patch from dan Fri, 17 Mar 2006 15:22:53 -0500
This commit is contained in:
parent
dcd174aeef
commit
a3cf80d85b
@ -1,3 +1,4 @@
- Numerous fixes from Dan Walsh.
- Change build order to preserve m4 line number information so policy
compile errors are useful again.
- Additional MLS interfaces from Chad Hanson.
@ -23,6 +24,7 @@
rhgb
thunderbird
tor (Erich Schubert)
xen (Dan Walsh)
* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
- Make all interface parameters required.
@ -208,7 +208,7 @@ enableaudit: $(BASE_CONF)
#
$(APPDIR)/customizable_types: $(BASE_CONF)
@mkdir -p $(APPDIR)
$(verbose) $(GREP) "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > $(TMPDIR)/customizable_types
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
########################################
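Review bot: The widened match `'^[[:blank:]]*type .*customizable'` on the grep line now accepts space-indented declarations, but the `cut -d' ' -f2` that follows still assumes `type` is the first space-separated field, so a line indented with spaces contributes `type` or an empty string to customizable_types instead of the type name (a tab-indented line survives only because cut does not split on tabs). Replacing the two cut stages with `sed -e 's/^[[:blank:]]*type[[:blank:]]*//' -e 's/[[:blank:],;].*//'` yields the first word after `type` regardless of indentation. The second Makefile hunk (L73–L96) carries the same pipeline and needs the same change. A grep with no match also leaves the pipeline's exit status at zero, so an empty customizable_types would be installed silently; a `test -s $(TMPDIR)/customizable_types` before the install line turns that into a build failure.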
@ -213,7 +213,7 @@ $(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC)
#
$(APPDIR)/customizable_types: $(POLICY_CONF)
@mkdir -p $(APPDIR)
$(verbose) $(GREP) "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > $(TMPDIR)/customizable_types
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
########################################
@ -141,9 +141,7 @@ mlsconstrain file { write setattr append unlink link rename
mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
mlsconstrain file { read } ((h1 dom h2) or
( t1 == mlsfileread ));
mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
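Review bot: The added `( t2 == domain )` clause in the `mlsconstrain file { read }` rule exempts any target whose type carries the `domain` attribute from the MLS read-down check, and nothing in the hunk records why. The likely motivation is the per-process entries under /proc, which take the process's own type, but that is inferred from the attribute name rather than shown here; a comment above the rule, e.g. `# domain-typed file targets (presumably /proc/<pid> entries) are readable across levels`, would record the intent. The exemption also applies to every type that is later given the `domain` attribute, not only to the process types that exist today, which is worth stating next to it.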
@ -1,5 +1,5 @@
policy_module(bootloader,1.2.0)
policy_module(bootloader,1.2.1)
########################################
#
@ -103,13 +103,14 @@ files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
files_exec_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
files_read_kernel_modules(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
files_manage_etc_runtime_files(bootloader_t)
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
@ -1,5 +1,5 @@
policy_module(dmidecode,1.0.0)
policy_module(dmidecode,1.0.1)
########################################
#
@ -23,6 +23,8 @@ allow dmidecode_t self:capability sys_rawio;
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
mls_file_read_up(dmidecode_t)
term_list_ptys(dmidecode_t)
files_list_usr(dmidecode_t)
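Review bot: `mls_file_read_up(dmidecode_t)` grants an MLS override covering every file object, while the only hint of a reason in the hunk is the raw memory access granted on the lines above. If the trigger is that /dev/mem is labeled above s0, a comment next to the call such as `# /dev/mem is labeled at a high level; read-up is needed to open it` ties the override to its cause; if another file is involved, naming it lets a later reviewer decide whether the override is still required. The rest of the dmidecode_t rules continue outside the hunk.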
@ -1,5 +1,5 @@
policy_module(readahead,1.2.0)
policy_module(readahead,1.2.1)
########################################
#
@ -18,7 +18,7 @@ files_pid_file(readahead_var_run_t)
# Local policy
#
dontaudit readahead_t self:capability sys_tty_config;
dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
allow readahead_t self:process signal_perms;
allow readahead_t readahead_var_run_t:file create_file_perms;
@ -22,7 +22,7 @@ ifdef(`distro_redhat', `
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
# SuSE
ifdef(`distro_suse', `
@ -78,6 +78,9 @@ interface(`rpm_run',`
role $2 types rpm_t;
role $2 types rpm_script_t;
seutil_run_loadpolicy(rpm_script_t,$2,$3)
seutil_run_semanage(rpm_script_t,$2,$3)
seutil_run_setfiles(rpm_script_t,$2,$3)
seutil_run_restorecon(rpm_script_t,$2,$3)
allow rpm_t $3:chr_file rw_term_perms;
')
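Review bot: The `seutil_run_semanage(rpm_script_t,$2,$3)` and `seutil_run_restorecon(rpm_script_t,$2,$3)` lines, which appear to be the additions here, let package scriptlets enter the policy-store management domain and relabel files; together with the loadpolicy and setfiles lines this is the complete set of policy-changing tools, so the rpm_run `<summary>` above the hunk should say that the supplied role gains semanage and restorecon too. A one-line comment ahead of the four seutil_run_* calls, e.g. `# scriptlets may update the policy store and file labels`, would explain why a package-install interface carries these transitions.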
@ -1,5 +1,5 @@
policy_module(rpm,1.3.1)
policy_module(rpm,1.3.2)
########################################
#
@ -326,6 +326,7 @@ modutils_domtrans_insmod(rpm_script_t)
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_restorecon(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
@ -2,3 +2,4 @@
/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
/usr(/local)?/bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
@ -134,7 +134,6 @@ template(`su_per_userdomain_template',`
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
@ -142,9 +141,8 @@ template(`su_per_userdomain_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
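Review bot: The fd/fifo_file/sigchld rules after corecmd_shell_domtrans($1_su_t,$2) mirror those after domain_auto_trans in the previous hunk with subject and target swapped, and which of them remain on the new side cannot be told from this rendered page, so this is a documentation request only. A comment above the block, e.g. `# on return to the user domain, $2 inherits su's descriptors and reaps it`, would make the reversed direction read as intentional rather than as a copy of the entry transition. The template body continues outside both hunks.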
@ -1,5 +1,5 @@
policy_module(su,1.3.0)
policy_module(su,1.3.1)
########################################
#
@ -1,5 +1,5 @@
policy_module(updfstab,1.2.0)
policy_module(updfstab,1.2.1)
########################################
#
@ -102,6 +102,10 @@ optional_policy(`dbus',`
dbus_send_system_bus(updfstab_t)
')
optional_policy(`fstools',`
fstools_getattr_swap_files(updfstab_t)
')
optional_policy(`hal',`
hal_stream_connect(updfstab_t)
hal_dbus_chat(updfstab_t)
@ -124,7 +128,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(updfstab_t)
')
ifdef(`TODO',`
allow updfstab_t tmpfs_t:dir getattr;
')
@ -1,5 +1,5 @@
policy_module(vbetool,1.0.0)
policy_module(vbetool,1.0.1)
########################################
#
@ -15,6 +15,7 @@ init_system_domain(vbetool_t,vbetool_exec_t)
# Local policy
#
allow vbetool_t self:capability { sys_tty_config sys_admin };
allow vbetool_t self:process execmem;
dev_wx_raw_memory(vbetool_t)
@ -22,5 +23,13 @@ dev_read_raw_memory(vbetool_t)
dev_rwx_zero(vbetool_t)
dev_read_sysfs(vbetool_t)
term_use_unallocated_ttys(vbetool_t)
libs_use_ld_so(vbetool_t)
libs_use_shared_libs(vbetool_t)
miscfiles_read_localization(vbetool_t)
optional_policy(`hal',`
hal_rw_pid_files(vbetool_t)
')
@ -32,11 +32,14 @@ ifdef(`distro_redhat',`
#
# /etc
#
/etc/hotplug/.*agent -- gen_context(system_u:object_r:sbin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:sbin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0)
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0)
/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:sbin_t,s0)
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
@ -44,6 +47,8 @@ ifdef(`distro_redhat',`
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
@ -52,6 +57,8 @@ ifdef(`distro_redhat',`
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_debian',`
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
@ -132,6 +139,8 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@ -1,5 +1,5 @@
policy_module(corecommands,1.3.3)
policy_module(corecommands,1.3.4)
########################################
#
@ -1,5 +1,5 @@
policy_module(corenetwork,1.1.2)
policy_module(corenetwork,1.1.3)
########################################
#
@ -126,6 +126,7 @@ network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
network_port(xen, tcp,8002,s0)
network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
network_port(zebra, tcp,2601,s0)
network_port(zope, tcp,8021,s0)
@ -15,6 +15,7 @@
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
@ -47,6 +48,7 @@
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
@ -86,6 +88,8 @@ ifdef(`distro_suse', `
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
@ -2382,7 +2382,7 @@ interface(`dev_rw_generic_usb_dev',`
')
allow $1 device_t:dir r_dir_perms;
allow $1 usb_device_t:chr_file { read write };
allow $1 usb_device_t:chr_file rw_file_perms;
')
########################################
@ -2632,6 +2632,64 @@ interface(`dev_read_video_dev',`
allow $1 v4l_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_xen',`
gen_require(`
type device_t, xen_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 xen_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete Xen devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_xen',`
gen_require(`
type device_t, xen_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 xen_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Automatic type transition to the type
## for xen device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_filetrans_xen',`
gen_require(`
type device_t, xen_device_t;
')
allow $1 device_t:dir rw_dir_perms;
type_transition $1 device_t:chr_file xen_device_t;
')
########################################
## <summary>
## Get the attributes of X server miscellaneous devices.
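Review bot: `dev_rw_xen` and `dev_manage_xen` both end in `allow $1 xen_device_t:chr_file r_file_perms;`, so neither grants the write or create access its summary promises ("Read and write Xen devices", "Create, read, write, and delete Xen devices"); a caller of dev_rw_xen would still be denied write on /dev/evtchn, which the devices.fc hunk labels xen_device_t. dev_rw_xen should use `rw_file_perms`, and dev_manage_xen should grant `rw_dir_perms` on device_t:dir together with `create_file_perms` on xen_device_t:chr_file, the same directory treatment dev_filetrans_xen already uses. As written the two interfaces are duplicates of a read-only interface under misleading names.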
@ -2768,4 +2826,3 @@ interface(`dev_unconfined',`
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write, memory_raw_read;
')
@ -1,5 +1,5 @@
policy_module(devices,1.1.1)
policy_module(devices,1.1.2)
########################################
#
@ -168,6 +168,9 @@ dev_node(usb_device_t)
type v4l_device_t;
dev_node(v4l_device_t)
type xen_device_t;
dev_node(xen_device_t)
type xserver_misc_device_t;
dev_node(xserver_misc_device_t)
@ -45,7 +45,7 @@ ifdef(`distro_redhat',`
/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid\.tab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
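Review bot: This hunk replaces one of `/etc/blkid\.tab.* --` and `/etc/blkid(/.*)?` with the other, and the rendered page does not show which is the new side; if the `\.tab` pattern is the one dropped, a `/etc/blkid.tab` written directly into /etc falls back to the `/etc(/.*)?` etc_t default, which conflicts with the bootloader.te hunk in this same commit that adds files_manage_etc_runtime_files with the comment `# for blkid.tab`. Keeping both patterns, the file pattern for /etc/blkid.tab and the directory pattern for /etc/blkid/, avoids depending on where a given blkid version writes its cache. If the directory pattern is the one dropped, the same point applies in the other direction.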
@ -60,7 +60,6 @@ ifdef(`distro_redhat',`
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
@ -68,8 +67,6 @@ ifdef(`distro_redhat',`
/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
@ -93,7 +90,7 @@ ifdef(`distro_suse',`
# HOME_ROOT
# expanded by genhomedircon
#
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s15:c0.c255)
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
HOME_ROOT/lost\+found/.* <<none>>
@ -1726,6 +1726,7 @@ interface(`files_manage_etc_runtime_files',`
')
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_runtime_t:dir rw_dir_perms;
allow $1 etc_runtime_t:file create_file_perms;
type_transition $1 etc_t:file etc_runtime_t;
')
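Review bot: With `allow $1 etc_t:dir rw_dir_perms;` and `type_transition $1 etc_t:file etc_runtime_t;` both present, every caller of files_manage_etc_runtime_files can create and remove entries in the etc_t directory itself (/etc), not only inside etc_runtime_t directories; which of the two lines is the addition cannot be read off the rendered page, but the interface now grants more than its name says either way. The interface's `<summary>` sits above the hunk and should state that callers may create etc_runtime_t files directly in /etc, because existing callers (bootloader_t is added in this commit) inherit the wider access without any change on their side. Since a file created in /etc can be picked up by other programs that read that directory, each caller of this interface deserves a look against that.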
@ -3808,12 +3809,13 @@ interface(`files_polyinstantiate_all',`
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr };
allow $1 polymember: dir { create setattr relabelto };
allow $1 polydir: dir { write add_name };
allow $1 polyparent:dir { write add_name };
allow $1 polyparent:dir { write add_name relabelfrom relabelto };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
')
########################################
@ -1,5 +1,5 @@
policy_module(files,1.2.1)
policy_module(files,1.2.2)
########################################
#
@ -1,5 +1,5 @@
policy_module(filesystem,1.3.0)
policy_module(filesystem,1.3.1)
########################################
#
@ -167,3 +167,5 @@ files_mountpoint(nfs_t)
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
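Review bot: `genfscon hfs /` and `genfscon hfsplus /` label two local on-disk filesystems as nfs_t, so every rule and tunable written for NFS mounts and network home directories now also covers HFS/HFS+ media, and nothing in the hunk records that this is intended. If nfs_t was chosen only because it is the existing type for filesystems without their own labels, a comment such as `# hfs/hfsplus carry no xattr labels; treated like nfs until a dedicated type exists` would make that explicit and mark where a dedicated type belongs. The files_mountpoint(nfs_t) line in the hunk header suggests the type is already used generically, but that is inferred.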
@ -907,6 +907,110 @@ interface(`kernel_read_network_state_symlinks',`
allow $1 proc_net_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Allow searching of xen state directory.
## </summary>
## <param name="domain">
## <summary>
## The process type reading the state.
## </summary>
## </param>
##
#
interface(`kernel_search_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 proc_xen_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search the xen
## state directory.
## </summary>
## <param name="domain">
## <summary>
## The process type reading the state.
## </summary>
## </param>
##
#
interface(`kernel_dontaudit_search_xen_state',`
gen_require(`
type proc_xen_t;
')
dontaudit $1 proc_xen_t:dir search;
')
########################################
## <summary>
## Allow caller to read the xen state information.
## </summary>
## <param name="domain">
## <summary>
## The process type reading the state.
## </summary>
## </param>
##
#
interface(`kernel_read_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:file r_file_perms;
allow $1 proc_xen_t:lnk_file { getattr read };
')
########################################
## <summary>
## Allow caller to read the xen state symbolic links.
## </summary>
## <param name="domain">
## <summary>
## The process type reading the state.
## </summary>
## </param>
##
#
interface(`kernel_read_xen_state_symlinks',`
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Allow caller to write xen state information.
## </summary>
## <param name="domain">
## <summary>
## The process type writing the state.
## </summary>
## </param>
##
#
interface(`kernel_write_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:file write;
')
########################################
## <summary>
## Do not audit attempts by caller to search
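Review bot: The new xen state interfaces disagree with each other: kernel_read_xen_state grants `proc_xen_t:lnk_file { getattr read }` while kernel_read_xen_state_symlinks grants `r_file_perms` on the same object, and kernel_search_xen_state uses `search_dir_perms` on proc_t where the interfaces below it use plain `search`. Using `r_file_perms` for the lnk_file rule, as the `file` rule on the line above it already does, and one directory-search form throughout, keeps the set consistent with the existing proc_net_t interfaces and avoids a later round of denials for the missing bits. kernel_write_xen_state grants only `write` on proc_xen_t:file; if the intended consumer drives that interface through ioctl rather than plain writes, this interface will not be sufficient on its own, which should be checked once a caller exists.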
@ -1044,6 +1148,7 @@ interface(`kernel_rw_vm_sysctls',`
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:dir list_dir_perms;
allow $1 sysctl_vm_t:file rw_file_perms;
')
@ -1,5 +1,5 @@
policy_module(kernel,1.3.0)
policy_module(kernel,1.3.1)
########################################
#
@ -75,6 +75,9 @@ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
type proc_net_t, proc_type;
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
type proc_xen_t, proc_type;
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
#
# Sysctl types
#
@ -15,6 +15,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
@ -75,3 +76,4 @@ ifdef(`targeted_policy', `', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@ -12,6 +12,11 @@
## </param>
#
template(`apache_content_template',`
gen_require(`
attribute httpdcontent;
attribute httpd_exec_scripts;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
# allow write access to public file transfer
# services files.
gen_tunable(allow_httpd_$1_script_anon_write,false)
@ -1,5 +1,5 @@
policy_module(apache,1.3.3)
policy_module(apache,1.3.4)
#
# NOTES:
@ -11,7 +11,7 @@
#
# /var
#
/var/log/acpid -- gen_context(system_u:object_r:apmd_log_t,s0)
/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
@ -1,5 +1,5 @@
policy_module(apm,1.2.0)
policy_module(apm,1.2.1)
########################################
#
@ -1,5 +1,5 @@
policy_module(bluetooth,1.2.0)
policy_module(bluetooth,1.2.1)
########################################
#
@ -115,6 +115,7 @@ corecmd_exec_bin(bluetooth_t)
corecmd_exec_shell(bluetooth_t)
domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
files_read_etc_files(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
@ -145,6 +146,7 @@ ifdef(`targeted_policy',`
optional_policy(`dbus',`
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
dbus_send_system_bus(bluetooth_t)
')
@ -170,6 +172,7 @@ allow bluetooth_helper_t self:process getsched;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
allow bluetooth_helper_t bluetooth_t:socket { read write };
@ -202,20 +205,23 @@ logging_send_syslog_msg(bluetooth_helper_t)
miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)
userdom_search_all_users_home_content(bluetooth_helper_t)
optional_policy(`dbus',`
dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
dbus_connect_system_bus(bluetooth_helper_t)
dbus_send_system_bus(bluetooth_helper_t)
')
optional_policy(`nscd',`
nscd_socket_use(bluetooth_helper_t)
')
optional_policy(`xserver',`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
ifdef(`TODO',`
allow bluetooth_helper_t tmp_t:dir search;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
ifdef(`strict_policy',`
ifdef(`xdm.te',`
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
@ -227,4 +233,9 @@ ifdef(`targeted_policy',`
files_rw_generic_tmp_sockets(bluetooth_helper_t)
allow bluetooth_helper_t tmpfs_t:file { read write };
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
userdom_read_all_users_home_content_files(bluetooth_helper_t)
optional_policy(`xserver',`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
')
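Review bot: `xserver_stream_connect_xdm(bluetooth_helper_t)` is added inside the targeted-policy branch although the previous hunk already carries the same call in an optional_policy block at file scope; if both are on the new side, the targeted copy is redundant and can be dropped. `userdom_read_all_users_home_content_files(bluetooth_helper_t)` also gives the helper read access to every user's home content; if it only needs its own per-user configuration, a comment naming the files it reads, or a narrower interface, would make the grant reviewable. The enclosing ifdef(targeted_policy) block opens before the hunk.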
@ -1,5 +1,5 @@
policy_module(cron,1.3.1)
policy_module(cron,1.3.2)
gen_require(`
class passwd rootok;
@ -166,6 +166,10 @@ ifdef(`targeted_policy',`
allow crond_t unconfined_t:dbus send_msg;
allow crond_t initrc_t:dbus send_msg;
optional_policy(`mono',`
mono_domtrans(crond_t)
')
',`
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
@ -43,7 +43,7 @@
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
/var/run/cups/printcap -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
@ -23,6 +23,47 @@ interface(`cups_domtrans',`
allow cupsd_t $1:process sigchld;
')
########################################
## <summary>
## Connect to cupsd over an unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cups_stream_connect',`
gen_require(`
type cupsd_t, cupsd_var_run_t;
')
files_search_pids($1)
allow $1 cupsd_var_run_t:dir search;
allow $1 cupsd_var_run_t:sock_file write;
allow $1 cupsd_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Connect to cups over TCP.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cups_tcp_connect',`
gen_require(`
type cupsd_t;
')
allow $1 cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')
########################################
## <summary>
## Send and receive messages from
@ -206,23 +247,3 @@ interface(`cups_stream_connect_ptal',`
allow $1 ptal_var_run_t:sock_file write;
allow $1 ptal_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Connect to cups over TCP.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cups_tcp_connect',`
gen_require(`
type cupsd_t;
')
allow $1 cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')
@ -1,5 +1,5 @@
policy_module(cups,1.3.0)
policy_module(cups,1.3.1)
########################################
#
@ -77,7 +77,7 @@ allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fse
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:process { setsched signal_perms };
allow cupsd_t self:fifo_file rw_file_perms;
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
@ -110,6 +110,7 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:file create_file_perms;
allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
allow cupsd_t hplip_var_run_t:file { read getattr };
@ -119,6 +120,7 @@ allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket connectto;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
kernel_tcp_recvfrom(cupsd_t)
@ -383,6 +385,8 @@ allow hplip_t self:rawip_socket create_socket_perms;
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
allow hplip_t hplip_etc_t:file r_file_perms;
allow hplip_t hplip_etc_t:dir r_dir_perms;
allow hplip_t hplip_etc_t:lnk_file { getattr read };
@ -649,7 +653,7 @@ ifdef(`targeted_policy', `
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_generic_ptys(cupsd_config_t)
|
||||
|
||||
unconfined_read_pipes(cupsd_config_t)
|
||||
unconfined_rw_pipes(cupsd_config_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
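Review bot: `files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)` in the `@ -110,6 +110,7` hunk names only the `file` class, while the line just above it grants `cupsd_var_run_t:sock_file create_file_perms`; a socket cupsd creates directly under the pid directory would not receive the `cupsd_var_run_t` label, so the class list should be `{ file sock_file }` if that is where the socket is created, which is the form xen.te in this same commit uses. In the last hunk `unconfined_read_pipes(cupsd_config_t)` becomes `unconfined_rw_pipes(cupsd_config_t)` with no comment on which pipe the config tool writes back to; a one-line justification would help. The enclosing `ifdef(`targeted_policy'` block starts and ends outside the hunk.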
@ -100,3 +100,43 @@ interface(`hal_dbus_chat',`
|
||||
allow $1 hald_t:dbus send_msg;
|
||||
allow hald_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read hald state files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_read_pid_files',`
|
||||
gen_require(`
|
||||
type hald_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 hald_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read/Write hald state files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_rw_pid_files',`
|
||||
gen_require(`
|
||||
type hald_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 hald_var_run_t:file rw_file_perms;
|
||||
')
|
||||
|
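Review bot: The summaries of the two new interfaces say "state files" while their names and the `hald_var_run_t` type they grant refer to pid files; `## Read hald pid files.` and `## Read/Write hald pid files.` would match the names. Both interfaces call `files_search_pids($1)` but grant nothing on `hald_var_run_t:dir`; if that type also labels a directory under /var/run, callers additionally need `allow $1 hald_var_run_t:dir search;` — that cannot be confirmed from this page.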
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.3.0)
|
||||
policy_module(hal,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
|
||||
#
|
||||
|
||||
# execute openvt which needs setuid
|
||||
allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
|
||||
allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
|
||||
dontaudit hald_t self:capability sys_tty_config;
|
||||
allow hald_t self:process signal_perms;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
@ -48,6 +48,7 @@ kernel_read_system_state(hald_t)
|
||||
kernel_read_network_state(hald_t)
|
||||
kernel_read_kernel_sysctls(hald_t)
|
||||
kernel_read_fs_sysctls(hald_t)
|
||||
kernel_rw_vm_sysctls(hald_t)
|
||||
kernel_write_proc_files(hald_t)
|
||||
|
||||
files_search_boot(hald_t)
|
||||
@ -75,6 +76,8 @@ dev_rw_printer(hald_t)
|
||||
dev_read_lvm_control(hald_t)
|
||||
dev_getattr_all_chr_files(hald_t)
|
||||
dev_manage_generic_chr_files(hald_t)
|
||||
dev_rw_generic_usb_dev(hald_t)
|
||||
|
||||
# hal is now execing pm-suspend
|
||||
dev_rw_sysfs(hald_t)
|
||||
|
||||
@ -110,9 +113,8 @@ storage_raw_read_fixed_disk(hald_t)
|
||||
storage_raw_write_fixed_disk(hald_t)
|
||||
|
||||
term_dontaudit_use_console(hald_t)
|
||||
term_dontaudit_ioctl_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_generic_ptys(hald_t)
|
||||
term_use_unallocated_ttys(hald_t)
|
||||
|
||||
init_use_fds(hald_t)
|
||||
init_use_script_ptys(hald_t)
|
||||
@ -144,6 +146,7 @@ userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(hald_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_setattr_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_generic_ptys(hald_t)
|
||||
files_dontaudit_read_root_files(hald_t)
|
||||
@ -195,6 +198,10 @@ optional_policy(`hotplug',`
|
||||
hotplug_read_config(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`lvm', `
|
||||
lvm_domtrans(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount',`
|
||||
mount_domtrans(hald_t)
|
||||
')
|
||||
|
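Review bot: Adding `sys_tty_config` to the hald_t capability allow in the `@ -22,7 +22,7` hunk leaves `dontaudit hald_t self:capability sys_tty_config;` on the following line as a dead rule; either drop the dontaudit or, if the capability is only probed, keep the dontaudit and not the allow. Likewise `term_use_unallocated_ttys(hald_t)` replacing the two dontaudit calls in the `@ -110,9 +113,8` hunk makes `term_dontaudit_use_unallocated_ttys(hald_t)` inside the targeted block below redundant. `kernel_write_proc_files(hald_t)` is a broad grant; a comment naming the /proc file hal writes (the nearby `# hal is now execing pm-suspend` comment suggests power management) would justify it.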
@ -1,3 +1,4 @@
|
||||
|
||||
/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
||||
/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
||||
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
||||
/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ktalk,1.2.0)
|
||||
policy_module(ktalk,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -11,6 +11,9 @@ type ktalkd_exec_t;
|
||||
inetd_udp_service_domain(ktalkd_t,ktalkd_exec_t)
|
||||
role system_r types ktalkd_t;
|
||||
|
||||
type ktalkd_log_t;
|
||||
logging_log_file(ktalkd_log_t)
|
||||
|
||||
type ktalkd_tmp_t;
|
||||
files_tmp_file(ktalkd_tmp_t)
|
||||
|
||||
@ -38,6 +41,9 @@ optional_policy(`kerberos',`
|
||||
')
|
||||
#end for identd
|
||||
|
||||
allow ktalkd_t ktalkd_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)
|
||||
|
||||
allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
|
||||
allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
|
||||
@ -68,6 +74,8 @@ fs_getattr_xattr_fs(ktalkd_t)
|
||||
|
||||
files_read_etc_files(ktalkd_t)
|
||||
|
||||
init_read_utmp(ktalkd_t)
|
||||
|
||||
libs_use_ld_so(ktalkd_t)
|
||||
libs_use_shared_libs(ktalkd_t)
|
||||
logging_send_syslog_msg(ktalkd_t)
|
||||
|
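Review bot: `allow ktalkd_t ktalkd_log_t:file manage_file_perms;` lets the daemon unlink and rename its own log files, which a logging rule normally should not need; if talkd only creates and appends to its log, an explicit set such as `{ create getattr setattr append }` keeps the log usable as an audit record. The daemon's actual log handling is not visible here, so confirm against talkd before narrowing the set.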
@ -275,3 +275,28 @@ interface(`mailman_read_archive',`
|
||||
allow $1 mailman_archive_t:file r_file_perms;
|
||||
allow $1 mailman_archive_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Execute mailman_queue in the mailman_queue domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mailman_domtrans_queue',`
|
||||
gen_require(`
|
||||
type mailman_queue_exec_t, mailman_queue_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
|
||||
|
||||
allow $1 mailman_queue_t:fd use;
|
||||
allow mailman_queue_t $1:fd use;
|
||||
allow mailman_queue_t $1:fifo_file rw_file_perms;
|
||||
allow mailman_queue_t $1:process sigchld;
|
||||
')
|
||||
|
||||
|
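Review bot: `mailman_domtrans_queue` calls `domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)` without first granting search on the directory holding the executable, whereas `nis_domtrans_ypxfr` added in the same commit does `corecmd_search_bin($1)` before its `domain_auto_trans`. If mailman_queue_exec_t lives under a bin directory the caller may not already search, the transition fails; if it lives under mailman's own data directory, the matching search interface belongs here instead. The comment banner also has 39 `#` where the sibling interfaces use 40.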
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mailman,1.1.0)
|
||||
policy_module(mailman,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -4,6 +4,7 @@
|
||||
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
|
||||
|
||||
/usr/sbin/rpc.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
|
||||
/usr/sbin/rpc.ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
||||
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
|
||||
|
||||
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
|
||||
|
@ -277,3 +277,27 @@ interface(`nis_read_ypserv_config',`
|
||||
files_search_etc($1)
|
||||
allow $1 ypserv_conf_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ypxfr in the ypxfr domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nis_domtrans_ypxfr',`
|
||||
gen_require(`
|
||||
type ypxfr_t, ypxfr_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
|
||||
|
||||
allow $1 ypxfr_t:fd use;
|
||||
allow ypxfr_t $1:fd use;
|
||||
allow ypxfr_t $1:fifo_file rw_file_perms;
|
||||
allow ypxfr_t $1:process sigchld;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nis,1.1.0)
|
||||
policy_module(nis,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -40,6 +40,10 @@ files_tmp_file(ypserv_tmp_t)
|
||||
type ypserv_var_run_t;
|
||||
files_pid_file(ypserv_var_run_t)
|
||||
|
||||
type ypxfr_t;
|
||||
type ypxfr_exec_t;
|
||||
init_daemon_domain(ypxfr_t,ypxfr_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# ypbind local policy
|
||||
@ -245,6 +249,7 @@ dontaudit ypserv_t self:capability sys_tty_config;
|
||||
allow ypserv_t self:fifo_file rw_file_perms;
|
||||
allow ypserv_t self:process signal_perms;
|
||||
allow ypserv_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow ypserv_t self:udp_socket create_socket_perms;
|
||||
@ -306,6 +311,8 @@ logging_send_syslog_msg(ypserv_t)
|
||||
|
||||
miscfiles_read_localization(ypserv_t)
|
||||
|
||||
nis_domtrans_ypxfr(ypserv_t)
|
||||
|
||||
sysnet_read_config(ypserv_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
|
||||
@ -326,3 +333,29 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(ypserv_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# ypxfr local policy
|
||||
#
|
||||
|
||||
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
corenet_tcp_sendrecv_all_if(ypxfr_t)
|
||||
corenet_udp_sendrecv_all_if(ypxfr_t)
|
||||
corenet_raw_sendrecv_all_if(ypxfr_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ypxfr_t)
|
||||
corenet_udp_sendrecv_all_nodes(ypxfr_t)
|
||||
corenet_raw_sendrecv_all_nodes(ypxfr_t)
|
||||
corenet_tcp_sendrecv_all_ports(ypxfr_t)
|
||||
corenet_udp_sendrecv_all_ports(ypxfr_t)
|
||||
corenet_non_ipsec_sendrecv(ypxfr_t)
|
||||
corenet_tcp_bind_all_nodes(ypxfr_t)
|
||||
corenet_udp_bind_all_nodes(ypxfr_t)
|
||||
corenet_tcp_bind_reserved_port(ypxfr_t)
|
||||
corenet_udp_bind_reserved_port(ypxfr_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
|
||||
corenet_tcp_connect_all_ports(ypxfr_t)
|
||||
|
||||
files_read_etc_files(ypxfr_t)
|
||||
|
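Review bot: The new ypxfr local policy in the last hunk grants broad network access but no `libs_use_ld_so(ypxfr_t)` / `libs_use_shared_libs(ypxfr_t)`, which every other domain on this page (ktalkd_t, fsadm_t, mount_t) carries; a dynamically linked ypxfr cannot start without them unless they are granted somewhere outside this hunk. `miscfiles_read_localization` and `logging_send_syslog_msg` are likewise absent. ypxfr also writes NIS maps under /var/yp (`var_yp_t` in the nis.fc section of this commit) and no rule on that type appears here — confirm it exists elsewhere. The hunk runs to end of file, so nothing follows it.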
@ -49,8 +49,8 @@ interface(`nscd_socket_use',`
|
||||
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 nscd_var_run_t:dir r_dir_perms;
|
||||
allow $1 nscd_var_run_t:sock_file rw_file_perms;
|
||||
dontaudit $1 nscd_var_run_t:dir { search getattr };
|
||||
dontaudit $1 nscd_var_run_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
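Review bot: The `@ -49,8 +49,8` hunk replaces two lines of `nscd_socket_use`, but the rendering has lost the +/- markers, so it is not visible whether the `allow` pair on `nscd_var_run_t` dir/sock_file or the `dontaudit` pair is the new side. If the allows are what was removed, callers lose the `sock_file rw_file_perms` that an interface named socket_use implies and nscd lookups would presumably fail for confined clients; the raw patch should be checked for that before merging. The enclosing interface starts outside the hunk.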
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(nscd,1.2.0)
|
||||
policy_module(nscd,1.2.1)
|
||||
|
||||
gen_require(`
|
||||
class nscd all_nscd_perms;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postfix,1.2.0)
|
||||
policy_module(postfix,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -406,6 +406,10 @@ optional_policy(`procmail',`
|
||||
procmail_domtrans(postfix_pipe_t)
|
||||
')
|
||||
|
||||
optional_policy(`mailman',`
|
||||
mailman_domtrans_queue(postfix_pipe_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix postdrop local policy
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(samba,1.2.0)
|
||||
policy_module(samba,1.2.1)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -32,7 +32,7 @@ files_tmp_file(samba_net_tmp_t)
|
||||
type samba_secrets_t;
|
||||
files_type(samba_secrets_t)
|
||||
|
||||
type samba_share_t;
|
||||
type samba_share_t; # customizable
|
||||
files_config_file(samba_share_t)
|
||||
|
||||
type samba_var_t;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sendmail,1.2.0)
|
||||
policy_module(sendmail,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -125,6 +125,7 @@ optional_policy(`nscd',`
|
||||
')
|
||||
|
||||
optional_policy(`postfix',`
|
||||
postfix_exec_master(sendmail_t)
|
||||
postfix_read_config(sendmail_t)
|
||||
postfix_search_spool(sendmail_t)
|
||||
')
|
||||
|
@ -110,3 +110,21 @@ interface(`fstools_manage_entry_files',`
|
||||
|
||||
allow $1 fsadm_exec_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Getattr swapfile
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fstools_getattr_swap_files',`
|
||||
gen_require(`
|
||||
type swapfile_t;
|
||||
')
|
||||
|
||||
allow $1 swapfile_t:file getattr;
|
||||
')
|
||||
|
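Review bot: The summary of `fstools_getattr_swap_files` reads `## Getattr swapfile`, a permission name rather than the descriptive sentence sibling interfaces use; `## Get the attributes of swap files.` fits the file's style. Its parameter summary uses `The type of the process performing this action.` while the other interfaces added in this commit (hal, mailman, nis, xen) use `Domain allowed access.`; one wording should be picked across the commit.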
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(fstools,1.3.0)
|
||||
policy_module(fstools,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -53,6 +53,7 @@ kernel_read_kernel_sysctls(fsadm_t)
|
||||
kernel_change_ring_buffer_level(fsadm_t)
|
||||
# mkreiserfs needs this
|
||||
kernel_getattr_proc(fsadm_t)
|
||||
kernel_getattr_core_if(fsadm_t)
|
||||
# Access to /initrd devices
|
||||
kernel_rw_unlabeled_dirs(fsadm_t)
|
||||
kernel_rw_unlabeled_blk_files(fsadm_t)
|
||||
@ -60,6 +61,7 @@ kernel_rw_unlabeled_blk_files(fsadm_t)
|
||||
files_getattr_boot_dirs(fsadm_t)
|
||||
|
||||
dev_getattr_all_chr_files(fsadm_t)
|
||||
dev_dontaudit_getattr_all_blk_files(fsadm_t)
|
||||
# mkreiserfs and other programs need this for UUID
|
||||
dev_read_rand(fsadm_t)
|
||||
dev_read_urand(fsadm_t)
|
||||
@ -127,6 +129,7 @@ files_search_all(fsadm_t)
|
||||
|
||||
init_use_fds(fsadm_t)
|
||||
init_use_script_ptys(fsadm_t)
|
||||
init_dontaudit_getattr_initctl(fsadm_t)
|
||||
|
||||
libs_use_ld_so(fsadm_t)
|
||||
libs_use_shared_libs(fsadm_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.3.1)
|
||||
policy_module(init,1.3.2)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -482,6 +482,10 @@ ifdef(`distro_suse',`
|
||||
ifdef(`targeted_policy',`
|
||||
domain_subj_id_change_exemption(initrc_t)
|
||||
unconfined_domain(initrc_t)
|
||||
|
||||
optional_policy(`mono',`
|
||||
mono_domtrans(initrc_t)
|
||||
')
|
||||
',`
|
||||
# cjp: require doesnt work in optionals :\
|
||||
# this also would result in a type transition
|
||||
|
@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -74,6 +75,7 @@ ifdef(`distro_redhat',`
|
||||
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/usr/lib(64)?/.*/program/.*\.so.* gen_context(system_u:object_r:shlib_t,s0)
|
||||
|
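Review bot: The new `/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)*` entry sits directly under the existing `/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)*` line, whose lowercase `x11R6` looks like a case typo (the entry a few lines up spells it `X11R6`) and so would never match a real path; since this hunk already touches that block, it would be the moment to correct it to `/usr/X11R6/...`. Both hunks are inside an `ifdef(`distro_redhat'` block that starts outside the hunk.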
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(libraries,1.3.0)
|
||||
policy_module(libraries,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(locallogin,1.2.0)
|
||||
policy_module(locallogin,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -20,6 +20,7 @@ files_lock_file(local_login_lock_t)
|
||||
|
||||
type local_login_tmp_t;
|
||||
files_tmp_file(local_login_tmp_t)
|
||||
files_poly_parent(local_login_tmp_t)
|
||||
|
||||
type sulogin_t;
|
||||
type sulogin_exec_t;
|
||||
|
@ -25,6 +25,7 @@
|
||||
# /sbin
|
||||
#
|
||||
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lvm,1.3.0)
|
||||
policy_module(lvm,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -128,7 +128,8 @@ optional_policy(`udev',`
|
||||
#
|
||||
|
||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource };
|
||||
# rawio needed for dmraid
|
||||
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
|
||||
dontaudit lvm_t self:capability sys_tty_config;
|
||||
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
||||
# LVM will complain a lot if it cannot set its priority.
|
||||
@ -199,6 +200,7 @@ dev_dontaudit_read_all_blk_files(lvm_t)
|
||||
dev_dontaudit_getattr_generic_chr_files(lvm_t)
|
||||
dev_dontaudit_getattr_generic_blk_files(lvm_t)
|
||||
dev_dontaudit_getattr_generic_pipes(lvm_t)
|
||||
dev_create_generic_dirs(lvm_t)
|
||||
|
||||
fs_getattr_xattr_fs(lvm_t)
|
||||
fs_search_auto_mountpoints(lvm_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mount,1.3.0)
|
||||
policy_module(mount,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,6 +26,7 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
|
||||
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
|
||||
|
||||
kernel_read_system_state(mount_t)
|
||||
kernel_dontaudit_getattr_core_if(mount_t)
|
||||
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
||||
@ -33,6 +34,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
||||
dev_getattr_all_blk_files(mount_t)
|
||||
dev_list_all_dev_nodes(mount_t)
|
||||
dev_rw_lvm_control(mount_t)
|
||||
dev_dontaudit_getattr_all_chr_files(mount_t)
|
||||
dev_dontaudit_getattr_memory_dev(mount_t)
|
||||
dev_getattr_sound_dev(mount_t)
|
||||
|
||||
@ -73,6 +75,7 @@ files_read_isid_type_files(mount_t)
|
||||
|
||||
init_use_fds(mount_t)
|
||||
init_use_script_ptys(mount_t)
|
||||
init_dontaudit_getattr_initctl(mount_t)
|
||||
|
||||
libs_use_ld_so(mount_t)
|
||||
libs_use_shared_libs(mount_t)
|
||||
|
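Review bot: `dev_rw_lvm_control(mount_t)` in the `@ -33,6 +34,7` hunk gives mount read/write access to the device-mapper control node without a comment on which mount path needs it; the lvm.te hunk in this same commit documents its new capability with `# rawio needed for dmraid`, and a similar one-liner here, e.g. `# needed to mount device-mapper/LVM volumes`, would record the rationale. The other additions in this section are dontaudits and need no note.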
@ -8,9 +8,9 @@
|
||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
|
||||
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
|
||||
/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)? -- gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
/etc/selinux([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||
/etc/selinux([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
|
||||
|
||||
#
|
||||
|
@ -606,6 +606,28 @@ interface(`seutil_read_config',`
|
||||
allow $1 selinux_config_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## the general selinux configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_manage_selinux_config',`
|
||||
gen_require(`
|
||||
type selinux_config_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 selinux_config_t:dir rw_dir_perms;
|
||||
allow $1 selinux_config_t:file manage_file_perms;
|
||||
allow $1 selinux_config_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the policy directory with default_context files.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinuxutil,1.2.0)
|
||||
policy_module(selinuxutil,1.2.1)
|
||||
|
||||
gen_require(`
|
||||
bool secure_mode;
|
||||
@ -267,6 +267,7 @@ term_use_all_user_ttys(newrole_t)
|
||||
term_use_all_user_ptys(newrole_t)
|
||||
term_relabel_all_user_ttys(newrole_t)
|
||||
term_relabel_all_user_ptys(newrole_t)
|
||||
term_getattr_unallocated_ttys(newrole_t)
|
||||
term_dontaudit_use_unallocated_ttys(newrole_t)
|
||||
|
||||
auth_domtrans_chk_passwd(newrole_t)
|
||||
@ -476,6 +477,11 @@ ifdef(`targeted_policy',`',`
|
||||
optional_policy(`daemontools',`
|
||||
daemontools_domtrans_start(run_init_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_socket_use(run_init_t)
|
||||
')
|
||||
|
||||
') dnl end ifdef targeted policy
|
||||
|
||||
########################################
|
||||
@ -499,6 +505,7 @@ files_list_pids(semanage_t)
|
||||
|
||||
mls_file_write_down(semanage_t)
|
||||
mls_rangetrans_target(semanage_t)
|
||||
mls_file_read_up(semanage_t)
|
||||
|
||||
selinux_get_enforce_mode(semanage_t)
|
||||
|
||||
@ -510,6 +517,7 @@ libs_use_lib_files(semanage_t)
|
||||
|
||||
seutil_search_default_contexts(semanage_t)
|
||||
seutil_rw_file_contexts(semanage_t)
|
||||
seutil_manage_selinux_config(semanage_t)
|
||||
seutil_domtrans_setfiles(semanage_t)
|
||||
seutil_domtrans_loadpolicy(semanage_t)
|
||||
seutil_read_config(semanage_t)
|
||||
@ -519,6 +527,10 @@ seutil_manage_module_store(semanage_t)
|
||||
seutil_get_semanage_trans_lock(semanage_t)
|
||||
seutil_get_semanage_read_lock(semanage_t)
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_socket_use(semanage_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Setfiles local policy
|
||||
|
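Review bot: `mls_file_read_up(semanage_t)` in the `@ -499,6 +505,7` hunk, together with the existing `mls_file_write_down(semanage_t)`, gives semanage_t both MLS file overrides with no comment on why; since the selinuxutil.fc section of this commit labels the policy store, `seusers` and `users` at `s15:c0.c255`, a comment such as `# policy store and seusers are labeled at the high clearance` would document the need. The two `nscd_socket_use` additions are each wrapped in `optional_policy(`nscd'`, which matches the file's convention.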
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sysnetwork,1.1.0)
|
||||
policy_module(sysnetwork,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -246,6 +246,10 @@ optional_policy(`userdomain',`
|
||||
userdom_use_all_users_fds(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`xen',`
|
||||
xen_append_log(dhcpc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Ifconfig local policy
|
||||
@ -339,3 +343,7 @@ optional_policy(`nis',`
|
||||
optional_policy(`ppp',`
|
||||
ppp_use_fds(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`xen',`
|
||||
xen_append_log(ifconfig_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(udev,1.3.0)
|
||||
policy_module(udev,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -39,7 +39,7 @@ files_pid_file(udev_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource sys_nice };
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
|
||||
dontaudit udev_t self:capability sys_tty_config;
|
||||
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow udev_t self:process { execmem setfscreate };
|
||||
|
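Review bot: The new udev_t capability line adds `setuid setgid` but keeps `sys_nice` listed twice (`... sys_nice sys_rawio sys_resource setuid setgid sys_nice`); the duplicate was already in the old line, and rewriting the line is the place to drop it. There is also no comment on what udev needs setuid/setgid for (presumably helpers that change identity), and the lvm.te hunk in this commit shows the expected style with `# rawio needed for dmraid`.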
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined,1.3.0)
|
||||
policy_module(unconfined,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -89,10 +89,6 @@ ifdef(`targeted_policy',`
|
||||
firstboot_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`fstools',`
|
||||
fstools_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`java',`
|
||||
java_domtrans(unconfined_t)
|
||||
')
|
||||
@ -109,10 +105,6 @@ ifdef(`targeted_policy',`
|
||||
mono_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount',`
|
||||
mount_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`netutils',`
|
||||
netutils_domtrans_ping(unconfined_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.3.4)
|
||||
policy_module(userdomain,1.3.5)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
@ -177,6 +177,7 @@ ifdef(`targeted_policy',`
|
||||
mls_file_write_down(secadm_t)
|
||||
mls_file_upgrade(secadm_t)
|
||||
mls_file_downgrade(secadm_t)
|
||||
init_exec(secadm_t)
|
||||
logging_read_audit_log(secadm_t)
|
||||
logging_domtrans_auditctl(secadm_t)
|
||||
userdom_dontaudit_append_staff_home_content_files(secadm_t)
|
||||
|
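--- /dev/null
+++ b/refpolicy/policy/modules/system/xen.fc
@@ -0,0 +1,16 @@
+/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+
+/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
+/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+
+/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)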
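--- /dev/null
+++ b/refpolicy/policy/modules/system/xen.if
@@ -0,0 +1,67 @@
+## <summary>Xen hypervisor</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run xend.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_domtrans',`
+gen_requires(`
+type xend_t, xend_exec_t;
+')
+
+domain_auto_trans($1,xend_exec_t,xend_t)
+
+allow $1 xend_t:fd use;
+allow xend_t $1:fd use;
+allow xend_t $1:fifo_file rw_file_perms;
+allow xend_t $1:process sigchld;
+')
+
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## xend log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_append_log',`
+gen_require(`
+type var_log_t, xend_var_log_t;
+')
+
+logging_search_logs($1)
+allow $1 xend_var_log_t:file { getattr append };
+dontaudit $1 xend_var_log_t:file write;
+')
+
+########################################
+## <summary>
+## Connect to xenstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xen_stream_connect_xenstore',`
+gen_require(`
+type xenstored_t, xenstored_var_run_t;
+')
+
+files_search_pids($1)
+allow $1 xenstored_var_run_t:dir search;
+allow $1 xenstored_var_run_t:sock_file { getattr write };
+allow $1 xenstored_t:unix_stream_socket connectto;
+')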
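Review bot: `xen_domtrans` opens its requirement block with `gen_requires(` where the other two interfaces in this file use `gen_require(`; the misspelled macro is not expanded by m4, so the interface will break the policy build or leak literal text into it, and the line should read `gen_require(`. In `xen_append_log` the parameter summary says `Domain allowed to transition.` although nothing transitions — `Domain allowed access.` as in `xen_stream_connect_xenstore` — and `var_log_t` is listed in the require block but never used in the body. `xen_domtrans` also lacks the `corecmd_search_bin($1)` that `nis_domtrans_ypxfr` in this commit calls before its `domain_auto_trans`.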
221
refpolicy/policy/modules/system/xen.te
@ -0,0 +1,221 @@
|
||||
|
||||
policy_module(xen,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# console ptys
|
||||
type xen_devpts_t;
|
||||
term_pty(xen_devpts_t);
|
||||
files_type(xen_devpts_t);
|
||||
|
||||
type xend_t;
|
||||
type xend_exec_t;
|
||||
domain_type(xend_t)
|
||||
init_daemon_domain(xend_t, xend_exec_t)
|
||||
|
||||
# var/lib files
|
||||
type xend_var_lib_t;
|
||||
files_type(xend_var_lib_t)
|
||||
|
||||
# log files
|
||||
type xend_var_log_t;
|
||||
logging_log_file(xend_var_log_t)
|
||||
|
||||
# pid files
|
||||
type xend_var_run_t;
|
||||
files_pid_file(xend_var_run_t)
|
||||
|
||||
type xenstored_t;
|
||||
type xenstored_exec_t;
|
||||
domain_type(xenstored_t)
|
||||
domain_entry_file(xenstored_t,xenstored_exec_t)
|
||||
role system_r types xenstored_t;
|
||||
|
||||
# var/lib files
|
||||
type xenstored_var_lib_t;
|
||||
files_type(xenstored_var_lib_t)
|
||||
|
||||
# pid files
|
||||
type xenstored_var_run_t;
|
||||
files_pid_file(xenstored_var_run_t)
|
||||
|
||||
type xenconsoled_t;
|
||||
type xenconsoled_exec_t;
|
||||
domain_type(xenconsoled_t)
|
||||
domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
|
||||
role system_r types xenconsoled_t;
|
||||
|
||||
# pid files
|
||||
type xenconsoled_var_run_t;
|
||||
files_pid_file(xenconsoled_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# xend local policy
|
||||
#
|
||||
|
||||
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
|
||||
allow xend_t self:process { signal sigkill };
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
allow xend_t self:fifo_file rw_file_perms;
|
||||
allow xend_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xend_t self:unix_dgram_socket create_socket_perms;
|
||||
allow xend_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow xend_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xend_t self:packet_socket create_socket_perms;
|
||||
|
||||
# pid file
|
||||
allow xend_t xend_var_run_t:file manage_file_perms;
|
||||
allow xend_t xend_var_run_t:sock_file manage_file_perms;
|
||||
allow xend_t xend_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
|
||||
|
||||
# log files
|
||||
allow xend_t xend_var_log_t:file create_file_perms;
|
||||
allow xend_t xend_var_log_t:sock_file create_file_perms;
|
||||
allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
|
||||
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
|
||||
|
||||
# var/lib files for xend
|
||||
allow xend_t xend_var_lib_t:file create_file_perms;
|
||||
allow xend_t xend_var_lib_t:sock_file create_file_perms;
|
||||
allow xend_t xend_var_lib_t:dir create_dir_perms;
|
||||
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
|
||||
|
||||
# transition to store
|
||||
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
|
||||
allow xenstored_t xend_t:fd use;
|
||||
allow xenstored_t xend_t:process sigchld;
|
||||
allow xenstored_t xend_t:fifo_file write;
|
||||
|
||||
# transition to console
|
||||
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
|
||||
allow xenconsoled_t xend_t:fd use;
|
||||
|
||||
kernel_read_kernel_sysctls(xend_t)
|
||||
kernel_read_system_state(xend_t)
|
||||
kernel_write_xen_state(xend_t)
|
||||
kernel_read_xen_state(xend_t)
|
||||
kernel_rw_net_sysctls(xend_t)
|
||||
kernel_read_network_state(xend_t)
|
||||
|
||||
corecmd_exec_sbin(xend_t)
|
||||
corecmd_exec_bin(xend_t)
|
||||
corecmd_exec_shell(xend_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(xend_t)
|
||||
corenet_tcp_sendrecv_all_nodes(xend_t)
|
||||
corenet_tcp_sendrecv_all_ports(xend_t)
|
||||
corenet_non_ipsec_sendrecv(xend_t)
|
||||
corenet_tcp_bind_xen_port(xend_t)
|
||||
corenet_tcp_bind_soundd_port(xend_t)
|
||||
|
||||
dev_read_urand(xend_t)
|
||||
dev_manage_xen(xend_t)
|
||||
dev_filetrans_xen(xend_t)
|
||||
dev_rw_sysfs(xend_t)
|
||||
|
||||
domain_read_all_domains_state(xend_t)
|
||||
domain_dontaudit_read_all_domains_state(xend_t)
|
||||
|
||||
files_read_etc_files(xend_t)
|
||||
|
||||
storage_raw_read_fixed_disk(xend_t)
|
||||
|
||||
term_dontaudit_getattr_all_user_ptys(xend_t)
|
||||
term_dontaudit_use_generic_ptys(xend_t)
|
||||
|
||||
init_use_fds(xend_t)
|
||||
|
||||
libs_use_ld_so(xend_t)
|
||||
libs_use_shared_libs(xend_t)
|
||||
|
||||
logging_send_syslog_msg(xend_t)
|
||||
|
||||
miscfiles_read_localization(xend_t)
|
||||
|
||||
sysnet_domtrans_dhcpc(xend_t)
|
||||
sysnet_signal_dhcpc(xend_t)
|
||||
sysnet_domtrans_ifconfig(xend_t)
|
||||
sysnet_dns_name_resolve(xend_t)
|
||||
sysnet_delete_dhcpc_pid(xend_t)
|
||||
sysnet_read_dhcpc_pid(xend_t)
|
||||
|
||||
consoletype_exec(xend_t)
|
||||
|
||||
xen_stream_connect_xenstore(xend_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Xen console local policy
|
||||
#
|
||||
|
||||
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
|
||||
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xenconsoled_t self:fifo_file { read write };
|
||||
|
||||
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
|
||||
|
||||
# pid file
|
||||
allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
|
||||
allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
|
||||
allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(xenconsoled_t)
|
||||
kernel_write_xen_state(xenconsoled_t)
|
||||
kernel_read_xen_state(xenconsoled_t)
|
||||
|
||||
term_create_pty(xenconsoled_t,xen_devpts_t);
|
||||
term_dontaudit_use_generic_ptys(xenconsoled_t)
|
||||
|
||||
init_use_fds(xenconsoled_t)
|
||||
|
||||
libs_use_ld_so(xenconsoled_t)
|
||||
libs_use_shared_libs(xenconsoled_t)
|
||||
|
||||
miscfiles_read_localization(xenconsoled_t)
|
||||
|
||||
xen_append_log(xenconsoled_t)
|
||||
xen_stream_connect_xenstore(xenconsoled_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Xen store local policy
|
||||
#
|
||||
|
||||
allow xenstored_t self:capability { dac_override mknod ipc_lock };
|
||||
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
# pid file
|
||||
allow xenstored_t xenstored_var_run_t:file manage_file_perms;
|
||||
allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
|
||||
allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
|
||||
|
||||
# var/lib files for xenstored
|
||||
allow xenstored_t xenstored_var_lib_t:file create_file_perms;
|
||||
allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
|
||||
allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
|
||||
files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
|
||||
|
||||
kernel_write_xen_state(xenstored_t)
|
||||
kernel_read_xen_state(xenstored_t)
|
||||
|
||||
dev_create_generic_dirs(xenstored_t)
|
||||
dev_manage_xen(xenconsoled_t)
|
||||
dev_filetrans_xen(xenstored_t)
|
||||
|
||||
term_dontaudit_use_generic_ptys(xenstored_t)
|
||||
|
||||
init_use_fds(xenstored_t)
|
||||
|
||||
libs_use_ld_so(xenstored_t)
|
||||
libs_use_shared_libs(xenstored_t)
|
||||
|
||||
miscfiles_read_localization(xenstored_t)
|
||||
|
||||
xen_append_log(xenstored_t)
|
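Review bot: `dev_manage_xen(xenconsoled_t)` in the "Xen store local policy" section looks like a copy-paste slip: it sits between `dev_create_generic_dirs(xenstored_t)` and `dev_filetrans_xen(xenstored_t)`, and xenstored_t is the domain given `mknod` in its self:capability line, so presumably it is the one meant to create nodes under /dev/xen, while the filetrans it is granted cannot be exercised without manage permission on the xen device type. As written, xenconsoled_t instead silently gains full manage access to the xen device nodes from a section nobody reviewing the console daemon will look at, which is both a functional gap for xenstored and a least-privilege leak for xenconsoled. I would change the line to `dev_manage_xen(xenstored_t)` and, only if a real denial shows xenconsoled needs more than read/write on the device, add it back under the "Xen console local policy" header with a comment saying why. While in the file, `domain_dontaudit_read_all_domains_state(xend_t)` directly after `domain_read_all_domains_state(xend_t)` is a no-op, since dontaudit only affects accesses that are denied; one of the two can go.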