patch from Dan, sent Thu, 19 Jan 2006 14:16:26 -0500
This commit is contained in:
parent
85c20af3c1
commit
a225f9832d
|
@ -6,9 +6,11 @@
|
||||||
for greater clarity.
|
for greater clarity.
|
||||||
- Added modules:
|
- Added modules:
|
||||||
certwatch
|
certwatch
|
||||||
|
mono (Dan Walsh)
|
||||||
portage
|
portage
|
||||||
userhelper
|
userhelper
|
||||||
usernetctl
|
usernetctl
|
||||||
|
wine (Dan Walsh)
|
||||||
xserver
|
xserver
|
||||||
|
|
||||||
* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
|
* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
|
||||||
|
|
|
@ -12,6 +12,9 @@
|
||||||
## Allow cvs daemon to read shadow
|
## Allow cvs daemon to read shadow
|
||||||
gen_tunable(allow_cvs_read_shadow,false)
|
gen_tunable(allow_cvs_read_shadow,false)
|
||||||
|
|
||||||
|
## Allow making the heap executable.
|
||||||
|
gen_tunable(allow_execheap,false)
|
||||||
|
|
||||||
## Allow making anonymous memory executable, e.g.
|
## Allow making anonymous memory executable, e.g.
|
||||||
## for runtime-code generation or executable stack.
|
## for runtime-code generation or executable stack.
|
||||||
gen_tunable(allow_execmem,false)
|
gen_tunable(allow_execmem,false)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(logwatch,1.0.0)
|
policy_module(logwatch,1.0.1)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
|
@ -38,6 +38,7 @@ kernel_read_fs_sysctl(logwatch_t)
|
||||||
kernel_read_kernel_sysctl(logwatch_t)
|
kernel_read_kernel_sysctl(logwatch_t)
|
||||||
kernel_read_system_state(logwatch_t)
|
kernel_read_system_state(logwatch_t)
|
||||||
|
|
||||||
|
corecmd_read_sbin_symlink(logwatch_t)
|
||||||
corecmd_read_sbin_file(logwatch_t)
|
corecmd_read_sbin_file(logwatch_t)
|
||||||
corecmd_exec_bin(logwatch_t)
|
corecmd_exec_bin(logwatch_t)
|
||||||
corecmd_exec_shell(logwatch_t)
|
corecmd_exec_shell(logwatch_t)
|
||||||
|
@ -68,6 +69,8 @@ logging_read_all_logs(logwatch_t)
|
||||||
|
|
||||||
miscfiles_read_localization(logwatch_t)
|
miscfiles_read_localization(logwatch_t)
|
||||||
|
|
||||||
|
selinux_dontaudit_getattr_dir(logwatch_t)
|
||||||
|
|
||||||
userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
|
userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
|
||||||
userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
|
userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
|
||||||
|
|
||||||
|
@ -94,6 +97,10 @@ optional_policy(`nscd',`
|
||||||
nscd_use_socket(logwatch_t)
|
nscd_use_socket(logwatch_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`ntp',`
|
||||||
|
ntp_domtrans(logwatch_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`rpc',`
|
optional_policy(`rpc',`
|
||||||
rpc_search_nfs_state_data(logwatch_t)
|
rpc_search_nfs_state_data(logwatch_t)
|
||||||
')
|
')
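Review bot: `ntp_domtrans(logwatch_t)` moves logwatch into the ntp module's domain whenever it executes the ntp binaries, which is a larger grant than merely reading ntp state; a why-comment on that line would help a later reviewer judge it, e.g. `# logwatch runs the ntp utilities; keep them in the ntp domain rather than logwatch_t` (confirm this is the reason). The added `selinux_dontaudit_getattr_dir` and `corecmd_read_sbin_symlink` lines look uncontroversial. The logwatch_t local policy starts and ends outside these hunks.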
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
|
|
@ -0,0 +1,23 @@
|
||||||
|
## <summary>Run .NET server and client applications on Linux.</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute the mono program in the mono domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mono_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type mono_t, mono_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domain_auto_trans($1, mono_exec_t, mono_t)
|
||||||
|
|
||||||
|
allow $1 mono_t:fd use;
|
||||||
|
allow mono_t $1:fd use;
|
||||||
|
allow mono_t $1:fifo_file rw_file_perms;
|
||||||
|
allow mono_t $1:process sigchld;
|
||||||
|
')
|
|
@ -0,0 +1,25 @@
|
||||||
|
|
||||||
|
policy_module(mono,1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type mono_t;
|
||||||
|
domain_type(mono_t)
|
||||||
|
|
||||||
|
type mono_exec_t;
|
||||||
|
domain_entry_file(mono_t,mono_exec_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
allow mono_t self:process execheap;
|
||||||
|
unconfined_domain_template(mono_t)
|
||||||
|
role system_r types mono_t;
|
||||||
|
')
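Review bot: `allow mono_t self:process execheap;` is unconditional, while the same commit routes execheap for unconfined domains through the new `allow_execheap` tunable with an `auditallow` in unconfined_domain_template, which mono_t receives on the very next line; the direct allow makes the tunable moot for mono_t and leaves its heap-execution unaudited. If mono must have execheap regardless of the tunable, record that on the line (`# mono needs an executable heap; deliberately not gated by allow_execheap` — confirm the reason), otherwise drop the line and let the template govern it. The same unconditional pattern appears in wine.te (`execstack execmem`) and in the xserver.te hunk (`execheap execmem` for xdm_t). Note also that outside targeted_policy this module declares mono_t with no rules at all, so presumably strict builds are not expected to use it yet; a comment saying so would avoid surprises.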
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
|
|
@ -0,0 +1,23 @@
|
||||||
|
## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute the wine program in the wine domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`wine_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type wine_t, wine_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domain_auto_trans($1, wine_exec_t, wine_t)
|
||||||
|
|
||||||
|
allow $1 wine_t:fd use;
|
||||||
|
allow wine_t $1:fd use;
|
||||||
|
allow wine_t $1:fifo_file rw_file_perms;
|
||||||
|
allow wine_t $1:process sigchld;
|
||||||
|
')
|
|
@ -0,0 +1,25 @@
|
||||||
|
|
||||||
|
policy_module(wine,1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type wine_t;
|
||||||
|
domain_type(wine_t)
|
||||||
|
|
||||||
|
type wine_exec_t;
|
||||||
|
domain_entry_file(wine_t,wine_exec_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
allow wine_t self:process { execstack execmem };
|
||||||
|
unconfined_domain_template(wine_t)
|
||||||
|
role system_r types wine_t;
|
||||||
|
allow wine_t file_type:file execmod;
|
||||||
|
')
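Review bot: `allow wine_t file_type:file execmod;` grants text relocation on every file-typed object on the system and references the file_type attribute directly from a module .te, which refpolicy modules normally do through an interface of the files module. If wine genuinely needs execmod on arbitrary binaries it loads, say so in a comment, e.g. `# wine loads arbitrary Windows binaries that require text relocations`, but a narrower target than file_type would reduce the exposure. The unconditional `execstack execmem` above it bypasses the `allow_execmem` tunable that unconfined_domain_template would otherwise apply to this domain.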
|
|
@ -1824,6 +1824,22 @@ interface(`fs_search_ramfs',`
|
||||||
allow $1 ramfs_t:dir search;
|
allow $1 ramfs_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Dontaudit Search directories on a ramfs
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_dontaudit_search_ramfs',`
|
||||||
|
gen_require(`
|
||||||
|
type ramfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 ramfs_t:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Write to named pipe on a ramfs filesystem.
|
## Write to named pipe on a ramfs filesystem.
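Review bot: The new summary `Dontaudit Search directories on a ramfs` reads awkwardly and lacks a closing period; if this file's other dontaudit interfaces use the "Do not audit attempts to …" wording, match it: `## Do not audit attempts to search directories on a ramfs.`. The interface body itself is fine.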
|
||||||
|
|
|
@ -161,10 +161,11 @@ interface(`bind_manage_config_dir',`
|
||||||
#
|
#
|
||||||
interface(`bind_search_cache',`
|
interface(`bind_search_cache',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type named_cache_t, named_zone_t;
|
type named_conf_t, named_cache_t, named_zone_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
|
allow $1 named_conf_t:dir search_dir_perms;
|
||||||
allow $1 named_zone_t:dir search_dir_perms;
|
allow $1 named_zone_t:dir search_dir_perms;
|
||||||
allow $1 named_cache_t:dir search_dir_perms;
|
allow $1 named_cache_t:dir search_dir_perms;
|
||||||
')
|
')
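Review bot: `bind_search_cache` now also grants search on named_conf_t, which its name does not suggest and its summary (outside this hunk) presumably does not mention. A comment on the added line would explain the dependency, e.g. `# the cache directory may be located under the named configuration directory` — confirm that is the reason. Otherwise the summary should be updated to say the configuration directory is searched as well.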
|
||||||
|
|
|
@ -68,7 +68,7 @@ selinux_compute_user_contexts(xdm_t)
|
||||||
files_read_etc_runtime_files(xdm_t)
|
files_read_etc_runtime_files(xdm_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
allow xdm_t self:process execmem;
|
allow xdm_t self:process { execheap execmem };
|
||||||
unconfined_domain_template(xdm_t)
|
unconfined_domain_template(xdm_t)
|
||||||
unconfined_domtrans(xdm_t)
|
unconfined_domtrans(xdm_t)
|
||||||
',`
|
',`
|
||||||
|
|
|
@ -166,7 +166,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
|
||||||
/usr/lib(64)?/libdivxencore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libdivxencore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
# Java, Sun Microsystems (JPackage SRPM)
|
# Java, Sun Microsystems (JPackage SRPM)
|
||||||
/usr/.*/jre/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
|
/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
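Review bot: The rewritten pattern leaves the dot in `libdeploy.so` unescaped, so it matches any character there, whereas the other entries in this hunk escape it (`libflashplayer\.so`, `\.api`); suggest `/usr/.*/jre.*/lib/i386/libdeploy\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Widening `jre/` to `jre.*/` also matches any path component beginning with jre, which is presumably intended for versioned directories but is worth a note if so.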
|
||||||
|
|
|
@ -38,6 +38,12 @@ template(`unconfined_domain_template',`
|
||||||
fs_unconfined($1)
|
fs_unconfined($1)
|
||||||
selinux_unconfined($1)
|
selinux_unconfined($1)
|
||||||
|
|
||||||
|
tunable_policy(`allow_execheap',`
|
||||||
|
# Allow making the stack executable via mprotect.
|
||||||
|
allow $1 self:process execheap;
|
||||||
|
auditallow $1 self:process execheap;
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`allow_execmem',`
|
tunable_policy(`allow_execmem',`
|
||||||
# Allow making anonymous memory executable, e.g.
|
# Allow making anonymous memory executable, e.g.
|
||||||
# for runtime-code generation or executable stack.
|
# for runtime-code generation or executable stack.
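Review bot: The comment inside the new `allow_execheap` block says "stack" but the rule it annotates grants execheap: it should read `# Allow making the heap executable via mprotect.`, matching the gen_tunable description added in global_tunables in this same commit. The block itself, with its `auditallow`, looks consistent with the existing `allow_execmem` block below.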
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(unconfined,1.2.0)
|
policy_module(unconfined,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -97,6 +97,10 @@ ifdef(`targeted_policy',`
|
||||||
modutils_domtrans_update_mods(unconfined_t)
|
modutils_domtrans_update_mods(unconfined_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`mono',`
|
||||||
|
mono_domtrans(unconfined_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`netutils',`
|
optional_policy(`netutils',`
|
||||||
netutils_domtrans_ping(unconfined_t)
|
netutils_domtrans_ping(unconfined_t)
|
||||||
')
|
')
|
||||||
|
@ -141,11 +145,7 @@ ifdef(`targeted_policy',`
|
||||||
webalizer_domtrans(unconfined_t)
|
webalizer_domtrans(unconfined_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
optional_policy(`wine',`
|
||||||
ifdef(`use_mcs',`
|
wine_domtrans(unconfined_t)
|
||||||
rw_dir_create_file(sysadm_su_t, home_dir_type)
|
|
||||||
')
|
')
|
||||||
allow unconfined_t initrc_t : dbus { send_msg acquire_svc };
|
|
||||||
allow initrc_t unconfined_t : dbus { send_msg acquire_svc };
|
|
||||||
') dnl end TODO
|
|
||||||
')
|
')
|
||||||
|
|