patch from dan Wed, 23 Aug 2006 14:03:49 -0400

Chris PeBenito 2006-08-29 02:41:00 +00:00
parent ce6bf7cc23
commit a5e2133bc8
75 changed files with 428 additions and 129 deletions


@ -63,6 +63,7 @@
Mon, 12 Jun 2006
Tue, 20 Jun 2006
Wed, 26 Jul 2006
Wed, 23 Aug 2006
- Added modules:
afs
amavis (Erich Schubert)


@ -184,19 +184,12 @@ mlsconstrain dir search
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# the "ranged" file "write" ops
mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
mlsconstrain dir { add_name remove_name reparent rmdir }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
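Review bot: The merged constraint at the top of the hunk puts `dir chr_file blk_file sock_file` under the single-level rule (`l1 eq l2`), while the `mlsconstrain dir { add_name remove_name reparent rmdir }` rule immediately below it still uses the ranged form (`( l1 dom l2 ) and ( l1 domby h2 )`), so a subject running at a range may add or remove names in a directory that it can no longer `write` or `setattr`; say whether that asymmetry is intended. Which of the two dir/chr_file/blk_file/sock_file constraints survives is inferred from the hunk counts (19 old, 12 new), because the rendered page dropped the +/- markers. If the ranged constraint is the one removed, the comment `# the "ranged" file "write" ops` should go with it, and the surviving comment could read `# the "single level" file "write" ops (dirs and device/socket nodes included)` so the widening of that block is visible. The last constraint continues past the end of the hunk.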


@ -9,6 +9,7 @@
/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)


@ -1,5 +1,5 @@
policy_module(amanda,1.3.4)
policy_module(amanda,1.3.5)
#######################################
#


@ -1,5 +1,5 @@
policy_module(anaconda,1.0.0)
policy_module(anaconda,1.0.1)
########################################
#
@ -7,6 +7,7 @@ policy_module(anaconda,1.0.0)
#
type anaconda_t;
type anaconda_exec_t;
domain_type(anaconda_t)
domain_obj_id_change_exemption(anaconda_t)
role system_r types anaconda_t;
@ -16,6 +17,10 @@ role system_r types anaconda_t;
# Local policy
#
allow anaconda_t self:process execmem;
kernel_domtrans_to(anaconda_t,anaconda_exec_t)
# Run other rc scripts in the anaconda_t domain.
init_domtrans_script(anaconda_t)
@ -25,8 +30,12 @@ logging_send_syslog_msg(anaconda_t)
modutils_domtrans_insmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
unconfined_domain(anaconda_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
ifdef(`distro_redhat',`
bootloader_create_runtime_file(anaconda_t)
')
@ -41,6 +50,7 @@ optional_policy(`
optional_policy(`
rpm_domtrans(anaconda_t)
rpm_domtrans_script(anaconda_t)
')
optional_policy(`
@ -50,10 +60,3 @@ optional_policy(`
optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
')
ifdef(`TODO',`
optional_policy(`
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
')
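Review bot: The new `allow anaconda_t self:process execmem;` and `domain_obj_id_change_exemption(anaconda_t)` carry no comment, whereas the neighbouring rules in this file explain themselves (`# Run other rc scripts in the anaconda_t domain.`); add one line each, e.g. `# TODO(review): name the installer component that maps anonymous memory executable` and `# installer creates files and dirs owned by other uids/gids`. `unconfined_domain(anaconda_t)` a few lines below already grants most process and file permissions, so the explicit `execmem` only matters if that interface excludes it — which, if true, is exactly why the reason belongs in a comment. The `userdom_generic_user_home_dir_filetrans_generic_user_home_content` call would also benefit from a short note on what the installer writes into home directories.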


@ -1,5 +1,5 @@
policy_module(bootloader,1.2.5)
policy_module(bootloader,1.2.6)
########################################
#
@ -83,8 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
dev_read_sysfs(bootloader_t)
# for reading BIOS data
dev_read_raw_memory(bootloader_t)
# needed on some hardware
dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
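Review bot: `# needed on some hardware` above `dev_rw_nvram(bootloader_t)` does not say what writes the NVRAM, so anyone auditing raw-hardware grants has to guess. Replace it with a comment naming the bootloader or platform that writes /dev/nvram, or at least `# TODO(review): which bootloader writes boot settings to /dev/nvram?` if that is not known. This is a separate grant only because the commit splits `nvram_device_t` out of `memory_device_t`; any other domain that previously wrote /dev/nvram through the memory-device interfaces should be checked for new denials.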


@ -1,5 +1,5 @@
policy_module(consoletype,1.0.1)
policy_module(consoletype,1.0.2)
########################################
#
@ -113,4 +113,5 @@ optional_policy(`
kernel_write_xen_state(consoletype_t)
xen_append_log(consoletype_t)
xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
xen_dontaudit_use_fds(consoletype_t)
')


@ -1,5 +1,5 @@
policy_module(firstboot,1.1.3)
policy_module(firstboot,1.1.4)
gen_require(`
class passwd rootok;
@ -106,7 +106,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`
hal_dbus_send(firstboot_t)
hal_dbus_chat(firstboot_t)
')
optional_policy(`
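Review bot: `hal_dbus_send(firstboot_t)` becomes `hal_dbus_chat(firstboot_t)`, turning a one-way send_msg grant into a bidirectional one, with no note of what firstboot now needs to receive from hald. Add `# firstboot receives replies from hald` only if that is the actual trigger; otherwise keep the narrower interface. The `')` at the top of the hunk closes a block that begins before it.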


@ -1,5 +1,5 @@
policy_module(prelink,1.1.5)
policy_module(prelink,1.1.6)
########################################
#
@ -60,6 +60,8 @@ files_read_etc_runtime_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
selinux_get_enforce_mode(prelink_t)
libs_use_ld_so(prelink_t)
libs_exec_ld_so(prelink_t)
libs_manage_ld_so(prelink_t)
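Review bot: `libs_manage_ld_so(prelink_t)` lets prelink_t create, write and delete the dynamic loader object that every dynamically linked process executes; an integrity-sensitive grant of this size should say why, e.g. `# prelink rewrites ld.so itself (temp copy + rename)`, adjusted to whatever operation produced the denial. `libs_exec_ld_so(prelink_t)` next to it is presumably for `ld.so --verify`; a comment there too keeps the two grants from being merged or "cleaned up" later. Keeping both grouped with the existing `libs_use_ld_so(prelink_t)`, as the hunk does, is good.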


@ -1,5 +1,5 @@
policy_module(usermanage,1.3.8)
policy_module(usermanage,1.3.9)
########################################
#
@ -256,7 +256,7 @@ optional_policy(`
')
optional_policy(`
nscd_exec(groupadd_t)
nscd_domtrans(groupadd_t)
')
optional_policy(`
@ -481,6 +481,7 @@ auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
auth_rw_lastlog(useradd_t)
auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
corecmd_exec_shell(useradd_t)
@ -526,7 +527,7 @@ optional_policy(`
')
optional_policy(`
nscd_exec(useradd_t)
nscd_domtrans(useradd_t)
')
optional_policy(`


@ -8,5 +8,12 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)


@ -1,5 +1,5 @@
policy_module(java,1.1.2)
policy_module(java,1.1.3)
########################################
#


@ -63,6 +63,7 @@ template(`mozilla_per_userdomain_template',`
allow $1_mozilla_t self:unix_stream_socket { listen accept };
# Browse the web, connect to printer
allow $1_mozilla_t self:tcp_socket create_socket_perms;
allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
# for bash - old mozilla binary
can_exec($1_mozilla_t, mozilla_exec_t)
@ -170,6 +171,7 @@ template(`mozilla_per_userdomain_template',`
logging_send_syslog_msg($1_mozilla_t)
miscfiles_read_fonts($1_mozilla_t)
miscfiles_read_localization($1_mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve($1_mozilla_t)
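Review bot: The comment `# Browse the web, connect to printer` now appears twice in the template, above the tcp_socket rule and again above `sysnet_dns_name_resolve($1_mozilla_t)`; the second copy reads as pasted and does not describe name resolution. Replace it with `# resolve hostnames while browsing`, and consider the same comment for the new `netlink_route_socket r_netlink_socket_perms` rule, which typically accompanies resolver use. The template continues on both sides of the hunks.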


@ -1,5 +1,5 @@
policy_module(mozilla,1.0.4)
policy_module(mozilla,1.0.5)
########################################
#


@ -1,5 +1,5 @@
policy_module(wine,1.1.2)
policy_module(wine,1.1.3)
########################################
#
@ -18,7 +18,7 @@ domain_entry_file(wine_t,wine_exec_t)
#
ifdef(`targeted_policy',`
allow wine_t self:process { execstack execmem };
allow wine_t self:process { execstack execmem execheap };
unconfined_domain_noaudit(wine_t)
files_execmod_all_files(wine_t)
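Review bot: `execheap` is added to `allow wine_t self:process { execstack execmem execheap };` without a comment; of the three it is the broadest writable-and-executable memory permission, and a reader should not have to infer the reason. Suggest `# Windows binaries run under wine expect an executable heap` if that is what triggered it. Because this sits inside `ifdef(\`targeted_policy'` beside `unconfined_domain_noaudit(wine_t)`, the domain is effectively unconfined there already; the explicit rule only matters if that interface excludes execheap, which the comment could state.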


@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_debian',`


@ -1,5 +1,5 @@
policy_module(corecommands,1.3.12)
policy_module(corecommands,1.3.13)
########################################
#


@ -1,5 +1,5 @@
policy_module(corenetwork,1.1.13)
policy_module(corenetwork,1.1.14)
########################################
#
@ -84,7 +84,7 @@ network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
@ -100,6 +100,7 @@ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
network_port(monopd, tcp,1234,s0)
network_port(mysqld, tcp,3306,s0)
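Review bot: `network_port(lmtp, tcp,24,s0, udp,24,s0)` labels UDP 24 as well, but LMTP (RFC 2033) runs over TCP only; unless some consumer binds UDP 24, drop `udp,24,s0` so the new port type does not carry an unused UDP bind. Port 24 is not an IANA assignment for LMTP (it is the conventional Cyrus default), so a trailing comment in the style of the http_cache line, `# 24 is cyrus' default lmtp port`, would help. The hplip line gains 2207 and 2208; the same convention (`# 8118 is for privoxy`) suggests noting what those two ports are for.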


@ -36,7 +36,7 @@
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c255)
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)


@ -1819,6 +1819,25 @@ interface(`dev_create_null_dev',`
allow $1 self:capability mknod;
')
########################################
## <summary>
## Read and write BIOS non-volatile RAM.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_nvram',`
gen_require(`
type nvram_device_t;
')
allow $1 device_t:dir search_dir_perms;
allow $1 nvram_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Get the attributes of the printer device nodes.


@ -1,5 +1,5 @@
policy_module(devices,1.1.18)
policy_module(devices,1.1.19)
########################################
#
@ -105,6 +105,12 @@ dev_node(null_device_t)
mls_trusted_object(null_device_t)
sid devnull gen_context(system_u:object_r:null_device_t,s0)
#
# Type for /dev/nvram
#
type nvram_device_t;
dev_node(nvram_device_t)
#
# Type for /dev/pmu
#
@ -166,7 +172,7 @@ type vmware_device_t;
dev_node(vmware_device_t)
type watchdog_device_t;
dev_node(vmware_device_t)
dev_node(watchdog_device_t)
type xen_device_t;
dev_node(xen_device_t)
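Review bot: Splitting `/dev/nvram` into its own `nvram_device_t`, declared with only `dev_node`, removes it from every domain that reached it through `memory_device_t` interfaces; this commit grants `dev_rw_nvram` to bootloader_t alone, so any other writer of /dev/nvram will start producing denials and should be checked against audit logs after the relabel. A short comment on the type would make the intent durable: `# Type for /dev/nvram (split from memory_device_t so raw-memory access no longer implies nvram access)`. Whether memory_device_t carries attributes that nvram_device_t should inherit is not visible here and is worth confirming, since devices.fc keeps the `s15:c0.c255` range on the node.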


@ -2932,6 +2932,24 @@ interface(`files_search_tmp',`
allow $1 tmp_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_dontaudit_search_tmp',`
gen_require(`
type tmp_t;
')
dontaudit $1 tmp_t:dir search_dir_perms;
')
########################################
## <summary>
## Read the tmp directory (/tmp).


@ -1,5 +1,5 @@
policy_module(files,1.2.13)
policy_module(files,1.2.14)
########################################
#


@ -279,6 +279,42 @@ interface(`kernel_load_module',`
typeattribute $1 can_load_kernmodule;
')
########################################
## <summary>
## Allow search the kernel key ring.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_search_key',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key search;
')
########################################
## <summary>
## Allow link to the kernel key ring.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_link_key',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key link;
')
########################################
## <summary>
## Allows caller to read the ring buffer.
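Review bot: The summaries of the two new interfaces, `Allow search the kernel key ring.` and `Allow link to the kernel key ring.`, are ungrammatical and do not match the neighbouring style (`Allows caller to read the ring buffer.`); use `Allow the caller to search the kernel keyring.` and `Allow the caller to link keys into the kernel keyring.`. The `link` permission is the more consequential of the two, since it lets the caller attach keys to kernel_t's keyring rather than merely look it up, so its summary should say so rather than mirror the search wording. Both interfaces are otherwise consistent with the `kernel_load_module` pattern above them.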


@ -1,5 +1,5 @@
policy_module(kernel,1.3.14)
policy_module(kernel,1.3.15)
########################################
#


@ -276,6 +276,24 @@ interface(`term_create_console_dev',`
allow $1 self:capability mknod;
')
########################################
## <summary>
## Get the attributes of a pty filesystem
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`term_getattr_pty_fs',`
gen_require(`
type devpts_t;
')
allow $1 devpts_t:filesystem getattr;
')
########################################
## <summary>
## Do not audit attempts to get the
@ -330,6 +348,7 @@ interface(`term_dontaudit_search_ptys',`
type devpts_t;
')
dev_dontaudit_list_all_dev_nodes($1)
dontaudit $1 devpts_t:dir search;
')
@ -1007,4 +1026,3 @@ interface(`term_dontaudit_use_all_user_ttys',`
dontaudit $1 ttynode:chr_file { read write };
')
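Review bot: `dev_dontaudit_list_all_dev_nodes($1)` inside `term_dontaudit_search_ptys` suppresses audit of listing every device directory, not just /dev/pts, for every caller of a pty-specific interface, widening a blind spot in the audit trail beyond what the interface name promises. If the noise is from traversing /dev on the way to /dev/pts, a dontaudit limited to the /dev directory itself, or having the individual callers that need it invoke `dev_dontaudit_list_all_dev_nodes` directly, keeps the suppression visible where it is chosen. The new `term_getattr_pty_fs` summary also lacks the trailing period its neighbours have (`Get the attributes of a pty filesystem.`).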


@ -1,5 +1,5 @@
policy_module(terminal,1.1.5)
policy_module(terminal,1.1.6)
########################################
#


@ -1,5 +1,5 @@
policy_module(amavis,1.0.6)
policy_module(amavis,1.0.7)
########################################
#
@ -62,10 +62,12 @@ allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
allow amavis_t amavis_quarantine_t:dir create_dir_perms;
# Spool Files
files_search_spool(amavis_t)
allow amavis_t amavis_spool_t:dir manage_dir_perms;
allow amavis_t amavis_spool_t:file manage_file_perms;
allow amavis_t amavis_spool_t:sock_file manage_file_perms;
files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
# tmp files
allow amavis_t amavis_tmp_t:file create_file_perms;
@ -116,6 +118,7 @@ corenet_tcp_connect_amavisd_send_port(amavis_t)
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_urand(amavis_t)
@ -164,6 +167,10 @@ optional_policy(`
dcc_stream_connect_dccifd(amavis_t)
')
optional_policy(`
postfix_read_config(amavis_t)
')
optional_policy(`
pyzor_domtrans(amavis_t)
')
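Review bot: `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` makes sockets that amavis creates under its spool directory come out labelled amavis_var_run_t, but the hunk only grants `amavis_t amavis_spool_t:sock_file manage_file_perms`; unless a create rule on `amavis_var_run_t:sock_file` exists elsewhere in this file, the transition yields a denial at create time rather than the intended label. If the layout is deliberate, a comment such as `# amavisd's socket lives under the spool dir but is labelled as runtime data` would keep a later maintainer from "fixing" the transition away. The `corenet_tcp_connect_razor_port` and `postfix_read_config` additions follow the existing patterns.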


@ -1,5 +1,5 @@
policy_module(apache,1.3.16)
policy_module(apache,1.3.17)
#
# NOTES:
@ -271,7 +271,6 @@ seutil_dontaudit_search_config(httpd_t)
sysnet_read_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
mta_send_mail(httpd_t)


@ -1,5 +1,5 @@
policy_module(avahi,1.2.4)
policy_module(avahi,1.2.5)
########################################
#
@ -64,6 +64,7 @@ domain_use_interactive_fds(avahi_t)
files_read_etc_files(avahi_t)
files_read_etc_runtime_files(avahi_t)
files_read_usr_files(avahi_t)
init_use_fds(avahi_t)
init_use_script_ptys(avahi_t)
@ -76,6 +77,7 @@ libs_use_shared_libs(avahi_t)
logging_send_syslog_msg(avahi_t)
miscfiles_read_localization(avahi_t)
miscfiles_read_certs(avahi_t)
sysnet_read_config(avahi_t)
sysnet_use_ldap(avahi_t)


@ -1,5 +1,5 @@
policy_module(bind,1.1.8)
policy_module(bind,1.1.9)
########################################
#
@ -218,6 +218,7 @@ allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file { getattr read };
allow ndc_t dnssec_t:lnk_file { getattr read };
allow ndc_t named_t:unix_stream_socket connectto;


@ -1,5 +1,5 @@
policy_module(cpucontrol,1.0.1)
policy_module(cpucontrol,1.0.2)
########################################
#
@ -25,7 +25,7 @@ files_pid_file(cpuspeed_var_run_t)
# CPU microcode loader local policy
#
allow cpucontrol_t self:capability sys_rawio;
allow cpucontrol_t self:capability { ipc_lock sys_rawio };
dontaudit cpucontrol_t self:capability sys_tty_config;
allow cpucontrol_t self:process signal_perms;


@ -194,13 +194,14 @@ template(`cron_per_userdomain_template',`
allow crond_t $1_cron_spool_t:file create_file_perms;
# dac_override is to create the file in the directory under /tmp
allow $1_crontab_t self:capability { setuid setgid chown dac_override };
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
allow $1_crontab_t self:process signal_perms;
# create files in /var/spool/cron
allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
allow $1_crontab_t $1_cron_spool_t:file manage_file_perms;
type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;
files_search_spool($1_crontab_t)
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
@ -238,12 +239,16 @@ template(`cron_per_userdomain_template',`
# Read user crontabs
userdom_read_user_home_content_files($1,$1_crontab_t)
tunable_policy(`fcron_crond', `
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
dontaudit $1_crontab_t crond_t:process signal;
')
optional_policy(`
nscd_socket_use($1_crontab_t)
')
ifdef(`TODO',`
allow $1_crond_t tmp_t:dir rw_dir_perms;
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
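Review bot: `fowner` is added to `$1_crontab_t`'s capability set while the comment above still explains only `dac_override`; extend it, e.g. `# dac_override is to create the file in the directory under /tmp; fowner for chmod/chown of a spool file it does not own`, adjusted to whatever operation produced the denial. The `nscd_socket_use($1_crontab_t)` block is the standard optional pattern and needs no comment. The template continues past both ends of the hunks.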


@ -1,5 +1,5 @@
policy_module(cron,1.3.10)
policy_module(cron,1.3.11)
gen_require(`
class passwd rootok;
@ -138,6 +138,8 @@ userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_all_users_home_dirs(crond_t)
mta_send_mail(crond_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
@ -173,8 +175,6 @@ ifdef(`targeted_policy',`
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
mta_send_mail(crond_t)
')
tunable_policy(`fcron_crond', `
@ -341,8 +341,6 @@ ifdef(`targeted_policy',`
seutil_read_config(system_crond_t)
mta_send_mail(system_crond_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
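Review bot: `mta_send_mail(crond_t)` moves out of the `ifdef(\`targeted_policy'` block and becomes unconditional, but the third hunk (`@ -341,8 +341,6`) also drops `mta_send_mail(system_crond_t)`; unless that grant now lives in another module, system cron jobs lose the ability to mail their output, which is a behavioural change the description does not mention. Confirm where the system_crond_t grant went and say so in the commit message, or restore the line. Which line is removed there is inferred from the hunk counts, since the rendered page lost the markers.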


@ -1,5 +1,5 @@
policy_module(cups,1.3.11)
policy_module(cups,1.3.12)
########################################
#
@ -74,13 +74,14 @@ files_pid_file(ptal_var_run_t)
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config audit_write };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:process { setsched signal_perms };
allow cupsd_t self:fifo_file rw_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
@ -152,6 +153,8 @@ dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
dev_read_usbfs(cupsd_t)
domain_read_all_domains_state(cupsd_t)
fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
# from old usercanread attrib:
@ -186,6 +189,8 @@ files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
selinux_compute_access_vector(cupsd_t)
init_use_fds(cupsd_t)
init_use_script_ptys(cupsd_t)
init_exec_script_files(cupsd_t)
@ -201,7 +206,7 @@ miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
seutil_dontaudit_read_config(cupsd_t)
seutil_read_config(cupsd_t)
sysnet_read_config(cupsd_t)
@ -219,7 +224,7 @@ ifdef(`targeted_policy',`
init_stream_connect_script(cupsd_t)
unconfined_read_pipes(cupsd_t)
unconfined_rw_pipes(cupsd_t)
optional_policy(`
init_dbus_chat_script(cupsd_t)
@ -230,6 +235,10 @@ ifdef(`targeted_policy',`
')
')
optional_policy(`
apm_domtrans_client(cupsd_t)
')
optional_policy(`
cron_system_entry(cupsd_t, cupsd_exec_t)
')
@ -253,6 +262,10 @@ optional_policy(`
inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
')
optional_policy(`
logrotate_domtrans(cupsd_t)
')
optional_policy(`
nscd_socket_use(cupsd_t)
')
@ -397,7 +410,7 @@ ifdef(`distro_redhat',`
')
')
ifdef(`targeted_policy', `
ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cupsd_config_t)
term_dontaudit_use_unallocated_ttys(cupsd_config_t)
@ -588,6 +601,7 @@ dev_rw_printer(hplip_t)
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_read_usbfs(hplip_t)
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
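Review bot: The rewritten cupsd capability line still lists `dac_override` twice (`{ sys_admin dac_override dac_read_search ... chown dac_override sys_resource ... }`); since the line is being changed anyway, drop the duplicate. `domain_read_all_domains_state(cupsd_t)` lets the print daemon read the /proc state of every domain on the system and has no comment; at minimum add `# TODO(review): which /proc/<pid> data does cupsd need from other domains?` or narrow it to the domains actually read. `seutil_read_config` replacing the dontaudit and the new `selinux_compute_access_vector(cupsd_t)` together suggest cupsd now performs its own access checks; a one-line comment saying so would tie the two changes together.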


@ -1,5 +1,5 @@
policy_module(cyrus,1.1.4)
policy_module(cyrus,1.1.5)
########################################
#
@ -69,10 +69,12 @@ corenet_tcp_sendrecv_all_ports(cyrus_t)
corenet_udp_sendrecv_all_ports(cyrus_t)
corenet_tcp_bind_all_nodes(cyrus_t)
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
corenet_tcp_connect_all_ports(cyrus_t)
corenet_sendrecv_mail_server_packets(cyrus_t)
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_sendrecv_all_client_packets(cyrus_t)
dev_read_rand(cyrus_t)
@ -139,6 +141,10 @@ optional_policy(`
seutil_sigchld_newrole(cyrus_t)
')
optional_policy(`
snmp_read_snmp_var_lib_files(cyrus_t)
')
optional_policy(`
udev_read_db(cyrus_t)
')


@ -139,6 +139,8 @@ template(`dbus_per_userdomain_template',`
files_read_usr_files($1_dbusd_t)
files_dontaudit_search_var($1_dbusd_t)
auth_read_pam_console_data($1_dbusd_t)
libs_use_ld_so($1_dbusd_t)
libs_use_shared_libs($1_dbusd_t)
@ -160,7 +162,7 @@ template(`dbus_per_userdomain_template',`
')
optional_policy(`
auth_read_pam_console_data($1_dbusd_t)
hal_dbus_chat($1_dbusd_t)
')
optional_policy(`


@ -1,5 +1,5 @@
policy_module(dbus,1.2.7)
policy_module(dbus,1.2.8)
gen_require(`
class dbus { send_msg acquire_svc };
@ -38,6 +38,7 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
@ -102,6 +103,7 @@ libs_use_shared_libs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
miscfiles_read_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)


@ -1,5 +1,5 @@
policy_module(dovecot,1.2.5)
policy_module(dovecot,1.2.6)
########################################
#
@ -193,6 +193,8 @@ miscfiles_read_localization(dovecot_auth_t)
seutil_dontaudit_search_config(dovecot_auth_t)
sysnet_dns_name_resolve(dovecot_auth_t)
optional_policy(`
kerberos_use(dovecot_auth_t)
')


@ -1,5 +1,5 @@
policy_module(inn,1.1.3)
policy_module(inn,1.1.4)
########################################
#
@ -36,6 +36,7 @@ allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow innd_t self:tcp_socket create_stream_socket_perms;
allow innd_t self:udp_socket create_socket_perms;
allow innd_t self:netlink_route_socket r_netlink_socket_perms;
allow innd_t innd_etc_t:file r_file_perms;
allow innd_t innd_etc_t:dir r_dir_perms;


@ -2,6 +2,8 @@
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
ifdef(`distro_redhat',`
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
')


@ -1,5 +1,5 @@
policy_module(mta,1.3.8)
policy_module(mta,1.3.9)
########################################
#


@ -1,5 +1,5 @@
policy_module(openvpn,1.0.3)
policy_module(openvpn,1.0.4)
########################################
#
@ -33,7 +33,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket create_socket_perms;
allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
allow openvpn_t openvpn_etc_t:dir r_dir_perms;
allow openvpn_t openvpn_etc_t:file r_file_perms;
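Review bot: `r_netlink_socket_perms` → `rw_netlink_socket_perms` on `openvpn_t self:netlink_route_socket` lets the daemon modify the routing table, not just read it, and the rule carries no comment. Add `# openvpn adds routes for the tunnel` if that is the trigger, so the widening is documented at the rule rather than only in git history. A route-writing grant to a network-facing daemon is also worth a line in the commit description.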


@ -1,5 +1,5 @@
policy_module(postfix,1.2.11)
policy_module(postfix,1.2.12)
########################################
#
@ -251,6 +251,8 @@ allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
########################################
#
# Postfix local local policy
@ -284,6 +286,10 @@ mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
optional_policy(`
clamav_search_lib(postfix_local_t)
')
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
@ -520,6 +526,8 @@ allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
corecmd_exec_bin(postfix_qmgr_t)
########################################
#
# Postfix showq local policy
@ -578,6 +586,8 @@ allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_p
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
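Review bot: `corecmd_exec_bin` is added for postfix_cleanup_t, postfix_qmgr_t and postfix_smtpd_t with no comment; for smtpd_t in particular, the process that talks to remote clients, a blanket right to execute anything labelled bin_t is a large grant and the reason should sit next to each call, e.g. `# TODO(review): which bin_t program does smtpd exec?`. If it is one specific helper, a dedicated type with a domain transition would be the least-privilege form. The `clamav_search_lib(postfix_local_t)` optional block in the second hunk follows the file's existing pattern.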


@ -1,5 +1,5 @@
policy_module(postgresql,1.1.3)
policy_module(postgresql,1.1.4)
#################################
#
@ -134,6 +134,7 @@ miscfiles_read_localization(postgresql_t)
seutil_dontaudit_search_config(postgresql_t)
sysnet_read_config(postgresql_t)
sysnet_use_ldap(postgresql_t)
userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
userdom_dontaudit_use_sysadm_ttys(postgresql_t)


@ -1,5 +1,5 @@
policy_module(radius,1.1.3)
policy_module(radius,1.1.4)
########################################
#
@ -31,7 +31,7 @@ files_pid_file(radiusd_var_run_t)
# gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
dontaudit radiusd_t self:capability sys_tty_config;
allow radiusd_t self:process setsched;
allow radiusd_t self:process { setsched signal };
allow radiusd_t self:fifo_file rw_file_perms;
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
allow radiusd_t self:tcp_socket create_stream_socket_perms;


@ -51,6 +51,8 @@ template(`rpc_domain_template', `
kernel_rw_rpc_sysctls($1_t)
dev_read_sysfs($1_t)
dev_read_urand($1_t)
dev_read_rand($1_t)
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)


@ -1,5 +1,5 @@
policy_module(rpc,1.2.11)
policy_module(rpc,1.2.12)
########################################
#
@ -48,9 +48,6 @@ kernel_search_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
dev_read_urand(rpcd_t)
dev_read_rand(rpcd_t)
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
@ -129,8 +126,6 @@ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
dev_read_urand(gssd_t)
fs_list_rpc(gssd_t)
fs_read_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)


@ -1,5 +1,5 @@
policy_module(samba,1.2.9)
policy_module(samba,1.2.10)
#################################
#
@ -171,7 +171,7 @@ optional_policy(`
#
# smbd Local policy
#
allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search };
allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
@ -191,7 +191,7 @@ allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
allow smbd_t samba_etc_t:dir rw_dir_perms;
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
allow smbd_t samba_log_t:dir { create ra_dir_perms setattr };
dontaudit smbd_t samba_log_t:dir remove_name;
allow smbd_t samba_log_t:file { create ra_file_perms };
@ -359,7 +359,7 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
allow nmbd_t samba_etc_t:dir { search getattr };
allow nmbd_t samba_etc_t:file { getattr read };
allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr };
allow nmbd_t samba_log_t:file { create ra_file_perms };
allow nmbd_t samba_var_t:dir rw_dir_perms;
@ -638,8 +638,8 @@ allow winbind_t samba_secrets_t:file create_file_perms;
allow winbind_t samba_etc_t:dir rw_dir_perms;
type_transition winbind_t samba_etc_t:file samba_secrets_t;
allow winbind_t samba_log_t:dir rw_dir_perms;
allow winbind_t samba_log_t:file create_file_perms;
allow winbind_t samba_log_t:dir manage_dir_perms;
allow winbind_t samba_log_t:file manage_file_perms;
allow winbind_t samba_log_t:lnk_file create_lnk_perms;
allow winbind_t samba_var_t:dir rw_dir_perms;


@ -1,5 +1,5 @@
policy_module(spamassassin,1.3.10)
policy_module(spamassassin,1.3.11)
########################################
#
@ -169,6 +169,10 @@ optional_policy(`
nis_use_ypbind(spamd_t)
')
optional_policy(`
postfix_read_config(spamd_t)
')
optional_policy(`
postgresql_stream_connect(spamd_t)
')


@ -1,5 +1,5 @@
policy_module(squid,1.1.5)
policy_module(squid,1.1.6)
########################################
#
@ -28,9 +28,9 @@ files_pid_file(squid_var_run_t)
# Local policy
#
allow squid_t self:capability { setgid setuid dac_override };
allow squid_t self:capability { setgid setuid dac_override sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_file_perms;
allow squid_t self:sock_file r_file_perms;
allow squid_t self:fd use;
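Review bot: Adding `sys_resource` and removing `setrlimit` from the `~{ ... }` exclusion together allow squid_t to raise its own resource limits; because the `~` form grants every permission not listed, deleting a name from that set is a grant and is easy to miss in review. A comment such as `# squid raises its file descriptor limit at startup` (if that is the trigger) would make the two-line change readable as one intent. Consider also whether `allow squid_t self:process setrlimit;` as an explicit positive rule reads more clearly than editing the exclusion list.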


@ -1,5 +1,5 @@
policy_module(sysstat,1.0.0)
policy_module(sysstat,1.0.1)
########################################
#
@ -50,6 +50,7 @@ files_read_etc_files(sysstat_t)
fs_getattr_xattr_fs(sysstat_t)
term_use_console(sysstat_t)
term_use_all_terms(sysstat_t)
init_use_fds(sysstat_t)
init_use_script_ptys(sysstat_t)
@ -57,6 +58,8 @@ init_use_script_ptys(sysstat_t)
libs_use_ld_so(sysstat_t)
libs_use_shared_libs(sysstat_t)
locallogin_use_fds(sysstat_t)
miscfiles_read_localization(sysstat_t)
userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)


@ -109,7 +109,7 @@ template(`xserver_common_domain_template',`
corenet_sendrecv_xserver_server_packets($1_xserver_t)
corenet_sendrecv_all_client_packets($1_xserver_t)
dev_read_sysfs($1_xserver_t)
dev_rw_sysfs($1_xserver_t)
dev_rw_mouse($1_xserver_t)
dev_rw_mtrr($1_xserver_t)
dev_rw_apm_bios($1_xserver_t)
@ -120,7 +120,7 @@ template(`xserver_common_domain_template',`
dev_setattr_generic_dirs($1_xserver_t)
# raw memory access is needed if not using the frame buffer
dev_read_raw_memory($1_xserver_t)
dev_write_raw_memory($1_xserver_t)
dev_wx_raw_memory($1_xserver_t)
# for other device nodes such as the NVidia binary-only driver
dev_rw_xserver_misc($1_xserver_t)
# read events - the synaptics touchpad driver reads raw events
@ -159,6 +159,10 @@ template(`xserver_common_domain_template',`
sysnet_read_config($1_xserver_t)
optional_policy(`
apm_stream_connect($1_xserver_t)
')
optional_policy(`
auth_search_pam_console_data($1_xserver_t)
')
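Review bot: `dev_wx_raw_memory($1_xserver_t)` additionally lets every X server produced by this template map raw memory executable, and the comment above it (`# raw memory access is needed if not using the frame buffer`) only explains read/write access. An executable mapping of /dev/mem is a large widening, so the reason belongs next to the call, e.g. `# wx: some drivers run the video BIOS from a /dev/mem mapping (TODO confirm)`. The same applies to `dev_rw_sysfs($1_xserver_t)`, which replaces read-only sysfs access without a note on which attributes get written. `xserver_common_domain_template` starts and ends outside this section.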


@ -1,5 +1,5 @@
policy_module(xserver,1.1.13)
policy_module(xserver,1.1.14)
########################################
#
@ -81,15 +81,18 @@ optional_policy(`
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:fifo_file rw_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow xdm_t self:netlink_route_socket r_netlink_socket_perms;
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
allow xdm_t self:key write;
allow xdm_t self:socket create_socket_perms;
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
# Supress permission check on .ICE-unix
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
@ -106,6 +109,8 @@ allow xdm_t xdm_rw_etc_t:file create_file_perms;
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
kernel_read_network_state(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
@ -154,6 +159,7 @@ domain_use_interactive_fds(xdm_t)
domain_dontaudit_read_all_domains_state(xdm_t)
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
files_read_etc_runtime_files(xdm_t)
files_exec_etc_files(xdm_t)
files_list_mnt(xdm_t)
@ -180,6 +186,8 @@ term_setattr_unallocated_ttys(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
init_use_script_ptys(xdm_t)
# Run telinit->init to shutdown.
@ -257,7 +265,7 @@ ifdef(`strict_policy',`
allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
allow xdm_t xdm_xserver_tmp_t:file unlink;
allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
allow xdm_t xserver_log_t:dir manage_dir_perms;
allow xdm_t xserver_log_t:file manage_file_perms;
allow xdm_t xserver_log_t:fifo_file manage_file_perms;
logging_log_filetrans(xdm_t,xserver_log_t,file)
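Review bot: `allow xdm_t self:socket create_socket_perms;` grants the generic socket class, which covers every address family that has no dedicated class, and together with `allow xdm_t self:appletalk_socket create_socket_perms;` it is a wide grant with no comment naming the code path that needs it. If this is, as it looks, an interface-enumeration ioctl that is issued on whatever socket family is available, a `dontaudit` on the exotic families would be narrower than silently allowing them. At minimum a comment above the two lines, such as `# gdm probes network interfaces via ioctl on sockets of arbitrary families (TODO confirm)`, would record the intent; the `key { search link write }` change would likewise benefit from `# pam_keyinit session keyring`.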


@ -1,5 +1,5 @@
policy_module(authlogin,1.3.12)
policy_module(authlogin,1.3.13)
########################################
#
@ -215,6 +215,7 @@ libs_use_shared_libs(pam_console_t)
logging_send_syslog_msg(pam_console_t)
miscfiles_read_localization(pam_console_t)
miscfiles_read_certs(pam_console_t)
seutil_read_file_contexts(pam_console_t)


@ -1,5 +1,5 @@
policy_module(hostname,1.2.0)
policy_module(hostname,1.2.1)
########################################
#
@ -56,6 +56,6 @@ miscfiles_read_localization(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
optional_policy(`
xen_dontaudit_use_fds(hostname_t)
')


@ -110,7 +110,6 @@ ifdef(`distro_gentoo',`
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -122,6 +121,8 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -182,6 +183,7 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/seamonkey.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -213,8 +215,8 @@ ifdef(`distro_redhat',`
/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
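Review bot: The relaxed patterns `/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)*` and `/usr/lib(64)?/libavutil.*\.so(\.[^/]*)*` now label any library whose name merely begins with libavcodec or libavutil as `textrel_shlib_t`, which permits text relocations and so weakens execmod enforcement for anything that happens to match. If the goal was to cover both `libavcodec.so.N` and the versioned `libavcodec-N.so` form, a tighter pattern keeps the old scope: `/usr/lib(64)?/libavcodec(-[^/]*)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, and the same shape for libavutil.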


@ -1,5 +1,5 @@
policy_module(libraries,1.3.11)
policy_module(libraries,1.3.12)
########################################
#


@ -1,5 +1,5 @@
policy_module(locallogin,1.2.5)
policy_module(locallogin,1.2.6)
########################################
#
@ -47,7 +47,7 @@ allow local_login_t self:shm create_shm_perms;
allow local_login_t self:sem create_sem_perms;
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
allow local_login_t self:key write;
allow local_login_t self:key { search write };
allow local_login_t local_login_lock_t:file create_file_perms;
files_lock_filetrans(local_login_t,local_login_lock_t,file)
@ -58,6 +58,8 @@ files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
kernel_search_key(local_login_t)
kernel_link_key(local_login_t)
dev_setattr_mouse_dev(local_login_t)
dev_getattr_mouse_dev(local_login_t)
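Review bot: The keyring additions `allow local_login_t self:key { search write };`, `kernel_search_key(local_login_t)` and `kernel_link_key(local_login_t)` carry no comment, and keyring permissions in a login domain are easy to misjudge later because the session keyring outlives the login program. A one-line reason above them, such as `# pam_keyinit: set up and link the session keyring (TODO confirm)`, would make the intent clear without widening anything.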


@ -30,6 +30,8 @@ ifdef(`distro_suse', `
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)


@ -149,6 +149,27 @@ interface(`logging_run_auditd',`
allow auditd_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Connect to auditdstored over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_stream_connect_auditd',`
gen_require(`
type auditd_t, auditd_var_run_t;
')
files_search_pids($1)
allow $1 auditd_var_run_t:dir search_dir_perms;
allow $1 auditd_var_run_t:sock_file rw_file_perms;
allow $1 auditd_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Manage the auditd configuration files.
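Review bot: The summary of the new `logging_stream_connect_auditd` reads `Connect to auditdstored over an unix stream socket.`, which looks like a paste error; it should read `## Connect to auditd over a unix stream socket.`. Separately, `allow $1 auditd_var_run_t:sock_file rw_file_perms;` grants read as well, while connecting to a socket file only needs write (and getattr); `write` alone would better match the least-privilege intent of a connect interface if nothing else relies on the broader set.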


@ -1,5 +1,5 @@
policy_module(logging,1.3.10)
policy_module(logging,1.3.11)
########################################
#
@ -120,9 +120,10 @@ allow auditd_t auditd_log_t:file create_file_perms;
allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
allow auditd_t var_log_t:dir search;
allow auditd_t auditd_var_run_t:file create_file_perms;
allow auditd_t auditd_var_run_t:sock_file manage_file_perms;
allow auditd_t auditd_var_run_t:file manage_file_perms;
allow auditd_t auditd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(auditd_t,auditd_var_run_t,file)
files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf


@ -85,6 +85,6 @@
#
# /var
#
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
/var/run/multipathd.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)


@ -1,5 +1,5 @@
policy_module(lvm,1.3.5)
policy_module(lvm,1.3.6)
########################################
#
@ -133,6 +133,7 @@ allow lvm_t self:process setsched;
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow lvm_t lvm_tmp_t:dir create_dir_perms;
allow lvm_t lvm_tmp_t:file create_file_perms;
@ -150,9 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms;
files_lock_filetrans(lvm_t,lvm_lock_t,file)
allow lvm_t lvm_var_run_t:file create_file_perms;
allow lvm_t lvm_var_run_t:dir create_dir_perms;
files_pid_filetrans(lvm_t,lvm_var_run_t,file)
allow lvm_t lvm_var_run_t:file manage_file_perms;
allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
allow lvm_t lvm_var_run_t:dir manage_dir_perms;
files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file })
allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
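Review bot: `allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;` gives lvm_t a uevent listener with no comment on which program needs it; since the lvm.fc change in this commit moves multipathd paths under lvm types, it is presumably multipathd, and `# multipathd listens for device uevents (TODO confirm)` above the line would say so. The new `files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file })` matches the `/var/run/multipathd.sock -s` context added in lvm.fc, so that part is consistent.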


@ -8,6 +8,7 @@ ifdef(`distro_gentoo',`
#
# /etc
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)


@ -114,6 +114,26 @@ interface(`miscfiles_read_localization',`
libs_read_lib_files($1)
')
########################################
## <summary>
## Allow process to write localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_rw_localization',`
gen_require(`
type locale_t;
')
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
allow $1 locale_t:file rw_file_perms;
')
########################################
## <summary>
## Allow process to read legacy time localization info
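Review bot: The new `miscfiles_rw_localization` only calls `files_search_usr($1)`, but `locale_t` is also applied under /etc (`/etc/localtime`, and the `/etc/avahi/etc/localtime` entry this same commit adds to miscfiles.fc), so a caller that needs to write those files cannot reach them through this interface alone; add `files_search_etc($1)` beside the usr search. The summary `Allow process to write localization info` also understates the grant: the interface gives read and write on every locale_t file, including timezone data that every domain reads, so the doc should say `## Read and write localization info (including /etc/localtime)` and callers of this interface deserve a careful look.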


@ -1,5 +1,5 @@
policy_module(miscfiles,1.0.2)
policy_module(miscfiles,1.0.3)
########################################
#


@ -1,5 +1,5 @@
policy_module(mount,1.3.9)
policy_module(mount,1.3.10)
########################################
#
@ -80,6 +80,7 @@ files_unmount_all_file_type_fs(mount_t)
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
@ -97,6 +98,8 @@ mls_file_write_down(mount_t)
sysnet_use_portmap(mount_t)
selinux_get_enforce_mode(mount_t)
userdom_use_all_users_fds(mount_t)
ifdef(`distro_redhat',`
@ -166,6 +169,10 @@ optional_policy(`
samba_domtrans_smbmount(mount_t)
')
optional_policy(`
nscd_socket_use(mount_t)
')
########################################
#
# Unconfined mount local policy
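Review bot: `userdom_use_all_users_fds(mount_t)` lets mount inherit and use descriptors from every user domain, with no comment on why; when the need is only to quiet denials on leaked descriptors, the policy elsewhere tends to prefer the dontaudit form. If mount only inherits terminals or pipes it never actually uses, the dontaudit variant of this interface (if one exists in this tree) is the narrower choice; otherwise a comment such as `# mount is run from user shells and writes to inherited fds` would justify the allow.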


@ -1,5 +1,5 @@
policy_module(selinuxutil,1.2.12)
policy_module(selinuxutil,1.2.13)
ifdef(`strict_policy',`
gen_require(`
@ -462,6 +462,10 @@ logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
optional_policy(`
rpm_use_script_fds(restorecond_t)
')
optional_policy(`
# restorecond watches for users logging in,
# so it getspwnam when a user logs in to find his homedir


@ -1,5 +1,6 @@
# udev
/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)


@ -1,5 +1,5 @@
policy_module(udev,1.3.4)
policy_module(udev,1.3.5)
########################################
#


@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
dev_unconfined($1)
domain_unconfined($1)
domain_dontaudit_read_all_domains_state($1)
domain_dontaudit_ptrace_all_domains($1)
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
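Review bot: `domain_dontaudit_ptrace_all_domains($1)` is added to `unconfined_domain_noaudit` unconditionally, so ptrace denials from unconfined domains are silenced whether or not the corresponding allow is in effect; when ptrace is withheld (for example behind a boolean), an unconfined domain trying to trace another domain is exactly the event an administrator wants in the audit log. Consider gating the dontaudit on the same condition as the allow, or at least recording the rationale in a comment such as `# unconfined domains read other domains' state; ptrace denials are noise here (TODO confirm)`. `unconfined_domain_noaudit` starts before this section.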


@ -1,5 +1,5 @@
policy_module(unconfined,1.3.13)
policy_module(unconfined,1.3.14)
########################################
#
@ -195,4 +195,11 @@ ifdef(`targeted_policy',`
ifdef(`targeted_policy',`
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
dbus_stub(unconfined_execmem_t)
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
')
')


@ -23,6 +23,42 @@ interface(`xen_domtrans',`
allow xend_t $1:process sigchld;
')
########################################
## <summary>
## Inherit and use xen file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`xen_use_fds',`
gen_require(`
type xend_t;
')
allow $1 xend_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit
## xen file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`xen_dontaudit_use_fds',`
gen_require(`
type xend_t;
')
dontaudit $1 xend_t:fd use;
')
########################################
## <summary>
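Review bot: In the new `xen_use_fds` interface the parameter summary says `Domain to not audit.`, which is copied from the dontaudit variant below it; since this interface grants access, it should read `## Domain allowed access.`. The `xen_dontaudit_use_fds` summary is correct as written.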


@ -1,5 +1,5 @@
policy_module(xen,1.0.8)
policy_module(xen,1.0.9)
########################################
#
@ -69,7 +69,9 @@ init_daemon_domain(xm_t, xm_exec_t)
#
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
dontaudit xend_t self:process ptrace;
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
@ -79,7 +81,7 @@ allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
allow xend_t xen_image_t:dir r_dir_perms;
allow xend_t xen_image_t:file r_file_perms;
allow xend_t xen_image_t:file rw_file_perms;
# pid file
allow xend_t xend_var_run_t:file manage_file_perms;
@ -128,8 +130,10 @@ corenet_tcp_sendrecv_all_ports(xend_t)
corenet_tcp_bind_all_nodes(xend_t)
corenet_tcp_bind_xen_port(xend_t)
corenet_tcp_bind_soundd_port(xend_t)
corenet_tcp_bind_generic_port(xend_t)
corenet_sendrecv_xen_server_packets(xend_t)
corenet_sendrecv_soundd_server_packets(xend_t)
corenet_rw_tun_tap_dev(xend_t)
dev_read_urand(xend_t)
dev_manage_xen(xend_t)
@ -138,19 +142,24 @@ dev_rw_sysfs(xend_t)
domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
domain_dontaudit_ptrace_all_domains(xend_t)
files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
files_read_kernel_img(xend_t)
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
storage_raw_read_fixed_disk(xend_t)
term_dontaudit_getattr_all_user_ptys(xend_t)
term_dontaudit_use_generic_ptys(xend_t)
term_getattr_all_user_ptys(xend_t)
term_use_generic_ptys(xend_t)
term_use_ptmx(xend_t)
term_getattr_pty_fs(xend_t)
init_use_fds(xend_t)
init_use_script_ptys(xend_t)
libs_use_ld_so(xend_t)
libs_use_shared_libs(xend_t)
@ -195,11 +204,14 @@ kernel_read_kernel_sysctls(xenconsoled_t)
kernel_write_xen_state(xenconsoled_t)
kernel_read_xen_state(xenconsoled_t)
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
term_create_pty(xenconsoled_t,xen_devpts_t);
term_dontaudit_use_generic_ptys(xenconsoled_t)
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
init_use_script_ptys(xenconsoled_t)
libs_use_ld_so(xenconsoled_t)
libs_use_shared_libs(xenconsoled_t)
@ -238,10 +250,11 @@ dev_manage_xen(xenconsoled_t)
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
term_dontaudit_use_generic_ptys(xenstored_t)
term_dontaudit_use_console(xenconsoled_t)
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
libs_use_ld_so(xenstored_t)
libs_use_shared_libs(xenstored_t)
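Review bot: In the xenstored_t block, the replacement line `term_use_console(xenconsoled_t)` names the wrong domain: every neighbouring rule (`term_use_generic_ptys(xenstored_t)`, `init_use_fds(xenstored_t)`) is for xenstored_t, and xenconsoled_t already receives `term_use_console(xenconsoled_t)` earlier in this section, so this is either a duplicate or a typo for `term_use_console(xenstored_t)`. The removed `term_dontaudit_use_console(xenconsoled_t)` had the same mix-up, so the commit carries it forward rather than correcting it. Separately, `corenet_tcp_bind_generic_port(xend_t)` and `storage_raw_read_fixed_disk(xend_t)` are broad grants that would each benefit from a one-line reason, e.g. `# xend binds relay ports for guest consoles (TODO confirm)`.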