patch from dan Thu, 09 Feb 2006 13:39:41 -0500

This commit is contained in:
Chris PeBenito 2006-02-13 22:05:08 +00:00
parent e60b983b42
commit b0d2243c21
42 changed files with 204 additions and 80 deletions


@ -1,5 +1,5 @@
policy_module(kudzu,1.1.1) policy_module(kudzu,1.1.2)
######################################## ########################################
# #
@ -24,7 +24,6 @@ files_pid_file(kudzu_var_run_t)
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config; dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem }; allow kudzu_t self:process { signal_perms execmem };
auditallow kudzu_t self:process execmem;
allow kudzu_t self:fifo_file rw_file_perms; allow kudzu_t self:fifo_file rw_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms; allow kudzu_t self:unix_dgram_socket create_socket_perms;
@ -72,6 +71,7 @@ modutils_rename_module_config(kudzu_t)
storage_read_scsi_generic(kudzu_t) storage_read_scsi_generic(kudzu_t)
storage_read_tape(kudzu_t) storage_read_tape(kudzu_t)
storage_raw_write_fixed_disk(kudzu_t) storage_raw_write_fixed_disk(kudzu_t)
storage_raw_write_removable_device(kudzu_t)
storage_raw_read_fixed_disk(kudzu_t) storage_raw_read_fixed_disk(kudzu_t)
storage_raw_read_removable_device(kudzu_t) storage_raw_read_removable_device(kudzu_t)
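Review bot: The `auditallow kudzu_t self:process execmem;` line is dropped while `execmem` itself stays in the `self:process` allow rule directly above it, so the audit trail that recorded kudzu mapping writable-executable memory is gone even though the permission remains. If the auditallow had served its purpose, a comment on the allow line such as `# execmem is required by kudzu; no longer audited` would tell the next reader this was deliberate rather than lost. The same section also adds `storage_raw_write_removable_device(kudzu_t)` with no comment on why raw write (rather than the raw read already granted below it) is needed for removable devices. The kudzu_t rules continue outside both hunks.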


@ -1,5 +1,5 @@
policy_module(prelink,1.0.1) policy_module(prelink,1.0.2)
######################################## ########################################
# #
@ -65,6 +65,7 @@ files_read_etc_runtime_files(prelink_t)
fs_getattr_xattr_fs(prelink_t) fs_getattr_xattr_fs(prelink_t)
libs_use_ld_so(prelink_t) libs_use_ld_so(prelink_t)
libs_exec_ld_so(prelink_t)
libs_manage_ld_so(prelink_t) libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t) libs_relabel_ld_so(prelink_t)
libs_use_shared_libs(prelink_t) libs_use_shared_libs(prelink_t)


@ -1,5 +1,5 @@
policy_module(readahead,1.1.1) policy_module(readahead,1.1.2)
######################################## ########################################
# #
@ -47,7 +47,9 @@ fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t) fs_search_auto_mountpoints(readahead_t)
fs_getattr_all_pipes(readahead_t) fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t) fs_getattr_all_files(readahead_t)
fs_search_ramfs(readahead_t) fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t) fs_read_tmpfs_symlinks(readahead_t)
term_dontaudit_use_console(readahead_t) term_dontaudit_use_console(readahead_t)
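Review bot: `fs_search_ramfs(readahead_t)` is replaced by `fs_dontaudit_search_ramfs(readahead_t)`, which removes an allow rather than only adding a dontaudit; any ramfs traversal readahead did before now fails, and the two new dontaudit lines for ramfs files and pipes hide the resulting denials. If the intent is that readahead must not touch ramfs, a comment above the three lines, e.g. `# readahead has no business in ramfs; silence the denials rather than allow them`, would make that policy decision explicit and stop someone from reinstating the allow when they see no AVC messages. The readahead_t block continues outside the hunk.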


@ -22,7 +22,6 @@ template(`su_restricted_domain_template', `
# Transition from the user domain to this domain. # Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t) domain_auto_trans($2, su_exec_t, $1_su_t)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use; allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms; allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld; allow $1_su_t $2:process sigchld;
@ -30,9 +29,8 @@ template(`su_restricted_domain_template', `
# By default, revert to the calling domain when a shell is executed. # By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2) corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use; allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use; allow $2 $1_su_t:fifo_file rw_file_perms;
allow $1_su_t $2:fifo_file rw_file_perms; allow $2 $1_su_t:process sigchld;
allow $1_su_t $2:process sigchld;
kernel_read_system_state($1_su_t) kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t) kernel_read_kernel_sysctls($1_su_t)
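Review bot: The fd/fifo_file/sigchld rules in the two blocks now point in opposite directions (`$1_su_t` → `$2` after `domain_auto_trans`, `$2` → `$1_su_t` after `corecmd_shell_domtrans`), which matches the parent/child relationship each transition creates, but the old text shows how easily the direction gets mixed up. A one-line comment above each group naming which side is the new child, e.g. `# the su process inherits the caller's fds and signals it on exit` and `# the reverted shell inherits su's fds and signals su on exit`, would make the pairing self-explanatory. The template begins before the first hunk and continues after the second.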


@ -1,5 +1,5 @@
policy_module(su,1.2.0) policy_module(su,1.2.1)
######################################## ########################################
# #


@ -1,5 +1,5 @@
policy_module(bootloader,1.1.2) policy_module(bootloader,1.1.3)
######################################## ########################################
# #
@ -71,7 +71,7 @@ logging_log_file(var_log_ksyms_t)
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal }; allow bootloader_t self:process { sigkill sigstop signull signal };
allow bootloader_t self:fifo_file { getattr read write }; allow bootloader_t self:fifo_file rw_file_perms;
allow bootloader_t boot_t:dir { create rw_dir_perms }; allow bootloader_t boot_t:dir { create rw_dir_perms };
allow bootloader_t boot_t:file create_file_perms; allow bootloader_t boot_t:file create_file_perms;
@ -110,7 +110,7 @@ dev_getattr_all_blk_files(bootloader_t)
dev_dontaudit_rw_generic_dev_nodes(bootloader_t) dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t) dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t) dev_read_urand(bootloader_t)
dev_getattr_sysfs_dirs(bootloader_t) dev_read_sysfs(bootloader_t)
# for reading BIOS data # for reading BIOS data
dev_read_raw_memory(bootloader_t) dev_read_raw_memory(bootloader_t)


@ -1,5 +1,5 @@
policy_module(corenetwork,1.0.2) policy_module(corenetwork,1.0.3)
######################################## ########################################
# #
@ -46,6 +46,7 @@ network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0) network_port(amavisd_send, tcp,10025,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0) network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(clamd, tcp,3310,s0) network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0) network_port(clockspeed, udp,4041,s0)


@ -58,6 +58,8 @@ ifdef(`distro_suse', `
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
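Review bot: The new file context `/dev/bus/usb/.*/[0-9]+` uses `.*` for the bus directory, while the comment added next to the type in the devices.te hunk of this commit documents the path as `/dev/bus/usb/[0-9]+/[0-9]+`, so the labeling rule matches more than the documented layout. Tightening it to `/dev/bus/usb/[0-9]+/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)` keeps the rule and its documentation in agreement and limits the usb_device_t label to the intended nodes.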


@ -1,5 +1,5 @@
policy_module(devices,1.0.0) policy_module(devices,1.0.1)
######################################## ########################################
# #
@ -159,6 +159,12 @@ fs_noxattr_type(usbfs_t)
genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0) genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
#
# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
#
type usb_device_t;
dev_node(usb_device_t)
type v4l_device_t; type v4l_device_t;
dev_node(v4l_device_t) dev_node(v4l_device_t)


@ -173,6 +173,8 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>> /usr/\.journal <<none>>
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) /usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@ -192,6 +194,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255) /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
/usr/tmp/.* <<none>> /usr/tmp/.* <<none>>
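Review bot: The two new `.../lib(/.*)?` entries for /usr/doc and /usr/src omit the `(64)?` that the neighbouring `/usr/share(/.*)?/lib(64)?(/.*)?` rule carries, so a `lib64` directory under /usr/doc or /usr/src is not caught by the new rules. If that is deliberate, a short comment above the entries saying why these subtrees need an explicit usr_t rule and why lib64 is excluded would stop the next reader from "fixing" it; otherwise `lib(64)?` in both lines matches the sibling rule.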


@ -2292,7 +2292,7 @@ interface(`files_setattr_all_tmp_dirs',`
attribute tmpfile; attribute tmpfile;
') ')
allow $1 tmpfile:dir { search getattr }; allow $1 tmpfile:dir { search setattr };
') ')
######################################## ########################################


@ -1,5 +1,5 @@
policy_module(files,1.1.0) policy_module(files,1.1.1)
######################################## ########################################
# #


@ -1031,6 +1031,24 @@ interface(`fs_search_inotifyfs',`
allow $1 inotifyfs_t:dir search_dir_perms; allow $1 inotifyfs_t:dir search_dir_perms;
') ')
########################################
## <summary>
## List inotifyfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_list_inotifyfs',`
gen_require(`
type inotifyfs_t;
')
allow $1 inotifyfs_t:dir r_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Mount an iso9660 filesystem, which ## Mount an iso9660 filesystem, which
@ -1963,6 +1981,42 @@ interface(`fs_dontaudit_search_ramfs',`
dontaudit $1 ramfs_t:dir search; dontaudit $1 ramfs_t:dir search;
') ')
########################################
## <summary>
## Dontaudit read on a ramfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_dontaudit_read_ramfs_files',`
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:file read;
')
########################################
## <summary>
## Dontaudit read on a ramfs fifo_files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_dontaudit_read_ramfs_pipes',`
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:fifo_file read;
')
######################################## ########################################
## <summary> ## <summary>
## Write to named pipe on a ramfs filesystem. ## Write to named pipe on a ramfs filesystem.
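Review bot: The `<param>` summaries of the two new dontaudit interfaces (`fs_dontaudit_read_ramfs_files`, `fs_dontaudit_read_ramfs_pipes`) read "Domain allowed access.", but these interfaces grant nothing; the dontaudit interfaces added elsewhere in this commit (`automount_dontaudit_getattr_tmp_dirs`, `userdom_dontaudit_append_staff_home_files`) use "Domain to not audit.", which is the accurate wording. The top-level summaries could follow the same "Do not audit attempts to ..." phrasing, e.g. `## Do not audit attempts to read files on a ramfs filesystem.` and `## Do not audit attempts to read named pipes on a ramfs filesystem.`, which also fixes the "a ramfs files" grammar. The new `fs_list_inotifyfs` interface in the first hunk is documented consistently with its neighbours and needs no change.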


@ -1,5 +1,5 @@
policy_module(filesystem,1.2.1) policy_module(filesystem,1.2.2)
######################################## ########################################
# #


@ -430,7 +430,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t; type devpts_t;
') ')
dontaudit $1 devpts_t:chr_file { read write }; dontaudit $1 devpts_t:chr_file { getattr read write };
') ')
######################################## ########################################


@ -1,5 +1,5 @@
policy_module(terminal,1.0.0) policy_module(terminal,1.0.1)
######################################## ########################################
# #


@ -45,6 +45,7 @@ ifdef(`distro_suse', `
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@ -53,6 +54,7 @@ ifdef(`distro_suse', `
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', ` ifdef(`distro_debian', `


@ -1,5 +1,5 @@
policy_module(apache,1.2.0) policy_module(apache,1.2.1)
# #
# NOTES: # NOTES:


@ -43,3 +43,22 @@ interface(`automount_exec_config',`
corecmd_search_sbin($1) corecmd_search_sbin($1)
can_exec($1,automount_etc_t) can_exec($1,automount_etc_t)
') ')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of automount temporary directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`automount_dontaudit_getattr_tmp_dirs',`
gen_require(`
type automount_tmp_t;
')
dontaudit $1 automount_tmp_t:dir getattr;
')


@ -1,5 +1,5 @@
policy_module(automount,1.1.1) policy_module(automount,1.1.2)
######################################## ########################################
# #


@ -429,7 +429,7 @@ interface(`cron_rw_pipes',`
type crond_t; type crond_t;
') ')
allow $1 crond_t:fifo_file { read write }; allow $1 crond_t:fifo_file { getattr read write };
') ')
######################################## ########################################


@ -1,5 +1,5 @@
policy_module(cron,1.2.0) policy_module(cron,1.2.1)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;
@ -108,6 +108,7 @@ auth_domtrans_chk_passwd(crond_t)
corecmd_exec_shell(crond_t) corecmd_exec_shell(crond_t)
corecmd_list_sbin(crond_t) corecmd_list_sbin(crond_t)
corecmd_read_sbin_symlinks(crond_t)
domain_use_wide_inherit_fd(crond_t) domain_use_wide_inherit_fd(crond_t)


@ -1,5 +1,5 @@
policy_module(fetchmail,1.0.1) policy_module(fetchmail,1.0.2)
######################################## ########################################
# #
@ -44,6 +44,7 @@ kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t) kernel_list_proc(fetchmail_t)
kernel_getattr_proc_files(fetchmail_t) kernel_getattr_proc_files(fetchmail_t)
kernel_read_proc_symlinks(fetchmail_t) kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
corenet_non_ipsec_sendrecv(fetchmail_t) corenet_non_ipsec_sendrecv(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t)


@ -1,5 +1,5 @@
policy_module(hal,1.2.3) policy_module(hal,1.2.4)
######################################## ########################################
# #
@ -112,12 +112,15 @@ storage_raw_write_fixed_disk(hald_t)
term_dontaudit_use_console(hald_t) term_dontaudit_use_console(hald_t)
term_dontaudit_ioctl_unallocated_ttys(hald_t) term_dontaudit_ioctl_unallocated_ttys(hald_t)
term_dontaudit_use_unallocated_ttys(hald_t) term_dontaudit_use_unallocated_ttys(hald_t)
term_dontaudit_use_generic_ptys(hald_t)
init_use_fd(hald_t) init_use_fd(hald_t)
init_use_script_ptys(hald_t) init_use_script_ptys(hald_t)
init_domtrans_script(hald_t) init_domtrans_script(hald_t)
init_write_initctl(hald_t) init_write_initctl(hald_t)
init_read_utmp(hald_t) init_read_utmp(hald_t)
#hal runs shutdown, probably need a shutdown domain
init_rw_utmp(hald_t)
libs_use_ld_so(hald_t) libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t) libs_use_shared_libs(hald_t)
@ -150,6 +153,10 @@ optional_policy(`apm',`
apm_stream_connect(hald_t) apm_stream_connect(hald_t)
') ')
optional_policy(`automount', `
automount_dontaudit_getattr_tmp_dirs(hald_t)
')
optional_policy(`bind',` optional_policy(`bind',`
bind_search_cache(hald_t) bind_search_cache(hald_t)
') ')
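Review bot: `init_rw_utmp(hald_t)` is added two lines below the existing `init_read_utmp(hald_t)`; if the rw interface is a superset of the read one, as the names suggest (the interface bodies are not in view), the read line is now redundant and can be dropped. The accompanying comment `#hal runs shutdown, probably need a shutdown domain` records a real design gap and reads better as a tracked item, e.g. `# TODO: hal runs shutdown; this should move to a dedicated shutdown domain`, with a space after the `#` to match the file's other comments. The hald_t rules continue beyond both hunks.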


@ -1,5 +1,5 @@
policy_module(mta,1.2.0) policy_module(mta,1.2.1)
######################################## ########################################
# #
@ -145,6 +145,8 @@ optional_policy(`postfix',`
files_getattr_tmp_dirs(system_mail_t) files_getattr_tmp_dirs(system_mail_t)
postfix_exec_master(system_mail_t) postfix_exec_master(system_mail_t)
postfix_read_config(system_mail_t)
postfix_search_spool(system_mail_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# compatability for old default main.cf # compatability for old default main.cf


@ -1,5 +1,5 @@
policy_module(networkmanager,1.2.1) policy_module(networkmanager,1.2.2)
######################################## ########################################
# #
@ -30,8 +30,9 @@ allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms; allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms; allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t) allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
kernel_read_system_state(NetworkManager_t) kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t)


@ -1,5 +1,5 @@
policy_module(postfix,1.1.0) policy_module(postfix,1.1.1)
######################################## ########################################
# #
@ -418,10 +418,13 @@ allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms; allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
corenet_udp_sendrecv_all_if(postfix_postdrop_t)
corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
term_dontaudit_use_all_user_ptys(postfix_postdrop_t) term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
term_dontaudit_use_all_user_ttys(postfix_postdrop_t) term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
sysnet_dontaudit_read_config(postfix_postdrop_t) sysnet_dns_name_resolve(postfix_postdrop_t)
mta_rw_user_mail_stream_sockets(postfix_postdrop_t) mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
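Review bot: `sysnet_dontaudit_read_config(postfix_postdrop_t)` is replaced by `sysnet_dns_name_resolve(postfix_postdrop_t)`, turning a deliberately silenced denial into an allow, and the same hunk adds UDP send/receive on all interfaces and all nodes; together this widens the network access of a helper whose visible rules are otherwise the public fifo, the maildrop spool and user mail stream sockets. A comment above the new lines stating what postdrop needs to resolve would justify the change, and if name resolution is the only need, the two all-interface UDP rules may be unnecessary on top of the resolve interface (its body is not in view, so please confirm before relying on that). The postdrop block continues outside the hunk.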


@ -1,5 +1,5 @@
policy_module(remotelogin,1.1.0) policy_module(remotelogin,1.1.1)
######################################## ########################################
# #
@ -96,6 +96,7 @@ files_read_world_readable_symlinks(remote_login_t)
files_read_world_readable_pipes(remote_login_t) files_read_world_readable_pipes(remote_login_t)
files_read_world_readable_sockets(remote_login_t) files_read_world_readable_sockets(remote_login_t)
files_list_mnt(remote_login_t) files_list_mnt(remote_login_t)
files_polyinstantiate_all(remote_login_t)
# for when /var/mail is a sym-link # for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t) files_read_var_symlinks(remote_login_t)
@ -152,6 +153,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(remote_login_t) fs_read_cifs_symlinks(remote_login_t)
') ')
optional_policy(`alsa',`
alsa_domtrans(remote_login_t)
')
optional_policy(`nis',` optional_policy(`nis',`
nis_use_ypbind(remote_login_t) nis_use_ypbind(remote_login_t)
') ')
@ -163,30 +168,3 @@ optional_policy(`nscd',`
optional_policy(`usermanage',` optional_policy(`usermanage',`
usermanage_read_crack_db(remote_login_t) usermanage_read_crack_db(remote_login_t)
') ')
ifdef(`TODO',`
# this goes to xdm:
optional_policy(`remotelogin',`
# FIXME: what is this for?
remotelogin_signull(xdm_t)
')
# Login can polyinstantiate
polyinstantiater(remote_login_t)
ifdef(`alsa.te', `
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
')
allow remote_login_t userpty_type:chr_file { setattr write };
allow remote_login_t ptyfile:chr_file { getattr ioctl };
optional_policy(`rlogind',`
allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
')
optional_policy(`telnetd',`
allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
')
') dnl endif TODO
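Review bot: `files_polyinstantiate_all(remote_login_t)` is added without the `# Login can polyinstantiate` comment that the equivalent locallogin change in this commit carries and that the deleted TODO block had here; adding the same comment keeps the two login domains consistent. The removed TODO block also held pty rules against `rlogind_devpts_t` and `telnetd_devpts_t` (setattr, relabelfrom/relabelto) that have no visible replacement; they were inactive under `ifdef(`TODO'`, so nothing changes at runtime, but the reminder that remote login may need to relabel its pty disappears with them, and a one-line TODO near the alsa block would preserve it. The remote_login_t policy starts before the first hunk.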


@ -65,6 +65,7 @@ term_dontaudit_use_console(sendmail_t)
# for piping mail to a command # for piping mail to a command
corecmd_exec_shell(sendmail_t) corecmd_exec_shell(sendmail_t)
corecmd_search_sbin(sendmail_t)
domain_use_wide_inherit_fd(sendmail_t) domain_use_wide_inherit_fd(sendmail_t)


@ -1,5 +1,5 @@
policy_module(spamassassin,1.2.1) policy_module(spamassassin,1.2.2)
######################################## ########################################
# #
@ -77,6 +77,7 @@ corenet_tcp_bind_spamd_port(spamd_t)
# DnsResolver.pm module which binds to # DnsResolver.pm module which binds to
# random ports >= 1024. # random ports >= 1024.
corenet_udp_bind_generic_port(spamd_t) corenet_udp_bind_generic_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
dev_read_sysfs(spamd_t) dev_read_sysfs(spamd_t)
dev_read_urand(spamd_t) dev_read_urand(spamd_t)


@ -1,5 +1,5 @@
policy_module(zebra,1.1.0) policy_module(zebra,1.1.1)
######################################## ########################################
# #
@ -34,7 +34,7 @@ allow zebra_t self:file { ioctl read write getattr lock append };
allow zebra_t self:unix_dgram_socket create_socket_perms; allow zebra_t self:unix_dgram_socket create_socket_perms;
allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
allow zebra_t self:tcp_socket connected_stream_socket_perms; allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
allow zebra_t self:udp_socket create_socket_perms; allow zebra_t self:udp_socket create_socket_perms;
allow zebra_t self:rawip_socket create_socket_perms; allow zebra_t self:rawip_socket create_socket_perms;
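Review bot: Adding `connect` to zebra_t's `self:tcp_socket` permissions lets zebra initiate outbound TCP connections, yet no corenet connect interface is granted alongside it in this hunk, so the intended peer port is not recorded; the corenetwork hunk in this commit defines a new `bgp` port (tcp/udp 179), which may be the target. If so, pairing the permission with the generated connect interface for that port and a comment such as `# bgpd peers over tcp/179` would make the reason traceable instead of leaving a bare socket permission. The zebra_t block continues outside the hunk.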


@ -1,5 +1,5 @@
policy_module(fstools,1.2.0) policy_module(fstools,1.2.1)
######################################## ########################################
# #
@ -57,6 +57,8 @@ kernel_getattr_proc(fsadm_t)
kernel_rw_unlabeled_dirs(fsadm_t) kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t) kernel_rw_unlabeled_blk_files(fsadm_t)
bootloader_getattr_boot_dirs(fsadm_t)
dev_getattr_all_chr_files(fsadm_t) dev_getattr_all_chr_files(fsadm_t)
# mkreiserfs and other programs need this for UUID # mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t) dev_read_rand(fsadm_t)


@ -1,5 +1,5 @@
policy_module(libraries,1.2.0) policy_module(libraries,1.2.1)
######################################## ########################################
# #
@ -71,6 +71,7 @@ domain_use_wide_inherit_fd(ldconfig_t)
files_search_var_lib(ldconfig_t) files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t) files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t) files_search_tmp(ldconfig_t)
files_search_usr(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled: # for when /etc/ld.so.cache is mislabeled:
files_delete_etc_files(ldconfig_t) files_delete_etc_files(ldconfig_t)


@ -1,5 +1,5 @@
policy_module(locallogin,1.1.2) policy_module(locallogin,1.1.3)
######################################## ########################################
# #
@ -141,6 +141,8 @@ files_read_world_readable_pipes(local_login_t)
files_read_world_readable_sockets(local_login_t) files_read_world_readable_sockets(local_login_t)
# for when /var/mail is a symlink # for when /var/mail is a symlink
files_read_var_symlinks(local_login_t) files_read_var_symlinks(local_login_t)
# Login can polyinstantiate
files_polyinstantiate_all(local_login_t)
init_rw_utmp(local_login_t) init_rw_utmp(local_login_t)
init_dontaudit_use_fd(local_login_t) init_dontaudit_use_fd(local_login_t)
@ -214,11 +216,6 @@ optional_policy(`alsa',`
alsa_domtrans(local_login_t) alsa_domtrans(local_login_t)
') ')
ifdef(`TODO',`
# Login can polyinstantiate
polyinstantiater(local_login_t)
') dnl endif TODO
################################# #################################
# #
# Sulogin local policy # Sulogin local policy


@ -1,5 +1,5 @@
policy_module(logging,1.2.1) policy_module(logging,1.2.2)
######################################## ########################################
# #
@ -80,6 +80,8 @@ domain_use_wide_inherit_fd(auditctl_t)
mls_file_read_up(auditctl_t) mls_file_read_up(auditctl_t)
term_use_all_terms(auditctl_t)
init_use_script_ptys(auditctl_t) init_use_script_ptys(auditctl_t)
init_dontaudit_use_fd(auditctl_t) init_dontaudit_use_fd(auditctl_t)
@ -114,7 +116,7 @@ allow auditctl_t admin_tty_type:chr_file rw_file_perms;
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource }; allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config; dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process { signal_perms setsched }; allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file { getattr read write }; allow auditd_t self:file { getattr read write };
allow auditd_t self:unix_dgram_socket create_socket_perms; allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
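Review bot: `term_use_all_terms(auditctl_t)` grants auditctl access to every terminal type, while the context in the next hunk header shows auditctl_t already receiving `admin_tty_type:chr_file rw_file_perms`; the new interface is a superset of that and is broad for a tool that loads the audit rule set. If the need is only admin ttys plus ptys, the existing rule together with a narrower term_* interface (the file's selinuxutil hunk uses `term_use_all_user_ptys`, for example) would be tighter; otherwise a comment such as `# auditctl is run from init scripts and from any admin terminal` above the line would record why all terminals are required. Both hunks cut into larger blocks of the auditctl_t and auditd_t policy.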


@ -1,5 +1,5 @@
policy_module(mount,1.2.1) policy_module(mount,1.2.2)
######################################## ########################################
# #
@ -33,6 +33,8 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
dev_getattr_all_blk_files(mount_t) dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t) dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t) dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
storage_raw_read_fixed_disk(mount_t) storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t)


@ -1,5 +1,5 @@
policy_module(selinuxutil,1.1.3) policy_module(selinuxutil,1.1.4)
gen_require(` gen_require(`
bool secure_mode; bool secure_mode;
@ -249,6 +249,7 @@ term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t) term_use_all_user_ptys(newrole_t)
term_relabel_all_user_ttys(newrole_t) term_relabel_all_user_ttys(newrole_t)
term_relabel_all_user_ptys(newrole_t) term_relabel_all_user_ptys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
auth_domtrans_chk_passwd(newrole_t) auth_domtrans_chk_passwd(newrole_t)
@ -354,6 +355,7 @@ init_use_fd(restorecon_t)
init_use_script_ptys(restorecon_t) init_use_script_ptys(restorecon_t)
domain_use_wide_inherit_fd(restorecon_t) domain_use_wide_inherit_fd(restorecon_t)
domain_dontaudit_search_all_domains_state(restorecon_t)
files_read_etc_runtime_files(restorecon_t) files_read_etc_runtime_files(restorecon_t)
files_read_etc_files(restorecon_t) files_read_etc_files(restorecon_t)


@ -1,5 +1,5 @@
policy_module(udev,1.2.1) policy_module(udev,1.2.2)
######################################## ########################################
# #
@ -90,7 +90,7 @@ dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t) dev_delete_generic_files(udev_t)
fs_getattr_all_fs(udev_t) fs_getattr_all_fs(udev_t)
fs_search_inotifyfs(udev_t) fs_list_inotifyfs(udev_t)
selinux_get_fs_mount(udev_t) selinux_get_fs_mount(udev_t)
selinux_validate_context(udev_t) selinux_validate_context(udev_t)
@ -106,7 +106,7 @@ corecmd_exec_sbin(udev_t)
corecmd_exec_shell(udev_t) corecmd_exec_shell(udev_t)
domain_exec_all_entry_files(udev_t) domain_exec_all_entry_files(udev_t)
domain_dontaudit_list_all_domains_state(udev_t) domain_read_all_domains_state(udev_t)
files_read_etc_runtime_files(udev_t) files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t) files_read_etc_files(udev_t)
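Review bot: `domain_dontaudit_list_all_domains_state(udev_t)` becomes `domain_read_all_domains_state(udev_t)`, going from silencing directory listings to allowing udev to read the process state of every domain on the system; this is a much larger grant than the `fs_search_inotifyfs` → `fs_list_inotifyfs` step in the first hunk of the same file. A comment naming which per-process data udev actually reads would justify it, and if listing is all that is required, a list-only counterpart of the old dontaudit interface (if one exists) would be preferable to the full read. The udev_t rules continue beyond both hunks.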


@ -19,6 +19,7 @@ interface(`unconfined_domain_noaudit',`
# Use any Linux capability. # Use any Linux capability.
allow $1 self:capability *; allow $1 self:capability *;
allow $1 self:fifo_file create_file_perms;
# Transition to myself, to make get_ordered_context_list happy. # Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition; allow $1 self:process transition;


@ -1,5 +1,5 @@
policy_module(unconfined,1.2.3) policy_module(unconfined,1.2.4)
######################################## ########################################
# #
@ -89,6 +89,10 @@ ifdef(`targeted_policy',`
firstboot_domtrans(unconfined_t) firstboot_domtrans(unconfined_t)
') ')
optional_policy(`fstools',`
fstools_domtrans(unconfined_t)
')
optional_policy(`lpd',` optional_policy(`lpd',`
lpd_domtrans_checkpc(unconfined_t) lpd_domtrans_checkpc(unconfined_t)
') ')
@ -101,6 +105,10 @@ ifdef(`targeted_policy',`
mono_domtrans(unconfined_t) mono_domtrans(unconfined_t)
') ')
optional_policy(`mount',`
mount_domtrans(unconfined_t)
')
optional_policy(`netutils',` optional_policy(`netutils',`
netutils_domtrans_ping(unconfined_t) netutils_domtrans_ping(unconfined_t)
') ')


@ -3047,6 +3047,25 @@ interface(`userdom_dontaudit_search_staff_home_dir',`
dontaudit $1 staff_home_dir_t:dir search; dontaudit $1 staff_home_dir_t:dir search;
') ')
########################################
## <summary>
## Do not audit attempts to append to the staff
## users home directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`userdom_dontaudit_append_staff_home_files',`
gen_require(`
type staff_home_t;
')
dontaudit $1 staff_home_t:file append;
')
######################################## ########################################
## <summary> ## <summary>
## Read files in the staff users home directory. ## Read files in the staff users home directory.


@ -1,5 +1,5 @@
policy_module(userdomain,1.2.6) policy_module(userdomain,1.2.7)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;
@ -156,6 +156,8 @@ ifdef(`targeted_policy',`
mls_process_read_up(sysadm_t) mls_process_read_up(sysadm_t)
init_exec(sysadm_t)
ifdef(`direct_sysadm_daemon',` ifdef(`direct_sysadm_daemon',`
optional_policy(`init',` optional_policy(`init',`
init_run_daemon(sysadm_t,sysadm_r,admin_terminal) init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
@ -166,6 +168,7 @@ ifdef(`targeted_policy',`
logging_read_audit_log(secadm_t) logging_read_audit_log(secadm_t)
logging_domtrans_auditctl(secadm_t) logging_domtrans_auditctl(secadm_t)
mls_process_read_up(secadm_t) mls_process_read_up(secadm_t)
userdom_dontaudit_append_staff_home_files(secadm_t)
', ` ', `
logging_domtrans_auditctl(sysadm_t) logging_domtrans_auditctl(sysadm_t)
logging_read_audit_log(sysadm_t) logging_read_audit_log(sysadm_t)
@ -224,6 +227,10 @@ ifdef(`targeted_policy',`
optional_policy(`dmesg',` optional_policy(`dmesg',`
dmesg_exec(sysadm_t) dmesg_exec(sysadm_t)
ifdef(`enable_mls',`
dmesg_exec(secadm_t)
')
') ')
optional_policy(`dmidecode',` optional_policy(`dmidecode',`