add 1.27.1-22 targeted policy

Chris PeBenito 2005-10-21 18:05:21 +00:00
parent 23a4442bf1
commit ab58ad00cd
467 changed files with 25724 additions and 0 deletions

targeted/COPYING (Normal file, 340 lines)

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

targeted/ChangeLog (Normal file, 391 lines)

@ -0,0 +1,391 @@
1.27.1 2005-09-15
* Merged small patches from Russell Coker for the apostrophe,
dhcpc, fsadm, and setfiles policy.
* Merged a patch from Russell Coker with some minor fixes to a
multitude of policy files.
* Merged patch from Dan Walsh from August 15th. Adds certwatch
policy. Adds mcs support to Makefile. Adds mcs file which
defines sensitivities and categories for the MSC policy. Creates
an authentication_domain macro in global_macros.te for domains
that use pam_authentication. Creates the anonymous_domain macro
so that the ftpd, rsync, httpd, and smbd domains can share the
ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to
start isolating individual ethernet devices. Changes vpnc from a
daemon to an application_domain. Adds audit_control capability to
crond_t. Adds dac_override and dac_read_search capabilities to
fsadm_t to allow the manipulation of removable media. Adds
read_sysctl macro to the base_passwd_domain macro. Adds rules to
allow alsa_t to communicate with userspace. Allows networkmanager
to communicate with isakmp_port and to use vpnc. For targeted
policy, removes transitions of sysadm_t to apm_t, backup_t,
bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
Makes other minor cleanups and fixes.
1.26 2005-09-06
* Updated version for release.
1.25.4 2005-08-10
* Merged small patches from Russell Coker for the restorecon,
kudzu, lvm, radvd, and spamassasin policies.
* Added fs_use_trans rule for mqueue from Mark Gebhart to support
the work he has done on providing SELinux support for mqueue.
* Merged a patch from Dan Walsh. Removes the user_can_mount
tunable. Adds disable_evolution_trans and disable_thunderbird_trans
booleans. Adds the nscd_client_domain attribute to insmod_t.
Removes the user_ping boolean from targeted policy. Adds
hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
Adds the isakmp_port for vpnc. Creates the pptp daemon domain.
Allows getty to run sbin_t for pppd. Allows initrc to write to
default_t for booting. Allows Hotplug_t sys_rawio for prism54
card at boot. Other minor fixes.
1.25.3 2005-07-18
* Merged patch from Dan Walsh. Adds auth_bool attribute to allow
domains to have read access to shadow_t. Creates pppd_can_insmod
boolean to control the loading of modem kernel modules. Allows
nfs to export noexattrfile types. Allows unix_chpwd to access
cert files and random devices for encryption purposes. Other
minor cleanups and fixes.
1.25.2 2005-07-11
* Merged patch from Dan Walsh. Added allow_ptrace boolean to
allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the
audit_control and audit_write capabilities. Stops targeted policy
from transitioning from unconfined_t to netutils. Allows cupsd to
audit messages. Gives prelink the execheap, execmem, and execstack
permissions by default. Adds can_winbind boolean and functions to
better handle samba and winbind communications. Eliminates
allow_execmod checks around texrel_shlib_t libraries. Other minor
cleanups and fixes.
1.25.1 2005-07-05
* Moved role_tty_type_change, reach_sysadm, and priv_user macros
from user.te to user_macros.te as suggested by Steve.
* Modified admin_domain macro so autrace would work and removed
privuser attribute for dhcpc as suggested by Russell Coker.
* Merged rather large patch from Dan Walsh. Moves
targeted/strict/mls policies closer together. Adds local.te for
users to customize. Includes minor fixes to auditd, cups,
cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch
that defines all ports in network.te. Ports are always defined
now, no ifdefs are used in network.te. Also includes Ivan
Gyurdiev's user home directory policy patches. These patches add
alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
iceauth, orbit, and thunderbird policy. They create read_content,
write_trusted, and write_untrusted macros in content.te. They
create network_home, write_network_home, read_network_home,
base_domain_ro_access, home_domain_access, home_domain, and
home_domain_ro macros in home_macros.te. They also create
$3_read_content, $3_write_content, and write_untrusted booleans.
1.24 2005-06-20
* Updated version for release.
1.23.18 2005-05-31
* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
* Removed devfsd policy as suggested by Russell Coker.
* Merged patch from Dan Walsh. Includes beginnings of Ivan
Gyurdiev's Font Config policy. Don't transition to fsadm_t from
unconfined_t (sysadm_t) in targeted policy. Add support for
debugfs in modutil. Allow automount to create and delete
directories in /root and /home dirs. Move can_ypbind to
chkpwd_macro.te. Allow useradd to create additional files and
types via the skell mechanism. Other minor cleanups and fixes.
1.23.17 2005-05-23
* Merged minor fixes by Petre Rodan to the daemontools, dante,
gpg, kerberos, and ucspi-tcp policies.
* Merged minor fixes by Russell Coker to the bluetooth, crond,
initrc, postfix, and udev policies. Modifies constraints so that
newaliases can be run. Modifies types.fc so that objects in
lost+found directories will not be relabled.
* Modified fc rules for nvidia.
* Added Chad Sellers policy for polyinstantiation support, which
creates the polydir, polyparent, and polymember attributes. Also
added the support_polyinstantiation tunable.
* Merged patch from Dan Walsh. Includes mount_point attribute,
read_font macros and some other policy fixes from Ivan Gyurdiev.
Adds privkmsg and secadmfile attributes and ddcprobe policy.
Removes the use_syslogng boolean. Many other minor fixes.
1.23.16 2005-05-13
* Added rdisc policy from Russell Coker.
* Merged minor fix to named policy by Petre Rodan.
* Merged minor fixes to policy from Russell Coker for kudzu,
named, screen, setfiles, telnet, and xdm.
* Merged minor fix to Makefile from Russell Coker.
1.23.15 2005-05-06
* Added tripwire and yam policy from David Hampton.
* Merged minor fixes to amavid and a clarification to the
httpdcontent attribute comments from David Hampton.
* Merged patch from Dan Walsh. Includes fixes for restorecon,
games, and postfix from Russell Coker. Adds support for debugfs.
Restores support for reiserfs. Allows udev to work with tmpfs_t
before /dev is labled. Removes transition from sysadm_t
(unconfined_t) to ifconfig_t for the targeted policy. Other minor
cleanups and fixes.
1.23.14 2005-04-29
* Added afs policy from Andrew Reisse.
* Merged patch from Lorenzo Hernández García-Hierro which defines
execstack and execheap permissions. The patch excludes these
permissions from general_domain_access and updates the macros for
X, legacy binaries, users, and unconfined domains.
* Added nlmsg_relay permisison where netlink_audit_socket class is
used. Added nlmsg_readpriv permission to auditd_t and auditctl_t.
* Merged some minor cleanups from Russell Coker and David Hampton.
* Merged patch from Dan Walsh. Many changes made to allow
targeted policy to run closer to strict and now almost all of
non-userspace is protected via SELinux. Kernel is now in
unconfined_domain for targeted and runs as root:system_r:kernel_t.
Added transitionbool to daemon_sub_domain, mainly to turn off
httpd_suexec transitioning. Implemented web_client_domain
name_connect rules. Added yp support for cups. Now the real
hotplug, udev, initial_sid_contexts are used for the targeted
policy. Other minor cleanups and fixes. Auditd fixes by Paul
Moore.
1.23.13 2005-04-22
* Merged more changes from Dan Walsh to initrc_t for removal of
unconfined_domain.
* Merged Dan Walsh's split of auditd policy into auditd_t for the
audit daemon and auditctl_t for the autoctl program.
* Added use of name_connect to uncond_can_ypbind macro by Dan
Walsh.
* Merged other cleanup and fixes by Dan Walsh.
1.23.12 2005-04-20
* Merged Dan Walsh's Netlink changes to handle new auditing pam
modules.
* Merged Dan Walsh's patch removing the sysadmfile attribute from
policy files to separate sysadm_t from secadm_t.
* Added CVS and uucpd policy from Dan Walsh.
* Cleanup by Dan Walsh to handle turning off unlimitedRC.
* Merged Russell Coker's fixes to ntpd, postgrey, and named
policy.
* Cleanup of chkpwd_domain and added permissions to su_domain
macro due to pam changes to support audit.
* Added nlmsg_relay and nlmsg_readpriv permissions to the
netlink_audit_socket class.
1.23.11 2005-04-14
* Merged Dan Walsh's separation of the security manager and system
administrator.
* Removed screensaver.te as suggested by Thomas Bleher
* Cleanup of typealiases that are no longer used by Thomas Bleher.
* Cleanup of fc files and additional rules for SuSE by Thomas
Bleher.
* Merged changes to auditd and named policy by Russell Coker.
* Merged MLS change from Darrel Goeddel to support the policy
hierarchy patch.
1.23.10 2005-04-08
* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
1.23.9 2005-04-07
* Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup
of x_client apps.
* Added dmidecode policy from Ivan Gyurdiev.
1.23.8 2005-04-05
* Added netlink_kobject_uevent_socket class.
* Removed empty files pump.te and pump.fc.
* Added NetworkManager policy from Dan Walsh.
* Merged Dan Walsh's major restructuring of Apache's policy.
1.23.7 2005-04-04
* Merged David Hampton's amavis and clamav cleanups.
* Added David Hampton's dcc, pyzor, and razor policy.
1.23.6 2005-04-01
* Merged cleanup of the Makefile and other stuff from Dan Walsh.
Dan's patch includes some desktop changes from Ivan Gyurdiev.
* Merged Thomas Bleher's patches which increase the usage of
lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
possible.
* Merged Greg Norris's cleanup of fetchmail.
1.23.5 2005-03-23
* Added name_connect support from Dan Walsh.
* Added httpd_unconfined_t from Dan Walsh.
* Merged cleanup of assert.te to allow unresticted full access
from Dan Walsh.
1.23.4 2005-03-21
* Merged diffs from Dan Walsh:
* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan
Gyurdiev.
* Added syslogng support to syslog.te.
1.23.3 2005-03-15
* Added policy for nx_server from Thomas Bleher.
* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
publicfile from Petre Rodan.
1.23.2 2005-03-14
* Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's
gift policy.
* Made sysadm_r the first role for root, so root's home will be labled
as sysadm_home_dir_t instead of staff_home_dir_t.
* Modified fs_use and Makefile to reflect jfs now supporting security
xattrs.
1.23.1 2005-03-10
* Merged diffs from Dan Walsh. Dan's patch includes Ivan
Gyurdiev's cleanup of homedir macros and more extensive use of
read_sysctl()
1.22 2005-03-09
* Updated version for release.
1.21 2005-02-24
* Added secure_file_type attribute from Dan Walsh
* Added access_terminal() macro from Ivan Gyurdiev
* Updated capability access vector for audit capabilities.
* Added mlsconvert Makefile target to help generate MLS policies
(see selinux-doc/README.MLS for instructions).
* Changed policy Makefile to still generate policy.18 as well,
and use it for make load if the kernel doesn't support 19.
* Merged enhanced MLS support from Darrel Goeddel (TCS).
* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
* Merged man pages from Dan Walsh.
1.20 2005-01-04
* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
Petre Rodan.
* Merged can_create() macro used for file_type_{,auto_}trans()
from Thomas Bleher.
* Merged dante and stunnel policy by Petre Rodan.
* Merged $1_file_type attribute from Thomas Bleher.
* Merged network_macros from Dan Walsh.
1.18 2004-10-25
* Merged diffs from Russell Coker and Dan Walsh.
* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
* Added reserved_port_t type and portcon entries to map all other
reserved ports to this type.
* Added distro_ prefix to distro tunables to avoid conflicts.
* Merged diffs from Russell Coker.
1.16 2004-08-16
* Added nscd definitions.
* Converted many tunables to policy booleans.
* Added crontab permission.
* Merged diffs from Dan Walsh.
This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
* Merged diffs from Russell Coker.
* Adjusted constraints for crond restart.
* Merged dbus/userspace object manager policy from Colin Walters.
* Merged dbus definitions from Matthew Rickard.
* Merged dnsmasq policy from Greg Norris.
* Merged gpg-agent policy from Thomas Bleher.
1.14 2004-06-28
* Removed vmware-config.pl from vmware.fc.
* Added crond entry to root_default_contexts.
* Merged patch from Dan Walsh.
* Merged mdadm and postfix changes from Colin Walters.
* Merged reiserfs and rpm changes from Russell Coker.
* Merged runaway .* glob fix from Valdis Kletnieks.
* Merged diff from Dan Walsh.
* Merged fine-grained netlink classes and permissions.
* Merged changes for new /etc/selinux layout.
* Changed mkaccess_vector.sh to provide stable order.
* Merged diff from Dan Walsh.
* Fix restorecon path in restorecon.fc.
* Merged pax class and access vector definition from Joshua Brindle.
1.12 2004-05-12
* Added targeted policy.
* Merged atd/at into crond/crontab domains.
* Exclude bind mounts from relabeling to avoid aliasing.
* Removed some obsolete types and remapped their initial SIDs to unlabeled.
* Added SE-X related security classes and policy framework.
* Added devnull initial SID and context.
* Merged diffs from Fedora policy.
1.10 2004-04-07
* Merged ipv6 support from James Morris of RedHat.
* Merged policy diffs from Dan Walsh.
* Updated call to genhomedircon to reflect new usage.
* Merged policy diffs from Dan Walsh and Russell Coker.
* Removed config-users and config-services per Dan's request.
1.8 2004-03-09
* Merged genhomedircon patch from Karl MacMillan of Tresys.
* Added restorecon domain.
* Added unconfined_domain macro.
* Added default_t for /.* file_contexts entry and replaced some
uses of file_t with default_t in the policy.
* Added su_restricted_domain() macro and use it for initrc_t.
* Merged policy diffs from Dan Walsh and Russell Coker.
These included a merge of an earlier patch by Chris PeBenito
to rename the etc types to be consistent with other types.
1.6 2004-02-18
* Merged xfs support from Chris PeBenito.
* Merged conditional rules for ping.te.
* Defined setbool permission, added can_setbool macro.
* Partial network policy cleanup.
* Merged with Russell Coker's policy.
* Renamed netscape macro and domain to mozilla and renamed
ipchains domain to iptables for consistency with Russell.
* Merged rhgb macro and domain from Russell Coker.
* Merged tunable.te from Russell Coker.
Only define direct_sysadm_daemon by default in our copy.
* Added rootok permission to passwd class.
* Merged Makefile change from Dan Walsh to generate /home
file_contexts entries for staff users.
* Added automatic role and domain transitions for init scripts and
daemons. Added an optional third argument (nosysadm) to
daemon_domain to omit the direct transition from sysadm_r when
the same executable is also used as an application, in which
case the daemon must be restarted via the init script to obtain
the proper security context. Added system_r to the authorized roles
for admin users at least until support for automatic user identity
transitions exist so that a transition to system_u can be provided
transparently.
* Added support to su domain for using pam_selinux.
Added entries to default_contexts for the su domains to
provide reasonable defaults. Removed user_su_t.
* Tighten restriction on user identity and role transitions in constraints.
* Merged macro for newrole-like domains from Russell Coker.
* Merged stub dbusd domain from Russell Coker.
* Merged stub prelink domain from Dan Walsh.
* Merged updated userhelper and config tool domains from Dan Walsh.
* Added send_msg/recv_msg permissions to can_network macro.
* Merged patch by Chris PeBenito for sshd subsystems.
* Merged patch by Chris PeBenito for passing class to var_run_domain.
* Merged patch by Yuichi Nakamura for append_log_domain macros.
* Merged patch by Chris PeBenito for rpc_pipefs labeling.
* Merged patch by Colin Walters to apply m4 once so that
source file info is preserved for checkpolicy.
1.4 2003-12-01
* Merged patches from Russell Coker.
* Revised networking permissions.
* Added new node_bind permission.
* Added new siginh, rlimitinh, and setrlimit permissions.
* Added proc_t:file read permission for new is_selinux_enabled logic.
* Added failsafe_context configuration file to appconfig.
* Moved newrules.pl to policycoreutils, renamed to audit2allow.
* Merged newrules.pl patch from Yuichi Nakamura.
1.2 2003-09-30
* More policy merging with Russell Coker.
* Transferred newrules.pl script from the old SELinux.
* Merged MLS configuration patch from Karl MacMillan of Tresys.
* Limit staff_t to reading /proc entries for unpriv_userdomain.
* Updated Makefile and spec file to allow non-root builds,
based on patch by Paul Nasrat.
1.1 2003-08-13
* Merged Makefile check-all and te-includes patches from Colin Walters.
* Merged x-debian-packages.patch from Colin Walters.
* Folded read permission into domain_trans.
1.0 2003-07-11
* Initial public release.

368
targeted/Makefile Normal file

@ -0,0 +1,368 @@
#
# Makefile for the security policy.
#
# Targets:
#
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# policy - compile the policy configuration locally for testing/development.
#
# The default target is 'install'.
#
# Set to y if MLS is enabled in the policy.
MLS=n
# Set to y if MCS is enabled in the policy
MCS=y
FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
LOADPOLICY = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
PREVERS := 19
KERNVERS := $(shell cat /selinux/policyvers)
MLSENABLED := $(shell cat /selinux/mls)
POLICYVER := policy.$(VERS)
TOPDIR = $(DESTDIR)/etc/selinux
TYPE=targeted
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLICYVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
ALL_TYPES := $(wildcard types/*.te)
ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
TE_RBAC_FILES := $(ALLTEFILES) rbac
ALL_TUNABLES := $(wildcard tunables/*.tun )
USER_FILES := users
POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
CHECKPOLMLS += -M
endif
ifeq ($(MCS), y)
POLICYFILES += mcs
CHECKPOLMLS += -M
endif
DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
POLICYFILES += $(USER_FILES)
POLICYFILES += constraints
POLICYFILES += $(DEFCONTEXTFILES)
CONTEXTFILES = $(DEFCONTEXTFILES)
POLICY_DIRS = domains domains/program domains/misc macros macros/program
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
FC = file_contexts/file_contexts
HOMEDIR_TEMPLATE = file_contexts/homedir_template
FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
CONTEXTFILES += $(FCFILES)
APPDIR=$(CONTEXTPATH)
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
ROOTFILES = $(addprefix $(APPDIR)/users/,root)
all: policy
tmp/valid_fc: $(LOADPATH) $(FC)
ifeq ($(CHECKPOLMLS), -M)
ifeq ($(MLSENABLED),1)
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(LOADPATH) $(FC)
endif
endif
@touch tmp/valid_fc
install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
@mkdir -p $(USERPATH)
@echo "# " > tmp/system.users
@echo "# Do not edit this file. " >> tmp/system.users
@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
@echo "# Please edit local.users to make local changes." >> tmp/system.users
@echo "#" >> tmp/system.users
@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
install -m 644 tmp/system.users $@
$(USERPATH)/local.users: local.users
@mkdir -p $(USERPATH)
install -b -m 644 $< $@
$(CONTEXTPATH)/files/media: appconfig/media
@mkdir -p $(CONTEXTPATH)/files/
install -m 644 $< $@
$(APPDIR)/default_contexts: appconfig/default_contexts
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/removable_context: appconfig/removable_context
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/customizable_types: policy.conf
@mkdir -p $(APPDIR)
@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
install -m 644 tmp/customizable_types $@
$(APPDIR)/port_types: policy.conf
@mkdir -p $(APPDIR)
@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
install -m 644 tmp/port_types $@
$(APPDIR)/default_type: appconfig/default_type
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/userhelper_context: appconfig/userhelper_context
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/initrc_context: appconfig/initrc_context
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/failsafe_context: appconfig/failsafe_context
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/users/root: appconfig/root_default_contexts
@mkdir -p $(APPDIR)/users
install -m 644 $< $@
$(LOADPATH): policy.conf $(CHECKPOLICY)
@echo "Compiling policy ..."
@mkdir -p $(POLICYPATH)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifneq ($(VERS),$(PREVERS))
$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
endif
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.
policy: $(POLICYVER)
$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifeq ($(CHECKPOLMLS), -M)
ifeq (1, $(MLSENABLED))
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(POLICYVER) $(FC)
endif
endif
reload tmp/load: $(LOADPATH)
@echo "Loading Policy ..."
ifeq ($(VERS), $(KERNVERS))
$(LOADPOLICY) $(LOADPATH)
else
$(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
endif
touch tmp/load
load: tmp/load $(FCPATH)
enableaudit: policy.conf
grep -v dontaudit policy.conf > policy.audit
mv policy.audit policy.conf
policy.conf: $(POLICYFILES) $(POLICY_DIRS)
@echo "Building policy.conf ..."
@mkdir -p tmp
m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
@mv $@.tmp $@
install-src:
rm -rf $(SRCPATH)/policy.old
-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
@mkdir -p $(SRCPATH)/policy
cp -R . $(SRCPATH)/policy
tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
@mkdir -p tmp
( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
mv $@.tmp $@
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
checklabels: $(SETFILES)
$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
restorelabels: $(SETFILES)
$(SETFILES) -v $(FC) $(FILESYSTEMS)
relabel: $(FC) $(SETFILES)
$(SETFILES) $(FC) $(FILESYSTEMS)
file_contexts/misc:
@mkdir -p file_contexts/misc
$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types
@echo "Installing file contexts files..."
@mkdir -p $(CONTEXTPATH)/files
install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
install -m 644 $(FC) $(FCPATH)
@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
@echo "Building file contexts files..."
@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
@grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE)
@-rm $@.tmp
# Create a tags-file for the policy:
# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
ifeq ($(strip $(CTAGS)),)
CTAGS := $(call pathsearch,ctags) # suse naming scheme
endif
tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
--regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
--regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
--regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
clean:
rm -f policy.conf $(POLICYVER)
rm -f tags
rm -f tmp/*
rm -f $(FC)
rm -f flask/*.h
# for the policy regression tester
find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
# Policy regression tester.
# Written by Colin Walters <walters@debian.org>
cur_te = $(filter-out %/,$(subst /,/ ,$@))
TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
define compute_depends
export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
endef
ifeq ($(TE_DEPENDS_DEFINED),)
ifeq ($(MAKECMDGOALS),check-all)
GENRULES := $(TESTED_TE_FILES)
export TE_DEPENDS_DEFINED := yes
else
# Handle the case where checkunused/blah.te is run directly.
ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
GENRULES := $(TESTED_TE_FILES)
export TE_DEPENDS_DEFINED := yes
endif
endif
endif
# Test for a new enough version of GNU Make.
$(eval have_eval := yes)
ifneq ($(GENRULES),)
ifeq ($(have_eval),)
$(error Need GNU Make 3.80 or better!)
Need GNU Make 3.80 or better
endif
endif
$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
PHONIES :=
define compute_presymlinks
PHONIES += presymlink/$(1)
presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
@if ! test -L domains/program/$(1); then \
cd domains/program && ln -s unused/$(1) .; \
fi
endef
# Compute dependencies.
$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% :
@$(MAKE) -s clean
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
fi
@echo "Testing $(cur_te)...";
@if ! make -s policy 1>/dev/null; then \
echo "Testing $(cur_te)...FAILED"; \
exit 1; \
fi;
@echo "Testing $(cur_te)...success."; \
check-all:
@for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
$(MAKE) --no-print-directory $$goal; \
done
.PHONY: clean $(PHONIES)
mlsconvert:
@for file in $(CONTEXTFILES); do \
echo "Converting $$file"; \
sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
mv $$file.new $$file; \
done
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \
mv $$file.new $$file; \
done
@sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
@echo "Enabling MLS in the Makefile"
@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"
mcsconvert:
@for file in $(CONTEXTFILES); do \
echo "Converting $$file"; \
sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
mv $$file.new $$file; \
done
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
sed -r -e 's/\;/ level s0 range s0;/' $$file | \
sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \
mv $$file.new $$file; \
done
@echo "Enabling MCS in the Makefile"
@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"
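Review bot: the `mcsconvert` target's `sed "s/MCS=y/MCS=y/" Makefile > Makefile.new` is a no-op, so the "Enabling MCS in the Makefile" step never changes anything; it should mirror `mlsconvert` and read `sed "s/MCS=n/MCS=y/"`. Related: `mlsconvert` sets MLS=y but leaves MCS=y in place, and with both enabled the two `CHECKPOLMLS += -M` lines make CHECKPOLMLS expand to `-M -M`, so the `ifeq ($(CHECKPOLMLS), -M)` guards in `tmp/valid_fc` and in the `$(POLICYVER)` rule no longer match and the `setfiles -q -c` validation of file_contexts is silently skipped; either have `mlsconvert` also flip MCS to n or test `ifneq ($(findstring -M,$(CHECKPOLMLS)),)` instead. Also the trailing `; \` on `find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \` in `clean` and on `@echo "Testing $(cur_te)...success."; \` in the `checkunused/%` recipe continue the shell command onto the next physical line (a comment in the first case, the `check-all:` rule in the second unless a blank line separates them); drop both continuations.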

125
targeted/README Normal file

@ -0,0 +1,125 @@
The Makefile targets are:
policy - compile the policy configuration.
install - compile and install the policy configuration.
load - compile, install, and load the policy configuration.
relabel - relabel the filesystem.
check-all - check individual additional policy files in domains/program/unused.
checkunused/FILE.te - check individual file FILE from domains/program/unused.
If you have configured MLS into your module, then set MLS=y in the
Makefile prior to building the policy. Of course, you must have also
built checkpolicy with MLS enabled.
Three of the configuration files are independent of the particular
security policy:
1) flask/security_classes -
This file has a simple declaration for each security class.
The corresponding symbol definitions are in the automatically
generated header file <selinux/flask.h>.
2) flask/initial_sids -
This file has a simple declaration for each initial SID.
The corresponding symbol definitions are in the automatically
generated header file <selinux/flask.h>.
3) access_vectors -
This file defines the access vectors. Common prefixes for
access vectors may be defined at the beginning of the file.
After the common prefixes are defined, an access vector
may be defined for each security class.
The corresponding symbol definitions are in the automatically
generated header file <selinux/av_permissions.h>.
In addition to being read by the security server, these configuration
files are used during the kernel build to automatically generate
symbol definitions used by the kernel for security classes, initial
SIDs and permissions. Since the symbol definitions generated from
these files are used during the kernel build, the values of existing
security classes and permissions may not be modified by load_policy.
However, new classes may be appended to the list of classes and new
permissions may be appended to the list of permissions associated with
each access vector definition.
The policy-dependent configuration files are:
1) tmp/all.te -
This file defines the Type Enforcement (TE) configuration.
This file is automatically generated from a collection of files.
The macros subdirectory contains a collection of m4 macro definitions
used by the TE configuration. The global_macros.te file contains global
macros used throughout the configuration for common groupings of classes
and permissions and for common sets of rules. The user_macros.te file
contains macros used in defining user domains. The admin_macros.te file
contains macros used in defining admin domains. The macros/program
subdirectory contains macros that are used to instantiate derived domains
for certain programs that encode information about both the calling user
domain and the program, permitting the policy to maintain separation
between different instances of the program.
The types subdirectory contains several files with declarations for
general types (types not associated with a particular domain) and
some rules defining relationships among those types. Related types
are grouped together into each file in this directory, e.g. all
device type declarations are in the device.te file.
The domains subdirectory contains several files and directories
with declarations and rules for each domain. User domains are defined in
user.te. Administrator domains are defined in admin.te. Domains for
specific programs, including both system daemons and other programs, are
in the .te files within the domains/program subdirectory. The domains/misc
subdirectory is for miscellaneous domains such as the kernel domain and
the kernel module loader domain.
The assert.te file contains assertions that are checked after evaluating
the entire TE configuration.
2) rbac -
This file defines the Role-Based Access Control (RBAC) configuration.
3) mls -
This file defines the Multi-Level Security (MLS) configuration.
4) users -
This file defines the users recognized by the security policy.
5) constraints -
This file defines additional constraints on permissions
in the form of boolean expressions that must be satisfied in order
for specified permissions to be granted. These constraints
are used to further refine the type enforcement tables and
the role allow rules. Typically, these constraints are used
to restrict changes in user identity or role to certain domains.
6) initial_sid_contexts -
This file defines the security context for each initial SID.
A security context consists of a user identity, a role, a type and
optionally a MLS range if the MLS policy is enabled. If left unspecified,
the high MLS level defaults to the low MLS level. The syntax of a valid
security context is:
user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
7) fs_use -
This file defines the labeling behavior for inodes in particular
filesystem types.
8) genfs_contexts -
This file defines security contexts for files in filesystems that
cannot support persistent label mappings or use one of the fixed
labeling schemes specified in fs_use.
8) net_contexts -
This file defines the security contexts of network objects
such as ports, interfaces, and nodes.
9) file_contexts/{types.fc,program/*.fc}
These files define the security contexts for persistent files.
It is possible to test the security server functions on a given policy
configuration by running the checkpolicy program with the -d option.
This program is built from the same sources as the security server
component of the kernel, so it may be used both to verify that a
policy configuration will load successfully and to determine how the
security server would respond if it were using that policy
configuration. A menu-based interface is provided for calling any of
the security server functions after the policy is loaded.
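Review bot: the numbered list of policy-dependent files uses 8) twice (genfs_contexts and net_contexts) and then jumps to 9), and several entries are out of step with what this commit's Makefile builds: 1) names tmp/all.te as the generated TE configuration, but the Makefile feeds ALLTEFILES (attrib.te, tmp/program_used_flags.te, the macros, types and domains files, assert.te) directly into policy.conf and never creates tmp/all.te; 3) lists access_vectors at the top level, while POLICYFILES prefixes it with $(FLASKDIR) alongside security_classes and initial_sids, so it should be documented as flask/access_vectors like the other two; and the mcs file that MCS=y adds to POLICYFILES (the default in this Makefile) is not mentioned next to 3) mls, nor is the MCS=y switch mentioned where the MLS=y instructions are.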

1
targeted/VERSION Normal file

@ -0,0 +1 @@
1.27.1


@ -0,0 +1,6 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>


@ -0,0 +1,6 @@
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0
system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
system_r:crond_t:s0 system_r:unconfined_t:s0


@ -0,0 +1 @@
system_r:unconfined_t


@ -0,0 +1 @@
system_r:unconfined_t:s0


@ -0,0 +1 @@
user_u:system_r:unconfined_t:s0

3
targeted/appconfig/media Normal file

@ -0,0 +1,3 @@
cdrom system_u:object_r:removable_device_t:s0
floppy system_u:object_r:removable_device_t:s0
disk system_u:object_r:fixed_disk_device_t:s0


@ -0,0 +1 @@
system_u:object_r:removable_t:s0


@ -0,0 +1,6 @@
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0
system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
system_r:crond_t:s0 system_r:unconfined_t:s0


@ -0,0 +1 @@
system_u:system_r:unconfined_t:s0

40
targeted/assert.te Normal file

@ -0,0 +1,40 @@
##############################
#
# Assertions for the type enforcement (TE) configuration.
#
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow,
# but support for the other kinds of vectors could be easily added. Access
# vector assertions use the same syntax as access vector rules.
#
# Confined domains must never touch an unconfined domain except to
# send SIGCHLD for child termination notifications.
neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;
# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process { transition dyntransition};
# for gross mistakes in policy
neverallow domain domain:dir ~r_dir_perms;
neverallow domain domain:file_class_set ~rw_file_perms;
neverallow domain file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;
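Review bot: the two unconfined_t assertions exempt snmpd_t without any explanation: the comment says confined domains must never touch an unconfined domain except to send SIGCHLD, yet `neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;` and `neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };` carve a single daemon domain (and, in the first rule, unconfinedtrans) out of the check. Add a comment stating why snmpd_t may act on unconfined processes and read their /proc entries, or express the exemption through an attribute such as `unrestricted` so it is visible where snmpd_t is declared rather than buried in the assertion. Style nit: `{ transition dyntransition};` is missing the space before the closing brace used everywhere else in the file.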

563
targeted/attrib.te Normal file

@ -0,0 +1,563 @@
#
# Declarations for type attributes.
#
# A type attribute can be used to identify a set of types with a similar
# property. Each type can have any number of attributes, and each
# attribute can be associated with any number of types. Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations. Attribute names can then be used throughout
# the configuration to express the set of types that are associated with
# the attribute. Attributes have no implicit meaning to SELinux. The
# meaning of all attributes are completely defined through their
# usage within the configuration, but should be documented here as
# comments preceding the attribute declaration.
#####################
# Attributes for MLS:
#
# Common Terminology
# MLS Range: low-high
# low referred to as "Effective Sensitivity Label (SL)"
# high referred to as "Clearance SL"
#
# File System MLS attributes/privileges
#
# Grant MLS read access to files not dominated by the process Effective SL
attribute mlsfileread;
# Grant MLS read access to files which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsfilereadtoclr;
# Grant MLS write access to files not equal to the Effective SL
attribute mlsfilewrite;
# Grant MLS write access to files which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsfilewritetoclr;
# Grant MLS ability to change file label to a new label which dominates
# the old label
attribute mlsfileupgrade;
# Grant MLS ability to change file label to a new label which is
# dominated by or incomparable to the old label
attribute mlsfiledowngrade;
#
# Network MLS attributes/privileges
#
# Grant MLS read access to packets not dominated by the process Effective SL
attribute mlsnetread;
# Grant MLS read access to packets which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsnetreadtoclr;
# Grant MLS write access to packets not equal to the Effective SL
attribute mlsnetwrite;
# Grant MLS write access to packets which dominate the Effective SL
# and are dominated by the process Clearance SL
attribute mlsnetwritetoclr;
# Grant MLS read access to packets from hosts or interfaces which dominate
# or incomparable to the process Effective SL
attribute mlsnetrecvall;
# Grant MLS ability to change socket label to a new label which dominates
# the old label
attribute mlsnetupgrade;
# Grant MLS ability to change socket label to a new label which is
# dominated by or incomparable to the old label
attribute mlsnetdowngrade;
#
# IPC MLS attributes/privileges
#
# Grant MLS read access to IPC objects not dominated by the process Effective SL
attribute mlsipcread;
# Grant MLS read access to IPC objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsipcreadtoclr;
# Grant MLS write access to IPC objects not equal to the process Effective SL
attribute mlsipcwrite;
# Grant MLS write access to IPC objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsipcwritetoclr;
#
# Process MLS attributes/privileges
#
# Grant MLS read access to processes not dominated by the process Effective SL
attribute mlsprocread;
# Grant MLS read access to processes which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsprocreadtoclr;
# Grant MLS write access to processes not equal to the Effective SL
attribute mlsprocwrite;
# Grant MLS write access to processes which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsprocwritetoclr;
# Grant MLS ability to change Effective SL or Clearance SL of process to a
# label dominated by the Clearance SL
attribute mlsprocsetsl;
#
# X Window MLS attributes/privileges
#
# Grant MLS read access to X objects not dominated by the process Effective SL
attribute mlsxwinread;
# Grant MLS read access to X objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsxwinreadtoclr;
# Grant MLS write access to X objects not equal to the process Effective SL
attribute mlsxwinwrite;
# Grant MLS write access to X objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsxwinwritetoclr;
# Grant MLS read access to X properties not dominated by
# the process Effective SL
attribute mlsxwinreadproperty;
# Grant MLS write access to X properties not equal to the process Effective SL
attribute mlsxwinwriteproperty;
# Grant MLS read access to X colormaps not dominated by
# the process Effective SL
attribute mlsxwinreadcolormap;
# Grant MLS write access to X colormaps not equal to the process Effective SL
attribute mlsxwinwritecolormap;
# Grant MLS write access to X xinputs not equal to the process Effective SL
attribute mlsxwinwritexinput;
# Grant MLS read/write access to objects which internally arbitrate MLS
attribute mlstrustedobject;
#
# Both of the following attributes are needed for a range transition to succeed
#
# Grant ability for the current domain to change SL upon process transition
attribute privrangetrans;
# Grant ability for the new process domain to change SL upon process transition
attribute mlsrangetrans;
#########################
# Attributes for domains:
#
# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;
# The daemon attribute identifies domains for system processes created via
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
attribute daemon;
# The privuser attribute identifies every domain that can
# change its SELinux user identity. This attribute is used
# in the constraints configuration. NOTE: This attribute
# is not required for domains that merely change the Linux
# uid attributes, only for domains that must change the
# SELinux user identity. Also note that this attribute makes
# no sense without the privrole attribute.
attribute privuser;
# The privrole attribute identifies every domain that can
# change its SELinux role. This attribute is used in the
# constraints configuration.
attribute privrole;
# The userspace_objmgr attribute identifies every domain
# which enforces its own policy.
attribute userspace_objmgr;
# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r role, and identity from a user
# identity to system_u. It is used in the constraints configuration.
attribute priv_system_role;
# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that is not the same as the
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;
# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# There is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privlog;
# The privmodule attribute identifies every domain that can run
# modprobe, there is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privmodule;
# The privsysmod attribute identifies every domain that can have the
# sys_module capability
attribute privsysmod;
# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privmem;
# The privkmsg attribute identifies every domain that can
# read kernel messages (/proc/kmsg)
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privkmsg;
# The privfd attribute identifies every domain that should have
# file handles inherited widely (IE sshd_t and getty_t).
attribute privfd;
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;
# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
attribute auth;
# The auth_bool attribute identifies every domain that can
# read /etc/shadow if its boolean is set;
attribute auth_bool;
# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;
# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd
attribute auth_chkpwd;
# The change_context attribute identifies setfiles_t, restorecon_t, and other
# system domains that change the context of most/all files on the system
attribute change_context;
# The etc_writer attribute identifies every domain that can write to etc_t
attribute etc_writer;
# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t, in addition the admin attribute is permitted write access
attribute sysctl_kernel_writer;
# the sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;
# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry. This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care.
attribute sysctl_type;
# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.
attribute admin;
# The secadmin attribute identifies every security administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and secadm_t
attribute secadmin;
# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;
# for a small domain that can only be used for newrole
attribute user_mini_domain;
# pty for the mini domain
attribute mini_pty_type;
# pty created by a server such as sshd
attribute server_pty;
# attribute for all non-administrative devpts types
attribute userpty_type;
# The user_tty_type identifies every type for a tty or pty owned by an
# unpriviledged user
attribute user_tty_type;
# The admin_tty_type identifies every type for a tty or pty owned by a
# priviledged user
attribute admin_tty_type;
# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
# applied to all user domains.
attribute user_crond_domain;
# The unpriv_userdomain identifies non-administrative users (default user_t)
attribute unpriv_userdomain;
# This attribute is for the main user home directory for unpriv users
attribute user_home_dir_type;
# The gphdomain attribute identifies every gnome-pty-helper derived
# domain. It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.
attribute gphdomain;
# The fs_domain identifies every domain that may directly access a fixed disk
attribute fs_domain;
# This attribute is for all domains for the userhelper program.
attribute userhelperdomain;
############################
# Attributes for file types:
#
# The file_type attribute identifies all types assigned to files
# in persistent filesystems. It is used in TE rules to permit
# the association of all such file types with persistent filesystem
# types, and to permit certain domains to access all such types as
# appropriate.
attribute file_type;
# The secure_file_type attribute identifies files
# which will be treated with a higer level of security.
# Most domains will be prevented from manipulating files in this domain
attribute secure_file_type;
# The device_type attribute identifies all types assigned to device nodes
attribute device_type;
# The proc_fs attribute identifies all types that may be assigned to
# files under /proc.
attribute proc_fs;
# The dev_fs attribute identifies all types that may be assigned to
# files, sockets, or pipes under /dev.
attribute dev_fs;
# The sysadmfile attribute identifies all types assigned to files
# that should be completely accessible to administrators. It is used
# in TE rules to grant such access for administrator domains.
attribute sysadmfile;
# The secadmfile attribute identifies all types assigned to files
# that should be only accessible to security administrators. It is used
# in TE rules to grant such access for security administrator domains.
attribute secadmfile;
# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
# any filesystem and to permit most domains to obtain the
# overall filesystem statistics.
attribute fs_type;
# The mount_point attribute identifies all types that can serve
# as a mount point (for the mount binary). It is used in the mount
# policy to grant mounton permission, and in other domains to grant
# getattr permission over all the mount points.
attribute mount_point;
# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains. This attribute is
# used in TE rules and assertions that should be applied to all
# such executables.
attribute exec_type;
# The tmpfile attribute identifies all types assigned to temporary
# files. This attribute is used in TE rules to grant certain
# domains the ability to remove all such files (e.g. init, crond).
attribute tmpfile;
# The user_tmpfile attribute identifies all types associated with temporary
# files for unpriv_userdomain domains.
attribute user_tmpfile;
# for the user_xserver_tmp_t etc
attribute xserver_tmpfile;
# The tmpfsfile attribute identifies all types defined for tmpfs
# type transitions.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute tmpfsfile;
# The home_type attribute identifies all types assigned to home
# directories. This attribute is used in TE rules to grant certain
# domains the ability to access all home directory types.
attribute home_type;
# This attribute is for the main user home directory /home/user, to
# distinguish it from sub-dirs. Often you want a process to be able to
# read the user home directory but not read the regular directories under it.
attribute home_dir_type;
# The ttyfile attribute identifies all types assigned to ttys.
# It is used in TE rules to grant certain domains the ability to
# access all ttys.
attribute ttyfile;
# The ptyfile attribute identifies all types assigned to ptys.
# It is used in TE rules to grant certain domains the ability to
# access all ptys.
attribute ptyfile;
# The pidfile attribute identifies all types assigned to pid files.
# It is used in TE rules to grant certain domains the ability to
# access all such files.
attribute pidfile;
############################
# Attributes for network types:
#
# The socket_type attribute identifies all types assigned to
# kernel-created sockets. Ordinary sockets are assigned the
# domain of the creating process.
# XXX This attribute is unused. Remove?
attribute socket_type;
# Identifies all types assigned to port numbers to control binding.
attribute port_type;
# Identifies all types assigned to reserved port (<1024) numbers to control binding.
attribute reserved_port_type;
# Identifies all types assigned to network interfaces to control
# operations on the interface (XXX obsolete, not supported via LSM)
# and to control traffic sent or received on the interface.
attribute netif_type;
# Identifies all default types assigned to packets received
# on network interfaces.
attribute netmsg_type;
# Identifies all types assigned to network nodes/hosts to control
# traffic sent to or received from the node.
attribute node_type;
# Identifier for log files or directories that only exist for log files.
attribute logfile;
# Identifier for lock files (/var/lock/*) or directories that only exist for
# lock files.
attribute lockfile;
##############################
# Attributes for security policy types:
#
# The login_contexts attribute idenitifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;
# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
# sysadm_mail_t, etc)
attribute user_mail_domain;
# Identifies domains that can transition to system_mail_t
attribute privmail;
# Type for non-sysadm home directory
attribute user_home_type;
# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles to enable user email to get to the mail
# spool
attribute mta_user_agent;
# For domains that are part of a mail server for delivering messages to the
# user
attribute mta_delivery_agent;
# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;
# For a mail server process that takes TCP connections on port 25
attribute mail_server_domain;
# For web clients such as netscape and squid
attribute web_client_domain;
# For X Window System server domains
attribute xserver;
# For X Window System client domains
attribute xclient;
# For X Window System protocol extensions
attribute xextension;
# For X Window System property types
attribute xproperty;
#
# For file systems that do not have extended attributes but need to be
# r/w by users
#
attribute noexattrfile;
#
# For filetypes that the usercan read
#
attribute usercanread;
#
# For serial devices
#
attribute serial_device;
# Attribute to designate unrestricted access
attribute unrestricted;
# Attribute to designate can transition to unconfined_t
attribute unconfinedtrans;
# For clients of nscd.
attribute nscd_client_domain;
# For clients of nscd that can use shmem interface.
attribute nscd_shmem_domain;
# For labeling of content for httpd. This attribute is only used by
# the httpd_unified domain, which says treat all httpdcontent the
# same. If you want content to be served in a "non-unified" system
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
# your policy.
attribute httpdcontent;
# For labeling of domains whos transition can be disabled
attribute transitionbool;
# For labeling of file_context domains which users can change files to rather
# then the default file context. These file_context can survive a relabeling
# of the file system.
attribute customizable;
##############################
# Attributes for polyinstatiation support:
#
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;
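Review bot: the comment on priv_system_role says it "is used in the constraints configuration", but no constraint in the targeted/constraints file added by this commit references it (privowner, documented the same way, is used there); either add the missing constraint or drop the claim, since anyone auditing user/role changes will go looking for it. The open XXX items should also be resolved or tracked before a release build: socket_type is marked "unused. Remove?", and admin carries three XXX lines asking for a consistency review and a split into finer-grained attributes for assert.te. Comment typos to fix in the same pass: "priviledged" (user_tty_type and admin_tty_type), "higer", "files in this domain" under secure_file_type should read "files of this type", "idenitifies", "usercan", "whos", "rather then", and "polyinstatiation".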

targeted/constraints Normal file

@ -0,0 +1,54 @@
#
# Define m4 macros for the constraints
#
#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_op r2
# | t1 op t2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
#
# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name#
#
#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#
constrain process transition
( u1 == u2 or t1 == privuser );
constrain process transition
( r1 == r2 or t1 == privrole );
constrain process dyntransition
( u1 == u2 and r1 == r2);
#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
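Review bot: the header "Define m4 macros for the constraints" has no macros under it, and the grammar comment has a stray "#" fused onto "name_list name"; drop the empty section and fix the comment so the grammar reads cleanly. On substance, the dyntransition constraint requires both u1 == u2 and r1 == r2 with no privileged-type escape, which is stricter than the two transition constraints above it (where privuser and privrole may change the user or role); a one-line comment stating that dynamic transitions are deliberately never allowed to change identity or role would stop the next reviewer from reading it as an omission. Also confirm privuser and privrole are declared in attrib.te; the excerpt of that file visible in this view begins at priv_system_role, so their declarations cannot be checked from here.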


@ -0,0 +1,75 @@
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
#################################
#
# Rules for the kernel_t domain.
#
#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
can_exec(kernel_t, shell_exec_t)
# Use capabilities.
allow kernel_t self:capability *;
r_dir_file(kernel_t, sysfs_t)
allow kernel_t { usbfs_t usbdevfs_t }:dir search;
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
ifdef(`mls_policy', `
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
')
# Share state with the init process.
allow kernel_t init_t:process share;
# Mount and unmount file systems.
allow kernel_t fs_type:filesystem mount_fs_perms;
# Send signal to any process.
allow kernel_t domain:process signal;
allow kernel_t domain:dir search;
# Access the console.
allow kernel_t device_t:dir search;
allow kernel_t console_device_t:chr_file rw_file_perms;
# Access the initrd filesystem.
allow kernel_t file_t:chr_file rw_file_perms;
can_exec(kernel_t, file_t)
ifdef(`chroot.te', `
can_exec(kernel_t, chroot_exec_t)
')
allow kernel_t self:capability sys_chroot;
allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
allow kernel_t file_t:dir rw_dir_perms;
allow kernel_t file_t:blk_file create_file_perms;
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
# Lookup the policy.
allow kernel_t policy_config_t:dir r_dir_perms;
# Load the policy configuration.
can_loadpol(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)
ifdef(`targeted_policy', `
unconfined_domain(kernel_t)
')
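Review bot: `allow kernel_t self:capability sys_chroot;` is redundant with `allow kernel_t self:capability *;` earlier in the file; either drop the explicit line or, preferably, replace the wildcard with the enumerated capabilities kernel threads actually need, so the explicit grants carry meaning and any capability later added to the class is not granted silently. Under targeted_policy the trailing unconfined_domain(kernel_t) subsumes nearly every rule above it, which is expected on this branch but worth a comment so nobody tightens the explicit rules expecting an effect. Minor: the range_transition block is guarded by mls_policy in a file shipped in the targeted tree; confirm that guard is the intended one.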


@ -0,0 +1,5 @@
# Local customization of existing policy should be done in this file.
# If you are creating brand new policy for a new "target" domain, you
# need to create a type enforcement (.te) file in domains/program
# and a file context (.fc) file in file_context/program.
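Review bot: the guidance names domains/program and file_context/program but never says what a "local customization" looks like; one illustrative line (an extra allow rule for a domain and types that already exist) would make clear that type and domain declarations do not belong here, which is what the comment is trying to achieve.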


@ -0,0 +1,117 @@
#DESC NetworkManager -
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the NetworkManager_t domain.
#
# NetworkManager_t is the domain for the NetworkManager daemon.
# NetworkManager_exec_t is the type of the NetworkManager executable.
#
daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
can_network(NetworkManager_t)
allow NetworkManager_t port_type:tcp_socket name_connect;
allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
allow NetworkManager_t dhcpc_t:process signal;
can_ypbind(NetworkManager_t)
uses_shlib(NetworkManager_t)
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
allow NetworkManager_t self:process { setcap getsched };
allow NetworkManager_t self:fifo_file rw_file_perms;
allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
allow NetworkManager_t self:file { getattr read };
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
#
# Communicate with Caching Name Server
#
ifdef(`named.te', `
allow NetworkManager_t named_zone_t:dir search;
rw_dir_create_file(NetworkManager_t, named_cache_t)
domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
allow named_t NetworkManager_t:udp_socket { read write };
allow named_t NetworkManager_t:netlink_route_socket { read write };
allow NetworkManager_t named_t:process signal;
allow named_t NetworkManager_t:packet_socket { read write };
')
allow NetworkManager_t selinux_config_t:dir search;
allow NetworkManager_t selinux_config_t:file { getattr read };
ifdef(`dbusd.te', `
dbusd_client(system, NetworkManager)
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
allow NetworkManager_t self:dbus send_msg;
ifdef(`hald.te', `
allow NetworkManager_t hald_t:dbus send_msg;
allow hald_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t initrc_t:dbus send_msg;
allow initrc_t NetworkManager_t:dbus send_msg;
ifdef(`targeted_policy', `
allow NetworkManager_t unconfined_t:dbus send_msg;
allow unconfined_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t userdomain:dbus send_msg;
allow userdomain NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t usr_t:file { getattr read };
ifdef(`ifconfig.te', `
domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig
allow NetworkManager_t { sbin_t bin_t }:dir search;
allow NetworkManager_t bin_t:lnk_file read;
can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
# in /etc created by NetworkManager will be labelled net_conf_t.
file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
allow NetworkManager_t proc_t:file { getattr read };
r_dir_file(NetworkManager_t, proc_net_t)
allow NetworkManager_t { domain -unrestricted }:dir search;
allow NetworkManager_t { domain -unrestricted }:file { getattr read };
dontaudit NetworkManager_t unrestricted:dir search;
dontaudit NetworkManager_t unrestricted:file { getattr read };
allow NetworkManager_t howl_t:process signal;
allow NetworkManager_t initrc_var_run_t:file { getattr read };
domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
# allow vpnc connections
allow NetworkManager_t self:rawip_socket create_socket_perms;
allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
ifdef(`vpnc.te', `
domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
')
ifdef(`dhcpc.te', `
allow NetworkManager_t dhcp_state_t:dir search;
allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
')
allow NetworkManager_t var_lib_t:dir search;
dontaudit NetworkManager_t user_tty_type:chr_file { read write };
dontaudit NetworkManager_t security_t:dir search;
ifdef(`consoletype.te', `
can_exec(NetworkManager_t, consoletype_exec_t)
')
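Review bot: `allow NetworkManager_t port_type:tcp_socket name_connect;` lets the daemon connect to every labelled TCP port, while the UDP bind on the very next line is correctly scoped to isakmp_port_t and dhcpc_port_t; scope the TCP connect the same way, or document why any-port is required, so a compromised NetworkManager cannot reach arbitrary services. The capability set also grants sys_module directly even though the domain carries privsysmod and transitions to insmod_t for module loading; one mechanism should suffice, and the direct capability is the broader of the two. Cosmetic: "#DESC NetworkManager -" has an empty description, and the comment "in /etc created by NetworkManager will be labelled net_conf_t" is missing its subject ("Files").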


@ -0,0 +1,66 @@
#DESC Acct - BSD process accounting
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: acct
#
#################################
#
# Rules for the acct_t domain.
#
# acct_exec_t is the type of the acct executable.
#
daemon_base_domain(acct)
ifdef(`crond.te', `
system_crond_entry(acct_exec_t, acct_t)
# for monthly cron job
file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
')
# for SSP
allow acct_t urandom_device_t:chr_file read;
type acct_data_t, file_type, logfile, sysadmfile;
# not sure why we need this, the command "last" is reported as using it
dontaudit acct_t self:capability kill;
# gzip needs chown capability for some reason
allow acct_t self:capability { chown fsetid sys_pacct };
allow acct_t var_t:dir { getattr search };
rw_dir_create_file(acct_t, acct_data_t)
can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
allow acct_t { bin_t sbin_t }:dir search;
allow acct_t bin_t:lnk_file read;
read_locale(acct_t)
allow acct_t fs_t:filesystem getattr;
allow acct_t self:unix_stream_socket create_socket_perms;
allow acct_t self:fifo_file { read write getattr };
allow acct_t { self proc_t }:file { read getattr };
read_sysctl(acct_t)
dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
# for nscd
dontaudit acct_t var_run_t:dir search;
allow acct_t devtty_t:chr_file { read write };
allow acct_t { etc_t etc_runtime_t }:file { read getattr };
ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
rw_dir_create_file(logrotate_t, acct_data_t)
can_exec(logrotate_t, acct_data_t)
')
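Review bot: the two capability rules are justified only by "not sure why we need this" and "gzip needs chown capability for some reason"; chown and fsetid are ownership-changing capabilities, so the actual denial (syscall and target object from the AVC record) should be identified and written into the comment, and if chown is only needed by a helper such as gzip it belongs in a narrower place than the whole acct_t domain. Also note that acct_t may execute initrc_exec_t and its own acct_exec_t without a transition via can_exec, which keeps that code inside acct_t; acceptable for accounting scripts, but worth a comment.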


@ -0,0 +1,284 @@
#DESC Amanda - Automated backup program
#
# This policy file sets the rigths for amanda client started by inetd_t
# and amrecover
#
# X-Debian-Packages: amanda-common amanda-server
# Depends: inetd.te
# Author : Carsten Grohmann <carstengrohmann@gmx.de>
#
# License : GPL
#
# last change: 27. August 2002
#
# state : complete and tested
#
# Hints :
# - amanda.fc is the appendant file context file
# - If you use amrecover please extract the files and directories to the
# directory speficified in amanda.fc as type amanda_recover_dir_t.
# - The type amanda_user_exec_t is defined to label the files but not used.
# This configuration works only as an client and a amanda client does not need
# this programs.
#
# Enhancements/Corrections:
# - set tighter permissions to /bin/tar instead bin_t
##############################################################################
# AMANDA CLIENT DECLARATIONS
##############################################################################
# General declarations
######################
type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
role system_r types amanda_t;
# type for the amanda executables
type amanda_exec_t, file_type, sysadmfile, exec_type;
# type for the amanda executables started by inetd
type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
# type for amanda configurations files
type amanda_config_t, file_type, sysadmfile;
# type for files in /usr/lib/amanda
type amanda_usr_lib_t, file_type, sysadmfile;
# type for all files in /var/lib/amanda
type amanda_var_lib_t, file_type, sysadmfile;
# type for all files in /var/lib/amanda/gnutar-lists/
type amanda_gnutarlists_t, file_type, sysadmfile;
# type for user startable files
type amanda_user_exec_t, file_type, sysadmfile, exec_type;
# type for same awk and other scripts
type amanda_script_exec_t, file_type, sysadmfile, exec_type;
# type for the shell configuration files
type amanda_shellconfig_t, file_type, sysadmfile;
tmp_domain(amanda)
# type for /etc/amandates
type amanda_amandates_t, file_type, sysadmfile;
# type for /etc/dumpdates
type amanda_dumpdates_t, file_type, sysadmfile;
# type for amanda data
type amanda_data_t, file_type, sysadmfile;
# Domain transitions
####################
domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
##################
# File permissions
##################
# configuration files -> read only
allow amanda_t amanda_config_t:file { getattr read };
# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file { getattr lock read write };
# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
# access to amandas data structure
allow amanda_t amanda_data_t:dir { read search write };
allow amanda_t amanda_data_t:file { read write };
# access to proc_t
allow amanda_t proc_t:file { getattr read };
# access to etc_t and similar
allow amanda_t etc_t:file { getattr read };
allow amanda_t etc_runtime_t:file { getattr read };
# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
# access to device_t and similar
allow amanda_t devtty_t:chr_file { read write };
# access to fs_t
allow amanda_t fs_t:filesystem getattr;
# access to sysctl_kernel_t ( proc/sys/kernel/* )
read_sysctl(amanda_t)
#####################
# process permissions
#####################
# Allow to use shared libs
uses_shlib(amanda_t)
# Allow to execute a amanda executable file
allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };
# Allow to run a shell
allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
# access to bin_t (tar)
allow amanda_t bin_t:file { execute execute_no_trans };
allow amanda_t self:capability { chown dac_override setuid };
allow amanda_t self:process { fork sigchld setpgid signal };
allow amanda_t self:dir search;
allow amanda_t self:file { getattr read };
###################################
# Network and process communication
###################################
can_network_server(amanda_t);
can_ypbind(amanda_t);
can_exec(amanda_t, sbin_t);
allow amanda_t self:fifo_file { getattr read write ioctl lock };
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
allow amanda_t self:unix_dgram_socket create_socket_perms;
##########################
# Communication with inetd
##########################
allow amanda_t inetd_t:udp_socket { read write };
###################
# inetd permissions
###################
allow inetd_t amanda_usr_lib_t:dir search;
########################
# Access to to save data
########################
# access to user_home_t
allow amanda_t user_home_type:file { getattr read };
##############################################################################
# AMANDA RECOVER DECLARATIONS
##############################################################################
# General declarations
######################
# type for amrecover
type amanda_recover_t, domain;
role sysadm_r types amanda_recover_t;
role system_r types amanda_recover_t;
# exec types for amrecover
type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
# type for recover files ( restored data )
type amanda_recover_dir_t, file_type, sysadmfile;
file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
# domain transsition
domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
# file type auto trans to write debug messages
file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
# amanda recover process permissions
####################################
uses_shlib(amanda_recover_t)
allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
can_exec(amanda_recover_t, shell_exec_t)
allow amanda_recover_t privfd:fd use;
# amrecover network and process communication
#############################################
can_network(amanda_recover_t);
allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
can_ypbind(amanda_recover_t);
read_locale(amanda_recover_t);
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t var_log_t:dir search;
rw_dir_create_file(amanda_recover_t, amanda_log_t)
# amrecover file permissions
############################
# access to etc_t and similar
allow amanda_recover_t etc_t:dir search;
allow amanda_recover_t etc_t:file { getattr read };
allow amanda_recover_t etc_runtime_t:file { getattr read };
# access to amanda_recover_dir_t
allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
# access to var_t and var_run_t
allow amanda_recover_t var_t:dir search;
allow amanda_recover_t var_run_t:dir search;
# access to proc_t
allow amanda_recover_t proc_t:dir search;
allow amanda_recover_t proc_t:file { getattr read };
# access to sysctl_kernel_t
read_sysctl(amanda_recover_t)
# access to dev_t and similar
allow amanda_recover_t device_t:dir search;
allow amanda_recover_t devtty_t:chr_file { read write };
allow amanda_recover_t null_device_t:chr_file { getattr write };
# access to bin_t
allow amanda_recover_t bin_t:file { execute execute_no_trans };
# access to sysadm_home_t and sysadm_home_dir_t to start amrecover
# in the sysadm home directory
allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
# access to use sysadm_tty_device_t (/dev/tty?)
allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
# access to amanda_tmp_t and tmp_t
allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
allow amanda_recover_t tmp_t:dir search;
#
# Rules to allow amanda to be run as a service in xinetd
#
allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
#amanda needs to look at fs_type directories to decide whether it should backup
allow amanda_t { fs_type file_type }:dir {getattr read search };
allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
allow amanda_t device_type:{ blk_file chr_file } getattr;
allow amanda_t fixed_disk_device_t:blk_file read;
domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
allow amanda_t file_type:sock_file getattr;
logdir_domain(amanda)
dontaudit amanda_t proc_t:lnk_file read;
dontaudit amanda_t unlabeled_t:file getattr;
#amanda wants to check attributes on fifo_files
allow amanda_t file_type:fifo_file getattr;
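Review bot: the header metadata ("last change: 27. August 2002", "state : complete and tested") is stale relative to the block appended at the end ("Rules to allow amanda to be run as a service in xinetd" onward), which grants amanda_t read access to every fs_type and file_type directory, to every file_type file/lnk_file/chr_file/blk_file, and to fixed_disk_device_t block devices; update the header and give that tail block the same per-rule comments the rest of the file has, since the raw-disk read is the rule an auditor will ask about. Style: can_network_server, can_ypbind, can_exec, can_network and read_locale are written with trailing semicolons in a few places, inconsistent with every other macro call in the file. Comment typos: "rigths", "speficified", "an client ... this programs", "transsition", and "access to user_home_t" above a rule that actually grants user_home_type.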


@ -0,0 +1,48 @@
#DESC Anaconda - Red Hat Installation program
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the anaconda_t domain.
#
# anaconda_t is the domain of the installation program
#
type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
role system_r types anaconda_t;
unconfined_domain(anaconda_t)
role system_r types ldconfig_t;
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
# Run other rc scripts in the anaconda_t domain.
domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
ifdef(`dmesg.te', `
domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
')
ifdef(`distro_redhat', `
file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
')
ifdef(`rpm.te', `
# Access /var/lib/rpm.
domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
')
file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
ifdef(`udev.te', `
domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
')
ifdef(`ssh-agent.te', `
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
ifdef(`passwd.te', `
domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
')
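Review bot: `role system_r types ldconfig_t;` and the ldconfig and initrc transitions are unconditional, while every other foreign domain this file touches (dmesg, rpm, udev, ssh-agent, passwd) is wrapped in an ifdef on its .te file; if ldconfig.te is ever left out of a build this file fails to compile, so guard it the same way. With unconfined_domain(anaconda_t) applied, the long attribute list on the type line matters mostly for the TE assertions rather than for access; a short comment saying so would explain why attributes such as privmem and auth_write are still listed.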


@ -0,0 +1,414 @@
#DESC Apache - Web server
#
# X-Debian-Packages: apache2-common apache
#
###############################################################################
#
# Policy file for running the Apache web server
#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
# of the creating user.
#
# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
# type, and the directory containing the scripts should also be labeled
# with these types. This policy allows user_r role to perform that
# relabeling. If it is desired that only sysadm_r should be able to relabel
# the user CGI scripts, then relabel rule for user_r should be removed.
#
###############################################################################
define(`httpd_home_dirs', `
r_dir_file(httpd_t, $1)
r_dir_file(httpd_suexec_t, $1)
can_exec(httpd_suexec_t, $1)
')
bool httpd_unified false;
# Allow httpd to use built in scripting (usually php)
bool httpd_builtin_scripting false;
# Allow httpd cgi support
bool httpd_enable_cgi false;
# Allow httpd to read home directories
bool httpd_enable_homedirs false;
# Run SSI execs in system CGI script domain.
bool httpd_ssi_exec false;
# Allow http daemon to communicate with the TTY
bool httpd_tty_comm false;
# Allow http daemon to tcp connect
bool httpd_can_network_connect false;
#########################################################
# Apache types
#########################################################
# httpd_config_t is the type given to the configuration
# files for apache /etc/httpd/conf
#
type httpd_config_t, file_type, sysadmfile;
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
#
type httpd_modules_t, file_type, sysadmfile;
# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
#
type httpd_cache_t, file_type, sysadmfile;
# httpd_exec_t is the type give to the httpd executable.
#
daemon_domain(httpd, `, privmail, nscd_client_domain')
append_logdir_domain(httpd)
#can read /etc/httpd/logs
allow httpd_t httpd_log_t:lnk_file read;
# For /etc/init.d/apache2 reload
can_tcp_connect(httpd_t, httpd_t)
can_tcp_connect(web_client_domain, httpd_t)
can_exec(httpd_t, httpd_exec_t)
file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
general_domain_access(httpd_t)
allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
read_sysctl(httpd_t)
allow httpd_t crypt_device_t:chr_file rw_file_perms;
# for modules that want to access /etc/mtab and /proc/meminfo
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
uses_shlib(httpd_t)
allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_t usr_t:lnk_file { getattr read };
# for apache2 memory mapped files
var_lib_domain(httpd)
# for tomcat
r_dir_file(httpd_t, var_lib_t)
# execute perl
allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
can_exec(httpd_t, { bin_t sbin_t })
allow httpd_t bin_t:lnk_file read;
########################################
# Set up networking
########################################
can_network_server(httpd_t)
can_kerberos(httpd_t)
can_resolve(httpd_t)
nsswitch_domain(httpd_t)
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
# allow httpd to connect to mysql/posgresql
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
# allow httpd to work as a relay
allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
if (httpd_can_network_connect) {
can_network_client(httpd_t)
allow httpd_t port_type:tcp_socket name_connect;
}
##########################################
# Legacy: remove when it's fixed #
# Allow libphp5.so with text relocations #
##########################################
allow httpd_t texrel_shlib_t:file execmod;
#########################################
# Allow httpd to search users directories
#########################################
allow httpd_t home_root_t:dir { getattr search };
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
############################################################################
# Allow the httpd_t the capability to bind to a port and various other stuff
############################################################################
allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
dontaudit httpd_t self:capability net_admin;
#################################################
# Allow the httpd_t to read the web servers config files
###################################################
r_dir_file(httpd_t, httpd_config_t)
# allow logrotate to read the config files for restart
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, httpd_config_t)
domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
allow logrotate_t httpd_t:process signull;
')
r_dir_file(initrc_t, httpd_config_t)
##################################################
###############################
# Allow httpd_t to put files in /var/cache/httpd etc
##############################
create_dir_file(httpd_t, httpd_cache_t)
###############################
# Allow httpd_t to access the tmpfs file system
##############################
tmpfs_domain(httpd)
#####################
# Allow httpd_t to access
# libraries for its modules
###############################
allow httpd_t httpd_modules_t:file rx_file_perms;
allow httpd_t httpd_modules_t:dir r_dir_perms;
allow httpd_t httpd_modules_t:lnk_file r_file_perms;
######################################################################
# Allow initrc_t to access the Apache modules directory.
######################################################################
allow initrc_t httpd_modules_t:dir r_dir_perms;
##############################################
# Allow httpd_t to have access to files
# such as nisswitch.conf
# need ioctl for php
###############################################
allow httpd_t etc_t:file { read getattr ioctl };
allow httpd_t etc_t:lnk_file { getattr read };
# setup the system domain for system CGI scripts
apache_domain(sys)
dontaudit httpd_sys_script_t httpd_config_t:dir search;
# Run SSI execs in system CGI script domain.
if (httpd_ssi_exec) {
domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
}
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
##################################################
#
# PHP Directives
##################################################
type httpd_php_exec_t, file_type, sysadmfile, exec_type;
type httpd_php_t, domain;
# Transition from the user domain to this domain.
domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
# The system role is authorized for this domain.
role system_r types httpd_php_t;
general_domain_access(httpd_php_t)
uses_shlib(httpd_php_t)
can_exec(httpd_php_t, lib_t)
# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file ra_file_perms;
# access to /tmp
tmp_domain(httpd)
tmp_domain(httpd_php)
# Creation of lock files for apache2
lock_domain(httpd)
# Allow apache to used public_content_t
anonymous_domain(httpd)
# connect to mysql
ifdef(`mysqld.te', `
can_unix_connect(httpd_php_t, mysqld_t)
can_unix_connect(httpd_t, mysqld_t)
can_unix_connect(httpd_sys_script_t, mysqld_t)
allow httpd_php_t mysqld_var_run_t:dir search;
allow httpd_php_t mysqld_var_run_t:sock_file write;
allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
')
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
allow httpd_t httpd_log_t:dir remove_name;
read_fonts(httpd_t)
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t autofs_t:dir { search getattr };
if (use_nfs_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(nfs_t)
}
if (use_samba_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(cifs_t)
}
#
# Allow users to mount additional directories as http_source
#
allow httpd_t mnt_t:dir r_dir_perms;
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
if (httpd_enable_homedirs) {
allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
}
') dnl targeted policy
# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
typealias httpd_sys_content_t alias httpd_sysadm_content_t;
ifdef(`distro_redhat', `
#
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
# This is a bug but it still exists in FC2
#
typealias httpd_log_t alias httpd_runtime_t;
allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
dontaudit httpd_t httpd_runtime_t:file ioctl;
') dnl distro_redhat
#
# Customer reported the following
#
ifdef(`snmpd.te', `
dontaudit httpd_t snmpd_var_lib_t:dir search;
dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
', `
dontaudit httpd_t usr_t:dir write;
')
application_domain(httpd_helper)
role system_r types httpd_helper_t;
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_log_t:file { append };
########################################
# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here.
##################################################
if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir search;
ifdef(`targeted_policy', `
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
')
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
} else {
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
}
read_sysctl(httpd_sys_script_t)
allow httpd_sys_script_t var_lib_t:dir search;
dontaudit httpd_t selinux_config_t:dir search;
r_dir_file(httpd_t, cert_t)
#
# unconfined domain for apache scripts. Only to be used as a last resort
#
type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
type httpd_unconfined_script_t, domain, nscd_client_domain;
role system_r types httpd_unconfined_script_t;
unconfined_domain(httpd_unconfined_script_t)
# The following are types for SUEXEC,which runs user scripts as their
# own user ID
#
daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
allow httpd_t httpd_suexec_exec_t:file { getattr read };
#########################################################
# Permissions for running child processes and scripts
##########################################################
allow httpd_suexec_t self:capability { setuid setgid };
dontaudit httpd_suexec_t var_run_t:dir search;
allow httpd_suexec_t { var_t var_log_t }:dir search;
allow httpd_suexec_t home_root_t:dir search;
allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
allow httpd_suexec_t httpd_t:fifo_file getattr;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_suexec_t etc_t:file { getattr read };
read_locale(httpd_suexec_t)
read_sysctl(httpd_suexec_t)
allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
# for shell scripts
allow httpd_suexec_t bin_t:dir search;
allow httpd_suexec_t bin_t:lnk_file read;
can_exec(httpd_suexec_t, { bin_t shell_exec_t })
if (httpd_can_network_connect) {
can_network(httpd_suexec_t)
allow httpd_suexec_t port_type:tcp_socket name_connect;
}
can_ypbind(httpd_suexec_t)
allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_suexec_t autofs_t:dir { search getattr };
tmp_domain(httpd_suexec)
if (httpd_enable_cgi && httpd_unified) {
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
')
}
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
}
if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
}
#
# Types for squirrelmail
#
type httpd_squirrelmail_t, file_type, sysadmfile;
create_dir_file(httpd_t, httpd_squirrelmail_t)
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
# File Type of squirrelmail attachments
type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
create_dir_file(httpd_t, squirrelmail_spool_t)
r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
ifdef(`mta.te', `
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
dontaudit system_mail_t httpd_log_t:file { append getattr };
allow system_mail_t httpd_squirrelmail_t:file { append read };
dontaudit system_mail_t httpd_t:tcp_socket { read write };
')
bool httpd_enable_ftp_server false;
if (httpd_enable_ftp_server) {
allow httpd_t ftp_port_t:tcp_socket name_bind;
}
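Review bot: `allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };` sits under the "bind to a port" banner but grants dac_override, which bypasses DAC on every file type httpd_t is otherwise allowed to reach, and `can_exec(httpd_t, { bin_t sbin_t })` under "# execute perl" lets the daemon run any bin_t or sbin_t binary without a domain transition; for a network-facing daemon both deserve a comment naming the module that needs them, or a boolean like the ones declared at the top of the file. `allow httpd_t crypt_device_t:chr_file rw_file_perms;` is likewise uncommented. Note also that `httpd_can_network_connect` turns on `port_type:tcp_socket name_connect`, i.e. every port, not just the database and proxy ports listed above it. Typos: "posgresql" in the mysql/postgresql comment, and "the domain of the / of the creating user" in the header notes.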

@ -0,0 +1,161 @@
#DESC Apmd - Automatic Power Management daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: apmd
#
#################################
#
# Rules for the apmd_t domain.
#
daemon_domain(apmd, `, privmodule, nscd_client_domain')
# for SSP
allow apmd_t urandom_device_t:chr_file read;
type apm_t, domain, privlog;
type apm_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
')
uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
allow apm_t device_t:dir search;
allow apm_t self:capability { dac_override sys_admin };
allow apm_t proc_t:dir search;
allow apm_t proc_t:file r_file_perms;
allow apm_t fs_t:filesystem getattr;
allow apm_t apm_bios_t:chr_file rw_file_perms;
role sysadm_r types apm_t;
role system_r types apm_t;
allow apmd_t device_t:lnk_file read;
allow apmd_t proc_t:file { getattr read write };
can_sysctl(apmd_t)
allow apmd_t sysfs_t:file write;
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t self:fifo_file rw_file_perms;
allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
allow apmd_t etc_t:lnk_file read;
# acpid wants a socket
file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
# acpid also has a logfile
log_domain(apmd)
tmp_domain(apmd)
ifdef(`distro_suse', `
var_lib_domain(apmd)
')
allow apmd_t self:file { getattr read ioctl };
allow apmd_t self:process getsession;
# Use capabilities.
allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
# controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
allow apmd_t self:capability mknod;
# Access /dev/apm_bios.
allow apmd_t apm_bios_t:chr_file rw_file_perms;
# Run helper programs.
can_exec_any(apmd_t)
# apmd calls hwclock.sh on suspend and resume
allow apmd_t clock_device_t:chr_file r_file_perms;
ifdef(`hwclock.te', `
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
allow apmd_t adjtime_t:file rw_file_perms;
allow hwclock_t apmd_log_t:file append;
allow hwclock_t apmd_t:unix_stream_socket { read write };
')
# to quiet fuser and ps
# setuid for fuser, dac* for ps
dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
dontaudit apmd_t domain:socket_class_set getattr;
dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
dontaudit apmd_t device_type:devfile_class_set getattr;
dontaudit apmd_t home_type:dir { search getattr };
dontaudit apmd_t domain:key_socket getattr;
dontaudit apmd_t domain:dir search;
ifdef(`distro_redhat', `
can_exec(apmd_t, apmd_var_run_t)
# for /var/lock/subsys/network
lock_domain(apmd)
# ifconfig_exec_t needs to be run in its own domain for Red Hat
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
', `
# for ifconfig which is run all the time
dontaudit apmd_t sysctl_t:dir search;
')
ifdef(`udev.te', `
allow apmd_t udev_t:file { getattr read };
allow apmd_t udev_t:lnk_file { getattr read };
')
#
# apmd tells the machine to shutdown requires the following
#
allow apmd_t initctl_t:fifo_file write;
allow apmd_t initrc_var_run_t:file { read write lock };
#
# Allow it to run killof5 and pidof
#
typeattribute apmd_t unrestricted;
r_dir_file(apmd_t, domain)
# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
ifdef(`consoletype.te', `
allow consoletype_t apmd_t:fd use;
allow consoletype_t apmd_t:fifo_file write;
')
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
ifdef(`crond.te', `
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')
ifdef(`mta.te', `
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
')
# for a find /dev operation that gets /dev/shm
dontaudit apmd_t tmpfs_t:dir r_dir_perms;
dontaudit apmd_t selinux_config_t:dir search;
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
ifdef(`logrotate.te', `
allow apmd_t logrotate_t:fd use;
')dnl end if logrotate.te
allow apmd_t devpts_t:dir { getattr search };
allow apmd_t security_t:dir search;
allow apmd_t usr_t:dir search;
r_dir_file(apmd_t, hwdata_t)
ifdef(`targeted_policy', `
unconfined_domain(apmd_t)
')
ifdef(`NetworkManager.te', `
ifdef(`dbusd.te', `
allow apmd_t NetworkManager_t:dbus send_msg;
allow NetworkManager_t apmd_t:dbus send_msg;
')
')
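Review bot: `ifdef(`targeted_policy', `unconfined_domain(apmd_t)')` near the end of the file makes every fine-grained apmd_t rule above it moot in the targeted build this commit adds; if apmd has to be unconfined there, a comment should say why. In the non-targeted build `can_exec_any(apmd_t)` ("Run helper programs.") already lets it execute anything without a transition, so the `domain_auto_trans` rules for hwclock, ifconfig, iptables and netutils only constrain those specific helpers. Also `allow apmd_t proc_t:file { getattr read write };` grants write to /proc files with no comment, unlike the `initctl_t` and hwclock rules, which explain themselves.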

@ -0,0 +1,48 @@
#DESC arpwatch - keep track of ethernet/ip address pairings
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the arpwatch_t domain.
#
# arpwatch_exec_t is the type of the arpwatch executable.
#
daemon_domain(arpwatch, `, privmail')
# for files created by arpwatch
type arpwatch_data_t, file_type, sysadmfile;
create_dir_file(arpwatch_t,arpwatch_data_t)
tmp_domain(arpwatch)
allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
can_network_server(arpwatch_t)
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
allow arpwatch_t { sbin_t var_lib_t }:dir search;
allow arpwatch_t sbin_t:lnk_file read;
r_dir_file(arpwatch_t, etc_t)
r_dir_file(arpwatch_t, usr_t)
can_ypbind(arpwatch_t)
ifdef(`qmail.te', `
allow arpwatch_t bin_t:dir search;
')
ifdef(`distro_gentoo', `
allow initrc_t arpwatch_data_t:dir { add_name write };
allow initrc_t arpwatch_data_t:file create;
')dnl end distro_gentoo
# why is mail delivered to a directory of type arpwatch_data_t?
allow mta_delivery_agent arpwatch_data_t:dir search;
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
ifdef(`hide_broken_symptoms', `
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
')
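Review bot: the comment `# why is mail delivered to a directory of type arpwatch_data_t?` leaves an open question in shipped policy while the rules beneath it (`allow mta_delivery_agent arpwatch_data_t:dir search;` and `allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;`) grant the mail agents access anyway; either resolve the labeling (a file context for the spool path would let the rule go away) or put these under `hide_broken_symptoms` like the packet_socket dontaudit below them. Style: `create_dir_file(arpwatch_t,arpwatch_data_t)` lacks the space after the comma used everywhere else.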

@ -0,0 +1,69 @@
#DESC auditd - System auditing daemon
#
# Authors: Colin Walters <walters@verbum.org>
#
# Some fixes by Paul Moore <paul.moore@hp.com>
#
define(`audit_manager_domain', `
allow $1 auditd_etc_t:file rw_file_perms;
create_dir_file($1, auditd_log_t)
domain_auto_trans($1, auditctl_exec_t, auditctl_t)
')
daemon_domain(auditd)
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
allow auditd_t self:process setsched;
allow auditd_t self:file { getattr read write };
allow auditd_t etc_t:file { getattr read };
# Do not use logdir_domain since this is a security file
type auditd_log_t, file_type, secure_file_type;
allow auditd_t var_log_t:dir search;
rw_dir_create_file(auditd_t, auditd_log_t)
can_exec(auditd_t, init_exec_t)
allow auditd_t initctl_t:fifo_file write;
ifdef(`targeted_policy', `
dontaudit auditd_t unconfined_t:fifo_file read;
')
type auditctl_t, domain, privlog;
type auditctl_exec_t, file_type, exec_type, sysadmfile;
uses_shlib(auditctl_t)
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditctl_t self:capability { audit_write audit_control };
allow auditctl_t etc_t:file { getattr read };
allow auditctl_t admin_tty_type:chr_file rw_file_perms;
type auditd_etc_t, file_type, secure_file_type;
allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
allow initrc_t auditd_etc_t:file r_file_perms;
role secadm_r types auditctl_t;
role sysadm_r types auditctl_t;
audit_manager_domain(secadm_t)
ifdef(`targeted_policy', `', `
ifdef(`separate_secadm', `', `
audit_manager_domain(sysadm_t)
')
')
role system_r types auditctl_t;
domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
dontaudit auditctl_t local_login_t:fd use;
allow auditctl_t proc_t:dir search;
allow auditctl_t sysctl_kernel_t:dir search;
allow auditctl_t sysctl_kernel_t:file { getattr read };
dontaudit auditctl_t init_t:fd use;
allow auditctl_t initrc_devpts_t:chr_file { read write };
allow auditctl_t privfd:fd use;
allow auditd_t sbin_t:dir search;
can_exec(auditd_t, sbin_t)
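Review bot: `can_exec(auditd_t, sbin_t)` at the end of the file (with `allow auditd_t sbin_t:dir search;`) lets auditd run any sbin_t binary in its own domain and carries no comment on which helper needs it; since auditd_t holds `audit_control` and `audit_write` and may write `initctl_t`, whatever it executes inherits the ability to reconfigure or stop auditing. Give that helper its own exec type and a transition, or at least say what it is for. `allow auditd_t self:file { getattr read write };` is similarly unexplained.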

@ -0,0 +1,116 @@
#DESC Bluetooth
#
# Authors: Dan Walsh
# RH-Packages: Bluetooth
#
#################################
#
# Rules for the bluetooth_t domain.
#
daemon_domain(bluetooth)
file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
tmp_domain(bluetooth)
var_lib_domain(bluetooth)
# Use capabilities.
allow bluetooth_t self:file read;
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
allow bluetooth_t self:process getsched;
allow bluetooth_t proc_t:file { getattr read };
allow bluetooth_t self:shm create_shm_perms;
lock_domain(bluetooth)
# Use the network.
can_network(bluetooth_t)
can_ypbind(bluetooth_t)
ifdef(`dbusd.te', `
dbusd_client(system, bluetooth)
allow bluetooth_t system_dbusd_t:dbus send_msg;
')
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
# bluetooth_conf_t is the type of the /etc/bluetooth dir.
type bluetooth_conf_t, file_type, sysadmfile;
type bluetooth_conf_rw_t, file_type, sysadmfile;
# Read /etc/bluetooth
allow bluetooth_t bluetooth_conf_t:dir search;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
#/usr/sbin/hid2hci causes the following
allow initrc_t usbfs_t:file { getattr read };
allow bluetooth_t usbfs_t:dir r_dir_perms;
allow bluetooth_t usbfs_t:file rw_file_perms;
allow bluetooth_t bin_t:dir search;
can_exec(bluetooth_t, { bin_t shell_exec_t })
allow bluetooth_t bin_t:lnk_file read;
#Handle bluetooth serial devices
allow bluetooth_t tty_device_t:chr_file rw_file_perms;
allow bluetooth_t self:fifo_file rw_file_perms;
allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(bluetooth_t, fonts_t)
allow bluetooth_t urandom_device_t:chr_file r_file_perms;
allow bluetooth_t usr_t:file { getattr read };
application_domain(bluetooth_helper, `, nscd_client_domain')
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
role system_r types bluetooth_helper_t;
read_locale(bluetooth_helper_t)
typeattribute bluetooth_helper_t unrestricted;
r_dir_file(bluetooth_helper_t, domain)
allow bluetooth_helper_t bin_t:dir { getattr search };
can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
allow bluetooth_helper_t bin_t:lnk_file read;
allow bluetooth_helper_t self:capability sys_nice;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:process { fork getsched sigchld };
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(bluetooth_helper_t, fonts_t)
r_dir_file(bluetooth_helper_t, proc_t)
read_sysctl(bluetooth_helper_t)
allow bluetooth_helper_t tmp_t:dir search;
allow bluetooth_helper_t usr_t:file { getattr read };
allow bluetooth_helper_t home_dir_type:dir search;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
ifdef(`targeted_policy', `
allow bluetooth_helper_t tmp_t:sock_file { read write };
allow bluetooth_helper_t tmpfs_t:file { read write };
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
allow bluetooth_t unconfined_t:dbus send_msg;
allow unconfined_t bluetooth_t:dbus send_msg;
', `
ifdef(`xdm.te', `
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
')
allow bluetooth_t unpriv_userdomain:dbus send_msg;
allow unpriv_userdomain bluetooth_t:dbus send_msg;
')
allow bluetooth_helper_t bluetooth_t:socket { read write };
allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_helper_t self:unix_stream_socket connectto;
tmp_domain(bluetooth_helper)
allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;
dontaudit bluetooth_helper_t default_t:dir { read search };
dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
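Review bot: the `ifdef(`xserver.te', ...)` block granting bluetooth_helper_t `search` on xserver_log_t directories and `{ getattr read }` on its files appears twice, once before the `targeted_policy` ifdef and again as the last block of the file; drop one copy. `typeattribute bluetooth_helper_t unrestricted;` together with `can_exec(bluetooth_helper_t, { bin_t shell_exec_t })` and, in the targeted build, `allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;` give the helper a lot of reach for something launched by a daemon holding `net_raw` and `net_admin`; a comment on which helper scripts these are would justify it. Minor: `allow bluetooth_t self:socket create_stream_socket_perms;` on the generic `socket` class is unusual beside the explicit unix_dgram/unix_stream rules; if it covers the Bluetooth protocol family sockets, say so.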

@ -0,0 +1,46 @@
#DESC canna - A Japanese character set input system.
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the canna_t domain.
#
daemon_domain(canna)
file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
logdir_domain(canna)
var_lib_domain(canna)
allow canna_t self:capability { setgid setuid net_bind_service };
allow canna_t tmp_t:dir { search };
allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t etc_t:file { getattr read };
allow canna_t usr_t:file { getattr read };
allow canna_t proc_t:file r_file_perms;
allow canna_t etc_runtime_t:file r_file_perms;
allow canna_t canna_var_lib_t:dir create;
rw_dir_create_file(canna_t, canna_var_lib_t)
can_network_tcp(canna_t)
allow canna_t port_type:tcp_socket name_connect;
can_ypbind(canna_t)
allow userdomain canna_var_run_t:dir search;
allow userdomain canna_var_run_t:sock_file write;
can_unix_connect(userdomain, canna_t)
ifdef(`i18n_input.te', `
allow i18n_input_t canna_var_run_t:dir search;
allow i18n_input_t canna_var_run_t:sock_file write;
can_unix_connect(i18n_input_t, canna_t)
')
dontaudit canna_t kernel_t:fd use;
dontaudit canna_t root_t:file read;
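Review bot: `allow canna_t port_type:tcp_socket name_connect;` lets the canna server open outbound TCP connections to any port type, far more than an input-method server that accepts clients via `can_network_tcp(canna_t)` should need; name the port type it actually connects to or drop the rule. Also `allow canna_t self:unix_dgram_socket create_stream_socket_perms;` hands listen/accept permissions to a datagram socket; `create_socket_perms` is what the other files in this commit (apmd.te, arpwatch.te) use for unix_dgram_socket.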

@ -0,0 +1,90 @@
#DESC Cardmgr - PCMCIA control programs
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pcmcia-cs
#
#################################
#
# Rules for the cardmgr_t domain.
#
daemon_domain(cardmgr, `, privmodule')
# for SSP
allow cardmgr_t urandom_device_t:chr_file read;
type cardctl_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
')
role sysadm_r types cardmgr_t;
allow cardmgr_t admin_tty_type:chr_file { read write };
allow cardmgr_t sysfs_t:dir search;
allow cardmgr_t home_root_t:dir search;
# Use capabilities (net_admin for route), setuid for cardctl
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
# for /etc/resolv.conf
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
allow cardmgr_t etc_runtime_t:file { getattr read };
allow cardmgr_t modules_object_t:dir search;
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
allow cardmgr_t self:fifo_file rw_file_perms;
# Create stab file
var_lib_domain(cardmgr)
# for /var/lib/misc/pcmcia-scheme
# would be better to have it in a different type if I knew how it was created..
allow cardmgr_t var_lib_t:file { getattr read };
# Create device files in /tmp.
type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
# Create symbolic links in /dev.
type cardmgr_lnk_t, file_type, sysadmfile;
file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
# Run a shell, normal commands, /etc/pcmcia scripts.
can_exec_any(cardmgr_t)
allow cardmgr_t etc_t:lnk_file read;
# Run ifconfig.
domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
allow ifconfig_t cardmgr_t:fd use;
allow cardmgr_t proc_t:file { getattr read ioctl };
# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain -unrestricted)
dontaudit cardmgr_t unrestricted:dir search;
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
allow cardmgr_t ttyfile:chr_file getattr;
dontaudit cardmgr_t ptyfile:chr_file getattr;
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
dontaudit cardmgr_t proc_kmsg_t:file getattr;
allow cardmgr_t tty_device_t:chr_file rw_file_perms;
ifdef(`apmd.te', `
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
')
ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
')
allow cardmgr_t device_t:lnk_file { getattr read };
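Review bot: `domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)` and `allow ifconfig_t cardmgr_t:fd use;` are not wrapped in `ifdef(`ifconfig.te', ...)` the way apmd.te guards the same transition, so this file will not build if ifconfig.te is left out. Also `file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)` is commented as being for /etc/resolv.conf but labels every file cardmgr creates in an etc_t directory as net_conf_t; given that cardmgr_t also gets `can_exec_any` plus `dac_override`, `sys_admin` and `mknod`, a narrower rule limits what a misbehaving /etc/pcmcia script can do.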

@ -0,0 +1,64 @@
#DESC Checkpolicy - SELinux policy compliler
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: checkpolicy
#
###########################
#
# checkpolicy_t is the domain type for checkpolicy
# checkpolicy_exec_t if file type for the executable
type checkpolicy_t, domain;
role sysadm_r types checkpolicy_t;
role system_r types checkpolicy_t;
role secadm_r types checkpolicy_t;
type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
##########################
#
# Rules
domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
# able to create and modify binary policy files
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
allow checkpolicy_t policy_config_t:file create_file_perms;
###########################
# constrain what checkpolicy can use as source files
#
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir r_dir_perms;
allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
# allow test policies to be created in src directories
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
# directory search permissions for path to source and binary policy files
allow checkpolicy_t root_t:dir search;
allow checkpolicy_t etc_t:dir search;
# Read the devpts root directory.
allow checkpolicy_t devpts_t:dir r_dir_perms;
ifdef(`sshd.te',
`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Other access
allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(checkpolicy_t)
allow checkpolicy_t self:capability dac_override;
##########################
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)
allow checkpolicy_t { userdomain privfd }:fd use;
allow checkpolicy_t fs_t:filesystem getattr;
allow checkpolicy_t console_device_t:chr_file { read write };
allow checkpolicy_t init_t:fd use;
allow checkpolicy_t selinux_config_t:dir search;
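Review bot: `allow checkpolicy_t self:capability dac_override;` is uncommented, and because checkpolicy_t has `create_file_perms` on policy_config_t and `rw_dir_perms` on its directory, anyone who reaches the domain (sysadm_r, secadm_r and system_r are all authorized, with `domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)` as the entry) can overwrite the binary policy regardless of file ownership; if it is only needed to read protected source files, say so, otherwise drop it. Header typos: "compliler", and "checkpolicy_exec_t if file type" should read "is the file type".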

@ -0,0 +1,18 @@
#DESC Chkpwd - PAM password checking programs
# X-Debian-Packages: libpam-modules
#
# Domains for the /sbin/.*_chkpwd utilities.
#
#
# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
#
type chkpwd_exec_t, file_type, sysadmfile, exec_type;
chkpwd_domain(system)
dontaudit system_chkpwd_t privfd:fd use;
role sysadm_r types system_chkpwd_t;
in_user_role(system_chkpwd_t)
# Everything else is in the chkpwd_domain macro in
# macros/program/chkpwd_macros.te.

@ -0,0 +1,3 @@
typealias bin_t alias mount_exec_t;
typealias bin_t alias dmesg_exec_t;
typealias bin_t alias loadkeys_exec_t;
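Review bot: `typealias bin_t alias mount_exec_t;` and the two aliases after it make mount_exec_t, dmesg_exec_t and loadkeys_exec_t synonyms for bin_t, so any `domain_auto_trans` or `can_exec` elsewhere that names one of these types now matches every file labelled bin_t, and mount, dmesg and loadkeys run in the caller's domain with no transition. That is presumably the intent for the targeted policy, but this file has no `#DESC` header or comment saying so; add one so the aliases are not mistaken for a labelling mistake and so nobody later adds a transition rule keyed on them.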


@ -0,0 +1,20 @@
#DESC comsat - biff server
#
# Author: Dan Walsh <dwalsh@redhat.com>
# Depends: inetd.te
#
#################################
#
# Rules for the comsat_t domain.
#
# comsat_exec_t is the type of the comsat executable.
#
inetd_child_domain(comsat, udp)
allow comsat_t initrc_var_run_t:file r_file_perms;
dontaudit comsat_t initrc_var_run_t:file write;
allow comsat_t mail_spool_t:dir r_dir_perms;
allow comsat_t mail_spool_t:lnk_file read;
allow comsat_t var_spool_t:dir search;
dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
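Review bot: the spool rules `allow comsat_t mail_spool_t:dir r_dir_perms;` and `allow comsat_t mail_spool_t:lnk_file read;` give comsat no access at all to `mail_spool_t:file`; if comsat is expected to read the mailbox to report the new message (the usual biff behaviour), a file read rule is missing, and if the message text is deliberately not exposed a comment to that effect would stop someone adding it later. `dontaudit comsat_t initrc_var_run_t:file write;` immediately after the `r_file_perms` rule on the same type deserves a comment naming the file it covers (utmp, I assume) so the pair is not read as contradictory.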


@ -0,0 +1,65 @@
#DESC consoletype - determine the type of a console device
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages:
#
#################################
#
# Rules for the consoletype_t domain.
#
# consoletype_t is the domain for the consoletype program.
# consoletype_exec_t is the type of the corresponding program.
#
type consoletype_t, domain, mlsfileread, mlsfilewrite;
type consoletype_exec_t, file_type, sysadmfile, exec_type;
role system_r types consoletype_t;
uses_shlib(consoletype_t)
general_domain_access(consoletype_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
ifdef(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file { read write };
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
')
')
allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
# Use capabilities.
allow consoletype_t self:capability sys_admin;
allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
allow consoletype_t initrc_t:fifo_file write;
allow consoletype_t nfs_t:file write;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
ifdef(`lpd.te', `
allow consoletype_t printconf_t:file { getattr read };
')
ifdef(`pam.te', `
allow consoletype_t pam_var_run_t:file { getattr read };
')
ifdef(`distro_redhat', `
allow consoletype_t tmpfs_t:chr_file rw_file_perms;
')
ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
dontaudit consoletype_t proc_t:dir search;
dontaudit consoletype_t proc_t:file read;
dontaudit consoletype_t root_t:file read;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
allow consoletype_t system_crond_t:fd use;
allow consoletype_t fs_t:filesystem getattr;
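Review bot: `allow consoletype_t self:capability sys_admin;` under the uninformative `# Use capabilities.` comment grants the broadest capability in the set to a program whose job is to report what kind of terminal it is attached to; check whether this is a real requirement (an ioctl on the console device) or a failed probe that should be a `dontaudit`, and replace the comment with the reason either way. `allow consoletype_t nfs_t:file write;` is equally unexplained and lets consoletype write any file on an NFS mount; if it is for redirected output from init scripts on an NFS root, say so. The `dontaudit consoletype_t proc_t:dir search;` / `proc_t:file read` / `root_t:file read` trio is the right treatment for harmless probes and is what the sys_admin rule should probably look like too.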


@ -0,0 +1,17 @@
#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
#
# Author: Russell Coker <russell@coker.com.au>
#
type cpucontrol_conf_t, file_type, sysadmfile;
daemon_base_domain(cpucontrol)
# Access cpu devices.
allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
allow cpucontrol_t device_t:lnk_file { getattr read };
allow initrc_t cpu_device_t:chr_file getattr;
allow cpucontrol_t self:capability sys_rawio;
r_dir_file(cpucontrol_t, cpucontrol_conf_t)


@ -0,0 +1,17 @@
#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
#
# Authors: Russell Coker <russell@coker.com.au>
# Thomas Bleher <ThomasBleher@gmx.de>
#
daemon_base_domain(cpuspeed)
read_locale(cpuspeed_t)
allow cpuspeed_t sysfs_t:dir search;
allow cpuspeed_t sysfs_t:file rw_file_perms;
allow cpuspeed_t proc_t:dir r_dir_perms;
allow cpuspeed_t proc_t:file { getattr read };
allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
allow cpuspeed_t self:process setsched;
allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
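Review bot: the header `#DESC cpuspeed - domain for microcode_ctl, powernowd, etc` conflicts with cpucontrol.te in this same commit, whose `#DESC` assigns microcode_ctl to cpucontrol_t (the domain that actually gets `cpu_device_t:chr_file rw_file_perms` and `sys_rawio`); one of the two descriptions should drop microcode_ctl. Also `allow cpuspeed_t sysfs_t:file rw_file_perms;` grants write access to every file under sysfs rather than just the cpufreq entries the daemon tunes; there is no finer-grained type available here, so at least comment which sysfs paths are written so the rule can be narrowed once a type exists.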


@ -0,0 +1,33 @@
#DESC crond
#
# Authors: Daniel Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the crond domain.
#
# crond_exec_t is the type of the /usr/sbin/crond and other programs.
# This domain is defined just for targeted policy.
#
type crond_exec_t, file_type, sysadmfile, exec_type;
type crond_t, domain, privuser, privrole, privfd, privowner;
typealias crond_t alias system_crond_t;
type anacron_exec_t, file_type, sysadmfile, exec_type;
type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
type system_cron_spool_t, file_type, sysadmfile;
type sysadm_cron_spool_t, file_type, sysadmfile;
role system_r types crond_t;
domain_auto_trans(initrc_t, crond_exec_t, crond_t)
domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
# Access log files
file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
var_run_domain(crond)
ifdef(`targeted_policy', `
unconfined_domain(crond_t)
allow crond_t initrc_t:dbus send_msg;
allow crond_t unconfined_t:dbus send_msg;
allow crond_t unconfined_t:process transition;
')
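Review bot: the comment `# Access log files` sits above `file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)` and `file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)`, which label files crond creates in home directories and /tmp and have nothing to do with logs; fix the comment. The header states `This domain is defined just for targeted policy.`, yet `unconfined_domain(crond_t)` and the dbus rules are wrapped in an ifdef on targeted_policy; either the guard is redundant or the header is wrong, and if the file can be built into the strict policy then `allow crond_t unconfined_t:dbus send_msg;` and `allow crond_t unconfined_t:process transition;` reference a type that may not be declared there.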


@ -0,0 +1,321 @@
#DESC Cups - Common Unix Printing System
#
# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
# Depends: lpd.te lpr.te
#################################
#
# Rules for the cupsd_t domain.
#
# cupsd_t is the domain of cupsd.
# cupsd_exec_t is the type of the cupsd executable.
#
daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
etcdir_domain(cupsd)
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
can_network(cupsd_t)
allow cupsd_t port_type:tcp_socket name_connect;
logdir_domain(cupsd)
tmp_domain(cupsd, `', { file dir fifo_file })
allow cupsd_t devpts_t:dir search;
allow cupsd_t device_t:lnk_file read;
allow cupsd_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t urandom_device_t:chr_file { getattr read };
dontaudit cupsd_t random_device_t:chr_file ioctl;
# temporary solution, we need something better
allow cupsd_t serial_device:chr_file rw_file_perms;
r_dir_file(cupsd_t, usbdevfs_t)
r_dir_file(cupsd_t, usbfs_t)
ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
')
ifdef(`inetd.te', `
allow inetd_t printer_port_t:tcp_socket name_bind;
domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
')
# write to spool
allow cupsd_t var_spool_t:dir search;
# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file })
allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
allow cupsd_t cupsd_etc_t:file setattr;
allow cupsd_t cupsd_etc_t:dir setattr;
allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
can_exec(cupsd_t, initrc_exec_t)
allow cupsd_t proc_t:file r_file_perms;
allow cupsd_t proc_t:dir r_dir_perms;
allow cupsd_t self:file { getattr read };
read_sysctl(cupsd_t)
allow cupsd_t sysctl_dev_t:dir search;
allow cupsd_t sysctl_dev_t:file { getattr read };
# for /etc/printcap
dontaudit cupsd_t etc_t:file write;
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
allow cupsd_t cupsd_exec_t:dir search;
allow cupsd_t cupsd_exec_t:lnk_file read;
allow cupsd_t reserved_port_t:tcp_socket name_bind;
dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:fifo_file rw_file_perms;
# Use capabilities.
allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
dontaudit cupsd_t self:capability net_admin;
#
# /usr/lib/cups/backend/serial needs sys_admin
# Need new context to run under???
allow cupsd_t self:capability sys_admin;
allow cupsd_t self:process setsched;
# for /var/lib/defoma
allow cupsd_t var_lib_t:dir search;
r_dir_file(cupsd_t, readable_t)
# Bind to the cups/ipp port (631).
allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
can_tcp_connect(web_client_domain, cupsd_t)
can_tcp_connect(cupsd_t, cupsd_t)
# Send to portmap.
ifdef(`portmap.te', `
can_udp_send(cupsd_t, portmap_t)
can_udp_send(portmap_t, cupsd_t)
')
# Write to /var/spool/cups.
allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
allow cupsd_t print_spool_t:file create_file_perms;
allow cupsd_t print_spool_t:file rw_file_perms;
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
allow cupsd_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_t bin_t:lnk_file read;
can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
# They will also invoke ghostscript, which needs to read fonts
read_fonts(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
allow cupsd_t lib_t:file { read getattr };
# read python modules
allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
#
# lots of errors generated requiring the following
#
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
#
# Satisfy readahead
#
allow initrc_t cupsd_log_t:file { getattr read };
r_dir_file(cupsd_t, var_t)
r_dir_file(cupsd_t, usercanread)
ifdef(`samba.te', `
rw_dir_file(cupsd_t, samba_var_t)
allow smbd_t cupsd_etc_t:dir search;
')
ifdef(`pam.te', `
dontaudit cupsd_t pam_var_run_t:file { getattr read };
')
dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
# PTAL
daemon_domain(ptal)
etcdir_domain(ptal)
file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
allow ptal_t self:capability { chown sys_rawio };
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ptal_t self:unix_stream_socket { listen accept };
can_network_server_tcp(ptal_t)
allow ptal_t ptal_port_t:tcp_socket name_bind;
allow userdomain ptal_t:unix_stream_socket connectto;
allow userdomain ptal_var_run_t:sock_file write;
allow userdomain ptal_var_run_t:dir search;
allow ptal_t self:fifo_file rw_file_perms;
allow ptal_t device_t:dir read;
allow ptal_t printer_device_t:chr_file rw_file_perms;
allow initrc_t printer_device_t:chr_file getattr;
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(ptal_t, usbdevfs_t)
rw_dir_file(ptal_t, usbfs_t)
allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket connectto;
allow cupsd_t ptal_var_run_t:dir search;
dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
allow initrc_t ptal_var_run_t:dir rmdir;
allow initrc_t ptal_var_run_t:fifo_file unlink;
# HPLIP
daemon_domain(hplip)
etcdir_domain(hplip)
allow hplip_t etc_t:file r_file_perms;
allow hplip_t etc_runtime_t:file { read getattr };
allow hplip_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t hplip_var_run_t:file { read getattr };
allow hplip_t cupsd_etc_t:dir search;
can_network(hplip_t)
allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
allow hplip_t hplip_port_t:tcp_socket name_bind;
# Uses networking to talk to the daemons
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
# for python
can_exec(hplip_t, bin_t)
allow hplip_t { sbin_t bin_t }:dir search;
allow hplip_t self:file { getattr read };
allow hplip_t proc_t:file r_file_perms;
allow hplip_t urandom_device_t:chr_file { getattr read };
allow hplip_t usr_t:{ file lnk_file } r_file_perms;
allow hplip_t devpts_t:dir search;
allow hplip_t devpts_t:chr_file { getattr ioctl };
dontaudit cupsd_t selinux_config_t:dir search;
dontaudit cupsd_t selinux_config_t:file { getattr read };
allow cupsd_t printconf_t:file { getattr read };
ifdef(`dbusd.te', `
dbusd_client(system, cupsd)
allow cupsd_t system_dbusd_t:dbus send_msg;
allow cupsd_t userdomain:dbus send_msg;
')
# CUPS configuration daemon
daemon_domain(cupsd_config, `, nscd_client_domain')
allow cupsd_config_t devpts_t:dir search;
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
')
allow cupsd_config_t initrc_exec_t:file getattr;
')dnl end distro_redhat
allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
allow cupsd_config_t self:file { getattr read };
allow cupsd_config_t proc_t:file { getattr read };
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
allow cupsd_config_t cupsd_t:process { signal };
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
can_ps(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:capability { chown sys_tty_config };
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
allow cupsd_config_t var_t:lnk_file read;
can_network_tcp(cupsd_config_t)
can_ypbind(cupsd_config_t)
allow cupsd_config_t port_type:tcp_socket name_connect;
can_tcp_connect(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
ifdef(`dbusd.te', `
dbusd_client(system, cupsd_config)
allow cupsd_config_t userdomain:dbus send_msg;
allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
allow userdomain cupsd_config_t:dbus send_msg;
')dnl end if dbusd.te
ifdef(`hald.te', `
ifdef(`dbusd.te', `
allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
')dnl end if dbusd.te
allow hald_t cupsd_config_t:process signal;
domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
') dnl end if hald.te
can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(cupsd_t, hostname_exec_t)
can_exec(cupsd_config_t, hostname_exec_t)
')
allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
# killall causes the following
dontaudit cupsd_config_t domain:dir { getattr search };
dontaudit cupsd_config_t selinux_config_t:dir search;
can_exec(cupsd_config_t, cupsd_config_exec_t)
allow cupsd_config_t usr_t:file { getattr read };
allow cupsd_config_t var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
allow cupsd_config_t printconf_t:file { getattr read };
allow cupsd_config_t urandom_device_t:chr_file { getattr read };
ifdef(`logrotate.te', `
allow cupsd_config_t logrotate_t:fd use;
')dnl end if logrotate.te
allow cupsd_config_t system_crond_t:fd use;
allow cupsd_config_t crond_t:fifo_file r_file_perms;
allow cupsd_t crond_t:fifo_file read;
allow cupsd_t crond_t:fd use;
# Alternatives asks for this
allow cupsd_config_t initrc_exec_t:file getattr;
ifdef(`targeted_policy', `
can_unix_connect(cupsd_t, initrc_t)
allow cupsd_t initrc_t:dbus send_msg;
allow initrc_t cupsd_t:dbus send_msg;
allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
allow unconfined_t cupsd_config_t:dbus send_msg;
allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
')
typealias printer_port_t alias cupsd_lpd_port_t;
inetd_child_domain(cupsd_lpd)
allow inetd_t printer_port_t:tcp_socket name_bind;
r_dir_file(cupsd_lpd_t, cupsd_etc_t)
r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
ifdef(`use_mcs', `
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
')
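Review bot: `allow cupsd_config_t rpm_var_lib_t:file { getattr read };` near the end of the cupsd_config_t block is unconditional and duplicates the rule already given inside the distro_redhat / rpm.te ifdef earlier; when rpm.te is not built the unguarded copy names an undeclared type and the policy fails to compile, so drop it. `allow cupsd_config_t initrc_exec_t:file getattr;` likewise appears twice (once under distro_redhat, once under `# Alternatives asks for this`), and `allow inetd_t printer_port_t:tcp_socket name_bind;` appears both inside the inetd.te ifdef and, for cupsd_lpd, outside it. Separately, the block that opens with `# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong` then grants exactly that with `allow cupsd_t cupsd_etc_t:file setattr;` and `allow cupsd_t cupsd_etc_t:dir setattr;`; a rule the author calls wrong should be a `dontaudit` with a TODO, not an allow. Finally, `allow cupsd_t port_type:tcp_socket name_connect;` and `allow cupsd_t reserved_port_t:tcp_socket name_bind;` let the print daemon connect to any TCP port and bind any reserved port that has no specific type; ipp_port_t is already bound explicitly, so the reserved_port_t allow looks like it should be merged into the `dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;` that follows it.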


@ -0,0 +1,31 @@
#DESC cvs - Concurrent Versions System
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the cvs_t domain.
#
# cvs_exec_t is the type of the cvs executable.
#
inetd_child_domain(cvs, tcp)
typeattribute cvs_t privmail;
typeattribute cvs_t auth_chkpwd;
type cvs_data_t, file_type, sysadmfile, customizable;
create_dir_file(cvs_t, cvs_data_t)
can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
allow cvs_t bin_t:dir search;
allow cvs_t { bin_t sbin_t }:lnk_file read;
allow cvs_t etc_runtime_t:file { getattr read };
allow system_mail_t cvs_data_t:file { getattr read };
dontaudit cvs_t devtty_t:chr_file { read write };
ifdef(`kerberos.te', `
# Allow kerberos to work
allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
dontaudit cvs_t krb5_conf_t:file write;
')
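Review bot: `can_exec(cvs_t, { bin_t sbin_t shell_exec_t })` lets the network-facing cvs server run any program in /bin or /sbin and any shell with no comment on why; if this is for CVSROOT hook scripts (loginfo, commitinfo and friends), say so the way cups.te does with `# Filter scripts may be shell scripts...`, because together with `typeattribute cvs_t privmail;` and `create_dir_file(cvs_t, cvs_data_t)` it defines most of what a compromised pserver could do. `allow system_mail_t cvs_data_t:file { getattr read };` is also unexplained and gives the mailer read access to everything labelled cvs_data_t; if it only needs the notification templates, a comment or a narrower type would help.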


@ -0,0 +1,52 @@
#DESC cyrus-imapd
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# cyrusd_exec_t is the type of the cyrusd executable.
# cyrusd_key_t is the type of the cyrus private key files
daemon_domain(cyrus)
general_domain_access(cyrus_t)
file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
type cyrus_var_lib_t, file_type, sysadmfile;
allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
allow cyrus_t self:process setrlimit;
can_network(cyrus_t)
allow cyrus_t port_type:tcp_socket name_connect;
can_ypbind(cyrus_t)
can_exec(cyrus_t, bin_t)
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
allow cyrus_t etc_t:file { getattr read };
allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
read_locale(cyrus_t)
read_sysctl(cyrus_t)
tmp_domain(cyrus)
allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
allow cyrus_t proc_t:dir search;
allow cyrus_t proc_t:file { getattr read };
allow cyrus_t sysadm_devpts_t:chr_file { read write };
allow cyrus_t var_lib_t:dir search;
allow cyrus_t etc_runtime_t:file { read getattr };
ifdef(`crond.te', `
system_crond_entry(cyrus_exec_t, cyrus_t)
allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
allow system_crond_t cyrus_var_lib_t:file create_file_perms;
')
create_dir_file(cyrus_t, mail_spool_t)
allow cyrus_t var_spool_t:dir search;
ifdef(`saslauthd.te', `
allow cyrus_t saslauthd_var_run_t:dir search;
allow cyrus_t saslauthd_var_run_t:sock_file { read write };
allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
')
r_dir_file(cyrus_t, cert_t)
allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
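Review bot: the header comments `# cyrusd_exec_t is the type of the cyrusd executable.` and `# cyrusd_key_t is the type of the cyrus private key files` name types that do not exist in this file: `daemon_domain(cyrus)` produces cyrus_t and cyrus_exec_t, and no cyrusd_key_t is declared anywhere (certificates are read through `r_dir_file(cyrus_t, cert_t)`). Fix the comments or add the missing type. `allow cyrus_t lib_t:file { execute execute_no_trans getattr read };` grants execute_no_trans on all library files, which should already be covered for shared objects by the uses_shlib that daemon_domain pulls in; if a specific helper under /usr/lib is executed, name it in a comment, otherwise drop execute_no_trans. `allow cyrus_t port_type:tcp_socket name_connect;` is also broader than an IMAP/POP server needs.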


@ -0,0 +1,14 @@
#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the dbskkd_t domain.
#
# dbskkd_exec_t is the type of the dbskkd executable.
#
# Depends: inetd.te
inetd_child_domain(dbskkd)
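Review bot: `inetd_child_domain(dbskkd)` is called without the protocol argument that comsat.te (`inetd_child_domain(comsat, udp)`) and cvs.te (`inetd_child_domain(cvs, tcp)`) pass; if the macro defaults to tcp that is correct for dbskkd but worth writing out for consistency, and if it does not default the domain gets no socket access at all. The `# Depends: inetd.te` line also belongs in the header next to the author line, where the other files in this commit put it.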


@ -0,0 +1,27 @@
#DESC dbus-daemon-1 server for dbus desktop bus protocol
#
# Author: Russell Coker <russell@coker.com.au>
dbusd_domain(system)
allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
ifdef(`pamconsole.te', `
r_dir_file(system_dbusd_t, pam_var_console_t)
')
# dac_override: /var/run/dbus is owned by messagebus on Debian
allow system_dbusd_t self:capability { dac_override setgid setuid };
nsswitch_domain(system_dbusd_t)
# I expect we need more than this
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
allow initrc_t system_dbusd_var_run_t:sock_file write;
can_exec(system_dbusd_t, sbin_t)
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:unix_stream_socket connectto;
allow system_dbusd_t self:unix_stream_socket connectto;
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
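Review bot: `allow system_dbusd_t self:unix_stream_socket connectto;` is listed twice in a row; drop one copy. `can_exec(system_dbusd_t, sbin_t)` lets the system bus execute anything in /sbin without a comment on what it launches (bus-activated services would normally transition to their own domain rather than run as system_dbusd_t), and `# I expect we need more than this` above the initrc_t rules reads as a placeholder; state what is known to be missing or remove it.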


@ -0,0 +1,168 @@
#DESC DHCPC - DHCP client
#
# Authors: Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pump dhcp-client udhcpc
#
#################################
#
# Rules for the dhcpc_t domain.
#
# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP
# network configurator daemon started by /etc/sysconfig/network-scripts
# rc scripts, runs in this domain.
# dhcpc_exec_t is the type of the dhcpcd executable.
# The dhcpc_t can be used for other DHCPC related files as well.
#
daemon_domain(dhcpc)
# for SSP
allow dhcpc_t urandom_device_t:chr_file read;
can_network(dhcpc_t)
allow dhcpc_t port_type:tcp_socket name_connect;
can_ypbind(dhcpc_t)
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
allow dhcpc_t self:unix_stream_socket create_socket_perms;
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t devpts_t:dir search;
# for localization
allow dhcpc_t lib_t:file { getattr read };
ifdef(`consoletype.te', `
domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
')
ifdef(`nscd.te', `
domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
allow dhcpc_t nscd_var_run_t:file { getattr read };
')
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
allow cardmgr_t dhcpc_var_run_t:file unlink;
allow dhcpc_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
allow hotplug_t dhcpc_t:process signal_perms;
allow hotplug_t dhcpc_var_run_t:file { getattr read };
allow hotplug_t dhcp_etc_t:file rw_file_perms;
allow dhcpc_t hotplug_etc_t:dir { getattr search };
ifdef(`distro_redhat', `
domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
')
')dnl end hotplug.te
# for the dhcp client to run ping to check IP addresses
ifdef(`ping.te', `
domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
ifdef(`hotplug.te', `
allow ping_t hotplug_t:fd use;
') dnl end if hotplug
ifdef(`cardmgr.te', `
allow ping_t cardmgr_t:fd use;
') dnl end if cardmgr
', `
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
') dnl end if ping
ifdef(`dhcpd.te', `', `
type dhcp_state_t, file_type, sysadmfile;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
')
type dhcpc_state_t, file_type, sysadmfile;
allow dhcpc_t etc_t:lnk_file read;
allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
allow dhcpc_t proc_net_t:dir search;
allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
allow dhcpc_t self:file { getattr read };
read_sysctl(dhcpc_t)
allow dhcpc_t userdomain:fd use;
ifdef(`run_init.te', `
allow dhcpc_t run_init_t:fd use;
')
# Use capabilities
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
# for udp port 68
allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
# Allow access to the dhcpc file types
r_dir_file(dhcpc_t, dhcp_etc_t)
allow dhcpc_t sbin_t:dir search;
can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
ifdef(`distro_redhat', `
can_exec(dhcpc_t, etc_t)
allow initrc_t dhcp_etc_t:file rw_file_perms;
')
ifdef(`ifconfig.te', `
domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig
tmp_domain(dhcpc)
# Allow dhcpc_t to use packet sockets
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t var_lib_t:dir search;
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
allow dhcpc_t dhcp_state_t:file { getattr read };
allow dhcpc_t bin_t:dir { getattr search };
allow dhcpc_t bin_t:lnk_file read;
can_exec(dhcpc_t, { bin_t shell_exec_t })
ifdef(`hostname.te', `
domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
')
dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
allow dhcpc_t { userdomain kernel_t }:fd use;
allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };
dontaudit dhcpc_t var_lock_t:dir search;
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit dhcpc_t domain:dir getattr;
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
#
# dhclient sometimes starts ypbind and ntdp
#
can_exec(dhcpc_t, initrc_exec_t)
ifdef(`ypbind.te', `
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
allow dhcpc_t ypbind_t:process signal;
')
ifdef(`ntpd.te', `
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
')
role sysadm_r types dhcpc_t;
domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
ifdef(`dbusd.te', `
dbusd_client(system, dhcpc)
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
allow dhcpc_t self:dbus send_msg;
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t dhcpc_t:dbus send_msg;
allow dhcpc_t unconfined_t:dbus send_msg;
')
')
ifdef(`netutils.te', `domain_auto_trans(dhcpd_t, netutils_exec_t, netutils_t)')
allow dhcpc_t locale_t:file write;
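Review bot: `ifdef(`netutils.te', `domain_auto_trans(dhcpd_t, netutils_exec_t, netutils_t)')` names dhcpd_t in the DHCP client file; this should be dhcpc_t, and as written it adds a transition for the server domain and fails to build when netutils.te is present but dhcpd.te is not, since dhcpd_t is then undeclared. `allow dhcpc_t locale_t:file write;` on the last line gives the client write access to locale data for no stated reason and looks like a stray denial that should be a `dontaudit`. The dbus block references NetworkManager_t inside the dbusd.te ifdef with no NetworkManager.te guard, unlike the unconfined.te guard a few lines below it. Comment nit: `# dhclient sometimes starts ypbind and ntdp` should read ntpd, matching the ntpd.te block that follows.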


@ -0,0 +1,78 @@
#DESC DHCPD - DHCP server
#
# Author: Russell Coker <russell@coker.com.au>
# based on the dhcpc_t policy from:
# Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
# X-Debian-Packages: dhcp dhcp3-server
#
#################################
#
# Rules for the dhcpd_t domain.
#
# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP
# server daemon rc scripts, runs in this domain.
# dhcpd_exec_t is the type of the dhcpdd executable.
# The dhcpd_t can be used for other DHCPC related files as well.
#
daemon_domain(dhcpd, `, nscd_client_domain')
# for UDP port 4011
allow dhcpd_t pxe_port_t:udp_socket name_bind;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
# Use the network.
can_network(dhcpd_t)
allow dhcpd_t port_type:tcp_socket name_connect;
allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
can_ypbind(dhcpd_t)
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
allow dhcpd_t var_lib_t:dir search;
allow dhcpd_t devtty_t:chr_file { read write };
# Use capabilities
allow dhcpd_t self:capability { net_raw net_bind_service };
dontaudit dhcpd_t self:capability net_admin;
# Allow access to the dhcpd file types
type dhcp_state_t, file_type, sysadmfile;
type dhcpd_state_t, file_type, sysadmfile;
allow dhcpd_t dhcp_etc_t:file { read getattr };
allow dhcpd_t dhcp_etc_t:dir search;
file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
allow dhcpd_t etc_t:lnk_file read;
allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
# Allow dhcpd_t to use packet sockets
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;
# allow to run utilities and scripts
allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
allow dhcpd_t self:fifo_file { read write getattr };
# allow reading /proc
allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
tmp_domain(dhcpd)
ifdef(`distro_gentoo', `
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
allow initrc_t dhcpd_state_t:file setattr;
')
r_dir_file(dhcpd_t, usr_t)
allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
ifdef(`named.te', `
allow dhcpd_t { named_conf_t named_zone_t }:dir search;
allow dhcpd_t dnssec_t:file { getattr read };
')
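Review bot: the header comments were copied from dhcpc.te and not updated: `# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP server daemon rc scripts, runs in this domain.` is garbled, `# dhcpd_exec_t is the type of the dhcpdd executable.` has a typo, and `# The dhcpd_t can be used for other DHCPC related files as well.` should say DHCPD. On the rules, `allow dhcpd_t port_type:tcp_socket name_connect;` lets the server connect to any TCP port; the named.te block suggests the real need is dynamic DNS updates, so a rule on the DNS port type (plus whatever the update path needs) would be tighter than connect-anywhere.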


@ -0,0 +1,48 @@
#DESC Dictd - Dictionary daemon
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dictd
#
#################################
#
# Rules for the dictd_t domain.
#
# dictd_exec_t is the type of the dictd executable.
#
daemon_base_domain(dictd)
type dictd_var_lib_t, file_type, sysadmfile;
typealias dictd_var_lib_t alias var_lib_dictd_t;
etc_domain(dictd)
# for checking for nscd
dontaudit dictd_t var_run_t:dir search;
# read config files
allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
read_locale(dictd_t)
allow dictd_t { var_t var_lib_t }:dir search;
allow dictd_t dictd_var_lib_t:dir r_dir_perms;
allow dictd_t dictd_var_lib_t:file r_file_perms;
allow dictd_t self:capability { setuid setgid };
allow dictd_t usr_t:file r_file_perms;
allow dictd_t self:process { setpgid fork sigchld };
allow dictd_t proc_t:file r_file_perms;
allow dictd_t dict_port_t:tcp_socket name_bind;
allow dictd_t devtty_t:chr_file rw_file_perms;
allow dictd_t self:unix_stream_socket create_stream_socket_perms;
can_network_server(dictd_t)
can_ypbind(dictd_t)
can_tcp_connect(userdomain, dictd_t)
allow dictd_t fs_t:filesystem getattr;


@ -0,0 +1,22 @@
#DESC dmidecode - decodes DMI data for x86/ia64 bioses
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
type dmidecode_t, domain, privmem;
type dmidecode_exec_t, file_type, exec_type, sysadmfile;
# Allow execution by the sysadm
role sysadm_r types dmidecode_t;
role system_r types dmidecode_t;
domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
uses_shlib(dmidecode_t)
# Allow terminal access
access_terminal(dmidecode_t, sysadm)
# Allow dmidecode to read /dev/mem
allow dmidecode_t memory_device_t:chr_file read;
allow dmidecode_t self:capability sys_rawio;
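Review bot: `role system_r types dmidecode_t;` has nothing in this file to use it: the only entry into the domain is `domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)`, which runs under sysadm_r. Either add the system-side transition (an init script or hardware daemon that calls dmidecode) that needs system_r, or drop the role line. The `# Allow dmidecode to read /dev/mem` pair of `memory_device_t:chr_file read` plus `sys_rawio`, with `privmem` on the type declaration, is the expected minimum for reading DMI tables and reads correctly.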


@ -0,0 +1,75 @@
#DESC Dovecot POP and IMAP servers
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
#
# Main dovecot daemon
#
daemon_domain(dovecot, `, privhome')
etc_domain(dovecot);
allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
can_exec(dovecot_t, dovecot_exec_t)
type dovecot_cert_t, file_type, sysadmfile;
type dovecot_passwd_t, file_type, sysadmfile;
type dovecot_spool_t, file_type, sysadmfile;
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
allow dovecot_t self:process setrlimit;
can_network_tcp(dovecot_t)
allow dovecot_t port_type:tcp_socket name_connect;
can_ypbind(dovecot_t)
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(dovecot_t, self)
allow dovecot_t etc_t:file { getattr read };
allow dovecot_t initrc_var_run_t:file getattr;
allow dovecot_t bin_t:dir { getattr search };
can_exec(dovecot_t, bin_t)
allow dovecot_t pop_port_t:tcp_socket name_bind;
allow dovecot_t urandom_device_t:chr_file { getattr read };
allow dovecot_t cert_t:dir search;
r_dir_file(dovecot_t, dovecot_cert_t)
r_dir_file(dovecot_t, cert_t)
allow dovecot_t { self proc_t }:file { getattr read };
allow dovecot_t self:fifo_file rw_file_perms;
can_kerberos(dovecot_t)
allow dovecot_t tmp_t:dir search;
rw_dir_create_file(dovecot_t, mail_spool_t)
create_dir_file(dovecot_t, dovecot_spool_t)
create_dir_file(mta_delivery_agent, dovecot_spool_t)
allow dovecot_t mail_spool_t:lnk_file read;
allow dovecot_t var_spool_t:dir { search };
#
# Dovecot auth daemon
#
daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
can_ldap(dovecot_auth_t)
can_ypbind(dovecot_auth_t)
can_kerberos(dovecot_auth_t)
can_resolve(dovecot_auth_t)
allow dovecot_auth_t self:process { fork signal_perms };
allow dovecot_auth_t self:capability { setgid setuid };
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
allow dovecot_auth_t self:fifo_file rw_file_perms;
allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
allow dovecot_auth_t etc_t:file { getattr read };
allow dovecot_auth_t { self proc_t }:file { getattr read };
read_locale(dovecot_auth_t)
read_sysctl(dovecot_auth_t)
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
dontaudit dovecot_auth_t selinux_config_t:dir search;
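Review bot: `allow dovecot_t port_type:tcp_socket name_connect;` lets the mail-serving process connect to any TCP port, while the code that actually talks to external services is split into dovecot_auth_t, which gets `can_ldap`, `can_kerberos` and `can_resolve` instead; if dovecot_t itself needs an outbound connection, name the port type, otherwise drop the rule. Style: `etc_domain(dovecot);` carries a trailing `;` that no other macro invocation in the file has; remove it. `create_dir_file(mta_delivery_agent, dovecot_spool_t)` grants every delivery agent full create/write on the dovecot spool, which is the right shape for local delivery but deserves a comment so it is not later narrowed to dovecot_t by mistake.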


@ -0,0 +1,80 @@
#DESC Fingerd - Finger daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
#
#################################
#
# Rules for the fingerd_t domain.
#
# fingerd_exec_t is the type of the fingerd executable.
#
daemon_domain(fingerd)
etcdir_domain(fingerd)
allow fingerd_t etc_t:lnk_file read;
allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
log_domain(fingerd)
system_crond_entry(fingerd_exec_t, fingerd_t)
ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
allow fingerd_t fingerd_port_t:tcp_socket name_bind;
ifdef(`inetd.te', `
allow inetd_t fingerd_port_t:tcp_socket name_bind;
# can be run from inetd
domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
')
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
')
allow fingerd_t self:capability { setgid setuid };
# for gzip from logrotate
dontaudit fingerd_t self:capability fsetid;
# cfingerd runs shell scripts
allow fingerd_t { bin_t sbin_t }:dir search;
allow fingerd_t bin_t:lnk_file read;
can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
allow fingerd_t devtty_t:chr_file { read write };
allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
# Use the network.
can_network_server(fingerd_t)
can_ypbind(fingerd_t)
allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms;
allow fingerd_t self:fifo_file { read write getattr };
# allow any user domain to connect to the finger server
can_tcp_connect(userdomain, fingerd_t)
# for .finger, .plan. etc
allow fingerd_t { home_root_t user_home_dir_type }:dir search;
# should really have a different type for .plan etc
allow fingerd_t user_home_type:file { getattr read };
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
dontaudit fingerd_t user_home_t:dir search;
# for mail
allow fingerd_t { var_spool_t mail_spool_t }:dir search;
allow fingerd_t mail_spool_t:file getattr;
allow fingerd_t mail_spool_t:lnk_file read;
# see who is logged in and when users last logged in
allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
dontaudit fingerd_t initrc_var_run_t:file lock;
allow fingerd_t devpts_t:dir search;
allow fingerd_t ptyfile:chr_file getattr;
allow fingerd_t proc_t:file { read getattr };
# for date command
read_sysctl(fingerd_t)
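Review bot: `allow fingerd_t user_home_type:file { getattr read };` lets a network-facing daemon that also has `can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })` and setuid/setgid read every file directly under any user's home directory, not only .plan and .project; the comment above it already concedes a dedicated type is needed. Until that type exists, the shell and bin/sbin exec set is only justified by the cfingerd case named in the comment, so guarding it with an ifdef would keep a minimal fingerd build from being granted shell execution it does not use.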

View File

@ -0,0 +1,131 @@
#DESC firstboot
#
# Author: Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: firstboot
#
#################################
#
# Rules for the firstboot_t domain.
#
# firstboot_exec_t is the type of the firstboot executable.
#
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
type firstboot_rw_t, file_type, sysadmfile;
role system_r types firstboot_t;
ifdef(`xserver.te', `
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
')
etc_domain(firstboot)
allow firstboot_t proc_t:file r_file_perms;
allow firstboot_t urandom_device_t:chr_file { getattr read };
allow firstboot_t proc_t:file { getattr read write };
domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
can_exec_any(firstboot_t)
ifdef(`useradd.te',`
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
')
allow firstboot_t etc_runtime_t:file { getattr read };
r_dir_file(firstboot_t, etc_t)
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
allow firstboot_t firstboot_rw_t:file create_file_perms;
allow firstboot_t self:fifo_file { getattr read write };
allow firstboot_t self:process { fork sigchld };
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t initrc_exec_t:file { getattr read };
allow firstboot_t initrc_var_run_t:file r_file_perms;
allow firstboot_t lib_t:file { getattr read };
allow firstboot_t local_login_t:fd use;
read_locale(firstboot_t)
allow firstboot_t proc_t:dir search;
allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
allow firstboot_t usr_t:file r_file_perms;
allow firstboot_t etc_t:file write;
# Allow write to utmp file
allow firstboot_t initrc_var_run_t:file write;
ifdef(`samba.te', `
rw_dir_file(firstboot_t, samba_etc_t)
')
dontaudit firstboot_t shadow_t:file getattr;
role system_r types initrc_t;
#role_transition firstboot_r initrc_exec_t system_r;
domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
allow firstboot_t self:passwd rootok;
ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
')
ifdef(`consoletype.te', `
allow consoletype_t devtty_t:chr_file { read write };
allow consoletype_t etc_t:file { getattr read };
allow consoletype_t firstboot_t:fd use;
')
allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:dir search;
allow firstboot_t self:file { read write };
allow firstboot_t self:lnk_file read;
can_setfscreate(firstboot_t)
allow firstboot_t krb5_conf_t:file rw_file_perms;
allow firstboot_t modules_conf_t:file { getattr read };
allow firstboot_t modules_dep_t:file { getattr read };
allow firstboot_t modules_object_t:dir search;
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
allow firstboot_t proc_t:lnk_file read;
can_getsecurity(firstboot_t)
dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
read_sysctl(firstboot_t)
allow firstboot_t var_run_t:dir getattr;
allow firstboot_t var_t:dir getattr;
ifdef(`hostname.te', `
allow hostname_t devtty_t:chr_file { read write };
allow hostname_t firstboot_t:fd use;
')
ifdef(`iptables.te', `
allow iptables_t devtty_t:chr_file { read write };
allow iptables_t firstboot_t:fd use;
allow iptables_t firstboot_t:fifo_file write;
')
can_network_server(firstboot_t)
can_ypbind(firstboot_t)
ifdef(`printconf.te', `
can_exec(firstboot_t, printconf_t)
')
create_dir_file(firstboot_t, var_t)
# Add/remove user home directories
file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
#
# The big hammer
#
unconfined_domain(firstboot_t)
ifdef(`targeted_policy', `
allow firstboot_t unconfined_t:process transition;
')
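Review bot: `unconfined_domain(firstboot_t)` under the "big hammer" comment makes every rule above it redundant, including `dontaudit firstboot_t shadow_t:file getattr;` and the `dontaudit firstboot_t sysadm_t:process { ... }` line, which now silence denials that can no longer occur. Either drop the unconfined_domain call and keep the detailed rules (adding whatever is still missing), or strip the detailed rules so a reader is not misled into thinking firstboot_t is confined. Separately, `allow firstboot_t proc_t:file r_file_perms;` and `allow firstboot_t proc_t:file { getattr read write };` overlap; keep one.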

View File

@ -0,0 +1,123 @@
#DESC Fsadm - Disk and file system administration
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#
#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
type fsadm_t, domain, privlog, fs_domain, mlsfileread;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
# for swapon
r_dir_file(fsadm_t, sysfs_t)
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
# Read system variables in /proc/sys
read_sysctl(fsadm_t)
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };
base_file_read_access(fsadm_t)
# Read /etc.
r_dir_file(fsadm_t, etc_t)
# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;
uses_shlib(fsadm_t)
type fsadm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
')
tmp_domain(fsadm)
# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;
allow fsadm_t fs_t:filesystem getattr;
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
# mkreiserfs and other programs need this for UUID
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;
# Run other fs admin programs in the fsadm_t domain.
can_exec(fsadm_t, fsadm_exec_t)
# Access disk devices.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
# Access lost+found.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
allow fsadm_t file_t:dir { search read getattr rmdir create };
# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };
# Recreate /dev/cdrom.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };
# Enable swapping to devices and files
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
# Allow console log change (updfstab)
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
can_access_pty(fsadm_t, initrc)
allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
read_locale(fsadm_t)
# for smartctl cron jobs
system_crond_entry(fsadm_exec_t, fsadm_t)
# Access to /initrd devices
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
allow fsadm_t device_type:chr_file getattr;
# for tune2fs
allow fsadm_t file_type:dir { getattr search };
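Review bot: `allow fsadm_t file_type:dir { getattr search };` at the end of the file grants search on every directory type in the policy, justified only by "# for tune2fs". Since fsadm_t already holds sys_rawio and rw access to fixed_disk_device_t this adds little real privilege, but the comment should name the path tune2fs traverses so the rule can later be narrowed to that type. Also `allow fsadm_t file_t:dir { search read getattr rmdir create };` and the mnt_t rule beneath it carry the same permission set and could be merged, and the later `allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;` already covers the file_t case.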

View File

@ -0,0 +1,116 @@
#DESC Ftpd - Ftp daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
#
#################################
#
# Rules for the ftpd_t domain
#
daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
etc_domain(ftpd)
can_network(ftpd_t)
allow ftpd_t port_type:tcp_socket name_connect;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_socket_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_file_perms;
allow ftpd_t bin_t:dir search;
can_exec(ftpd_t, bin_t)
allow ftpd_t bin_t:lnk_file read;
read_sysctl(ftpd_t)
allow ftpd_t urandom_device_t:chr_file { getattr read };
ifdef(`crond.te', `
system_crond_entry(ftpd_exec_t, ftpd_t)
allow system_crond_t xferlog_t:file r_file_perms;
can_exec(ftpd_t, { sbin_t shell_exec_t })
allow ftpd_t usr_t:file { getattr read };
ifdef(`logrotate.te', `
can_exec(ftpd_t, logrotate_exec_t)
')dnl end if logrotate.te
')dnl end if crond.te
allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
allow ftpd_t port_t:tcp_socket name_bind;
# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
type ftpd_lock_t, file_type, sysadmfile, lockfile;
# Allow ftpd to run directly without inetd.
bool ftpd_is_daemon false;
if (ftpd_is_daemon) {
file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
allow ftpd_t ftp_port_t:tcp_socket name_bind;
can_tcp_connect(userdomain, ftpd_t)
# Allows it to check exec privs on daemon
allow inetd_t ftpd_exec_t:file x_file_perms;
}
ifdef(`inetd.te', `
if (!ftpd_is_daemon) {
ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
# Use sockets inherited from inetd.
allow ftpd_t inetd_t:fd use;
allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
# Send SIGCHLD to inetd on death.
allow ftpd_t inetd_t:process sigchld;
}
') dnl end inetd.te
# Access shared memory tmpfs instance.
tmpfs_domain(ftpd)
# Use capabilities.
allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
# Append to /var/log/wtmp.
allow ftpd_t wtmp_t:file { getattr append };
#kerberized ftp requires the following
allow ftpd_t wtmp_t:file { write lock };
# Create and modify /var/log/xferlog.
type xferlog_t, file_type, sysadmfile, logfile;
file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
can_exec(ftpd_t, ls_exec_t)
allow initrc_t ftpd_etc_t:file { getattr read };
allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
allow ftpd_t proc_t:file { getattr read };
dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
dontaudit ftpd_t selinux_config_t:dir search;
allow ftpd_t autofs_t:dir search;
allow ftpd_t self:file { getattr read };
tmp_domain(ftpd)
# Allow ftp to read/write files in the user home directories.
bool ftp_home_dir false;
if (ftp_home_dir) {
# allow access to /home
allow ftpd_t home_root_t:dir r_dir_perms;
create_dir_file(ftpd_t, home_type)
ifdef(`targeted_policy', `
file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
')
}
if (use_nfs_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, nfs_t)
}
if (use_samba_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, cifs_t)
}
dontaudit ftpd_t selinux_config_t:dir search;
anonymous_domain(ftpd)
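Review bot: `allow inetd_t ftpd_exec_t:file x_file_perms;` inside `if (ftpd_is_daemon)` references inetd_t outside the `ifdef(`inetd.te', ...)` guard that the other inetd rules in this file use, so the build breaks when inetd.te is absent; move it under the ifdef (the daemon branch is also an odd home for an inetd rule). `dontaudit ftpd_t selinux_config_t:dir search;` appears twice, once before `allow ftpd_t autofs_t:dir search;` and again just before anonymous_domain; drop one. Note also that `create_dir_file(ftpd_t, home_type)` under ftp_home_dir covers every home type, including administrator home directories, not only user_home_t, so the boolean's comment should say so.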

View File

@ -0,0 +1,61 @@
#DESC Getty - Manage ttys
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
#
#################################
#
# Rules for the getty_t domain.
#
init_service_domain(getty, `, privfd')
etcdir_domain(getty)
allow getty_t console_device_t:chr_file setattr;
tmp_domain(getty)
log_domain(getty)
allow getty_t { etc_t etc_runtime_t }:file { getattr read };
allow getty_t etc_t:lnk_file read;
allow getty_t self:process { getpgid getsession };
allow getty_t self:unix_dgram_socket create_socket_perms;
allow getty_t self:unix_stream_socket create_socket_perms;
# Use capabilities.
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
read_locale(getty_t)
# Run login in local_login_t domain.
allow getty_t { sbin_t bin_t }:dir search;
domain_auto_trans(getty_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
allow getty_t { var_t var_run_t }:dir search;
allow getty_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow getty_t wtmp_t:file rw_file_perms;
# Chown, chmod, read and write ttys.
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
# for error condition handling
allow getty_t fs_t:filesystem getattr;
lock_domain(getty)
r_dir_file(getty_t, sysfs_t)
# for mgetty
var_run_domain(getty)
allow getty_t self:capability { fowner fsetid };
#
# getty needs to be able to run pppd
#
ifdef(`pppd.te', `
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
')
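Review bot: `allow getty_t wtmp_t:file rw_file_perms;` under "# Write to /var/log/wtmp." grants read and write on the login history file; wtmp is an append-only record, and ftpd.te in this same commit gets only `{ getattr append }` on wtmp_t, so getty_t should be tightened to the same unless a specific getty is known to rewrite it. `allow getty_t self:capability { fowner fsetid };` near the end could be folded into the capability rule earlier in the file, keeping the "# for mgetty" note as an inline comment.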

View File

@ -0,0 +1,104 @@
#DESC hald - server for device info
#
# Author: Russell Coker <rcoker@redhat.com>
# X-Debian-Packages:
#
#################################
#
# Rules for the hald_t domain.
#
# hald_exec_t is the type of the hald executable.
#
daemon_domain(hald, `, fs_domain, nscd_client_domain')
can_exec_any(hald_t)
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow hald_t self:unix_dgram_socket create_socket_perms;
ifdef(`dbusd.te', `
allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
dbusd_client(system, hald)
allow hald_t self:dbus send_msg;
')
allow hald_t self:file { getattr read };
allow hald_t proc_t:file rw_file_perms;
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file getattr;
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
can_network_server(hald_t)
can_ypbind(hald_t)
allow hald_t device_t:lnk_file read;
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
allow hald_t removable_device_t:blk_file write;
allow hald_t event_device_t:chr_file { getattr read ioctl };
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
allow hald_t mouse_device_t:chr_file r_file_perms;
allow hald_t device_type:chr_file getattr;
can_getsecurity(hald_t)
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
allow updfstab_t hald_t:dbus send_msg;
allow hald_t updfstab_t:dbus send_msg;
')
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
allow hald_t udev_tbl_t:file { getattr read };
')
ifdef(`hotplug.te', `
r_dir_file(hald_t, hotplug_etc_t)
')
allow hald_t fs_type:dir { search getattr };
allow hald_t usbfs_t:dir r_dir_perms;
allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
allow hald_t bin_t:lnk_file read;
r_dir_file(hald_t, { selinux_config_t default_context_t } )
allow hald_t initrc_t:dbus send_msg;
allow initrc_t hald_t:dbus send_msg;
allow hald_t etc_runtime_t:file rw_file_perms;
allow hald_t var_lib_t:dir search;
allow hald_t device_t:dir create_dir_perms;
allow hald_t device_t:chr_file create_file_perms;
tmp_domain(hald)
allow hald_t mnt_t:dir search;
r_dir_file(hald_t, proc_net_t)
# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
ifdef(`apmd.te', `
allow hald_t apmd_var_run_t:sock_file write;
allow hald_t apmd_t:unix_stream_socket connectto;
')
# For /usr/libexec/hald-probe-smbios
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
# ??
ifdef(`lvm.te', `
allow hald_t lvm_control_t:chr_file r_file_perms;
')
ifdef(`targeted_policy', `
allow unconfined_t hald_t:dbus send_msg;
allow hald_t unconfined_t:dbus send_msg;
')
ifdef(`mount.te', `
domain_auto_trans(hald_t, mount_exec_t, mount_t)
')
r_dir_file(hald_t, hwdata_t)
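Review bot: `can_exec_any(hald_t)` near the top lets hald run any executable type in its own domain, while the same file also grants net_admin, sys_admin, dac_override, mknod and sys_rawio plus read and write on disk and printer devices; the later domain_auto_trans rules for updfstab, udev, dmidecode and mount show the intended pattern, so the helpers hald actually runs should be listed with can_exec or transitioned rather than covered by a blanket rule. The "# ??" comment above `allow hald_t lvm_control_t:chr_file r_file_perms;` should state why hald reads the LVM control device, or the rule should go.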

View File

@ -0,0 +1,28 @@
#DESC hostname - show or set the system host name
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hostname
# for setting the hostname
daemon_core_rules(hostname, , nosysadm)
allow hostname_t self:capability sys_admin;
allow hostname_t etc_t:file { getattr read };
allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
read_locale(hostname_t)
can_resolve(hostname_t)
allow hostname_t userdomain:fd use;
dontaudit hostname_t kernel_t:fd use;
allow hostname_t net_conf_t:file { getattr read };
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t var_t:dir search;
allow hostname_t fs_t:filesystem getattr;
# for when /usr is not mounted
dontaudit hostname_t file_t:dir search;
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
')
can_access_pty(hostname_t, initrc)
allow hostname_t initrc_t:fd use;
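Review bot: The header comment block stops at "# for setting the hostname" and omits the "Rules for the hostname_t domain" banner that every other file in this commit carries; add it for consistency, and note there that sys_admin is the capability sethostname requires so the single capability rule is not mistaken for an oversight.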

View File

@ -0,0 +1,163 @@
#DESC Hotplug - Hardware event manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: hotplug
#
#################################
#
# Rules for the hotplug_t domain.
#
# hotplug_exec_t is the type of the hotplug executable.
#
ifdef(`unlimitedUtils', `
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
', `
daemon_domain(hotplug, `, privmodule, nscd_client_domain')
')
etcdir_domain(hotplug)
allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:unix_dgram_socket create_socket_perms;
allow hotplug_t self:unix_stream_socket create_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;
read_sysctl(hotplug_t)
allow hotplug_t sysctl_net_t:dir r_dir_perms;
allow hotplug_t sysctl_net_t:file { getattr read };
# get info from /proc
r_dir_file(hotplug_t, proc_t)
allow hotplug_t self:file { getattr read ioctl };
allow hotplug_t devtty_t:chr_file rw_file_perms;
allow hotplug_t device_t:dir r_dir_perms;
# for SSP
allow hotplug_t urandom_device_t:chr_file read;
allow hotplug_t { bin_t sbin_t }:dir search;
allow hotplug_t { bin_t sbin_t }:lnk_file read;
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
ifdef(`hostname.te', `
can_exec(hotplug_t, hostname_exec_t)
dontaudit hostname_t hotplug_t:fd use;
')
ifdef(`netutils.te', `
ifdef(`distro_redhat', `
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
')dnl end if distro_redhat
')dnl end if netutils.te
allow initrc_t usbdevfs_t:file { getattr read ioctl };
allow initrc_t modules_dep_t:file { getattr read ioctl };
r_dir_file(hotplug_t, usbdevfs_t)
allow hotplug_t usbfs_t:dir r_dir_perms;
allow hotplug_t usbfs_t:file { getattr read };
# read config files
allow hotplug_t etc_t:dir r_dir_perms;
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
allow hotplug_t kernel_t:process { sigchld setpgid };
ifdef(`distro_redhat', `
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')
ifdef(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
')
# for killall
allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:file getattr;
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
ifdef(`mount.te', `
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
')
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
')
# init scripts run /etc/hotplug/usb.rc
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
allow initrc_t hotplug_etc_t:dir r_dir_perms;
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
r_dir_file(hotplug_t, modules_object_t)
allow hotplug_t modules_dep_t:file { getattr read ioctl };
# for lsmod
dontaudit hotplug_t self:capability { sys_module sys_admin };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
ifdef(`fsadm.te', `
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
')
allow hotplug_t var_log_t:dir search;
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
ifdef(`initrc.te', `
can_ps(hotplug_t, initrc_t)
')
# for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr };
# kernel threads inherit from shared descriptor table used by init
dontaudit hotplug_t initctl_t:fifo_file { read write };
# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
allow hotplug_t sysfs_t:dir { getattr read search write };
allow hotplug_t sysfs_t:file rw_file_perms;
allow hotplug_t sysfs_t:lnk_file { getattr read };
r_dir_file(hotplug_t, hwdata_t)
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
')
allow hotplug_t fixed_disk_device_t:blk_file setattr;
allow hotplug_t removable_device_t:blk_file setattr;
allow hotplug_t sound_device_t:chr_file setattr;
ifdef(`udev.te', `
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
')
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
can_network_server(hotplug_t)
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
ifdef(`mta.te', `
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit hotplug_t selinux_config_t:dir search;
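Review bot: `allow initrc_t usbdevfs_t:file { getattr read ioctl };` and `allow initrc_t modules_dep_t:file { getattr read ioctl };` grant permissions to initrc_t, not hotplug_t, and belong in initrc.te, or at least under an ifdef(`initrc.te') guard as the can_ps rule later in this file is. `can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })` includes plain etc_t, so any file labelled etc_t becomes executable in hotplug_t; if only the /etc/hotplug scripts need to run, hotplug_etc_t already covers them. The comment "# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q" has a stray "#" mid-line from two comment lines being joined.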

View File

@ -0,0 +1,21 @@
#DESC howl - port of Apple Rendezvous multicast DNS
#
# Author: Russell Coker <rcoker@redhat.com>
#
daemon_domain(howl, `, privsysmod')
r_dir_file(howl_t, proc_net_t)
can_network_server(howl_t)
can_ypbind(howl_t)
allow howl_t self:unix_dgram_socket create_socket_perms;
allow howl_t self:capability { kill net_admin sys_module };
allow howl_t self:fifo_file rw_file_perms;
allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
allow howl_t self:unix_dgram_socket create_socket_perms;
allow howl_t etc_t:file { getattr read };
allow howl_t initrc_var_run_t:file rw_file_perms;
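Review bot: `allow howl_t self:unix_dgram_socket create_socket_perms;` appears twice in this short file; drop one. `allow howl_t self:capability { kill net_admin sys_module };` together with the privsysmod attribute gives a multicast DNS responder module-loading rights; if sys_module is only probed at startup, a dontaudit is the usual choice (as hotplug.te in this commit does for lsmod), and the comment should say which operation needs kill.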

View File

@ -0,0 +1,49 @@
#DESC Hwclock - Hardware clock manager
#
# Author: David A. Wheeler <dwheeler@ida.org>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: util-linux
#
#################################
#
# Rules for the hwclock_t domain.
# This domain moves time information between the "hardware clock"
# (which runs when the system is off) and the "system clock",
# and it stores adjustment values in /etc/adjtime so that errors in the
# hardware clock are corrected.
# Note that any errors from this domain are NOT recorded by the system logger,
# because the system logger isnt running when this domain is active.
#
daemon_base_domain(hwclock)
role sysadm_r types hwclock_t;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
')
type adjtime_t, file_type, sysadmfile;
allow hwclock_t fs_t:filesystem getattr;
read_locale(hwclock_t)
# Give hwclock the capabilities it requires. dac_override is a surprise,
# but hwclock does require it.
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
# Allow hwclock to set the hardware clock.
allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { setattr rw_file_perms };
# Read and write console and ttys.
allow hwclock_t tty_device_t:chr_file rw_file_perms;
allow hwclock_t ttyfile:chr_file rw_file_perms;
allow hwclock_t ptyfile:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
read_locale(hwclock_t)
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
r_dir_file(hwclock_t, etc_t)
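Review bot: `read_locale(hwclock_t)` is called twice, once after `allow hwclock_t fs_t:filesystem getattr;` and again after the gnome-pty-helper ifdef; drop one. Typo "isnt" in the header comment. The netlink_audit_socket rule with nlmsg_relay is what lets hwclock record the clock change in the audit trail even though syslog is not yet running, which is worth a comment since the header says errors from this domain go unrecorded.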

View File

@ -0,0 +1,74 @@
#DESC Ifconfig - Configure network interfaces
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: net-tools
#
#################################
#
# Rules for the ifconfig_t domain.
#
# ifconfig_t is the domain for the ifconfig program.
# ifconfig_exec_t is the type of the corresponding program.
#
type ifconfig_t, domain, privlog, privmodule;
type ifconfig_exec_t, file_type, sysadmfile, exec_type;
role system_r types ifconfig_t;
role sysadm_r types ifconfig_t;
uses_shlib(ifconfig_t)
general_domain_access(ifconfig_t)
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
')
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
allow ifconfig_t etc_t:file { getattr read };
allow ifconfig_t self:socket create_socket_perms;
# Use capabilities.
allow ifconfig_t self:capability { net_raw net_admin };
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:capability sys_tty_config;
# Inherit and use descriptors from init.
allow ifconfig_t { kernel_t init_t }:fd use;
# Access /proc
r_dir_file(ifconfig_t, proc_t)
r_dir_file(ifconfig_t, proc_net_t)
allow ifconfig_t privfd:fd use;
allow ifconfig_t run_init_t:fd use;
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# Access terminals.
can_access_pty(ifconfig_t, initrc)
allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
# ifconfig attempts to search some sysctl entries.
# Do not audit those attempts; comment out these rules if it is desired to
# see the denials.
allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
allow ifconfig_t fs_t:filesystem getattr;
read_locale(ifconfig_t)
allow ifconfig_t lib_t:file { getattr read };
rhgb_domain(ifconfig_t)
allow ifconfig_t userdomain:fd use;
dontaudit ifconfig_t root_t:file read;
r_dir_file(ifconfig_t, sysfs_t)
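Review bot: The comment "# Do not audit those attempts; comment out these rules if it is desired to see the denials." does not match the rule beneath it, `allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;`, which is an allow, not a dontaudit. Either change the rule to dontaudit, so commenting it out actually surfaces denials as the comment promises, or rewrite the comment to say search is granted.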

View File

@ -0,0 +1,64 @@
#DESC Inetd - Internet services daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
#
#################################
#
# Rules for the inetd_t domain and
# the inetd_child_t domain.
#
daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
can_network(inetd_t)
allow inetd_t port_type:tcp_socket name_connect;
allow inetd_t self:unix_dgram_socket create_socket_perms;
allow inetd_t self:unix_stream_socket create_socket_perms;
allow inetd_t self:fifo_file rw_file_perms;
allow inetd_t etc_t:file { getattr read ioctl };
allow inetd_t self:process setsched;
log_domain(inetd)
tmp_domain(inetd)
# Use capabilities.
allow inetd_t self:capability { setuid setgid net_bind_service };
# allow any domain to connect to inetd
can_tcp_connect(userdomain, inetd_t)
# Run each daemon with a defined domain in its own domain.
# These rules have been moved to the individual target domain .te files.
# Run other daemons in the inetd_child_t domain.
allow inetd_t { bin_t sbin_t }:dir search;
allow inetd_t sbin_t:lnk_file read;
# Bind to the telnet, ftp, rlogin and rsh ports.
ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
ifdef(`talk.te', `
allow inetd_t talk_port_t:tcp_socket name_bind;
allow inetd_t ntalk_port_t:tcp_socket name_bind;
')
allow inetd_t auth_port_t:tcp_socket name_bind;
# Communicate with the portmapper.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
inetd_child_domain(inetd_child)
allow inetd_child_t proc_net_t:dir search;
allow inetd_child_t proc_net_t:file { getattr read };
ifdef(`unconfined.te', `
domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
')
ifdef(`unlimitedInetd', `
unconfined_domain(inetd_t)
')
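Review bot: "# allow any domain to connect to inetd" overstates the rule beneath it, `can_tcp_connect(userdomain, inetd_t)`, which covers user domains only; fix the comment. `domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)` under ifdef(`unconfined.te') lets inetd launch unconfined processes even when unlimitedInetd is not set; a one-line comment on why the targeted policy needs this would help reviewers separate it from the unlimitedInetd block that follows.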

View File

@ -0,0 +1,147 @@
#DESC Init - Process initialization
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit
#
#################################
#
# Rules for the init_t domain.
#
# init_t is the domain of the init process.
# init_exec_t is the type of the init program.
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# for init to determine whether SE Linux is active so it can know whether to
# activate it
allow init_t security_t:dir search;
allow init_t security_t:file { getattr read };
# for mount points
allow init_t file_t:dir search;
# Use capabilities.
allow init_t self:capability ~sys_module;
# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
# Run the shell in the sysadm_t domain for single-user mode.
domain_auto_trans(init_t, shell_exec_t, sysadm_t)
# Run /sbin/update in the init_t domain.
can_exec(init_t, sbin_t)
# Run init.
can_exec(init_t, init_exec_t)
# Run chroot from initrd scripts.
ifdef(`chroot.te', `
can_exec(init_t, chroot_exec_t)
')
# Create /dev/initctl.
file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
ifdef(`distro_redhat', `
file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
')
# Create ioctl.save.
file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache
allow init_t ld_so_cache_t:file rw_file_perms;
# Allow access to log files
allow init_t var_t:dir search;
allow init_t var_log_t:dir search;
allow init_t var_log_t:file rw_file_perms;
read_locale(init_t)
# Create unix sockets
allow init_t self:unix_dgram_socket create_socket_perms;
allow init_t self:unix_stream_socket create_socket_perms;
allow init_t self:fifo_file rw_file_perms;
# Permissions required for system startup
allow init_t { bin_t sbin_t }:dir r_dir_perms;
allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
# allow init to fork
allow init_t self:process { fork sigchld };
# Modify utmp.
allow init_t var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
can_unix_connect(init_t, initrc_t)
# For /var/run/shutdown.pid.
var_run_domain(init)
# Shutdown permissions
r_dir_file(init_t, proc_t)
r_dir_file(init_t, self)
allow init_t devpts_t:dir r_dir_perms;
# Modify wtmp.
allow init_t wtmp_t:file rw_file_perms;
# Kill all processes.
allow init_t domain:process signal_perms;
# Allow all processes to send SIGCHLD to init.
allow domain init_t:process { sigchld signull };
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
allow unlabeled_t init_t:process sigchld;
# for loading policy
allow init_t policy_config_t:file r_file_perms;
# Set booleans.
can_setbool(init_t)
# Read and write the console and ttys.
allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
ifdef(`distro_redhat', `
allow init_t tmpfs_t:chr_file rw_file_perms;
')
allow init_t ttyfile:chr_file rw_file_perms;
allow init_t ptyfile:chr_file rw_file_perms;
# Run system executables.
can_exec(init_t,bin_t)
ifdef(`consoletype.te', `
can_exec(init_t, consoletype_exec_t)
')
# Run /etc/X11/prefdm.
can_exec(init_t,etc_t)
allow init_t lib_t:file { getattr read };
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
allow init_t ramfs_t:sock_file write;
r_dir_file(init_t, sysfs_t)
r_dir_file(init_t, selinux_config_t)
# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write };
ifdef(`targeted_policy', `
unconfined_domain(init_t)
')
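Review bot: `allow init_t self:capability ~sys_module;` is labelled only `# Use capabilities.`; a complement grant of every capability but one needs to say why the full set is required and why sys_module alone is withheld, otherwise a later reader cannot tell an intentional exclusion from an oversight. Separately, the `ifdef(`targeted_policy', ...)` block at the end applies `unconfined_domain(init_t)`, which makes every rule above it redundant in this build; a one-line comment that the fine-grained rules are retained for the strict policy would save the reader from auditing them for the targeted case.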

@ -0,0 +1,342 @@
#DESC Initrc - System initialization scripts
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit policycoreutils
#
#################################
#
# Rules for the initrc_t domain.
#
# initrc_t is the domain of the init rc scripts.
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
role system_r types initrc_t;
uses_shlib(initrc_t);
can_network(initrc_t)
allow initrc_t port_type:tcp_socket name_connect;
can_ypbind(initrc_t)
type initrc_exec_t, file_type, sysadmfile, exec_type;
# for halt to down interfaces
allow initrc_t self:udp_socket create_socket_perms;
# read files in /etc/init.d
allow initrc_t etc_t:lnk_file r_file_perms;
read_locale(initrc_t)
r_dir_file(initrc_t, usr_t)
# Read system information files in /proc.
r_dir_file(initrc_t, { proc_t proc_net_t })
allow initrc_t proc_mdstat_t:file { getattr read };
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow initrc_t self:fifo_file rw_file_perms;
# Read the root directory of a usbdevfs filesystem, and
# the devices and drivers files. Permit stating of the
# device nodes, but nothing else.
allow initrc_t usbdevfs_t:dir r_dir_perms;
allow initrc_t usbdevfs_t:lnk_file r_file_perms;
allow initrc_t usbdevfs_t:file getattr;
allow initrc_t usbfs_t:dir r_dir_perms;
allow initrc_t usbfs_t:file getattr;
# allow initrc to fork and renice itself
allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
# Can create ptys for open_init_pty
can_create_pty(initrc)
tmp_domain(initrc)
#
# Some initscripts generate scripts that they need to execute (ldap)
#
can_exec(initrc_t, initrc_tmp_t)
var_run_domain(initrc)
allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
allow initrc_t var_run_t:dir { create rmdir };
ifdef(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr;
# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
')
allow initrc_t framebuf_device_t:chr_file r_file_perms;
# Use capabilities.
allow initrc_t self:capability ~{ sys_admin sys_module };
# Use system operations.
allow initrc_t kernel_t:system *;
# Set values in /proc/sys.
can_sysctl(initrc_t)
# Run helper programs in the initrc_t domain.
allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
allow initrc_t {bin_t sbin_t }:lnk_file read;
can_exec(initrc_t, etc_t)
can_exec(initrc_t, lib_t)
can_exec(initrc_t, bin_t)
can_exec(initrc_t, sbin_t)
can_exec(initrc_t, exec_type)
#
# These rules are here to allow init scripts to su
#
ifdef(`su.te', `
su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')
allow initrc_t self:passwd rootok;
# read /lib/modules
allow initrc_t modules_object_t:dir { search read };
# Read conf.modules.
allow initrc_t modules_conf_t:file r_file_perms;
# Run other rc scripts in the initrc_t domain.
can_exec(initrc_t, initrc_exec_t)
# Run init (telinit) in the initrc_t domain.
can_exec(initrc_t, init_exec_t)
# Communicate with the init process.
allow initrc_t initctl_t:fifo_file rw_file_perms;
# Read /proc/PID directories for all domains.
r_dir_file(initrc_t, domain)
allow initrc_t domain:process { getattr getsession };
# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
allow initrc_t file_t:dir { read search getattr mounton };
# during boot up initrc needs to do the following
allow initrc_t default_t:dir { write read search getattr mounton };
# rhgb-console writes to ramfs
allow initrc_t ramfs_t:fifo_file write;
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache.
allow initrc_t ld_so_cache_t:file rw_file_perms;
# Update /var/log/wtmp and /var/log/dmesg.
allow initrc_t wtmp_t:file { setattr rw_file_perms };
allow initrc_t var_log_t:dir rw_dir_perms;
allow initrc_t var_log_t:file create_file_perms;
allow initrc_t lastlog_t:file { setattr rw_file_perms };
allow initrc_t logfile:file { read append };
# remove old locks
allow initrc_t lockfile:dir rw_dir_perms;
allow initrc_t lockfile:file { getattr unlink };
# Access /var/lib/random-seed.
allow initrc_t var_lib_t:file rw_file_perms;
allow initrc_t var_lib_t:file unlink;
# Create lock file.
allow initrc_t var_lock_t:dir create_dir_perms;
allow initrc_t var_lock_t:file create_file_perms;
# Set the clock.
allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
# Kill all processes.
allow initrc_t domain:process signal_perms;
# Write to /dev/urandom.
allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
# for cryptsetup
allow initrc_t fixed_disk_device_t:blk_file getattr;
# Set device ownerships/modes.
allow initrc_t framebuf_device_t:chr_file setattr;
allow initrc_t misc_device_t:devfile_class_set setattr;
allow initrc_t device_t:devfile_class_set setattr;
allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
allow initrc_t removable_device_t:devfile_class_set setattr;
allow initrc_t device_t:lnk_file read;
allow initrc_t xconsole_device_t:fifo_file setattr;
# Stat any file.
allow initrc_t file_type:notdevfile_class_set getattr;
allow initrc_t file_type:dir { search getattr };
# Read and write console and ttys.
allow initrc_t devtty_t:chr_file rw_file_perms;
allow initrc_t console_device_t:chr_file rw_file_perms;
allow initrc_t tty_device_t:chr_file rw_file_perms;
allow initrc_t ttyfile:chr_file rw_file_perms;
allow initrc_t ptyfile:chr_file rw_file_perms;
# Reset tty labels.
allow initrc_t ttyfile:chr_file relabelfrom;
allow initrc_t tty_device_t:chr_file relabelto;
ifdef(`distro_redhat', `
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms;
file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
allow initrc_t tmpfs_t:chr_file rw_file_perms;
allow initrc_t tmpfs_t:dir r_dir_perms;
# Allow initrc domain to set the enforcing flag.
can_setenforce(initrc_t)
#
# readahead asks for these
#
allow initrc_t etc_aliases_t:file { getattr read };
allow initrc_t var_lib_nfs_t:file { getattr read };
# for /halt /.autofsck and other flag files
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
allow initrc_t device_t:dir create;
# wants to delete /poweroff and other files
allow initrc_t root_t:file unlink;
# wants to read /.fonts directory
allow initrc_t default_t:file { getattr read };
ifdef(`xserver.te', `
# wants to cleanup xserver log dir
allow initrc_t xserver_log_t:dir rw_dir_perms;
allow initrc_t xserver_log_t:file unlink;
')
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
allow initrc_t var_spool_t:file rw_file_perms;
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
allow initrc_t admin_tty_type:chr_file rw_file_perms;
# Access sound device and files.
allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
# Read user home directories.
allow initrc_t { home_root_t home_type }:dir r_dir_perms;
allow initrc_t home_type:file r_file_perms;
# Read and unlink /var/run/*.pid files.
allow initrc_t pidfile:file { getattr read unlink };
# for system start scripts
allow initrc_t pidfile:dir { rmdir rw_dir_perms };
allow initrc_t pidfile:sock_file unlink;
rw_dir_create_file(initrc_t, var_lib_t)
# allow start scripts to clean /tmp
allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
# for lsof which is used by alsa shutdown
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
dontaudit initrc_t proc_kmsg_t:file getattr;
#################################
#
# Rules for the run_init_t domain.
#
ifdef(`targeted_policy', `
type run_init_exec_t, file_type, sysadmfile, exec_type;
type run_init_t, domain;
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
typeattribute initrc_t privuser;
domain_trans(initrc_t, shell_exec_t, unconfined_t)
allow initrc_t unconfined_t:system syslog_mod;
', `
run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
')
allow initrc_t privfd:fd use;
# Transition to system_r:initrc_t upon executing init scripts.
ifdef(`direct_sysadm_daemon', `
role_transition sysadm_r initrc_exec_t system_r;
domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
')
#
# Shutting down xinet causes these
#
# Fam
dontaudit initrc_t device_t:dir { read write };
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;
allow initrc_t sysfs_t:dir { getattr read search };
allow initrc_t sysfs_t:file { getattr read write };
allow initrc_t sysfs_t:lnk_file { getattr read };
allow initrc_t udev_runtime_t:file rw_file_perms;
allow initrc_t device_type:chr_file setattr;
allow initrc_t binfmt_misc_fs_t:dir { getattr search };
allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
# for lsof in shutdown scripts
can_kerberos(initrc_t)
#
# Wants to remove udev.tbl
#
allow initrc_t device_t:dir rw_dir_perms;
allow initrc_t device_t:lnk_file unlink;
r_dir_file(initrc_t,selinux_config_t)
ifdef(`unlimitedRC', `
unconfined_domain(initrc_t)
')
#
# initrc script does a cat /selinux/enforce
#
allow initrc_t security_t:dir { getattr search };
allow initrc_t security_t:file { getattr read };
# init script state
type initrc_state_t, file_type, sysadmfile;
create_dir_file(initrc_t,initrc_state_t)
ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
ifdef(`dbusd.te', `
allow initrc_t system_dbusd_var_run_t:sock_file write;
')
# Slapd needs to read cert files from its initscript
r_dir_file(initrc_t, cert_t)
ifdef(`use_mcs', `
range_transition sysadm_t initrc_exec_t s0;
')
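Review bot: the capability grant near the top, `allow initrc_t self:capability ~{ sys_admin sys_module };`, reads as a deliberate exclusion of sys_admin, but inside the `ifdef(`distro_redhat', ...)` block `allow initrc_t self:capability sys_admin;` silently adds it back, so on Red Hat initrc_t holds every capability except sys_module. Either move the exclusion comment next to the re-grant and name the Red Hat script that needs sys_admin, or drop sys_admin from the top-level complement so the two rules stop contradicting each other. Two other rules in the hunk are wildcards that deserve a justifying comment: `allow initrc_t kernel_t:system *;` grants every system-class permission, not just the `# Use system operations.` it is labelled with, and `allow initrc_t port_type:tcp_socket name_connect;` lets init scripts connect to any labelled port.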

@ -0,0 +1,81 @@
#DESC INN - InterNetNews server
#
# Author: Faye Coker <faye@lurking-grue.org>
# X-Debian-Packages: inn
#
################################
# Types for the server port and news spool.
#
type news_spool_t, file_type, sysadmfile;
# need privmail attribute so innd can access system_mail_t
daemon_domain(innd, `, privmail')
# allow innd to create files and directories of type news_spool_t
create_dir_file(innd_t, news_spool_t)
# allow user domains to read files and directories these types
r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
can_exec(initrc_t, innd_etc_t)
can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(innd_t, hostname_exec_t)
')
allow innd_t var_spool_t:dir { getattr search };
can_network(innd_t)
allow innd_t port_type:tcp_socket name_connect;
can_ypbind(innd_t)
can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
allow innd_t self:unix_dgram_socket create_socket_perms;
allow innd_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(innd_t, self)
allow innd_t self:fifo_file rw_file_perms;
allow innd_t innd_port_t:tcp_socket name_bind;
allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
allow innd_t self:process setsched;
allow innd_t { bin_t sbin_t }:dir search;
allow innd_t usr_t:lnk_file read;
allow innd_t usr_t:file { getattr read ioctl };
allow innd_t lib_t:file ioctl;
allow innd_t etc_t:file { getattr read };
allow innd_t { proc_t etc_runtime_t }:file { getattr read };
allow innd_t urandom_device_t:chr_file read;
allow innd_t innd_var_run_t:sock_file create_file_perms;
# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
etcdir_domain(innd)
# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
# it can write to
logdir_domain(innd)
# allow innd read-write directory permissions to /var/lib/news.
var_lib_domain(innd)
ifdef(`crond.te', `
system_crond_entry(innd_exec_t, innd_t)
allow system_crond_t innd_etc_t:file { getattr read };
rw_dir_create_file(system_crond_t, innd_log_t)
rw_dir_create_file(system_crond_t, innd_var_run_t)
')
ifdef(`syslogd.te', `
allow syslogd_t innd_log_t:dir search;
allow syslogd_t innd_log_t:file create_file_perms;
')
allow innd_t self:file { getattr read };
dontaudit innd_t selinux_config_t:dir { search };
allow system_crond_t innd_etc_t:file { getattr read };
allow innd_t bin_t:lnk_file { read };
allow innd_t sbin_t:lnk_file { read };
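Review bot: `allow system_crond_t innd_etc_t:file { getattr read };` appears twice, once inside `ifdef(`crond.te', ...)` and again unconditionally near the end of the file. The unconditional copy references system_crond_t without the crond.te guard, so a build that omits crond.te fails on an undeclared type; delete the second copy, since the guarded one already grants the same access. The trailing `allow innd_t bin_t:lnk_file { read };` and `allow innd_t sbin_t:lnk_file { read };` can be folded into the style already used above, `allow innd_t { bin_t sbin_t }:dir search;`, as a single `allow innd_t { bin_t sbin_t }:lnk_file read;`.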

@ -0,0 +1,91 @@
#DESC Kerberos5 - MIT Kerberos5
# supports krb5kdc and kadmind daemons
# kinit, kdestroy, klist clients
# ksu support not complete
#
# includes rules for OpenSSH daemon compiled with both
# kerberos5 and SELinux support
#
# Not supported : telnetd, ftpd, kprop/kpropd daemons
#
# Author: Kerry Thompson <kerry@crypt.gen.nz>
# Modified by Colin Walters <walters@redhat.com>
#
#################################
#
# Rules for the krb5kdc_t,kadmind_t domains.
#
daemon_domain(krb5kdc)
daemon_domain(kadmind)
can_exec(krb5kdc_t, krb5kdc_exec_t)
can_exec(kadmind_t, kadmind_exec_t)
# types for general configuration files in /etc
type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
# types for KDC configs and principal file(s)
type krb5kdc_conf_t, file_type, sysadmfile;
type krb5kdc_principal_t, file_type, sysadmfile;
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
# krb5kdc and kadmind can use network
can_network_server( { krb5kdc_t kadmind_t } )
can_ypbind( { krb5kdc_t kadmind_t } )
# allow UDP transfer to/from any program
can_udp_send(kerberos_port_t, krb5kdc_t)
can_udp_send(krb5kdc_t, kerberos_port_t)
can_tcp_connect(kerberos_port_t, krb5kdc_t)
can_tcp_connect(kerberos_admin_port_t, kadmind_t)
# Bind to the kerberos, kerberos-adm ports.
allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t reserved_port_t:tcp_socket name_bind;
dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
#
# Rules for Kerberos5 KDC daemon
allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
allow krb5kdc_t self:unix_stream_socket create_socket_perms;
allow kadmind_t self:unix_stream_socket create_socket_perms;
allow krb5kdc_t krb5kdc_conf_t:dir search;
allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
allow krb5kdc_t locale_t:file { getattr read };
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
tmp_domain(krb5kdc)
log_domain(krb5kdc)
allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
allow kadmind_t random_device_t:chr_file { getattr read };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t proc_t:dir r_dir_perms;
allow krb5kdc_t proc_t:file { getattr read };
#
# Rules for Kerberos5 Kadmin daemon
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t krb5kdc_conf_t:dir search;
allow kadmind_t krb5kdc_conf_t:file r_file_perms;
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
read_locale(kadmind_t)
dontaudit kadmind_t krb5kdc_conf_t:file write;
tmp_domain(kadmind)
log_domain(kadmind)
#
# Allow user programs to talk to KDC
allow krb5kdc_t userdomain:udp_socket recvfrom;
allow userdomain krb5kdc_t:udp_socket recvfrom;
allow initrc_t krb5_conf_t:file ioctl;
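Review bot: the comment `# allow UDP transfer to/from any program` does not describe the rules under it. `can_udp_send(kerberos_port_t, krb5kdc_t)` and `can_tcp_connect(kerberos_port_t, krb5kdc_t)` pass a port type as the first argument, whereas the other use of the same macro in this patch, `can_udp_send(inetd_t, portmap_t)` in inetd.te, passes two domains; either the macro is being misused here or the intent (peer domains exchanging datagrams with the KDC) needs to be stated and expressed against domain types. The pair `allow kadmind_t reserved_port_t:tcp_socket name_bind;` plus `dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;` also lets kadmind bind any unassigned port below 1024 and hides attempts on assigned ones; kadmind is already granted kerberos_admin_port_t, so say why the broader bind is required.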

@ -0,0 +1,48 @@
#DESC Klogd - Kernel log daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: klogd
#
#################################
#
# Rules for the klogd_t domain.
#
daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
tmp_domain(klogd)
allow klogd_t proc_t:dir r_dir_perms;
allow klogd_t proc_t:lnk_file r_file_perms;
allow klogd_t proc_t:file { getattr read };
allow klogd_t self:dir r_dir_perms;
allow klogd_t self:lnk_file r_file_perms;
# read /etc/nsswitch.conf
allow klogd_t etc_t:lnk_file read;
allow klogd_t etc_t:file r_file_perms;
read_locale(klogd_t)
allow klogd_t etc_runtime_t:file { getattr read };
# Create unix sockets
allow klogd_t self:unix_dgram_socket create_socket_perms;
# Use the sys_admin and sys_rawio capabilities.
allow klogd_t self:capability { sys_admin sys_rawio };
dontaudit klogd_t self:capability sys_resource;
# Read /proc/kmsg and /dev/mem.
allow klogd_t proc_kmsg_t:file r_file_perms;
allow klogd_t memory_device_t:chr_file r_file_perms;
# Control syslog and console logging
allow klogd_t kernel_t:system { syslog_mod syslog_console };
# Read /boot/System.map*
allow klogd_t system_map_t:file r_file_perms;
allow klogd_t boot_t:dir r_dir_perms;
ifdef(`targeted_policy', `
allow klogd_t unconfined_t:system syslog_mod;
')
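Review bot: `allow klogd_t kernel_t:system { syslog_mod syslog_console };` and, in the `ifdef(`targeted_policy', ...)` block, `allow klogd_t unconfined_t:system syslog_mod;` grant the same permission against two different targets with no comment on why the targeted build needs unconfined_t as the system-class target (the same pattern appears in initrc.te as `allow initrc_t unconfined_t:system syslog_mod;`). A short note on which SID the syslog permission is checked against in the targeted build would make both rules auditable.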

@ -0,0 +1,14 @@
#DESC ktalkd - KDE version of the talk server
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the ktalkd_t domain.
#
# ktalkd_exec_t is the type of the ktalkd executable.
#
inetd_child_domain(ktalkd, udp)

@ -0,0 +1,117 @@
#DESC kudzu - Red Hat utility to recognise new hardware
#
# Author: Russell Coker <russell@coker.com.au>
#
daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
read_locale(kudzu_t)
# for /etc/sysconfig/hwconf - probably need a new type
allow kudzu_t etc_runtime_t:file rw_file_perms;
# for kmodule
if (allow_execmem) {
allow kudzu_t self:process execmem;
}
allow kudzu_t zero_device_t:chr_file rx_file_perms;
allow kudzu_t memory_device_t:chr_file { read write execute };
allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write;
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
allow kudzu_t modules_conf_t:file { getattr read unlink rename };
allow kudzu_t modules_object_t:dir r_dir_perms;
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
allow kudzu_t mouse_device_t:chr_file { read write };
allow kudzu_t proc_net_t:dir r_dir_perms;
allow kudzu_t { proc_net_t proc_t }:file { getattr read };
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
allow kudzu_t { bin_t sbin_t }:dir { getattr search };
allow kudzu_t { bin_t sbin_t }:lnk_file read;
read_sysctl(kudzu_t)
allow kudzu_t sysctl_dev_t:dir { getattr search read };
allow kudzu_t sysctl_dev_t:file { getattr read };
allow kudzu_t sysctl_kernel_t:file write;
allow kudzu_t usbdevfs_t:dir search;
allow kudzu_t usbdevfs_t:file { getattr read };
allow kudzu_t usbfs_t:dir search;
allow kudzu_t usbfs_t:file { getattr read };
var_run_domain(kudzu)
allow kudzu_t kernel_t:system syslog_console;
allow kudzu_t self:udp_socket { create ioctl };
allow kudzu_t var_lock_t:dir search;
allow kudzu_t devpts_t:dir search;
# so it can write messages to the console
allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
role sysadm_r types kudzu_t;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
')
ifdef(`anaconda.te', `
domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
')
allow kudzu_t sysadm_home_dir_t:dir search;
rw_dir_create_file(kudzu_t, etc_t)
rw_dir_create_file(kudzu_t, mnt_t)
can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
# Read /usr/lib/gconv/gconv-modules.*
allow kudzu_t lib_t:file { read getattr };
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
allow kudzu_t usr_t:file { read getattr };
r_dir_file(kudzu_t, hwdata_t)
# Communicate with rhgb-client.
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms;
ifdef(`rhgb.te', `
allow kudzu_t rhgb_t:unix_stream_socket connectto;
')
allow kudzu_t self:file { getattr read };
allow kudzu_t self:fifo_file rw_file_perms;
ifdef(`gpm.te', `
allow kudzu_t gpmctl_t:sock_file getattr;
')
can_exec(kudzu_t, shell_exec_t)
# Write to /proc/sys/kernel/hotplug. Why?
allow kudzu_t sysctl_hotplug_t:file { read write };
allow kudzu_t sysfs_t:dir { getattr read search };
allow kudzu_t sysfs_t:file { getattr read };
allow kudzu_t sysfs_t:lnk_file read;
file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
allow kudzu_t tape_device_t:chr_file r_file_perms;
tmp_domain(kudzu, `', `{ file dir chr_file }')
# for file systems that are not yet mounted
dontaudit kudzu_t file_t:dir search;
ifdef(`lpd.te', `
allow kudzu_t printconf_t:file { getattr read };
')
ifdef(`cups.te', `
allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
')
dontaudit kudzu_t src_t:dir search;
ifdef(`xserver.te', `
allow kudzu_t xserver_exec_t:file getattr;
')
ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
', `
unconfined_domain(kudzu_t)
')
allow kudzu_t initrc_t:unix_stream_socket connectto;
allow kudzu_t net_conf_t:file { getattr read };
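Review bot: the `ifdef(`userhelper.te', ..., ...)` near the end falls back to `unconfined_domain(kudzu_t)` when userhelper.te is not built, so the absence of an optional module silently promotes kudzu to an unconfined domain; if kudzu cannot work without userhelper, fail the build or document the dependency rather than widening the domain. Also `allow kudzu_t memory_device_t:chr_file { read write execute };` sits under `# for kmodule` together with the execmem rule; write access to /dev/mem is equivalent to full control of the machine and needs its own comment naming the code path that requires it, and `execute` on a character device is unusual enough to justify separately.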

@ -0,0 +1,52 @@
#DESC Ldconfig - Configure dynamic linker bindings
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: libc6
#
#################################
#
# Rules for the ldconfig_t domain.
#
type ldconfig_t, domain, privlog, etc_writer;
type ldconfig_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types ldconfig_t;
role system_r types ldconfig_t;
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
dontaudit ldconfig_t device_t:dir search;
can_access_pty(ldconfig_t, initrc)
allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
allow ldconfig_t privfd:fd use;
uses_shlib(ldconfig_t)
file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
allow ldconfig_t lib_t:dir rw_dir_perms;
allow ldconfig_t lib_t:lnk_file create_lnk_perms;
allow ldconfig_t userdomain:fd use;
# unlink for when /etc/ld.so.cache is mislabeled
allow ldconfig_t etc_t:file { getattr read unlink };
allow ldconfig_t etc_t:lnk_file read;
allow ldconfig_t fs_t:filesystem getattr;
allow ldconfig_t tmp_t:dir search;
ifdef(`apache.te', `
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;
')
allow ldconfig_t { var_t var_lib_t }:dir search;
allow ldconfig_t proc_t:file { getattr read };
ifdef(`hide_broken_symptoms', `
ifdef(`unconfined.te',`
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
');
')dnl end hide_broken_symptoms
ifdef(`targeted_policy', `
allow ldconfig_t lib_t:file r_file_perms;
unconfined_domain(ldconfig_t)
')
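Review bot: in the `ifdef(`hide_broken_symptoms', ...)` block the inner ifdef closes with `');`: the semicolon sits outside the m4 quotes, so whenever hide_broken_symptoms is defined it is emitted into the generated policy as a bare `;`. Drop it to match the `')` used everywhere else in the file. In the `ifdef(`targeted_policy', ...)` block, `allow ldconfig_t lib_t:file r_file_perms;` is redundant once `unconfined_domain(ldconfig_t)` follows; keep one or comment why both are present. `allow ldconfig_t etc_t:file { getattr read unlink };` also grants unlink on every etc_t file to cover a mislabelled ld.so.cache; relabelling the cache from the init script would avoid handing ldconfig that much.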

@ -0,0 +1,61 @@
#DESC LoadPolicy - SELinux policy loading utilities
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: policycoreutils
#
###########################
# load_policy_t is the domain type for load_policy
# load_policy_exec_t is the file type for the executable
type load_policy_t, domain;
role sysadm_r types load_policy_t;
role secadm_r types load_policy_t;
role system_r types load_policy_t;
type load_policy_exec_t, file_type, exec_type, sysadmfile;
##########################
#
# Rules
domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
allow load_policy_t console_device_t:chr_file { read write };
# Reload the policy configuration (sysadm_t no longer has this ability)
can_loadpol(load_policy_t)
# Reset policy boolean values.
can_setbool(load_policy_t)
###########################
# constrain from where load_policy can load a policy, specifically
# policy_config_t files
#
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
r_dir_file(load_policy_t, policy_config_t)
r_dir_file(load_policy_t, selinux_config_t)
# directory search permissions for path to binary policy files
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
# for mcs.conf
allow load_policy_t etc_t:file { getattr read };
# Other access
can_access_pty(load_policy_t, initrc)
allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;
allow load_policy_t { userdomain privfd initrc_t }:fd use;
allow load_policy_t fs_t:filesystem getattr;
read_locale(load_policy_t)
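Review bot: `role system_r types load_policy_t;` and `allow load_policy_t { userdomain privfd initrc_t }:fd use;` imply that initrc_t is expected to invoke load_policy, but the only entry point declared in this file is `domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)`. Either add the initrc_t transition or a comment naming the file that provides it, so the system_r role assignment does not look orphaned. The header comment `# constrain from where load_policy can load a policy` should also account for `allow load_policy_t policy_src_t:dir search;`, since searching the policy source tree is not needed to read policy_config_t files.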

@ -0,0 +1,234 @@
#DESC Login - Local/remote login utilities
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Macroised by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: login
#
#################################
#
# Rules for the local_login_t domain
# and the remote_login_t domain.
#
# $1 is the name of the domain (local or remote)
define(`login_domain', `
type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
role system_r types $1_login_t;
dontaudit $1_login_t shadow_t:file { getattr read };
general_domain_access($1_login_t);
# Read system information files in /proc.
r_dir_file($1_login_t, proc_t)
base_file_read_access($1_login_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow $1_login_t readable_t:dir r_dir_perms;
allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
# Read /var, /var/spool
allow $1_login_t { var_t var_spool_t }:dir search;
# for when /var/mail is a sym-link
allow $1_login_t var_t:lnk_file read;
# Read /etc.
r_dir_file($1_login_t, etc_t)
allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
read_locale($1_login_t)
# for SSP/ProPolice
allow $1_login_t urandom_device_t:chr_file { getattr read };
# Read executable types.
allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
allow $1_login_t device_t:dir r_dir_perms;
allow $1_login_t device_t:lnk_file r_file_perms;
uses_shlib($1_login_t);
tmp_domain($1_login)
ifdef(`pam.te', `
can_exec($1_login_t, pam_exec_t)
')
ifdef(`pamconsole.te', `
rw_dir_create_file($1_login_t, pam_var_console_t)
domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
')
ifdef(`alsa.te', `
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
')
# Use capabilities
allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
allow $1_login_t self:process setrlimit;
dontaudit $1_login_t sysfs_t:dir search;
# Set exec context.
can_setexec($1_login_t)
allow $1_login_t autofs_t:dir { search read getattr };
allow $1_login_t mnt_t:dir r_dir_perms;
if (use_nfs_home_dirs) {
r_dir_file($1_login_t, nfs_t)
}
if (use_samba_home_dirs) {
r_dir_file($1_login_t, cifs_t)
}
# Login can polyinstantiate
polyinstantiater($1_login_t)
# FIXME: what is this for?
ifdef(`xdm.te', `
allow xdm_t $1_login_t:process signull;
')
ifdef(`crack.te', `
allow $1_login_t crack_db_t:file r_file_perms;
')
# Permit login to search the user home directories.
allow $1_login_t home_root_t:dir search;
allow $1_login_t home_dir_type:dir search;
# Write to /var/run/utmp.
allow $1_login_t var_run_t:dir search;
allow $1_login_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow $1_login_t var_log_t:dir search;
allow $1_login_t wtmp_t:file rw_file_perms;
# Write to /var/log/lastlog.
allow $1_login_t lastlog_t:file rw_file_perms;
# Write to /var/log/btmp
allow $1_login_t faillog_t:file { lock append read write };
# Search for mail spool file.
allow $1_login_t mail_spool_t:dir r_dir_perms;
allow $1_login_t mail_spool_t:file getattr;
allow $1_login_t mail_spool_t:lnk_file read;
# Get security policy decisions.
can_getsecurity($1_login_t)
# allow read access to default_contexts in /etc/security
allow $1_login_t default_context_t:file r_file_perms;
allow $1_login_t default_context_t:dir search;
r_dir_file($1_login_t, selinux_config_t)
allow $1_login_t mouse_device_t:chr_file { getattr setattr };
ifdef(`targeted_policy',`
unconfined_domain($1_login_t)
domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
')
')dnl end login_domain macro
#################################
#
# Rules for the local_login_t domain.
#
# local_login_t is the domain of a login process
# spawned by getty.
#
# remote_login_t is the domain of a login process
# spawned by rlogind.
#
# login_exec_t is the type of the login program
#
type login_exec_t, file_type, sysadmfile, exec_type;
login_domain(local)
# But also permit other user domains to be entered by login.
login_spawn_domain(local_login, userdomain)
# Do not audit denied attempts to access devices.
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
# Do not audit denied attempts to access /mnt.
dontaudit local_login_t mnt_t:dir r_dir_perms;
# Create lock file.
lock_domain(local_login)
# Read and write ttys.
allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
# Relabel ttys.
allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
ifdef(`gpm.te',
`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
# Allow setting of attributes on sound devices.
allow local_login_t sound_device_t:chr_file { getattr setattr };
# Allow setting of attributes on power management devices.
allow local_login_t power_device_t:chr_file { getattr setattr };
dontaudit local_login_t init_t:fd use;
#################################
#
# Rules for the remote_login_t domain.
#
login_domain(remote)
# Only permit unprivileged user domains to be entered via rlogin,
# since very weak authentication is used.
login_spawn_domain(remote_login, unpriv_userdomain)
allow remote_login_t userpty_type:chr_file { setattr write };
# Use the pty created by rlogind.
ifdef(`rlogind.te', `
can_access_pty(remote_login_t, rlogind)
# Relabel ptys created by rlogind.
allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
')
# Use the pty created by telnetd.
ifdef(`telnetd.te', `
can_access_pty(remote_login_t, telnetd)
# Relabel ptys created by telnetd.
allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
')
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
allow remote_login_t fs_t:filesystem { getattr };
# Allow remote login to resolve host names (passed in via the -h switch)
can_resolve(remote_login_t)
ifdef(`use_mcs', `
ifdef(`getty.te', `
range_transition getty_t login_exec_t s0 - s0:c0.c255;
')
')
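Review bot: the `ifdef(`targeted_policy'` block at the end of the `login_domain` macro (`unconfined_domain($1_login_t)` followed by `domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)`) makes every instance of the macro unconfined in the targeted build, and since the macro is instantiated for both `local` and `remote`, `remote_login_t` is unconfined there as well; that leaves the comment "Only permit unprivileged user domains to be entered via rlogin, since very weak authentication is used" and the `login_spawn_domain(remote_login, unpriv_userdomain)` rule under it providing no confinement in that configuration. A comment inside the targeted block stating that this is intended, and that the preceding allow rules only describe the strict build, would stop the next reader from taking those rules as the effective policy. The `# FIXME: what is this for?` above `allow xdm_t $1_login_t:process signull;` should also be resolved or replaced with the actual reason before this lands.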

@ -0,0 +1,161 @@
#DESC Lpd - Print server
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
# Modified by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: lpr
#
#################################
#
# Rules for the lpd_t domain.
#
# lpd_t is the domain of lpd.
# lpd_exec_t is the type of the lpd executable.
# printer_t is the type of the Unix domain socket created
# by lpd.
#
daemon_domain(lpd)
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
read_fonts(lpd_t)
type printer_t, file_type, sysadmfile, dev_fs;
type printconf_t, file_type, sysadmfile; # Type for files in /usr/share/printconf.
tmp_domain(lpd);
# for postscript include files
allow lpd_t usr_t:{ file lnk_file } { getattr read };
# Allow checkpc to access the lpd spool so it can check & fix it.
# This requires that /usr/sbin/checkpc have type checkpc_t.
type checkpc_t, domain, privlog;
role system_r types checkpc_t;
uses_shlib(checkpc_t)
can_network_client(checkpc_t)
allow checkpc_t port_type:tcp_socket name_connect;
can_ypbind(checkpc_t)
log_domain(checkpc)
type checkpc_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
role sysadm_r types checkpc_t;
allow checkpc_t admin_tty_type:chr_file { read write };
allow checkpc_t privfd:fd use;
ifdef(`crond.te', `
system_crond_entry(checkpc_exec_t, checkpc_t)
')
allow checkpc_t self:capability { setgid setuid dac_override };
allow checkpc_t self:process { fork signal_perms };
allow checkpc_t proc_t:dir search;
allow checkpc_t proc_t:lnk_file read;
allow checkpc_t proc_t:file { getattr read };
r_dir_file(checkpc_t, self)
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
allow checkpc_t etc_t:lnk_file read;
allow checkpc_t { var_t var_spool_t }:dir { getattr search };
allow checkpc_t print_spool_t:file { rw_file_perms unlink };
allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
allow checkpc_t device_t:dir search;
allow checkpc_t printer_device_t:chr_file { getattr append };
allow checkpc_t devtty_t:chr_file rw_file_perms;
allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
# Allow access to /dev/console through the fd:
allow checkpc_t init_t:fd use;
# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
allow checkpc_t { bin_t sbin_t }:dir search;
allow checkpc_t bin_t:lnk_file read;
can_exec(checkpc_t, shell_exec_t)
can_exec(checkpc_t, bin_t)
# bash wants access to /proc/meminfo
allow lpd_t proc_t:file { getattr read };
# gs-gnu wants to read some sysctl entries, it seems to work without though
dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
# for defoma
r_dir_file(lpd_t, var_lib_t)
allow checkpc_t var_run_t:dir search;
allow checkpc_t lpd_var_run_t:dir { search getattr };
# This is needed to permit chown to read /var/spool/lpd/lp.
# This is opens up security more than necessary; this means that ANYTHING
# running in the initrc_t domain can read the printer spool directory.
# Perhaps executing /etc/rc.d/init.d/lpd should transition
# to domain lpd_t, instead of waiting for executing lpd.
allow initrc_t print_spool_t:dir read;
# for defoma
r_dir_file(lpd_t, readable_t)
# Use capabilities.
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
# Use the network.
can_network_server(lpd_t)
can_ypbind(lpd_t)
allow lpd_t self:fifo_file rw_file_perms;
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
allow lpd_t self:unix_dgram_socket create_socket_perms;
allow lpd_t self:file { getattr read };
allow lpd_t etc_runtime_t:file { getattr read };
# Bind to the printer port.
allow lpd_t printer_port_t:tcp_socket name_bind;
# Send to portmap.
ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
ifdef(`ypbind.te',
`# Connect to ypbind.
can_tcp_connect(lpd_t, ypbind_t)')
# Create and bind to /dev/printer.
file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
allow lpd_t printer_t:unix_stream_socket name_bind;
allow lpd_t printer_t:unix_dgram_socket name_bind;
allow lpd_t printer_device_t:chr_file rw_file_perms;
# Write to /var/spool/lpd.
allow lpd_t var_spool_t:dir search;
allow lpd_t print_spool_t:dir rw_dir_perms;
allow lpd_t print_spool_t:file create_file_perms;
allow lpd_t print_spool_t:file rw_file_perms;
# Execute filter scripts.
# can_exec(lpd_t, print_spool_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
allow lpd_t bin_t:dir search;
allow lpd_t bin_t:lnk_file read;
can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
# lpd must be able to execute the filter utilities in /usr/share/printconf.
can_exec(lpd_t, printconf_t)
allow lpd_t printconf_t:file rx_file_perms;
allow lpd_t printconf_t:dir { getattr search read };
# config files for lpd are of type etc_t, probably should change this
allow lpd_t etc_t:file { getattr read };
allow lpd_t etc_t:lnk_file read;
# checkpc needs similar permissions.
allow checkpc_t printconf_t:file getattr;
allow checkpc_t printconf_t:dir { getattr search read };
# Read printconf files.
allow initrc_t printconf_t:dir r_dir_perms;
allow initrc_t printconf_t:file r_file_perms;
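Review bot: `allow checkpc_t port_type:tcp_socket name_connect;` lets the spool-check utility connect to any labelled TCP port, which is broader than a spool checker needs; if the remote-printer check only needs the printer port, `printer_port_t` (already used for `name_bind` by `lpd_t` below) is the narrower type, and if it genuinely needs arbitrary ports the comment should say so. The `lpd_t` and `checkpc_t` rules are also interleaved: the `# bash wants access to /proc/meminfo` comment sits at the end of the `checkpc_t` block but the rule under it is `allow lpd_t proc_t:file { getattr read };`, and `allow checkpc_t var_run_t:dir search;` follows two `lpd_t` rules, so grouping the rules per domain would make each domain's grant set reviewable at a glance. Finally, `tmp_domain(lpd);` carries a trailing semicolon that no other macro call in this file has; m4 passes it through into the generated policy, so drop it for consistency.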

@ -0,0 +1,113 @@
#DESC Mailman - GNU Mailman mailing list manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: mailman
type mailman_data_t, file_type, sysadmfile;
type mailman_archive_t, file_type, sysadmfile;
type mailman_log_t, file_type, sysadmfile, logfile;
type mailman_lock_t, file_type, sysadmfile, lockfile;
define(`mailman_domain', `
type mailman_$1_t, domain, privlog $2;
type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
role system_r types mailman_$1_t;
file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
create_dir_file(mailman_$1_t, mailman_data_t)
uses_shlib(mailman_$1_t)
can_exec_any(mailman_$1_t)
read_sysctl(mailman_$1_t)
allow mailman_$1_t proc_t:dir search;
allow mailman_$1_t proc_t:file { read getattr };
allow mailman_$1_t var_lib_t:dir r_dir_perms;
allow mailman_$1_t var_lib_t:lnk_file read;
allow mailman_$1_t device_t:dir search;
allow mailman_$1_t etc_runtime_t:file { read getattr };
read_locale(mailman_$1_t)
file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t fs_t:filesystem getattr;
can_network(mailman_$1_t)
allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
can_ypbind(mailman_$1_t)
allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
allow mailman_$1_t var_t:dir r_dir_perms;
tmp_domain(mailman_$1)
')
mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
can_tcp_connect(mailman_queue_t, mail_server_domain)
can_exec(mailman_queue_t, su_exec_t)
allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:fifo_file rw_file_perms;
dontaudit mailman_queue_t var_run_t:dir search;
allow mailman_queue_t proc_t:lnk_file { getattr read };
# for su
dontaudit mailman_queue_t selinux_config_t:dir search;
allow mailman_queue_t self:dir search;
allow mailman_queue_t self:file { getattr read };
allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
allow mailman_queue_t self:lnk_file { getattr read };
# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
allow mailman_queue_t sysadm_home_dir_t:dir { getattr search };
mailman_domain(mail)
dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write };
allow mailman_mail_t mta_delivery_agent:fd use;
ifdef(`qmail.te', `
allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
# do we really need this?
allow mailman_mail_t qmail_lspawn_t:fifo_file write;
')
create_dir_file(mailman_queue_t, mailman_archive_t)
ifdef(`apache.te', `
mailman_domain(cgi)
can_tcp_connect(mailman_cgi_t, mail_server_domain)
domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
# should have separate types for public and private archives
r_dir_file(httpd_t, mailman_archive_t)
create_dir_file(mailman_cgi_t, mailman_archive_t)
allow httpd_t mailman_data_t:dir { getattr search };
dontaudit mailman_cgi_t httpd_log_t:file append;
allow httpd_t mailman_cgi_t:process signal;
allow mailman_cgi_t httpd_t:process sigchld;
allow mailman_cgi_t httpd_t:fd use;
allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl };
allow mailman_cgi_t httpd_sys_script_t:dir search;
allow mailman_cgi_t devtty_t:chr_file { read write };
allow mailman_cgi_t self:process { fork sigchld };
allow mailman_cgi_t var_spool_t:dir search;
')
allow mta_delivery_agent mailman_data_t:dir search;
allow mta_delivery_agent mailman_data_t:lnk_file read;
allow initrc_t mailman_data_t:lnk_file read;
allow initrc_t mailman_data_t:dir r_dir_perms;
domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
ifdef(`direct_sysadm_daemon', `
domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
')
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
allow mailman_queue_t devtty_t:chr_file { read write };
allow mailman_queue_t self:process { fork signal sigchld };
allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
# so MTA can access /var/lib/mailman/mail/wrapper
allow mta_delivery_agent var_lib_t:dir search;
# Handle mailman log files
rw_dir_create_file(logrotate_t, mailman_log_t)
allow logrotate_t mailman_data_t:dir search;
can_exec(logrotate_t, mailman_mail_exec_t)
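Review bot: `system_crond_entry(mailman_queue_exec_t, mailman_queue_t)` and the three `logrotate_t` rules at the end (`rw_dir_create_file(logrotate_t, mailman_log_t)`, `allow logrotate_t mailman_data_t:dir search;`, `can_exec(logrotate_t, mailman_mail_exec_t)`) reference the crond and logrotate domains without the `ifdef(`crond.te'` and `ifdef(`logrotate.te'` guards that the other files in this commit use, so a configuration that omits either module would fail to compile this file; wrap them the way the `ifdef(`apache.te'` and `ifdef(`qmail.te'` blocks above already are. Separately, `r_dir_file(httpd_t, mailman_archive_t)` gives the web server read access to private archives as well as public ones, which the `# should have separate types for public and private archives` comment acknowledges; until the split is done, that comment should state plainly that private archives are readable by `httpd_t` so the exposure is visible to whoever deploys this.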

@ -0,0 +1,236 @@
#DESC Modutil - Dynamic module utilities
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: modutils
#
#################################
#
# Rules for the module utility domains.
#
type modules_dep_t, file_type, sysadmfile;
type modules_conf_t, file_type, sysadmfile;
type modules_object_t, file_type, sysadmfile;
ifdef(`IS_INITRD', `', `
#################################
#
# Rules for the depmod_t domain.
#
type depmod_t, domain;
role system_r types depmod_t;
role sysadm_r types depmod_t;
uses_shlib(depmod_t)
r_dir_file(depmod_t, src_t)
type depmod_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
allow depmod_t { bin_t sbin_t }:dir search;
can_exec(depmod_t, depmod_exec_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
')
# Inherit and use descriptors from init and login programs.
allow depmod_t { init_t privfd }:fd use;
allow depmod_t { etc_t etc_runtime_t }:file { getattr read };
allow depmod_t { device_t proc_t }:dir search;
allow depmod_t proc_t:file { getattr read };
allow depmod_t fs_t:filesystem getattr;
# read system.map
allow depmod_t boot_t:dir search;
allow depmod_t boot_t:file { getattr read };
allow depmod_t system_map_t:file { getattr read };
# Read conf.modules.
allow depmod_t modules_conf_t:file r_file_perms;
# Create modules.dep.
file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
# Read module objects.
allow depmod_t modules_object_t:dir r_dir_perms;
allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
allow depmod_t modules_object_t:file unlink;
# Access terminals.
can_access_pty(depmod_t, initrc)
allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories.
allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
')dnl end IS_INITRD
#################################
#
# Rules for the insmod_t domain.
#
type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
;
role system_r types insmod_t;
role sysadm_r types insmod_t;
ifdef(`unlimitedUtils', `
unconfined_domain(insmod_t)
')
can_ypbind(insmod_t)
uses_shlib(insmod_t)
read_locale(insmod_t)
# for SSP
allow insmod_t urandom_device_t:chr_file read;
allow insmod_t lib_t:file { getattr read };
allow insmod_t { bin_t sbin_t }:dir search;
allow insmod_t { bin_t sbin_t }:lnk_file read;
allow insmod_t self:dir search;
allow insmod_t self:lnk_file read;
allow insmod_t usr_t:file { getattr read };
allow insmod_t privfd:fd use;
can_access_pty(insmod_t, initrc)
allow insmod_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
allow insmod_t sound_device_t:chr_file { read ioctl write };
allow insmod_t zero_device_t:chr_file read;
allow insmod_t memory_device_t:chr_file rw_file_perms;
# Read module config and dependency information
allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
# Read module objects.
r_dir_file(insmod_t, modules_object_t)
# for locking
allow insmod_t modules_object_t:file write;
allow insmod_t { var_t var_log_t }:dir search;
ifdef(`xserver.te', `
allow insmod_t xserver_log_t:file getattr;
allow insmod_t xserver_misc_device_t:chr_file { read write };
')
rw_dir_create_file(insmod_t, var_log_ksyms_t)
allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
allow insmod_t self:udp_socket create_socket_perms;
allow insmod_t self:unix_dgram_socket create_socket_perms;
allow insmod_t self:unix_stream_socket create_stream_socket_perms;
allow insmod_t self:rawip_socket create_socket_perms;
allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
allow insmod_t domain:process signal;
allow insmod_t self:process { fork signal_perms };
allow insmod_t device_t:dir search;
allow insmod_t etc_runtime_t:file { getattr read };
# for loading modules at boot time
allow insmod_t { init_t initrc_t }:fd use;
allow insmod_t initrc_t:fifo_file { getattr read write };
allow insmod_t fs_t:filesystem getattr;
allow insmod_t sysfs_t:dir search;
allow insmod_t { usbfs_t usbdevfs_t }:dir search;
allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
r_dir_file(insmod_t, debugfs_t)
# Rules for /proc/sys/kernel/tainted
read_sysctl(insmod_t)
allow insmod_t proc_t:dir search;
allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
allow insmod_t proc_t:file rw_file_perms;
allow insmod_t proc_t:lnk_file read;
# Write to /proc/mtrr.
allow insmod_t mtrr_device_t:file write;
# Read /proc/sys/kernel/hotplug.
allow insmod_t sysctl_hotplug_t:file { getattr read };
allow insmod_t device_t:dir read;
allow insmod_t devpts_t:dir { getattr search };
type insmod_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
allow insmod_t devtty_t:chr_file rw_file_perms;
allow insmod_t privmodule:process sigchld;
dontaudit sysadm_t self:capability sys_module;
ifdef(`mount.te', `
# Run mount in the mount_t domain.
domain_auto_trans(insmod_t, mount_exec_t, mount_t)
')
# for when /var is not mounted early in the boot
dontaudit insmod_t file_t:dir search;
# for nscd
dontaudit insmod_t var_run_t:dir search;
ifdef(`crond.te', `
rw_dir_create_file(system_crond_t, var_log_ksyms_t)
')
ifdef(`IS_INITRD', `', `
#################################
#
# Rules for the update_modules_t domain.
#
type update_modules_t, domain, privlog;
type update_modules_exec_t, file_type, exec_type, sysadmfile;
role system_r types update_modules_t;
role sysadm_r types update_modules_t;
domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t)
allow update_modules_t privfd:fd use;
allow update_modules_t init_t:fd use;
allow update_modules_t device_t:dir { getattr search };
allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
can_access_pty(update_modules_t, initrc)
allow update_modules_t admin_tty_type:chr_file rw_file_perms;
can_exec(update_modules_t, insmod_exec_t)
allow update_modules_t urandom_device_t:chr_file { getattr read };
dontaudit update_modules_t sysadm_home_dir_t:dir search;
uses_shlib(update_modules_t)
read_locale(update_modules_t)
allow update_modules_t lib_t:file { getattr read };
allow update_modules_t self:process { fork sigchld };
allow update_modules_t self:fifo_file rw_file_perms;
allow update_modules_t self:file { getattr read };
allow update_modules_t modules_dep_t:file rw_file_perms;
file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file)
domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t })
allow update_modules_t { sbin_t bin_t }:lnk_file read;
allow update_modules_t { sbin_t bin_t }:dir search;
allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms;
allow update_modules_t etc_t:lnk_file read;
allow update_modules_t fs_t:filesystem getattr;
allow update_modules_t proc_t:dir search;
allow update_modules_t proc_t:file r_file_perms;
allow update_modules_t { self proc_t }:lnk_file read;
read_sysctl(update_modules_t)
allow update_modules_t self:dir search;
allow update_modules_t self:unix_stream_socket create_socket_perms;
file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
tmp_domain(update_modules)
')dnl end IS_INITRD
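Review bot: `allow insmod_t modules_object_t:file write;` under `# for locking` grants write access to the kernel module files themselves, so the domain that loads modules can also modify the objects it loads; if the program only takes a lock on the file, the `lock` permission is what the locking call checks (read is already granted via `r_dir_file(insmod_t, modules_object_t)`), so try `lock` before settling on `write`, and if an O_RDWR open really is required, record that in the comment. The `type insmod_t, domain, privlog, ...` declaration is also split across two lines with the terminating `;` alone on the second and an `ifdef(`unlimitedUtils', ...)` spliced into the attribute list, which is hard to read and easy to mis-edit; at minimum a comment above it listing which attributes `unlimitedUtils` adds would help. `allow insmod_t domain:process signal;` deserves a comment naming the processes insmod needs to signal, since `domain` covers every process on the system.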

@ -0,0 +1,82 @@
#DESC MTA - Mail agents
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: postfix exim sendmail sendmail-wide
#
# policy for all mail servers, including allowing user to send mail from the
# command-line and for cron jobs to use sendmail -t
#
# sendmail_exec_t is the type of /usr/sbin/sendmail
#
# define sendmail_exec_t if sendmail.te does not do it for us
ifdef(`sendmail.te', `', `
type sendmail_exec_t, file_type, exec_type, sysadmfile;
')
# create a system_mail_t domain for daemons, init scripts, etc when they run
# "mail user@domain"
mail_domain(system)
ifdef(`targeted_policy', `
# rules are currently defined in sendmail.te, but it is not included in
# targeted policy. We could move these rules permanantly here.
ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
allow system_mail_t self:dir search;
allow system_mail_t self:lnk_file read;
r_dir_file(system_mail_t, { proc_t proc_net_t })
allow system_mail_t fs_t:filesystem getattr;
allow system_mail_t { var_t var_spool_t }:dir getattr;
create_dir_file(system_mail_t, mqueue_spool_t)
create_dir_file(system_mail_t, mail_spool_t)
allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
allow system_mail_t etc_mail_t:file { getattr read };
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t)
', `
ifdef(`sendmail.te', `
# sendmail has an ugly design, the one process parses input from the user and
# then does system things with it.
domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
', `
domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
')
allow initrc_t sendmail_exec_t:lnk_file { getattr read };
# allow the sysadmin to do "mail someone < /home/user/whatever"
allow sysadm_mail_t user_home_dir_type:dir search;
r_dir_file(sysadm_mail_t, user_home_type)
')
# for a mail server process that does things in response to a user command
allow mta_user_agent userdomain:process sigchld;
allow mta_user_agent { userdomain privfd }:fd use;
ifdef(`crond.te', `
allow mta_user_agent crond_t:process sigchld;
')
allow mta_user_agent sysadm_t:fifo_file { read write };
allow { system_mail_t mta_user_agent } privmail:fd use;
allow { system_mail_t mta_user_agent } privmail:process sigchld;
allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
allow mta_delivery_agent home_root_t:dir { getattr search };
# for /var/spool/mail
ra_dir_create_file(mta_delivery_agent, mail_spool_t)
# for piping mail to a command
can_exec(mta_delivery_agent, shell_exec_t)
allow mta_delivery_agent bin_t:dir search;
allow mta_delivery_agent bin_t:lnk_file read;
allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
allow system_mail_t etc_runtime_t:file { getattr read };
allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
ifdef(`targeted_policy', `
typealias system_mail_t alias sysadm_mail_t;
')
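Review bot: `file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t)` inside the `ifdef(`targeted_policy'` block lets every delivery agent create and modify files of type `user_home_t`, which is the type of ordinary home-directory content, not only `.forward` or a maildir; a delivery agent whose input is inbound mail should not be able to write arbitrary files in users' home directories. The `# for reading .forward - maybe we need a new type for it?` comment already points at the fix: a dedicated type for `.forward` and for maildir content, with the agent granted read on the former and create on the latter. Minor: the two `ifdef(`targeted_policy'` blocks (this one and the `typealias system_mail_t alias sysadm_mail_t;` at the end) could be merged, and "permanantly" in the comment is misspelled.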

@ -0,0 +1,94 @@
#DESC Mysqld - Database server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: mysql-server
#
#################################
#
# Rules for the mysqld_t domain.
#
# mysqld_exec_t is the type of the mysqld executable.
#
daemon_domain(mysqld, `, nscd_client_domain')
allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
etcdir_domain(mysqld)
type mysqld_db_t, file_type, sysadmfile;
log_domain(mysqld)
# for temporary tables
tmp_domain(mysqld)
allow mysqld_t usr_t:file { getattr read };
allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow initrc_t mysqld_t:unix_stream_socket connectto;
allow initrc_t mysqld_var_run_t:sock_file write;
allow initrc_t mysqld_log_t:file { write append setattr ioctl };
allow mysqld_t self:capability { dac_override setgid setuid net_bind_service sys_resource };
allow mysqld_t self:process { setrlimit setsched getsched };
allow mysqld_t proc_t:file { getattr read };
# Allow access to the mysqld databases
create_dir_file(mysqld_t, mysqld_db_t)
file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })
can_network(mysqld_t)
can_ypbind(mysqld_t)
# read config files
r_dir_file(initrc_t, mysqld_etc_t)
allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
allow mysqld_t etc_t:dir search;
read_sysctl(mysqld_t)
can_unix_connect(sysadm_t, mysqld_t)
# for /root/.my.cnf - should not be needed
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
allow logrotate_t mysqld_db_t:dir search;
allow logrotate_t mysqld_var_run_t:dir search;
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)
')
ifdef(`daemontools.te', `
domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
allow svc_start_t mysqld_t:process signal;
svc_ipc_domain(mysqld_t)
')dnl end ifdef daemontools
ifdef(`distro_redhat', `
allow initrc_t mysqld_db_t:dir create_dir_perms;
# because Fedora has the sock_file in the database directory
file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
')
ifdef(`targeted_policy', `', `
bool allow_user_mysql_connect false;
if (allow_user_mysql_connect) {
allow userdomain mysqld_var_run_t:dir search;
allow userdomain mysqld_var_run_t:sock_file write;
}
')
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`crond.te', `
allow system_crond_t mysqld_etc_t:file { getattr read };
')
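Review bot: `allow mysqld_t sysadm_home_t:file { read getattr };` is described by its own comment as `# for /root/.my.cnf - should not be needed`, yet it is an `allow` rather than a `dontaudit`, so the network-facing database daemon can read every file under /root typed `sysadm_home_t`, not only `.my.cnf`. If the access really is unneeded, make both `allow mysqld_t sysadm_home_dir_t:dir search;` and this rule `dontaudit` so the denial is silenced without being granted; if the server does read /root/.my.cnf, a dedicated type for that file (the file already has `mysqld_etc_t` for its configuration directory via `etcdir_domain(mysqld)`) keeps the grant to one file. Style: `domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)` has a stray space after the opening parenthesis.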

@ -0,0 +1,186 @@
#DESC BIND - Name server
#
# Authors: Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
# Russell Coker
# X-Debian-Packages: bind bind9
#
#
#################################
#
# Rules for the named_t domain.
#
daemon_domain(named, `, nscd_client_domain')
tmp_domain(named)
type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
# For /var/run/ndc used in BIND 8
file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
# ndc_t is the domain for the ndc program
type ndc_t, domain, privlog, nscd_client_domain;
role sysadm_r types ndc_t;
role system_r types ndc_t;
ifdef(`targeted_policy', `
dontaudit ndc_t root_t:file { getattr read };
dontaudit ndc_t unlabeled_t:file { getattr read };
')
can_exec(named_t, named_exec_t)
allow named_t sbin_t:dir search;
allow named_t self:process { setsched setcap setrlimit };
# A type for configuration files of named.
type named_conf_t, file_type, sysadmfile, mount_point;
# for primary zone files
type named_zone_t, file_type, sysadmfile;
# for secondary zone files
type named_cache_t, file_type, sysadmfile;
# for DNSSEC key files
type dnssec_t, file_type, sysadmfile, secure_file_type;
allow { ndc_t named_t } dnssec_t:file { getattr read };
# Use capabilities. Surplus capabilities may be allowed.
allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
allow named_t etc_t:file { getattr read };
allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
#Named can use network
can_network(named_t)
allow named_t port_type:tcp_socket name_connect;
can_ypbind(named_t)
# allow UDP transfer to/from any program
can_udp_send(domain, named_t)
can_udp_send(named_t, domain)
can_tcp_connect(domain, named_t)
log_domain(named)
# Bind to the named port.
allow named_t dns_port_t:udp_socket name_bind;
allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
bool named_write_master_zones false;
#read configuration files
r_dir_file(named_t, named_conf_t)
if (named_write_master_zones) {
#create and modify zone files
create_dir_file(named_t, named_zone_t)
}
#read zone files
r_dir_file(named_t, named_zone_t)
#write cache for secondary zones
rw_dir_create_file(named_t, named_cache_t)
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:netlink_route_socket r_netlink_socket_perms;
# Read sysctl kernel variables.
read_sysctl(named_t)
# Read /proc/cpuinfo and /proc/net
r_dir_file(named_t, proc_t)
r_dir_file(named_t, proc_net_t)
# Read /dev/random.
allow named_t device_t:dir r_dir_perms;
allow named_t random_device_t:chr_file r_file_perms;
# Use a pipe created by self.
allow named_t self:fifo_file rw_file_perms;
# Enable named dbus support:
ifdef(`dbusd.te', `
dbusd_client(system, named)
domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
allow named_t self:dbus send_msg;
allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;
allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t named_t:dbus send_msg;
allow named_t unconfined_t:dbus send_msg;
')
')
# Set own capabilities.
#A type for /usr/sbin/ndc
type ndc_exec_t, file_type,sysadmfile, exec_type;
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
can_network_client_tcp(ndc_t)
allow ndc_t rndc_port_t:tcp_socket name_connect;
can_ypbind(ndc_t)
can_resolve(ndc_t)
read_locale(ndc_t)
can_tcp_connect(ndc_t, named_t)
ifdef(`distro_redhat', `
# for /etc/rndc.key
allow { ndc_t initrc_t } named_conf_t:dir search;
# Allow init script to cp localtime to named_conf_t
allow initrc_t named_conf_t:file { setattr write };
allow initrc_t named_conf_t:dir create_dir_perms;
allow initrc_t var_run_t:lnk_file create_file_perms;
ifdef(`automount.te', `
# automount has no need to search the /proc file system for the named chroot
dontaudit automount_t named_zone_t:dir search;
')dnl end ifdef automount.te
')dnl end ifdef distro_redhat
allow { ndc_t initrc_t } named_conf_t:file { getattr read };
allow ndc_t etc_t:dir r_dir_perms;
allow ndc_t etc_t:file r_file_perms;
allow ndc_t self:unix_stream_socket create_stream_socket_perms;
allow ndc_t self:unix_stream_socket connect;
allow ndc_t self:capability { dac_override net_admin };
allow ndc_t var_t:dir search;
allow ndc_t var_run_t:dir search;
allow ndc_t named_var_run_t:sock_file rw_file_perms;
allow ndc_t named_t:unix_stream_socket connectto;
allow ndc_t { privfd init_t }:fd use;
# seems to need read as well for some reason
allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
allow ndc_t fs_t:filesystem getattr;
# Read sysctl kernel variables.
read_sysctl(ndc_t)
allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file { read write getattr ioctl };
allow ndc_t named_zone_t:dir search;
# for chmod in start script
dontaudit initrc_t named_var_run_t:dir setattr;
# for ndc_t to be used for restart shell scripts
ifdef(`ndc_shell_script', `
system_crond_entry(ndc_exec_t, ndc_t)
allow ndc_t devtty_t:chr_file { read write ioctl };
allow ndc_t etc_runtime_t:file { getattr read };
allow ndc_t proc_t:dir search;
allow ndc_t proc_t:file { getattr read };
can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
allow ndc_t named_var_run_t:file getattr;
allow ndc_t named_zone_t:dir { read getattr };
allow ndc_t named_zone_t:file getattr;
dontaudit ndc_t sysadm_home_t:dir { getattr search read };
')
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
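Review bot: the `# Set own capabilities.` comment at the top of this region sits above the `type ndc_exec_t` declaration instead of above the rule it describes, which only appears much later as `allow ndc_t self:capability { dac_override net_admin };`; move the comment next to that rule and say what rndc does that needs dac_override and net_admin, since both are broad for a control client. Smaller points in the same region: `type ndc_exec_t, file_type,sysadmfile, exec_type;` is missing a space after the comma, `allow ndc_t self:unix_stream_socket connect;` is already covered by the `create_stream_socket_perms` rule directly above it, and the closing `dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };` wraps a single permission in braces.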

@ -0,0 +1,64 @@
#DESC Netutils - Network utilities
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil>
# X-Debian-Packages: netbase iputils arping tcpdump
#
#
# Rules for the netutils_t domain.
# This domain is for network utilities that require access to
# special protocol families.
#
type netutils_t, domain, privlog;
type netutils_exec_t, file_type, sysadmfile, exec_type;
role system_r types netutils_t;
role sysadm_r types netutils_t;
uses_shlib(netutils_t)
can_network(netutils_t)
allow netutils_t port_type:tcp_socket name_connect;
can_ypbind(netutils_t)
tmp_domain(netutils)
domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
')
# Inherit and use descriptors from init.
allow netutils_t { userdomain init_t }:fd use;
allow netutils_t self:process { fork signal_perms };
# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
# Create and use netlink sockets.
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
# Create and use packet sockets.
allow netutils_t self:packet_socket create_socket_perms;
# Create and use UDP sockets.
allow netutils_t self:udp_socket create_socket_perms;
# Create and use TCP sockets.
allow netutils_t self:tcp_socket create_socket_perms;
allow netutils_t self:unix_stream_socket create_socket_perms;
# Read certain files in /etc
allow netutils_t etc_t:file r_file_perms;
read_locale(netutils_t)
allow netutils_t fs_t:filesystem getattr;
# Access terminals.
allow netutils_t privfd:fd use;
can_access_pty(netutils_t, initrc)
allow netutils_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
allow netutils_t proc_t:dir search;
# for nscd
dontaudit netutils_t var_t:dir search;
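Review bot: `allow netutils_t port_type:tcp_socket name_connect;` grants outbound TCP connects to every labelled port, which is wider than the header's stated purpose (utilities that need special protocol families, served by the packet, netlink, raw and UDP socket rules below); if none of the listed tools needs arbitrary TCP connects, drop it or narrow it to the port types actually used, and add a comment naming the tool that needs it. Also, `role sysadm_r types netutils_t;` is unconditional while the matching `domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)` is excluded under `targeted_policy`; the two should be guarded the same way.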

@ -0,0 +1,24 @@
#DESC Newrole - SELinux utility to run a shell with a new role
#
# Authors: Anthony Colatrella (NSA)
# Maintained by Stephen Smalley <sds@epoch.ncsc.mil>
# X-Debian-Packages: policycoreutils
#
# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
bool secure_mode false;
type newrole_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
newrole_domain(newrole)
# Write to utmp.
allow newrole_t var_run_t:dir r_dir_perms;
allow newrole_t initrc_var_run_t:file rw_file_perms;
role secadm_r types newrole_t;
ifdef(`targeted_policy', `
typeattribute newrole_t unconfinedtrans;
')
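Review bot: `bool secure_mode false;` is declared here with a comment describing its effect on newrole, sudo, su and userhelper, but nothing in this file tests the bool, so a reader cannot see where the restriction is enforced; either name the file that uses it in the comment or move the declaration next to its first use. Also `role secadm_r types newrole_t;` is unconditional, unlike the `targeted_policy` block beneath it; confirm that secadm_r is declared in every configuration this file is built into, because a role statement for an undeclared role fails compilation.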

@ -0,0 +1,79 @@
#DESC NSCD - Name service cache daemon cache lookup of user-name
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: nscd
#
define(`nscd_socket_domain', `
can_unix_connect($1, nscd_t)
allow $1 nscd_var_run_t:sock_file rw_file_perms;
allow $1 { var_run_t var_t }:dir search;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_var_run_t:dir { search getattr };
dontaudit $1 nscd_var_run_t:file { getattr read };
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
')
#################################
#
# Rules for the nscd_t domain.
#
# nscd is both the client program and the daemon.
daemon_domain(nscd, `, userspace_objmgr')
allow nscd_t etc_t:file r_file_perms;
allow nscd_t etc_t:lnk_file read;
can_network_client(nscd_t)
allow nscd_t port_type:tcp_socket name_connect;
can_ypbind(nscd_t)
file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
nscd_socket_domain(nscd_client_domain)
nscd_socket_domain(daemon)
# Clients that are allowed to map the database via a fd obtained from nscd.
nscd_socket_domain(nscd_shmem_domain)
allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
# Receive fd from nscd and map the backing file with read access.
allow nscd_shmem_domain nscd_t:fd use;
# For client program operation, invoked from sysadm_t.
# Transition occurs to nscd_t due to direct_sysadm_daemon.
allow nscd_t self:nscd { admin getstat };
allow nscd_t admin_tty_type:chr_file rw_file_perms;
read_sysctl(nscd_t)
allow nscd_t self:process { getattr setsched };
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:fifo_file { read write };
allow nscd_t self:capability { kill setgid setuid net_bind_service };
# for when /etc/passwd has just been updated and has the wrong type
allow nscd_t shadow_t:file getattr;
dontaudit nscd_t sysadm_home_dir_t:dir search;
ifdef(`winbind.te', `
#
# Handle winbind for samba, Might only be needed for targeted policy
#
allow nscd_t winbind_var_run_t:sock_file { read write getattr };
can_unix_connect(nscd_t, winbind_t)
allow nscd_t samba_var_t:dir search;
allow nscd_t winbind_var_run_t:dir { getattr search };
')
r_dir_file(nscd_t, selinux_config_t)
can_getsecurity(nscd_t)
allow nscd_t self:netlink_selinux_socket create_socket_perms;
allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
allow nscd_t tmp_t:dir { search getattr };
allow nscd_t tmp_t:lnk_file read;
allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
log_domain(nscd)
r_dir_file(nscd_t, cert_t)
allow nscd_t tun_tap_device_t:chr_file { read write };
allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
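Review bot: `allow nscd_t tun_tap_device_t:chr_file { read write };` has no comment, and read/write access to the tun/tap device is not something a name service cache obviously needs; if this was added to silence a denial from a particular setup, say which one, and if the need is not confirmed, make it a dontaudit rather than an allow. Smaller points: `allow nscd_t port_type:tcp_socket name_connect;` permits connects to every labelled port where the lookups this daemon performs should only need the ports its backends use (dns_port_t being the obvious one), and the rule under `# for when /etc/passwd has just been updated and has the wrong type` is fine as `shadow_t:file getattr` but should not be widened to read later.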

@ -0,0 +1,88 @@
#DESC NTPD - Time synchronisation daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: ntp ntp-simple
#
#################################
#
# Rules for the ntpd_t domain.
#
daemon_domain(ntpd, `, nscd_client_domain')
type ntp_drift_t, file_type, sysadmfile;
type ntpdate_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
logdir_domain(ntpd)
allow ntpd_t var_lib_t:dir r_dir_perms;
allow ntpd_t usr_t:file r_file_perms;
# reading /usr/share/ssl/cert.pem requires
allow ntpd_t usr_t:lnk_file read;
allow ntpd_t ntp_drift_t:dir rw_dir_perms;
allow ntpd_t ntp_drift_t:file create_file_perms;
# for SSP
allow ntpd_t urandom_device_t:chr_file { getattr read };
# sys_resource and setrlimit is for locking memory
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { fsetid net_admin };
allow ntpd_t self:process { setcap setsched setrlimit };
# ntpdate wants sys_nice
# for some reason it creates a file in /tmp
tmp_domain(ntpd)
allow ntpd_t etc_t:dir r_dir_perms;
allow ntpd_t etc_t:file { read getattr };
# Use the network.
can_network(ntpd_t)
allow ntpd_t ntp_port_t:tcp_socket name_connect;
can_ypbind(ntpd_t)
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow sysadm_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
# so the start script can change firewall entries
allow initrc_t net_conf_t:file { getattr read ioctl };
# for cron jobs
# system_crond_t is not right, cron is not doing what it should
ifdef(`crond.te', `
system_crond_entry(ntpdate_exec_t, ntpd_t)
')
can_exec(ntpd_t, initrc_exec_t)
allow ntpd_t self:fifo_file { read write getattr };
allow ntpd_t etc_runtime_t:file r_file_perms;
can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
allow ntpd_t { sbin_t bin_t }:dir search;
allow ntpd_t bin_t:lnk_file read;
read_sysctl(ntpd_t);
allow ntpd_t proc_t:file r_file_perms;
allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
allow ntpd_t self:file { getattr read };
dontaudit ntpd_t domain:dir search;
ifdef(`logrotate.te', `
can_exec(ntpd_t, logrotate_exec_t)
')
allow ntpd_t devtty_t:chr_file rw_file_perms;
can_udp_send(ntpd_t, sysadm_t)
can_udp_send(sysadm_t, ntpd_t)
can_udp_send(ntpd_t, ntpd_t)
ifdef(`firstboot.te', `
dontaudit ntpd_t firstboot_t:fd use;
')
ifdef(`winbind.te', `
allow ntpd_t winbind_var_run_t:dir r_dir_perms;
allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
')
# For clock devices like wwvb1
allow ntpd_t device_t:lnk_file read;
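Review bot: `allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;` lets the time daemon list the administrator's home directory with no comment explaining why; the passwd file in this same commit handles the equivalent case with `dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };`, so unless ntpd genuinely reads something there this should be a dontaudit. The comment `# ntpdate wants sys_nice` is separated from the capability rule it explains (sys_nice is in the `allow ntpd_t self:capability {...}` line three lines earlier) and instead sits above the `/tmp` comment; move it up. `can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })` is a wide grant for a daemon; the `# for cron jobs` comment should say which scripts need the shell and the bin_t/sbin_t programs. Finally, `read_sysctl(ntpd_t);` carries a trailing semicolon that the other macro calls in this file omit.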

@ -0,0 +1,156 @@
#DESC Passwd - Password utilities
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: passwd
#
#################################
#
# Rules for the passwd_t domain.
#
define(`base_passwd_domain', `
type $1_t, domain, privlog, $2;
# for SSP
allow $1_t urandom_device_t:chr_file read;
allow $1_t self:process setrlimit;
general_domain_access($1_t);
uses_shlib($1_t);
# Inherit and use descriptors from login.
allow $1_t privfd:fd use;
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
read_locale($1_t)
allow $1_t fs_t:filesystem getattr;
# allow checking if a shell is executable
allow $1_t shell_exec_t:file execute;
# Obtain contexts
can_getsecurity($1_t)
allow $1_t etc_t:file create_file_perms;
# read /etc/mtab
allow $1_t etc_runtime_t:file { getattr read };
# Allow etc_t symlinks for /etc/alternatives on Debian.
allow $1_t etc_t:lnk_file read;
# Use capabilities.
allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
# Access terminals.
allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
allow $1_t devtty_t:chr_file rw_file_perms;
dontaudit $1_t devpts_t:dir getattr;
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
dontaudit $1_t initrc_var_run_t:file { read write };
# user generally runs this from their home directory, so do not audit a search
# on user home dir
dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
# When the wrong current passwd is entered, passwd, for some reason,
# attempts to access /proc and /dev, but handles failure appropriately. So
# do not audit those denials.
dontaudit $1_t { proc_t device_t }:dir { search read };
allow $1_t device_t:dir getattr;
read_sysctl($1_t)
')
#################################
#
# Rules for the passwd_t domain.
#
define(`passwd_domain', `
base_passwd_domain($1, `auth_write, privowner')
# Update /etc/shadow and /etc/passwd
file_type_auto_trans($1_t, etc_t, shadow_t, file)
allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
can_setfscreate($1_t)
')
passwd_domain(passwd)
passwd_domain(sysadm_passwd)
base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
can_setfscreate(chfn_t)
# can exec /sbin/unix_chkpwd
allow chfn_t { bin_t sbin_t }:dir search;
# uses unix_chkpwd for checking passwords
dontaudit chfn_t shadow_t:file read;
allow chfn_t etc_t:dir rw_dir_perms;
allow chfn_t etc_t:file create_file_perms;
allow chfn_t proc_t:file { getattr read };
allow chfn_t self:file write;
in_user_role(passwd_t)
in_user_role(chfn_t)
role sysadm_r types passwd_t;
role sysadm_r types sysadm_passwd_t;
role sysadm_r types chfn_t;
role system_r types passwd_t;
role system_r types chfn_t;
type admin_passwd_exec_t, file_type, sysadmfile;
type passwd_exec_t, file_type, sysadmfile, exec_type;
type chfn_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
dontaudit chfn_t var_t:dir search;
ifdef(`crack.te', `
allow passwd_t var_t:dir search;
dontaudit passwd_t var_run_t:dir search;
allow passwd_t crack_db_t:dir r_dir_perms;
allow passwd_t crack_db_t:file r_file_perms;
', `
dontaudit passwd_t var_t:dir search;
')
# allow vipw to exec the editor
allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
allow sysadm_passwd_t bin_t:lnk_file read;
can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
r_dir_file(sysadm_passwd_t, usr_t)
# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t var_t:dir search;
tmp_domain(sysadm_passwd)
# for vipw - vi looks in the root home directory for config
dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
# for /etc/alternatives/vi
allow sysadm_passwd_t etc_t:lnk_file read;
# for nscd lookups
dontaudit sysadm_passwd_t var_run_t:dir search;
# for /proc/meminfo
allow sysadm_passwd_t proc_t:file { getattr read };
dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
dontaudit sysadm_passwd_t devpts_t:dir search;
# make sure that getcon succeeds
allow passwd_t userdomain:dir search;
allow passwd_t userdomain:file { getattr read };
allow passwd_t userdomain:process getattr;
allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
ifdef(`targeted_policy', `
role system_r types sysadm_passwd_t;
')
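Review bot: the `# Rules for the passwd_t domain.` header appears twice, the first time above `define(`base_passwd_domain', ...)`, a macro shared by passwd_t, sysadm_passwd_t and chfn_t; rename the first header to describe base_passwd_domain so the shared rules are not mistaken for passwd_t-specific ones. `allow chfn_t self:file write;` has no comment and is an odd grant (writing files labelled with the process's own type, such as its /proc/self entries); explain which operation needs it or dontaudit it. In the shared macro, `allow $1_t etc_t:file create_file_perms;` gives chfn_t the ability to create and write arbitrary etc_t files even though chfn only rewrites /etc/passwd and is already given `etc_writer`; a comment on which of the two is relied on, and whether the create_file_perms rule is still needed, would help. Style: `general_domain_access($1_t);` and `uses_shlib($1_t);` carry trailing semicolons unlike the other macro calls in the file.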

@ -0,0 +1,37 @@
#DESC pegasus - The Open Group Pegasus CIM/WBEM Server
#
# Author: Jason Vas Dias <jvdias@redhat.com>
# Package: tog-pegasus
#
#################################
#
# Rules for the pegasus domain
#
daemon_domain(pegasus, `, nscd_client_domain, auth')
type pegasus_data_t, file_type, sysadmfile;
type pegasus_conf_t, file_type, sysadmfile;
type pegasus_mof_t, file_type, sysadmfile;
type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
allow pegasus_t self:capability { dac_override net_bind_service audit_write };
can_network_tcp(pegasus_t);
nsswitch_domain(pegasus_t);
allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
allow pegasus_t self:unix_dgram_socket create_socket_perms;
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
allow pegasus_t self:file { read getattr };
allow pegasus_t self:fifo_file rw_file_perms;
allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
allow pegasus_t proc_t:file { getattr read };
allow pegasus_t sysctl_vm_t:dir search;
allow pegasus_t initrc_var_run_t:file { read write lock };
allow pegasus_t urandom_device_t:chr_file { getattr read };
r_dir_file(pegasus_t, etc_t)
r_dir_file(pegasus_t, var_lib_t)
r_dir_file(pegasus_t, pegasus_mof_t)
rw_dir_create_file(pegasus_t, pegasus_conf_t)
rw_dir_create_file(pegasus_t, pegasus_data_t)
rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
allow pegasus_t shadow_t:file { getattr read };
dontaudit pegasus_t selinux_config_t:dir search;
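Review bot: `rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)` uses pegasus_conf_exec_t as the subject, but that type is declared above as `file_type, exec_type, sysadmfile` with no `domain` attribute, so no process ever runs with it and the macro expands to rules that can never match; the intended subject is presumably a domain that the configuration program transitions into (or pegasus_t itself), so either declare that domain with a `domain_auto_trans` from pegasus_conf_exec_t or drop the line. Also `allow pegasus_t shadow_t:file { getattr read };` grants direct shadow reads on top of the `auth` attribute passed to `daemon_domain`; if `auth` already covers shadow access this line is redundant, and if authentication can go through unix_chkpwd (the `auth_chkpwd` attribute that chfn uses elsewhere in this commit), direct shadow read should be avoided.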

@ -0,0 +1,64 @@
#DESC Ping - Send ICMP messages to network hosts
#
# Author: David A. Wheeler <dwheeler@ida.org>
# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
#
#################################
#
# Rules for the ping_t domain.
#
# ping_t is the domain for the ping program.
# ping_exec_t is the type of the corresponding program.
#
type ping_t, domain, privlog, nscd_client_domain;
role sysadm_r types ping_t;
role system_r types ping_t;
in_user_role(ping_t)
type ping_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `
allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
', `
bool user_ping false;
if (user_ping) {
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
# allow access to the terminal
allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
}
')
# Transition into this domain when you run this program.
domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
domain_auto_trans(initrc_t, ping_exec_t, ping_t)
uses_shlib(ping_t)
can_network_client(ping_t)
can_resolve(ping_t)
allow ping_t dns_port_t:tcp_socket name_connect;
can_ypbind(ping_t)
allow ping_t etc_t:file { getattr read };
allow ping_t self:unix_stream_socket create_socket_perms;
# Let ping create raw ICMP packets.
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
# Use capabilities.
allow ping_t self:capability { net_raw setuid };
# Access the terminal.
allow ping_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
allow ping_t privfd:fd use;
dontaudit ping_t fs_t:filesystem getattr;
# it tries to access /var/run
dontaudit ping_t var_t:dir search;
dontaudit ping_t devtty_t:chr_file { read write };
dontaudit ping_t self:capability sys_tty_config;
ifdef(`hide_broken_symptoms', `
dontaudit ping_t init_t:fd use;
')
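Review bot: the `targeted_policy` branch grants `allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;` without a comment, whereas the non-targeted branch documents its terminal rule with `# allow access to the terminal`; devpts_t is the filesystem and directory type rather than a pty file type, so the comment should say why chr_file access to it is needed under targeted policy (presumably pty nodes that are not relabelled there, but that is a guess the file should confirm). Also the non-targeted branch puts user access behind the `user_ping` bool while the targeted branch contains no transition from user domains at all; state in a comment how unprivileged users are meant to reach ping_t under targeted policy, or that they are not.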

@ -0,0 +1,71 @@
#DESC Portmap - Maintain RPC program number map
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: portmap
#
#################################
#
# Rules for the portmap_t domain.
#
daemon_domain(portmap, `, nscd_client_domain')
can_network(portmap_t)
allow portmap_t port_type:tcp_socket name_connect;
can_ypbind(portmap_t)
allow portmap_t self:unix_dgram_socket create_socket_perms;
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
tmp_domain(portmap)
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
# portmap binds to arbitary ports
allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
allow portmap_t etc_t:file { getattr read };
# Send to ypbind, initrc, rpc.statd, xinetd.
ifdef(`ypbind.te',
`can_udp_send(portmap_t, ypbind_t)')
can_udp_send(portmap_t, { initrc_t init_t })
can_udp_send(init_t, portmap_t)
ifdef(`rpcd.te',
`can_udp_send(portmap_t, rpcd_t)')
ifdef(`inetd.te',
`can_udp_send(portmap_t, inetd_t)')
ifdef(`lpd.te',
`can_udp_send(portmap_t, lpd_t)')
ifdef(`tcpd.te', `
can_udp_send(tcpd_t, portmap_t)
')
can_udp_send(portmap_t, kernel_t)
can_udp_send(kernel_t, portmap_t)
can_udp_send(sysadm_t, portmap_t)
can_udp_send(portmap_t, sysadm_t)
# Use capabilities
allow portmap_t self:capability { net_bind_service setuid setgid };
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
application_domain(portmap_helper)
role system_r types portmap_helper_t;
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
dontaudit portmap_helper_t self:capability { net_admin };
allow portmap_helper_t self:capability { net_bind_service };
allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
can_network(portmap_helper_t)
allow portmap_helper_t port_type:tcp_socket name_connect;
can_ypbind(portmap_helper_t)
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
allow portmap_helper_t etc_t:file { getattr read };
dontaudit portmap_helper_t { userdomain privfd }:fd use;
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
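Review bot: the portmap_helper domain introduced by `application_domain(portmap_helper)` is not mentioned in the file header and carries no comment saying which program runs in it or why it needs `initrc_var_run_t:file rw_file_perms` and the ability to bind reserved ports; add a short description above that line. `allow portmap_t port_type:tcp_socket name_connect;` lets the portmapper connect to any labelled port, which maintaining the RPC program number map does not explain; the client-side traffic this file documents is the UDP `can_udp_send` pairs, so narrow or justify the TCP rule. Style: the `ifdef(`tcpd.te', ...)` block spans three lines while the neighbouring ifdefs keep the rule on the continuation line, and `dontaudit portmap_helper_t self:capability { net_admin };` braces a single permission.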

@ -0,0 +1,368 @@
#DESC Postfix - Mail server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: postfix
# Depends: mta.te
#
# Type for files created during execution of postfix.
type postfix_var_run_t, file_type, sysadmfile, pidfile;
type postfix_etc_t, file_type, sysadmfile;
type postfix_exec_t, file_type, sysadmfile, exec_type;
type postfix_public_t, file_type, sysadmfile;
type postfix_private_t, file_type, sysadmfile;
type postfix_spool_t, file_type, sysadmfile;
type postfix_spool_maildrop_t, file_type, sysadmfile;
type postfix_spool_flush_t, file_type, sysadmfile;
type postfix_prng_t, file_type, sysadmfile;
# postfix needs this for newaliases
allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
#################################
#
# Rules for the postfix_$1_t domain.
#
# postfix_$1_exec_t is the type of the postfix_$1 executables.
#
define(`postfix_domain', `
daemon_core_rules(postfix_$1, `$2')
allow postfix_$1_t self:process setpgid;
allow postfix_$1_t postfix_master_t:process sigchld;
allow postfix_master_t postfix_$1_t:process signal;
allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
allow postfix_$1_t postfix_etc_t:file r_file_perms;
read_locale(postfix_$1_t)
allow postfix_$1_t etc_t:file { getattr read };
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;
allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
allow postfix_$1_t shell_exec_t:file rx_file_perms;
allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
allow postfix_$1_t postfix_exec_t:file rx_file_perms;
allow postfix_$1_t devtty_t:chr_file rw_file_perms;
allow postfix_$1_t etc_runtime_t:file r_file_perms;
allow postfix_$1_t proc_t:dir r_dir_perms;
allow postfix_$1_t proc_t:file r_file_perms;
allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
allow postfix_$1_t fs_t:filesystem getattr;
allow postfix_$1_t proc_net_t:dir search;
allow postfix_$1_t proc_net_t:file { getattr read };
can_exec(postfix_$1_t, postfix_$1_exec_t)
r_dir_file(postfix_$1_t, cert_t)
allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
allow postfix_$1_t tmp_t:dir getattr;
file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
read_sysctl(postfix_$1_t)
')dnl end postfix_domain
ifdef(`crond.te',
`allow system_mail_t crond_t:tcp_socket { read write create };')
postfix_domain(master, `, mail_server_domain')
rhgb_domain(postfix_master_t)
# for a find command
dontaudit postfix_master_t security_t:dir search;
read_sysctl(postfix_master_t)
ifdef(`targeted_policy', `
bool disable_postfix_trans false;
if (!disable_postfix_trans) {
')
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
ifdef(`targeted_policy', `', `
role_transition sysadm_r postfix_master_exec_t system_r;
')
allow postfix_master_t postfix_etc_t:file rw_file_perms;
dontaudit postfix_master_t admin_tty_type:chr_file { read write };
allow postfix_master_t devpts_t:dir search;
domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
allow system_mail_t sysadm_t:process sigchld;
allow system_mail_t privfd:fd use;
ifdef(`pppd.te', `
domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
')
ifdef(`targeted_policy', `
}
')
allow postfix_master_t privfd:fd use;
ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
# postfix does a "find" on startup for some reason - keep it quiet
dontaudit postfix_master_t selinux_config_t:dir search;
can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
ifdef(`distro_redhat', `
# compatability for old default main.cf
file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
# for newer main.cf that uses /etc/aliases
file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
')
file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
allow postfix_master_t sendmail_exec_t:file r_file_perms;
allow postfix_master_t sbin_t:lnk_file { getattr read };
can_exec(postfix_master_t, { ls_exec_t sbin_t })
allow postfix_master_t self:fifo_file rw_file_perms;
allow postfix_master_t usr_t:file r_file_perms;
can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
allow postfix_master_t postfix_public_t:sock_file create_file_perms;
allow postfix_master_t postfix_public_t:dir rw_dir_perms;
allow postfix_master_t postfix_private_t:dir rw_dir_perms;
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
can_network(postfix_master_t)
allow postfix_master_t port_type:tcp_socket name_connect;
can_ypbind(postfix_master_t)
allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
allow postfix_master_t postfix_prng_t:file getattr;
allow postfix_master_t privfd:fd use;
allow postfix_master_t etc_aliases_t:file rw_file_perms;
ifdef(`saslauthd.te',`
allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
can_unix_connect(postfix_smtpd_t,saslauthd_t)
')
create_dir_file(postfix_master_t, postfix_spool_flush_t)
allow postfix_master_t postfix_prng_t:file rw_file_perms;
# for ls to get the current context
allow postfix_master_t self:file { getattr read };
# allow access to deferred queue and allow removing bogus incoming entries
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_t:file create_file_perms;
dontaudit postfix_master_t man_t:dir search;
define(`postfix_server_domain', `
postfix_domain($1, `$2')
domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:capability { setuid setgid dac_override };
can_network_client(postfix_$1_t)
allow postfix_$1_t port_type:tcp_socket name_connect;
can_ypbind(postfix_$1_t)
')
postfix_server_domain(smtp, `, mail_server_sender')
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
# if you have two different mail servers on the same host let them talk via
# SMTP, also if one mail server wants to talk to itself then allow it and let
# the SMTP protocol sort it out (SE Linux is not to prevent mail server
# misconfiguration)
can_tcp_connect(postfix_smtp_t, mail_server_domain)
postfix_server_domain(smtpd)
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
# for OpenSSL certificates
r_dir_file(postfix_smtpd_t,usr_t)
allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
allow postfix_smtpd_t self:file { getattr read };
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
postfix_server_domain(local, `, mta_delivery_agent')
ifdef(`procmail.te', `
domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
# for a bug in the postfix local program
dontaudit procmail_t postfix_local_t:tcp_socket { read write };
dontaudit procmail_t postfix_master_t:fd use;
')
allow postfix_local_t etc_aliases_t:file r_file_perms;
allow postfix_local_t self:fifo_file rw_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
allow postfix_local_t postfix_spool_t:file rw_file_perms;
# for .forward - maybe we need a new type for it?
allow postfix_local_t postfix_private_t:dir search;
allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
allow postfix_local_t postfix_public_t:dir search;
allow postfix_local_t postfix_public_t:sock_file write;
tmp_domain(postfix_local)
can_exec(postfix_local_t,{ shell_exec_t bin_t })
allow postfix_local_t mail_spool_t:dir { remove_name };
allow postfix_local_t mail_spool_t:file { unlink };
# For reading spamassasin
r_dir_file(postfix_local_t, etc_mail_t)
define(`postfix_public_domain',`
postfix_server_domain($1)
allow postfix_$1_t postfix_public_t:dir search;
')
postfix_public_domain(cleanup)
create_dir_file(postfix_cleanup_t, postfix_spool_t)
allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
allow postfix_cleanup_t postfix_private_t:dir search;
allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
allow postfix_cleanup_t self:process setrlimit;
allow user_mail_domain postfix_spool_t:dir r_dir_perms;
allow user_mail_domain postfix_etc_t:dir r_dir_perms;
allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
allow user_mail_domain self:capability dac_override;
define(`postfix_user_domain', `
postfix_domain($1, `$2')
domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
in_user_role(postfix_$1_t)
role sysadm_r types postfix_$1_t;
allow postfix_$1_t userdomain:process sigchld;
allow postfix_$1_t userdomain:fifo_file { write getattr };
allow postfix_$1_t { userdomain privfd }:fd use;
allow postfix_$1_t self:capability dac_override;
')
postfix_user_domain(postqueue)
allow postfix_postqueue_t postfix_public_t:dir search;
allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
allow postfix_postqueue_t self:udp_socket { create ioctl };
allow postfix_postqueue_t self:tcp_socket create;
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_postqueue_t initrc_t:process sigchld;
allow postfix_postqueue_t initrc_t:fd use;
# to write the mailq output, it really should not need read access!
allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
# wants to write to /var/spool/postfix/public/showq
allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
# write to /var/spool/postfix/public/qmgr
allow postfix_postqueue_t postfix_public_t:fifo_file write;
dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
postfix_user_domain(showq)
# the following auto_trans is usually in postfix server domain
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
can_resolve(postfix_showq_t)
r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
allow postfix_showq_t self:capability { setuid setgid };
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
allow postfix_showq_t postfix_spool_t:file r_file_perms;
allow postfix_showq_t self:tcp_socket create_socket_perms;
allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
dontaudit postfix_showq_t net_conf_t:file r_file_perms;
postfix_user_domain(postdrop, `, mta_user_agent')
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
allow postfix_postdrop_t postfix_public_t:dir search;
allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
ifdef(`crond.te',
`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
# usually it does not need a UDP socket
allow postfix_postdrop_t self:udp_socket create_socket_perms;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
postfix_public_domain(pickup)
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
allow postfix_pickup_t postfix_private_t:dir search;
allow postfix_pickup_t postfix_private_t:sock_file write;
allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
allow postfix_pickup_t self:tcp_socket create_socket_perms;
postfix_public_domain(qmgr)
allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_qmgr_t postfix_public_t:sock_file write;
allow postfix_qmgr_t postfix_private_t:dir search;
allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
# for /var/spool/postfix/active
create_dir_file(postfix_qmgr_t, postfix_spool_t)
postfix_public_domain(bounce)
type postfix_spool_bounce_t, file_type, sysadmfile;
create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
create_dir_file(postfix_bounce_t, postfix_spool_t)
allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
postfix_public_domain(pipe)
allow postfix_pipe_t postfix_spool_t:dir search;
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
allow postfix_pipe_t self:fifo_file { read write };
allow postfix_pipe_t postfix_private_t:dir search;
allow postfix_pipe_t postfix_private_t:sock_file write;
ifdef(`procmail.te', `
domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
')
ifdef(`sendmail.te', `
r_dir_file(sendmail_t, postfix_etc_t)
allow sendmail_t postfix_spool_t:dir search;
')
# Program for creating database files
application_domain(postfix_map)
base_file_read_access(postfix_map_t)
allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
tmp_domain(postfix_map)
create_dir_file(postfix_map_t, postfix_etc_t)
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
dontaudit postfix_map_t proc_t:dir { getattr read search };
dontaudit postfix_map_t local_login_t:fd use;
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
read_locale(postfix_map_t)
allow postfix_map_t self:capability setgid;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
dontaudit postfix_map_t var_t:dir search;
can_network_server(postfix_map_t)
allow postfix_map_t port_type:tcp_socket name_connect;
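Review bot: `allow postfix_postdrop_t self:tcp_socket create;` appears twice in the postdrop block (once before and once after the `sys_resource` capability rule); drop the second copy. Two comments in this hunk contradict the rule they introduce: `# usually it does not need a UDP socket` is followed by `allow postfix_postdrop_t self:udp_socket create_socket_perms;`, and `# to write the mailq output, it really should not need read access!` is followed by a rule that grants `{ read write getattr }` on pty and tty device nodes. If the access is genuinely not needed, a `dontaudit` quiets the denial without granting it; if it is needed, the comment should say under which condition. Last, `allow postfix_map_t port_type:tcp_socket name_connect;` together with `can_network_server(postfix_map_t)` lets a map-building utility connect to any labelled TCP port; a one-line justification (or a narrower port type) would help the next reader.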


@ -0,0 +1,138 @@
#DESC Postgresql - Database server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: postgresql
#
#################################
#
# Rules for the postgresql_t domain.
#
# postgresql_exec_t is the type of the postgresql executable.
#
daemon_domain(postgresql)
allow initrc_t postgresql_exec_t:lnk_file read;
allow postgresql_t usr_t:file { getattr read };
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
ifdef(`distro_debian', `
can_exec(postgresql_t, initrc_exec_t)
# gross hack
domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
can_exec(postgresql_t, dpkg_exec_t)
')
dontaudit postgresql_t sysadm_home_dir_t:dir search;
# quiet ps and killall
dontaudit postgresql_t domain:dir { getattr search };
# for currect directory of scripts
allow postgresql_t { var_spool_t cron_spool_t }:dir search;
# capability kill is for shutdown script
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
dontaudit postgresql_t self:capability sys_admin;
etcdir_domain(postgresql)
type postgresql_db_t, file_type, sysadmfile;
logdir_domain(postgresql)
ifdef(`crond.te', `
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
allow crond_t postgresql_db_t:dir search;
system_crond_entry(postgresql_exec_t, postgresql_t)
')
tmp_domain(postgresql, `', `{ dir file sock_file }')
file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
# Use the network.
can_network(postgresql_t)
can_ypbind(postgresql_t)
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(postgresql_t, self)
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:shm create_shm_perms;
ifdef(`targeted_policy', `', `
bool allow_user_postgresql_connect false;
if (allow_user_postgresql_connect) {
# allow any user domain to connect to the database server
can_tcp_connect(userdomain, postgresql_t)
allow userdomain postgresql_t:unix_stream_socket connectto;
allow userdomain postgresql_var_run_t:sock_file write;
allow userdomain postgresql_tmp_t:sock_file write;
}
')
ifdef(`consoletype.te', `
can_exec(postgresql_t, consoletype_exec_t)
')
ifdef(`hostname.te', `
can_exec(postgresql_t, hostname_exec_t)
')
allow postgresql_t postgresql_port_t:tcp_socket name_bind;
allow postgresql_t auth_port_t:tcp_socket name_connect;
allow postgresql_t { proc_t self }:file { getattr read };
# Allow access to the postgresql databases
create_dir_file(postgresql_t, postgresql_db_t)
file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
allow postgresql_t var_lib_t:dir { getattr search };
# because postgresql start scripts are broken and put the pid file in the DB
# directory
rw_dir_file(initrc_t, postgresql_db_t)
# read config files
allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
r_dir_file(initrc_t, postgresql_etc_t)
allow postgresql_t etc_t:dir rw_dir_perms;
read_sysctl(postgresql_t)
allow postgresql_t devtty_t:chr_file { read write };
allow postgresql_t devpts_t:dir search;
allow postgresql_t { bin_t sbin_t }:dir search;
allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t initrc_var_run_t:file { getattr read lock };
dontaudit postgresql_t selinux_config_t:dir search;
allow postgresql_t mail_spool_t:dir search;
lock_domain(postgresql)
can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
ifdef(`apache.te', `
#
# Allow httpd to work with postgresql
#
allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
can_unix_connect(httpd_t, postgresql_t)
')
ifdef(`distro_gentoo', `
# "su - postgres ..." is called from initrc_t
allow initrc_su_t postgresql_db_t:dir search;
allow postgresql_t initrc_su_t:process sigchld;
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')
dontaudit postgresql_t home_root_t:dir search;
can_kerberos(postgresql_t)
allow postgresql_t urandom_device_t:chr_file { getattr read };
if (allow_execmem) {
allow postgresql_t self:process execmem;
}
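Review bot: `allow postgresql_t etc_t:dir rw_dir_perms;` gives the database server write access to every directory labelled `etc_t` with no comment saying what it creates or removes there. The module already declares `etcdir_domain(postgresql)`, so if the need is for files under /etc it should be narrowed to `postgresql_etc_t` (or a `file_type_auto_trans` into it) and the reason recorded. The capability rule `{ kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config }` is explained only for `kill`; `dac_override`/`dac_read_search` and `fowner`/`fsetid` each deserve a line. Also `rw_dir_file(initrc_t, postgresql_db_t)`, justified as a workaround for start scripts putting the pid file in the database directory, gives init scripts write access to the whole database tree; worth flagging as a workaround to revisit rather than a permanent grant. Typo in the comment: "currect" should be "current".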


@ -0,0 +1,148 @@
#DESC PPPD - PPP daemon
#
# Author: Russell Coker
# X-Debian-Packages: ppp
#
#################################
#
# Rules for the pppd_t domain, et al.
#
# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
# pppd_secret_t is the type of the pap and chap password files
#
bool pppd_for_user false;
daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
type pppd_secret_t, file_type, sysadmfile;
# Define a separate type for /etc/ppp
etcdir_domain(pppd)
# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t, file_type, sysadmfile;
# Automatically label newly created files under /etc/ppp with this type
file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
# for SSP
allow pppd_t urandom_device_t:chr_file read;
allow pppd_t sysfs_t:dir search;
log_domain(pppd)
# Use the network.
can_network_server(pppd_t)
can_ypbind(pppd_t)
# Use capabilities.
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
lock_domain(pppd)
# Access secret files
allow pppd_t pppd_secret_t:file r_file_perms;
ifdef(`postfix.te', `
allow pppd_t postfix_etc_t:dir search;
allow pppd_t postfix_etc_t:file r_file_perms;
allow pppd_t postfix_master_exec_t:file { getattr read };
allow postfix_postqueue_t pppd_t:fd use;
allow postfix_postqueue_t pppd_t:process sigchld;
')
# allow running ip-up and ip-down scripts and running chat.
can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
allow pppd_t { bin_t sbin_t }:dir search;
allow pppd_t { sbin_t bin_t }:lnk_file read;
allow ifconfig_t pppd_t:fd use;
# Access /dev/ppp.
allow pppd_t ppp_device_t:chr_file rw_file_perms;
allow pppd_t devtty_t:chr_file { read write };
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
allow pppd_t proc_t:dir search;
allow pppd_t proc_t:{ file lnk_file } r_file_perms;
allow pppd_t proc_net_t:dir { read search };
allow pppd_t proc_net_t:file r_file_perms;
allow pppd_t etc_runtime_t:file r_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
allow pppd_t devpts_t:dir search;
# for scripts
allow pppd_t self:fifo_file rw_file_perms;
allow pppd_t etc_t:lnk_file read;
# for ~/.ppprc - if it actually exists then you need some policy to read it
allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
in_user_role(pppd_t)
if (pppd_for_user) {
# Run pppd in pppd_t by default for user
domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
allow unpriv_userdomain pppd_t:process signal;
}
# for pppoe
can_create_pty(pppd)
allow pppd_t self:file { read getattr };
allow pppd_t self:packet_socket create_socket_perms;
file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
tmp_domain(pppd)
allow pppd_t sysctl_net_t:dir search;
allow pppd_t sysctl_net_t:file r_file_perms;
allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
allow pppd_t initrc_var_run_t:file r_file_perms;
dontaudit pppd_t initrc_var_run_t:file { lock write };
# pppd needs to load kernel modules for certain modems
bool pppd_can_insmod false;
if (pppd_can_insmod) {
ifdef(`modutil.te', `
domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
')
}
daemon_domain(pptp, `, nscd_client_domain')
can_network_client_tcp(pptp_t)
allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
can_exec(pptp_t, hostname_exec_t)
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
allow pptp_t self:rawip_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow pptp_t self:unix_dgram_socket create_socket_perms;
can_exec(pptp_t, pppd_etc_rw_t)
allow pptp_t devpts_t:chr_file ioctl;
r_dir_file(pptp_t, pppd_etc_rw_t)
r_dir_file(pptp_t, pppd_etc_t)
allow pptp_t devpts_t:dir search;
allow pppd_t devpts_t:chr_file ioctl;
allow pppd_t pptp_t:process signal;
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
allow pptp_t ptmx_t:chr_file rw_file_perms;
log_domain(pptp)
# Fix sockets
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append;
ifdef(`named.te', `
dontaudit ndc_t pppd_t:fd use;
')
# Allow /etc/ppp/ip-{up,down} to run most anything
type pppd_script_exec_t, file_type, sysadmfile;
domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
allow pppd_t initrc_t:process noatsecure;
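Review bot: `sys_module` is granted unconditionally in `allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };`, yet module loading is presented later as optional under `bool pppd_can_insmod false;`. Moving the `sys_module` capability rule into the `if (pppd_can_insmod)` block would make the default configuration unable to load modules, which is what the boolean's name promises. Two more points: `can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })` lets pppd execute any file labelled `etc_t`; since the hunk later introduces `pppd_script_exec_t` for /etc/ppp/ip-{up,down}, the `etc_t` entry looks redundant and should be dropped if the scripts are labelled. And `domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)` plus `allow pppd_t initrc_t:process noatsecure;` means the scripts run with initrc privileges and inherit pppd's environment without the secure-execution cleansing; the comment "run most anything" should spell that out so the choice is reviewed deliberately.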


@ -0,0 +1,27 @@
#DESC privoxy - privacy enhancing proxy
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#
#################################
#
# Rules for the privoxy_t domain.
#
daemon_domain(privoxy, `, web_client_domain')
logdir_domain(privoxy)
# Use capabilities.
allow privoxy_t self:capability net_bind_service;
# Use the network.
can_network_tcp(privoxy_t)
can_ypbind(privoxy_t)
can_resolve(privoxy_t)
allow privoxy_t http_cache_port_t:tcp_socket name_bind;
allow privoxy_t etc_t:file { getattr read };
allow privoxy_t self:capability { setgid setuid };
allow privoxy_t self:unix_stream_socket create_socket_perms ;
allow privoxy_t admin_tty_type:chr_file { read write };
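Review bot: the two capability rules `allow privoxy_t self:capability net_bind_service;` and `allow privoxy_t self:capability { setgid setuid };` should be merged into one `{ net_bind_service setgid setuid }` rule; splitting them across the file makes the daemon's full capability set harder to audit. Style: stray space before `;` in `allow privoxy_t self:unix_stream_socket create_socket_perms ;`, and the header has a doubled empty `#` line after the Authors entry.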


@ -0,0 +1,66 @@
#DESC RADIUS - Radius server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius
#
#################################
#
# Rules for the radiusd_t domain.
#
# radiusd_exec_t is the type of the radiusd executable.
#
daemon_domain(radiusd, `, auth')
etcdir_domain(radiusd)
system_crond_entry(radiusd_exec_t, radiusd_t)
allow radiusd_t self:process setsched;
allow radiusd_t proc_t:file { read getattr };
dontaudit radiusd_t sysadm_home_dir_t:dir getattr;
# allow pthreads to read kernel version
read_sysctl(radiusd_t)
# read config files
allow radiusd_t etc_t:dir r_dir_perms;
allow radiusd_t { etc_t etc_runtime_t }:file { read getattr };
allow radiusd_t etc_t:lnk_file read;
# write log files
logdir_domain(radiusd)
allow radiusd_t radiusd_log_t:dir create;
allow radiusd_t usr_t:file r_file_perms;
can_exec(radiusd_t, lib_t)
can_exec(radiusd_t, { bin_t shell_exec_t })
allow radiusd_t { bin_t sbin_t }:dir search;
allow radiusd_t bin_t:lnk_file read;
allow radiusd_t devtty_t:chr_file { read write };
allow radiusd_t self:fifo_file rw_file_perms;
# fsetid is for gzip which needs it when run from scripts
# gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
can_network_server(radiusd_t)
can_ypbind(radiusd_t)
allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
# for RADIUS proxy port
allow radiusd_t port_t:udp_socket name_bind;
ifdef(`snmpd.te', `
can_tcp_connect(radiusd_t, snmpd_t)
')
ifdef(`logrotate.te', `
can_exec(radiusd_t, logrotate_exec_t)
')
can_udp_send(sysadm_t, radiusd_t)
can_udp_send(radiusd_t, sysadm_t)
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
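Review bot: `allow radiusd_t port_t:udp_socket name_bind;`, commented "for RADIUS proxy port", lets the daemon bind any UDP port that has no dedicated label; if the proxy port is fixed it should get its own port type next to `radius_port_t` and `radacct_port_t`, otherwise the comment should say the port is configurable and this is intentional. `can_exec(radiusd_t, lib_t)` has no comment; executing files labelled `lib_t` goes beyond the shared-library mapping the domain already gets, so say what it is for. Likewise the capability rule explains `fsetid` and `chown` (gzip) but not `kill` or `sys_resource`, and the pair `can_udp_send(sysadm_t, radiusd_t)` / `can_udp_send(radiusd_t, sysadm_t)` is unexplained.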


@ -0,0 +1,30 @@
#DESC Radv - IPv6 route advisory daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: radvd
#
#################################
#
# Rules for the radvd_t domain.
#
daemon_domain(radvd)
etc_domain(radvd)
allow radvd_t etc_t:file { getattr read };
allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
allow radvd_t self:capability { setgid setuid net_raw };
allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
allow radvd_t self:unix_stream_socket create_socket_perms;
can_network_server(radvd_t)
can_ypbind(radvd_t)
allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
allow radvd_t { proc_t proc_net_t }:file { getattr read };
allow radvd_t etc_t:lnk_file read;
allow radvd_t sysctl_net_t:file r_file_perms;
allow radvd_t sysctl_net_t:dir r_dir_perms;
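Review bot: the socket rules overlap: `allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;` and `allow radvd_t self:{ unix_dgram_socket rawip_socket } create;` cover the same classes and could be a single `create_socket_perms` rule. The `#DESC` line says "IPv6 route advisory daemon"; radvd is the IPv6 router advertisement daemon, so the description should be corrected.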


@ -0,0 +1,66 @@
#DESC restorecon - Restore or check the context of a file
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: policycoreutils
#
#################################
#
# Rules for the restorecon_t domain.
#
# restorecon_exec_t is the type of the restorecon executable.
#
# needs auth_write attribute because it has relabelfrom/relabelto
# access to shadow_t
type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
type restorecon_exec_t, file_type, sysadmfile, exec_type;
role system_r types restorecon_t;
role sysadm_r types restorecon_t;
role secadm_r types restorecon_t;
can_access_pty(restorecon_t, initrc)
allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
allow restorecon_t { userdomain init_t privfd }:fd use;
uses_shlib(restorecon_t)
allow restorecon_t self:capability { dac_override dac_read_search fowner };
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute };
# Get security policy decisions.
can_getsecurity(restorecon_t)
r_dir_file(restorecon_t, policy_config_t)
allow restorecon_t file_type:dir r_dir_perms;
allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
allow restorecon_t unlabeled_t:dir read;
allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
ifdef(`distro_redhat', `
allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
')
ifdef(`dpkg.te', `
domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
')
allow restorecon_t ptyfile:chr_file getattr;
allow restorecon_t fs_t:filesystem getattr;
allow restorecon_t etc_runtime_t:file { getattr read };
allow restorecon_t etc_t:file { getattr read };
allow restorecon_t proc_t:file { getattr read };
dontaudit restorecon_t proc_t:lnk_file { getattr read };
allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fd use;
allow restorecon_t kernel_t:fifo_file { read write };
allow restorecon_t kernel_t:unix_dgram_socket { read write };
r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
allow restorecon_t autofs_t:dir search;
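Review bot: `allow restorecon_t device_t:file { read write };` and the three `kernel_t` rules (`fd use`, `fifo_file { read write }`, `unix_dgram_socket { read write }`) have no comment. For a domain that can relabel every `file_type` (and, with `auth_write`, `shadow_t`), each grant that is not about relabelling should say which invocation needs it; the kernel_t ones presumably cover being run before init has transitioned, but that should be stated. The Red Hat rule `allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };` also grants read/write on device nodes, which is more than relabelling requires; `{ getattr relabelfrom relabelto }`, as used for `device_t` a few lines above, looks like the intended set.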


@ -0,0 +1,40 @@
#DESC Rlogind - Remote login daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: rsh-client rsh-redone-client
# Depends: inetd.te
#
#################################
#
# Rules for the rlogind_t domain.
#
remote_login_daemon(rlogind)
typeattribute rlogind_t auth_chkpwd;
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
')
# for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t)
# Use capabilities.
allow rlogind_t self:capability { net_bind_service };
# Run login in remote_login_t.
allow remote_login_t inetd_t:fd use;
allow remote_login_t inetd_t:tcp_socket rw_file_perms;
# Send SIGCHLD to inetd on death.
allow rlogind_t inetd_t:process sigchld;
allow rlogind_t home_dir_type:dir search;
allow rlogind_t home_type:file { getattr read };
allow rlogind_t self:file { getattr read };
allow rlogind_t default_t:dir search;
typealias rlogind_port_t alias rlogin_port_t;
read_sysctl(rlogind_t);
ifdef(`kerberos.te', `
allow rlogind_t krb5_keytab_t:file { getattr read };
')
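Review bot: `read_sysctl(rlogind_t);` carries a trailing semicolon after the macro call, unlike every other macro invocation in this module; drop it for consistency. `allow rlogind_t home_dir_type:dir search;` and `allow rlogind_t home_type:file { getattr read };` are uncommented; the rshd module in this same commit labels the equivalent rule "# Read the user's .rhosts file.", and the same note belongs here so the reader knows this is the trust-file check and not general home-directory access.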


@ -0,0 +1,167 @@
#DESC Rpcd - RPC daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# Depends: portmap.te
# X-Debian-Packages: nfs-common
#
#################################
#
# Rules for the rpcd_t and nfsd_t domain.
#
define(`rpc_domain', `
ifdef(`targeted_policy', `
daemon_base_domain($1, `, transitionbool')
', `
daemon_base_domain($1)
')
can_network($1_t)
allow $1_t port_type:tcp_socket name_connect;
can_ypbind($1_t)
allow $1_t { etc_runtime_t etc_t }:file { getattr read };
read_locale($1_t)
allow $1_t self:capability net_bind_service;
dontaudit $1_t self:capability net_admin;
allow $1_t var_t:dir { getattr search };
allow $1_t var_lib_t:dir search;
allow $1_t var_lib_nfs_t:dir create_dir_perms;
allow $1_t var_lib_nfs_t:file create_file_perms;
# do not log when it tries to bind to a port belonging to another domain
dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
allow $1_t self:netlink_route_socket r_netlink_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
# bind to arbitary unused ports
allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
allow $1_t sysctl_rpc_t:dir search;
allow $1_t sysctl_rpc_t:file rw_file_perms;
')
type exports_t, file_type, sysadmfile;
dontaudit userdomain exports_t:file getattr;
# rpcd_t is the domain of rpc daemons.
# rpcd_exec_t is the type of rpc daemon programs.
#
rpc_domain(rpcd)
var_run_domain(rpcd)
allow rpcd_t rpcd_var_run_t:dir setattr;
# for rpc.rquotad
allow rpcd_t sysctl_t:dir r_dir_perms;
allow rpcd_t self:fifo_file rw_file_perms;
# rpcd_t needs to talk to the portmap_t domain
can_udp_send(rpcd_t, portmap_t)
allow initrc_t exports_t:file r_file_perms;
ifdef(`distro_redhat', `
allow rpcd_t self:capability { chown dac_override setgid setuid };
# for /etc/rc.d/init.d/nfs to create /etc/exports
allow initrc_t exports_t:file write;
')
allow rpcd_t self:file { getattr read };
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
can_network_server(kernel_t)
#can_udp_send(kernel_t, rpcd_t)
#can_udp_send(rpcd_t, kernel_t)
rpc_domain(nfsd)
domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
role sysadm_r types nfsd_t;
# for /proc/fs/nfs/exports - should we have a new type?
allow nfsd_t proc_t:file r_file_perms;
allow nfsd_t proc_net_t:dir search;
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t nfsd_fs_t:filesystem mount;
allow nfsd_t nfsd_fs_t:dir search;
allow nfsd_t nfsd_fs_t:file rw_file_perms;
allow initrc_t sysctl_rpc_t:dir search;
allow initrc_t sysctl_rpc_t:file rw_file_perms;
type nfsd_rw_t, file_type, sysadmfile, usercanread;
type nfsd_ro_t, file_type, sysadmfile, usercanread;
bool nfs_export_all_rw false;
if(nfs_export_all_rw) {
allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
r_dir_file(kernel_t, noexattrfile)
create_dir_file(kernel_t,{ file_type -shadow_t })
}
dontaudit kernel_t shadow_t:file getattr;
bool nfs_export_all_ro false;
if(nfs_export_all_ro) {
allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
}
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
create_dir_file(kernel_t, nfsd_rw_t);
r_dir_file(kernel_t, nfsd_ro_t);
allow kernel_t nfsd_t:udp_socket rw_socket_perms;
can_udp_send(kernel_t, nfsd_t)
can_udp_send(nfsd_t, kernel_t)
# does not really need this, but it is easier to just allow it
allow nfsd_t var_run_t:dir search;
allow nfsd_t self:capability { sys_admin sys_resource };
allow nfsd_t fs_type:filesystem getattr;
can_udp_send(nfsd_t, portmap_t)
can_udp_send(portmap_t, nfsd_t)
can_tcp_connect(nfsd_t, portmap_t)
# for exportfs and rpc.mountd
allow nfsd_t tmp_t:dir getattr;
r_dir_file(rpcd_t, rpc_pipefs_t)
allow rpcd_t rpc_pipefs_t:sock_file { read write };
dontaudit rpcd_t selinux_config_t:dir { search };
allow rpcd_t proc_net_t:dir search;
rpc_domain(gssd)
can_kerberos(gssd_t)
ifdef(`kerberos.te', `
allow gssd_t krb5_keytab_t:file r_file_perms;
')
allow gssd_t urandom_device_t:chr_file { getattr read };
r_dir_file(gssd_t, tmp_t)
tmp_domain(gssd)
allow gssd_t self:fifo_file { read write };
r_dir_file(gssd_t, proc_net_t)
allow gssd_t rpc_pipefs_t:dir r_dir_perms;
allow gssd_t rpc_pipefs_t:sock_file { read write };
allow gssd_t rpc_pipefs_t:file r_file_perms;
allow gssd_t self:capability { dac_override dac_read_search setuid };
allow nfsd_t devtty_t:chr_file rw_file_perms;
allow rpcd_t devtty_t:chr_file rw_file_perms;
bool allow_gssd_read_tmp true;
if (allow_gssd_read_tmp) {
#
#needs to be able to udpate the kerberos ticket file
#
ifdef(`targeted_policy', `
r_dir_file(gssd_t, tmp_t)
allow gssd_t tmp_t:file write;
', `
r_dir_file(gssd_t, user_tmpfile)
allow gssd_t user_tmpfile:file write;
')
}
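Review bot: `bool allow_gssd_read_tmp true;` does not gate reading: `r_dir_file(gssd_t, tmp_t)` is already granted unconditionally a few lines above the `if (allow_gssd_read_tmp)` block, so in the targeted branch the boolean only controls `allow gssd_t tmp_t:file write;`. Either drop the unconditional `r_dir_file(gssd_t, tmp_t)` so the boolean does what its name says, or rename it and document that it controls writes. Smaller points: `create_dir_file(kernel_t, nfsd_rw_t);` and `r_dir_file(kernel_t, nfsd_ro_t);` have trailing semicolons unlike the other macro calls; typos "arbitary" and "udpate"; and the comment before `can_network_server(kernel_t)` ("It is less risky and painful to just give it everything") should say what the alternative risks, since as written it reads as a security claim rather than a breakage-avoidance one.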


@ -0,0 +1,16 @@
#DESC rpm - Linux configurable dynamic device naming support
#
# Authors: Daniel Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the rpm domain.
#
# rpm_exec_t is the type of the /bin/rpm and other programs.
# This domain is defined just for targeted policy to labeld /var/lib/rpm
#
type rpm_exec_t, file_type, sysadmfile, exec_type;
type rpm_var_lib_t, file_type, sysadmfile;
typealias var_log_t alias rpm_log_t;
type rpm_tmpfs_t, file_type, sysadmfile;
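Review bot: the `#DESC` line "Linux configurable dynamic device naming support" describes a device-naming facility, not rpm; it appears copied from another module and should read something like "rpm - RPM package manager". Typo "labeld". The header comment says the domain exists only to label /var/lib/rpm in targeted policy, but the file also declares `rpm_exec_t` and `rpm_tmpfs_t` with no rules referencing them; a line noting that these types exist solely for file contexts would avoid a reader searching for the missing rules. `typealias var_log_t alias rpm_log_t;` makes `rpm_log_t` identical to `var_log_t`, which is fine for the targeted build but deserves a comment.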


@ -0,0 +1,65 @@
#DESC RSHD - RSH daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: rsh-server rsh-redone-server
# Depends: inetd.te
#
#################################
#
# Rules for the rshd_t domain.
#
daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
')
# Use sockets inherited from inetd.
allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
# Use capabilities.
allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
# Use the network.
can_network_server(rshd_t)
allow rshd_t rsh_port_t:tcp_socket name_bind;
allow rshd_t etc_t:file { getattr read };
read_locale(rshd_t)
allow rshd_t self:unix_dgram_socket create_socket_perms;
allow rshd_t self:unix_stream_socket create_stream_socket_perms;
allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
can_kerberos(rshd_t)
allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
ifdef(`rlogind.te', `
allow rshd_t rlogind_tmp_t:file rw_file_perms;
')
allow rshd_t urandom_device_t:chr_file { getattr read };
# Read the user's .rhosts file.
allow rshd_t home_type:file r_file_perms ;
# Random reasons
can_getsecurity(rshd_t)
can_setexec(rshd_t)
r_dir_file(rshd_t, selinux_config_t)
r_dir_file(rshd_t, default_context_t)
read_sysctl(rshd_t);
if (use_nfs_home_dirs) {
r_dir_file(rshd_t, nfs_t)
}
if (use_samba_home_dirs) {
r_dir_file(rshd_t, cifs_t)
}
allow rshd_t self:process { fork signal setsched setpgid };
allow rshd_t self:fifo_file rw_file_perms;
ifdef(`targeted_policy', `
unconfined_domain(rshd_t)
domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
')
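Review bot: under `ifdef(`targeted_policy', ...)` the domain becomes `unconfined_domain(rshd_t)` and shells exec into `unconfined_t`, so every rule above it in this file is irrelevant in the targeted build and `daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')` confines rshd only in strict policy. A comment stating that, and why rshd cannot be confined in targeted, would keep the next reviewer from assuming the preceding rules apply. Style: missing spaces in `dac_override}`, `tmp_t}` and `domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)`; stray space before `;` in `allow rshd_t home_type:file r_file_perms ;`; trailing semicolon after `read_sysctl(rshd_t)`.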


@ -0,0 +1,18 @@
#DESC rsync - flexible replacement for rcp
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
# Depends: inetd.te
#################################
#
# Rules for the rsync_t domain.
#
# rsync_exec_t is the type of the rsync executable.
#
inetd_child_domain(rsync)
type rsync_data_t, file_type, sysadmfile;
r_dir_file(rsync_t, rsync_data_t)
anonymous_domain(rsync)
allow rsync_t self:capability sys_chroot;


@ -0,0 +1,225 @@
#DESC SAMBA - SMB file server
#
# Author: Ryan Bergauer (bergauer@rice.edu)
# X-Debian-Packages: samba
#
#################################
#
# Declarations for Samba
#
daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
daemon_domain(nmbd)
type samba_etc_t, file_type, sysadmfile, usercanread;
type samba_log_t, file_type, sysadmfile, logfile;
type samba_var_t, file_type, sysadmfile;
type samba_share_t, file_type, sysadmfile, customizable;
type samba_secrets_t, file_type, sysadmfile;
# for /var/run/samba/messages.tdb
allow smbd_t nmbd_var_run_t:file rw_file_perms;
allow smbd_t self:process setrlimit;
# not sure why it needs this
tmp_domain(smbd)
# Allow samba to search mnt_t for potential mounted dirs
allow smbd_t mnt_t:dir r_dir_perms;
ifdef(`crond.te', `
allow system_crond_t samba_etc_t:file { read getattr lock };
allow system_crond_t samba_log_t:file { read getattr lock };
#allow system_crond_t samba_secrets_t:file { read getattr lock };
')
#################################
#
# Rules for the smbd_t domain.
#
# Permissions normally found in every_domain.
general_domain_access(smbd_t)
general_proc_read_access(smbd_t)
allow smbd_t smbd_port_t:tcp_socket name_bind;
# Use capabilities.
allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
# Use the network.
can_network(smbd_t)
nsswitch_domain(smbd_t)
can_kerberos(smbd_t)
allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
allow smbd_t urandom_device_t:chr_file { getattr read };
# Permissions for Samba files in /etc/samba
# either allow read access to the directory or allow the auto_trans rule to
# allow creation of the secrets.tdb file and the MACHINE.SID file
#allow smbd_t samba_etc_t:dir { search getattr };
file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
allow smbd_t var_lib_t:dir search;
create_dir_file(smbd_t, samba_var_t)
# Needed for shared printers
allow smbd_t var_spool_t:dir search;
# Permissions to write log files.
allow smbd_t samba_log_t:file { create ra_file_perms };
allow smbd_t var_log_t:dir search;
allow smbd_t samba_log_t:dir ra_dir_perms;
dontaudit smbd_t samba_log_t:dir remove_name;
ifdef(`hide_broken_symptoms', `
dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr;
dontaudit smbd_t devpts_t:dir getattr;
')
allow smbd_t fs_t:filesystem quotaget;
allow smbd_t usr_t:file { getattr read };
# Access Samba shares.
create_dir_file(smbd_t, samba_share_t)
anonymous_domain(smbd)
ifdef(`logrotate.te', `
# the application should be changed
can_exec(logrotate_t, samba_log_t)
')
#################################
#
# Rules for the nmbd_t domain.
#
# Permissions normally found in every_domain.
general_domain_access(nmbd_t)
general_proc_read_access(nmbd_t)
allow nmbd_t nmbd_port_t:udp_socket name_bind;
# Use capabilities.
allow nmbd_t self:capability net_bind_service;
# Use the network.
can_network_server(nmbd_t)
# Permissions for Samba files in /etc/samba
allow nmbd_t samba_etc_t:file { getattr read };
allow nmbd_t samba_etc_t:dir { search getattr };
# Permissions for Samba cache files in /var/cache/samba
allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
allow nmbd_t usr_t:file { getattr read };
# Permissions to write log files.
allow nmbd_t samba_log_t:file { create ra_file_perms };
allow nmbd_t var_log_t:dir search;
allow nmbd_t samba_log_t:dir ra_dir_perms;
allow nmbd_t etc_t:file { getattr read };
ifdef(`cups.te', `
allow smbd_t cupsd_rw_etc_t:file { getattr read };
')
# Needed for winbindd
allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
# Support Samba sharing of home directories
bool samba_enable_home_dirs false;
ifdef(`mount.te', `
#
# Domain for running smbmount
#
# Derive from app. domain. Transition from mount.
application_domain(smbmount, `, fs_domain, nscd_client_domain')
domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
# Capabilities
# FIXME: is all of this really necessary?
allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
# Access samba config
allow smbmount_t samba_etc_t:file r_file_perms;
allow smbmount_t samba_etc_t:dir r_dir_perms;
allow initrc_t samba_etc_t:file rw_file_perms;
# Write samba log
allow smbmount_t samba_log_t:file create_file_perms;
allow smbmount_t samba_log_t:dir r_dir_perms;
# Write stuff in var
allow smbmount_t var_log_t:dir r_dir_perms;
rw_dir_create_file(smbmount_t, samba_var_t)
# Access mtab
file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
# Read nsswitch.conf
allow smbmount_t etc_t:file r_file_perms;
# Networking
can_network(smbmount_t)
allow smbmount_t port_type:tcp_socket name_connect;
can_ypbind(smbmount_t)
allow smbmount_t self:unix_dgram_socket create_socket_perms;
allow smbmount_t self:unix_stream_socket create_socket_perms;
allow kernel_t smbmount_t:tcp_socket { read write };
allow userdomain smbmount_t:tcp_socket write;
# Proc
# FIXME: is this necessary?
r_dir_file(smbmount_t, proc_t)
# Fork smbmnt
allow smbmount_t bin_t:dir r_dir_perms;
can_exec(smbmount_t, smbmount_exec_t)
allow smbmount_t self:process { fork signal_perms };
# Mount
allow smbmount_t cifs_t:filesystem mount_fs_perms;
allow smbmount_t cifs_t:dir r_dir_perms;
allow smbmount_t mnt_t:dir r_dir_perms;
allow smbmount_t mnt_t:dir mounton;
# Terminal
read_locale(smbmount_t)
access_terminal(smbmount_t, sysadm)
allow smbmount_t userdomain:fd use;
allow smbmount_t local_login_t:fd use;
')
# Derive from app. domain. Transition from mount.
application_domain(samba_net, `, nscd_client_domain')
role system_r types samba_net_t;
in_user_role(samba_net_t)
file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
read_locale(samba_net_t)
allow samba_net_t samba_etc_t:file r_file_perms;
r_dir_file(samba_net_t, samba_var_t)
can_network_udp(samba_net_t)
access_terminal(samba_net_t, sysadm)
allow samba_net_t self:unix_dgram_socket create_socket_perms;
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
rw_dir_create_file(samba_net_t, samba_var_t)
allow samba_net_t etc_t:file { getattr read };
can_network_client(samba_net_t)
allow samba_net_t smbd_port_t:tcp_socket name_connect;
can_ldap(samba_net_t)
can_kerberos(samba_net_t)
allow samba_net_t urandom_device_t:chr_file r_file_perms;
allow samba_net_t proc_t:dir search;
allow samba_net_t proc_t:lnk_file read;
allow samba_net_t self:dir search;
allow samba_net_t self:file read;
allow samba_net_t self:process signal;
tmp_domain(samba_net)
dontaudit samba_net_t sysadm_home_dir_t:dir search;
allow samba_net_t privfd:fd use;
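Review bot: `allow smbmount_t port_type:tcp_socket name_connect;` in the smbmount block permits outbound connections to every labelled port, whereas the samba_net_t rules later in this same hunk restrict name_connect to smbd_port_t; unless smbmount has a documented need for other ports, narrow it to `allow smbmount_t smbd_port_t:tcp_socket name_connect;`. Two smaller points in the same block: `allow initrc_t samba_etc_t:file rw_file_perms;` is an initrc_t rule nested inside `ifdef(`mount.te', ...)`, so it silently disappears when mount.te is absent and should move out of the smbmount section (or carry a comment explaining why it depends on mount.te), and `bool samba_enable_home_dirs false;` is declared without a matching `if (samba_enable_home_dirs)` block in this hunk, so either the conditional rules belong here or the declaration needs a comment pointing to where they live.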


@ -0,0 +1,41 @@
#DESC saslauthd - Authentication daemon for SASL
#
# Author: Colin Walters <walters@verbum.org>
#
daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
allow saslauthd_t self:fifo_file { read write };
allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
allow saslauthd_t var_lib_t:dir search;
allow saslauthd_t etc_t:dir { getattr search };
allow saslauthd_t etc_t:file r_file_perms;
allow saslauthd_t net_conf_t:file r_file_perms;
allow saslauthd_t self:file r_file_perms;
allow saslauthd_t proc_t:file { getattr read };
allow saslauthd_t urandom_device_t:chr_file { getattr read };
# Needs investigation
dontaudit saslauthd_t home_root_t:dir getattr;
can_network_client_tcp(saslauthd_t)
allow saslauthd_t pop_port_t:tcp_socket name_connect;
bool allow_saslauthd_read_shadow false;
if (allow_saslauthd_read_shadow) {
allow saslauthd_t shadow_t:file r_file_perms;
}
dontaudit saslauthd_t selinux_config_t:dir search;
dontaudit saslauthd_t selinux_config_t:file { getattr read };
dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
ifdef(`mysqld.te', `
allow saslauthd_t mysqld_db_t:dir search;
allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
')
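Review bot: the `allow_saslauthd_read_shadow` boolean (`bool allow_saslauthd_read_shadow false;` guarding `allow saslauthd_t shadow_t:file r_file_perms;`) gives the daemon direct read access to password hashes even though the domain is already declared with `auth_chkpwd` on the first line of the file; add a comment above the bool stating which saslauthd configuration needs the direct read, so administrators know when enabling it is justified and when the checking-helper path suffices. Also `dontaudit saslauthd_t home_root_t:dir getattr;` is tagged "Needs investigation"; recording the operation that triggered the denial in that comment would make the silenced access easier to revisit.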


@ -0,0 +1,17 @@
#DESC sendmail
#
# Authors: Daniel Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the sendmaild domain.
#
# sendmail_exec_t is the type of the /usr/sbin/sendmail and other programs.
# This domain is defined just for targeted policy.
#
type sendmail_exec_t, file_type, sysadmfile, exec_type;
type sendmail_log_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
var_run_domain(sendmail)
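Review bot: `domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)` and `var_run_domain(sendmail)` reference sendmail_t, but nothing in this file declares that type and the header only says the domain "is defined just for targeted policy"; the comment should name the file where sendmail_t is declared so the dependency is visible, and "Rules for the sendmaild domain" should read "sendmail" to match the type names used below it. `type sendmail_log_t, file_type, sysadmfile;` is declared but no rule in this hunk lets sendmail_t create or append to files of that type, so either the log rules belong here or a comment should say where they live.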


@ -0,0 +1,66 @@
#DESC Setfiles - SELinux filesystem labeling utilities
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: policycoreutils
#
#################################
#
# Rules for the setfiles_t domain.
#
# setfiles_exec_t is the type of the setfiles executable.
#
# needs auth_write attribute because it has relabelfrom/relabelto
# access to shadow_t
type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
type setfiles_exec_t, file_type, sysadmfile, exec_type;
role system_r types setfiles_t;
role sysadm_r types setfiles_t;
role secadm_r types setfiles_t;
ifdef(`distro_redhat', `
domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
')
can_access_pty(hostname_t, initrc)
allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
allow setfiles_t self:unix_dgram_socket create_socket_perms;
domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
uses_shlib(setfiles_t)
allow setfiles_t self:capability { dac_override dac_read_search fowner };
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute };
# Get security policy decisions.
can_getsecurity(setfiles_t)
r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
allow setfiles_t file_type:dir r_dir_perms;
allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
allow setfiles_t unlabeled_t:dir read;
allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
dontaudit setfiles_t ttyfile:chr_file relabelfrom;
allow setfiles_t fs_t:filesystem getattr;
allow setfiles_t fs_type:dir r_dir_perms;
read_locale(setfiles_t)
allow setfiles_t etc_runtime_t:file { getattr read };
allow setfiles_t etc_t:file { getattr read };
allow setfiles_t proc_t:file { getattr read };
dontaudit setfiles_t proc_t:lnk_file { getattr read };
# for config files in a home directory
allow setfiles_t home_type:file r_file_perms;
dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
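Review bot: `can_access_pty(hostname_t, initrc)` names hostname_t in a file whose every other rule concerns setfiles_t, which reads like a copy-and-paste slip; if the intent is to let setfiles run on an initrc pty it should be `can_access_pty(setfiles_t, initrc)`, and if it really belongs to hostname_t it should move to that domain's own file. Minor: the closing `dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;` duplicates the earlier `dontaudit setfiles_t ttyfile:chr_file relabelfrom;` if sysadm_tty_device_t carries the ttyfile attribute, in which case one of the two can be dropped.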

Some files were not shown because too many files have changed in this diff.