final updates from nsa cvs
This commit is contained in:
parent
41c4800de4
commit
a1fcff33f2
@ -5,9 +5,11 @@
|
||||
- Added policies:
|
||||
ktalk
|
||||
portmap
|
||||
postgresql
|
||||
samba
|
||||
snmp
|
||||
tftp
|
||||
vpn
|
||||
zebra
|
||||
|
||||
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
|
||||
|
@ -46,6 +46,11 @@ gen_tunable(named_write_master_zones,false)
|
||||
## Allow reading of default_t files.
|
||||
gen_tunable(read_default_t,false)
|
||||
|
||||
## Allow applications to read untrusted content
|
||||
## If this is disallowed, Internet content has
|
||||
## to be manually relabeled for read access to be granted
|
||||
gen_tunable(read_untrusted_content,false)
|
||||
|
||||
## Allow ssh to run from inetd instead of as a daemon.
|
||||
gen_tunable(run_ssh_inetd,false)
|
||||
|
||||
@ -97,3 +102,8 @@ gen_tunable(user_tcp_server,false)
|
||||
|
||||
## Allow w to display everyone
|
||||
gen_tunable(user_ttyfile_stat,false)
|
||||
|
||||
## Allow applications to write untrusted content
|
||||
## If this is disallowed, no Internet content
|
||||
## will be stored.
|
||||
gen_tunable(write_untrusted_content,false)
|
||||
|
9
refpolicy/policy/modules/admin/vpn.fc
Normal file
9
refpolicy/policy/modules/admin/vpn.fc
Normal file
@ -0,0 +1,9 @@
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/vpnc -- context_template(system_u:object_r:vpnc_exec_t,s0)
|
||||
|
||||
#
|
||||
# sbin
|
||||
#
|
||||
/sbin/vpnc -- context_template(system_u:object_r:vpnc_exec_t,s0)
|
51
refpolicy/policy/modules/admin/vpn.if
Normal file
51
refpolicy/policy/modules/admin/vpn.if
Normal file
@ -0,0 +1,51 @@
|
||||
## <summary>Virtual Private Networking client</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute VPN clients in the vpnc domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`vpn_domtrans',`
|
||||
gen_require(`
|
||||
type vpnc_t, vpnc_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,vpnc_exec_t,vpnc_t)
|
||||
|
||||
allow $1 vpnc_t:fd use;
|
||||
allow vpnc_t $1:fd use;
|
||||
allow vpnc_t $1:fifo_file rw_file_perms;
|
||||
allow vpnc_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute VPN clients in the vpnc domain, and
|
||||
## allow the specified role the vpnc domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the vpnc domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the vpnc domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`vpn_run',`
|
||||
gen_require(`
|
||||
type vpnc_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
vpn_domtrans($1)
|
||||
role $2 types vpnc_t;
|
||||
allow vpnc_t $3:chr_file rw_term_perms;
|
||||
')
|
114
refpolicy/policy/modules/admin/vpn.te
Normal file
114
refpolicy/policy/modules/admin/vpn.te
Normal file
@ -0,0 +1,114 @@
|
||||
|
||||
policy_module(vpnc,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type vpnc_t;
|
||||
domain_type(vpnc_t)
|
||||
|
||||
type vpnc_exec_t;
|
||||
domain_entry_file(vpnc_t,vpnc_exec_t)
|
||||
|
||||
type vpnc_tmp_t;
|
||||
files_tmp_file(vpnc_tmp_t)
|
||||
|
||||
type vpnc_var_run_t;
|
||||
files_pid_file(vpnc_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow vpnc_t self:capability { net_admin ipc_lock net_raw };
|
||||
allow vpnc_t self:fifo_file { getattr ioctl read write };
|
||||
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
allow vpnc_t self:tcp_socket create_stream_socket_perms;
|
||||
allow vpnc_t self:udp_socket create_socket_perms;
|
||||
allow vpnc_t self:rawip_socket create_socket_perms;
|
||||
allow vpnc_t self:unix_dgram_socket create_socket_perms;
|
||||
allow vpnc_t self:unix_stream_socket create_socket_perms;
|
||||
# cjp: this needs to be fixed
|
||||
allow vpnc_t self:socket create_socket_perms;
|
||||
|
||||
allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
|
||||
allow vpnc_t vpnc_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(vpnc_t, vpnc_tmp_t, { file dir })
|
||||
|
||||
allow vpnc_t vpnc_var_run_t:file create_file_perms;
|
||||
allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(vpnc_t,vpnc_var_run_t)
|
||||
|
||||
kernel_read_system_state(vpnc_t)
|
||||
kernel_read_network_state(vpnc_t)
|
||||
kernel_read_kernel_sysctl(vpnc_t)
|
||||
kernel_rw_net_sysctl(vpnc_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(vpnc_t)
|
||||
corenet_udp_sendrecv_all_if(vpnc_t)
|
||||
corenet_raw_sendrecv_all_if(vpnc_t)
|
||||
corenet_tcp_sendrecv_all_nodes(vpnc_t)
|
||||
corenet_udp_sendrecv_all_nodes(vpnc_t)
|
||||
corenet_raw_sendrecv_all_nodes(vpnc_t)
|
||||
corenet_tcp_sendrecv_all_ports(vpnc_t)
|
||||
corenet_udp_sendrecv_all_ports(vpnc_t)
|
||||
corenet_tcp_bind_all_nodes(vpnc_t)
|
||||
corenet_udp_bind_all_nodes(vpnc_t)
|
||||
corenet_udp_bind_generic_port(vpnc_t)
|
||||
corenet_udp_bind_isakmp_port(vpnc_t)
|
||||
corenet_tcp_connect_all_ports(vpnc_t)
|
||||
corenet_use_tun_tap_device(vpnc_t)
|
||||
|
||||
dev_read_rand(vpnc_t)
|
||||
dev_read_urand(vpnc_t)
|
||||
dev_read_sysfs(vpnc_t)
|
||||
|
||||
fs_getattr_xattr_fs(vpnc_t)
|
||||
|
||||
term_use_all_user_ptys(vpnc_t)
|
||||
term_use_all_user_ttys(vpnc_t)
|
||||
|
||||
corecmd_exec_bin(vpnc_t)
|
||||
corecmd_exec_sbin(vpnc_t)
|
||||
corecmd_exec_shell(vpnc_t)
|
||||
|
||||
domain_exec_all_entry_files(vpnc_t)
|
||||
|
||||
files_exec_etc_files(vpnc_t)
|
||||
files_read_etc_runtime_files(vpnc_t)
|
||||
files_read_etc_files(vpnc_t)
|
||||
files_dontaudit_search_home(vpnc_t)
|
||||
|
||||
libs_exec_ld_so(vpnc_t)
|
||||
libs_exec_lib_files(vpnc_t)
|
||||
libs_use_ld_so(vpnc_t)
|
||||
libs_use_shared_libs(vpnc_t)
|
||||
|
||||
miscfiles_read_localization(vpnc_t)
|
||||
|
||||
seutil_dontaudit_search_config(vpnc_t)
|
||||
|
||||
sysnet_exec_ifconfig(vpnc_t)
|
||||
sysnet_create_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
userdom_use_all_user_fd(vpnc_t)
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(vpnc_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(vpnc_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(vpnc_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit vpnc_t user_home_dir_type:dir search;
|
||||
')
|
@ -20,5 +20,7 @@ files_type(gpg_agent_exec_t)
|
||||
type pinentry_exec_t;
|
||||
files_type(pinentry_exec_t)
|
||||
|
||||
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
|
||||
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
|
||||
ifdef(`TODO',`
|
||||
allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
|
||||
allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
|
||||
')
|
||||
|
@ -472,6 +472,23 @@ interface(`fs_list_cifs',`
|
||||
allow $1 cifs_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to list the contents
|
||||
## of directories on a CIFS or SMB filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_list_cifs',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files on a CIFS or SMB filesystem.
|
||||
@ -483,14 +500,29 @@ interface(`fs_list_cifs',`
|
||||
interface(`fs_read_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 cifs_t:dir r_dir_perms;
|
||||
allow $1 cifs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read
|
||||
## files on a CIFS or SMB filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_read_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read or
|
||||
@ -503,7 +535,6 @@ interface(`fs_read_cifs_files',`
|
||||
interface(`fs_dontaudit_rw_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class file { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:file { read write };
|
||||
@ -578,10 +609,27 @@ interface(`fs_read_cifs_files',`
|
||||
interface(`fs_manage_cifs_dirs',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class dir create_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 cifs_t:dir create_file_perms;
|
||||
allow $1 cifs_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to create, read,
|
||||
## write, and delete directories
|
||||
## on a CIFS or SMB network filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain managing the directories.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_manage_cifs_dirs',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -604,6 +652,24 @@ interface(`fs_manage_cifs_files',`
|
||||
allow $1 cifs_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to create, read,
|
||||
## write, and delete files
|
||||
## on a CIFS or SMB network filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_manage_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete symbolic links
|
||||
@ -959,6 +1025,23 @@ interface(`fs_search_nfs',`
|
||||
allow $1 nfs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to list the contents
|
||||
## of directories on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_list_nfs',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 nfs_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files on a NFS filesystem.
|
||||
@ -978,6 +1061,23 @@ interface(`fs_read_nfs_files',`
|
||||
allow $1 nfs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read
|
||||
## files on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_read_nfs_files',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 nfs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute files on a NFS filesystem.
|
||||
@ -1008,7 +1108,6 @@ interface(`fs_execute_nfs_files',`
|
||||
interface(`fs_dontaudit_rw_nfs_files',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
class file { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 nfs_t:file { read write };
|
||||
@ -1051,6 +1150,24 @@ interface(`fs_manage_nfs_dirs',`
|
||||
allow $1 nfs_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to create, read,
|
||||
## write, and delete directories
|
||||
## on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_manage_nfs_dirs',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 nfs_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
@ -1071,6 +1188,24 @@ interface(`fs_manage_nfs_files',`
|
||||
allow $1 nfs_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to create,
|
||||
## read, write, and delete files
|
||||
## on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_dontaudit_manage_nfs_files',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 nfs_t:file create_file_perms;
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete symbolic links
|
||||
@ -1984,6 +2119,23 @@ interface(`fs_relabelfrom_all_fs',`
|
||||
allow $1 filesystem_type:filesystem relabelfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search all directories with a filesystem type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_search_all',`
|
||||
gen_require(`
|
||||
attribute filesystem_type;
|
||||
class dir { getattr search };
|
||||
')
|
||||
|
||||
allow $1 filesystem_type:dir { getattr search };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List all directories with a filesystem type.
|
||||
@ -2001,7 +2153,6 @@ interface(`fs_list_all',`
|
||||
allow $1 filesystem_type:dir r_dir_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# fs_getattr_all_files(type)
|
||||
|
@ -44,9 +44,6 @@ type binfmt_misc_fs_t, filesystem_type;
|
||||
files_mountpoint(binfmt_misc_fs_t)
|
||||
genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
|
||||
|
||||
type debugfs_t, filesystem_type;
|
||||
allow debugfs_t self:filesystem associate;
|
||||
|
||||
type eventpollfs_t, filesystem_type;
|
||||
genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
|
||||
|
||||
|
@ -343,6 +343,86 @@ interface(`kernel_get_sysvipc_info',`
|
||||
allow $1 kernel_t:system ipc_info;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of a kernel debugging filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_getattr_debugfs',`
|
||||
gen_require(`
|
||||
type debugfs_t;
|
||||
')
|
||||
|
||||
allow $1 debugfs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a kernel debugging filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain mounting the filesystem.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_mount_debugfs',`
|
||||
gen_require(`
|
||||
type debugfs_t;
|
||||
')
|
||||
|
||||
allow $1 debugfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unmount a kernel debugging filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain unmounting the filesystem.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_unmount_debugfs',`
|
||||
gen_require(`
|
||||
type debugfs_t;
|
||||
')
|
||||
|
||||
allow $1 debugfs_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Remount a kernel debugging filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain remounting the filesystem.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_remount_debugfs',`
|
||||
gen_require(`
|
||||
type debugfs_t;
|
||||
')
|
||||
|
||||
allow $1 debugfs_t:filesystem remount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the contents of a kernel debugging filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_search_debugfs',`
|
||||
gen_require(`
|
||||
type debugfs_t;
|
||||
')
|
||||
|
||||
allow $1 debugfs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the proc filesystem.
|
||||
|
@ -30,6 +30,15 @@ role system_r types kernel_t;
|
||||
domain_base_type(kernel_t)
|
||||
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
|
||||
|
||||
#
|
||||
# DebugFS
|
||||
#
|
||||
|
||||
type debugfs_t;
|
||||
fs_type(debugfs_t)
|
||||
allow debugfs_t self:filesystem associate;
|
||||
genfscon debugfs / context_template(system_u:object_r:debugfs_t,s0)
|
||||
|
||||
#
|
||||
# Procfs types
|
||||
#
|
||||
|
@ -152,6 +152,11 @@ optional_policy(`rpm.te',`
|
||||
rpm_read_pipe(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`postgresql.te', `
|
||||
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
|
||||
postgresql_search_db_dir(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(crond_t)
|
||||
')
|
||||
|
@ -1,6 +1,10 @@
|
||||
|
||||
policy_module(dbus,1.0)
|
||||
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Delcarations
|
||||
@ -29,8 +33,9 @@ files_pid_file(system_dbusd_var_run_t)
|
||||
allow system_dbusd_t self:capability { dac_override setgid setuid };
|
||||
dontaudit system_dbusd_t self:capability sys_tty_config;
|
||||
allow system_dbusd_t self:process getattr;
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||
# Receive notifications of policy reloads and enforcing status changes.
|
||||
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
|
||||
@ -75,6 +80,7 @@ corecmd_read_sbin_symlink(system_dbusd_t)
|
||||
corecmd_read_sbin_file(system_dbusd_t)
|
||||
corecmd_read_sbin_pipe(system_dbusd_t)
|
||||
corecmd_read_sbin_socket(system_dbusd_t)
|
||||
corecmd_exec_sbin(system_dbusd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(system_dbusd_t)
|
||||
|
||||
|
@ -16,6 +16,11 @@ files_tmp_file(hald_tmp_t)
|
||||
type hald_var_run_t;
|
||||
files_pid_file(hald_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
|
||||
dontaudit hald_t self:capability sys_tty_config;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
@ -46,15 +51,17 @@ corenet_tcp_sendrecv_all_ports(hald_t)
|
||||
corenet_tcp_bind_all_nodes(hald_t)
|
||||
|
||||
dev_read_sysfs(hald_t)
|
||||
dev_read_usbfs(hald_t)
|
||||
dev_rw_usbfs(hald_t)
|
||||
dev_read_urand(hald_t)
|
||||
dev_read_input(hald_t)
|
||||
dev_read_mouse(hald_t)
|
||||
dev_rw_printer(hald_t)
|
||||
dev_read_lvm_control(hald_t)
|
||||
dev_getattr_all_chr_files(hald_t)
|
||||
dev_manage_generic_chr_file(hald_t)
|
||||
|
||||
fs_getattr_all_fs(hald_t)
|
||||
fs_search_all(hald_t)
|
||||
fs_search_auto_mountpoints(hald_t)
|
||||
|
||||
selinux_get_fs_mount(hald_t)
|
||||
@ -120,6 +127,10 @@ optional_policy(`hotplug.te',`
|
||||
hotplug_read_config(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_domtrans(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(hald_t)
|
||||
')
|
||||
@ -164,4 +175,18 @@ allow udev_t hald_t:unix_dgram_socket sendto;
|
||||
|
||||
allow hald_t initrc_t:dbus send_msg;
|
||||
allow initrc_t hald_t:dbus send_msg;
|
||||
|
||||
# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
|
||||
ifdef(`apmd.te', `
|
||||
allow hald_t apmd_var_run_t:sock_file write;
|
||||
allow hald_t apmd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# For /usr/libexec/hald-probe-smbios
|
||||
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
allow unconfined_t hald_t:dbus send_msg;
|
||||
allow hald_t unconfined_t:dbus send_msg;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
36
refpolicy/policy/modules/services/postgresql.fc
Normal file
36
refpolicy/policy/modules/services/postgresql.fc
Normal file
@ -0,0 +1,36 @@
|
||||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/postgresql(/.*)? context_template(system_u:object_r:postgresql_etc_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/initdb -- context_template(system_u:object_r:postgresql_exec_t,s0)
|
||||
/usr/bin/postgres -- context_template(system_u:object_r:postgresql_exec_t,s0)
|
||||
|
||||
/usr/lib/pgsql/test/regres(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
|
||||
/usr/lib/pgsql/test/regress/pg_regress -- context_template(system_u:object_r:postgresql_exec_t,s0)
|
||||
|
||||
/usr/lib(64)?/postgresql/bin/.* -- context_template(system_u:object_r:postgresql_exec_t,s0)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
/usr/share/jonas/pgsql(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/lib/postgres(ql)?(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
|
||||
|
||||
/var/lib/pgsql/data(/.*)? context_template(system_u:object_r:postgresql_db_t,s0)
|
||||
/var/lib/pgsql/pgstartup.log context_template(system_u:object_r:postgresql_log_t,s0)
|
||||
|
||||
/var/log/postgres\.log.* -- context_template(system_u:object_r:postgresql_log_t,s0)
|
||||
/var/log/postgresql(/.*)? context_template(system_u:object_r:postgresql_log_t,s0)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
/var/log/rhdb/rhdb(/.*)? context_template(system_u:object_r:postgresql_log_t,s0)
|
||||
')
|
||||
|
||||
/var/run/postgresql(/.*)? context_template(system_u:object_r:postgresql_var_run_t,s0)
|
110
refpolicy/policy/modules/services/postgresql.if
Normal file
110
refpolicy/policy/modules/services/postgresql.if
Normal file
@ -0,0 +1,110 @@
|
||||
## <summary>PostgreSQL relational database</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to search postgresql's database directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_search_db_dir',`
|
||||
gen_require(`
|
||||
type postgresql_db_t;
|
||||
')
|
||||
|
||||
allow $1 postgresql_db_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage postgresql's database.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
interface(`postgresql_manage_db',`
|
||||
gen_require(`
|
||||
type postgresql_db_t;
|
||||
')
|
||||
|
||||
allow $1 postgresql_db_t:dir rw_dir_perms;
|
||||
allow $1 postgresql_db_t:file rw_file_perms;
|
||||
allow $1 postgresql_db_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute postgresql in the postgresql domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_domtrans',`
|
||||
gen_require(`
|
||||
type postgresql_t, postgresql_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,postgresql_exec_t,postgresql_t)
|
||||
|
||||
allow $1 postgresql_t:fd use;
|
||||
allow postgresql_t $1:fd use;
|
||||
allow postgresql_t $1:fifo_file rw_file_perms;
|
||||
allow postgresql_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read postgresql's etc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_read_config',`
|
||||
gen_require(`
|
||||
type postgresql_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 postgresql_etc_t:dir { getattr read search };
|
||||
allow $1 postgresql_etc_t:file { read getattr };
|
||||
allow $1 postgresql_etc_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to postgresql with a tcp socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_tcp_connect',`
|
||||
gen_require(`
|
||||
type postgresql_t;
|
||||
')
|
||||
|
||||
kernel_tcp_recvfrom($1)
|
||||
allow $1 postgresql_t:tcp_socket { connectto recvfrom };
|
||||
allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to postgresql with a unix socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_unix_connect',`
|
||||
gen_require(`
|
||||
type postgresql_t, postgresql_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 postgresql_t:unix_stream_socket connectto;
|
||||
allow $1 postgresql_var_run_t:sock_file write;
|
||||
')
|
223
refpolicy/policy/modules/services/postgresql.te
Normal file
223
refpolicy/policy/modules/services/postgresql.te
Normal file
@ -0,0 +1,223 @@
|
||||
|
||||
policy_module(postgresql,1.0)
|
||||
|
||||
#################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
type postgresql_t;
|
||||
type postgresql_exec_t;
|
||||
init_daemon_domain(postgresql_t,postgresql_exec_t)
|
||||
|
||||
type postgresql_db_t;
|
||||
files_type(postgresql_db_t)
|
||||
|
||||
type postgresql_etc_t; #, usercanread;
|
||||
files_type(postgresql_etc_t)
|
||||
|
||||
type postgresql_lock_t;
|
||||
files_lock_file(postgresql_lock_t)
|
||||
|
||||
type postgresql_log_t;
|
||||
logging_log_file(postgresql_log_t)
|
||||
|
||||
type postgresql_tmp_t;
|
||||
files_tmp_file(postgresql_tmp_t)
|
||||
|
||||
type postgresql_var_run_t;
|
||||
files_pid_file(postgresql_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# postgresql Local policy
|
||||
#
|
||||
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
|
||||
allow postgresql_t self:fifo_file { getattr read write ioctl };
|
||||
allow postgresql_t self:file { getattr read };
|
||||
allow postgresql_t self:sem create_sem_perms;
|
||||
allow postgresql_t self:shm create_shm_perms;
|
||||
allow postgresql_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postgresql_t self:udp_socket create_stream_socket_perms;
|
||||
allow postgresql_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
|
||||
|
||||
allow postgresql_t postgresql_db_t:dir create_dir_perms;
|
||||
allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
|
||||
allow postgresql_t postgresql_db_t:file create_file_perms;
|
||||
allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
|
||||
allow postgresql_t postgresql_db_t:sock_file create_file_perms;
|
||||
files_create_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow postgresql_t postgresql_etc_t:dir r_dir_perms;
|
||||
allow postgresql_t postgresql_etc_t:file r_file_perms;
|
||||
allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
||||
can_exec(postgresql_t, postgresql_exec_t )
|
||||
|
||||
allow postgresql_t postgresql_lock_t:file create_file_perms;
|
||||
files_create_lock(postgresql_t,postgresql_lock_t)
|
||||
|
||||
allow postgresql_t postgresql_log_t:dir rw_dir_perms;
|
||||
allow postgresql_t postgresql_log_t:file create_file_perms;
|
||||
logging_create_log(postgresql_t,postgresql_log_t,{ file dir })
|
||||
|
||||
allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
|
||||
allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
|
||||
allow postgresql_t postgresql_tmp_t:file create_file_perms;
|
||||
allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
|
||||
allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
|
||||
files_create_tmp_files(postgresql_t, postgresql_tmp_t, { dir file sock_file })
|
||||
fs_create_tmpfs_data(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
|
||||
allow postgresql_t postgresql_var_run_t:file create_file_perms;
|
||||
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
|
||||
files_create_pid(postgresql_t,postgresql_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(postgresql_t)
|
||||
kernel_read_system_state(postgresql_t)
|
||||
kernel_list_proc(postgresql_t)
|
||||
kernel_read_all_sysctl(postgresql_t)
|
||||
kernel_read_proc_symlinks(postgresql_t)
|
||||
kernel_tcp_recvfrom(postgresql_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(postgresql_t)
|
||||
corenet_udp_sendrecv_all_if(postgresql_t)
|
||||
corenet_raw_sendrecv_all_if(postgresql_t)
|
||||
corenet_tcp_sendrecv_all_nodes(postgresql_t)
|
||||
corenet_udp_sendrecv_all_nodes(postgresql_t)
|
||||
corenet_raw_sendrecv_all_nodes(postgresql_t)
|
||||
corenet_tcp_sendrecv_all_ports(postgresql_t)
|
||||
corenet_udp_sendrecv_all_ports(postgresql_t)
|
||||
corenet_tcp_bind_all_nodes(postgresql_t)
|
||||
corenet_udp_bind_all_nodes(postgresql_t)
|
||||
corenet_tcp_bind_postgresql_port(postgresql_t)
|
||||
corenet_tcp_connect_auth_port(postgresql_t)
|
||||
|
||||
dev_read_sysfs(postgresql_t)
|
||||
dev_read_urand(postgresql_t)
|
||||
|
||||
fs_getattr_all_fs(postgresql_t)
|
||||
fs_search_auto_mountpoints(postgresql_t)
|
||||
|
||||
term_use_controlling_term(postgresql_t)
|
||||
term_dontaudit_use_console(postgresql_t)
|
||||
|
||||
corecmd_exec_bin(postgresql_t)
|
||||
corecmd_exec_ls(postgresql_t)
|
||||
corecmd_exec_sbin(postgresql_t)
|
||||
corecmd_exec_shell(postgresql_t)
|
||||
|
||||
domain_dontaudit_list_all_domains_proc(postgresql_t)
|
||||
domain_use_wide_inherit_fd(postgresql_t)
|
||||
|
||||
files_dontaudit_search_home(postgresql_t)
|
||||
files_manage_etc_files(postgresql_t)
|
||||
files_search_etc(postgresql_t)
|
||||
files_read_etc_runtime_files(postgresql_t)
|
||||
files_read_usr_files(postgresql_t)
|
||||
|
||||
init_read_script_pid(postgresql_t)
|
||||
init_use_fd(postgresql_t)
|
||||
init_use_script_pty(postgresql_t)
|
||||
|
||||
libs_use_ld_so(postgresql_t)
|
||||
libs_use_shared_libs(postgresql_t)
|
||||
|
||||
logging_send_syslog_msg(postgresql_t)
|
||||
|
||||
miscfiles_read_localization(postgresql_t)
|
||||
|
||||
seutil_dontaudit_search_config(postgresql_t)
|
||||
|
||||
sysnet_read_config(postgresql_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
|
||||
userdom_dontaudit_use_sysadm_tty(postgresql_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
|
||||
|
||||
mta_getattr_spool(postgresql_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(postgresql_t)
|
||||
term_dontaudit_use_generic_pty(postgresql_t)
|
||||
term_dontaudit_use_unallocated_tty(postgresql_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
allow postgresql_t self:process execmem;
|
||||
')
|
||||
|
||||
optional_policy(`consoletype.te', `
|
||||
consoletype_exec(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_search_spool(postgresql_t)
|
||||
cron_system_entry(postgresql_t,postgresql_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`hostname.te', `
|
||||
hostname_exec(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_use(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(postgresql_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(postgresql_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`targeted_policy', `', `
|
||||
bool allow_user_postgresql_connect false;
|
||||
|
||||
if (allow_user_postgresql_connect) {
|
||||
# allow any user domain to connect to the database server
|
||||
can_tcp_connect(userdomain, postgresql_t)
|
||||
allow userdomain postgresql_t:unix_stream_socket connectto;
|
||||
allow userdomain postgresql_var_run_t:sock_file write;
|
||||
allow userdomain postgresql_tmp_t:sock_file write;
|
||||
}
|
||||
')
|
||||
ifdef(`distro_debian', `
|
||||
init_exec_script(postgresql_t)
|
||||
# gross hack
|
||||
postgresql_domtrans(dpkg_t)
|
||||
can_exec(postgresql_t, dpkg_exec_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
allow postgresql_t initrc_su_t:process { sigchld };
|
||||
# "su - postgres ..." is called from initrc_t
|
||||
postgresql_search_db_dir(initrc_su_t)
|
||||
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
# Goes to apache.te:
|
||||
# Allow httpd to work with postgresql
|
||||
optional_policy(`postgresql.te', `
|
||||
# Original policy had apache connecting to postgresql_tmp_t:sock_file
|
||||
# instead of what is assumed to be correct: postgresql_var_run_t. -Don
|
||||
postgresql_unix_connect(httpd_t)
|
||||
')
|
||||
')
|
@ -600,6 +600,25 @@ interface(`auth_manage_pam_console_data',`
|
||||
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Delete pam_console data.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_delete_pam_console_data',`
|
||||
gen_require(`
|
||||
type pam_var_console_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_pids($1)
|
||||
allow $1 pam_var_console_t:dir rw_dir_perms;
|
||||
allow $1 pam_var_console_t:file unlink;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel all files on the filesystem, except
|
||||
|
@ -69,6 +69,8 @@ ifdef(`distro_suse', `
|
||||
/usr/lib/cron/run-crons -- context_template(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
/usr/lib/pgsql/test/regress/.*\.sh -- context_template(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)
|
||||
|
@ -72,6 +72,85 @@ interface(`files_pid_file',`
|
||||
typeattribute $1 pidfile;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type a
|
||||
## polyinstantiated directory.
|
||||
## </summary>
|
||||
## <param name="file_type">
|
||||
## Type of the file to be used as a
|
||||
## polyinstantiated directory.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_poly',`
|
||||
gen_require(`
|
||||
attribute polydir;
|
||||
')
|
||||
|
||||
files_type($1)
|
||||
typeattribute $1 polydir;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type a parent
|
||||
## of a polyinstantiated directory.
|
||||
## </summary>
|
||||
## <param name="file_type">
|
||||
## Type of the file to be used as a
|
||||
## parent directory.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_poly_parent',`
|
||||
gen_require(`
|
||||
attribute polyparent;
|
||||
')
|
||||
|
||||
files_type($1)
|
||||
typeattribute $1 polyparent;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type a
|
||||
## polyinstantiation member directory.
|
||||
## </summary>
|
||||
## <param name="file_type">
|
||||
## Type of the file to be used as a
|
||||
## member directory.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_poly_member',`
|
||||
gen_require(`
|
||||
attribute polymember;
|
||||
')
|
||||
|
||||
files_type($1)
|
||||
typeattribute $1 polymember;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the domain use the specified
|
||||
## type of polyinstantiated directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain using the polyinstantiated
|
||||
## directory.
|
||||
## </param>
|
||||
## <param name="file_type">
|
||||
## Type of the file to be used as a
|
||||
## member directory.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_poly_member_tmp',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
type_member $1 tmp_t:dir $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type a file
|
||||
@ -81,14 +160,18 @@ interface(`files_pid_file',`
|
||||
## Type of the file to be used as a
|
||||
## temporary file.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_tmp_file',`
|
||||
gen_require(`
|
||||
attribute tmpfile;
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
files_type($1)
|
||||
files_poly_member($1)
|
||||
fs_associate_tmpfs($1)
|
||||
typeattribute $1 tmpfile;
|
||||
allow $1 tmp_t:filesystem associate;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -648,7 +731,6 @@ interface(`files_unmount_rootfs',`
|
||||
interface(`files_dontaudit_getattr_default_dir',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 default_t:dir getattr;
|
||||
@ -665,12 +747,28 @@ interface(`files_dontaudit_getattr_default_dir',`
|
||||
interface(`files_list_default',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 default_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to list contents of
|
||||
## directories with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_list_default',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
')
|
||||
|
||||
dontaudit $1 default_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a filesystem on a directory with the default file type.
|
||||
@ -682,7 +780,6 @@ interface(`files_list_default',`
|
||||
interface(`files_mounton_default',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class dir { getattr search mounton };
|
||||
')
|
||||
|
||||
allow $1 default_t:dir { getattr search mounton };
|
||||
@ -716,12 +813,28 @@ interface(`files_dontaudit_getattr_default_files',`
|
||||
interface(`files_read_default_files',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 default_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read files
|
||||
## with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_read_default_files',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
')
|
||||
|
||||
dontaudit $1 default_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links with the default file type.
|
||||
@ -1531,6 +1644,24 @@ interface(`files_read_world_readable_sockets',`
|
||||
allow $1 readable_t:sock_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified type to associate
|
||||
## to a filesystem with the type of the
|
||||
## temporary directory (/tmp).
|
||||
## </summary>
|
||||
## <param name="file_type">
|
||||
## Type of the file to associate.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_associate_tmp',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:filesystem associate;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
@ -2322,6 +2453,20 @@ interface(`files_delete_all_pids',`
|
||||
allow $1 pidfile:sock_file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_delete_all_pid_dirs(domain)
|
||||
#
|
||||
interface(`files_delete_all_pid_dirs',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
type var_t;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 pidfile:dir { rw_dir_perms rmdir };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_search_spool(domain)
|
||||
|
@ -10,6 +10,18 @@ attribute file_type;
|
||||
attribute lockfile;
|
||||
attribute mountpoint;
|
||||
attribute pidfile;
|
||||
|
||||
# For labeling types that are to be polyinstantiated
|
||||
attribute polydir;
|
||||
|
||||
# And for labeling the parent directories of those polyinstantiated directories
|
||||
# This is necessary for remounting the original in the parent to give
|
||||
# security aware apps access
|
||||
attribute polyparent;
|
||||
|
||||
# And labeling for the member directories
|
||||
attribute polymember;
|
||||
|
||||
attribute tmpfile;
|
||||
attribute tmpfsfile;
|
||||
|
||||
|
@ -55,6 +55,7 @@ kernel_getattr_proc(fsadm_t)
|
||||
kernel_rw_unlabeled_dir(fsadm_t)
|
||||
kernel_use_unlabeled_blk_dev(fsadm_t)
|
||||
|
||||
dev_getattr_all_chr_files(fsadm_t)
|
||||
# mkreiserfs and other programs need this for UUID
|
||||
dev_read_rand(fsadm_t)
|
||||
dev_read_urand(fsadm_t)
|
||||
@ -145,5 +146,7 @@ optional_policy(`nis.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow fsadm_t tmpfs_t:file { read write };
|
||||
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
|
||||
') dnl end TODO
|
||||
|
@ -21,7 +21,6 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow hostname_t self:capability sys_admin;
|
||||
dontaudit hostname_t self:capability sys_tty_config;
|
||||
|
||||
kernel_read_kernel_sysctl(hostname_t)
|
||||
kernel_dontaudit_use_fd(hostname_t)
|
||||
kernel_list_proc(hostname_t)
|
||||
kernel_read_proc_symlinks(hostname_t)
|
||||
@ -84,9 +83,3 @@ optional_policy(`udev.te',`
|
||||
udev_dontaudit_use_fd(hostname_t)
|
||||
udev_read_db(hostname_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(hostname_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -51,15 +51,15 @@ type initrc_devpts_t;
|
||||
term_pty(initrc_devpts_t)
|
||||
files_type(initrc_devpts_t)
|
||||
|
||||
type initrc_var_run_t;
|
||||
files_pid_file(initrc_var_run_t)
|
||||
|
||||
type initrc_state_t;
|
||||
files_type(initrc_state_t)
|
||||
|
||||
type initrc_tmp_t;
|
||||
files_tmp_file(initrc_tmp_t)
|
||||
|
||||
type initrc_var_run_t;
|
||||
files_pid_file(initrc_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Init local policy
|
||||
@ -263,7 +263,7 @@ auth_rw_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
auth_delete_pam_pid(initrc_t)
|
||||
auth_list_pam_console_data(initrc_t)
|
||||
auth_delete_pam_console_data(initrc_t)
|
||||
|
||||
corecmd_exec_bin(initrc_t)
|
||||
corecmd_exec_sbin(initrc_t)
|
||||
@ -297,6 +297,7 @@ files_purge_tmp(initrc_t)
|
||||
files_delete_all_locks(initrc_t)
|
||||
files_read_all_pids(initrc_t)
|
||||
files_delete_all_pids(initrc_t)
|
||||
files_delete_all_pid_dirs(initrc_t)
|
||||
files_read_etc_files(initrc_t)
|
||||
files_manage_etc_runtime_files(initrc_t)
|
||||
files_manage_generic_locks(initrc_t)
|
||||
@ -477,6 +478,11 @@ optional_policy(`raid.te',`
|
||||
raid_manage_mdadm_pid(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`postgresql.te',`
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`quota.te',`
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
@ -535,6 +541,14 @@ ifdef(`TODO',`
|
||||
allow initrc_t xconsole_device_t:fifo_file setattr;
|
||||
|
||||
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
|
||||
allow initrc_t system_dbusd_var_run_t:sock_file write;
|
||||
|
||||
# rhgb-console writes to ramfs
|
||||
allow initrc_t ramfs_t:fifo_file write;
|
||||
|
||||
# during boot up initrc needs to do the following
|
||||
allow initrc_t default_t:dir write;
|
||||
|
||||
#
|
||||
# These rules are here to allow init scripts to su
|
||||
|
@ -26,10 +26,6 @@
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
||||
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
||||
/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
||||
/usr(/.*)?/java/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
@ -43,8 +39,14 @@
|
||||
|
||||
/usr(/.*)?/nvidia/.*\.so(\..*)? -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
||||
/usr/lib/pgsql/test/regress/.*\.so -- context_template(system_u:object_r:shlib_t,s0)
|
||||
|
||||
/usr/lib/win32/.* -- context_template(system_u:object_r:shlib_t,s0)
|
||||
|
||||
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
||||
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?lib/wine/.*\.so -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/(local/)?lib/libfame-.*\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/local/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
|
||||
|
@ -15,6 +15,7 @@ interface(`logging_log_file',`
|
||||
')
|
||||
|
||||
files_type($1)
|
||||
files_associate_tmp($1)
|
||||
fs_associate_tmpfs($1)
|
||||
typeattribute $1 logfile;
|
||||
')
|
||||
|
@ -51,6 +51,7 @@ files_pid_file(syslogd_var_run_t)
|
||||
|
||||
type var_log_t, logfile;
|
||||
files_type(var_log_t)
|
||||
files_associate_tmp(var_log_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -30,6 +30,9 @@ files_lock_file(lvm_lock_t)
|
||||
type lvm_metadata_t;
|
||||
files_type(lvm_metadata_t)
|
||||
|
||||
type lvm_var_run_t;
|
||||
files_pid_file(lvm_var_run_t)
|
||||
|
||||
type lvm_tmp_t;
|
||||
files_tmp_file(lvm_tmp_t)
|
||||
|
||||
@ -148,6 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms;
|
||||
allow lvm_t lvm_lock_t:file create_file_perms;
|
||||
files_create_lock(lvm_t,lvm_lock_t)
|
||||
|
||||
allow lvm_t lvm_var_run_t:file create_file_perms;
|
||||
allow lvm_t lvm_var_run_t:dir create_dir_perms;
|
||||
files_create_pid(lvm_t,lvm_var_run_t)
|
||||
|
||||
allow lvm_t lvm_etc_t:file r_file_perms;
|
||||
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
|
||||
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
|
||||
@ -213,7 +220,6 @@ domain_use_wide_inherit_fd(lvm_t)
|
||||
|
||||
files_read_etc_files(lvm_t)
|
||||
files_read_etc_runtime_files(lvm_t)
|
||||
files_dontaudit_getattr_pid_dir(lvm_t)
|
||||
# for when /usr is not mounted:
|
||||
files_dontaudit_search_isid_type_dir(lvm_t)
|
||||
|
||||
@ -258,6 +264,10 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# it has no reason to need this
|
||||
allow lvm_t var_t:dir { search getattr };
|
||||
allow lvm_t ramfs_t:filesystem unmount;
|
||||
|
||||
optional_policy(`gnome-pty-helper.te', `
|
||||
allow lvm_t sysadm_gph_t:fd use;
|
||||
')
|
||||
|
@ -51,6 +51,8 @@ can_exec(insmod_t, insmod_exec_t)
|
||||
|
||||
kernel_load_module(insmod_t)
|
||||
kernel_read_system_state(insmod_t)
|
||||
kernel_mount_debugfs(insmod_t)
|
||||
kernel_search_debugfs(insmod_t)
|
||||
# Rules for /proc/sys/kernel/tainted
|
||||
kernel_read_kernel_sysctl(insmod_t)
|
||||
kernel_rw_kernel_sysctl(insmod_t)
|
||||
@ -128,6 +130,7 @@ optional_policy(`rpm.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow insmod_t proc_t:file rw_file_perms;
|
||||
optional_policy(`xserver.te',`
|
||||
xserver_getattr_log(insmod_t)
|
||||
allow insmod_t xserver_misc_device_t:chr_file { read write };
|
||||
@ -182,6 +185,7 @@ optional_policy(`rpm.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow depmod_t modules_object_t:file unlink;
|
||||
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
||||
') dnl end ifdef TODO
|
||||
|
||||
|
@ -140,6 +140,10 @@ optional_policy(`udev.te', `
|
||||
ifdef(`TODO',`
|
||||
allow cardmgr_t modules_object_t:dir search;
|
||||
|
||||
ifdef(`dhcpc.te',`
|
||||
allow cardmgr_t dhcpc_var_run_t:file unlink;
|
||||
')
|
||||
|
||||
# Create device files in /tmp.
|
||||
# cjp: why is this created all over the place?
|
||||
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
|
||||
|
@ -25,6 +25,31 @@ interface(`sysnet_domtrans_dhcpc',`
|
||||
allow dhcpc_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute DHCP clients in the dhcpc domain, and
|
||||
## allow the specified role the dhcpc domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the clock domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the clock domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_run_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
')
|
||||
|
||||
sysnet_domtrans_dhcpc($1)
|
||||
role $2 types dhcpc_t;
|
||||
allow dhcpc_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to the dhcp client.
|
||||
@ -227,9 +252,6 @@ interface(`sysnet_read_dhcpc_pid',`
|
||||
interface(`sysnet_domtrans_ifconfig',`
|
||||
gen_require(`
|
||||
type ifconfig_t, ifconfig_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -260,7 +282,6 @@ interface(`sysnet_domtrans_ifconfig',`
|
||||
interface(`sysnet_run_ifconfig',`
|
||||
gen_require(`
|
||||
type ifconfig_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
@ -269,6 +290,23 @@ interface(`sysnet_run_ifconfig',`
|
||||
allow ifconfig_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Execute ifconfig in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_exec_ifconfig',`
|
||||
gen_require(`
|
||||
type ifconfig_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
can_exec($1,ifconfig_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the DHCP configuration files.
|
||||
@ -280,8 +318,6 @@ interface(`sysnet_run_ifconfig',`
|
||||
interface(`sysnet_read_dhcp_config',`
|
||||
gen_require(`
|
||||
type dhcp_etc_t;
|
||||
class dir search;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
|
@ -112,6 +112,7 @@ term_dontaudit_use_console(dhcpc_t)
|
||||
term_dontaudit_use_all_user_ttys(dhcpc_t)
|
||||
term_dontaudit_use_all_user_ptys(dhcpc_t)
|
||||
term_dontaudit_use_unallocated_tty(dhcpc_t)
|
||||
term_dontaudit_use_generic_pty(dhcpc_t)
|
||||
|
||||
corecmd_exec_bin(dhcpc_t)
|
||||
corecmd_exec_sbin(dhcpc_t)
|
||||
@ -209,6 +210,27 @@ optional_policy(`userdomain.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`cardmgr.te',`
|
||||
allow dhcpc_t cardmgr_dev_t:chr_file { read write };
|
||||
')
|
||||
|
||||
ifdef(`ypbind.te',`
|
||||
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
|
||||
')
|
||||
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, dhcpc)
|
||||
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
|
||||
allow dhcpc_t self:dbus send_msg;
|
||||
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
|
||||
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
|
||||
ifdef(`unconfined.te', `
|
||||
allow unconfined_t dhcpc_t:dbus send_msg;
|
||||
allow dhcpc_t unconfined_t:dbus send_msg;
|
||||
')dnl end ifdef unconfined.te
|
||||
')
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(dhcpc_t)
|
||||
')
|
||||
|
@ -41,11 +41,13 @@ template(`base_user_template',`
|
||||
# type for contents of home directory
|
||||
type $1_home_t, $1_file_type, home_type;
|
||||
files_type($1_home_t)
|
||||
files_associate_tmp($1_home_t)
|
||||
fs_associate_tmpfs($1_home_t)
|
||||
|
||||
# type of home directory
|
||||
type $1_home_dir_t, home_dir_type, home_type;
|
||||
files_type($1_home_dir_t)
|
||||
files_associate_tmp($1_home_dir_t)
|
||||
fs_associate_tmpfs($1_home_dir_t)
|
||||
|
||||
type $1_tmp_t, $1_file_type;
|
||||
@ -54,6 +56,14 @@ template(`base_user_template',`
|
||||
type $1_tmpfs_t;
|
||||
files_tmpfs_file($1_tmpfs_t)
|
||||
|
||||
# types for network-obtained content
|
||||
type $1_untrusted_content_t, $1_file_type; #, customizable
|
||||
files_type($1_untrusted_content_t)
|
||||
files_poly_member($1_untrusted_content_t)
|
||||
|
||||
type $1_untrusted_content_tmp_t, $1_file_type; # customizable
|
||||
files_tmp_file($1_untrusted_content_tmp_t)
|
||||
|
||||
type $1_tty_device_t;
|
||||
term_tty($1_t,$1_tty_device_t)
|
||||
|
||||
@ -77,8 +87,7 @@ template(`base_user_template',`
|
||||
allow $1_t self:msgq create_msgq_perms;
|
||||
allow $1_t self:msg { send receive };
|
||||
dontaudit $1_t self:socket create;
|
||||
# Irrelevant until we have labeled networking.
|
||||
#allow $1_t self:udp_socket { sendto recvfrom };
|
||||
allow $1_t self:udp_socket { sendto recvfrom };
|
||||
|
||||
# evolution and gnome-session try to create a netlink socket
|
||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
@ -93,11 +102,19 @@ template(`base_user_template',`
|
||||
allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
|
||||
allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
|
||||
allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
|
||||
allow $1_t $1_home_dir_t:dir create_dir_perms;
|
||||
allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
|
||||
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
|
||||
|
||||
can_exec($1_t,$1_tmp_t)
|
||||
|
||||
# user temporary files
|
||||
allow $1_t $1_tmp_t:file create_file_perms;
|
||||
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
|
||||
allow $1_t $1_tmp_t:dir create_dir_perms;
|
||||
allow $1_t $1_tmp_t:sock_file create_file_perms;
|
||||
allow $1_t $1_tmp_t:fifo_file create_file_perms;
|
||||
files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
|
||||
|
||||
# Bind to a Unix domain socket in /tmp.
|
||||
# cjp: this is combination is not checked and should be removed
|
||||
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
|
||||
@ -111,6 +128,10 @@ template(`base_user_template',`
|
||||
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
|
||||
|
||||
# Allow user to relabel untrusted content
|
||||
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
|
||||
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
|
||||
|
||||
allow $1_t unpriv_userdomain:fd use;
|
||||
|
||||
# Instantiate derived domains for a number of programs.
|
||||
@ -160,7 +181,14 @@ template(`base_user_template',`
|
||||
fs_get_all_fs_quotas($1_t)
|
||||
fs_getattr_all_fs($1_t)
|
||||
fs_search_auto_mountpoints($1_t)
|
||||
fs_exec_noxattr($1_t)
|
||||
|
||||
# cjp: some of this probably can be removed
|
||||
selinux_get_fs_mount($1_t)
|
||||
selinux_validate_context($1_t)
|
||||
selinux_compute_access_vector($1_t)
|
||||
selinux_compute_create_context($1_t)
|
||||
selinux_compute_relabel_context($1_t)
|
||||
selinux_compute_user_contexts($1_t)
|
||||
|
||||
# for eject
|
||||
storage_getattr_fixed_disk($1_t)
|
||||
@ -196,10 +224,13 @@ template(`base_user_template',`
|
||||
logging_dontaudit_getattr_all_logs($1_t)
|
||||
|
||||
miscfiles_read_localization($1_t)
|
||||
miscfiles_read_fonts($1_t)
|
||||
# for running TeX programs
|
||||
miscfiles_read_tetex_data($1_t)
|
||||
miscfiles_exec_tetex_data($1_t)
|
||||
|
||||
seutil_read_file_contexts($1_t)
|
||||
seutil_read_default_contexts($1_t)
|
||||
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
|
||||
mta_rw_spool($1_t)
|
||||
@ -209,12 +240,29 @@ template(`base_user_template',`
|
||||
allow $1_t self:process execmem;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execmem && allow_execstack',`
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1_t self:process execstack;
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_t)
|
||||
files_read_default_files($1_t)
|
||||
files_read_default_symlinks($1_t)
|
||||
files_read_default_sockets($1_t)
|
||||
files_read_default_pipes($1_t)
|
||||
',`
|
||||
files_dontaudit_list_default($1_t)
|
||||
files_dontaudit_read_default_files($1_t)
|
||||
')
|
||||
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
|
||||
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
|
||||
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
|
||||
',`
|
||||
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
|
||||
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
@ -224,6 +272,9 @@ template(`base_user_template',`
|
||||
fs_manage_nfs_named_sockets($1_t)
|
||||
fs_manage_nfs_named_pipes($1_t)
|
||||
fs_execute_nfs_files($1_t)
|
||||
',`
|
||||
fs_dontaudit_manage_nfs_dirs($1_t)
|
||||
fs_dontaudit_manage_nfs_files($1_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
@ -233,6 +284,9 @@ template(`base_user_template',`
|
||||
fs_manage_cifs_named_sockets($1_t)
|
||||
fs_manage_cifs_named_pipes($1_t)
|
||||
fs_execute_cifs_files($1_t)
|
||||
',`
|
||||
fs_dontaudit_manage_cifs_dirs($1_t)
|
||||
fs_dontaudit_manage_cifs_files($1_t)
|
||||
')
|
||||
|
||||
tunable_policy(`user_direct_mouse',`
|
||||
@ -329,36 +383,17 @@ template(`base_user_template',`
|
||||
|
||||
r_dir_file($1_t, usercanread)
|
||||
|
||||
tunable_policy(`allow_execmod',`
|
||||
# Allow text relocations on system shared libraries, e.g. libGL.
|
||||
allow $1_t texrel_shlib_t:file execmod;
|
||||
')
|
||||
|
||||
allow $1_t fs_type:dir getattr;
|
||||
|
||||
# old "file_browse_domain":
|
||||
# Regular files/directories that are not security sensitive
|
||||
dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
|
||||
dontaudit $1_t file_type - secure_file_type:dir { read search };
|
||||
# /dev
|
||||
dontaudit $1_t dev_fs:dir_file_class_set getattr;
|
||||
dontaudit $1_t dev_fs:dir { read search };
|
||||
# /proc
|
||||
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
|
||||
dontaudit $1_t proc_fs:dir { read search };
|
||||
|
||||
tunable_policy(`user_rw_noexattrfile',`
|
||||
create_dir_file($1_t, noexattrfile)
|
||||
# Write floppies
|
||||
storage_raw_read_removable_device($1_t)
|
||||
storage_raw_write_removable_device($1_t)
|
||||
# cjp: what does this have to do with removable devices?
|
||||
allow $1_t usbtty_device_t:chr_file write;
|
||||
',`
|
||||
r_dir_file($1_t, noexattrfile)
|
||||
r_dir_file($1_t, removable_t)
|
||||
allow $1_t removable_device_t:blk_file r_file_perms;
|
||||
')
|
||||
dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;
|
||||
dontaudit $1 file_type - secure_file_type:dir search;
|
||||
dontaudit $1 file_type - secure_file_type:dir read;
|
||||
dontaudit $1 unlabeled_t:dir_file_class_set getattr;
|
||||
dontaudit $1 unlabeled_t:dir search;
|
||||
dontaudit $1 unlabeled_t:dir read;
|
||||
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
|
||||
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
|
||||
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
|
||||
|
||||
allow $1_t usbtty_device_t:chr_file read;
|
||||
|
||||
@ -390,21 +425,16 @@ template(`base_user_template',`
|
||||
# Connect to portmap.
|
||||
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
|
||||
|
||||
# Use X
|
||||
x_client_domain($1, $1)
|
||||
|
||||
ifdef(`xserver.te', `
|
||||
# for /tmp/.ICE-unix
|
||||
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
|
||||
allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
# Connect to the X server run by the X Display Manager.
|
||||
can_unix_connect($1_t, xdm_t)
|
||||
allow $1_t xdm_tmp_t:sock_file rw_file_perms;
|
||||
allow $1_t xdm_tmp_t:dir r_dir_perms;
|
||||
allow $1_t xdm_tmp_t:file r_file_perms;
|
||||
allow $1_t xdm_xserver_tmp_t:sock_file { read write };
|
||||
allow $1_t xdm_xserver_tmp_t:dir search;
|
||||
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
# certain apps want to read xdm.pid file
|
||||
r_dir_file($1_t, xdm_var_run_t)
|
||||
allow $1_t xdm_var_lib_t:file r_file_perms;
|
||||
@ -412,12 +442,26 @@ template(`base_user_template',`
|
||||
ifdef(`xauth.te', `
|
||||
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
|
||||
')
|
||||
|
||||
# for shared memory
|
||||
allow xdm_xserver_t $1_tmpfs_t:file { read write };
|
||||
|
||||
')
|
||||
|
||||
# start read_fonts()
|
||||
|
||||
# cjp: this macro is unconditional, though
|
||||
# its in a conditional file.
|
||||
|
||||
# Manipulate the global font cache
|
||||
create_dir_file($1, $1_fonts_cache_t)
|
||||
|
||||
# Read per user fonts and font config
|
||||
r_dir_file($1, $1_fonts_t)
|
||||
r_dir_file($1, $1_fonts_config_t)
|
||||
|
||||
# There are some fonts in .gnome2
|
||||
ifdef(`gnome.te', `
|
||||
allow $1 $2_gnome_settings_t:dir { getattr search };
|
||||
')
|
||||
# end read_fonts()
|
||||
|
||||
ifdef(`rpcd.te', `
|
||||
create_dir_file($1_t, nfsd_rw_t)
|
||||
')
|
||||
@ -467,8 +511,13 @@ template(`unpriv_user_template', `
|
||||
domain_wide_inherit_fd($1_t)
|
||||
|
||||
typeattribute $1_devpts_t user_ptynode;
|
||||
|
||||
typeattribute $1_home_dir_t user_home_dir_type;
|
||||
files_poly($1_home_dir_t)
|
||||
|
||||
typeattribute $1_home_t user_home_type;
|
||||
files_poly_member($1_home_t)
|
||||
|
||||
typeattribute $1_tmp_t user_tmpfile;
|
||||
typeattribute $1_tty_device_t user_ttynode;
|
||||
|
||||
@ -484,14 +533,6 @@ template(`unpriv_user_template', `
|
||||
allow $1_home_t self:filesystem associate;
|
||||
allow $1_file_type $1_home_t:filesystem associate;
|
||||
|
||||
# user temporary files
|
||||
allow $1_t $1_tmp_t:file create_file_perms;
|
||||
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
|
||||
allow $1_t $1_tmp_t:dir create_dir_perms;
|
||||
allow $1_t $1_tmp_t:sock_file create_file_perms;
|
||||
allow $1_t $1_tmp_t:fifo_file create_file_perms;
|
||||
files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
|
||||
|
||||
# privileged home directory writers
|
||||
allow privhome $1_home_t:file create_file_perms;
|
||||
allow privhome $1_home_t:lnk_file create_lnk_perms;
|
||||
@ -537,6 +578,11 @@ template(`unpriv_user_template', `
|
||||
# so it can be used without privilege to write real binary policy file
|
||||
seutil_exec_checkpol($1_t)
|
||||
|
||||
ifdef(`enable_polyinstantiation',`
|
||||
type_member $1_t $1_home_dir_t:dir $1_home_t;
|
||||
files_poly_member_tmp($1_t)
|
||||
')
|
||||
|
||||
tunable_policy(`user_dmesg',`
|
||||
kernel_read_ring_buffer($1_t)
|
||||
',`
|
||||
@ -575,6 +621,22 @@ template(`unpriv_user_template', `
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`enable_mls',`',`
|
||||
fs_exec_noxattr($1_t)
|
||||
tunable_policy(`user_rw_noexattrfile',`
|
||||
create_dir_file($1_t, noexattrfile)
|
||||
# Write floppies
|
||||
storage_raw_read_removable_device($1_t)
|
||||
storage_raw_write_removable_device($1_t)
|
||||
# cjp: what does this have to do with removable devices?
|
||||
allow $1_t usbtty_device_t:chr_file write;
|
||||
',`
|
||||
r_dir_file($1_t, noexattrfile)
|
||||
r_dir_file($1_t, removable_t)
|
||||
allow $1_t removable_device_t:blk_file r_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
dontaudit $1_t boot_t:lnk_file read;
|
||||
dontaudit $1_t boot_t:file read;
|
||||
|
||||
@ -596,16 +658,20 @@ template(`unpriv_user_template', `
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`useradd.te', `
|
||||
# Useradd relabels /etc/skel files so needs these privs
|
||||
allow useradd_t $1_file_type:dir create_dir_perms;
|
||||
allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
|
||||
')
|
||||
|
||||
# Stat lost+found.
|
||||
allow $1_t lost_found_t:dir getattr;
|
||||
|
||||
# Read /var, /var/spool, /var/run.
|
||||
allow $1_t var_t:dir r_dir_perms;
|
||||
allow $1_t var_t:notdevfile_class_set r_file_perms;
|
||||
allow $1_t var_spool_t:dir r_dir_perms;
|
||||
allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
|
||||
allow $1_t var_run_t:dir r_dir_perms;
|
||||
allow $1_t var_run_t:{ file lnk_file } r_file_perms;
|
||||
r_dir_file($1_t, var_t)
|
||||
# what about pipes and sockets under /var/spool?
|
||||
r_dir_file($1_t, var_spool_t)
|
||||
r_dir_file($1_t, var_run_t)
|
||||
allow $1_t var_lib_t:dir r_dir_perms;
|
||||
allow $1_t var_lib_t:file { getattr read };
|
||||
|
||||
@ -631,23 +697,6 @@ template(`unpriv_user_template', `
|
||||
|
||||
allow $1_t initrc_t:fifo_file write;
|
||||
|
||||
ifdef(`user_can_mount', `
|
||||
#
|
||||
# Allow users to mount file systems like floppies and cdrom
|
||||
#
|
||||
mount_domain($1, $1_mount, `, fs_domain')
|
||||
r_dir_file($1_t, mnt_t)
|
||||
allow $1_mount_t device_t:lnk_file read;
|
||||
allow $1_mount_t removable_device_t:blk_file read;
|
||||
allow $1_mount_t iso9660_t:filesystem relabelfrom;
|
||||
allow $1_mount_t removable_t:filesystem { mount relabelto };
|
||||
allow $1_mount_t removable_t:dir mounton;
|
||||
ifdef(`xdm.te', `
|
||||
allow $1_mount_t xdm_t:fd use;
|
||||
allow $1_mount_t xdm_t:fifo_file { read write };
|
||||
')
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
@ -721,16 +770,11 @@ template(`admin_user_template',`
|
||||
# for the administrator to run TCP servers directly
|
||||
allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
|
||||
|
||||
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
|
||||
allow $1_t $1_tmp_t:dir create_dir_perms;
|
||||
allow $1_t $1_tmp_t:file create_file_perms;
|
||||
allow $1_t $1_tmp_t:lnk_file create_file_perms;
|
||||
allow $1_t $1_tmp_t:fifo_file create_file_perms;
|
||||
allow $1_t $1_tmp_t:sock_file create_file_perms;
|
||||
files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
|
||||
|
||||
kernel_read_system_state($1_t)
|
||||
kernel_read_network_state($1_t)
|
||||
kernel_read_software_raid_state($1_t)
|
||||
@ -761,6 +805,7 @@ template(`admin_user_template',`
|
||||
|
||||
fs_getattr_all_fs($1_t)
|
||||
fs_set_all_quotas($1_t)
|
||||
fs_exec_noxattr($1_t)
|
||||
|
||||
selinux_set_enforce_mode($1_t)
|
||||
selinux_set_boolean($1_t)
|
||||
@ -847,7 +892,7 @@ template(`admin_user_template',`
|
||||
allow xdm_t $1_home_t:lnk_file read;
|
||||
allow xdm_t $1_home_t:dir search;
|
||||
')
|
||||
allow $1_t xdm_t:fifo_file rw_file_perms;
|
||||
can_pipe_xdm($1_t)
|
||||
')
|
||||
|
||||
# Connect data port to ftpd.
|
||||
@ -877,6 +922,21 @@ template(`admin_user_template',`
|
||||
# Run programs from staff home directories.
|
||||
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
|
||||
can_exec($1_t, staff_home_t)
|
||||
|
||||
tunable_policy(`user_rw_noexattrfile',`
|
||||
create_dir_file($1_t, noexattrfile)
|
||||
# Write floppies
|
||||
storage_raw_read_removable_device($1_t)
|
||||
storage_raw_write_removable_device($1_t)
|
||||
# cjp: what does this have to do with removable devices?
|
||||
allow $1_t usbtty_device_t:chr_file write;
|
||||
',`
|
||||
r_dir_file($1_t, noexattrfile)
|
||||
r_dir_file($1_t, removable_t)
|
||||
allow $1_t removable_device_t:blk_file r_file_perms;
|
||||
')
|
||||
allow $1 removable_t:filesystem getattr;
|
||||
|
||||
') dnl endif TODO
|
||||
')
|
||||
|
||||
@ -2037,7 +2097,7 @@ interface(`userdom_sigcld_all_users',`
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
allow $1 userdomain:process sigghld;
|
||||
allow $1 userdomain:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -223,6 +223,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
|
||||
sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`unconfined.te',`
|
||||
@ -233,4 +234,8 @@ ifdef(`targeted_policy',`
|
||||
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
|
||||
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`vpn.te',`
|
||||
vpn_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
')
|
||||
|
@ -17,19 +17,27 @@ general_proc_read_access(sysadm_t)
|
||||
# sysadm_t is also granted permissions specific to administrator domains.
|
||||
admin_domain(sysadm)
|
||||
|
||||
# Allow administrator domains to set the enforcing flag.
|
||||
can_setenforce(sysadm_t)
|
||||
|
||||
# Allow administrator domains to set policy booleans.
|
||||
can_setbool(sysadm_t)
|
||||
|
||||
# Allow administrator domains to set security parameters
|
||||
can_setsecparam(sysadm_t)
|
||||
|
||||
# for su
|
||||
allow sysadm_t userdomain:fd use;
|
||||
|
||||
define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
|
||||
ifdef(`separate_secadm', `', `
|
||||
security_manager_domain(sysadm_t)
|
||||
')
|
||||
|
||||
# Add/remove user home directories
|
||||
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
||||
|
||||
limited_user_role(secadm)
|
||||
typeattribute secadm_t admin;
|
||||
role secadm_r types secadm_t;
|
||||
security_manager_domain(secadm_t)
|
||||
r_dir_file(secadm_t, { var_t var_log_t })
|
||||
|
||||
typeattribute secadm_tty_device_t admin_tty_type;
|
||||
typeattribute secadm_devpts_t admin_tty_type;
|
||||
|
||||
bool allow_ptrace false;
|
||||
|
||||
if (allow_ptrace) {
|
||||
can_ptrace(sysadm_t, domain)
|
||||
}
|
||||
|
@ -1,18 +0,0 @@
|
||||
#
|
||||
# Alias file to stop blow up during policy upgrade, since
|
||||
# screensaver policy is being removed.
|
||||
#
|
||||
typealias bin_t alias screensaver_exec_t;
|
||||
typealias sysadm_home_t alias sysadm_screensaver_t;
|
||||
typealias sysadm_home_t alias sysadm_screensaver_rw_t;
|
||||
typealias sysadm_home_t alias sysadm_screensaver_ro_t;
|
||||
typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t;
|
||||
typealias user_home_t alias user_screensaver_t;
|
||||
typealias user_home_t alias user_screensaver_rw_t;
|
||||
typealias user_home_t alias user_screensaver_ro_t;
|
||||
typealias user_home_t alias user_screensaver_tmpfs_t;
|
||||
typealias staff_home_t alias staff_screensaver_t;
|
||||
typealias staff_home_t alias staff_screensaver_rw_t;
|
||||
typealias staff_home_t alias staff_screensaver_ro_t;
|
||||
typealias staff_home_t alias staff_screensaver_tmpfs_t;
|
||||
|
@ -17,4 +17,9 @@ can_ypbind(system_dbusd_t)
|
||||
# I expect we need more than this
|
||||
|
||||
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
|
||||
allow initrc_t system_dbusd_var_run_t:sock_file write;
|
||||
|
||||
can_exec(system_dbusd_t, sbin_t)
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:unix_stream_socket connectto;
|
||||
|
@ -43,6 +43,8 @@ ifdef(`cardmgr.te', `
|
||||
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
|
||||
allow cardmgr_t dhcpc_t:process signal_perms;
|
||||
allow cardmgr_t dhcpc_var_run_t:file unlink;
|
||||
allow dhcpc_t cardmgr_dev_t:chr_file { read write };
|
||||
')
|
||||
ifdef(`hotplug.te', `
|
||||
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
|
||||
@ -126,7 +128,7 @@ can_exec(dhcpc_t, { bin_t shell_exec_t })
|
||||
ifdef(`hostname.te', `
|
||||
domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
|
||||
')
|
||||
dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write };
|
||||
dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
|
||||
allow dhcpc_t { userdomain kernel_t }:fd use;
|
||||
|
||||
allow dhcpc_t home_root_t:dir search;
|
||||
@ -142,7 +144,22 @@ allow dhcpc_t initrc_var_run_t:file rw_file_perms;
|
||||
can_exec(dhcpc_t, initrc_exec_t)
|
||||
ifdef(`ypbind.te', `
|
||||
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
|
||||
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
|
||||
')
|
||||
ifdef(`ntpd.te', `
|
||||
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
|
||||
')
|
||||
role sysadm_r types dhcpc_t;
|
||||
domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, dhcpc)
|
||||
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
|
||||
allow dhcpc_t self:dbus send_msg;
|
||||
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
|
||||
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
|
||||
ifdef(`unconfined.te', `
|
||||
allow unconfined_t dhcpc_t:dbus send_msg;
|
||||
allow dhcpc_t unconfined_t:dbus send_msg;
|
||||
')dnl end ifdef unconfined.te
|
||||
')
|
||||
|
@ -29,6 +29,7 @@ read_sysctl(fsadm_t)
|
||||
|
||||
# for /dev/shm
|
||||
allow fsadm_t tmpfs_t:dir { getattr search };
|
||||
allow fsadm_t tmpfs_t:file { read write };
|
||||
|
||||
base_file_read_access(fsadm_t)
|
||||
|
||||
@ -115,3 +116,5 @@ system_crond_entry(fsadm_exec_t, fsadm_t)
|
||||
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
|
||||
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
|
||||
allow fsadm_t usbfs_t:dir { getattr search };
|
||||
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
|
||||
allow fsadm_t device_type:chr_file getattr;
|
||||
|
@ -8,11 +8,8 @@
|
||||
type gpg_exec_t, file_type, sysadmfile, exec_type;
|
||||
type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
|
||||
allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
|
||||
allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
|
||||
|
||||
# Allow gpg exec stack
|
||||
bool allow_gpg_execstack false;
|
||||
|
||||
# Everything else is in the gpg_domain macro in
|
||||
# macros/program/gpg_macros.te.
|
||||
|
@ -65,10 +65,9 @@ allow hald_t udev_tbl_t:file { getattr read };
|
||||
ifdef(`hotplug.te', `
|
||||
r_dir_file(hald_t, hotplug_etc_t)
|
||||
')
|
||||
allow hald_t usbdevfs_t:dir search;
|
||||
allow hald_t usbdevfs_t:file { getattr read };
|
||||
allow hald_t usbfs_t:dir search;
|
||||
allow hald_t usbfs_t:file { getattr read };
|
||||
allow hald_t fs_type:dir { search getattr };
|
||||
allow hald_t usbfs_t:dir r_dir_perms;
|
||||
allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
|
||||
allow hald_t bin_t:lnk_file read;
|
||||
r_dir_file(hald_t, { selinux_config_t default_context_t } )
|
||||
allow hald_t initrc_t:dbus send_msg;
|
||||
@ -80,3 +79,25 @@ allow hald_t device_t:chr_file create_file_perms;
|
||||
tmp_domain(hald)
|
||||
allow hald_t mnt_t:dir search;
|
||||
r_dir_file(hald_t, proc_net_t)
|
||||
|
||||
# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
|
||||
ifdef(`apmd.te', `
|
||||
allow hald_t apmd_var_run_t:sock_file write;
|
||||
allow hald_t apmd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# For /usr/libexec/hald-probe-smbios
|
||||
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
|
||||
|
||||
# ??
|
||||
ifdef(`lvm.te', `
|
||||
allow hald_t lvm_control_t:chr_file r_file_perms;
|
||||
')
|
||||
ifdef(`targeted_policy', `
|
||||
allow unconfined_t hald_t:dbus send_msg;
|
||||
allow hald_t unconfined_t:dbus send_msg;
|
||||
')
|
||||
ifdef(`mount.te', `
|
||||
domain_auto_trans(hald_t, mount_exec_t, mount_t)
|
||||
')
|
||||
|
||||
|
@ -4,9 +4,7 @@
|
||||
# X-Debian-Packages: hostname
|
||||
|
||||
# for setting the hostname
|
||||
daemon_base_domain(hostname, , nosysadm)
|
||||
role sysadm_r types hostname_t;
|
||||
|
||||
daemon_core_rules(hostname, , nosysadm)
|
||||
allow hostname_t self:capability sys_admin;
|
||||
allow hostname_t etc_t:file { getattr read };
|
||||
|
||||
|
@ -123,7 +123,10 @@ allow initrc_t fs_type:filesystem mount_fs_perms;
|
||||
allow initrc_t file_t:dir { read search getattr mounton };
|
||||
|
||||
# during boot up initrc needs to do the following
|
||||
allow initrc_t default_t:dir { read search getattr mounton };
|
||||
allow initrc_t default_t:dir { write read search getattr mounton };
|
||||
|
||||
# rhgb-console writes to ramfs
|
||||
allow initrc_t ramfs_t:fifo_file write;
|
||||
|
||||
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
|
||||
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
|
||||
@ -233,7 +236,7 @@ allow initrc_t home_type:file r_file_perms;
|
||||
allow initrc_t pidfile:file { getattr read unlink };
|
||||
|
||||
# for system start scripts
|
||||
allow initrc_t pidfile:dir rw_dir_perms;
|
||||
allow initrc_t pidfile:dir { rmdir rw_dir_perms };
|
||||
allow initrc_t pidfile:sock_file unlink;
|
||||
|
||||
rw_dir_create_file(initrc_t, var_lib_t)
|
||||
@ -316,3 +319,6 @@ domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||
')
|
||||
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow initrc_t device_t:lnk_file create_file_perms;
|
||||
ifdef(`dbusd.te', `
|
||||
allow initrc_t system_dbusd_var_run_t:sock_file write;
|
||||
')
|
||||
|
@ -108,11 +108,11 @@ dontaudit lvm_t gpmctl_t:sock_file getattr;
|
||||
')
|
||||
dontaudit lvm_t initctl_t:fifo_file getattr;
|
||||
allow lvm_t sbin_t:dir search;
|
||||
dontaudit lvm_t sbin_t:file getattr;
|
||||
dontaudit lvm_t sbin_t:file { getattr read };
|
||||
allow lvm_t lvm_control_t:chr_file rw_file_perms;
|
||||
allow initrc_t lvm_control_t:chr_file { getattr read unlink };
|
||||
allow initrc_t device_t:chr_file create;
|
||||
dontaudit lvm_t var_run_t:dir getattr;
|
||||
var_run_domain(lvm)
|
||||
|
||||
# for when /usr is not mounted
|
||||
dontaudit lvm_t file_t:dir search;
|
||||
@ -122,6 +122,8 @@ r_dir_file(lvm_t, selinux_config_t)
|
||||
|
||||
# it has no reason to need this
|
||||
dontaudit lvm_t proc_kcore_t:file getattr;
|
||||
allow lvm_t var_t:dir { search getattr };
|
||||
allow lvm_t ramfs_t:filesystem unmount;
|
||||
|
||||
# cluster LVM daemon
|
||||
daemon_domain(clvmd)
|
||||
|
@ -56,6 +56,7 @@ file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
|
||||
# Read module objects.
|
||||
allow depmod_t modules_object_t:dir r_dir_perms;
|
||||
allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
|
||||
allow depmod_t modules_object_t:file unlink;
|
||||
|
||||
# Access terminals.
|
||||
allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
|
||||
@ -137,15 +138,15 @@ allow insmod_t initrc_t:fifo_file { getattr read write };
|
||||
|
||||
allow insmod_t fs_t:filesystem getattr;
|
||||
allow insmod_t sysfs_t:dir search;
|
||||
allow insmod_t { usbfs_t usbdevfs_t }:dir search;
|
||||
allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
|
||||
allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
|
||||
allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
|
||||
|
||||
# Rules for /proc/sys/kernel/tainted
|
||||
read_sysctl(insmod_t)
|
||||
allow insmod_t proc_t:dir search;
|
||||
allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
|
||||
|
||||
allow insmod_t proc_t:file { getattr read };
|
||||
allow insmod_t proc_t:file rw_file_perms;
|
||||
allow insmod_t proc_t:lnk_file read;
|
||||
|
||||
# Write to /proc/mtrr.
|
||||
|
@ -45,5 +45,6 @@ allow pam_console_t hotplug_t:fd use;
|
||||
ifdef(`xdm.te', `
|
||||
allow pam_console_t xdm_var_run_t:file { getattr read };
|
||||
')
|
||||
allow initrc_t pam_var_console_t:dir r_dir_perms;
|
||||
allow initrc_t pam_var_console_t:dir rw_dir_perms;
|
||||
allow initrc_t pam_var_console_t:file unlink;
|
||||
allow pam_console_t file_context_t:file { getattr read };
|
||||
|
@ -10,7 +10,6 @@
|
||||
#
|
||||
# postgresql_exec_t is the type of the postgresql executable.
|
||||
#
|
||||
type postgresql_port_t, port_type;
|
||||
daemon_domain(postgresql)
|
||||
allow initrc_t postgresql_exec_t:lnk_file read;
|
||||
allow postgresql_t usr_t:file { getattr read };
|
||||
@ -37,7 +36,6 @@ allow postgresql_t self:capability { kill dac_override dac_read_search chown fow
|
||||
dontaudit postgresql_t self:capability sys_admin;
|
||||
|
||||
etcdir_domain(postgresql)
|
||||
typealias postgresql_etc_t alias etc_postgresql_t;
|
||||
type postgresql_db_t, file_type, sysadmfile;
|
||||
|
||||
logdir_domain(postgresql)
|
||||
@ -52,7 +50,7 @@ tmp_domain(postgresql, `', `{ dir file sock_file }')
|
||||
file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
|
||||
|
||||
# Use the network.
|
||||
can_network_server(postgresql_t)
|
||||
can_network(postgresql_t)
|
||||
can_ypbind(postgresql_t)
|
||||
allow postgresql_t self:fifo_file { getattr read write ioctl };
|
||||
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -69,6 +67,7 @@ if (allow_user_postgresql_connect) {
|
||||
can_tcp_connect(userdomain, postgresql_t)
|
||||
allow userdomain postgresql_t:unix_stream_socket connectto;
|
||||
allow userdomain postgresql_var_run_t:sock_file write;
|
||||
allow userdomain postgresql_tmp_t:sock_file write;
|
||||
}
|
||||
')
|
||||
ifdef(`consoletype.te', `
|
||||
@ -80,6 +79,7 @@ can_exec(postgresql_t, hostname_exec_t)
|
||||
')
|
||||
|
||||
allow postgresql_t postgresql_port_t:tcp_socket name_bind;
|
||||
allow postgresql_t auth_port_t:tcp_socket name_connect;
|
||||
|
||||
allow postgresql_t { proc_t self }:file { getattr read };
|
||||
|
||||
@ -110,9 +110,9 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
||||
allow postgresql_t self:sem create_sem_perms;
|
||||
|
||||
allow postgresql_t initrc_var_run_t:file { getattr read lock };
|
||||
dontaudit postgresql_t selinux_config_t:dir { search };
|
||||
allow postgresql_t mail_spool_t:dir { search };
|
||||
rw_dir_create_file(postgresql_t, var_lock_t)
|
||||
dontaudit postgresql_t selinux_config_t:dir search;
|
||||
allow postgresql_t mail_spool_t:dir search;
|
||||
lock_domain(postgresql)
|
||||
can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
|
||||
ifdef(`apache.te', `
|
||||
#
|
||||
@ -124,11 +124,15 @@ can_unix_connect(httpd_t, postgresql_t)
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
# "su - postgres ..." is called from initrc_t
|
||||
allow initrc_su_t postgresql_db_t:dir { search };
|
||||
allow postgresql_t initrc_su_t:process { sigchld };
|
||||
allow initrc_su_t postgresql_db_t:dir search;
|
||||
allow postgresql_t initrc_su_t:process sigchld;
|
||||
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
dontaudit postgresql_t home_root_t:dir search;
|
||||
can_kerberos(postgresql_t)
|
||||
allow postgresql_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
if (allow_execmem) {
|
||||
allow postgresql_t self:process execmem;
|
||||
}
|
||||
|
@ -10,9 +10,9 @@
|
||||
# vpnc_t is the domain for the vpnc program.
|
||||
# vpnc_exec_t is the type of the vpnc executable.
|
||||
#
|
||||
daemon_domain(vpnc, `, sysctl_net_writer')
|
||||
application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
|
||||
|
||||
allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
|
||||
allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
|
||||
|
||||
# Use the network.
|
||||
can_network(vpnc_t)
|
||||
@ -31,7 +31,7 @@ allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
|
||||
allow vpnc_t self:rawip_socket create_socket_perms;
|
||||
allow vpnc_t self:unix_dgram_socket create_socket_perms;
|
||||
allow vpnc_t self:unix_stream_socket create_socket_perms;
|
||||
allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
|
||||
allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
|
||||
allow vpnc_t port_t:udp_socket name_bind;
|
||||
allow vpnc_t etc_runtime_t:file { getattr read };
|
||||
allow vpnc_t proc_t:file { getattr read };
|
||||
@ -42,6 +42,8 @@ allow vpnc_t sysctl_net_t:file write;
|
||||
allow vpnc_t sbin_t:dir search;
|
||||
allow vpnc_t bin_t:dir search;
|
||||
allow vpnc_t bin_t:lnk_file read;
|
||||
allow vpnc_t self:dir search;
|
||||
r_dir_file(vpnc_t, proc_t)
|
||||
r_dir_file(vpnc_t, proc_net_t)
|
||||
tmp_domain(vpnc)
|
||||
allow vpnc_t self:fifo_file { getattr ioctl read write };
|
||||
@ -49,3 +51,12 @@ allow vpnc_t self:file { getattr read };
|
||||
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
|
||||
allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
|
||||
dontaudit vpnc_t home_root_t:dir search;
|
||||
dontaudit vpnc_t user_home_dir_type:dir search;
|
||||
var_run_domain(vpnc)
|
||||
allow vpnc_t userdomain:fd use;
|
||||
r_dir_file(vpnc_t, sysfs_t)
|
||||
allow vpnc_t self:process { fork sigchld };
|
||||
read_locale(vpnc_t)
|
||||
read_sysctl(vpnc_t)
|
||||
allow vpnc_t fs_t:filesystem getattr;
|
||||
|
@ -4,6 +4,16 @@
|
||||
|
||||
# Booleans for user domains.
|
||||
|
||||
# Allow applications to read untrusted content
|
||||
# If this is disallowed, Internet content has
|
||||
# to be manually relabeled for read access to be granted
|
||||
bool read_untrusted_content false;
|
||||
|
||||
# Allow applications to write untrusted content
|
||||
# If this is disallowed, no Internet content
|
||||
# will be stored.
|
||||
bool write_untrusted_content false;
|
||||
|
||||
# Allow users to read system messages.
|
||||
bool user_dmesg false;
|
||||
|
||||
@ -54,54 +64,6 @@ bool read_default_t false;
|
||||
# files (such as ~/.bashrc)
|
||||
bool staff_read_sysadm_file false;
|
||||
|
||||
# change from role $1_r to $2_r and relabel tty appropriately
|
||||
define(`role_tty_type_change', `
|
||||
allow $1_r $2_r;
|
||||
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
|
||||
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
|
||||
# avoid annoying messages on terminal hangup
|
||||
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
|
||||
')
|
||||
|
||||
# Reach sysadm_t via programs like userhelper/sudo/su
|
||||
undefine(`reach_sysadm')
|
||||
define(`reach_sysadm', `
|
||||
ifdef(`userhelper.te', `userhelper_domain($1)')
|
||||
ifdef(`sudo.te', `sudo_domain($1)')
|
||||
ifdef(`su.te', `
|
||||
su_domain($1)
|
||||
# When an ordinary user domain runs su, su may try to
|
||||
# update the /root/.Xauthority file, and the user shell may
|
||||
# try to update the shell history. This is not allowed, but
|
||||
# we dont need to audit it.
|
||||
dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
|
||||
dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
|
||||
dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
|
||||
') dnl ifdef su.te
|
||||
')
|
||||
|
||||
# Privileged user domain
|
||||
undefine(`priv_user')
|
||||
define(`priv_user', `
|
||||
# Reach sysadm_t
|
||||
reach_sysadm($1)
|
||||
|
||||
# Read file_contexts for rpm and get security decisions.
|
||||
r_dir_file($1_t, file_context_t)
|
||||
can_getsecurity($1_t)
|
||||
|
||||
# Signal and see information about unprivileged user domains.
|
||||
allow $1_t unpriv_userdomain:process signal_perms;
|
||||
can_ps($1_t, unpriv_userdomain)
|
||||
allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
|
||||
|
||||
# Read /root files if boolean is enabled.
|
||||
if (staff_read_sysadm_file) {
|
||||
allow $1_t sysadm_home_dir_t:dir { getattr search };
|
||||
allow $1_t sysadm_home_t:file { getattr read };
|
||||
}
|
||||
|
||||
') dnl priv_user
|
||||
|
||||
full_user_role(user)
|
||||
|
||||
|
@ -14,3 +14,7 @@
|
||||
/usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t
|
||||
/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t
|
||||
/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t
|
||||
ifdef(`distro_redhat', `
|
||||
/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t
|
||||
/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
|
||||
')
|
||||
|
@ -20,15 +20,19 @@ type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
|
||||
type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
|
||||
|
||||
# Type and access for pty devices.
|
||||
can_create_pty($1)
|
||||
can_create_pty($1, `, admin_tty_type')
|
||||
|
||||
tmp_domain($1, `, $1_file_type', `{ file dir lnk_file sock_file fifo_file }')
|
||||
# Transition manually for { lnk sock fifo }. The rest is in content macros.
|
||||
tmp_domain_notrans($1, `, $1_file_type')
|
||||
file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
|
||||
allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
|
||||
|
||||
# Type for tty devices.
|
||||
type $1_tty_device_t, sysadmfile, ttyfile, dev_fs;
|
||||
type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
base_user_domain($1)
|
||||
access_removable_media($1_t)
|
||||
|
||||
allow $1_t self:capability setuid;
|
||||
|
||||
@ -36,11 +40,6 @@ ifdef(`su.te', `su_domain($1)')
|
||||
ifdef(`userhelper.te', `userhelper_domain($1)')
|
||||
ifdef(`sudo.te', `sudo_domain($1)')
|
||||
|
||||
# Violates the goal of limiting write access to checkpolicy.
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
create_dir_file($1_t, policy_config_t)
|
||||
r_dir_file($1_t, selinux_config_t)
|
||||
|
||||
# Let admin stat the shadow file.
|
||||
allow $1_t shadow_t:file getattr;
|
||||
|
||||
@ -51,12 +50,12 @@ allow $1_crond_t var_log_t:file r_file_perms;
|
||||
# Allow system log read
|
||||
allow $1_t kernel_t:system syslog_read;
|
||||
|
||||
# Allow autrace
|
||||
# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
|
||||
|
||||
# Use capabilities other than sys_module.
|
||||
allow $1_t self:capability ~sys_module;
|
||||
|
||||
# Get security policy decisions.
|
||||
can_getsecurity($1_t)
|
||||
|
||||
# Use system operations.
|
||||
allow $1_t kernel_t:system *;
|
||||
|
||||
@ -82,12 +81,6 @@ allow $1_t sysadmfile:dir create_dir_perms;
|
||||
allow $1_t mtrr_device_t:file getattr;
|
||||
allow $1_t fs_type:dir getattr;
|
||||
|
||||
# Set an exec context, e.g. for runcon.
|
||||
can_setexec($1_t)
|
||||
|
||||
# Set a context other than the default one for newly created files.
|
||||
can_setfscreate($1_t)
|
||||
|
||||
# Access removable devices.
|
||||
allow $1_t removable_device_t:devfile_class_set rw_file_perms;
|
||||
|
||||
@ -124,18 +117,6 @@ can_exec($1_t, staff_home_t)
|
||||
# Run programs from /usr/src.
|
||||
can_exec($1_t, src_t)
|
||||
|
||||
# Run admin programs that require different permissions in their own domain.
|
||||
# These rules were moved into the appropriate program domain file.
|
||||
|
||||
# added by mayerf@tresys.com
|
||||
# The following rules are temporary until such time that a complete
|
||||
# policy management infrastructure is in place so that an administrator
|
||||
# cannot directly manipulate policy files with arbitrary programs.
|
||||
#
|
||||
allow $1_t policy_src_t:file create_file_perms;
|
||||
allow $1_t policy_src_t:lnk_file create_lnk_perms;
|
||||
allow $1_t policy_src_t:dir create_dir_perms;
|
||||
|
||||
# Relabel all files.
|
||||
# Actually this will not allow relabeling ALL files unless you change
|
||||
# sysadmfile to file_type (and change the assertion in assert.te that
|
||||
@ -157,7 +138,7 @@ if (xdm_sysadm_login) {
|
||||
allow xdm_t $1_home_t:lnk_file read;
|
||||
allow xdm_t $1_home_t:dir search;
|
||||
}
|
||||
allow $1_t xdm_t:fifo_file rw_file_perms;
|
||||
can_pipe_xdm($1_t)
|
||||
')dnl end ifdef xauth.te
|
||||
')dnl end ifdef xdm.te
|
||||
|
||||
@ -205,3 +186,42 @@ allow $1_t device_t:lnk_file { create read };
|
||||
allow $1_t domain:socket_class_set getattr;
|
||||
allow $1_t eventpollfs_t:file getattr;
|
||||
')
|
||||
|
||||
define(`security_manager_domain', `
|
||||
|
||||
typeattribute $1 secadmin;
|
||||
# Allow administrator domains to set the enforcing flag.
|
||||
can_setenforce($1)
|
||||
|
||||
# Allow administrator domains to set policy booleans.
|
||||
can_setbool($1)
|
||||
|
||||
# Get security policy decisions.
|
||||
can_getsecurity($1)
|
||||
|
||||
# Allow administrator domains to set security parameters
|
||||
can_setsecparam($1)
|
||||
|
||||
# Run admin programs that require different permissions in their own domain.
|
||||
# These rules were moved into the appropriate program domain file.
|
||||
|
||||
# added by mayerf@tresys.com
|
||||
# The following rules are temporary until such time that a complete
|
||||
# policy management infrastructure is in place so that an administrator
|
||||
# cannot directly manipulate policy files with arbitrary programs.
|
||||
#
|
||||
allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
|
||||
allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
|
||||
allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
|
||||
|
||||
# Set an exec context, e.g. for runcon.
|
||||
can_setexec($1)
|
||||
|
||||
# Set a context other than the default one for newly created files.
|
||||
can_setfscreate($1)
|
||||
|
||||
allow $1 self:netlink_audit_socket nlmsg_readpriv;
|
||||
|
||||
')
|
||||
|
||||
|
||||
|
@ -2,12 +2,6 @@
|
||||
# Macros for all user login domains.
|
||||
#
|
||||
|
||||
define(`network_home_dir', `
|
||||
create_dir_file($1, $2)
|
||||
can_exec($1, $2)
|
||||
allow $1 $2:{ sock_file fifo_file } create_file_perms;
|
||||
')
|
||||
|
||||
#
|
||||
# base_user_domain(domain_prefix)
|
||||
#
|
||||
@ -22,6 +16,30 @@ allow $1 $2:{ sock_file fifo_file } create_file_perms;
|
||||
undefine(`base_user_domain')
|
||||
define(`base_user_domain', `
|
||||
|
||||
# Type for network-obtained content
|
||||
type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
|
||||
type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
|
||||
|
||||
# Allow user to relabel untrusted content
|
||||
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
|
||||
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
|
||||
|
||||
# Read content
|
||||
read_content($1_t, $1)
|
||||
|
||||
# Write trusted content. This includes proper transition
|
||||
# for /home, and /tmp, so no other transition is necessary (or allowed)
|
||||
write_trusted($1_t, $1)
|
||||
|
||||
# Maybe the home directory is networked
|
||||
network_home($1_t)
|
||||
|
||||
# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
|
||||
# Relabel files in the home directory
|
||||
file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file });
|
||||
allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
|
||||
can_setfscreate($1_t)
|
||||
|
||||
allow $1_t self:capability { setgid chown fowner };
|
||||
dontaudit $1_t self:capability { sys_nice fsetid };
|
||||
|
||||
@ -40,10 +58,13 @@ if (allow_execmem) {
|
||||
allow $1_t self:process execmem;
|
||||
}
|
||||
|
||||
if (allow_execmod) {
|
||||
if (allow_execmem && allow_execstack) {
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1_t self:process execstack;
|
||||
}
|
||||
|
||||
# Allow text relocations on system shared libraries, e.g. libGL.
|
||||
allow $1_t texrel_shlib_t:file execmod;
|
||||
}
|
||||
|
||||
#
|
||||
# kdeinit wants this access
|
||||
@ -63,38 +84,23 @@ allow $1_t event_device_t:chr_file { getattr read ioctl };
|
||||
allow $1_t dri_device_t:chr_file getattr;
|
||||
dontaudit $1_t dri_device_t:chr_file rw_file_perms;
|
||||
|
||||
file_browse_domain($1_t)
|
||||
# Supress ls denials:
|
||||
# getattr() - ls -l
|
||||
# search_dir() - symlink path resolution
|
||||
# read_dir() - deep ls: ls parent/...
|
||||
|
||||
dontaudit_getattr($1_t)
|
||||
dontaudit_search_dir($1_t)
|
||||
dontaudit_read_dir($1_t)
|
||||
|
||||
# allow ptrace
|
||||
can_ptrace($1_t, $1_t)
|
||||
|
||||
# Create, access, and remove files in home directory.
|
||||
file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
|
||||
allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
|
||||
can_setfscreate($1_t)
|
||||
# Allow user to run restorecon and relabel files
|
||||
can_getsecurity($1_t)
|
||||
r_dir_file($1_t, default_context_t)
|
||||
r_dir_file($1_t, file_context_t)
|
||||
|
||||
allow $1_t autofs_t:dir { search getattr };
|
||||
|
||||
if (use_nfs_home_dirs) {
|
||||
network_home_dir($1_t, nfs_t)
|
||||
}
|
||||
|
||||
if (use_samba_home_dirs) {
|
||||
network_home_dir($1_t, cifs_t)
|
||||
}
|
||||
|
||||
can_exec($1_t, { removable_t noexattrfile } )
|
||||
if (user_rw_noexattrfile) {
|
||||
create_dir_file($1_t, noexattrfile)
|
||||
create_dir_file($1_t, removable_t)
|
||||
# Write floppies
|
||||
allow $1_t removable_device_t:blk_file rw_file_perms;
|
||||
allow $1_t usbtty_device_t:chr_file write;
|
||||
} else {
|
||||
r_dir_file($1_t, noexattrfile)
|
||||
r_dir_file($1_t, removable_t)
|
||||
allow $1_t removable_device_t:blk_file r_file_perms;
|
||||
}
|
||||
allow $1_t usbtty_device_t:chr_file read;
|
||||
|
||||
# GNOME checks for usb and other devices
|
||||
@ -104,16 +110,9 @@ can_exec($1_t, noexattrfile)
|
||||
# Bind to a Unix domain socket in /tmp.
|
||||
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
|
||||
|
||||
# Access ttys.
|
||||
allow $1_t privfd:fd use;
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
|
||||
|
||||
# Use the type when relabeling terminal devices.
|
||||
type_change $1_t tty_device_t:chr_file $1_tty_device_t;
|
||||
|
||||
# read localization information
|
||||
read_locale($1_t)
|
||||
|
||||
# Debian login is from shadow utils and does not allow resetting the perms.
|
||||
# have to fix this!
|
||||
type_change $1_t ttyfile:chr_file $1_tty_device_t;
|
||||
@ -297,21 +296,16 @@ dontaudit $1_t domain:process { getattr getsession };
|
||||
#
|
||||
dontaudit $1_t usr_t:file setattr;
|
||||
|
||||
# Use X
|
||||
x_client_domain($1, $1)
|
||||
|
||||
ifdef(`xserver.te', `
|
||||
# for /tmp/.ICE-unix
|
||||
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
|
||||
allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
# Connect to the X server run by the X Display Manager.
|
||||
can_unix_connect($1_t, xdm_t)
|
||||
allow $1_t xdm_tmp_t:sock_file rw_file_perms;
|
||||
allow $1_t xdm_tmp_t:dir r_dir_perms;
|
||||
allow $1_t xdm_tmp_t:file { getattr read };
|
||||
allow $1_t xdm_xserver_tmp_t:sock_file { read write };
|
||||
allow $1_t xdm_xserver_tmp_t:dir search;
|
||||
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
# certain apps want to read xdm.pid file
|
||||
r_dir_file($1_t, xdm_var_run_t)
|
||||
allow $1_t xdm_var_lib_t:file { getattr read };
|
||||
@ -320,9 +314,6 @@ ifdef(`xauth.te', `
|
||||
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
|
||||
')
|
||||
|
||||
# for shared memory
|
||||
allow xdm_xserver_t $1_tmpfs_t:file { read write };
|
||||
|
||||
')dnl end ifdef xdm.te
|
||||
|
||||
# Access the sound device.
|
||||
@ -375,6 +366,9 @@ allow $1_t default_t:dir r_dir_perms;
|
||||
allow $1_t default_t:notdevfile_class_set r_file_perms;
|
||||
}
|
||||
|
||||
# Read fonts
|
||||
read_fonts($1_t, $1)
|
||||
|
||||
read_sysctl($1_t);
|
||||
|
||||
#
|
||||
|
@ -437,7 +437,7 @@ allow $2_t device_t:dir getattr;
|
||||
# by default, only plain files and dirs may be stored there.
|
||||
# This can be overridden with a third parameter
|
||||
define(`tmp_domain', `
|
||||
type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
|
||||
type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
|
||||
ifelse($3, `',
|
||||
`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
|
||||
`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
|
||||
|
@ -2,6 +2,76 @@
|
||||
# Macros for all user login domains.
|
||||
#
|
||||
|
||||
# role_tty_type_change(starting_role, ending_role)
|
||||
#
|
||||
# change from role $1_r to $2_r and relabel tty appropriately
|
||||
#
|
||||
|
||||
undefine(`role_tty_type_change')
|
||||
define(`role_tty_type_change', `
|
||||
allow $1_r $2_r;
|
||||
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
|
||||
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
|
||||
# avoid annoying messages on terminal hangup
|
||||
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
|
||||
')
|
||||
|
||||
#
|
||||
# reach_sysadm(user)
|
||||
#
|
||||
# Reach sysadm_t via programs like userhelper/sudo/su
|
||||
#
|
||||
|
||||
undefine(`reach_sysadm')
|
||||
define(`reach_sysadm', `
|
||||
ifdef(`userhelper.te', `userhelper_domain($1)')
|
||||
ifdef(`sudo.te', `sudo_domain($1)')
|
||||
ifdef(`su.te', `
|
||||
su_domain($1)
|
||||
# When an ordinary user domain runs su, su may try to
|
||||
# update the /root/.Xauthority file, and the user shell may
|
||||
# try to update the shell history. This is not allowed, but
|
||||
# we dont need to audit it.
|
||||
dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
|
||||
dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
|
||||
dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
|
||||
') dnl ifdef su.te
|
||||
ifdef(`xauth.te', `
|
||||
file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
|
||||
ifdef(`userhelper.te', `
|
||||
file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
|
||||
') dnl userhelper.te
|
||||
') dnl xauth.te
|
||||
') dnl reach_sysadm
|
||||
|
||||
#
|
||||
# priv_user(user)
|
||||
#
|
||||
# Privileged user domain
|
||||
#
|
||||
|
||||
undefine(`priv_user')
|
||||
define(`priv_user', `
|
||||
# Reach sysadm_t
|
||||
reach_sysadm($1)
|
||||
|
||||
# Read file_contexts for rpm and get security decisions.
|
||||
r_dir_file($1_t, file_context_t)
|
||||
can_getsecurity($1_t)
|
||||
|
||||
# Signal and see information about unprivileged user domains.
|
||||
allow $1_t unpriv_userdomain:process signal_perms;
|
||||
can_ps($1_t, unpriv_userdomain)
|
||||
allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
|
||||
|
||||
# Read /root files if boolean is enabled.
|
||||
if (staff_read_sysadm_file) {
|
||||
allow $1_t sysadm_home_dir_t:dir { getattr search };
|
||||
allow $1_t sysadm_home_t:file { getattr read };
|
||||
}
|
||||
|
||||
') dnl priv_user
|
||||
|
||||
#
|
||||
# user_domain(domain_prefix)
|
||||
#
|
||||
@ -18,18 +88,23 @@ define(`user_domain', `
|
||||
# Use capabilities
|
||||
|
||||
# Type for home directory.
|
||||
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
|
||||
type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type;
|
||||
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
|
||||
type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
|
||||
|
||||
tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
|
||||
# Transition manually for { lnk sock fifo }. The rest is in content macros.
|
||||
tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
|
||||
file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
|
||||
allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
|
||||
|
||||
# Type and access for pty devices.
|
||||
can_create_pty($1, `, userpty_type, user_tty_type')
|
||||
ifdef(`support_polyinstantiation', `
|
||||
type_member $1_t tmp_t:dir $1_tmp_t;
|
||||
type_member $1_t $1_home_dir_t:dir $1_home_t;
|
||||
')
|
||||
|
||||
#Type for tty devices.
|
||||
type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
|
||||
|
||||
base_user_domain($1)
|
||||
ifdef(`mls_policy', `', `
|
||||
access_removable_media($1_t)
|
||||
')
|
||||
|
||||
# do not allow privhome access to sysadm_home_dir_t
|
||||
file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
|
||||
@ -44,7 +119,9 @@ allow $1_t system_map_t:file { getattr read };
|
||||
# user domain and the program, and allow us to maintain separation
|
||||
# between different instances of the program being run by different
|
||||
# user domains.
|
||||
ifdef(`apache.te', `apache_domain($1)')
|
||||
ifelse($1, sysadm, `',`
|
||||
ifdef(`apache.te', `apache_user_domain($1)')
|
||||
')
|
||||
ifdef(`slocate.te', `locate_domain($1)')
|
||||
ifdef(`lockdev.te', `lockdev_domain($1)')
|
||||
|
||||
@ -110,19 +187,73 @@ file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
|
||||
#
|
||||
# Domains for ordinary users.
|
||||
#
|
||||
undefine(`full_user_role')
|
||||
define(`full_user_role', `
|
||||
|
||||
undefine(`limited_user_role')
|
||||
define(`limited_user_role', `
|
||||
# user_t/$1_t is an unprivileged users domain.
|
||||
type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
|
||||
type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
|
||||
|
||||
#Type for tty devices.
|
||||
type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
|
||||
# Type and access for pty devices.
|
||||
can_create_pty($1, `, userpty_type, user_tty_type')
|
||||
|
||||
# Access ttys.
|
||||
allow $1_t privfd:fd use;
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
|
||||
|
||||
attribute $1_file_type;
|
||||
# Grant read/search permissions to some of /proc.
|
||||
r_dir_file($1_t, proc_t)
|
||||
r_dir_file($1_t, proc_net_t)
|
||||
|
||||
base_file_read_access($1_t)
|
||||
|
||||
# Execute from the system shared libraries.
|
||||
uses_shlib($1_t)
|
||||
|
||||
# Read /etc.
|
||||
r_dir_file($1_t, etc_t)
|
||||
allow $1_t etc_runtime_t:file r_file_perms;
|
||||
allow $1_t etc_runtime_t:lnk_file { getattr read };
|
||||
|
||||
allow $1_t self:process { fork sigchld setpgid signal_perms };
|
||||
|
||||
# read localization information
|
||||
read_locale($1_t)
|
||||
|
||||
read_sysctl($1_t)
|
||||
can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
|
||||
|
||||
allow $1_t self:dir search;
|
||||
allow $1_t self:file { getattr read };
|
||||
allow secadm_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow $1_t self:lnk_file read;
|
||||
allow $1_t self:unix_stream_socket create_socket_perms;
|
||||
allow $1_t urandom_device_t:chr_file { getattr read };
|
||||
dontaudit $1_t { var_spool_t var_log_t }:dir search;
|
||||
|
||||
# Read /dev directories and any symbolic links.
|
||||
allow $1_t device_t:dir r_dir_perms;
|
||||
allow $1_t device_t:lnk_file { getattr read };
|
||||
allow $1_t devtty_t:chr_file { read write };
|
||||
|
||||
')
|
||||
|
||||
undefine(`full_user_role')
|
||||
define(`full_user_role', `
|
||||
|
||||
limited_user_role($1)
|
||||
|
||||
typeattribute $1_t web_client_domain;
|
||||
|
||||
attribute $1_file_type;
|
||||
|
||||
ifdef(`useradd.te', `
|
||||
# Useradd relabels /etc/skel files so needs these privs
|
||||
allow useradd_t $1_file_type:dir create_dir_perms;
|
||||
allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
|
||||
')
|
||||
|
||||
can_exec($1_t, usr_t)
|
||||
|
||||
# Read directories and files with the readable_t type.
|
||||
@ -134,28 +265,18 @@ allow $1_t readable_t:notdevfile_class_set r_file_perms;
|
||||
allow $1_t lost_found_t:dir getattr;
|
||||
|
||||
# Read /var, /var/spool, /var/run.
|
||||
allow $1_t var_t:dir r_dir_perms;
|
||||
allow $1_t var_t:notdevfile_class_set r_file_perms;
|
||||
allow $1_t var_spool_t:dir r_dir_perms;
|
||||
allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
|
||||
allow $1_t var_run_t:dir r_dir_perms;
|
||||
allow $1_t var_run_t:{ file lnk_file } r_file_perms;
|
||||
r_dir_file($1_t, var_t)
|
||||
# what about pipes and sockets under /var/spool?
|
||||
r_dir_file($1_t, var_spool_t)
|
||||
r_dir_file($1_t, var_run_t)
|
||||
allow $1_t var_lib_t:dir r_dir_perms;
|
||||
allow $1_t var_lib_t:file { getattr read };
|
||||
|
||||
read_sysctl($1_t)
|
||||
|
||||
# Read /etc.
|
||||
allow $1_t etc_t:dir r_dir_perms;
|
||||
allow $1_t etc_t:notdevfile_class_set r_file_perms;
|
||||
allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms;
|
||||
|
||||
# for running depmod as part of the kernel packaging process
|
||||
allow $1_t modules_conf_t:file { getattr read };
|
||||
|
||||
# Read man directories and files.
|
||||
allow $1_t man_t:dir r_dir_perms;
|
||||
allow $1_t man_t:notdevfile_class_set r_file_perms;
|
||||
r_dir_file($1_t, man_t)
|
||||
|
||||
# Allow users to rw usb devices
|
||||
if (user_rw_usb) {
|
||||
@ -166,16 +287,9 @@ r_dir_file($1_t,usbdevfs_t)
|
||||
|
||||
r_dir_file($1_t,sysfs_t)
|
||||
|
||||
# Read /dev directories and any symbolic links.
|
||||
allow $1_t device_t:dir r_dir_perms;
|
||||
allow $1_t device_t:lnk_file r_file_perms;
|
||||
|
||||
# Do not audit write denials to /etc/ld.so.cache.
|
||||
dontaudit $1_t ld_so_cache_t:file write;
|
||||
|
||||
# Execute from the system shared libraries.
|
||||
uses_shlib($1_t);
|
||||
|
||||
# $1_t is also granted permissions specific to user domains.
|
||||
user_domain($1)
|
||||
|
||||
@ -193,22 +307,6 @@ dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
|
||||
dontaudit $1_t init_t:fd use;
|
||||
dontaudit $1_t initrc_t:fd use;
|
||||
allow $1_t initrc_t:fifo_file write;
|
||||
ifdef(`user_can_mount', `
|
||||
#
|
||||
# Allow users to mount file systems like floppies and cdrom
|
||||
#
|
||||
mount_domain($1, $1_mount, `, fs_domain')
|
||||
r_dir_file($1_t, mnt_t)
|
||||
allow $1_mount_t device_t:lnk_file read;
|
||||
allow $1_mount_t removable_device_t:blk_file read;
|
||||
allow $1_mount_t iso9660_t:filesystem relabelfrom;
|
||||
allow $1_mount_t removable_t:filesystem { mount relabelto };
|
||||
allow $1_mount_t removable_t:dir mounton;
|
||||
ifdef(`xdm.te', `
|
||||
allow $1_mount_t xdm_t:fd use;
|
||||
allow $1_mount_t xdm_t:fifo_file { read write };
|
||||
')
|
||||
')
|
||||
|
||||
#
|
||||
# Rules used to associate a homedir as a mountpoint
|
||||
|
@ -278,7 +278,7 @@ allow devpts_t self:filesystem associate;
|
||||
|
||||
type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
|
||||
allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
|
||||
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
|
||||
allow { logfile tmpfile home_type } tmp_t:filesystem associate;
|
||||
ifdef(`distro_redhat', `
|
||||
allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user