autofs_t and ypbind cleanup
This commit is contained in:
parent
e88003ffe3
commit
ab940a4cc1
@ -35,6 +35,7 @@ kernel_use_fd(consoletype_t)
|
||||
kernel_dontaudit_read_system_state(consoletype_t)
|
||||
|
||||
fs_getattr_all_fs(consoletype_t)
|
||||
fs_search_auto_mountpoints(consoletype_t)
|
||||
|
||||
term_use_console(consoletype_t)
|
||||
term_use_unallocated_tty(consoletype_t)
|
||||
@ -58,6 +59,10 @@ optional_policy(`authlogin.te', `
|
||||
auth_read_pam_pid(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`userdomain.te',`
|
||||
userdom_use_unpriv_users_fd(consoletype_t)
|
||||
')
|
||||
@ -73,12 +78,6 @@ allow consoletype_t nfs_t:file write;
|
||||
allow consoletype_t crond_t:fifo_file r_file_perms;
|
||||
allow consoletype_t system_crond_t:fd use;
|
||||
|
||||
can_ypbind(consoletype_t)
|
||||
|
||||
optional_policy(`automount.te', `
|
||||
allow consoletype_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
optional_policy(`xdm.te', `
|
||||
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
|
||||
allow consoletype_t xdm_tmp_t:file rw_file_perms;
|
||||
|
@ -22,11 +22,14 @@ dontaudit dmesg_t self:capability sys_tty_config;
|
||||
allow dmesg_t self:process signal_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(dmesg_t)
|
||||
dev_read_sysfs(dmesg_t)
|
||||
kernel_read_ring_buffer(dmesg_t)
|
||||
kernel_clear_ring_buffer(dmesg_t)
|
||||
kernel_change_ring_buffer_level(dmesg_t)
|
||||
|
||||
dev_read_sysfs(dmesg_t)
|
||||
|
||||
fs_search_auto_mountpoints(dmesg_t)
|
||||
|
||||
term_dontaudit_use_console(dmesg_t)
|
||||
|
||||
domain_use_wide_inherit_fd(dmesg_t)
|
||||
@ -67,11 +70,7 @@ ifdef(`TODO',`
|
||||
allow dmesg_t proc_t:dir r_dir_perms;
|
||||
allow dmesg_t proc_t:lnk_file read;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow dmesg_t rhgb_t:process sigchld;
|
||||
allow dmesg_t rhgb_t:fd use;
|
||||
allow dmesg_t rhgb_t:fifo_file rw_file_perms;
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(dmesg_t)
|
||||
')
|
||||
|
||||
allow dmesg_t autofs_t:dir { search getattr };
|
||||
') dnl endif TODO
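Review bot: `rhgb_domain(dmesg_t)` replaces the three rhgb allow rules but is still inside the TODO ifdef block that `') dnl endif TODO` closes, so the consolidated call is not built until that block is dismantled. If rhgb_domain is an available interface (it appears as context for ypserv_t in this commit's nis.te hunk), the optional_policy block for rhgb.te could be moved above the TODO opener the same way the nis.te blocks in this commit are. The same applies to `rhgb_domain(crond_t)` in the cron.te hunk at old line 135, which also sits under a TODO ifdef per that hunk's header context. The TODO opener for this block starts before the hunk.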
|
||||
|
@ -1,8 +1,12 @@
|
||||
## <summary>Network analysis utilities</summary>
|
||||
|
||||
#######################################
|
||||
#
|
||||
# netutils_domtrans(domain)
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute network utilities in the netutils domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_domtrans',`
|
||||
gen_require(`
|
||||
@ -20,9 +24,39 @@ interface(`netutils_domtrans',`
|
||||
allow netutils_t $1:process sigchld;
|
||||
')
|
||||
|
||||
#######################################
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute network utilities in the netutils domain, and
|
||||
## allow the specified role the netutils domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the netutils domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the netutils domain to use.
|
||||
## </param>
|
||||
#
|
||||
# netutils_exec(domain)
|
||||
interface(`netutils_run',`
|
||||
gen_require(`
|
||||
type netutils_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
netutils_domtrans($1)
|
||||
role $2 types netutils_t;
|
||||
allow netutils_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute network utilities in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_exec',`
|
||||
gen_require(`
|
||||
@ -31,3 +65,135 @@ interface(`netutils_exec',`
|
||||
|
||||
can_exec($1,netutils_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute ping in the ping domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_domtrans_ping',`
|
||||
gen_require(`
|
||||
type ping_t, ping_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,ping_exec_t,ping_t)
|
||||
|
||||
allow $1 ping_t:fd use;
|
||||
allow ping_t $1:fd use;
|
||||
allow ping_t $1:fifo_file rw_file_perms;
|
||||
allow ping_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute ping in the ping domain, and
|
||||
## allow the specified role the ping domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the ping domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the ping domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_run_ping',`
|
||||
gen_require(`
|
||||
type ping_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
netutils_domtrans_ping($1)
|
||||
role $2 types ping_t;
|
||||
allow ping_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute ping in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_exec_ping',`
|
||||
gen_require(`
|
||||
type ping_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,ping_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute traceroute in the traceroute domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_domtrans_traceroute',`
|
||||
gen_require(`
|
||||
type traceroute_t, traceroute_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,traceroute_exec_t,traceroute_t)
|
||||
|
||||
allow $1 traceroute_t:fd use;
|
||||
allow traceroute_t $1:fd use;
|
||||
allow traceroute_t $1:fifo_file rw_file_perms;
|
||||
allow traceroute_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute traceroute in the traceroute domain, and
|
||||
## allow the specified role the traceroute domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the traceroute domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the traceroute domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_run_traceroute',`
|
||||
gen_require(`
|
||||
type traceroute_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
netutils_domtrans_traceroute($1)
|
||||
role $2 types traceroute_t;
|
||||
allow traceroute_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute traceroute in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_exec_traceroute',`
|
||||
gen_require(`
|
||||
type traceroute_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,traceroute_exec_t)
|
||||
')
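Review bot: The terminal parameter description added for netutils_run reads `## The type of the terminal allow the netutils domain to use.`, which is missing a word; `## The type of the terminal to allow the netutils domain to use.` reads correctly. The same sentence recurs in the doc blocks of netutils_run_ping and netutils_run_traceroute in the later hunk of this file. Separately, netutils_domtrans_ping and netutils_domtrans_traceroute grant `allow $1 ping_t:fd use;` (and the traceroute equivalent) in addition to the child domain's use of the caller's descriptors; if the caller never needs descriptors inherited back from the child, that reverse rule can be dropped for least privilege. I cannot see the body of netutils_domtrans here to confirm whether it follows the same pattern.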
|
||||
|
@ -54,15 +54,15 @@ corenet_udp_bind_all_nodes(netutils_t)
|
||||
|
||||
fs_getattr_xattr_fs(netutils_t)
|
||||
|
||||
init_use_fd(netutils_t)
|
||||
init_use_script_pty(netutils_t)
|
||||
|
||||
domain_use_wide_inherit_fd(netutils_t)
|
||||
|
||||
files_read_generic_etc_files(netutils_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_var(netutils_t)
|
||||
|
||||
init_use_fd(netutils_t)
|
||||
init_use_script_pty(netutils_t)
|
||||
|
||||
libs_use_ld_so(netutils_t)
|
||||
libs_use_shared_libs(netutils_t)
|
||||
|
||||
@ -70,18 +70,14 @@ logging_send_syslog_msg(netutils_t)
|
||||
|
||||
miscfiles_read_localization(netutils_t)
|
||||
|
||||
userdom_use_all_user_fd(netutils_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(netutils_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types netutils_t;
|
||||
|
||||
can_ypbind(netutils_t)
|
||||
|
||||
domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
|
||||
|
||||
# Inherit and use descriptors from init.
|
||||
allow netutils_t userdomain:fd use;
|
||||
|
||||
# Access terminals.
|
||||
allow netutils_t admin_tty_type:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
|
||||
allow netutils_t proc_t:dir search;
|
||||
|
||||
@ -129,14 +125,11 @@ tunable_policy(`user_ping',`
|
||||
term_use_all_user_ptys(ping_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(ping_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
can_ypbind(ping_t)
|
||||
|
||||
domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
|
||||
role sysadm_r types ping_t;
|
||||
allow ping_t admin_tty_type:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
|
||||
|
||||
in_user_role(ping_t)
|
||||
tunable_policy(`user_ping',`
|
||||
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
|
||||
@ -193,23 +186,16 @@ tunable_policy(`user_ping',`
|
||||
term_use_all_user_ptys(traceroute_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(traceroute_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types traceroute_t;
|
||||
|
||||
can_ypbind(traceroute_t)
|
||||
|
||||
# Transition into this domain when you run this program.
|
||||
domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
|
||||
|
||||
# Access the terminal.
|
||||
allow traceroute_t admin_tty_type:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
|
||||
|
||||
in_user_role(traceroute_t)
|
||||
tunable_policy(`user_ping',`
|
||||
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
|
||||
')
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
|
||||
#rules needed for nmap
|
||||
dontaudit traceroute_t userdomain:dir search;
|
||||
') dnl end TODO
|
||||
|
@ -117,9 +117,10 @@ dev_read_urand(rpm_t)
|
||||
#devices_manage_all_device_types(rpm_t)
|
||||
|
||||
#fs_manage_nfs_dir(rpm_t)
|
||||
#fs_manage_nfs_files(rpm_t)
|
||||
fs_manage_nfs_files(rpm_t)
|
||||
fs_manage_nfs_symlinks(rpm_t)
|
||||
fs_getattr_all_fs(rpm_t)
|
||||
fs_search_auto_mountpoints(rpm_t)
|
||||
|
||||
storage_raw_write_fixed_disk(rpm_t)
|
||||
# for installing kernel packages
|
||||
@ -159,6 +160,10 @@ userdom_use_unpriv_users_fd(rpm_t)
|
||||
|
||||
#cron_transition_from(rpm,rpm_exec_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(rpm_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
|
||||
@ -183,16 +188,10 @@ allow rpm_t usbdevfs_t:dir r_dir_perms;
|
||||
|
||||
allow rpm_t rpc_pipefs_t:dir search;
|
||||
|
||||
can_ypbind(rpm_t)
|
||||
|
||||
optional_policy(`gnome-pty-helper.te', `
|
||||
allow rpm_t sysadm_gph_t:fd use;
|
||||
')
|
||||
|
||||
optional_policy(`automount.te', `
|
||||
allow rpm_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
optional_policy(`mount.te', `
|
||||
allow rpm_t mount_t:udp_socket rw_socket_perms;
|
||||
')
|
||||
@ -265,6 +264,7 @@ fs_getattr_nfs(rpm_script_t)
|
||||
fs_getattr_xattr_fs(rpm_script_t)
|
||||
fs_mount_xattr_fs(rpm_script_t)
|
||||
fs_unmount_xattr_fs(rpm_script_t)
|
||||
fs_search_auto_mountpoints(rpm_script_t)
|
||||
|
||||
storage_raw_read_fixed_disk(rpm_script_t)
|
||||
storage_raw_write_fixed_disk(rpm_script_t)
|
||||
@ -309,7 +309,11 @@ seutil_domtrans_restorecon(rpm_script_t)
|
||||
userdom_use_all_user_fd(rpm_script_t)
|
||||
|
||||
optional_policy(`bootloader.te', `
|
||||
bootloader_domtrans(rpm_script_t)
|
||||
bootloader_domtrans(rpm_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(rpm_script_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -318,22 +322,8 @@ allow rpm_script_t sysfs_t:dir r_dir_perms;
|
||||
|
||||
can_exec(rpm_script_t,usr_t)
|
||||
|
||||
|
||||
allow rpm_script_t autofs_t:dir { search getattr };
|
||||
|
||||
can_ypbind(rpm_script_t)
|
||||
|
||||
optional_policy(`automount.te', `
|
||||
allow rpm_script_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
can_exec(rpm_script_t,printconf_t)
|
||||
|
||||
')
|
||||
|
||||
optional_policy(`ssh.te', `
|
||||
allow sshd_t rpm_script_t:fd use;
|
||||
')
|
||||
|
||||
') dnl end TODO
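Review bot: Going by this hunk's line counts (22 old lines, 8 new, with no +/- markers preserved on this page), the optional_policy block for lpd.te with `can_exec(rpm_script_t,printconf_t)` appears to be removed along with the autofs and ypbind lines, which is outside what the commit title "autofs_t and ypbind cleanup" describes. If dropping rpm_script_t's execution of printconf_t is intended it deserves a mention in the commit message; if not, that block should stay. The TODO ifdef this block belongs to opens before the hunk, so the removed rules were not being built either way, but the source should still reflect the intent.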
|
||||
|
@ -88,18 +88,20 @@ term_use_all_user_ttys(chfn_t)
|
||||
term_use_all_user_ptys(chfn_t)
|
||||
|
||||
fs_getattr_xattr_fs(chfn_t)
|
||||
fs_search_auto_mountpoints(chfn_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(chfn_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(chfn_t)
|
||||
|
||||
domain_use_wide_inherit_fd(chfn_t)
|
||||
|
||||
files_manage_generic_etc_files(chfn_t)
|
||||
files_read_etc_runtime_files(chfn_t)
|
||||
files_dontaudit_search_var(chfn_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(chfn_t)
|
||||
|
||||
libs_use_ld_so(chfn_t)
|
||||
libs_use_shared_libs(chfn_t)
|
||||
@ -111,20 +113,18 @@ logging_send_syslog_msg(chfn_t)
|
||||
auth_domtrans_chk_passwd(chfn_t)
|
||||
auth_dontaudit_read_shadow(chfn_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(chfn_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(chfn_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types chfn_t;
|
||||
in_user_role(chfn_t)
|
||||
|
||||
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
|
||||
|
||||
dontaudit chfn_t var_t:dir search;
|
||||
|
||||
allow chfn_t unpriv_userdomain:fd use;
|
||||
can_ypbind(chfn_t)
|
||||
ifdef(`automount.te', `
|
||||
allow chfn_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
|
||||
|
||||
# allow checking if a shell is executable
|
||||
@ -181,7 +181,6 @@ ifdef(`TODO',`
|
||||
ifdef(`crond.te', `
|
||||
domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
|
||||
allow crack_t crond_t:fifo_file rw_file_perms;
|
||||
# a rule for privfd may make this obsolete
|
||||
allow crack_t crond_t:fd use;
|
||||
allow crack_t crond_t:process sigchld;
|
||||
')
|
||||
@ -209,6 +208,9 @@ allow groupadd_t self:sem create_sem_perms;
|
||||
allow groupadd_t self:msgq create_msgq_perms;
|
||||
allow groupadd_t self:msg { send receive };
|
||||
|
||||
fs_getattr_xattr_fs(groupadd_t)
|
||||
fs_search_auto_mountpoints(groupadd_t)
|
||||
|
||||
# Allow access to context for shadow file
|
||||
selinux_get_fs_mount(groupadd_t)
|
||||
selinux_validate_context(groupadd_t)
|
||||
@ -217,13 +219,12 @@ selinux_compute_create_context(groupadd_t)
|
||||
selinux_compute_relabel_context(groupadd_t)
|
||||
selinux_compute_user_contexts(groupadd_t)
|
||||
|
||||
fs_getattr_xattr_fs(groupadd_t)
|
||||
|
||||
term_use_all_user_ttys(groupadd_t)
|
||||
term_use_all_user_ptys(groupadd_t)
|
||||
|
||||
init_use_fd(groupadd_t)
|
||||
init_read_script_pid(groupadd_t)
|
||||
init_dontaudit_write_script_pid(groupadd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(groupadd_t)
|
||||
|
||||
@ -245,16 +246,14 @@ auth_rw_lastlog(groupadd_t)
|
||||
|
||||
seutil_read_config(groupadd_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types groupadd_t;
|
||||
domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)
|
||||
userdom_use_unpriv_users_fd(groupadd_t)
|
||||
|
||||
allow groupadd_t unpriv_userdomain:fd use;
|
||||
can_ypbind(groupadd_t)
|
||||
ifdef(`automount.te', `
|
||||
allow groupadd_t autofs_t:dir { search getattr };
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(groupadd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
@ -263,7 +262,6 @@ ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
|
||||
|
||||
# for when /root is the cwd
|
||||
dontaudit groupadd_t sysadm_home_dir_t:dir search;
|
||||
dontaudit groupadd_t initrc_var_run_t:file write;
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -285,6 +283,15 @@ allow passwd_t self:sem create_sem_perms;
|
||||
allow passwd_t self:msgq create_msgq_perms;
|
||||
allow passwd_t self:msg { send receive };
|
||||
|
||||
allow passwd_t crack_db_t:dir r_dir_perms;
|
||||
allow passwd_t crack_db_t:file r_file_perms;
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(passwd_t)
|
||||
|
||||
fs_getattr_xattr_fs(passwd_t)
|
||||
fs_search_auto_mountpoints(passwd_t)
|
||||
|
||||
selinux_get_fs_mount(passwd_t)
|
||||
selinux_validate_context(passwd_t)
|
||||
selinux_compute_access_vector(passwd_t)
|
||||
@ -292,11 +299,6 @@ selinux_compute_create_context(passwd_t)
|
||||
selinux_compute_relabel_context(passwd_t)
|
||||
selinux_compute_user_contexts(passwd_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(passwd_t)
|
||||
|
||||
fs_getattr_xattr_fs(passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(passwd_t)
|
||||
@ -305,6 +307,7 @@ domain_use_wide_inherit_fd(passwd_t)
|
||||
|
||||
files_read_etc_runtime_files(passwd_t)
|
||||
files_manage_generic_etc_files(passwd_t)
|
||||
files_search_var(passwd_t)
|
||||
|
||||
libs_use_ld_so(passwd_t)
|
||||
libs_use_shared_libs(passwd_t)
|
||||
@ -315,6 +318,12 @@ miscfiles_read_localization(passwd_t)
|
||||
|
||||
auth_manage_shadow(passwd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(passwd_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(passwd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`firstboot.te',`
|
||||
@ -324,12 +333,6 @@ domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
allow passwd_t unpriv_userdomain:fd use;
|
||||
can_ypbind(passwd_t)
|
||||
ifdef(`automount.te', `
|
||||
allow passwd_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
# Inherit and use descriptors from login.
|
||||
ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
|
||||
|
||||
@ -347,14 +350,7 @@ allow passwd_t userdomain:process getattr;
|
||||
|
||||
dontaudit passwd_t selinux_config_t:dir search;
|
||||
|
||||
ifdef(`crack.te', `
|
||||
allow passwd_t var_t:dir search;
|
||||
dontaudit passwd_t var_run_t:dir search;
|
||||
allow passwd_t crack_db_t:dir r_dir_perms;
|
||||
allow passwd_t crack_db_t:file r_file_perms;
|
||||
', `
|
||||
dontaudit passwd_t var_t:dir search;
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -395,23 +391,26 @@ kernel_read_system_state(sysadm_passwd_t)
|
||||
dev_read_urand(sysadm_passwd_t)
|
||||
|
||||
fs_getattr_xattr_fs(sysadm_passwd_t)
|
||||
fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||
|
||||
term_use_all_user_ttys(sysadm_passwd_t)
|
||||
term_use_all_user_ptys(sysadm_passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(sysadm_passwd_t)
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
|
||||
# allow vipw to exec the editor
|
||||
corecmd_exec_bin(sysadm_passwd_t)
|
||||
corecmd_exec_shell(sysadm_passwd_t)
|
||||
files_read_usr_files(sysadm_passwd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(sysadm_passwd_t)
|
||||
|
||||
files_manage_generic_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
|
||||
# allow vipw to exec the editor
|
||||
corecmd_exec_bin(sysadm_passwd_t)
|
||||
corecmd_exec_shell(sysadm_passwd_t)
|
||||
files_read_usr_files(sysadm_passwd_t)
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(sysadm_passwd_t)
|
||||
|
||||
libs_use_ld_so(sysadm_passwd_t)
|
||||
libs_use_shared_libs(sysadm_passwd_t)
|
||||
@ -420,18 +419,16 @@ miscfiles_read_localization(sysadm_passwd_t)
|
||||
|
||||
logging_send_syslog_msg(sysadm_passwd_t)
|
||||
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
userdom_use_unpriv_users_fd(sysadm_passwd_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(sysadm_passwd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types sysadm_passwd_t;
|
||||
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
|
||||
|
||||
allow sysadm_passwd_t unpriv_userdomain:fd use;
|
||||
can_ypbind(sysadm_passwd_t)
|
||||
ifdef(`automount.te', `
|
||||
allow sysadm_passwd_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
# Inherit and use descriptors from login.
|
||||
ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
|
||||
|
||||
@ -483,46 +480,46 @@ selinux_compute_user_contexts(useradd_t)
|
||||
# for getting the number of groups
|
||||
kernel_read_kernel_sysctl(useradd_t)
|
||||
|
||||
fs_search_auto_mountpoints(useradd_t)
|
||||
fs_getattr_xattr_fs(useradd_t)
|
||||
|
||||
term_use_all_user_ttys(useradd_t)
|
||||
term_use_all_user_ptys(useradd_t)
|
||||
|
||||
init_use_fd(useradd_t)
|
||||
init_rw_script_pid(useradd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(useradd_t)
|
||||
|
||||
files_manage_generic_etc_files(useradd_t)
|
||||
|
||||
libs_use_ld_so(useradd_t)
|
||||
libs_use_shared_libs(useradd_t)
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
|
||||
corecmd_exec_shell(useradd_t)
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
corecmd_exec_bin(useradd_t)
|
||||
corecmd_exec_sbin(useradd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(useradd_t)
|
||||
|
||||
files_manage_generic_etc_files(useradd_t)
|
||||
|
||||
init_use_fd(useradd_t)
|
||||
init_rw_script_pid(useradd_t)
|
||||
|
||||
libs_use_ld_so(useradd_t)
|
||||
libs_use_shared_libs(useradd_t)
|
||||
|
||||
logging_send_syslog_msg(useradd_t)
|
||||
|
||||
miscfiles_read_localization(useradd_t)
|
||||
|
||||
seutil_read_config(useradd_t)
|
||||
|
||||
logging_send_syslog_msg(useradd_t)
|
||||
userdom_use_unpriv_users_fd(useradd_t)
|
||||
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
mta_manage_spool(useradd_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(useradd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
role sysadm_r types useradd_t;
|
||||
domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t)
|
||||
|
||||
allow useradd_t unpriv_userdomain:fd use;
|
||||
can_ypbind(useradd_t)
|
||||
ifdef(`automount.te', `
|
||||
allow useradd_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
@ -536,10 +533,7 @@ dontaudit useradd_t sysadm_home_dir_t:dir search;
|
||||
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
|
||||
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
|
||||
|
||||
# create/delete mail spool file in /var/mail
|
||||
allow useradd_t var_spool_t:dir search;
|
||||
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
|
||||
allow useradd_t mail_spool_t:file create_file_perms;
|
||||
# /var/mail is a link to /var/spool/mail
|
||||
allow useradd_t mail_spool_t:lnk_file read;
|
||||
|
||||
') dnl end TODO
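Review bot: In the groupadd hunk at old line 245, the rendered order (removed lines printed before added ones) indicates the TODO ifdef opener was deleted from in front of `role sysadm_r types groupadd_t;` and re-added after `nis_use_ypbind(groupadd_t)`, which leaves `role sysadm_r types groupadd_t;` and `domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)` outside the TODO block on the new side. In the chfn, passwd, sysadm_passwd and useradd hunks of this file the equivalent role and transition lines remain inside TODO, so this looks unintended; the opener should go back above `role sysadm_r types groupadd_t;`, with `userdom_use_unpriv_users_fd(groupadd_t)` and the nis block placed before it as in the sibling domains. Separately, `mta_manage_spool(useradd_t)` replaces the four mail-spool allow rules removed at old line 536; confirm it also covers `var_spool_t:dir search` and `mail_spool_t:lnk_file read`, which those rules granted.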
|
||||
|
@ -129,9 +129,11 @@ template(`gpg_per_userdomain_template',`
|
||||
fs_manage_cifs_symlinks($1_gpg_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_gpg_t)
|
||||
')
|
||||
|
||||
can_ypbind($1_gpg_t)
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow $1_t $1_gpg_secret_t:file getattr;
|
||||
|
||||
|
@ -266,6 +266,24 @@ interface(`fs_getattr_autofs',`
|
||||
allow $1 autofs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search automount filesystem to use automatically
|
||||
## mounted filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_search_auto_mountpoints',`
|
||||
gen_require(`
|
||||
type autofs_t;
|
||||
class dir { getattr search };
|
||||
')
|
||||
|
||||
allow $1 autofs_t:dir { getattr search };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Register an interpreter for new binary
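Review bot: The doc block for fs_search_auto_mountpoints uses `## <summary>` / `## </summary>` while the interface that follows in this hunk (and every interface added to netutils.if in this commit) uses `## <desc>` / `## </desc>`; the new block should use whichever tag the policy documentation tooling currently expects so it is not dropped from the generated docs. The summary also only mentions searching, while the rule grants `allow $1 autofs_t:dir { getattr search };`; `## Search automount filesystem to use automatically mounted filesystems (getattr and search on autofs_t directories).` would state the full access.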
|
||||
|
@ -116,6 +116,10 @@ template(`cron_per_userdomain_template',`
|
||||
allow crond_t $1_cron_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_crond_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Access user files and dirs.
|
||||
allow $1_crond_t home_root_t:dir search;
|
||||
@ -135,8 +139,6 @@ template(`cron_per_userdomain_template',`
|
||||
allow mta_user_agent $1_crond_t:fd use;
|
||||
')
|
||||
|
||||
# This domain is granted permissions common to most domains.
|
||||
can_ypbind($1_crond_t)
|
||||
allow $1_crond_t var_spool_t:dir search;
|
||||
allow $1_crond_t var_t:dir r_dir_perms;
|
||||
allow $1_crond_t var_t:file r_file_perms;
|
||||
|
@ -87,6 +87,7 @@ selinux_compute_user_contexts(crond_t)
|
||||
dev_read_urand(crond_t)
|
||||
|
||||
fs_getattr_all_fs(crond_t)
|
||||
fs_search_auto_mountpoints(crond_t)
|
||||
|
||||
term_dontaudit_use_console(crond_t)
|
||||
|
||||
@ -127,6 +128,10 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(crond_t)
|
||||
')
|
||||
@ -135,18 +140,10 @@ ifdef(`TODO',`
|
||||
# NB The constraints file has some entries for crond_t, this makes it
|
||||
# different from all other domains...
|
||||
|
||||
allow crond_t autofs_t:dir { search getattr };
|
||||
dontaudit crond_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow crond_t rhgb_t:process sigchld;
|
||||
allow crond_t rhgb_t:fd use;
|
||||
allow crond_t rhgb_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
can_ypbind(crond_t)
|
||||
ifdef(`automount.te', `
|
||||
allow crond_t autofs_t:dir { search getattr };
|
||||
rhgb_domain(crond_t)
|
||||
')
|
||||
|
||||
# Read from /var/spool/cron.
|
||||
@ -301,10 +298,11 @@ tunable_policy(`cron_can_relabel',`
|
||||
seutil_read_file_contexts(system_crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(system_crond_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
can_ypbind(system_crond_t)
|
||||
|
||||
dontaudit userdomain system_crond_t:fd use;
|
||||
|
||||
# quiet other ps operations
|
||||
|
@ -70,14 +70,15 @@ template(`mta_per_userdomain_template',`
|
||||
corenet_udp_sendrecv_dns_port($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_execute($1_mail_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
can_ypbind($1_mail_t)
|
||||
|
||||
allow $1_mail_t device_t:dir search;
|
||||
allow $1_mail_t { var_t var_spool_t }:dir search;
|
||||
allow $1_mail_t sbin_t:dir search;
|
||||
|
@ -90,8 +90,12 @@ tunable_policy(`use_dns',`
|
||||
corenet_udp_sendrecv_dns_port(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_execute(system_mail_t)
|
||||
procmail_exec(system_mail_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -117,9 +121,6 @@ dontaudit system_mail_t system_crond_tmp_t:file append;
|
||||
')
|
||||
') dnl end if sendmail
|
||||
|
||||
|
||||
can_ypbind(system_mail_t)
|
||||
|
||||
allow system_mail_t device_t:dir search;
|
||||
allow system_mail_t { var_t var_spool_t }:dir search;
|
||||
allow system_mail_t sbin_t:dir search;
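Review bot: The procmail block for system_mail_t changes `procmail_execute(system_mail_t)` to `procmail_exec(system_mail_t)` (the first hunk's 8 to 12 line count leaves room for exactly that one replacement besides the nis block), while the per-user template in this commit's mta.if hunk still calls `procmail_execute($1_mail_t)`. Only one of those names can be what procmail.if defines; an undefined interface name is passed through by m4 and then fails policy compilation, so both call sites need to agree. The rename is also unrelated to the autofs and ypbind cleanup the commit describes and is worth a line in the message.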
|
||||
|
@ -77,6 +77,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
|
||||
dev_read_sysfs(ypbind_t)
|
||||
|
||||
fs_getattr_all_fs(ypbind_t)
|
||||
fs_search_auto_mountpoints(ypbind_t)
|
||||
|
||||
term_dontaudit_use_console(ypbind_t)
|
||||
|
||||
@ -121,7 +122,6 @@ ifdef(`TODO',`
|
||||
allow ypbind_t proc_t:dir r_dir_perms;
|
||||
allow ypbind_t proc_t:lnk_file read;
|
||||
|
||||
allow ypbind_t autofs_t:dir { search getattr };
|
||||
dontaudit ypbind_t sysadm_home_dir_t:dir search;
|
||||
|
||||
can_udp_send(ypbind_t, portmap_t)
|
||||
@ -172,6 +172,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
|
||||
dev_read_sysfs(ypserv_t)
|
||||
|
||||
fs_getattr_all_fs(ypserv_t)
|
||||
fs_search_auto_mountpoints(ypserv_t)
|
||||
|
||||
term_dontaudit_use_console(ypserv_t)
|
||||
|
||||
@ -214,7 +215,6 @@ rhgb_domain(ypserv_t)
|
||||
allow ypserv_t proc_t:dir r_dir_perms;
|
||||
allow ypserv_t proc_t:lnk_file read;
|
||||
|
||||
allow ypserv_t autofs_t:dir { search getattr };
|
||||
dontaudit ypserv_t sysadm_home_dir_t:dir search;
|
||||
|
||||
# Send to portmap and initrc.
|
||||
|
@ -54,8 +54,14 @@ selinux_compute_user_contexts(remote_login_t)
|
||||
dev_read_urand(remote_login_t)
|
||||
|
||||
fs_getattr_xattr_fs(remote_login_t)
|
||||
fs_search_auto_mountpoints(remote_login_t)
|
||||
|
||||
init_rw_script_pid(remote_login_t)
|
||||
auth_domtrans_chk_passwd(remote_login_t)
|
||||
auth_dontaudit_read_shadow(remote_login_t)
|
||||
auth_rw_login_records(remote_login_t)
|
||||
auth_rw_lastlog(remote_login_t)
|
||||
auth_exec_pam(remote_login_t)
|
||||
auth_manage_pam_console_data(remote_login_t)
|
||||
|
||||
domain_read_all_entry_files(remote_login_t)
|
||||
|
||||
@ -64,6 +70,8 @@ files_read_etc_runtime_files(remote_login_t)
|
||||
files_list_home(remote_login_t)
|
||||
files_read_usr_files(remote_login_t)
|
||||
|
||||
init_rw_script_pid(remote_login_t)
|
||||
|
||||
libs_use_ld_so(remote_login_t)
|
||||
libs_use_shared_libs(remote_login_t)
|
||||
|
||||
@ -72,15 +80,10 @@ logging_send_syslog_msg(remote_login_t)
|
||||
seutil_read_config(remote_login_t)
|
||||
seutil_read_default_contexts(remote_login_t)
|
||||
|
||||
auth_domtrans_chk_passwd(remote_login_t)
|
||||
auth_dontaudit_read_shadow(remote_login_t)
|
||||
auth_rw_login_records(remote_login_t)
|
||||
auth_rw_lastlog(remote_login_t)
|
||||
auth_exec_pam(remote_login_t)
|
||||
auth_manage_pam_console_data(remote_login_t)
|
||||
|
||||
miscfiles_read_localization(remote_login_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(remote_login_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(remote_login_t)
|
||||
fs_read_nfs_symlinks(remote_login_t)
|
||||
@ -91,13 +94,12 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
fs_read_cifs_symlinks(remote_login_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow remote_login_t unpriv_userdomain:fd use;
|
||||
can_ypbind(remote_login_t)
|
||||
ifdef(`automount.te', `
|
||||
allow remote_login_t autofs_t:dir { search getattr };
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(remote_login_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow remote_login_t bin_t:dir r_dir_perms;
|
||||
allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow remote_login_t sbin_t:dir r_dir_perms;
|
||||
@ -123,7 +125,6 @@ allow remote_login_t device_t:lnk_file r_file_perms;
|
||||
|
||||
dontaudit remote_login_t sysfs_t:dir search;
|
||||
|
||||
allow remote_login_t autofs_t:dir r_dir_perms;
|
||||
allow remote_login_t mnt_t:dir r_dir_perms;
|
||||
|
||||
# FIXME: what is this for?
|
||||
|
@ -57,43 +57,48 @@ corenet_tcp_bind_smtp_port(sendmail_t)
|
||||
dev_read_urand(sendmail_t)
|
||||
|
||||
fs_getattr_all_fs(sendmail_t)
|
||||
fs_search_auto_mountpoints(sendmail_t)
|
||||
|
||||
term_dontaudit_use_console(sendmail_t)
|
||||
|
||||
domain_use_wide_inherit_fd(sendmail_t)
|
||||
|
||||
files_read_generic_etc_files(sendmail_t)
|
||||
files_search_spool(sendmail_t)
|
||||
|
||||
init_use_fd(sendmail_t)
|
||||
init_use_script_pty(sendmail_t)
|
||||
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
|
||||
init_read_script_pid(sendmail_t)
|
||||
init_dontaudit_write_script_pid(sendmail_t)
|
||||
|
||||
domain_use_wide_inherit_fd(sendmail_t)
|
||||
|
||||
files_read_generic_etc_files(sendmail_t)
|
||||
files_search_spool(sendmail_t)
|
||||
|
||||
logging_send_syslog_msg(sendmail_t)
|
||||
|
||||
libs_use_ld_so(sendmail_t)
|
||||
libs_use_shared_libs(sendmail_t)
|
||||
# Read /usr/lib/sasl2/.*
|
||||
libs_read_lib(sendmail_t)
|
||||
|
||||
logging_send_syslog_msg(sendmail_t)
|
||||
|
||||
miscfiles_read_localization(sendmail_t)
|
||||
|
||||
sysnet_read_config(sendmail_t)
|
||||
|
||||
# Write to /etc/aliases and /etc/mail.
|
||||
mta_rw_aliases(sendmail_t)
|
||||
# Write to /var/spool/mail and /var/spool/mqueue.
|
||||
mta_manage_queue(sendmail_t)
|
||||
mta_manage_spool(sendmail_t)
|
||||
|
||||
sysnet_read_config(sendmail_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(sendmail_t)
|
||||
term_dontaudit_use_generic_pty(sendmail_t)
|
||||
files_dontaudit_read_root_file(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
seutil_newrole_sigchld(sendmail_t)
|
||||
')
|
||||
@ -105,18 +110,13 @@ optional_policy(`udev.te', `
|
||||
ifdef(`TODO',`
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow sendmail_t rhgb_t:process sigchld;
|
||||
allow sendmail_t rhgb_t:fd use;
|
||||
allow sendmail_t rhgb_t:fifo_file { read write };
|
||||
rhgb_domain(sendmail_t)
|
||||
')
|
||||
allow sendmail_t proc_t:dir r_dir_perms;
|
||||
allow sendmail_t proc_t:lnk_file read;
|
||||
dontaudit sendmail_t unpriv_userdomain:fd use;
|
||||
allow sendmail_t autofs_t:dir { search getattr };
|
||||
dontaudit sendmail_t sysadm_home_dir_t:dir search;
|
||||
|
||||
can_ypbind(sendmail_t)
|
||||
|
||||
#
|
||||
# Need this transition to create /etc/aliases.db
|
||||
#
|
||||
@ -144,7 +144,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear
|
||||
# Run procmail in its own domain, if defined.
|
||||
ifdef(`procmail.te',`
|
||||
corecmd_search_bin(sendmail_t)
|
||||
procmail_transition(sendmail_t)
|
||||
procmail_domtrans(sendmail_t)
|
||||
domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
|
||||
')
|
||||
|
||||
|
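Review bot: `rhgb_domain(sendmail_t)` in hunk -105 lands inside the `ifdef(`TODO',` region opened at the top of that hunk, so it is inert until the region goes, and the same placement recurs for pam_console_t, hwclock_t, hostname_t, hotplug_t, iptables_t, auditd_t, syslogd_t, mount_t, dhcpc_t and ifconfig_t. If that is deliberate parking until rhgb is converted, a comment such as `# rhgb_domain() stays under TODO until the rhgb module is converted` at this first occurrence would save the next reader from checking each file. Separately, the procmail block in hunk -144 keeps `ifdef(`procmail.te',` and a raw `domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)` beside the converted `procmail_domtrans(sendmail_t)`, while the nis block in this same file became `optional_policy(`nis.te',`; whether that ifdef symbol is ever defined cannot be told from the hunk.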
@ -98,6 +98,7 @@ template(`ssh_per_userdomain_template',`
|
||||
dev_read_urand($1_ssh_t)
|
||||
|
||||
fs_getattr_all_fs($1_ssh_t)
|
||||
fs_search_auto_mountpoints($1_ssh_t)
|
||||
|
||||
# run helper programs - needed eg for x11-ssh-askpass
|
||||
corecmd_exec_shell($1_ssh_t)
|
||||
@ -124,8 +125,6 @@ template(`ssh_per_userdomain_template',`
|
||||
|
||||
userdom_use_unpriv_users_fd($1_ssh_t)
|
||||
|
||||
nis_use_ypbind($1_ssh_t)
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||
corenet_udp_sendrecv_all_if($1_ssh_t)
|
||||
@ -149,10 +148,11 @@ template(`ssh_per_userdomain_template',`
|
||||
corenet_tcp_bind_ssh_port($1_ssh_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
can_ypbind($1_ssh_t)
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_ssh_t)
|
||||
')
|
||||
|
||||
allow $1_ssh_t autofs_t:dir { search getattr };
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow $1 sbin_t:dir r_dir_perms;
|
||||
allow $1 sbin_t:notdevfile_class_set r_file_perms;
|
||||
@ -244,6 +244,8 @@ template(`ssh_per_userdomain_template',`
|
||||
dev_read_urand($1_ssh_agent_t)
|
||||
dev_read_rand($1_ssh_agent_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_ssh_agent_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_ssh_agent_t)
|
||||
|
||||
files_read_generic_etc_files($1_ssh_agent_t)
|
||||
@ -265,6 +267,10 @@ template(`ssh_per_userdomain_template',`
|
||||
fs_manage_cifs_files($1_ssh_agent_t)
|
||||
}
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_ssh_agent_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Write to the user domain tty.
|
||||
@ -275,9 +281,6 @@ template(`ssh_per_userdomain_template',`
|
||||
# allow ps to show ssh
|
||||
can_ps($1_t, $1_ssh_agent_t)
|
||||
|
||||
can_ypbind($1_ssh_agent_t)
|
||||
allow $1_ssh_agent_t autofs_t:dir { search getattr };
|
||||
|
||||
allow $1_ssh_agent_t proc_t:dir search;
|
||||
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
|
||||
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
|
||||
@ -449,7 +452,6 @@ template(`sshd_program_domain', `
|
||||
allow $1_t var_t:dir getattr;
|
||||
|
||||
allow $1_t { home_root_t home_dir_type }:dir getattr;
|
||||
allow $1_t autofs_t:dir { search getattr };
|
||||
|
||||
dontaudit sshd_t userpty_type:chr_file relabelfrom;
|
||||
|
||||
|
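Review bot: In hunk -449 (`sshd_program_domain`) the `allow $1_t autofs_t:dir { search getattr };` rule is dropped but no `fs_search_auto_mountpoints($1_t)` is added for that template anywhere in this file, unlike `$1_ssh_t` (hunk -98) and `$1_ssh_agent_t` (hunk -244). If that rule was live rather than inside an `ifdef(`TODO'` region — the neighbouring raw `allow $1_t var_t:dir getattr;` suggests it may be parked, but the region's start is outside the hunk — sshd would lose traversal of automounted home directories; either add `fs_search_auto_mountpoints($1_t)` next to the template's other fs_ calls or confirm the removed rule was dead. The template body begins outside the hunk.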
@ -112,6 +112,9 @@ tunable_policy(`run_ssh_inetd',`
|
||||
# for when the network connection breaks after running newrole -r sysadm_r
|
||||
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
allow sshd_t rpm_script_t:fd use;
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
@ -187,6 +190,8 @@ files_create_etc_config(ssh_keygen_t,sshd_key_t,file)
|
||||
|
||||
kernel_read_kernel_sysctl(ssh_keygen_t)
|
||||
|
||||
fs_search_auto_mountpoints(ssh_keygen_t)
|
||||
|
||||
dev_read_sysfs(ssh_keygen_t)
|
||||
dev_read_urand(ssh_keygen_t)
|
||||
|
||||
@ -231,7 +236,3 @@ optional_policy(`selinux.te',`
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(ssh_keygen_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow ssh_keygen_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
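Review bot: The new `optional_policy(`rpm.te',` block granting `allow sshd_t rpm_script_t:fd use;` in hunk -112 sits above `') dnl endif TODO`, i.e. inside the `ifdef(`TODO'` region whose start is outside the hunk, so it is not compiled. If the grant is meant to be live, move it below the `dnl endif TODO` line and prefer an rpm-provided interface over the raw allow on `rpm_script_t`, matching how the other optional blocks in this commit are written. As it stands the block reads as intended policy but has no effect.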
@ -67,7 +67,6 @@ template(`authlogin_per_userdomain_template',`
|
||||
|
||||
seutil_read_config($1_chkpwd_t)
|
||||
|
||||
#can_ypbind($1_chkpwd_t)
|
||||
#can_kerberos($1_chkpwd_t)
|
||||
#can_ldap($1_chkpwd_t)
|
||||
|
||||
@ -97,6 +96,10 @@ template(`authlogin_per_userdomain_template',`
|
||||
sysnet_read_config($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
seutil_use_newrole_fd($1_chkpwd_t)
|
||||
')
|
||||
@ -173,9 +176,6 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
allow system_chkpwd_t $1:process sigchld;
|
||||
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
#can_ypbind($1_t)
|
||||
#can_kerberos($1_t)
|
||||
#can_ldap($1_t)
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
@ -187,6 +187,13 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
corenet_udp_sendrecv_dns_port($1)
|
||||
sysnet_read_config($1)
|
||||
')
|
||||
|
||||
#can_kerberos($1)
|
||||
#can_ldap($1)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
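Review bot: Hunk -187 adds `nis_use_ypbind($1)` inside `auth_domtrans_chk_passwd`, so every caller domain now receives ypbind access from the interface, while this same commit also adds per-domain `optional_policy(`nis.te',` / `nis_use_ypbind(...)` / `')` blocks to callers such as remote_login_t, local_login_t, sulogin_t, pam_t and `$1_ssh_t`; one of the two is redundant, and the interface-level grant is the wider one since it may reach callers that previously had no ypbind access. Worth deciding whether the grant belongs in the interface (the calling domain needs it for NIS-backed password checks) or in the individual callers, and recording the choice in the interface's `## <desc>` block. The `#can_kerberos($1)` / `#can_ldap($1)` lines are commented-out code carried over from the removed `$1_t` variants in hunk -173; a `# TODO: kerberos/ldap equivalents not yet converted` note says the same without dead code. The interface body starts outside the hunk.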
@ -93,6 +93,8 @@ files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(pam_t)
|
||||
|
||||
fs_search_auto_mountpoints(pam_t)
|
||||
|
||||
term_use_all_user_ttys(pam_t)
|
||||
term_use_all_user_ptys(pam_t)
|
||||
|
||||
@ -112,12 +114,11 @@ optional_policy(`locallogin.te',`
|
||||
locallogin_use_fd(pam_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
can_ypbind(pam_t)
|
||||
ifdef(`automount.te', `
|
||||
allow pam_t autofs_t:dir { search getattr };
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(pam_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
||||
') dnl endif TODO
|
||||
|
||||
@ -156,6 +157,8 @@ dev_setattr_snd_dev(pam_console_t)
|
||||
dev_getattr_video_dev(pam_console_t)
|
||||
dev_setattr_video_dev(pam_console_t)
|
||||
|
||||
fs_search_auto_mountpoints(pam_console_t)
|
||||
|
||||
storage_getattr_fixed_disk(pam_console_t)
|
||||
storage_setattr_fixed_disk(pam_console_t)
|
||||
storage_getattr_removable_device(pam_console_t)
|
||||
@ -210,11 +213,8 @@ optional_policy(`udev.te', `
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te', `
|
||||
allow pam_console_t rhgb_t:process sigchld;
|
||||
allow pam_console_t rhgb_t:fd use;
|
||||
allow pam_console_t rhgb_t:fifo_file { read write };
|
||||
rhgb_domain(pam_console_t)
|
||||
')
|
||||
allow pam_console_t autofs_t:dir { search getattr };
|
||||
|
||||
allow pam_console_t apm_bios_t:chr_file { getattr setattr };
|
||||
|
||||
@ -268,8 +268,11 @@ tunable_policy(`use_dns',`
|
||||
sysnet_read_config(system_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(system_chkpwd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
can_ypbind(system_chkpwd_t)
|
||||
can_kerberos(system_chkpwd_t)
|
||||
can_ldap(system_chkpwd_t)
|
||||
|
||||
@ -303,10 +306,10 @@ libs_use_shared_libs(utempter_t)
|
||||
|
||||
logging_search_logs(utempter_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Allow utemper to write to /tmp/.xses-*
|
||||
allow utempter_t user_tmpfile:file { getattr write append };
|
||||
userdom_write_unpriv_user_tmp(utempter_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`xdm.te', `
|
||||
allow utempter_t xdm_t:fd use;
|
||||
allow utempter_t xdm_t:fifo_file { write getattr };
|
||||
|
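Review bot: In hunk -303, `userdom_write_unpriv_user_tmp(utempter_t)` is printed between two `ifdef(`TODO',` lines, and from the rendered view it is not certain whether the first one survives; if it does, the new interface call is inside the dead region and utempter_t does not actually get the access that the removed `allow utempter_t user_tmpfile:file { getattr write append };` granted (assuming that allow was itself live). Please confirm the call ends up above the `ifdef(`TODO'` that guards the xdm block. The comment `# Allow utemper to write to /tmp/.xses-*` also misspells utempter.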
@ -35,6 +35,7 @@ dev_read_sysfs(hwclock_t)
|
||||
dev_rw_realtime_clock(hwclock_t)
|
||||
|
||||
fs_getattr_xattr_fs(hwclock_t)
|
||||
fs_search_auto_mountpoints(hwclock_t)
|
||||
|
||||
term_dontaudit_use_console(hwclock_t)
|
||||
term_use_unallocated_tty(hwclock_t)
|
||||
@ -81,13 +82,9 @@ allow hwclock_t proc_t:dir r_dir_perms;
|
||||
allow hwclock_t proc_t:lnk_file read;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow hwclock_t rhgb_t:process sigchld;
|
||||
allow hwclock_t rhgb_t:fd use;
|
||||
allow hwclock_t rhgb_t:fifo_file rw_file_perms;
|
||||
rhgb_domain(hwclock_t)
|
||||
')
|
||||
|
||||
allow hwclock_t autofs_t:dir { search getattr };
|
||||
|
||||
optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
|
||||
|
||||
optional_policy(`apmd.te', `
|
||||
|
@ -11,7 +11,6 @@ type hostname_exec_t;
|
||||
init_system_domain(hostname_t,hostname_exec_t)
|
||||
role system_r types hostname_t;
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -31,6 +30,7 @@ kernel_dontaudit_use_fd(hostname_t)
|
||||
dev_read_sysfs(hostname_t)
|
||||
|
||||
fs_getattr_xattr_fs(hostname_t)
|
||||
fs_search_auto_mountpoints(hostname_t)
|
||||
|
||||
term_dontaudit_use_console(hostname_t)
|
||||
term_use_all_user_ttys(hostname_t)
|
||||
@ -96,11 +96,7 @@ allow hostname_t proc_t:dir { read getattr lock search ioctl };
|
||||
allow hostname_t proc_t:lnk_file read;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow hostname_t rhgb_t:process sigchld;
|
||||
allow hostname_t rhgb_t:fd use;
|
||||
allow hostname_t rhgb_t:fifo_file { read write };
|
||||
rhgb_domain(hostname_t)
|
||||
')
|
||||
|
||||
allow hostname_t autofs_t:dir { search getattr };
|
||||
##end daemon_base_domain
|
||||
') dnl end TODO
|
||||
|
@ -65,6 +65,7 @@ dev_setattr_snd_dev(hotplug_t)
|
||||
dev_read_urand(hotplug_t)
|
||||
|
||||
fs_getattr_all_fs(hotplug_t)
|
||||
fs_search_auto_mountpoints(hotplug_t)
|
||||
|
||||
storage_setattr_fixed_disk(hotplug_t)
|
||||
storage_setattr_removable_device(hotplug_t)
|
||||
@ -142,6 +143,10 @@ optional_policy(`mta.te', `
|
||||
mta_send_mail(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
seutil_newrole_sigchld(hotplug_t)
|
||||
')
|
||||
@ -160,17 +165,13 @@ optional_policy(`updfstab.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow hotplug_t autofs_t:dir { search getattr };
|
||||
dontaudit hotplug_t sysadm_home_dir_t:dir search;
|
||||
optional_policy(`rhgb.te', `
|
||||
allow hotplug_t rhgb_t:process sigchld;
|
||||
allow hotplug_t rhgb_t:fd use;
|
||||
allow hotplug_t rhgb_t:fifo_file { read write };
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(hotplug_t)
|
||||
')
|
||||
|
||||
allow kernel_t hotplug_etc_t:dir search;
|
||||
|
||||
can_ypbind(hotplug_t)
|
||||
dbusd_client(system, hotplug)
|
||||
|
||||
# for ps
|
||||
@ -181,7 +182,7 @@ optional_policy(`hald.te', `
|
||||
allow hotplug_t hald_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
# this goes to hald:
|
||||
# this block goes to hald:
|
||||
optional_policy(`hotplug.te',`
|
||||
allow hald_t hotplug_etc_t:dir search;
|
||||
allow hald_t hotplug_etc_t:file { getattr read };
|
||||
|
@ -46,6 +46,7 @@ kernel_use_fd(iptables_t)
|
||||
dev_read_sysfs(iptables_t)
|
||||
|
||||
fs_getattr_xattr_fs(iptables_t)
|
||||
fs_search_auto_mountpoints(iptables_t)
|
||||
|
||||
term_dontaudit_use_console(iptables_t)
|
||||
|
||||
@ -71,6 +72,13 @@ sysnet_domtrans_ifconfig(iptables_t)
|
||||
|
||||
userdom_use_all_user_fd(iptables_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(iptables_t)
|
||||
term_dontaudit_use_generic_pty(iptables_t)
|
||||
|
||||
files_dontaudit_read_root_file(iptables_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow iptables_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -89,6 +97,11 @@ optional_policy(`modutils.te', `
|
||||
modutils_domtrans_insmod(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
# for iptables -L
|
||||
nis_use_ypbind(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
seutil_newrole_sigchld(iptables_t)
|
||||
')
|
||||
@ -97,26 +110,11 @@ optional_policy(`udev.te', `
|
||||
udev_read_db(iptables_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(iptables_t)
|
||||
term_dontaudit_use_generic_pty(iptables_t)
|
||||
|
||||
files_dontaudit_read_root_file(iptables_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow iptables_t rhgb_t:process sigchld;
|
||||
allow iptables_t rhgb_t:fd use;
|
||||
allow iptables_t rhgb_t:fifo_file rw_file_perms;
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(iptables_t)
|
||||
')
|
||||
|
||||
allow iptables_t autofs_t:dir { search getattr };
|
||||
|
||||
# for iptables -L
|
||||
can_ypbind(iptables_t)
|
||||
|
||||
optional_policy(`gnome-pty-helper.te',`
|
||||
allow iptables_t sysadm_gph_t:fd use;
|
||||
')
|
||||
|
@ -71,6 +71,8 @@ dev_dontaudit_setattr_scanner(local_login_t)
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(local_login_t)
|
||||
|
||||
fs_search_auto_mountpoints(local_login_t)
|
||||
|
||||
selinux_get_fs_mount(local_login_t)
|
||||
selinux_validate_context(local_login_t)
|
||||
selinux_compute_access_vector(local_login_t)
|
||||
@ -126,6 +128,13 @@ userdom_use_unpriv_users_fd(local_login_t)
|
||||
# Search for mail spool file.
|
||||
mta_getattr_spool(local_login_t)
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
ifdef(`distro_redhat',`
|
||||
kernel_dontaudit_use_fd(local_login_t)
|
||||
files_dontaudit_read_root_file(local_login_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(local_login_t)
|
||||
fs_read_nfs_symlinks(local_login_t)
|
||||
@ -136,20 +145,12 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
fs_read_cifs_symlinks(local_login_t)
|
||||
')
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
optional_policy(`distro_redhat',`
|
||||
kernel_dontaudit_use_fd(local_login_t)
|
||||
files_dontaudit_read_root_file(local_login_t)
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(local_login_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
can_ypbind(local_login_t)
|
||||
ifdef(`automount.te', `
|
||||
allow local_login_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
allow local_login_t bin_t:dir r_dir_perms;
|
||||
allow local_login_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow local_login_t sbin_t:dir r_dir_perms;
|
||||
@ -170,7 +171,6 @@ allow local_login_t var_t:lnk_file read;
|
||||
|
||||
dontaudit local_login_t sysfs_t:dir search;
|
||||
|
||||
allow local_login_t autofs_t:dir r_dir_perms;
|
||||
allow local_login_t mnt_t:dir r_dir_perms;
|
||||
|
||||
# FIXME: what is this for?
|
||||
@ -221,12 +221,14 @@ allow sulogin_t self:msg { send receive };
|
||||
|
||||
kernel_read_system_state(sulogin_t)
|
||||
|
||||
init_get_script_process_group(sulogin_t)
|
||||
fs_search_auto_mountpoints(sulogin_t)
|
||||
|
||||
files_read_generic_etc_files(sulogin_t)
|
||||
# because file systems are not mounted:
|
||||
files_dontaudit_search_isid_type_dir(sulogin_t)
|
||||
|
||||
init_get_script_process_group(sulogin_t)
|
||||
|
||||
libs_use_ld_so(sulogin_t)
|
||||
libs_use_shared_libs(sulogin_t)
|
||||
|
||||
@ -259,14 +261,11 @@ ifdef(`sulogin_no_pam', `
|
||||
selinux_compute_user_contexts(sulogin_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
|
||||
|
||||
can_ypbind(sulogin_t)
|
||||
ifdef(`automount.te', `
|
||||
allow sulogin_t autofs_t:dir { search getattr };
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(sulogin_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
|
||||
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
||||
') dnl endif TODO
|
||||
|
@ -63,6 +63,7 @@ kernel_read_kernel_sysctl(auditd_t)
|
||||
dev_read_sysfs(auditd_t)
|
||||
|
||||
fs_getattr_all_fs(auditd_t)
|
||||
fs_search_auto_mountpoints(auditd_t)
|
||||
|
||||
term_dontaudit_use_console(auditd_t)
|
||||
|
||||
@ -80,6 +81,8 @@ libs_use_shared_libs(auditd_t)
|
||||
|
||||
miscfiles_read_localization(auditd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(auditd_t)
|
||||
term_dontaudit_use_generic_pty(auditd_t)
|
||||
@ -97,15 +100,13 @@ optional_policy(`udev.te', `
|
||||
ifdef(`TODO',`
|
||||
allow auditd_t proc_t:dir r_dir_perms;
|
||||
allow auditd_t proc_t:lnk_file read;
|
||||
dontaudit auditd_t unpriv_userdomain:fd use;
|
||||
allow auditd_t autofs_t:dir { search getattr };
|
||||
dontaudit auditd_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow auditd_t rhgb_t:process sigchld;
|
||||
allow auditd_t rhgb_t:fd use;
|
||||
allow auditd_t rhgb_t:fifo_file { read write };
|
||||
rhgb_domain(auditd_t)
|
||||
')
|
||||
|
||||
dontaudit auditd_t sysadm_home_dir_t:dir search;
|
||||
|
||||
# cjp: this is questionable:
|
||||
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
|
||||
') dnl endif TODO
|
||||
@ -192,6 +193,8 @@ kernel_read_kernel_sysctl(syslogd_t)
|
||||
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
||||
dev_read_sysfs(syslogd_t)
|
||||
|
||||
fs_search_auto_mountpoints(syslogd_t)
|
||||
|
||||
term_dontaudit_use_console(syslogd_t)
|
||||
# Allow syslog to a terminal
|
||||
term_write_unallocated_ttys(syslogd_t)
|
||||
@ -250,6 +253,14 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_rw_log(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
seutil_newrole_sigchld(syslogd_t)
|
||||
')
|
||||
@ -258,18 +269,11 @@ optional_policy(`udev.te', `
|
||||
udev_read_db(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_rw_log(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow syslogd_t proc_t:lnk_file read;
|
||||
allow syslogd_t autofs_t:dir { search getattr };
|
||||
dontaudit syslogd_t sysadm_home_dir_t:dir search;
|
||||
optional_policy(`rhgb.te', `
|
||||
allow syslogd_t rhgb_t:process sigchld;
|
||||
allow syslogd_t rhgb_t:fd use;
|
||||
allow syslogd_t rhgb_t:fifo_file { read write };
|
||||
rhgb_domain(syslogd_t)
|
||||
')
|
||||
tunable_policy(`direct_sysadm_daemon',`
|
||||
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
|
||||
@ -280,9 +284,6 @@ ifdef(`distro_suse', `
|
||||
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
|
||||
')
|
||||
|
||||
# can_network is for the UDP socket
|
||||
can_ypbind(syslogd_t)
|
||||
|
||||
# log to the xconsole
|
||||
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
|
||||
|
||||
|
@ -101,6 +101,7 @@ dev_dontaudit_getattr_generic_pipe(lvm_t)
|
||||
term_dontaudit_getattr_all_user_ttys(lvm_t)
|
||||
|
||||
fs_getattr_xattr_fs(lvm_t)
|
||||
fs_search_auto_mountpoints(lvm_t)
|
||||
|
||||
# LVM creates block devices in /dev/mapper or /dev/<vg>
|
||||
# depending on its version
|
||||
@ -157,9 +158,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow lvm_t autofs_t:dir { search getattr };
|
||||
|
||||
allow lvm_t default_context_t:dir search;
|
||||
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
|
||||
|
||||
|
@ -44,6 +44,7 @@ fs_mount_all_fs(mount_t)
|
||||
fs_unmount_all_fs(mount_t)
|
||||
fs_remount_all_fs(mount_t)
|
||||
fs_relabelfrom_xattr_fs(mount_t)
|
||||
fs_search_auto_mountpoints(mount_t)
|
||||
|
||||
term_use_console(mount_t)
|
||||
|
||||
@ -88,7 +89,6 @@ ifdef(`distro_redhat',`
|
||||
|
||||
optional_policy(`portmap.te', `
|
||||
# for nfs
|
||||
#can_ypbind(mount_t)
|
||||
#allow portmap_t mount_t:udp_socket { sendto recvfrom };
|
||||
#allow mount_t portmap_t:udp_socket { sendto recvfrom };
|
||||
#allow mount_t rpc_pipefs_t:dir search;
|
||||
@ -106,6 +106,10 @@ optional_policy(`portmap.te', `
|
||||
corenet_udp_bind_generic_port(mount_t)
|
||||
corenet_tcp_bind_reserved_port(mount_t)
|
||||
corenet_udp_bind_reserved_port(mount_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(mount_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -127,13 +131,7 @@ allow mount_t sysadm_gph_t:fd use;
|
||||
')
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow mount_t rhgb_t:process sigchld;
|
||||
allow mount_t rhgb_t:fd use;
|
||||
allow mount_t rhgb_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
optional_policy(`automount.te', `
|
||||
allow mount_t autofs_t:dir read;
|
||||
rhgb_domain(mount_t)
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
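Review bot: In hunk -127 it is not clear from the rendered diff whether `rhgb_domain(mount_t)` ends up inside the `optional_policy(`rhgb.te',` block or inside the `optional_policy(`automount.te',` block that previously held `allow mount_t autofs_t:dir read;`; print order suggests the latter, which would tie rhgb integration to the automount module. Both blocks sit in the region closed by `') dnl endif TODO`, so nothing is live yet, but the surviving block should read `optional_policy(`rhgb.te',` / `rhgb_domain(mount_t)` / `')` before that region is lifted. Also, the removed autofs rule granted `read` on the directory rather than search, so `fs_search_auto_mountpoints(mount_t)` from hunk -44 is narrower if mount ever needs to list automount roots — though, being under TODO, the removed rule may never have been active.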
@ -195,6 +195,7 @@ kernel_read_kernel_sysctl(newrole_t)
|
||||
dev_read_urand(newrole_t)
|
||||
|
||||
fs_getattr_xattr_fs(newrole_t)
|
||||
fs_search_auto_mountpoints(newrole_t)
|
||||
|
||||
selinux_get_fs_mount(newrole_t)
|
||||
selinux_validate_context(newrole_t)
|
||||
@ -234,13 +235,11 @@ if(secure_mode) {
|
||||
userdom_spec_domtrans_all_users(newrole_t)
|
||||
}
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
can_ypbind(newrole)
|
||||
ifdef(`automount.te', `
|
||||
allow newrole_t autofs_t:dir { search getattr };
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(newrole_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for when the user types "exec newrole" at the command line
|
||||
allow newrole_t privfd:process sigchld;
|
||||
|
||||
|
@ -105,6 +105,7 @@ dev_read_sysfs(dhcpc_t)
|
||||
dev_read_urand(dhcpc_t)
|
||||
|
||||
fs_getattr_all_fs(dhcpc_t)
|
||||
fs_search_auto_mountpoints(dhcpc_t)
|
||||
|
||||
term_dontaudit_use_console(dhcpc_t)
|
||||
term_dontaudit_use_all_user_ttys(dhcpc_t)
|
||||
@ -152,10 +153,23 @@ optional_policy(`hostname.te',`
|
||||
hostname_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(dhcpc_t)
|
||||
# dhclient sometimes starts ypbind
|
||||
init_exec_script(dhcpc_t)
|
||||
#nis_domtrans_ypbind(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`ntpd.te',`
|
||||
# dhclient sometimes starts ntpd
|
||||
init_exec_script(dhcpc_t)
|
||||
ntpd_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
seutil_newrole_sigchld(dhcpc_t)
|
||||
')
|
||||
@ -168,29 +182,13 @@ optional_policy(`userdomain.te',`
|
||||
userdom_use_all_user_fd(dhcpc_t)
|
||||
')
|
||||
|
||||
#
|
||||
# dhclient sometimes starts ypbind and ntpd
|
||||
#
|
||||
init_exec_script(dhcpc_t)
|
||||
optional_policy(`ypbind.te',`
|
||||
ypbind_domtrans(dhcpc_t)
|
||||
')
|
||||
optional_policy(`ntpd.te',`
|
||||
ntpd_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow dhcpc_t autofs_t:dir { search getattr };
|
||||
dontaudit dhcpc_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow dhcpc_t rhgb_t:process sigchld;
|
||||
allow dhcpc_t rhgb_t:fd use;
|
||||
allow dhcpc_t rhgb_t:fifo_file { read write };
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(dhcpc_t)
|
||||
')
|
||||
|
||||
can_ypbind(dhcpc_t)
|
||||
|
||||
ifdef(`cardmgr.te', `
|
||||
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
|
||||
@ -208,15 +206,17 @@ logging_syslogd_transition(dhcpc_t)
|
||||
')dnl end hotplug.te
|
||||
|
||||
# for the dhcp client to run ping to check IP addresses
|
||||
ifdef(`ping.te', `
|
||||
domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
|
||||
ifdef(`hotplug.te',`
|
||||
allow ping_t hotplug_t:fd use;
|
||||
') dnl end if hotplug
|
||||
ifdef(`cardmgr.te', `
|
||||
allow ping_t cardmgr_t:fd use;
|
||||
') dnl end if cardmgr
|
||||
') dnl end if ping
|
||||
optional_policy(`netutils.te',`
|
||||
netutils_domtrans_ping(dhcpc_t)
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
allow ping_t hotplug_t:fd use;
|
||||
')
|
||||
|
||||
ifdef(`cardmgr.te',`
|
||||
allow ping_t cardmgr_t:fd use;
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
allow initrc_t dhcp_etc_t:file rw_file_perms;
|
||||
@ -266,6 +266,7 @@ kernel_dontaudit_search_sysctl_dir(ifconfig_t)
|
||||
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
|
||||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
|
||||
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
||||
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
||||
@ -289,22 +290,18 @@ seutil_use_runinit_fd(ifconfig_t)
|
||||
|
||||
userdom_use_all_user_fd(ifconfig_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
can_ypbind(ifconfig_t)
|
||||
ifdef(`automount.te', `
|
||||
allow ifconfig_t autofs_t:dir { search getattr };
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(ifconfig_t)
|
||||
')
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
||||
|
||||
allow ifconfig_t tun_tap_device_t:chr_file { read write };
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow ifconfig_t rhgb_t:process sigchld;
|
||||
allow ifconfig_t rhgb_t:fd use;
|
||||
allow ifconfig_t rhgb_t:fifo_file { read write };
|
||||
rhgb_domain(ifconfig_t)
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
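Review bot: In hunk -152 the transition for ypbind started by dhclient is now the commented-out `#nis_domtrans_ypbind(dhcpc_t)`, whereas the removed code in hunk -168 had a live `optional_policy(`ypbind.te',` / `ypbind_domtrans(dhcpc_t)`; with `init_exec_script(dhcpc_t)` still granted, a ypbind launched by dhclient would run in dhcpc_t rather than its own domain until that line is reinstated. If the interface is not available yet, a `# TODO: ypbind transition not yet provided by the nis module` comment would record why. `init_exec_script(dhcpc_t)` is also now duplicated in the nis and ntpd optional blocks, which is harmless but could be stated once above both under the original `# dhclient sometimes starts ypbind and ntpd` comment. Separately, the nested `optional_policy(`hotplug.te',` and `ifdef(`cardmgr.te',` blocks in hunk -208 still write raw `allow ping_t ...:fd use;` rules for a foreign domain inside this file.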
@ -137,6 +137,7 @@ template(`base_user_domain',`
|
||||
|
||||
fs_get_all_fs_quotas($1_t)
|
||||
fs_getattr_all_fs($1_t)
|
||||
fs_search_auto_mountpoints($1_t)
|
||||
|
||||
# for eject
|
||||
storage_getattr_fixed_disk($1_t)
|
||||
@ -204,6 +205,10 @@ template(`base_user_domain',`
|
||||
term_getattr_all_user_ttys($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
@ -251,8 +256,6 @@ template(`base_user_domain',`
|
||||
|
||||
r_dir_file($1_t, usercanread)
|
||||
|
||||
can_ypbind($1_t)
|
||||
|
||||
tunable_policy(`allow_execmod',`
|
||||
# Allow text relocations on system shared libraries, e.g. libGL.
|
||||
allow $1_t texrel_shlib_t:file execmod;
|
||||
@ -271,8 +274,6 @@ template(`base_user_domain',`
|
||||
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
|
||||
dontaudit $1_t proc_fs:dir { read search };
|
||||
|
||||
allow $1_t autofs_t:dir { getattr search };
|
||||
|
||||
can_exec($1_t, { removable_t noexattrfile } )
|
||||
|
||||
tunable_policy(`user_rw_noexattrfile',`
|
||||
@ -299,8 +300,6 @@ template(`base_user_domain',`
|
||||
|
||||
can_resmgrd_connect($1_t)
|
||||
|
||||
can_ypbind($1_t)
|
||||
|
||||
allow $1_t var_lock_t:dir search;
|
||||
|
||||
# Grant permissions to access the system DBus
|
||||
@ -385,10 +384,6 @@ template(`base_user_domain',`
|
||||
allow $1_t apmd_var_run_t:sock_file write;
|
||||
')
|
||||
|
||||
ifdef(`automount.te', `
|
||||
allow $1_t autofs_t:dir { getattr search };
|
||||
')
|
||||
|
||||
ifdef(`pamconsole.te', `
|
||||
allow $1_t pam_var_console_t:dir search;
|
||||
')
|
||||
@ -418,7 +413,7 @@ template(`user_domain_template', `
|
||||
#typeattribute $1_home_dir_t user_home_dir_type;
|
||||
#typeattribute $1_home_t user_home_type;
|
||||
|
||||
#typeattribute $1_tmp_t, user_tmpfile;
|
||||
typeattribute $1_tmp_t user_tmpfile;
|
||||
|
||||
#typeattribute $1_tty_device_t user_tty_type;
|
||||
|
||||
@ -808,11 +803,11 @@ template(`admin_domain_template',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Execute a shell in all user domains. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -826,11 +821,11 @@ interface(`userdom_spec_domtrans_all_users',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Execute a shell in all unprivileged user domains. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -844,9 +839,9 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Execute a shell in the sysadm domain.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -860,9 +855,9 @@ interface(`userdom_shell_domtrans_sysadm',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write sysadm ttys.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -879,9 +874,9 @@ interface(`userdom_use_sysadm_tty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read and write sysadm ttys and ptys.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -898,9 +893,9 @@ interface(`userdom_use_sysadm_terms',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts to use admin ttys and ptys.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -915,9 +910,9 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Search all users home directories.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -933,9 +928,9 @@ interface(`userdom_search_all_users_home',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read all files in all users home directories.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -953,9 +948,26 @@ interface(`userdom_read_all_user_data',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Write all unprivileged users files in /tmp
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_write_unpriv_user_tmp',`
|
||||
gen_require(`
|
||||
attribute user_tmpfile;
|
||||
class file { getattr write append };
|
||||
')
|
||||
|
||||
allow $1 user_tmpfile:file { getattr write append };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Inherit the file descriptors from all user domains
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -970,9 +982,9 @@ interface(`userdom_use_all_user_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Send general signals to all user domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -987,9 +999,9 @@ interface(`userdom_signal_all_users',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Send general signals to unprivileged user domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -1004,9 +1016,9 @@ interface(`userdom_signal_unpriv_users',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Inherit the file descriptors from all user domains.
|
||||
## </desc>
|
||||
## <summary>
|
||||
## Inherit the file descriptors from unprivileged user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -1021,10 +1033,10 @@ interface(`userdom_use_unpriv_users_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Do not audit attempts to inherit the
|
||||
## file descriptors from all user domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
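Review bot: The new `userdom_write_unpriv_user_tmp` interface grants only `getattr`, `write` and `append` on the `file` class of `user_tmpfile` — no `create` and no directory `search` — so a caller can modify only files that already exist and must separately be allowed to search /tmp, and the summary `## Write all unprivileged users files in /tmp` should say so, e.g. `## Write to and append to existing temporary files of unprivileged user domains (no create; the caller must separately be able to search /tmp).` The "unprivileged" scope rests entirely on `user_tmpfile` being attached only by `typeattribute $1_tmp_t user_tmpfile;` in `user_domain_template` (the `@ -418,7 +413,7` hunk of this file), and whether the admin template also instantiates that template is not visible here, so a comment on the `allow` line recording that assumption would help whoever next adds a member. As a point of style, the neighbouring interfaces spell the scope `_unpriv_users_` (`userdom_use_unpriv_users_fd`, `userdom_signal_unpriv_users`), so `userdom_write_unpriv_users_tmp` would match. The rest of this section is tag-only documentation cleanup (`<desc>` to `<summary>`) and the corrected summary of `userdom_use_unpriv_users_fd` now matches its name.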
|
||||
|
@ -20,6 +20,9 @@ attribute home_type;
|
||||
# a user in writing regular files)
|
||||
attribute privhome;
|
||||
|
||||
# all unprivileged users tmp files
|
||||
attribute user_tmpfile;
|
||||
|
||||
# all user domains
|
||||
attribute userdomain;
|
||||
|
||||
@ -107,6 +110,12 @@ optional_policy(`mount.te',`
|
||||
mount_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`netutils.te',`
|
||||
netutils_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
|
||||
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
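Review bot: The comment on the new attribute, `# all unprivileged users tmp files`, records the intent but not the invariant that keeps `userdom_write_unpriv_user_tmp` narrow: the attribute is attached by `typeattribute $1_tmp_t user_tmpfile;` in `user_domain_template` (the userdomain.if hunk of this commit), so any other template that instantiates it — an admin one included — silently widens that interface to its tmp files. I would spell that out here: `# tmp file types of unprivileged user domains only; attached by user_domain_template. Do not add admin tmp types: userdom_write_unpriv_user_tmp grants write on every member.` The netutils hunk that follows mirrors the other `*_run(sysadm_t,sysadm_r,admin_terminal)` calls in this file; I cannot see from here whether the netutils module provides all three `_run` interfaces, so it is worth confirming the block builds when netutils.te is enabled.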
|
||||
|