patch from dan Wed, 23 Aug 2006 14:03:49 -0400
This commit is contained in:
parent
ce6bf7cc23
commit
a5e2133bc8
@ -63,6 +63,7 @@
|
||||
Mon, 12 Jun 2006
|
||||
Tue, 20 Jun 2006
|
||||
Wed, 26 Jul 2006
|
||||
Wed, 23 Aug 2006
|
||||
- Added modules:
|
||||
afs
|
||||
amavis (Erich Schubert)
|
||||
|
@ -184,19 +184,12 @@ mlsconstrain dir search
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
# the "single level" file "write" ops
|
||||
mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
|
||||
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
( t1 == mlsfilewrite ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
# the "ranged" file "write" ops
|
||||
mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
|
||||
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
( t1 == mlsfilewrite ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
mlsconstrain dir { add_name remove_name reparent rmdir }
|
||||
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
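Review bot: After this hunk the `write`-class operations on `dir` (and on `chr_file blk_file sock_file`) fall under the merged constraint at the top and so require `l1 eq l2`, while `mlsconstrain dir { add_name remove_name reparent rmdir }` at the bottom keeps the ranged form `(( l1 dom l2 ) and ( l1 domby h2 ))`. On a directory the entry operations are what actually change its content, so a ranged directory still accepts entries from any level inside its range while a plain `write` on the same directory now demands level equality; if that asymmetry is intended (multilevel directories are meant to take entries from their whole range), a comment above the dir constraint would save the next reader the same check: `# dir entry ops stay ranged: a multilevel dir accepts entries from any level within its range`. If it is not intended, the `dir` entry in the merged list is the line to revisit. The dir constraint's remaining clauses continue outside the hunk.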
|
||||
|
@ -9,6 +9,7 @@
|
||||
/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
|
||||
|
||||
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
|
||||
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
|
||||
/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amanda,1.3.4)
|
||||
policy_module(amanda,1.3.5)
|
||||
|
||||
#######################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(anaconda,1.0.0)
|
||||
policy_module(anaconda,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -7,6 +7,7 @@ policy_module(anaconda,1.0.0)
|
||||
#
|
||||
|
||||
type anaconda_t;
|
||||
type anaconda_exec_t;
|
||||
domain_type(anaconda_t)
|
||||
domain_obj_id_change_exemption(anaconda_t)
|
||||
role system_r types anaconda_t;
|
||||
@ -16,6 +17,10 @@ role system_r types anaconda_t;
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow anaconda_t self:process execmem;
|
||||
|
||||
kernel_domtrans_to(anaconda_t,anaconda_exec_t)
|
||||
|
||||
# Run other rc scripts in the anaconda_t domain.
|
||||
init_domtrans_script(anaconda_t)
|
||||
|
||||
@ -25,8 +30,12 @@ logging_send_syslog_msg(anaconda_t)
|
||||
|
||||
modutils_domtrans_insmod(anaconda_t)
|
||||
|
||||
seutil_domtrans_semanage(anaconda_t)
|
||||
|
||||
unconfined_domain(anaconda_t)
|
||||
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
bootloader_create_runtime_file(anaconda_t)
|
||||
')
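Review bot: `unconfined_domain(anaconda_t)` is called unconditionally here, whereas the cross-module grants in the following hunks (`rpm_domtrans_script`, `usermanage_domtrans_admin_passwd`) are wrapped in `optional_policy(`…')`; if unconfined is an optional module in this build, the anaconda module will not link when it is absent, so the call should be wrapped the same way. Once the domain is unconfined, the narrow rules added earlier in this file, such as `allow anaconda_t self:process execmem;` in the previous hunk, are subsumed and only serve as documentation, which is worth stating. A comment recording why the installer is left unconfined would also help: `# The installer drives rpm, semanage and the other tools granted here; it is deliberately unconfined` — presumably that is the reason, confirm.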
|
||||
@ -41,6 +50,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
rpm_domtrans(anaconda_t)
|
||||
rpm_domtrans_script(anaconda_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -50,10 +60,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
usermanage_domtrans_admin_passwd(anaconda_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`
|
||||
role system_r types sysadm_ssh_agent_t;
|
||||
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
|
||||
')
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bootloader,1.2.5)
|
||||
policy_module(bootloader,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -83,8 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
|
||||
dev_read_rand(bootloader_t)
|
||||
dev_read_urand(bootloader_t)
|
||||
dev_read_sysfs(bootloader_t)
|
||||
# for reading BIOS data
|
||||
dev_read_raw_memory(bootloader_t)
|
||||
# needed on some hardware
|
||||
dev_rw_nvram(bootloader_t)
|
||||
|
||||
fs_getattr_xattr_fs(bootloader_t)
|
||||
fs_getattr_tmpfs(bootloader_t)
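Review bot: The comment `# needed on some hardware` above `dev_rw_nvram(bootloader_t)` does not say what the bootloader writes to NVRAM or which hardware needs it, so a later reviewer cannot judge whether read-only access would do; name the bootloader and the operation that motivated the grant, e.g. `# <bootloader> writes <what> via /dev/nvram on <hardware> — confirm`. Swapping `dev_read_raw_memory` for the narrower `dev_rw_nvram` is the right direction, and the comment is where that reasoning should live.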
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(consoletype,1.0.1)
|
||||
policy_module(consoletype,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -113,4 +113,5 @@ optional_policy(`
|
||||
kernel_write_xen_state(consoletype_t)
|
||||
xen_append_log(consoletype_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
|
||||
xen_dontaudit_use_fds(consoletype_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(firstboot,1.1.3)
|
||||
policy_module(firstboot,1.1.4)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -106,7 +106,7 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dbus_send(firstboot_t)
|
||||
hal_dbus_chat(firstboot_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(prelink,1.1.5)
|
||||
policy_module(prelink,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -60,6 +60,8 @@ files_read_etc_runtime_files(prelink_t)
|
||||
|
||||
fs_getattr_xattr_fs(prelink_t)
|
||||
|
||||
selinux_get_enforce_mode(prelink_t)
|
||||
|
||||
libs_use_ld_so(prelink_t)
|
||||
libs_exec_ld_so(prelink_t)
|
||||
libs_manage_ld_so(prelink_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usermanage,1.3.8)
|
||||
policy_module(usermanage,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -256,7 +256,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_exec(groupadd_t)
|
||||
nscd_domtrans(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -481,6 +481,7 @@ auth_manage_shadow(useradd_t)
|
||||
auth_relabel_shadow(useradd_t)
|
||||
auth_etc_filetrans_shadow(useradd_t)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
|
||||
corecmd_exec_shell(useradd_t)
|
||||
@ -526,7 +527,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_exec(useradd_t)
|
||||
nscd_domtrans(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -8,5 +8,12 @@
|
||||
#
|
||||
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(java,1.1.2)
|
||||
policy_module(java,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -63,6 +63,7 @@ template(`mozilla_per_userdomain_template',`
|
||||
allow $1_mozilla_t self:unix_stream_socket { listen accept };
|
||||
# Browse the web, connect to printer
|
||||
allow $1_mozilla_t self:tcp_socket create_socket_perms;
|
||||
allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# for bash - old mozilla binary
|
||||
can_exec($1_mozilla_t, mozilla_exec_t)
|
||||
@ -170,6 +171,7 @@ template(`mozilla_per_userdomain_template',`
|
||||
logging_send_syslog_msg($1_mozilla_t)
|
||||
|
||||
miscfiles_read_fonts($1_mozilla_t)
|
||||
miscfiles_read_localization($1_mozilla_t)
|
||||
|
||||
# Browse the web, connect to printer
|
||||
sysnet_dns_name_resolve($1_mozilla_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mozilla,1.0.4)
|
||||
policy_module(mozilla,1.0.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(wine,1.1.2)
|
||||
policy_module(wine,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,7 +18,7 @@ domain_entry_file(wine_t,wine_exec_t)
|
||||
#
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow wine_t self:process { execstack execmem };
|
||||
allow wine_t self:process { execstack execmem execheap };
|
||||
unconfined_domain_noaudit(wine_t)
|
||||
files_execmod_all_files(wine_t)
|
||||
|
||||
|
@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
|
||||
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.3.12)
|
||||
policy_module(corecommands,1.3.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.1.13)
|
||||
policy_module(corenetwork,1.1.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -84,7 +84,7 @@ network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
network_port(i18n_input, tcp,9010,s0)
|
||||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||
@ -100,6 +100,7 @@ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
|
||||
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||
network_port(lmtp, tcp,24,s0, udp,24,s0)
|
||||
network_port(mail, tcp,2000,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(mysqld, tcp,3306,s0)
|
||||
|
@ -36,7 +36,7 @@
|
||||
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||
/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
|
||||
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c255)
|
||||
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
|
||||
|
@ -1819,6 +1819,25 @@ interface(`dev_create_null_dev',`
|
||||
allow $1 self:capability mknod;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write BIOS non-volatile RAM.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_rw_nvram',`
|
||||
gen_require(`
|
||||
type nvram_device_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir search_dir_perms;
|
||||
allow $1 nvram_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the printer device nodes.
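Review bot: `dev_rw_nvram` grants `rw_file_perms` on `nvram_device_t:chr_file`, and devices.fc in this commit labels `/dev/nvram` at `s15:c0.c255`; under the MLS constraints this commit also rewrites, chr_file `write` now requires `l1 eq l2` unless the caller is `mlsfilewrite` or the object is `mlstrustedobject`, so on an MLS build the grant to bootloader_t only takes effect when that domain runs at exactly that level. That interaction is easy to miss from the interface alone; a comment above the allow would record it: `# /dev/nvram is labeled s15:c0.c255; under MLS the caller must run at that level or be mlsfilewrite`. The summary `## Read and write BIOS non-volatile RAM.` is fine as is.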
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(devices,1.1.18)
|
||||
policy_module(devices,1.1.19)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -105,6 +105,12 @@ dev_node(null_device_t)
|
||||
mls_trusted_object(null_device_t)
|
||||
sid devnull gen_context(system_u:object_r:null_device_t,s0)
|
||||
|
||||
#
|
||||
# Type for /dev/nvram
|
||||
#
|
||||
type nvram_device_t;
|
||||
dev_node(nvram_device_t)
|
||||
|
||||
#
|
||||
# Type for /dev/pmu
|
||||
#
|
||||
@ -166,7 +172,7 @@ type vmware_device_t;
|
||||
dev_node(vmware_device_t)
|
||||
|
||||
type watchdog_device_t;
|
||||
dev_node(vmware_device_t)
|
||||
dev_node(watchdog_device_t)
|
||||
|
||||
type xen_device_t;
|
||||
dev_node(xen_device_t)
|
||||
|
@ -2932,6 +2932,24 @@ interface(`files_search_tmp',`
|
||||
allow $1 tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the tmp directory (/tmp).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_search_tmp',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the tmp directory (/tmp).
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files,1.2.13)
|
||||
policy_module(files,1.2.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -279,6 +279,42 @@ interface(`kernel_load_module',`
|
||||
typeattribute $1 can_load_kernmodule;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow search the kernel key ring.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_search_key',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
allow $1 kernel_t:key search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow link to the kernel key ring.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_link_key',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
allow $1 kernel_t:key link;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows caller to read the ring buffer.
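Review bot: The new summaries read `## Allow search the kernel key ring.` and `## Allow link to the kernel key ring.`, which are ungrammatical and differ in form from the neighbouring summaries that describe the access granted (`## Allows caller to read the ring buffer.` just below); `## Search the kernel key ring.` and `## Link to the kernel key ring.` would read correctly and match. Both interfaces grant on the `key` object class of `kernel_t`; if that class is not present in every policy this module is built against, declare it in the `gen_require` next to `type kernel_t;`, as other modules in this commit do for `class passwd rootok;`, so the dependency is explicit rather than a link-time surprise.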
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.3.14)
|
||||
policy_module(kernel,1.3.15)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -276,6 +276,24 @@ interface(`term_create_console_dev',`
|
||||
allow $1 self:capability mknod;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of a pty filesystem
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`term_getattr_pty_fs',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
')
|
||||
|
||||
allow $1 devpts_t:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
@ -330,6 +348,7 @@ interface(`term_dontaudit_search_ptys',`
|
||||
type devpts_t;
|
||||
')
|
||||
|
||||
dev_dontaudit_list_all_dev_nodes($1)
|
||||
dontaudit $1 devpts_t:dir search;
|
||||
')
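Review bot: `dev_dontaudit_list_all_dev_nodes($1)` inside `term_dontaudit_search_ptys` silences denials for listing every device node, not just the pty directory, so every caller of an interface named for pty searches now also loses the audit trail for attempts to enumerate /dev, which is a signal analysts use to spot a domain probing for devices. If the callers genuinely need both, add the device dontaudit at the call sites, or at least state the wider scope in the interface's summary (above the hunk); otherwise `dontaudit $1 devpts_t:dir search;` alone keeps the interface to what its name promises. The interface's `gen_require` opens outside the hunk.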
|
||||
|
||||
@ -1007,4 +1026,3 @@ interface(`term_dontaudit_use_all_user_ttys',`
|
||||
|
||||
dontaudit $1 ttynode:chr_file { read write };
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(terminal,1.1.5)
|
||||
policy_module(terminal,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amavis,1.0.6)
|
||||
policy_module(amavis,1.0.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -62,10 +62,12 @@ allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
|
||||
allow amavis_t amavis_quarantine_t:dir create_dir_perms;
|
||||
|
||||
# Spool Files
|
||||
files_search_spool(amavis_t)
|
||||
allow amavis_t amavis_spool_t:dir manage_dir_perms;
|
||||
allow amavis_t amavis_spool_t:file manage_file_perms;
|
||||
allow amavis_t amavis_spool_t:sock_file manage_file_perms;
|
||||
files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
|
||||
type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
|
||||
|
||||
# tmp files
|
||||
allow amavis_t amavis_tmp_t:file create_file_perms;
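Review bot: `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` labels sockets amavis creates under its spool directory as `amavis_var_run_t`, so `allow amavis_t amavis_spool_t:sock_file manage_file_perms;` two lines above only covers sockets that already carry the spool type, and the create path needs matching rights on `amavis_var_run_t:sock_file`, which are not in this hunk; confirm they exist elsewhere in the module. A one-line comment on the transition would explain the cross-type rule, which is unusual enough to be mistaken for a typo: `# amavisd creates its socket inside the spool dir; keep it in the run-time type`.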
|
||||
@ -116,6 +118,7 @@ corenet_tcp_connect_amavisd_send_port(amavis_t)
|
||||
# bind to incoming port
|
||||
corenet_tcp_bind_amavisd_recv_port(amavis_t)
|
||||
corenet_udp_bind_generic_port(amavis_t)
|
||||
corenet_tcp_connect_razor_port(amavis_t)
|
||||
|
||||
dev_read_rand(amavis_t)
|
||||
dev_read_urand(amavis_t)
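Review bot: `corenet_udp_bind_generic_port(amavis_t)` lets the daemon bind any unreserved UDP port, whereas the grants around it are port-specific (`corenet_tcp_bind_amavisd_recv_port`, `corenet_tcp_connect_razor_port`) and the TCP one carries a `# bind to incoming port` comment. If a particular protocol needs the UDP bind, its port interface is the narrower grant; if the port really is arbitrary, record why with a comment in the same style, e.g. `# <component> binds an unreserved UDP port for <purpose> — confirm`, so the breadth is a documented decision rather than an accident.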
|
||||
@ -164,6 +167,10 @@ optional_policy(`
|
||||
dcc_stream_connect_dccifd(amavis_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postfix_read_config(amavis_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
pyzor_domtrans(amavis_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache,1.3.16)
|
||||
policy_module(apache,1.3.17)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -271,7 +271,6 @@ seutil_dontaudit_search_config(httpd_t)
|
||||
sysnet_read_config(httpd_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
|
||||
|
||||
mta_send_mail(httpd_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(avahi,1.2.4)
|
||||
policy_module(avahi,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -64,6 +64,7 @@ domain_use_interactive_fds(avahi_t)
|
||||
|
||||
files_read_etc_files(avahi_t)
|
||||
files_read_etc_runtime_files(avahi_t)
|
||||
files_read_usr_files(avahi_t)
|
||||
|
||||
init_use_fds(avahi_t)
|
||||
init_use_script_ptys(avahi_t)
|
||||
@ -76,6 +77,7 @@ libs_use_shared_libs(avahi_t)
|
||||
logging_send_syslog_msg(avahi_t)
|
||||
|
||||
miscfiles_read_localization(avahi_t)
|
||||
miscfiles_read_certs(avahi_t)
|
||||
|
||||
sysnet_read_config(avahi_t)
|
||||
sysnet_use_ldap(avahi_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bind,1.1.8)
|
||||
policy_module(bind,1.1.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -218,6 +218,7 @@ allow ndc_t self:tcp_socket create_socket_perms;
|
||||
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow ndc_t dnssec_t:file { getattr read };
|
||||
allow ndc_t dnssec_t:lnk_file { getattr read };
|
||||
|
||||
allow ndc_t named_t:unix_stream_socket connectto;
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cpucontrol,1.0.1)
|
||||
policy_module(cpucontrol,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -25,7 +25,7 @@ files_pid_file(cpuspeed_var_run_t)
|
||||
# CPU microcode loader local policy
|
||||
#
|
||||
|
||||
allow cpucontrol_t self:capability sys_rawio;
|
||||
allow cpucontrol_t self:capability { ipc_lock sys_rawio };
|
||||
dontaudit cpucontrol_t self:capability sys_tty_config;
|
||||
allow cpucontrol_t self:process signal_perms;
|
||||
|
||||
|
@ -194,13 +194,14 @@ template(`cron_per_userdomain_template',`
|
||||
allow crond_t $1_cron_spool_t:file create_file_perms;
|
||||
|
||||
# dac_override is to create the file in the directory under /tmp
|
||||
allow $1_crontab_t self:capability { setuid setgid chown dac_override };
|
||||
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
|
||||
allow $1_crontab_t self:process signal_perms;
|
||||
|
||||
# create files in /var/spool/cron
|
||||
allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
|
||||
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
|
||||
type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
|
||||
allow $1_crontab_t $1_cron_spool_t:file manage_file_perms;
|
||||
type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;
|
||||
files_search_spool($1_crontab_t)
|
||||
|
||||
# crontab signals crond by updating the mtime on the spooldir
|
||||
allow $1_crontab_t cron_spool_t:dir setattr;
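Review bot: The comment `# dac_override is to create the file in the directory under /tmp` now sits above a capability set that also gains `fowner`, which it does not explain; extend it with the reason, e.g. `# fowner: crontab changes mode/ownership of the spool file it installs on the user's behalf — confirm against the denial that motivated it`. The new `type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;` keyed on the parent directory type reads as the correct form of the rule it replaces, and `manage_file_perms` on `$1_cron_spool_t:file` is broader than the previous `create_file_perms`; a short why-comment on that widening would help too.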
|
||||
@ -238,12 +239,16 @@ template(`cron_per_userdomain_template',`
|
||||
# Read user crontabs
|
||||
userdom_read_user_home_content_files($1,$1_crontab_t)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
tunable_policy(`fcron_crond',`
|
||||
# fcron wants an instant update of a crontab change for the administrator
|
||||
# also crontab does a security check for crontab -u
|
||||
dontaudit $1_crontab_t crond_t:process signal;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_crontab_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow $1_crond_t tmp_t:dir rw_dir_perms;
|
||||
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cron,1.3.10)
|
||||
policy_module(cron,1.3.11)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -138,6 +138,8 @@ userdom_use_unpriv_users_fds(crond_t)
|
||||
# Not sure why this is needed
|
||||
userdom_list_all_users_home_dirs(crond_t)
|
||||
|
||||
mta_send_mail(crond_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
|
||||
@ -173,8 +175,6 @@ ifdef(`targeted_policy',`
|
||||
allow crond_t crond_tmp_t:dir create_dir_perms;
|
||||
allow crond_t crond_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
|
||||
|
||||
mta_send_mail(crond_t)
|
||||
')
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
@ -341,8 +341,6 @@ ifdef(`targeted_policy',`
|
||||
|
||||
seutil_read_config(system_crond_t)
|
||||
|
||||
mta_send_mail(system_crond_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
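Review bot: The header counts for this hunk (8 old lines, 6 new, nothing added) mean two lines leave this region, and the only non-blank candidate printed is `mta_send_mail(system_crond_t)`; if that is what is removed, system cron jobs lose the ability to mail their output unless the grant reappears elsewhere, and the only mail grant this commit adds is `mta_send_mail(crond_t)` in the hunk at line 138. Confirm this is intended; if crond_t is now meant to send mail on the job's behalf, a comment here saying so would stop the rule being re-added by the next person who hits the denial.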
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.3.11)
|
||||
policy_module(cups,1.3.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -74,13 +74,14 @@ files_pid_file(ptal_var_run_t)
|
||||
#
|
||||
|
||||
# /usr/lib/cups/backend/serial needs sys_admin(?!)
|
||||
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
|
||||
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config audit_write };
|
||||
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
|
||||
allow cupsd_t self:process { setsched signal_perms };
|
||||
allow cupsd_t self:fifo_file rw_file_perms;
|
||||
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow cupsd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
|
||||
allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow cupsd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow cupsd_t self:udp_socket create_socket_perms;
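Review bot: The rewritten capability line `allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config audit_write };` lists `dac_override` twice; checkpolicy accepts the duplicate, but it makes an already very broad set harder to read, so drop one occurrence. The only addition is `sys_resource`, and the line above documents `sys_admin` with `# /usr/lib/cups/backend/serial needs sys_admin(?!)`; the new capability deserves the same treatment, e.g. `# sys_resource: <which backend/operation needs it> — confirm`.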
|
||||
@ -152,6 +153,8 @@ dev_read_urand(cupsd_t)
|
||||
dev_read_sysfs(cupsd_t)
|
||||
dev_read_usbfs(cupsd_t)
|
||||
|
||||
domain_read_all_domains_state(cupsd_t)
|
||||
|
||||
fs_getattr_all_fs(cupsd_t)
|
||||
fs_search_auto_mountpoints(cupsd_t)
|
||||
# from old usercanread attrib:
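Review bot: `domain_read_all_domains_state(cupsd_t)` lets cupsd read the /proc state of every domain on the system, which is considerably wider than the device and filesystem reads around it and is the kind of grant that tends to outlive the bug that prompted it. A why-comment naming the component and the denial would let a later reviewer decide whether a narrower interface suffices: `# <cups component> reads /proc/<pid> of <which domains> for <purpose> — confirm`.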
|
||||
@ -186,6 +189,8 @@ files_read_var_symlinks(cupsd_t)
|
||||
# for /etc/printcap
|
||||
files_dontaudit_write_etc_files(cupsd_t)
|
||||
|
||||
selinux_compute_access_vector(cupsd_t)
|
||||
|
||||
init_use_fds(cupsd_t)
|
||||
init_use_script_ptys(cupsd_t)
|
||||
init_exec_script_files(cupsd_t)
|
||||
@ -201,7 +206,7 @@ miscfiles_read_localization(cupsd_t)
|
||||
# invoking ghostscript needs to read fonts
|
||||
miscfiles_read_fonts(cupsd_t)
|
||||
|
||||
seutil_dontaudit_read_config(cupsd_t)
|
||||
seutil_read_config(cupsd_t)
|
||||
|
||||
sysnet_read_config(cupsd_t)
|
||||
|
||||
@ -219,7 +224,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
init_stream_connect_script(cupsd_t)
|
||||
|
||||
unconfined_read_pipes(cupsd_t)
|
||||
unconfined_rw_pipes(cupsd_t)
|
||||
|
||||
optional_policy(`
|
||||
init_dbus_chat_script(cupsd_t)
|
||||
@ -230,6 +235,10 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
apm_domtrans_client(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(cupsd_t, cupsd_exec_t)
|
||||
')
|
||||
@ -253,6 +262,10 @@ optional_policy(`
|
||||
inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
logrotate_domtrans(cupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(cupsd_t)
|
||||
')
|
||||
@ -397,7 +410,7 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_files(cupsd_config_t)
|
||||
|
||||
term_dontaudit_use_unallocated_ttys(cupsd_config_t)
|
||||
@ -588,6 +601,7 @@ dev_rw_printer(hplip_t)
|
||||
dev_read_urand(hplip_t)
|
||||
dev_read_rand(hplip_t)
|
||||
dev_rw_generic_usb_dev(hplip_t)
|
||||
dev_read_usbfs(hplip_t)
|
||||
|
||||
fs_getattr_all_fs(hplip_t)
|
||||
fs_search_auto_mountpoints(hplip_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cyrus,1.1.4)
|
||||
policy_module(cyrus,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -69,10 +69,12 @@ corenet_tcp_sendrecv_all_ports(cyrus_t)
|
||||
corenet_udp_sendrecv_all_ports(cyrus_t)
|
||||
corenet_tcp_bind_all_nodes(cyrus_t)
|
||||
corenet_tcp_bind_mail_port(cyrus_t)
|
||||
corenet_tcp_bind_lmtp_port(cyrus_t)
|
||||
corenet_tcp_bind_pop_port(cyrus_t)
|
||||
corenet_tcp_connect_all_ports(cyrus_t)
|
||||
corenet_sendrecv_mail_server_packets(cyrus_t)
|
||||
corenet_sendrecv_pop_server_packets(cyrus_t)
|
||||
corenet_sendrecv_lmtp_server_packets(cyrus_t)
|
||||
corenet_sendrecv_all_client_packets(cyrus_t)
|
||||
|
||||
dev_read_rand(cyrus_t)
|
||||
@ -139,6 +141,10 @@ optional_policy(`
|
||||
seutil_sigchld_newrole(cyrus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
snmp_read_snmp_var_lib_files(cyrus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(cyrus_t)
|
||||
')
|
||||
|
@ -139,6 +139,8 @@ template(`dbus_per_userdomain_template',`
|
||||
files_read_usr_files($1_dbusd_t)
|
||||
files_dontaudit_search_var($1_dbusd_t)
|
||||
|
||||
auth_read_pam_console_data($1_dbusd_t)
|
||||
|
||||
libs_use_ld_so($1_dbusd_t)
|
||||
libs_use_shared_libs($1_dbusd_t)
|
||||
|
||||
@ -160,7 +162,7 @@ template(`dbus_per_userdomain_template',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
auth_read_pam_console_data($1_dbusd_t)
|
||||
hal_dbus_chat($1_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dbus,1.2.7)
|
||||
policy_module(dbus,1.2.8)
|
||||
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
@ -38,6 +38,7 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
# Receive notifications of policy reloads and enforcing status changes.
|
||||
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
|
||||
|
||||
@ -102,6 +103,7 @@ libs_use_shared_libs(system_dbusd_t)
|
||||
logging_send_syslog_msg(system_dbusd_t)
|
||||
|
||||
miscfiles_read_localization(system_dbusd_t)
|
||||
miscfiles_read_certs(system_dbusd_t)
|
||||
|
||||
seutil_read_config(system_dbusd_t)
|
||||
seutil_read_default_contexts(system_dbusd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dovecot,1.2.5)
|
||||
policy_module(dovecot,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -193,6 +193,8 @@ miscfiles_read_localization(dovecot_auth_t)
|
||||
|
||||
seutil_dontaudit_search_config(dovecot_auth_t)
|
||||
|
||||
sysnet_dns_name_resolve(dovecot_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(dovecot_auth_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inn,1.1.3)
|
||||
policy_module(inn,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -36,6 +36,7 @@ allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow innd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow innd_t self:udp_socket create_socket_perms;
|
||||
allow innd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow innd_t innd_etc_t:file r_file_perms;
|
||||
allow innd_t innd_etc_t:dir r_dir_perms;
|
||||
|
@ -2,6 +2,8 @@
|
||||
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
|
||||
/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
ifdef(`distro_redhat',`
|
||||
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mta,1.3.8)
|
||||
policy_module(mta,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(openvpn,1.0.3)
|
||||
policy_module(openvpn,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -33,7 +33,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow openvpn_t self:udp_socket create_socket_perms;
|
||||
allow openvpn_t self:tcp_socket create_socket_perms;
|
||||
allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
|
||||
allow openvpn_t openvpn_etc_t:dir r_dir_perms;
|
||||
allow openvpn_t openvpn_etc_t:file r_file_perms;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postfix,1.2.11)
|
||||
policy_module(postfix,1.2.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -251,6 +251,8 @@ allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
|
||||
|
||||
corecmd_exec_bin(postfix_cleanup_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix local local policy
|
||||
@ -284,6 +286,10 @@ mta_delete_spool(postfix_local_t)
|
||||
# For reading spamassasin
|
||||
mta_read_config(postfix_local_t)
|
||||
|
||||
optional_policy(`
|
||||
clamav_search_lib(postfix_local_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for postalias
|
||||
mailman_manage_data_files(postfix_local_t)
|
||||
@ -520,6 +526,8 @@ allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
|
||||
|
||||
corecmd_exec_bin(postfix_qmgr_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Postfix showq local policy
|
||||
@ -578,6 +586,8 @@ allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_p
|
||||
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
||||
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
|
||||
|
||||
corecmd_exec_bin(postfix_smtpd_t)
|
||||
|
||||
# for OpenSSL certificates
|
||||
files_read_usr_files(postfix_smtpd_t)
|
||||
mta_read_aliases(postfix_smtpd_t)
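Review bot: `corecmd_exec_bin()` is granted to postfix_cleanup_t, postfix_qmgr_t and postfix_smtpd_t in the hunks at @ -251, @ -520 and @ -578 without a comment on which helper each daemon executes, unlike the `# for postalias` comment the local domain carries; smtpd in particular is the network-facing domain, so a why-comment per call such as `# corecmd_exec_bin: TODO name the helper binary that triggered the denial` would let a later reviewer narrow it. In the @ -578 hunk, `files_read_usr_files(postfix_smtpd_t)` under `# for OpenSSL certificates` grants read of all generic usr files, while the certificate store is its own type (the miscfiles fc hunk in this commit labels `/etc/pki(/.*)?` as cert_t) and `miscfiles_read_certs()`, used for pam_console_t in this same commit, presumably covers it more precisely. The same remark applies to `files_read_usr_files(mount_t)` under `# For reading cert files` in the mount policy hunk at @ -80. The postfix_smtpd_t block continues outside the hunk.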
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postgresql,1.1.3)
|
||||
policy_module(postgresql,1.1.4)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -134,6 +134,7 @@ miscfiles_read_localization(postgresql_t)
|
||||
seutil_dontaudit_search_config(postgresql_t)
|
||||
|
||||
sysnet_read_config(postgresql_t)
|
||||
sysnet_use_ldap(postgresql_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
|
||||
userdom_dontaudit_use_sysadm_ttys(postgresql_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(radius,1.1.3)
|
||||
policy_module(radius,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -31,7 +31,7 @@ files_pid_file(radiusd_var_run_t)
|
||||
# gzip also needs chown access to preserve GID for radwtmp files
|
||||
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
|
||||
dontaudit radiusd_t self:capability sys_tty_config;
|
||||
allow radiusd_t self:process setsched;
|
||||
allow radiusd_t self:process { setsched signal };
|
||||
allow radiusd_t self:fifo_file rw_file_perms;
|
||||
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow radiusd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
@ -51,6 +51,8 @@ template(`rpc_domain_template', `
|
||||
kernel_rw_rpc_sysctls($1_t)
|
||||
|
||||
dev_read_sysfs($1_t)
|
||||
dev_read_urand($1_t)
|
||||
dev_read_rand($1_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_t)
|
||||
corenet_tcp_sendrecv_all_if($1_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rpc,1.2.11)
|
||||
policy_module(rpc,1.2.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -48,9 +48,6 @@ kernel_search_network_state(rpcd_t)
|
||||
# for rpc.rquotad
|
||||
kernel_read_sysctl(rpcd_t)
|
||||
|
||||
dev_read_urand(rpcd_t)
|
||||
dev_read_rand(rpcd_t)
|
||||
|
||||
fs_list_rpc(rpcd_t)
|
||||
fs_read_rpc_files(rpcd_t)
|
||||
fs_read_rpc_symlinks(rpcd_t)
|
||||
@ -129,8 +126,6 @@ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
||||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
|
||||
dev_read_urand(gssd_t)
|
||||
|
||||
fs_list_rpc(gssd_t)
|
||||
fs_read_rpc_sockets(gssd_t)
|
||||
fs_read_rpc_files(gssd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(samba,1.2.9)
|
||||
policy_module(samba,1.2.10)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -171,7 +171,7 @@ optional_policy(`
|
||||
#
|
||||
# smbd Local policy
|
||||
#
|
||||
allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search };
|
||||
allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
|
||||
dontaudit smbd_t self:capability sys_tty_config;
|
||||
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow smbd_t self:process setrlimit;
|
||||
@ -191,7 +191,7 @@ allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow smbd_t samba_etc_t:dir rw_dir_perms;
|
||||
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
|
||||
|
||||
allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
|
||||
allow smbd_t samba_log_t:dir { create ra_dir_perms setattr };
|
||||
dontaudit smbd_t samba_log_t:dir remove_name;
|
||||
allow smbd_t samba_log_t:file { create ra_file_perms };
|
||||
|
||||
@ -359,7 +359,7 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
|
||||
allow nmbd_t samba_etc_t:dir { search getattr };
|
||||
allow nmbd_t samba_etc_t:file { getattr read };
|
||||
|
||||
allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
|
||||
allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr };
|
||||
allow nmbd_t samba_log_t:file { create ra_file_perms };
|
||||
|
||||
allow nmbd_t samba_var_t:dir rw_dir_perms;
|
||||
@ -638,8 +638,8 @@ allow winbind_t samba_secrets_t:file create_file_perms;
|
||||
allow winbind_t samba_etc_t:dir rw_dir_perms;
|
||||
type_transition winbind_t samba_etc_t:file samba_secrets_t;
|
||||
|
||||
allow winbind_t samba_log_t:dir rw_dir_perms;
|
||||
allow winbind_t samba_log_t:file create_file_perms;
|
||||
allow winbind_t samba_log_t:dir manage_dir_perms;
|
||||
allow winbind_t samba_log_t:file manage_file_perms;
|
||||
allow winbind_t samba_log_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow winbind_t samba_var_t:dir rw_dir_perms;
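Review bot: `fowner` is added to smbd_t's self:capability set in the @ -171 hunk with no comment; CAP_FOWNER bypasses ownership checks on permission and attribute changes for every file smbd can already reach, so the denial that motivated it should be recorded, e.g. `# fowner: TODO name the operation on files owned by other users that needs it`. In the @ -638 hunk winbind_t's samba_log_t rules move from rw/create to `manage_dir_perms`/`manage_file_perms`, which include removing entries; if the need is presumably log rotation, a short comment saying so would keep the grant reviewable. The smbd_t and winbind_t blocks continue outside these hunks.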
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(spamassassin,1.3.10)
|
||||
policy_module(spamassassin,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -169,6 +169,10 @@ optional_policy(`
|
||||
nis_use_ypbind(spamd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postfix_read_config(spamd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(spamd_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(squid,1.1.5)
|
||||
policy_module(squid,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,9 +28,9 @@ files_pid_file(squid_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow squid_t self:capability { setgid setuid dac_override };
|
||||
allow squid_t self:capability { setgid setuid dac_override sys_resource };
|
||||
dontaudit squid_t self:capability sys_tty_config;
|
||||
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
|
||||
allow squid_t self:fifo_file rw_file_perms;
|
||||
allow squid_t self:sock_file r_file_perms;
|
||||
allow squid_t self:fd use;
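Review bot: `sys_resource` is added to squid_t's capabilities and `setrlimit` is dropped from the negated process permission set in the same @ -28 hunk, so squid can now raise its own resource limits; nothing in the hunk says why. A comment on the capability line such as `# sys_resource/setrlimit: squid raises its own limits at startup — TODO confirm` would document the pair as one intended change rather than two unrelated edits.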
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sysstat,1.0.0)
|
||||
policy_module(sysstat,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -50,6 +50,7 @@ files_read_etc_files(sysstat_t)
|
||||
fs_getattr_xattr_fs(sysstat_t)
|
||||
|
||||
term_use_console(sysstat_t)
|
||||
term_use_all_terms(sysstat_t)
|
||||
|
||||
init_use_fds(sysstat_t)
|
||||
init_use_script_ptys(sysstat_t)
|
||||
@ -57,6 +58,8 @@ init_use_script_ptys(sysstat_t)
|
||||
libs_use_ld_so(sysstat_t)
|
||||
libs_use_shared_libs(sysstat_t)
|
||||
|
||||
locallogin_use_fds(sysstat_t)
|
||||
|
||||
miscfiles_read_localization(sysstat_t)
|
||||
|
||||
userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
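Review bot: `term_use_all_terms(sysstat_t)` in the @ -50 hunk grants read/write on every terminal type, while the line above it already gives `term_use_console`; if the intent is only that the collector can write to the terminal it is started from interactively, a comment naming that case (`# for running sysstat tools from an interactive shell — TODO confirm`) or a user-terminal interface would be the narrower grant. The `locallogin_use_fds` addition in the @ -57 hunk looks consistent with that same interactive use.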
|
||||
|
@ -109,7 +109,7 @@ template(`xserver_common_domain_template',`
|
||||
corenet_sendrecv_xserver_server_packets($1_xserver_t)
|
||||
corenet_sendrecv_all_client_packets($1_xserver_t)
|
||||
|
||||
dev_read_sysfs($1_xserver_t)
|
||||
dev_rw_sysfs($1_xserver_t)
|
||||
dev_rw_mouse($1_xserver_t)
|
||||
dev_rw_mtrr($1_xserver_t)
|
||||
dev_rw_apm_bios($1_xserver_t)
|
||||
@ -120,7 +120,7 @@ template(`xserver_common_domain_template',`
|
||||
dev_setattr_generic_dirs($1_xserver_t)
|
||||
# raw memory access is needed if not using the frame buffer
|
||||
dev_read_raw_memory($1_xserver_t)
|
||||
dev_write_raw_memory($1_xserver_t)
|
||||
dev_wx_raw_memory($1_xserver_t)
|
||||
# for other device nodes such as the NVidia binary-only driver
|
||||
dev_rw_xserver_misc($1_xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
@ -159,6 +159,10 @@ template(`xserver_common_domain_template',`
|
||||
|
||||
sysnet_read_config($1_xserver_t)
|
||||
|
||||
optional_policy(`
|
||||
apm_stream_connect($1_xserver_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
auth_search_pam_console_data($1_xserver_t)
|
||||
')
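Review bot: replacing `dev_write_raw_memory` with `dev_wx_raw_memory` in the @ -120 hunk presumably adds execute on the raw memory device for every X server domain built from this template; the existing comment `# raw memory access is needed if not using the frame buffer` explains read and write but not execute, so the reason (likely the binary-only drivers mentioned in the next comment) should be stated, e.g. `# execute on raw memory: needed by binary-only drivers — TODO confirm, drop when possible`. Likewise `dev_read_sysfs` → `dev_rw_sysfs` in the @ -109 hunk widens sysfs access to write with no comment. The template xserver_common_domain_template starts before these hunks.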
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xserver,1.1.13)
|
||||
policy_module(xserver,1.1.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -81,15 +81,18 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
||||
allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
|
||||
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
|
||||
allow xdm_t self:fifo_file rw_file_perms;
|
||||
allow xdm_t self:shm create_shm_perms;
|
||||
allow xdm_t self:sem create_sem_perms;
|
||||
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow xdm_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow xdm_t self:unix_dgram_socket create_socket_perms;
|
||||
allow xdm_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xdm_t self:udp_socket create_socket_perms;
|
||||
allow xdm_t self:key write;
|
||||
allow xdm_t self:socket create_socket_perms;
|
||||
allow xdm_t self:appletalk_socket create_socket_perms;
|
||||
allow xdm_t self:key { search link write };
|
||||
|
||||
# Supress permission check on .ICE-unix
|
||||
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
|
||||
@ -106,6 +109,8 @@ allow xdm_t xdm_rw_etc_t:file create_file_perms;
|
||||
|
||||
kernel_read_system_state(xdm_t)
|
||||
kernel_read_kernel_sysctls(xdm_t)
|
||||
kernel_read_net_sysctls(xdm_t)
|
||||
kernel_read_network_state(xdm_t)
|
||||
|
||||
corecmd_exec_shell(xdm_t)
|
||||
corecmd_exec_bin(xdm_t)
|
||||
@ -154,6 +159,7 @@ domain_use_interactive_fds(xdm_t)
|
||||
domain_dontaudit_read_all_domains_state(xdm_t)
|
||||
|
||||
files_read_etc_files(xdm_t)
|
||||
files_read_var_files(xdm_t)
|
||||
files_read_etc_runtime_files(xdm_t)
|
||||
files_exec_etc_files(xdm_t)
|
||||
files_list_mnt(xdm_t)
|
||||
@ -180,6 +186,8 @@ term_setattr_unallocated_ttys(xdm_t)
|
||||
|
||||
auth_manage_pam_pid(xdm_t)
|
||||
auth_manage_pam_console_data(xdm_t)
|
||||
auth_rw_faillog(xdm_t)
|
||||
auth_write_login_records(xdm_t)
|
||||
|
||||
init_use_script_ptys(xdm_t)
|
||||
# Run telinit->init to shutdown.
|
||||
@ -257,7 +265,7 @@ ifdef(`strict_policy',`
|
||||
allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
|
||||
allow xdm_t xdm_xserver_tmp_t:file unlink;
|
||||
|
||||
allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
|
||||
allow xdm_t xserver_log_t:dir manage_dir_perms;
|
||||
allow xdm_t xserver_log_t:file manage_file_perms;
|
||||
allow xdm_t xserver_log_t:fifo_file manage_file_perms;
|
||||
logging_log_filetrans(xdm_t,xserver_log_t,file)
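Review bot: `files_read_var_files(xdm_t)` in the @ -154 hunk grants read of every generic var file without saying which file xdm needs, and the @ -257 hunk widens xserver_log_t from `{ rw_dir_perms setattr }` to `manage_dir_perms`, which includes removing and reparenting the directory; a why-comment on each, e.g. `# reads <file> under /var — TODO name it`, would keep both narrowable later. `auth_rw_faillog` and `auth_write_login_records` in the @ -180 hunk are consistent with xdm doing login accounting and need no change. The xdm_t local policy block continues outside these hunks.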
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin,1.3.12)
|
||||
policy_module(authlogin,1.3.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -215,6 +215,7 @@ libs_use_shared_libs(pam_console_t)
|
||||
logging_send_syslog_msg(pam_console_t)
|
||||
|
||||
miscfiles_read_localization(pam_console_t)
|
||||
miscfiles_read_certs(pam_console_t)
|
||||
|
||||
seutil_read_file_contexts(pam_console_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hostname,1.2.0)
|
||||
policy_module(hostname,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -56,6 +56,6 @@ miscfiles_read_localization(hostname_t)
|
||||
sysnet_read_config(hostname_t)
|
||||
sysnet_dns_name_resolve(hostname_t)
|
||||
|
||||
|
||||
|
||||
|
||||
optional_policy(`
|
||||
xen_dontaudit_use_fds(hostname_t)
|
||||
')
|
||||
|
@ -110,7 +110,6 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -122,6 +121,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -182,6 +183,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/seamonkey.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
@ -213,8 +215,8 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(libraries,1.3.11)
|
||||
policy_module(libraries,1.3.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(locallogin,1.2.5)
|
||||
policy_module(locallogin,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -47,7 +47,7 @@ allow local_login_t self:shm create_shm_perms;
|
||||
allow local_login_t self:sem create_sem_perms;
|
||||
allow local_login_t self:msgq create_msgq_perms;
|
||||
allow local_login_t self:msg { send receive };
|
||||
allow local_login_t self:key write;
|
||||
allow local_login_t self:key { search write };
|
||||
|
||||
allow local_login_t local_login_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(local_login_t,local_login_lock_t,file)
|
||||
@ -58,6 +58,8 @@ files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(local_login_t)
|
||||
kernel_read_kernel_sysctls(local_login_t)
|
||||
kernel_search_key(local_login_t)
|
||||
kernel_link_key(local_login_t)
|
||||
|
||||
dev_setattr_mouse_dev(local_login_t)
|
||||
dev_getattr_mouse_dev(local_login_t)
|
||||
|
@ -30,6 +30,8 @@ ifdef(`distro_suse', `
|
||||
|
||||
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
|
||||
|
||||
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
|
||||
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
|
@ -149,6 +149,27 @@ interface(`logging_run_auditd',`
|
||||
allow auditd_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to auditdstored over an unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_stream_connect_auditd',`
|
||||
gen_require(`
|
||||
type auditd_t, auditd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 auditd_var_run_t:dir search_dir_perms;
|
||||
allow $1 auditd_var_run_t:sock_file rw_file_perms;
|
||||
allow $1 auditd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage the auditd configuration files.
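Review bot: the summary of the new `logging_stream_connect_auditd` interface reads `Connect to auditdstored over an unix stream socket.`; "auditdstored" looks like a copy-paste from a xenstored interface, and the line should read `## Connect to auditd over a unix stream socket.`. It would also help callers to say which socket is meant, since the logging fc hunk in this commit labels `/var/run/auditd_sock` as auditd_var_run_t. The interface grants `rw_file_perms` on the sock_file; connecting presumably needs only `write`, so if read is not required the narrower permission is preferable.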
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.3.10)
|
||||
policy_module(logging,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -120,9 +120,10 @@ allow auditd_t auditd_log_t:file create_file_perms;
|
||||
allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
|
||||
allow auditd_t var_log_t:dir search;
|
||||
|
||||
allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||
allow auditd_t auditd_var_run_t:sock_file manage_file_perms;
|
||||
allow auditd_t auditd_var_run_t:file manage_file_perms;
|
||||
allow auditd_t auditd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(auditd_t,auditd_var_run_t,file)
|
||||
files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(auditd_t)
|
||||
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
||||
|
@ -85,6 +85,6 @@
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
|
||||
|
||||
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
|
||||
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
|
||||
/var/run/multipathd.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
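Review bot: `/var/run/multipathd.sock -s` in the @ -85 hunk leaves the dot unescaped, so the pattern matches any character in that position, whereas the sibling entries in this commit escape it (`auditd\.pid`, `klogd\.pid`); it should read `/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)`. `/var/cache/multipathd(/.*)?` is labeled lvm_metadata_t, presumably sharing the type used for LVM's own metadata; if multipath's cache later needs different access, a dedicated type will be required.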
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lvm,1.3.5)
|
||||
policy_module(lvm,1.3.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -133,6 +133,7 @@ allow lvm_t self:process setsched;
|
||||
allow lvm_t self:file rw_file_perms;
|
||||
allow lvm_t self:fifo_file rw_file_perms;
|
||||
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
||||
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
allow lvm_t lvm_tmp_t:dir create_dir_perms;
|
||||
allow lvm_t lvm_tmp_t:file create_file_perms;
|
||||
@ -150,9 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms;
|
||||
allow lvm_t lvm_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(lvm_t,lvm_lock_t,file)
|
||||
|
||||
allow lvm_t lvm_var_run_t:file create_file_perms;
|
||||
allow lvm_t lvm_var_run_t:dir create_dir_perms;
|
||||
files_pid_filetrans(lvm_t,lvm_var_run_t,file)
|
||||
allow lvm_t lvm_var_run_t:file manage_file_perms;
|
||||
allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
|
||||
allow lvm_t lvm_var_run_t:dir manage_dir_perms;
|
||||
files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file })
|
||||
|
||||
allow lvm_t lvm_etc_t:file r_file_perms;
|
||||
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
|
||||
|
@ -8,6 +8,7 @@ ifdef(`distro_gentoo',`
|
||||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
|
||||
|
@ -114,6 +114,26 @@ interface(`miscfiles_read_localization',`
|
||||
libs_read_lib_files($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow process to write localization info
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_rw_localization',`
|
||||
gen_require(`
|
||||
type locale_t;
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
allow $1 locale_t:dir list_dir_perms;
|
||||
allow $1 locale_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow process to read legacy time localization info
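Review bot: the new `miscfiles_rw_localization` interface grants `rw_file_perms` on every locale_t file, and the miscfiles fc hunk in this commit shows locale_t also labels `/etc/localtime` and `/etc/avahi/etc/localtime`, so a caller can rewrite the system timezone, not only files under /usr; the summary `## Allow process to write localization info` should say so, e.g. `## Read and write localization info, including /etc/localtime.`. No caller is visible in this commit, so the intended consumer cannot be checked from here. It only calls `files_search_usr($1)`, mirroring the read interface above it, so a caller reaching /etc/localtime needs etc search from elsewhere.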
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(miscfiles,1.0.2)
|
||||
policy_module(miscfiles,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mount,1.3.9)
|
||||
policy_module(mount,1.3.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -80,6 +80,7 @@ files_unmount_all_file_type_fs(mount_t)
|
||||
files_read_isid_type_files(mount_t)
|
||||
# For reading cert files
|
||||
files_read_usr_files(mount_t)
|
||||
files_list_mnt(mount_t)
|
||||
|
||||
init_use_fds(mount_t)
|
||||
init_use_script_ptys(mount_t)
|
||||
@ -97,6 +98,8 @@ mls_file_write_down(mount_t)
|
||||
|
||||
sysnet_use_portmap(mount_t)
|
||||
|
||||
selinux_get_enforce_mode(mount_t)
|
||||
|
||||
userdom_use_all_users_fds(mount_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -166,6 +169,10 @@ optional_policy(`
|
||||
samba_domtrans_smbmount(mount_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(mount_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined mount local policy
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinuxutil,1.2.12)
|
||||
policy_module(selinuxutil,1.2.13)
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
@ -462,6 +462,10 @@ logging_send_syslog_msg(restorecond_t)
|
||||
|
||||
miscfiles_read_localization(restorecond_t)
|
||||
|
||||
optional_policy(`
|
||||
rpm_use_script_fds(restorecond_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# restorecond watches for users logging in,
|
||||
# so it getspwnam when a user logs in to find his homedir
|
||||
|
@ -1,5 +1,6 @@
|
||||
# udev
|
||||
|
||||
/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
|
||||
/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
|
||||
/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(udev,1.3.4)
|
||||
policy_module(udev,1.3.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',`
|
||||
dev_unconfined($1)
|
||||
domain_unconfined($1)
|
||||
domain_dontaudit_read_all_domains_state($1)
|
||||
domain_dontaudit_ptrace_all_domains($1)
|
||||
files_unconfined($1)
|
||||
fs_unconfined($1)
|
||||
selinux_unconfined($1)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined,1.3.13)
|
||||
policy_module(unconfined,1.3.14)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -195,4 +195,11 @@ ifdef(`targeted_policy',`
|
||||
ifdef(`targeted_policy',`
|
||||
allow unconfined_execmem_t self:process { execstack execmem };
|
||||
unconfined_domain_noaudit(unconfined_execmem_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_stub(unconfined_execmem_t)
|
||||
|
||||
init_dbus_chat_script(unconfined_execmem_t)
|
||||
unconfined_dbus_chat(unconfined_execmem_t)
|
||||
')
|
||||
')
|
||||
|
@ -23,6 +23,42 @@ interface(`xen_domtrans',`
|
||||
allow xend_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Inherit and use xen file descriptors.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xen_use_fds',`
|
||||
gen_require(`
|
||||
type xend_t;
|
||||
')
|
||||
|
||||
allow $1 xend_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to inherit
|
||||
## xen file descriptors.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xen_dontaudit_use_fds',`
|
||||
gen_require(`
|
||||
type xend_t;
|
||||
')
|
||||
|
||||
dontaudit $1 xend_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
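Review bot: the `<param name="domain">` summary of the new `xen_use_fds` interface says `Domain to not audit.`, copied from the dontaudit variant below it; for an allow interface it should read `## Domain allowed access.`, matching the convention used by `logging_stream_connect_auditd` in this commit. The text on `xen_dontaudit_use_fds` is correct.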
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xen,1.0.8)
|
||||
policy_module(xen,1.0.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -69,7 +69,9 @@ init_daemon_domain(xm_t, xm_exec_t)
|
||||
#
|
||||
|
||||
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
|
||||
dontaudit xend_t self:capability { sys_ptrace };
|
||||
allow xend_t self:process { signal sigkill };
|
||||
dontaudit xend_t self:process ptrace;
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
allow xend_t self:fifo_file rw_file_perms;
|
||||
allow xend_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -79,7 +81,7 @@ allow xend_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xend_t self:packet_socket create_socket_perms;
|
||||
|
||||
allow xend_t xen_image_t:dir r_dir_perms;
|
||||
allow xend_t xen_image_t:file r_file_perms;
|
||||
allow xend_t xen_image_t:file rw_file_perms;
|
||||
|
||||
# pid file
|
||||
allow xend_t xend_var_run_t:file manage_file_perms;
|
||||
@ -128,8 +130,10 @@ corenet_tcp_sendrecv_all_ports(xend_t)
|
||||
corenet_tcp_bind_all_nodes(xend_t)
|
||||
corenet_tcp_bind_xen_port(xend_t)
|
||||
corenet_tcp_bind_soundd_port(xend_t)
|
||||
corenet_tcp_bind_generic_port(xend_t)
|
||||
corenet_sendrecv_xen_server_packets(xend_t)
|
||||
corenet_sendrecv_soundd_server_packets(xend_t)
|
||||
corenet_rw_tun_tap_dev(xend_t)
|
||||
|
||||
dev_read_urand(xend_t)
|
||||
dev_manage_xen(xend_t)
|
||||
@ -138,19 +142,24 @@ dev_rw_sysfs(xend_t)
|
||||
|
||||
domain_read_all_domains_state(xend_t)
|
||||
domain_dontaudit_read_all_domains_state(xend_t)
|
||||
domain_dontaudit_ptrace_all_domains(xend_t)
|
||||
|
||||
files_read_etc_files(xend_t)
|
||||
files_read_kernel_symbol_table(xend_t)
|
||||
files_read_kernel_img(xend_t)
|
||||
files_manage_etc_runtime_files(xend_t)
|
||||
files_etc_filetrans_etc_runtime(xend_t,file)
|
||||
files_read_usr_files(xend_t)
|
||||
|
||||
storage_raw_read_fixed_disk(xend_t)
|
||||
|
||||
term_dontaudit_getattr_all_user_ptys(xend_t)
|
||||
term_dontaudit_use_generic_ptys(xend_t)
|
||||
term_getattr_all_user_ptys(xend_t)
|
||||
term_use_generic_ptys(xend_t)
|
||||
term_use_ptmx(xend_t)
|
||||
term_getattr_pty_fs(xend_t)
|
||||
|
||||
init_use_fds(xend_t)
|
||||
init_use_script_ptys(xend_t)
|
||||
|
||||
libs_use_ld_so(xend_t)
|
||||
libs_use_shared_libs(xend_t)
|
||||
@ -195,11 +204,14 @@ kernel_read_kernel_sysctls(xenconsoled_t)
|
||||
kernel_write_xen_state(xenconsoled_t)
|
||||
kernel_read_xen_state(xenconsoled_t)
|
||||
|
||||
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
|
||||
|
||||
term_create_pty(xenconsoled_t,xen_devpts_t);
|
||||
term_dontaudit_use_generic_ptys(xenconsoled_t)
|
||||
term_use_generic_ptys(xenconsoled_t)
|
||||
term_use_console(xenconsoled_t)
|
||||
|
||||
init_use_fds(xenconsoled_t)
|
||||
init_use_script_ptys(xenconsoled_t)
|
||||
|
||||
libs_use_ld_so(xenconsoled_t)
|
||||
libs_use_shared_libs(xenconsoled_t)
|
||||
@ -238,10 +250,11 @@ dev_manage_xen(xenconsoled_t)
|
||||
dev_filetrans_xen(xenstored_t)
|
||||
dev_rw_xen(xenstored_t)
|
||||
|
||||
term_dontaudit_use_generic_ptys(xenstored_t)
|
||||
term_dontaudit_use_console(xenconsoled_t)
|
||||
term_use_generic_ptys(xenstored_t)
|
||||
term_use_console(xenconsoled_t)
|
||||
|
||||
init_use_fds(xenstored_t)
|
||||
init_use_script_ptys(xenstored_t)
|
||||
|
||||
libs_use_ld_so(xenstored_t)
|
||||
libs_use_shared_libs(xenstored_t)
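Review bot: in the @ -238 hunk, inside the xenstored_t rules, `term_dontaudit_use_console(xenconsoled_t)` becomes `term_use_console(xenconsoled_t)`, but xenconsoled_t already receives `term_use_console` in the @ -195 hunk; the domain here is almost certainly meant to be xenstored_t, so the line should read `term_use_console(xenstored_t)`, otherwise xenstored gains no console access and the pre-existing copy-paste is carried forward. In the @ -128 hunk `corenet_tcp_bind_soundd_port(xend_t)` and its packet rule deserve a one-line comment on why xend binds a port labeled for sound daemons, so it is not removed as a mistake later. The xend_t block starts before these hunks.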
|
||||
|