Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
This commit is contained in:
commit
a55bb56954
@ -131,6 +131,7 @@ interface(`samba_run_net',`
|
||||
## The role to be allowed the samba_net domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
template(`samba_role_notrans',`
|
||||
gen_require(`
|
||||
@ -490,8 +491,7 @@ interface(`samba_manage_var_files',`
|
||||
#
|
||||
interface(`samba_domtrans_smbcontrol',`
|
||||
gen_require(`
|
||||
type smbcontrol_t;
|
||||
type smbcontrol_exec_t;
|
||||
type smbcontrol_t, smbcontrol_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
|
||||
@ -721,7 +721,9 @@ interface(`samba_stream_connect_winbind',`
|
||||
template(`samba_helper_template',`
|
||||
gen_require(`
|
||||
type smbd_t;
|
||||
role system_r;
|
||||
')
|
||||
|
||||
#This type is for samba helper scripts
|
||||
type samba_$1_script_t;
|
||||
domain_type(samba_$1_script_t)
|
||||
@ -734,7 +736,6 @@ template(`samba_helper_template',`
|
||||
|
||||
domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
|
||||
allow smbd_t samba_$1_script_exec_t:file ioctl;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -756,20 +757,12 @@ template(`samba_helper_template',`
|
||||
#
|
||||
interface(`samba_admin',`
|
||||
gen_require(`
|
||||
type nmbd_t, nmbd_var_run_t;
|
||||
type smbd_t, smbd_tmp_t;
|
||||
type smbd_var_run_t;
|
||||
type samba_initrc_exec_t;
|
||||
|
||||
type samba_log_t, samba_var_t;
|
||||
type samba_etc_t, samba_share_t;
|
||||
type samba_secrets_t;
|
||||
|
||||
type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
|
||||
type smbd_t, smbd_tmp_t, samba_secrets_t;
|
||||
type samba_initrc_exec_t, samba_log_t, samba_var_t;
|
||||
type samba_etc_t, samba_share_t, winbind_log_t;
|
||||
type swat_var_run_t, swat_tmp_t;
|
||||
|
||||
type winbind_var_run_t, winbind_tmp_t;
|
||||
type winbind_log_t;
|
||||
|
||||
type samba_unconfined_script_t, samba_unconfined_script_exec_t;
|
||||
')
|
||||
|
||||
@ -779,8 +772,8 @@ interface(`samba_admin',`
|
||||
allow $1 nmbd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, nmbd_t)
|
||||
|
||||
allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
|
||||
allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, samba_unconfined_script_t)
|
||||
|
||||
samba_run_smbcontrol($1, $2, $3)
|
||||
samba_run_winbind_helper($1, $2, $3)
|
||||
|
@ -42,7 +42,7 @@ interface(`sasl_admin',`
|
||||
type saslauthd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 saslauthd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 saslauthd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, saslauthd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
|
||||
|
@ -51,10 +51,6 @@ interface(`sendmail_domtrans',`
|
||||
')
|
||||
|
||||
mta_sendmail_domtrans($1, sendmail_t)
|
||||
|
||||
allow sendmail_t $1:fd use;
|
||||
allow sendmail_t $1:fifo_file rw_file_perms;
|
||||
allow sendmail_t $1:process sigchld;
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -67,7 +63,7 @@ interface(`sendmail_domtrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sendmail_initrc_domtrans', `
|
||||
interface(`sendmail_initrc_domtrans',`
|
||||
gen_require(`
|
||||
type sendmail_initrc_exec_t;
|
||||
')
|
||||
@ -170,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
|
||||
type sendmail_t;
|
||||
')
|
||||
|
||||
allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
|
||||
allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -189,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
|
||||
type sendmail_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
|
||||
dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -338,11 +334,11 @@ interface(`sendmail_admin',`
|
||||
type mail_spool_t;
|
||||
')
|
||||
|
||||
allow $1 sendmail_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, sendmail_t, sendmail_t)
|
||||
allow $1 sendmail_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, sendmail_t)
|
||||
|
||||
allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
|
||||
allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, unconfined_sendmail_t)
|
||||
|
||||
sendmail_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
|
@ -109,7 +109,7 @@ interface(`setroubleshoot_dbus_chat_fixit',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
|
||||
type fsdaemon_tmp_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
allow $1 fsdaemon_tmp_t:file read_file_perms;
|
||||
')
|
||||
|
||||
@ -41,7 +42,7 @@ interface(`smartmon_admin',`
|
||||
type fsdaemon_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
|
||||
allow $1 fsdaemon_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, fsdaemon_t)
|
||||
|
||||
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
|
||||
|
@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
|
||||
type snmpd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 snmpd_var_lib_t:dir list_dir_perms;
|
||||
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
||||
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
||||
@ -81,9 +82,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
|
||||
gen_require(`
|
||||
type snmpd_var_lib_t;
|
||||
')
|
||||
|
||||
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
|
||||
dontaudit $1 snmpd_var_lib_t:file read_file_perms;
|
||||
dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
|
||||
dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -128,7 +130,7 @@ interface(`snmp_admin',`
|
||||
type snmpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 snmpd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 snmpd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, snmpd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
|
||||
|
@ -14,6 +14,7 @@
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`spamassassin_role',`
|
||||
gen_require(`
|
||||
@ -25,9 +26,13 @@ interface(`spamassassin_role',`
|
||||
role $1 types { spamc_t spamassassin_t };
|
||||
|
||||
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
|
||||
|
||||
allow $2 spamassassin_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($2, spamassassin_t)
|
||||
|
||||
domtrans_pattern($2, spamc_exec_t, spamc_t)
|
||||
|
||||
allow $2 spamc_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($2, spamc_t)
|
||||
|
||||
manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
|
||||
@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
|
||||
')
|
||||
|
||||
can_exec($1, spamassassin_exec_t)
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -147,6 +151,7 @@ interface(`spamassassin_manage_home_client',`
|
||||
type spamc_home_t;
|
||||
')
|
||||
|
||||
userdom_search_user_home_dirs($1)
|
||||
manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
|
||||
manage_files_pattern($1, spamc_home_t, spamc_home_t)
|
||||
manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
|
||||
@ -245,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
|
||||
type spamd_tmp_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
allow $1 spamd_tmp_t:file read_file_perms;
|
||||
')
|
||||
|
||||
@ -264,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
|
||||
type spamd_tmp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 spamd_tmp_t:sock_file getattr;
|
||||
dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -279,9 +285,10 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
|
||||
#
|
||||
interface(`spamd_stream_connect',`
|
||||
gen_require(`
|
||||
type spamd_t, spamd_var_run_t, spamd_spool_t;
|
||||
type spamd_t, spamd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
|
||||
')
|
||||
|
||||
|
@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
|
||||
type squid_t;
|
||||
')
|
||||
|
||||
allow $1 squid_t:unix_stream_socket { getattr read write };
|
||||
allow $1 squid_t:unix_stream_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`squid_dontaudit_search_cache',`
|
||||
gen_require(`
|
||||
|
@ -32,7 +32,6 @@
|
||||
## </param>
|
||||
#
|
||||
template(`ssh_basic_client_template',`
|
||||
|
||||
gen_require(`
|
||||
attribute ssh_server;
|
||||
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
|
||||
@ -167,7 +166,7 @@ template(`ssh_basic_client_template',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`ssh_server_template', `
|
||||
template(`ssh_server_template',`
|
||||
type $1_t, ssh_server;
|
||||
auth_login_pgm_domain($1_t)
|
||||
|
||||
@ -189,7 +188,7 @@ template(`ssh_server_template', `
|
||||
allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_t self:shm create_shm_perms;
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
|
||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
|
||||
term_create_pty($1_t, $1_devpts_t)
|
||||
|
||||
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
||||
@ -248,7 +247,6 @@ template(`ssh_server_template', `
|
||||
miscfiles_read_localization($1_t)
|
||||
|
||||
userdom_dontaudit_relabelfrom_user_ptys($1_t)
|
||||
userdom_search_user_home_dirs($1_t)
|
||||
userdom_read_user_home_content_files($1_t)
|
||||
|
||||
# Allow checking users mail at login
|
||||
@ -302,11 +300,11 @@ template(`ssh_server_template', `
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
template(`ssh_role_template',`
|
||||
gen_require(`
|
||||
attribute ssh_server, ssh_agent_type;
|
||||
|
||||
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
|
||||
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
|
||||
type ssh_agent_tmp_t;
|
||||
@ -339,7 +337,7 @@ template(`ssh_role_template',`
|
||||
|
||||
# allow ps to show ssh
|
||||
ps_process_pattern($3, ssh_t)
|
||||
allow $3 ssh_t:process signal;
|
||||
allow $3 ssh_t:process { ptrace signal_perms };
|
||||
|
||||
# for rsync
|
||||
allow ssh_t $3:unix_stream_socket rw_socket_perms;
|
||||
@ -372,7 +370,7 @@ template(`ssh_role_template',`
|
||||
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
|
||||
|
||||
# Allow the user shell to signal the ssh program.
|
||||
allow $3 $1_ssh_agent_t:process signal;
|
||||
allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
|
||||
|
||||
# allow ps to show ssh
|
||||
ps_process_pattern($3, $1_ssh_agent_t)
|
||||
@ -394,7 +392,6 @@ template(`ssh_role_template',`
|
||||
|
||||
files_read_etc_files($1_ssh_agent_t)
|
||||
files_read_etc_runtime_files($1_ssh_agent_t)
|
||||
files_search_home($1_ssh_agent_t)
|
||||
|
||||
libs_read_lib_files($1_ssh_agent_t)
|
||||
|
||||
@ -411,9 +408,6 @@ template(`ssh_role_template',`
|
||||
# for the transition back to normal privs upon exec
|
||||
userdom_search_user_home_content($1_ssh_agent_t)
|
||||
userdom_user_home_domtrans($1_ssh_agent_t, $3)
|
||||
allow $3 $1_ssh_agent_t:fd use;
|
||||
allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
|
||||
allow $3 $1_ssh_agent_t:process sigchld;
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_ssh_agent_t)
|
||||
@ -490,8 +484,9 @@ interface(`ssh_read_pipes',`
|
||||
type sshd_t;
|
||||
')
|
||||
|
||||
allow $1 sshd_t:fifo_file { getattr read };
|
||||
allow $1 sshd_t:fifo_file read_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a ssh server unnamed pipe.
|
||||
@ -507,7 +502,7 @@ interface(`ssh_rw_pipes',`
|
||||
type sshd_t;
|
||||
')
|
||||
|
||||
allow $1 sshd_t:fifo_file { write read getattr ioctl };
|
||||
allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -597,7 +592,6 @@ interface(`ssh_domtrans',`
|
||||
domtrans_pattern($1, sshd_exec_t, sshd_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute sshd server in the sshd domain.
|
||||
@ -650,7 +644,7 @@ interface(`ssh_setattr_key_files',`
|
||||
type sshd_key_t;
|
||||
')
|
||||
|
||||
allow $1 sshd_key_t:file setattr;
|
||||
allow $1 sshd_key_t:file setattr_file_perms;
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
||||
@ -727,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',`
|
||||
type sshd_key_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sshd_key_t:file { getattr read };
|
||||
dontaudit $1 sshd_key_t:file read_file_perms;
|
||||
')
|
||||
|
||||
######################################
|
||||
@ -785,4 +779,3 @@ interface(`ssh_signull',`
|
||||
|
||||
allow $1 sshd_t:process signull;
|
||||
')
|
||||
|
||||
|
@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
|
||||
type sssd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
|
||||
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
|
||||
')
|
||||
@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
|
||||
')
|
||||
|
||||
dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
|
||||
## The role to be allowed to manage the sssd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`sssd_admin',`
|
||||
gen_require(`
|
||||
type sssd_t, sssd_public_t;
|
||||
type sssd_initrc_exec_t;
|
||||
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 sssd_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, sssd_t, sssd_t)
|
||||
allow $1 sssd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, sssd_t)
|
||||
|
||||
# Allow sssd_t to restart the apache service
|
||||
sssd_initrc_domtrans($1)
|
||||
|
@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
|
||||
type stunnel_t;
|
||||
')
|
||||
|
||||
domtrans_pattern(stunnel_t,$2,$1)
|
||||
domtrans_pattern(stunnel_t, $2, $1)
|
||||
allow $1 stunnel_t:tcp_socket rw_socket_perms;
|
||||
')
|
||||
|
@ -105,9 +105,10 @@ interface(`tftp_admin',`
|
||||
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 tftpd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 tftpd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, tftpd_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, tftpdir_rw_t)
|
||||
|
||||
admin_pattern($1, tftpdir_t)
|
||||
|
@ -42,7 +42,7 @@ interface(`tor_admin',`
|
||||
type tor_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 tor_t:process { ptrace signal_perms getattr };
|
||||
allow $1 tor_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, tor_t)
|
||||
|
||||
init_labeled_script_domtrans($1, tor_initrc_exec_t)
|
||||
|
@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
|
||||
#
|
||||
interface(`tuned_admin',`
|
||||
gen_require(`
|
||||
type tuned_t, tuned_var_run_t;
|
||||
type tuned_initrc_exec_t;
|
||||
type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 tuned_t:process { ptrace signal_perms };
|
||||
|
@ -20,7 +20,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ucspitcp_service_domain', `
|
||||
interface(`ucspitcp_service_domain',`
|
||||
gen_require(`
|
||||
type ucspitcp_t;
|
||||
role system_r;
|
||||
@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
|
||||
|
||||
role system_r types $1;
|
||||
|
||||
domain_auto_trans(ucspitcp_t, $2, $1)
|
||||
allow $1 ucspitcp_t:fd use;
|
||||
allow $1 ucspitcp_t:process sigchld;
|
||||
allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
|
||||
domtrans_pattern(ucspitcp_t, $2, $1)
|
||||
')
|
||||
|
@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
|
||||
#
|
||||
interface(`ulogd_admin',`
|
||||
gen_require(`
|
||||
type ulogd_t, ulogd_etc_t;
|
||||
type ulogd_t, ulogd_etc_t, ulogd_modules_t;
|
||||
type ulogd_var_log_t, ulogd_initrc_exec_t;
|
||||
type ulogd_modules_t;
|
||||
')
|
||||
|
||||
allow $1 ulogd_t:process { ptrace signal_perms };
|
||||
|
@ -99,7 +99,7 @@ interface(`uucp_admin',`
|
||||
type uucpd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 uucpd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 uucpd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, uucpd_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
|
@ -151,9 +151,8 @@ interface(`varnishd_manage_log',`
|
||||
#
|
||||
interface(`varnishd_admin_varnishlog',`
|
||||
gen_require(`
|
||||
type varnishlog_t;
|
||||
type varnishlog_t, varnishlog_initrc_exec_t;
|
||||
type varnishlog_var_run_t, varnishlog_log_t;
|
||||
type varnishlog_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 varnishlog_t:process { ptrace signal_perms };
|
||||
@ -169,7 +168,6 @@ interface(`varnishd_admin_varnishlog',`
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, varnishlog_log_t)
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -215,5 +213,4 @@ interface(`varnishd_admin',`
|
||||
|
||||
files_search_tmp($1)
|
||||
admin_pattern($1, varnishd_tmp_t)
|
||||
|
||||
')
|
||||
|
@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
|
||||
')
|
||||
|
||||
allow $1 vhostmd_tmpfs_t:file read_file_perms;
|
||||
files_search_tmp($1)
|
||||
fs_search_tmpfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
|
||||
')
|
||||
|
||||
rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
|
||||
files_search_tmp($1)
|
||||
fs_search_tmpfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
|
||||
')
|
||||
|
||||
manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
|
||||
files_search_tmp($1)
|
||||
fs_search_tmpfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -146,6 +146,7 @@ interface(`vhostmd_manage_pid_files',`
|
||||
type vhostmd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
|
||||
')
|
||||
|
||||
@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
|
||||
vhostmd_manage_tmpfs_files($1)
|
||||
|
||||
vhostmd_manage_pid_files($1)
|
||||
|
||||
')
|
||||
|
@ -14,8 +14,7 @@
|
||||
template(`virt_domain_template',`
|
||||
gen_require(`
|
||||
type virtd_t;
|
||||
attribute virt_image_type;
|
||||
attribute virt_domain;
|
||||
attribute virt_image_type, virt_domain;
|
||||
')
|
||||
|
||||
type $1_t, virt_domain;
|
||||
@ -38,7 +37,7 @@ template(`virt_domain_template',`
|
||||
dev_node($1_image_t)
|
||||
dev_associate_sysfs($1_image_t)
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
term_create_pty($1_t, $1_devpts_t)
|
||||
|
||||
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
|
||||
@ -154,8 +153,7 @@ interface(`virt_attach_tun_iface',`
|
||||
#
|
||||
interface(`virt_read_config',`
|
||||
gen_require(`
|
||||
type virt_etc_t;
|
||||
type virt_etc_rw_t;
|
||||
type virt_etc_t, virt_etc_rw_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -176,8 +174,7 @@ interface(`virt_read_config',`
|
||||
#
|
||||
interface(`virt_manage_config',`
|
||||
gen_require(`
|
||||
type virt_etc_t;
|
||||
type virt_etc_rw_t;
|
||||
type virt_etc_t, virt_etc_rw_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -227,7 +224,7 @@ interface(`virt_read_content',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -578,6 +575,7 @@ interface(`virt_admin',`
|
||||
## The role to be allowed the sandbox domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`virt_transition_svirt',`
|
||||
gen_require(`
|
||||
@ -609,4 +607,3 @@ interface(`virt_dontaudit_write_pipes',`
|
||||
|
||||
dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
|
||||
')
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
## <summary>X Windows Font Server </summary>
|
||||
## <summary>X Windows Font Server</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
@ -59,10 +59,6 @@ interface(`xserver_restricted_role',`
|
||||
|
||||
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit iceauth_t $2:socket_class_set { read write };
|
||||
')
|
||||
|
||||
allow $2 iceauth_home_t:file read_file_perms;
|
||||
|
||||
domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||
@ -77,11 +73,11 @@ ifdef(`hide_broken_symptoms', `
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
allow $2 xdm_t:fifo_file { getattr read write ioctl };
|
||||
allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
allow $2 xdm_tmp_t:dir search_dir_perms;
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
dontaudit $2 xdm_tmp_t:dir setattr;
|
||||
dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
|
||||
|
||||
allow $2 xdm_t:dbus send_msg;
|
||||
allow xdm_t $2:dbus send_msg;
|
||||
@ -91,7 +87,7 @@ ifdef(`hide_broken_symptoms', `
|
||||
allow $2 xserver_tmpfs_t:file read_file_perms;
|
||||
|
||||
# Read /tmp/.X0-lock
|
||||
allow $2 xserver_tmp_t:file { getattr read };
|
||||
allow $2 xserver_tmp_t:file read_inherited_file_perms;
|
||||
|
||||
dev_rw_xserver_misc($2)
|
||||
dev_rw_power_management($2)
|
||||
@ -100,9 +96,6 @@ ifdef(`hide_broken_symptoms', `
|
||||
dev_write_misc($2)
|
||||
# open office is looking for the following
|
||||
dev_getattr_agp_dev($2)
|
||||
tunable_policy(`user_direct_dri',`
|
||||
dev_rw_dri($2)
|
||||
')
|
||||
|
||||
# GNOME checks for usb and other devices:
|
||||
dev_rw_usbfs($2)
|
||||
@ -121,11 +114,19 @@ ifdef(`hide_broken_symptoms', `
|
||||
# Needed for escd, remove if we get escd policy
|
||||
xserver_manage_xdm_tmp_files($2)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit iceauth_t $2:socket_class_set { read write };
|
||||
')
|
||||
|
||||
# Client write xserver shm
|
||||
tunable_policy(`allow_write_xshm',`
|
||||
allow $2 xserver_t:shm rw_shm_perms;
|
||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`user_direct_dri',`
|
||||
dev_rw_dri($2)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -157,10 +158,10 @@ interface(`xserver_role',`
|
||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||
|
||||
allow $2 iceauth_home_t:file manage_file_perms;
|
||||
allow $2 iceauth_home_t:file { relabelfrom relabelto };
|
||||
allow $2 iceauth_home_t:file relabel_file_perms;
|
||||
|
||||
allow $2 xauth_home_t:file manage_file_perms;
|
||||
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||
allow $2 xauth_home_t:file relabel_file_perms;
|
||||
|
||||
mls_xwin_read_to_clearance($2)
|
||||
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
||||
@ -178,7 +179,6 @@ interface(`xserver_role',`
|
||||
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -363,9 +363,8 @@ template(`xserver_common_x_domain_template',`
|
||||
type xevent_t, client_xevent_t;
|
||||
type input_xevent_t, $1_input_xevent_t;
|
||||
|
||||
attribute x_domain;
|
||||
attribute x_domain, input_xevent_type;
|
||||
attribute xdrawable_type, xcolormap_type;
|
||||
attribute input_xevent_type;
|
||||
|
||||
class x_drawable all_x_drawable_perms;
|
||||
class x_property all_x_property_perms;
|
||||
@ -489,9 +488,9 @@ template(`xserver_user_x_domain_template',`
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
allow $2 xdm_t:fifo_file { getattr read write ioctl };
|
||||
allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
allow $2 xdm_tmp_t:dir search_dir_perms;
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
|
||||
# Allow connections to X server.
|
||||
@ -503,7 +502,7 @@ template(`xserver_user_x_domain_template',`
|
||||
# for .xsession-errors
|
||||
userdom_dontaudit_write_user_home_content_files($2)
|
||||
|
||||
xserver_ro_session($2,$3)
|
||||
xserver_ro_session($2, $3)
|
||||
xserver_use_user_fonts($2)
|
||||
|
||||
xserver_read_xdm_tmp_files($2)
|
||||
@ -511,17 +510,17 @@ template(`xserver_user_x_domain_template',`
|
||||
|
||||
# X object manager
|
||||
xserver_object_types_template($1)
|
||||
xserver_common_x_domain_template($1,$2)
|
||||
|
||||
tunable_policy(`user_direct_dri',`
|
||||
dev_rw_dri($2)
|
||||
')
|
||||
xserver_common_x_domain_template($1, $2)
|
||||
|
||||
# Client write xserver shm
|
||||
tunable_policy(`allow_write_xshm',`
|
||||
allow $2 xserver_t:shm rw_shm_perms;
|
||||
allow $2 xserver_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`user_direct_dri',`
|
||||
dev_rw_dri($2)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -582,7 +581,8 @@ interface(`xserver_domtrans_xauth',`
|
||||
')
|
||||
|
||||
domtrans_pattern($1, xauth_exec_t, xauth_t)
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit xauth_t $1:socket_class_set { read write };
|
||||
')
|
||||
')
|
||||
@ -674,7 +674,7 @@ interface(`xserver_setattr_console_pipes',`
|
||||
type xconsole_device_t;
|
||||
')
|
||||
|
||||
allow $1 xconsole_device_t:fifo_file setattr;
|
||||
allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -747,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',`
|
||||
type xdm_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_t:fifo_file { getattr read write };
|
||||
allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -762,7 +762,6 @@ interface(`xserver_rw_xdm_pipes',`
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_dontaudit_rw_xdm_pipes',`
|
||||
|
||||
gen_require(`
|
||||
type xdm_t;
|
||||
')
|
||||
@ -783,11 +782,11 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
|
||||
#
|
||||
interface(`xserver_stream_connect_xdm',`
|
||||
gen_require(`
|
||||
type xdm_t, xdm_tmp_t;
|
||||
type xdm_var_run_t;
|
||||
type xdm_t, xdm_tmp_t, xdm_var_run_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
|
||||
stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
|
||||
')
|
||||
@ -826,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
|
||||
type xdm_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_tmp_t:dir setattr;
|
||||
allow $1 xdm_tmp_t:dir setattr_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -958,7 +957,7 @@ interface(`xserver_getattr_log',`
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 xserver_log_t:file getattr;
|
||||
allow $1 xserver_log_t:file getattr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1151,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
|
||||
type xdm_tmp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 xdm_tmp_t:sock_file getattr;
|
||||
dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1322,13 +1321,12 @@ interface(`xserver_read_tmp_files',`
|
||||
#
|
||||
interface(`xserver_manage_core_devices',`
|
||||
gen_require(`
|
||||
type xserver_t;
|
||||
type xserver_t, root_xdrawable_t;
|
||||
class x_device all_x_device_perms;
|
||||
class x_pointer all_x_pointer_perms;
|
||||
class x_keyboard all_x_keyboard_perms;
|
||||
class x_screen all_x_screen_perms;
|
||||
class x_drawable { manage };
|
||||
type root_xdrawable_t;
|
||||
attribute x_domain;
|
||||
class x_drawable { read manage setattr show };
|
||||
class x_resource { write read };
|
||||
@ -1356,8 +1354,7 @@ interface(`xserver_manage_core_devices',`
|
||||
#
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
attribute x_domain;
|
||||
attribute xserver_unconfined_type;
|
||||
attribute x_domain, xserver_unconfined_type;
|
||||
')
|
||||
|
||||
typeattribute $1 x_domain;
|
||||
@ -1376,8 +1373,7 @@ interface(`xserver_unconfined',`
|
||||
#
|
||||
interface(`xserver_dontaudit_append_xdm_home_files',`
|
||||
gen_require(`
|
||||
type xdm_home_t;
|
||||
type xserver_tmp_t;
|
||||
type xdm_home_t, xserver_tmp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
|
||||
@ -1404,8 +1400,7 @@ interface(`xserver_dontaudit_append_xdm_home_files',`
|
||||
#
|
||||
interface(`xserver_append_xdm_home_files',`
|
||||
gen_require(`
|
||||
type xdm_home_t;
|
||||
type xserver_tmp_t;
|
||||
type xdm_home_t, xserver_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_home_t:file append_file_perms;
|
||||
@ -1566,12 +1561,10 @@ template(`xserver_read_user_iceauth',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`xserver_rw_inherited_user_fonts',`
|
||||
gen_require(`
|
||||
type user_fonts_t;
|
||||
type user_fonts_config_t;
|
||||
type user_fonts_t, user_fonts_config_t;
|
||||
')
|
||||
|
||||
allow $1 user_fonts_t:file rw_inherited_file_perms;
|
||||
@ -1598,7 +1591,6 @@ interface(`xserver_search_xdm_lib',`
|
||||
allow $1 xdm_var_lib_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make an X executable an entrypoint for the specified domain.
|
||||
@ -1632,6 +1624,7 @@ interface(`xserver_entry_type',`
|
||||
## The role to be allowed the xserver domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`xserver_run',`
|
||||
gen_require(`
|
||||
@ -1657,6 +1650,7 @@ interface(`xserver_run',`
|
||||
## The role to be allowed the xserver domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`xserver_run_xauth',`
|
||||
gen_require(`
|
||||
@ -1679,8 +1673,7 @@ interface(`xserver_run_xauth',`
|
||||
#
|
||||
interface(`xserver_manage_home_fonts',`
|
||||
gen_require(`
|
||||
type user_fonts_t;
|
||||
type user_fonts_config_t;
|
||||
type user_fonts_t, user_fonts_config_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
|
||||
|
@ -1,4 +1,3 @@
|
||||
|
||||
## <summary>policy for zarafa services</summary>
|
||||
|
||||
######################################
|
||||
@ -13,7 +12,6 @@
|
||||
## </param>
|
||||
#
|
||||
template(`zarafa_domain_template',`
|
||||
|
||||
gen_require(`
|
||||
attribute zarafa_domain;
|
||||
')
|
||||
@ -66,7 +64,6 @@ interface(`zarafa_server_domtrans',`
|
||||
domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run zarafa_deliver.
|
||||
@ -94,12 +91,12 @@ interface(`zarafa_deliver_domtrans',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`zarafa_stream_connect_server',`
|
||||
gen_require(`
|
||||
type zarafa_server_t, zarafa_server_var_run_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
|
||||
')
|
||||
|
@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 zebra_var_run_t:sock_file write;
|
||||
allow $1 zebra_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
Loading…
Reference in New Issue
Block a user