Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy

This commit is contained in:
Dan Walsh 2010-09-16 06:38:13 -04:00
commit a55bb56954
30 changed files with 223 additions and 259 deletions

View File

@ -131,6 +131,7 @@ interface(`samba_run_net',`
## The role to be allowed the samba_net domain.
## </summary>
## </param>
## <rolecap/>
#
template(`samba_role_notrans',`
gen_require(`
@ -490,8 +491,7 @@ interface(`samba_manage_var_files',`
#
interface(`samba_domtrans_smbcontrol',`
gen_require(`
type smbcontrol_t;
type smbcontrol_exec_t;
type smbcontrol_t, smbcontrol_exec_t;
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
@ -721,7 +721,9 @@ interface(`samba_stream_connect_winbind',`
template(`samba_helper_template',`
gen_require(`
type smbd_t;
role system_r;
')
#This type is for samba helper scripts
type samba_$1_script_t;
domain_type(samba_$1_script_t)
@ -734,7 +736,6 @@ template(`samba_helper_template',`
domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
allow smbd_t samba_$1_script_exec_t:file ioctl;
')
########################################
@ -756,20 +757,12 @@ template(`samba_helper_template',`
#
interface(`samba_admin',`
gen_require(`
type nmbd_t, nmbd_var_run_t;
type smbd_t, smbd_tmp_t;
type smbd_var_run_t;
type samba_initrc_exec_t;
type samba_log_t, samba_var_t;
type samba_etc_t, samba_share_t;
type samba_secrets_t;
type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
type smbd_t, smbd_tmp_t, samba_secrets_t;
type samba_initrc_exec_t, samba_log_t, samba_var_t;
type samba_etc_t, samba_share_t, winbind_log_t;
type swat_var_run_t, swat_tmp_t;
type winbind_var_run_t, winbind_tmp_t;
type winbind_log_t;
type samba_unconfined_script_t, samba_unconfined_script_exec_t;
')
@ -779,8 +772,8 @@ interface(`samba_admin',`
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
ps_process_pattern($1, samba_unconfined_script_t)
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)

View File

@ -42,7 +42,7 @@ interface(`sasl_admin',`
type saslauthd_initrc_exec_t;
')
allow $1 saslauthd_t:process { ptrace signal_perms getattr };
allow $1 saslauthd_t:process { ptrace signal_perms };
ps_process_pattern($1, saslauthd_t)
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)

View File

@ -51,10 +51,6 @@ interface(`sendmail_domtrans',`
')
mta_sendmail_domtrans($1, sendmail_t)
allow sendmail_t $1:fd use;
allow sendmail_t $1:fifo_file rw_file_perms;
allow sendmail_t $1:process sigchld;
')
#######################################
@ -67,7 +63,7 @@ interface(`sendmail_domtrans',`
## </summary>
## </param>
#
interface(`sendmail_initrc_domtrans', `
interface(`sendmail_initrc_domtrans',`
gen_require(`
type sendmail_initrc_exec_t;
')
@ -170,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
type sendmail_t;
')
allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
')
########################################
@ -189,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
type sendmail_t;
')
dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
')
########################################
@ -338,11 +334,11 @@ interface(`sendmail_admin',`
type mail_spool_t;
')
allow $1 sendmail_t:process { ptrace signal_perms getattr };
read_files_pattern($1, sendmail_t, sendmail_t)
allow $1 sendmail_t:process { ptrace signal_perms };
ps_process_pattern($1, sendmail_t)
allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
ps_process_pattern($1, unconfined_sendmail_t)
sendmail_initrc_domtrans($1)
domain_system_change_exemption($1)

View File

@ -109,7 +109,7 @@ interface(`setroubleshoot_dbus_chat_fixit',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain to not audit.
## </summary>
## </param>
#

View File

@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
type fsdaemon_tmp_t;
')
files_search_tmp($1)
allow $1 fsdaemon_tmp_t:file read_file_perms;
')
@ -41,7 +42,7 @@ interface(`smartmon_admin',`
type fsdaemon_initrc_exec_t;
')
allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
allow $1 fsdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fsdaemon_t)
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)

View File

@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
type snmpd_var_lib_t;
')
files_search_var_lib($1)
allow $1 snmpd_var_lib_t:dir list_dir_perms;
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
@ -81,9 +82,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
gen_require(`
type snmpd_var_lib_t;
')
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
dontaudit $1 snmpd_var_lib_t:file read_file_perms;
dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
@ -128,7 +130,7 @@ interface(`snmp_admin',`
type snmpd_initrc_exec_t;
')
allow $1 snmpd_t:process { ptrace signal_perms getattr };
allow $1 snmpd_t:process { ptrace signal_perms };
ps_process_pattern($1, snmpd_t)
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)

View File

@ -14,6 +14,7 @@
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
interface(`spamassassin_role',`
gen_require(`
@ -25,9 +26,13 @@ interface(`spamassassin_role',`
role $1 types { spamc_t spamassassin_t };
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
allow $2 spamassassin_t:process { ptrace signal_perms };
ps_process_pattern($2, spamassassin_t)
domtrans_pattern($2, spamc_exec_t, spamc_t)
allow $2 spamc_t:process { ptrace signal_perms };
ps_process_pattern($2, spamc_t)
manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
')
can_exec($1, spamassassin_exec_t)
')
########################################
@ -147,6 +151,7 @@ interface(`spamassassin_manage_home_client',`
type spamc_home_t;
')
userdom_search_user_home_dirs($1)
manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
manage_files_pattern($1, spamc_home_t, spamc_home_t)
manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
@ -245,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
type spamd_tmp_t;
')
files_search_tmp($1)
allow $1 spamd_tmp_t:file read_file_perms;
')
@ -264,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
type spamd_tmp_t;
')
dontaudit $1 spamd_tmp_t:sock_file getattr;
dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
')
########################################
@ -279,9 +285,10 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
#
interface(`spamd_stream_connect',`
gen_require(`
type spamd_t, spamd_var_run_t, spamd_spool_t;
type spamd_t, spamd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
')

View File

@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
type squid_t;
')
allow $1 squid_t:unix_stream_socket { getattr read write };
allow $1 squid_t:unix_stream_socket rw_socket_perms;
')
########################################
@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
## Domain to not audit.
## </summary>
## </param>
## <rolecap/>
#
interface(`squid_dontaudit_search_cache',`
gen_require(`

View File

@ -32,7 +32,6 @@
## </param>
#
template(`ssh_basic_client_template',`
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
@ -167,7 +166,7 @@ template(`ssh_basic_client_template',`
## </summary>
## </param>
#
template(`ssh_server_template', `
template(`ssh_server_template',`
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
@ -189,7 +188,7 @@ template(`ssh_server_template', `
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:shm create_shm_perms;
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
term_create_pty($1_t, $1_devpts_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@ -248,7 +247,6 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
userdom_dontaudit_relabelfrom_user_ptys($1_t)
userdom_search_user_home_dirs($1_t)
userdom_read_user_home_content_files($1_t)
# Allow checking users mail at login
@ -302,11 +300,11 @@ template(`ssh_server_template', `
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
template(`ssh_role_template',`
gen_require(`
attribute ssh_server, ssh_agent_type;
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
@ -339,7 +337,7 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
allow $3 ssh_t:process signal;
allow $3 ssh_t:process { ptrace signal_perms };
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
@ -372,7 +370,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
allow $3 $1_ssh_agent_t:process signal;
allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
@ -394,7 +392,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
files_search_home($1_ssh_agent_t)
libs_read_lib_files($1_ssh_agent_t)
@ -411,9 +408,6 @@ template(`ssh_role_template',`
# for the transition back to normal privs upon exec
userdom_search_user_home_content($1_ssh_agent_t)
userdom_user_home_domtrans($1_ssh_agent_t, $3)
allow $3 $1_ssh_agent_t:fd use;
allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
allow $3 $1_ssh_agent_t:process sigchld;
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
@ -490,8 +484,9 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
allow $1 sshd_t:fifo_file { getattr read };
allow $1 sshd_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
@ -507,7 +502,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
allow $1 sshd_t:fifo_file { write read getattr ioctl };
allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@ -597,7 +592,6 @@ interface(`ssh_domtrans',`
domtrans_pattern($1, sshd_exec_t, sshd_t)
')
########################################
## <summary>
## Execute sshd server in the sshd domain.
@ -650,7 +644,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
allow $1 sshd_key_t:file setattr;
allow $1 sshd_key_t:file setattr_file_perms;
files_search_pids($1)
')
@ -727,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
dontaudit $1 sshd_key_t:file { getattr read };
dontaudit $1 sshd_key_t:file read_file_perms;
')
######################################
@ -785,4 +779,3 @@ interface(`ssh_signull',`
allow $1 sshd_t:process signull;
')

View File

@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
type sssd_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
')
@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
')
dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/>
#
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t;
type sssd_initrc_exec_t;
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
')
allow $1 sssd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, sssd_t, sssd_t)
allow $1 sssd_t:process { ptrace signal_perms };
ps_process_pattern($1, sssd_t)
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)

View File

@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
type stunnel_t;
')
domtrans_pattern(stunnel_t,$2,$1)
domtrans_pattern(stunnel_t, $2, $1)
allow $1 stunnel_t:tcp_socket rw_socket_perms;
')

View File

@ -105,9 +105,10 @@ interface(`tftp_admin',`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
')
allow $1 tftpd_t:process { ptrace signal_perms getattr };
allow $1 tftpd_t:process { ptrace signal_perms };
ps_process_pattern($1, tftpd_t)
files_list_var_lib($1)
admin_pattern($1, tftpdir_rw_t)
admin_pattern($1, tftpdir_t)

View File

@ -42,7 +42,7 @@ interface(`tor_admin',`
type tor_initrc_exec_t;
')
allow $1 tor_t:process { ptrace signal_perms getattr };
allow $1 tor_t:process { ptrace signal_perms };
ps_process_pattern($1, tor_t)
init_labeled_script_domtrans($1, tor_initrc_exec_t)

View File

@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
#
interface(`tuned_admin',`
gen_require(`
type tuned_t, tuned_var_run_t;
type tuned_initrc_exec_t;
type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
')
allow $1 tuned_t:process { ptrace signal_perms };

View File

@ -20,7 +20,7 @@
## </summary>
## </param>
#
interface(`ucspitcp_service_domain', `
interface(`ucspitcp_service_domain',`
gen_require(`
type ucspitcp_t;
role system_r;
@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
role system_r types $1;
domain_auto_trans(ucspitcp_t, $2, $1)
allow $1 ucspitcp_t:fd use;
allow $1 ucspitcp_t:process sigchld;
allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
domtrans_pattern(ucspitcp_t, $2, $1)
')

View File

@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
#
interface(`ulogd_admin',`
gen_require(`
type ulogd_t, ulogd_etc_t;
type ulogd_t, ulogd_etc_t, ulogd_modules_t;
type ulogd_var_log_t, ulogd_initrc_exec_t;
type ulogd_modules_t;
')
allow $1 ulogd_t:process { ptrace signal_perms };

View File

@ -99,7 +99,7 @@ interface(`uucp_admin',`
type uucpd_var_run_t;
')
allow $1 uucpd_t:process { ptrace signal_perms getattr };
allow $1 uucpd_t:process { ptrace signal_perms };
ps_process_pattern($1, uucpd_t)
logging_list_logs($1)

View File

@ -151,9 +151,8 @@ interface(`varnishd_manage_log',`
#
interface(`varnishd_admin_varnishlog',`
gen_require(`
type varnishlog_t;
type varnishlog_t, varnishlog_initrc_exec_t;
type varnishlog_var_run_t, varnishlog_log_t;
type varnishlog_initrc_exec_t;
')
allow $1 varnishlog_t:process { ptrace signal_perms };
@ -169,7 +168,6 @@ interface(`varnishd_admin_varnishlog',`
logging_list_logs($1)
admin_pattern($1, varnishlog_log_t)
')
#######################################
@ -215,5 +213,4 @@ interface(`varnishd_admin',`
files_search_tmp($1)
admin_pattern($1, varnishd_tmp_t)
')

View File

@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
')
allow $1 vhostmd_tmpfs_t:file read_file_perms;
files_search_tmp($1)
fs_search_tmpfs($1)
')
########################################
@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
')
rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
files_search_tmp($1)
fs_search_tmpfs($1)
')
########################################
@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
')
manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
files_search_tmp($1)
fs_search_tmpfs($1)
')
########################################
@ -146,6 +146,7 @@ interface(`vhostmd_manage_pid_files',`
type vhostmd_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
')
@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
vhostmd_manage_tmpfs_files($1)
vhostmd_manage_pid_files($1)
')

View File

@ -14,8 +14,7 @@
template(`virt_domain_template',`
gen_require(`
type virtd_t;
attribute virt_image_type;
attribute virt_domain;
attribute virt_image_type, virt_domain;
')
type $1_t, virt_domain;
@ -38,7 +37,7 @@ template(`virt_domain_template',`
dev_node($1_image_t)
dev_associate_sysfs($1_image_t)
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1_t, $1_devpts_t)
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
@ -154,8 +153,7 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
type virt_etc_t;
type virt_etc_rw_t;
type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
@ -176,8 +174,7 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
type virt_etc_t;
type virt_etc_rw_t;
type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
@ -227,7 +224,7 @@ interface(`virt_read_content',`
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## Domain allowed access.
## </summary>
## </param>
#
@ -578,6 +575,7 @@ interface(`virt_admin',`
## The role to be allowed the sandbox domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`virt_transition_svirt',`
gen_require(`
@ -609,4 +607,3 @@ interface(`virt_dontaudit_write_pipes',`
dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')

View File

@ -1,4 +1,4 @@
## <summary>X Windows Font Server </summary>
## <summary>X Windows Font Server</summary>
########################################
## <summary>

View File

@ -59,10 +59,6 @@ interface(`xserver_restricted_role',`
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
ifdef(`hide_broken_symptoms', `
dontaudit iceauth_t $2:socket_class_set { read write };
')
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
@ -77,11 +73,11 @@ ifdef(`hide_broken_symptoms', `
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
allow $2 xdm_tmp_t:dir search_dir_perms;
allow $2 xdm_tmp_t:sock_file { read write };
allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
dontaudit $2 xdm_t:tcp_socket { read write };
dontaudit $2 xdm_tmp_t:dir setattr;
dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
allow $2 xdm_t:dbus send_msg;
allow xdm_t $2:dbus send_msg;
@ -91,7 +87,7 @@ ifdef(`hide_broken_symptoms', `
allow $2 xserver_tmpfs_t:file read_file_perms;
# Read /tmp/.X0-lock
allow $2 xserver_tmp_t:file { getattr read };
allow $2 xserver_tmp_t:file read_inherited_file_perms;
dev_rw_xserver_misc($2)
dev_rw_power_management($2)
@ -100,9 +96,6 @@ ifdef(`hide_broken_symptoms', `
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
')
# GNOME checks for usb and other devices:
dev_rw_usbfs($2)
@ -121,11 +114,19 @@ ifdef(`hide_broken_symptoms', `
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
ifdef(`hide_broken_symptoms',`
dontaudit iceauth_t $2:socket_class_set { read write };
')
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
')
')
########################################
@ -157,10 +158,10 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
allow $2 iceauth_home_t:file { relabelfrom relabelto };
allow $2 iceauth_home_t:file relabel_file_perms;
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
allow $2 xauth_home_t:file relabel_file_perms;
mls_xwin_read_to_clearance($2)
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
@ -178,7 +179,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
')
#######################################
@ -363,9 +363,8 @@ template(`xserver_common_x_domain_template',`
type xevent_t, client_xevent_t;
type input_xevent_t, $1_input_xevent_t;
attribute x_domain;
attribute x_domain, input_xevent_type;
attribute xdrawable_type, xcolormap_type;
attribute input_xevent_type;
class x_drawable all_x_drawable_perms;
class x_property all_x_property_perms;
@ -489,9 +488,9 @@ template(`xserver_user_x_domain_template',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
allow $2 xdm_tmp_t:dir search_dir_perms;
allow $2 xdm_tmp_t:sock_file { read write };
allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
@ -503,7 +502,7 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
xserver_ro_session($2,$3)
xserver_ro_session($2, $3)
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@ -511,17 +510,17 @@ template(`xserver_user_x_domain_template',`
# X object manager
xserver_object_types_template($1)
xserver_common_x_domain_template($1,$2)
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
')
xserver_common_x_domain_template($1, $2)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
')
')
########################################
@ -582,7 +581,8 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
ifdef(`hide_broken_symptoms', `
ifdef(`hide_broken_symptoms',`
dontaudit xauth_t $1:socket_class_set { read write };
')
')
@ -674,7 +674,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
allow $1 xconsole_device_t:fifo_file setattr;
allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
')
########################################
@ -747,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
allow $1 xdm_t:fifo_file { getattr read write };
allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@ -762,7 +762,6 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
gen_require(`
type xdm_t;
')
@ -783,11 +782,11 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
type xdm_t, xdm_tmp_t;
type xdm_var_run_t;
type xdm_t, xdm_tmp_t, xdm_var_run_t;
')
files_search_tmp($1)
files_search_pids($1)
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
')
@ -826,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
allow $1 xdm_tmp_t:dir setattr;
allow $1 xdm_tmp_t:dir setattr_dir_perms;
')
########################################
@ -958,7 +957,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
allow $1 xserver_log_t:file getattr;
allow $1 xserver_log_t:file getattr_file_perms;
')
########################################
@ -1151,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
dontaudit $1 xdm_tmp_t:sock_file getattr;
dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
')
########################################
@ -1322,13 +1321,12 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
type xserver_t;
type xserver_t, root_xdrawable_t;
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
class x_screen all_x_screen_perms;
class x_drawable { manage };
type root_xdrawable_t;
attribute x_domain;
class x_drawable { read manage setattr show };
class x_resource { write read };
@ -1356,8 +1354,7 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
attribute x_domain;
attribute xserver_unconfined_type;
attribute x_domain, xserver_unconfined_type;
')
typeattribute $1 x_domain;
@ -1376,8 +1373,7 @@ interface(`xserver_unconfined',`
#
interface(`xserver_dontaudit_append_xdm_home_files',`
gen_require(`
type xdm_home_t;
type xserver_tmp_t;
type xdm_home_t, xserver_tmp_t;
')
dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
@ -1404,8 +1400,7 @@ interface(`xserver_dontaudit_append_xdm_home_files',`
#
interface(`xserver_append_xdm_home_files',`
gen_require(`
type xdm_home_t;
type xserver_tmp_t;
type xdm_home_t, xserver_tmp_t;
')
allow $1 xdm_home_t:file append_file_perms;
@ -1566,12 +1561,10 @@ template(`xserver_read_user_iceauth',`
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`xserver_rw_inherited_user_fonts',`
gen_require(`
type user_fonts_t;
type user_fonts_config_t;
type user_fonts_t, user_fonts_config_t;
')
allow $1 user_fonts_t:file rw_inherited_file_perms;
@ -1598,7 +1591,6 @@ interface(`xserver_search_xdm_lib',`
allow $1 xdm_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Make an X executable an entrypoint for the specified domain.
@ -1632,6 +1624,7 @@ interface(`xserver_entry_type',`
## The role to be allowed the xserver domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`xserver_run',`
gen_require(`
@ -1657,6 +1650,7 @@ interface(`xserver_run',`
## The role to be allowed the xserver domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`xserver_run_xauth',`
gen_require(`
@ -1679,8 +1673,7 @@ interface(`xserver_run_xauth',`
#
interface(`xserver_manage_home_fonts',`
gen_require(`
type user_fonts_t;
type user_fonts_config_t;
type user_fonts_t, user_fonts_config_t;
')
manage_dirs_pattern($1, user_fonts_t, user_fonts_t)

View File

@ -1,4 +1,3 @@
## <summary>policy for zarafa services</summary>
######################################
@ -13,7 +12,6 @@
## </param>
#
template(`zarafa_domain_template',`
gen_require(`
attribute zarafa_domain;
')
@ -66,7 +64,6 @@ interface(`zarafa_server_domtrans',`
domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
')
########################################
## <summary>
## Execute a domain transition to run zarafa_deliver.
@ -94,12 +91,12 @@ interface(`zarafa_deliver_domtrans',`
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`zarafa_stream_connect_server',`
gen_require(`
type zarafa_server_t, zarafa_server_var_run_t;
')
files_search_var_lib($1)
stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
')

View File

@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
')
files_search_pids($1)
allow $1 zebra_var_run_t:sock_file write;
allow $1 zebra_t:unix_stream_socket connectto;
stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
')
########################################