Fix more TODOs; change selinux.te to selinuxutil.te in optional_policy blocks.

Chris PeBenito 2005-07-11 19:02:50 +00:00
parent 34bbe50d50
commit ae9e2716c3
30 changed files with 670 additions and 145 deletions


@ -58,7 +58,7 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(dmesg_t) files_dontaudit_read_root_file(dmesg_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(dmesg_t) seutil_sigchld_newrole(dmesg_t)
') ')


@ -164,6 +164,25 @@ interface(`dev_relabel_dev_dirs',`
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto }; allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
') ')
########################################
## <summary>
## Read and write generic files in /dev.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_generic_file',`
gen_require(`
type device_t;
class dir search;
class file rw_file_perms;
')
allow $1 device_t:dir search;
allow $1 device_t:file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Dontaudit getattr on generic pipes. ## Dontaudit getattr on generic pipes.
@ -328,6 +347,24 @@ interface(`dev_dontaudit_setattr_generic_chr_file',`
dontaudit $1 device_t:chr_file setattr; dontaudit $1 device_t:chr_file setattr;
') ')
########################################
## <summary>
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`dev_dontaudit_setattr_generic_symlink',`
gen_require(`
type device_t;
class lnk_file setattr;
')
dontaudit $1 device_t:lnk_file setattr;
')
######################################## ########################################
## <summary> ## <summary>
## Delete symbolic links in device directories. ## Delete symbolic links in device directories.


@ -1705,6 +1705,24 @@ interface(`fs_set_all_quotas',`
allow $1 filesystem_type:filesystem quotamod; allow $1 filesystem_type:filesystem quotamod;
') ')
########################################
## <summary>
## List all directories with a filesystem type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`fs_list_all',`
gen_require(`
attribute filesystem_type;
class dir r_dir_perms;
')
allow $1 filesystem_type:dir r_dir_perms;
')
######################################## ########################################
# #
# fs_getattr_all_files(type) # fs_getattr_all_files(type)


@ -121,6 +121,57 @@ interface(`kernel_dontaudit_use_fd',`
dontaudit $1 kernel_t:fd use; dontaudit $1 kernel_t:fd use;
') ')
########################################
## <system>
## Read and write kernel unnamed pipes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_rw_pipe',`
gen_require(`
type kernel_t;
class fifo_file { read write };
')
allow $1 kernel_t:fifo_file { read write };
')
########################################
## <summary>
## Read and write kernel unix datagram sockets.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_rw_unix_dgram_socket',`
gen_require(`
type kernel_t;
class unix_dgram_socket { read write ioctl };
')
allow $1 kernel_t:unix_dgram_socket { read write ioctl };
')
########################################
## <summary>
## Send messages to kernel unix datagram sockets.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_sendto_unix_dgram_socket',`
gen_require(`
type kernel_t;
class unix_dgram_socket sendto;
')
allow $1 kernel_t:unix_dgram_socket sendto;
')
######################################## ########################################
## <summary> ## <summary>
## Allows caller to load kernel modules ## Allows caller to load kernel modules
@ -1046,20 +1097,19 @@ interface(`kernel_sigchld_unlabeled',`
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts by caller to get attributes for ## List unlabeled directories.
## unlabeled block devices.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## The process type not to audit. ## Domain allowed access.
## </param> ## </param>
# #
interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',` interface(`kernel_list_unlabeled',`
gen_require(` gen_require(`
type unlabeled_t; type unlabeled_t;
class blk_file getattr; class dir r_dir_perms;
') ')
allow $1 unlabeled_t:blk_file getattr; allow $1 unlabeled_t:dir r_dir_perms;
') ')
######################################## ########################################
@ -1079,6 +1129,24 @@ interface(`kernel_rw_unlabeled_dir',`
allow $1 unlabeled_t:dir rw_dir_perms; allow $1 unlabeled_t:dir rw_dir_perms;
') ')
########################################
## <summary>
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
## </summary>
## <param name="domain">
## The process type not to audit.
## </param>
#
interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
gen_require(`
type unlabeled_t;
class blk_file getattr;
')
allow $1 unlabeled_t:blk_file getattr;
')
######################################## ########################################
## <summary> ## <summary>
## Read and write unlabeled block device nodes. ## Read and write unlabeled block device nodes.


@ -120,7 +120,7 @@ optional_policy(`mount.te',`
mount_send_nfs_client_request(inetd_t) mount_send_nfs_client_request(inetd_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(inetd_t) seutil_sigchld_newrole(inetd_t)
') ')


@ -130,7 +130,7 @@ optional_policy(`nis.te',`
nis_use_ypbind(kadmind_t) nis_use_ypbind(kadmind_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(kadmind_t) seutil_sigchld_newrole(kadmind_t)
') ')
@ -231,7 +231,7 @@ optional_policy(`nis.te',`
nis_use_ypbind(krb5kdc_t) nis_use_ypbind(krb5kdc_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(krb5kdc_t) seutil_sigchld_newrole(krb5kdc_t)
') ')


@ -110,7 +110,7 @@ optional_policy(`mount.te',`
mount_send_nfs_client_request(ypbind_t) mount_send_nfs_client_request(ypbind_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(ypbind_t) seutil_sigchld_newrole(ypbind_t)
') ')
@ -199,7 +199,7 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(ypserv_t) files_dontaudit_read_root_file(ypserv_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(ypserv_t) seutil_sigchld_newrole(ypserv_t)
') ')


@ -99,7 +99,7 @@ optional_policy(`nis.te',`
nis_use_ypbind(sendmail_t) nis_use_ypbind(sendmail_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(sendmail_t) seutil_sigchld_newrole(sendmail_t)
') ')


@ -223,7 +223,7 @@ optional_policy(`rhgb.te', `
rhgb_domain(ssh_keygen_t) rhgb_domain(ssh_keygen_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(ssh_keygen_t) seutil_sigchld_newrole(ssh_keygen_t)
') ')


@ -103,7 +103,7 @@ template(`authlogin_per_userdomain_template',`
nis_use_ypbind($1_chkpwd_t) nis_use_ypbind($1_chkpwd_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_use_newrole_fd($1_chkpwd_t) seutil_use_newrole_fd($1_chkpwd_t)
') ')


@ -207,7 +207,7 @@ optional_policy(`hotplug.te', `
hotplug_dontaudit_search_config(pam_console_t) hotplug_dontaudit_search_config(pam_console_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(pam_console_t) seutil_sigchld_newrole(pam_console_t)
') ')
@ -314,9 +314,9 @@ logging_search_logs(utempter_t)
# Allow utemper to write to /tmp/.xses-* # Allow utemper to write to /tmp/.xses-*
userdom_write_unpriv_user_tmp(utempter_t) userdom_write_unpriv_user_tmp(utempter_t)
optional_policy(`xserver.te', ` optional_policy(`xdm.te', `
#allow utempter_t xdm_t:fd use; #allow utempter_t xdm_t:fd use;
xserver_use_xdm_fd(utempter_t) xdm_use_fd(utempter_t)
#allow utempter_t xdm_t:fifo_file { write getattr }; #allow utempter_t xdm_t:fifo_file { write getattr };
xdm_write_fifo(utempter_t) xdm_write_fifo(utempter_t)
') ')


@ -66,7 +66,7 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(hwclock_t) files_dontaudit_read_root_file(hwclock_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(hwclock_t) seutil_sigchld_newrole(hwclock_t)
') ')


@ -50,6 +50,7 @@ interface(`corecmd_list_bin',`
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
#
interface(`corecmd_getattr_bin_file',` interface(`corecmd_getattr_bin_file',`
gen_require(` gen_require(`
type bin_t; type bin_t;
@ -59,6 +60,25 @@ interface(`corecmd_getattr_bin_file',`
allow $1 bin_t:file getattr; allow $1 bin_t:file getattr;
') ')
########################################
## <summary>
## Read files in bin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`corecmd_read_bin_file',`
gen_require(`
type bin_t;
class dir search;
class file r_file_perms;
')
allow $1 bin_t:dir search;
allow $1 bin_t:file r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read symbolic links in bin directories. ## Read symbolic links in bin directories.
@ -66,15 +86,54 @@ interface(`corecmd_getattr_bin_file',`
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
#
interface(`corecmd_read_bin_symlink',` interface(`corecmd_read_bin_symlink',`
gen_require(` gen_require(`
type bin_t; type bin_t;
class dir search; class dir search;
class lnk_file read; class lnk_file r_file_perms;
') ')
allow $1 bin_t:dir search; allow $1 bin_t:dir search;
allow $1 bin_t:lnk_file read; allow $1 bin_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Read pipes in bin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`corecmd_read_bin_pipe',`
gen_require(`
type bin_t;
class dir search;
class fifo_file r_file_perms;
')
allow $1 bin_t:dir search;
allow $1 bin_t:fifo_file r_file_perms;
')
########################################
## <summary>
## Read named sockets in bin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`corecmd_read_bin_socket',`
gen_require(`
type bin_t;
class dir search;
class sock_file r_file_perms;
')
allow $1 bin_t:dir search;
allow $1 bin_t:sock_file r_file_perms;
') ')
######################################## ########################################
@ -146,6 +205,25 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
dontaudit $1 sbin_t:file getattr; dontaudit $1 sbin_t:file getattr;
') ')
########################################
## <summary>
## Read files in sbin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`corecmd_read_sbin_file',`
gen_require(`
type sbin_t;
class dir search;
class file r_file_perms;
')
allow $1 sbin_t:dir search;
allow $1 sbin_t:file r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read symbolic links in sbin directories. ## Read symbolic links in sbin directories.
@ -153,15 +231,54 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
#
interface(`corecmd_read_sbin_symlink',` interface(`corecmd_read_sbin_symlink',`
gen_require(` gen_require(`
type sbin_t; type sbin_t;
class dir search; class dir search;
class lnk_file read; class lnk_file r_file_perms;
') ')
allow $1 sbin_t:dir search; allow $1 sbin_t:dir search;
allow $1 sbin_t:lnk_file read; allow $1 sbin_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Read named pipes in sbin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`corecmd_read_sbin_pipe',`
gen_require(`
type sbin_t;
class dir search;
class fifo_file r_file_perms;
')
allow $1 sbin_t:dir search;
allow $1 sbin_t:fifo_file r_file_perms;
')
########################################
## <summary>
## Read named sockets in sbin directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`corecmd_read_sbin_socket',`
gen_require(`
type sbin_t;
class dir search;
class sock_file r_file_perms;
')
allow $1 sbin_t:dir search;
allow $1 sbin_t:sock_file r_file_perms;
') ')
######################################## ########################################
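Review bot: `corecmd_read_bin_symlink` and `corecmd_read_sbin_symlink` change the lnk_file permission from `read` to `r_file_perms`, which presumably is a superset of `read` and so widens what every existing caller receives; the commit message mentions neither. If the widening is deliberate for consistency with the new pipe and socket interfaces, a one-line comment above the `allow` such as `# r_file_perms rather than read, for consistency with the other corecmd_read_* interfaces` records that. The two new pipe interfaces also describe themselves differently: bin says `## Read pipes in bin directories.` while sbin says `## Read named pipes in sbin directories.`; using "named pipes" in both would be consistent.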


@ -804,6 +804,26 @@ interface(`files_mounton_isid_type_dir',`
allow $1 file_t:dir { getattr search mounton }; allow $1 file_t:dir { getattr search mounton };
') ')
########################################
## <summary>
## Read files on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_read_isid_type_file',`
gen_require(`
type file_t;
class dir search;
class file r_file_perms;
')
allow $1 file_t:dir search;
allow $1 file_t:file r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete files ## Create, read, write, and delete files
@ -1028,6 +1048,86 @@ interface(`files_manage_mnt_dirs',`
allow $1 mnt_t:dir create_dir_perms; allow $1 mnt_t:dir create_dir_perms;
') ')
########################################
## <summary>
## List world-readable directories.
## </summary>
## Domain allowed access.
## </param>
#
interface(`files_list_world_readable',`
gen_require(`
type readable_t;
class dir r_dir_perms;
')
allow $1 readable_t:dir r_dir_perms;
')
########################################
## <summary>
## Read world-readable files.
## </summary>
## Domain allowed access.
## </param>
#
interface(`files_read_world_readable_files',`
gen_require(`
type readable_t;
class file r_file_perms;
')
allow $1 readable_t:file r_file_perms;
')
########################################
## <summary>
## Read world-readable symbolic links.
## </summary>
## Domain allowed access.
## </param>
#
interface(`files_read_world_readable_symlinks',`
gen_require(`
type readable_t;
class lnk_file r_file_perms;
')
allow $1 readable_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Read world-readable named pipes.
## </summary>
## Domain allowed access.
## </param>
#
interface(`files_read_world_readable_pipes',`
gen_require(`
type readable_t;
class fifo_file r_file_perms;
')
allow $1 readable_t:fifo_file r_file_perms;
')
########################################
## <summary>
## Read world-readable sockets.
## </summary>
## Domain allowed access.
## </param>
#
interface(`files_read_world_readable_sockets',`
gen_require(`
type readable_t;
class sock_file r_file_perms;
')
allow $1 readable_t:sock_file r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Search the tmp directory (/tmp) ## Search the tmp directory (/tmp)
@ -1198,6 +1298,25 @@ interface(`files_read_var_files',`
allow $1 var_t:file r_file_perms; allow $1 var_t:file r_file_perms;
') ')
########################################
## <summary>
## Read symbolic links in the /var directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_read_var_symlink',`
gen_require(`
type var_t;
class dir search;
class lnk_file { getattr read };
')
allow $1 var_t:dir search;
allow $1 var_t:lnk_file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Search the /var/lib directory. ## Search the /var/lib directory.
@ -1233,9 +1352,9 @@ interface(`files_manage_urandom_seed',`
######################################## ########################################
# #
# files_search_generic_locks(domain) # files_search_locks(domain)
# #
interface(`files_search_generic_locks',` interface(`files_search_locks',`
gen_require(` gen_require(`
type var_t; type var_t;
type var_lock_t; type var_lock_t;
@ -1245,6 +1364,24 @@ interface(`files_search_generic_locks',`
allow $1 { var_t var_lock_t }:dir search; allow $1 { var_t var_lock_t }:dir search;
') ')
########################################
## <summary>
## Do not audit attempts to search the
## locks directory (/var/lock).
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_search_locks',`
gen_require(`
type var_lock_t;
class dir search;
')
dontaudit $1 var_lock_t:dir search;
')
######################################## ########################################
# #
# files_getattr_generic_locks(domain) # files_getattr_generic_locks(domain)


@ -83,6 +83,18 @@ storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t) storage_read_scsi_generic(fsadm_t)
storage_swapon_fixed_disk(fsadm_t) storage_swapon_fixed_disk(fsadm_t)
corecmd_list_bin(fsadm_t)
corecmd_list_sbin(fsadm_t)
corecmd_read_bin_symlink(fsadm_t)
corecmd_read_sbin_symlink(fsadm_t)
# cjp: these are probably not needed:
corecmd_read_bin_file(fsadm_t)
corecmd_read_bin_pipe(fsadm_t)
corecmd_read_bin_socket(fsadm_t)
corecmd_read_sbin_file(fsadm_t)
corecmd_read_sbin_pipe(fsadm_t)
corecmd_read_sbin_socket(fsadm_t)
domain_use_wide_inherit_fd(fsadm_t) domain_use_wide_inherit_fd(fsadm_t)
files_list_home(fsadm_t) files_list_home(fsadm_t)
@ -132,13 +144,5 @@ optional_policy(`nis.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow fsadm_t bin_t:dir r_dir_perms;
allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
allow fsadm_t sbin_t:dir r_dir_perms;
allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
') dnl end TODO ') dnl end TODO
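Review bot: The six calls under `# cjp: these are probably not needed:` grant fsadm_t read access to every file, named pipe and socket under bin and sbin while the comment itself says they are likely unnecessary; the same pattern is added for local_login_t in the locallogin section. Rather than granting them unconditionally, keep them inside the `ifdef(`TODO',` block (or drop them) until an audit denial shows they are required, so the policy does not carry access nobody can justify; the list and symlink calls above the comment already cover the lookups that were moved out of TODO.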


@ -82,7 +82,7 @@ optional_policy(`hotplug.te',`
hotplug_dontaudit_use_fd(hostname_t) hotplug_dontaudit_use_fd(hostname_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(hostname_t) seutil_sigchld_newrole(hostname_t)
') ')


@ -77,9 +77,43 @@ interface(`hotplug_dontaudit_search_config',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Get the attributes of the hotplug configuration directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`hotplug_getattr_config_dir',`
gen_require(`
type hotplug_etc_t;
class dir getattr;
')
allow $1 hotplug_etc_t:dir getattr;
')
########################################
## <summary>
## Search the hotplug configuration directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`hotplug_search_config',`
gen_require(`
type hotplug_etc_t;
class dir search;
')
allow $1 hotplug_etc_t:dir search;
')
########################################
## <summary>
## Read the configuration files for hotplug. ## Read the configuration files for hotplug.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>


@ -111,6 +111,7 @@ mount_domtrans(hotplug_t)
sysnet_read_config(hotplug_t) sysnet_read_config(hotplug_t)
userdom_dontaudit_use_unpriv_user_fd(hotplug_t) userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
userdom_dontaudit_search_sysadm_home_dir(hotplug_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
optional_policy(`netutils.te', ` optional_policy(`netutils.te', `
@ -151,7 +152,7 @@ optional_policy(`nis.te',`
nis_use_ypbind(hotplug_t) nis_use_ypbind(hotplug_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(hotplug_t) seutil_sigchld_newrole(hotplug_t)
') ')
@ -177,7 +178,6 @@ optional_policy(`updfstab.te', `
') ')
ifdef(`TODO',` ifdef(`TODO',`
dontaudit hotplug_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
rhgb_domain(hotplug_t) rhgb_domain(hotplug_t)
') ')


@ -102,7 +102,7 @@ optional_policy(`nis.te',`
nis_use_ypbind(iptables_t) nis_use_ypbind(iptables_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(iptables_t) seutil_sigchld_newrole(iptables_t)
') ')


@ -68,6 +68,7 @@ dev_dontaudit_getattr_generic_blk_file(local_login_t)
dev_dontaudit_setattr_generic_blk_file(local_login_t) dev_dontaudit_setattr_generic_blk_file(local_login_t)
dev_dontaudit_getattr_generic_chr_file(local_login_t) dev_dontaudit_getattr_generic_chr_file(local_login_t)
dev_dontaudit_setattr_generic_chr_file(local_login_t) dev_dontaudit_setattr_generic_chr_file(local_login_t)
dev_dontaudit_setattr_generic_symlink(local_login_t)
dev_dontaudit_getattr_misc(local_login_t) dev_dontaudit_getattr_misc(local_login_t)
dev_dontaudit_setattr_misc(local_login_t) dev_dontaudit_setattr_misc(local_login_t)
dev_dontaudit_getattr_scanner(local_login_t) dev_dontaudit_getattr_scanner(local_login_t)
@ -107,6 +108,18 @@ auth_rw_faillog(local_login_t)
auth_exec_pam(local_login_t) auth_exec_pam(local_login_t)
auth_manage_pam_console_data(local_login_t) auth_manage_pam_console_data(local_login_t)
corecmd_list_bin(local_login_t)
corecmd_list_sbin(local_login_t)
corecmd_read_bin_symlink(local_login_t)
corecmd_read_sbin_symlink(local_login_t)
# cjp: these are probably not needed:
corecmd_read_bin_file(local_login_t)
corecmd_read_bin_pipe(local_login_t)
corecmd_read_bin_socket(local_login_t)
corecmd_read_sbin_file(local_login_t)
corecmd_read_sbin_pipe(local_login_t)
corecmd_read_sbin_socket(local_login_t)
domain_read_all_entry_files(local_login_t) domain_read_all_entry_files(local_login_t)
files_read_etc_files(local_login_t) files_read_etc_files(local_login_t)
@ -114,6 +127,13 @@ files_read_etc_runtime_files(local_login_t)
files_read_usr_files(local_login_t) files_read_usr_files(local_login_t)
files_manage_generic_locks(var_lock_t) files_manage_generic_locks(var_lock_t)
files_list_mnt(local_login_t) files_list_mnt(local_login_t)
files_list_world_readable(local_login_t)
files_read_world_readable_files(local_login_t)
files_read_world_readable_symlinks(local_login_t)
files_read_world_readable_pipes(local_login_t)
files_read_world_readable_sockets(local_login_t)
# for when /var/mail is a symlink
files_read_var_symlink(local_login_t)
init_rw_script_pid(local_login_t) init_rw_script_pid(local_login_t)
init_dontaudit_use_fd(local_login_t) init_dontaudit_use_fd(local_login_t)
@ -175,22 +195,6 @@ optional_policy(`usermanage.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow local_login_t bin_t:dir r_dir_perms;
allow local_login_t bin_t:notdevfile_class_set r_file_perms;
allow local_login_t sbin_t:dir r_dir_perms;
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow local_login_t readable_t:dir r_dir_perms;
allow local_login_t readable_t:notdevfile_class_set r_file_perms;
# for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read;
dontaudit local_login_t device_t:lnk_file setattr;
# this goes to xdm: # this goes to xdm:
optional_policy(`locallogin.te',` optional_policy(`locallogin.te',`
# FIXME: what is this for? # FIXME: what is this for?
@ -200,7 +204,6 @@ optional_policy(`locallogin.te',`
optional_policy(`gpm.te',` optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr }; allow local_login_t gpmctl_t:sock_file { getattr setattr };
') ')
') dnl endif TODO ') dnl endif TODO
################################# #################################
@ -243,12 +246,14 @@ auth_read_shadow(sulogin_t)
userdom_shell_domtrans_sysadm(sulogin_t) userdom_shell_domtrans_sysadm(sulogin_t)
userdom_use_unpriv_users_fd(sulogin_t) userdom_use_unpriv_users_fd(sulogin_t)
userdom_use_sysadm_pty(sulogin_t) userdom_use_sysadm_pty(sulogin_t)
userdom_search_staff_home_dir(sulogin_t)
userdom_search_sysadm_home_dir(sulogin_t)
# suse and debian do not use pam with sulogin... # suse and debian do not use pam with sulogin...
ifdef(`monolithic_policy',` ifdef(`monolithic_policy',`
ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')')
') dnl end monolithic_policy ')
ifdef(`sulogin_no_pam', ` ifdef(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config; allow sulogin_t self:capability sys_tty_config;
@ -266,7 +271,3 @@ ifdef(`sulogin_no_pam', `
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(sulogin_t) nis_use_ypbind(sulogin_t)
') ')
ifdef(`TODO',`
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
') dnl endif TODO


@ -84,6 +84,7 @@ libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t) miscfiles_read_localization(auditd_t)
userdom_dontaudit_use_unpriv_user_fd(auditd_t) userdom_dontaudit_use_unpriv_user_fd(auditd_t)
userdom_dontaudit_search_sysadm_home_dir(auditd_t)
# cjp: this is questionable # cjp: this is questionable
userdom_use_sysadm_tty(auditd_t) userdom_use_sysadm_tty(auditd_t)
@ -93,7 +94,7 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(auditd_t) files_dontaudit_read_root_file(auditd_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(auditd_t) seutil_sigchld_newrole(auditd_t)
') ')
@ -105,8 +106,6 @@ ifdef(`TODO',`
optional_policy(`rhgb.te', ` optional_policy(`rhgb.te', `
rhgb_domain(auditd_t) rhgb_domain(auditd_t)
') ')
dontaudit auditd_t sysadm_home_dir_t:dir search;
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -228,6 +227,7 @@ sysnet_read_config(syslogd_t)
miscfiles_read_localization(syslogd_t) miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fd(syslogd_t) userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
# #
# /initrd is not umounted before minilog starts # /initrd is not umounted before minilog starts
@ -260,7 +260,7 @@ optional_policy(`nis.te',`
nis_use_ypbind(syslogd_t) nis_use_ypbind(syslogd_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(syslogd_t) seutil_sigchld_newrole(syslogd_t)
') ')
@ -269,7 +269,7 @@ optional_policy(`udev.te', `
') ')
ifdef(`TODO',` ifdef(`TODO',`
dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', ` optional_policy(`rhgb.te', `
rhgb_domain(syslogd_t) rhgb_domain(syslogd_t)
') ')


@ -213,6 +213,4 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t) miscfiles_read_localization(update_modules_t)
ifdef(`TODO',` userdom_dontaudit_search_sysadm_home_dir(update_modules_t)
dontaudit update_modules_t sysadm_home_dir_t:dir search;
') dnl endif TODO


@ -63,6 +63,9 @@ files_unmount_rootfs(mount_t)
files_relabelto_all_file_type_fs(mount_t) files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
# cjp: this seems wrong, the type should probably be etc
files_read_isid_type_file(mount_t)
init_use_fd(mount_t) init_use_fd(mount_t)
init_use_script_pty(mount_t) init_use_script_pty(mount_t)
@ -122,9 +125,8 @@ files_mountpoint(var_lib_nfs_t)
#allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom }; #allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
#allow mount_t sysadm_mount_source_t:file rw_file_perms; #allow mount_t sysadm_mount_source_t:file rw_file_perms;
# TODO: Probably need a macro for reading/unlinking files
# for when /etc/mtab loses its type # for when /etc/mtab loses its type
allow mount_t file_t:file { r_file_perms unlink }; allow mount_t file_t:file unlink;
ifdef(`gnome-pty-helper.te', ` ifdef(`gnome-pty-helper.te', `
allow mount_t sysadm_gph_t:fd use; allow mount_t sysadm_gph_t:fd use;
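Review bot: `files_read_isid_type_file(mount_t)` grants read on every `file_t` file, not only the mislabeled /etc/mtab that the comment describes, and the new `# cjp: this seems wrong` comment already doubts it; the remaining raw rule `allow mount_t file_t:file unlink;` likewise allows unlinking any file_t file. Since the two rules exist for the same reason, a shared comment such as `# TODO: both rules should go away once /etc/mtab keeps its etc-derived type` next to them records the intent, and moving the raw unlink rule into the TODO block beside the removed comment keeps the workaround in one place.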


@ -457,6 +457,24 @@ interface(`seutil_exec_setfiles',`
can_exec($1,setfiles_exec_t) can_exec($1,setfiles_exec_t)
') ')
########################################
## <summary>
## Do not audit attempts to search the SELinux
## configuration directory (/etc/selinux).
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`seutil_dontaudit_search_config',`
gen_require(`
type selinux_config_t;
class dir search;
')
dontaudit $1 selinux_config_t:dir search;
')
######################################## ########################################
# #
# seutil_read_config(domain) # seutil_read_config(domain)


@ -229,6 +229,8 @@ logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t) miscfiles_read_localization(newrole_t)
userdom_use_unpriv_users_fd(newrole_t) userdom_use_unpriv_users_fd(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home(newrole_t)
# if secure mode is enabled, then newrole # if secure mode is enabled, then newrole
# can only transition to unprivileged users # can only transition to unprivileged users
@ -244,9 +246,6 @@ optional_policy(`nis.te',`
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd
dontaudit newrole_t { home_root_t home_type }:dir search;
') dnl ifdef TODO ') dnl ifdef TODO
######################################## ########################################
@ -261,9 +260,14 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_use_fd(restorecon_t) kernel_use_fd(restorecon_t)
kernel_rw_pipe(restorecon_t)
kernel_read_system_state(restorecon_t) kernel_read_system_state(restorecon_t)
# cjp: why is this needed?
dev_rw_generic_file(restorecon_t)
fs_getattr_xattr_fs(restorecon_t) fs_getattr_xattr_fs(restorecon_t)
fs_list_all(restorecon_t)
selinux_get_fs_mount(restorecon_t) selinux_get_fs_mount(restorecon_t)
selinux_validate_context(restorecon_t) selinux_validate_context(restorecon_t)
@ -305,24 +309,18 @@ ifdef(`distro_redhat', `
fs_relabel_tmpfs_chr_dev(restorecon_t) fs_relabel_tmpfs_chr_dev(restorecon_t)
') ')
ifdef(`hide_broken_symptoms',`
udev_donaudit_rw_unix_dgram_socket(restorecon_t)
')
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
hotplug_use_fd(restorecon_t) hotplug_use_fd(restorecon_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run! # scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute }; allow restorecon_t lib_t:file { read execute };
allow restorecon_t fs_type:dir r_dir_perms;
allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fifo_file { read write };
tunable_policy(`hide_broken_symptoms',`
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
')
') dnl endif TODO ') dnl endif TODO
################################# #################################
@ -380,15 +378,12 @@ ifdef(`targeted_policy',`',`
logging_send_syslog_msg(run_init_t) logging_send_syslog_msg(run_init_t)
') dnl end ifdef targeted policy ') dnl end ifdef targeted policy
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`distro_gentoo', ` ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript: # Gentoo integrated run_init+open_init_pty-runscript:
domain_entry_file(run_init_t,initrc_exec_t) domain_entry_file(run_init_t,initrc_exec_t)
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
') ')
') dnl end TODO ') dnl end TODO
######################################## ########################################
@ -403,8 +398,10 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t) kernel_read_system_state(setfiles_t)
kernel_list_unlabeled(setfiles_t)
fs_getattr_xattr_fs(setfiles_t) fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
selinux_get_fs_mount(setfiles_t) selinux_get_fs_mount(setfiles_t)
selinux_validate_context(setfiles_t) selinux_validate_context(setfiles_t)
@ -449,9 +446,4 @@ ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run! # scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute }; allow setfiles_t lib_t:file { read execute };
allow setfiles_t unlabeled_t:dir read;
allow setfiles_t fs_type:dir r_dir_perms;
') dnl endif TODO ') dnl endif TODO


@ -121,6 +121,8 @@ domain_use_wide_inherit_fd(dhcpc_t)
files_read_etc_files(dhcpc_t) files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t)
files_search_home(dhcpc_t) files_search_home(dhcpc_t)
files_search_var_lib(dhcpc_t)
files_dontaudit_search_locks(dhcpc_t)
init_use_fd(dhcpc_t) init_use_fd(dhcpc_t)
init_use_script_pty(dhcpc_t) init_use_script_pty(dhcpc_t)
@ -135,6 +137,8 @@ miscfiles_read_localization(dhcpc_t)
modutils_domtrans_insmod(dhcpc_t) modutils_domtrans_insmod(dhcpc_t)
userdom_dontaudit_search_staff_home_dir(sysadm_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
files_exec_etc_files(dhcpc_t) files_exec_etc_files(dhcpc_t)
') ')
@ -154,6 +158,15 @@ optional_policy(`hostname.te',`
hostname_domtrans(dhcpc_t) hostname_domtrans(dhcpc_t)
') ')
optional_policy(`hotplug.te',`
hotplug_getattr_config_dir(dhcpc_t)
hotplug_search_config(dhcpc_t)
ifdef(`distro_redhat',`
logging_syslogd_transition(dhcpc_t)
')
')
# for the dhcp client to run ping to check IP addresses # for the dhcp client to run ping to check IP addresses
optional_policy(`netutils.te',` optional_policy(`netutils.te',`
netutils_domtrans_ping(dhcpc_t) netutils_domtrans_ping(dhcpc_t)
@ -176,8 +189,9 @@ optional_policy(`ntpd.te',`
ntpd_domtrans(dhcpc_t) ntpd_domtrans(dhcpc_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(dhcpc_t) seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
') ')
optional_policy(`udev.te',` optional_policy(`udev.te',`
@ -189,18 +203,15 @@ optional_policy(`userdomain.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
dontaudit dhcpc_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
rhgb_domain(dhcpc_t) rhgb_domain(dhcpc_t)
') ')
ifdef(`cardmgr.te',`
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
')
#this goes to pcmcia module #this goes to pcmcia module
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`
sysnet_domtrans_dhcpc(cardmgr_t)
sysnet_read_dhcpc_pid(cardmgr_t) sysnet_read_dhcpc_pid(cardmgr_t)
sysnet_kill_dhcpc(cardmgr_t) sysnet_kill_dhcpc(cardmgr_t)
sysnet_sigchld_dhcpc(cardmgr_t) sysnet_sigchld_dhcpc(cardmgr_t)
@ -209,17 +220,6 @@ optional_policy(`sysnetwork.te',`
sysnet_sigstop_dhcpc(cardmgr_t) sysnet_sigstop_dhcpc(cardmgr_t)
') ')
optional_policy(`hotplug.te', `
allow dhcpc_t hotplug_etc_t:dir { getattr search };
ifdef(`distro_redhat', `
logging_syslogd_transition(dhcpc_t)
')
')
allow dhcpc_t var_lib_t:dir search;
dontaudit dhcpc_t var_lock_t:dir search;
dontaudit dhcpc_t selinux_config_t:dir search;
dontaudit dhcpc_t domain:dir getattr; dontaudit dhcpc_t domain:dir getattr;
') dnl endif TODO ') dnl endif TODO
@ -284,20 +284,17 @@ seutil_use_runinit_fd(ifconfig_t)
userdom_use_all_user_fd(ifconfig_t) userdom_use_all_user_fd(ifconfig_t)
ifdef(`hide_broken_symptoms',`
udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
')
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(ifconfig_t) nis_use_ypbind(ifconfig_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
optional_policy(`rhgb.te', ` optional_policy(`rhgb.te', `
rhgb_domain(ifconfig_t) rhgb_domain(ifconfig_t)
') ')
tunable_policy(`hide_broken_symptoms',`
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
')
') dnl endif TODO ') dnl endif TODO
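Review bot: `userdom_dontaudit_search_staff_home_dir(sysadm_t)` in the dhcpc_t hunk appears to have both the wrong subject and the wrong object: the TODO rule it replaces was `dontaudit dhcpc_t sysadm_home_dir_t:dir search;`, so the call should be `userdom_dontaudit_search_sysadm_home_dir(dhcpc_t)`, using the sysadm interface this same commit adds in userdomain.if. As written it silences denials for sysadm_t searching staff home directories, which removes audit evidence for the admin domain while leaving the dhcp client noise it was meant to cover still audited. Separately, the `ifdef(`hide_broken_symptoms',` block for ifconfig_t replaces a `tunable_policy` of the same name in the old TODO text; if hide_broken_symptoms is a build-time option that is fine, otherwise the dontaudit can no longer be toggled by a boolean at runtime.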


@ -1,12 +1,12 @@
## <summary>Policy for udev.</summary> ## <summary>Policy for udev.</summary>
######################################## ########################################
## <desc> ## <summary>
## Execute udev in the udev domain. ## Execute udev in the udev domain.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`udev_domtrans',` interface(`udev_domtrans',`
gen_require(` gen_require(`
@ -25,12 +25,30 @@ interface(`udev_domtrans',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Allow process to read list of devices. ## Do not audit attempts to read or write
## </desc> ## to a udev unix datagram socket.
## <param name="domain"> ## </summary>
## The type of the process performing this action. ## <param name="domain">
## </param> ## Domain to not audit.
## </param>
#
interface(`udev_donaudit_rw_unix_dgram_socket',`
gen_require(`
type udev_t;
class unix_dgram_socket { read write };
')
dontaudit $1 udev_t:unix_dgram_socket { read write };
')
########################################
## <summary>
## Allow process to read list of devices.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
# #
interface(`udev_read_db',` interface(`udev_read_db',`
gen_require(` gen_require(`
@ -43,12 +61,12 @@ interface(`udev_read_db',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Allow process to modify list of devices. ## Allow process to modify list of devices.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`udev_rw_db',` interface(`udev_rw_db',`
gen_require(` gen_require(`
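Review bot: The new interface name `udev_donaudit_rw_unix_dgram_socket` is missing the `t` in `dontaudit`, unlike every other dontaudit interface in this commit (`userdom_dontaudit_search_staff_home_dir`, `seutil_dontaudit_search_config`). Renaming it to `udev_dontaudit_rw_unix_dgram_socket` now avoids carrying the typo into callers, which already include the `ifdef(`hide_broken_symptoms',` blocks in sysnetwork.te and selinuxutil.te. The summary wording could also drop the stray preposition: `## Do not audit attempts to read or write` / `## a udev unix datagram socket.`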


@ -70,6 +70,8 @@ kernel_read_device_sysctl(udev_t)
kernel_read_hotplug_sysctl(udev_t) kernel_read_hotplug_sysctl(udev_t)
kernel_read_modprobe_sysctl(udev_t) kernel_read_modprobe_sysctl(udev_t)
kernel_read_kernel_sysctl(udev_t) kernel_read_kernel_sysctl(udev_t)
kernel_rw_unix_dgram_socket(udev_t)
kernel_sendto_unix_dgram_socket(udev_t)
dev_read_sysfs(udev_t) dev_read_sysfs(udev_t)
dev_manage_dev_nodes(udev_t) dev_manage_dev_nodes(udev_t)
@ -119,6 +121,7 @@ seutil_domtrans_restorecon(udev_t)
sysnet_domtrans_ifconfig(udev_t) sysnet_domtrans_ifconfig(udev_t)
userdom_use_sysadm_tty(udev_t) userdom_use_sysadm_tty(udev_t)
userdom_dontaudit_search_staff_home_dir(udev_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
fs_manage_tmpfs_symlinks(udev_t) fs_manage_tmpfs_symlinks(udev_t)
@ -154,14 +157,6 @@ optional_policy(`xserver.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow udev_t devpts_t:dir { getattr search };
# Dontaudits
dontaudit udev_t staff_home_dir_t:dir search;
dontaudit udev_t ttyfile:chr_file unlink; dontaudit udev_t ttyfile:chr_file unlink;
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
dbusd_client(system, udev) dbusd_client(system, udev)
') dnl endif TODO ') dnl endif TODO
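Review bot: `allow udev_t devpts_t:dir { getattr search };` is deleted from the TODO block with no visible replacement in this section, whereas the neighbouring staff_home_dir_t and kernel_t rules are converted to `userdom_dontaudit_search_staff_home_dir(udev_t)` and the two `kernel_*_unix_dgram_socket` calls. If the devpts access was dropped on purpose that is the safer direction, but a one-line comment saying so would stop the next reader from re-adding it; if it was an oversight, the corresponding terminal-module interface is the equivalent. Whether `kernel_rw_unix_dgram_socket` also covers the `ioctl` permission the old rule granted depends on its definition, which is not in view here.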


@ -174,7 +174,7 @@ template(`base_user_template',`
files_exec_etc_files($1_t) files_exec_etc_files($1_t)
files_read_usr_src_files($1_t) files_read_usr_src_files($1_t)
files_search_generic_locks($1_t) files_search_locks($1_t)
# Caused by su - init scripts # Caused by su - init scripts
init_dontaudit_use_script_pty($1_t) init_dontaudit_use_script_pty($1_t)
@ -521,7 +521,7 @@ template(`unpriv_user_template', `
modutils_read_module_conf($1_t) modutils_read_module_conf($1_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
# for when the network connection is killed # for when the network connection is killed
seutil_dontaudit_signal_newrole($1_t) seutil_dontaudit_signal_newrole($1_t)
') ')
@ -914,6 +914,42 @@ interface(`userdom_shell_domtrans_sysadm',`
') ')
') ')
########################################
## <summary>
## Search the staff users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_search_staff_home_dir',`
gen_require(`
type staff_home_dir_t;
class dir search;
')
files_search_home($1)
allow $1 staff_home_dir_t:dir search;
')
########################################
## <summary>
## Do not audit attempts to search the staff
## users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_staff_home_dir',`
gen_require(`
type staff_home_dir_t;
class dir search;
')
dontaudit $1 staff_home_dir_t:dir search;
')
######################################## ########################################
## <summary> ## <summary>
## Read files in the staff users home directory. ## Read files in the staff users home directory.
@ -1059,6 +1095,42 @@ interface(`userdom_rw_sysadm_pipe',`
') ')
') ')
########################################
## <summary>
## Search the sysadm users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_search_sysadm_home_dir',`
gen_require(`
type sysadm_home_dir_t;
class dir search;
')
files_search_home($1)
allow $1 sysadm_home_dir_t:dir search;
')
########################################
## <summary>
## Do not audit attempts to search the sysadm
## users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_sysadm_home_dir',`
gen_require(`
type sysadm_home_dir_t;
class dir search;
')
dontaudit $1 sysadm_home_dir_t:dir search;
')
######################################## ########################################
## <summary> ## <summary>
## Read files in the sysadm users home directory. ## Read files in the sysadm users home directory.
@ -1098,6 +1170,23 @@ interface(`userdom_search_all_users_home',`
allow $1 { home_dir_type home_type }:dir search; allow $1 { home_dir_type home_type }:dir search;
') ')
########################################
## <summary>
## Do not audit attempts to search all users home directories.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_search_all_users_home',`
gen_require(`
attribute home_dir_type, home_type;
class dir search;
')
dontaudit $1 { home_dir_type home_type }:dir search;
')
######################################## ########################################
## <summary> ## <summary>
## Read all files in all users home directories. ## Read all files in all users home directories.
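Review bot: The two allow interfaces `userdom_search_staff_home_dir` and `userdom_search_sysadm_home_dir` document their parameter as `## Domain to not audit.`, which is copied from the dontaudit variants below them and misdescribes an interface that grants access; `## Domain allowed access.` is what the reader needs, since that sentence is what distinguishes an allow interface from its dontaudit twin when scanning the generated docs. The rule bodies themselves look right: the allow variants add `files_search_home($1)` for the parent directory and the dontaudit variants correctly omit it.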


@ -158,7 +158,7 @@ ifdef(`targeted_policy',`
rpm_run(sysadm_t,sysadm_r,admin_terminal) rpm_run(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`selinux.te',` optional_policy(`selinuxutil.te',`
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal) seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal) seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal) seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)