clean up some hacks
This commit is contained in:
parent
7b062eac78
commit
c6d4c8f186
@ -529,6 +529,23 @@ interface(`apache_dontaudit_append_log',`
|
|||||||
dontaudit $1 httpd_log_t:file { getattr append };
|
dontaudit $1 httpd_log_t:file { getattr append };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to search Apache
|
||||||
|
## module directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`apache_dontaudit_search_modules',`
|
||||||
|
gen_require(`
|
||||||
|
type httpd_modules_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 httpd_modules_t:dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the specified domain to list
|
## Allow the specified domain to list
|
||||||
|
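Review bot: apache_dontaudit_search_modules is named and documented as a dontaudit of directory searches, but its body is `allow $1 httpd_modules_t:dir r_dir_perms;`, which grants the read/search permission set on httpd_modules_t rather than silencing denials. Its only caller, the libraries.te hunk at @ -100,5 +100,5, replaces `dontaudit ldconfig_t httpd_modules_t:dir search;` with this interface under a comment that still says "dontaudit access to /usr/lib/apache", so ldconfig_t would quietly gain read access to the Apache module directory instead of merely having its search denials suppressed. The body should mirror the rule it replaces, `dontaudit $1 httpd_modules_t:dir search;`, so the interface does what its name, summary and caller comment state.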
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(apache,1.0)
|
policy_module(apache,1.0.1)
|
||||||
|
|
||||||
#
|
#
|
||||||
# NOTES:
|
# NOTES:
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(xdm,1.0)
|
policy_module(xdm,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -100,6 +100,10 @@ ifdef(`targeted_policy',`
|
|||||||
files_create_var_lib(xdm_t,xdm_var_lib_t)
|
files_create_var_lib(xdm_t,xdm_var_lib_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`locallogin.te',`
|
||||||
|
locallogin_signull(xdm_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# cjp: TODO: integrate strict policy:
|
# cjp: TODO: integrate strict policy:
|
||||||
daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
|
daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
|
||||||
|
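Review bot: The `# FIXME: what is this for?` comment that accompanied `locallogin_signull(xdm_t)` in locallogin.te (hunk @ -216,11 +216,6) was dropped when the rule moved here, so the open question about why xdm_t needs signull on the login domain is lost. Keep it above the call inside the new optional_policy block, e.g. `# FIXME: what is this for?`, until the need for the permission is understood and documented. I cannot see the locallogin_signull interface definition in this diff; assuming it exists in locallogin.if, the move itself is equivalent to the removed lines.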
@ -10,17 +10,31 @@
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create a aliased type to bin_t.
|
## Create a aliased type to generic bin files.
|
||||||
## </summary>
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Create a aliased type to generic bin files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is added to support targeted policy. Its
|
||||||
|
## use should be limited. It has no effect
|
||||||
|
## on the strict policy.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Alias type for bin_t.
|
## Alias type for bin_t.
|
||||||
## </param>
|
## </param>
|
||||||
interface(`corecmd_bin_alias',`
|
interface(`corecmd_bin_alias',`
|
||||||
gen_require(`
|
ifdef(`targeted_policy',`
|
||||||
type bin_t;
|
gen_require(`
|
||||||
')
|
type bin_t;
|
||||||
|
')
|
||||||
|
|
||||||
typealias bin_t alias $1;
|
typealias bin_t alias $1;
|
||||||
|
',`
|
||||||
|
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
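Review bot: The new `<desc>` opens with `## Create a aliased type to generic bin files.`, which repeats the `<summary>` verbatim and carries the same grammatical slip ("a aliased"); both lines should read `## Create an aliased type to generic bin files.`, and the first `<desc>` paragraph would be more useful stating the effect, i.e. that $1 becomes another name for bin_t in targeted policy. The `ifdef(`targeted_policy'` guard with the errprint warning in the else branch is a good change; the same summary wording fix applies only to this interface, not to unconfined_alias_domain.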
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corecommands,1.0)
|
policy_module(corecommands,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -499,7 +499,6 @@ optional_policy(`dbus.te',`
|
|||||||
dbus_send_system_bus_msg(initrc_t)
|
dbus_send_system_bus_msg(initrc_t)
|
||||||
|
|
||||||
# FIXME
|
# FIXME
|
||||||
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
|
|
||||||
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
|
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
|
||||||
allow initrc_t system_dbusd_var_run_t:sock_file write;
|
allow initrc_t system_dbusd_var_run_t:sock_file write;
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(libraries,1.0)
|
policy_module(libraries,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -24,6 +24,9 @@ files_type(ld_so_t)
|
|||||||
type lib_t;
|
type lib_t;
|
||||||
files_type(lib_t)
|
files_type(lib_t)
|
||||||
|
|
||||||
|
kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
|
||||||
|
kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
|
||||||
|
|
||||||
#
|
#
|
||||||
# shlib_t is the type of shared objects in the system lib
|
# shlib_t is the type of shared objects in the system lib
|
||||||
# directories.
|
# directories.
|
||||||
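Review bot: The relocated `kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)` and `kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })` calls now reference shlib_t and texrel_shlib_t ahead of the `# shlib_t is the type of shared objects ...` comment block and the declarations it introduces, whereas the removed copies at @ -46,9 +49,6 came after the `ifdef(`targeted_policy'` block that declares texrel_shlib_t. As far as I know the module compiler resolves type declarations in a separate pass, so this should still build, but a reader meets the use before the definition; a short comment such as `# shlib_t and texrel_shlib_t are declared below` above the calls, or keeping them after the declarations, would make the ordering intentional.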
@ -46,9 +49,6 @@ ifdef(`targeted_policy',`
|
|||||||
files_type(texrel_shlib_t)
|
files_type(texrel_shlib_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
|
|
||||||
kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# ldconfig local policy
|
# ldconfig local policy
|
||||||
@ -100,5 +100,5 @@ ifdef(`targeted_policy',`
|
|||||||
|
|
||||||
optional_policy(`apache.te',`
|
optional_policy(`apache.te',`
|
||||||
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
||||||
dontaudit ldconfig_t httpd_modules_t:dir search;
|
apache_dontaudit_search_modules(ldconfig_t)
|
||||||
')
|
')
|
||||||
|
@ -216,11 +216,6 @@ optional_policy(`usermanage.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# this goes to xdm:
|
|
||||||
optional_policy(`locallogin.te',`
|
|
||||||
# FIXME: what is this for?
|
|
||||||
locallogin_signull(xdm_t)
|
|
||||||
')
|
|
||||||
# Login can polyinstantiate
|
# Login can polyinstantiate
|
||||||
polyinstantiater(local_login_t)
|
polyinstantiater(local_login_t)
|
||||||
|
|
||||||
|
@ -195,7 +195,7 @@ ifdef(`targeted_policy', `
|
|||||||
# cjp: temporary hack to cover
|
# cjp: temporary hack to cover
|
||||||
# up stray file descriptors.
|
# up stray file descriptors.
|
||||||
dontaudit load_policy_t selinux_config_t:file write;
|
dontaudit load_policy_t selinux_config_t:file write;
|
||||||
dontaudit load_policy_t unconfined_t:fifo_file read;
|
unconfined_dontaudit_read_pipe(load_policy_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -256,7 +256,8 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
|
|||||||
## </p>
|
## </p>
|
||||||
## <p>
|
## <p>
|
||||||
## This is added to support targeted policy. Its
|
## This is added to support targeted policy. Its
|
||||||
## use should be very limited.
|
## use should be limited. It has no effect
|
||||||
|
## on the strict policy.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@ -264,9 +265,13 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`unconfined_alias_domain',`
|
interface(`unconfined_alias_domain',`
|
||||||
gen_require(`
|
ifdef(`targeted_policy',`
|
||||||
type unconfined_t;
|
gen_require(`
|
||||||
')
|
type unconfined_t;
|
||||||
|
')
|
||||||
|
|
||||||
typealias unconfined_t alias $1;
|
typealias unconfined_t alias $1;
|
||||||
|
',`
|
||||||
|
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(unconfined,1.0)
|
policy_module(unconfined,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -28,10 +28,6 @@ ifdef(`targeted_policy',`
|
|||||||
allow unconfined_t self:system syslog_read;
|
allow unconfined_t self:system syslog_read;
|
||||||
dontaudit unconfined_t self:capability sys_module;
|
dontaudit unconfined_t self:capability sys_module;
|
||||||
|
|
||||||
# Define some type aliases to help with compatibility with
|
|
||||||
# macros and domains from the "strict" policy.
|
|
||||||
typealias unconfined_t alias { secadm_t sysadm_t };
|
|
||||||
|
|
||||||
files_create_boot_flag(unconfined_t)
|
files_create_boot_flag(unconfined_t)
|
||||||
|
|
||||||
init_domtrans_script(unconfined_t)
|
init_domtrans_script(unconfined_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,1.0)
|
policy_module(userdomain,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -53,6 +53,11 @@ define(`role_change',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
|
# Define some type aliases to help with compatibility with
|
||||||
|
# macros and domains from the "strict" policy.
|
||||||
|
unconfined_alias_domain(secadm_t)
|
||||||
|
unconfined_alias_domain(sysadm_t)
|
||||||
|
|
||||||
# User home directory type.
|
# User home directory type.
|
||||||
type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
|
type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
|
||||||
files_type(user_home_t)
|
files_type(user_home_t)
|
||||||
|
@ -11,6 +11,16 @@
|
|||||||
#
|
#
|
||||||
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
|
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
|
||||||
|
|
||||||
|
#
|
||||||
|
# __endline__
|
||||||
|
#
|
||||||
|
# dummy macro to insert a newline. used for
|
||||||
|
# errprint, so the close parentheses can be
|
||||||
|
# indented correctly.
|
||||||
|
#
|
||||||
|
define(`__endline__',`
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
|
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
|
||||||
|