autofs_t and ypbind cleanup

This commit is contained in:
Chris PeBenito 2005-06-27 16:30:55 +00:00
parent e88003ffe3
commit ab940a4cc1
31 changed files with 571 additions and 396 deletions

View File

@ -35,6 +35,7 @@ kernel_use_fd(consoletype_t)
kernel_dontaudit_read_system_state(consoletype_t)
fs_getattr_all_fs(consoletype_t)
fs_search_auto_mountpoints(consoletype_t)
term_use_console(consoletype_t)
term_use_unallocated_tty(consoletype_t)
@ -58,6 +59,10 @@ optional_policy(`authlogin.te', `
auth_read_pam_pid(consoletype_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(consoletype_t)
')
optional_policy(`userdomain.te',`
userdom_use_unpriv_users_fd(consoletype_t)
')
@ -73,12 +78,6 @@ allow consoletype_t nfs_t:file write;
allow consoletype_t crond_t:fifo_file r_file_perms;
allow consoletype_t system_crond_t:fd use;
can_ypbind(consoletype_t)
optional_policy(`automount.te', `
allow consoletype_t autofs_t:dir { search getattr };
')
optional_policy(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file rw_file_perms;

View File

@ -22,11 +22,14 @@ dontaudit dmesg_t self:capability sys_tty_config;
allow dmesg_t self:process signal_perms;
kernel_read_kernel_sysctl(dmesg_t)
dev_read_sysfs(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)
dev_read_sysfs(dmesg_t)
fs_search_auto_mountpoints(dmesg_t)
term_dontaudit_use_console(dmesg_t)
domain_use_wide_inherit_fd(dmesg_t)
@ -68,10 +71,6 @@ allow dmesg_t proc_t:dir r_dir_perms;
allow dmesg_t proc_t:lnk_file read;
optional_policy(`rhgb.te',`
allow dmesg_t rhgb_t:process sigchld;
allow dmesg_t rhgb_t:fd use;
allow dmesg_t rhgb_t:fifo_file rw_file_perms;
rhgb_domain(dmesg_t)
')
allow dmesg_t autofs_t:dir { search getattr };
') dnl endif TODO

View File

@ -1,8 +1,12 @@
## <summary>Network analysis utilities</summary>
#######################################
#
# netutils_domtrans(domain)
########################################
## <desc>
## Execute network utilities in the netutils domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`netutils_domtrans',`
gen_require(`
@ -20,9 +24,39 @@ interface(`netutils_domtrans',`
allow netutils_t $1:process sigchld;
')
#######################################
########################################
## <desc>
## Execute network utilities in the netutils domain, and
## allow the specified role the netutils domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the netutils domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the netutils domain to use.
## </param>
#
# netutils_exec(domain)
interface(`netutils_run',`
gen_require(`
type netutils_t;
class chr_file rw_term_perms;
')
netutils_domtrans($1)
role $2 types netutils_t;
allow netutils_t $3:chr_file rw_term_perms;
')
########################################
## <desc>
## Execute network utilities in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`netutils_exec',`
gen_require(`
@ -31,3 +65,135 @@ interface(`netutils_exec',`
can_exec($1,netutils_exec_t)
')
########################################
## <desc>
## Execute ping in the ping domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`netutils_domtrans_ping',`
gen_require(`
type ping_t, ping_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,ping_exec_t,ping_t)
allow $1 ping_t:fd use;
allow ping_t $1:fd use;
allow ping_t $1:fifo_file rw_file_perms;
allow ping_t $1:process sigchld;
')
########################################
## <desc>
## Execute ping in the ping domain, and
## allow the specified role the ping domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the ping domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the ping domain to use.
## </param>
#
interface(`netutils_run_ping',`
gen_require(`
type ping_t;
class chr_file rw_term_perms;
')
netutils_domtrans_ping($1)
role $2 types ping_t;
allow ping_t $3:chr_file rw_term_perms;
')
########################################
## <desc>
## Execute ping in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`netutils_exec_ping',`
gen_require(`
type ping_exec_t;
')
can_exec($1,ping_exec_t)
')
########################################
## <desc>
## Execute traceroute in the traceroute domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`netutils_domtrans_traceroute',`
gen_require(`
type traceroute_t, traceroute_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,traceroute_exec_t,traceroute_t)
allow $1 traceroute_t:fd use;
allow traceroute_t $1:fd use;
allow traceroute_t $1:fifo_file rw_file_perms;
allow traceroute_t $1:process sigchld;
')
########################################
## <desc>
## Execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the traceroute domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the traceroute domain to use.
## </param>
#
interface(`netutils_run_traceroute',`
gen_require(`
type traceroute_t;
class chr_file rw_term_perms;
')
netutils_domtrans_traceroute($1)
role $2 types traceroute_t;
allow traceroute_t $3:chr_file rw_term_perms;
')
########################################
## <desc>
## Execute traceroute in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`netutils_exec_traceroute',`
gen_require(`
type traceroute_exec_t;
')
can_exec($1,traceroute_exec_t)
')

View File

@ -54,15 +54,15 @@ corenet_udp_bind_all_nodes(netutils_t)
fs_getattr_xattr_fs(netutils_t)
init_use_fd(netutils_t)
init_use_script_pty(netutils_t)
domain_use_wide_inherit_fd(netutils_t)
files_read_generic_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)
init_use_fd(netutils_t)
init_use_script_pty(netutils_t)
libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)
@ -70,18 +70,14 @@ logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
userdom_use_all_user_fd(netutils_t)
optional_policy(`nis.te',`
nis_use_ypbind(netutils_t)
')
ifdef(`TODO',`
role sysadm_r types netutils_t;
can_ypbind(netutils_t)
domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
# Inherit and use descriptors from init.
allow netutils_t userdomain:fd use;
# Access terminals.
allow netutils_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
allow netutils_t proc_t:dir search;
@ -129,14 +125,11 @@ tunable_policy(`user_ping',`
term_use_all_user_ptys(ping_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(ping_t)
')
ifdef(`TODO',`
can_ypbind(ping_t)
domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
role sysadm_r types ping_t;
allow ping_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
in_user_role(ping_t)
tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
@ -193,23 +186,16 @@ tunable_policy(`user_ping',`
term_use_all_user_ptys(traceroute_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(traceroute_t)
')
ifdef(`TODO',`
role sysadm_r types traceroute_t;
can_ypbind(traceroute_t)
# Transition into this domain when you run this program.
domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
# Access the terminal.
allow traceroute_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
in_user_role(traceroute_t)
tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
')
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
#rules needed for nmap
dontaudit traceroute_t userdomain:dir search;
') dnl end TODO

View File

@ -117,9 +117,10 @@ dev_read_urand(rpm_t)
#devices_manage_all_device_types(rpm_t)
#fs_manage_nfs_dir(rpm_t)
#fs_manage_nfs_files(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
@ -159,6 +160,10 @@ userdom_use_unpriv_users_fd(rpm_t)
#cron_transition_from(rpm,rpm_exec_t)
optional_policy(`nis.te',`
nis_use_ypbind(rpm_t)
')
ifdef(`TODO',`
type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
@ -183,16 +188,10 @@ allow rpm_t usbdevfs_t:dir r_dir_perms;
allow rpm_t rpc_pipefs_t:dir search;
can_ypbind(rpm_t)
optional_policy(`gnome-pty-helper.te', `
allow rpm_t sysadm_gph_t:fd use;
')
optional_policy(`automount.te', `
allow rpm_t autofs_t:dir { search getattr };
')
optional_policy(`mount.te', `
allow rpm_t mount_t:udp_socket rw_socket_perms;
')
@ -265,6 +264,7 @@ fs_getattr_nfs(rpm_script_t)
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@ -312,28 +312,18 @@ optional_policy(`bootloader.te', `
bootloader_domtrans(rpm_script_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(rpm_script_t)
')
ifdef(`TODO',`
allow rpm_script_t sysfs_t:dir r_dir_perms;
can_exec(rpm_script_t,usr_t)
allow rpm_script_t autofs_t:dir { search getattr };
can_ypbind(rpm_script_t)
optional_policy(`automount.te', `
allow rpm_script_t autofs_t:dir { search getattr };
')
optional_policy(`lpd.te', `
can_exec(rpm_script_t,printconf_t)
')
optional_policy(`ssh.te', `
allow sshd_t rpm_script_t:fd use;
')
') dnl end TODO

View File

@ -88,18 +88,20 @@ term_use_all_user_ttys(chfn_t)
term_use_all_user_ptys(chfn_t)
fs_getattr_xattr_fs(chfn_t)
fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(chfn_t)
domain_use_wide_inherit_fd(chfn_t)
files_manage_generic_etc_files(chfn_t)
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(chfn_t)
libs_use_ld_so(chfn_t)
libs_use_shared_libs(chfn_t)
@ -111,20 +113,18 @@ logging_send_syslog_msg(chfn_t)
auth_domtrans_chk_passwd(chfn_t)
auth_dontaudit_read_shadow(chfn_t)
userdom_use_unpriv_users_fd(chfn_t)
optional_policy(`nis.te',`
nis_use_ypbind(chfn_t)
')
ifdef(`TODO',`
role sysadm_r types chfn_t;
in_user_role(chfn_t)
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
dontaudit chfn_t var_t:dir search;
allow chfn_t unpriv_userdomain:fd use;
can_ypbind(chfn_t)
ifdef(`automount.te', `
allow chfn_t autofs_t:dir { search getattr };
')
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
# allow checking if a shell is executable
@ -181,7 +181,6 @@ ifdef(`TODO',`
ifdef(`crond.te', `
domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
allow crack_t crond_t:fifo_file rw_file_perms;
# a rule for privfd may make this obsolete
allow crack_t crond_t:fd use;
allow crack_t crond_t:process sigchld;
')
@ -209,6 +208,9 @@ allow groupadd_t self:sem create_sem_perms;
allow groupadd_t self:msgq create_msgq_perms;
allow groupadd_t self:msg { send receive };
fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)
# Allow access to context for shadow file
selinux_get_fs_mount(groupadd_t)
selinux_validate_context(groupadd_t)
@ -217,13 +219,12 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
fs_getattr_xattr_fs(groupadd_t)
term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)
init_use_fd(groupadd_t)
init_read_script_pid(groupadd_t)
init_dontaudit_write_script_pid(groupadd_t)
domain_use_wide_inherit_fd(groupadd_t)
@ -245,16 +246,14 @@ auth_rw_lastlog(groupadd_t)
seutil_read_config(groupadd_t)
ifdef(`TODO',`
role sysadm_r types groupadd_t;
domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)
userdom_use_unpriv_users_fd(groupadd_t)
allow groupadd_t unpriv_userdomain:fd use;
can_ypbind(groupadd_t)
ifdef(`automount.te', `
allow groupadd_t autofs_t:dir { search getattr };
optional_policy(`nis.te',`
nis_use_ypbind(groupadd_t)
')
ifdef(`TODO',`
# Update /etc/shadow and /etc/passwd
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
@ -263,7 +262,6 @@ ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
# for when /root is the cwd
dontaudit groupadd_t sysadm_home_dir_t:dir search;
dontaudit groupadd_t initrc_var_run_t:file write;
') dnl end TODO
########################################
@ -285,6 +283,15 @@ allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
allow passwd_t crack_db_t:dir r_dir_perms;
allow passwd_t crack_db_t:file r_file_perms;
# for SSP
dev_read_urand(passwd_t)
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
selinux_get_fs_mount(passwd_t)
selinux_validate_context(passwd_t)
selinux_compute_access_vector(passwd_t)
@ -292,11 +299,6 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
# for SSP
dev_read_urand(passwd_t)
fs_getattr_xattr_fs(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(passwd_t)
@ -305,6 +307,7 @@ domain_use_wide_inherit_fd(passwd_t)
files_read_etc_runtime_files(passwd_t)
files_manage_generic_etc_files(passwd_t)
files_search_var(passwd_t)
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
@ -315,6 +318,12 @@ miscfiles_read_localization(passwd_t)
auth_manage_shadow(passwd_t)
userdom_use_unpriv_users_fd(passwd_t)
optional_policy(`nis.te',`
nis_use_ypbind(passwd_t)
')
ifdef(`TODO',`
ifdef(`firstboot.te',`
@ -324,12 +333,6 @@ domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
# Update /etc/shadow and /etc/passwd
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
allow passwd_t unpriv_userdomain:fd use;
can_ypbind(passwd_t)
ifdef(`automount.te', `
allow passwd_t autofs_t:dir { search getattr };
')
# Inherit and use descriptors from login.
ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
@ -347,14 +350,7 @@ allow passwd_t userdomain:process getattr;
dontaudit passwd_t selinux_config_t:dir search;
ifdef(`crack.te', `
allow passwd_t var_t:dir search;
dontaudit passwd_t var_run_t:dir search;
allow passwd_t crack_db_t:dir r_dir_perms;
allow passwd_t crack_db_t:file r_file_perms;
', `
dontaudit passwd_t var_t:dir search;
')
') dnl endif TODO
########################################
@ -395,23 +391,26 @@ kernel_read_system_state(sysadm_passwd_t)
dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
term_use_all_user_ttys(sysadm_passwd_t)
term_use_all_user_ptys(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
# allow vipw to exec the editor
corecmd_exec_bin(sysadm_passwd_t)
corecmd_exec_shell(sysadm_passwd_t)
files_read_usr_files(sysadm_passwd_t)
domain_use_wide_inherit_fd(sysadm_passwd_t)
files_manage_generic_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# allow vipw to exec the editor
corecmd_exec_bin(sysadm_passwd_t)
corecmd_exec_shell(sysadm_passwd_t)
files_read_usr_files(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(sysadm_passwd_t)
libs_use_ld_so(sysadm_passwd_t)
libs_use_shared_libs(sysadm_passwd_t)
@ -420,18 +419,16 @@ miscfiles_read_localization(sysadm_passwd_t)
logging_send_syslog_msg(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
userdom_use_unpriv_users_fd(sysadm_passwd_t)
optional_policy(`nis.te',`
nis_use_ypbind(sysadm_passwd_t)
')
ifdef(`TODO',`
role sysadm_r types sysadm_passwd_t;
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
allow sysadm_passwd_t unpriv_userdomain:fd use;
can_ypbind(sysadm_passwd_t)
ifdef(`automount.te', `
allow sysadm_passwd_t autofs_t:dir { search getattr };
')
# Inherit and use descriptors from login.
ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
@ -483,46 +480,46 @@ selinux_compute_user_contexts(useradd_t)
# for getting the number of groups
kernel_read_kernel_sysctl(useradd_t)
fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t)
init_use_fd(useradd_t)
init_rw_script_pid(useradd_t)
domain_use_wide_inherit_fd(useradd_t)
files_manage_generic_etc_files(useradd_t)
libs_use_ld_so(useradd_t)
libs_use_shared_libs(useradd_t)
auth_manage_shadow(useradd_t)
auth_rw_lastlog(useradd_t)
corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
corecmd_exec_sbin(useradd_t)
domain_use_wide_inherit_fd(useradd_t)
files_manage_generic_etc_files(useradd_t)
init_use_fd(useradd_t)
init_rw_script_pid(useradd_t)
libs_use_ld_so(useradd_t)
libs_use_shared_libs(useradd_t)
logging_send_syslog_msg(useradd_t)
miscfiles_read_localization(useradd_t)
seutil_read_config(useradd_t)
logging_send_syslog_msg(useradd_t)
userdom_use_unpriv_users_fd(useradd_t)
auth_manage_shadow(useradd_t)
auth_rw_lastlog(useradd_t)
mta_manage_spool(useradd_t)
optional_policy(`nis.te',`
nis_use_ypbind(useradd_t)
')
ifdef(`TODO',`
role sysadm_r types useradd_t;
domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t)
allow useradd_t unpriv_userdomain:fd use;
can_ypbind(useradd_t)
ifdef(`automount.te', `
allow useradd_t autofs_t:dir { search getattr };
')
# Update /etc/shadow and /etc/passwd
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
@ -536,10 +533,7 @@ dontaudit useradd_t sysadm_home_dir_t:dir search;
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
# create/delete mail spool file in /var/mail
allow useradd_t var_spool_t:dir search;
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
allow useradd_t mail_spool_t:file create_file_perms;
# /var/mail is a link to /var/spool/mail
allow useradd_t mail_spool_t:lnk_file read;
') dnl end TODO

View File

@ -129,9 +129,11 @@ template(`gpg_per_userdomain_template',`
fs_manage_cifs_symlinks($1_gpg_t)
')
ifdef(`TODO',`
optional_policy(`nis.te',`
nis_use_ypbind($1_gpg_t)
')
can_ypbind($1_gpg_t)
ifdef(`TODO',`
allow $1_t $1_gpg_secret_t:file getattr;

View File

@ -266,6 +266,24 @@ interface(`fs_getattr_autofs',`
allow $1 autofs_t:filesystem getattr;
')
########################################
## <summary>
## Search automount filesystem to use automatically
## mounted filesystems.
## </summary>
## <param name="domain">
## The type of the domain performing this action.
## </param>
#
interface(`fs_search_auto_mountpoints',`
gen_require(`
type autofs_t;
class dir { getattr search };
')
allow $1 autofs_t:dir { getattr search };
')
########################################
## <desc>
## Register an interpreter for new binary

View File

@ -116,6 +116,10 @@ template(`cron_per_userdomain_template',`
allow crond_t $1_cron_spool_t:file create_file_perms;
')
optional_policy(`nis.te',`
nis_use_ypbind($1_crond_t)
')
ifdef(`TODO',`
# Access user files and dirs.
allow $1_crond_t home_root_t:dir search;
@ -135,8 +139,6 @@ template(`cron_per_userdomain_template',`
allow mta_user_agent $1_crond_t:fd use;
')
# This domain is granted permissions common to most domains.
can_ypbind($1_crond_t)
allow $1_crond_t var_spool_t:dir search;
allow $1_crond_t var_t:dir r_dir_perms;
allow $1_crond_t var_t:file r_file_perms;

View File

@ -87,6 +87,7 @@ selinux_compute_user_contexts(crond_t)
dev_read_urand(crond_t)
fs_getattr_all_fs(crond_t)
fs_search_auto_mountpoints(crond_t)
term_dontaudit_use_console(crond_t)
@ -127,6 +128,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(crond_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(crond_t)
')
optional_policy(`udev.te', `
udev_read_db(crond_t)
')
@ -135,18 +140,10 @@ ifdef(`TODO',`
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...
allow crond_t autofs_t:dir { search getattr };
dontaudit crond_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
allow crond_t rhgb_t:process sigchld;
allow crond_t rhgb_t:fd use;
allow crond_t rhgb_t:fifo_file { read write };
')
can_ypbind(crond_t)
ifdef(`automount.te', `
allow crond_t autofs_t:dir { search getattr };
rhgb_domain(crond_t)
')
# Read from /var/spool/cron.
@ -301,10 +298,11 @@ tunable_policy(`cron_can_relabel',`
seutil_read_file_contexts(system_crond_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(system_crond_t)
')
ifdef(`TODO',`
can_ypbind(system_crond_t)
dontaudit userdomain system_crond_t:fd use;
# quiet other ps operations

View File

@ -70,14 +70,15 @@ template(`mta_per_userdomain_template',`
corenet_udp_sendrecv_dns_port($1_mail_t)
')
optional_policy(`nis.te',`
nis_use_ypbind($1_mail_t)
')
optional_policy(`procmail.te',`
procmail_execute($1_mail_t)
')
ifdef(`TODO',`
can_ypbind($1_mail_t)
allow $1_mail_t device_t:dir search;
allow $1_mail_t { var_t var_spool_t }:dir search;
allow $1_mail_t sbin_t:dir search;

View File

@ -90,8 +90,12 @@ tunable_policy(`use_dns',`
corenet_udp_sendrecv_dns_port(system_mail_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(system_mail_t)
')
optional_policy(`procmail.te',`
procmail_execute(system_mail_t)
procmail_exec(system_mail_t)
')
ifdef(`TODO',`
@ -117,9 +121,6 @@ dontaudit system_mail_t system_crond_tmp_t:file append;
')
') dnl end if sendmail
can_ypbind(system_mail_t)
allow system_mail_t device_t:dir search;
allow system_mail_t { var_t var_spool_t }:dir search;
allow system_mail_t sbin_t:dir search;

View File

@ -77,6 +77,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
dev_read_sysfs(ypbind_t)
fs_getattr_all_fs(ypbind_t)
fs_search_auto_mountpoints(ypbind_t)
term_dontaudit_use_console(ypbind_t)
@ -121,7 +122,6 @@ ifdef(`TODO',`
allow ypbind_t proc_t:dir r_dir_perms;
allow ypbind_t proc_t:lnk_file read;
allow ypbind_t autofs_t:dir { search getattr };
dontaudit ypbind_t sysadm_home_dir_t:dir search;
can_udp_send(ypbind_t, portmap_t)
@ -172,6 +172,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
dev_read_sysfs(ypserv_t)
fs_getattr_all_fs(ypserv_t)
fs_search_auto_mountpoints(ypserv_t)
term_dontaudit_use_console(ypserv_t)
@ -214,7 +215,6 @@ rhgb_domain(ypserv_t)
allow ypserv_t proc_t:dir r_dir_perms;
allow ypserv_t proc_t:lnk_file read;
allow ypserv_t autofs_t:dir { search getattr };
dontaudit ypserv_t sysadm_home_dir_t:dir search;
# Send to portmap and initrc.

View File

@ -54,8 +54,14 @@ selinux_compute_user_contexts(remote_login_t)
dev_read_urand(remote_login_t)
fs_getattr_xattr_fs(remote_login_t)
fs_search_auto_mountpoints(remote_login_t)
init_rw_script_pid(remote_login_t)
auth_domtrans_chk_passwd(remote_login_t)
auth_dontaudit_read_shadow(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_lastlog(remote_login_t)
auth_exec_pam(remote_login_t)
auth_manage_pam_console_data(remote_login_t)
domain_read_all_entry_files(remote_login_t)
@ -64,6 +70,8 @@ files_read_etc_runtime_files(remote_login_t)
files_list_home(remote_login_t)
files_read_usr_files(remote_login_t)
init_rw_script_pid(remote_login_t)
libs_use_ld_so(remote_login_t)
libs_use_shared_libs(remote_login_t)
@ -72,15 +80,10 @@ logging_send_syslog_msg(remote_login_t)
seutil_read_config(remote_login_t)
seutil_read_default_contexts(remote_login_t)
auth_domtrans_chk_passwd(remote_login_t)
auth_dontaudit_read_shadow(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_lastlog(remote_login_t)
auth_exec_pam(remote_login_t)
auth_manage_pam_console_data(remote_login_t)
miscfiles_read_localization(remote_login_t)
userdom_use_unpriv_users_fd(remote_login_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(remote_login_t)
fs_read_nfs_symlinks(remote_login_t)
@ -91,13 +94,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(remote_login_t)
')
ifdef(`TODO',`
allow remote_login_t unpriv_userdomain:fd use;
can_ypbind(remote_login_t)
ifdef(`automount.te', `
allow remote_login_t autofs_t:dir { search getattr };
optional_policy(`nis.te',`
nis_use_ypbind(remote_login_t)
')
ifdef(`TODO',`
allow remote_login_t bin_t:dir r_dir_perms;
allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
allow remote_login_t sbin_t:dir r_dir_perms;
@ -123,7 +125,6 @@ allow remote_login_t device_t:lnk_file r_file_perms;
dontaudit remote_login_t sysfs_t:dir search;
allow remote_login_t autofs_t:dir r_dir_perms;
allow remote_login_t mnt_t:dir r_dir_perms;
# FIXME: what is this for?

View File

@ -57,43 +57,48 @@ corenet_tcp_bind_smtp_port(sendmail_t)
dev_read_urand(sendmail_t)
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
term_dontaudit_use_console(sendmail_t)
domain_use_wide_inherit_fd(sendmail_t)
files_read_generic_etc_files(sendmail_t)
files_search_spool(sendmail_t)
init_use_fd(sendmail_t)
init_use_script_pty(sendmail_t)
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_read_script_pid(sendmail_t)
init_dontaudit_write_script_pid(sendmail_t)
domain_use_wide_inherit_fd(sendmail_t)
files_read_generic_etc_files(sendmail_t)
files_search_spool(sendmail_t)
logging_send_syslog_msg(sendmail_t)
libs_use_ld_so(sendmail_t)
libs_use_shared_libs(sendmail_t)
# Read /usr/lib/sasl2/.*
libs_read_lib(sendmail_t)
logging_send_syslog_msg(sendmail_t)
miscfiles_read_localization(sendmail_t)
sysnet_read_config(sendmail_t)
# Write to /etc/aliases and /etc/mail.
mta_rw_aliases(sendmail_t)
# Write to /var/spool/mail and /var/spool/mqueue.
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
sysnet_read_config(sendmail_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(sendmail_t)
term_dontaudit_use_generic_pty(sendmail_t)
files_dontaudit_read_root_file(sendmail_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(sendmail_t)
')
optional_policy(`selinux.te',`
seutil_newrole_sigchld(sendmail_t)
')
@ -105,18 +110,13 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
optional_policy(`rhgb.te', `
allow sendmail_t rhgb_t:process sigchld;
allow sendmail_t rhgb_t:fd use;
allow sendmail_t rhgb_t:fifo_file { read write };
rhgb_domain(sendmail_t)
')
allow sendmail_t proc_t:dir r_dir_perms;
allow sendmail_t proc_t:lnk_file read;
dontaudit sendmail_t unpriv_userdomain:fd use;
allow sendmail_t autofs_t:dir { search getattr };
dontaudit sendmail_t sysadm_home_dir_t:dir search;
can_ypbind(sendmail_t)
#
# Need this transition to create /etc/aliases.db
#
@ -144,7 +144,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear
# Run procmail in its own domain, if defined.
ifdef(`procmail.te',`
corecmd_search_bin(sendmail_t)
procmail_transition(sendmail_t)
procmail_domtrans(sendmail_t)
domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
')

View File

@ -98,6 +98,7 @@ template(`ssh_per_userdomain_template',`
dev_read_urand($1_ssh_t)
fs_getattr_all_fs($1_ssh_t)
fs_search_auto_mountpoints($1_ssh_t)
# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell($1_ssh_t)
@ -124,8 +125,6 @@ template(`ssh_per_userdomain_template',`
userdom_use_unpriv_users_fd($1_ssh_t)
nis_use_ypbind($1_ssh_t)
tunable_policy(`use_dns',`
allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
corenet_udp_sendrecv_all_if($1_ssh_t)
@ -149,10 +148,11 @@ template(`ssh_per_userdomain_template',`
corenet_tcp_bind_ssh_port($1_ssh_t)
')
ifdef(`TODO',`
can_ypbind($1_ssh_t)
optional_policy(`nis.te',`
nis_use_ypbind($1_ssh_t)
')
allow $1_ssh_t autofs_t:dir { search getattr };
ifdef(`TODO',`
allow $1 sbin_t:dir r_dir_perms;
allow $1 sbin_t:notdevfile_class_set r_file_perms;
@ -244,6 +244,8 @@ template(`ssh_per_userdomain_template',`
dev_read_urand($1_ssh_agent_t)
dev_read_rand($1_ssh_agent_t)
fs_search_auto_mountpoints($1_ssh_agent_t)
domain_use_wide_inherit_fd($1_ssh_agent_t)
files_read_generic_etc_files($1_ssh_agent_t)
@ -265,6 +267,10 @@ template(`ssh_per_userdomain_template',`
fs_manage_cifs_files($1_ssh_agent_t)
}
optional_policy(`nis.te',`
nis_use_ypbind($1_ssh_agent_t)
')
ifdef(`TODO',`
# Write to the user domain tty.
@ -275,9 +281,6 @@ template(`ssh_per_userdomain_template',`
# allow ps to show ssh
can_ps($1_t, $1_ssh_agent_t)
can_ypbind($1_ssh_agent_t)
allow $1_ssh_agent_t autofs_t:dir { search getattr };
allow $1_ssh_agent_t proc_t:dir search;
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
@ -449,7 +452,6 @@ template(`sshd_program_domain', `
allow $1_t var_t:dir getattr;
allow $1_t { home_root_t home_dir_type }:dir getattr;
allow $1_t autofs_t:dir { search getattr };
dontaudit sshd_t userpty_type:chr_file relabelfrom;

View File

@ -112,6 +112,9 @@ tunable_policy(`run_ssh_inetd',`
# for when the network connection breaks after running newrole -r sysadm_r
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
optional_policy(`rpm.te',`
allow sshd_t rpm_script_t:fd use;
')
') dnl endif TODO
#################################
@ -187,6 +190,8 @@ files_create_etc_config(ssh_keygen_t,sshd_key_t,file)
kernel_read_kernel_sysctl(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
dev_read_sysfs(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)
@ -231,7 +236,3 @@ optional_policy(`selinux.te',`
optional_policy(`udev.te', `
udev_read_db(ssh_keygen_t)
')
ifdef(`TODO',`
allow ssh_keygen_t autofs_t:dir { search getattr };
')

View File

@ -67,7 +67,6 @@ template(`authlogin_per_userdomain_template',`
seutil_read_config($1_chkpwd_t)
#can_ypbind($1_chkpwd_t)
#can_kerberos($1_chkpwd_t)
#can_ldap($1_chkpwd_t)
@ -97,6 +96,10 @@ template(`authlogin_per_userdomain_template',`
sysnet_read_config($1_chkpwd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind($1_chkpwd_t)
')
optional_policy(`selinux.te',`
seutil_use_newrole_fd($1_chkpwd_t)
')
@ -173,9 +176,6 @@ interface(`auth_domtrans_chk_passwd',`
allow system_chkpwd_t $1:process sigchld;
dontaudit $1 shadow_t:file { getattr read };
#can_ypbind($1_t)
#can_kerberos($1_t)
#can_ldap($1_t)
tunable_policy(`use_dns',`
allow $1 self:udp_socket create_socket_perms;
@ -187,6 +187,13 @@ interface(`auth_domtrans_chk_passwd',`
corenet_udp_sendrecv_dns_port($1)
sysnet_read_config($1)
')
#can_kerberos($1)
#can_ldap($1)
optional_policy(`nis.te',`
nis_use_ypbind($1)
')
')
########################################

View File

@ -93,6 +93,8 @@ files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
kernel_read_system_state(pam_t)
fs_search_auto_mountpoints(pam_t)
term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)
@ -112,12 +114,11 @@ optional_policy(`locallogin.te',`
locallogin_use_fd(pam_t)
')
ifdef(`TODO',`
can_ypbind(pam_t)
ifdef(`automount.te', `
allow pam_t autofs_t:dir { search getattr };
optional_policy(`nis.te',`
nis_use_ypbind(pam_t)
')
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
') dnl endif TODO
@ -156,6 +157,8 @@ dev_setattr_snd_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
fs_search_auto_mountpoints(pam_console_t)
storage_getattr_fixed_disk(pam_console_t)
storage_setattr_fixed_disk(pam_console_t)
storage_getattr_removable_device(pam_console_t)
@ -210,11 +213,8 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
optional_policy(`rhgb.te', `
allow pam_console_t rhgb_t:process sigchld;
allow pam_console_t rhgb_t:fd use;
allow pam_console_t rhgb_t:fifo_file { read write };
rhgb_domain(pam_console_t)
')
allow pam_console_t autofs_t:dir { search getattr };
allow pam_console_t apm_bios_t:chr_file { getattr setattr };
@ -268,8 +268,11 @@ tunable_policy(`use_dns',`
sysnet_read_config(system_chkpwd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(system_chkpwd_t)
')
ifdef(`TODO',`
can_ypbind(system_chkpwd_t)
can_kerberos(system_chkpwd_t)
can_ldap(system_chkpwd_t)
@ -303,10 +306,10 @@ libs_use_shared_libs(utempter_t)
logging_search_logs(utempter_t)
ifdef(`TODO',`
# Allow utemper to write to /tmp/.xses-*
allow utempter_t user_tmpfile:file { getattr write append };
userdom_write_unpriv_user_tmp(utempter_t)
ifdef(`TODO',`
ifdef(`xdm.te', `
allow utempter_t xdm_t:fd use;
allow utempter_t xdm_t:fifo_file { write getattr };

View File

@ -35,6 +35,7 @@ dev_read_sysfs(hwclock_t)
dev_rw_realtime_clock(hwclock_t)
fs_getattr_xattr_fs(hwclock_t)
fs_search_auto_mountpoints(hwclock_t)
term_dontaudit_use_console(hwclock_t)
term_use_unallocated_tty(hwclock_t)
@ -81,13 +82,9 @@ allow hwclock_t proc_t:dir r_dir_perms;
allow hwclock_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
allow hwclock_t rhgb_t:process sigchld;
allow hwclock_t rhgb_t:fd use;
allow hwclock_t rhgb_t:fifo_file rw_file_perms;
rhgb_domain(hwclock_t)
')
allow hwclock_t autofs_t:dir { search getattr };
optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
optional_policy(`apmd.te', `

View File

@ -11,7 +11,6 @@ type hostname_exec_t;
init_system_domain(hostname_t,hostname_exec_t)
role system_r types hostname_t;
########################################
#
# Local policy
@ -31,6 +30,7 @@ kernel_dontaudit_use_fd(hostname_t)
dev_read_sysfs(hostname_t)
fs_getattr_xattr_fs(hostname_t)
fs_search_auto_mountpoints(hostname_t)
term_dontaudit_use_console(hostname_t)
term_use_all_user_ttys(hostname_t)
@ -96,11 +96,7 @@ allow hostname_t proc_t:dir { read getattr lock search ioctl };
allow hostname_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
allow hostname_t rhgb_t:process sigchld;
allow hostname_t rhgb_t:fd use;
allow hostname_t rhgb_t:fifo_file { read write };
rhgb_domain(hostname_t)
')
allow hostname_t autofs_t:dir { search getattr };
##end daemon_base_domain
') dnl end TODO

View File

@ -65,6 +65,7 @@ dev_setattr_snd_dev(hotplug_t)
dev_read_urand(hotplug_t)
fs_getattr_all_fs(hotplug_t)
fs_search_auto_mountpoints(hotplug_t)
storage_setattr_fixed_disk(hotplug_t)
storage_setattr_removable_device(hotplug_t)
@ -142,6 +143,10 @@ optional_policy(`mta.te', `
mta_send_mail(hotplug_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(hotplug_t)
')
optional_policy(`selinux.te',`
seutil_newrole_sigchld(hotplug_t)
')
@ -160,17 +165,13 @@ optional_policy(`updfstab.te', `
')
ifdef(`TODO',`
allow hotplug_t autofs_t:dir { search getattr };
dontaudit hotplug_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te',`
allow hotplug_t rhgb_t:process sigchld;
allow hotplug_t rhgb_t:fd use;
allow hotplug_t rhgb_t:fifo_file { read write };
rhgb_domain(hotplug_t)
')
allow kernel_t hotplug_etc_t:dir search;
can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
# for ps
@ -181,7 +182,7 @@ optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
')
# this goes to hald:
# this block goes to hald:
optional_policy(`hotplug.te',`
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };

View File

@ -46,6 +46,7 @@ kernel_use_fd(iptables_t)
dev_read_sysfs(iptables_t)
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
term_dontaudit_use_console(iptables_t)
@ -71,6 +72,13 @@ sysnet_domtrans_ifconfig(iptables_t)
userdom_use_all_user_fd(iptables_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(iptables_t)
term_dontaudit_use_generic_pty(iptables_t)
files_dontaudit_read_root_file(iptables_t)
')
tunable_policy(`use_dns',`
allow iptables_t self:udp_socket create_socket_perms;
@ -89,6 +97,11 @@ optional_policy(`modutils.te', `
modutils_domtrans_insmod(iptables_t)
')
optional_policy(`nis.te',`
# for iptables -L
nis_use_ypbind(iptables_t)
')
optional_policy(`selinux.te',`
seutil_newrole_sigchld(iptables_t)
')
@ -97,26 +110,11 @@ optional_policy(`udev.te', `
udev_read_db(iptables_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(iptables_t)
term_dontaudit_use_generic_pty(iptables_t)
files_dontaudit_read_root_file(iptables_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te',`
allow iptables_t rhgb_t:process sigchld;
allow iptables_t rhgb_t:fd use;
allow iptables_t rhgb_t:fifo_file rw_file_perms;
rhgb_domain(iptables_t)
')
allow iptables_t autofs_t:dir { search getattr };
# for iptables -L
can_ypbind(iptables_t)
optional_policy(`gnome-pty-helper.te',`
allow iptables_t sysadm_gph_t:fd use;
')

View File

@ -71,6 +71,8 @@ dev_dontaudit_setattr_scanner(local_login_t)
# for SSP/ProPolice
dev_read_urand(local_login_t)
fs_search_auto_mountpoints(local_login_t)
selinux_get_fs_mount(local_login_t)
selinux_validate_context(local_login_t)
selinux_compute_access_vector(local_login_t)
@ -126,6 +128,13 @@ userdom_use_unpriv_users_fd(local_login_t)
# Search for mail spool file.
mta_getattr_spool(local_login_t)
# Red Hat systems seem to have a stray
# fd open from the initrd
ifdef(`distro_redhat',`
kernel_dontaudit_use_fd(local_login_t)
files_dontaudit_read_root_file(local_login_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(local_login_t)
fs_read_nfs_symlinks(local_login_t)
@ -136,20 +145,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd(local_login_t)
files_dontaudit_read_root_file(local_login_t)
optional_policy(`nis.te',`
nis_use_ypbind(local_login_t)
')
ifdef(`TODO',`
can_ypbind(local_login_t)
ifdef(`automount.te', `
allow local_login_t autofs_t:dir { search getattr };
')
allow local_login_t bin_t:dir r_dir_perms;
allow local_login_t bin_t:notdevfile_class_set r_file_perms;
allow local_login_t sbin_t:dir r_dir_perms;
@ -170,7 +171,6 @@ allow local_login_t var_t:lnk_file read;
dontaudit local_login_t sysfs_t:dir search;
allow local_login_t autofs_t:dir r_dir_perms;
allow local_login_t mnt_t:dir r_dir_perms;
# FIXME: what is this for?
@ -221,12 +221,14 @@ allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t)
init_get_script_process_group(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
files_read_generic_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dir(sulogin_t)
init_get_script_process_group(sulogin_t)
libs_use_ld_so(sulogin_t)
libs_use_shared_libs(sulogin_t)
@ -259,14 +261,11 @@ ifdef(`sulogin_no_pam', `
selinux_compute_user_contexts(sulogin_t)
')
ifdef(`TODO',`
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
can_ypbind(sulogin_t)
ifdef(`automount.te', `
allow sulogin_t autofs_t:dir { search getattr };
optional_policy(`nis.te',`
nis_use_ypbind(sulogin_t)
')
ifdef(`TODO',`
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
') dnl endif TODO

View File

@ -63,6 +63,7 @@ kernel_read_kernel_sysctl(auditd_t)
dev_read_sysfs(auditd_t)
fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
term_dontaudit_use_console(auditd_t)
@ -80,6 +81,8 @@ libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t)
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(auditd_t)
term_dontaudit_use_generic_pty(auditd_t)
@ -97,15 +100,13 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
allow auditd_t proc_t:dir r_dir_perms;
allow auditd_t proc_t:lnk_file read;
dontaudit auditd_t unpriv_userdomain:fd use;
allow auditd_t autofs_t:dir { search getattr };
dontaudit auditd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
allow auditd_t rhgb_t:process sigchld;
allow auditd_t rhgb_t:fd use;
allow auditd_t rhgb_t:fifo_file { read write };
rhgb_domain(auditd_t)
')
dontaudit auditd_t sysadm_home_dir_t:dir search;
# cjp: this is questionable:
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
') dnl endif TODO
@ -192,6 +193,8 @@ kernel_read_kernel_sysctl(syslogd_t)
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
term_dontaudit_use_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@ -250,6 +253,14 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(syslogd_t)
')
optional_policy(`cron.te',`
cron_rw_log(syslogd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(syslogd_t)
')
optional_policy(`selinux.te',`
seutil_newrole_sigchld(syslogd_t)
')
@ -258,18 +269,11 @@ optional_policy(`udev.te', `
udev_read_db(syslogd_t)
')
optional_policy(`cron.te',`
cron_rw_log(syslogd_t)
')
ifdef(`TODO',`
allow syslogd_t proc_t:lnk_file read;
allow syslogd_t autofs_t:dir { search getattr };
dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
allow syslogd_t rhgb_t:process sigchld;
allow syslogd_t rhgb_t:fd use;
allow syslogd_t rhgb_t:fifo_file { read write };
rhgb_domain(syslogd_t)
')
tunable_policy(`direct_sysadm_daemon',`
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
@ -280,9 +284,6 @@ ifdef(`distro_suse', `
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
')
# can_network is for the UDP socket
can_ypbind(syslogd_t)
# log to the xconsole
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };

View File

@ -101,6 +101,7 @@ dev_dontaudit_getattr_generic_pipe(lvm_t)
term_dontaudit_getattr_all_user_ttys(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
# LVM creates block devices in /dev/mapper or /dev/<vg>
# depending on its version
@ -157,9 +158,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
allow lvm_t autofs_t:dir { search getattr };
allow lvm_t default_context_t:dir search;
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };

View File

@ -44,6 +44,7 @@ fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_xattr_fs(mount_t)
fs_search_auto_mountpoints(mount_t)
term_use_console(mount_t)
@ -88,7 +89,6 @@ ifdef(`distro_redhat',`
optional_policy(`portmap.te', `
# for nfs
#can_ypbind(mount_t)
#allow portmap_t mount_t:udp_socket { sendto recvfrom };
#allow mount_t portmap_t:udp_socket { sendto recvfrom };
#allow mount_t rpc_pipefs_t:dir search;
@ -106,6 +106,10 @@ optional_policy(`portmap.te', `
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
corenet_udp_bind_reserved_port(mount_t)
optional_policy(`nis.te',`
nis_use_ypbind(mount_t)
')
')
ifdef(`TODO',`
@ -127,13 +131,7 @@ allow mount_t sysadm_gph_t:fd use;
')
optional_policy(`rhgb.te', `
allow mount_t rhgb_t:process sigchld;
allow mount_t rhgb_t:fd use;
allow mount_t rhgb_t:fifo_file { read write };
')
optional_policy(`automount.te', `
allow mount_t autofs_t:dir read;
rhgb_domain(mount_t)
')
') dnl endif TODO

View File

@ -195,6 +195,7 @@ kernel_read_kernel_sysctl(newrole_t)
dev_read_urand(newrole_t)
fs_getattr_xattr_fs(newrole_t)
fs_search_auto_mountpoints(newrole_t)
selinux_get_fs_mount(newrole_t)
selinux_validate_context(newrole_t)
@ -234,13 +235,11 @@ if(secure_mode) {
userdom_spec_domtrans_all_users(newrole_t)
}
ifdef(`TODO',`
can_ypbind(newrole)
ifdef(`automount.te', `
allow newrole_t autofs_t:dir { search getattr };
optional_policy(`nis.te',`
nis_use_ypbind(newrole_t)
')
ifdef(`TODO',`
# for when the user types "exec newrole" at the command line
allow newrole_t privfd:process sigchld;

View File

@ -105,6 +105,7 @@ dev_read_sysfs(dhcpc_t)
dev_read_urand(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
term_dontaudit_use_console(dhcpc_t)
term_dontaudit_use_all_user_ttys(dhcpc_t)
@ -152,10 +153,23 @@ optional_policy(`hostname.te',`
hostname_domtrans(dhcpc_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(dhcpc_t)
# dhclient sometimes starts ypbind
init_exec_script(dhcpc_t)
#nis_domtrans_ypbind(dhcpc_t)
')
optional_policy(`nscd.te',`
nscd_domtrans(dhcpc_t)
')
optional_policy(`ntpd.te',`
# dhclient sometimes starts ntpd
init_exec_script(dhcpc_t)
ntpd_domtrans(dhcpc_t)
')
optional_policy(`selinux.te',`
seutil_newrole_sigchld(dhcpc_t)
')
@ -168,29 +182,13 @@ optional_policy(`userdomain.te',`
userdom_use_all_user_fd(dhcpc_t)
')
#
# dhclient sometimes starts ypbind and ntpd
#
init_exec_script(dhcpc_t)
optional_policy(`ypbind.te',`
ypbind_domtrans(dhcpc_t)
')
optional_policy(`ntpd.te',`
ntpd_domtrans(dhcpc_t)
')
ifdef(`TODO',`
allow dhcpc_t autofs_t:dir { search getattr };
dontaudit dhcpc_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te',`
allow dhcpc_t rhgb_t:process sigchld;
allow dhcpc_t rhgb_t:fd use;
allow dhcpc_t rhgb_t:fifo_file { read write };
rhgb_domain(dhcpc_t)
')
can_ypbind(dhcpc_t)
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
@ -208,15 +206,17 @@ logging_syslogd_transition(dhcpc_t)
')dnl end hotplug.te
# for the dhcp client to run ping to check IP addresses
ifdef(`ping.te', `
domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
ifdef(`hotplug.te',`
optional_policy(`netutils.te',`
netutils_domtrans_ping(dhcpc_t)
optional_policy(`hotplug.te',`
allow ping_t hotplug_t:fd use;
') dnl end if hotplug
')
ifdef(`cardmgr.te',`
allow ping_t cardmgr_t:fd use;
') dnl end if cardmgr
') dnl end if ping
')
')
ifdef(`distro_redhat', `
allow initrc_t dhcp_etc_t:file rw_file_perms;
@ -266,6 +266,7 @@ kernel_dontaudit_search_sysctl_dir(ifconfig_t)
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
@ -289,22 +290,18 @@ seutil_use_runinit_fd(ifconfig_t)
userdom_use_all_user_fd(ifconfig_t)
ifdef(`TODO',`
can_ypbind(ifconfig_t)
ifdef(`automount.te', `
allow ifconfig_t autofs_t:dir { search getattr };
optional_policy(`nis.te',`
nis_use_ypbind(ifconfig_t)
')
# Access terminals.
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
optional_policy(`rhgb.te', `
allow ifconfig_t rhgb_t:process sigchld;
allow ifconfig_t rhgb_t:fd use;
allow ifconfig_t rhgb_t:fifo_file { read write };
rhgb_domain(ifconfig_t)
')
') dnl endif TODO

View File

@ -137,6 +137,7 @@ template(`base_user_domain',`
fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
fs_search_auto_mountpoints($1_t)
# for eject
storage_getattr_fixed_disk($1_t)
@ -204,6 +205,10 @@ template(`base_user_domain',`
term_getattr_all_user_ttys($1_t)
')
optional_policy(`nis.te',`
nis_use_ypbind($1_t)
')
optional_policy(`usermanage.te',`
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@ -251,8 +256,6 @@ template(`base_user_domain',`
r_dir_file($1_t, usercanread)
can_ypbind($1_t)
tunable_policy(`allow_execmod',`
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1_t texrel_shlib_t:file execmod;
@ -271,8 +274,6 @@ template(`base_user_domain',`
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
dontaudit $1_t proc_fs:dir { read search };
allow $1_t autofs_t:dir { getattr search };
can_exec($1_t, { removable_t noexattrfile } )
tunable_policy(`user_rw_noexattrfile',`
@ -299,8 +300,6 @@ template(`base_user_domain',`
can_resmgrd_connect($1_t)
can_ypbind($1_t)
allow $1_t var_lock_t:dir search;
# Grant permissions to access the system DBus
@ -385,10 +384,6 @@ template(`base_user_domain',`
allow $1_t apmd_var_run_t:sock_file write;
')
ifdef(`automount.te', `
allow $1_t autofs_t:dir { getattr search };
')
ifdef(`pamconsole.te', `
allow $1_t pam_var_console_t:dir search;
')
@ -418,7 +413,7 @@ template(`user_domain_template', `
#typeattribute $1_home_dir_t user_home_dir_type;
#typeattribute $1_home_t user_home_type;
#typeattribute $1_tmp_t, user_tmpfile;
typeattribute $1_tmp_t user_tmpfile;
#typeattribute $1_tty_device_t user_tty_type;
@ -808,11 +803,11 @@ template(`admin_domain_template',`
')
########################################
## <desc>
## <summary>
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -826,11 +821,11 @@ interface(`userdom_spec_domtrans_all_users',`
')
########################################
## <desc>
## <summary>
## Execute a shell in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -844,9 +839,9 @@ interface(`userdom_spec_domtrans_unpriv_users',`
')
########################################
## <desc>
## <summary>
## Execute a shell in the sysadm domain.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -860,9 +855,9 @@ interface(`userdom_shell_domtrans_sysadm',`
')
########################################
## <desc>
## <summary>
## Read and write sysadm ttys.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -879,9 +874,9 @@ interface(`userdom_use_sysadm_tty',`
')
########################################
## <desc>
## <summary>
## Read and write sysadm ttys and ptys.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -898,9 +893,9 @@ interface(`userdom_use_sysadm_terms',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts to use admin ttys and ptys.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -915,9 +910,9 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
')
########################################
## <desc>
## <summary>
## Search all users home directories.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -933,9 +928,9 @@ interface(`userdom_search_all_users_home',`
')
########################################
## <desc>
## <summary>
## Read all files in all users home directories.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -953,9 +948,26 @@ interface(`userdom_read_all_user_data',`
')
########################################
## <desc>
## <summary>
## Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_write_unpriv_user_tmp',`
gen_require(`
attribute user_tmpfile;
class file { getattr write append };
')
allow $1 user_tmpfile:file { getattr write append };
')
########################################
## <summary>
## Inherit the file descriptors from all user domains
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -970,9 +982,9 @@ interface(`userdom_use_all_user_fd',`
')
########################################
## <desc>
## <summary>
## Send general signals to all user domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -987,9 +999,9 @@ interface(`userdom_signal_all_users',`
')
########################################
## <desc>
## <summary>
## Send general signals to unprivileged user domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -1004,9 +1016,9 @@ interface(`userdom_signal_unpriv_users',`
')
########################################
## <desc>
## Inherit the file descriptors from all user domains.
## </desc>
## <summary>
## Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -1021,10 +1033,10 @@ interface(`userdom_use_unpriv_users_fd',`
')
########################################
## <desc>
## <summary>
## Do not audit attempts to inherit the
## file descriptors from all user domains.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>

View File

@ -20,6 +20,9 @@ attribute home_type;
# a user in writing regular files)
attribute privhome;
# all unprivileged users tmp files
attribute user_tmpfile;
# all user domains
attribute userdomain;
@ -107,6 +110,12 @@ optional_policy(`mount.te',`
mount_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`netutils.te',`
netutils_run(sysadm_t,sysadm_r,admin_terminal)
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`rpm.te',`
rpm_run(sysadm_t,sysadm_r,admin_terminal)
')