rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy

Browse Source
This commit is contained in:
Dan Walsh 2010-09-16 06:38:13 -04:00
commit a55bb56954
30 changed files with 223 additions and 259 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
policy/modules/services/samba.if
View File

@ -131,6 +131,7 @@ interface(`samba_run_net',`
## The role to be allowed the samba_net domain.
## </summary>
## </param>
## <rolecap/>
#
template(`samba_role_notrans',`
gen_require(`
@ -483,15 +484,14 @@ interface(`samba_manage_var_files',`
## Execute a domain transition to run smbcontrol.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`samba_domtrans_smbcontrol',`
gen_require(`
type smbcontrol_t;
type smbcontrol_exec_t;
type smbcontrol_t, smbcontrol_exec_t;
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
@ -721,7 +721,9 @@ interface(`samba_stream_connect_winbind',`
template(`samba_helper_template',`
gen_require(`
type smbd_t;
role system_r;
')
#This type is for samba helper scripts
type samba_$1_script_t;
domain_type(samba_$1_script_t)
@ -734,7 +736,6 @@ template(`samba_helper_template',`
domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
allow smbd_t samba_$1_script_exec_t:file ioctl;
')
########################################
@ -756,20 +757,12 @@ template(`samba_helper_template',`
#
interface(`samba_admin',`
gen_require(`
type nmbd_t, nmbd_var_run_t;
type smbd_t, smbd_tmp_t;
type smbd_var_run_t;
type samba_initrc_exec_t;
type samba_log_t, samba_var_t;
type samba_etc_t, samba_share_t;
type samba_secrets_t;
type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
type smbd_t, smbd_tmp_t, samba_secrets_t;
type samba_initrc_exec_t, samba_log_t, samba_var_t;
type samba_etc_t, samba_share_t, winbind_log_t;
type swat_var_run_t, swat_tmp_t;
type winbind_var_run_t, winbind_tmp_t;
type winbind_log_t;
type samba_unconfined_script_t, samba_unconfined_script_exec_t;
')
@ -779,9 +772,9 @@ interface(`samba_admin',`
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
ps_process_pattern($1, samba_unconfined_script_t)
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)

2
policy/modules/services/sasl.if
View File

@ -42,7 +42,7 @@ interface(`sasl_admin',`
type saslauthd_initrc_exec_t;
')
allow $1 saslauthd_t:process { ptrace signal_perms getattr };
allow $1 saslauthd_t:process { ptrace signal_perms };
ps_process_pattern($1, saslauthd_t)
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)

32
policy/modules/services/sendmail.if
View File

@ -51,10 +51,6 @@ interface(`sendmail_domtrans',`
')
mta_sendmail_domtrans($1, sendmail_t)
allow sendmail_t $1:fd use;
allow sendmail_t $1:fifo_file rw_file_perms;
allow sendmail_t $1:process sigchld;
')
#######################################
@ -62,17 +58,17 @@ interface(`sendmail_domtrans',`
## Execute sendmail in the sendmail domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sendmail_initrc_domtrans', `
gen_require(`
type sendmail_initrc_exec_t;
')
interface(`sendmail_initrc_domtrans',`
gen_require(`
type sendmail_initrc_exec_t;
')
init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
')
########################################
@ -170,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
type sendmail_t;
')
allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
')
########################################
@ -189,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
type sendmail_t;
')
dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
')
########################################
@ -338,11 +334,11 @@ interface(`sendmail_admin',`
type mail_spool_t;
')
allow $1 sendmail_t:process { ptrace signal_perms getattr };
read_files_pattern($1, sendmail_t, sendmail_t)
allow $1 sendmail_t:process { ptrace signal_perms };
ps_process_pattern($1, sendmail_t)
allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
ps_process_pattern($1, unconfined_sendmail_t)
sendmail_initrc_domtrans($1)
domain_system_change_exemption($1)

2
policy/modules/services/setroubleshoot.if
View File

@ -109,7 +109,7 @@ interface(`setroubleshoot_dbus_chat_fixit',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain to not audit.
## </summary>
## </param>
#

3
policy/modules/services/smartmon.if
View File

@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
type fsdaemon_tmp_t;
')
files_search_tmp($1)
allow $1 fsdaemon_tmp_t:file read_file_perms;
')
@ -41,7 +42,7 @@ interface(`smartmon_admin',`
type fsdaemon_initrc_exec_t;
')
allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
allow $1 fsdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fsdaemon_t)
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)

4
policy/modules/services/smokeping.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run smokeping.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`smokeping_domtrans',`

14
policy/modules/services/snmp.if
View File

@ -11,12 +11,12 @@
## </param>
#
interface(`snmp_stream_connect',`
gen_require(`
gen_require(`
type snmpd_t, snmpd_var_lib_t;
')
')
files_search_var_lib($1)
stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
files_search_var_lib($1)
stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
')
########################################
@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
type snmpd_var_lib_t;
')
files_search_var_lib($1)
allow $1 snmpd_var_lib_t:dir list_dir_perms;
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
@ -81,9 +82,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
gen_require(`
type snmpd_var_lib_t;
')
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
dontaudit $1 snmpd_var_lib_t:file read_file_perms;
dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
@ -128,7 +130,7 @@ interface(`snmp_admin',`
type snmpd_initrc_exec_t;
')
allow $1 snmpd_t:process { ptrace signal_perms getattr };
allow $1 snmpd_t:process { ptrace signal_perms };
ps_process_pattern($1, snmpd_t)
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)

4
policy/modules/services/snort.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run snort.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`snort_domtrans',`

15
policy/modules/services/spamassassin.if
View File

@ -14,6 +14,7 @@
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
interface(`spamassassin_role',`
gen_require(`
@ -25,9 +26,13 @@ interface(`spamassassin_role',`
role $1 types { spamc_t spamassassin_t };
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
allow $2 spamassassin_t:process { ptrace signal_perms };
ps_process_pattern($2, spamassassin_t)
domtrans_pattern($2, spamc_exec_t, spamc_t)
allow $2 spamc_t:process { ptrace signal_perms };
ps_process_pattern($2, spamc_t)
manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
')
can_exec($1, spamassassin_exec_t)
')
########################################
@ -147,6 +151,7 @@ interface(`spamassassin_manage_home_client',`
type spamc_home_t;
')
userdom_search_user_home_dirs($1)
manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
manage_files_pattern($1, spamc_home_t, spamc_home_t)
manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
@ -245,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
type spamd_tmp_t;
')
files_search_tmp($1)
allow $1 spamd_tmp_t:file read_file_perms;
')
@ -264,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
type spamd_tmp_t;
')
dontaudit $1 spamd_tmp_t:sock_file getattr;
dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
')
########################################
@ -279,9 +285,10 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
#
interface(`spamd_stream_connect',`
gen_require(`
type spamd_t, spamd_var_run_t, spamd_spool_t;
type spamd_t, spamd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
')
@ -311,7 +318,7 @@ interface(`spamassassin_spamd_admin',`
allow $1 spamd_t:process { ptrace signal_perms };
ps_process_pattern($1, spamd_t)
init_labeled_script_domtrans($1, spamd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 spamd_initrc_exec_t system_r;

3
policy/modules/services/squid.if
View File

@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
type squid_t;
')
allow $1 squid_t:unix_stream_socket { getattr read write };
allow $1 squid_t:unix_stream_socket rw_socket_perms;
')
########################################
@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
## Domain to not audit.
## </summary>
## </param>
## <rolecap/>
#
interface(`squid_dontaudit_search_cache',`
gen_require(`

27
policy/modules/services/ssh.if
View File

@ -32,7 +32,6 @@
## </param>
#
template(`ssh_basic_client_template',`
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
@ -167,7 +166,7 @@ template(`ssh_basic_client_template',`
## </summary>
## </param>
#
template(`ssh_server_template', `
template(`ssh_server_template',`
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
@ -189,7 +188,7 @@ template(`ssh_server_template', `
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:shm create_shm_perms;
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
term_create_pty($1_t, $1_devpts_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@ -248,7 +247,6 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
userdom_dontaudit_relabelfrom_user_ptys($1_t)
userdom_search_user_home_dirs($1_t)
userdom_read_user_home_content_files($1_t)
# Allow checking users mail at login
@ -302,11 +300,11 @@ template(`ssh_server_template', `
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
template(`ssh_role_template',`
gen_require(`
attribute ssh_server, ssh_agent_type;
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
@ -339,7 +337,7 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
allow $3 ssh_t:process signal;
allow $3 ssh_t:process { ptrace signal_perms };
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
@ -372,7 +370,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
allow $3 $1_ssh_agent_t:process signal;
allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
@ -394,7 +392,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
files_search_home($1_ssh_agent_t)
libs_read_lib_files($1_ssh_agent_t)
@ -411,9 +408,6 @@ template(`ssh_role_template',`
# for the transition back to normal privs upon exec
userdom_search_user_home_content($1_ssh_agent_t)
userdom_user_home_domtrans($1_ssh_agent_t, $3)
allow $3 $1_ssh_agent_t:fd use;
allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
allow $3 $1_ssh_agent_t:process sigchld;
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
@ -490,8 +484,9 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
allow $1 sshd_t:fifo_file { getattr read };
allow $1 sshd_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
@ -507,7 +502,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
allow $1 sshd_t:fifo_file { write read getattr ioctl };
allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@ -597,7 +592,6 @@ interface(`ssh_domtrans',`
domtrans_pattern($1, sshd_exec_t, sshd_t)
')
########################################
## <summary>
## Execute sshd server in the sshd domain.
@ -650,7 +644,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
allow $1 sshd_key_t:file setattr;
allow $1 sshd_key_t:file setattr_file_perms;
files_search_pids($1)
')
@ -727,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
dontaudit $1 sshd_key_t:file { getattr read };
dontaudit $1 sshd_key_t:file read_file_perms;
')
######################################
@ -785,4 +779,3 @@ interface(`ssh_signull',`
allow $1 sshd_t:process signull;
')

18
policy/modules/services/sssd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run sssd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`sssd_domtrans',`
@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
type sssd_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
')
@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
')
dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t;
type sssd_initrc_exec_t;
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
')
allow $1 sssd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, sssd_t, sssd_t)
allow $1 sssd_t:process { ptrace signal_perms };
ps_process_pattern($1, sssd_t)
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)

2
policy/modules/services/stunnel.if
View File

@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
type stunnel_t;
')
domtrans_pattern(stunnel_t,$2,$1)
domtrans_pattern(stunnel_t, $2, $1)
allow $1 stunnel_t:tcp_socket rw_socket_perms;
')

15
policy/modules/services/tftp.if
View File

@ -64,19 +64,19 @@ interface(`tftp_manage_rw_content',`
## with specified types.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
## <param name="file_type">
## <summary>
## <summary>
## Private file type.
## </summary>
## </summary>
## </param>
## <param name="object_class">
## <summary>
## <summary>
## Class of the object being created.
## </summary>
## </summary>
## </param>
#
interface(`tftp_filetrans_tftpdir',`
@ -105,9 +105,10 @@ interface(`tftp_admin',`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
')
allow $1 tftpd_t:process { ptrace signal_perms getattr };
allow $1 tftpd_t:process { ptrace signal_perms };
ps_process_pattern($1, tftpd_t)
files_list_var_lib($1)
admin_pattern($1, tftpdir_rw_t)
admin_pattern($1, tftpdir_t)

32
policy/modules/services/tgtd.if
View File

@ -11,36 +11,36 @@
#####################################
## <summary>
## Allow read and write access to tgtd semaphores.
## Allow read and write access to tgtd semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tgtd_rw_semaphores',`
gen_require(`
type tgtd_t;
')
gen_require(`
type tgtd_t;
')
allow $1 tgtd_t:sem rw_sem_perms;
allow $1 tgtd_t:sem rw_sem_perms;
')
######################################
## <summary>
## Manage tgtd sempaphores.
## Manage tgtd sempaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tgtd_manage_semaphores',`
gen_require(`
type tgtd_t;
')
gen_require(`
type tgtd_t;
')
allow $1 tgtd_t:sem create_sem_perms;
allow $1 tgtd_t:sem create_sem_perms;
')

2
policy/modules/services/tor.if
View File

@ -42,7 +42,7 @@ interface(`tor_admin',`
type tor_initrc_exec_t;
')
allow $1 tor_t:process { ptrace signal_perms getattr };
allow $1 tor_t:process { ptrace signal_perms };
ps_process_pattern($1, tor_t)
init_labeled_script_domtrans($1, tor_initrc_exec_t)

7
policy/modules/services/tuned.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run tuned.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`tuned_domtrans',`
@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
#
interface(`tuned_admin',`
gen_require(`
type tuned_t, tuned_var_run_t;
type tuned_initrc_exec_t;
type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
')
allow $1 tuned_t:process { ptrace signal_perms };

7
policy/modules/services/ucspitcp.if
View File

@ -20,7 +20,7 @@
## </summary>
## </param>
#
interface(`ucspitcp_service_domain', `
interface(`ucspitcp_service_domain',`
gen_require(`
type ucspitcp_t;
role system_r;
@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
role system_r types $1;
domain_auto_trans(ucspitcp_t, $2, $1)
allow $1 ucspitcp_t:fd use;
allow $1 ucspitcp_t:process sigchld;
allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
domtrans_pattern(ucspitcp_t, $2, $1)
')

11
policy/modules/services/ulogd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run ulogd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ulogd_domtrans',`
@ -65,9 +65,9 @@ interface(`ulogd_read_log',`
## Allow the specified domain to search ulogd's log files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`ulogd_search_log',`
@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
#
interface(`ulogd_admin',`
gen_require(`
type ulogd_t, ulogd_etc_t;
type ulogd_t, ulogd_etc_t, ulogd_modules_t;
type ulogd_var_log_t, ulogd_initrc_exec_t;
type ulogd_modules_t;
')
allow $1 ulogd_t:process { ptrace signal_perms };

4
policy/modules/services/usbmuxd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run usbmuxd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`usbmuxd_domtrans',`

2
policy/modules/services/uucp.if
View File

@ -99,7 +99,7 @@ interface(`uucp_admin',`
type uucpd_var_run_t;
')
allow $1 uucpd_t:process { ptrace signal_perms getattr };
allow $1 uucpd_t:process { ptrace signal_perms };
ps_process_pattern($1, uucpd_t)
logging_list_logs($1)

27
policy/modules/services/varnishd.if
View File

@ -21,7 +21,7 @@ interface(`varnishd_domtrans',`
#######################################
## <summary>
## Execute varnishd
## Execute varnishd
## </summary>
## <param name="domain">
## <summary>
@ -61,18 +61,18 @@ interface(`varnishd_read_config',`
## Read varnish lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`varnishd_read_lib_files',`
gen_require(`
type varnishd_var_lib_t;
')
gen_require(`
type varnishd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
files_search_var_lib($1)
read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
')
#######################################
@ -151,9 +151,8 @@ interface(`varnishd_manage_log',`
#
interface(`varnishd_admin_varnishlog',`
gen_require(`
type varnishlog_t;
type varnishlog_t, varnishlog_initrc_exec_t;
type varnishlog_var_run_t, varnishlog_log_t;
type varnishlog_initrc_exec_t;
')
allow $1 varnishlog_t:process { ptrace signal_perms };
@ -165,11 +164,10 @@ interface(`varnishd_admin_varnishlog',`
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, varnishlog_var_run_t)
admin_pattern($1, varnishlog_var_run_t)
logging_list_logs($1)
admin_pattern($1, varnishlog_log_t)
')
#######################################
@ -192,7 +190,7 @@ interface(`varnishd_admin_varnishlog',`
interface(`varnishd_admin',`
gen_require(`
type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
type varnishd_var_run_t, varnishd_tmp_t;
type varnishd_var_run_t, varnishd_tmp_t;
type varnishd_initrc_exec_t;
')
@ -215,5 +213,4 @@ interface(`varnishd_admin',`
files_search_tmp($1)
admin_pattern($1, varnishd_tmp_t)
')

14
policy/modules/services/vhostmd.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run vhostmd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`vhostmd_domtrans',`
@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
')
allow $1 vhostmd_tmpfs_t:file read_file_perms;
files_search_tmp($1)
fs_search_tmpfs($1)
')
########################################
@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
')
rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
files_search_tmp($1)
fs_search_tmpfs($1)
')
########################################
@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
')
manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
files_search_tmp($1)
fs_search_tmpfs($1)
')
########################################
@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
type vhostmd_var_run_t;
')
manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
files_search_pids($1)
manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
')
########################################
@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
vhostmd_manage_tmpfs_files($1)
vhostmd_manage_pid_files($1)
')

23
policy/modules/services/virt.if
View File

@ -14,8 +14,7 @@
template(`virt_domain_template',`
gen_require(`
type virtd_t;
attribute virt_image_type;
attribute virt_domain;
attribute virt_image_type, virt_domain;
')
type $1_t, virt_domain;
@ -38,7 +37,7 @@ template(`virt_domain_template',`
dev_node($1_image_t)
dev_associate_sysfs($1_image_t)
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1_t, $1_devpts_t)
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
@ -91,9 +90,9 @@ interface(`virt_image',`
## Execute a domain transition to run virt.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`virt_domtrans',`
@ -154,8 +153,7 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
type virt_etc_t;
type virt_etc_rw_t;
type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
@ -176,8 +174,7 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
type virt_etc_t;
type virt_etc_rw_t;
type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
@ -227,7 +224,7 @@ interface(`virt_read_content',`
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## Domain allowed access.
## </summary>
## </param>
#
@ -380,9 +377,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`virt_append_log',`
@ -578,6 +575,7 @@ interface(`virt_admin',`
## The role to be allowed the sandbox domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`virt_transition_svirt',`
gen_require(`
@ -609,4 +607,3 @@ interface(`virt_dontaudit_write_pipes',`
dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')

2
policy/modules/services/xfs.if
View File

@ -1,4 +1,4 @@
## <summary>X Windows Font Server </summary>
## <summary>X Windows Font Server</summary>
########################################
## <summary>

103
policy/modules/services/xserver.if
View File

@ -59,10 +59,6 @@ interface(`xserver_restricted_role',`
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
ifdef(`hide_broken_symptoms', `
dontaudit iceauth_t $2:socket_class_set { read write };
')
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
@ -77,11 +73,11 @@ ifdef(`hide_broken_symptoms', `
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
allow $2 xdm_tmp_t:dir search_dir_perms;
allow $2 xdm_tmp_t:sock_file { read write };
allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
dontaudit $2 xdm_t:tcp_socket { read write };
dontaudit $2 xdm_tmp_t:dir setattr;
dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
allow $2 xdm_t:dbus send_msg;
allow xdm_t $2:dbus send_msg;
@ -91,7 +87,7 @@ ifdef(`hide_broken_symptoms', `
allow $2 xserver_tmpfs_t:file read_file_perms;
# Read /tmp/.X0-lock
allow $2 xserver_tmp_t:file { getattr read };
allow $2 xserver_tmp_t:file read_inherited_file_perms;
dev_rw_xserver_misc($2)
dev_rw_power_management($2)
@ -100,9 +96,6 @@ ifdef(`hide_broken_symptoms', `
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
')
# GNOME checks for usb and other devices:
dev_rw_usbfs($2)
@ -121,11 +114,19 @@ ifdef(`hide_broken_symptoms', `
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
ifdef(`hide_broken_symptoms',`
dontaudit iceauth_t $2:socket_class_set { read write };
')
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
')
')
########################################
@ -157,10 +158,10 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
allow $2 iceauth_home_t:file { relabelfrom relabelto };
allow $2 iceauth_home_t:file relabel_file_perms;
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
allow $2 xauth_home_t:file relabel_file_perms;
mls_xwin_read_to_clearance($2)
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
@ -178,7 +179,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
')
#######################################
@ -363,9 +363,8 @@ template(`xserver_common_x_domain_template',`
type xevent_t, client_xevent_t;
type input_xevent_t, $1_input_xevent_t;
attribute x_domain;
attribute x_domain, input_xevent_type;
attribute xdrawable_type, xcolormap_type;
attribute input_xevent_type;
class x_drawable all_x_drawable_perms;
class x_property all_x_property_perms;
@ -489,9 +488,9 @@ template(`xserver_user_x_domain_template',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
allow $2 xdm_tmp_t:dir search_dir_perms;
allow $2 xdm_tmp_t:sock_file { read write };
allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
@ -503,7 +502,7 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
xserver_ro_session($2,$3)
xserver_ro_session($2, $3)
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@ -511,17 +510,17 @@ template(`xserver_user_x_domain_template',`
# X object manager
xserver_object_types_template($1)
xserver_common_x_domain_template($1,$2)
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
')
xserver_common_x_domain_template($1, $2)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
')
')
########################################
@ -582,7 +581,8 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
dontaudit xauth_t $1:socket_class_set { read write };
')
')
@ -674,7 +674,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
allow $1 xconsole_device_t:fifo_file setattr;
allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
')
########################################
@ -710,7 +710,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
allow $1 xdm_t:fd use;
allow $1 xdm_t:fd use;
')
########################################
@ -729,7 +729,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
dontaudit $1 xdm_t:fd use;
dontaudit $1 xdm_t:fd use;
')
########################################
@ -747,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
allow $1 xdm_t:fifo_file { getattr read write };
allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@ -762,12 +762,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
gen_require(`
type xdm_t;
')
dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
')
########################################
@ -783,11 +782,11 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
type xdm_t, xdm_tmp_t;
type xdm_var_run_t;
type xdm_t, xdm_tmp_t, xdm_var_run_t;
')
files_search_tmp($1)
files_search_pids($1)
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
')
@ -826,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
allow $1 xdm_tmp_t:dir setattr;
allow $1 xdm_tmp_t:dir setattr_dir_perms;
')
########################################
@ -958,7 +957,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
allow $1 xserver_log_t:file getattr;
allow $1 xserver_log_t:file getattr_file_perms;
')
########################################
@ -1037,7 +1036,7 @@ interface(`xserver_read_xdm_etc_files',`
type xdm_etc_t;
')
files_search_etc($1)
files_search_etc($1)
read_files_pattern($1, xdm_etc_t, xdm_etc_t)
')
@ -1056,7 +1055,7 @@ interface(`xserver_manage_xdm_etc_files',`
type xdm_etc_t;
')
files_search_etc($1)
files_search_etc($1)
manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
')
@ -1075,7 +1074,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
files_search_tmp($1)
files_search_tmp($1)
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
@ -1151,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
dontaudit $1 xdm_tmp_t:sock_file getattr;
dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
')
########################################
@ -1169,7 +1168,7 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
allow $1 xserver_t:process siginh;
allow $1 xserver_t:process siginh;
domtrans_pattern($1, xserver_exec_t, xserver_t)
allow xserver_t $1:process getpgid;
@ -1312,7 +1311,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
## virtual core keyboard and virtual core pointer devices.
## virtual core keyboard and virtual core pointer devices.
## </summary>
## <param name="domain">
## <summary>
@ -1322,13 +1321,12 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
type xserver_t;
type xserver_t, root_xdrawable_t;
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
class x_screen all_x_screen_perms;
class x_drawable { manage };
type root_xdrawable_t;
attribute x_domain;
class x_drawable { read manage setattr show };
class x_resource { write read };
@ -1356,8 +1354,7 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
attribute x_domain;
attribute xserver_unconfined_type;
attribute x_domain, xserver_unconfined_type;
')
typeattribute $1 x_domain;
@ -1376,8 +1373,7 @@ interface(`xserver_unconfined',`
#
interface(`xserver_dontaudit_append_xdm_home_files',`
gen_require(`
type xdm_home_t;
type xserver_tmp_t;
type xdm_home_t, xserver_tmp_t;
')
dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
@ -1404,8 +1400,7 @@ interface(`xserver_dontaudit_append_xdm_home_files',`
#
interface(`xserver_append_xdm_home_files',`
gen_require(`
type xdm_home_t;
type xserver_tmp_t;
type xdm_home_t, xserver_tmp_t;
')
allow $1 xdm_home_t:file append_file_perms;
@ -1566,12 +1561,10 @@ template(`xserver_read_user_iceauth',`
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`xserver_rw_inherited_user_fonts',`
gen_require(`
type user_fonts_t;
type user_fonts_config_t;
type user_fonts_t, user_fonts_config_t;
')
allow $1 user_fonts_t:file rw_inherited_file_perms;
@ -1598,7 +1591,6 @@ interface(`xserver_search_xdm_lib',`
allow $1 xdm_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Make an X executable an entrypoint for the specified domain.
@ -1632,6 +1624,7 @@ interface(`xserver_entry_type',`
## The role to be allowed the xserver domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`xserver_run',`
gen_require(`
@ -1657,6 +1650,7 @@ interface(`xserver_run',`
## The role to be allowed the xserver domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`xserver_run_xauth',`
gen_require(`
@ -1679,8 +1673,7 @@ interface(`xserver_run_xauth',`
#
interface(`xserver_manage_home_fonts',`
gen_require(`
type user_fonts_t;
type user_fonts_config_t;
type user_fonts_t, user_fonts_config_t;
')
manage_dirs_pattern($1, user_fonts_t, user_fonts_t)

8
policy/modules/services/zabbix.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run zabbix.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`zabbix_domtrans',`
@ -44,9 +44,9 @@ interface(`zabbix_read_log',`
## zabbix log files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`zabbix_append_log',`

59
policy/modules/services/zarafa.if
View File

@ -1,30 +1,28 @@
## <summary>policy for zarafa services</summary>
######################################
## <summary>
## Creates types and rules for a basic
## zararfa init daemon domain.
## Creates types and rules for a basic
## zararfa init daemon domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`zarafa_domain_template',`
gen_require(`
attribute zarafa_domain;
')
##############################
#
# $1_t declarations
#
#
# $1_t declarations
#
type zarafa_$1_t, zarafa_domain;
type zarafa_$1_exec_t;
type zarafa_$1_exec_t;
init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
type zarafa_$1_log_t;
@ -34,28 +32,28 @@ template(`zarafa_domain_template',`
files_pid_file(zarafa_$1_var_run_t)
##############################
#
#
# $1_t local policy
#
#
manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
#stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t)
manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
#manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file })
')
')
########################################
## <summary>
## Execute a domain transition to run zarafa_server.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`zarafa_server_domtrans',`
@ -66,15 +64,14 @@ interface(`zarafa_server_domtrans',`
domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
')
########################################
## <summary>
## Execute a domain transition to run zarafa_deliver.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`zarafa_deliver_domtrans',`
@ -87,19 +84,19 @@ interface(`zarafa_deliver_domtrans',`
#######################################
## <summary>
## Connect to zarafa-server unix domain stream socket.
## Connect to zarafa-server unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`zarafa_stream_connect_server',`
gen_require(`
type zarafa_server_t, zarafa_server_var_run_t;
')
gen_require(`
type zarafa_server_t, zarafa_server_var_run_t;
')
stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
files_search_var_lib($1)
stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
')

3
policy/modules/services/zebra.if
View File

@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
')
files_search_pids($1)
allow $1 zebra_var_run_t:sock_file write;
allow $1 zebra_t:unix_stream_socket connectto;
stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
')
########################################

4
policy/modules/services/zosremote.if
View File

@ -5,9 +5,9 @@
## Execute a domain transition to run audispd-zos-remote.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`zosremote_domtrans',`