
# FIXME:
allow avahi_t unconfined_t:dbus send_msg;
allow unconfined_t avahi_t:dbus send_msg;
') ')
optional_policy(`nis',` optional_policy(`nis',`
@ -107,4 +103,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',` optional_policy(`udev',`
udev_read_db(avahi_t) udev_read_db(avahi_t)
') ')


@ -289,9 +289,9 @@ optional_policy(`networkmanager',`
') ')
# optional_policy(`dbus',` # optional_policy(`dbus',`
# gen_require(` gen_require(`
# class dbus send_msg; class dbus send_msg;
# ') ')
allow NetworkManager_t named_t:dbus send_msg; allow NetworkManager_t named_t:dbus send_msg;
allow named_t NetworkManager_t:dbus send_msg; allow named_t NetworkManager_t:dbus send_msg;
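Review bot: The two allow rules at the end of this hunk name `NetworkManager_t` directly, but the newly uncommented `gen_require` appears to require only `class dbus send_msg`, and the enclosing optional_policy line for dbus is still commented out. In a modular build the module would then reference a type it never requires; whether anything after these lines handles that is outside the hunk. Consider adding `type NetworkManager_t;` to the require block, or replacing the pair with `networkmanager_dbus_chat(named_t)` inside an optional block for networkmanager, as the sysnetwork change in this commit does.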


@ -1,5 +1,26 @@
## <summary>Common UNIX printing system</summary> ## <summary>Common UNIX printing system</summary>
########################################
## <summary>
## Execute cups in the cups domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`cups_domtrans',`
gen_require(`
type cupsd_t, cupsd_exec_t;
')
domain_auto_trans($1,cupsd_exec_t,cupsd_t)
allow $1 cupsd_t:fd use;
allow cupsd_t $1:fd use;
allow cupsd_t $1:fifo_file rw_file_perms;
allow cupsd_t $1:process sigchld;
')
######################################## ########################################
## <summary> ## <summary>
## Execute cups_config in the cups_config domain. ## Execute cups_config in the cups_config domain.
@ -21,6 +42,42 @@ interface(`cups_domtrans_config',`
allow cupsd_config_t $1:process sigchld; allow cupsd_config_t $1:process sigchld;
') ')
########################################
## <summary>
## Send generic signals to the cups
## configuration daemon.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cups_signal_config',`
gen_require(`
type cupsd_config_t;
')
allow $1 cupsd_config_t:process signal;
')
########################################
## <summary>
## Send and receive messages from
## cupsd_config over dbus.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cups_dbus_chat_config',`
gen_require(`
type cupsd_config_t;
class dbus send_msg;
')
allow $1 cupsd_config_t:dbus send_msg;
allow cupsd_config_t $1:dbus send_msg;
')
######################################## ########################################
## <summary> ## <summary>
## Read cups-writable configuration files. ## Read cups-writable configuration files.
@ -38,3 +95,39 @@ interface(`cups_read_rw_config',`
allow $1 cupsd_etc_t:dir search_dir_perms; allow $1 cupsd_etc_t:dir search_dir_perms;
allow $1 cupsd_rw_etc_t:file { getattr read }; allow $1 cupsd_rw_etc_t:file { getattr read };
') ')
########################################
## <summary>
## Read cups log files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cups_read_log',`
gen_require(`
type cupsd_log_t;
')
logging_search_logs($1)
allow $1 cupsd_log_t:file { getattr read };
')
########################################
## <summary>
## Connect to ptal over an unix domain stream socket.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cups_stream_connect_ptal',`
gen_require(`
type ptal_t, ptal_var_run_t;
')
files_search_pids($1)
allow $1 ptal_var_run_t:dir search;
allow $1 ptal_var_run_t:sock_file write;
allow $1 ptal_t:unix_stream_socket connectto;
')


@ -1,5 +1,5 @@
policy_module(cups,1.0) policy_module(cups,1.0.1)
######################################## ########################################
# #
@ -149,6 +149,7 @@ fs_search_auto_mountpoints(cupsd_t)
term_dontaudit_use_console(cupsd_t) term_dontaudit_use_console(cupsd_t)
auth_domtrans_chk_passwd(cupsd_t) auth_domtrans_chk_passwd(cupsd_t)
auth_dontaudit_read_pam_pid(cupsd_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t) corecmd_exec_shell(cupsd_t)
@ -187,7 +188,7 @@ seutil_dontaudit_read_config(cupsd_t)
sysnet_read_config(cupsd_t) sysnet_read_config(cupsd_t)
userdom_dontaudit_use_unpriv_user_fd(cupsd_t) userdom_dontaudit_use_unpriv_user_fd(cupsd_t)
userdom_dontaudit_search_sysadm_home_dir(cupsd_t) userdom_dontaudit_search_all_users_home(cupsd_t)
# Write to /var/spool/cups. # Write to /var/spool/cups.
lpd_manage_spool(cupsd_t) lpd_manage_spool(cupsd_t)
@ -198,17 +199,30 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(cupsd_t) files_dontaudit_read_root_file(cupsd_t)
') ')
optional_policy(`cron',`
cron_use_fd(cupsd_t)
cron_read_pipe(cupsd_t)
')
optional_policy(`dbus',` optional_policy(`dbus',`
dbus_system_bus_client_template(cupsd,cupsd_t) dbus_system_bus_client_template(cupsd,cupsd_t)
dbus_send_system_bus_msg(cupsd_t) dbus_send_system_bus_msg(cupsd_t)
allow cupsd_t userdomain:dbus send_msg; userdom_dbus_send_all_users(cupsd_t)
optional_policy(`hal',`
hal_dbus_chat(cupsd_t)
')
') ')
optional_policy(`hostname',` optional_policy(`hostname',`
hostname_exec(cupsd_t) hostname_exec(cupsd_t)
') ')
optional_policy(`inetd',`
inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
')
optional_policy(`mount',` optional_policy(`mount',`
mount_send_nfs_client_request(cupsd_t) mount_send_nfs_client_request(cupsd_t)
') ')
@ -217,6 +231,15 @@ optional_policy(`nscd',`
nscd_use_socket(cupsd_t) nscd_use_socket(cupsd_t)
') ')
optional_policy(`portmap',`
portmap_udp_sendrecv(cupsd_t)
')
optional_policy(`samba',`
samba_rw_var_files(cupsd_t)
# cjp: rw_dir_perms was here, but doesnt make sense
')
optional_policy(`selinuxutil',` optional_policy(`selinuxutil',`
seutil_sigchld_newrole(cupsd_t) seutil_sigchld_newrole(cupsd_t)
') ')
@ -241,56 +264,18 @@ allow cupsd_t devpts_t:dir search;
dontaudit cupsd_t random_device_t:chr_file ioctl; dontaudit cupsd_t random_device_t:chr_file ioctl;
# temporary solution, we need something better # temporary solution, we need something better
allow cupsd_t serial_device:chr_file rw_file_perms; #allow cupsd_t serial_device:chr_file rw_file_perms;
optional_policy(`logrotate',`
domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
')
optional_policy(`inetd',`
domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
')
# for /etc/printcap # for /etc/printcap
dontaudit cupsd_t etc_t:file write; dontaudit cupsd_t etc_t:file write;
# Send to portmap.
optional_policy(`portmap', `
allow cupsd_t portmap_t:udp_socket sendto;
allow portmap_t cupsd_t:udp_socket recvfrom;
allow portmap_t cupsd_t:udp_socket sendto;
allow cupsd_t portmap_t:udp_socket recvfrom;
')
# #
# Satisfy readahead # Satisfy readahead
# #
allow initrc_t cupsd_log_t:file { getattr read };
allow cupsd_t var_t:dir { getattr read search }; allow cupsd_t var_t:dir { getattr read search };
allow cupsd_t var_t:file r_file_perms; allow cupsd_t var_t:file r_file_perms;
allow cupsd_t var_t:lnk_file { getattr read }; allow cupsd_t var_t:lnk_file { getattr read };
optional_policy(`samba',`
# cjp: rw_dir_perms here doesnt make sense
allow cupsd_t samba_var_t:dir rw_dir_perms;
allow cupsd_t samba_var_t:file rw_file_perms;
allow cupsd_t samba_var_t:lnk_file { getattr read };
allow smbd_t cupsd_etc_t:dir search;
')
optional_policy(`authlogin',`
dontaudit cupsd_t pam_var_run_t:file { getattr read };
')
dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
######################################## ########################################
# #
# PTAL local policy # PTAL local policy
@ -358,7 +343,7 @@ miscfiles_read_localization(ptal_t)
sysnet_read_config(ptal_t) sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fd(ptal_t) userdom_dontaudit_use_unpriv_user_fd(ptal_t)
userdom_dontaudit_search_sysadm_home_dir(ptal_t) userdom_dontaudit_search_all_users_home(ptal_t)
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(ptal_t) term_dontaudit_use_unallocated_tty(ptal_t)
@ -374,14 +359,8 @@ optional_policy(`udev',`
udev_read_db(ptal_t) udev_read_db(ptal_t)
') ')
allow userdomain ptal_t:unix_stream_socket connectto;
allow userdomain ptal_var_run_t:sock_file write;
allow userdomain ptal_var_run_t:dir search;
allow initrc_t printer_device_t:chr_file getattr; allow initrc_t printer_device_t:chr_file getattr;
dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
allow initrc_t ptal_var_run_t:dir rmdir; allow initrc_t ptal_var_run_t:dir rmdir;
allow initrc_t ptal_var_run_t:fifo_file unlink; allow initrc_t ptal_var_run_t:fifo_file unlink;
@ -555,6 +534,8 @@ corecmd_exec_sbin(cupsd_config_t)
corecmd_exec_shell(cupsd_config_t) corecmd_exec_shell(cupsd_config_t)
domain_use_wide_inherit_fd(cupsd_config_t) domain_use_wide_inherit_fd(cupsd_config_t)
# killall causes the following
domain_dontaudit_search_all_domains_state(cupsd_config_t)
files_read_usr_files(cupsd_config_t) files_read_usr_files(cupsd_config_t)
files_read_etc_files(cupsd_config_t) files_read_etc_files(cupsd_config_t)
@ -577,12 +558,35 @@ sysnet_read_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t)
userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t) userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t)
ifdef(`distro_redhat',`
init_getattr_script_entry_file(cupsd_config_t)
optional_policy(`rpm',`
rpm_read_db(cupsd_config_t)
')
')
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(cupsd_config_t) term_dontaudit_use_unallocated_tty(cupsd_config_t)
term_dontaudit_use_generic_pty(cupsd_config_t) term_dontaudit_use_generic_pty(cupsd_config_t)
files_dontaudit_read_root_file(cupsd_config_t) files_dontaudit_read_root_file(cupsd_config_t)
') ')
optional_policy(`cron',`
cron_use_system_job_fd(cupsd_config_t)
cron_read_pipe(cupsd_config_t)
')
optional_policy(`dbus',`
dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
dbus_connect_system_bus(cupsd_config_t)
dbus_send_system_bus_msg(cupsd_config_t)
optional_policy(`hal',`
hal_dbus_chat(cupsd_config_t)
')
')
optional_policy(`hal',` optional_policy(`hal',`
hal_domtrans(cupsd_config_t) hal_domtrans(cupsd_config_t)
') ')
@ -603,6 +607,10 @@ optional_policy(`nscd',`
nscd_use_socket(cupsd_config_t) nscd_use_socket(cupsd_config_t)
') ')
optional_policy(`rpm',`
rpm_read_db(cupsd_config_t)
')
optional_policy(`selinuxutil',` optional_policy(`selinuxutil',`
seutil_sigchld_newrole(cupsd_config_t) seutil_sigchld_newrole(cupsd_config_t)
') ')
@ -611,49 +619,10 @@ optional_policy(`udev',`
udev_read_db(cupsd_config_t) udev_read_db(cupsd_config_t)
') ')
allow cupsd_config_t devpts_t:dir search;
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
ifdef(`distro_redhat', `
optional_policy(`rpm',`
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
')
allow cupsd_config_t initrc_exec_t:file getattr;
')
allow cupsd_config_t var_t:lnk_file read; allow cupsd_config_t var_t:lnk_file read;
optional_policy(`dbus',`
dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
dbus_connect_system_bus(cupsd_config_t)
dbus_send_system_bus_msg(cupsd_config_t)
allow cupsd_config_t userdomain:dbus send_msg;
allow userdomain cupsd_config_t:dbus send_msg;
')
optional_policy(`hal', `
optional_policy(`dbus',`
allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
')
allow hald_t cupsd_config_t:process signal;
')
# killall causes the following
dontaudit cupsd_config_t domain:dir { getattr search };
allow cupsd_config_t var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
allow cupsd_config_t printconf_t:file { getattr read }; allow cupsd_config_t printconf_t:file { getattr read };
allow cupsd_config_t system_crond_t:fd use;
allow cupsd_config_t crond_t:fifo_file r_file_perms;
allow cupsd_t crond_t:fifo_file read;
allow cupsd_t crond_t:fd use;
# Alternatives asks for this # Alternatives asks for this
allow cupsd_config_t initrc_exec_t:file getattr; allow cupsd_config_t initrc_exec_t:file getattr;
@ -664,6 +633,7 @@ ifdef(`targeted_policy', `
allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg; allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
allow unconfined_t cupsd_config_t:dbus send_msg; allow unconfined_t cupsd_config_t:dbus send_msg;
allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read; allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
term_use_generic_pty(cupsd_config_t)
') ')
######################################## ########################################
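Review bot: `rpm_read_db(cupsd_config_t)` is called twice on the new side, once inside the `distro_redhat` block and again in a standalone optional block for rpm after the nscd block, so the distro guard no longer restricts anything. The interface is also wider than the rules it replaces: per the rpm section of this commit it grants `r_dir_perms` on `rpm_var_lib_t:dir` and `r_file_perms` on its symlinks, where the removed rules allowed only `{ getattr search }` on the directory and `{ getattr read }` on files. If the database is only read on Red Hat systems, drop the unconditional block; if it is needed everywhere, drop the guarded call and add a comment such as `# alternatives reads the rpm database on all distros` so the extra access is a recorded decision.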


@ -100,6 +100,9 @@ miscfiles_read_localization(fingerd_t)
userdom_read_unpriv_user_home_files(fingerd_t) userdom_read_unpriv_user_home_files(fingerd_t)
userdom_dontaudit_use_unpriv_user_fd(fingerd_t) userdom_dontaudit_use_unpriv_user_fd(fingerd_t)
userdom_dontaudit_search_sysadm_home_dir(fingerd_t) userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
userdom_dontaudit_search_user_home_dirs(fingerd_t)
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(fingerd_t) term_dontaudit_use_unallocated_tty(fingerd_t)
@ -130,7 +133,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',` optional_policy(`udev',`
udev_read_db(fingerd_t) udev_read_db(fingerd_t)
') ')
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
dontaudit fingerd_t user_home_t:dir search;
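Review bot: The removed rule silenced searches of `user_home_t` directories, while the replacement `userdom_dontaudit_search_user_home_dirs(fingerd_t)` is named for the home directories themselves; its body is not shown on this page, so it may target a different type. If it does, the relocated comment about Maildir sub-directories no longer describes what is suppressed, and the original denials would start reaching the audit log. Confirm the interface's target type and adjust the comment above the call to match what is actually being hidden from audit.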


@ -1,5 +1,5 @@
policy_module(hal,1.0.1) policy_module(hal,1.0.2)
######################################## ########################################
# #
@ -134,6 +134,7 @@ optional_policy(`apm',`
optional_policy(`cups',` optional_policy(`cups',`
cups_domtrans_config(hald_t) cups_domtrans_config(hald_t)
cups_signal_config(hald_t)
') ')
optional_policy(`dbus',` optional_policy(`dbus',`
@ -187,21 +188,4 @@ optional_policy(`updfstab',`
ifdef(`TODO',` ifdef(`TODO',`
allow hald_t device_t:dir create_dir_perms; allow hald_t device_t:dir create_dir_perms;
optional_policy(`hald',`
allow udev_t hald_t:unix_dgram_socket sendto;
')
') dnl end TODO ') dnl end TODO
ifdef(`targeted_policy', `
allow unconfined_t hald_t:dbus send_msg;
allow hald_t unconfined_t:dbus send_msg;
')
optional_policy(`updfstab',`
allow updfstab_t hald_t:dbus send_msg;
allow hald_t updfstab_t:dbus send_msg;
')
allow hald_t initrc_t:dbus send_msg;
allow initrc_t hald_t:dbus send_msg;


@ -51,9 +51,7 @@ optional_policy(`apache',`
apache_sigchld(mailman_cgi_t) apache_sigchld(mailman_cgi_t)
apache_use_fd(mailman_cgi_t) apache_use_fd(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
# FIXME:
allow mailman_cgi_t httpd_sys_script_t:dir search;
') ')
######################################## ########################################


@ -36,6 +36,11 @@ interface(`mta_stub',`
# #
template(`mta_base_mail_template',` template(`mta_base_mail_template',`
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
')
############################## ##############################
# #
# $1_mail_t declarations # $1_mail_t declarations
@ -45,13 +50,9 @@ template(`mta_base_mail_template',`
domain_type($1_mail_t) domain_type($1_mail_t)
domain_entry_file($1_mail_t,sendmail_exec_t) domain_entry_file($1_mail_t,sendmail_exec_t)
optional_policy(`sendmail',`
type $1_mail_tmp_t; type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t) files_tmp_file($1_mail_tmp_t)
sendmail_stub($1_mail_t)
')
############################## ##############################
# #
# $1_mail_t local policy # $1_mail_t local policy
@ -107,6 +108,10 @@ template(`mta_base_mail_template',`
') ')
optional_policy(`sendmail',` optional_policy(`sendmail',`
gen_require(`
type etc_mail_t, mail_spool_t, mqueue_spool_t;
')
allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms; allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
allow $1_mail_t $1_mail_tmp_t:file create_file_perms; allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir }) files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir })
@ -166,7 +171,8 @@ template(`mta_base_mail_template',`
# #
template(`mta_per_userdomain_template',` template(`mta_per_userdomain_template',`
gen_require(` gen_require(`
attribute mailserver_domain, mta_user_agent, user_mail_domain; attribute mailserver_domain, mta_user_agent;
attribute mailserver_delivery, user_mail_domain;
type sendmail_exec_t; type sendmail_exec_t;
') ')


@ -6,8 +6,7 @@ policy_module(procmail,1.0.0)
# Declarations # Declarations
# #
# privhome only works until we define a different type for maildir type procmail_t;
type procmail_t, privhome;
type procmail_exec_t; type procmail_exec_t;
domain_type(procmail_t) domain_type(procmail_t)
domain_entry_file(procmail_t,procmail_exec_t) domain_entry_file(procmail_t,procmail_exec_t)
@ -61,6 +60,7 @@ libs_use_shared_libs(procmail_t)
miscfiles_read_localization(procmail_t) miscfiles_read_localization(procmail_t)
# only works until we define a different type for maildir
userdom_priveleged_home_dir_manager(procmail_t) userdom_priveleged_home_dir_manager(procmail_t)
# Do not audit attempts to access /root. # Do not audit attempts to access /root.
userdom_dontaudit_search_sysadm_home_dir(procmail_t) userdom_dontaudit_search_sysadm_home_dir(procmail_t)


@ -10,7 +10,7 @@
# #
interface(`radius_use',` interface(`radius_use',`
gen_require(` gen_require(`
type radius_t; type radiusd_t;
') ')
allow $1 radiusd_t:udp_socket sendto; allow $1 radiusd_t:udp_socket sendto;


@ -213,6 +213,25 @@ interface(`samba_search_var',`
allow $1 samba_var_t:dir search_dir_perms; allow $1 samba_var_t:dir search_dir_perms;
') ')
########################################
## <summary>
## Allow the specified domain to
## read and write samba /var files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`samba_rw_var_files',`
gen_require(`
type samba_var_t;
')
files_search_var($1)
allow $1 samba_var_t:dir search_dir_perms;
allow $1 samba_var_t:file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to write to smbmount tcp sockets. ## Allow the specified domain to write to smbmount tcp sockets.


@ -559,8 +559,6 @@ interface(`auth_exec_pam',`
interface(`auth_read_pam_pid',` interface(`auth_read_pam_pid',`
gen_require(` gen_require(`
type pam_var_run_t; type pam_var_run_t;
class dir r_dir_perms;
class file r_file_perms;
') ')
files_search_var($1) files_search_var($1)
@ -569,6 +567,22 @@ interface(`auth_read_pam_pid',`
allow $1 pam_var_run_t:file r_file_perms; allow $1 pam_var_run_t:file r_file_perms;
') ')
#######################################
## <summary>
## Do not audit attemps to read PAM pid files.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`auth_dontaudit_read_pam_pid',`
gen_require(`
type pam_var_run_t;
')
dontaudit $1 pam_var_run_t:file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Delete pam PID files. ## Delete pam PID files.
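Review bot: The summary of the new `auth_dontaudit_read_pam_pid` interface misspells "attempts" as "attemps", and its banner line appears to be one `#` shorter than the banners around it. Both end up in the generated interface documentation, where dontaudit interfaces are the ones an administrator searches for when denials seem to be missing from the log. Suggested summary line: `## Do not audit attempts to read PAM pid files.`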


@ -471,6 +471,7 @@ interface(`domain_kill_all_domains',`
allow $1 domain:process sigkill; allow $1 domain:process sigkill;
allow $1 self:capability kill; allow $1 self:capability kill;
') ')
######################################## ########################################
## <summary> ## <summary>
## Search the process state directory (/proc/pid) of all domains. ## Search the process state directory (/proc/pid) of all domains.
@ -489,6 +490,23 @@ interface(`domain_search_all_domains_state',`
allow $1 domain:dir search; allow $1 domain:dir search;
') ')
########################################
## <summary>
## Do not audit attempts to search the process
## state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`domain_dontaudit_search_all_domains_state',`
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir search_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read the process state (/proc/pid) of all domains. ## Read the process state (/proc/pid) of all domains.


@ -1,5 +1,5 @@
policy_module(fstools,1.0) policy_module(fstools,1.0.1)
######################################## ########################################
# #
@ -72,6 +72,8 @@ dev_getattr_usbfs_dir(fsadm_t)
fs_search_auto_mountpoints(fsadm_t) fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t) fs_getattr_xattr_fs(fsadm_t)
fs_rw_ramfs_pipe(fsadm_t)
fs_rw_tmpfs_file(fsadm_t)
# remount file system to apply changes # remount file system to apply changes
fs_remount_xattr_fs(fsadm_t) fs_remount_xattr_fs(fsadm_t)
# for /dev/shm # for /dev/shm
@ -155,10 +157,3 @@ optional_policy(`cron',`
optional_policy(`nis',` optional_policy(`nis',`
nis_use_ypbind(fsadm_t) nis_use_ypbind(fsadm_t)
') ')
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
') dnl end TODO
allow fsadm_t tmpfs_t:file { read write };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
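Review bot: Replacing the raw rule `allow fsadm_t tmpfs_t:file { read write };` with `fs_rw_tmpfs_file(fsadm_t)` widens what fsadm_t may do rather than just relocating the rule. The new interface, shown in the filesystem section of this commit, grants `rw_file_perms` on `tmpfs_t:file` plus `fs_search_tmpfs`, and in reference policy that permission set normally covers more than read and write (getattr, ioctl, lock and append). If the wider set is intended, say so next to the call, for example `# rw_file_perms is broader than the old { read write }; needed for /dev/shm`; otherwise a narrower interface would preserve the old access exactly.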


@ -475,6 +475,23 @@ interface(`init_dontaudit_unix_connect_script',`
dontaudit $1 initrc_t:unix_stream_socket connectto; dontaudit $1 initrc_t:unix_stream_socket connectto;
') ')
########################################
## <summary>
## Get the attribute of init script entrypoint files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`init_getattr_script_entry_file',`
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
allow $1 initrc_exec_t:file getattr;
')
######################################## ########################################
## <summary> ## <summary>
## Read init scripts. ## Read init scripts.
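Review bot: `init_getattr_script_entry_file` calls `files_list_etc($1)`, which lets the caller list /etc directories, although reaching an init script in order to stat it needs only directory search. The rule this interface replaces in the cups section was the bare `allow cupsd_config_t initrc_exec_t:file getattr;`, so every caller now gains directory listing as a side effect. Using `files_search_etc($1)` instead would keep the interface to what its summary describes.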


@ -1,5 +1,5 @@
policy_module(init,1.0.1) policy_module(init,1.0.2)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;
@ -494,6 +494,10 @@ optional_policy(`cpucontrol',`
dev_getattr_cpu(initrc_t) dev_getattr_cpu(initrc_t)
') ')
optional_policy(`cups',`
cups_read_log(initrc_t)
')
optional_policy(`dbus',` optional_policy(`dbus',`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_send_system_bus_msg(initrc_t) dbus_send_system_bus_msg(initrc_t)
@ -502,6 +506,10 @@ optional_policy(`dbus',`
optional_policy(`networkmanager',` optional_policy(`networkmanager',`
networkmanager_dbus_chat(initrc_t) networkmanager_dbus_chat(initrc_t)
') ')
optional_policy(`updfstab',`
updfstab_dbus_chat(initrc_t)
')
') ')
optional_policy(`ftp',` optional_policy(`ftp',`


@ -1,6 +1,10 @@
policy_module(modutils,1.0) policy_module(modutils,1.0)
gen_require(`
bool secure_mode_insmod;
')
######################################## ########################################
# #
# Declarations # Declarations


@ -55,6 +55,8 @@ kernel_dontaudit_getattr_message_if(cardmgr_t)
bootloader_search_kernel_modules(cardmgr_t) bootloader_search_kernel_modules(cardmgr_t)
dev_read_sysfs(cardmgr_t) dev_read_sysfs(cardmgr_t)
dev_manage_cardmgr(cardmgr_t)
dev_create_cardmgr(cardmgr_t)
dev_getattr_all_chr_files(cardmgr_t) dev_getattr_all_chr_files(cardmgr_t)
dev_getattr_all_blk_files(cardmgr_t) dev_getattr_all_blk_files(cardmgr_t)
# for SSP # for SSP
@ -149,6 +151,5 @@ optional_policy(`udev',`
# Create device files in /tmp. # Create device files in /tmp.
# cjp: why is this created all over the place? # cjp: why is this created all over the place?
allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms; allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
allow cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:dir rw_dir_perms; type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
type_transition cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;


@ -13,6 +13,18 @@ gen_require(`
attribute can_write_binary_policy; attribute can_write_binary_policy;
attribute can_relabelto_binary_policy; attribute can_relabelto_binary_policy;
#
# selinux_config_t is the type applied to
# /etc/selinux/config
#
# cjp: this is out of order due to rules
# in the domain_type interface
# (fix dup decl)
type selinux_config_t;
files_type(selinux_config_t)
kernel_list_from(selinux_config_t)
kernel_read_file_from(selinux_config_t)
type checkpolicy_t, can_write_binary_policy; type checkpolicy_t, can_write_binary_policy;
domain_type(checkpolicy_t) domain_type(checkpolicy_t)
role system_r types checkpolicy_t; role system_r types checkpolicy_t;
@ -81,15 +93,6 @@ domain_type(run_init_t)
type run_init_exec_t; type run_init_exec_t;
domain_entry_file(run_init_t,run_init_exec_t) domain_entry_file(run_init_t,run_init_exec_t)
#
# selinux_config_t is the type applied to
# /etc/selinux/config
#
type selinux_config_t;
files_type(selinux_config_t)
kernel_list_from(selinux_config_t)
kernel_read_file_from(selinux_config_t)
type setfiles_t, can_relabelto_binary_policy; type setfiles_t, can_relabelto_binary_policy;
domain_obj_id_change_exempt(setfiles_t) domain_obj_id_change_exempt(setfiles_t)
domain_type(setfiles_t) domain_type(setfiles_t)


@ -173,8 +173,12 @@ optional_policy(`dbus',`
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t) domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg; allow initrc_t dhcpc_t:dbus send_msg;
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg; allow dhcpc_t initrc_t:dbus send_msg;
optional_policy(`networkmanager',`
networkmanager_dbus_chat(dhcpc_t)
')
ifdef(`unconfined.te', ` ifdef(`unconfined.te', `
allow unconfined_t dhcpc_t:dbus send_msg; allow unconfined_t dhcpc_t:dbus send_msg;
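Review bot: The new side still names types owned by other modules directly: `allow initrc_t dhcpc_t:dbus send_msg;`, `allow dhcpc_t initrc_t:dbus send_msg;` and, under the ifdef on unconfined.te, `allow unconfined_t dhcpc_t:dbus send_msg;`. Only the NetworkManager_t half was moved behind an optional_policy block with `networkmanager_dbus_chat(dhcpc_t)`, so unless a gen_require outside the hunk covers these types, the same cross-module dependency remains for initrc_t and unconfined_t. Routing them through interfaces exported by the owning modules, inside optional_policy blocks as done for networkmanager, would also keep each dbus send_msg grant reviewable in the module that owns the type. The ifdef block continues past the end of the hunk.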


@ -1,5 +1,5 @@
policy_module(udev,1.0) policy_module(udev,1.0.1)
######################################## ########################################
# #
@ -176,6 +176,10 @@ optional_policy(`dbus',`
dbus_system_bus_client_template(udev,udev_t) dbus_system_bus_client_template(udev,udev_t)
') ')
optional_policy(`hal',`
hal_dgram_sendto(udev_t)
')
optional_policy(`hotplug',` optional_policy(`hotplug',`
hotplug_read_config(udev_t) hotplug_read_config(udev_t)
') ')
@ -192,8 +196,8 @@ optional_policy(`sysnetwork',`
sysnet_domtrans_dhcpc(udev_t) sysnet_domtrans_dhcpc(udev_t)
') ')
#optional_policy(`xserver',` #optional_policy(`xdm',`
# xserver_read_xdm_pid(udev_t) # xdm_read_pid(udev_t)
#') #')
ifdef(`TODO',` ifdef(`TODO',`


@ -1,5 +1,5 @@
policy_module(unconfined,1.0.2) policy_module(unconfined,1.0.3)
######################################## ########################################
# #
@ -60,6 +60,14 @@ ifdef(`targeted_policy',`
optional_policy(`dbus',` optional_policy(`dbus',`
dbus_stub(unconfined_t) dbus_stub(unconfined_t)
optional_policy(`avahi',`
avahi_dbus_chat(unconfined_t)
')
optional_policy(`hal',`
hal_dbus_chat(unconfined_t)
')
optional_policy(`networkmanager',` optional_policy(`networkmanager',`
networkmanager_dbus_chat(unconfined_t) networkmanager_dbus_chat(unconfined_t)
') ')


@ -322,9 +322,17 @@ template(`base_user_template',`
canna_stream_connect($1_t) canna_stream_connect($1_t)
') ')
optional_policy(`cups',`
cups_stream_connect_ptal($1_t)
')
optional_policy(`dbus',` optional_policy(`dbus',`
dbus_system_bus_client_template($1,$1_t) dbus_system_bus_client_template($1,$1_t)
optional_policy(`cups',`
cups_dbus_chat_config($1_t)
')
optional_policy(`hal',` optional_policy(`hal',`
hal_dbus_chat($1_t) hal_dbus_chat($1_t)
') ')
@ -2569,7 +2577,7 @@ interface(`userdom_signal_all_users',`
## Domain allowed access. ## Domain allowed access.
## </param> ## </param>
# #
interface(`userdom_sigcld_all_users',` interface(`userdom_sigchld_all_users',`
gen_require(` gen_require(`
attribute userdomain; attribute userdomain;
') ')
@ -2577,6 +2585,23 @@ interface(`userdom_sigcld_all_users',`
allow $1 userdomain:process sigchld; allow $1 userdomain:process sigchld;
') ')
########################################
## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_dbus_send_all_users',`
gen_require(`
attribute userdomain;
class dbus send_msg;
')
allow $1 userdomain:dbus send_msg;
')
######################################## ########################################
## <summary> ## <summary>
## Unconfined access to user domains. ## Unconfined access to user domains.