Fix more TODOs; change `selinux.te` to `selinuxutil.te` in optional_policy blocks
This commit is contained in:
parent
34bbe50d50
commit
ae9e2716c3
@ -58,7 +58,7 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(dmesg_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(dmesg_t)
|
||||
')
|
||||
|
||||
|
@ -164,6 +164,25 @@ interface(`dev_relabel_dev_dirs',`
|
||||
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write generic files in /dev.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_rw_generic_file',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class dir search;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir search;
|
||||
allow $1 device_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dontaudit getattr on generic pipes.
|
||||
@ -328,6 +347,24 @@ interface(`dev_dontaudit_setattr_generic_chr_file',`
|
||||
dontaudit $1 device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to set the attributes
|
||||
## of symbolic links in device directories (/dev).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_dontaudit_setattr_generic_symlink',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
class lnk_file setattr;
|
||||
')
|
||||
|
||||
dontaudit $1 device_t:lnk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete symbolic links in device directories.
|
||||
|
@ -1705,6 +1705,24 @@ interface(`fs_set_all_quotas',`
|
||||
allow $1 filesystem_type:filesystem quotamod;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List all directories with a filesystem type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_list_all',`
|
||||
gen_require(`
|
||||
attribute filesystem_type;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 filesystem_type:dir r_dir_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# fs_getattr_all_files(type)
|
||||
|
@ -121,6 +121,57 @@ interface(`kernel_dontaudit_use_fd',`
|
||||
dontaudit $1 kernel_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <system>
|
||||
## Read and write kernel unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_pipe',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class fifo_file { read write };
|
||||
')
|
||||
|
||||
allow $1 kernel_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write kernel unix datagram sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_rw_unix_dgram_socket',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class unix_dgram_socket { read write ioctl };
|
||||
')
|
||||
|
||||
allow $1 kernel_t:unix_dgram_socket { read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send messages to kernel unix datagram sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_sendto_unix_dgram_socket',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
allow $1 kernel_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows caller to load kernel modules
|
||||
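Review bot: The documentation header of the new `kernel_rw_pipe` interface opens with `## <system>` but closes with `## </summary>`, so the XML doc block for this interface is malformed; the opening line should read `## <summary>`. The two unix_dgram_socket interfaces added just below it in the same hunk use the correct tag pair and can serve as the template. Separately, `kernel_rw_unix_dgram_socket` grants `ioctl` alongside `read write`; if that is intended, the summary line could say so (e.g. `## Read, write, and ioctl kernel unix datagram sockets.`) so callers know the interface is wider than its name suggests.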
@ -1046,20 +1097,19 @@ interface(`kernel_sigchld_unlabeled',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to get attributes for
|
||||
## unlabeled block devices.
|
||||
## List unlabeled directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
|
||||
interface(`kernel_list_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
class blk_file getattr;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:blk_file getattr;
|
||||
allow $1 unlabeled_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1079,6 +1129,24 @@ interface(`kernel_rw_unlabeled_dir',`
|
||||
allow $1 unlabeled_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to get attributes for
|
||||
## unlabeled block devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type not to audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write unlabeled block device nodes.
|
||||
|
@ -120,7 +120,7 @@ optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(inetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(inetd_t)
|
||||
')
|
||||
|
||||
|
@ -130,7 +130,7 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(kadmind_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(kadmind_t)
|
||||
')
|
||||
|
||||
@ -231,7 +231,7 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(krb5kdc_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(krb5kdc_t)
|
||||
')
|
||||
|
||||
|
@ -110,7 +110,7 @@ optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(ypbind_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(ypbind_t)
|
||||
')
|
||||
|
||||
@ -199,7 +199,7 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(ypserv_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(ypserv_t)
|
||||
')
|
||||
|
||||
|
@ -99,7 +99,7 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(sendmail_t)
|
||||
')
|
||||
|
||||
|
@ -223,7 +223,7 @@ optional_policy(`rhgb.te', `
|
||||
rhgb_domain(ssh_keygen_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(ssh_keygen_t)
|
||||
')
|
||||
|
||||
|
@ -103,7 +103,7 @@ template(`authlogin_per_userdomain_template',`
|
||||
nis_use_ypbind($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_use_newrole_fd($1_chkpwd_t)
|
||||
')
|
||||
|
||||
|
@ -207,7 +207,7 @@ optional_policy(`hotplug.te', `
|
||||
hotplug_dontaudit_search_config(pam_console_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(pam_console_t)
|
||||
')
|
||||
|
||||
@ -314,9 +314,9 @@ logging_search_logs(utempter_t)
|
||||
# Allow utemper to write to /tmp/.xses-*
|
||||
userdom_write_unpriv_user_tmp(utempter_t)
|
||||
|
||||
optional_policy(`xserver.te', `
|
||||
optional_policy(`xdm.te', `
|
||||
#allow utempter_t xdm_t:fd use;
|
||||
xserver_use_xdm_fd(utempter_t)
|
||||
xdm_use_fd(utempter_t)
|
||||
#allow utempter_t xdm_t:fifo_file { write getattr };
|
||||
xdm_write_fifo(utempter_t)
|
||||
')
|
||||
|
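Review bot: The two commented-out raw rules `#allow utempter_t xdm_t:fd use;` and `#allow utempter_t xdm_t:fifo_file { write getattr };` are now fully expressed by the `xdm_use_fd(utempter_t)` and `xdm_write_fifo(utempter_t)` calls that follow them, so they only duplicate the interface calls and will drift from them over time. Dropping the two comment lines keeps the xdm block consistent with the rest of this commit, which replaces raw allow rules with interfaces rather than keeping them as commentary.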
@ -66,7 +66,7 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(hwclock_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(hwclock_t)
|
||||
')
|
||||
|
||||
|
@ -50,6 +50,7 @@ interface(`corecmd_list_bin',`
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_getattr_bin_file',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
@ -59,6 +60,25 @@ interface(`corecmd_getattr_bin_file',`
|
||||
allow $1 bin_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in bin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_bin_file',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
class dir search;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in bin directories.
|
||||
@ -66,15 +86,54 @@ interface(`corecmd_getattr_bin_file',`
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_bin_symlink',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
class dir search;
|
||||
class lnk_file read;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:lnk_file read;
|
||||
allow $1 bin_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read pipes in bin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_bin_pipe',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
class dir search;
|
||||
class fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read named sockets in bin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_bin_socket',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
class dir search;
|
||||
class sock_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search;
|
||||
allow $1 bin_t:sock_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -146,6 +205,25 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
|
||||
dontaudit $1 sbin_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in sbin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_sbin_file',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
class dir search;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in sbin directories.
|
||||
@ -153,15 +231,54 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_sbin_symlink',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
class dir search;
|
||||
class lnk_file read;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:lnk_file read;
|
||||
allow $1 sbin_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read named pipes in sbin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_sbin_pipe',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
class dir search;
|
||||
class fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read named sockets in sbin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_read_sbin_socket',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
class dir search;
|
||||
class sock_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search;
|
||||
allow $1 sbin_t:sock_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -804,6 +804,26 @@ interface(`files_mounton_isid_type_dir',`
|
||||
allow $1 file_t:dir { getattr search mounton };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files on new filesystems
|
||||
## that have not yet been labeled.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_isid_type_file',`
|
||||
gen_require(`
|
||||
type file_t;
|
||||
class dir search;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 file_t:dir search;
|
||||
allow $1 file_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
@ -1028,6 +1048,86 @@ interface(`files_manage_mnt_dirs',`
|
||||
allow $1 mnt_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List world-readable directories.
|
||||
## </summary>
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_world_readable',`
|
||||
gen_require(`
|
||||
type readable_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 readable_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read world-readable files.
|
||||
## </summary>
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_world_readable_files',`
|
||||
gen_require(`
|
||||
type readable_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 readable_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read world-readable symbolic links.
|
||||
## </summary>
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_world_readable_symlinks',`
|
||||
gen_require(`
|
||||
type readable_t;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 readable_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read world-readable named pipes.
|
||||
## </summary>
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_world_readable_pipes',`
|
||||
gen_require(`
|
||||
type readable_t;
|
||||
class fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 readable_t:fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read world-readable sockets.
|
||||
## </summary>
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_world_readable_sockets',`
|
||||
gen_require(`
|
||||
type readable_t;
|
||||
class sock_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 readable_t:sock_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the tmp directory (/tmp)
|
||||
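Review bot: Each of the five new world-readable interfaces in this hunk closes a `</param>` element that was never opened: the `## <param name="domain">` line is missing before `## Domain allowed access.` in `files_list_world_readable`, `files_read_world_readable_files`, `files_read_world_readable_symlinks`, `files_read_world_readable_pipes` and `files_read_world_readable_sockets`. Insert `## <param name="domain">` directly after the `## </summary>` line of each block; the `files_read_isid_type_file` and `files_read_var_symlink` blocks added elsewhere in this commit show the expected shape. Without the opening tag the interface documentation will not parse as valid XML.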
@ -1198,6 +1298,25 @@ interface(`files_read_var_files',`
|
||||
allow $1 var_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in the /var directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_var_symlink',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
class dir search;
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the /var/lib directory.
|
||||
@ -1233,9 +1352,9 @@ interface(`files_manage_urandom_seed',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_search_generic_locks(domain)
|
||||
# files_search_locks(domain)
|
||||
#
|
||||
interface(`files_search_generic_locks',`
|
||||
interface(`files_search_locks',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
type var_lock_t;
|
||||
@ -1245,6 +1364,24 @@ interface(`files_search_generic_locks',`
|
||||
allow $1 { var_t var_lock_t }:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the
|
||||
## locks directory (/var/lock).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_search_locks',`
|
||||
gen_require(`
|
||||
type var_lock_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 var_lock_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_getattr_generic_locks(domain)
|
||||
|
@ -83,6 +83,18 @@ storage_raw_write_removable_device(fsadm_t)
|
||||
storage_read_scsi_generic(fsadm_t)
|
||||
storage_swapon_fixed_disk(fsadm_t)
|
||||
|
||||
corecmd_list_bin(fsadm_t)
|
||||
corecmd_list_sbin(fsadm_t)
|
||||
corecmd_read_bin_symlink(fsadm_t)
|
||||
corecmd_read_sbin_symlink(fsadm_t)
|
||||
# cjp: these are probably not needed:
|
||||
corecmd_read_bin_file(fsadm_t)
|
||||
corecmd_read_bin_pipe(fsadm_t)
|
||||
corecmd_read_bin_socket(fsadm_t)
|
||||
corecmd_read_sbin_file(fsadm_t)
|
||||
corecmd_read_sbin_pipe(fsadm_t)
|
||||
corecmd_read_sbin_socket(fsadm_t)
|
||||
|
||||
domain_use_wide_inherit_fd(fsadm_t)
|
||||
|
||||
files_list_home(fsadm_t)
|
||||
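Review bot: The six `corecmd_read_*` calls placed under `# cjp: these are probably not needed:` grant fsadm_t read access to files, named pipes and sockets in bin/sbin directories while the comment itself doubts the access is required; committing allow rules the author believes are unnecessary runs against least privilege. The rules they replace were parked behind `ifdef(`TODO',...)` in the hunk below, so if `TODO` is undefined at build time (which its use as a parking area suggests) this hunk activates these permissions for the first time rather than preserving them. Consider keeping only the `corecmd_list_*` and `corecmd_read_*_symlink` calls here and adding the file/pipe/socket reads back when an actual denial shows they are needed. The same pattern is introduced for local_login_t later in this commit.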
@ -132,13 +144,5 @@ optional_policy(`nis.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow fsadm_t bin_t:dir r_dir_perms;
|
||||
allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow fsadm_t sbin_t:dir r_dir_perms;
|
||||
allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
|
||||
|
||||
') dnl end TODO
|
||||
|
@ -82,7 +82,7 @@ optional_policy(`hotplug.te',`
|
||||
hotplug_dontaudit_use_fd(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(hostname_t)
|
||||
')
|
||||
|
||||
|
@ -77,9 +77,43 @@ interface(`hotplug_dontaudit_search_config',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Get the attributes of the hotplug configuration directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`hotplug_getattr_config_dir',`
|
||||
gen_require(`
|
||||
type hotplug_etc_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
allow $1 hotplug_etc_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the hotplug configuration directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`hotplug_search_config',`
|
||||
gen_require(`
|
||||
type hotplug_etc_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 hotplug_etc_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the configuration files for hotplug.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
|
@ -111,6 +111,7 @@ mount_domtrans(hotplug_t)
|
||||
sysnet_read_config(hotplug_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(hotplug_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
optional_policy(`netutils.te', `
|
||||
@ -151,7 +152,7 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(hotplug_t)
|
||||
')
|
||||
|
||||
@ -177,7 +178,6 @@ optional_policy(`updfstab.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit hotplug_t sysadm_home_dir_t:dir search;
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(hotplug_t)
|
||||
')
|
||||
|
@ -102,7 +102,7 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(iptables_t)
|
||||
')
|
||||
|
||||
|
@ -68,6 +68,7 @@ dev_dontaudit_getattr_generic_blk_file(local_login_t)
|
||||
dev_dontaudit_setattr_generic_blk_file(local_login_t)
|
||||
dev_dontaudit_getattr_generic_chr_file(local_login_t)
|
||||
dev_dontaudit_setattr_generic_chr_file(local_login_t)
|
||||
dev_dontaudit_setattr_generic_symlink(local_login_t)
|
||||
dev_dontaudit_getattr_misc(local_login_t)
|
||||
dev_dontaudit_setattr_misc(local_login_t)
|
||||
dev_dontaudit_getattr_scanner(local_login_t)
|
||||
@ -107,6 +108,18 @@ auth_rw_faillog(local_login_t)
|
||||
auth_exec_pam(local_login_t)
|
||||
auth_manage_pam_console_data(local_login_t)
|
||||
|
||||
corecmd_list_bin(local_login_t)
|
||||
corecmd_list_sbin(local_login_t)
|
||||
corecmd_read_bin_symlink(local_login_t)
|
||||
corecmd_read_sbin_symlink(local_login_t)
|
||||
# cjp: these are probably not needed:
|
||||
corecmd_read_bin_file(local_login_t)
|
||||
corecmd_read_bin_pipe(local_login_t)
|
||||
corecmd_read_bin_socket(local_login_t)
|
||||
corecmd_read_sbin_file(local_login_t)
|
||||
corecmd_read_sbin_pipe(local_login_t)
|
||||
corecmd_read_sbin_socket(local_login_t)
|
||||
|
||||
domain_read_all_entry_files(local_login_t)
|
||||
|
||||
files_read_etc_files(local_login_t)
|
||||
@ -114,6 +127,13 @@ files_read_etc_runtime_files(local_login_t)
|
||||
files_read_usr_files(local_login_t)
|
||||
files_manage_generic_locks(var_lock_t)
|
||||
files_list_mnt(local_login_t)
|
||||
files_list_world_readable(local_login_t)
|
||||
files_read_world_readable_files(local_login_t)
|
||||
files_read_world_readable_symlinks(local_login_t)
|
||||
files_read_world_readable_pipes(local_login_t)
|
||||
files_read_world_readable_sockets(local_login_t)
|
||||
# for when /var/mail is a symlink
|
||||
files_read_var_symlink(local_login_t)
|
||||
|
||||
init_rw_script_pid(local_login_t)
|
||||
init_dontaudit_use_fd(local_login_t)
|
||||
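Review bot: `files_manage_generic_locks(var_lock_t)` passes the lock file type where every other call in this block passes the domain `local_login_t`; unless that interface is unusual, the argument should be `files_manage_generic_locks(local_login_t)`. This looks like a pre-existing context line rather than part of the change, but since this hunk is replacing the surrounding raw rules with interface calls it is the natural place to correct it. The five `files_*world_readable*` calls and `files_read_var_symlink` added here otherwise match the TODO rules they replace.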
@ -175,22 +195,6 @@ optional_policy(`usermanage.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow local_login_t bin_t:dir r_dir_perms;
|
||||
allow local_login_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow local_login_t sbin_t:dir r_dir_perms;
|
||||
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
# Read directories and files with the readable_t type.
|
||||
# This type is a general type for "world"-readable files.
|
||||
allow local_login_t readable_t:dir r_dir_perms;
|
||||
allow local_login_t readable_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
# for when /var/mail is a sym-link
|
||||
allow local_login_t var_t:lnk_file read;
|
||||
|
||||
dontaudit local_login_t device_t:lnk_file setattr;
|
||||
|
||||
# this goes to xdm:
|
||||
optional_policy(`locallogin.te',`
|
||||
# FIXME: what is this for?
|
||||
@ -200,7 +204,6 @@ optional_policy(`locallogin.te',`
|
||||
optional_policy(`gpm.te',`
|
||||
allow local_login_t gpmctl_t:sock_file { getattr setattr };
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
@ -243,12 +246,14 @@ auth_read_shadow(sulogin_t)
|
||||
userdom_shell_domtrans_sysadm(sulogin_t)
|
||||
userdom_use_unpriv_users_fd(sulogin_t)
|
||||
userdom_use_sysadm_pty(sulogin_t)
|
||||
userdom_search_staff_home_dir(sulogin_t)
|
||||
userdom_search_sysadm_home_dir(sulogin_t)
|
||||
|
||||
# suse and debian do not use pam with sulogin...
|
||||
ifdef(`monolithic_policy',`
|
||||
ifdef(`distro_suse', `define(`sulogin_no_pam')')
|
||||
ifdef(`distro_debian', `define(`sulogin_no_pam')')
|
||||
') dnl end monolithic_policy
|
||||
')
|
||||
|
||||
ifdef(`sulogin_no_pam', `
|
||||
allow sulogin_t self:capability sys_tty_config;
|
||||
@ -266,7 +271,3 @@ ifdef(`sulogin_no_pam', `
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(sulogin_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
||||
') dnl endif TODO
|
||||
|
@ -84,6 +84,7 @@ libs_use_shared_libs(auditd_t)
|
||||
miscfiles_read_localization(auditd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(auditd_t)
|
||||
# cjp: this is questionable
|
||||
userdom_use_sysadm_tty(auditd_t)
|
||||
|
||||
@ -93,7 +94,7 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(auditd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(auditd_t)
|
||||
')
|
||||
|
||||
@ -105,8 +106,6 @@ ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(auditd_t)
|
||||
')
|
||||
|
||||
dontaudit auditd_t sysadm_home_dir_t:dir search;
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -228,6 +227,7 @@ sysnet_read_config(syslogd_t)
|
||||
miscfiles_read_localization(syslogd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
|
||||
|
||||
#
|
||||
# /initrd is not umounted before minilog starts
|
||||
@ -260,7 +260,7 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(syslogd_t)
|
||||
')
|
||||
|
||||
@ -269,7 +269,7 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit syslogd_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(syslogd_t)
|
||||
')
|
||||
|
@ -213,6 +213,4 @@ logging_send_syslog_msg(update_modules_t)
|
||||
|
||||
miscfiles_read_localization(update_modules_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit update_modules_t sysadm_home_dir_t:dir search;
|
||||
') dnl endif TODO
|
||||
userdom_dontaudit_search_sysadm_home_dir(update_modules_t)
|
||||
|
@ -63,6 +63,9 @@ files_unmount_rootfs(mount_t)
|
||||
files_relabelto_all_file_type_fs(mount_t)
|
||||
files_mount_all_file_type_fs(mount_t)
|
||||
files_mount_all_file_type_fs(mount_t)
|
||||
# for when /etc/mtab loses its type
|
||||
# cjp: this seems wrong, the type should probably be etc
|
||||
files_read_isid_type_file(mount_t)
|
||||
|
||||
init_use_fd(mount_t)
|
||||
init_use_script_pty(mount_t)
|
||||
@ -122,9 +125,8 @@ files_mountpoint(var_lib_nfs_t)
|
||||
#allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
|
||||
#allow mount_t sysadm_mount_source_t:file rw_file_perms;
|
||||
|
||||
# TODO: Probably need a macro for reading/unlinking files
|
||||
# for when /etc/mtab loses its type
|
||||
allow mount_t file_t:file { r_file_perms unlink };
|
||||
allow mount_t file_t:file unlink;
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `
|
||||
allow mount_t sysadm_gph_t:fd use;
|
||||
|
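Review bot: The read half of the old `allow mount_t file_t:file { r_file_perms unlink };` rule was moved into `files_read_isid_type_file(mount_t)` in the earlier hunk of this file, but the new `allow mount_t file_t:file unlink;` is left as a raw rule on a type owned by the files module. For consistency with the rest of this commit the unlink should go through a files-module interface as well (a `files_delete_isid_type_file`-style interface, name to be chosen), so that mount.te does not reference `file_t` directly. The earlier hunk also adds `# cjp: this seems wrong, the type should probably be etc` above the read call; if /etc/mtab ending up as file_t is the real problem, the fix is likely a file context or relabel rather than granting access to unlabeled files.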
@ -457,6 +457,24 @@ interface(`seutil_exec_setfiles',`
|
||||
can_exec($1,setfiles_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the SELinux
|
||||
## configuration directory (/etc/selinux).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_dontaudit_search_config',`
|
||||
gen_require(`
|
||||
type selinux_config_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 selinux_config_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# seutil_read_config(domain)
|
||||
|
@ -229,6 +229,8 @@ logging_send_syslog_msg(newrole_t)
|
||||
miscfiles_read_localization(newrole_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(newrole_t)
|
||||
# for some PAM modules and for cwd
|
||||
userdom_dontaudit_search_all_users_home(newrole_t)
|
||||
|
||||
# if secure mode is enabled, then newrole
|
||||
# can only transition to unprivileged users
|
||||
@ -244,9 +246,6 @@ optional_policy(`nis.te',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
|
||||
|
||||
# for some PAM modules and for cwd
|
||||
dontaudit newrole_t { home_root_t home_type }:dir search;
|
||||
') dnl ifdef TODO
|
||||
|
||||
########################################
|
||||
@ -261,9 +260,14 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_use_fd(restorecon_t)
|
||||
kernel_rw_pipe(restorecon_t)
|
||||
kernel_read_system_state(restorecon_t)
|
||||
|
||||
# cjp: why is this needed?
|
||||
dev_rw_generic_file(restorecon_t)
|
||||
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
fs_list_all(restorecon_t)
|
||||
|
||||
selinux_get_fs_mount(restorecon_t)
|
||||
selinux_validate_context(restorecon_t)
|
||||
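Review bot: `dev_rw_generic_file(restorecon_t)` is added with the comment `# cjp: why is this needed?`, and per the interface definition added in this commit it grants `device_t:file rw_file_perms`, which is wider than the `allow restorecon_t device_t:file { read write };` it replaces from the TODO block in the next hunk. Granting read/write on every generic file under /dev to a relabeling tool without a known reason is a least-privilege concern; if no denial justifies it, prefer dropping the call (or a dontaudit) until one does, and record the justification in the comment when one is found. `kernel_rw_pipe(restorecon_t)` and `fs_list_all(restorecon_t)` here correspond one-to-one with the removed TODO rules and look fine.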
@ -305,24 +309,18 @@ ifdef(`distro_redhat', `
|
||||
fs_relabel_tmpfs_chr_dev(restorecon_t)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
udev_donaudit_rw_unix_dgram_socket(restorecon_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_use_fd(restorecon_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that restorecon can not be run!
|
||||
allow restorecon_t lib_t:file { read execute };
|
||||
|
||||
allow restorecon_t fs_type:dir r_dir_perms;
|
||||
|
||||
allow restorecon_t device_t:file { read write };
|
||||
allow restorecon_t kernel_t:fifo_file { read write };
|
||||
|
||||
tunable_policy(`hide_broken_symptoms',`
|
||||
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
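Review bot: The new call `udev_donaudit_rw_unix_dgram_socket(restorecon_t)` appears to misspell `dontaudit` (`donaudit`); if no interface of that name exists, m4 will pass the text through unexpanded and the policy compile will fail on it, so it likely should be `udev_dontaudit_rw_unix_dgram_socket(restorecon_t)`. The surrounding conditional also changes from the removed `tunable_policy(`hide_broken_symptoms',...)` to `ifdef(`hide_broken_symptoms',...)`, which turns a runtime boolean into a build-time switch; please confirm that is intended rather than a side effect of the TODO cleanup. The `ifdef(`TODO',...)` block being deleted here ends at `') dnl endif TODO`, so the whole unit is visible in this hunk.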
@ -380,15 +378,12 @@ ifdef(`targeted_policy',`',`
|
||||
logging_send_syslog_msg(run_init_t)
|
||||
') dnl end ifdef targeted policy
|
||||
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||
domain_entry_file(run_init_t,initrc_exec_t)
|
||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -403,8 +398,10 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_list_unlabeled(setfiles_t)
|
||||
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
fs_list_all(setfiles_t)
|
||||
|
||||
selinux_get_fs_mount(setfiles_t)
|
||||
selinux_validate_context(setfiles_t)
|
||||
@ -449,9 +446,4 @@ ifdef(`TODO',`
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that setfiles can not be run!
|
||||
allow setfiles_t lib_t:file { read execute };
|
||||
|
||||
allow setfiles_t unlabeled_t:dir read;
|
||||
|
||||
allow setfiles_t fs_type:dir r_dir_perms;
|
||||
|
||||
') dnl endif TODO
|
||||
|
@ -121,6 +121,8 @@ domain_use_wide_inherit_fd(dhcpc_t)
|
||||
files_read_etc_files(dhcpc_t)
|
||||
files_read_etc_runtime_files(dhcpc_t)
|
||||
files_search_home(dhcpc_t)
|
||||
files_search_var_lib(dhcpc_t)
|
||||
files_dontaudit_search_locks(dhcpc_t)
|
||||
|
||||
init_use_fd(dhcpc_t)
|
||||
init_use_script_pty(dhcpc_t)
|
||||
@ -135,6 +137,8 @@ miscfiles_read_localization(dhcpc_t)
|
||||
|
||||
modutils_domtrans_insmod(dhcpc_t)
|
||||
|
||||
userdom_dontaudit_search_staff_home_dir(sysadm_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
files_exec_etc_files(dhcpc_t)
|
||||
')
|
||||
@ -154,6 +158,15 @@ optional_policy(`hostname.te',`
|
||||
hostname_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_getattr_config_dir(dhcpc_t)
|
||||
hotplug_search_config(dhcpc_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
logging_syslogd_transition(dhcpc_t)
|
||||
')
|
||||
')
|
||||
|
||||
# for the dhcp client to run ping to check IP addresses
|
||||
optional_policy(`netutils.te',`
|
||||
netutils_domtrans_ping(dhcpc_t)
|
||||
@ -176,8 +189,9 @@ optional_policy(`ntpd.te',`
|
||||
ntpd_domtrans(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(dhcpc_t)
|
||||
seutil_dontaudit_search_config(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te',`
|
||||
@ -189,18 +203,15 @@ optional_policy(`userdomain.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit dhcpc_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(dhcpc_t)
|
||||
')
|
||||
|
||||
ifdef(`cardmgr.te',`
|
||||
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
|
||||
')
|
||||
|
||||
#this goes to pcmcia module
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnet_domtrans_dhcpc(cardmgr_t)
|
||||
|
||||
sysnet_read_dhcpc_pid(cardmgr_t)
|
||||
sysnet_kill_dhcpc(cardmgr_t)
|
||||
sysnet_sigchld_dhcpc(cardmgr_t)
|
||||
@ -209,17 +220,6 @@ optional_policy(`sysnetwork.te',`
|
||||
sysnet_sigstop_dhcpc(cardmgr_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te', `
|
||||
allow dhcpc_t hotplug_etc_t:dir { getattr search };
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
logging_syslogd_transition(dhcpc_t)
|
||||
')
|
||||
')
|
||||
|
||||
allow dhcpc_t var_lib_t:dir search;
|
||||
dontaudit dhcpc_t var_lock_t:dir search;
|
||||
dontaudit dhcpc_t selinux_config_t:dir search;
|
||||
dontaudit dhcpc_t domain:dir getattr;
|
||||
') dnl endif TODO
|
||||
|
||||
@ -284,20 +284,17 @@ seutil_use_runinit_fd(ifconfig_t)
|
||||
|
||||
userdom_use_all_user_fd(ifconfig_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(ifconfig_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(ifconfig_t)
|
||||
')
|
||||
|
||||
tunable_policy(`hide_broken_symptoms',`
|
||||
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
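Review bot: The line added in the `@ -135,6 +137,8 @@` hunk, `userdom_dontaudit_search_staff_home_dir(sysadm_t)`, names the wrong domain and the wrong home directory: every other rule in that block is for dhcpc_t, and the TODO rule it replaces (removed in the `@ -189,18 +203,15 @@` hunk) is `dontaudit dhcpc_t sysadm_home_dir_t:dir search;`. As written it silences denials for sysadm_t searching staff home directories, which this module has no reason to touch, while the dhcpc_t denial it was meant to hide is still logged. It should read `userdom_dontaudit_search_sysadm_home_dir(dhcpc_t)`, using the interface this commit adds to userdomain.if. The `ifdef(`hide_broken_symptoms',` blocks in the `@ -284,20 +284,17 @@` hunk replace a `tunable_policy(`hide_broken_symptoms',` block, i.e. a build-time condition instead of a runtime boolean; that is presumably intended, but it is a behaviour change worth a line in the commit message.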
@ -1,12 +1,12 @@
|
||||
## <summary>Policy for udev.</summary>
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Execute udev in the udev domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <summary>
|
||||
## Execute udev in the udev domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_domtrans',`
|
||||
gen_require(`
|
||||
@ -25,12 +25,30 @@ interface(`udev_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Allow process to read list of devices.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <summary>
|
||||
## Do not audit attempts to read or write
|
||||
## to a udev unix datagram socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_donaudit_rw_unix_dgram_socket',`
|
||||
gen_require(`
|
||||
type udev_t;
|
||||
class unix_dgram_socket { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 udev_t:unix_dgram_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow process to read list of devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_read_db',`
|
||||
gen_require(`
|
||||
@ -43,12 +61,12 @@ interface(`udev_read_db',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Allow process to modify list of devices.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <summary>
|
||||
## Allow process to modify list of devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_rw_db',`
|
||||
gen_require(`
|
||||
|
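Review bot: The new interface in the `@ -25,12 +25,30 @@` hunk is named `udev_donaudit_rw_unix_dgram_socket`, missing the `t` of `dontaudit`; every other interface of this kind on the page (`userdom_dontaudit_search_staff_home_dir`, `userdom_dontaudit_search_sysadm_home_dir`, `seutil_dontaudit_search_config`) spells it out. Since this commit already wires callers to the misspelled name (restorecon_t and ifconfig_t), fixing it later means touching every caller, so it is cheapest to rename now: `interface(`udev_dontaudit_rw_unix_dgram_socket',`. The `<desc>` to `<summary>` changes in the other two hunks look fine.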
@ -70,6 +70,8 @@ kernel_read_device_sysctl(udev_t)
|
||||
kernel_read_hotplug_sysctl(udev_t)
|
||||
kernel_read_modprobe_sysctl(udev_t)
|
||||
kernel_read_kernel_sysctl(udev_t)
|
||||
kernel_rw_unix_dgram_socket(udev_t)
|
||||
kernel_sendto_unix_dgram_socket(udev_t)
|
||||
|
||||
dev_read_sysfs(udev_t)
|
||||
dev_manage_dev_nodes(udev_t)
|
||||
@ -119,6 +121,7 @@ seutil_domtrans_restorecon(udev_t)
|
||||
sysnet_domtrans_ifconfig(udev_t)
|
||||
|
||||
userdom_use_sysadm_tty(udev_t)
|
||||
userdom_dontaudit_search_staff_home_dir(udev_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
fs_manage_tmpfs_symlinks(udev_t)
|
||||
@ -154,14 +157,6 @@ optional_policy(`xserver.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow udev_t devpts_t:dir { getattr search };
|
||||
|
||||
# Dontaudits
|
||||
dontaudit udev_t staff_home_dir_t:dir search;
|
||||
dontaudit udev_t ttyfile:chr_file unlink;
|
||||
|
||||
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
|
||||
|
||||
dbusd_client(system, udev)
|
||||
|
||||
') dnl endif TODO
|
||||
|
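Review bot: The TODO rule removed in the `@ -154,14 +157,6 @@` hunk granted udev_t `{ sendto ioctl read write }` on kernel_t unix datagram sockets, but the replacements added in the `@ -70,6 +70,8 @@` hunk, `kernel_rw_unix_dgram_socket(udev_t)` and `kernel_sendto_unix_dgram_socket(udev_t)`, cover read/write and sendto by name only; unless kernel_rw_unix_dgram_socket also includes ioctl (its definition is not on this page), that permission is silently dropped. Worth confirming against kernel.if, and if ioctl is genuinely not needed a short comment such as `# ioctl on the kernel dgram socket intentionally not granted` would stop the next reader from re-adding it. The rest of the TODO block (devpts_t, ttyfile unlink, dbusd_client) is left in place, so the block still needs a follow-up.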
@ -174,7 +174,7 @@ template(`base_user_template',`
|
||||
|
||||
files_exec_etc_files($1_t)
|
||||
files_read_usr_src_files($1_t)
|
||||
files_search_generic_locks($1_t)
|
||||
files_search_locks($1_t)
|
||||
|
||||
# Caused by su - init scripts
|
||||
init_dontaudit_use_script_pty($1_t)
|
||||
@ -521,7 +521,7 @@ template(`unpriv_user_template', `
|
||||
modutils_read_module_conf($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
# for when the network connection is killed
|
||||
seutil_dontaudit_signal_newrole($1_t)
|
||||
')
|
||||
@ -914,6 +914,42 @@ interface(`userdom_shell_domtrans_sysadm',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the staff users home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_search_staff_home_dir',`
|
||||
gen_require(`
|
||||
type staff_home_dir_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
allow $1 staff_home_dir_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the staff
|
||||
## users home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_search_staff_home_dir',`
|
||||
gen_require(`
|
||||
type staff_home_dir_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 staff_home_dir_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in the staff users home directory.
|
||||
@ -1059,6 +1095,42 @@ interface(`userdom_rw_sysadm_pipe',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the sysadm users home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_search_sysadm_home_dir',`
|
||||
gen_require(`
|
||||
type sysadm_home_dir_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
allow $1 sysadm_home_dir_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the sysadm
|
||||
## users home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_search_sysadm_home_dir',`
|
||||
gen_require(`
|
||||
type sysadm_home_dir_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 sysadm_home_dir_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in the sysadm users home directory.
|
||||
@ -1098,6 +1170,23 @@ interface(`userdom_search_all_users_home',`
|
||||
allow $1 { home_dir_type home_type }:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search all users home directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_search_all_users_home',`
|
||||
gen_require(`
|
||||
attribute home_dir_type, home_type;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 { home_dir_type home_type }:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all files in all users home directories.
|
||||
|
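Review bot: The two allow interfaces added here, `userdom_search_staff_home_dir` (`@ -914,6 +914,42 @@` hunk) and `userdom_search_sysadm_home_dir` (`@ -1059,6 +1095,42 @@` hunk), document their parameter as `Domain to not audit.`, apparently copied from the dontaudit variants beside them; for an interface that grants access the line should read `## Domain allowed access.`, since these `##` comments are what the interface documentation is built from. The dontaudit interfaces and `userdom_dontaudit_search_all_users_home` are documented consistently. Note also that both search interfaces call `files_search_home($1)` while the dontaudit variants silence only the home directory type itself; whether that asymmetry is intended is not clear from this page.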
@ -158,7 +158,7 @@ ifdef(`targeted_policy',`
|
||||
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
|
||||
|