another round of TODO cleanup

Chris PeBenito 2005-07-08 20:44:57 +00:00
parent 4d0d4157f4
commit a42ca7ebec
19 changed files with 844 additions and 384 deletions


@ -96,6 +96,23 @@ interface(`dev_list_all_dev_nodes',`
allow $1 device_t:lnk_file { getattr read };
')
########################################
## <summary>
## Set the attributes of /dev directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_setattr_dev_dir',`
gen_require(`
type device_t;
class dir setattr;
')
allow $1 device_t:dir setattr;
')
########################################
## <summary>
## Dontaudit attempts to list all device nodes.
@ -1574,7 +1591,26 @@ interface(`dev_read_mouse',`
########################################
## <summary>
## Read the multiplexed input device (/dev/input).
## Set the attributes of the printer device nodes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_setattr_printer',`
gen_require(`
type device_t, printer_device_t;
class dir search;
class chr_file setattr;
')
allow $1 device_t:dir search;
allow $1 printer_device_t:chr_file setattr;
')
########################################
## <summary>
## Read input event devices (/dev/input).
## </summary>
## <param name="domain">
## Domain allowed access.
@ -1889,6 +1925,23 @@ interface(`dev_mount_usbfs',`
allow $1 usbfs_t:filesystem mount;
')
########################################
## <summary>
## Get the attributes of a directory in the usb filesystem.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_getattr_usbfs_dir',`
gen_require(`
type usbfs_t;
class dir getattr;
')
allow $1 usbfs_t:dir getattr;
')
########################################
## <summary>
## Search the directory containing USB hardware information.



@ -6,10 +6,10 @@
## </required>
########################################
## <desc>
## <summary>
## Allows to start userland processes
## by transitioning to the specified domain.
## </desc>
## </summary>
## <param name="domain">
## The process type entered by kernel.
## </param>
@ -34,10 +34,10 @@ interface(`kernel_userland_entry',`
')
########################################
## <desc>
## <summary>
## Allows the kernel to mount filesystems on
## the specified directory type.
## </desc>
## </summary>
## <param name="directory_type">
## The type of the directory to use as a mountpoint.
## </param>
@ -52,9 +52,9 @@ interface(`kernel_rootfs_mountpoint',`
')
########################################
## <desc>
## <summary>
## Send a SIGCHLD signal to kernel threads.
## </desc>
## </summary>
## <param name="domain">
## The type of the process sending the signal.
## </param>
@ -69,10 +69,10 @@ interface(`kernel_sigchld',`
')
########################################
## <desc>
## <summary>
## Allows the kernel to share state information with
## the caller.
## </desc>
## </summary>
## <param name="domain">
## The type of the process with which to share state information.
## </param>
@ -87,9 +87,9 @@ interface(`kernel_share_state',`
')
########################################
## <desc>
## <summary>
## Permits caller to use kernel file descriptors.
## </desc>
## </summary>
## <param name="domain">
## The type of the process using the descriptors.
## </param>
@ -104,10 +104,10 @@ interface(`kernel_use_fd',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts to use
## kernel file descriptors.
## </desc>
## </summary>
## <param name="domain">
## The type of process not to audit.
## </param>
@ -122,9 +122,9 @@ interface(`kernel_dontaudit_use_fd',`
')
########################################
## <desc>
## <summary>
## Allows caller to load kernel modules
## </desc>
## </summary>
## <param name="domain">
## The process type to allow to load kernel modules.
## </param>
@ -140,9 +140,9 @@ interface(`kernel_load_module',`
')
########################################
## <desc>
## <summary>
## Allows caller to read the ring buffer.
## </desc>
## </summary>
## <param name="domain">
## The process type allowed to read the ring buffer.
## </param>
@ -157,9 +157,9 @@ interface(`kernel_read_ring_buffer',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts to read the ring buffer.
## </desc>
## </summary>
## <param name="domain">
## The domain to not audit.
## </param>
@ -191,9 +191,9 @@ interface(`kernel_change_ring_buffer_level',`
')
########################################
## <desc>
## <summary>
## Allows the caller to clear the ring buffer.
## </desc>
## </summary>
## <param name="domain">
## The process type clearing the buffer.
## </param>
@ -208,9 +208,9 @@ interface(`kernel_clear_ring_buffer',`
')
########################################
## <desc>
## <summary>
## Get information on all System V IPC objects.
## </desc>
## </summary>
## <param name="domain">
##
## </param>
@ -225,9 +225,79 @@ interface(`kernel_get_sysvipc_info',`
')
########################################
## <desc>
## Allows caller to read system state information.
## </desc>
## <summary>
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_getattr_proc',`
gen_require(`
type proc_t;
class filesystem getattr;
')
allow $1 proc_t:filesystem getattr;
')
########################################
## <summary>
## Search directories in /proc.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_search_proc',`
gen_require(`
type proc_t;
class dir search;
')
allow $1 proc_t:dir search;
')
########################################
## <summary>
## List the contents of directories in /proc.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_list_proc',`
gen_require(`
type proc_t;
class dir r_dir_perms;
')
allow $1 proc_t:dir r_dir_perms;
')
########################################
## <summary>
## Read symbolic links in /proc.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_read_proc_symlinks',`
gen_require(`
type proc_t;
class dir search;
class lnk_file { getattr read };
')
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file { getattr read };
')
########################################
## <summary>
## Allows caller to read system state information in proc.
## </summary>
## <param name="domain">
## The process type reading the system state information.
## </param>
@ -246,10 +316,10 @@ interface(`kernel_read_system_state',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts by caller to
## read system state information.
## </desc>
## read system state information in proc.
## </summary>
## <param name="domain">
## The process type not to audit.
## </param>
@ -264,9 +334,9 @@ interface(`kernel_dontaudit_read_system_state',`
')
#######################################
## <desc>
## <summary>
## Allow caller to read the state information for software raid.
## </desc>
## </summary>
## <param name="domain">
## The process type reading software raid state.
## </param>
@ -283,9 +353,9 @@ interface(`kernel_read_software_raid_state',`
')
########################################
## <desc>
## <summary>
## Allows caller to get attribues of core kernel interface.
## </desc>
## </summary>
## <param name="domain">
## The process type getting the attibutes.
## </param>
@ -302,10 +372,10 @@ interface(`kernel_getattr_core',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts to get the attributes of
## core kernel interfaces.
## </desc>
## </summary>
## <param name="domain">
## The process type to not audit.
## </param>
@ -320,10 +390,10 @@ interface(`kernel_dontaudit_getattr_core',`
')
########################################
## <desc>
## <summary>
## Allow caller to read kernel messages
## using the /proc/kmsg interface.
## </desc>
## </summary>
## <param name="domain">
## The process type reading the messages.
## </param>
@ -342,10 +412,10 @@ interface(`kernel_read_messages',`
')
########################################
## <desc>
## <summary>
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
## </desc>
## </summary>
## <param name="domain">
## The process type getting the attributes.
## </param>
@ -362,10 +432,10 @@ interface(`kernel_getattr_message_if',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts by caller to get the attributes of kernel
## message interfaces.
## </desc>
## </summary>
## <param name="domain">
## The process type not to audit.
## </param>
@ -380,9 +450,9 @@ interface(`kernel_dontaudit_getattr_message_if',`
')
########################################
## <desc>
## <summary>
## Allow caller to read the network state information.
## </desc>
## </summary>
## <param name="domain">
## The process type reading the state.
## </param>
@ -401,9 +471,9 @@ interface(`kernel_read_network_state',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts by caller to search the sysctl directory.
## </desc>
## </summary>
## <param name="domain">
## The process type not to audit.
## </param>
@ -419,9 +489,9 @@ interface(`kernel_dontaudit_search_sysctl_dir',`
')
########################################
## <desc>
## <summary>
## Allow caller to read the device sysctls.
## </desc>
## </summary>
## <param name="domain">
## The process type to allow to read the device sysctls.
## </param>
@ -440,9 +510,9 @@ interface(`kernel_read_device_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write device sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -460,9 +530,9 @@ interface(`kernel_rw_device_sysctl',`
')
########################################
## <desc>
## <summary>
## Allow caller to read virtual memory sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -481,9 +551,9 @@ interface(`kernel_read_vm_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write virtual memory sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -501,9 +571,9 @@ interface(`kernel_rw_vm_sysctl',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts by caller to search sysctl network directories.
## </desc>
## </summary>
## <param name="domain">
## The process type not to audit.
## </param>
@ -518,9 +588,9 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',`
')
########################################
## <desc>
## <summary>
## Allow caller to read network sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -540,9 +610,9 @@ interface(`kernel_read_net_sysctl',`
')
########################################
## <desc>
## <summary>
## Allow caller to modiry contents of sysctl network files.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -561,10 +631,10 @@ interface(`kernel_rw_net_sysctl',`
')
########################################
## <desc>
## <summary>
## Allow caller to read unix domain
## socket sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -583,10 +653,10 @@ interface(`kernel_read_unix_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write unix domain
## socket sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -605,9 +675,9 @@ interface(`kernel_rw_unix_sysctl',`
')
########################################
## <desc>
## <summary>
## Read the hotplug sysctl.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -626,9 +696,9 @@ interface(`kernel_read_hotplug_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write the hotplug sysctl.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -647,9 +717,9 @@ interface(`kernel_rw_hotplug_sysctl',`
')
########################################
## <desc>
## <summary>
## Read the modprobe sysctl.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -668,9 +738,9 @@ interface(`kernel_read_modprobe_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write the modprobe sysctl.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -689,9 +759,9 @@ interface(`kernel_rw_modprobe_sysctl',`
')
########################################
## <desc>
## <summary>
## Read generic kernel sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -710,9 +780,9 @@ interface(`kernel_read_kernel_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write generic kernel sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -731,9 +801,9 @@ interface(`kernel_rw_kernel_sysctl',`
')
########################################
## <desc>
## <summary>
## Read filesystem sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -752,9 +822,9 @@ interface(`kernel_read_fs_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write fileystem sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -773,9 +843,9 @@ interface(`kernel_rw_fs_sysctl',`
')
########################################
## <desc>
## <summary>
## Read IRQ sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -793,9 +863,9 @@ interface(`kernel_read_irq_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write IRQ sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -848,9 +918,9 @@ interface(`kernel_rw_rpc_sysctl',`
')
########################################
## <desc>
## <summary>
## Allow caller to read all sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -869,9 +939,9 @@ interface(`kernel_read_all_sysctl',`
')
########################################
## <desc>
## <summary>
## Read and write all sysctls.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -890,9 +960,9 @@ interface(`kernel_rw_all_sysctl',`
')
########################################
## <desc>
## <summary>
## Send a kill signal to unlabeled processes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -907,9 +977,9 @@ interface(`kernel_kill_unlabeled',`
')
########################################
## <desc>
## <summary>
## Send general signals to unlabeled processes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -924,9 +994,9 @@ interface(`kernel_signal_unlabeled',`
')
########################################
## <desc>
## <summary>
## Send a null signal to unlabeled processes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -941,9 +1011,9 @@ interface(`kernel_signull_unlabeled',`
')
########################################
## <desc>
## <summary>
## Send a stop signal to unlabeled processes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -958,9 +1028,9 @@ interface(`kernel_sigstop_unlabeled',`
')
########################################
## <desc>
## <summary>
## Send a child terminated signal to unlabeled processes.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -975,10 +1045,10 @@ interface(`kernel_sigchld_unlabeled',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
## </desc>
## </summary>
## <param name="domain">
## The process type not to audit.
## </param>
@ -986,16 +1056,50 @@ interface(`kernel_sigchld_unlabeled',`
interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
gen_require(`
type unlabeled_t;
class process getattr;
class blk_file getattr;
')
allow $1 unlabeled_t:blk_file getattr;
')
########################################
## <desc>
## <summary>
## Read and write unlabeled directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_rw_unlabeled_dir',`
gen_require(`
type unlabeled_t;
class dir rw_dir_perms;
')
allow $1 unlabeled_t:dir rw_dir_perms;
')
########################################
## <summary>
## Read and write unlabeled block device nodes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_use_unlabeled_blk_dev',`
gen_require(`
type unlabeled_t;
class blk_file rw_file_perms;
')
allow $1 unlabeled_t:blk_file getattr;
')
########################################
## <summary>
## Allow caller to relabel unlabeled objects.
## </desc>
## </summary>
## <param name="domain">
## The process type relabeling the objects.
## </param>
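Review bot: `kernel_use_unlabeled_blk_dev` requires `class blk_file rw_file_perms` and its summary says "Read and write unlabeled block device nodes", but the only rule in its body is `allow $1 unlabeled_t:blk_file getattr;`, so the fsadm.te hunk that replaces `allow fsadm_t unlabeled_t:blk_file rw_file_perms;` with this call silently drops read and write on the /initrd devices; the rule should read `allow $1 unlabeled_t:blk_file rw_file_perms;`. Separately, `kernel_dontaudit_getattr_unlabeled_blk_dev`, whose gen_require this commit corrects from `class process getattr` to `class blk_file getattr`, still uses `allow` in its body although the name and summary describe a dontaudit; if that is the intent the line should be `dontaudit $1 unlabeled_t:blk_file getattr;`, otherwise the summary should say the access is allowed. The relabel interface whose summary closes the section continues outside the hunk.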


@ -160,6 +160,27 @@ interface(`storage_manage_fixed_disk',`
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
########################################
## <summary>
## Create fixed disk device nodes on a tmpfs filesystem.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_create_fixed_disk_tmpfs',`
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file create_file_perms;
')
allow $1 fixed_disk_device_t:blk_file create_file_perms;
fs_create_tmpfs_data($1,fixed_disk_device_t,blk_file)
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
########################################
## <summary>
## Relabel fixed disk device nodes.
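Review bot: The summary of `storage_create_fixed_disk_tmpfs` only says it creates fixed disk device nodes on tmpfs, but the body also does `typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;`, which places the caller in the raw read/write attribute sets and so widens what the interface grants beyond what its documentation states. Presumably this is needed because `create_file_perms` includes read and write on the device node and the attributes exempt the caller from the module's neverallow rules, but that is inferred rather than visible here. A why-comment on that line, e.g. `# create_file_perms includes read/write on the raw device, so the caller must carry the raw access attributes`, and a summary sentence noting that raw read/write access is conferred, would make the grant explicit to callers such as the initrc_t use in this commit. The interface whose summary closes the hunk continues outside it.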


@ -248,6 +248,24 @@ interface(`mta_rw_aliases',`
allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
')
#######################################
## <summary>
## Do not audit attempts to read a symlink
## in the mail spool.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`mta_dontaudit_read_spool_symlink',`
gen_require(`
type mail_spool_t;
class lnk_file read;
')
dontaudit $1 mail_spool_t:lnk_file read;
')
#######################################
#
# mta_getattr_spool(domain)
@ -313,4 +331,3 @@ interface(`mta_manage_queue',`
allow $1 mqueue_spool_t:dir rw_dir_perms;
allow $1 mqueue_spool_t:file create_file_perms;
')


@ -318,5 +318,5 @@ optional_policy(`xserver.te', `
#allow utempter_t xdm_t:fd use;
xserver_use_xdm_fd(utempter_t)
#allow utempter_t xdm_t:fifo_file { write getattr };
xserver_write_xdm_fifo(utempter_t)
xdm_write_fifo(utempter_t)
')


@ -30,6 +30,8 @@ dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
kernel_read_kernel_sysctl(hwclock_t)
kernel_list_proc(hwclock_t)
kernel_read_proc_symlinks(hwclock_t)
dev_read_sysfs(hwclock_t)
dev_rw_realtime_clock(hwclock_t)
@ -77,10 +79,6 @@ optional_policy(`userdomain.te',`
')
ifdef(`TODO',`
allow hwclock_t proc_t:dir r_dir_perms;
allow hwclock_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
rhgb_domain(hwclock_t)
')


@ -86,10 +86,10 @@ interface(`files_tmp_file',`
')
########################################
## <desc>
## <summary>
## Transform the type into a file, for use on a
## virtual memory filesystem (tmpfs).
## </desc>
## </summary>
## <param name="type">
## The type to be transformed.
## </param>
@ -126,10 +126,10 @@ interface(`files_getattr_all_files',`
')
########################################
## <desc>
## <summary>
## Relabel all files on the filesystem, except
## the listed exceptions.
## </desc>
## </summary>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
@ -163,10 +163,10 @@ interface(`files_relabel_all_files',`
')
########################################
## <desc>
## <summary>
## Manage all files on the filesystem, except
## the listed exceptions.
## </desc>
## </summary>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
@ -303,11 +303,11 @@ interface(`files_list_root',`
')
########################################
## <desc>
## <summary>
## Create an object in the root directory, with a private
## type. If no object class is specified, the
## default is file.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -415,6 +415,108 @@ interface(`files_unmount_rootfs',`
allow $1 root_t:filesystem unmount;
')
########################################
## <summary>
## List contents of directories with the default file type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_list_default',`
gen_require(`
type default_t;
class dir r_dir_perms;
')
allow $1 default_t:dir r_dir_perms;
')
########################################
## <summary>
## Mount a filesystem on a directory with the default file type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_mounton_default',`
gen_require(`
type default_t;
class dir { getattr search mounton };
')
allow $1 default_t:dir { getattr search mounton };
')
########################################
## <summary>
## Read files with the default file type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_default_files',`
gen_require(`
type default_t;
class file r_file_perms;
')
allow $1 default_t:file r_file_perms;
')
########################################
## <summary>
## Read symbolic links with the default file type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_default_symlinks',`
gen_require(`
type default_t;
class lnk_file r_file_perms;
')
allow $1 default_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Read sockets with the default file type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_default_sockets',`
gen_require(`
type default_t;
class sock_file r_file_perms;
')
allow $1 default_t:sock_file r_file_perms;
')
########################################
## <summary>
## Read named pipes with the default file type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_default_pipes',`
gen_require(`
type default_t;
class fifo_file r_file_perms;
')
allow $1 default_t:fifo_file r_file_perms;
')
########################################
#
# files_search_etc(domain)
@ -428,6 +530,23 @@ interface(`files_search_etc',`
allow $1 etc_t:dir search;
')
########################################
## <summary>
## Set the attributes of the /etc directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_setattr_etc_dir',`
gen_require(`
type etc_t;
class dir setattr;
')
allow $1 etc_t:dir setattr;
')
########################################
#
# files_list_etc(domain)
@ -493,9 +612,9 @@ interface(`files_manage_etc_files',`
')
########################################
## <desc>
## <summary>
## Delete system configuration files in /etc.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -613,6 +732,24 @@ interface(`files_dontaudit_search_isid_type_dir',`
dontaudit $1 file_t:dir search;
')
########################################
## <summary>
## List the contents of directories on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_list_isid_type_dir',`
gen_require(`
type file_t;
class dir r_dir_perms;
')
allow $1 file_t:dir r_dir_perms;
')
########################################
## <summary>
## Read and write directories on new filesystems
@ -649,6 +786,24 @@ interface(`files_manage_isid_type_dir',`
allow $1 file_t:dir create_dir_perms;
')
########################################
## <summary>
## Mount a filesystem on a directory on new filesystems
## that has not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_mounton_isid_type_dir',`
gen_require(`
type file_t;
class dir { getattr search mounton };
')
allow $1 file_t:dir { getattr search mounton };
')
########################################
## <summary>
## Create, read, write, and delete files
@ -856,6 +1011,23 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir r_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete directories in /mnt.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_manage_mnt_dirs',`
gen_require(`
type mnt_t;
class dir create_dir_perms;
')
allow $1 mnt_t:dir create_dir_perms;
')
########################################
## <summary>
## Search the tmp directory (/tmp)
@ -943,9 +1115,9 @@ interface(`files_read_usr_files',`
')
########################################
## <desc>
## <summary>
## Execute programs in /usr/src in the caller domain.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -1027,9 +1199,9 @@ interface(`files_read_var_files',`
')
########################################
## <desc>
## <summary>
## Search the /var/lib directory.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -1140,6 +1312,24 @@ interface(`files_create_lock',`
')
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of the /var/run directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_getattr_pid_dir',`
gen_require(`
type var_run_t;
class dir getattr;
')
dontaudit $1 var_run_t:dir getattr;
')
########################################
#
# files_search_pids(domain)
@ -1218,9 +1408,9 @@ interface(`files_rw_generic_pids',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts to write to daemon runtime data files.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -1235,9 +1425,9 @@ interface(`files_dontaudit_write_all_pids',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts to ioctl daemon runtime data files.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
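Review bot: `files_read_default_symlinks` grants `lnk_file r_file_perms`, which carries permissions like lock and ioctl that have no meaning on a symbolic link, while the other symlink interfaces touched by this commit (`kernel_read_proc_symlinks` with `class lnk_file { getattr read }` and the `dev_list_all_dev_nodes` context line) use the minimal `{ getattr read }` set; the same applies to the `sock_file` and `fifo_file` grants in `files_read_default_sockets` and `files_read_default_pipes`. If the intent is to reproduce the old `default_t:notdevfile_class_set r_file_perms` rule byte for byte, a comment saying so on the gen_require line would stop the next reader from tightening it; otherwise `class lnk_file { getattr read };` and `allow $1 default_t:lnk_file { getattr read };` would be the consistent form. The `files_dontaudit_ioctl_all_pids` documentation at the end of the section continues outside the hunk.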


@ -49,6 +49,11 @@ kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctl(fsadm_t)
# Allow console log change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)
# mkreiserfs needs this
kernel_getattr_proc(fsadm_t)
# Access to /initrd devices
kernel_rw_unlabeled_dir(fsadm_t)
kernel_use_unlabeled_blk_dev(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
@ -60,11 +65,16 @@ dev_search_usbfs(fsadm_t)
# for swapon
dev_getattr_sysfs_dir(fsadm_t)
dev_search_sysfs(fsadm_t)
# Access to /initrd devices
dev_getattr_usbfs_dir(fsadm_t)
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
# for /dev/shm
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dir(fsadm_t)
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
@ -78,13 +88,15 @@ domain_use_wide_inherit_fd(fsadm_t)
files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_list_mnt(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dir(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
# Access to /initrd devices
files_rw_isid_type_dir(fsadm_t)
files_rw_isid_type_blk_node(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
init_use_fd(fsadm_t)
init_use_script_pty(fsadm_t)
@ -102,6 +114,14 @@ seutil_read_config(fsadm_t)
userdom_use_unpriv_users_fd(fsadm_t)
tunable_policy(`read_default_t',`
files_list_default(fsadm_t)
files_read_default_files(fsadm_t)
files_read_default_symlinks(fsadm_t)
files_read_default_sockets(fsadm_t)
files_read_default_pipes(fsadm_t)
')
optional_policy(`cron.te',`
# for smartctl cron jobs
cron_system_entry(fsadm_t,fsadm_exec_t)
@ -112,32 +132,13 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t bin_t:dir r_dir_perms;
allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
allow fsadm_t sbin_t:dir r_dir_perms;
allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
if (read_default_t) {
allow fsadm_t default_t:dir r_dir_perms;
allow fsadm_t default_t:notdevfile_class_set r_file_perms;
}
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
allow fsadm_t file_t:dir { search read getattr rmdir create };
# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { rmdir create };
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
# Access to /initrd devices
allow fsadm_t unlabeled_t:dir rw_dir_perms;
allow fsadm_t unlabeled_t:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir getattr;
') dnl end TODO
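Review bot: Both `files_manage_isid_type_dir(fsadm_t)` and `files_rw_isid_type_dir(fsadm_t)` appear in the hunk starting at `files_list_home(fsadm_t)`; with the usual refpolicy definitions `create_dir_perms` is a superset of `rw_dir_perms`, so if both calls are on the new side one of them is redundant, and the second one sits under an `# Access to /initrd devices` comment that no longer explains it. I cannot tell from the rendered page which of the two this commit introduced, so this is worth a quick check rather than a certain defect. The `# Access to /initrd devices` comment is now repeated in three separate hunks (kernel, dev and files calls); a single comment naming the initrd requirement once, or one per call stating what each call covers (e.g. `# /initrd: directory access`), would read better than three identical copies.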


@ -26,6 +26,8 @@ sysnet_read_config(hostname_t)
kernel_read_kernel_sysctl(hostname_t)
kernel_dontaudit_use_fd(hostname_t)
kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)
dev_read_sysfs(hostname_t)
@ -89,14 +91,7 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
##daemon_base_domain(hostname, , nosysadm)
##must remembe to go back and take care of the nosysadm part
allow hostname_t proc_t:dir r_dir_perms;
allow hostname_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
rhgb_domain(hostname_t)
')
##end daemon_base_domain
') dnl end TODO


@ -59,6 +59,7 @@ corenet_tcp_bind_all_nodes(hotplug_t)
dev_read_sysfs(hotplug_t)
dev_read_usbfs(hotplug_t)
dev_setattr_printer(hotplug_t)
dev_setattr_snd_dev(hotplug_t)
# for SSP:
dev_read_urand(hotplug_t)
@ -197,8 +198,4 @@ optional_policy(`hald.te', `
optional_policy(`hotplug.te',`
hotplug_read_config(hald_t)
')
optional_policy(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
') dnl end TODO


@ -276,6 +276,12 @@ files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spools(initrc_t)
# Mount and unmount file systems.
# cjp: not sure why these are here; should use mount policy
files_list_isid_type_dir(initrc_t)
files_mounton_isid_type_dir(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
@ -304,7 +310,15 @@ userdom_read_all_user_files(initrc_t)
userdom_use_sysadm_terms(initrc_t)
ifdef(`distro_debian', `
dev_setattr_dev_dir(initrc_t)
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
# for storing state under /dev/shm
fs_setattr_tmpfs_dir(initrc_t)
storage_create_fixed_disk_tmpfs(initrc_t)
files_setattr_etc_dir(initrc_t)
')
ifdef(`distro_redhat',`
@ -340,6 +354,10 @@ ifdef(`distro_redhat',`
mta_read_aliases(initrc_t)
')
ifdef(`targeted_policy',`
unconfined_shell_domtrans(initrc_t)
')
optional_policy(`hotplug.te',`
dev_read_usbfs(initrc_t)
@ -360,6 +378,10 @@ optional_policy(`lvm.te',`
dev_create_generic_chr_file(initrc_t)
')
optional_policy(`mta.te',`
mta_dontaudit_read_spool_symlink(initrc_t)
')
optional_policy(`nis.te',`
nis_udp_sendto_ypbind(initrc_t)
nis_list_var_yp(initrc_t)
@ -381,7 +403,7 @@ optional_policy(`rpm.te',`
# why is this needed:
rpm_manage_db(initrc_t)
') dnl end rpm.te
')
optional_policy(`ssh.te',`
optional_policy(`inetd.te',`
@ -402,10 +424,6 @@ optional_policy(`sysnetwork.te',`
')
ifdef(`TODO',`
# Mount and unmount file systems.
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
# Set device ownerships/modes.
allow initrc_t xconsole_device_t:fifo_file setattr;
@ -417,29 +435,13 @@ su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')
ifdef(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr;
# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
')
ifdef(`distro_redhat', `
# readahead asks for these
allow initrc_t var_lib_nfs_t:file r_file_perms;
')
ifdef(`targeted_policy', `
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
ifdef(`targeted_policy',`
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
')
#
# Shutting down xinet causes these
#
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;
') dnl end TODO
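Review bot: The four `files_list_isid_type_dir`/`files_mounton_isid_type_dir`/`files_list_default`/`files_mounton_default` calls give initrc_t mounton on the directories the removed rule named, file_t and default_t, and the comment above them already says this belongs in the mount policy. Since the commit is a TODO cleanup, that doubt is better tracked as an explicit marker than a name-tagged aside, e.g. `# TODO: move to the mount domain; initrc should not mounton file_t/default_t dirs itself`. The same applies to `storage_create_fixed_disk_tmpfs(initrc_t)` in the distro_debian block, which lets init scripts create fixed-disk block device nodes on tmpfs; the neighbouring `/dev/shm` comment explains the state directory but not why a block device node must be created there, so a short rationale would help the next reader decide whether the rule can go. The distro_redhat block that follows continues outside the hunk.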


@ -76,22 +76,20 @@ logging_send_syslog_msg(ldconfig_t)
userdom_use_all_user_fd(ldconfig_t)
ifdef(`TODO',`
ifdef(`apache.te', `
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;
')
ifdef(`hide_broken_symptoms', `
ifdef(`unconfined.te',`
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
ifdef(`hide_broken_symptoms',`
optional_policy(`unconfined.te',`
unconfined_dontaudit_rw_tcp_socket(ldconfig_t)
')
')
ifdef(`targeted_policy', `
ifdef(`targeted_policy',`
allow ldconfig_t lib_t:file r_file_perms;
unconfined_domain(ldconfig_t)
unconfined_domain_template(ldconfig_t)
')
ifdef(`TODO',`
optional_policy(`apache.te',`
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;
')
') dnl end TODO


@ -143,6 +143,19 @@ ifdef(`distro_redhat',`
files_dontaudit_read_root_file(local_login_t)
')
ifdef(`targeted_policy',`
unconfined_domain_template(local_login_t)
unconfined_shell_domtrans(local_login_t)
')
tunable_policy(`read_default_t',`
files_list_default(local_login_t)
files_read_default_files(local_login_t)
files_read_default_symlinks(local_login_t)
files_read_default_sockets(local_login_t)
files_read_default_pipes(local_login_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(local_login_t)
fs_read_nfs_symlinks(local_login_t)
@ -168,11 +181,6 @@ allow local_login_t bin_t:notdevfile_class_set r_file_perms;
allow local_login_t sbin_t:dir r_dir_perms;
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
tunable_policy(`read_default_t',`
allow local_login_t default_t:dir r_dir_perms;
allow local_login_t default_t:notdevfile_class_set r_file_perms;
')
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow local_login_t readable_t:dir r_dir_perms;
@ -181,19 +189,14 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
# for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read;
dontaudit local_login_t device_t:lnk_file { getattr setattr };
dontaudit local_login_t device_t:lnk_file setattr;
# this goes to xserver:
# this goes to xdm:
optional_policy(`locallogin.te',`
# FIXME: what is this for?
locallogin_signull(xdm_t)
')
ifdef(`targeted_policy',`
unconfined_domain(local_login_t)
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
')
optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr };
')
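Review bot: `dontaudit local_login_t device_t:lnk_file setattr;` narrows the previous `{ getattr setattr }`, so getattr denials on /dev symlinks will now show up in the audit log unless that permission is granted to local_login_t elsewhere; nothing in this section grants it, so presumably a dev_ interface now does — worth confirming, or the change should note why getattr is no longer expected to be denied. Separately, the block under `# this goes to xdm:` still wraps `locallogin_signull(xdm_t)` in `optional_policy(`locallogin.te',` inside locallogin's own module with a FIXME, so rewording the comment does not move it; a `# TODO: relocate this block to xdm.te` marker would make the pending move trackable.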


@ -59,6 +59,8 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
files_create_pid(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
kernel_list_proc(auditd_t)
kernel_read_proc_symlinks(auditd_t)
dev_read_sysfs(auditd_t)
@ -100,9 +102,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
allow auditd_t proc_t:dir r_dir_perms;
allow auditd_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
rhgb_domain(auditd_t)
')
@ -188,6 +187,7 @@ allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_pid(syslogd_t,syslogd_var_run_t)
kernel_read_kernel_sysctl(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
@ -269,7 +269,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
allow syslogd_t proc_t:lnk_file read;
dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
rhgb_domain(syslogd_t)


@ -125,6 +125,7 @@ domain_use_wide_inherit_fd(lvm_t)
files_search_var(lvm_t)
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
files_dontaudit_getattr_pid_dir(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(lvm_t)
@ -165,7 +166,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
dontaudit lvm_t var_run_t:dir getattr;
optional_policy(`gnome-pty-helper.te', `
allow lvm_t sysadm_gph_t:fd use;


@ -82,7 +82,7 @@ template(`unconfined_domain_template',`
## Domain allowed access.
## </param>
#
interface(`unconfined_domtrans_shell',`
interface(`unconfined_shell_domtrans',`
gen_require(`
unconfined_t;
@ -142,6 +142,34 @@ interface(`unconfined_rw_pipe',`
allow $1 unconfined_t:fifo_file rw_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </summary>
## <desc>
## <p>
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </p>
## <p>
## This interface was added due to a broken
## symptom in ldconfig.
## </p>
## </desc>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`unconfined_dontaudit_rw_tcp_socket',`
gen_require(`
type unconfined_t;
class tcp_socket { read write };
')
dontaudit $1 unconfined_t:tcp_socket { read write };
')
########################################
## <summary>
## Add the unconfined domain to the specified role.
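Review bot: `unconfined_dontaudit_rw_tcp_socket` documents that it exists for a broken symptom in ldconfig, but not that it silences rather than fixes the underlying problem, which is most plausibly an unconfined tcp_socket descriptor being inherited by the caller; the `<desc>` should say so and point callers at the `hide_broken_symptoms` conditional the ldconfig caller uses, e.g. `## Callers should wrap this in ifdef(`hide_broken_symptoms') so the leak stays visible in the default build.`. Also, the gen_require of the renamed `unconfined_shell_domtrans` lists `unconfined_t;` with no `type` keyword, unlike `type unconfined_t;` in the new interface below; if that is not a rendering artifact it will not be accepted as a require block. The renamed interface's body continues outside the hunk.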


@ -17,6 +17,7 @@ role system_r types unconfined_t;
#
unconfined_domain_template(unconfined_t)
logging_send_syslog_msg(unconfined_t)
#role sysadm_r types unconfined_t;
@ -29,6 +30,8 @@ ifdef(`targeted_policy',`
# macros and domains from the "strict" policy.
# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
init_domtrans_script(unconfined_t)
userdom_unconfined(unconfined_t)
ifdef(`TODO',`


@ -904,7 +904,7 @@ interface(`userdom_spec_domtrans_unpriv_users',`
interface(`userdom_shell_domtrans_sysadm',`
ifdef(`targeted_policy',`
#cjp: need to doublecheck this one
unconfined_domtrans_shell($1)
unconfined_shell_domtrans($1)
',`
gen_require(`
type sysadm_t;