more cleanup of current TODOs
parent
20a22759a7
commit
b24f35d8a3
@ -93,7 +93,7 @@ optional_policy(`xdm.te', `
|
||||
allow consoletype_t xdm_tmp_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
# is goes to xserver module
|
||||
# this goes to xdm module
|
||||
optional_policy(`consoletype.te',`
|
||||
consoletype_domtrans(xdm_t)
|
||||
')
|
||||
|
@ -25,6 +25,8 @@ kernel_read_kernel_sysctl(dmesg_t)
|
||||
kernel_read_ring_buffer(dmesg_t)
|
||||
kernel_clear_ring_buffer(dmesg_t)
|
||||
kernel_change_ring_buffer_level(dmesg_t)
|
||||
kernel_list_proc(dmesg_t)
|
||||
kernel_read_proc_symlinks(dmesg_t)
|
||||
|
||||
dev_read_sysfs(dmesg_t)
|
||||
|
||||
@ -67,9 +69,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow dmesg_t proc_t:dir r_dir_perms;
|
||||
allow dmesg_t proc_t:lnk_file read;
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(dmesg_t)
|
||||
')
|
||||
|
@ -140,11 +140,11 @@ allow logrotate_t domain:dir r_dir_perms;
|
||||
allow logrotate_t exec_type:file getattr;
|
||||
|
||||
#this should go to squid:
|
||||
ifdef(`squid.te', `
|
||||
allow squid_t { system_crond_t crond_t }:fd use;
|
||||
allow squid_t crond_t:fifo_file { read write };
|
||||
allow squid_t system_crond_t:fifo_file write;
|
||||
allow squid_t self:capability kill;
|
||||
optional_policy(`logrotate.te', `
|
||||
allow squid_t { system_crond_t crond_t }:fd use;
|
||||
allow squid_t crond_t:fifo_file { read write };
|
||||
allow squid_t system_crond_t:fifo_file write;
|
||||
allow squid_t self:capability kill;
|
||||
')
|
||||
|
||||
# for /var/lib/logrotate.status and /var/lib/logcheck
|
||||
|
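Review bot: The `allow squid_t ...` rules under `#this should go to squid:` are guarded on `logrotate.te`, yet the hunk context (`allow logrotate_t domain:dir r_dir_perms;`) suggests the block still sits in the logrotate module, where that guard is always satisfied. If so, a build without the squid module would hit four rules naming the undeclared type `squid_t`, which the earlier `squid.te` guard prevented. Until the block is actually moved, guard it on the module that declares the type: ``optional_policy(`squid.te', ` ``. The page lost its +/- markers, so which guard is the new side is inferred from print order and from the commit's habit of converting `ifdef` to `optional_policy`.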
@ -41,6 +41,8 @@ allow netutils_t netutils_tmp_t:dir create_dir_perms;
|
||||
allow netutils_t netutils_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
|
||||
|
||||
kernel_search_proc(netutils_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(netutils_t)
|
||||
corenet_raw_sendrecv_all_if(netutils_t)
|
||||
corenet_udp_sendrecv_all_if(netutils_t)
|
||||
@ -77,10 +79,7 @@ optional_policy(`nis.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
|
||||
allow netutils_t proc_t:dir search;
|
||||
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
|
@ -71,7 +71,7 @@ interface(`rpm_use_fd',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read from a RPM pipe.
|
||||
## Read from an unnamed RPM pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
@ -86,6 +86,41 @@ interface(`rpm_read_pipe',`
|
||||
allow $1 rpm_t:fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write an unnamed RPM pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_rw_pipe',`
|
||||
gen_require(`
|
||||
type rpm_t;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 rpm_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete the RPM log.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_manage_log',`
|
||||
gen_require(`
|
||||
type rpm_log_t;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
logging_rw_log_dir($1)
|
||||
allow $1 rpm_log_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the RPM package database.
|
||||
@ -117,7 +152,7 @@ interface(`rpm_read_db',`
|
||||
#
|
||||
interface(`rpm_manage_db',`
|
||||
gen_require(`
|
||||
type rpm_var_lib_t_t;
|
||||
type rpm_var_lib_t;
|
||||
class dir rw_dir_perms;
|
||||
class lnk_file { getattr read write unlink };
|
||||
class file { getattr create read write append unlink };
|
||||
|
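Review bot: `rpm_manage_log` is documented as "Create, read, write, and delete the RPM log", but its body also calls `logging_rw_log_dir($1)`, so callers receive whatever access to the log directory that interface grants. The raw rules it replaces for `crond_t` and `system_crond_t` were only `allow ... rpm_log_t:file create_file_perms;`, so the conversion appears to add directory access for both cron domains. State that in the summary, e.g. `## Create, read, write, and delete the RPM log, including read/write access to the log directory.`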
@ -96,13 +96,6 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctl(rpm_t)
|
||||
|
||||
selinux_get_fs_mount(rpm_t)
|
||||
selinux_validate_context(rpm_t)
|
||||
selinux_compute_access_vector(rpm_t)
|
||||
selinux_compute_create_context(rpm_t)
|
||||
selinux_compute_relabel_context(rpm_t)
|
||||
selinux_compute_user_contexts(rpm_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(rpm_t)
|
||||
corenet_raw_sendrecv_all_if(rpm_t)
|
||||
corenet_udp_sendrecv_all_if(rpm_t)
|
||||
@ -114,6 +107,8 @@ corenet_udp_sendrecv_all_ports(rpm_t)
|
||||
corenet_tcp_bind_all_nodes(rpm_t)
|
||||
corenet_udp_bind_all_nodes(rpm_t)
|
||||
|
||||
dev_list_sysfs(rpm_t)
|
||||
dev_list_usbfs(rpm_t)
|
||||
dev_read_urand(rpm_t)
|
||||
#devices_manage_all_device_types(rpm_t)
|
||||
|
||||
@ -123,6 +118,13 @@ fs_manage_nfs_symlinks(rpm_t)
|
||||
fs_getattr_all_fs(rpm_t)
|
||||
fs_search_auto_mountpoints(rpm_t)
|
||||
|
||||
selinux_get_fs_mount(rpm_t)
|
||||
selinux_validate_context(rpm_t)
|
||||
selinux_compute_access_vector(rpm_t)
|
||||
selinux_compute_create_context(rpm_t)
|
||||
selinux_compute_relabel_context(rpm_t)
|
||||
selinux_compute_user_contexts(rpm_t)
|
||||
|
||||
storage_raw_write_fixed_disk(rpm_t)
|
||||
# for installing kernel packages
|
||||
storage_raw_read_fixed_disk(rpm_t)
|
||||
@ -189,19 +191,11 @@ allow rpm_t fs_type:dir { setattr rw_dir_perms };
|
||||
|
||||
allow rpm_t mount_t:tcp_socket write;
|
||||
|
||||
allow rpm_t sysfs_t:dir r_dir_perms;
|
||||
allow rpm_t usbdevfs_t:dir r_dir_perms;
|
||||
|
||||
allow rpm_t rpc_pipefs_t:dir search;
|
||||
|
||||
optional_policy(`gnome-pty-helper.te', `
|
||||
allow rpm_t sysadm_gph_t:fd use;
|
||||
')
|
||||
|
||||
# for kernel package installation
|
||||
optional_policy(`mount.te', `
|
||||
allow mount_t rpm_t:fifo_file rw_file_perms;
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -237,14 +231,10 @@ allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_kernel_sysctl(rpm_script_t)
|
||||
selinux_get_fs_mount(rpm_script_t)
|
||||
selinux_validate_context(rpm_script_t)
|
||||
selinux_compute_access_vector(rpm_script_t)
|
||||
selinux_compute_create_context(rpm_script_t)
|
||||
selinux_compute_relabel_context(rpm_script_t)
|
||||
selinux_compute_user_contexts(rpm_script_t)
|
||||
kernel_read_system_state(rpm_script_t)
|
||||
|
||||
dev_list_sysfs(rpm_script_t)
|
||||
|
||||
# ideally we would not need this
|
||||
dev_manage_generic_blk_file(rpm_script_t)
|
||||
dev_manage_generic_chr_file(rpm_script_t)
|
||||
@ -259,6 +249,13 @@ fs_mount_xattr_fs(rpm_script_t)
|
||||
fs_unmount_xattr_fs(rpm_script_t)
|
||||
fs_search_auto_mountpoints(rpm_script_t)
|
||||
|
||||
selinux_get_fs_mount(rpm_script_t)
|
||||
selinux_validate_context(rpm_script_t)
|
||||
selinux_compute_access_vector(rpm_script_t)
|
||||
selinux_compute_create_context(rpm_script_t)
|
||||
selinux_compute_relabel_context(rpm_script_t)
|
||||
selinux_compute_user_contexts(rpm_script_t)
|
||||
|
||||
storage_raw_read_fixed_disk(rpm_script_t)
|
||||
storage_raw_write_fixed_disk(rpm_script_t)
|
||||
|
||||
@ -302,7 +299,14 @@ seutil_domtrans_restorecon(rpm_script_t)
|
||||
|
||||
userdom_use_all_user_fd(rpm_script_t)
|
||||
|
||||
optional_policy(`bootloader.te', `
|
||||
# this should be tunable_policy, but
|
||||
# typeattribute does not work in conditionals
|
||||
ifdef(`unlimitedRPM',`
|
||||
unconfined_domain_template(rpm_t)
|
||||
unconfined_domain_template(rpm_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_domtrans(rpm_script_t)
|
||||
')
|
||||
|
||||
@ -310,14 +314,15 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(rpm_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_domtrans_groupadd(rpm_script_t)
|
||||
usermanage_domtrans_useradd(rpm_script_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow rpm_script_t sysfs_t:dir r_dir_perms;
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
can_exec(rpm_script_t,printconf_t)
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -340,10 +345,6 @@ seutil_read_src_pol(rpmbuild_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow userdomain var_lib_t:dir { getattr search };
|
||||
|
||||
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
|
||||
|
||||
optional_policy(`cups.te', `
|
||||
allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
|
||||
allow cupsd_t rpm_var_lib_t:file r_file_perms;
|
||||
@ -356,32 +357,14 @@ optional_policy(`ssh-agent.te', `
|
||||
domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
|
||||
')
|
||||
|
||||
optional_policy(`useradd.te', `
|
||||
domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
|
||||
domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
|
||||
role system_r types { useradd_t groupadd_t };
|
||||
allow { useradd_t groupadd_t } rpm_t:fd use;
|
||||
allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
allow bootloader_t rpm_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`prelink.te', `
|
||||
domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
optional_policy(`pamconsole.te', `
|
||||
domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
|
||||
')
|
||||
optional_policy(`pamconsole.te', `
|
||||
domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`unlimitedRPM', `
|
||||
typeattribute rpm_t auth_write;
|
||||
unconfined_domain(rpm_t)
|
||||
typeattribute rpm_script_t auth_write;
|
||||
unconfined_domain(rpm_script_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
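Review bot: The ``ifdef(`unlimitedRPM',` `` block after `userdom_use_all_user_fd(rpm_script_t)` appears to have moved out of ``ifdef(`TODO'``, so defining that build flag now applies `unconfined_domain_template` to both `rpm_t` and `rpm_script_t`. The comment above it only explains why it is not a tunable; it should also say what the flag grants, for example `# unlimitedRPM removes confinement from rpm_t and rpm_script_t; leave undefined unless required`. The earlier TODO form also set `typeattribute rpm_t auth_write;` and the same for `rpm_script_t`. The page does not show whether `unconfined_domain_template` covers that attribute, so it is worth confirming.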
@ -252,6 +252,11 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_use_fd(groupadd_t)
|
||||
rpm_rw_pipe(groupadd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
@ -518,6 +523,11 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_use_fd(useradd_t)
|
||||
rpm_rw_pipe(useradd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
|
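Review bot: `rpm_rw_pipe(groupadd_t)` here, and `rpm_rw_pipe(useradd_t)` in the second hunk, grant `rw_file_perms` on `rpm_t:fifo_file`. The rule they replace in the rpm module's TODO block was `allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };`. `rw_file_perms` normally also carries getattr, ioctl, lock and append, so the conversion widens access slightly for both domains. If the wider set is intended, a short comment such as `# pipe inherited from rpm; full rw set needed` would record why. Otherwise a narrower interface would keep the original grant.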
@ -193,6 +193,10 @@ optional_policy(`modutils.te',`
|
||||
modutils_exec_update_mods(bootloader_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_rw_pipe(bootloader_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
dontaudit bootloader_t selinux_config_t:dir search;
|
||||
|
@ -1872,7 +1872,7 @@ interface(`dev_getattr_sysfs_dir',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search sysfs.
|
||||
## Search the sysfs directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
@ -1904,6 +1904,23 @@ interface(`dev_dontaudit_search_sysfs',`
|
||||
dontaudit $1 sysfs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of the sysfs directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_list_sysfs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 sysfs_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow caller to read hardware state information.
|
||||
|
@ -118,8 +118,12 @@ miscfiles_read_localization(crond_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(crond_t)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
allow crond_t system_cron_spool_t:file create_file_perms;
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
|
||||
optional_policy(`rpm.te', `
|
||||
rpm_manage_log(crond_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -128,11 +132,15 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(crond_t)
|
||||
')
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
allow crond_t system_cron_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`crond.te',`
|
||||
optional_policy(`rpm.te',`
|
||||
# Commonly used from postinst scripts
|
||||
rpm_read_pipe(crond_t)
|
||||
')
|
||||
@ -145,18 +153,12 @@ ifdef(`TODO',`
|
||||
# NB The constraints file has some entries for crond_t, this makes it
|
||||
# different from all other domains...
|
||||
|
||||
dontaudit crond_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(crond_t)
|
||||
')
|
||||
|
||||
# Read from /var/spool/cron.
|
||||
allow crond_t var_lib_t:dir search;
|
||||
allow crond_t mail_spool_t:dir search;
|
||||
# for if /var/mail is a symlink
|
||||
allow crond_t mail_spool_t:lnk_file read;
|
||||
|
||||
allow crond_t default_t:dir search;
|
||||
|
||||
# crond tries to search /root. Not sure why.
|
||||
@ -164,17 +166,6 @@ allow crond_t sysadm_home_dir_t:dir r_dir_perms;
|
||||
|
||||
# to search /home
|
||||
allow crond_t user_home_dir_type:dir r_dir_perms;
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
|
||||
ifdef(`rpm.te', `
|
||||
allow crond_t rpm_log_t: file create_file_perms;
|
||||
|
||||
system_crond_entry(rpm_exec_t, rpm_t)
|
||||
allow system_crond_t rpm_log_t:file create_file_perms;
|
||||
')
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -294,6 +285,14 @@ miscfiles_rw_man_cache(system_crond_t)
|
||||
|
||||
seutil_read_config(system_crond_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
|
||||
optional_policy(`rpm.te', `
|
||||
rpm_manage_log(system_crond_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`cron_can_relabel',`
|
||||
seutil_domtrans_setfiles(system_crond_t)
|
||||
',`
|
||||
@ -345,12 +344,6 @@ ifdef(`apache.te', `
|
||||
allow system_crond_t httpd_log_t:file r_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
optional_policy(`rpm.te', `
|
||||
allow system_crond_t rpm_log_t:file create_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`mta.te', `
|
||||
mta_send_mail_transition(system_crond_t)
|
||||
|
||||
|
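Review bot: The comment on the new ``ifdef(`distro_redhat',` `` blocks for `crond_t` and `system_crond_t` still says "Run the rpm program in the rpm_t domain", but the only call inside each is `rpm_manage_log(...)`. The `system_crond_entry(rpm_exec_t, rpm_t)` line from the old TODO block appears to be removed with no visible replacement. Nothing in these hunks makes rpm started from cron leave the cron domain, so the comment overstates what the policy does. Either add the transition through an interface of the rpm module, or trim the comment to `# Allow creation of RPM log files via redirection of standard out.` in both places.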
@ -1,5 +1,6 @@
|
||||
## <summary>Internet services daemon.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Define the specified domain as a inetd service.
|
||||
## </summary>
|
||||
@ -16,8 +17,8 @@
|
||||
## <param name="entrypoint">
|
||||
## The type associated with the process program.
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_core_service_domain',`
|
||||
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
role system_r;
|
||||
@ -41,6 +42,7 @@ interface(`inetd_core_service_domain',`
|
||||
allow inetd_t $1:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Define the specified domain as a TCP inetd service.
|
||||
## </summary>
|
||||
@ -50,6 +52,7 @@ interface(`inetd_core_service_domain',`
|
||||
## <param name="entrypoint">
|
||||
## The type associated with the process program.
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_tcp_service_domain',`
|
||||
|
||||
gen_require(`
|
||||
@ -62,6 +65,7 @@ interface(`inetd_tcp_service_domain',`
|
||||
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Define the specified domain as a UDP inetd service.
|
||||
## </summary>
|
||||
@ -71,8 +75,8 @@ interface(`inetd_tcp_service_domain',`
|
||||
## <param name="entrypoint">
|
||||
## The type associated with the process program.
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_udp_service_domain',`
|
||||
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
class udp_socket rw_socket_perms;
|
||||
@ -83,6 +87,7 @@ interface(`inetd_udp_service_domain',`
|
||||
allow $1 inetd_t:udp_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Define the specified domain as a TCP and UDP inetd service.
|
||||
## </summary>
|
||||
@ -92,6 +97,7 @@ interface(`inetd_udp_service_domain',`
|
||||
## <param name="entrypoint">
|
||||
## The type associated with the process program.
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_service_domain',`
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
@ -104,3 +110,24 @@ interface(`inetd_service_domain',`
|
||||
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
|
||||
allow $1 inetd_t:udp_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to the inetd service using a TCP connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_tcp_connectto',`
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
class tcp_socket { connectto acceptfrom recvfrom };
|
||||
')
|
||||
|
||||
allow $1 inetd_t:tcp_socket { connectto recvfrom };
|
||||
allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
|
||||
#allow inetd_t kernel_t:tcp_socket recvfrom;
|
||||
#allow $1 kernel_t:tcp_socket recvfrom;
|
||||
')
|
||||
|
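Review bot: The new `inetd_tcp_connectto` interface ends with two commented-out rules, `#allow inetd_t kernel_t:tcp_socket recvfrom;` and `#allow $1 kernel_t:tcp_socket recvfrom;`, with no explanation. A reader cannot tell whether they are known-missing permissions or leftovers. `kernel_t` is also absent from the `gen_require` block, which matters if someone re-enables them. Either delete them or add a line such as `# TODO: decide whether recvfrom on kernel_t:tcp_socket is needed`.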
@ -53,6 +53,8 @@ allow inetd_t inetd_var_run_t:file create_file_perms;
|
||||
files_create_pid(inetd_t,inetd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(inetd_t)
|
||||
kernel_list_proc(inetd_t)
|
||||
kernel_read_proc_symlinks(inetd_t)
|
||||
|
||||
# networking:
|
||||
corenet_tcp_sendrecv_all_if(inetd_t)
|
||||
@ -109,6 +111,7 @@ miscfiles_read_localization(inetd_t)
|
||||
sysnet_read_config(inetd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(inetd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(inetd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(inetd_t)
|
||||
@ -128,19 +131,24 @@ optional_policy(`udev.te', `
|
||||
udev_read_db(inetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`unconfined.te', `
|
||||
unconfined_domtrans(inetd_t)
|
||||
')
|
||||
|
||||
# This should be tunable_policy, but leaving
|
||||
# ifdef until typeattribute works in conditionals
|
||||
ifdef(`unlimitedInetd', `
|
||||
unconfined_domain_template(inetd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow inetd_t proc_t:dir r_dir_perms;
|
||||
allow inetd_t proc_t:lnk_file read;
|
||||
dontaudit inetd_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(inetd_t)
|
||||
')
|
||||
|
||||
# allow any domain to connect to inetd
|
||||
can_tcp_connect(userdomain, inetd_t)
|
||||
|
||||
# Bind to the telnet, ftp, rlogin and rsh ports.
|
||||
# cjp: these ports currently dont exist in the NSA example
|
||||
ifdef(`talk.te', `
|
||||
allow inetd_t talk_port_t:tcp_socket name_bind;
|
||||
allow inetd_t ntalk_port_t:tcp_socket name_bind;
|
||||
@ -148,15 +156,6 @@ allow inetd_t ntalk_port_t:tcp_socket name_bind;
|
||||
|
||||
# Communicate with the portmapper.
|
||||
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
|
||||
|
||||
ifdef(`unconfined.te', `
|
||||
domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
ifdef(`unlimitedInetd', `
|
||||
unconfined_domain(inetd_t)
|
||||
')
|
||||
|
||||
') dnl TODO
|
||||
|
||||
########################################
|
||||
@ -173,7 +172,7 @@ allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow inetd_child_t self:capability { setuid setgid };
|
||||
allow inetd_child_t self:dir search;
|
||||
allow inetd_child_t self:{ lnk_file file } { getattr read };
|
||||
#allow inetd_child_t home_root_t:dir search;
|
||||
files_search_home(inetd_child_t)
|
||||
|
||||
allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
|
||||
allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
|
||||
|
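Review bot: `unconfined_domtrans(inetd_t)` now looks active whenever the unconfined module is built, rather than sitting inside ``ifdef(`TODO'``. That gives the internet services daemon a path into the unconfined domain in every policy flavour that ships that module. The file already gates other rules on `targeted_policy`. If the transition is only meant for that flavour, wrap the `optional_policy` block the same way with ``ifdef(`targeted_policy',` ``. The ``ifdef(`unlimitedInetd',` `` block directly below applies `unconfined_domain_template(inetd_t)` and would benefit from a comment saying that the flag removes confinement.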
@ -81,6 +81,8 @@ allow kadmind_t kadmind_var_run_t:file { getattr create read write append setatt
|
||||
files_create_pid(kadmind_t,kadmind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(kadmind_t)
|
||||
kernel_list_proc(kadmind_t)
|
||||
kernel_read_proc_symlinks(kadmind_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(kadmind_t)
|
||||
corenet_raw_sendrecv_all_if(kadmind_t)
|
||||
@ -119,6 +121,7 @@ miscfiles_read_localization(kadmind_t)
|
||||
sysnet_read_config(kadmind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(kadmind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(kadmind_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(kadmind_t)
|
||||
@ -142,9 +145,6 @@ ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(kadmind_t)
|
||||
')
|
||||
allow kadmind_t proc_t:dir r_dir_perms;
|
||||
allow kadmind_t proc_t:lnk_file read;
|
||||
dontaudit kadmind_t sysadm_home_dir_t:dir search;
|
||||
|
||||
# cjp: not sure, but I think this has no effect
|
||||
can_tcp_connect(kerberos_admin_port_t, kadmind_t)
|
||||
@ -185,6 +185,8 @@ files_create_pid(krb5kdc_t,krb5kdc_var_run_t)
|
||||
|
||||
kernel_read_system_state(krb5kdc_t)
|
||||
kernel_read_kernel_sysctl(krb5kdc_t)
|
||||
kernel_list_proc(krb5kdc_t)
|
||||
kernel_read_proc_symlinks(krb5kdc_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(krb5kdc_t)
|
||||
corenet_raw_sendrecv_all_if(krb5kdc_t)
|
||||
@ -220,6 +222,7 @@ miscfiles_read_localization(krb5kdc_t)
|
||||
sysnet_read_config(krb5kdc_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(krb5kdc_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(krb5kdc_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(krb5kdc_t)
|
||||
@ -240,10 +243,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow krb5kdc_t proc_t:dir r_dir_perms;
|
||||
allow krb5kdc_t proc_t:lnk_file read;
|
||||
dontaudit krb5kdc_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(krb5kdc_t)
|
||||
')
|
||||
|
@ -53,8 +53,10 @@ template(`mta_per_userdomain_template',`
|
||||
libs_use_shared_libs($1_mail_t)
|
||||
|
||||
corecmd_exec_bin($1_mail_t)
|
||||
corecmd_search_sbin($1_mail_t)
|
||||
|
||||
files_read_etc_files($1_mail_t)
|
||||
files_search_spool($1_mail_t)
|
||||
|
||||
logging_send_syslog_msg($1_mail_t)
|
||||
|
||||
@ -70,6 +72,11 @@ template(`mta_per_userdomain_template',`
|
||||
corenet_udp_sendrecv_dns_port($1_mail_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files($1_mail_t)
|
||||
fs_manage_cifs_symlinks($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_mail_t)
|
||||
')
|
||||
@ -80,8 +87,6 @@ template(`mta_per_userdomain_template',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow $1_mail_t device_t:dir search;
|
||||
allow $1_mail_t { var_t var_spool_t }:dir search;
|
||||
allow $1_mail_t sbin_t:dir search;
|
||||
|
||||
# It wants to check for nscd
|
||||
dontaudit $1_mail_t var_run_t:dir search;
|
||||
@ -92,7 +97,7 @@ template(`mta_per_userdomain_template',`
|
||||
# Read user temporary files.
|
||||
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
||||
dontaudit $1_mail_t $1_tmp_t:file append;
|
||||
ifdef(`postfix.te', `
|
||||
ifdef(`postfix.te',`
|
||||
# postfix seems to need write access if the file handle is opened read/write
|
||||
allow $1_mail_t $1_tmp_t:file write;
|
||||
')
|
||||
@ -114,10 +119,6 @@ template(`mta_per_userdomain_template',`
|
||||
# Create dead.letter in user home directories.
|
||||
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
rw_dir_create_file($1_mail_t, cifs_t)
|
||||
')
|
||||
|
||||
# if you do not want to allow dead.letter then use the following instead
|
||||
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
||||
#allow $1_mail_t $1_home_t:file r_file_perms;
|
||||
@ -292,11 +293,13 @@ interface(`mta_rw_spool',`
|
||||
gen_require(`
|
||||
type mail_spool_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
class file { rw_file_perms setattr };
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir r_dir_perms;
|
||||
allow $1 mail_spool_t:lnk_file { getattr read };
|
||||
allow $1 mail_spool_t:file { rw_file_perms setattr };
|
||||
')
|
||||
|
||||
@ -308,11 +311,13 @@ interface(`mta_manage_spool',`
|
||||
gen_require(`
|
||||
type mail_spool_t;
|
||||
class dir rw_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir rw_dir_perms;
|
||||
allow $1 mail_spool_t:lnk_file { getattr read };
|
||||
allow $1 mail_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
@ -327,7 +332,7 @@ interface(`mta_manage_queue',`
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
# FIXME: search /var/spool dir
|
||||
files_search_spool($1)
|
||||
allow $1 mqueue_spool_t:dir rw_dir_perms;
|
||||
allow $1 mqueue_spool_t:file create_file_perms;
|
||||
')
|
||||
|
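Review bot: The ``tunable_policy(`use_samba_home_dirs',` `` block added to `mta_per_userdomain_template` calls `fs_manage_cifs_symlinks($1_mail_t)` as well as `fs_manage_cifs_files`. The TODO rule it replaces, `rw_dir_create_file($1_mail_t, cifs_t)`, by its name covered directories and files only. The old block's stated purpose is creating dead.letter in the home directory, which does not obviously need symlink management on CIFS. Unless a denial motivated it, drop the symlink line or add a comment explaining the need.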
@ -56,6 +56,8 @@ allow ypbind_t var_yp_t:dir rw_dir_perms;
|
||||
allow ypbind_t var_yp_t:file create_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(ypbind_t)
|
||||
kernel_list_proc(ypbind_t)
|
||||
kernel_read_proc_symlinks(ypbind_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(ypbind_t)
|
||||
corenet_udp_sendrecv_all_if(ypbind_t)
|
||||
@ -99,6 +101,7 @@ miscfiles_read_localization(ypbind_t)
|
||||
sysnet_read_config(ypbind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(ypbind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(ypbind_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(ypbind_t)
|
||||
@ -119,17 +122,11 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow ypbind_t proc_t:dir r_dir_perms;
|
||||
allow ypbind_t proc_t:lnk_file read;
|
||||
|
||||
dontaudit ypbind_t sysadm_home_dir_t:dir search;
|
||||
|
||||
can_udp_send(ypbind_t, portmap_t)
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(ypbind_t)
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -157,6 +154,8 @@ allow ypserv_t ypserv_var_run_t:file { getattr create read write append setattr
|
||||
files_create_pid(ypserv_t,ypserv_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(ypserv_t)
|
||||
kernel_list_proc(ypserv_t)
|
||||
kernel_read_proc_symlinks(ypserv_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(ypserv_t)
|
||||
corenet_raw_sendrecv_all_if(ypserv_t)
|
||||
@ -192,6 +191,7 @@ miscfiles_read_localization(ypserv_t)
|
||||
sysnet_read_config(ypserv_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(ypserv_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(ypserv_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(ypserv_t)
|
||||
@ -212,11 +212,6 @@ optional_policy(`rhgb.te', `
|
||||
rhgb_domain(ypserv_t)
|
||||
')
|
||||
|
||||
allow ypserv_t proc_t:dir r_dir_perms;
|
||||
allow ypserv_t proc_t:lnk_file read;
|
||||
|
||||
dontaudit ypserv_t sysadm_home_dir_t:dir search;
|
||||
|
||||
# Send to portmap and initrc.
|
||||
can_udp_send(ypserv_t, portmap_t)
|
||||
|
||||
|
@ -50,6 +50,9 @@ selinux_compute_create_context(remote_login_t)
|
||||
selinux_compute_relabel_context(remote_login_t)
|
||||
selinux_compute_user_contexts(remote_login_t)
|
||||
|
||||
dev_getattr_mouse(remote_login_t)
|
||||
dev_setattr_mouse(remote_login_t)
|
||||
dev_dontaudit_search_sysfs(remote_login_t)
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(remote_login_t)
|
||||
|
||||
@ -60,15 +63,36 @@ auth_domtrans_chk_passwd(remote_login_t)
|
||||
auth_dontaudit_read_shadow(remote_login_t)
|
||||
auth_rw_login_records(remote_login_t)
|
||||
auth_rw_lastlog(remote_login_t)
|
||||
auth_rw_faillog(remote_login_t)
|
||||
auth_exec_pam(remote_login_t)
|
||||
auth_manage_pam_console_data(remote_login_t)
|
||||
|
||||
corecmd_list_bin(remote_login_t)
|
||||
corecmd_list_sbin(remote_login_t)
|
||||
corecmd_read_bin_symlink(remote_login_t)
|
||||
corecmd_read_sbin_symlink(remote_login_t)
|
||||
# cjp: these are probably not needed:
|
||||
corecmd_read_bin_file(remote_login_t)
|
||||
corecmd_read_bin_pipe(remote_login_t)
|
||||
corecmd_read_bin_socket(remote_login_t)
|
||||
corecmd_read_sbin_file(remote_login_t)
|
||||
corecmd_read_sbin_pipe(remote_login_t)
|
||||
corecmd_read_sbin_socket(remote_login_t)
|
||||
|
||||
domain_read_all_entry_files(remote_login_t)
|
||||
|
||||
files_read_etc_files(remote_login_t)
|
||||
files_read_etc_runtime_files(remote_login_t)
|
||||
files_list_home(remote_login_t)
|
||||
files_read_usr_files(remote_login_t)
|
||||
files_list_world_readable(remote_login_t)
|
||||
files_read_world_readable_files(remote_login_t)
|
||||
files_read_world_readable_symlinks(remote_login_t)
|
||||
files_read_world_readable_pipes(remote_login_t)
|
||||
files_read_world_readable_sockets(remote_login_t)
|
||||
files_list_mnt(remote_login_t)
|
||||
# for when /var/mail is a sym-link
|
||||
files_read_var_symlink(remote_login_t)
|
||||
|
||||
init_rw_script_pid(remote_login_t)
|
||||
|
||||
@ -83,6 +107,39 @@ seutil_read_default_contexts(remote_login_t)
|
||||
miscfiles_read_localization(remote_login_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(remote_login_t)
|
||||
userdom_search_all_users_home(remote_login_t)
|
||||
# Only permit unprivileged user domains to be entered via rlogin,
|
||||
# since very weak authentication is used.
|
||||
userdom_signal_unpriv_users(remote_login_t)
|
||||
userdom_spec_domtrans_unpriv_users(remote_login_t)
|
||||
|
||||
# Search for mail spool file.
|
||||
mta_getattr_spool(remote_login_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(remote_login_t)
|
||||
unconfined_shell_domtrans(remote_login_t)
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(remote_login_t)
|
||||
files_read_default_files(remote_login_t)
|
||||
files_read_default_symlinks(remote_login_t)
|
||||
files_read_default_sockets(remote_login_t)
|
||||
files_read_default_pipes(remote_login_t)
|
||||
')
|
||||
|
||||
# Allow remote login to resolve host names (passed in via the -h switch)
|
||||
tunable_policy(`use_dns',`
|
||||
allow remote_login_t self:udp_socket create_socket_perms;
|
||||
corenet_udp_sendrecv_all_if(remote_login_t)
|
||||
corenet_raw_sendrecv_all_if(remote_login_t)
|
||||
corenet_udp_sendrecv_all_nodes(remote_login_t)
|
||||
corenet_raw_sendrecv_all_nodes(remote_login_t)
|
||||
corenet_udp_sendrecv_dns_port(remote_login_t)
|
||||
corenet_udp_bind_all_nodes(remote_login_t)
|
||||
sysnet_read_config(remote_login_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(remote_login_t)
|
||||
@ -98,89 +155,28 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(remote_login_t)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_read_crack_db(remote_login_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow remote_login_t bin_t:dir r_dir_perms;
|
||||
allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow remote_login_t sbin_t:dir r_dir_perms;
|
||||
allow remote_login_t sbin_t:notdevfile_class_set r_file_perms;
|
||||
tunable_policy(`read_default_t',`
|
||||
allow remote_login_t default_t:dir r_dir_perms;
|
||||
allow remote_login_t default_t:notdevfile_class_set r_file_perms;
|
||||
# this goes to xdm:
|
||||
optional_policy(`remotelogin.te',`
|
||||
# FIXME: what is this for?
|
||||
remotelogin_signull(xdm_t)
|
||||
')
|
||||
|
||||
# Read directories and files with the readable_t type.
|
||||
# This type is a general type for "world"-readable files.
|
||||
allow remote_login_t readable_t:dir r_dir_perms;
|
||||
allow remote_login_t readable_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
# Read /var, /var/spool
|
||||
allow remote_login_t { var_t var_spool_t }:dir search;
|
||||
|
||||
# for when /var/mail is a sym-link
|
||||
allow remote_login_t var_t:lnk_file read;
|
||||
|
||||
# Read /dev directories and any symbolic links.
|
||||
allow remote_login_t device_t:lnk_file r_file_perms;
|
||||
|
||||
dontaudit remote_login_t sysfs_t:dir search;
|
||||
|
||||
allow remote_login_t mnt_t:dir r_dir_perms;
|
||||
|
||||
# FIXME: what is this for?
|
||||
ifdef(`xdm.te', `
|
||||
allow xdm_t remote_login_t:process signull;
|
||||
')
|
||||
|
||||
ifdef(`crack.te', `
|
||||
allow remote_login_t crack_db_t:file r_file_perms;
|
||||
')
|
||||
|
||||
# Permit login to search the user home directories.
|
||||
allow remote_login_t home_dir_type:dir search;
|
||||
|
||||
# Write to /var/log/btmp
|
||||
allow remote_login_t faillog_t:file { append read write };
|
||||
|
||||
# Search for mail spool file.
|
||||
allow remote_login_t mail_spool_t:dir r_dir_perms;
|
||||
allow remote_login_t mail_spool_t:file getattr;
|
||||
allow remote_login_t mail_spool_t:lnk_file read;
|
||||
|
||||
|
||||
allow remote_login_t mouse_device_t:chr_file { getattr setattr };
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(remote_login_t)
|
||||
domain_auto_trans(remote_login_t, shell_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
# Only permit unprivileged user domains to be entered via rlogin,
|
||||
# since very weak authentication is used.
|
||||
login_spawn_domain(remote_login, unpriv_userdomain)
|
||||
|
||||
allow remote_login_t devpts_t:dir search;
|
||||
allow remote_login_t userpty_type:chr_file { setattr write };
|
||||
|
||||
# Use the pty created by rlogind.
|
||||
ifdef(`rlogind.te', `
|
||||
allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
|
||||
|
||||
# Relabel ptys created by rlogind.
|
||||
allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
# Use the pty created by telnetd.
|
||||
ifdef(`telnetd.te', `
|
||||
allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
|
||||
|
||||
# Relabel ptys created by telnetd.
|
||||
allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
|
||||
|
||||
# Allow remote login to resolve host names (passed in via the -h switch)
|
||||
can_resolve(remote_login_t)
|
||||
optional_policy(`rlogind.te', `
|
||||
allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
|
||||
allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
optional_policy(`telnetd.te', `
|
||||
allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
|
||||
allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
@ -40,7 +40,8 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
|
||||
files_create_pid(sendmail_t,sendmail_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(sendmail_t)
|
||||
dev_read_sysfs(sendmail_t)
|
||||
kernel_list_proc(sendmail_t)
|
||||
kernel_read_proc_symlinks(sendmail_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(sendmail_t)
|
||||
corenet_raw_sendrecv_all_if(sendmail_t)
|
||||
@ -55,6 +56,7 @@ corenet_udp_bind_all_nodes(sendmail_t)
|
||||
corenet_tcp_bind_smtp_port(sendmail_t)
|
||||
|
||||
dev_read_urand(sendmail_t)
|
||||
dev_read_sysfs(sendmail_t)
|
||||
|
||||
fs_getattr_all_fs(sendmail_t)
|
||||
fs_search_auto_mountpoints(sendmail_t)
|
||||
@ -83,6 +85,9 @@ miscfiles_read_localization(sendmail_t)
|
||||
|
||||
sysnet_read_config(sendmail_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(sendmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
|
||||
|
||||
# Write to /etc/aliases and /etc/mail.
|
||||
mta_rw_aliases(sendmail_t)
|
||||
# Write to /var/spool/mail and /var/spool/mqueue.
|
||||
@ -108,14 +113,9 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(sendmail_t)
|
||||
')
|
||||
allow sendmail_t proc_t:dir r_dir_perms;
|
||||
allow sendmail_t proc_t:lnk_file read;
|
||||
dontaudit sendmail_t unpriv_userdomain:fd use;
|
||||
dontaudit sendmail_t sysadm_home_dir_t:dir search;
|
||||
|
||||
#
|
||||
# Need this transition to create /etc/aliases.db
|
||||
|
@ -1322,6 +1322,24 @@ interface(`files_read_var_symlink',`
|
||||
allow $1 var_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the /var/lib directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_var_lib_dir',`
|
||||
gen_require(`
|
||||
type var_t, var_lib_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_lib_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the /var/lib directory.
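Review bot: The `gen_require` block of the new `files_getattr_var_lib_dir` interface declares only `class dir getattr;`, but the body also grants `search` on `var_t:dir`. The require should list every permission the interface uses, i.e. `class dir { search getattr };`, so the declared requirements match the two `allow` rules. The file name is not visible in this rendering; the hunk context (`files_read_var_symlink`) suggests this is the files interface file.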
|
||||
|
@ -107,6 +107,10 @@ optional_policy(`mount.te',`
|
||||
mount_domtrans(insmod_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_rw_pipe(insmod_t)
|
||||
')
|
||||
|
||||
optional_policy(`xserver.te',`
|
||||
xserver_getattr_log(insmod_t)
|
||||
')
|
||||
@ -154,6 +158,9 @@ files_list_home(depmod_t)
|
||||
userdom_read_staff_home_files(depmod_t)
|
||||
userdom_read_sysadm_home_files(depmod_t)
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_rw_pipe(depmod_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
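Review bot: The two new `rpm_rw_pipe` blocks in this section (for `insmod_t` here and `depmod_t` in the second hunk) carry no comment saying why the module tools need read/write access to rpm's pipes. The same call added for `mount_t` elsewhere in this commit is annotated `# for kernel package installation`. If that is also the reason here, put the same comment above each block so a later policy audit can tell the grant is intentional. It is also worth confirming that write access is needed and not only read.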
|
||||
|
@ -115,6 +115,11 @@ optional_policy(`portmap.te', `
|
||||
')
|
||||
')
|
||||
|
||||
# for kernel package installation
|
||||
optional_policy(`mount.te', `
|
||||
rpm_rw_pipe(mount_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# this goes to the nfs/rpc module
|
||||
files_mountpoint(var_lib_nfs_t)
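Review bot: The added block guards `rpm_rw_pipe(mount_t)` with ``optional_policy(`mount.te', ` ``, which names what appears to be the module being edited, not the module that provides the interface. The other two `rpm_rw_pipe` calls added in this commit (for `insmod_t` and `depmod_t`) are guarded by `rpm.te`. As written, the guard is presumably always true here, so the call would be expanded even when the rpm module is absent. Change the first argument to `rpm.te`: ``optional_policy(`rpm.te', ` ``.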
|
||||
|
@ -74,6 +74,30 @@ template(`unconfined_domain_template',`
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to the unconfined domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_domtrans',`
|
||||
gen_require(`
|
||||
type unconfined_t, unconfined_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,unconfined_exec_t,unconfined_t)
|
||||
|
||||
allow $1 unconfined_t:fd use;
|
||||
allow unconfined_t $1:fd use;
|
||||
allow unconfined_t $1:fifo_file rw_file_perms;
|
||||
allow unconfined_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to the unconfined domain by executing a shell.
|
||||
@ -83,9 +107,8 @@ template(`unconfined_domain_template',`
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_shell_domtrans',`
|
||||
|
||||
gen_require(`
|
||||
unconfined_t;
|
||||
type unconfined_t;
|
||||
')
|
||||
|
||||
corecmd_domtrans_shell($1,unconfined_t)
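Review bot: The summary of the new `unconfined_domtrans` interface, `Transition to the unconfined domain.`, does not say what triggers the transition or that the caller leaves confinement through it. The body transitions on execution of a file labelled `unconfined_exec_t`, which is what distinguishes it from `unconfined_shell_domtrans` in the next hunk. I would write `## Transition to the unconfined domain by executing a file labelled unconfined_exec_t.` and change the param text to `## Domain allowed to transition; it gains an exit from its own confinement.` so reviewers of calling modules see the consequence. The body of `unconfined_shell_domtrans` continues outside the second hunk.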
|
||||
|
@ -224,10 +224,19 @@ template(`base_user_template',`
|
||||
term_getattr_all_user_ttys($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`inetd.te',`
|
||||
inetd_tcp_connectto($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
files_getattr_var_lib_dir($1_t)
|
||||
files_search_var_lib($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
|