another round of TODO cleanup
parent
4d0d4157f4
commit
a42ca7ebec
@ -96,6 +96,23 @@ interface(`dev_list_all_dev_nodes',`
|
||||
allow $1 device_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of /dev directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_setattr_dev_dir',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dontaudit attempts to list all device nodes.
|
||||
@ -1574,7 +1591,26 @@ interface(`dev_read_mouse',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the multiplexed input device (/dev/input).
|
||||
## Set the attributes of the printer device nodes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_setattr_printer',`
|
||||
gen_require(`
|
||||
type device_t, printer_device_t;
|
||||
class dir search;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir search;
|
||||
allow $1 printer_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read input event devices (/dev/input).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
@ -1889,6 +1925,23 @@ interface(`dev_mount_usbfs',`
|
||||
allow $1 usbfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of a directory in the usb filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_getattr_usbfs_dir',`
|
||||
gen_require(`
|
||||
type usbfs_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
allow $1 usbfs_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the directory containing USB hardware information.
|
||||
|
@ -6,10 +6,10 @@
|
||||
## </required>
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allows to start userland processes
|
||||
## by transitioning to the specified domain.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type entered by kernel.
|
||||
## </param>
|
||||
@ -34,10 +34,10 @@ interface(`kernel_userland_entry',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allows the kernel to mount filesystems on
|
||||
## the specified directory type.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="directory_type">
|
||||
## The type of the directory to use as a mountpoint.
|
||||
## </param>
|
||||
@ -52,9 +52,9 @@ interface(`kernel_rootfs_mountpoint',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to kernel threads.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process sending the signal.
|
||||
## </param>
|
||||
@ -69,10 +69,10 @@ interface(`kernel_sigchld',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allows the kernel to share state information with
|
||||
## the caller.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process with which to share state information.
|
||||
## </param>
|
||||
@ -87,9 +87,9 @@ interface(`kernel_share_state',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Permits caller to use kernel file descriptors.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process using the descriptors.
|
||||
## </param>
|
||||
@ -104,10 +104,10 @@ interface(`kernel_use_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts to use
|
||||
## kernel file descriptors.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of process not to audit.
|
||||
## </param>
|
||||
@ -122,9 +122,9 @@ interface(`kernel_dontaudit_use_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allows caller to load kernel modules
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type to allow to load kernel modules.
|
||||
## </param>
|
||||
@ -140,9 +140,9 @@ interface(`kernel_load_module',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allows caller to read the ring buffer.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type allowed to read the ring buffer.
|
||||
## </param>
|
||||
@ -157,9 +157,9 @@ interface(`kernel_read_ring_buffer',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts to read the ring buffer.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain to not audit.
|
||||
## </param>
|
||||
@ -191,9 +191,9 @@ interface(`kernel_change_ring_buffer_level',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allows the caller to clear the ring buffer.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type clearing the buffer.
|
||||
## </param>
|
||||
@ -208,9 +208,9 @@ interface(`kernel_clear_ring_buffer',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Get information on all System V IPC objects.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
##
|
||||
## </param>
|
||||
@ -225,9 +225,79 @@ interface(`kernel_get_sysvipc_info',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Allows caller to read system state information.
|
||||
## </desc>
|
||||
## <summary>
|
||||
## Get the attributes of the proc filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_getattr_proc',`
|
||||
gen_require(`
|
||||
type proc_t;
|
||||
class filesystem getattr;
|
||||
')
|
||||
|
||||
allow $1 proc_t:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search directories in /proc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_search_proc',`
|
||||
gen_require(`
|
||||
type proc_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of directories in /proc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_list_proc',`
|
||||
gen_require(`
|
||||
type proc_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in /proc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_proc_symlinks',`
|
||||
gen_require(`
|
||||
type proc_t;
|
||||
class dir search;
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows caller to read system state information in proc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type reading the system state information.
|
||||
## </param>
|
||||
@ -246,10 +316,10 @@ interface(`kernel_read_system_state',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to
|
||||
## read system state information.
|
||||
## </desc>
|
||||
## read system state information in proc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
@ -264,9 +334,9 @@ interface(`kernel_dontaudit_read_system_state',`
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to read the state information for software raid.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type reading software raid state.
|
||||
## </param>
|
||||
@ -283,9 +353,9 @@ interface(`kernel_read_software_raid_state',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allows caller to get attribues of core kernel interface.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type getting the attibutes.
|
||||
## </param>
|
||||
@ -302,10 +372,10 @@ interface(`kernel_getattr_core',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes of
|
||||
## core kernel interfaces.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type to not audit.
|
||||
## </param>
|
||||
@ -320,10 +390,10 @@ interface(`kernel_dontaudit_getattr_core',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to read kernel messages
|
||||
## using the /proc/kmsg interface.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type reading the messages.
|
||||
## </param>
|
||||
@ -342,10 +412,10 @@ interface(`kernel_read_messages',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to get the attributes of kernel message
|
||||
## interface (/proc/kmsg).
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type getting the attributes.
|
||||
## </param>
|
||||
@ -362,10 +432,10 @@ interface(`kernel_getattr_message_if',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to get the attributes of kernel
|
||||
## message interfaces.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
@ -380,9 +450,9 @@ interface(`kernel_dontaudit_getattr_message_if',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to read the network state information.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type reading the state.
|
||||
## </param>
|
||||
@ -401,9 +471,9 @@ interface(`kernel_read_network_state',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to search the sysctl directory.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
@ -419,9 +489,9 @@ interface(`kernel_dontaudit_search_sysctl_dir',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to read the device sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type to allow to read the device sysctls.
|
||||
## </param>
|
||||
@ -440,9 +510,9 @@ interface(`kernel_read_device_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write device sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -460,9 +530,9 @@ interface(`kernel_rw_device_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to read virtual memory sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -481,9 +551,9 @@ interface(`kernel_read_vm_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write virtual memory sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -501,9 +571,9 @@ interface(`kernel_rw_vm_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to search sysctl network directories.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
@ -518,9 +588,9 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to read network sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -540,9 +610,9 @@ interface(`kernel_read_net_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to modiry contents of sysctl network files.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -561,10 +631,10 @@ interface(`kernel_rw_net_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to read unix domain
|
||||
## socket sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -583,10 +653,10 @@ interface(`kernel_read_unix_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write unix domain
|
||||
## socket sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -605,9 +675,9 @@ interface(`kernel_rw_unix_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read the hotplug sysctl.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -626,9 +696,9 @@ interface(`kernel_read_hotplug_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write the hotplug sysctl.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -647,9 +717,9 @@ interface(`kernel_rw_hotplug_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read the modprobe sysctl.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -668,9 +738,9 @@ interface(`kernel_read_modprobe_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write the modprobe sysctl.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -689,9 +759,9 @@ interface(`kernel_rw_modprobe_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read generic kernel sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -710,9 +780,9 @@ interface(`kernel_read_kernel_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write generic kernel sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -731,9 +801,9 @@ interface(`kernel_rw_kernel_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read filesystem sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -752,9 +822,9 @@ interface(`kernel_read_fs_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write fileystem sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -773,9 +843,9 @@ interface(`kernel_rw_fs_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read IRQ sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -793,9 +863,9 @@ interface(`kernel_read_irq_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write IRQ sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -848,9 +918,9 @@ interface(`kernel_rw_rpc_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Allow caller to read all sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -869,9 +939,9 @@ interface(`kernel_read_all_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write all sysctls.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -890,9 +960,9 @@ interface(`kernel_rw_all_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Send a kill signal to unlabeled processes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -907,9 +977,9 @@ interface(`kernel_kill_unlabeled',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Send general signals to unlabeled processes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -924,9 +994,9 @@ interface(`kernel_signal_unlabeled',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Send a null signal to unlabeled processes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -941,9 +1011,9 @@ interface(`kernel_signull_unlabeled',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Send a stop signal to unlabeled processes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -958,9 +1028,9 @@ interface(`kernel_sigstop_unlabeled',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Send a child terminated signal to unlabeled processes.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -975,10 +1045,10 @@ interface(`kernel_sigchld_unlabeled',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to get attributes for
|
||||
## unlabeled block devices.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
@ -986,16 +1056,50 @@ interface(`kernel_sigchld_unlabeled',`
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
class process getattr;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write unlabeled directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_unlabeled_dir',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write unlabeled block device nodes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_use_unlabeled_blk_dev',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
class blk_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow caller to relabel unlabeled objects.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type relabeling the objects.
|
||||
## </param>
|
||||
|
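Review bot: In the `@ -986,16 +1056,50 @@` hunk, `kernel_use_unlabeled_blk_dev` is summarised as "Read and write unlabeled block device nodes" and requires `class blk_file rw_file_perms`, yet its only rule is `allow $1 unlabeled_t:blk_file getattr;`. It looks copied from the interface above; the rule presumably should be `allow $1 unlabeled_t:blk_file rw_file_perms;`. In the same hunk, `kernel_dontaudit_getattr_unlabeled_blk_dev` still emits `allow $1 unlabeled_t:blk_file getattr;`, so a caller that only meant to silence a denial is granted the access instead; a dontaudit interface should emit `dontaudit $1 unlabeled_t:blk_file getattr;`. The +/- markers are lost on this page, so which of these lines the commit itself changed is inferred from the hunk counts.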
@ -160,6 +160,27 @@ interface(`storage_manage_fixed_disk',`
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create fixed disk device nodes on a tmpfs filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_create_fixed_disk_tmpfs',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
type fixed_disk_device_t;
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||
fs_create_tmpfs_data($1,fixed_disk_device_t,blk_file)
|
||||
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel fixed disk device nodes.
|
||||
|
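Review bot: `storage_create_fixed_disk_tmpfs` grants more than its summary says. The rule `allow $1 fixed_disk_device_t:blk_file create_file_perms;` is not limited to tmpfs, and `typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;` adds the caller to both raw-disk attributes. The rules and any neverallow exemptions attached to those attributes are defined outside this hunk, but a domain that only needs to create nodes presumably inherits them as well. I would say so in the summary, e.g. `## Create fixed disk device nodes on a tmpfs filesystem; also adds the caller to the raw fixed disk read and write attributes.`, so the raw-disk access is visible when call sites are reviewed.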
@ -248,6 +248,24 @@ interface(`mta_rw_aliases',`
|
||||
allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read a symlink
|
||||
## in the mail spool.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_dontaudit_read_spool_symlink',`
|
||||
gen_require(`
|
||||
type mail_spool_t;
|
||||
class lnk_file read;
|
||||
')
|
||||
|
||||
dontaudit $1 mail_spool_t:lnk_file read;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# mta_getattr_spool(domain)
|
||||
@ -313,4 +331,3 @@ interface(`mta_manage_queue',`
|
||||
allow $1 mqueue_spool_t:dir rw_dir_perms;
|
||||
allow $1 mqueue_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
|
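Review bot: The `<param>` text of the new `mta_dontaudit_read_spool_symlink` says `Domain allowed access.`, but the interface's only rule is `dontaudit $1 mail_spool_t:lnk_file read;`, which grants nothing. Documentation generated from this would tell a policy author that the call permits the read. Suggest `## Domain to not audit.` for the description, in line with the wording the other dontaudit interfaces on this page use.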
@ -318,5 +318,5 @@ optional_policy(`xserver.te', `
|
||||
#allow utempter_t xdm_t:fd use;
|
||||
xserver_use_xdm_fd(utempter_t)
|
||||
#allow utempter_t xdm_t:fifo_file { write getattr };
|
||||
xserver_write_xdm_fifo(utempter_t)
|
||||
xdm_write_fifo(utempter_t)
|
||||
')
|
||||
|
@ -30,6 +30,8 @@ dontaudit hwclock_t self:capability sys_tty_config;
|
||||
allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
|
||||
|
||||
kernel_read_kernel_sysctl(hwclock_t)
|
||||
kernel_list_proc(hwclock_t)
|
||||
kernel_read_proc_symlinks(hwclock_t)
|
||||
|
||||
dev_read_sysfs(hwclock_t)
|
||||
dev_rw_realtime_clock(hwclock_t)
|
||||
@ -77,10 +79,6 @@ optional_policy(`userdomain.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow hwclock_t proc_t:dir r_dir_perms;
|
||||
allow hwclock_t proc_t:lnk_file read;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(hwclock_t)
|
||||
')
|
||||
|
@ -86,10 +86,10 @@ interface(`files_tmp_file',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Transform the type into a file, for use on a
|
||||
## virtual memory filesystem (tmpfs).
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## The type to be transformed.
|
||||
## </param>
|
||||
@ -126,10 +126,10 @@ interface(`files_getattr_all_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Relabel all files on the filesystem, except
|
||||
## the listed exceptions.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
@ -163,10 +163,10 @@ interface(`files_relabel_all_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Manage all files on the filesystem, except
|
||||
## the listed exceptions.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
@ -303,11 +303,11 @@ interface(`files_list_root',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Create an object in the root directory, with a private
|
||||
## type. If no object class is specified, the
|
||||
## default is file.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -415,6 +415,108 @@ interface(`files_unmount_rootfs',`
|
||||
allow $1 root_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List contents of directories with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_default',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 default_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a filesystem on a directory with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_mounton_default',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class dir { getattr search mounton };
|
||||
')
|
||||
|
||||
allow $1 default_t:dir { getattr search mounton };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_default_files',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 default_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_default_symlinks',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 default_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read sockets with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_default_sockets',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class sock_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 default_t:sock_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read named pipes with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_default_pipes',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
class fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 default_t:fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_search_etc(domain)
|
||||
@ -428,6 +530,23 @@ interface(`files_search_etc',`
|
||||
allow $1 etc_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of the /etc directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_setattr_etc_dir',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
class dir setattr;
|
||||
')
|
||||
|
||||
allow $1 etc_t:dir setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_list_etc(domain)
|
||||
@ -493,9 +612,9 @@ interface(`files_manage_etc_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Delete system configuration files in /etc.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -613,6 +732,24 @@ interface(`files_dontaudit_search_isid_type_dir',`
|
||||
dontaudit $1 file_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of directories on new filesystems
|
||||
## that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_isid_type_dir',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 file_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write directories on new filesystems
|
||||
@ -649,6 +786,24 @@ interface(`files_manage_isid_type_dir',`
|
||||
allow $1 file_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a filesystem on a directory on new filesystems
|
||||
## that has not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_mounton_isid_type_dir',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir { getattr search mounton };
|
||||
')
|
||||
|
||||
allow $1 file_t:dir { getattr search mounton };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
@ -856,6 +1011,23 @@ interface(`files_list_mnt',`
|
||||
allow $1 mnt_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete directories in /mnt.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_mnt_dirs',`
|
||||
gen_require(`
|
||||
type mnt_t;
|
||||
class dir create_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 mnt_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the tmp directory (/tmp)
|
||||
@ -943,9 +1115,9 @@ interface(`files_read_usr_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Execute programs in /usr/src in the caller domain.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -1027,9 +1199,9 @@ interface(`files_read_var_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Search the /var/lib directory.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -1140,6 +1312,24 @@ interface(`files_create_lock',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of the /var/run directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_pid_dir',`
|
||||
gen_require(`
|
||||
type var_run_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 var_run_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_search_pids(domain)
|
||||
@ -1218,9 +1408,9 @@ interface(`files_rw_generic_pids',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts to write to daemon runtime data files.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -1235,9 +1425,9 @@ interface(`files_dontaudit_write_all_pids',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts to ioctl daemon runtime data files.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
|
@ -49,6 +49,11 @@ kernel_read_system_state(fsadm_t)
|
||||
kernel_read_kernel_sysctl(fsadm_t)
|
||||
# Allow console log change (updfstab)
|
||||
kernel_change_ring_buffer_level(fsadm_t)
|
||||
# mkreiserfs needs this
|
||||
kernel_getattr_proc(fsadm_t)
|
||||
# Access to /initrd devices
|
||||
kernel_rw_unlabeled_dir(fsadm_t)
|
||||
kernel_use_unlabeled_blk_dev(fsadm_t)
|
||||
|
||||
# mkreiserfs and other programs need this for UUID
|
||||
dev_read_rand(fsadm_t)
|
||||
@ -60,11 +65,16 @@ dev_search_usbfs(fsadm_t)
|
||||
# for swapon
|
||||
dev_getattr_sysfs_dir(fsadm_t)
|
||||
dev_search_sysfs(fsadm_t)
|
||||
# Access to /initrd devices
|
||||
dev_getattr_usbfs_dir(fsadm_t)
|
||||
|
||||
fs_search_auto_mountpoints(fsadm_t)
|
||||
fs_getattr_xattr_fs(fsadm_t)
|
||||
# remount file system to apply changes
|
||||
fs_remount_xattr_fs(fsadm_t)
|
||||
# for /dev/shm
|
||||
fs_search_tmpfs(fsadm_t)
|
||||
fs_getattr_tmpfs_dir(fsadm_t)
|
||||
|
||||
storage_raw_read_fixed_disk(fsadm_t)
|
||||
storage_raw_write_fixed_disk(fsadm_t)
|
||||
@ -78,13 +88,15 @@ domain_use_wide_inherit_fd(fsadm_t)
|
||||
files_list_home(fsadm_t)
|
||||
files_read_usr_files(fsadm_t)
|
||||
files_read_etc_files(fsadm_t)
|
||||
files_list_mnt(fsadm_t)
|
||||
files_manage_lost_found(fsadm_t)
|
||||
files_manage_isid_type_dir(fsadm_t)
|
||||
# Write to /etc/mtab.
|
||||
files_manage_etc_runtime_files(fsadm_t)
|
||||
# Access to /initrd devices
|
||||
files_rw_isid_type_dir(fsadm_t)
|
||||
files_rw_isid_type_blk_node(fsadm_t)
|
||||
# Recreate /mnt/cdrom.
|
||||
files_manage_mnt_dirs(fsadm_t)
|
||||
|
||||
init_use_fd(fsadm_t)
|
||||
init_use_script_pty(fsadm_t)
|
||||
@ -102,6 +114,14 @@ seutil_read_config(fsadm_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(fsadm_t)
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(fsadm_t)
|
||||
files_read_default_files(fsadm_t)
|
||||
files_read_default_symlinks(fsadm_t)
|
||||
files_read_default_sockets(fsadm_t)
|
||||
files_read_default_pipes(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
# for smartctl cron jobs
|
||||
cron_system_entry(fsadm_t,fsadm_exec_t)
|
||||
@ -112,32 +132,13 @@ optional_policy(`nis.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for /dev/shm
|
||||
allow fsadm_t tmpfs_t:dir { getattr search };
|
||||
|
||||
allow fsadm_t bin_t:dir r_dir_perms;
|
||||
allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow fsadm_t sbin_t:dir r_dir_perms;
|
||||
allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
|
||||
if (read_default_t) {
|
||||
allow fsadm_t default_t:dir r_dir_perms;
|
||||
allow fsadm_t default_t:notdevfile_class_set r_file_perms;
|
||||
}
|
||||
|
||||
# mkreiserfs needs this
|
||||
allow fsadm_t proc_t:filesystem getattr;
|
||||
|
||||
allow fsadm_t file_t:dir { search read getattr rmdir create };
|
||||
|
||||
# Recreate /mnt/cdrom.
|
||||
allow fsadm_t mnt_t:dir { rmdir create };
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
|
||||
|
||||
# Access to /initrd devices
|
||||
allow fsadm_t unlabeled_t:dir rw_dir_perms;
|
||||
allow fsadm_t unlabeled_t:blk_file rw_file_perms;
|
||||
allow fsadm_t usbfs_t:dir getattr;
|
||||
|
||||
') dnl end TODO
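Review bot: `files_manage_mnt_dirs(fsadm_t)` under `# Recreate /mnt/cdrom.` grants more than the TODO rule it appears to replace. The interface added in this commit allows `mnt_t:dir create_dir_perms`, while the old rule was `allow fsadm_t mnt_t:dir { rmdir create };`. The same widening seems to apply to `files_manage_isid_type_dir(fsadm_t)`, whose interface allows `file_t:dir create_dir_perms` against the old `{ search read getattr rmdir create }`. The expansion of `create_dir_perms` is not shown on this page, so the exact difference should be checked against the macro definition. If the extra permissions are not needed, a comment such as `# old policy needed only rmdir and create here` above each call would keep that on record for a later tightening.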
|
||||
|
@ -26,6 +26,8 @@ sysnet_read_config(hostname_t)
|
||||
|
||||
kernel_read_kernel_sysctl(hostname_t)
|
||||
kernel_dontaudit_use_fd(hostname_t)
|
||||
kernel_list_proc(hostname_t)
|
||||
kernel_read_proc_symlinks(hostname_t)
|
||||
|
||||
dev_read_sysfs(hostname_t)
|
||||
|
||||
@ -89,14 +91,7 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
##daemon_base_domain(hostname, , nosysadm)
|
||||
##must remembe to go back and take care of the nosysadm part
|
||||
allow hostname_t proc_t:dir r_dir_perms;
|
||||
allow hostname_t proc_t:lnk_file read;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(hostname_t)
|
||||
')
|
||||
##end daemon_base_domain
|
||||
') dnl end TODO
|
||||
|
@ -59,6 +59,7 @@ corenet_tcp_bind_all_nodes(hotplug_t)
|
||||
|
||||
dev_read_sysfs(hotplug_t)
|
||||
dev_read_usbfs(hotplug_t)
|
||||
dev_setattr_printer(hotplug_t)
|
||||
dev_setattr_snd_dev(hotplug_t)
|
||||
# for SSP:
|
||||
dev_read_urand(hotplug_t)
|
||||
@ -197,8 +198,4 @@ optional_policy(`hald.te', `
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_read_config(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
allow hotplug_t printer_device_t:chr_file setattr;
|
||||
')
|
||||
') dnl end TODO
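Review bot: `dev_setattr_printer(hotplug_t)` is called unconditionally in the first hunk, but the rule it appears to replace, `allow hotplug_t printer_device_t:chr_file setattr;`, sat inside an optional_policy block keyed on lpd.te in the TODO section. As defined earlier in this commit, the interface also grants `device_t:dir search`, so hotplug_t gets both permissions even when no printing policy is loaded. If the access is only needed together with lpd, the call should stay inside an optional_policy block for lpd.te. Otherwise a one-line comment such as `# set ownership/mode of printer nodes on hotplug events` would record why it is unconditional.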
|
||||
|
@ -276,6 +276,12 @@ files_exec_etc_files(initrc_t)
|
||||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spools(initrc_t)
|
||||
# Mount and unmount file systems.
|
||||
# cjp: not sure why these are here; should use mount policy
|
||||
files_list_isid_type_dir(initrc_t)
|
||||
files_mounton_isid_type_dir(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
|
||||
libs_rw_ld_so_cache(initrc_t)
|
||||
libs_use_ld_so(initrc_t)
|
||||
@ -304,7 +310,15 @@ userdom_read_all_user_files(initrc_t)
|
||||
userdom_use_sysadm_terms(initrc_t)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
dev_setattr_dev_dir(initrc_t)
|
||||
|
||||
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
|
||||
|
||||
# for storing state under /dev/shm
|
||||
fs_setattr_tmpfs_dir(initrc_t)
|
||||
storage_create_fixed_disk_tmpfs(initrc_t)
|
||||
|
||||
files_setattr_etc_dir(initrc_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -340,6 +354,10 @@ ifdef(`distro_redhat',`
|
||||
mta_read_aliases(initrc_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_shell_domtrans(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
dev_read_usbfs(initrc_t)
|
||||
|
||||
@ -360,6 +378,10 @@ optional_policy(`lvm.te',`
|
||||
dev_create_generic_chr_file(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`mta.te',`
|
||||
mta_dontaudit_read_spool_symlink(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_udp_sendto_ypbind(initrc_t)
|
||||
nis_list_var_yp(initrc_t)
|
||||
@ -381,7 +403,7 @@ optional_policy(`rpm.te',`
|
||||
|
||||
# why is this needed:
|
||||
rpm_manage_db(initrc_t)
|
||||
') dnl end rpm.te
|
||||
')
|
||||
|
||||
optional_policy(`ssh.te',`
|
||||
optional_policy(`inetd.te',`
|
||||
@ -402,10 +424,6 @@ optional_policy(`sysnetwork.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Mount and unmount file systems.
|
||||
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
|
||||
|
||||
# Set device ownerships/modes.
|
||||
allow initrc_t xconsole_device_t:fifo_file setattr;
|
||||
|
||||
@ -417,29 +435,13 @@ su_restricted_domain(initrc,system)
|
||||
role system_r types initrc_su_t;
|
||||
')
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
allow initrc_t { etc_t device_t }:dir setattr;
|
||||
|
||||
# for storing state under /dev/shm
|
||||
allow initrc_t tmpfs_t:dir setattr;
|
||||
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# readahead asks for these
|
||||
allow initrc_t var_lib_nfs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
|
||||
ifdef(`targeted_policy',`
|
||||
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
|
||||
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
|
||||
domain_trans(initrc_t, shell_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
#
|
||||
# Shutting down xinet causes these
|
||||
#
|
||||
# Rsync
|
||||
dontaudit initrc_t mail_spool_t:lnk_file read;
|
||||
') dnl end TODO
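Review bot: `mta_dontaudit_read_spool_symlink(initrc_t)` in the new optional_policy block for mta.te carries no explanation, while the raw rule in the TODO block (`dontaudit initrc_t mail_spool_t:lnk_file read;`) sat under the comments `# Shutting down xinet causes these` and `# Rsync`. A dontaudit rule suppresses denial records, so without the reason next to the call nobody can later tell whether it still hides only that known noise. I would carry the reason over as `# shutting down xinet (rsync) causes these` on the line before the call. Whether the old comment lines remain in the TODO block cannot be determined from this rendering.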
|
||||
|
@ -76,22 +76,20 @@ logging_send_syslog_msg(ldconfig_t)
|
||||
|
||||
userdom_use_all_user_fd(ldconfig_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`apache.te', `
|
||||
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
||||
dontaudit ldconfig_t httpd_modules_t:dir search;
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`unconfined.te',`
|
||||
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`unconfined.te',`
|
||||
unconfined_dontaudit_rw_tcp_socket(ldconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
ifdef(`targeted_policy',`
|
||||
allow ldconfig_t lib_t:file r_file_perms;
|
||||
unconfined_domain(ldconfig_t)
|
||||
unconfined_domain_template(ldconfig_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`apache.te',`
|
||||
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
||||
dontaudit ldconfig_t httpd_modules_t:dir search;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -143,6 +143,19 @@ ifdef(`distro_redhat',`
|
||||
files_dontaudit_read_root_file(local_login_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(local_login_t)
|
||||
unconfined_shell_domtrans(local_login_t)
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(local_login_t)
|
||||
files_read_default_files(local_login_t)
|
||||
files_read_default_symlinks(local_login_t)
|
||||
files_read_default_sockets(local_login_t)
|
||||
files_read_default_pipes(local_login_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(local_login_t)
|
||||
fs_read_nfs_symlinks(local_login_t)
|
||||
@ -168,11 +181,6 @@ allow local_login_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow local_login_t sbin_t:dir r_dir_perms;
|
||||
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
allow local_login_t default_t:dir r_dir_perms;
|
||||
allow local_login_t default_t:notdevfile_class_set r_file_perms;
|
||||
')
|
||||
|
||||
# Read directories and files with the readable_t type.
|
||||
# This type is a general type for "world"-readable files.
|
||||
allow local_login_t readable_t:dir r_dir_perms;
|
||||
@ -181,19 +189,14 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
|
||||
# for when /var/mail is a sym-link
|
||||
allow local_login_t var_t:lnk_file read;
|
||||
|
||||
dontaudit local_login_t device_t:lnk_file { getattr setattr };
|
||||
dontaudit local_login_t device_t:lnk_file setattr;
|
||||
|
||||
# this goes to xserver:
|
||||
# this goes to xdm:
|
||||
optional_policy(`locallogin.te',`
|
||||
# FIXME: what is this for?
|
||||
locallogin_signull(xdm_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(local_login_t)
|
||||
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`gpm.te',`
|
||||
allow local_login_t gpmctl_t:sock_file { getattr setattr };
|
||||
')
|
||||
|
@ -59,6 +59,8 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||
files_create_pid(auditd_t,auditd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(auditd_t)
|
||||
kernel_list_proc(auditd_t)
|
||||
kernel_read_proc_symlinks(auditd_t)
|
||||
|
||||
dev_read_sysfs(auditd_t)
|
||||
|
||||
@ -100,9 +102,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow auditd_t proc_t:dir r_dir_perms;
|
||||
allow auditd_t proc_t:lnk_file read;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(auditd_t)
|
||||
')
|
||||
@ -188,6 +187,7 @@ allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||
files_create_pid(syslogd_t,syslogd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(syslogd_t)
|
||||
kernel_read_proc_symlinks(syslogd_t)
|
||||
|
||||
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
||||
dev_read_sysfs(syslogd_t)
|
||||
@ -269,7 +269,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow syslogd_t proc_t:lnk_file read;
|
||||
dontaudit syslogd_t sysadm_home_dir_t:dir search;
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(syslogd_t)
|
||||
|
@ -125,6 +125,7 @@ domain_use_wide_inherit_fd(lvm_t)
|
||||
files_search_var(lvm_t)
|
||||
files_read_etc_files(lvm_t)
|
||||
files_read_etc_runtime_files(lvm_t)
|
||||
files_dontaudit_getattr_pid_dir(lvm_t)
|
||||
# for when /usr is not mounted:
|
||||
files_dontaudit_search_isid_type_dir(lvm_t)
|
||||
|
||||
@ -165,7 +166,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit lvm_t var_run_t:dir getattr;
|
||||
|
||||
optional_policy(`gnome-pty-helper.te', `
|
||||
allow lvm_t sysadm_gph_t:fd use;
|
||||
|
@ -82,7 +82,7 @@ template(`unconfined_domain_template',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_domtrans_shell',`
|
||||
interface(`unconfined_shell_domtrans',`
|
||||
|
||||
gen_require(`
|
||||
unconfined_t;
|
||||
@ -142,6 +142,34 @@ interface(`unconfined_rw_pipe',`
|
||||
allow $1 unconfined_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read or write
|
||||
## unconfined domain tcp sockets.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Do not audit attempts to read or write
|
||||
## unconfined domain tcp sockets.
|
||||
## </p>
|
||||
## <p>
|
||||
## This interface was added due to a broken
|
||||
## symptom in ldconfig.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_dontaudit_rw_tcp_socket',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
class tcp_socket { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 unconfined_t:tcp_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Add the unconfined domain to the specified role.
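Review bot: The `gen_require` block of the renamed `unconfined_shell_domtrans` lists `unconfined_t;` without the `type` keyword, as rendered in the context lines right after the renamed `interface(` line in the first hunk. The new `unconfined_dontaudit_rw_tcp_socket` in the same file writes `type unconfined_t;`, so the older declaration looks malformed and the requirement may not be registered as intended. Since the commit already touches this interface, the line should become `type unconfined_t;`. The rest of that interface body lies outside the hunk.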
|
||||
|
@ -17,6 +17,7 @@ role system_r types unconfined_t;
|
||||
#
|
||||
|
||||
unconfined_domain_template(unconfined_t)
|
||||
|
||||
logging_send_syslog_msg(unconfined_t)
|
||||
|
||||
#role sysadm_r types unconfined_t;
|
||||
@ -29,6 +30,8 @@ ifdef(`targeted_policy',`
|
||||
# macros and domains from the "strict" policy.
|
||||
# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
|
||||
|
||||
init_domtrans_script(unconfined_t)
|
||||
|
||||
userdom_unconfined(unconfined_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
@ -904,7 +904,7 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
interface(`userdom_shell_domtrans_sysadm',`
|
||||
ifdef(`targeted_policy',`
|
||||
#cjp: need to doublecheck this one
|
||||
unconfined_domtrans_shell($1)
|
||||
unconfined_shell_domtrans($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
|