patch from dan Fri, 17 Mar 2006 15:22:53 -0500

Chris PeBenito 2006-03-23 19:19:38 +00:00
parent dcd174aeef
commit a3cf80d85b
70 changed files with 873 additions and 111 deletions


@ -1,3 +1,4 @@
- Numerous fixes from Dan Walsh.
- Change build order to preserve m4 line number information so policy
compile errors are useful again.
- Additional MLS interfaces from Chad Hanson.
@ -23,6 +24,7 @@
rhgb
thunderbird
tor (Erich Schubert)
xen (Dan Walsh)
* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
- Make all interface parameters required.


@ -208,7 +208,7 @@ enableaudit: $(BASE_CONF)
#
$(APPDIR)/customizable_types: $(BASE_CONF)
@mkdir -p $(APPDIR)
$(verbose) $(GREP) "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > $(TMPDIR)/customizable_types
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
########################################
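Review bot: The new pattern `'^[[:blank:]]*type .*customizable'` accepts space-indented declarations, but the unchanged `cut -d' ' -f2` after it does not: for a line such as `  type foo_t, customizable;` the leading spaces become empty fields, field 2 is empty, and customizable_types receives a blank entry instead of `foo_t` (a tab-indented line happens to survive only because cut does not split on tabs). Replace the two cuts with a sed that strips the keyword and everything from the first comma, semicolon or blank: `$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | sed -e 's/^[[:blank:]]*type[[:blank:]]*//' -e 's/[,;[:blank:]].*//' | $(SORT) -u > $(TMPDIR)/customizable_types`. Use `$(SED)` rather than a bare `sed` if this Makefile already defines it alongside `$(GREP)` and `$(SORT)`.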


@ -213,7 +213,7 @@ $(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC)
#
$(APPDIR)/customizable_types: $(POLICY_CONF)
@mkdir -p $(APPDIR)
$(verbose) $(GREP) "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > $(TMPDIR)/customizable_types
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
########################################
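Review bot: The relaxed grep `'^[[:blank:]]*type .*customizable'` now matches indented type declarations, but `cut -d' ' -f2` still assumes the line starts with `type`; with leading spaces the second space-delimited field is empty, so an indented `type foo_t, customizable;` contributes an empty line to customizable_types rather than `foo_t`, and `$(SORT) -u` merely collapses the blanks into one. A single sed does the extraction correctly for any leading whitespace: `$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | sed -e 's/^[[:blank:]]*type[[:blank:]]*//' -e 's/[,;[:blank:]].*//' | $(SORT) -u > $(TMPDIR)/customizable_types`. Prefer `$(SED)` if the Makefile defines a variable for it.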


@ -141,9 +141,7 @@ mlsconstrain file { write setattr append unlink link rename
mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
mlsconstrain file { read } ((h1 dom h2) or
( t1 == mlsfileread ));
mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
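Review bot: The `( t2 == domain )` clause added to the `file { read }` constraint exempts every object whose type carries the `domain` attribute from the no-read-up rule, and as I understand it the objects labeled with a process type are the /proc/<pid> entries — so, wherever TE already permits it, a lower-level subject can now read cmdline, environ, maps and the like of a higher-level process. Presumably this is to let ps-style tools see all processes, but it is an MLS information-flow exception that deserves to be stated and scoped: a dedicated attribute placed only on domains whose /proc state is meant to be readable across levels, or an additional `t1` condition, would be narrower than the whole `domain` attribute. At minimum add a comment above the line, e.g. `# domain-typed objects are /proc/<pid> files; exempting them from read-down lets lower-level subjects read higher-level process state -- deliberate MLS override, keep TE proc access tight`.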


@ -1,5 +1,5 @@
policy_module(bootloader,1.2.0)
policy_module(bootloader,1.2.1)
########################################
#
@ -103,13 +103,14 @@ files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
files_exec_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
files_read_kernel_modules(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
files_manage_etc_runtime_files(bootloader_t)
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
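Review bot: `files_manage_etc_runtime_files(bootloader_t)` is justified only by `# for blkid.tab`, yet it grants create/write/unlink on every etc_runtime_t file plus a type transition for new files in /etc — the files.fc hunk in this same commit puts /etc/ioctl.save, /etc/sysconfig/hwconf and hal's fstab state under that type. If the bootloader only rewrites the blkid cache, a read/write interface (files_rw_etc_runtime_files, if the files module provides one) would be enough; if blkid really needs create and rename there, expand the comment to say so, e.g. `# blkid regenerates its cache under /etc, which needs create/unlink, not just write`. `files_read_kernel_modules(bootloader_t)` is also new here and arrives without any comment.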


@ -1,5 +1,5 @@
policy_module(dmidecode,1.0.0)
policy_module(dmidecode,1.0.1)
########################################
#
@ -23,6 +23,8 @@ allow dmidecode_t self:capability sys_rawio;
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
mls_file_read_up(dmidecode_t)
term_list_ptys(dmidecode_t)
files_list_usr(dmidecode_t)
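Review bot: `mls_file_read_up(dmidecode_t)` makes a one-shot DMI table dumper an MLS read-up exception, and nothing says which higher-level object it needs; the only raw access in view is `dev_read_raw_memory` for /dev/mem, commented just above. If the trigger was a denial on /dev/mem labeled at the high end of the range, record that next to the rule, e.g. `# /dev/mem is labeled at the top of the range; dmidecode must read it from any level`, so the override is not kept silently once the device labeling changes. If it was something else, this interface is probably broader than the actual need.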


@ -1,5 +1,5 @@
policy_module(readahead,1.2.0)
policy_module(readahead,1.2.1)
########################################
#
@ -18,7 +18,7 @@ files_pid_file(readahead_var_run_t)
# Local policy
#
dontaudit readahead_t self:capability sys_tty_config;
dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
allow readahead_t self:process signal_perms;
allow readahead_t readahead_var_run_t:file create_file_perms;


@ -22,7 +22,7 @@ ifdef(`distro_redhat', `
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
# SuSE
ifdef(`distro_suse', `


@ -78,6 +78,9 @@ interface(`rpm_run',`
role $2 types rpm_t;
role $2 types rpm_script_t;
seutil_run_loadpolicy(rpm_script_t,$2,$3)
seutil_run_semanage(rpm_script_t,$2,$3)
seutil_run_setfiles(rpm_script_t,$2,$3)
seutil_run_restorecon(rpm_script_t,$2,$3)
allow rpm_t $3:chr_file rw_term_perms;
')


@ -1,5 +1,5 @@
policy_module(rpm,1.3.1)
policy_module(rpm,1.3.2)
########################################
#
@ -326,6 +326,7 @@ modutils_domtrans_insmod(rpm_script_t)
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_restorecon(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)


@ -2,3 +2,4 @@
/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
/usr(/local)?/bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)


@ -134,7 +134,6 @@ template(`su_per_userdomain_template',`
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
@ -142,9 +141,8 @@ template(`su_per_userdomain_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)


@ -1,5 +1,5 @@
policy_module(su,1.3.0)
policy_module(su,1.3.1)
########################################
#


@ -1,5 +1,5 @@
policy_module(updfstab,1.2.0)
policy_module(updfstab,1.2.1)
########################################
#
@ -102,6 +102,10 @@ optional_policy(`dbus',`
dbus_send_system_bus(updfstab_t)
')
optional_policy(`fstools',`
fstools_getattr_swap_files(updfstab_t)
')
optional_policy(`hal',`
hal_stream_connect(updfstab_t)
hal_dbus_chat(updfstab_t)
@ -124,7 +128,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(updfstab_t)
')
ifdef(`TODO',`
allow updfstab_t tmpfs_t:dir getattr;
')


@ -1,5 +1,5 @@
policy_module(vbetool,1.0.0)
policy_module(vbetool,1.0.1)
########################################
#
@ -15,6 +15,7 @@ init_system_domain(vbetool_t,vbetool_exec_t)
# Local policy
#
allow vbetool_t self:capability { sys_tty_config sys_admin };
allow vbetool_t self:process execmem;
dev_wx_raw_memory(vbetool_t)
@ -22,5 +23,13 @@ dev_read_raw_memory(vbetool_t)
dev_rwx_zero(vbetool_t)
dev_read_sysfs(vbetool_t)
term_use_unallocated_ttys(vbetool_t)
libs_use_ld_so(vbetool_t)
libs_use_shared_libs(vbetool_t)
miscfiles_read_localization(vbetool_t)
optional_policy(`hal',`
hal_rw_pid_files(vbetool_t)
')
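Review bot: The new `allow vbetool_t self:process execmem;` stacks a W+X memory exception on top of the existing `dev_wx_raw_memory`/`dev_rwx_zero` grants with no comment on why; presumably vbetool runs the video BIOS through a real-mode emulator that executes code from writable buffers, but that should be recorded at the rule rather than rediscovered from the next denial. Suggest `# vbetool executes the video BIOS via lrmi/x86emu from writable memory, hence execmem (see the rwx raw memory rules above)`, adjusted to whichever mechanism the packaged vbetool actually uses. Separately, `hal_rw_pid_files(vbetool_t)` grants write access to hald's state files; if vbetool only reads them, `hal_read_pid_files` — added in this same commit — is the narrower choice.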


@ -32,11 +32,14 @@ ifdef(`distro_redhat',`
#
# /etc
#
/etc/hotplug/.*agent -- gen_context(system_u:object_r:sbin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:sbin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0)
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0)
/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:sbin_t,s0)
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
@ -44,6 +47,8 @@ ifdef(`distro_redhat',`
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
@ -52,6 +57,8 @@ ifdef(`distro_redhat',`
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_debian',`
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
@ -132,6 +139,8 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)


@ -1,5 +1,5 @@
policy_module(corecommands,1.3.3)
policy_module(corecommands,1.3.4)
########################################
#


@ -1,5 +1,5 @@
policy_module(corenetwork,1.1.2)
policy_module(corenetwork,1.1.3)
########################################
#
@ -126,6 +126,7 @@ network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
network_port(xen, tcp,8002,s0)
network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
network_port(zebra, tcp,2601,s0)
network_port(zope, tcp,8021,s0)
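Review bot: `network_port(xen, tcp,8002,s0)` names a single port `xen` without saying which xend service it represents; as far as I recall 8002 is xend's relocation (live-migration) listener, which transfers guest memory without authentication, while the HTTP management API defaults to 8000. A comment such as `# xend relocation server; the xend HTTP API (8000) is deliberately not included` — or adding 8000 if both are intended — keeps policy writers from assuming the generated `*_xen_port` interfaces cover the management interface as well.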


@ -15,6 +15,7 @@
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
@ -47,6 +48,7 @@
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
@ -86,6 +88,8 @@ ifdef(`distro_suse', `
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)


@ -2382,7 +2382,7 @@ interface(`dev_rw_generic_usb_dev',`
')
allow $1 device_t:dir r_dir_perms;
allow $1 usb_device_t:chr_file { read write };
allow $1 usb_device_t:chr_file rw_file_perms;
')
########################################
@ -2632,6 +2632,64 @@ interface(`dev_read_video_dev',`
allow $1 v4l_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_xen',`
gen_require(`
type device_t, xen_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 xen_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete Xen devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_xen',`
gen_require(`
type device_t, xen_device_t;
')
allow $1 device_t:dir r_dir_perms;
allow $1 xen_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Automatic type transition to the type
## for xen device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_filetrans_xen',`
gen_require(`
type device_t, xen_device_t;
')
allow $1 device_t:dir rw_dir_perms;
type_transition $1 device_t:chr_file xen_device_t;
')
########################################
## <summary>
## Get the attributes of X server miscellaneous devices.
@ -2768,4 +2826,3 @@ interface(`dev_unconfined',`
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write, memory_raw_read;
')
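Review bot: `dev_rw_xen` and `dev_manage_xen` do not grant what their summaries promise: both end in `allow $1 xen_device_t:chr_file r_file_perms;`, so "Read and write" is read-only and "Create, read, write, and delete" is read-only with only `r_dir_perms` on /dev. For `dev_rw_xen` the rule should be `allow $1 xen_device_t:chr_file rw_file_perms;`; for `dev_manage_xen` use `allow $1 device_t:dir rw_dir_perms;` and `allow $1 xen_device_t:chr_file create_file_perms;` (the permission sets this file already uses, cf. the `rw_file_perms` change to `dev_rw_generic_usb_dev` in the hunk above). As written, the first domain handed these interfaces to talk to /dev/xen/evtchn will be denied write, and the mismatch between name and grant invites a broader work-around rule.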


@ -1,5 +1,5 @@
policy_module(devices,1.1.1)
policy_module(devices,1.1.2)
########################################
#
@ -168,6 +168,9 @@ dev_node(usb_device_t)
type v4l_device_t;
dev_node(v4l_device_t)
type xen_device_t;
dev_node(xen_device_t)
type xserver_misc_device_t;
dev_node(xserver_misc_device_t)


@ -45,7 +45,7 @@ ifdef(`distro_redhat',`
/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid\.tab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@ -60,7 +60,6 @@ ifdef(`distro_redhat',`
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
@ -68,8 +67,6 @@ ifdef(`distro_redhat',`
/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
@ -93,7 +90,7 @@ ifdef(`distro_suse',`
# HOME_ROOT
# expanded by genhomedircon
#
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s15:c0.c255)
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
HOME_ROOT/lost\+found/.* <<none>>
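Review bot: If `/etc/blkid\.tab.*` is the entry being replaced by `/etc/blkid(/.*)?`, then `/etc/blkid.tab` itself no longer matches — the new regex covers `/etc/blkid` and paths beneath it, and `.tab` is not a path component — so the cache falls back to the `/etc(/.*)?` etc_t entry, while the bootloader hunk in this very commit is justified with `# for blkid.tab`. Keep both lines, `/etc/blkid\.tab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)` next to `/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)`, since which location blkid writes depends on the installed e2fsprogs version. The HOME_ROOT range change to `s0-s15:c0.c255` looks right for a mount root that must host every level.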


@ -1726,6 +1726,7 @@ interface(`files_manage_etc_runtime_files',`
')
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_runtime_t:dir rw_dir_perms;
allow $1 etc_runtime_t:file create_file_perms;
type_transition $1 etc_t:file etc_runtime_t;
')
@ -3808,12 +3809,13 @@ interface(`files_polyinstantiate_all',`
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr };
allow $1 polymember: dir { create setattr relabelto };
allow $1 polydir: dir { write add_name };
allow $1 polyparent:dir { write add_name };
allow $1 polyparent:dir { write add_name relabelfrom relabelto };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
')
########################################
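Review bot: `relabelfrom relabelto` on `polyparent:dir` and `relabelto` on `polymember:dir` let every caller of `files_polyinstantiate_all` relabel the parent directories themselves (e.g. /tmp or a home root) in both directions, and nothing explains why a polyinstantiating domain must change the parent's label rather than only the member directory it creates. If this is for pam_namespace correcting directories created before the polyinstantiation labels were in place, record that; otherwise `relabelfrom` on the parent looks wider than the member-level relabel the summary implies. Suggested comment above the rule: `# pam_namespace relabels the instance dir it creates (polymember) and may need to fix the label of an existing parent -- confirm the parent relabel is still required`.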


@ -1,5 +1,5 @@
policy_module(files,1.2.1)
policy_module(files,1.2.2)
########################################
#


@ -1,5 +1,5 @@
policy_module(filesystem,1.3.0)
policy_module(filesystem,1.3.1)
########################################
#
@ -167,3 +167,5 @@ files_mountpoint(nfs_t)
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
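Review bot: `genfscon hfs` and `genfscon hfsplus` map a local (typically removable or dual-boot) disk filesystem onto `nfs_t`, so every rule and boolean conditioned on NFS — the use_nfs_home_dirs-style tunables and each domain granted nfs_t access for network shares — now silently applies to an HFS+ volume plugged into the machine. The vfat and iso9660 entries in this file presumably use a dedicated local type; HFS/HFS+ belong with those, or with a removable-media type if one exists, not with the network-filesystem type. If `nfs_t` is a deliberate stopgap, mark it: `# TODO: hfs/hfsplus are local disks; nfs_t is a temporary label`, so it is not mistaken for a design decision.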


@ -907,6 +907,110 @@ interface(`kernel_read_network_state_symlinks',`
allow $1 proc_net_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Allow searching of xen state directory.
## </summary>
## <param name="domain">
## <summary>
## The process type reading the state.
## </summary>
## </param>
##
#
interface(`kernel_search_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 proc_xen_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search the xen
## state directory.
## </summary>
## <param name="domain">
## <summary>
## The process type reading the state.
## </summary>
## </param>
##
#
interface(`kernel_dontaudit_search_xen_state',`
gen_require(`
type proc_xen_t;
')
dontaudit $1 proc_xen_t:dir search;
')
########################################
## <summary>
## Allow caller to read the xen state information.
## </summary>
## <param name="domain">
## <summary>
## The process type reading the state.
## </summary>
## </param>
##
#
interface(`kernel_read_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:file r_file_perms;
allow $1 proc_xen_t:lnk_file { getattr read };
')
########################################
## <summary>
## Allow caller to read the xen state symbolic links.
## </summary>
## <param name="domain">
## <summary>
## The process type reading the state.
## </summary>
## </param>
##
#
interface(`kernel_read_xen_state_symlinks',`
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Allow caller to write xen state information.
## </summary>
## <param name="domain">
## <summary>
## The process type writing the state.
## </summary>
## </param>
##
#
interface(`kernel_write_xen_state',`
gen_require(`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:file write;
')
########################################
## <summary>
## Do not audit attempts by caller to search
@ -1044,6 +1148,7 @@ interface(`kernel_rw_vm_sysctls',`
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:dir list_dir_perms;
allow $1 sysctl_vm_t:file rw_file_perms;
')
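Review bot: `kernel_write_xen_state` grants only `proc_xen_t:file write` with no `getattr` or `ioctl`, while the matching read interface hands out `r_file_perms`; if the consumer is /proc/xen/privcmd (ioctl-driven, as far as I recall) or a xenbus file read and written on one descriptor, callers will still be denied, and the natural fix is `allow $1 proc_xen_t:file rw_file_perms;` (renaming the interface `kernel_rw_xen_state` if that is what it becomes). The new interfaces are also inconsistent about the /proc search permission — `kernel_search_xen_state` and `kernel_read_xen_state` use `proc_t:dir search_dir_perms`, the symlink and write interfaces bare `search` — pick one. The parameter summary of `kernel_search_xen_state` says "reading the state"; it should say searching.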


@ -1,5 +1,5 @@
policy_module(kernel,1.3.0)
policy_module(kernel,1.3.1)
########################################
#
@ -75,6 +75,9 @@ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
type proc_net_t, proc_type;
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
type proc_xen_t, proc_type;
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
#
# Sysctl types
#


@ -15,6 +15,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
@ -75,3 +76,4 @@ ifdef(`targeted_policy', `', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)


@ -12,6 +12,11 @@
## </param>
#
template(`apache_content_template',`
gen_require(`
attribute httpdcontent;
attribute httpd_exec_scripts;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
# allow write access to public file transfer
# services files.
gen_tunable(allow_httpd_$1_script_anon_write,false)


@ -1,5 +1,5 @@
policy_module(apache,1.3.3)
policy_module(apache,1.3.4)
#
# NOTES:


@ -11,7 +11,7 @@
#
# /var
#
/var/log/acpid -- gen_context(system_u:object_r:apmd_log_t,s0)
/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)


@ -1,5 +1,5 @@
policy_module(apm,1.2.0)
policy_module(apm,1.2.1)
########################################
#


@ -1,5 +1,5 @@
policy_module(bluetooth,1.2.0)
policy_module(bluetooth,1.2.1)
########################################
#
@ -115,6 +115,7 @@ corecmd_exec_bin(bluetooth_t)
corecmd_exec_shell(bluetooth_t)
domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
files_read_etc_files(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
@ -145,6 +146,7 @@ ifdef(`targeted_policy',`
optional_policy(`dbus',`
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
dbus_send_system_bus(bluetooth_t)
')
@ -170,6 +172,7 @@ allow bluetooth_helper_t self:process getsched;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
allow bluetooth_helper_t bluetooth_t:socket { read write };
@ -202,20 +205,23 @@ logging_send_syslog_msg(bluetooth_helper_t)
miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)
userdom_search_all_users_home_content(bluetooth_helper_t)
optional_policy(`dbus',`
dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
dbus_connect_system_bus(bluetooth_helper_t)
dbus_send_system_bus(bluetooth_helper_t)
')
optional_policy(`nscd',`
nscd_socket_use(bluetooth_helper_t)
')
optional_policy(`xserver',`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
ifdef(`TODO',`
allow bluetooth_helper_t tmp_t:dir search;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
ifdef(`strict_policy',`
ifdef(`xdm.te',`
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
@ -227,4 +233,9 @@ ifdef(`targeted_policy',`
files_rw_generic_tmp_sockets(bluetooth_helper_t)
allow bluetooth_helper_t tmpfs_t:file { read write };
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
userdom_read_all_users_home_content_files(bluetooth_helper_t)
optional_policy(`xserver',`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
')
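Review bot: `userdom_read_all_users_home_content_files(bluetooth_helper_t)` in the targeted branch gives the PIN/passkey helper read access to every file in every user's home directory, on top of the `userdom_search_all_users_home_content` added unconditionally above; a helper that pops up a PIN dialog should need at most a few of its own dot-files. If the denial behind this was a toolkit reading ~/.Xauthority or ~/.gtkrc, a narrower interface (the xserver module's Xauthority helpers, or a dontaudit) is preferable; at minimum name the file at the rule, e.g. `# helper runs as the logged-in user and reads ~/.Xauthority and ~/.gtkrc -- read only`. The new `self:tcp_socket create_socket_perms` for bluetooth_helper_t also arrives with no corenet rule in view; if none exists elsewhere the socket can be created but never used.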


@ -1,5 +1,5 @@
policy_module(cron,1.3.1)
policy_module(cron,1.3.2)
gen_require(`
class passwd rootok;
@ -166,6 +166,10 @@ ifdef(`targeted_policy',`
allow crond_t unconfined_t:dbus send_msg;
allow crond_t initrc_t:dbus send_msg;
optional_policy(`mono',`
mono_domtrans(crond_t)
')
',`
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;


@ -43,7 +43,7 @@
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
/var/run/cups/printcap -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)


@ -23,6 +23,47 @@ interface(`cups_domtrans',`
allow cupsd_t $1:process sigchld;
')
########################################
## <summary>
## Connect to cupsd over an unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cups_stream_connect',`
gen_require(`
type cupsd_t, cupsd_var_run_t;
')
files_search_pids($1)
allow $1 cupsd_var_run_t:dir search;
allow $1 cupsd_var_run_t:sock_file write;
allow $1 cupsd_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Connect to cups over TCP.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cups_tcp_connect',`
gen_require(`
type cupsd_t;
')
allow $1 cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')
########################################
## <summary>
## Send and receive messages from
@ -206,23 +247,3 @@ interface(`cups_stream_connect_ptal',`
allow $1 ptal_var_run_t:sock_file write;
allow $1 ptal_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Connect to cups over TCP.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cups_tcp_connect',`
gen_require(`
type cupsd_t;
')
allow $1 cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')


@ -1,5 +1,5 @@
policy_module(cups,1.3.0)
policy_module(cups,1.3.1)
########################################
#
@ -77,7 +77,7 @@ allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fse
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:process { setsched signal_perms };
allow cupsd_t self:fifo_file rw_file_perms;
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
@ -110,6 +110,7 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:file create_file_perms;
allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
allow cupsd_t hplip_var_run_t:file { read getattr };
@ -119,6 +120,7 @@ allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket connectto;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
kernel_tcp_recvfrom(cupsd_t)
@ -383,6 +385,8 @@ allow hplip_t self:rawip_socket create_socket_perms;
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
allow hplip_t hplip_etc_t:file r_file_perms;
allow hplip_t hplip_etc_t:dir r_dir_perms;
allow hplip_t hplip_etc_t:lnk_file { getattr read };
@ -649,7 +653,7 @@ ifdef(`targeted_policy', `
ifdef(`targeted_policy',`
term_use_generic_ptys(cupsd_config_t)
unconfined_read_pipes(cupsd_config_t)
unconfined_rw_pipes(cupsd_config_t)
')
########################################
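Review bot: `files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)` names only `file`, yet two lines above cupsd is allowed to create `cupsd_var_run_t:sock_file`; a socket created directly under /var/run (rather than inside /var/run/cups, which the fc change in this commit labels as a whole) would be created as var_run_t and then fail that sock_file rule. If cupsd creates any socket outside /var/run/cups, widen the transition to `files_pid_filetrans(cupsd_t,cupsd_var_run_t,{ file sock_file })`; if every socket lives under the labeled directory, a one-line comment saying so makes the narrower transition look deliberate rather than accidental.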


@ -100,3 +100,43 @@ interface(`hal_dbus_chat',`
allow $1 hald_t:dbus send_msg;
allow hald_t $1:dbus send_msg;
')
########################################
## <summary>
## Read hald state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`hal_read_pid_files',`
gen_require(`
type hald_var_run_t;
')
files_search_pids($1)
allow $1 hald_var_run_t:file r_file_perms;
')
########################################
## <summary>
## Read/Write hald state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`hal_rw_pid_files',`
gen_require(`
type hald_var_run_t;
')
files_search_pids($1)
allow $1 hald_var_run_t:file rw_file_perms;
')
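Review bot: `hal_read_pid_files` and `hal_rw_pid_files` call `files_search_pids($1)` but never grant `hald_var_run_t:dir search`, unlike `cups_stream_connect` added in this same commit, which pairs `files_search_pids` with `allow $1 cupsd_var_run_t:dir search;`. If hald's state files sit under a hald_var_run_t directory (e.g. /var/run/hald/), the first caller — vbetool_t in this commit — is denied before it reaches the file. Add `allow $1 hald_var_run_t:dir search;` to both interfaces (or `r_dir_perms` if callers list the directory); if the files live directly in /var/run, a comment saying so would make the omission deliberate.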


@ -1,5 +1,5 @@
policy_module(hal,1.3.0)
policy_module(hal,1.3.1)
########################################
#
@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
#
# execute openvt which needs setuid
allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process signal_perms;
allow hald_t self:fifo_file rw_file_perms;
@ -48,6 +48,7 @@ kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
kernel_read_kernel_sysctls(hald_t)
kernel_read_fs_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
files_search_boot(hald_t)
@ -75,6 +76,8 @@ dev_rw_printer(hald_t)
dev_read_lvm_control(hald_t)
dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_files(hald_t)
dev_rw_generic_usb_dev(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
@ -110,9 +113,8 @@ storage_raw_read_fixed_disk(hald_t)
storage_raw_write_fixed_disk(hald_t)
term_dontaudit_use_console(hald_t)
term_dontaudit_ioctl_unallocated_ttys(hald_t)
term_dontaudit_use_unallocated_ttys(hald_t)
term_dontaudit_use_generic_ptys(hald_t)
term_use_unallocated_ttys(hald_t)
init_use_fds(hald_t)
init_use_script_ptys(hald_t)
@ -144,6 +146,7 @@ userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_sysadm_home_dirs(hald_t)
ifdef(`targeted_policy', `
term_setattr_unallocated_ttys(hald_t)
term_dontaudit_use_unallocated_ttys(hald_t)
term_dontaudit_use_generic_ptys(hald_t)
files_dontaudit_read_root_files(hald_t)
@ -195,6 +198,10 @@ optional_policy(`hotplug',`
hotplug_read_config(hald_t)
')
optional_policy(`lvm', `
lvm_domtrans(hald_t)
')
optional_policy(`mount',`
mount_domtrans(hald_t)
')
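Review bot: `sys_tty_config` is now in the `allow hald_t self:capability` set, but the `dontaudit hald_t self:capability sys_tty_config;` on the following line is still there; an allow and a dontaudit for the same permission is dead code at best, and at worst a hint that the two were meant as alternatives for different policy flavours. Drop the dontaudit and say why the capability is needed, e.g. `# hal runs pm-suspend/openvt, which switch VTs (sys_tty_config)`. The promotion of `term_use_unallocated_ttys(hald_t)` from dontaudit to allow and the new `lvm_domtrans(hald_t)` also widen a daemon that already holds raw fixed-disk write; one justifying line on each would help the next audit.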


@ -1,3 +1,4 @@
/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)


@ -1,5 +1,5 @@
policy_module(ktalk,1.2.0)
policy_module(ktalk,1.2.1)
########################################
#
@ -11,6 +11,9 @@ type ktalkd_exec_t;
inetd_udp_service_domain(ktalkd_t,ktalkd_exec_t)
role system_r types ktalkd_t;
type ktalkd_log_t;
logging_log_file(ktalkd_log_t)
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
@ -38,6 +41,9 @@ optional_policy(`kerberos',`
')
#end for identd
allow ktalkd_t ktalkd_log_t:file manage_file_perms;
logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)
allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
@ -68,6 +74,8 @@ fs_getattr_xattr_fs(ktalkd_t)
files_read_etc_files(ktalkd_t)
init_read_utmp(ktalkd_t)
libs_use_ld_so(ktalkd_t)
libs_use_shared_libs(ktalkd_t)
logging_send_syslog_msg(ktalkd_t)
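Review bot: `allow ktalkd_t ktalkd_log_t:file manage_file_perms;` lets an inetd-spawned network daemon unlink and rename its own log, which is the one thing a log type should not permit its writer; the tmp rules just below in the same file use the narrower `create_file_perms`, and for a log an append-oriented set such as `{ create append getattr setattr lock }` is the more defensible choice. Unless ktalkd rotates its own log file — in which case say so in a comment — replace the line with the narrower permission set.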


@ -275,3 +275,28 @@ interface(`mailman_read_archive',`
allow $1 mailman_archive_t:file r_file_perms;
allow $1 mailman_archive_t:lnk_file { getattr read };
')
#######################################
## <summary>
## Execute mailman_queue in the mailman_queue domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mailman_domtrans_queue',`
gen_require(`
type mailman_queue_exec_t, mailman_queue_t;
')
domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
allow $1 mailman_queue_t:fd use;
allow mailman_queue_t $1:fd use;
allow mailman_queue_t $1:fifo_file rw_file_perms;
allow mailman_queue_t $1:process sigchld;
')
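Review bot: `mailman_domtrans_queue` grants `$1` no search permission on the directory holding the queue runner, whereas `nis_domtrans_ypxfr` added in this commit opens with `corecmd_search_bin($1)`; if the mailman queue binary is installed under a mailman-specific directory rather than a bin_t path, callers will need the corresponding directory search (a `mailman_search_…` helper or an explicit search on the parent's type). The separator line above this interface also looks one `#` shorter than the 40 used elsewhere in the file. The summary should additionally say what "mailman_queue" is (the qrunner), since the interface name is the only hint.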


@ -1,5 +1,5 @@
policy_module(mailman,1.1.0)
policy_module(mailman,1.1.1)
########################################
#


@ -4,6 +4,7 @@
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/sbin/rpc.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc.ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)


@ -277,3 +277,27 @@ interface(`nis_read_ypserv_config',`
files_search_etc($1)
allow $1 ypserv_conf_t:file { getattr read };
')
########################################
## <summary>
## Execute ypxfr in the ypxfr domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nis_domtrans_ypxfr',`
gen_require(`
type ypxfr_t, ypxfr_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
allow $1 ypxfr_t:fd use;
allow ypxfr_t $1:fd use;
allow ypxfr_t $1:fifo_file rw_file_perms;
allow ypxfr_t $1:process sigchld;
')


@ -1,5 +1,5 @@
policy_module(nis,1.1.0)
policy_module(nis,1.1.1)
########################################
#
@ -40,6 +40,10 @@ files_tmp_file(ypserv_tmp_t)
type ypserv_var_run_t;
files_pid_file(ypserv_var_run_t)
type ypxfr_t;
type ypxfr_exec_t;
init_daemon_domain(ypxfr_t,ypxfr_exec_t)
########################################
#
# ypbind local policy
@ -245,6 +249,7 @@ dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_file_perms;
allow ypserv_t self:process signal_perms;
allow ypserv_t self:unix_dgram_socket create_socket_perms;
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
@ -306,6 +311,8 @@ logging_send_syslog_msg(ypserv_t)
miscfiles_read_localization(ypserv_t)
nis_domtrans_ypxfr(ypserv_t)
sysnet_read_config(ypserv_t)
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
@ -326,3 +333,29 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(ypserv_t)
')
########################################
#
# ypxfr local policy
#
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(ypxfr_t)
corenet_udp_sendrecv_all_if(ypxfr_t)
corenet_raw_sendrecv_all_if(ypxfr_t)
corenet_tcp_sendrecv_all_nodes(ypxfr_t)
corenet_udp_sendrecv_all_nodes(ypxfr_t)
corenet_raw_sendrecv_all_nodes(ypxfr_t)
corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_non_ipsec_sendrecv(ypxfr_t)
corenet_tcp_bind_all_nodes(ypxfr_t)
corenet_udp_bind_all_nodes(ypxfr_t)
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
files_read_etc_files(ypxfr_t)
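Review bot: The new ypxfr local policy block (L1088–L1109) grants no `libs_use_ld_so(ypxfr_t)` / `libs_use_shared_libs(ypxfr_t)` and no `miscfiles_read_localization(ypxfr_t)`, which every other domain touched by this commit carries (L979–L980, L1225–L1226); unless these are granted in lines outside the hunk, a dynamically linked ypxfr cannot even start in ypxfr_t after the transition added at L1081. Also, `corenet_tcp_connect_all_ports(ypxfr_t)` at L1108 is the broadest client rule available; if it is needed because the remote ypserv sits on a dynamically assigned RPC port, say so in a comment above the line, otherwise narrow it.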


@ -49,8 +49,8 @@ interface(`nscd_socket_use',`
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
files_search_pids($1)
allow $1 nscd_var_run_t:dir r_dir_perms;
allow $1 nscd_var_run_t:sock_file rw_file_perms;
dontaudit $1 nscd_var_run_t:dir { search getattr };
dontaudit $1 nscd_var_run_t:file { getattr read };
')
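Review bot: The rendered hunk has lost its +/- markers, so it is not clear whether `allow $1 nscd_var_run_t:sock_file rw_file_perms;` at L1117 survives or is replaced by the two dontaudit rules at L1118–L1119; if it is removed, callers of nscd_socket_use lose write access to the nscd socket under /var/run and the interface no longer does what its name promises. If the intent is only to silence directory and file probes, keep the sock_file rule and add the dontaudit lines next to it. nscd_socket_use begins before this hunk.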


@ -1,5 +1,5 @@
policy_module(nscd,1.2.0)
policy_module(nscd,1.2.1)
gen_require(`
class nscd all_nscd_perms;


@ -1,5 +1,5 @@
policy_module(postfix,1.2.0)
policy_module(postfix,1.2.1)
########################################
#
@ -406,6 +406,10 @@ optional_policy(`procmail',`
procmail_domtrans(postfix_pipe_t)
')
optional_policy(`mailman',`
mailman_domtrans_queue(postfix_pipe_t)
')
########################################
#
# Postfix postdrop local policy


@ -1,5 +1,5 @@
policy_module(samba,1.2.0)
policy_module(samba,1.2.1)
#################################
#
@ -32,7 +32,7 @@ files_tmp_file(samba_net_tmp_t)
type samba_secrets_t;
files_type(samba_secrets_t)
type samba_share_t;
type samba_share_t; # customizable
files_config_file(samba_share_t)
type samba_var_t;


@ -1,5 +1,5 @@
policy_module(sendmail,1.2.0)
policy_module(sendmail,1.2.1)
########################################
#
@ -125,6 +125,7 @@ optional_policy(`nscd',`
')
optional_policy(`postfix',`
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')


@ -110,3 +110,21 @@ interface(`fstools_manage_entry_files',`
allow $1 fsadm_exec_t:file create_file_perms;
')
########################################
## <summary>
## Getattr swapfile
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`fstools_getattr_swap_files',`
gen_require(`
type swapfile_t;
')
allow $1 swapfile_t:file getattr;
')
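Review bot: The summary of the new fstools_getattr_swap_files interface at L1184 reads `Getattr swapfile`, which is neither a sentence nor the verb style used by the other new interfaces in this commit (compare L1035 and L1091). Replace it with `## Get the attributes of swap files.` so the generated documentation stays uniform. The rule at L1196 is fine as written.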


@ -1,5 +1,5 @@
policy_module(fstools,1.3.0)
policy_module(fstools,1.3.1)
########################################
#
@ -53,6 +53,7 @@ kernel_read_kernel_sysctls(fsadm_t)
kernel_change_ring_buffer_level(fsadm_t)
# mkreiserfs needs this
kernel_getattr_proc(fsadm_t)
kernel_getattr_core_if(fsadm_t)
# Access to /initrd devices
kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t)
@ -60,6 +61,7 @@ kernel_rw_unlabeled_blk_files(fsadm_t)
files_getattr_boot_dirs(fsadm_t)
dev_getattr_all_chr_files(fsadm_t)
dev_dontaudit_getattr_all_blk_files(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
@ -127,6 +129,7 @@ files_search_all(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
libs_use_ld_so(fsadm_t)
libs_use_shared_libs(fsadm_t)
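Review bot: `kernel_getattr_core_if(fsadm_t)` at L1210 arrives without the why-comment its neighbours carry (L1208 explains the kernel_getattr_proc line above it), while the mount.te hunk in the same commit chooses the dontaudit variant at L1329 for what appears to be the same probe. If fsadm only stats the core interface while scanning, the least-privilege choice is `kernel_dontaudit_getattr_core_if(fsadm_t)`; if a real read is needed, add a comment naming the program that requires it, as done at L1218 for dev_read_rand.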


@ -1,5 +1,5 @@
policy_module(init,1.3.1)
policy_module(init,1.3.2)
gen_require(`
class passwd rootok;
@ -482,6 +482,10 @@ ifdef(`distro_suse',`
ifdef(`targeted_policy',`
domain_subj_id_change_exemption(initrc_t)
unconfined_domain(initrc_t)
optional_policy(`mono',`
mono_domtrans(initrc_t)
')
',`
# cjp: require doesnt work in optionals :\
# this also would result in a type transition


@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -74,6 +75,7 @@ ifdef(`distro_redhat',`
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_redhat',`
/usr/lib(64)?/.*/program/.*\.so.* gen_context(system_u:object_r:shlib_t,s0)


@ -1,5 +1,5 @@
policy_module(libraries,1.3.0)
policy_module(libraries,1.3.1)
########################################
#


@ -1,5 +1,5 @@
policy_module(locallogin,1.2.0)
policy_module(locallogin,1.2.1)
########################################
#
@ -20,6 +20,7 @@ files_lock_file(local_login_lock_t)
type local_login_tmp_t;
files_tmp_file(local_login_tmp_t)
files_poly_parent(local_login_tmp_t)
type sulogin_t;
type sulogin_exec_t;


@ -25,6 +25,7 @@
# /sbin
#
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)


@ -1,5 +1,5 @@
policy_module(lvm,1.3.0)
policy_module(lvm,1.3.1)
########################################
#
@ -128,7 +128,8 @@ optional_policy(`udev',`
#
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource };
# rawio needed for dmraid
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
@ -199,6 +200,7 @@ dev_dontaudit_read_all_blk_files(lvm_t)
dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)


@ -1,5 +1,5 @@
policy_module(mount,1.3.0)
policy_module(mount,1.3.1)
########################################
#
@ -26,6 +26,7 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
@ -33,6 +34,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
@ -73,6 +75,7 @@ files_read_isid_type_files(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)


@ -8,9 +8,9 @@
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)? -- gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
#
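Review bot: The corrected lock-file entries at L1356–L1357 still leave the dots in `semanage.read.LOCK` and `semanage.trans.LOCK` unescaped, so the regex also matches any other character in those positions and could mislabel a file with the lock types. Since this commit already rewrites these lines, escape them as `semanage\.read\.LOCK` and `semanage\.trans\.LOCK`. The restored `/` after `/etc/selinux` and the dropped `--` on the store directory line at L1355 look correct.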


@ -606,6 +606,28 @@ interface(`seutil_read_config',`
allow $1 selinux_config_t:lnk_file { getattr read };
')
#######################################
## <summary>
## Create, read, write, and delete
## the general selinux configuration files.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`seutil_manage_selinux_config',`
gen_require(`
type selinux_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir rw_dir_perms;
allow $1 selinux_config_t:file manage_file_perms;
allow $1 selinux_config_t:lnk_file { getattr read };
')
########################################
## <summary>
## Search the policy directory with default_context files.


@ -1,5 +1,5 @@
policy_module(selinuxutil,1.2.0)
policy_module(selinuxutil,1.2.1)
gen_require(`
bool secure_mode;
@ -267,6 +267,7 @@ term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t)
term_relabel_all_user_ttys(newrole_t)
term_relabel_all_user_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
auth_domtrans_chk_passwd(newrole_t)
@ -476,6 +477,11 @@ ifdef(`targeted_policy',`',`
optional_policy(`daemontools',`
daemontools_domtrans_start(run_init_t)
')
optional_policy(`nscd',`
nscd_socket_use(run_init_t)
')
') dnl end ifdef targeted policy
########################################
@ -499,6 +505,7 @@ files_list_pids(semanage_t)
mls_file_write_down(semanage_t)
mls_rangetrans_target(semanage_t)
mls_file_read_up(semanage_t)
selinux_get_enforce_mode(semanage_t)
@ -510,6 +517,7 @@ libs_use_lib_files(semanage_t)
seutil_search_default_contexts(semanage_t)
seutil_rw_file_contexts(semanage_t)
seutil_manage_selinux_config(semanage_t)
seutil_domtrans_setfiles(semanage_t)
seutil_domtrans_loadpolicy(semanage_t)
seutil_read_config(semanage_t)
@ -519,6 +527,10 @@ seutil_manage_module_store(semanage_t)
seutil_get_semanage_trans_lock(semanage_t)
seutil_get_semanage_read_lock(semanage_t)
optional_policy(`nscd',`
nscd_socket_use(semanage_t)
')
########################################
#
# Setfiles local policy
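Review bot: `seutil_manage_selinux_config(semanage_t)` at L1421 appears to subsume `seutil_read_config(semanage_t)` at L1424, since the manage interface as shown at L1381–L1384 already grants search, read and lnk_file access on selinux_config_t; if L1421 is the new line, drop L1424 or keep it with a comment explaining why both are wanted. Write access to the whole selinux_config_t tree is broad for a daemon-like tool, so a one-line comment above L1421 stating which files semanage rewrites would help later reviewers.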


@ -1,5 +1,5 @@
policy_module(sysnetwork,1.1.0)
policy_module(sysnetwork,1.1.1)
########################################
#
@ -246,6 +246,10 @@ optional_policy(`userdomain',`
userdom_use_all_users_fds(dhcpc_t)
')
optional_policy(`xen',`
xen_append_log(dhcpc_t)
')
########################################
#
# Ifconfig local policy
@ -339,3 +343,7 @@ optional_policy(`nis',`
optional_policy(`ppp',`
ppp_use_fds(ifconfig_t)
')
optional_policy(`xen',`
xen_append_log(ifconfig_t)
')


@ -1,5 +1,5 @@
policy_module(udev,1.3.0)
policy_module(udev,1.3.1)
########################################
#
@ -39,7 +39,7 @@ files_pid_file(udev_var_run_t)
# Local policy
#
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource sys_nice };
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
dontaudit udev_t self:capability sys_tty_config;
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
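Review bot: The rewritten capability set at L1470 lists `sys_nice` twice (the duplicate is inherited from L1469), and it adds `setuid setgid` without a comment explaining which udev helper needs to change credentials. Since the line is being edited anyway, drop the duplicate and record the reason, e.g. `# setuid/setgid: <reason - fill in> allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid };`. Credential-changing capabilities on a device manager are worth a visible justification.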


@ -1,5 +1,5 @@
policy_module(unconfined,1.3.0)
policy_module(unconfined,1.3.1)
########################################
#
@ -89,10 +89,6 @@ ifdef(`targeted_policy',`
firstboot_domtrans(unconfined_t)
')
optional_policy(`fstools',`
fstools_domtrans(unconfined_t)
')
optional_policy(`java',`
java_domtrans(unconfined_t)
')
@ -109,10 +105,6 @@ ifdef(`targeted_policy',`
mono_domtrans(unconfined_t)
')
optional_policy(`mount',`
mount_domtrans(unconfined_t)
')
optional_policy(`netutils',`
netutils_domtrans_ping(unconfined_t)
')


@ -1,5 +1,5 @@
policy_module(userdomain,1.3.4)
policy_module(userdomain,1.3.5)
gen_require(`
role sysadm_r, staff_r, user_r;
@ -177,6 +177,7 @@ ifdef(`targeted_policy',`
mls_file_write_down(secadm_t)
mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
logging_domtrans_auditctl(secadm_t)
userdom_dontaudit_append_staff_home_content_files(secadm_t)


@ -0,0 +1,16 @@
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)


@ -0,0 +1,67 @@
## <summary>Xen hypervisor</summary>
########################################
## <summary>
## Execute a domain transition to run xend.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`xen_domtrans',`
gen_requires(`
type xend_t, xend_exec_t;
')
domain_auto_trans($1,xend_exec_t,xend_t)
allow $1 xend_t:fd use;
allow xend_t $1:fd use;
allow xend_t $1:fifo_file rw_file_perms;
allow xend_t $1:process sigchld;
')
########################################
## <summary>
## Allow the specified domain to append
## xend log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`xen_append_log',`
gen_require(`
type var_log_t, xend_var_log_t;
')
logging_search_logs($1)
allow $1 xend_var_log_t:file { getattr append };
dontaudit $1 xend_var_log_t:file write;
')
########################################
## <summary>
## Connect to xenstored over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xen_stream_connect_xenstore',`
gen_require(`
type xenstored_t, xenstored_var_run_t;
')
files_search_pids($1)
allow $1 xenstored_var_run_t:dir search;
allow $1 xenstored_var_run_t:sock_file { getattr write };
allow $1 xenstored_t:unix_stream_socket connectto;
')
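Review bot: `gen_requires(` at L1549 is a typo for `gen_require(` (compare L1570 and L1588); as written the macro is undefined, so the first use of xen_domtrans will leave the literal text in the expanded policy and break the build. The parameter summary of xen_append_log at L1565 says `Domain allowed to transition.`, copied from xen_domtrans, and should read `Domain allowed access.` as in xen_stream_connect_xenstore. The `var_log_t` required at L1571 is never referenced in the body, which uses logging_search_logs($1) instead, so it can be dropped from the gen_require.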


@ -0,0 +1,221 @@
policy_module(xen,1.0.0)
########################################
#
# Declarations
#
# console ptys
type xen_devpts_t;
term_pty(xen_devpts_t);
files_type(xen_devpts_t);
type xend_t;
type xend_exec_t;
domain_type(xend_t)
init_daemon_domain(xend_t, xend_exec_t)
# var/lib files
type xend_var_lib_t;
files_type(xend_var_lib_t)
# log files
type xend_var_log_t;
logging_log_file(xend_var_log_t)
# pid files
type xend_var_run_t;
files_pid_file(xend_var_run_t)
type xenstored_t;
type xenstored_exec_t;
domain_type(xenstored_t)
domain_entry_file(xenstored_t,xenstored_exec_t)
role system_r types xenstored_t;
# var/lib files
type xenstored_var_lib_t;
files_type(xenstored_var_lib_t)
# pid files
type xenstored_var_run_t;
files_pid_file(xenstored_var_run_t)
type xenconsoled_t;
type xenconsoled_exec_t;
domain_type(xenconsoled_t)
domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
role system_r types xenconsoled_t;
# pid files
type xenconsoled_var_run_t;
files_pid_file(xenconsoled_var_run_t)
########################################
#
# xend local policy
#
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
allow xend_t self:process { signal sigkill };
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
allow xend_t self:unix_dgram_socket create_socket_perms;
allow xend_t self:netlink_route_socket r_netlink_socket_perms;
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
# pid file
allow xend_t xend_var_run_t:file manage_file_perms;
allow xend_t xend_var_run_t:sock_file manage_file_perms;
allow xend_t xend_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
# log files
allow xend_t xend_var_log_t:file create_file_perms;
allow xend_t xend_var_log_t:sock_file create_file_perms;
allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
# var/lib files for xend
allow xend_t xend_var_lib_t:file create_file_perms;
allow xend_t xend_var_lib_t:sock_file create_file_perms;
allow xend_t xend_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
# transition to store
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
allow xenstored_t xend_t:fd use;
allow xenstored_t xend_t:process sigchld;
allow xenstored_t xend_t:fifo_file write;
# transition to console
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
allow xenconsoled_t xend_t:fd use;
kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)
corecmd_exec_sbin(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
corenet_tcp_sendrecv_all_if(xend_t)
corenet_tcp_sendrecv_all_nodes(xend_t)
corenet_tcp_sendrecv_all_ports(xend_t)
corenet_non_ipsec_sendrecv(xend_t)
corenet_tcp_bind_xen_port(xend_t)
corenet_tcp_bind_soundd_port(xend_t)
dev_read_urand(xend_t)
dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)
domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
files_read_etc_files(xend_t)
storage_raw_read_fixed_disk(xend_t)
term_dontaudit_getattr_all_user_ptys(xend_t)
term_dontaudit_use_generic_ptys(xend_t)
init_use_fds(xend_t)
libs_use_ld_so(xend_t)
libs_use_shared_libs(xend_t)
logging_send_syslog_msg(xend_t)
miscfiles_read_localization(xend_t)
sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
sysnet_domtrans_ifconfig(xend_t)
sysnet_dns_name_resolve(xend_t)
sysnet_delete_dhcpc_pid(xend_t)
sysnet_read_dhcpc_pid(xend_t)
consoletype_exec(xend_t)
xen_stream_connect_xenstore(xend_t)
########################################
#
# Xen console local policy
#
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file { read write };
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
# pid file
allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(xenconsoled_t)
kernel_write_xen_state(xenconsoled_t)
kernel_read_xen_state(xenconsoled_t)
term_create_pty(xenconsoled_t,xen_devpts_t);
term_dontaudit_use_generic_ptys(xenconsoled_t)
init_use_fds(xenconsoled_t)
libs_use_ld_so(xenconsoled_t)
libs_use_shared_libs(xenconsoled_t)
miscfiles_read_localization(xenconsoled_t)
xen_append_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
########################################
#
# Xen store local policy
#
allow xenstored_t self:capability { dac_override mknod ipc_lock };
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
# pid file
allow xenstored_t xenstored_var_run_t:file manage_file_perms;
allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
# var/lib files for xenstored
allow xenstored_t xenstored_var_lib_t:file create_file_perms;
allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)
dev_create_generic_dirs(xenstored_t)
dev_manage_xen(xenconsoled_t)
dev_filetrans_xen(xenstored_t)
term_dontaudit_use_generic_ptys(xenstored_t)
init_use_fds(xenstored_t)
libs_use_ld_so(xenstored_t)
libs_use_shared_libs(xenstored_t)
miscfiles_read_localization(xenstored_t)
xen_append_log(xenstored_t)
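Review bot: `dev_manage_xen(xenconsoled_t)` at L1758 sits in the xenstored local policy block between `dev_create_generic_dirs(xenstored_t)` and `dev_filetrans_xen(xenstored_t)`, which looks like a copy-paste slip: xenstored gets a filetrans into the xen device type without the manage permission to go with it, while xenconsoled silently gains full control of xen device nodes from the wrong section; `dev_manage_xen(xenstored_t)` is presumably intended. The trailing semicolons on the interface calls at L1607, L1608 and L1731 are not used anywhere else in the module and should be removed for consistency. `corenet_tcp_bind_soundd_port(xend_t)` at L1691 deserves a why-comment, since a hypervisor daemon binding a sound-daemon port type will puzzle the next reader; `domain_type(xend_t)` at L1611 also appears redundant with `init_daemon_domain` on the following line, though that is harmless.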