trunk: another pile of misc fixes.

This commit is contained in:
Chris PeBenito 2008-05-22 15:24:52 +00:00
parent 8f3a0a95e0
commit b34db7a8ec
20 changed files with 77 additions and 66 deletions

View File

@ -188,5 +188,5 @@ interface(`apt_dontaudit_manage_db',`
dontaudit $1 apt_var_lib_t:dir rw_dir_perms; dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
dontaudit $1 apt_var_lib_t:file manage_file_perms; dontaudit $1 apt_var_lib_t:file manage_file_perms;
dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms; dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
') ')

View File

@ -34,7 +34,7 @@
# #
template(`gnome_per_role_template',` template(`gnome_per_role_template',`
gen_require(` gen_require(`
type gconfd_exec_t; type gconfd_exec_t, gconf_etc_t;
attribute gnomedomain; attribute gnomedomain;
') ')

View File

@ -75,7 +75,7 @@ template(`mplayer_per_role_template',`
domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t) domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
# Allow the user domain to signal/ps. # Allow the user domain to signal/ps.
ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t) ps_process_pattern($2,$1_mencoder_t)
allow $2 $1_mencoder_t:process signal_perms; allow $2 $1_mencoder_t:process signal_perms;
# Read /proc files and directories # Read /proc files and directories
@ -235,9 +235,8 @@ template(`mplayer_per_role_template',`
files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file) files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file)
files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir) files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)
userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,file) userdom_manage_user_untrusted_content_dirs($1,$1_mencoder_t)
userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,dir) userdom_manage_user_untrusted_content_files($1,$1_mencoder_t)
',` ',`
files_dontaudit_list_home($1_mencoder_t) files_dontaudit_list_home($1_mencoder_t)
files_dontaudit_list_tmp($1_mencoder_t) files_dontaudit_list_tmp($1_mencoder_t)

View File

@ -24,6 +24,11 @@
## </param> ## </param>
# #
template(`rssh_per_role_template',` template(`rssh_per_role_template',`
gen_require(`
type rssh_exec_t;
attribute rssh_domain_type;
attribute rssh_ro_content_type;
')
############################## ##############################
# #

View File

@ -473,10 +473,10 @@ interface(`fs_manage_autofs_symlinks',`
# #
interface(`fs_getattr_binfmt_misc_dirs',` interface(`fs_getattr_binfmt_misc_dirs',`
gen_require(` gen_require(`
type binfmt_misc_t; type binfmt_misc_fs_t;
') ')
allow $1 binfmt_misc_t:dir getattr; allow $1 binfmt_misc_fs_tt:dir getattr;
') ')

View File

@ -110,7 +110,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
cron_admin_template(sysadm, sysadm_t, sysadm_r) cron_admin_template(sysadm)
') ')
optional_policy(` optional_policy(`
@ -141,7 +141,7 @@ optional_policy(`
optional_policy(` optional_policy(`
ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
ethereal_admin_template(sysadm, sysadm_t, sysadm_r) ethereal_admin_template(sysadm)
') ')
optional_policy(` optional_policy(`
@ -184,7 +184,7 @@ optional_policy(`
optional_policy(` optional_policy(`
lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
lpr_admin_template(sysadm, sysadm_t, sysadm_r) lpr_admin_template(sysadm)
') ')
optional_policy(` optional_policy(`
@ -202,7 +202,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
mta_admin_template(sysadm, sysadm_t, sysadm_r) mta_admin_template(sysadm, sysadm_t)
') ')
optional_policy(` optional_policy(`
@ -296,7 +296,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
unconfined_domtrans(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) unconfined_domtrans(sysadm_t)
') ')
optional_policy(` optional_policy(`

View File

@ -60,16 +60,6 @@ interface(`aide_run',`
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the aide domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/> ## <rolecap/>
# #
interface(`aide_admin',` interface(`aide_admin',`
@ -84,5 +74,5 @@ interface(`aide_admin',`
manage_files_pattern($1, aide_db_t, aide_db_t) manage_files_pattern($1, aide_db_t, aide_db_t)
logging_list_logs($1) logging_list_logs($1)
manage_all_pattern($1, aide_log_t, aide_log_t) manage_files_pattern($1, aide_log_t, aide_log_t)
') ')

View File

@ -197,21 +197,11 @@ interface(`amavis_create_pid_files',`
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the amavis domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the user terminal.
## </summary>
## </param>
## <rolecap/> ## <rolecap/>
# #
interface(`amavis_admin',` interface(`amavis_admin',`
gen_require(` gen_require(`
type amavis_t, amavis_tmp_t, amavis_log_t; type amavis_t, amavis_tmp_t, amavis_var_log_t;
type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t; type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
type amavis_etc_t, amavis_quarantine_t; type amavis_etc_t, amavis_quarantine_t;
') ')
@ -228,7 +218,7 @@ interface(`amavis_admin',`
manage_files_pattern($1, amavis_etc_t, amavis_etc_t) manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
logging_list_logs($1) logging_list_logs($1)
manage_files_pattern($1, amavis_log_t, amavis_log_t) manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)
files_list_spool($1) files_list_spool($1)
manage_files_pattern($1, amavis_spool_t, amavis_spool_t) manage_files_pattern($1, amavis_spool_t, amavis_spool_t)

View File

@ -72,7 +72,7 @@ interface(`apcupsd_read_log',`
# #
interface(`apcupsd_append_log',` interface(`apcupsd_append_log',`
gen_require(` gen_require(`
type var_log_t, apcupsd_log_t; type apcupsd_log_t;
') ')
logging_search_logs($1) logging_search_logs($1)

View File

@ -36,6 +36,7 @@ template(`bluetooth_per_role_template',`
gen_require(` gen_require(`
attribute bluetooth_helper_domain; attribute bluetooth_helper_domain;
type bluetooth_helper_exec_t; type bluetooth_helper_exec_t;
type bluetooth_t;
') ')
type $1_bluetooth_t, bluetooth_helper_domain; type $1_bluetooth_t, bluetooth_helper_domain;

View File

@ -255,7 +255,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t) inetd_core_service_domain(cupsd_t, cupsd_exec_t)
') ')
optional_policy(` optional_policy(`

View File

@ -42,7 +42,7 @@ allow cvs_t self:capability { setuid setgid };
manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t) manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t)
manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t) manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t,cvs_data_t) manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t) manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
manage_files_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t) manage_files_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)

View File

@ -172,6 +172,7 @@ template(`mta_per_role_template',`
gen_require(` gen_require(`
attribute mta_user_agent; attribute mta_user_agent;
attribute mailserver_delivery; attribute mailserver_delivery;
type sendmail_exec_t;
') ')
############################## ##############################
@ -332,11 +333,7 @@ interface(`mta_mailserver',`
## The type to be used for the mail server. ## The type to be used for the mail server.
## </summary> ## </summary>
## </param> ## </param>
## <param name="entry_point"> #
## <summary>
## The type to be used for the domain entry point program.
## </summary>
## </param>
interface(`mta_sendmail_mailserver',` interface(`mta_sendmail_mailserver',`
gen_require(` gen_require(`
attribute mailserver_domain; attribute mailserver_domain;

View File

@ -33,17 +33,17 @@ interface(`sasl_connect',`
# #
interface(`sasl_admin',` interface(`sasl_admin',`
gen_require(` gen_require(`
type sasl_t; type saslauthd_t;
type sasl_tmp_t; type saslauthd_tmp_t;
type sasl_var_run_t; type saslauthd_var_run_t;
') ')
allow $1 sasl_t:process { ptrace signal_perms getattr }; allow $1 saslauthd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, sasl_t) ps_process_pattern($1, saslauthd_t)
files_list_tmp($1) files_list_tmp($1)
manage_files_pattern($1, sasl_tmp_t, sasl_tmp_t) manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, sasl_var_run_t, sasl_var_run_t) manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
') ')

View File

@ -32,15 +32,15 @@ interface(`smartmon_read_tmp_files',`
# #
interface(`smartmon_admin',` interface(`smartmon_admin',`
gen_require(` gen_require(`
type smartmon_t, smartmon_tmp_t, smartmon_var_run_t; type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
') ')
allow $1 smartmon_t:process { ptrace signal_perms getattr }; allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, smartmon_t) ps_process_pattern($1, fsdaemon_t)
files_list_tmp($1) files_list_tmp($1)
manage_files_pattern($1, smartmon_tmp_t, smartmon_tmp_t) manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, smartmon_var_run_t, smartmon_var_run_t) manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
') ')

View File

@ -202,7 +202,7 @@ template(`ssh_basic_client_template',`
# #
template(`ssh_per_role_template',` template(`ssh_per_role_template',`
gen_require(` gen_require(`
type ssh_agent_exec_t, ssh_keysign_exec_t; type ssh_agent_exec_t, ssh_keysign_exec_t, sshd_t, sshd_key_t;
') ')
############################## ##############################

View File

@ -51,7 +51,7 @@ interface(`zabbix_read_log',`
# #
interface(`zabbix_append_log',` interface(`zabbix_append_log',`
gen_require(` gen_require(`
type var_log_t, zabbix_log_t; type zabbix_log_t;
') ')
logging_search_logs($1) logging_search_logs($1)

View File

@ -1402,11 +1402,6 @@ template(`userdom_admin_user_template',`
## The role of the object to create. ## The role of the object to create.
## </summary> ## </summary>
## </param> ## </param>
## <param name="object_class">
## <summary>
## The terminal
## </summary>
## </param>
# #
template(`userdom_security_admin_template',` template(`userdom_security_admin_template',`
allow $1 self:capability { dac_read_search dac_override }; allow $1 self:capability { dac_read_search dac_override };
@ -3274,6 +3269,39 @@ template(`userdom_dontaudit_list_user_untrusted_content',`
dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
') ')
########################################
## <summary>
## Create, read, write, and delete users untrusted directories.
## </summary>
## <desc>
## <p>
## Create, read, write, and delete users untrusted directories.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`userdom_manage_user_untrusted_content_dirs',`
gen_require(`
type $1_untrusted_content_t;
')
allow $2 $1_untrusted_content_t:dir manage_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read user untrusted files. ## Read user untrusted files.

View File

@ -87,7 +87,7 @@ interface(`xen_read_image_files',`
# #
interface(`xen_append_log',` interface(`xen_append_log',`
gen_require(` gen_require(`
type var_log_t, xend_var_log_t; type xend_var_log_t;
') ')
logging_search_logs($1) logging_search_logs($1)
@ -108,7 +108,7 @@ interface(`xen_append_log',`
# #
interface(`xen_manage_log',` interface(`xen_manage_log',`
gen_require(` gen_require(`
type var_log_t, xend_var_log_t; type xend_var_log_t;
') ')
logging_search_logs($1) logging_search_logs($1)

View File

@ -223,7 +223,8 @@ define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
define(`getattr_lnk_file_perms',`{ getattr }') define(`getattr_lnk_file_perms',`{ getattr }')
define(`setattr_lnk_file_perms',`{ setattr }') define(`setattr_lnk_file_perms',`{ setattr }')
define(`read_lnk_file_perms',`{ getattr read }') define(`read_lnk_file_perms',`{ getattr read }')
define(`write_lnk_file_perms',`{ getattr write lock ioctl }') define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
define(`create_lnk_file_perms',`{ create getattr }') define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }') define(`rename_lnk_file_perms',`{ getattr rename }')