merge policy patterns to trunk

Chris PeBenito 2006-12-12 20:08:08 +00:00
parent d6d16b9796
commit c0868a7a3b
356 changed files with 4378 additions and 5585 deletions


@ -1,3 +1,5 @@
- Add policy patterns support macros. This changes the behavior of
the create_dir_perms and create_file_perms permission sets.
- Association polmatch MLS constraint making unlabeled_t an exception
is no longer needed, patch from Venkat Yekkirala.
- Context contains checking for PAM and cron from James Antill.


@ -16,12 +16,7 @@ interface(`acct_domtrans',`
')
corecmd_search_sbin($1)
domain_auto_trans($1,acct_exec_t,acct_t)
allow $1 acct_t:fd use;
allow acct_t $1:fd use;
allow acct_t $1:fifo_file rw_file_perms;
allow acct_t $1:process sigchld;
domtrans_pattern($1,acct_exec_t,acct_t)
')
########################################
@ -80,7 +75,6 @@ interface(`acct_manage_data',`
')
files_search_var($1)
allow $1 acct_data_t:dir rw_dir_perms;
allow $1 acct_data_t:file create_file_perms;
allow $1 acct_data_t:lnk_file create_lnk_perms;
manage_files_pattern($1,acct_data_t,acct_data_t)
manage_lnk_files_pattern($1,acct_data_t,acct_data_t)
')
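Review bot: The removed `allow $1 acct_t:fd use;` in acct_domtrans survives only if `domtrans_pattern` grants the caller fd use on the new domain, and the pattern body is not in view; if the macro carries only the reverse rules (`allow acct_t $1:fd use;`, the fifo_file and sigchld lines), callers that hand a descriptor to the acct domain lose that permission silently. This is worth checking once against the pattern definition, because the same replacement is made on this page in alsa_domtrans, amanda_domtrans_recover, apt_domtrans, bootloader_domtrans, certwatch_domtrans, consoletype_domtrans, ddcprobe_domtrans, dpkg_domtrans, firstboot_domtrans, kudzu_domtrans, logrotate_domtrans, the three netutils domtrans interfaces and portage_domtrans. If the drop is intentional, the pattern's own documentation is the place to say so rather than each caller. acct_domtrans opens outside the hunk.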


@ -26,9 +26,8 @@ dontaudit acct_t self:capability { kill sys_tty_config };
allow acct_t self:fifo_file { read write getattr };
allow acct_t self:process signal_perms;
allow acct_t acct_data_t:dir rw_dir_perms;
allow acct_t acct_data_t:file create_file_perms;
allow acct_t acct_data_t:lnk_file create_lnk_perms;
manage_files_pattern(acct_t,acct_data_t,acct_data_t)
manage_lnk_files_pattern(acct_t,acct_data_t,acct_data_t)
can_exec(acct_t,acct_exec_t)
@ -98,4 +97,3 @@ optional_policy(`
optional_policy(`
udev_read_db(acct_t)
')


@ -16,12 +16,7 @@ interface(`alsa_domtrans',`
type alsa_exec_t;
')
domain_auto_trans($1, alsa_exec_t, alsa_t)
allow $1 alsa_t:fd use;
allow alsa_t $1:fd use;
allow alsa_t $1:fifo_file rw_file_perms;
allow alsa_t $1:process sigchld;
domtrans_pattern($1, alsa_exec_t, alsa_t)
')
########################################
@ -75,7 +70,7 @@ interface(`alsa_read_rw_config',`
type alsa_etc_rw_t;
')
allow $1 alsa_etc_rw_t:dir r_dir_perms;
allow $1 alsa_etc_rw_t:file r_file_perms;
allow $1 alsa_etc_rw_t:lnk_file { getattr read };
allow $1 alsa_etc_rw_t:dir list_dir_perms;
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
')


@ -27,9 +27,8 @@ allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
allow alsa_t alsa_etc_rw_t:file create_file_perms;
allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
files_read_etc_files(alsa_t)


@ -15,12 +15,7 @@ interface(`amanda_domtrans_recover',`
type amanda_recover_t, amanda_recover_exec_t;
')
domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
allow $1 amanda_recover_t:fd use;
allow amanda_recover_t $1:fd use;
allow amanda_recover_t $1:fifo_file rw_file_perms;
allow amanda_recover_t $1:process sigchld;
domtrans_pattern($1,amanda_recover_exec_t,amanda_recover_t)
')
########################################
@ -70,7 +65,7 @@ interface(`amanda_search_lib',`
type amanda_usr_lib_t;
')
allow $1 amanda_usr_lib_t:dir search;
allow $1 amanda_usr_lib_t:dir search_dir_perms;
files_search_usr($1)
')
@ -144,7 +139,5 @@ interface(`amanda_append_log_files',`
type amanda_log_t;
')
allow $1 amanda_log_t:file ra_file_perms;
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
')


@ -97,12 +97,12 @@ allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
allow amanda_t amanda_log_t:file create_file_perms;
allow amanda_t amanda_log_t:dir manage_dir_perms;
manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t)
manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t)
logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
allow amanda_t amanda_tmp_t:dir create_dir_perms;
allow amanda_t amanda_tmp_t:file create_file_perms;
manage_files_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
kernel_read_system_state(amanda_t)
@ -180,23 +180,22 @@ allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
allow amanda_recover_t self:udp_socket create_socket_perms;
allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
allow amanda_recover_t amanda_log_t:file manage_file_perms;
allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
manage_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
# access to amanda_recover_dir_t
allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
manage_dirs_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
allow amanda_recover_t amanda_tmp_t:file create_file_perms;
allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_lnk_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_fifo_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_system_state(amanda_recover_t)
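Review bot: The amanda_gnutarlists_t rules at the top of the first hunk (`allow amanda_t amanda_gnutarlists_t:file manage_file_perms;` and `allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;`, with the dir rule in the hunk header) are left as explicit allows while every other amanda_t and amanda_recover_t file rule in this file is converted to the pattern macros; a reader of the converted file will assume the difference is deliberate. For consistency with the rest of the hunk they would read `manage_files_pattern(amanda_t,amanda_gnutarlists_t,amanda_gnutarlists_t)` and `manage_lnk_files_pattern(amanda_t,amanda_gnutarlists_t,amanda_gnutarlists_t)`, which also stops a file permission set being applied to the lnk_file class. If the explicit form is intended, a one-line comment saying why would do.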


@ -17,13 +17,7 @@ interface(`apt_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,apt_exec_t,apt_t)
# allow basic communication
allow $1 apt_t:fd use;
allow apt_t $1:fd use;
allow apt_t $1:fifo_file rw_file_perms;
allow apt_t $1:process sigchld;
domtrans_pattern($1,apt_exec_t,apt_t)
')
########################################
@ -92,7 +86,7 @@ interface(`apt_read_pipes',`
type apt_t;
')
allow $1 apt_t:fifo_file r_file_perms;
allow $1 apt_t:fifo_file read_fifo_file_perms;
# TODO: enforce dpkg_read_pipes?
')
@ -131,9 +125,9 @@ interface(`apt_read_db',`
')
files_search_var_lib($1)
allow $1 apt_var_lib_t:dir r_dir_perms;
allow $1 apt_var_lib_t:file { getattr read };
allow $1 apt_var_lib_t:lnk_file r_file_perms;
allow $1 apt_var_lib_t:dir list_dir_perms;
read_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
read_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
')
########################################
@ -152,9 +146,10 @@ interface(`apt_manage_db',`
')
files_search_var_lib($1)
allow $1 apt_var_lib_t:dir rw_dir_perms;
allow $1 apt_var_lib_t:file { getattr create read write append unlink };
allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
manage_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
# cjp: shouldnt this be manage_lnk_files?
rw_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
delete_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
')
########################################
@ -174,6 +169,6 @@ interface(`apt_dontaudit_manage_db',`
')
dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
dontaudit $1 apt_var_lib_t:file create_file_perms;
dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
dontaudit $1 apt_var_lib_t:file manage_file_perms;
dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;
')
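Review bot: `dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;` in apt_dontaudit_manage_db uses a permission-set name that differs from the `manage_lnk_file_perms` the same commit writes in dpkg_dontaudit_manage_db (dpkg.if on this page); unless both names are defined in the shared permission-set file, which is not in view, the undefined one passes through m4 unexpanded and the policy compile fails on an unknown permission. The two interfaces should use the same name, presumably `dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;`. Separately, in apt_manage_db the `manage_files_pattern` call replaces the explicit `{ getattr create read write append unlink }` set with manage_file_perms, which also covers rename, setattr, link and lock; a one-line comment stating that the widening is intended would help, since the adjacent `rw_lnk_files_pattern`/`delete_lnk_files_pattern` lines deliberately preserve the old lnk_file set exactly and the `cjp:` question left in the hunk suggests this was still undecided.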


@ -34,7 +34,7 @@ files_type(apt_var_cache_t)
allow apt_t self:capability { chown dac_override fowner fsetid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_file_perms;
allow apt_t self:fifo_file rw_fifo_file_perms;
allow apt_t self:unix_dgram_socket create_socket_perms;
allow apt_t self:unix_stream_socket rw_stream_socket_perms;
allow apt_t self:unix_dgram_socket sendto;
@ -47,24 +47,22 @@ allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
# Access /var/cache/apt files
allow apt_t apt_var_cache_t:file create_file_perms;
allow apt_t apt_var_cache_t:dir rw_dir_perms;
manage_files_pattern(apt_t,apt_var_cache_t,apt_var_cache_t)
files_var_filetrans(apt_t,apt_var_cache_t,dir)
allow apt_t apt_tmp_t:dir create_dir_perms;
allow apt_t apt_tmp_t:file create_file_perms;
manage_dirs_pattern(apt_t,apt_tmp_t,apt_tmp_t)
manage_files_pattern(apt_t,apt_tmp_t,apt_tmp_t)
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
allow apt_t apt_tmpfs_t:dir create_dir_perms;
allow apt_t apt_tmpfs_t:file create_file_perms;
allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
allow apt_t apt_tmpfs_t:sock_file create_file_perms;
allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
manage_dirs_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_lnk_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_fifo_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_sock_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/apt files
allow apt_t apt_var_lib_t:file create_file_perms;
allow apt_t apt_var_lib_t:dir rw_dir_perms;
manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
kernel_read_system_state(apt_t)


@ -15,10 +15,7 @@ interface(`backup_domtrans',`
type backup_t, backup_exec_t;
')
domain_auto_trans($1,backup_exec_t,backup_t)
allow backup_t $1:fd use;
allow backup_t $1:fifo_file rw_file_perms;
allow backup_t $1:process sigchld;
domtrans_pattern($1,backup_exec_t,backup_t)
')
########################################


@ -22,13 +22,14 @@ files_type(backup_store_t)
allow backup_t self:capability dac_override;
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_file_perms;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
allow backup_t self:udp_socket create_socket_perms;
allow backup_t backup_store_t:dir ra_dir_perms;
allow backup_t backup_store_t:file { create rw_file_perms setattr };
allow backup_t backup_store_t:lnk_file { getattr read };
allow backup_t backup_store_t:file setattr;
create_files_pattern(backup_t,backup_store_t,backup_store_t)
rw_files_pattern(backup_t,backup_store_t,backup_store_t)
read_lnk_files_pattern(backup_t,backup_store_t,backup_store_t)
kernel_read_system_state(backup_t)
kernel_read_kernel_sysctls(backup_t)


@ -15,12 +15,7 @@ interface(`bootloader_domtrans',`
type bootloader_t, bootloader_exec_t;
')
domain_auto_trans($1, bootloader_exec_t, bootloader_t)
allow $1 bootloader_t:fd use;
allow bootloader_t $1:fd use;
allow bootloader_t $1:fifo_file rw_file_perms;
allow bootloader_t $1:process sigchld;
domtrans_pattern($1, bootloader_exec_t, bootloader_t)
')
########################################
@ -53,7 +48,7 @@ interface(`bootloader_run',`
bootloader_domtrans($1)
role $2 types bootloader_t;
allow bootloader_t $3:chr_file rw_file_perms;
allow bootloader_t $3:chr_file rw_term_perms;
')
########################################
@ -71,7 +66,7 @@ interface(`bootloader_read_config',`
type bootloader_etc_t;
')
allow $1 bootloader_etc_t:file r_file_perms;
allow $1 bootloader_etc_t:file read_file_perms;
')
########################################
@ -127,10 +122,9 @@ interface(`bootloader_rw_tmp_files',`
#
interface(`bootloader_create_runtime_file',`
gen_require(`
type boot_t, boot_runtime_t;
type boot_runtime_t;
')
allow $1 boot_t:dir rw_dir_perms;
allow $1 boot_runtime_t:file { rw_file_perms create unlink };
type_transition $1 boot_t:file boot_runtime_t;
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1,boot_runtime_t,file)
')
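Review bot: bootloader_create_runtime_file drops `unlink` from the boot_runtime_t file rule: the old set was `{ rw_file_perms create unlink }`, the new one `{ create_file_perms rw_file_perms }`, and the Changelog hunk in this same commit states that the meaning of create_file_perms has changed, so the new set cannot be assumed to still cover deletion. A caller that removes the runtime file after use would now be denied; unless the narrowing is intended, keep it as `allow $1 boot_runtime_t:file { create_file_perms rw_file_perms unlink };`. The removed `type_transition $1 boot_t:file boot_runtime_t;` and `allow $1 boot_t:dir rw_dir_perms;` are presumably both supplied by `files_boot_filetrans`, which would explain dropping boot_t from gen_require; confirm that the interface still grants the directory write access, since its body is not in view.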


@ -50,18 +50,18 @@ logging_log_file(var_log_ksyms_t)
allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal execmem };
allow bootloader_t self:fifo_file rw_file_perms;
allow bootloader_t self:fifo_file rw_fifo_file_perms;
allow bootloader_t bootloader_etc_t:file r_file_perms;
allow bootloader_t bootloader_etc_t:file read_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
allow bootloader_t bootloader_tmp_t:file create_file_perms;
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
manage_dirs_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
manage_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
manage_lnk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
manage_blk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
manage_chr_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
@ -161,7 +161,7 @@ ifdef(`distro_redhat',`
allow bootloader_t self:capability ipc_lock;
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
# mkinitrd mount initrd on bootloader temp dir
files_mountpoint(bootloader_tmp_t)


@ -17,12 +17,7 @@ interface(`certwatch_domtrans',`
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,certwatch_exec_t,certwatch_t)
allow $1 certwatch_t:fd use;
allow certwatch_t $1:fd use;
allow certwatch_t $1:fifo_file rw_file_perms;
allow certwatch_t $1:process sigchld;
domtrans_pattern($1,certwatch_exec_t,certwatch_t)
')
########################################


@ -18,12 +18,7 @@ interface(`consoletype_domtrans',`
')
corecmd_search_sbin($1)
domain_auto_trans($1,consoletype_exec_t,consoletype_t)
allow $1 consoletype_t:fd use;
allow consoletype_t $1:fd use;
allow consoletype_t $1:fifo_file rw_file_perms;
allow consoletype_t $1:process sigchld;
domtrans_pattern($1,consoletype_exec_t,consoletype_t)
')
########################################


@ -25,8 +25,8 @@ ifdef(`targeted_policy',`',`
allow consoletype_t self:capability sys_admin;
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file rw_file_perms;
allow consoletype_t self:sock_file r_file_perms;
allow consoletype_t self:fifo_file rw_fifo_file_perms;
allow consoletype_t self:sock_file read_sock_file_perms;
allow consoletype_t self:unix_dgram_socket create_socket_perms;
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
allow consoletype_t self:unix_dgram_socket sendto;


@ -15,12 +15,7 @@ interface(`ddcprobe_domtrans',`
type ddcprobe_t, ddcprobe_exec_t;
')
domain_auto_trans($1,ddcprobe_exec_t,ddcprobe_t)
allow $1 ddcprobe_t:fd use;
allow ddcprobe_t $1:fd use;
allow ddcprobe_t $1:fifo_file rw_file_perms;
allow ddcprobe_t $1:process sigchld;
domtrans_pattern($1,ddcprobe_exec_t,ddcprobe_t)
')
########################################


@ -19,13 +19,7 @@ interface(`dpkg_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,dpkg_exec_t,dpkg_t)
# allow basic communication
allow $1 dpkg_t:fd use;
allow dpkg_t $1:fd use;
allow dpkg_t $1:fifo_file rw_file_perms;
allow dpkg_t $1:process sigchld;
domtrans_pattern($1,dpkg_exec_t,dpkg_t)
')
########################################
@ -45,8 +39,6 @@ interface(`dpkg_domtrans_script',`
# transition to dpkg script:
corecmd_shell_domtrans($1,dpkg_script_t)
allow $1 dpkg_script_t:fd use;
allow dpkg_script_t $1:fd use;
allow dpkg_script_t $1:fifo_file rw_file_perms;
allow dpkg_script_t $1:process sigchld;
@ -118,7 +110,7 @@ interface(`dpkg_read_pipes',`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file r_file_perms;
allow $1 dpkg_t:fifo_file read_fifo_file_perms;
')
########################################
@ -136,7 +128,7 @@ interface(`dpkg_rw_pipes',`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file rw_file_perms;
allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
')
########################################
@ -173,9 +165,9 @@ interface(`dpkg_read_db',`
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir r_dir_perms;
allow $1 dpkg_var_lib_t:file { getattr read };
allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
allow $1 dpkg_var_lib_t:dir list_dir_perms;
read_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
read_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
')
########################################
@ -194,9 +186,8 @@ interface(`dpkg_manage_db',`
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir rw_dir_perms;
allow $1 dpkg_var_lib_t:file manage_file_perms;
allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
manage_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
manage_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
')
########################################
@ -217,7 +208,7 @@ interface(`dpkg_dontaudit_manage_db',`
dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
')
########################################
@ -236,6 +227,6 @@ interface(`dpkg_lock_db',`
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir r_dir_perms;
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
')


@ -55,7 +55,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_file_perms;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
@ -69,20 +69,19 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
allow dpkg_t dpkg_tmp_t:file manage_file_perms;
manage_dirs_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
manage_files_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
manage_dirs_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
manage_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/dpkg files
allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
manage_files_pattern(dpkg_t,dpkg_var_lib_t,dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
kernel_read_system_state(dpkg_t)


@ -18,12 +18,7 @@ interface(`firstboot_domtrans',`
type firstboot_t, firstboot_exec_t;
')
domain_auto_trans($1,firstboot_exec_t,firstboot_t)
allow $1 firstboot_t:fd use;
allow firstboot_t $1:fd use;
allow firstboot_t $1:fifo_file rw_file_perms;
allow firstboot_t $1:process sigchld;
domtrans_pattern($1,firstboot_exec_t,firstboot_t)
')
########################################


@ -15,12 +15,7 @@ interface(`kudzu_domtrans',`
type kudzu_t, kudzu_exec_t;
')
domain_auto_trans($1,kudzu_exec_t,kudzu_t)
allow $1 kudzu_t:fd use;
allow kudzu_t $1:fd use;
allow kudzu_t $1:fifo_file rw_file_perms;
allow kudzu_t $1:process sigchld;
domtrans_pattern($1,kudzu_exec_t,kudzu_t)
')
########################################


@ -24,17 +24,18 @@ files_pid_file(kudzu_var_run_t)
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_file_perms;
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms;
allow kudzu_t self:udp_socket { create ioctl };
allow kudzu_t kudzu_tmp_t:dir create_file_perms;
allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
manage_dirs_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
manage_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
manage_chr_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
allow kudzu_t kudzu_var_run_t:file create_file_perms;
allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
manage_dirs_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
manage_files_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
kernel_change_ring_buffer_level(kudzu_t)


@ -15,12 +15,7 @@ interface(`logrotate_domtrans',`
type logrotate_t, logrotate_exec_t;
')
domain_auto_trans($1,logrotate_exec_t,logrotate_t)
allow $1 logrotate_t:fd use;
allow logrotate_t $1:fd use;
allow logrotate_t $1:fifo_file rw_file_perms;
allow logrotate_t $1:process sigchld;
domtrans_pattern($1,logrotate_exec_t,logrotate_t)
')
########################################
@ -125,5 +120,5 @@ interface(`logrotate_read_tmp_files',`
')
files_search_tmp($1)
allow $1 logrotate_tmp_t:file r_file_perms;
allow $1 logrotate_tmp_t:file read_file_perms;
')


@ -40,7 +40,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
allow logrotate_t self:process setfscreate;
allow logrotate_t self:fd use;
allow logrotate_t self:fifo_file rw_file_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
allow logrotate_t self:unix_dgram_socket create_socket_perms;
allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
allow logrotate_t self:unix_dgram_socket sendto;
@ -50,18 +50,18 @@ allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file create_file_perms;
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
can_exec(logrotate_t, logrotate_tmp_t)
allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
allow logrotate_t logrotate_tmp_t:file create_file_perms;
manage_dirs_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
manage_files_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
allow logrotate_t logrotate_var_lib_t:file create_file_perms;
create_dirs_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
manage_files_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)


@ -16,7 +16,7 @@ interface(`logwatch_read_tmp_files',`
')
files_search_tmp($1)
allow $1 logwatch_tmp_t:file r_file_perms;
allow $1 logwatch_tmp_t:file read_file_perms;
')
########################################
@ -34,5 +34,5 @@ interface(`logwatch_search_cache_dir',`
type logwatch_cache_t;
')
allow $1 logwatch_cache_t:dir search;
allow $1 logwatch_cache_t:dir search_dir_perms;
')


@ -31,14 +31,14 @@ allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
allow logwatch_t logwatch_cache_t:dir create_dir_perms;
allow logwatch_t logwatch_cache_t:file create_file_perms;
manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
allow logwatch_t logwatch_lock_t:file manage_file_perms;
files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
allow logwatch_t logwatch_tmp_t:file create_file_perms;
manage_dirs_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
manage_files_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
kernel_read_fs_sysctls(logwatch_t)
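Review bot: The context line `allow logwatch_t self:fifo_file rw_file_perms;` at the top of this hunk is the one self:fifo_file rule on this page that is not converted to `rw_fifo_file_perms`, which the same commit does for apt_t, backup_t, bootloader_t, consoletype_t, dpkg_t, kudzu_t and logrotate_t. The two sets are defined outside this page and may diverge later, so converting it here keeps logwatch.te on the same set as the rest of the tree: `allow logwatch_t self:fifo_file rw_fifo_file_perms;`.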


@ -14,6 +14,7 @@ interface(`mrtg_append_create_logs',`
gen_require(`
type mrtg_log_t;
')
allow $1 mrtg_log_t:dir rw_dir_perms;
allow $1 mrtg_log_t:file { create append getattr };
append_files_pattern($1,mrtg_log_t,mrtg_log_t)
create_files_pattern($1,mrtg_log_t,mrtg_log_t)
')


@ -38,31 +38,24 @@ allow mrtg_t self:unix_stream_socket create_socket_perms;
allow mrtg_t self:tcp_socket create_socket_perms;
allow mrtg_t self:udp_socket create_socket_perms;
allow mrtg_t mrtg_etc_t:file r_file_perms;
allow mrtg_t mrtg_etc_t:dir r_dir_perms;
allow mrtg_t mrtg_etc_t:lnk_file { getattr read };
files_search_etc(mrtg_t)
allow mrtg_t mrtg_etc_t:dir list_dir_perms;
read_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
read_lnk_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
allow mrtg_t mrtg_lock_t:dir rw_dir_perms;
allow mrtg_t mrtg_lock_t:file create_file_perms;
allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms;
manage_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
manage_lnk_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
allow mrtg_t mrtg_log_t:file create_file_perms;
allow mrtg_t mrtg_log_t:dir rw_dir_perms;
manage_files_pattern(mrtg_t,mrtg_log_t,mrtg_log_t)
logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
allow mrtg_t mrtg_var_lib_t:file create_file_perms;
allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
manage_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
manage_lnk_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
allow mrtg_t mrtg_var_run_t:file manage_file_perms;
files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
# read config files
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
files_read_etc_files(mrtg_t)
kernel_read_system_state(mrtg_t)
kernel_read_network_state(mrtg_t)
kernel_read_kernel_sysctls(mrtg_t)
@ -94,6 +87,8 @@ files_search_spool(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
# for uptime
files_read_etc_runtime_files(mrtg_t)
# read config files
files_read_etc_files(mrtg_t)
fs_search_auto_mountpoints(mrtg_t)
fs_getattr_xattr_fs(mrtg_t)
@ -127,9 +122,8 @@ ifdef(`enable_mls',`
')
ifdef(`distro_redhat',`
allow mrtg_t mrtg_etc_t:dir rw_dir_perms;
allow mrtg_t mrtg_lock_t:file create_file_perms;
type_transition mrtg_t mrtg_etc_t:file mrtg_lock_t;
allow mrtg_t mrtg_lock_t:file manage_file_perms;
filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file)
')
ifdef(`targeted_policy',`


@ -15,12 +15,7 @@ interface(`netutils_domtrans',`
type netutils_t, netutils_exec_t;
')
domain_auto_trans($1,netutils_exec_t,netutils_t)
allow $1 netutils_t:fd use;
allow netutils_t $1:fd use;
allow netutils_t $1:fifo_file rw_file_perms;
allow netutils_t $1:process sigchld;
domtrans_pattern($1,netutils_exec_t,netutils_t)
')
########################################
@ -88,12 +83,7 @@ interface(`netutils_domtrans_ping',`
type ping_t, ping_exec_t;
')
domain_auto_trans($1,ping_exec_t,ping_t)
allow $1 ping_t:fd use;
allow ping_t $1:fd use;
allow ping_t $1:fifo_file rw_file_perms;
allow ping_t $1:process sigchld;
domtrans_pattern($1,ping_exec_t,ping_t)
')
########################################
@ -233,12 +223,7 @@ interface(`netutils_domtrans_traceroute',`
type traceroute_t, traceroute_exec_t;
')
domain_auto_trans($1,traceroute_exec_t,traceroute_t)
allow $1 traceroute_t:fd use;
allow traceroute_t $1:fd use;
allow traceroute_t $1:fifo_file rw_file_perms;
allow traceroute_t $1:process sigchld;
domtrans_pattern($1,traceroute_exec_t,traceroute_t)
')
########################################


@ -37,8 +37,8 @@ allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
manage_dirs_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
@ -98,7 +98,6 @@ optional_policy(`
allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
@ -120,11 +119,11 @@ files_dontaudit_search_var(ping_t)
libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)
logging_send_syslog_msg(ping_t)
sysnet_read_config(ping_t)
sysnet_dns_name_resolve(ping_t)
logging_send_syslog_msg(ping_t)
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
')


@ -28,10 +28,7 @@ interface(`portage_domtrans',`
allow portage_t $1:process sigchld;
# transition to portage
domain_auto_trans($1,portage_exec_t,portage_t.merge)
allow portage_t.merge $1:fd use;
allow portage_t.merge $1:fifo_file rw_file_perms;
allow portage_t.merge $1:process sigchld;
domtrans_pattern($1,portage_exec_t,portage_t.merge)
')
########################################
@ -102,7 +99,7 @@ interface(`portage_compile_domain',`
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1 self:fd use;
allow $1 self:fifo_file rw_file_perms;
allow $1 self:fifo_file rw_fifo_file_perms;
allow $1 self:shm create_shm_perms;
allow $1 self:sem create_sem_perms;
allow $1 self:msgq create_msgq_perms;
@ -120,7 +117,7 @@ interface(`portage_compile_domain',`
allow $1 self:netlink_selinux_socket { bind create read };
allow $1 self:dbus send_msg;
allow $1 portage_devpts_t:chr_file { rw_file_perms setattr };
allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1,portage_devpts_t)
# write compile logs
@ -130,18 +127,17 @@ interface(`portage_compile_domain',`
# run scripts out of the build directory
can_exec(portage_sandbox_t,portage_tmp_t)
allow $1 portage_tmp_t:dir manage_dir_perms;
allow $1 portage_tmp_t:file manage_file_perms;
allow $1 portage_tmp_t:lnk_file create_lnk_perms;
allow $1 portage_tmp_t:fifo_file manage_file_perms;
allow $1 portage_tmp_t:sock_file manage_file_perms;
manage_dirs_pattern($1,portage_tmp_t,portage_tmp_t)
manage_files_pattern($1,portage_tmp_t,portage_tmp_t)
manage_lnk_files_pattern($1,portage_tmp_t,portage_tmp_t)
manage_fifo_files_pattern($1,portage_tmp_t,portage_tmp_t)
manage_sock_files_pattern($1,portage_tmp_t,portage_tmp_t)
files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
allow $1 portage_tmpfs_t:dir rw_dir_perms;
allow $1 portage_tmpfs_t:file manage_file_perms;
allow $1 portage_tmpfs_t:lnk_file create_lnk_perms;
allow $1 portage_tmpfs_t:sock_file manage_file_perms;
allow $1 portage_tmpfs_t:fifo_file manage_file_perms;
manage_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
manage_lnk_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
manage_fifo_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
manage_sock_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
@ -229,13 +225,13 @@ interface(`portage_fetch_domain',`
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 portage_conf_t:dir list_dir_perms;
allow $1 portage_conf_t:file read_file_perms;
read_files_pattern($1,portage_conf_t,portage_conf_t)
allow $1 portage_ebuild_t:dir manage_dir_perms;
allow $1 portage_ebuild_t:file manage_file_perms;
manage_dirs_pattern($1,portage_ebuild_t,portage_ebuild_t)
manage_files_pattern($1,portage_ebuild_t,portage_ebuild_t)
allow $1 portage_fetch_tmp_t:dir manage_dir_perms;
allow $1 portage_fetch_tmp_t:file manage_file_perms;
manage_dirs_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
manage_files_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
@ -302,7 +298,7 @@ interface(`portage_main_domain',`
# performed in the main domain
portage_compile_domain($1)
allow $1 portage_log_t:file create_file_perms;
allow $1 portage_log_t:file manage_file_perms;
logging_log_filetrans($1,portage_log_t,file)
# run scripts out of the build directory
@ -371,10 +367,7 @@ interface(`portage_domtrans_gcc_config',`
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,gcc_config_exec_t,gcc_config_t)
allow gcc_config_t $1:fd use;
allow gcc_config_t $1:fifo_file rw_file_perms;
allow gcc_config_t $1:process sigchld;
domtrans_pattern($1,gcc_config_exec_t,gcc_config_t)
')
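Review bot: The tmpfs block in portage_compile_domain still lists `dir` in `fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })`, yet no rule grants create on portage_tmpfs_t directories — the old `allow $1 portage_tmpfs_t:dir rw_dir_perms;` was folded into the file patterns, which by their names only cover the parent directory, not directory creation. The sibling tmp block a few lines up gained `manage_dirs_pattern($1,portage_tmp_t,portage_tmp_t)`, so either add `manage_dirs_pattern($1,portage_tmpfs_t,portage_tmpfs_t)` here or drop `dir` from the filetrans class list so the transition rule matches what is actually permitted. This mismatch is carried over rather than introduced by the commit, and the interface body continues outside the hunk.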
########################################


@ -75,14 +75,12 @@ files_tmpfs_file(portage_tmpfs_t)
allow gcc_config_t self:capability { chown fsetid };
allow gcc_config_t self:fifo_file rw_file_perms;
allow gcc_config_t portage_cache_t:dir rw_dir_perms;
allow gcc_config_t portage_cache_t:file create_file_perms;
manage_files_pattern(gcc_config_t,portage_cache_t,portage_cache_t)
allow gcc_config_t portage_conf_t:dir search_dir_perms;
allow gcc_config_t portage_conf_t:file read_file_perms;
read_files_pattern(gcc_config_t,portage_conf_t,portage_conf_t)
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
allow gcc_config_t portage_ebuild_t:file read_file_perms;
read_files_pattern(gcc_config_t,portage_ebuild_t,portage_ebuild_t)
allow gcc_config_t portage_exec_t:file { execute getattr };
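Review bot: `allow gcc_config_t self:fifo_file rw_file_perms;` appears to survive this hunk unchanged while every other fifo_file rule touched by this commit moves to `rw_fifo_file_perms`; it should become `allow gcc_config_t self:fifo_file rw_fifo_file_perms;` for consistency. Likewise, if `allow gcc_config_t portage_conf_t:dir search_dir_perms;` is kept next to the new `read_files_pattern(gcc_config_t,portage_conf_t,portage_conf_t)`, it duplicates the directory search the pattern presumably already grants and can be dropped. The +/- markers are lost in this rendering, so which of these lines are context is inferred from the hunk counts.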


@ -16,12 +16,7 @@ interface(`prelink_domtrans',`
')
corecmd_search_sbin($1)
domain_auto_trans($1, prelink_exec_t, prelink_t)
allow $1 prelink_t:fd use;
allow prelink_t $1:fd use;
allow prelink_t $1:fifo_file rw_file_perms;
allow prelink_t $1:process sigchld;
domtrans_pattern($1, prelink_exec_t, prelink_t)
')
########################################
@ -98,6 +93,5 @@ interface(`prelink_manage_log',`
')
logging_search_logs($1)
allow $1 prelink_log_t:dir rw_dir_perms;
allow $1 prelink_log_t:file create_file_perms;
manage_files_pattern($1,prelink_log_t,prelink_log_t)
')
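Review bot: Replacing the four hand-written rules with `domtrans_pattern($1, prelink_exec_t, prelink_t)` also removes `allow $1 prelink_t:fd use;`, the only rule that let the caller use the child domain's descriptors; the pattern's definition is not in this diff, so whether it re-grants that direction cannot be confirmed here. If the caller-side fd use is still needed, keep `allow $1 prelink_t:fd use;` after the pattern call; if the reduction is intended it deserves a changelog line, since it can surface as new AVC denials for interactive callers. The same silent drop occurs in the quota, rpm, updfstab, usbmodules, usermanage (chfn, groupadd, passwd, admin_passwd, useradd), vbetool, vpn and ada domtrans interfaces below. The interface header is outside the hunk.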


@ -25,20 +25,21 @@ logging_log_file(prelink_log_t)
allow prelink_t self:capability { chown dac_override fowner fsetid };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_file_perms;
allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
allow prelink_t prelink_log_t:file { create ra_file_perms };
allow prelink_t prelink_log_t:lnk_file read;
allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
append_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
kernel_read_system_state(prelink_t)
kernel_dontaudit_search_kernel_sysctl(prelink_t)
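Review bot: The old `allow prelink_t prelink_log_t:file { create ra_file_perms };` granted read on the log file, while the replacement `create_files_pattern` plus `append_files_pattern` pair reads as create-and-append only, so prelink loses read on its own log unless one of those patterns includes it (their definitions are not in this diff). If that read is exercised, add `read_files_pattern(prelink_t,prelink_log_t,prelink_log_t)`; if the tightening is intended, it is worth a mention in the changelog. Note also that `read_lnk_files_pattern` presumably grants getattr in addition to the old bare `read` on lnk_file, a harmless widening but a change nonetheless.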


@ -15,12 +15,7 @@ interface(`quota_domtrans',`
type quota_t, quota_exec_t;
')
domain_auto_trans($1,quota_exec_t,quota_t)
allow $1 quota_t:fd use;
allow quota_t $1:fd use;
allow quota_t $1:fifo_file rw_file_perms;
allow quota_t $1:process sigchld;
domtrans_pattern($1,quota_exec_t,quota_t)
')
########################################
@ -91,6 +86,5 @@ interface(`quota_manage_flags',`
')
files_search_var_lib($1)
allow $1 quota_flag_t:dir rw_dir_perms;
allow $1 quota_flag_t:file create_file_perms;
manage_files_pattern($1,quota_flag_t,quota_flag_t)
')


@ -16,6 +16,11 @@ files_type(quota_db_t)
type quota_flag_t;
files_type(quota_flag_t)
########################################
#
# Local policy
#
allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;


@ -21,8 +21,7 @@ files_pid_file(readahead_var_run_t)
dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
allow readahead_t self:process signal_perms;
allow readahead_t readahead_var_run_t:file create_file_perms;
allow readahead_t readahead_var_run_t:dir rw_dir_perms;
manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
files_pid_filetrans(readahead_t,readahead_var_run_t,file)
kernel_read_kernel_sysctls(readahead_t)


@ -17,12 +17,7 @@ interface(`rpm_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,rpm_exec_t,rpm_t)
allow $1 rpm_t:fd use;
allow rpm_t $1:fd use;
allow rpm_t $1:fifo_file rw_file_perms;
allow rpm_t $1:process sigchld;
domtrans_pattern($1,rpm_exec_t,rpm_t)
')
########################################
@ -42,8 +37,6 @@ interface(`rpm_domtrans_script',`
# transition to rpm script:
corecmd_shell_domtrans($1,rpm_script_t)
allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
@ -137,7 +130,7 @@ interface(`rpm_read_pipes',`
type rpm_t;
')
allow $1 rpm_t:fifo_file r_file_perms;
allow $1 rpm_t:fifo_file read_fifo_file_perms;
')
########################################
@ -155,7 +148,7 @@ interface(`rpm_rw_pipes',`
type rpm_t;
')
allow $1 rpm_t:fifo_file rw_file_perms;
allow $1 rpm_t:fifo_file rw_fifo_file_perms;
')
########################################
@ -195,7 +188,7 @@ interface(`rpm_manage_log',`
')
logging_rw_generic_log_dirs($1)
allow $1 rpm_log_t:file create_file_perms;
allow $1 rpm_log_t:file manage_file_perms;
')
########################################
@ -232,9 +225,9 @@ interface(`rpm_read_db',`
')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir r_dir_perms;
allow $1 rpm_var_lib_t:file r_file_perms;
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
read_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
')
########################################
@ -253,9 +246,8 @@ interface(`rpm_manage_db',`
')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir rw_dir_perms;
allow $1 rpm_var_lib_t:file manage_file_perms;
allow $1 rpm_var_lib_t:lnk_file create_lnk_perms;
manage_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
manage_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
')
########################################
@ -275,6 +267,6 @@ interface(`rpm_dontaudit_manage_db',`
')
dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
dontaudit $1 rpm_var_lib_t:file create_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
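Review bot: In rpm_domtrans_script the hunk counts show two of the four `allow … rpm_script_t …` lines removed but the rendering drops the +/- markers, so which survive cannot be read off; whichever fifo_file rule remains should use `rw_fifo_file_perms` rather than `rw_file_perms`, as every other converted fifo_file rule in this commit does, i.e. `allow rpm_script_t $1:fifo_file rw_fifo_file_perms;`. A one-line comment such as `# hand-written rules: the transition itself is done by corecmd_shell_domtrans` would explain why this interface is not converted to the pattern like the other domtrans interfaces in this commit. The interface header is outside the hunk.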


@ -56,7 +56,7 @@ allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_file_perms;
allow rpm_t self:fifo_file rw_fifo_file_perms;
allow rpm_t self:unix_dgram_socket create_socket_perms;
allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
@ -71,20 +71,19 @@ allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_tmp_t:dir create_dir_perms;
allow rpm_t rpm_tmp_t:file create_file_perms;
manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
allow rpm_t rpm_tmpfs_t:file create_file_perms;
allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
manage_dirs_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
manage_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
manage_lnk_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/rpm files
allow rpm_t rpm_var_lib_t:file create_file_perms;
allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t)
files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
kernel_read_system_state(rpm_t)
@ -184,7 +183,7 @@ ifdef(`targeted_policy',`
# cjp: these are here to stop type_transition
# conflicts since rpm_t is an alias of
# unconfined in the targeted policy
allow rpm_t rpm_log_t:file create_file_perms;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t,rpm_log_t,file)
')
@ -230,7 +229,7 @@ allow rpm_t sysadm_gph_t:fd use;
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_file_perms;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
@ -240,25 +239,20 @@ allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t rpm_tmp_t:file r_file_perms;
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
manage_dirs_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t)
manage_files_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
manage_dirs_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
manage_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
manage_lnk_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow rpm_t rpm_script_t:fd use;
allow rpm_script_t rpm_t:fd use;
allow rpm_script_t rpm_t:fifo_file rw_file_perms;
allow rpm_script_t rpm_t:process sigchld;
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
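Review bot: `allow rpm_t self:file rw_file_perms;;` carries a doubled semicolon through as context; since the surrounding block is being rewritten anyway, fix it to `allow rpm_t self:file rw_file_perms;` so the stray empty statement does not depend on the policy compiler tolerating it. In the rpm_script_t block, `allow rpm_script_t rpm_t:fifo_file rw_file_perms;` is likewise left on the generic set while every converted fifo_file rule in this commit uses `rw_fifo_file_perms`; `allow rpm_script_t rpm_t:fifo_file rw_fifo_file_perms;` keeps it consistent.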


@ -45,15 +45,12 @@ template(`su_restricted_domain_template', `
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
@ -178,14 +175,11 @@ template(`su_per_role_template',`
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
@ -310,7 +304,7 @@ template(`su_per_role_template',`
')
ifdef(`TODO',`
allow $1_su_t $1_home_t:file create_file_perms;
allow $1_su_t $1_home_t:file manage_file_perms;
# Access sshd cookie files.
allow $1_su_t sshd_tmp_t:file rw_file_perms;


@ -61,7 +61,7 @@ template(`sudo_per_role_template',`
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
allow $1_sudo_t self:fifo_file rw_file_perms;
allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
allow $1_sudo_t self:shm create_shm_perms;
allow $1_sudo_t self:sem create_sem_perms;
allow $1_sudo_t self:msgq create_msgq_perms;
@ -73,18 +73,13 @@ template(`sudo_per_role_template',`
allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
# Enter this derived domain from the user domain
domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
allow $1_sudo_t $2:fd use;
allow $2 $1_sudo_t:fd use;
allow $2 $1_sudo_t:fifo_file rw_file_perms;
allow $2 $1_sudo_t:process sigchld;
domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t,$2)
allow $2 $1_sudo_t:fd use;
allow $1_sudo_t $2:fd use;
allow $1_sudo_t $2:fifo_file rw_file_perms;
allow $1_sudo_t $2:process sigchld;
allow $2 $1_sudo_t:fifo_file rw_file_perms;
allow $2 $1_sudo_t:process sigchld;
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
@ -146,8 +141,8 @@ template(`sudo_per_role_template',`
')
ifdef(`pam.te', `
allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
allow $1_sudo_t pam_var_run_t:file create_file_perms;
allow $1_sudo_t pam_var_run_t:dir manage_dir_perms;
allow $1_sudo_t pam_var_run_t:file manage_file_perms;
')
') dnl end TODO
')
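Review bot: The newly written `allow $2 $1_sudo_t:fifo_file rw_file_perms;` after `corecmd_shell_domtrans($1_sudo_t,$2)` uses the generic file set on a fifo_file, whereas the rest of this commit (including the `self:fifo_file` rule a few lines above in the same template) moves to `rw_fifo_file_perms`; it should read `allow $2 $1_sudo_t:fifo_file rw_fifo_file_perms;`. The template continues outside the hunk.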


@ -18,5 +18,5 @@ interface(`sxid_read_log',`
')
logging_search_logs($1)
allow $1 sxid_log_t:file r_file_perms;
allow $1 sxid_log_t:file read_file_perms;
')


@ -25,15 +25,15 @@ files_tmp_file(sxid_tmp_t)
allow sxid_t self:capability { dac_override dac_read_search fsetid };
dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
allow sxid_t self:process signal_perms;
allow sxid_t self:fifo_file rw_file_perms;
allow sxid_t self:fifo_file rw_fifo_file_perms;
allow sxid_t self:tcp_socket create_stream_socket_perms;
allow sxid_t self:udp_socket create_socket_perms;
allow sxid_t sxid_log_t:file create_file_perms;
allow sxid_t sxid_log_t:file manage_file_perms;
logging_log_filetrans(sxid_t,sxid_log_t,file)
allow sxid_t sxid_tmp_t:dir create_dir_perms;
allow sxid_t sxid_tmp_t:file create_file_perms;
manage_dirs_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t)
manage_files_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t)
files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
kernel_read_system_state(sxid_t)


@ -28,10 +28,7 @@ interface(`tripwire_domtrans_tripwire',`
type tripwire_t, tripwire_exec_t;
')
domain_auto_trans($1,tripwire_exec_t,tripwire_t)
allow tripwire_t $1:fd use;
allow tripwire_t $1:fifo_file rw_file_perms;
allow tripwire_t $1:process sigchld;
domtrans_pattern($1,tripwire_exec_t,tripwire_t)
')
########################################
@ -81,10 +78,7 @@ interface(`tripwire_domtrans_twadmin',`
type twadmin_t, twadmin_exec_t;
')
domain_auto_trans($1,twadmin_exec_t,twadmin_t)
allow twadmin_t $1:fd use;
allow twadmin_t $1:fifo_file rw_file_perms;
allow twadmin_t $1:process sigchld;
domtrans_pattern($1,twadmin_exec_t,twadmin_t)
')
########################################
@ -134,10 +128,7 @@ interface(`tripwire_domtrans_twprint',`
type twprint_t, twprint_exec_t;
')
domain_auto_trans($1,twprint_exec_t,twprint_t)
allow twprint_t $1:fd use;
allow twprint_t $1:fifo_file rw_file_perms;
allow twprint_t $1:process sigchld;
domtrans_pattern($1,twprint_exec_t,twprint_t)
')
########################################
@ -187,10 +178,7 @@ interface(`tripwire_domtrans_siggen',`
type siggen_t, siggen_exec_t;
')
domain_auto_trans($1,siggen_exec_t,siggen_t)
allow siggen_t $1:fd use;
allow siggen_t $1:fifo_file rw_file_perms;
allow siggen_t $1:process sigchld;
domtrans_pattern($1,siggen_exec_t,siggen_t)
')
########################################


@ -46,29 +46,24 @@ domain_entry_file(twprint_t,twprint_exec_t)
allow tripwire_t self:capability { setgid setuid dac_override };
allow tripwire_t tripwire_etc_t:file r_file_perms;
allow tripwire_t tripwire_etc_t:dir r_dir_perms;
allow tripwire_t tripwire_etc_t:lnk_file { getattr read };
allow tripwire_t tripwire_etc_t:dir list_dir_perms;
read_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t)
read_lnk_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t)
files_search_etc(tripwire_t)
allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
allow tripwire_t tripwire_tmp_t:file manage_file_perms;
files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })
# Tripwire report files
allow tripwire_t tripwire_report_t:dir manage_dir_perms;
allow tripwire_t tripwire_report_t:file manage_file_perms;
allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms;
manage_dirs_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
manage_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
manage_lnk_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
allow tripwire_t tripwire_tmp_t:file manage_file_perms;
allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms;
allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms;
allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms;
files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file })
manage_dirs_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
manage_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
manage_lnk_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
manage_fifo_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
manage_sock_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })
allow tripwire_t tripwire_var_lib_t:file manage_file_perms;
allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms;
manage_files_pattern(tripwire_t,tripwire_var_lib_t,tripwire_var_lib_t)
files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
kernel_read_system_state(tripwire_t)
@ -102,9 +97,9 @@ optional_policy(`
# Twadmin local policy
#
allow twadmin_t tripwire_etc_t:dir manage_dir_perms;
allow twadmin_t tripwire_etc_t:file manage_file_perms;
allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms;
manage_dirs_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
manage_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
manage_lnk_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
domain_use_interactive_fds(twadmin_t)
@ -120,17 +115,17 @@ miscfiles_read_localization(twadmin_t)
# Twprint local policy
#
allow twprint_t tripwire_etc_t:dir r_dir_perms;
allow twprint_t tripwire_etc_t:file r_file_perms;
allow twprint_t tripwire_etc_t:lnk_file { getattr read };
allow twprint_t tripwire_etc_t:dir list_dir_perms;
read_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t)
read_lnk_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t)
allow twprint_t tripwire_report_t:dir r_dir_perms;
allow twprint_t tripwire_report_t:file r_file_perms;
allow twprint_t tripwire_report_t:lnk_file { getattr read };
allow twprint_t tripwire_report_t:dir list_dir_perms;
read_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t)
read_lnk_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t)
allow twprint_t tripwire_var_lib_t:dir r_dir_perms;
allow twprint_t tripwire_var_lib_t:file r_file_perms;
allow twprint_t tripwire_var_lib_t:lnk_file { getattr read };
allow twprint_t tripwire_var_lib_t:dir list_dir_perms;
read_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t)
read_lnk_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t)
files_search_var_lib(twprint_t)
domain_use_interactive_fds(twprint_t)


@ -17,10 +17,5 @@ interface(`updfstab_domtrans',`
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,updfstab_exec_t,updfstab_t)
allow $1 updfstab_t:fd use;
allow updfstab_t $1:fd use;
allow updfstab_t $1:fifo_file rw_file_perms;
allow updfstab_t $1:process sigchld;
domtrans_pattern($1,updfstab_exec_t,updfstab_t)
')


@ -15,13 +15,7 @@ interface(`usbmodules_domtrans',`
type usbmodules_t, usbmodules_exec_t;
')
domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
allow $1 usbmodules_t:fd use;
allow usbmodules_t $1:fd use;
allow usbmodules_t $1:fifo_file rw_file_perms;
allow usbmodules_t $1:process sigchld;
domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
')
########################################


@ -17,12 +17,7 @@ interface(`usermanage_domtrans_chfn',`
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,chfn_exec_t,chfn_t)
allow $1 chfn_t:fd use;
allow chfn_t $1:fd use;
allow chfn_t $1:fifo_file rw_file_perms;
allow chfn_t $1:process sigchld;
domtrans_pattern($1,chfn_exec_t,chfn_t)
')
########################################
@ -73,12 +68,7 @@ interface(`usermanage_domtrans_groupadd',`
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,groupadd_exec_t,groupadd_t)
allow $1 groupadd_t:fd use;
allow groupadd_t $1:fd use;
allow groupadd_t $1:fifo_file rw_file_perms;
allow groupadd_t $1:process sigchld;
domtrans_pattern($1,groupadd_exec_t,groupadd_t)
')
########################################
@ -130,12 +120,7 @@ interface(`usermanage_domtrans_passwd',`
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,passwd_exec_t,passwd_t)
allow $1 passwd_t:fd use;
allow passwd_t $1:fd use;
allow passwd_t $1:fifo_file rw_file_perms;
allow passwd_t $1:process sigchld;
domtrans_pattern($1,passwd_exec_t,passwd_t)
')
########################################
@ -187,12 +172,7 @@ interface(`usermanage_domtrans_admin_passwd',`
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,admin_passwd_exec_t,sysadm_passwd_t)
allow $1 sysadm_passwd_t:fd use;
allow sysadm_passwd_t $1:fd use;
allow sysadm_passwd_t $1:fifo_file rw_file_perms;
allow sysadm_passwd_t $1:process sigchld;
domtrans_pattern($1,admin_passwd_exec_t,sysadm_passwd_t)
')
########################################
@ -245,12 +225,7 @@ interface(`usermanage_domtrans_useradd',`
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,useradd_exec_t,useradd_t)
allow $1 useradd_t:fd use;
allow useradd_t $1:fd use;
allow useradd_t $1:fifo_file rw_file_perms;
allow useradd_t $1:process sigchld;
domtrans_pattern($1,useradd_exec_t,useradd_t)
')
########################################
@ -300,5 +275,5 @@ interface(`usermanage_read_crack_db',`
type crack_db_t;
')
allow $1 crack_db_t:file r_file_perms;
allow $1 crack_db_t:file read_file_perms;
')


@ -68,8 +68,8 @@ allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resou
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file rw_file_perms;
allow chfn_t self:sock_file r_file_perms;
allow chfn_t self:fifo_file rw_fifo_file_perms;
allow chfn_t self:sock_file read_sock_file_perms;
allow chfn_t self:shm create_shm_perms;
allow chfn_t self:sem create_sem_perms;
allow chfn_t self:msgq create_msgq_perms;
@ -146,15 +146,14 @@ optional_policy(`
#
allow crack_t self:process { sigkill sigstop signull signal };
allow crack_t self:fifo_file rw_file_perms;
allow crack_t self:fifo_file rw_fifo_file_perms;
allow crack_t crack_db_t:dir rw_dir_perms;
allow crack_t crack_db_t:file create_file_perms;
allow crack_t crack_db_t:lnk_file create_file_perms;
manage_files_pattern(crack_t,crack_db_t,crack_db_t)
manage_lnk_files_pattern(crack_t,crack_db_t,crack_db_t)
files_search_var(crack_t)
allow crack_t crack_tmp_t:dir create_dir_perms;
allow crack_t crack_tmp_t:file create_file_perms;
manage_dirs_pattern(crack_t,crack_tmp_t,crack_tmp_t)
manage_files_pattern(crack_t,crack_tmp_t,crack_tmp_t)
files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
kernel_read_system_state(crack_t)
@ -193,7 +192,7 @@ dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_file_perms;
allow groupadd_t self:fifo_file rw_fifo_file_perms;
allow groupadd_t self:shm create_shm_perms;
allow groupadd_t self:sem create_sem_perms;
allow groupadd_t self:msgq create_msgq_perms;
@ -274,8 +273,8 @@ allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_res
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
allow passwd_t self:fifo_file rw_file_perms;
allow passwd_t self:sock_file r_file_perms;
allow passwd_t self:fifo_file rw_fifo_file_perms;
allow passwd_t self:sock_file read_sock_file_perms;
allow passwd_t self:unix_dgram_socket create_socket_perms;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
@ -286,8 +285,8 @@ allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
allow passwd_t crack_db_t:dir r_dir_perms;
allow passwd_t crack_db_t:file r_file_perms;
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t,crack_db_t,crack_db_t)
kernel_read_kernel_sysctls(passwd_t)
@ -363,8 +362,8 @@ allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
allow sysadm_passwd_t self:fifo_file rw_file_perms;
allow sysadm_passwd_t self:sock_file r_file_perms;
allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
allow sysadm_passwd_t self:sock_file read_sock_file_perms;
allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow sysadm_passwd_t self:unix_dgram_socket sendto;
@ -375,8 +374,8 @@ allow sysadm_passwd_t self:msgq create_msgq_perms;
allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
manage_dirs_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
manage_files_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_var(sysadm_passwd_t)
files_dontaudit_search_home(sysadm_passwd_t)
@ -458,7 +457,7 @@ dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_file_perms;
allow useradd_t self:fifo_file rw_fifo_file_perms;
allow useradd_t self:shm create_shm_perms;
allow useradd_t self:sem create_sem_perms;
allow useradd_t self:msgq create_msgq_perms;


@ -16,11 +16,5 @@ interface(`vbetool_domtrans',`
')
corecmd_search_sbin($1)
domain_auto_trans($1,vbetool_exec_t,vbetool_t)
allow $1 vbetool_t:fd use;
allow vbetool_t $1:fd use;
allow vbetool_t $1:fifo_file rw_file_perms;
allow vbetool_t $1:process sigchld;
domtrans_pattern($1,vbetool_exec_t,vbetool_t)
')


@ -15,12 +15,7 @@ interface(`vpn_domtrans',`
type vpnc_t, vpnc_exec_t;
')
domain_auto_trans($1,vpnc_exec_t,vpnc_t)
allow $1 vpnc_t:fd use;
allow vpnc_t $1:fd use;
allow vpnc_t $1:fifo_file rw_file_perms;
allow vpnc_t $1:process sigchld;
domtrans_pattern($1,vpnc_exec_t,vpnc_t)
')
########################################


@ -36,12 +36,11 @@ allow vpnc_t self:unix_stream_socket create_socket_perms;
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
allow vpnc_t vpnc_tmp_t:file create_file_perms;
manage_dirs_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
allow vpnc_t vpnc_var_run_t:file create_file_perms;
allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
kernel_read_system_state(vpnc_t)


@ -17,12 +17,7 @@ interface(`ada_domtrans',`
')
corecmd_search_bin($1)
domain_auto_trans($1, ada_exec_t, ada_t)
allow $1 ada_t:fd use;
allow ada_t $1:fd use;
allow ada_t $1:fifo_file rw_file_perms;
allow ada_t $1:process sigchld;
domtrans_pattern($1, ada_exec_t, ada_t)
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')


@ -15,9 +15,6 @@ interface(`authbind_domtrans',`
type authbind_t, authbind_exec_t;
')
domain_auto_trans($1,authbind_exec_t,authbind_t)
allow authbind_t $1:fd use;
allow authbind_t $1:fifo_file rw_file_perms;
allow authbind_t $1:process sigchld;
domtrans_pattern($1,authbind_exec_t,authbind_t)
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
')


@ -22,10 +22,10 @@ files_config_file(authbind_etc_t)
allow authbind_t self:capability net_bind_service;
can_exec(authbind_t, authbind_etc_t)
allow authbind_t authbind_etc_t:file r_file_perms;
allow authbind_t authbind_etc_t:dir r_dir_perms;
allow authbind_t authbind_etc_t:lnk_file { getattr read };
allow authbind_t authbind_etc_t:dir list_dir_perms;
exec_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
read_lnk_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
files_list_etc(authbind_t)
term_use_console(authbind_t)
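Review bot: `exec_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)` is added directly under the retained `can_exec(authbind_t, authbind_etc_t)`, so execute access on the config type is now granted by two macros at once. Unless the two differ in what they expand to (for example around execute_no_trans), keep only one of them; `exec_files_pattern` matches the style of the rest of this commit. Executing a type declared with `files_config_file` is unusual in itself and predates this change, so a one-line comment saying why authbind needs to execute its config would help the next reader.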


@ -15,7 +15,7 @@ interface(`calamaris_read_www_files',`
type calamaris_www_t;
')
allow $1 calamaris_www_t:dir r_dir_perms;
allow $1 calamaris_www_t:file r_file_perms;
allow $1 calamaris_www_t:lnk_file { getattr read };
allow $1 calamaris_www_t:dir list_dir_perms;
read_files_pattern($1,calamaris_www_t,calamaris_www_t)
read_lnk_files_pattern($1,calamaris_www_t,calamaris_www_t)
')


@ -29,12 +29,10 @@ allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
allow calamaris_t self:tcp_socket create_stream_socket_perms;
allow calamaris_t self:udp_socket create_socket_perms;
allow calamaris_t calamaris_www_t:dir rw_dir_perms;
allow calamaris_t calamaris_www_t:file manage_file_perms;
allow calamaris_t calamaris_www_t:lnk_file create_lnk_perms;
manage_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
manage_lnk_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
allow calamaris_t calamaris_log_t:file create_file_perms;
allow calamaris_t calamaris_log_t:dir rw_dir_perms;
manage_files_pattern(calamaris_t,calamaris_log_t,calamaris_log_t)
logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })
kernel_read_all_sysctls(calamaris_t)


@ -61,17 +61,11 @@ template(`cdrecord_per_role_template', `
allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
# allow ps to show cdrecord and allow the user to kill it
allow $2 $1_cdrecord_t:dir { search getattr read };
allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
allow $2 $1_cdrecord_t:process getattr;
ps_process_pattern($2,$1_cdrecord_t)
allow $2 $1_cdrecord_t:process signal;
# Transition from the user domain to the derived domain.
domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
allow $2 $1_cdrecord_t:fd use;
allow $1_cdrecord_t $2:fd use;
allow $1_cdrecord_t $2:fifo_file rw_file_perms;
allow $1_cdrecord_t $2:process sigchld;
domtrans_pattern($2,cdrecord_exec_t,$1_cdrecord_t)
# allow searching for cdrom-drive
dev_list_all_dev_nodes($1_cdrecord_t)


@ -70,36 +70,38 @@ template(`ethereal_per_role_template',`
allow $1_ethereal_t self:tcp_socket create_socket_perms;
allow $1_ethereal_t self:udp_socket create_socket_perms;
# Store temporary files
allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
# Re-execute itself (why?)
can_exec($1_ethereal_t, ethereal_exec_t)
corecmd_search_sbin($1_ethereal_t)
# /home/.ethereal
allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
manage_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
# Store temporary files
manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
manage_files_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
manage_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
manage_sock_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
manage_fifo_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
allow $1_ethereal_t $2:fd use;
allow $1_ethereal_t $2:process sigchld;
allow $2 $1_ethereal_home_t:dir manage_dir_perms;
allow $2 $1_ethereal_home_t:file manage_file_perms;
allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
manage_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
manage_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
manage_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
relabel_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
relabel_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
relabel_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
kernel_read_kernel_sysctls($1_ethereal_t)
kernel_read_system_state($1_ethereal_t)
@ -240,12 +242,7 @@ template(`ethereal_domtrans_user_ethereal',`
type $1_ethereal_t, ethereal_exec_t;
')
domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t)
allow $2 $1_ethereal_t:fd use;
allow $1_ethereal_t $2:fd use;
allow $1_ethereal_t $2:fifo_file rw_file_perms;
allow $1_ethereal_t $2:process sigchld;
domtrans_pattern($2,ethereal_exec_t,$1_ethereal_t)
')
########################################
@ -263,12 +260,7 @@ template(`ethereal_domtrans_tethereal',`
type tethereal_t, tethereal_exec_t;
')
domain_auto_trans($1,tethereal_exec_t,tethereal_t)
allow $1 tethereal_t:fd use;
allow tethereal_t $1:fd use;
allow tethereal_t $1:fifo_file rw_file_perms;
allow tethereal_t $1:process sigchld;
domtrans_pattern($1,tethereal_exec_t,tethereal_t)
')
########################################
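Review bot: In the `@ -70,36 +70,38` hunk the user-to-ethereal transition is removed without a visible replacement: `domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)`, `allow $1_ethereal_t $2:fd use;` and `allow $1_ethereal_t $2:process sigchld;` go away, and no `domtrans_pattern($2, ethereal_exec_t, $1_ethereal_t)` is added to the per-role template in its place. The later `ethereal_domtrans_user_ethereal` template does carry that pattern, so this is only correct if some caller outside this page invokes it for every role that uses `ethereal_per_role_template`; otherwise those users presumably lose the transition into the confined ethereal domain. Either put the one `domtrans_pattern` line back into the template or state the relocation in the commit message. The template body extends outside the hunk.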


@ -30,8 +30,8 @@ allow tethereal_t self:tcp_socket create_socket_perms;
allow tethereal_t self:udp_socket create_socket_perms;
# Store temporary files
allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
allow tethereal_t tethereal_tmp_t:file create_file_perms;
manage_dirs_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
manage_files_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
# /proc


@ -442,7 +442,7 @@ template(`evolution_per_role_template',`
# Put secret files in .gnome2_private
allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
allow $1_evolution_t $1_evolutioin_secret_t:file create_file_perms;
allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
allow $2 $1_evolution_secret_t:file unlink;
@ -535,16 +535,16 @@ template(`evolution_per_role_template',`
allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
# Access evolution home
allow $1_evolution_exchange_t $1_evolution_home_t:dir create_dir_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:file create_file_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
# /tmp/.exchange-$USER
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir create_dir_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file create_file_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
@ -619,8 +619,8 @@ template(`evolution_per_role_template',`
allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Access evolution home
allow $1_evolution_server_t $1_evolution_home_t:dir create_dir_perms;
allow $1_evolution_server_t $1_evolution_home_t:file create_file_perms;
allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
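Review bot: The rewritten line `allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;` carries forward a type name spelled `evolutioin`, as does the `type_transition` right below it, while `allow $2 $1_evolution_secret_t:file unlink;` two lines later spells it `evolution`. If both spellings currently compile, two distinct types exist and the files created through the type_transition get the misspelled one, which the `$2 ... unlink` rule then does not cover; if only one is declared, one of these rules refers to a type that does not exist. Since this hunk rewrites that line anyway, it is the natural place to settle on one spelling, presumably `$1_evolution_secret_t`, after checking the declaration. evolution_per_role_template continues outside the hunk.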


@ -62,23 +62,21 @@ template(`games_per_role_template',`
allow $1_games_t self:tcp_socket create_stream_socket_perms;
allow $1_games_t self:udp_socket create_socket_perms;
allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern($1_games_t,games_data_t,games_data_t)
manage_lnk_files_pattern($1_games_t,games_data_t,games_data_t)
allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
allow $1_games_t $1_games_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1_games_t,$1_games_devpts_t)
allow $1_games_t games_data_t:dir rw_dir_perms;
allow $1_games_t games_data_t:file manage_file_perms;
allow $1_games_t games_data_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
manage_files_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
manage_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
manage_lnk_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
manage_fifo_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
manage_sock_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ file lnk_file sock_file fifo_file })
can_exec($1_games_t, games_exec_t)
@ -159,8 +157,8 @@ template(`games_per_role_template',`
gnome_file_dialog($1_games, $1)
# Access /home/user/.gnome2
# FIXME: Change to use per app types
allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
allow $1_games_t $1_gnome_settings_t:file create_file_perms;
allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
#missing policy
optional_policy(`


@ -26,12 +26,10 @@ files_pid_file(games_var_run_t)
dontaudit games_t self:capability sys_tty_config;
allow games_t self:process signal_perms;
allow games_t games_data_t:dir rw_dir_perms;
allow games_t games_data_t:file manage_file_perms;
allow games_t games_data_t:lnk_file create_lnk_perms;
manage_files_pattern(games_t,games_data_t,games_data_t)
manage_lnk_files_pattern(games_t,games_data_t,games_data_t)
allow games_t games_var_run_t:file manage_file_perms;
allow games_t games_var_run_t:dir rw_dir_perms;
manage_files_pattern(games_t,games_var_run_t,games_var_run_t)
files_pid_filetrans(games_t,games_var_run_t,file)
can_exec(games_t,games_exec_t)


@ -63,40 +63,34 @@ template(`gift_per_role_template',`
allow $1_gift_t self:tcp_socket create_socket_perms;
allow $1_gift_t $1_gift_tmpfs_t:dir rw_dir_perms;
allow $1_gift_t $1_gift_tmpfs_t:file manage_file_perms;
allow $1_gift_t $1_gift_tmpfs_t:lnk_file create_lnk_perms;
allow $1_gift_t $1_gift_tmpfs_t:sock_file manage_file_perms;
allow $1_gift_t $1_gift_tmpfs_t:fifo_file manage_file_perms;
manage_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
manage_lnk_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
manage_fifo_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
manage_sock_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $1_gift_t $1_gift_home_t:dir manage_dir_perms;
allow $1_gift_t $1_gift_home_t:file manage_file_perms;
allow $1_gift_t $1_gift_home_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
manage_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
manage_lnk_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
# Launch gift daemon
domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
allow $1_giftd_t $1_gift_t:fd use;
allow $1_giftd_t $1_gift_t:fifo_file rw_file_perms;
allow $1_giftd_t $1_gift_t:process sigchld;
domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
# transition from user domain
domain_auto_trans($2, gift_exec_t, $1_gift_t)
allow $1_gift_t $2:fd use;
allow $1_gift_t $2:fifo_file rw_file_perms;
allow $1_gift_t $2:process sigchld;
domtrans_pattern($2, gift_exec_t, $1_gift_t)
# user managed content
allow $2 $1_gift_home_t:dir manage_dir_perms;
allow $2 $1_gift_home_t:file manage_file_perms;
allow $2 $1_gift_home_t:lnk_file create_lnk_perms;
allow $2 $1_gift_home_t:{ dir file lnk_file } { relabelfrom relabelto };
manage_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
manage_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
manage_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
relabel_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
relabel_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
relabel_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
# Allow the user domain to signal/ps.
allow $2 $1_gift_t:dir { search getattr read };
allow $2 $1_gift_t:{ file lnk_file } { read getattr };
allow $2 $1_gift_t:process { getattr signal_perms };
ps_process_pattern($2,$1_gift_t)
allow $2 $1_gift_t:process signal_perms;
# Read /proc/meminfo
kernel_read_system_state($1_giftd_t)
@ -150,15 +144,12 @@ template(`gift_per_role_template',`
allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
allow $1_giftd_t self:udp_socket create_socket_perms;
allow $1_giftd_t $1_gift_home_t:dir manage_dir_perms;
allow $1_giftd_t $1_gift_home_t:file manage_file_perms;
allow $1_giftd_t $1_gift_home_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
manage_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
manage_lnk_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
domain_auto_trans($2, giftd_exec_t, $1_giftd_t)
allow $1_giftd_t $2:fd use;
allow $1_giftd_t $2:fifo_file rw_file_perms;
allow $1_giftd_t $2:process sigchld;
domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
kernel_read_system_state($1_giftd_t)
kernel_read_kernel_sysctls($1_giftd_t)


@ -59,12 +59,12 @@ template(`gnome_per_role_template',`
allow $1_gconfd_t self:process getsched;
allow $1_gconfd_t $1_gconf_home_t:dir manage_dir_perms;
allow $1_gconfd_t $1_gconf_home_t:file manage_file_perms;
manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
allow $1_gconfd_t $1_gconf_tmp_t:dir manage_dir_perms;
allow $1_gconfd_t $1_gconf_tmp_t:file manage_file_perms;
manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file })
domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
@ -73,7 +73,7 @@ template(`gnome_per_role_template',`
allow $1_gconfd_t $2:unix_stream_socket connectto;
allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
allow $1_gconfd_t gconf_etc_t:file read_file_perms;
read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
dev_read_urand($1_gconfd_t)
@ -125,5 +125,5 @@ template(`gnome_stream_connect_gconf_template',`
')
allow $2 $1_gconfd_t:unix_stream_socket connectto;
allow $2 $1_gconf_tmp_t:file r_file_perms;
allow $2 $1_gconf_tmp_t:file read_file_perms;
')


@ -81,23 +81,20 @@ template(`gpg_per_role_template',`
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap setpgid };
allow $1_gpg_t self:fifo_file rw_file_perms;
allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
# transition from the gpg domain to the helper domain
domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
# transition from the userdomain to the derived domain
domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
allow $1_gpg_t $2:fd use;
allow $1_gpg_t $2:fifo_file rw_file_perms;
allow $1_gpg_t $2:process sigchld;
domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
# allow ps to show gpg
allow $2 $1_gpg_t:dir { search getattr read };
allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
allow $2 $1_gpg_t:process getattr;
ps_process_pattern($2,$1_gpg_t)
corenet_non_ipsec_sendrecv($1_gpg_t)
corenet_tcp_sendrecv_all_if($1_gpg_t)
@ -152,21 +149,14 @@ template(`gpg_per_role_template',`
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
# communicate with the user
allow $1_gpg_helper_t $2:fd use;
allow $1_gpg_helper_t $2:fifo_file write;
# transition from the gpg domain to the helper domain
domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
allow $1_gpg_helper_t $1_gpg_t:fd use;
allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
allow $1_gpg_helper_t $1_gpg_t:process sigchld;
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
@ -215,36 +205,29 @@ template(`gpg_per_role_template',`
allow $1_gpg_agent_t self:process setrlimit;
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow $1_gpg_agent_t self:fifo_file rw_file_perms;
allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
# allow gpg to connect to the gpg agent
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
# allow ps to show gpg-agent
allow $2 $1_gpg_agent_t:dir { search getattr read };
allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr };
allow $2 $1_gpg_agent_t:process getattr;
ps_process_pattern($2,$1_gpg_agent_t)
# Allow the user shell to signal the gpg-agent program.
allow $2 $1_gpg_agent_t:process { signal sigkill };
allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
# Transition from the user domain to the derived domain.
domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
allow $1_gpg_agent_t $2:fd use;
allow $1_gpg_agent_t $2:fifo_file rw_file_perms;
allow $1_gpg_agent_t $2:process sigchld;
domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
corecmd_search_bin($1_gpg_agent_t)
@ -277,15 +260,12 @@ template(`gpg_per_role_template',`
# Pinentry local policy
#
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
# read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t)
@ -366,11 +346,7 @@ template(`gpg_domtrans_user_gpg',`
type $1_gpg_t, gpg_exec_t;
')
domain_auto_trans($2, gpg_exec_t, $1_gpg_t)
allow $2 $1_gpg_t:fd use;
allow $1_gpg_t $2:fd use;
allow $1_gpg_t $2:fifo_file rw_file_perms;
allow $1_gpg_t $2:process sigchld;
domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
')
########################################
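Review bot: The helper domain's link back to the user domain is dropped without a replacement in the `@ -152,21 +149,14` hunk: `allow $1_gpg_helper_t $2:fd use;` and `allow $1_gpg_helper_t $2:fifo_file write;` (under `# communicate with the user`) disappear, while the `domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)` that moved up into the gpg_t block only covers the gpg_t to helper relationship, if it behaves like the other domtrans_pattern uses on this page. If the helper no longer needs to write to the user's pipes, that is a tightening worth a line in the changelog; if it does, the two rules should be kept next to the helper's `self:` socket rules. Separately, `# transition from the gpg domain to the helper domain` and its `domtrans_pattern` now sit between `rw_dir_perms` removal and `manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)`; placing them after `manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)` keeps the key-material rules together. gpg_per_role_template continues outside the hunk.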


@ -62,40 +62,31 @@ template(`irc_per_role_template',`
# Local policy
#
allow $1_irc_t self:dir search;
allow $1_irc_t self:lnk_file read;
allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
allow $1_irc_t self:tcp_socket create_socket_perms;
allow $1_irc_t self:udp_socket create_socket_perms;
allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
allow $1_irc_t $1_irc_home_t:file create_file_perms;
allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
# access files under /tmp
allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domain_auto_trans($2,irc_exec_t,$1_irc_t)
allow $2 $1_irc_t:fd use;
allow $1_irc_t $2:fd use;
allow $1_irc_t $2:fifo_file rw_file_perms;
allow $1_irc_t $2:process sigchld;
domtrans_pattern($2,irc_exec_t,$1_irc_t)
allow $2 $1_irc_t:process signal;
allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
# allow ps to show irc
allow $2 $1_irc_t:dir { search getattr read };
allow $2 $1_irc_t:{ file lnk_file } { read getattr };
allow $2 $1_irc_t:process getattr;
ps_process_pattern($2,$1_irc_t)
allow $2 $1_irc_t:process signal;
kernel_read_proc_symlinks($1_irc_t)


@ -59,7 +59,7 @@ template(`java_per_role_template',`
#
allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
allow $1_javaplugin_t self:fifo_file rw_file_perms;
allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
allow $1_javaplugin_t self:tcp_socket create_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms;
@ -67,21 +67,18 @@ template(`java_per_role_template',`
allow $1_javaplugin_t $2:unix_stream_socket { read write };
userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
manage_fifo_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file })
# cjp: rw_dir_perms here doesnt make sense
allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
allow $1_javaplugin_t $1_home_t:file rw_file_perms;
allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };
rw_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
can_exec($1_javaplugin_t, java_exec_t)
@ -189,12 +186,7 @@ interface(`java_domtrans',`
')
corecmd_search_bin($1)
domain_auto_trans($1, java_exec_t, java_t)
allow $1 java_t:fd use;
allow java_t $1:fd use;
allow java_t $1:fifo_file rw_file_perms;
allow java_t $1:process sigchld;
domtrans_pattern($1, java_exec_t, java_t)
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
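Review bot: The symlink permission on the user home type is lost in the javaplugin hunk: `allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };` is replaced by `read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)`, which by its name and by the sibling conversions on this page covers regular files only and merely duplicates what `rw_files_pattern` on the line above already grants. The equivalent conversions elsewhere in this commit (authbind, calamaris, mplayer) use `read_lnk_files_pattern`, so this reads as a slip rather than an intended tightening; change the line to `read_lnk_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)`. The `# cjp: rw_dir_perms here doesnt make sense` note above it is still accurate and can stay. java_per_role_template extends outside the hunk.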


@ -17,12 +17,7 @@ interface(`loadkeys_domtrans',`
')
corecmd_search_bin($1)
domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
allow $1 loadkeys_t:fd use;
allow loadkeys_t $1:fd use;
allow loadkeys_t $1:fifo_file rw_file_perms;
allow loadkeys_t $1:process sigchld;
domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
',`
refpolicywarn(`$0($*) has no effect in targeted policy.')
')


@ -30,7 +30,7 @@ ifdef(`targeted_policy',`
# loadkeys domain disabled in targeted policy
',`
allow loadkeys_t self:capability { setuid sys_tty_config };
allow loadkeys_t self:fifo_file rw_file_perms;
allow loadkeys_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(loadkeys_t)


@ -61,13 +61,9 @@ template(`lockdev_per_role_template',`
allow $1_lockdev_t $2:process signull;
# Transition from the user domain to the derived domain.
domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
allow $2 $1_lockdev_t:fd use;
allow $1_lockdev_t $2:fd use;
allow $1_lockdev_t $2:fifo_file rw_file_perms;
allow $1_lockdev_t $2:process sigchld;
domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t)
allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms;
files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
files_read_all_locks($1_lockdev_t)


@ -16,10 +16,5 @@ interface(`mono_domtrans',`
')
corecmd_search_bin($1)
domain_auto_trans($1, mono_exec_t, mono_t)
allow $1 mono_t:fd use;
allow mono_t $1:fd use;
allow mono_t $1:fifo_file rw_file_perms;
allow mono_t $1:process sigchld;
domtrans_pattern($1, mono_exec_t, mono_t)
')


@ -57,6 +57,7 @@ template(`mozilla_per_role_template',`
#
# Local policy
#
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow $1_mozilla_t self:fifo_file { getattr read write };
@ -72,13 +73,13 @@ template(`mozilla_per_role_template',`
can_exec($1_mozilla_t, mozilla_exec_t)
# X access, Home files
allow $1_mozilla_t $1_mozilla_home_t:dir manage_dir_perms;
allow $1_mozilla_t $1_mozilla_home_t:file manage_file_perms;
allow $1_mozilla_t $1_mozilla_home_t:lnk_file create_lnk_perms;
fs_search_auto_mountpoints($1_mozilla_t)
manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
userdom_search_user_home_dirs($1,$1_mozilla_t)
# Mozpluggerrc
allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
allow $1_mozilla_t mozilla_conf_t:file read_file_perms;
allow $1_mozilla_t $2:fd use;
allow $1_mozilla_t $2:process sigchld;
@ -89,28 +90,23 @@ template(`mozilla_per_role_template',`
allow $2 $1_mozilla_t:unix_stream_socket connectto;
# X access, Home files
allow $2 $1_mozilla_home_t:dir manage_dir_perms;
allow $2 $1_mozilla_home_t:file manage_file_perms;
allow $2 $1_mozilla_home_t:lnk_file create_lnk_perms;
allow $2 $1_mozilla_home_t:{ dir file lnk_file } { relabelfrom relabelto };
userdom_search_user_home_dirs($1,$1_mozilla_t)
manage_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
manage_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
manage_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:lnk_file create_lnk_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:sock_file manage_file_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file })
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
allow $1_mozilla_t $2:process signull;
# Allow the user domain to signal/ps.
allow $2 $1_mozilla_t:dir { search getattr read };
allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
allow $2 $1_mozilla_t:process getattr;
ps_process_pattern($2,$1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
kernel_read_kernel_sysctls($1_mozilla_t)
@ -164,6 +160,7 @@ template(`mozilla_per_role_template',`
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
fs_search_auto_mountpoints($1_mozilla_t)
fs_search_inotifyfs($1_mozilla_t)
fs_rw_tmpfs_files($1_mozilla_t)
@ -208,6 +205,8 @@ template(`mozilla_per_role_template',`
# Type transition
tunable_policy(`! disable_mozilla_trans',`
domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
')
# Uploads, local html


@ -61,26 +61,20 @@ template(`mplayer_per_role_template',`
# mencoder local policy
#
allow $1_mencoder_t $1_mplayer_home_t:dir create_dir_perms;
allow $1_mencoder_t $1_mplayer_home_t:file create_file_perms;
allow $1_mencoder_t $1_mplayer_home_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_lnk_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
# Read global config
allow $1_mencoder_t mplayer_etc_t:dir r_dir_perms;
allow $1_mencoder_t mplayer_etc_t:file r_file_perms;
allow $1_mencoder_t mplayer_etc_t:lnk_file { getattr read };
allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
read_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t)
read_lnk_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t)
# domain transition
domain_auto_trans($2, mencoder_exec_t, $1_mencoder_t)
allow $2 $1_mencoder_t:fd use;
allow $1_mencoder_t $2:fd use;
allow $1_mencoder_t $2:fifo_file rw_file_perms;
allow $1_mencoder_t $2:process sigchld;
domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
# Allow the user domain to signal/ps.
allow $2 $1_mencoder_t:dir { search getattr read };
allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
allow $2 $1_mencoder_t:process getattr;
ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t)
allow $2 $1_mencoder_t:process signal_perms;
# Read /proc files and directories
@ -254,42 +248,37 @@ template(`mplayer_per_role_template',`
#
allow $1_mplayer_t self:process { signal_perms getsched };
allow $1_mplayer_t self:fifo_file rw_file_perms;
allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
allow $1_mplayer_t $1_mplayer_home_t:dir manage_dir_perms;
allow $1_mplayer_t $1_mplayer_home_t:file manage_file_perms;
allow $1_mplayer_t $1_mplayer_home_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
userdom_search_user_home_dirs($1,$1_mplayer_t)
allow $1_mplayer_t $1_mplayer_tmpfs_t:dir rw_dir_perms;
allow $1_mplayer_t $1_mplayer_tmpfs_t:file manage_file_perms;
allow $1_mplayer_t $1_mplayer_tmpfs_t:lnk_file create_lnk_perms;
allow $1_mplayer_t $1_mplayer_tmpfs_t:sock_file manage_file_perms;
allow $1_mplayer_t $1_mplayer_tmpfs_t:fifo_file manage_file_perms;
manage_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
manage_fifo_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
manage_sock_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Read global config
allow $1_mplayer_t mplayer_etc_t:dir r_dir_perms;
allow $1_mplayer_t mplayer_etc_t:file r_file_perms;
allow $1_mplayer_t mplayer_etc_t:lnk_file { getattr read };
allow $1_mplayer_t mplayer_etc_t:dir list_dir_perms;
read_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
read_lnk_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
# Home access
allow $2 $1_mplayer_home_t:dir manage_dir_perms;
allow $2 $1_mplayer_home_t:file manage_file_perms;
allow $2 $1_mplayer_home_t:lnk_file create_lnk_perms;
allow $2 $1_mplayer_home_t:{ dir file lnk_file } { relabelfrom relabelto };
manage_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
manage_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
manage_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
relabel_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
relabel_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
relabel_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
# domain transition
domain_auto_trans($2, mplayer_exec_t, $1_mplayer_t)
allow $2 $1_mplayer_t:fd use;
allow $1_mplayer_t $2:fd use;
allow $1_mplayer_t $2:fifo_file rw_file_perms;
allow $1_mplayer_t $2:process sigchld;
domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
# Allow the user domain to signal/ps.
allow $2 $1_mplayer_t:dir { search getattr read };
allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
allow $2 $1_mplayer_t:process getattr;
ps_process_pattern($2,$1_mplayer_t)
allow $2 $1_mplayer_t:process signal_perms;
kernel_dontaudit_list_unlabeled($1_mplayer_t)
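Review bot: The mencoder call `ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t)` passes a third argument that the two-argument form used everywhere else in this commit (`ps_process_pattern($2,$1_mplayer_t)` later in this same section) does not take; m4 will most likely discard it silently, so this reads as a copy-paste slip and should become `ps_process_pattern($2,$1_mencoder_t)`. Separately, the mplayer tmpfs rules keep `dir` in `fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` although no `manage_dirs_pattern` on `$1_mplayer_tmpfs_t` accompanies the new manage_*_files patterns, whereas the mozilla hunk at the top of this page drops `dir` from that list; if the directory rule was indeed removed here, the `dir` transition can never be exercised and should be dropped for consistency. Sides are not marked on this rendered page, so the removal is inferred from the hunk counts. The enclosing template starts and ends outside the hunks.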


@ -53,7 +53,7 @@ template(`rssh_per_role_template',`
allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_rssh_t self:fd use;
allow $1_rssh_t self:fifo_file rw_file_perms;
allow $1_rssh_t self:fifo_file rw_fifo_file_perms;
allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
allow $1_rssh_t self:unix_dgram_socket sendto;
@ -67,10 +67,10 @@ template(`rssh_per_role_template',`
term_create_pty($1_rssh_t,$1_rssh_devpts_t)
allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
read_files_pattern($1_rssh_t,$1_rssh_ro_t,$1_rssh_ro_t)
allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
manage_dirs_pattern($1_rssh_t,$1_rssh_rw_t,$1_rssh_rw_t)
manage_files_pattern($1_rssh_t,$1_rssh_rw_t,$1_rssh_rw_t)
kernel_read_system_state($1_rssh_t)
kernel_read_kernel_sysctls($1_rssh_t)
@ -116,10 +116,7 @@ interface(`rssh_spec_domtrans_all_users',`
type rssh_exec_t;
')
domain_trans($1,rssh_exec_t,rssh_domain_type)
allow rssh_domain_type $1:fd use;
allow rssh_domain_type $1:fifo_file rw_file_perms;
allow rssh_domain_type $1:process sigchld;
spec_domtrans_pattern($1,rssh_exec_t,rssh_domain_type)
')
########################################
@ -137,7 +134,7 @@ interface(`rssh_read_all_users_ro_content',`
attribute rssh_ro_content_type;
')
allow $1 rssh_ro_content_type:dir r_dir_perms;
allow $1 rssh_ro_content_type:file r_file_perms;
allow $1 rssh_ro_content_type:lnk_file { getattr read };
allow $1 rssh_ro_content_type:dir list_dir_perms;
read_files_pattern($1,rssh_ro_content_type,rssh_ro_content_type)
read_lnk_files_pattern($1,rssh_ro_content_type,rssh_ro_content_type)
')


@ -71,33 +71,33 @@ template(`screen_per_role_template',`
allow $1_screen_t self:unix_stream_socket create_socket_perms;
allow $1_screen_t self:unix_dgram_socket create_socket_perms;
allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
manage_dirs_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
manage_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
manage_fifo_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
# Create fifo
allow $1_screen_t screen_dir_t:dir rw_dir_perms;
allow $1_screen_t screen_dir_t:dir create_dir_perms;
allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
manage_fifo_files_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t)
manage_dirs_pattern($1_screen_t,screen_dir_t,screen_dir_t)
filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file)
files_pid_filetrans($1_screen_t,screen_dir_t,dir)
allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
allow $1_screen_t $1_screen_ro_home_t:lnk_file { read getattr };
allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
domain_auto_trans($2, screen_exec_t, $1_screen_t)
allow $1_screen_t $2:process signal;
domtrans_pattern($2, screen_exec_t, $1_screen_t)
allow $2 $1_screen_t:process signal;
allow $1_screen_t $2:process { signal sigchld };
allow $1_screen_t $2:fd use;
allow $1_screen_t $2:fifo_file rw_file_perms;
allow $1_screen_t $1_home_dir_t:dir { search getattr };
allow $1_screen_t $2:process signal;
allow $2 $1_screen_ro_home_t:dir create_dir_perms;
allow $2 $1_screen_ro_home_t:file create_file_perms;
allow $2 $1_screen_ro_home_t:lnk_file create_lnk_perms;
allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
@ -190,11 +190,4 @@ template(`screen_per_role_template',`
optional_policy(`
nscd_socket_use($1_screen_t)
')
ifdef(`TODO',`
# Inherit and use descriptors from gnome-pty-helper.
optional_policy(`
allow $1_screen_t $1_gph_t:fd use;
')
') dnl TODO
')
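Review bot: After the switch to `domtrans_pattern($2, screen_exec_t, $1_screen_t)`, the explicit `allow $1_screen_t $2:process { signal sigchld };` that follows still carries `sigchld`, which domtrans_pattern already grants (the webalizer_domtrans and wine_domtrans hunks further down replace exactly such a `:process sigchld` rule with domtrans_pattern), so it can be reduced to `allow $1_screen_t $2:process signal;`. If the later `allow $1_screen_t $2:process signal;` in the same hunk also survives on the new side, the reduced rule duplicates it and one of the two should go. The page shows no +/- markers, so which of the two `signal` lines is the new one is inferred from the equal hunk counts. The template body starts before this hunk.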


@ -16,6 +16,6 @@ interface(`slocate_create_append_log',`
')
logging_search_logs($1)
allow $1 locate_log_t:dir ra_dir_perms;
allow $1 locate_log_t:file { create append getattr };
create_files_pattern($1,locate_log_t,locate_log_t)
append_files_pattern($1,locate_log_t,locate_log_t)
')


@ -23,11 +23,11 @@ files_type(locate_var_lib_t)
allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
allow locate_t self:process { execmem execheap execstack };
allow locate_t self:fifo_file rw_file_perms;
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
allow locate_t locate_var_lib_t:dir create_dir_perms;
allow locate_t locate_var_lib_t:file create_file_perms;
manage_dirs_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
manage_files_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
kernel_read_system_state(locate_t)
kernel_dontaudit_search_sysctl(locate_t)


@ -64,16 +64,15 @@ template(`thunderbird_per_role_template',`
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
# Access ~/.thunderbird
allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms;
allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms;
allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms;
manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
manage_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
userdom_search_user_home_dirs($1,$1_thunderbird_t)
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:lnk_file create_lnk_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:sock_file manage_file_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:fifo_file manage_file_perms;
manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
manage_fifo_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $2 $1_thunderbird_t:fd use;
@ -84,15 +83,15 @@ template(`thunderbird_per_role_template',`
allow $1_thunderbird_t $2:unix_stream_socket connectto;
# Allow the user domain to signal/ps.
allow $2 $1_thunderbird_t:dir { search getattr read };
allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
allow $2 $1_thunderbird_t:process getattr;
ps_process_pattern($2,$1_thunderbird_t)
# Access ~/.thunderbird
allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
allow $2 $1_thunderbird_home_t:file manage_file_perms;
allow $2 $1_thunderbird_home_t:lnk_file create_lnk_perms;
allow $2 $1_thunderbird_home_t:{ dir file lnk_file } { relabelfrom relabelto };
manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
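Review bot: `fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` keeps `dir` in the transition list, yet the new manage_*_files patterns on `$1_thunderbird_tmpfs_t` add no `manage_dirs_pattern`, and the hunk counts (-16/+15) suggest the former `:dir rw_dir_perms` rule is among the removed lines; the mozilla hunk at the top of this page drops `dir` from the same call, so thunderbird should either do the same, `fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ file lnk_file sock_file fifo_file })`, or keep a directory rule. A type transition with no create permission on that class is inert, so this is a consistency gap rather than an extra grant, but it obscures which outcome was intended. The side assignment is inferred, as the page shows no +/- markers. The enclosing template starts and ends outside the hunks.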


@ -65,40 +65,34 @@ template(`tvtime_per_role_template',`
allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
# X access, Home files
allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
manage_dirs_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
manage_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir)
allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
manage_dirs_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t)
manage_files_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t)
files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t,{ file dir })
allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
manage_fifo_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
manage_sock_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
# Type transition
domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
allow $2 $1_tvtime_t:fd use;
allow $1_tvtime_t $2:fd use;
allow $1_tvtime_t $2:fifo_file rw_file_perms;
allow $1_tvtime_t $2:process sigchld;
domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
# X access, Home files
allow $2 $1_tvtime_home_t:dir manage_dir_perms;
allow $2 $1_tvtime_home_t:file manage_file_perms;
allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto };
manage_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
manage_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
manage_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
relabel_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
relabel_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
relabel_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
# Allow the user domain to signal/ps.
allow $2 $1_tvtime_t:dir { search getattr read };
allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
allow $2 $1_tvtime_t:process getattr;
ps_process_pattern($2,$1_tvtime_t)
allow $2 $1_tvtime_t:process signal_perms;
kernel_read_all_sysctls($1_tvtime_t)


@ -64,7 +64,8 @@ template(`uml_per_role_template',`
#
# Local policy
#
allow $1_uml_t self:fifo_file rw_file_perms;
allow $1_uml_t self:fifo_file rw_fifo_file_perms;
allow $1_uml_t self:process { signal_perms ptrace };
allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
allow $1_uml_t self:unix_dgram_socket create_socket_perms;
@ -79,52 +80,58 @@ template(`uml_per_role_template',`
allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1_uml_t,$1_uml_devpts_t)
allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms;
allow $1_uml_t $1_uml_tmp_t:file create_file_perms;
manage_dirs_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
manage_files_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
can_exec($1_uml_t, $1_uml_tmp_t)
allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_uml_t $1_uml_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
manage_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
manage_lnk_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
manage_fifo_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
manage_sock_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ file lnk_file sock_file fifo_file })
can_exec($1_uml_t, $1_uml_tmpfs_t)
# access config files
allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir r_dir_perms;
allow $1_uml_t { $1_uml_ro_t uml_ro_t }:file r_file_perms;
allow $1_uml_t { $1_uml_ro_t uml_ro_t }:lnk_file { getattr read };
allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir list_dir_perms;
read_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
read_lnk_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
allow $1_uml_t $1_uml_rw_t:dir create_dir_perms;
allow $1_uml_t $1_uml_rw_t:file create_file_perms;
allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms;
allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms;
allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms;
manage_dirs_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
manage_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
manage_lnk_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
manage_fifo_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
manage_sock_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
allow $2 uml_ro_t:dir r_dir_perms;
allow $2 uml_ro_t:file r_file_perms;
allow $2 uml_ro_t:lnk_file { getattr read };
allow $2 uml_ro_t:dir list_dir_perms;
read_files_pattern($2,uml_ro_t,uml_ro_t)
read_lnk_files_pattern($2,uml_ro_t,uml_ro_t)
allow $2 { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
allow $2 { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
allow $2 { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
allow $2 $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
manage_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
manage_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
manage_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
relabel_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
relabel_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
relabel_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
allow $2 $1_uml_t:process ptrace;
allow $2 $1_uml_t:process signal_perms;
manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
# allow ps, ptrace, signal
allow $2 $1_uml_t:dir { search getattr read };
allow $2 $1_uml_t:{ file lnk_file } { read getattr };
allow $2 $1_uml_t:process getattr;
ps_process_pattern($2,$1_uml_t)
allow $2 $1_uml_t:process { ptrace signal_perms };
allow $2 $1_uml_tmp_t:dir create_dir_perms;
allow $2 $1_uml_tmp_t:file create_file_perms;
allow $2 $1_uml_tmp_t:lnk_file create_lnk_perms;
allow $2 $1_uml_tmp_t:sock_file create_file_perms;
manage_dirs_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
manage_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
manage_lnk_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
manage_sock_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
# Transition from the user domain to this domain.
domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
@ -245,7 +252,6 @@ interface(`uml_manage_util_files',`
type uml_switch_var_run_t;
')
allow $1 uml_switch_var_run_t:dir rw_dir_perms;
allow $1 uml_switch_var_run_t:file create_file_perms;
allow $1 uml_switch_var_run_t:lnk_file create_lnk_perms;
manage_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
manage_lnk_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
')
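Review bot: The user-domain rules on `{ $1_uml_ro_t $1_uml_rw_t }` are granted twice on the new side: `manage_dirs_pattern`, `manage_files_pattern`, `relabel_dirs_pattern` and `relabel_files_pattern` appear first for `{ $1_uml_ro_t $1_uml_rw_t }` and again a few lines later for `{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }`, and the second set strictly contains the first. Keeping only the `$1_uml_exec_t`-inclusive dirs/files calls plus the lnk/fifo/sock calls for ro/rw would express the same policy without the redundancy. The hunk counts (-52/+58) are consistent with both groups being additions, but the page carries no +/- markers, so this is inferred. The template starts and ends outside the hunk.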


@ -29,9 +29,8 @@ allow uml_switch_t self:process signal_perms;
allow uml_switch_t self:unix_dgram_socket create_socket_perms;
allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
allow uml_switch_t uml_switch_var_run_t:file create_file_perms;
allow uml_switch_t uml_switch_var_run_t:dir rw_dir_perms;
manage_files_pattern(uml_switch_t,uml_switch_var_run_t,uml_switch_var_run_t)
manage_sock_files_pattern(uml_switch_t,uml_switch_var_run_t,uml_switch_var_run_t)
files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file)
kernel_read_kernel_sysctls(uml_switch_t)


@ -57,8 +57,9 @@ template(`userhelper_per_role_template',`
#
allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_userhelper_t self:process setexec;
allow $1_userhelper_t self:fd use;
allow $1_userhelper_t self:fifo_file rw_file_perms;
allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
allow $1_userhelper_t self:shm create_shm_perms;
allow $1_userhelper_t self:sem create_sem_perms;
allow $1_userhelper_t self:msgq create_msgq_perms;
@ -67,19 +68,13 @@ template(`userhelper_per_role_template',`
allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_userhelper_t self:unix_dgram_socket sendto;
allow $1_userhelper_t self:unix_stream_socket connectto;
allow $1_userhelper_t self:sock_file r_file_perms;
allow $1_userhelper_t self:sock_file read_sock_file_perms;
#Transition to the derived domain.
domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
allow $2 $1_userhelper_t:fd use;
allow $1_userhelper_t $2:fd use;
allow $1_userhelper_t $2:fifo_file rw_file_perms;
allow $1_userhelper_t $2:process sigchld;
domtrans_pattern($2,userhelper_exec_t,$1_userhelper_t)
allow $1_userhelper_t self:process setexec;
allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
rw_files_pattern($1_userhelper_t,userhelper_conf_t,userhelper_conf_t)
can_exec($1_userhelper_t, userhelper_exec_t)
@ -199,11 +194,11 @@ template(`userhelper_per_role_template',`
allow $1_userhelper_t gphdomain:fd use;
')
optional_policy(`
domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)
allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
')
optional_policy(`
domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
')
# for when the network connection is killed
dontaudit unpriv_userdomain $1_userhelper_t:process signal;
@ -269,6 +264,7 @@ template(`userhelper_use_user_fd',`
allow $2 $1_userhelper_t:fd use;
')
########################################
## <summary>
## Allow domain to send sigchld to userhelper.
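Review bot: Replacing `allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;` together with the `:file rw_file_perms` rule by `rw_files_pattern($1_userhelper_t,userhelper_conf_t,userhelper_conf_t)` is not a pure refactor: rw_files_pattern is defined to grant only directory search alongside file read/write (worth confirming against the pattern definitions this commit introduces), so the add_name/remove_name/write directory access the old rule carried is dropped. That is a welcome tightening for a helper that holds the setuid capability, but it deserves a one-line comment such as `# config is edited in place; no directory writes needed` and a check for new AVC denials on userhelper_conf_t after deployment. Sides are inferred from the hunk counts (-19/+13), as the page shows no +/- markers. The template body continues outside the hunk.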


@ -16,12 +16,7 @@ interface(`usernetctl_domtrans',`
')
tunable_policy(`user_net_control',`
domain_auto_trans($1,usernetctl_exec_t,usernetctl_t)
allow $1 usernetctl_t:fd use;
allow usernetctl_t $1:fd use;
allow usernetctl_t $1:fifo_file rw_file_perms;
allow usernetctl_t $1:process sigchld;
domtrans_pattern($1,usernetctl_exec_t,usernetctl_t)
',`
can_exec($1,usernetctl_exec_t)
')


@ -20,7 +20,7 @@ domain_interactive_fd(usernetctl_t)
allow usernetctl_t self:capability { setuid setgid dac_override };
allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow usernetctl_t self:fd use;
allow usernetctl_t self:fifo_file rw_file_perms;
allow usernetctl_t self:fifo_file rw_fifo_file_perms;
allow usernetctl_t self:shm create_shm_perms;
allow usernetctl_t self:sem create_sem_perms;
allow usernetctl_t self:msgq create_msgq_perms;


@ -64,17 +64,12 @@ template(`vmware_per_role_template',`
# Local policy
#
domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
allow $1_vmware_t $2:fd use;
allow $1_vmware_t $2:fifo_file rw_file_perms;
allow $1_vmware_t $2:process sigchld;
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
dontaudit $1_vmware_t self:capability sys_tty_config;
allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_vmware_t self:process { execmem execstack };
allow $1_vmware_t self:fd use;
allow $1_vmware_t self:fifo_file rw_file_perms;
allow $1_vmware_t self:fifo_file rw_fifo_file_perms;
allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
allow $1_vmware_t self:unix_dgram_socket sendto;
@ -90,33 +85,34 @@ template(`vmware_per_role_template',`
allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
# VMWare disks
allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
manage_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
manage_lnk_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
allow $1_vmware_t $1_vmware_tmp_t:file execute;
manage_dirs_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
manage_files_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
manage_sock_files_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
manage_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
manage_lnk_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
manage_fifo_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
manage_sock_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Read clobal configuration files
allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
allow $1_vmware_t vmware_sys_conf_t:dir list_dir_perms;
read_files_pattern($1_vmware_t,vmware_sys_conf_t,vmware_sys_conf_t)
read_lnk_files_pattern($1_vmware_t,vmware_sys_conf_t,vmware_sys_conf_t)
allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
manage_dirs_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
manage_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
manage_lnk_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
manage_sock_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
domtrans_pattern($2, vmware_exec_t, $1_vmware_t)
kernel_read_system_state($1_vmware_t)
kernel_read_network_state($1_vmware_t)
kernel_read_kernel_sysctls($1_vmware_t)
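Review bot: `domtrans_pattern($2, vmware_exec_t, $1_vmware_t)` now sits at the end of the local-policy block, after the var_run rules, whereas the `domain_auto_trans` it replaces opened the block; moving it back under the `# Local policy` header, or adding `# Transition from the user domain.` above it, keeps the transition discoverable. The removed rules never gave the caller `allow $2 $1_vmware_t:fd use;`, which domtrans_pattern supplies (the webalizer_domtrans and wine_domtrans hunks below replace exactly that rule with domtrans_pattern), so the user domain gains fd use on `$1_vmware_t` here — a small widening rather than a rewrite, and worth a word in the commit. The `dir` entry in `fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` likewise has no accompanying `manage_dirs_pattern` on the tmpfs type if the `:dir rw_dir_perms` rule is the removed one, unlike the mozilla, tvtime and uml hunks which drop `dir`. Sides are inferred, as the page shows no +/- markers, and the template starts and ends outside the hunks.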


@ -30,17 +30,15 @@ files_pid_file(vmware_var_run_t)
allow vmware_host_t self:capability { setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process signal_perms;
allow vmware_host_t self:fifo_file rw_file_perms;
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
# cjp: the ro and rw files should be split up
allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
allow vmware_host_t vmware_var_run_t:file manage_file_perms;
allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
manage_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(vmware_host_t)


@ -15,12 +15,7 @@ interface(`webalizer_domtrans',`
type webalizer_t, webalizer_exec_t;
')
domain_auto_trans($1,webalizer_exec_t,webalizer_t)
allow $1 webalizer_t:fd use;
allow webalizer_t $1:fd use;
allow webalizer_t $1:fifo_file rw_file_perms;
allow webalizer_t $1:process sigchld;
domtrans_pattern($1,webalizer_exec_t,webalizer_t)
')
########################################


@ -5,6 +5,7 @@ policy_module(webalizer,1.3.0)
#
# Declarations
#
type webalizer_t;
type webalizer_exec_t;
domain_type(webalizer_t)
@ -30,11 +31,12 @@ files_type(webalizer_write_t)
#
# Local policy
#
allow webalizer_t self:capability dac_override;
allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow webalizer_t self:fd use;
allow webalizer_t self:fifo_file rw_file_perms;
allow webalizer_t self:sock_file r_file_perms;
allow webalizer_t self:fifo_file rw_fifo_file_perms;
allow webalizer_t self:sock_file read_sock_file_perms;
allow webalizer_t self:shm create_shm_perms;
allow webalizer_t self:sem create_sem_perms;
allow webalizer_t self:msgq create_msgq_perms;
@ -49,12 +51,11 @@ allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
allow webalizer_t webalizer_etc_t:file { getattr read };
allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
allow webalizer_t webalizer_tmp_t:file create_file_perms;
manage_dirs_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
manage_files_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
allow webalizer_t webalizer_var_lib_t:file create_file_perms;
allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
manage_files_pattern(webalizer_t,webalizer_var_lib_t,webalizer_var_lib_t)
files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
kernel_read_kernel_sysctls(webalizer_t)
@ -92,6 +93,10 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(webalizer_t)
')
optional_policy(`
cron_system_entry(webalizer_t,webalizer_exec_t)
')
optional_policy(`
ftp_read_log(webalizer_t)
')
@ -103,7 +108,3 @@ optional_policy(`
optional_policy(`
nscd_socket_use(webalizer_t)
')
optional_policy(`
cron_system_entry(webalizer_t,webalizer_exec_t)
')


@ -16,10 +16,5 @@ interface(`wine_domtrans',`
')
corecmd_search_bin($1)
domain_auto_trans($1, wine_exec_t, wine_t)
allow $1 wine_t:fd use;
allow wine_t $1:fd use;
allow wine_t $1:fifo_file rw_file_perms;
allow wine_t $1:process sigchld;
domtrans_pattern($1, wine_exec_t, wine_t)
')


@ -16,12 +16,7 @@ interface(`yam_domtrans',`
')
corecmd_search_sbin($1)
domain_auto_trans($1,yam_exec_t,yam_t)
allow $1 yam_t:fd use;
allow yam_t $1:fd use;
allow yam_t $1:fifo_file rw_file_perms;
allow yam_t $1:process sigchld;
domtrans_pattern($1,yam_exec_t,yam_t)
')
########################################
@ -72,6 +67,6 @@ interface(`yam_read_content',`
')
allow $1 yam_content_t:dir list_dir_perms;
allow $1 yam_content_t:file read_file_perms;
allow $1 yam_content_t:lnk_file { getattr read };
read_files_pattern($1,yam_content_t,yam_content_t)
read_lnk_files_pattern($1,yam_content_t,yam_content_t)
')


@ -29,7 +29,7 @@ allow yam_t self:capability { chown fowner fsetid dac_override };
allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow yam_t self:process execmem;
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_file_perms;
allow yam_t self:fifo_file rw_fifo_file_perms;
allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
allow yam_t self:shm create_shm_perms;
@ -39,15 +39,15 @@ allow yam_t self:msg { send receive };
allow yam_t self:tcp_socket create_socket_perms;
# Update the content being managed by yam.
allow yam_t yam_content_t:dir create_dir_perms;
allow yam_t yam_content_t:file create_file_perms;
allow yam_t yam_content_t:lnk_file create_lnk_perms;
manage_dirs_pattern(yam_t,yam_content_t,yam_content_t)
manage_files_pattern(yam_t,yam_content_t,yam_content_t)
manage_lnk_files_pattern(yam_t,yam_content_t,yam_content_t)
allow yam_t yam_etc_t:file { getattr read };
files_search_etc(yam_t)
allow yam_t yam_tmp_t:dir create_dir_perms;
allow yam_t yam_tmp_t:file create_file_perms;
manage_files_pattern(yam_t,yam_tmp_t,yam_tmp_t)
manage_dirs_pattern(yam_t,yam_tmp_t,yam_tmp_t)
files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
kernel_read_kernel_sysctls(yam_t)
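Review bot: The two yam_tmp_t pattern calls are written files-first, while the yam_content_t block a few lines above and the webalizer_tmp_t block in webalizer.te both list manage_dirs_pattern before manage_files_pattern; for consistency swap them to `manage_dirs_pattern(yam_t,yam_tmp_t,yam_tmp_t)` followed by `manage_files_pattern(yam_t,yam_tmp_t,yam_tmp_t)`. The order has no effect on the compiled policy, so this is style only. The local-policy section these hunks belong to starts above the first hunk.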


@ -133,7 +133,7 @@ interface(`corecmd_search_bin',`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
search_dirs_pattern($1,bin_t,bin_t)
')
########################################
@ -151,7 +151,7 @@ interface(`corecmd_list_bin',`
type bin_t;
')
allow $1 bin_t:dir list_dir_perms;
list_dirs_pattern($1,bin_t,bin_t)
')
########################################
@ -169,7 +169,7 @@ interface(`corecmd_getattr_bin_files',`
type bin_t;
')
allow $1 bin_t:file getattr;
getattr_files_pattern($1,bin_t,bin_t)
')
########################################
@ -187,8 +187,7 @@ interface(`corecmd_read_bin_files',`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file read_file_perms;
read_files_pattern($1,bin_t,bin_t)
')
########################################
@ -206,8 +205,7 @@ interface(`corecmd_read_bin_symlinks',`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
read_lnk_files_pattern($1,bin_t,bin_t)
')
########################################
@ -225,8 +223,7 @@ interface(`corecmd_read_bin_pipes',`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:fifo_file read_file_perms;
read_fifo_files_pattern($1,bin_t,bin_t)
')
########################################
@ -244,8 +241,7 @@ interface(`corecmd_read_bin_sockets',`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:sock_file read_file_perms;
read_sock_files_pattern($1,bin_t,bin_t)
')
########################################
@ -264,10 +260,9 @@ interface(`corecmd_exec_bin',`
type bin_t;
')
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
read_lnk_files_pattern($1,bin_t,bin_t)
list_dirs_pattern($1,bin_t,bin_t)
can_exec($1,bin_t)
')
########################################
@ -285,8 +280,7 @@ interface(`corecmd_manage_bin_files',`
type bin_t;
')
allow $1 bin_t:dir rw_dir_perms;
allow $1 bin_t:file manage_file_perms;
manage_files_pattern($1,bin_t,bin_t)
')
########################################
@ -304,8 +298,7 @@ interface(`corecmd_relabel_bin_files',`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file { relabelfrom relabelto };
relabel_files_pattern($1,bin_t,bin_t)
')
########################################
@ -368,10 +361,8 @@ interface(`corecmd_bin_spec_domtrans',`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:lnk_file { getattr read };
domain_trans($1,bin_t,$2)
read_lnk_files_pattern($1,bin_t,bin_t)
domain_transition_pattern($1,bin_t,$2)
')
########################################
@ -469,7 +460,7 @@ interface(`corecmd_list_sbin',`
type sbin_t;
')
allow $1 sbin_t:dir list_dir_perms;
list_dirs_pattern($1,sbin_t,sbin_t)
')
########################################
@ -487,7 +478,7 @@ interface(`corecmd_getattr_sbin_files',`
type sbin_t;
')
allow $1 sbin_t:file getattr;
getattr_files_pattern($1,sbin_t,sbin_t)
')
########################################
@ -524,8 +515,7 @@ interface(`corecmd_read_sbin_files',`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:file read_file_perms;
read_files_pattern($1,sbin_t,sbin_t)
')
########################################
@ -543,8 +533,7 @@ interface(`corecmd_read_sbin_symlinks',`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:lnk_file read_file_perms;
read_lnk_files_pattern($1,sbin_t,sbin_t)
')
########################################
@ -562,8 +551,7 @@ interface(`corecmd_read_sbin_pipes',`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:fifo_file read_file_perms;
read_fifo_files_pattern($1,sbin_t,sbin_t)
')
########################################
@ -581,8 +569,7 @@ interface(`corecmd_read_sbin_sockets',`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:sock_file read_file_perms;
read_sock_files_pattern($1,sbin_t,sbin_t)
')
########################################
@ -601,8 +588,8 @@ interface(`corecmd_exec_sbin',`
type sbin_t;
')
allow $1 sbin_t:dir list_dir_perms;
allow $1 sbin_t:lnk_file read_file_perms;
list_dirs_pattern($1,sbin_t,sbin_t)
read_lnk_files_pattern($1,sbin_t,sbin_t)
can_exec($1,sbin_t)
')
@ -622,8 +609,7 @@ interface(`corecmd_manage_sbin_files',`
type sbin_t;
')
allow $1 sbin_t:dir rw_dir_perms;
allow $1 sbin_t:file manage_file_perms;
manage_files_pattern($1,sbin_t,sbin_t)
')
########################################
@ -642,8 +628,7 @@ interface(`corecmd_relabel_sbin_files',`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:file { relabelfrom relabelto };
relabel_files_pattern($1,sbin_t,sbin_t)
')
########################################
@ -705,10 +690,8 @@ interface(`corecmd_sbin_domtrans',`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:lnk_file { getattr read };
domain_auto_trans($1,sbin_t,$2)
read_lnk_files_pattern($1,sbin_t,sbin_t)
domain_auto_transition_pattern($1,sbin_t,$2)
')
########################################
@ -752,10 +735,8 @@ interface(`corecmd_sbin_spec_domtrans',`
type sbin_t;
')
allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:lnk_file { getattr read };
domain_trans($1,sbin_t,$2)
read_lnk_files_pattern($1,sbin_t,sbin_t)
domain_transition_pattern($1,sbin_t,$2)
')
########################################
@ -773,8 +754,8 @@ interface(`corecmd_check_exec_shell',`
type bin_t, shell_exec_t;
')
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
list_dirs_pattern($1,bin_t,bin_t)
read_lnk_files_pattern($1,bin_t,bin_t)
allow $1 shell_exec_t:file execute;
')
@ -793,8 +774,8 @@ interface(`corecmd_exec_shell',`
type bin_t, shell_exec_t;
')
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
list_dirs_pattern($1,bin_t,bin_t)
read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,shell_exec_t)
')
@ -813,8 +794,8 @@ interface(`corecmd_exec_ls',`
type bin_t, ls_exec_t;
')
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
list_dirs_pattern($1,bin_t,bin_t)
read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,ls_exec_t)
')
@ -852,10 +833,9 @@ interface(`corecmd_shell_spec_domtrans',`
type bin_t, shell_exec_t;
')
allow $1 bin_t:dir list_dir_perms;
allow $1 bin_t:lnk_file read_file_perms;
domain_trans($1,shell_exec_t,$2)
list_dirs_pattern($1,bin_t,bin_t)
read_lnk_files_pattern($1,bin_t,bin_t)
domain_transition_pattern($1,shell_exec_t,$2)
')
########################################
@ -907,6 +887,7 @@ interface(`corecmd_exec_chroot',`
type chroot_exec_t;
')
read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,chroot_exec_t)
allow $1 self:capability sys_chroot;
')
@ -929,8 +910,8 @@ interface(`corecmd_exec_all_executables',`
')
can_exec($1,exec_type)
allow $1 { bin_t sbin_t }:dir list_dir_perms;
allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
')
########################################
@ -950,9 +931,8 @@ interface(`corecmd_manage_all_executables',`
type bin_t, sbin_t;
')
allow $1 exec_type:file manage_file_perms;
allow $1 { bin_t sbin_t }:dir rw_dir_perms;
allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
manage_files_pattern($1,{ bin_t sbin_t },exec_type)
manage_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
')
########################################
@ -971,7 +951,7 @@ interface(`corecmd_relabel_all_executables',`
attribute exec_type;
')
allow $1 exec_type:file { relabelfrom relabelto };
allow $1 exec_type:file relabel_file_perms;
')
########################################
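Review bot: corecmd_exec_chroot now calls `read_lnk_files_pattern($1,bin_t,bin_t)`, but the only require line visible in the hunk is `type chroot_exec_t;`; unless bin_t is already declared on the gen_require line above the hunk, the interface references a type it has not required and the expansion may fail in a caller's loadable module. If it is missing, change the require to `type bin_t, chroot_exec_t;` — the opening of the gen_require block is outside the hunk. Separately, corecmd_exec_bin now lists read_lnk_files_pattern before list_dirs_pattern, whereas corecmd_exec_sbin, corecmd_exec_shell and corecmd_exec_ls list the dirs pattern first; swapping the two lines in corecmd_exec_bin keeps the interfaces parallel.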



@ -562,9 +562,9 @@ interface(`domain_read_all_domains_state',`
')
kernel_search_proc($1)
allow $1 domain:dir r_dir_perms;
allow $1 domain:lnk_file r_file_perms;
allow $1 domain:file r_file_perms;
allow $1 domain:dir list_dir_perms;
read_files_pattern($1,domain,domain)
read_lnk_files_pattern($1,domain,domain)
')
########################################
@ -621,11 +621,11 @@ interface(`domain_read_confined_domains_state',`
')
kernel_search_proc($1)
allow $1 { domain -unconfined_domain_type }:dir r_dir_perms;
allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms;
allow $1 { domain -unconfined_domain_type }:file r_file_perms;
allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
read_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type })
read_lnk_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type })
dontaudit $1 unconfined_domain_type:dir search;
dontaudit $1 unconfined_domain_type:dir search_dir_perms;
dontaudit $1 unconfined_domain_type:file { getattr read };
')
@ -740,13 +740,13 @@ interface(`domain_dontaudit_read_all_domains_state',`
attribute domain;
')
dontaudit $1 domain:dir r_dir_perms;
dontaudit $1 domain:lnk_file r_file_perms;
dontaudit $1 domain:file r_file_perms;
dontaudit $1 domain:dir list_dir_perms;
dontaudit $1 domain:lnk_file read_file_perms;
dontaudit $1 domain:file read_file_perms;
# cjp: these should be removed:
dontaudit $1 domain:sock_file r_file_perms;
dontaudit $1 domain:fifo_file r_file_perms;
dontaudit $1 domain:sock_file read_file_perms;
dontaudit $1 domain:fifo_file read_file_perms;
')
########################################
@ -765,7 +765,7 @@ interface(`domain_dontaudit_list_all_domains_state',`
attribute domain;
')
dontaudit $1 domain:dir r_dir_perms;
dontaudit $1 domain:dir list_dir_perms;
')
########################################
@ -1069,8 +1069,8 @@ interface(`domain_getattr_all_entry_files',`
attribute entry_type;
')
allow $1 entry_type:lnk_file getattr;
allow $1 entry_type:file r_file_perms;
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file getattr;
')
########################################
@ -1088,8 +1088,8 @@ interface(`domain_read_all_entry_files',`
attribute entry_type;
')
allow $1 entry_type:lnk_file r_file_perms;
allow $1 entry_type:file r_file_perms;
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file read_file_perms;
')
########################################
@ -1149,7 +1149,7 @@ interface(`domain_relabel_all_entry_files',`
attribute entry_type;
')
allow $1 entry_type:file { relabelfrom relabelto };
allow $1 entry_type:file relabel_file_perms;
')
########################################
@ -1168,7 +1168,7 @@ interface(`domain_mmap_all_entry_files',`
attribute entry_type;
')
allow $1 entry_type:file { getattr read execute };
allow $1 entry_type:file mmap_file_perms;
')
########################################
@ -1187,7 +1187,7 @@ interface(`domain_entry_file_spec_domtrans',`
attribute entry_type;
')
domain_trans($1,entry_type,$2)
domain_transition_pattern($1,entry_type,$2)
')
########################################
@ -1217,62 +1217,3 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
')
#
# These next macros are not templates, but actually are
# support macros. Due to the domain_ prefix, they
# are placed in this module, to try to prevent confusion.
# They are called templates since regular m4 defines
# wont work here.
#
########################################
## <summary>
## Specified domain transition requiring setexeccon.
## </summary>
## <param name="source_domain">
## <summary>
## Domain to transition from.
## </summary>
## </param>
## <param name="entry_file">
## <summary>
## Type of program to execute.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## Domain to transition to.
## </summary>
## </param>
#
template(`domain_trans',`
allow $1 $2:file { getattr read execute };
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')
########################################
## <summary>
## Automatic domain transition by type_transition.
## </summary>
## <param name="source_domain">
## <summary>
## Domain to transition from.
## </summary>
## </param>
## <param name="entry_file">
## <summary>
## Type of program to execute.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## Domain to transition to.
## </summary>
## </param>
#
template(`domain_auto_trans',`
domain_trans($1,$2,$3)
type_transition $1 $2:process $3;
')
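Review bot: domain_getattr_all_entry_files changes what it grants in both directions: entry_type:file drops from r_file_perms to getattr, while entry_type:lnk_file widens from getattr to read_lnk_file_perms. Narrowing the file side matches the interface name, but any caller that was relying on this interface for read access to entry files will start seeing denials, so the change deserves a Changelog line and a short note in the interface's summary, e.g. `## Get the attributes of all entrypoint files; use domain_read_all_entry_files for file contents.` The interface's doc block and gen_require opener are outside the hunk.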



@ -360,7 +360,7 @@ interface(`fs_search_auto_mountpoints',`
type autofs_t;
')
allow $1 autofs_t:dir { getattr search };
allow $1 autofs_t:dir search_dir_perms;
')
########################################
@ -380,7 +380,7 @@ interface(`fs_list_auto_mountpoints',`
type autofs_t;
')
allow $1 autofs_t:dir r_dir_perms;
allow $1 autofs_t:dir list_dir_perms;
')
########################################
@ -399,7 +399,7 @@ interface(`fs_dontaudit_list_auto_mountpoints',`
type autofs_t;
')
dontaudit $1 autofs_t:dir r_dir_perms;
dontaudit $1 autofs_t:dir list_dir_perms;
')
########################################
@ -418,8 +418,7 @@ interface(`fs_manage_autofs_symlinks',`
type autofs_t;
')
allow $1 autofs_t:dir rw_dir_perms;
allow $1 autofs_t:lnk_file create_lnk_perms;
manage_lnk_files_pattern($1,autofs_t,autofs_t)
')
########################################
@ -474,8 +473,7 @@ interface(`fs_register_binary_executable_type',`
type binfmt_misc_fs_t;
')
allow $1 binfmt_misc_fs_t:dir { getattr search };
allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
rw_files_pattern($1,binfmt_misc_fs_t,binfmt_misc_fs_t)
')
########################################
@ -568,7 +566,7 @@ interface(`fs_search_cifs',`
type cifs_t;
')
allow $1 cifs_t:dir search;
allow $1 cifs_t:dir search_dir_perms;
')
########################################
@ -587,7 +585,7 @@ interface(`fs_list_cifs',`
type cifs_t;
')
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:dir list_dir_perms;
')
########################################
@ -606,7 +604,7 @@ interface(`fs_dontaudit_list_cifs',`
type cifs_t;
')
dontaudit $1 cifs_t:dir r_dir_perms;
dontaudit $1 cifs_t:dir list_dir_perms;
')
########################################
@ -625,8 +623,8 @@ interface(`fs_read_cifs_files',`
type cifs_t;
')
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:file r_file_perms;
allow $1 cifs_t:dir list_dir_perms;
read_files_pattern($1,cifs_t,cifs_t)
')
########################################
@ -664,8 +662,7 @@ interface(`fs_list_noxattr_fs',`
attribute noxattrfs;
')
allow $1 noxattrfs:dir r_dir_perms;
allow $1 noxattrfs:dir list_dir_perms;
')
########################################
@ -701,9 +698,7 @@ interface(`fs_read_noxattr_fs_files',`
attribute noxattrfs;
')
allow $1 noxattrfs:dir search_dir_perms;
allow $1 noxattrfs:file r_file_perms;
read_files_pattern($1,noxattrfs,noxattrfs)
')
########################################
@ -721,8 +716,7 @@ interface(`fs_manage_noxattr_fs_files',`
attribute noxattrfs;
')
allow $1 noxattrfs:dir rw_dir_perms;
allow $1 noxattrfs:file manage_file_perms;
manage_files_pattern($1,noxattrfs,noxattrfs)
')
########################################
@ -740,8 +734,7 @@ interface(`fs_read_noxattr_fs_symlinks',`
attribute noxattrfs;
')
allow $1 noxattrfs:dir search_dir_perms;
allow $1 noxattrfs:lnk_file r_file_perms;
read_lnk_files_pattern($1,noxattrfs,noxattrfs)
')
########################################
@ -760,7 +753,7 @@ interface(`fs_dontaudit_read_cifs_files',`
type cifs_t;
')
dontaudit $1 cifs_t:file r_file_perms;
dontaudit $1 cifs_t:file read_file_perms;
')
########################################
@ -797,8 +790,8 @@ interface(`fs_read_cifs_symlinks',`
type cifs_t;
')
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:lnk_file r_file_perms;
allow $1 cifs_t:dir list_dir_perms;
read_lnk_files_pattern($1,cifs_t,cifs_t)
')
########################################
@ -819,8 +812,8 @@ interface(`fs_exec_cifs_files',`
type cifs_t;
')
allow $1 cifs_t:dir r_dir_perms;
can_exec($1, cifs_t)
allow $1 cifs_t:dir list_dir_perms;
exec_files_pattern($1,cifs_t,cifs_t)
')
########################################
@ -840,7 +833,7 @@ interface(`fs_manage_cifs_dirs',`
type cifs_t;
')
allow $1 cifs_t:dir create_dir_perms;
allow $1 cifs_t:dir manage_dir_perms;
')
########################################
@ -860,7 +853,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
type cifs_t;
')
dontaudit $1 cifs_t:dir create_dir_perms;
dontaudit $1 cifs_t:dir manage_dir_perms;
')
########################################
@ -880,8 +873,7 @@ interface(`fs_manage_cifs_files',`
type cifs_t;
')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:file create_file_perms;
manage_files_pattern($1,cifs_t,cifs_t)
')
########################################
@ -901,7 +893,7 @@ interface(`fs_dontaudit_manage_cifs_files',`
type cifs_t;
')
dontaudit $1 cifs_t:file create_file_perms;
dontaudit $1 cifs_t:file manage_file_perms;
')
########################################
@ -920,8 +912,7 @@ interface(`fs_manage_cifs_symlinks',`
type cifs_t;
')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:lnk_file create_lnk_perms;
manage_lnk_files_pattern($1,cifs_t,cifs_t)
')
########################################
@ -940,8 +931,7 @@ interface(`fs_manage_cifs_named_pipes',`
type cifs_t;
')
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:fifo_file create_file_perms;
manage_fifo_files_pattern($1,cifs_t,cifs_t)
')
########################################
@ -960,8 +950,7 @@ interface(`fs_manage_cifs_named_sockets',`
type cifs_t;
')
allow $1 cifs_t:dir rw_file_perms;
allow $1 cifs_t:sock_file create_file_perms;
manage_sock_files_pattern($1,cifs_t,cifs_t)
')
########################################
@ -1004,9 +993,8 @@ interface(`fs_cifs_domtrans',`
type cifs_t;
')
allow $1 cifs_t:dir search;
domain_auto_trans($1,cifs_t,$2)
allow $1 cifs_t:dir search_dir_perms;
domain_auto_transition_pattern($1,cifs_t,$2)
')
########################################
@ -1122,8 +1110,7 @@ interface(`fs_manage_dos_files',`
type dosfs_t;
')
allow $1 dosfs_t:dir rw_dir_perms;
allow $1 dosfs_t:file manage_file_perms;
manage_files_pattern($1,dosfs_t,dosfs_t)
')
########################################
@ -1182,7 +1169,7 @@ interface(`fs_list_inotifyfs',`
type inotifyfs_t;
')
allow $1 inotifyfs_t:dir r_dir_perms;
allow $1 inotifyfs_t:dir list_dir_perms;
')
########################################
@ -1280,8 +1267,8 @@ interface(`fs_read_iso9660_files',`
')
allow $1 iso9660_t:dir list_dir_perms;
allow $1 iso9660_t:file read_file_perms;
allow $1 iso9660_t:lnk_file { getattr read };
read_files_pattern($1,iso9660_t,iso9660_t)
read_lnk_files_pattern($1,iso9660_t,iso9660_t)
')
########################################
@ -1373,7 +1360,7 @@ interface(`fs_search_nfs',`
type nfs_t;
')
allow $1 nfs_t:dir search;
allow $1 nfs_t:dir search_dir_perms;
')
########################################
@ -1391,7 +1378,7 @@ interface(`fs_list_nfs',`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:dir list_dir_perms;
')
########################################
@ -1410,7 +1397,7 @@ interface(`fs_dontaudit_list_nfs',`
type nfs_t;
')
dontaudit $1 nfs_t:dir r_dir_perms;
dontaudit $1 nfs_t:dir list_dir_perms;
')
########################################
@ -1429,8 +1416,8 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:file r_file_perms;
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1,nfs_t,nfs_t)
')
########################################
@ -1449,7 +1436,7 @@ interface(`fs_dontaudit_read_nfs_files',`
type nfs_t;
')
dontaudit $1 nfs_t:file r_file_perms;
dontaudit $1 nfs_t:file read_file_perms;
')
########################################
@ -1467,8 +1454,8 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:file write;
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1,nfs_t,nfs_t)
')
########################################
@ -1487,8 +1474,8 @@ interface(`fs_exec_nfs_files',`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
can_exec($1, nfs_t)
allow $1 nfs_t:dir list_dir_perms;
exec_files_pattern($1,nfs_t,nfs_t)
')
########################################
@ -1525,8 +1512,8 @@ interface(`fs_read_nfs_symlinks',`
type nfs_t;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:lnk_file r_file_perms;
allow $1 nfs_t:dir list_dir_perms;
read_lnk_files_pattern($1,nfs_t,nfs_t)
')
########################################
@ -1581,8 +1568,7 @@ interface(`fs_search_removable',`
type removable_t;
')
allow $1 removable_t:dir { getattr read search };
allow $1 removable_t:dir search_dir_perms;
')
########################################
@ -1599,7 +1585,8 @@ interface(`fs_dontaudit_list_removable',`
gen_require(`
type removable_t;
')
dontaudit $1 removable_t:dir r_dir_perms;
dontaudit $1 removable_t:dir list_dir_perms;
')
########################################
@ -1617,8 +1604,7 @@ interface(`fs_read_removable_files',`
type removable_t;
')
allow $1 removable_t:file { read getattr };
read_files_pattern($1,removable_t,removable_t)
')
########################################
@ -1635,7 +1621,8 @@ interface(`fs_dontaudit_read_removable_files',`
gen_require(`
type removable_t;
')
dontaudit $1 removable_t:file r_file_perms;
dontaudit $1 removable_t:file read_file_perms;
')
########################################
@ -1653,8 +1640,7 @@ interface(`fs_read_removable_symlinks',`
type removable_t;
')
allow $1 removable_t:lnk_file { getattr read };
read_lnk_files_pattern($1,removable_t,removable_t)
')
########################################
@ -1672,8 +1658,7 @@ interface(`fs_list_rpc',`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:dir { getattr read search };
allow $1 rpc_pipefs_t:dir list_dir_perms;
')
########################################
@ -1691,8 +1676,7 @@ interface(`fs_read_rpc_files',`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:file { read getattr };
read_files_pattern($1,rpc_pipefs_t,rpc_pipefs_t)
')
########################################
@ -1710,8 +1694,7 @@ interface(`fs_read_rpc_symlinks',`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:lnk_file { getattr read };
read_lnk_files_pattern($1,rpc_pipefs_t,rpc_pipefs_t)
')
########################################
@ -1750,7 +1733,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
allow $1 nfs_t:dir create_dir_perms;
allow $1 nfs_t:dir manage_dir_perms;
')
########################################
@ -1770,7 +1753,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
type nfs_t;
')
dontaudit $1 nfs_t:dir create_dir_perms;
dontaudit $1 nfs_t:dir manage_dir_perms;
')
########################################
@ -1790,8 +1773,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:file create_file_perms;
manage_files_pattern($1,nfs_t,nfs_t)
')
########################################
@ -1811,7 +1793,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
type nfs_t;
')
dontaudit $1 nfs_t:file create_file_perms;
dontaudit $1 nfs_t:file manage_file_perms;
')
#########################################
@ -1831,8 +1813,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:lnk_file create_lnk_perms;
manage_lnk_files_pattern($1,nfs_t,nfs_t)
')
#########################################
@ -1851,8 +1832,7 @@ interface(`fs_manage_nfs_named_pipes',`
type nfs_t;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:fifo_file create_file_perms;
manage_fifo_files_pattern($1,nfs_t,nfs_t)
')
#########################################
@ -1871,8 +1851,7 @@ interface(`fs_manage_nfs_named_sockets',`
type nfs_t;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:sock_file create_file_perms;
manage_sock_files_pattern($1,nfs_t,nfs_t)
')
########################################
@ -1915,9 +1894,8 @@ interface(`fs_nfs_domtrans',`
type nfs_t;
')
allow $1 nfs_t:dir search;
domain_auto_trans($1,nfs_t,$2)
allow $1 nfs_t:dir search_dir_perms;
domain_auto_transition_pattern($1,nfs_t,$2)
')
########################################
@ -2009,7 +1987,7 @@ interface(`fs_search_nfsd_fs',`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:dir search;
allow $1 nfsd_fs_t:dir search_dir_perms;
')
########################################
@ -2027,7 +2005,7 @@ interface(`fs_rw_nfsd_fs',`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:file rw_file_perms;
rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t)
')
########################################
@ -2136,7 +2114,7 @@ interface(`fs_dontaudit_search_ramfs',`
type ramfs_t;
')
dontaudit $1 ramfs_t:dir search;
dontaudit $1 ramfs_t:dir search_dir_perms;
')
########################################
@ -2210,8 +2188,7 @@ interface(`fs_manage_ramfs_files',`
type ramfs_t;
')
allow $1 ramfs_t:dir rw_dir_perms;
allow $1 ramfs_t:file manage_file_perms;
manage_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@ -2229,8 +2206,7 @@ interface(`fs_write_ramfs_pipes',`
type ramfs_t;
')
allow $1 ramfs_t:dir search_dir_perms;
allow $1 ramfs_t:fifo_file write;
write_fifo_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@ -2267,8 +2243,7 @@ interface(`fs_rw_ramfs_pipes',`
type ramfs_t;
')
allow $1 ramfs_t:dir search_dir_perms;
allow $1 ramfs_t:fifo_file rw_file_perms;
rw_fifo_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@ -2287,8 +2262,7 @@ interface(`fs_manage_ramfs_pipes',`
type ramfs_t;
')
allow $1 ramfs_t:dir rw_dir_perms;
allow $1 ramfs_t:fifo_file manage_file_perms;
manage_fifo_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@ -2306,7 +2280,7 @@ interface(`fs_write_ramfs_sockets',`
type ramfs_t;
')
allow $1 ramfs_t:sock_file write;
write_sock_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@ -2325,8 +2299,7 @@ interface(`fs_manage_ramfs_sockets',`
type ramfs_t;
')
allow $1 ramfs_t:dir rw_dir_perms;
allow $1 ramfs_t:sock_file manage_file_perms;
manage_sock_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@ -2657,7 +2630,7 @@ interface(`fs_search_tmpfs',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir search;
allow $1 tmpfs_t:dir search_dir_perms;
')
########################################
@ -2675,7 +2648,7 @@ interface(`fs_list_tmpfs',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:dir list_dir_perms;
')
########################################
@ -2694,7 +2667,7 @@ interface(`fs_dontaudit_list_tmpfs',`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:dir r_dir_perms;
dontaudit $1 tmpfs_t:dir list_dir_perms;
')
########################################
@ -2713,7 +2686,7 @@ interface(`fs_manage_tmpfs_dirs',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir create_dir_perms;
allow $1 tmpfs_t:dir manage_dir_perms;
')
########################################
@ -2743,8 +2716,7 @@ interface(`fs_tmpfs_filetrans',`
')
allow $2 tmpfs_t:filesystem associate;
allow $1 tmpfs_t:dir rw_dir_perms;
type_transition $1 tmpfs_t:$3 $2;
filetrans_pattern($1,tmpfs_t,$2,$3)
')
########################################
@ -2800,8 +2772,7 @@ interface(`fs_rw_tmpfs_files',`
type tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 tmpfs_t:file rw_file_perms;
rw_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2819,8 +2790,7 @@ interface(`fs_read_tmpfs_symlinks',`
type tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 tmpfs_t:lnk_file read;
read_lnk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2838,8 +2808,8 @@ interface(`fs_rw_tmpfs_chr_files',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:chr_file rw_file_perms;
allow $1 tmpfs_t:dir list_dir_perms;
rw_chr_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2857,8 +2827,8 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:dir r_dir_perms;
dontaudit $1 tmpfs_t:chr_file rw_file_perms;
dontaudit $1 tmpfs_t:dir list_dir_perms;
dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
')
########################################
@ -2876,8 +2846,8 @@ interface(`fs_relabel_tmpfs_chr_file',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
allow $1 tmpfs_t:dir list_dir_perms;
relabel_chr_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2895,8 +2865,8 @@ interface(`fs_rw_tmpfs_blk_files',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:blk_file rw_file_perms;
allow $1 tmpfs_t:dir list_dir_perms;
rw_blk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2914,8 +2884,8 @@ interface(`fs_relabel_tmpfs_blk_file',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
allow $1 tmpfs_t:dir list_dir_perms;
relabel_blk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2934,8 +2904,7 @@ interface(`fs_manage_tmpfs_files',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:file create_file_perms;
manage_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2954,8 +2923,7 @@ interface(`fs_manage_tmpfs_symlinks',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:lnk_file create_lnk_perms;
manage_lnk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2974,8 +2942,7 @@ interface(`fs_manage_tmpfs_sockets',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:sock_file create_file_perms;
manage_sock_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -2994,8 +2961,7 @@ interface(`fs_manage_tmpfs_chr_files',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:chr_file create_file_perms;
manage_chr_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -3014,8 +2980,7 @@ interface(`fs_manage_tmpfs_blk_files',`
type tmpfs_t;
')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:blk_file create_file_perms;
manage_blk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@ -3220,7 +3185,7 @@ interface(`fs_list_all',`
attribute filesystem_type;
')
allow $1 filesystem_type:dir r_dir_perms;
allow $1 filesystem_type:dir list_dir_perms;
')
########################################
@ -3239,8 +3204,7 @@ interface(`fs_getattr_all_files',`
attribute filesystem_type;
')
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:file getattr;
getattr_files_pattern($1,filesystem_type,filesystem_type)
')
########################################
@ -3259,8 +3223,7 @@ interface(`fs_getattr_all_symlinks',`
attribute filesystem_type;
')
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:lnk_file getattr;
getattr_lnk_files_pattern($1,filesystem_type,filesystem_type)
')
########################################
@ -3279,8 +3242,7 @@ interface(`fs_getattr_all_pipes',`
attribute filesystem_type;
')
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:fifo_file getattr;
getattr_fifo_files_pattern($1,filesystem_type,filesystem_type)
')
########################################
@ -3299,8 +3261,7 @@ interface(`fs_getattr_all_sockets',`
attribute filesystem_type;
')
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:sock_file getattr;
getattr_sock_files_pattern($1,filesystem_type,filesystem_type)
')
########################################
@ -3413,11 +3374,12 @@ interface(`fs_relabelfrom_noxattr_fs',`
attribute noxattrfs;
')
allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
allow $1 noxattrfs:file { getattr relabelfrom };
allow $1 noxattrfs:lnk_file { getattr relabelfrom };
allow $1 noxattrfs:fifo_file { getattr relabelfrom };
allow $1 noxattrfs:sock_file { getattr relabelfrom };
allow $1 noxattrfs:blk_file { getattr relabelfrom };
allow $1 noxattrfs:chr_file { getattr relabelfrom };
allow $1 noxattrfs:dir list_dir_perms;
relabelfrom_dirs_pattern($1,noxattrfs,noxattrfs)
relabelfrom_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_lnk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_fifo_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_sock_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')


@ -27,12 +27,7 @@ interface(`kernel_domtrans_to',`
type kernel_t;
')
domain_auto_trans(kernel_t, $2, $1)
allow kernel_t $1:fd use;
allow $1 kernel_t:fd use;
allow $1 kernel_t:fifo_file rw_file_perms;
allow $1 kernel_t:process sigchld;
domtrans_pattern(kernel_t, $2, $1)
')
########################################
@ -534,7 +529,7 @@ interface(`kernel_search_debugfs',`
type debugfs_t;
')
allow $1 debugfs_t:dir search;
search_dirs_pattern($1,debugfs_t,debugfs_t)
')
########################################
@ -552,9 +547,9 @@ interface(`kernel_read_debugfs',`
type debugfs_t;
')
allow $1 debugfs_t:dir r_dir_perms;
allow $1 debugfs_t:file r_file_perms;
allow $1 debugfs_t:lnk_file { getattr read };
read_files_pattern($1,debugfs_t,debugfs_t)
read_lnk_files_pattern($1,debugfs_t,debugfs_t)
list_dirs_pattern($1,debugfs_t,debugfs_t)
')
########################################
@ -608,7 +603,7 @@ interface(`kernel_search_proc',`
type proc_t;
')
allow $1 proc_t:dir search;
search_dirs_pattern($1,proc_t,proc_t)
')
########################################
@ -626,7 +621,7 @@ interface(`kernel_list_proc',`
type proc_t;
')
allow $1 proc_t:dir r_dir_perms;
list_dirs_pattern($1,proc_t,proc_t)
')
########################################
@ -663,8 +658,7 @@ interface(`kernel_getattr_proc_files',`
type proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_t:file getattr;
getattr_files_pattern($1,proc_t,proc_t)
')
########################################
@ -682,8 +676,7 @@ interface(`kernel_read_proc_symlinks',`
type proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file { getattr read };
read_lnk_files_pattern($1,proc_t,proc_t)
')
########################################
@ -702,9 +695,10 @@ interface(`kernel_read_system_state',`
type proc_t;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_t:lnk_file { getattr read };
allow $1 proc_t:file r_file_perms;
read_files_pattern($1,proc_t,proc_t)
read_lnk_files_pattern($1,proc_t,proc_t)
list_dirs_pattern($1,proc_t,proc_t)
')
########################################
@ -727,8 +721,7 @@ interface(`kernel_write_proc_files',`
type proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_t:file { append write };
write_files_pattern($1,proc_t,proc_t)
')
########################################
@ -785,8 +778,9 @@ interface(`kernel_read_software_raid_state',`
type proc_t, proc_mdstat_t;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_mdstat_t:file r_file_perms;
read_files_pattern($1,proc_t,proc_mdstat_t)
list_dirs_pattern($1,proc_t,proc_t)
')
#######################################
@ -804,8 +798,9 @@ interface(`kernel_rw_software_raid_state',`
type proc_t, proc_mdstat_t;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_mdstat_t:file rw_file_perms;
rw_files_pattern($1,proc_t,proc_mdstat_t)
list_dirs_pattern($1,proc_t,proc_t)
')
########################################
@ -823,8 +818,9 @@ interface(`kernel_getattr_core_if',`
type proc_t, proc_kcore_t;
')
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_kcore_t:file getattr;
getattr_files_pattern($1,proc_t,proc_kcore_t)
list_dirs_pattern($1,proc_t,proc_t)
')
########################################
@ -863,8 +859,8 @@ interface(`kernel_read_messages',`
type proc_kmsg_t, proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_kmsg_t:file r_file_perms;
read_files_pattern($1,proc_t,proc_kmsg_t)
typeattribute $1 can_receive_kernel_messages;
')
@ -884,8 +880,7 @@ interface(`kernel_getattr_message_if',`
type proc_kmsg_t, proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_kmsg_t:file getattr;
getattr_files_pattern($1,proc_t,proc_kmsg_t)
')
########################################
@ -943,7 +938,7 @@ interface(`kernel_search_network_state',`
type proc_net_t;
')
allow $1 proc_net_t:dir search;
search_dirs_pattern($1,proc_t,proc_net_t)
')
########################################
@ -962,10 +957,10 @@ interface(`kernel_read_network_state',`
type proc_t, proc_net_t;
')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir r_dir_perms;
allow $1 proc_net_t:file r_file_perms;
allow $1 proc_net_t:lnk_file { getattr read };
read_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
list_dirs_pattern($1,proc_t,proc_net_t)
')
########################################
@ -983,9 +978,9 @@ interface(`kernel_read_network_state_symlinks',`
type proc_t, proc_net_t;
')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir r_dir_perms;
allow $1 proc_net_t:lnk_file r_file_perms;
read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
list_dirs_pattern($1,proc_t,proc_net_t)
')
########################################
@ -1004,8 +999,7 @@ interface(`kernel_search_xen_state',`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 proc_xen_t:dir search_dir_perms;
search_dirs_pattern($1,proc_t,proc_xen_t)
')
########################################
@ -1044,10 +1038,10 @@ interface(`kernel_read_xen_state',`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:file r_file_perms;
allow $1 proc_xen_t:lnk_file { getattr read };
read_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
list_dirs_pattern($1,proc_t,proc_xen_t)
')
########################################
@ -1066,9 +1060,9 @@ interface(`kernel_read_xen_state_symlinks',`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:lnk_file r_file_perms;
read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
list_dirs_pattern($1,proc_t,proc_xen_t)
')
########################################
@ -1087,9 +1081,7 @@ interface(`kernel_write_xen_state',`
type proc_t, proc_xen_t;
')
allow $1 proc_t:dir search;
allow $1 proc_xen_t:dir r_dir_perms;
allow $1 proc_xen_t:file write;
write_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
')
########################################
@ -1146,7 +1138,7 @@ interface(`kernel_read_sysctl',`
type sysctl_t;
')
allow $1 sysctl_t:dir r_dir_perms;
list_dirs_pattern($1,proc_t,sysctl_t)
')
########################################
@ -1165,10 +1157,9 @@ interface(`kernel_read_device_sysctls',`
type proc_t, sysctl_t, sysctl_dev_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_dev_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
')
########################################
@ -1187,9 +1178,9 @@ interface(`kernel_rw_device_sysctls',`
type proc_t, sysctl_t, sysctl_dev_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
')
########################################
@ -1207,7 +1198,7 @@ interface(`kernel_search_vm_sysctl',`
type proc_t, sysctl_t, sysctl_vm_t;
')
allow $1 { proc_t sysctl_t sysctl_vm_t }:dir search_dir_perms;
search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
')
########################################
@ -1226,9 +1217,9 @@ interface(`kernel_read_vm_sysctls',`
type proc_t, sysctl_t, sysctl_vm_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
')
########################################
@ -1247,10 +1238,8 @@ interface(`kernel_rw_vm_sysctls',`
type proc_t, sysctl_t, sysctl_vm_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:dir list_dir_perms;
allow $1 sysctl_vm_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
# hal needs this
allow $1 sysctl_vm_t:dir write;
@ -1271,7 +1260,7 @@ interface(`kernel_search_network_sysctl',`
type proc_t, sysctl_t, sysctl_net_t;
')
allow $1 { proc_t sysctl_t sysctl_net_t }:dir search;
search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@ -1308,10 +1297,9 @@ interface(`kernel_read_net_sysctls',`
type proc_t, sysctl_t, sysctl_net_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@ -1330,10 +1318,9 @@ interface(`kernel_rw_net_sysctls',`
type proc_t, sysctl_t, sysctl_net_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@ -1353,10 +1340,9 @@ interface(`kernel_read_unix_sysctls',`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_unix_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@ -1376,10 +1362,9 @@ interface(`kernel_rw_unix_sysctls',`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_unix_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@ -1398,10 +1383,9 @@ interface(`kernel_read_hotplug_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_hotplug_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@ -1420,10 +1404,9 @@ interface(`kernel_rw_hotplug_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_hotplug_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@ -1442,10 +1425,9 @@ interface(`kernel_read_modprobe_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_modprobe_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@ -1464,10 +1446,9 @@ interface(`kernel_rw_modprobe_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_modprobe_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@ -1503,10 +1484,9 @@ interface(`kernel_read_kernel_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t;
')
allow $1 proc_t:dir search_dir_perms;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@ -1543,10 +1523,9 @@ interface(`kernel_rw_kernel_sysctl',`
type proc_t, sysctl_t, sysctl_kernel_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@ -1565,10 +1544,9 @@ interface(`kernel_read_fs_sysctls',`
type proc_t, sysctl_t, sysctl_fs_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t)
')
########################################
@ -1587,10 +1565,9 @@ interface(`kernel_rw_fs_sysctls',`
type proc_t, sysctl_t, sysctl_fs_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t)
list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t)
')
########################################
@ -1609,9 +1586,9 @@ interface(`kernel_read_irq_sysctls',`
type proc_t, sysctl_irq_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_irq_t:dir r_dir_perms;
allow $1 sysctl_irq_t:file r_file_perms;
read_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t)
list_dirs_pattern($1,proc_t,sysctl_irq_t)
')
########################################
@ -1630,9 +1607,9 @@ interface(`kernel_rw_irq_sysctls',`
type proc_t, sysctl_irq_t;
')
allow $1 proc_t:dir search;
allow $1 sysctl_irq_t:dir r_dir_perms;
allow $1 sysctl_irq_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t)
list_dirs_pattern($1,proc_t,sysctl_irq_t)
')
########################################
@ -1651,10 +1628,9 @@ interface(`kernel_read_rpc_sysctls',`
type proc_t, proc_net_t, sysctl_rpc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir search;
allow $1 sysctl_rpc_t:dir r_dir_perms;
allow $1 sysctl_rpc_t:file r_file_perms;
read_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t)
list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t)
')
########################################
@ -1673,10 +1649,9 @@ interface(`kernel_rw_rpc_sysctls',`
type proc_t, proc_net_t, sysctl_rpc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_net_t:dir search;
allow $1 sysctl_rpc_t:dir r_dir_perms;
allow $1 sysctl_rpc_t:file rw_file_perms;
rw_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t)
list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t)
')
########################################
@ -1715,10 +1690,9 @@ interface(`kernel_read_all_sysctls',`
')
# proc_net_t for /proc/net/rpc sysctls
allow $1 { proc_t proc_net_t }:dir search;
read_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type)
allow $1 sysctl_type:dir r_dir_perms;
allow $1 sysctl_type:file r_file_perms;
list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_type)
')
########################################
@ -1739,10 +1713,11 @@ interface(`kernel_rw_all_sysctls',`
')
# proc_net_t for /proc/net/rpc sysctls
allow $1 { proc_t proc_net_t }:dir search;
rw_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type)
allow $1 sysctl_type:dir r_dir_perms;
allow $1 sysctl_type:file { rw_file_perms setattr };
allow $1 sysctl_type:dir list_dir_perms;
# why is setattr needed?
allow $1 sysctl_type:file setattr;
')
########################################
@ -1850,7 +1825,7 @@ interface(`kernel_list_unlabeled',`
type unlabeled_t;
')
allow $1 unlabeled_t:dir r_dir_perms;
allow $1 unlabeled_t:dir list_dir_perms;
')
########################################
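Review bot: `kernel_search_network_state` (the `@ -943` hunk) now expands to `search_dirs_pattern($1,proc_t,proc_net_t)`, but the only visible `type` line of its gen_require block is `type proc_net_t;`, so a module calling this interface gets no `require` for `proc_t` and should fail to build with an out-of-scope type, unless `proc_t` is declared on a gen_require line above the hunk. `kernel_read_sysctl` (the `@ -1146` hunk) has the same gap: `type sysctl_t;` paired with the new `list_dirs_pattern($1,proc_t,sysctl_t)`. The neighbouring interfaces in this file already follow the needed shape (for example `type proc_t, proc_net_t;` in `kernel_read_network_state`), so the fix is `type proc_t, proc_net_t;` in the first and `type proc_t, sysctl_t;` in the second. Each interface's gen_require opener is outside its hunk.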


@ -99,7 +99,7 @@ interface(`storage_raw_read_fixed_disk',`
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file r_file_perms;
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
@ -143,7 +143,7 @@ interface(`storage_raw_write_fixed_disk',`
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
typeattribute $1 fixed_disk_raw_write;
')
@ -164,7 +164,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
')
dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
')
########################################
@ -184,7 +184,7 @@ interface(`storage_manage_fixed_disk',`
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file create_file_perms;
allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
@ -242,7 +242,7 @@ interface(`storage_relabel_fixed_disk',`
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
')
########################################
@ -325,7 +325,7 @@ interface(`storage_read_scsi_generic',`
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file r_file_perms;
allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
typeattribute $1 scsi_generic_read;
')
@ -350,7 +350,7 @@ interface(`storage_write_scsi_generic',`
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };
allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
typeattribute $1 scsi_generic_write;
')
@ -511,7 +511,7 @@ interface(`storage_raw_read_removable_device',`
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file r_file_perms;
allow $1 removable_device_t:blk_file read_blk_file_perms;
')
########################################
@ -529,7 +529,7 @@ interface(`storage_dontaudit_raw_read_removable_device',`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file r_file_perms;
dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
')
########################################
@ -552,7 +552,7 @@ interface(`storage_raw_write_removable_device',`
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file { getattr write ioctl };
allow $1 removable_device_t:blk_file write_blk_file_perms;
')
########################################
@ -570,7 +570,7 @@ interface(`storage_dontaudit_raw_write_removable_device',`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file { write append ioctl };
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')
########################################
@ -590,7 +590,7 @@ interface(`storage_read_tape',`
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file r_file_perms;
allow $1 tape_device_t:chr_file read_chr_file_perms;
')
########################################
@ -610,7 +610,7 @@ interface(`storage_write_tape',`
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file { getattr write ioctl };
allow $1 tape_device_t:chr_file write_chr_file_perms;
')
########################################
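Review bot: `storage_dontaudit_write_fixed_disk` (the `@ -164` hunk) and `storage_dontaudit_raw_write_removable_device` (the `@ -570` hunk) replace `{ write append ioctl }` with `write_blk_file_perms`, while the `allow` rules in this file replace `{ getattr write append ioctl }` with the same set; if those substitutions are meant to be equivalent, the two dontaudit rules now also silence getattr denials that were previously audited. That widening costs audit visibility rather than access, but it is a behaviour change the commit does not mention. If only write-side noise is meant to be quiet, keep `dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };` (and the removable_device_t counterpart) as they were; otherwise record the intent with a comment such as `# getattr denials are deliberately quieted as well`.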


@ -153,7 +153,7 @@ interface(`term_create_pty',`
dev_list_all_dev_nodes($1)
allow $1 ptmx_t:chr_file rw_file_perms;
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:filesystem getattr;
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
type_transition $1 devpts_t:chr_file $2;
@ -178,7 +178,7 @@ interface(`term_use_all_terms',`
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:dir list_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
')
@ -199,7 +199,7 @@ interface(`term_write_console',`
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file { getattr write append };
allow $1 console_device_t:chr_file write_chr_file_perms;
')
########################################
@ -219,7 +219,7 @@ interface(`term_read_console',`
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file read;
allow $1 console_device_t:chr_file read_chr_file_perms;
')
########################################
@ -239,7 +239,7 @@ interface(`term_use_console',`
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file rw_file_perms;
allow $1 console_device_t:chr_file rw_chr_file_perms;
')
########################################
@ -258,7 +258,7 @@ interface(`term_dontaudit_use_console',`
type console_device_t;
')
dontaudit $1 console_device_t:chr_file rw_file_perms;
dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
')
########################################
@ -294,12 +294,11 @@ interface(`term_setattr_console',`
#
interface(`term_create_console_dev',`
gen_require(`
type device_t, console_device_t;
type console_device_t;
')
allow $1 device_t:dir add_entry_dir_perms;
dev_add_entry_generic_dirs($1)
allow $1 console_device_t:chr_file create;
allow $1 self:capability mknod;
')
@ -356,7 +355,7 @@ interface(`term_search_ptys',`
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
allow $1 devpts_t:dir search_dir_perms;
')
########################################
@ -376,7 +375,7 @@ interface(`term_dontaudit_search_ptys',`
')
dev_dontaudit_list_all_dev_nodes($1)
dontaudit $1 devpts_t:dir search;
dontaudit $1 devpts_t:dir search_dir_perms;
')
########################################
@ -396,7 +395,7 @@ interface(`term_list_ptys',`
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:dir list_dir_perms;
')
########################################
@ -434,7 +433,7 @@ interface(`term_dontaudit_manage_pty_dirs',`
type devpts_t;
')
dontaudit $1 devpts_t:dir create_dir_perms;
dontaudit $1 devpts_t:dir manage_dir_perms;
')
########################################
@ -575,6 +574,7 @@ interface(`term_use_ptmx',`
type ptmx_t;
')
dev_list_all_dev_nodes($1)
allow $1 ptmx_t:chr_file rw_file_perms;
')
@ -615,7 +615,7 @@ interface(`term_getattr_all_user_ptys',`
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file getattr;
')
@ -657,7 +657,7 @@ interface(`term_setattr_all_user_ptys',`
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file setattr;
')
@ -697,7 +697,7 @@ interface(`term_use_all_user_ptys',`
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file { rw_term_perms lock append };
')
@ -738,8 +738,7 @@ interface(`term_relabel_all_user_ptys',`
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
allow $1 ptynode:chr_file { relabelfrom relabelto };
relabel_chr_files_pattern($1,devpts_t,ptynode)
')
########################################
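Review bot: `term_use_ptmx` (the `@ -575` hunk) gains `dev_list_all_dev_nodes($1)`, which widens every existing caller to listing the generic device directory although the interface name only promises use of the ptmx node; the interface's summary block is outside the hunk and presumably still describes only the ptmx access, so either update it or add a comment such as `# ptmx is a node under /dev; callers need to reach the directory`. In the same file `term_dontaudit_search_ptys` (the `@ -376` hunk) moves from `search` to `search_dir_perms`, so it now also hides getattr denials on devpts_t directories; if that is intended it is harmless, but it is a quiet change in what gets audited and deserves a note in the commit description.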
