renaming insanity
This commit is contained in:
parent
b2bf0b5c98
commit
c9428d33dc
@ -434,9 +434,6 @@ clean:
|
|||||||
rm -f $(FC)
|
rm -f $(FC)
|
||||||
|
|
||||||
bare: clean
|
bare: clean
|
||||||
find . -name *~ -exec rm -f {} \;
|
|
||||||
find . -name "*#*" -exec rm -f {} \;
|
|
||||||
find . -name ".*#*" -exec rm -f {} \;
|
|
||||||
rm -f $(POLXML)
|
rm -f $(POLXML)
|
||||||
rm -f $(SUPPORT)/*.pyc
|
rm -f $(SUPPORT)/*.pyc
|
||||||
rm -f $(FCSORT)
|
rm -f $(FCSORT)
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# consoletype_transition(domain)
|
# consoletype_domtrans(domain)
|
||||||
#
|
#
|
||||||
define(`consoletype_transition',`
|
define(`consoletype_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1,consoletype_exec_t,consoletype_t)
|
domain_auto_trans($1,consoletype_exec_t,consoletype_t)
|
||||||
@ -14,7 +14,7 @@ define(`consoletype_transition',`
|
|||||||
allow consoletype_t $1:process sigchld;
|
allow consoletype_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`consoletype_transition_depend',`
|
define(`consoletype_domtrans_depend',`
|
||||||
type consoletype_t, consoletype_exec_t;
|
type consoletype_t, consoletype_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -25,16 +25,16 @@ define(`consoletype_transition_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# consoletype_execute(domain)
|
# consoletype_exec(domain)
|
||||||
#
|
#
|
||||||
define(`consoletype_execute',`
|
define(`consoletype_exec',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,consoletype_exec_t)
|
can_exec($1,consoletype_exec_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`consoletype_execute_depend',`
|
define(`consoletype_exec_depend',`
|
||||||
type consoletype_exec_t;
|
type consoletype_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
|
@ -8,8 +8,8 @@ policy_module(consoletype, 1.0)
|
|||||||
|
|
||||||
type consoletype_t;
|
type consoletype_t;
|
||||||
type consoletype_exec_t;
|
type consoletype_exec_t;
|
||||||
init_make_init_domain(consoletype_t,consoletype_exec_t)
|
init_domain(consoletype_t,consoletype_exec_t)
|
||||||
init_make_system_domain(consoletype_t,consoletype_exec_t)
|
init_system_domain(consoletype_t,consoletype_exec_t)
|
||||||
role system_r types consoletype_t;
|
role system_r types consoletype_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -39,27 +39,27 @@ fs_getattr_all_fs(consoletype_t)
|
|||||||
term_use_console(consoletype_t)
|
term_use_console(consoletype_t)
|
||||||
term_use_unallocated_tty(consoletype_t)
|
term_use_unallocated_tty(consoletype_t)
|
||||||
|
|
||||||
init_use_file_descriptors(consoletype_t)
|
init_use_fd(consoletype_t)
|
||||||
init_script_use_pseudoterminal(consoletype_t)
|
init_use_script_pty(consoletype_t)
|
||||||
init_script_use_file_descriptors(consoletype_t)
|
init_use_script_fd(consoletype_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(consoletype_t)
|
domain_use_wide_inherit_fd(consoletype_t)
|
||||||
|
|
||||||
files_ignore_read_rootfs_file(consoletype_t)
|
files_dontaudit_read_root_file(consoletype_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(consoletype_t)
|
libs_use_ld_so(consoletype_t)
|
||||||
libraries_use_shared_libraries(consoletype_t)
|
libs_use_shared_libs(consoletype_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
fs_use_tmpfs_character_devices(consoletype_t)
|
fs_use_tmpfs_character_devices(consoletype_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`authlogin.te', `
|
optional_policy(`authlogin.te', `
|
||||||
authlogin_pam_read_runtime_data(consoletype_t)
|
auth_read_pam_pid(consoletype_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`userdomain.te',`
|
optional_policy(`userdomain.te',`
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
|
userdom_use_unpriv_users_fd(consoletype_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for dmesg.</summary>
|
## <summary>Policy for dmesg.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="dmesg_transition">
|
## <interface name="dmesg_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute dmesg in the dmesg domain.
|
## Execute dmesg in the dmesg domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`dmesg_transition',`
|
define(`dmesg_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 dmesg_exec_t:file rx_file_perms;
|
allow $1 dmesg_exec_t:file rx_file_perms;
|
||||||
@ -25,7 +25,7 @@ define(`dmesg_transition',`
|
|||||||
allow dmesg_t $1:process sigchld;
|
allow dmesg_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`dmesg_transition_depend',`
|
define(`dmesg_domtrans_depend',`
|
||||||
type dmesg_t, dmesg_exec_t;
|
type dmesg_t, dmesg_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -35,7 +35,7 @@ define(`dmesg_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="dmesg_execute">
|
## <interface name="dmesg_exec">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute dmesg in the caller domain.
|
## Execute dmesg in the caller domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -44,14 +44,14 @@ define(`dmesg_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`dmesg_execute',`
|
define(`dmesg_exec',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,dmesg_exec_t)
|
can_exec($1,dmesg_exec_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`dmesg_execute_depend',`
|
define(`dmesg_exec_depend',`
|
||||||
type dmesg_exec_t;
|
type dmesg_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
|
@ -8,7 +8,7 @@ policy_module(dmesg, 1.0)
|
|||||||
|
|
||||||
type dmesg_t;
|
type dmesg_t;
|
||||||
type dmesg_exec_t;
|
type dmesg_exec_t;
|
||||||
init_make_system_domain(dmesg_t,dmesg_exec_t)
|
init_system_domain(dmesg_t,dmesg_exec_t)
|
||||||
role system_r types dmesg_t;
|
role system_r types dmesg_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -29,30 +29,30 @@ kernel_change_ring_buffer_level(dmesg_t)
|
|||||||
|
|
||||||
term_dontaudit_use_console(dmesg_t)
|
term_dontaudit_use_console(dmesg_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(dmesg_t)
|
domain_use_wide_inherit_fd(dmesg_t)
|
||||||
|
|
||||||
files_read_general_system_config_directory(dmesg_t)
|
files_read_generic_etc_files_directory(dmesg_t)
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
files_ignore_search_isid_type_dir(dmesg_t)
|
files_dontaudit_search_isid_type_dir(dmesg_t)
|
||||||
|
|
||||||
init_use_file_descriptors(dmesg_t)
|
init_use_fd(dmesg_t)
|
||||||
init_script_use_pseudoterminal(dmesg_t)
|
init_use_script_pty(dmesg_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(dmesg_t)
|
libs_use_ld_so(dmesg_t)
|
||||||
libraries_use_shared_libraries(dmesg_t)
|
libs_use_shared_libs(dmesg_t)
|
||||||
|
|
||||||
logging_send_system_log_message(dmesg_t)
|
logging_send_syslog_msg(dmesg_t)
|
||||||
logging_write_system_logs(dmesg_t)
|
logging_write_generic_logs(dmesg_t)
|
||||||
|
|
||||||
miscfiles_read_localization(dmesg_t)
|
miscfiles_read_localization(dmesg_t)
|
||||||
|
|
||||||
userdomain_use_admin_terminals(dmesg_t)
|
userdom_use_sysadm_terms(dmesg_t)
|
||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
|
userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(dmesg_t)
|
term_dontaudit_use_unallocated_tty(dmesg_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(dmesg_t)
|
terminal_ignore_use_general_pseudoterminal(dmesg_t)
|
||||||
files_ignore_read_rootfs_file(dmesg_t)
|
files_dontaudit_read_root_file(dmesg_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -60,7 +60,7 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(dmesg_t)
|
udev_read_db(dmesg_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# netutils_transition(domain)
|
# netutils_domtrans(domain)
|
||||||
#
|
#
|
||||||
define(`netutils_transition',`
|
define(`netutils_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 netutils_exec_t:file rx_file_perms;
|
allow $1 netutils_exec_t:file rx_file_perms;
|
||||||
@ -17,7 +17,7 @@ define(`netutils_transition',`
|
|||||||
allow netutils_t $1:process sigchld;
|
allow netutils_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`netutils_transition_depend',`
|
define(`netutils_domtrans_depend',`
|
||||||
type netutils_t, netutils_exec_t;
|
type netutils_t, netutils_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -28,16 +28,16 @@ define(`netutils_transition_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# netutils_execute(domain)
|
# netutils_exec(domain)
|
||||||
#
|
#
|
||||||
define(`netutils_execute',`
|
define(`netutils_exec',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,netutils_exec_t)
|
can_exec($1,netutils_exec_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`netutils_execute_depend',`
|
define(`netutils_exec_depend',`
|
||||||
type netutils_exec_t;
|
type netutils_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
|
@ -8,20 +8,20 @@ policy_module(devices,1.0)
|
|||||||
|
|
||||||
type netutils_t;
|
type netutils_t;
|
||||||
type netutils_exec_t;
|
type netutils_exec_t;
|
||||||
init_make_system_domain(netutils_t,netutils_exec_t)
|
init_system_domain(netutils_t,netutils_exec_t)
|
||||||
role system_r types netutils_t;
|
role system_r types netutils_t;
|
||||||
|
|
||||||
type netutils_tmp_t;
|
type netutils_tmp_t;
|
||||||
files_make_temporary_file(netutils_tmp_t)
|
files_tmp_file(netutils_tmp_t)
|
||||||
|
|
||||||
type ping_t; #, nscd_client_domain;
|
type ping_t; #, nscd_client_domain;
|
||||||
type ping_exec_t;
|
type ping_exec_t;
|
||||||
init_make_system_domain(ping_t,ping_exec_t)
|
init_system_domain(ping_t,ping_exec_t)
|
||||||
role system_r types ping_t;
|
role system_r types ping_t;
|
||||||
|
|
||||||
type traceroute_t; #, nscd_client_domain;
|
type traceroute_t; #, nscd_client_domain;
|
||||||
type traceroute_exec_t;
|
type traceroute_exec_t;
|
||||||
init_make_system_domain(traceroute_t,traceroute_exec_t)
|
init_system_domain(traceroute_t,traceroute_exec_t)
|
||||||
role system_r types traceroute_t;
|
role system_r types traceroute_t;
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -44,7 +44,7 @@ allow netutils_t self:tcp_socket create_socket_perms;
|
|||||||
|
|
||||||
allow netutils_t netutils_tmp_t:dir create_dir_perms;
|
allow netutils_t netutils_tmp_t:dir create_dir_perms;
|
||||||
allow netutils_t netutils_tmp_t:file create_file_perms;
|
allow netutils_t netutils_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
|
files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(netutils_t)
|
corenet_tcp_sendrecv_all_if(netutils_t)
|
||||||
corenet_raw_sendrecv_all_if(netutils_t)
|
corenet_raw_sendrecv_all_if(netutils_t)
|
||||||
@ -59,19 +59,19 @@ corenet_udp_bind_all_nodes(netutils_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(netutils_t)
|
fs_getattr_xattr_fs(netutils_t)
|
||||||
|
|
||||||
init_use_file_descriptors(netutils_t)
|
init_use_fd(netutils_t)
|
||||||
init_script_use_pseudoterminal(netutils_t)
|
init_use_script_pty(netutils_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(netutils_t)
|
domain_use_wide_inherit_fd(netutils_t)
|
||||||
|
|
||||||
files_read_general_system_config(netutils_t)
|
files_read_generic_etc_files(netutils_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_ignore_search_system_state_data_directory(netutils_t)
|
files_dontaudit_search_var(netutils_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(netutils_t)
|
libs_use_ld_so(netutils_t)
|
||||||
libraries_use_shared_libraries(netutils_t)
|
libs_use_shared_libs(netutils_t)
|
||||||
|
|
||||||
logging_send_system_log_message(netutils_t)
|
logging_send_syslog_msg(netutils_t)
|
||||||
|
|
||||||
miscfiles_read_localization(netutils_t)
|
miscfiles_read_localization(netutils_t)
|
||||||
|
|
||||||
@ -117,17 +117,17 @@ corenet_tcp_bind_all_nodes(ping_t)
|
|||||||
|
|
||||||
fs_dontaudit_getattr_xattr_fs(ping_t)
|
fs_dontaudit_getattr_xattr_fs(ping_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(ping_t)
|
domain_use_wide_inherit_fd(ping_t)
|
||||||
|
|
||||||
files_read_general_system_config(ping_t)
|
files_read_generic_etc_files(ping_t)
|
||||||
files_ignore_search_system_state_data_directory(ping_t)
|
files_dontaudit_search_var(ping_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(ping_t)
|
libs_use_ld_so(ping_t)
|
||||||
libraries_use_shared_libraries(ping_t)
|
libs_use_shared_libs(ping_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config(ping_t)
|
sysnet_read_config(ping_t)
|
||||||
|
|
||||||
logging_send_system_log_message(ping_t)
|
logging_send_syslog_msg(ping_t)
|
||||||
|
|
||||||
if (user_ping) {
|
if (user_ping) {
|
||||||
term_use_all_user_ttys(ping_t)
|
term_use_all_user_ttys(ping_t)
|
||||||
@ -175,22 +175,22 @@ corenet_tcp_bind_all_nodes(traceroute_t)
|
|||||||
|
|
||||||
fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(traceroute_t)
|
domain_use_wide_inherit_fd(traceroute_t)
|
||||||
|
|
||||||
files_read_general_system_config(traceroute_t)
|
files_read_generic_etc_files(traceroute_t)
|
||||||
files_ignore_search_system_state_data_directory(traceroute_t)
|
files_dontaudit_search_var(traceroute_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(traceroute_t)
|
libs_use_ld_so(traceroute_t)
|
||||||
libraries_use_shared_libraries(traceroute_t)
|
libs_use_shared_libs(traceroute_t)
|
||||||
|
|
||||||
logging_send_system_log_message(traceroute_t)
|
logging_send_syslog_msg(traceroute_t)
|
||||||
|
|
||||||
miscfiles_read_localization(traceroute_t)
|
miscfiles_read_localization(traceroute_t)
|
||||||
|
|
||||||
#rules needed for nmap
|
#rules needed for nmap
|
||||||
dev_read_rand(traceroute_t)
|
dev_read_rand(traceroute_t)
|
||||||
dev_read_urand(traceroute_t)
|
dev_read_urand(traceroute_t)
|
||||||
files_read_general_application_resources(traceroute_t)
|
files_read_usr_files(traceroute_t)
|
||||||
|
|
||||||
if (user_ping) {
|
if (user_ping) {
|
||||||
term_use_all_user_ttys(traceroute_t)
|
term_use_all_user_ttys(traceroute_t)
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for the RPM package manager.</summary>
|
## <summary>Policy for the RPM package manager.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="rpm_transition">
|
## <interface name="rpm_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute rpm programs in the rpm domain.
|
## Execute rpm programs in the rpm domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_transition',`
|
define(`rpm_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 rpm_exec_t:file rx_file_perms;
|
allow $1 rpm_exec_t:file rx_file_perms;
|
||||||
@ -25,7 +25,7 @@ define(`rpm_transition',`
|
|||||||
allow rpm_t $1:process sigchld;
|
allow rpm_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_transition_depend',`
|
define(`rpm_domtrans_depend',`
|
||||||
type rpm_t, rpm_exec_t;
|
type rpm_t, rpm_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -35,7 +35,7 @@ define(`rpm_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="rpm_transition_add_role_use_terminal">
|
## <interface name="rpm_run">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute RPM programs in the RPM domain.
|
## Execute RPM programs in the RPM domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -50,23 +50,23 @@ define(`rpm_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_transition_add_role_use_terminal',`
|
define(`rpm_run',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
rpm_transition($1)
|
rpm_domtrans($1)
|
||||||
role $2 types rpm_t;
|
role $2 types rpm_t;
|
||||||
role $2 types rpm_script_t;
|
role $2 types rpm_script_t;
|
||||||
allow rpm_t $3:chr_file { getattr read write ioctl };
|
allow rpm_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_transition_add_role_use_terminal_depend',`
|
define(`rpm_run_depend',`
|
||||||
type rpm_t, rpm_script_t;
|
type rpm_t, rpm_script_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="rpm_use_file_descriptors">
|
## <interface name="rpm_use_fd">
|
||||||
## <description>
|
## <description>
|
||||||
## Inherit and use file descriptors from RPM.
|
## Inherit and use file descriptors from RPM.
|
||||||
## </description>
|
## </description>
|
||||||
@ -75,13 +75,13 @@ define(`rpm_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_use_file_descriptors',`
|
define(`rpm_use_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 rpm_t:fd use;
|
allow $1 rpm_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_use_file_descriptors_depend',`
|
define(`rpm_use_fd_depend',`
|
||||||
type rpm_t;
|
type rpm_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -110,7 +110,7 @@ define(`rpm_read_pipe_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="rpm_read_package_database">
|
## <interface name="rpm_read_db">
|
||||||
## <description>
|
## <description>
|
||||||
## Read RPM package database.
|
## Read RPM package database.
|
||||||
## </description>
|
## </description>
|
||||||
@ -119,7 +119,7 @@ define(`rpm_read_pipe_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_read_package_database',`
|
define(`rpm_read_db',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 rpm_var_lib_t:dir r_dir_perms;
|
allow $1 rpm_var_lib_t:dir r_dir_perms;
|
||||||
@ -127,7 +127,7 @@ define(`rpm_read_package_database',`
|
|||||||
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
|
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_read_package_database_depend',`
|
define(`rpm_read_db_depend',`
|
||||||
type rpm_var_lib_t_t;
|
type rpm_var_lib_t_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -137,9 +137,9 @@ define(`rpm_read_package_database_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# rpm_manage_package_database(domain)
|
# rpm_manage_db(domain)
|
||||||
#
|
#
|
||||||
define(`rpm_manage_package_database',`
|
define(`rpm_manage_db',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 rpm_var_lib_t:dir rw_dir_perms;
|
allow $1 rpm_var_lib_t:dir rw_dir_perms;
|
||||||
@ -147,7 +147,7 @@ define(`rpm_manage_package_database',`
|
|||||||
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
|
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_manage_package_database_depend',`
|
define(`rpm_manage_db_depend',`
|
||||||
type rpm_var_lib_t_t;
|
type rpm_var_lib_t_t;
|
||||||
|
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
|
@ -8,47 +8,47 @@ policy_module(rpm,1.0)
|
|||||||
|
|
||||||
type rpm_t; #, admin, privmem, priv_system_role;
|
type rpm_t; #, admin, privmem, priv_system_role;
|
||||||
type rpm_exec_t;
|
type rpm_exec_t;
|
||||||
init_make_system_domain(rpm_t,rpm_exec_t)
|
init_system_domain(rpm_t,rpm_exec_t)
|
||||||
kernel_make_object_identity_change_constraint_exception(rpm_t)
|
kernel_obj_id_change_exempt(rpm_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(rpm_t)
|
domain_wide_inherit_fd(rpm_t)
|
||||||
role system_r types rpm_t;
|
role system_r types rpm_t;
|
||||||
|
|
||||||
type rpm_file_t;
|
type rpm_file_t;
|
||||||
files_make_file(rpm_file_t)
|
files_file_type(rpm_file_t)
|
||||||
|
|
||||||
type rpm_tmp_t;
|
type rpm_tmp_t;
|
||||||
files_make_temporary_file(rpm_tmp_t)
|
files_tmp_file(rpm_tmp_t)
|
||||||
|
|
||||||
type rpm_tmpfs_t;
|
type rpm_tmpfs_t;
|
||||||
files_make_tmpfs_file(rpm_tmpfs_t)
|
files_tmpfs_file(rpm_tmpfs_t)
|
||||||
|
|
||||||
type rpm_log_t;
|
type rpm_log_t;
|
||||||
logging_make_log_file(rpm_log_t)
|
logging_log_file(rpm_log_t)
|
||||||
|
|
||||||
type rpm_var_lib_t;
|
type rpm_var_lib_t;
|
||||||
files_make_file(rpm_var_lib_t)
|
files_file_type(rpm_var_lib_t)
|
||||||
typealias rpm_var_lib_t alias var_lib_rpm_t;
|
typealias rpm_var_lib_t alias var_lib_rpm_t;
|
||||||
|
|
||||||
type rpm_script_t; #, admin, privmem, priv_system_role;
|
type rpm_script_t; #, admin, privmem, priv_system_role;
|
||||||
type rpm_script_exec_t;
|
type rpm_script_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(rpm_script_t)
|
kernel_obj_id_change_exempt(rpm_script_t)
|
||||||
corecommands_make_shell_entrypoint(rpm_script_t)
|
corecmd_shell_entry_type(rpm_script_t)
|
||||||
domain_make_domain(rpm_script_t)
|
domain_type(rpm_script_t)
|
||||||
domain_make_entrypoint_file(rpm_t,rpm_script_t)
|
domain_entry_file(rpm_t,rpm_script_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(rpm_script_t)
|
domain_wide_inherit_fd(rpm_script_t)
|
||||||
role system_r types rpm_script_t;
|
role system_r types rpm_script_t;
|
||||||
|
|
||||||
type rpm_script_tmp_t;
|
type rpm_script_tmp_t;
|
||||||
files_make_temporary_file(rpm_script_tmp_t)
|
files_tmp_file(rpm_script_tmp_t)
|
||||||
|
|
||||||
type rpm_script_tmpfs_t;
|
type rpm_script_tmpfs_t;
|
||||||
files_make_tmpfs_file(rpm_script_tmpfs_t)
|
files_tmpfs_file(rpm_script_tmpfs_t)
|
||||||
|
|
||||||
type rpmbuild_t;
|
type rpmbuild_t;
|
||||||
domain_make_domain(rpmbuild_t)
|
domain_type(rpmbuild_t)
|
||||||
|
|
||||||
type rpmbuild_exec_t;
|
type rpmbuild_exec_t;
|
||||||
domain_make_entrypoint_file(rpmbuild_t,rpmbuild_exec_t)
|
domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -75,11 +75,11 @@ allow rpm_t self:dir search;
|
|||||||
allow rpm_t self:file rw_file_perms;;
|
allow rpm_t self:file rw_file_perms;;
|
||||||
|
|
||||||
allow rpm_t rpm_log_t:file create_file_perms;
|
allow rpm_t rpm_log_t:file create_file_perms;
|
||||||
logging_create_private_log(rpm_t,rpm_log_t)
|
logging_create_log(rpm_t,rpm_log_t)
|
||||||
|
|
||||||
allow rpm_t rpm_tmp_t:dir create_dir_perms;
|
allow rpm_t rpm_tmp_t:dir create_dir_perms;
|
||||||
allow rpm_t rpm_tmp_t:file create_file_perms;
|
allow rpm_t rpm_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(rpm_t, rpm_tmp_t, { file dir })
|
files_create_tmp_files(rpm_t, rpm_tmp_t, { file dir })
|
||||||
|
|
||||||
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
|
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
|
||||||
allow rpm_t rpm_tmpfs_t:file create_file_perms;
|
allow rpm_t rpm_tmpfs_t:file create_file_perms;
|
||||||
@ -126,35 +126,35 @@ storage_raw_read_fixed_disk(rpm_t)
|
|||||||
|
|
||||||
term_list_ptys(rpm_t)
|
term_list_ptys(rpm_t)
|
||||||
|
|
||||||
authlogin_ignore_read_shadow_passwords(rpm_t)
|
auth_dontaudit_read_shadow(rpm_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(rpm_t)
|
corecmd_exec_bin(rpm_t)
|
||||||
corecommands_execute_system_programs(rpm_t)
|
corecmd_exec_sbin(rpm_t)
|
||||||
corecommands_shell_transition(rpm_t,rpm_script_t)
|
corecmd_domtrans_shell(rpm_t,rpm_script_t)
|
||||||
|
|
||||||
domain_execute_all_entrypoint_programs(rpm_t)
|
domain_exec_all_entry_files(rpm_t)
|
||||||
domain_read_all_domains_process_state(rpm_t)
|
domain_read_all_domains_state(rpm_t)
|
||||||
domain_use_widely_inheritable_file_descriptors(rpm_t)
|
domain_use_wide_inherit_fd(rpm_t)
|
||||||
|
|
||||||
files_execute_system_config_script(rpm_t)
|
files_exec_generic_etc_files(rpm_t)
|
||||||
|
|
||||||
init_script_transition(rpm_t)
|
init_domtrans_script(rpm_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(rpm_t)
|
libs_use_ld_so(rpm_t)
|
||||||
libraries_use_shared_libraries(rpm_t)
|
libs_use_shared_libs(rpm_t)
|
||||||
libraries_execute_dynamic_loader(rpm_t)
|
libs_exec_ld_so(rpm_t)
|
||||||
libraries_execute_library_scripts(rpm_t)
|
libs_exec_lib_files(rpm_t)
|
||||||
libraries_ldconfig_transition(rpm_t)
|
libs_domtrans_ldconfig(rpm_t)
|
||||||
|
|
||||||
logging_send_system_log_message(rpm_t)
|
logging_send_syslog_msg(rpm_t)
|
||||||
|
|
||||||
# allow compiling and loading new policy
|
# allow compiling and loading new policy
|
||||||
selinux_manage_source_policy(rpm_t)
|
selinux_manage_src_pol(rpm_t)
|
||||||
selinux_manage_binary_policy(rpm_t)
|
selinux_manage_binary_pol(rpm_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config(rpm_t)
|
sysnet_read_config(rpm_t)
|
||||||
|
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(rpm_t)
|
userdom_use_unpriv_users_fd(rpm_t)
|
||||||
|
|
||||||
#cron_transition_from(rpm,rpm_exec_t)
|
#cron_transition_from(rpm,rpm_exec_t)
|
||||||
|
|
||||||
@ -235,11 +235,11 @@ allow rpm_script_t rpm_tmp_t:file r_file_perms;
|
|||||||
allow rpm_script_t rpm_script_tmp_t:dir mounton;
|
allow rpm_script_t rpm_script_tmp_t:dir mounton;
|
||||||
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
|
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
|
||||||
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
|
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(rpm_script_t, rpm_script_tmp_t, { file dir })
|
files_create_tmp_files(rpm_script_t, rpm_script_tmp_t, { file dir })
|
||||||
|
|
||||||
allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms;
|
allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
|
||||||
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
|
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
|
||||||
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms;
|
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
|
||||||
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
|
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
|
||||||
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
|
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
|
||||||
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||||
@ -272,41 +272,41 @@ storage_raw_write_fixed_disk(rpm_script_t)
|
|||||||
term_getattr_unallocated_ttys(rpm_script_t)
|
term_getattr_unallocated_ttys(rpm_script_t)
|
||||||
term_list_ptys(rpm_script_t)
|
term_list_ptys(rpm_script_t)
|
||||||
|
|
||||||
authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t)
|
auth_dontaudit_getattr_shadow(rpm_script_t)
|
||||||
# ideally we would not need this
|
# ideally we would not need this
|
||||||
authlogin_manage_all_files_except_shadow(rpm_script_t)
|
auth_manage_all_files_except_shadow(rpm_script_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(rpm_script_t)
|
corecmd_exec_bin(rpm_script_t)
|
||||||
corecommands_execute_system_programs(rpm_script_t)
|
corecmd_exec_sbin(rpm_script_t)
|
||||||
|
|
||||||
domain_read_all_domains_process_state(rpm_script_t)
|
domain_read_all_domains_state(rpm_script_t)
|
||||||
domain_use_widely_inheritable_file_descriptors(rpm_script_t)
|
domain_use_wide_inherit_fd(rpm_script_t)
|
||||||
domain_execute_all_entrypoint_programs(rpm_script_t)
|
domain_exec_all_entry_files(rpm_script_t)
|
||||||
domain_signal_all_domains(rpm_script_t)
|
domain_signal_all_domains(rpm_script_t)
|
||||||
domain_signull_all_domains(rpm_script_t)
|
domain_signull_all_domains(rpm_script_t)
|
||||||
|
|
||||||
files_execute_system_config_script(rpm_script_t)
|
files_exec_generic_etc_files(rpm_script_t)
|
||||||
files_read_runtime_system_config(rpm_script_t)
|
files_read_etc_runtime_files(rpm_script_t)
|
||||||
|
|
||||||
init_script_transition(rpm_script_t)
|
init_domtrans_script(rpm_script_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(rpm_script_t)
|
libs_use_ld_so(rpm_script_t)
|
||||||
libraries_use_shared_libraries(rpm_script_t)
|
libs_use_shared_libs(rpm_script_t)
|
||||||
libraries_execute_dynamic_loader(rpm_script_t)
|
libs_exec_ld_so(rpm_script_t)
|
||||||
libraries_execute_library_scripts(rpm_script_t)
|
libs_exec_lib_files(rpm_script_t)
|
||||||
libraries_ldconfig_transition(rpm_script_t)
|
libs_domtrans_ldconfig(rpm_script_t)
|
||||||
|
|
||||||
logging_send_system_log_message(rpm_script_t)
|
logging_send_syslog_msg(rpm_script_t)
|
||||||
|
|
||||||
miscfiles_read_localization(rpm_script_t)
|
miscfiles_read_localization(rpm_script_t)
|
||||||
|
|
||||||
modutils_depmod_transition(rpm_script_t)
|
modutils_domtrans_depmod(rpm_script_t)
|
||||||
modutils_insmod_transition(rpm_script_t)
|
modutils_domtrans_insmod(rpm_script_t)
|
||||||
|
|
||||||
selinux_load_policy_transition(rpm_script_t)
|
selinux_domtrans_loadpol(rpm_script_t)
|
||||||
selinux_restorecon_transition(rpm_script_t)
|
selinux_domtrans_restorecon(rpm_script_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(rpm_script_t)
|
userdom_use_all_user_fd(rpm_script_t)
|
||||||
|
|
||||||
optional_policy(`bootloader.te', `
|
optional_policy(`bootloader.te', `
|
||||||
bootloader_domtrans(rpm_script_t)
|
bootloader_domtrans(rpm_script_t)
|
||||||
@ -354,7 +354,7 @@ kernel_compute_create_context(rpmbuild_t)
|
|||||||
kernel_compute_relabel_context(rpmbuild_t)
|
kernel_compute_relabel_context(rpmbuild_t)
|
||||||
kernel_compute_reachable_user_contexts(rpmbuild_t)
|
kernel_compute_reachable_user_contexts(rpmbuild_t)
|
||||||
|
|
||||||
selinux_read_source_policy(rpmbuild_t)
|
selinux_read_src_pol(rpmbuild_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for managing user accounts.</summary>
|
## <summary>Policy for managing user accounts.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="usermanage_chfn_transition">
|
## <interface name="usermanage_domtrans_chfn">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute chfn in the chfn domain.
|
## Execute chfn in the chfn domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_chfn_transition',`
|
define(`usermanage_domtrans_chfn',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 chfn_exec_t:file rx_file_perms;
|
allow $1 chfn_exec_t:file rx_file_perms;
|
||||||
@ -25,7 +25,7 @@ define(`usermanage_chfn_transition',`
|
|||||||
allow chfn_t $1:process sigchld;
|
allow chfn_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_chfn_transition_depend',`
|
define(`usermanage_domtrans_chfn_depend',`
|
||||||
type chfn_t, chfn_exec_t;
|
type chfn_t, chfn_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -35,7 +35,7 @@ define(`usermanage_chfn_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="usermanage_chfn_transition_add_role_use_terminal">
|
## <interface name="usermanage_run_chfn">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute chfn in the chfn domain, and
|
## Execute chfn in the chfn domain, and
|
||||||
## allow the specified role the chfn domain.
|
## allow the specified role the chfn domain.
|
||||||
@ -51,22 +51,22 @@ define(`usermanage_chfn_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_chfn_transition_add_role_use_terminal',`
|
define(`usermanage_run_chfn',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
usermanage_chfn_transition($1)
|
usermanage_domtrans_chfn($1)
|
||||||
role $2 types chfn_t;
|
role $2 types chfn_t;
|
||||||
allow chfn_t $3:chr_file { getattr read write ioctl };
|
allow chfn_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
|
define(`usermanage_run_chfn_depend',`
|
||||||
type chfn_t;
|
type chfn_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="usermanage_groupadd_transition">
|
## <interface name="usermanage_domtrans_groupadd">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute groupadd in the groupadd domain.
|
## Execute groupadd in the groupadd domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -75,7 +75,7 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_groupadd_transition',`
|
define(`usermanage_domtrans_groupadd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1,groupadd_exec_t,groupadd_t)
|
domain_auto_trans($1,groupadd_exec_t,groupadd_t)
|
||||||
@ -86,7 +86,7 @@ define(`usermanage_groupadd_transition',`
|
|||||||
allow groupadd_t $1:process sigchld;
|
allow groupadd_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_groupadd_transition_depend',`
|
define(`usermanage_domtrans_groupadd_depend',`
|
||||||
type groupadd_t, groupadd_exec_t;
|
type groupadd_t, groupadd_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -96,7 +96,7 @@ define(`usermanage_groupadd_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="usermanage_groupadd_transition_add_role_use_terminal">
|
## <interface name="usermanage_run_groupadd">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute groupadd in the groupadd domain, and
|
## Execute groupadd in the groupadd domain, and
|
||||||
## allow the specified role the groupadd domain.
|
## allow the specified role the groupadd domain.
|
||||||
@ -112,22 +112,22 @@ define(`usermanage_groupadd_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_groupadd_transition_add_role_use_terminal',`
|
define(`usermanage_run_groupadd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
usermanage_groupadd_transition($1)
|
usermanage_domtrans_groupadd($1)
|
||||||
role $2 types groupadd_t;
|
role $2 types groupadd_t;
|
||||||
allow groupadd_t $3:chr_file { getattr read write ioctl };
|
allow groupadd_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
|
define(`usermanage_run_groupadd_depend',`
|
||||||
type groupadd_t;
|
type groupadd_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="usermanage_passwd_transition">
|
## <interface name="usermanage_domtrans_passwd">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute passwd in the passwd domain.
|
## Execute passwd in the passwd domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -136,7 +136,7 @@ define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_passwd_transition',`
|
define(`usermanage_domtrans_passwd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 passwd_exec_t:file rx_file_perms;
|
allow $1 passwd_exec_t:file rx_file_perms;
|
||||||
@ -150,7 +150,7 @@ define(`usermanage_passwd_transition',`
|
|||||||
allow passwd_t $1:process sigchld;
|
allow passwd_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_passwd_transition_depend',`
|
define(`usermanage_domtrans_passwd_depend',`
|
||||||
type passwd_t, passwd_exec_t;
|
type passwd_t, passwd_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -160,7 +160,7 @@ define(`usermanage_passwd_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="usermanage_passwd_transition_add_role_use_terminal">
|
## <interface name="usermanage_run_passwd">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute passwd in the passwd domain, and
|
## Execute passwd in the passwd domain, and
|
||||||
## allow the specified role the passwd domain.
|
## allow the specified role the passwd domain.
|
||||||
@ -176,22 +176,22 @@ define(`usermanage_passwd_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_passwd_transition_add_role_use_terminal',`
|
define(`usermanage_run_passwd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
usermanage_passwd_transition($1)
|
usermanage_domtrans_passwd($1)
|
||||||
role $2 types passwd_t;
|
role $2 types passwd_t;
|
||||||
allow passwd_t $3:chr_file { getattr read write ioctl };
|
allow passwd_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
|
define(`usermanage_run_passwd_depend',`
|
||||||
type passwd_t;
|
type passwd_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="usermanage_useradd_transition">
|
## <interface name="usermanage_domtrans_useradd">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute useradd in the useradd domain.
|
## Execute useradd in the useradd domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -200,7 +200,7 @@ define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_useradd_transition',`
|
define(`usermanage_domtrans_useradd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 useradd_exec_t:file rx_file_perms;
|
allow $1 useradd_exec_t:file rx_file_perms;
|
||||||
@ -214,7 +214,7 @@ define(`usermanage_useradd_transition',`
|
|||||||
allow useradd_t $1:process sigchld;
|
allow useradd_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_useradd_transition_depend',`
|
define(`usermanage_domtrans_useradd_depend',`
|
||||||
type useradd_t, useradd_exec_t;
|
type useradd_t, useradd_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -224,7 +224,7 @@ define(`usermanage_useradd_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="usermanage_useradd_transition_add_role_use_terminal">
|
## <interface name="usermanage_run_useradd">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute useradd in the useradd domain, and
|
## Execute useradd in the useradd domain, and
|
||||||
## allow the specified role the useradd domain.
|
## allow the specified role the useradd domain.
|
||||||
@ -240,15 +240,15 @@ define(`usermanage_useradd_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_useradd_transition_add_role_use_terminal',`
|
define(`usermanage_run_useradd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
usermanage_useradd_transition($1)
|
usermanage_domtrans_useradd($1)
|
||||||
role $2 types useradd_t;
|
role $2 types useradd_t;
|
||||||
allow useradd_t $3:chr_file { getattr read write ioctl };
|
allow useradd_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_useradd_transition_add_role_use_terminal_depend',`
|
define(`usermanage_run_useradd_depend',`
|
||||||
type useradd_t;
|
type useradd_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
|
@ -7,54 +7,54 @@ policy_module(usermanage,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type admin_passwd_exec_t;
|
type admin_passwd_exec_t;
|
||||||
files_make_file(admin_passwd_exec_t)
|
files_file_type(admin_passwd_exec_t)
|
||||||
|
|
||||||
type chfn_t;
|
type chfn_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(chfn_t)
|
kernel_obj_id_change_exempt(chfn_t)
|
||||||
domain_make_domain(chfn_t)
|
domain_type(chfn_t)
|
||||||
role system_r types chfn_t;
|
role system_r types chfn_t;
|
||||||
|
|
||||||
type chfn_exec_t;
|
type chfn_exec_t;
|
||||||
domain_make_entrypoint_file(chfn_t,chfn_exec_t)
|
domain_entry_file(chfn_t,chfn_exec_t)
|
||||||
|
|
||||||
type crack_t;
|
type crack_t;
|
||||||
role system_r types crack_t;
|
role system_r types crack_t;
|
||||||
|
|
||||||
type crack_exec_t;
|
type crack_exec_t;
|
||||||
domain_make_entrypoint_file(crack_t,crack_exec_t)
|
domain_entry_file(crack_t,crack_exec_t)
|
||||||
|
|
||||||
type crack_db_t; #, usercanread;
|
type crack_db_t; #, usercanread;
|
||||||
files_make_file(crack_db_t)
|
files_file_type(crack_db_t)
|
||||||
|
|
||||||
type crack_tmp_t;
|
type crack_tmp_t;
|
||||||
files_make_temporary_file(crack_tmp_t)
|
files_tmp_file(crack_tmp_t)
|
||||||
|
|
||||||
type groupadd_t; #, nscd_client_domain;
|
type groupadd_t; #, nscd_client_domain;
|
||||||
type groupadd_exec_t;
|
type groupadd_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(groupadd_t)
|
kernel_obj_id_change_exempt(groupadd_t)
|
||||||
init_make_system_domain(groupadd_t,groupadd_exec_t)
|
init_system_domain(groupadd_t,groupadd_exec_t)
|
||||||
role system_r types groupadd_t;
|
role system_r types groupadd_t;
|
||||||
|
|
||||||
type passwd_t;
|
type passwd_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(passwd_t)
|
kernel_obj_id_change_exempt(passwd_t)
|
||||||
domain_make_domain(passwd_t)
|
domain_type(passwd_t)
|
||||||
role system_r types passwd_t;
|
role system_r types passwd_t;
|
||||||
|
|
||||||
type passwd_exec_t;
|
type passwd_exec_t;
|
||||||
domain_make_entrypoint_file(passwd_t,passwd_exec_t)
|
domain_entry_file(passwd_t,passwd_exec_t)
|
||||||
|
|
||||||
type sysadm_passwd_t;
|
type sysadm_passwd_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
|
kernel_obj_id_change_exempt(sysadm_passwd_t)
|
||||||
domain_make_domain(sysadm_passwd_t)
|
domain_type(sysadm_passwd_t)
|
||||||
domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
|
domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
|
||||||
|
|
||||||
type sysadm_passwd_tmp_t;
|
type sysadm_passwd_tmp_t;
|
||||||
files_make_file(sysadm_passwd_tmp_t)
|
files_file_type(sysadm_passwd_tmp_t)
|
||||||
|
|
||||||
type useradd_t; # nscd_client_domain;
|
type useradd_t; # nscd_client_domain;
|
||||||
type useradd_exec_t;
|
type useradd_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(useradd_t)
|
kernel_obj_id_change_exempt(useradd_t)
|
||||||
init_make_system_domain(useradd_t,useradd_exec_t)
|
init_system_domain(useradd_t,useradd_exec_t)
|
||||||
role system_r types useradd_t;
|
role system_r types useradd_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -94,22 +94,22 @@ dev_read_urand(chfn_t)
|
|||||||
|
|
||||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||||
# correctly without it. Do not audit write denials to utmp.
|
# correctly without it. Do not audit write denials to utmp.
|
||||||
init_script_ignore_modify_runtime_data(chfn_t)
|
init_dontaudit_rw_script_pid(chfn_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(chfn_t)
|
domain_use_wide_inherit_fd(chfn_t)
|
||||||
|
|
||||||
files_manage_general_system_config(chfn_t)
|
files_manage_generic_etc_files(chfn_t)
|
||||||
files_read_runtime_system_config(chfn_t)
|
files_read_etc_runtime_files(chfn_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(chfn_t)
|
libs_use_ld_so(chfn_t)
|
||||||
libraries_use_shared_libraries(chfn_t)
|
libs_use_shared_libs(chfn_t)
|
||||||
|
|
||||||
miscfiles_read_localization(chfn_t)
|
miscfiles_read_localization(chfn_t)
|
||||||
|
|
||||||
logging_send_system_log_message(chfn_t)
|
logging_send_syslog_msg(chfn_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(chfn_t)
|
auth_domtrans_chk_passwd(chfn_t)
|
||||||
authlogin_ignore_read_shadow_passwords(chfn_t)
|
auth_dontaudit_read_shadow(chfn_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types chfn_t;
|
role sysadm_r types chfn_t;
|
||||||
@ -152,11 +152,11 @@ allow crack_t self:fifo_file rw_file_perms;
|
|||||||
allow crack_t crack_db_t:dir rw_dir_perms;
|
allow crack_t crack_db_t:dir rw_dir_perms;
|
||||||
allow crack_t crack_db_t:file create_file_perms;
|
allow crack_t crack_db_t:file create_file_perms;
|
||||||
allow crack_t crack_db_t:lnk_file create_file_perms;
|
allow crack_t crack_db_t:lnk_file create_file_perms;
|
||||||
files_search_system_state_data_directory(crack_t)
|
files_search_var(crack_t)
|
||||||
|
|
||||||
allow crack_t crack_tmp_t:dir create_dir_perms;
|
allow crack_t crack_tmp_t:dir create_dir_perms;
|
||||||
allow crack_t crack_tmp_t:file create_file_perms;
|
allow crack_t crack_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir })
|
files_create_tmp_files(crack_t, crack_tmp_t, { file dir })
|
||||||
|
|
||||||
kernel_read_system_state(crack_t)
|
kernel_read_system_state(crack_t)
|
||||||
|
|
||||||
@ -165,17 +165,17 @@ dev_read_urand(crack_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(crack_t)
|
fs_getattr_xattr_fs(crack_t)
|
||||||
|
|
||||||
files_read_general_system_config(crack_t)
|
files_read_generic_etc_files(crack_t)
|
||||||
files_read_runtime_system_config(crack_t)
|
files_read_etc_runtime_files(crack_t)
|
||||||
# for dictionaries
|
# for dictionaries
|
||||||
files_read_general_application_resources(crack_t)
|
files_read_usr_files(crack_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(crack_t)
|
corecmd_exec_bin(crack_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(crack_t)
|
libs_use_ld_so(crack_t)
|
||||||
libraries_use_shared_libraries(crack_t)
|
libs_use_shared_libs(crack_t)
|
||||||
|
|
||||||
logging_send_system_log_message(crack_t)
|
logging_send_syslog_msg(crack_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
ifdef(`crond.te', `
|
ifdef(`crond.te', `
|
||||||
@ -222,26 +222,26 @@ fs_getattr_xattr_fs(groupadd_t)
|
|||||||
term_use_all_user_ttys(groupadd_t)
|
term_use_all_user_ttys(groupadd_t)
|
||||||
term_use_all_user_ptys(groupadd_t)
|
term_use_all_user_ptys(groupadd_t)
|
||||||
|
|
||||||
init_use_file_descriptors(groupadd_t)
|
init_use_fd(groupadd_t)
|
||||||
init_script_read_runtime_data(groupadd_t)
|
init_read_script_pid(groupadd_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(groupadd_t)
|
domain_use_wide_inherit_fd(groupadd_t)
|
||||||
|
|
||||||
files_manage_general_system_config(groupadd_t)
|
files_manage_generic_etc_files(groupadd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(groupadd_t)
|
libs_use_ld_so(groupadd_t)
|
||||||
libraries_use_shared_libraries(groupadd_t)
|
libs_use_shared_libs(groupadd_t)
|
||||||
|
|
||||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||||
corecommands_execute_general_programs(groupadd_t)
|
corecmd_exec_bin(groupadd_t)
|
||||||
corecommands_execute_system_programs(groupadd_t)
|
corecmd_exec_sbin(groupadd_t)
|
||||||
|
|
||||||
logging_send_system_log_message(groupadd_t)
|
logging_send_syslog_msg(groupadd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(groupadd_t)
|
miscfiles_read_localization(groupadd_t)
|
||||||
|
|
||||||
authlogin_manage_shadow_passwords(groupadd_t)
|
auth_manage_shadow(groupadd_t)
|
||||||
authlogin_modify_last_login_log(groupadd_t)
|
auth_rw_lastlog(groupadd_t)
|
||||||
|
|
||||||
selinux_read_config(groupadd_t)
|
selinux_read_config(groupadd_t)
|
||||||
|
|
||||||
@ -299,21 +299,21 @@ fs_getattr_xattr_fs(passwd_t)
|
|||||||
|
|
||||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||||
# correctly without it. Do not audit write denials to utmp.
|
# correctly without it. Do not audit write denials to utmp.
|
||||||
init_script_ignore_modify_runtime_data(passwd_t)
|
init_dontaudit_rw_script_pid(passwd_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(passwd_t)
|
domain_use_wide_inherit_fd(passwd_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(passwd_t)
|
files_read_etc_runtime_files(passwd_t)
|
||||||
files_manage_general_system_config(passwd_t)
|
files_manage_generic_etc_files(passwd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(passwd_t)
|
libs_use_ld_so(passwd_t)
|
||||||
libraries_use_shared_libraries(passwd_t)
|
libs_use_shared_libs(passwd_t)
|
||||||
|
|
||||||
logging_send_system_log_message(passwd_t)
|
logging_send_syslog_msg(passwd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(passwd_t)
|
miscfiles_read_localization(passwd_t)
|
||||||
|
|
||||||
authlogin_manage_shadow_passwords(passwd_t)
|
auth_manage_shadow(passwd_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
@ -379,8 +379,8 @@ allow sysadm_passwd_t self:msg { send receive };
|
|||||||
# allow vipw to create temporary files under /var/tmp/vi.recover
|
# allow vipw to create temporary files under /var/tmp/vi.recover
|
||||||
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
|
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
|
||||||
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
|
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
||||||
files_search_system_state_data_directory(sysadm_passwd_t)
|
files_search_var(sysadm_passwd_t)
|
||||||
|
|
||||||
kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
|
kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
|
||||||
kernel_validate_context(sysadm_passwd_t)
|
kernel_validate_context(sysadm_passwd_t)
|
||||||
@ -401,26 +401,26 @@ term_use_all_user_ptys(sysadm_passwd_t)
|
|||||||
|
|
||||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||||
# correctly without it. Do not audit write denials to utmp.
|
# correctly without it. Do not audit write denials to utmp.
|
||||||
init_script_ignore_modify_runtime_data(sysadm_passwd_t)
|
init_dontaudit_rw_script_pid(sysadm_passwd_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(sysadm_passwd_t)
|
domain_use_wide_inherit_fd(sysadm_passwd_t)
|
||||||
|
|
||||||
files_manage_general_system_config(sysadm_passwd_t)
|
files_manage_generic_etc_files(sysadm_passwd_t)
|
||||||
files_read_runtime_system_config(sysadm_passwd_t)
|
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||||
|
|
||||||
# allow vipw to exec the editor
|
# allow vipw to exec the editor
|
||||||
corecommands_execute_general_programs(sysadm_passwd_t)
|
corecmd_exec_bin(sysadm_passwd_t)
|
||||||
corecommands_execute_shell(sysadm_passwd_t)
|
corecmd_exec_shell(sysadm_passwd_t)
|
||||||
files_read_general_application_resources(sysadm_passwd_t)
|
files_read_usr_files(sysadm_passwd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(sysadm_passwd_t)
|
libs_use_ld_so(sysadm_passwd_t)
|
||||||
libraries_use_shared_libraries(sysadm_passwd_t)
|
libs_use_shared_libs(sysadm_passwd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(sysadm_passwd_t)
|
miscfiles_read_localization(sysadm_passwd_t)
|
||||||
|
|
||||||
logging_send_system_log_message(sysadm_passwd_t)
|
logging_send_syslog_msg(sysadm_passwd_t)
|
||||||
|
|
||||||
authlogin_manage_shadow_passwords(sysadm_passwd_t)
|
auth_manage_shadow(sysadm_passwd_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types sysadm_passwd_t;
|
role sysadm_r types sysadm_passwd_t;
|
||||||
@ -488,29 +488,29 @@ fs_getattr_xattr_fs(useradd_t)
|
|||||||
term_use_all_user_ttys(useradd_t)
|
term_use_all_user_ttys(useradd_t)
|
||||||
term_use_all_user_ptys(useradd_t)
|
term_use_all_user_ptys(useradd_t)
|
||||||
|
|
||||||
init_use_file_descriptors(useradd_t)
|
init_use_fd(useradd_t)
|
||||||
init_script_modify_runtime_data(useradd_t)
|
init_rw_script_pid(useradd_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(useradd_t)
|
domain_use_wide_inherit_fd(useradd_t)
|
||||||
|
|
||||||
files_manage_general_system_config(useradd_t)
|
files_manage_generic_etc_files(useradd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(useradd_t)
|
libs_use_ld_so(useradd_t)
|
||||||
libraries_use_shared_libraries(useradd_t)
|
libs_use_shared_libs(useradd_t)
|
||||||
|
|
||||||
corecommands_execute_shell(useradd_t)
|
corecmd_exec_shell(useradd_t)
|
||||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||||
corecommands_execute_general_programs(useradd_t)
|
corecmd_exec_bin(useradd_t)
|
||||||
corecommands_execute_system_programs(useradd_t)
|
corecmd_exec_sbin(useradd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(useradd_t)
|
miscfiles_read_localization(useradd_t)
|
||||||
|
|
||||||
selinux_read_config(useradd_t)
|
selinux_read_config(useradd_t)
|
||||||
|
|
||||||
logging_send_system_log_message(useradd_t)
|
logging_send_syslog_msg(useradd_t)
|
||||||
|
|
||||||
authlogin_manage_shadow_passwords(useradd_t)
|
auth_manage_shadow(useradd_t)
|
||||||
authlogin_modify_last_login_log(useradd_t)
|
auth_rw_lastlog(useradd_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
@ -14,27 +14,27 @@ define(`gpg_per_userdomain_template',`
|
|||||||
#
|
#
|
||||||
|
|
||||||
type $1_gpg_t;
|
type $1_gpg_t;
|
||||||
domain_make_domain($1_gpg_t)
|
domain_type($1_gpg_t)
|
||||||
domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
|
domain_entry_file($1_gpg_t,gpg_exec_t)
|
||||||
role $1_r types $1_gpg_t;
|
role $1_r types $1_gpg_t;
|
||||||
|
|
||||||
type $1_gpg_agent_t;
|
type $1_gpg_agent_t;
|
||||||
domain_make_domain($1_gpg_agent_t)
|
domain_type($1_gpg_agent_t)
|
||||||
domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
|
domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
|
||||||
role $1_r types $1_gpg_agent_t;
|
role $1_r types $1_gpg_agent_t;
|
||||||
|
|
||||||
type $1_gpg_agent_tmp_t;
|
type $1_gpg_agent_tmp_t;
|
||||||
files_make_temporary_file($1_gpg_agent_tmp_t)
|
files_tmp_file($1_gpg_agent_tmp_t)
|
||||||
|
|
||||||
type $1_gpg_secret_t; #, $1_file_type;
|
type $1_gpg_secret_t; #, $1_file_type;
|
||||||
files_make_file($1_gpg_secret_t)
|
files_file_type($1_gpg_secret_t)
|
||||||
|
|
||||||
type $1_gpg_helper_t;
|
type $1_gpg_helper_t;
|
||||||
domain_make_domain($1_gpg_helper_t)
|
domain_type($1_gpg_helper_t)
|
||||||
role $1_r types $1_gpg_helper_t;
|
role $1_r types $1_gpg_helper_t;
|
||||||
|
|
||||||
type $1_gpg_pinentry_t;
|
type $1_gpg_pinentry_t;
|
||||||
domain_make_domain($1_gpg_pinentry_t)
|
domain_type($1_gpg_pinentry_t)
|
||||||
role $1_r types $1_gpg_pinentry_t;
|
role $1_r types $1_gpg_pinentry_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -81,23 +81,23 @@ define(`gpg_per_userdomain_template',`
|
|||||||
|
|
||||||
fs_getattr_xattr_fs($1_gpg_t)
|
fs_getattr_xattr_fs($1_gpg_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_gpg_t)
|
files_read_generic_etc_files($1_gpg_t)
|
||||||
files_read_general_application_resources($1_gpg_t)
|
files_read_usr_files($1_gpg_t)
|
||||||
|
|
||||||
libraries_use_shared_libraries($1_gpg_t)
|
libs_use_shared_libs($1_gpg_t)
|
||||||
libraries_use_dynamic_loader($1_gpg_t)
|
libs_use_ld_so($1_gpg_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_gpg_t)
|
miscfiles_read_localization($1_gpg_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_gpg_t)
|
logging_send_syslog_msg($1_gpg_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config($1_gpg_t)
|
sysnet_read_config($1_gpg_t)
|
||||||
|
|
||||||
# Legacy
|
# Legacy
|
||||||
if (allow_gpg_execstack) {
|
if (allow_gpg_execstack) {
|
||||||
allow $1_gpg_t self:process execmem;
|
allow $1_gpg_t self:process execmem;
|
||||||
libraries_legacy_use_shared_libraries($1_gpg_t)
|
libs_legacy_use_shared_libs($1_gpg_t)
|
||||||
libraries_legacy_use_dynamic_loader($1_gpg_t)
|
libs_legacy_use_ld_so($1_gpg_t)
|
||||||
miscfiles_legacy_read_localization($1_gpg_t)
|
miscfiles_legacy_read_localization($1_gpg_t)
|
||||||
# Not quite sure why this is needed...
|
# Not quite sure why this is needed...
|
||||||
allow $1_gpg_t gpg_exec_t:file execmod;
|
allow $1_gpg_t gpg_exec_t:file execmod;
|
||||||
@ -188,14 +188,14 @@ define(`gpg_per_userdomain_template',`
|
|||||||
|
|
||||||
dev_read_urand($1_gpg_helper_t)
|
dev_read_urand($1_gpg_helper_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_gpg_helper_t)
|
files_read_generic_etc_files($1_gpg_helper_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_ignore_search_system_state_data_directory($1_gpg_helper_t)
|
files_dontaudit_search_var($1_gpg_helper_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_gpg_helper_t)
|
libs_use_ld_so($1_gpg_helper_t)
|
||||||
libraries_use_shared_libraries($1_gpg_helper_t)
|
libs_use_shared_libs($1_gpg_helper_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config($1_gpg_helper_t)
|
sysnet_read_config($1_gpg_helper_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
@ -230,12 +230,12 @@ define(`gpg_per_userdomain_template',`
|
|||||||
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
|
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
|
||||||
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
|
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
|
||||||
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
|
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
|
||||||
files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
|
domain_use_wide_inherit_fd($1_gpg_agent_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_gpg_agent_t)
|
libs_use_ld_so($1_gpg_agent_t)
|
||||||
libraries_use_shared_libraries($1_gpg_agent_t)
|
libs_use_shared_libs($1_gpg_agent_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_gpg_agent_t)
|
miscfiles_read_localization($1_gpg_agent_t)
|
||||||
|
|
||||||
@ -297,12 +297,12 @@ define(`gpg_per_userdomain_template',`
|
|||||||
# read /proc/meminfo
|
# read /proc/meminfo
|
||||||
kernel_read_system_state($1_gpg_pinentry_t)
|
kernel_read_system_state($1_gpg_pinentry_t)
|
||||||
|
|
||||||
files_read_general_application_resources($1_gpg_pinentry_t)
|
files_read_usr_files($1_gpg_pinentry_t)
|
||||||
# read /etc/X11/qtrc
|
# read /etc/X11/qtrc
|
||||||
files_read_general_system_config($1_gpg_pinentry_t)
|
files_read_generic_etc_files($1_gpg_pinentry_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_gpg_pinentry_t)
|
libs_use_ld_so($1_gpg_pinentry_t)
|
||||||
libraries_use_shared_libraries($1_gpg_pinentry_t)
|
libs_use_shared_libs($1_gpg_pinentry_t)
|
||||||
|
|
||||||
miscfiles_read_fonts($1_gpg_pinentry_t)
|
miscfiles_read_fonts($1_gpg_pinentry_t)
|
||||||
miscfiles_read_localization($1_gpg_pinentry_t)
|
miscfiles_read_localization($1_gpg_pinentry_t)
|
||||||
|
@ -12,16 +12,16 @@ bool allow_gpg_execstack false;
|
|||||||
# Type for gpg or pgp executables.
|
# Type for gpg or pgp executables.
|
||||||
type gpg_exec_t;
|
type gpg_exec_t;
|
||||||
type gpg_helper_exec_t;
|
type gpg_helper_exec_t;
|
||||||
files_make_file(gpg_exec_t)
|
files_file_type(gpg_exec_t)
|
||||||
files_make_file(gpg_helper_exec_t)
|
files_file_type(gpg_helper_exec_t)
|
||||||
|
|
||||||
# Type for the gpg-agent executable.
|
# Type for the gpg-agent executable.
|
||||||
type gpg_agent_exec_t;
|
type gpg_agent_exec_t;
|
||||||
files_make_file(gpg_agent_exec_t)
|
files_file_type(gpg_agent_exec_t)
|
||||||
|
|
||||||
# type for the pinentry executable
|
# type for the pinentry executable
|
||||||
type pinentry_exec_t;
|
type pinentry_exec_t;
|
||||||
files_make_file(pinentry_exec_t)
|
files_file_type(pinentry_exec_t)
|
||||||
|
|
||||||
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
|
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
|
||||||
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
|
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
|
||||||
|
@ -412,11 +412,11 @@ define(`bootloader_write_kernel_modules',`
|
|||||||
allow $1 modules_object_t:dir r_dir_perms;
|
allow $1 modules_object_t:dir r_dir_perms;
|
||||||
allow $1 modules_object_t:file { write append };
|
allow $1 modules_object_t:file { write append };
|
||||||
|
|
||||||
typeattribute $1 can_modify_kernel_modules;
|
typeattribute $1 rw_kern_modules;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_write_kernel_modules_depend',`
|
define(`bootloader_write_kernel_modules_depend',`
|
||||||
attribute can_modify_kernel_modules;
|
attribute rw_kern_modules;
|
||||||
|
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
|
|
||||||
@ -441,11 +441,11 @@ define(`bootloader_manage_kernel_modules',`
|
|||||||
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
|
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
|
||||||
allow $1 modules_object_t:dir rw_dir_perms;
|
allow $1 modules_object_t:dir rw_dir_perms;
|
||||||
|
|
||||||
typeattribute $1 can_modify_kernel_modules;
|
typeattribute $1 rw_kern_modules;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`bootloader_manage_kernel_modules_depend',`
|
define(`bootloader_manage_kernel_modules_depend',`
|
||||||
attribute can_modify_kernel_modules;
|
attribute rw_kern_modules;
|
||||||
|
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
|
|
||||||
|
@ -6,14 +6,14 @@ policy_module(bootloader,1.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
attribute can_modify_kernel_modules;
|
attribute rw_kern_modules;
|
||||||
|
|
||||||
#
|
#
|
||||||
# boot_t is the type for files in /boot
|
# boot_t is the type for files in /boot
|
||||||
#
|
#
|
||||||
type boot_t;
|
type boot_t;
|
||||||
files_make_file(boot_t)
|
files_file_type(boot_t)
|
||||||
files_make_mountpoint(boot_t)
|
files_mountpoint(boot_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# boot_runtime_t is the type for /boot/kernel.h,
|
# boot_runtime_t is the type for /boot/kernel.h,
|
||||||
@ -21,41 +21,41 @@ files_make_mountpoint(boot_t)
|
|||||||
# only for Red Hat
|
# only for Red Hat
|
||||||
#
|
#
|
||||||
type boot_runtime_t;
|
type boot_runtime_t;
|
||||||
files_make_file(boot_runtime_t)
|
files_file_type(boot_runtime_t)
|
||||||
|
|
||||||
type bootloader_t;
|
type bootloader_t;
|
||||||
domain_make_domain(bootloader_t)
|
domain_type(bootloader_t)
|
||||||
role system_r types bootloader_t;
|
role system_r types bootloader_t;
|
||||||
|
|
||||||
type bootloader_exec_t;
|
type bootloader_exec_t;
|
||||||
domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
|
domain_entry_file(bootloader_t,bootloader_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# bootloader_etc_t is the configuration file,
|
# bootloader_etc_t is the configuration file,
|
||||||
# grub.conf, lilo.conf, etc.
|
# grub.conf, lilo.conf, etc.
|
||||||
#
|
#
|
||||||
type bootloader_etc_t alias etc_bootloader_t;
|
type bootloader_etc_t alias etc_bootloader_t;
|
||||||
files_make_file(bootloader_etc_t)
|
files_file_type(bootloader_etc_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# The temp file is used for initrd creation;
|
# The temp file is used for initrd creation;
|
||||||
# it consists of files and device nodes
|
# it consists of files and device nodes
|
||||||
#
|
#
|
||||||
type bootloader_tmp_t;
|
type bootloader_tmp_t;
|
||||||
files_make_temporary_file(bootloader_tmp_t)
|
files_tmp_file(bootloader_tmp_t)
|
||||||
dev_node(bootloader_tmp_t)
|
dev_node(bootloader_tmp_t)
|
||||||
|
|
||||||
# kernel modules
|
# kernel modules
|
||||||
type modules_object_t;
|
type modules_object_t;
|
||||||
files_make_file(modules_object_t)
|
files_file_type(modules_object_t)
|
||||||
|
|
||||||
neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
|
neverallow ~rw_kern_modules modules_object_t:file { create append write };
|
||||||
|
|
||||||
#
|
#
|
||||||
# system_map_t is for the system.map files in /boot
|
# system_map_t is for the system.map files in /boot
|
||||||
#
|
#
|
||||||
type system_map_t;
|
type system_map_t;
|
||||||
files_make_file(system_map_t)
|
files_file_type(system_map_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -73,16 +73,16 @@ allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
|
|||||||
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
||||||
# uncomment the following lines if you use "lilo -p"
|
# uncomment the following lines if you use "lilo -p"
|
||||||
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
#files_create_private_config(bootloader_t,bootloader_etc_t)
|
#files_create_etc_config(bootloader_t,bootloader_etc_t)
|
||||||
|
|
||||||
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
|
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
|
||||||
allow bootloader_t bootloader_tmp_t:file create_file_perms;
|
allow bootloader_t bootloader_tmp_t:file create_file_perms;
|
||||||
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
|
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
|
||||||
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
|
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
|
||||||
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
|
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
|
||||||
files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
|
files_create_tmp_files(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
|
||||||
# for tune2fs (cjp: ?)
|
# for tune2fs (cjp: ?)
|
||||||
files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
|
files_create_root(bootloader_t,bootloader_tmp_t)
|
||||||
|
|
||||||
allow bootloader_t modules_object_t:dir r_dir_perms;
|
allow bootloader_t modules_object_t:dir r_dir_perms;
|
||||||
allow bootloader_t modules_object_t:file r_file_perms;
|
allow bootloader_t modules_object_t:file r_file_perms;
|
||||||
@ -110,34 +110,34 @@ fs_getattr_xattr_fs(bootloader_t)
|
|||||||
|
|
||||||
term_getattr_all_user_ttys(bootloader_t)
|
term_getattr_all_user_ttys(bootloader_t)
|
||||||
|
|
||||||
init_get_control_channel_attributes(bootloader_t)
|
init_getattr_initctl(bootloader_t)
|
||||||
init_script_use_pseudoterminal(bootloader_t)
|
init_use_script_pty(bootloader_t)
|
||||||
init_script_use_file_descriptors(bootloader_t)
|
init_use_script_fd(bootloader_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(bootloader_t)
|
domain_use_wide_inherit_fd(bootloader_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(bootloader_t)
|
libs_use_ld_so(bootloader_t)
|
||||||
libraries_use_shared_libraries(bootloader_t)
|
libs_use_shared_libs(bootloader_t)
|
||||||
libraries_read_library_resources(bootloader_t)
|
libs_read_lib(bootloader_t)
|
||||||
|
|
||||||
files_read_general_system_config(bootloader_t)
|
files_read_generic_etc_files(bootloader_t)
|
||||||
files_read_runtime_system_config(bootloader_t)
|
files_read_etc_runtime_files(bootloader_t)
|
||||||
files_read_system_source_code(bootloader_t)
|
files_read_usr_src(bootloader_t)
|
||||||
files_read_general_application_resources(bootloader_t)
|
files_read_usr_files(bootloader_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_ignore_search_runtime_data_directory(bootloader_t)
|
files_dontaudit_search_pids(bootloader_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(bootloader_t)
|
corecmd_exec_bin(bootloader_t)
|
||||||
corecommands_execute_system_programs(bootloader_t)
|
corecmd_exec_sbin(bootloader_t)
|
||||||
corecommands_execute_shell(bootloader_t)
|
corecmd_exec_shell(bootloader_t)
|
||||||
|
|
||||||
logging_send_system_log_message(bootloader_t)
|
logging_send_syslog_msg(bootloader_t)
|
||||||
logging_modify_system_logs(bootloader_t)
|
logging_rw_generic_logs(bootloader_t)
|
||||||
|
|
||||||
miscfiles_read_localization(bootloader_t)
|
miscfiles_read_localization(bootloader_t)
|
||||||
|
|
||||||
selinux_read_binary_policy(bootloader_t)
|
selinux_read_binary_pol(bootloader_t)
|
||||||
selinux_read_load_policy_binary(bootloader_t)
|
selinux_read_loadpol(bootloader_t)
|
||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
||||||
@ -153,10 +153,10 @@ ifdef(`distro_redhat', `
|
|||||||
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
|
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
|
||||||
|
|
||||||
# mkinitrd mount initrd on bootloader temp dir
|
# mkinitrd mount initrd on bootloader temp dir
|
||||||
files_make_mountpoint(bootloader_tmp_t)
|
files_mountpoint(bootloader_tmp_t)
|
||||||
|
|
||||||
# for mke2fs
|
# for mke2fs
|
||||||
mount_transition(bootloader_t)
|
mount_domtrans(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`filesystemtools.te', `
|
optional_policy(`filesystemtools.te', `
|
||||||
@ -168,17 +168,17 @@ optional_policy(`filesystemtools.te', `
|
|||||||
optional_policy(`lvm.te', `
|
optional_policy(`lvm.te', `
|
||||||
dev_rw_lvm_control(bootloader_t)
|
dev_rw_lvm_control(bootloader_t)
|
||||||
|
|
||||||
lvm_transition(bootloader_t)
|
lvm_domtrans(bootloader_t)
|
||||||
lvm_read_config(bootloader_t)
|
lvm_read_config(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`modutils.te',`
|
optional_policy(`modutils.te',`
|
||||||
modutils_insmod_execute(insmod_t)
|
modutils_exec_insmod(insmod_t)
|
||||||
modutils_read_kernel_module_dependencies(bootloader_t)
|
modutils_read_kernel_module_dependencies(bootloader_t)
|
||||||
modutils_read_kernel_module_loading_config(bootloader_t)
|
modutils_read_module_conf(bootloader_t)
|
||||||
modutils_insmod_execute(bootloader_t)
|
modutils_exec_insmod(bootloader_t)
|
||||||
modutils_depmod_execute(bootloader_t)
|
modutils_exec_depmod(bootloader_t)
|
||||||
modutils_update_modules_execute(bootloader_t)
|
modutils_exec_update_mods(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -7,13 +7,13 @@ attribute port_type;
|
|||||||
attribute reserved_port_type;
|
attribute reserved_port_type;
|
||||||
|
|
||||||
type ppp_device_t;
|
type ppp_device_t;
|
||||||
devices_make_device_node(ppp_device_t)
|
dev_node(ppp_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
|
# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
|
||||||
#
|
#
|
||||||
type tun_tap_device_t;
|
type tun_tap_device_t;
|
||||||
devices_make_device_node(tun_tap_device_t)
|
dev_node(tun_tap_device_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -153,6 +153,28 @@ define(`dev_create_dir_depend',`
|
|||||||
class dir { ra_dir_perms create };
|
class dir { ra_dir_perms create };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="dev_relabel_dev_dirs">
|
||||||
|
## <description>
|
||||||
|
## Allow full relabeling (to and from) of directories in /dev.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## Domain allowed to relabel.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`dev_relabel_dev_dirs',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
|
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`dev_relabel_dev_dirs_depend',`
|
||||||
|
type device_t;
|
||||||
|
|
||||||
|
class dir { r_dir_perms relabelfrom relabelto };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="dev_dontaudit_getattr_generic_pipe">
|
## <interface name="dev_dontaudit_getattr_generic_pipe">
|
||||||
## <description>
|
## <description>
|
||||||
@ -209,13 +231,13 @@ define(`ddev_getattr_generic_blk_file_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`ddev_dontaudit_getattr_generic_blk_files',`
|
define(`dev_dontaudit_getattr_generic_blk_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 device_t:blk_file getattr;
|
dontaudit $1 device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`dev_dontaudit_getattr_generic_blk_files_depend',`
|
define(`dev_dontaudit_getattr_generic_blk_file_depend',`
|
||||||
type device_t;
|
type device_t;
|
||||||
|
|
||||||
class blk_file getattr;
|
class blk_file getattr;
|
||||||
@ -258,7 +280,7 @@ define(`dev_manage_generic_blk_file_depend',`
|
|||||||
define(`dev_create_generic_chr_file',`
|
define(`dev_create_generic_chr_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir { getattr search read write add_name };
|
allow $1 device_t:dir ra_dir_perms;
|
||||||
allow $1 device_t:chr_file create;
|
allow $1 device_t:chr_file create;
|
||||||
|
|
||||||
allow $1 self:capability mknod;
|
allow $1 self:capability mknod;
|
||||||
@ -267,7 +289,7 @@ define(`dev_create_generic_chr_file',`
|
|||||||
define(`dev_create_generic_chr_file_depend',`
|
define(`dev_create_generic_chr_file_depend',`
|
||||||
type device_t;
|
type device_t;
|
||||||
|
|
||||||
class dir { getattr search read write add_name };
|
class dir ra_dir_perms;
|
||||||
class chr_file create;
|
class chr_file create;
|
||||||
class capability mknod;
|
class capability mknod;
|
||||||
')
|
')
|
||||||
@ -312,7 +334,7 @@ define(`dev_dontaudit_getattr_generic_chr_file',`
|
|||||||
dontaudit $1 device_t:chr_file getattr;
|
dontaudit $1 device_t:chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`dev_dontaudit_getattr_generic_chr_file',`
|
define(`dev_dontaudit_getattr_generic_chr_file_depend',`
|
||||||
type device_t;
|
type device_t;
|
||||||
|
|
||||||
class chr_file getattr;
|
class chr_file getattr;
|
||||||
@ -369,7 +391,7 @@ define(`dev_manage_generic_symlinks_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="dev_manage_all_dev_nodes">
|
## <interface name="dev_manage_dev_nodes">
|
||||||
## <description>
|
## <description>
|
||||||
## Create, delete, read, and write device nodes in device directories.
|
## Create, delete, read, and write device nodes in device directories.
|
||||||
## </description>
|
## </description>
|
||||||
@ -378,7 +400,7 @@ define(`dev_manage_generic_symlinks_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`dev_manage_all_dev_nodes',`
|
define(`dev_manage_dev_nodes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
||||||
@ -398,7 +420,7 @@ define(`dev_manage_all_dev_nodes',`
|
|||||||
typeattribute $1 memory_raw_write;
|
typeattribute $1 memory_raw_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`dev_manage_all_dev_nodes_depend',`
|
define(`dev_manage_dev_nodes_depend',`
|
||||||
attribute device_node, memory_raw_read, memory_raw_write;
|
attribute device_node, memory_raw_read, memory_raw_write;
|
||||||
|
|
||||||
type device_t;
|
type device_t;
|
||||||
|
@ -9,8 +9,8 @@ attribute memory_raw_write;
|
|||||||
# device_t is the type of /dev.
|
# device_t is the type of /dev.
|
||||||
#
|
#
|
||||||
type device_t;
|
type device_t;
|
||||||
files_make_file(device_t)
|
files_file_type(device_t)
|
||||||
files_make_mountpoint(device_t)
|
files_mountpoint(device_t)
|
||||||
fs_associate_tmpfs(device_t)
|
fs_associate_tmpfs(device_t)
|
||||||
|
|
||||||
# Only directories and symlinks should be labeled device_t.
|
# Only directories and symlinks should be labeled device_t.
|
||||||
|
@ -62,7 +62,7 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
|
|||||||
# tmpfs_t is the type for tmpfs filesystems
|
# tmpfs_t is the type for tmpfs filesystems
|
||||||
#
|
#
|
||||||
type tmpfs_t, fs_type;
|
type tmpfs_t, fs_type;
|
||||||
files_make_file(tmpfs_t)
|
files_file_type(tmpfs_t)
|
||||||
|
|
||||||
# Use a transition SID based on the allocating task SID and the
|
# Use a transition SID based on the allocating task SID and the
|
||||||
# filesystem SID to label inodes in the following filesystem types,
|
# filesystem SID to label inodes in the following filesystem types,
|
||||||
@ -124,7 +124,7 @@ allow removable_t noxattrfs:filesystem associate;
|
|||||||
# and their files.
|
# and their files.
|
||||||
#
|
#
|
||||||
type nfs_t, fs_type, noxattrfs;
|
type nfs_t, fs_type, noxattrfs;
|
||||||
files_make_mountpoint(nfs_t)
|
files_mountpoint(nfs_t)
|
||||||
allow nfs_t self:filesystem associate;
|
allow nfs_t self:filesystem associate;
|
||||||
genfscon nfs / context_template(system_u:object_r:nfs_t,s0)
|
genfscon nfs / context_template(system_u:object_r:nfs_t,s0)
|
||||||
genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0)
|
genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0)
|
||||||
|
@ -130,7 +130,7 @@ define(`kernel_dontaudit_use_fd_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="kernel_make_process_identity_change_constraint_exception">
|
## <interface name="kernel_subj_id_change_exempt">
|
||||||
## <description>
|
## <description>
|
||||||
## Makes caller an exception to the constraint preventing
|
## Makes caller an exception to the constraint preventing
|
||||||
## changing of user identity.
|
## changing of user identity.
|
||||||
@ -140,18 +140,18 @@ define(`kernel_dontaudit_use_fd_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`kernel_make_process_identity_change_constraint_exception',`
|
define(`kernel_subj_id_change_exempt',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
typeattribute $1 can_change_process_identity;
|
typeattribute $1 can_change_process_identity;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_make_process_identity_change_constraint_exception_depend',`
|
define(`kernel_subj_id_change_exempt_depend',`
|
||||||
attribute can_change_process_identity;
|
attribute can_change_process_identity;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="kernel_make_role_change_constraint_exception">
|
## <interface name="kernel_role_change_exempt">
|
||||||
## <description>
|
## <description>
|
||||||
## Makes caller an exception to the constraint preventing
|
## Makes caller an exception to the constraint preventing
|
||||||
## changing of role.
|
## changing of role.
|
||||||
@ -161,18 +161,18 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`kernel_make_role_change_constraint_exception',`
|
define(`kernel_role_change_exempt',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
typeattribute $1 can_change_process_role;
|
typeattribute $1 can_change_process_role;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_make_role_change_constraint_exception_depend',`
|
define(`kernel_role_change_exempt_depend',`
|
||||||
attribute can_change_process_role;
|
attribute can_change_process_role;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="kernel_make_object_identity_change_constraint_exception">
|
## <interface name="kernel_obj_id_change_exempt">
|
||||||
## <description>
|
## <description>
|
||||||
## Makes caller an exception to the constraint preventing
|
## Makes caller an exception to the constraint preventing
|
||||||
## changing the user identity in object contexts.
|
## changing the user identity in object contexts.
|
||||||
@ -182,13 +182,13 @@ define(`kernel_make_role_change_constraint_exception_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`kernel_make_object_identity_change_constraint_exception',`
|
define(`kernel_obj_id_change_exempt',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
typeattribute $1 can_change_object_identity;
|
typeattribute $1 can_change_object_identity;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`kernel_make_object_identity_change_constraint_exception_depend',`
|
define(`kernel_obj_id_change_exempt_depend',`
|
||||||
attribute can_change_object_identity;
|
attribute can_change_object_identity;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ attribute can_change_object_identity;
|
|||||||
#
|
#
|
||||||
type kernel_t, can_load_kernmodule, can_load_policy;
|
type kernel_t, can_load_kernmodule, can_load_policy;
|
||||||
role system_r types kernel_t;
|
role system_r types kernel_t;
|
||||||
domain_make_domain(kernel_t)
|
domain_type(kernel_t)
|
||||||
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
|
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -63,7 +63,7 @@ genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
|
|||||||
# sysfs_t is the type for /sys
|
# sysfs_t is the type for /sys
|
||||||
#
|
#
|
||||||
type sysfs_t;
|
type sysfs_t;
|
||||||
files_make_mountpoint(sysfs_t)
|
files_mountpoint(sysfs_t)
|
||||||
fs_make_fs(sysfs_t)
|
fs_make_fs(sysfs_t)
|
||||||
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
|
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
|
||||||
|
|
||||||
@ -72,7 +72,7 @@ genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type proc_t;
|
type proc_t;
|
||||||
files_make_mountpoint(proc_t)
|
files_mountpoint(proc_t)
|
||||||
fs_make_fs(proc_t)
|
fs_make_fs(proc_t)
|
||||||
genfscon proc / context_template(system_u:object_r:proc_t,s0)
|
genfscon proc / context_template(system_u:object_r:proc_t,s0)
|
||||||
genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
|
genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
|
||||||
@ -107,13 +107,13 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
|
|||||||
|
|
||||||
# /proc/sys directory, base directory of sysctls
|
# /proc/sys directory, base directory of sysctls
|
||||||
type sysctl_t;
|
type sysctl_t;
|
||||||
files_make_mountpoint(sysctl_t)
|
files_mountpoint(sysctl_t)
|
||||||
sid sysctl context_template(system_u:object_r:sysctl_t,s0)
|
sid sysctl context_template(system_u:object_r:sysctl_t,s0)
|
||||||
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
|
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
|
||||||
|
|
||||||
# /proc/sys/fs directory and files
|
# /proc/sys/fs directory and files
|
||||||
type sysctl_fs_t;
|
type sysctl_fs_t;
|
||||||
files_make_mountpoint(sysctl_fs_t)
|
files_mountpoint(sysctl_fs_t)
|
||||||
genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0)
|
genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0)
|
||||||
|
|
||||||
# /proc/sys/kernel directory and files
|
# /proc/sys/kernel directory and files
|
||||||
@ -148,7 +148,7 @@ genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
|
|||||||
# usbfs_t is the type for /proc/bus/usb
|
# usbfs_t is the type for /proc/bus/usb
|
||||||
#
|
#
|
||||||
type usbfs_t alias usbdevfs_t;
|
type usbfs_t alias usbdevfs_t;
|
||||||
files_make_mountpoint(usbfs_t)
|
files_mountpoint(usbfs_t)
|
||||||
fs_make_noxattr_fs(usbfs_t)
|
fs_make_noxattr_fs(usbfs_t)
|
||||||
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
|
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||||
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
|
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||||
@ -206,26 +206,26 @@ term_use_console(kernel_t)
|
|||||||
# from initrd, then mounting the root filesystem
|
# from initrd, then mounting the root filesystem
|
||||||
fs_mount_all_fs(kernel_t)
|
fs_mount_all_fs(kernel_t)
|
||||||
|
|
||||||
corecommands_execute_shell(kernel_t)
|
corecmd_exec_shell(kernel_t)
|
||||||
corecommands_read_system_programs_directory(kernel_t)
|
corecmd_list_sbin(kernel_t)
|
||||||
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
|
||||||
corecommands_execute_general_programs(kernel_t)
|
corecmd_exec_bin(kernel_t)
|
||||||
|
|
||||||
domain_signal_all_domains(kernel_t)
|
domain_signal_all_domains(kernel_t)
|
||||||
|
|
||||||
files_read_root_dir(kernel_t)
|
files_list_root(kernel_t)
|
||||||
files_list_home_directories(kernel_t)
|
files_list_home(kernel_t)
|
||||||
files_read_general_application_resources(kernel_t)
|
files_read_usr_files(kernel_t)
|
||||||
|
|
||||||
init_sigchld(kernel_t)
|
init_sigchld(kernel_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(kernel_t)
|
libs_use_ld_so(kernel_t)
|
||||||
libraries_use_shared_libraries(kernel_t)
|
libs_use_shared_libs(kernel_t)
|
||||||
|
|
||||||
logging_send_system_log_message(kernel_t)
|
logging_send_syslog_msg(kernel_t)
|
||||||
|
|
||||||
selinux_read_config(kernel_t)
|
selinux_read_config(kernel_t)
|
||||||
selinux_read_binary_policy(kernel_t)
|
selinux_read_binary_pol(kernel_t)
|
||||||
|
|
||||||
neverallow ~can_load_policy security_t:security load_policy;
|
neverallow ~can_load_policy security_t:security load_policy;
|
||||||
neverallow ~can_setenforce security_t:security setenforce;
|
neverallow ~can_setenforce security_t:security setenforce;
|
||||||
|
@ -33,6 +33,9 @@ define(`term_pty_depend',`
|
|||||||
## pty type. This allows it to be relabeled via
|
## pty type. This allows it to be relabeled via
|
||||||
## type change by login programs such as ssh.
|
## type change by login programs such as ssh.
|
||||||
## </description>
|
## </description>
|
||||||
|
## <parameter name="userdomaing">
|
||||||
|
## The type of the user domain associated with
|
||||||
|
## this pty.
|
||||||
## <parameter name="object_type">
|
## <parameter name="object_type">
|
||||||
## An object type that will applied to a pty.
|
## An object type that will applied to a pty.
|
||||||
## </parameter>
|
## </parameter>
|
||||||
@ -42,7 +45,7 @@ define(`term_user_pty',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
term_pty($1)
|
term_pty($1)
|
||||||
typeattribute $1 server_ptynode;
|
type_change $1 server_ptynode:chr_file $2;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`term_user_pty_depend',`
|
define(`term_user_pty_depend',`
|
||||||
@ -683,7 +686,7 @@ define(`term_dontaudit_getattr_all_user_ttys_depend',`
|
|||||||
define(`term_setattr_all_user_ttys',`
|
define(`term_setattr_all_user_ttys',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 ttynode:chr_file setattr;
|
allow $1 ttynode:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -21,7 +21,7 @@ dev_node(console_device_t)
|
|||||||
# the type of the root directory of the file system.
|
# the type of the root directory of the file system.
|
||||||
#
|
#
|
||||||
type devpts_t;
|
type devpts_t;
|
||||||
files_make_mountpoint(devpts_t)
|
files_mountpoint(devpts_t)
|
||||||
fs_make_fs(devpts_t)
|
fs_make_fs(devpts_t)
|
||||||
fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
|
fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
|
||||||
|
|
||||||
|
@ -8,16 +8,16 @@ define(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
# Type of user crontabs once moved to cron spool.
|
# Type of user crontabs once moved to cron spool.
|
||||||
type $1_cron_spool_t;
|
type $1_cron_spool_t;
|
||||||
files_make_file($1_cron_spool_t)
|
files_file_type($1_cron_spool_t)
|
||||||
|
|
||||||
type $1_crond_t; # user_crond_domain;
|
type $1_crond_t; # user_crond_domain;
|
||||||
domain_make_domain($1_crond_t);
|
domain_type($1_crond_t);
|
||||||
corecommands_make_shell_entrypoint($1_crond_t)
|
corecmd_shell_entry_type($1_crond_t)
|
||||||
role $1_r types $1_crond_t;
|
role $1_r types $1_crond_t;
|
||||||
|
|
||||||
type $1_crontab_t;
|
type $1_crontab_t;
|
||||||
domain_make_domain($1_crontab_t)
|
domain_type($1_crontab_t)
|
||||||
domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
|
domain_entry_file($1_crontab_t,crontab_exec_t)
|
||||||
role $1_r types $1_crontab_t;
|
role $1_r types $1_crontab_t;
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@ -72,24 +72,24 @@ define(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
fs_getattr_all_fs($1_crond_t)
|
fs_getattr_all_fs($1_crond_t)
|
||||||
|
|
||||||
domain_execute_all_entrypoint_programs($1_crond_t)
|
domain_exec_all_entry_files($1_crond_t)
|
||||||
|
|
||||||
files_read_general_application_resources($1_crond_t)
|
files_read_usr_files($1_crond_t)
|
||||||
files_execute_system_config_script($1_crond_t)
|
files_exec_generic_etc_files($1_crond_t)
|
||||||
# for nscd:
|
# for nscd:
|
||||||
files_ignore_search_runtime_data_directory($1_crond_t)
|
files_dontaudit_search_pids($1_crond_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs($1_crond_t)
|
corecmd_exec_bin($1_crond_t)
|
||||||
corecommands_execute_system_programs($1_crond_t)
|
corecmd_exec_sbin($1_crond_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_crond_t)
|
libs_use_ld_so($1_crond_t)
|
||||||
libraries_use_shared_libraries($1_crond_t)
|
libs_use_shared_libs($1_crond_t)
|
||||||
libraries_execute_library_scripts($1_crond_t)
|
libs_exec_lib_files($1_crond_t)
|
||||||
libraries_execute_dynamic_loader($1_crond_t)
|
libs_exec_ld_so($1_crond_t)
|
||||||
|
|
||||||
files_read_runtime_system_config($1_crond_t)
|
files_read_etc_runtime_files($1_crond_t)
|
||||||
|
|
||||||
logging_search_system_log_directory($1_crond_t)
|
logging_search_logs($1_crond_t)
|
||||||
|
|
||||||
selinux_read_config($1_crond_t)
|
selinux_read_config($1_crond_t)
|
||||||
|
|
||||||
@ -155,14 +155,14 @@ define(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
fs_getattr_xattr_fs($1_crontab_t)
|
fs_getattr_xattr_fs($1_crontab_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors($1_crontab_t)
|
domain_use_wide_inherit_fd($1_crontab_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_crontab_t)
|
files_read_generic_etc_files($1_crontab_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_crontab_t)
|
libs_use_ld_so($1_crontab_t)
|
||||||
libraries_use_shared_libraries($1_crontab_t)
|
libs_use_shared_libs($1_crontab_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_crontab_t)
|
logging_send_syslog_msg($1_crontab_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_crontab_t)
|
miscfiles_read_localization($1_crontab_t)
|
||||||
|
|
||||||
@ -218,7 +218,7 @@ define(`cron_per_userdomain_template',`
|
|||||||
#
|
#
|
||||||
|
|
||||||
define(`cron_admin_template',`
|
define(`cron_admin_template',`
|
||||||
logging_read_system_logs($1_crond_t)
|
logging_read_generic_logs($1_crond_t)
|
||||||
|
|
||||||
# Allow our crontab domain to unlink a user cron spool file.
|
# Allow our crontab domain to unlink a user cron spool file.
|
||||||
#allow $1_crontab_t user_cron_spool_t:file unlink;
|
#allow $1_crontab_t user_cron_spool_t:file unlink;
|
||||||
@ -241,15 +241,15 @@ define(`cron_admin_template',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# cron_modify_log(domain)
|
# cron_rw_log(domain)
|
||||||
#
|
#
|
||||||
define(`cron_modify_log',`
|
define(`cron_rw_log',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 crond_log_t:file rw_file_perms;
|
allow $1 crond_log_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`cron_modify_log_depend',`
|
define(`cron_rw_log_depend',`
|
||||||
type crond_log_t;
|
type crond_log_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
|
@ -10,39 +10,39 @@ policy_module(cron, 1.0)
|
|||||||
bool cron_can_relabel false;
|
bool cron_can_relabel false;
|
||||||
|
|
||||||
type anacron_exec_t;
|
type anacron_exec_t;
|
||||||
files_make_file(anacron_exec_t)
|
files_file_type(anacron_exec_t)
|
||||||
|
|
||||||
type cron_spool_t;
|
type cron_spool_t;
|
||||||
files_make_file(cron_spool_t)
|
files_file_type(cron_spool_t)
|
||||||
|
|
||||||
type crond_t; #, privmail, nscd_client_domain
|
type crond_t; #, privmail, nscd_client_domain
|
||||||
type crond_exec_t;
|
type crond_exec_t;
|
||||||
init_make_daemon_domain(crond_t,crond_exec_t)
|
init_daemon_domain(crond_t,crond_exec_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(crond_t)
|
domain_wide_inherit_fd(crond_t)
|
||||||
|
|
||||||
type crond_log_t;
|
type crond_log_t;
|
||||||
logging_make_log_file(crond_log_t)
|
logging_log_file(crond_log_t)
|
||||||
|
|
||||||
type crond_tmp_t;
|
type crond_tmp_t;
|
||||||
files_make_temporary_file(crond_tmp_t)
|
files_tmp_file(crond_tmp_t)
|
||||||
|
|
||||||
type crond_var_run_t;
|
type crond_var_run_t;
|
||||||
files_make_daemon_runtime_file(crond_var_run_t)
|
files_pid_file(crond_var_run_t)
|
||||||
|
|
||||||
type crontab_exec_t;
|
type crontab_exec_t;
|
||||||
files_make_file(crontab_exec_t)
|
files_file_type(crontab_exec_t)
|
||||||
|
|
||||||
type system_cron_spool_t;
|
type system_cron_spool_t;
|
||||||
type system_crond_t; #, privmail, nscd_client_domain;
|
type system_crond_t; #, privmail, nscd_client_domain;
|
||||||
init_make_daemon_domain(system_crond_t,anacron_exec_t)
|
init_daemon_domain(system_crond_t,anacron_exec_t)
|
||||||
corecommands_make_shell_entrypoint(system_crond_t)
|
corecmd_shell_entry_type(system_crond_t)
|
||||||
role system_r types system_crond_t;
|
role system_r types system_crond_t;
|
||||||
|
|
||||||
type system_crond_lock_t;
|
type system_crond_lock_t;
|
||||||
files_make_lock_file(system_crond_lock_t)
|
files_lock_file(system_crond_lock_t)
|
||||||
|
|
||||||
type system_crond_tmp_t;
|
type system_crond_tmp_t;
|
||||||
files_make_temporary_file(system_crond_tmp_t)
|
files_tmp_file(system_crond_tmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -67,11 +67,11 @@ allow crond_t self:msg { send receive };
|
|||||||
allow crond_t crond_log_t:file create_file_perms;
|
allow crond_t crond_log_t:file create_file_perms;
|
||||||
|
|
||||||
allow crond_t crond_var_run_t:file create_file_perms;
|
allow crond_t crond_var_run_t:file create_file_perms;
|
||||||
files_create_daemon_runtime_data(crond_t,crond_var_run_t)
|
files_create_pid(crond_t,crond_var_run_t)
|
||||||
|
|
||||||
allow crond_t crond_tmp_t:dir create_dir_perms;
|
allow crond_t crond_tmp_t:dir create_dir_perms;
|
||||||
allow crond_t crond_tmp_t:file create_file_perms;
|
allow crond_t crond_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })
|
files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
|
||||||
|
|
||||||
allow crond_t cron_spool_t:dir r_dir_perms;
|
allow crond_t cron_spool_t:dir r_dir_perms;
|
||||||
allow crond_t cron_spool_t:file r_file_perms;
|
allow crond_t cron_spool_t:file r_file_perms;
|
||||||
@ -94,23 +94,23 @@ fs_getattr_all_fs(crond_t)
|
|||||||
term_dontaudit_use_console(crond_t)
|
term_dontaudit_use_console(crond_t)
|
||||||
|
|
||||||
# need auth_chkpwd to check for locked accounts.
|
# need auth_chkpwd to check for locked accounts.
|
||||||
authlogin_check_password_transition(crond_t)
|
auth_domtrans_chk_passwd(crond_t)
|
||||||
|
|
||||||
corecommands_execute_shell(crond_t)
|
corecmd_exec_shell(crond_t)
|
||||||
corecommands_read_system_programs_directory(crond_t)
|
corecmd_list_sbin(crond_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(crond_t)
|
domain_use_wide_inherit_fd(crond_t)
|
||||||
|
|
||||||
files_read_general_system_config(crond_t)
|
files_read_generic_etc_files(crond_t)
|
||||||
files_read_system_spools(crond_t)
|
files_read_spools(crond_t)
|
||||||
|
|
||||||
init_use_file_descriptors(crond_t)
|
init_use_fd(crond_t)
|
||||||
init_script_use_pseudoterminal(crond_t)
|
init_use_script_pty(crond_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(crond_t)
|
libs_use_ld_so(crond_t)
|
||||||
libraries_use_shared_libraries(crond_t)
|
libs_use_shared_libs(crond_t)
|
||||||
|
|
||||||
logging_send_system_log_message(crond_t)
|
logging_send_syslog_msg(crond_t)
|
||||||
|
|
||||||
selinux_read_config(crond_t)
|
selinux_read_config(crond_t)
|
||||||
selinux_read_default_contexts(crond_t)
|
selinux_read_default_contexts(crond_t)
|
||||||
@ -118,7 +118,7 @@ selinux_newrole_sigchld(crond_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(crond_t)
|
miscfiles_read_localization(crond_t)
|
||||||
|
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
|
userdom_use_unpriv_users_fd(crond_t)
|
||||||
|
|
||||||
tunable_policy(`fcron_crond', `
|
tunable_policy(`fcron_crond', `
|
||||||
allow crond_t system_cron_spool_t:file create_file_perms;
|
allow crond_t system_cron_spool_t:file create_file_perms;
|
||||||
@ -127,11 +127,11 @@ tunable_policy(`fcron_crond', `
|
|||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(crond_t)
|
term_dontaudit_use_unallocated_tty(crond_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(crond_t)
|
terminal_ignore_use_general_pseudoterminal(crond_t)
|
||||||
files_ignore_read_rootfs_file(crond_t)
|
files_dontaudit_read_root_file(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(crond_t)
|
udev_read_db(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -212,11 +212,11 @@ allow system_crond_t crond_t:process sigchld;
|
|||||||
|
|
||||||
# Write /var/lock/makewhatis.lock.
|
# Write /var/lock/makewhatis.lock.
|
||||||
allow system_crond_t system_crond_lock_t:file create_file_perms;
|
allow system_crond_t system_crond_lock_t:file create_file_perms;
|
||||||
files_create_private_lock_file(system_crond_t,system_crond_lock_t)
|
files_create_lock_file(system_crond_t,system_crond_lock_t)
|
||||||
|
|
||||||
# write temporary files
|
# write temporary files
|
||||||
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
|
files_create_tmp_files(system_crond_t,system_crond_tmp_t)
|
||||||
|
|
||||||
# write temporary files in crond tmp dir:
|
# write temporary files in crond tmp dir:
|
||||||
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
|
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
|
||||||
@ -228,7 +228,7 @@ allow system_crond_t cron_spool_t:file r_file_perms;
|
|||||||
|
|
||||||
# Access crond log files
|
# Access crond log files
|
||||||
allow system_crond_t crond_log_t:file create_file_perms;
|
allow system_crond_t crond_log_t:file create_file_perms;
|
||||||
logging_create_private_log(system_crond_t,crond_log_t)
|
logging_create_log(system_crond_t,crond_log_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(system_crond_t)
|
kernel_read_kernel_sysctl(system_crond_t)
|
||||||
kernel_read_system_state(system_crond_t)
|
kernel_read_system_state(system_crond_t)
|
||||||
@ -255,45 +255,45 @@ dev_read_urand(system_crond_t)
|
|||||||
fs_getattr_all_fs(system_crond_t)
|
fs_getattr_all_fs(system_crond_t)
|
||||||
fs_getattr_all_files(system_crond_t)
|
fs_getattr_all_files(system_crond_t)
|
||||||
|
|
||||||
init_use_file_descriptors(system_crond_t)
|
init_use_fd(system_crond_t)
|
||||||
init_script_use_file_descriptors(system_crond_t)
|
init_use_script_fd(system_crond_t)
|
||||||
init_script_use_pseudoterminal(system_crond_t)
|
init_use_script_pty(system_crond_t)
|
||||||
init_script_read_runtime_data(system_crond_t)
|
init_read_script_pid(system_crond_t)
|
||||||
init_script_ignore_modify_runtime_data(system_crond_t)
|
init_dontaudit_rw_script_pid(system_crond_t)
|
||||||
|
|
||||||
domain_execute_all_entrypoint_programs(system_crond_t)
|
domain_exec_all_entry_files(system_crond_t)
|
||||||
|
|
||||||
files_execute_system_config_script(system_crond_t)
|
files_exec_generic_etc_files(system_crond_t)
|
||||||
files_read_general_system_config(system_crond_t)
|
files_read_generic_etc_files(system_crond_t)
|
||||||
files_read_runtime_system_config(system_crond_t)
|
files_read_etc_runtime_files(system_crond_t)
|
||||||
files_read_all_directories(system_crond_t)
|
files_list_all_dirs(system_crond_t)
|
||||||
files_get_all_file_attributes(system_crond_t)
|
files_getattr_all_files(system_crond_t)
|
||||||
files_read_general_application_resources(system_crond_t)
|
files_read_usr_files(system_crond_t)
|
||||||
# for nscd:
|
# for nscd:
|
||||||
files_ignore_search_runtime_data_directory(system_crond_t)
|
files_dontaudit_search_pids(system_crond_t)
|
||||||
# Access other spool directories like
|
# Access other spool directories like
|
||||||
# /var/spool/anacron and /var/spool/slrnpull.
|
# /var/spool/anacron and /var/spool/slrnpull.
|
||||||
files_manage_system_spools(system_crond_t)
|
files_manage_spools(system_crond_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(system_crond_t)
|
corecmd_exec_bin(system_crond_t)
|
||||||
corecommands_execute_system_programs(system_crond_t)
|
corecmd_exec_sbin(system_crond_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(system_crond_t)
|
libs_use_ld_so(system_crond_t)
|
||||||
libraries_use_shared_libraries(system_crond_t)
|
libs_use_shared_libs(system_crond_t)
|
||||||
libraries_execute_library_scripts(system_crond_t)
|
libs_exec_lib_files(system_crond_t)
|
||||||
libraries_execute_dynamic_loader(system_crond_t)
|
libs_exec_ld_so(system_crond_t)
|
||||||
|
|
||||||
logging_read_system_logs(system_crond_t)
|
logging_read_generic_logs(system_crond_t)
|
||||||
logging_send_system_log_message(system_crond_t)
|
logging_send_syslog_msg(system_crond_t)
|
||||||
|
|
||||||
miscfiles_read_localization(system_crond_t)
|
miscfiles_read_localization(system_crond_t)
|
||||||
miscfiles_read_man_pages(system_crond_t)
|
miscfiles_read_man_pages(system_crond_t)
|
||||||
miscfiles_manage_man_page_cache(system_crond_t)
|
miscfiles_rw_man_cache(system_crond_t)
|
||||||
|
|
||||||
selinux_read_config(system_crond_t)
|
selinux_read_config(system_crond_t)
|
||||||
|
|
||||||
if (cron_can_relabel) {
|
if (cron_can_relabel) {
|
||||||
selinux_setfiles_transition(system_crond_t)
|
selinux_domtrans_setfiles(system_crond_t)
|
||||||
} else {
|
} else {
|
||||||
kernel_get_selinuxfs_mount_point(system_crond_t)
|
kernel_get_selinuxfs_mount_point(system_crond_t)
|
||||||
kernel_validate_context(system_crond_t)
|
kernel_validate_context(system_crond_t)
|
||||||
|
@ -11,11 +11,11 @@ define(`mta_per_userdomain_template',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
type $1_mail_t; # , user_mail_domain, nscd_client_domain;
|
type $1_mail_t; # , user_mail_domain, nscd_client_domain;
|
||||||
domain_make_domain($1_mail_t)
|
domain_type($1_mail_t)
|
||||||
role $1_r types $1_mail_t;
|
role $1_r types $1_mail_t;
|
||||||
|
|
||||||
type $1_mail_tmp_t;
|
type $1_mail_tmp_t;
|
||||||
files_make_temporary_file($1_mail_tmp_t)
|
files_tmp_file($1_mail_tmp_t)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@ -50,20 +50,20 @@ define(`mta_per_userdomain_template',`
|
|||||||
corenet_tcp_sendrecv_all_ports($1_mail_t)
|
corenet_tcp_sendrecv_all_ports($1_mail_t)
|
||||||
corenet_tcp_bind_all_nodes($1_mail_t)
|
corenet_tcp_bind_all_nodes($1_mail_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors($1_mail_t)
|
domain_use_wide_inherit_fd($1_mail_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_mail_t)
|
libs_use_ld_so($1_mail_t)
|
||||||
libraries_use_shared_libraries($1_mail_t)
|
libs_use_shared_libs($1_mail_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs($1_mail_t)
|
corecmd_exec_bin($1_mail_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_mail_t)
|
files_read_generic_etc_files($1_mail_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_mail_t)
|
logging_send_syslog_msg($1_mail_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_mail_t)
|
miscfiles_read_localization($1_mail_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config($1_mail_t)
|
sysnet_read_config($1_mail_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`use_dns',`
|
||||||
allow $1_mail_t self:udp_socket create_socket_perms;
|
allow $1_mail_t self:udp_socket create_socket_perms;
|
||||||
@ -142,30 +142,30 @@ define(`mta_per_userdomain_template_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_make_mailserver_domain(domain,entrypointtype)
|
# mta_mailserver(domain,entrypointtype)
|
||||||
#
|
#
|
||||||
define(`mta_make_mailserver_domain',`
|
define(`mta_mailserver',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
init_make_daemon_domain($1,$2)
|
init_daemon_domain($1,$2)
|
||||||
typeattribute $1 mailserver_domain;
|
typeattribute $1 mailserver_domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_make_mailserver_domain_depend',`
|
define(`mta_mailserver_depend',`
|
||||||
attribute mailserver_domain;
|
attribute mailserver_domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_make_sendmail_mailserver_domain(domain,entrypointtype)
|
# mta_sendmail_mailserver(domain,entrypointtype)
|
||||||
#
|
#
|
||||||
define(`mta_make_sendmail_mailserver_domain',`
|
define(`mta_sendmail_mailserver',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
mta_make_mailserver_domain($1,sendmail_exec_t)
|
mta_mailserver($1,sendmail_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_make_sendmail_mailserver_domain_depend',`
|
define(`mta_sendmail_mailserver_depend',`
|
||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -197,22 +197,22 @@ define(`mta_send_mail_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_execute(domain)
|
# mta_exec(domain)
|
||||||
#
|
#
|
||||||
define(`mta_execute',`
|
define(`mta_exec',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1, sendmail_exec_t)
|
can_exec($1, sendmail_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_execute_depend',`
|
define(`mta_exec_depend',`
|
||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="mta_read_mail_aliases">
|
## <interface name="mta_read_aliases">
|
||||||
## <description>
|
## <description>
|
||||||
## Read mail address aliases.
|
## Read mail address aliases.
|
||||||
## </description>
|
## </description>
|
||||||
@ -221,13 +221,13 @@ define(`mta_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mta_read_mail_aliases',`
|
define(`mta_read_aliases',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 etc_aliases_t:file r_file_perms;
|
allow $1 etc_aliases_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_read_mail_aliases_depend',`
|
define(`mta_read_aliases_depend',`
|
||||||
type etc_aliases_t;
|
type etc_aliases_t;
|
||||||
|
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
@ -235,15 +235,15 @@ define(`mta_read_mail_aliases_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_modify_mail_aliases(domain)
|
# mta_rw_aliases(domain)
|
||||||
#
|
#
|
||||||
define(`mta_modify_mail_aliases',`
|
define(`mta_rw_aliases',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
|
allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_modify_mail_aliases_depend',`
|
define(`mta_rw_aliases_depend',`
|
||||||
type etc_aliases_t;
|
type etc_aliases_t;
|
||||||
|
|
||||||
class file { rw_file_perms setattr };
|
class file { rw_file_perms setattr };
|
||||||
@ -251,18 +251,18 @@ define(`mta_modify_mail_aliases_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_get_mail_spool_attributes(domain)
|
# mta_getattr_spool(domain)
|
||||||
#
|
#
|
||||||
define(`mta_get_mail_spool_attributes',`
|
define(`mta_getattr_spool',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_spool_directory($1)
|
files_search_spool($1)
|
||||||
allow $1 mail_spool_t:dir r_dir_perms;
|
allow $1 mail_spool_t:dir r_dir_perms;
|
||||||
allow $1 mail_spool_t:lnk_file read;
|
allow $1 mail_spool_t:lnk_file read;
|
||||||
allow $1 mail_spool_t:file getattr;
|
allow $1 mail_spool_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_get_mail_spool_attributes_depend',`
|
define(`mta_getattr_spool_depend',`
|
||||||
type mail_spool_t;
|
type mail_spool_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -272,17 +272,17 @@ define(`mta_get_mail_spool_attributes_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_modify_mail_spool(domain)
|
# mta_rw_spool(domain)
|
||||||
#
|
#
|
||||||
define(`mta_modify_mail_spool',`
|
define(`mta_rw_spool',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_spool_directory($1)
|
files_search_spool($1)
|
||||||
allow $1 mail_spool_t:dir rw_dir_perms;
|
allow $1 mail_spool_t:dir rw_dir_perms;
|
||||||
allow $1 mail_spool_t:file { rw_file_perms setattr };
|
allow $1 mail_spool_t:file { rw_file_perms setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_modify_mail_spool_depend',`
|
define(`mta_rw_spool_depend',`
|
||||||
type mail_spool_t;
|
type mail_spool_t;
|
||||||
|
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
@ -291,17 +291,17 @@ define(`mta_modify_mail_spool_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_manage_mail_spool(domain)
|
# mta_manage_spool(domain)
|
||||||
#
|
#
|
||||||
define(`mta_manage_mail_spool',`
|
define(`mta_manage_spool',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_spool_directory($1)
|
files_search_spool($1)
|
||||||
allow $1 mail_spool_t:dir rw_dir_perms;
|
allow $1 mail_spool_t:dir rw_dir_perms;
|
||||||
allow $1 mail_spool_t:file create_file_perms;
|
allow $1 mail_spool_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_manage_mail_spool_depend',`
|
define(`mta_manage_spool_depend',`
|
||||||
type mail_spool_t;
|
type mail_spool_t;
|
||||||
|
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
@ -310,16 +310,16 @@ define(`mta_manage_mail_spool_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_manage_mail_queue(domain)
|
# mta_manage_queue(domain)
|
||||||
#
|
#
|
||||||
define(`mta_manage_mail_queue',`
|
define(`mta_manage_queue',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 mqueue_spool_t:dir rw_dir_perms;
|
allow $1 mqueue_spool_t:dir rw_dir_perms;
|
||||||
allow $1 mqueue_spool_t:file create_file_perms;
|
allow $1 mqueue_spool_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_manage_mail_queue_depend',`
|
define(`mta_manage_queue_depend',`
|
||||||
type mqueue_spool_t;
|
type mqueue_spool_t;
|
||||||
|
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
|
@ -7,31 +7,31 @@ policy_module(mta,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type etc_aliases_t;
|
type etc_aliases_t;
|
||||||
files_make_file(etc_aliases_t)
|
files_file_type(etc_aliases_t)
|
||||||
|
|
||||||
type etc_mail_t;
|
type etc_mail_t;
|
||||||
files_make_file(etc_mail_t)
|
files_file_type(etc_mail_t)
|
||||||
|
|
||||||
attribute mailserver_domain;
|
attribute mailserver_domain;
|
||||||
|
|
||||||
type mqueue_spool_t;
|
type mqueue_spool_t;
|
||||||
files_make_file(mqueue_spool_t)
|
files_file_type(mqueue_spool_t)
|
||||||
|
|
||||||
type mail_spool_t;
|
type mail_spool_t;
|
||||||
files_make_file(mail_spool_t)
|
files_file_type(mail_spool_t)
|
||||||
|
|
||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
files_make_file(sendmail_exec_t)
|
files_file_type(sendmail_exec_t)
|
||||||
|
|
||||||
type system_mail_t; #, user_mail_domain, nscd_client_domain;
|
type system_mail_t; #, user_mail_domain, nscd_client_domain;
|
||||||
domain_make_domain(system_mail_t)
|
domain_type(system_mail_t)
|
||||||
role system_r types system_mail_t;
|
role system_r types system_mail_t;
|
||||||
|
|
||||||
ifdef(`targeted_policy',`',`
|
ifdef(`targeted_policy',`',`
|
||||||
optional_policy(`sendmail.te', `
|
optional_policy(`sendmail.te', `
|
||||||
domain_make_entrypoint_file(system_mail_t,sendmail_exec_t)
|
domain_entry_file(system_mail_t,sendmail_exec_t)
|
||||||
', `
|
', `
|
||||||
init_make_system_domain(system_mail_t,sendmail_exec_t)
|
init_system_domain(system_mail_t,sendmail_exec_t)
|
||||||
') dnl end if sendmail
|
') dnl end if sendmail
|
||||||
') dnl end targeted_policy
|
') dnl end targeted_policy
|
||||||
|
|
||||||
@ -64,23 +64,23 @@ dev_read_urand(system_mail_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(system_mail_t)
|
fs_getattr_xattr_fs(system_mail_t)
|
||||||
|
|
||||||
init_script_use_pseudoterminal(system_mail_t)
|
init_use_script_pty(system_mail_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(system_mail_t)
|
files_read_etc_runtime_files(system_mail_t)
|
||||||
files_read_general_system_config(system_mail_t)
|
files_read_generic_etc_files(system_mail_t)
|
||||||
# It wants to check for nscd
|
# It wants to check for nscd
|
||||||
files_ignore_search_runtime_data_directory(system_mail_t)
|
files_dontaudit_search_pids(system_mail_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(system_mail_t)
|
corecmd_exec_bin(system_mail_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(system_mail_t)
|
libs_use_ld_so(system_mail_t)
|
||||||
libraries_use_shared_libraries(system_mail_t)
|
libs_use_shared_libs(system_mail_t)
|
||||||
|
|
||||||
logging_send_system_log_message(system_mail_t)
|
logging_send_syslog_msg(system_mail_t)
|
||||||
|
|
||||||
miscfiles_read_localization(system_mail_t)
|
miscfiles_read_localization(system_mail_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config(system_mail_t)
|
sysnet_read_config(system_mail_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`use_dns',`
|
||||||
allow system_mail_t self:udp_socket create_socket_perms;
|
allow system_mail_t self:udp_socket create_socket_perms;
|
||||||
@ -144,14 +144,14 @@ ifdef(`targeted_policy', `
|
|||||||
# targeted policy. We could move these rules permanantly here.
|
# targeted policy. We could move these rules permanantly here.
|
||||||
|
|
||||||
ifdef(`postfix.te', `', `
|
ifdef(`postfix.te', `', `
|
||||||
domain_execute_all_entrypoint_programs(system_mail_t)
|
domain_exec_all_entry_files(system_mail_t)
|
||||||
files_execute_system_config_script(system_mail_t)
|
files_exec_generic_etc_files(system_mail_t)
|
||||||
corecommands_execute_general_programs(system_mail_t)
|
corecmd_exec_bin(system_mail_t)
|
||||||
corecommands_execute_system_programs(system_mail_t)
|
corecmd_exec_sbin(system_mail_t)
|
||||||
libraries_use_dynamic_loader(system_mail_t)
|
libs_use_ld_so(system_mail_t)
|
||||||
libraries_use_shared_libraries(system_mail_t)
|
libs_use_shared_libs(system_mail_t)
|
||||||
libraries_execute_dynamic_loader(system_mail_t)
|
libs_exec_ld_so(system_mail_t)
|
||||||
libraries_execute_library_scripts(system_mail_t)
|
libs_exec_lib_files(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
||||||
|
@ -14,7 +14,7 @@
|
|||||||
define(`remotelogin_domtrans',`
|
define(`remotelogin_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
authlogin_login_program_transition($1,remote_login_t)
|
auth_domtrans_login_program($1,remote_login_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`remotelogin_domtrans_depend',`
|
define(`remotelogin_domtrans_depend',`
|
||||||
|
@ -7,16 +7,16 @@ policy_module(authlogin,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type remote_login_t; #, nscd_client_domain;
|
type remote_login_t; #, nscd_client_domain;
|
||||||
kernel_make_object_identity_change_constraint_exception(remote_login_t)
|
kernel_obj_id_change_exempt(remote_login_t)
|
||||||
kernel_make_process_identity_change_constraint_exception(remote_login_t)
|
kernel_subj_id_change_exempt(remote_login_t)
|
||||||
kernel_make_role_change_constraint_exception(remote_login_t)
|
kernel_role_change_exempt(remote_login_t)
|
||||||
domain_make_domain(remote_login_t)
|
domain_type(remote_login_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(remote_login_t)
|
domain_wide_inherit_fd(remote_login_t)
|
||||||
authlogin_make_login_program_entrypoint(remote_login_t)
|
auth_login_entry_type(remote_login_t)
|
||||||
role system_r types remote_login_t;
|
role system_r types remote_login_t;
|
||||||
|
|
||||||
type remote_login_tmp_t;
|
type remote_login_tmp_t;
|
||||||
files_make_temporary_file(remote_login_tmp_t)
|
files_tmp_file(remote_login_tmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -39,7 +39,7 @@ allow remote_login_t self:msg { send receive };
|
|||||||
|
|
||||||
allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
|
allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
|
||||||
allow remote_login_t remote_login_tmp_t:file create_file_perms;
|
allow remote_login_t remote_login_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })
|
files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir })
|
||||||
|
|
||||||
kernel_read_system_state(remote_login_t)
|
kernel_read_system_state(remote_login_t)
|
||||||
kernel_read_kernel_sysctl(remote_login_t)
|
kernel_read_kernel_sysctl(remote_login_t)
|
||||||
@ -55,29 +55,29 @@ dev_read_urand(remote_login_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(remote_login_t)
|
fs_getattr_xattr_fs(remote_login_t)
|
||||||
|
|
||||||
init_script_modify_runtime_data(remote_login_t)
|
init_rw_script_pid(remote_login_t)
|
||||||
|
|
||||||
domain_read_all_entrypoint_programs(remote_login_t)
|
domain_read_all_entry_files(remote_login_t)
|
||||||
|
|
||||||
files_read_general_system_config(remote_login_t)
|
files_read_generic_etc_files(remote_login_t)
|
||||||
files_read_runtime_system_config(remote_login_t)
|
files_read_etc_runtime_files(remote_login_t)
|
||||||
files_list_home_directories(remote_login_t)
|
files_list_home(remote_login_t)
|
||||||
files_read_general_application_resources(remote_login_t)
|
files_read_usr_files(remote_login_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(remote_login_t)
|
libs_use_ld_so(remote_login_t)
|
||||||
libraries_use_shared_libraries(remote_login_t)
|
libs_use_shared_libs(remote_login_t)
|
||||||
|
|
||||||
logging_send_system_log_message(remote_login_t)
|
logging_send_syslog_msg(remote_login_t)
|
||||||
|
|
||||||
selinux_read_config(remote_login_t)
|
selinux_read_config(remote_login_t)
|
||||||
selinux_read_default_contexts(remote_login_t)
|
selinux_read_default_contexts(remote_login_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(remote_login_t)
|
auth_domtrans_chk_passwd(remote_login_t)
|
||||||
authlogin_ignore_read_shadow_passwords(remote_login_t)
|
auth_dontaudit_read_shadow(remote_login_t)
|
||||||
authlogin_modify_login_records(remote_login_t)
|
auth_rw_login_records(remote_login_t)
|
||||||
authlogin_modify_last_login_log(remote_login_t)
|
auth_rw_lastlog(remote_login_t)
|
||||||
authlogin_pam_execute(remote_login_t)
|
auth_exec_pam(remote_login_t)
|
||||||
authlogin_pam_console_manage_runtime_data(remote_login_t)
|
auth_manage_pam_console_data(remote_login_t)
|
||||||
|
|
||||||
miscfiles_read_localization(remote_login_t)
|
miscfiles_read_localization(remote_login_t)
|
||||||
|
|
||||||
|
@ -7,16 +7,16 @@ policy_module(sendmail,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm)
|
type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm)
|
||||||
mta_make_sendmail_mailserver_domain(sendmail_t)
|
mta_sendmail_mailserver(sendmail_t)
|
||||||
|
|
||||||
type sendmail_log_t;
|
type sendmail_log_t;
|
||||||
logging_make_log_file(sendmail_log_t)
|
logging_log_file(sendmail_log_t)
|
||||||
|
|
||||||
type sendmail_tmp_t;
|
type sendmail_tmp_t;
|
||||||
files_make_temporary_file(sendmail_tmp_t)
|
files_tmp_file(sendmail_tmp_t)
|
||||||
|
|
||||||
type sendmail_var_run_t;
|
type sendmail_var_run_t;
|
||||||
files_make_daemon_runtime_file(sendmail_var_run_t)
|
files_pid_file(sendmail_var_run_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -30,14 +30,14 @@ allow sendmail_t self:unix_dgram_socket create_socket_perms;
|
|||||||
|
|
||||||
allow sendmail_t sendmail_log_t:file create_file_perms;
|
allow sendmail_t sendmail_log_t:file create_file_perms;
|
||||||
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
|
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
|
||||||
logging_create_private_log(sendmail_t,sendmail_log_t,{ file dir })
|
logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
|
||||||
|
|
||||||
allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
|
allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
|
||||||
allow sendmail_t sendmail_tmp_t:file create_file_perms;
|
allow sendmail_t sendmail_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(sendmail_t, sendmail_tmp_t, { file dir })
|
files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
|
||||||
|
|
||||||
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
|
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
|
||||||
files_create_daemon_runtime_data(sendmail_t,sendmail_var_run_t)
|
files_create_pid(sendmail_t,sendmail_var_run_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(sendmail_t)
|
kernel_read_kernel_sysctl(sendmail_t)
|
||||||
kernel_read_hardware_state(sendmail_t)
|
kernel_read_hardware_state(sendmail_t)
|
||||||
@ -60,38 +60,38 @@ fs_getattr_all_fs(sendmail_t)
|
|||||||
|
|
||||||
term_dontaudit_use_console(sendmail_t)
|
term_dontaudit_use_console(sendmail_t)
|
||||||
|
|
||||||
init_use_file_descriptors(sendmail_t)
|
init_use_fd(sendmail_t)
|
||||||
init_script_use_pseudoterminal(sendmail_t)
|
init_use_script_pty(sendmail_t)
|
||||||
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
|
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
|
||||||
init_script_read_runtime_data(sendmail_t)
|
init_read_script_pid(sendmail_t)
|
||||||
init_script_ignore_write_runtime_data(sendmail_t)
|
init_dontaudit_write_script_pid(sendmail_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(sendmail_t)
|
domain_use_wide_inherit_fd(sendmail_t)
|
||||||
|
|
||||||
files_read_general_system_config(sendmail_t)
|
files_read_generic_etc_files(sendmail_t)
|
||||||
files_search_system_spool_directory(sendmail_t)
|
files_search_spool(sendmail_t)
|
||||||
|
|
||||||
logging_send_system_log_message(sendmail_t)
|
logging_send_syslog_msg(sendmail_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(sendmail_t)
|
libs_use_ld_so(sendmail_t)
|
||||||
libraries_use_shared_libraries(sendmail_t)
|
libs_use_shared_libs(sendmail_t)
|
||||||
# Read /usr/lib/sasl2/.*
|
# Read /usr/lib/sasl2/.*
|
||||||
libraries_read_library_resources(sendmail_t)
|
libs_read_lib(sendmail_t)
|
||||||
|
|
||||||
miscfiles_read_localization(sendmail_t)
|
miscfiles_read_localization(sendmail_t)
|
||||||
|
|
||||||
# Write to /etc/aliases and /etc/mail.
|
# Write to /etc/aliases and /etc/mail.
|
||||||
mta_modify_mail_aliases(sendmail_t)
|
mta_rw_aliases(sendmail_t)
|
||||||
# Write to /var/spool/mail and /var/spool/mqueue.
|
# Write to /var/spool/mail and /var/spool/mqueue.
|
||||||
mta_manage_mail_queue(sendmail_t)
|
mta_manage_queue(sendmail_t)
|
||||||
mta_manage_mail_spool(sendmail_t)
|
mta_manage_spool(sendmail_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config(sendmail_t)
|
sysnet_read_config(sendmail_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(sendmail_t)
|
term_dontaudit_use_unallocated_tty(sendmail_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(sendmail_t)
|
terminal_ignore_use_general_pseudoterminal(sendmail_t)
|
||||||
files_ignore_read_rootfs_file(sendmail_t)
|
files_dontaudit_read_root_file(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -99,7 +99,7 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(sendmail_t)
|
udev_read_db(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -143,7 +143,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear
|
|||||||
|
|
||||||
# Run procmail in its own domain, if defined.
|
# Run procmail in its own domain, if defined.
|
||||||
ifdef(`procmail.te',`
|
ifdef(`procmail.te',`
|
||||||
corecommands_search_general_programs_directory(sendmail_t)
|
corecmd_search_bin(sendmail_t)
|
||||||
procmail_transition(sendmail_t)
|
procmail_transition(sendmail_t)
|
||||||
domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
|
domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
|
||||||
')
|
')
|
||||||
|
@ -26,15 +26,15 @@ define(`authlogin_per_userdomain_template',`
|
|||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
|
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
|
||||||
domain_make_domain($1_chkpwd_t)
|
domain_type($1_chkpwd_t)
|
||||||
domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
|
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
|
||||||
role $1_r types $1_chkpwd_t;
|
role $1_r types $1_chkpwd_t;
|
||||||
role $1_r types system_chkpwd_t;
|
role $1_r types system_chkpwd_t;
|
||||||
|
|
||||||
allow $1_chkpwd_t self:capability setuid;
|
allow $1_chkpwd_t self:capability setuid;
|
||||||
allow $1_chkpwd_t self:process getattr;
|
allow $1_chkpwd_t self:process getattr;
|
||||||
|
|
||||||
files_read_general_system_config_directory($1_chkpwd_t)
|
files_read_generic_etc_files_directory($1_chkpwd_t)
|
||||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||||
|
|
||||||
# is_selinux_enabled
|
# is_selinux_enabled
|
||||||
@ -42,16 +42,16 @@ define(`authlogin_per_userdomain_template',`
|
|||||||
|
|
||||||
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
|
domain_use_wide_inherit_fd($1_chkpwd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_chkpwd_t)
|
libs_use_ld_so($1_chkpwd_t)
|
||||||
libraries_use_shared_libraries($1_chkpwd_t)
|
libs_use_shared_libs($1_chkpwd_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_chkpwd_t)
|
files_read_generic_etc_files($1_chkpwd_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_ignore_search_system_state_data_directory($1_chkpwd_t)
|
files_dontaudit_search_var($1_chkpwd_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_chkpwd_t)
|
logging_send_syslog_msg($1_chkpwd_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_chkpwd_t)
|
miscfiles_read_localization($1_chkpwd_t)
|
||||||
|
|
||||||
@ -84,11 +84,11 @@ define(`authlogin_per_userdomain_template',`
|
|||||||
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
|
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
|
||||||
corenet_udp_bind_all_nodes($1_chkpwd_t)
|
corenet_udp_bind_all_nodes($1_chkpwd_t)
|
||||||
corenet_udp_sendrecv_dns_port($1_chkpwd_t)
|
corenet_udp_sendrecv_dns_port($1_chkpwd_t)
|
||||||
sysnetwork_read_network_config($1_chkpwd_t)
|
sysnet_read_config($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_newrole_use_file_descriptors($1_chkpwd_t)
|
selinux_use_newrole_fd($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
') dnl end authlogin_per_userdomain_template
|
') dnl end authlogin_per_userdomain_template
|
||||||
@ -108,7 +108,7 @@ define(`authlogin_per_userdomain_template_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_make_login_program_entrypoint">
|
## <interface name="auth_login_entry_type">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -123,20 +123,20 @@ define(`authlogin_per_userdomain_template_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_make_login_program_entrypoint(domain)
|
# auth_login_entry_type(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_make_login_program_entrypoint',`
|
define(`auth_login_entry_type',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_make_entrypoint_file($1,login_exec_t)
|
domain_entry_file($1,login_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_make_login_program_entrypoint_depend',`
|
define(`auth_login_entry_type_depend',`
|
||||||
type login_exec_t;
|
type login_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_login_program_transition">
|
## <interface name="auth_domtrans_login_program">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute a login_program in the target domain.
|
## Execute a login_program in the target domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -148,7 +148,7 @@ define(`authlogin_make_login_program_entrypoint_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_login_program_transition',`
|
define(`auth_domtrans_login_program',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: search bin_t
|
# FIXME: search bin_t
|
||||||
@ -163,7 +163,7 @@ define(`authlogin_login_program_transition',`
|
|||||||
allow $2 $1:process sigchld;
|
allow $2 $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_login_program_transition_depend',`
|
define(`auth_domtrans_login_program_depend',`
|
||||||
type login_exec_t;
|
type login_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -173,7 +173,7 @@ define(`authlogin_login_program_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_check_password_transition">
|
## <interface name="auth_domtrans_chk_passwd">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -187,9 +187,9 @@ define(`authlogin_login_program_transition_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_check_password_transition(domain)
|
# auth_domtrans_chk_passwd(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_check_password_transition',`
|
define(`auth_domtrans_chk_passwd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
|
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
|
||||||
@ -213,11 +213,11 @@ define(`authlogin_check_password_transition',`
|
|||||||
corenet_raw_sendrecv_all_nodes($1)
|
corenet_raw_sendrecv_all_nodes($1)
|
||||||
corenet_udp_bind_all_nodes($1)
|
corenet_udp_bind_all_nodes($1)
|
||||||
corenet_udp_sendrecv_dns_port($1)
|
corenet_udp_sendrecv_dns_port($1)
|
||||||
sysnetwork_read_network_config($1)
|
sysnet_read_config($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_check_password_transition_depend',`
|
define(`auth_domtrans_chk_passwd_depend',`
|
||||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -228,7 +228,7 @@ define(`authlogin_check_password_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_ignore_get_shadow_passwords_attributes">
|
## <interface name="auth_dontaudit_getattr_shadow">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -242,22 +242,22 @@ define(`authlogin_check_password_transition_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_ignore_get_shadow_passwords_attributes(domain)
|
# auth_dontaudit_getattr_shadow(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_ignore_get_shadow_passwords_attributes',`
|
define(`auth_dontaudit_getattr_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 shadow_t:file getattr;
|
dontaudit $1 shadow_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
|
define(`auth_dontaudit_getattr_shadow_depend',`
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
|
|
||||||
class file stat_file_perms;
|
class file stat_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_read_shadow_passwords">
|
## <interface name="auth_read_shadow">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -271,17 +271,17 @@ define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_read_shadow_passwords(domain)
|
# auth_read_shadow(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_read_shadow_passwords',`
|
define(`auth_read_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_read_general_system_config_directory($1)
|
files_read_generic_etc_files_directory($1)
|
||||||
allow $1 shadow_t:file r_file_perms;
|
allow $1 shadow_t:file r_file_perms;
|
||||||
typeattribute $1 can_read_shadow_passwords;
|
typeattribute $1 can_read_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_read_shadow_passwords_depend',`
|
define(`auth_read_shadow_depend',`
|
||||||
attribute can_read_shadow_passwords;
|
attribute can_read_shadow_passwords;
|
||||||
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
@ -290,7 +290,7 @@ define(`authlogin_read_shadow_passwords_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_ignore_read_shadow_passwords">
|
## <interface name="auth_dontaudit_read_shadow">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -304,22 +304,22 @@ define(`authlogin_read_shadow_passwords_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_ignore_read_shadow_passwords(domain)
|
# auth_dontaudit_read_shadow(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_ignore_read_shadow_passwords',`
|
define(`auth_dontaudit_read_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 shadow_t:file { getattr read };
|
dontaudit $1 shadow_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_ignore_read_shadow_passwords_depend',`
|
define(`auth_dontaudit_read_shadow_depend',`
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
|
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_modify_shadow_passwords">
|
## <interface name="auth_rw_shadow">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -333,17 +333,17 @@ define(`authlogin_ignore_read_shadow_passwords_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_modify_shadow_passwords(domain)
|
# auth_rw_shadow(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_modify_shadow_passwords',`
|
define(`auth_rw_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_read_general_system_config_directory($1)
|
files_read_generic_etc_files_directory($1)
|
||||||
allow $1 shadow_t:file rw_file_perms;
|
allow $1 shadow_t:file rw_file_perms;
|
||||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_modify_shadow_passwords_depend',`
|
define(`auth_rw_shadow_depend',`
|
||||||
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
@ -352,18 +352,18 @@ define(`authlogin_modify_shadow_passwords_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_manage_shadow_passwords(domain)
|
# auth_manage_shadow(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_manage_shadow_passwords',`
|
define(`auth_manage_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 shadow_t:file create_file_perms;
|
allow $1 shadow_t:file create_file_perms;
|
||||||
files_create_private_config($1,shadow_t,file)
|
files_create_etc_config($1,shadow_t,file)
|
||||||
|
|
||||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_manage_shadow_passwords_depend',`
|
define(`auth_manage_shadow_depend',`
|
||||||
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
@ -373,17 +373,17 @@ define(`authlogin_manage_shadow_passwords_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_relabel_to_shadow_passwords(domain)
|
# auth_relabelto_shadow(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_relabel_to_shadow_passwords',`
|
define(`auth_relabelto_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_general_system_config_directory($1)
|
files_search_etc($1)
|
||||||
allow $1 shadow_t:file relabelto;
|
allow $1 shadow_t:file relabelto;
|
||||||
typeattribute $1 can_relabelto_shadow_passwords;
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_relabel_to_shadow_passwords_depend',`
|
define(`auth_relabelto_shadow_depend',`
|
||||||
attribute can_relabelto_shadow_passwords;
|
attribute can_relabelto_shadow_passwords;
|
||||||
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
@ -393,16 +393,16 @@ define(`authlogin_relabel_to_shadow_passwords_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_modify_login_failure_records(domain)
|
# auth_rw_faillog(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_modify_login_failure_records',`
|
define(`auth_rw_faillog',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 faillog_t:file rw_file_perms;
|
allow $1 faillog_t:file rw_file_perms;
|
||||||
logging_search_system_log_directory($1)
|
logging_search_logs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_modify_login_failure_records_depend',`
|
define(`auth_rw_faillog_depend',`
|
||||||
type faillog_t;
|
type faillog_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
@ -410,23 +410,23 @@ define(`authlogin_modify_login_failure_records_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_modify_last_login_log(domain)
|
# auth_rw_lastlog(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_modify_last_login_log',`
|
define(`auth_rw_lastlog',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
logging_search_system_log_directory($1)
|
logging_search_logs($1)
|
||||||
allow $1 lastlog_t:file { getattr read write setattr };
|
allow $1 lastlog_t:file { getattr read write setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_modify_last_login_log_depend',`
|
define(`auth_rw_lastlog_depend',`
|
||||||
type lastlog_t;
|
type lastlog_t;
|
||||||
|
|
||||||
class file { getattr read write setattr };
|
class file { getattr read write setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_pam_transition">
|
## <interface name="auth_domtrans_pam">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute pam programs in the pam domain.
|
## Execute pam programs in the pam domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -435,7 +435,7 @@ define(`authlogin_modify_last_login_log_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_transition',`
|
define(`auth_domtrans_pam',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1,pam_exec_t,pam_t)
|
domain_auto_trans($1,pam_exec_t,pam_t)
|
||||||
@ -446,7 +446,7 @@ define(`authlogin_pam_transition',`
|
|||||||
allow pam_t $1:process sigchld;
|
allow pam_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_transition_depend',`
|
define(`auth_domtrans_pam_depend',`
|
||||||
type pam_t, pam_exec_t;
|
type pam_t, pam_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -456,7 +456,7 @@ define(`authlogin_pam_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_pam_transition_add_role_use_terminal">
|
## <interface name="auth_run_pam">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute pam programs in the PAM domain.
|
## Execute pam programs in the PAM domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -471,22 +471,22 @@ define(`authlogin_pam_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_transition_add_role_use_terminal',`
|
define(`auth_run_pam',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
authlogin_pam_transition($1)
|
auth_domtrans_pam($1)
|
||||||
role $2 types pam_t;
|
role $2 types pam_t;
|
||||||
allow pam_t $3:chr_file rw_file_perms;
|
allow pam_t $3:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_transition_add_role_use_terminal_depend',`
|
define(`auth_run_pam_depend',`
|
||||||
type pam_t;
|
type pam_t;
|
||||||
|
|
||||||
class chr_file rw_file_perms;
|
class chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_pam_execute">
|
## <interface name="auth_exec_pam">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -500,15 +500,15 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_pam_execute(domain)
|
# auth_exec_pam(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_execute',`
|
define(`auth_exec_pam',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,pam_exec_t)
|
can_exec($1,pam_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_execute_depend',`
|
define(`auth_exec_pam_depend',`
|
||||||
type pam_exec_t;
|
type pam_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
@ -516,18 +516,18 @@ define(`authlogin_pam_execute_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_pam_read_runtime_data(domain)
|
# auth_read_pam_pid(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_read_runtime_data',`
|
define(`auth_read_pam_pid',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
files_search_runtime_data_directory($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_run_t:dir r_dir_perms;
|
allow $1 pam_var_run_t:dir r_dir_perms;
|
||||||
allow $1 pam_var_run_t:file r_file_perms;
|
allow $1 pam_var_run_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_read_runtime_data_depend',`
|
define(`auth_read_pam_pid_depend',`
|
||||||
type pam_var_run_t;
|
type pam_var_run_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -535,7 +535,7 @@ define(`authlogin_pam_read_runtime_data_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_pam_remove_runtime_data">
|
## <interface name="auth_delete_pam_pid">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -549,18 +549,18 @@ define(`authlogin_pam_read_runtime_data_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_pam_remove_runtime_data(domain)
|
# auth_delete_pam_pid(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_remove_runtime_data',`
|
define(`auth_delete_pam_pid',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
files_search_runtime_data_directory($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
|
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
|
||||||
allow $1 pam_var_run_t:file { getattr unlink };
|
allow $1 pam_var_run_t:file { getattr unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_remove_runtime_data_depend',`
|
define(`auth_delete_pam_pid_depend',`
|
||||||
type pam_var_run_t;
|
type pam_var_run_t;
|
||||||
|
|
||||||
class dir { getattr search read write remove_name };
|
class dir { getattr search read write remove_name };
|
||||||
@ -569,9 +569,9 @@ define(`authlogin_pam_remove_runtime_data_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_pam_console_transition(domain)
|
# auth_domtrans_pam_console(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_console_transition',`
|
define(`auth_domtrans_pam_console',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1,pam_console_exec_t,pam_console_t)
|
domain_auto_trans($1,pam_console_exec_t,pam_console_t)
|
||||||
@ -582,7 +582,7 @@ define(`authlogin_pam_console_transition',`
|
|||||||
allow pam_console_t $1:process sigchld;
|
allow pam_console_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_console_transition_depend',`
|
define(`auth_domtrans_pam_console_depend',`
|
||||||
type pam_console_t, pam_console_exec_t;
|
type pam_console_t, pam_console_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -592,7 +592,7 @@ define(`authlogin_pam_console_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_pam_console_read_runtime_data_dir">
|
## <interface name="auth_list_pam_console_data">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -606,17 +606,17 @@ define(`authlogin_pam_console_transition_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_pam_console_read_runtime_data_dir(domain)
|
# auth_list_pam_console_data(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_console_read_runtime_data_dir',`
|
define(`auth_list_pam_console_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
files_search_runtime_data_directory($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_console_t:dir r_dir_perms;
|
allow $1 pam_var_console_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_console_read_runtime_data_dir_depend',`
|
define(`auth_list_pam_console_data_depend',`
|
||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -624,18 +624,18 @@ define(`authlogin_pam_console_read_runtime_data_dir_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_pam_console_read_runtime_data(domain)
|
# auth_read_pam_console_data(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_console_read_runtime_data',`
|
define(`auth_read_pam_console_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
files_search_runtime_data_directory($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_console_t:dir r_dir_perms;
|
allow $1 pam_var_console_t:dir r_dir_perms;
|
||||||
allow $1 pam_var_console_t:file r_file_perms;
|
allow $1 pam_var_console_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_console_read_runtime_data_depend',`
|
define(`auth_read_pam_console_data_depend',`
|
||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -644,19 +644,19 @@ define(`authlogin_pam_console_read_runtime_data_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_pam_console_manage_runtime_data(domain)
|
# auth_manage_pam_console_data(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_console_manage_runtime_data',`
|
define(`auth_manage_pam_console_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
files_search_runtime_data_directory($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_console_t:dir rw_dir_perms;
|
allow $1 pam_var_console_t:dir rw_dir_perms;
|
||||||
allow $1 pam_var_console_t:file create_file_perms;
|
allow $1 pam_var_console_t:file create_file_perms;
|
||||||
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
|
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_console_manage_runtime_data_depend',`
|
define(`auth_manage_pam_console_data_depend',`
|
||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
|
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
@ -665,7 +665,7 @@ define(`authlogin_pam_console_manage_runtime_data_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_relabel_all_files_except_shadow">
|
## <interface name="auth_relabel_all_files_except_shadow">
|
||||||
## <description>
|
## <description>
|
||||||
## Relabel all files on the filesystem, except
|
## Relabel all files on the filesystem, except
|
||||||
## the shadow passwords and listed exceptions.
|
## the shadow passwords and listed exceptions.
|
||||||
@ -680,18 +680,18 @@ define(`authlogin_pam_console_manage_runtime_data_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
|
|
||||||
define(`authlogin_relabel_all_files_except_shadow',`
|
define(`auth_relabel_all_files_except_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_relabel_all_files($1,$2 -shadow_t)
|
files_relabel_all_files($1,$2 -shadow_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_relabel_all_files_except_shadow_depend',`
|
define(`auth_relabel_all_files_except_shadow_depend',`
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_manage_all_files_except_shadow">
|
## <interface name="auth_manage_all_files_except_shadow">
|
||||||
## <description>
|
## <description>
|
||||||
## Manage all files on the filesystem, except
|
## Manage all files on the filesystem, except
|
||||||
## the shadow passwords and listed exceptions.
|
## the shadow passwords and listed exceptions.
|
||||||
@ -706,18 +706,18 @@ define(`authlogin_relabel_all_files_except_shadow_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
|
|
||||||
define(`authlogin_manage_all_files_except_shadow',`
|
define(`auth_manage_all_files_except_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_manage_all_files($1,$2 -shadow_t)
|
files_manage_all_files($1,$2 -shadow_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_manage_all_files_except_shadow_depend',`
|
define(`auth_manage_all_files_except_shadow_depend',`
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_utempter_transition">
|
## <interface name="auth_domtrans_utempter">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute utempter programs in the utempter domain.
|
## Execute utempter programs in the utempter domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -726,7 +726,7 @@ define(`authlogin_manage_all_files_except_shadow_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_utempter_transition',`
|
define(`auth_domtrans_utempter',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1,utempter_exec_t,utempter_t)
|
domain_auto_trans($1,utempter_exec_t,utempter_t)
|
||||||
@ -737,7 +737,7 @@ define(`authlogin_utempter_transition',`
|
|||||||
allow utempter_t $1:process sigchld;
|
allow utempter_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_utempter_transition_depend',`
|
define(`auth_domtrans_utempter_depend',`
|
||||||
type utempter_t, utempter_exec_t;
|
type utempter_t, utempter_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -747,7 +747,7 @@ define(`authlogin_utempter_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_utempter_transition_add_role_use_terminal">
|
## <interface name="auth_run_utempter">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute utempter programs in the utempter domain.
|
## Execute utempter programs in the utempter domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -762,22 +762,22 @@ define(`authlogin_utempter_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_utempter_transition_add_role_use_terminal',`
|
define(`auth_run_utempter',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
authlogin_utempter_transition($1)
|
auth_domtrans_utempter($1)
|
||||||
role $2 types utempter_t;
|
role $2 types utempter_t;
|
||||||
allow utempter_t $3:chr_file rw_file_perms;
|
allow utempter_t $3:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
|
define(`auth_run_utempter_depend',`
|
||||||
type utempter_t;
|
type utempter_t;
|
||||||
|
|
||||||
class chr_file rw_file_perms;
|
class chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_read_login_records">
|
## <interface name="auth_read_login_records">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -791,23 +791,23 @@ define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_read_login_records(domain)
|
# auth_read_login_records(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_read_login_records',`
|
define(`auth_read_login_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
logging_search_system_log_directory($1)
|
logging_search_logs($1)
|
||||||
allow $1 wtmp_t:file r_file_perms;
|
allow $1 wtmp_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_read_login_records_depend',`
|
define(`auth_read_login_records_depend',`
|
||||||
type wtmp_t;
|
type wtmp_t;
|
||||||
|
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="authlogin_ignore_write_login_records">
|
## <interface name="auth_dontaudit_write_login_records">
|
||||||
## <description>
|
## <description>
|
||||||
##
|
##
|
||||||
## </description>
|
## </description>
|
||||||
@ -818,15 +818,15 @@ define(`authlogin_read_login_records_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_ignore_write_login_records(domain)
|
# auth_dontaudit_write_login_records(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_ignore_write_login_records',`
|
define(`auth_dontaudit_write_login_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 wtmp_t:file write;
|
dontaudit $1 wtmp_t:file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_read_login_records_depend',`
|
define(`auth_read_login_records_depend',`
|
||||||
type wtmp_t;
|
type wtmp_t;
|
||||||
|
|
||||||
class file write;
|
class file write;
|
||||||
@ -834,16 +834,16 @@ define(`authlogin_read_login_records_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_modify_login_records(domain)
|
# auth_rw_login_records(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_modify_login_records',`
|
define(`auth_rw_login_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 wtmp_t:file rw_file_perms;
|
allow $1 wtmp_t:file rw_file_perms;
|
||||||
logging_search_system_log_directory($1)
|
logging_search_logs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_modify_login_records_depend',`
|
define(`auth_rw_login_records_depend',`
|
||||||
type wtmp_t;
|
type wtmp_t;
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
@ -11,59 +11,59 @@ attribute can_write_shadow_passwords;
|
|||||||
attribute can_relabelto_shadow_passwords;
|
attribute can_relabelto_shadow_passwords;
|
||||||
|
|
||||||
type chkpwd_exec_t;
|
type chkpwd_exec_t;
|
||||||
files_make_file(chkpwd_exec_t)
|
files_file_type(chkpwd_exec_t)
|
||||||
|
|
||||||
type faillog_t;
|
type faillog_t;
|
||||||
logging_make_log_file(faillog_t)
|
logging_log_file(faillog_t)
|
||||||
|
|
||||||
type lastlog_t;
|
type lastlog_t;
|
||||||
logging_make_log_file(lastlog_t)
|
logging_log_file(lastlog_t)
|
||||||
|
|
||||||
type login_exec_t;
|
type login_exec_t;
|
||||||
files_make_file(login_exec_t)
|
files_file_type(login_exec_t)
|
||||||
|
|
||||||
type pam_console_t;
|
type pam_console_t;
|
||||||
type pam_console_exec_t;
|
type pam_console_exec_t;
|
||||||
init_make_system_domain(pam_console_t,pam_console_exec_t)
|
init_system_domain(pam_console_t,pam_console_exec_t)
|
||||||
role system_r types pam_console_t;
|
role system_r types pam_console_t;
|
||||||
|
|
||||||
domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
|
domain_entry_file(pam_console_t,pam_console_exec_t)
|
||||||
|
|
||||||
type pam_t; #, nscd_client_domain;
|
type pam_t; #, nscd_client_domain;
|
||||||
domain_make_domain(pam_t)
|
domain_type(pam_t)
|
||||||
role system_r types pam_t;
|
role system_r types pam_t;
|
||||||
|
|
||||||
type pam_exec_t;
|
type pam_exec_t;
|
||||||
domain_make_entrypoint_file(pam_t,pam_exec_t)
|
domain_entry_file(pam_t,pam_exec_t)
|
||||||
|
|
||||||
type pam_tmp_t;
|
type pam_tmp_t;
|
||||||
files_make_temporary_file(pam_tmp_t)
|
files_tmp_file(pam_tmp_t)
|
||||||
|
|
||||||
type pam_var_console_t; #, nscd_client_domain
|
type pam_var_console_t; #, nscd_client_domain
|
||||||
files_make_file(pam_var_console_t)
|
files_file_type(pam_var_console_t)
|
||||||
|
|
||||||
type pam_var_run_t;
|
type pam_var_run_t;
|
||||||
files_make_daemon_runtime_file(pam_var_run_t)
|
files_pid_file(pam_var_run_t)
|
||||||
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
files_make_file(shadow_t)
|
files_file_type(shadow_t)
|
||||||
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||||
|
|
||||||
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
|
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
|
||||||
domain_make_domain(system_chkpwd_t)
|
domain_type(system_chkpwd_t)
|
||||||
domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
|
domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
|
||||||
role system_r types system_chkpwd_t;
|
role system_r types system_chkpwd_t;
|
||||||
|
|
||||||
type utempter_t; #, nscd_client_domain;
|
type utempter_t; #, nscd_client_domain;
|
||||||
domain_make_domain(utempter_t)
|
domain_type(utempter_t)
|
||||||
|
|
||||||
type utempter_exec_t;
|
type utempter_exec_t;
|
||||||
domain_make_entrypoint_file(utempter_t,utempter_exec_t)
|
domain_entry_file(utempter_t,utempter_exec_t)
|
||||||
|
|
||||||
type wtmp_t;
|
type wtmp_t;
|
||||||
logging_make_log_file(wtmp_t)
|
logging_log_file(wtmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -89,27 +89,27 @@ allow pam_t pam_var_run_t:file { getattr read unlink };
|
|||||||
|
|
||||||
allow pam_t pam_tmp_t:dir create_dir_perms;
|
allow pam_t pam_tmp_t:dir create_dir_perms;
|
||||||
allow pam_t pam_tmp_t:file create_file_perms;
|
allow pam_t pam_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
|
files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
|
||||||
|
|
||||||
kernel_read_system_state(pam_t)
|
kernel_read_system_state(pam_t)
|
||||||
|
|
||||||
term_use_all_user_ttys(pam_t)
|
term_use_all_user_ttys(pam_t)
|
||||||
term_use_all_user_ptys(pam_t)
|
term_use_all_user_ptys(pam_t)
|
||||||
|
|
||||||
init_script_ignore_modify_runtime_data(pam_t)
|
init_dontaudit_rw_script_pid(pam_t)
|
||||||
|
|
||||||
files_read_general_system_config(pam_t)
|
files_read_generic_etc_files(pam_t)
|
||||||
files_read_runtime_data_directory(pam_t)
|
files_list_pids(pam_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(pam_t)
|
libs_use_ld_so(pam_t)
|
||||||
libraries_use_shared_libraries(pam_t)
|
libs_use_shared_libs(pam_t)
|
||||||
|
|
||||||
logging_send_system_log_message(pam_t)
|
logging_send_syslog_msg(pam_t)
|
||||||
|
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
|
userdom_use_unpriv_users_fd(pam_t)
|
||||||
|
|
||||||
optional_policy(`locallogin.te',`
|
optional_policy(`locallogin.te',`
|
||||||
locallogin_use_file_descriptors(pam_t)
|
locallogin_use_fd(pam_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -151,38 +151,38 @@ term_use_console(pam_console_t)
|
|||||||
term_getattr_unallocated_ttys(pam_console_t)
|
term_getattr_unallocated_ttys(pam_console_t)
|
||||||
term_setattr_unallocated_ttys(pam_console_t)
|
term_setattr_unallocated_ttys(pam_console_t)
|
||||||
|
|
||||||
init_use_file_descriptors(pam_console_t)
|
init_use_fd(pam_console_t)
|
||||||
init_use_file_descriptors(pam_console_t)
|
init_use_fd(pam_console_t)
|
||||||
init_script_use_pseudoterminal(pam_console_t)
|
init_use_script_pty(pam_console_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(pam_console_t)
|
domain_use_wide_inherit_fd(pam_console_t)
|
||||||
|
|
||||||
files_read_general_system_config(pam_console_t)
|
files_read_generic_etc_files(pam_console_t)
|
||||||
files_search_runtime_data_directory(pam_console_t)
|
files_search_pids(pam_console_t)
|
||||||
files_read_mnt_dir(pam_console_t)
|
files_list_mnt(pam_console_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(pam_console_t)
|
libs_use_ld_so(pam_console_t)
|
||||||
libraries_use_shared_libraries(pam_console_t)
|
libs_use_shared_libs(pam_console_t)
|
||||||
|
|
||||||
logging_send_system_log_message(pam_console_t)
|
logging_send_syslog_msg(pam_console_t)
|
||||||
|
|
||||||
selinux_read_file_contexts(pam_console_t)
|
selinux_read_file_contexts(pam_console_t)
|
||||||
|
|
||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
|
userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
|
||||||
|
|
||||||
ifdef(`direct_sysadm_daemon', `
|
ifdef(`direct_sysadm_daemon', `
|
||||||
userdomain_dontaudit_use_admin_terminals(pam_console_t)
|
userdom_dontaudit_use_sysadm_terms(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(pam_console_t)
|
term_dontaudit_use_unallocated_tty(pam_console_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(pam_console_t)
|
terminal_ignore_use_general_pseudoterminal(pam_console_t)
|
||||||
files_ignore_read_rootfs_file(pam_console_t)
|
files_dontaudit_read_root_file(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hotplug.te', `
|
optional_policy(`hotplug.te', `
|
||||||
hotplug_use_file_descriptors(pam_console_t)
|
hotplug_use_fd(pam_console_t)
|
||||||
hotplug_ignore_search_config_directory(pam_console_t)
|
hotplug_dontaudit_search_config(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -190,7 +190,7 @@ selinux_newrole_sigchld(pam_console_t)
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(pam_console_t)
|
udev_read_db(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -240,14 +240,14 @@ fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
|
|||||||
|
|
||||||
term_use_unallocated_tty(system_chkpwd_t)
|
term_use_unallocated_tty(system_chkpwd_t)
|
||||||
|
|
||||||
files_read_general_system_config(system_chkpwd_t)
|
files_read_generic_etc_files(system_chkpwd_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_ignore_search_system_state_data_directory(system_chkpwd_t)
|
files_dontaudit_search_var(system_chkpwd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(system_chkpwd_t)
|
libs_use_ld_so(system_chkpwd_t)
|
||||||
libraries_use_shared_libraries(system_chkpwd_t)
|
libs_use_shared_libs(system_chkpwd_t)
|
||||||
|
|
||||||
logging_send_system_log_message(system_chkpwd_t)
|
logging_send_syslog_msg(system_chkpwd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(system_chkpwd_t)
|
miscfiles_read_localization(system_chkpwd_t)
|
||||||
|
|
||||||
@ -261,7 +261,7 @@ tunable_policy(`use_dns',`
|
|||||||
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
|
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
|
||||||
corenet_udp_bind_all_nodes(system_chkpwd_t)
|
corenet_udp_bind_all_nodes(system_chkpwd_t)
|
||||||
corenet_udp_sendrecv_dns_port(system_chkpwd_t)
|
corenet_udp_sendrecv_dns_port(system_chkpwd_t)
|
||||||
sysnetwork_read_network_config(system_chkpwd_t)
|
sysnet_read_config(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -288,16 +288,16 @@ term_dontaudit_use_all_user_ttys(utempter_t)
|
|||||||
term_dontaudit_use_all_user_ptys(utempter_t)
|
term_dontaudit_use_all_user_ptys(utempter_t)
|
||||||
term_dontaudit_use_ptmx(utempter_t)
|
term_dontaudit_use_ptmx(utempter_t)
|
||||||
|
|
||||||
init_script_modify_runtime_data(utempter_t)
|
init_rw_script_pid(utempter_t)
|
||||||
|
|
||||||
files_read_general_system_config(utempter_t)
|
files_read_generic_etc_files(utempter_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(utempter_t)
|
domain_use_wide_inherit_fd(utempter_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(utempter_t)
|
libs_use_ld_so(utempter_t)
|
||||||
libraries_use_shared_libraries(utempter_t)
|
libs_use_shared_libs(utempter_t)
|
||||||
|
|
||||||
logging_search_system_log_directory(utempter_t)
|
logging_search_logs(utempter_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Allow utemper to write to /tmp/.xses-*
|
# Allow utemper to write to /tmp/.xses-*
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for reading and setting the hardware clock.</summary>
|
## <summary>Policy for reading and setting the hardware clock.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="clock_transition">
|
## <interface name="clock_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute hwclock in the clock domain.
|
## Execute hwclock in the clock domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_transition',`
|
define(`clock_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1,hwclock_exec_t,hwclock_t)
|
domain_auto_trans($1,hwclock_exec_t,hwclock_t)
|
||||||
@ -22,7 +22,7 @@ define(`clock_transition',`
|
|||||||
allow hwclock_t $1:process sigchld;
|
allow hwclock_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_transition_depend',`
|
define(`clock_domtrans_depend',`
|
||||||
type hwclock_t, hwclock_exec_t;
|
type hwclock_t, hwclock_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -32,7 +32,7 @@ define(`clock_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="clock_transition_add_role_use_terminal">
|
## <interface name="clock_run">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute hwclock in the clock domain, and
|
## Execute hwclock in the clock domain, and
|
||||||
## allow the specified role the hwclock domain.
|
## allow the specified role the hwclock domain.
|
||||||
@ -48,22 +48,22 @@ define(`clock_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_transition_add_role_use_terminal',`
|
define(`clock_run',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
clock_transition($1)
|
clock_domtrans($1)
|
||||||
role $2 types hwclock_t;
|
role $2 types hwclock_t;
|
||||||
allow hwclock_t $3:chr_file { getattr read write ioctl };
|
allow hwclock_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_transition_add_role_use_terminal_depend',`
|
define(`clock_run_depend',`
|
||||||
type hwclock_t;
|
type hwclock_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="clock_execute">
|
## <interface name="clock_exec">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute hwclock
|
## Execute hwclock
|
||||||
## </description>
|
## </description>
|
||||||
@ -72,20 +72,20 @@ define(`clock_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_execute',`
|
define(`clock_exec',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,hwclock_exec_t)
|
can_exec($1,hwclock_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_execute_depend',`
|
define(`clock_exec_depend',`
|
||||||
type hwclock_exec_t;
|
type hwclock_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="clock_modify_drift_records">
|
## <interface name="clock_rw_adjtime">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow executing domain to modify clock drift
|
## Allow executing domain to modify clock drift
|
||||||
## </description>
|
## </description>
|
||||||
@ -94,14 +94,14 @@ define(`clock_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_modify_drift_records',`
|
define(`clock_rw_adjtime',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 adjtime_t:file rw_file_perms;
|
allow $1 adjtime_t:file rw_file_perms;
|
||||||
files_read_general_system_config_directory($1)
|
files_read_generic_etc_files_directory($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_modify_drift_records_depend',`
|
define(`clock_rw_adjtime_depend',`
|
||||||
type adjtime_t;
|
type adjtime_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
|
@ -7,11 +7,11 @@ policy_module(clock,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type adjtime_t;
|
type adjtime_t;
|
||||||
files_make_file(adjtime_t)
|
files_file_type(adjtime_t)
|
||||||
|
|
||||||
type hwclock_t;
|
type hwclock_t;
|
||||||
type hwclock_exec_t;
|
type hwclock_exec_t;
|
||||||
init_make_system_domain(hwclock_t,hwclock_exec_t)
|
init_system_domain(hwclock_t,hwclock_exec_t)
|
||||||
role system_r types hwclock_t;
|
role system_r types hwclock_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -41,26 +41,26 @@ term_use_unallocated_tty(hwclock_t)
|
|||||||
term_use_all_user_ttys(hwclock_t)
|
term_use_all_user_ttys(hwclock_t)
|
||||||
term_use_all_user_ptys(hwclock_t)
|
term_use_all_user_ptys(hwclock_t)
|
||||||
|
|
||||||
init_use_file_descriptors(hwclock_t)
|
init_use_fd(hwclock_t)
|
||||||
init_script_use_pseudoterminal(hwclock_t)
|
init_use_script_pty(hwclock_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(hwclock_t)
|
domain_use_wide_inherit_fd(hwclock_t)
|
||||||
|
|
||||||
files_read_general_system_config_directory(hwclock_t)
|
files_read_generic_etc_files_directory(hwclock_t)
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
files_ignore_search_isid_type_dir(hwclock_t)
|
files_dontaudit_search_isid_type_dir(hwclock_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(hwclock_t)
|
libs_use_ld_so(hwclock_t)
|
||||||
libraries_use_shared_libraries(hwclock_t)
|
libs_use_shared_libs(hwclock_t)
|
||||||
|
|
||||||
logging_send_system_log_message(hwclock_t)
|
logging_send_syslog_msg(hwclock_t)
|
||||||
|
|
||||||
miscfiles_read_localization(hwclock_t)
|
miscfiles_read_localization(hwclock_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(hwclock_t)
|
term_dontaudit_use_unallocated_tty(hwclock_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(hwclock_t)
|
terminal_ignore_use_general_pseudoterminal(hwclock_t)
|
||||||
files_ignore_read_rootfs_file(hwclock_t)
|
files_dontaudit_read_root_file(hwclock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -68,11 +68,11 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(hwclock_t)
|
udev_read_db(hwclock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`userdomain.te',`
|
optional_policy(`userdomain.te',`
|
||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
|
userdom_dontaudit_use_unpriv_user_fd(hwclock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -6,29 +6,29 @@
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# corecommands_make_shell_entrypoint(domain)
|
# corecmd_shell_entry_type(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_make_shell_entrypoint',`
|
define(`corecmd_shell_entry_type',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_make_entrypoint_file($1,shell_exec_t)
|
domain_entry_file($1,shell_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_make_shell_entrypoint_depend',`
|
define(`corecmd_shell_entry_type_depend',`
|
||||||
type shell_exec_t;
|
type shell_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_search_general_programs_directory(domain)
|
# corecmd_search_bin(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_search_general_programs_directory',`
|
define(`corecmd_search_bin',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bin_t:dir search;
|
allow $1 bin_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_search_general_programs_directory_depend',`
|
define(`corecmd_search_bin_depend',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
|
|
||||||
class dir search;
|
class dir search;
|
||||||
@ -36,15 +36,15 @@ define(`corecommands_search_general_programs_directory_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_read_general_programs_directory(domain)
|
# corecmd_list_bin(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_read_general_programs_directory',`
|
define(`corecmd_list_bin',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_read_general_programs_directory_depend',`
|
define(`corecmd_list_bin_depend',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -52,9 +52,9 @@ define(`corecommands_read_general_programs_directory_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_execute_general_programs(domain)
|
# corecmd_exec_bin(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_execute_general_programs',`
|
define(`corecmd_exec_bin',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
@ -63,7 +63,7 @@ define(`corecommands_execute_general_programs',`
|
|||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_execute_general_programs_depend',`
|
define(`corecmd_exec_bin_depend',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -73,15 +73,15 @@ define(`corecommands_execute_general_programs_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_search_system_programs_directory(domain)
|
# corecmd_search_sbin(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_search_system_programs_directory',`
|
define(`corecmd_search_sbin',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 sbin_t:dir search;
|
allow $1 sbin_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_search_system_programs_directory_depend',`
|
define(`corecmd_search_sbin_depend',`
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
|
|
||||||
class dir search;
|
class dir search;
|
||||||
@ -89,15 +89,15 @@ define(`corecommands_search_system_programs_directory_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_read_system_programs_directory(domain)
|
# corecmd_list_sbin(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_read_system_programs_directory',`
|
define(`corecmd_list_sbin',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 sbin_t:dir r_dir_perms;
|
allow $1 sbin_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_read_system_programs_directory_depend',`
|
define(`corecmd_list_sbin_depend',`
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -105,15 +105,15 @@ define(`corecommands_read_system_programs_directory_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_ignore_get_system_programs_attributes(domain)
|
# corecmd_dontaudit_getattr_sbin_file(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_ignore_get_system_programs_attributes',`
|
define(`corecmd_dontaudit_getattr_sbin_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 sbin_t:file getattr;
|
allow $1 sbin_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_ignore_get_system_programs_attributes_depend',`
|
define(`corecmd_dontaudit_getattr_sbin_file_depend',`
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
|
|
||||||
class file getattr;
|
class file getattr;
|
||||||
@ -121,9 +121,9 @@ define(`corecommands_ignore_get_system_programs_attributes_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_execute_system_programs(domain)
|
# corecmd_exec_sbin(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_execute_system_programs',`
|
define(`corecmd_exec_sbin',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 sbin_t:dir r_dir_perms;
|
allow $1 sbin_t:dir r_dir_perms;
|
||||||
@ -132,7 +132,7 @@ define(`corecommands_execute_system_programs',`
|
|||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_execute_system_programs_depend',`
|
define(`corecmd_exec_sbin_depend',`
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -142,9 +142,9 @@ define(`corecommands_execute_system_programs_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_execute_shell(domain)
|
# corecmd_exec_shell(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_execute_shell',`
|
define(`corecmd_exec_shell',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
@ -152,7 +152,7 @@ define(`corecommands_execute_shell',`
|
|||||||
can_exec($1,shell_exec_t)
|
can_exec($1,shell_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_execute_shell_depend',`
|
define(`corecmd_exec_shell_depend',`
|
||||||
type bin_t, shell_exec_t;
|
type bin_t, shell_exec_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -162,9 +162,9 @@ define(`corecommands_execute_shell_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_execute_ls(domain)
|
# corecmd_exec_ls(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_execute_ls',`
|
define(`corecmd_exec_ls',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
@ -172,7 +172,7 @@ define(`corecommands_execute_ls',`
|
|||||||
can_exec($1,ls_exec_t)
|
can_exec($1,ls_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_execute_shell_depend',`
|
define(`corecmd_exec_shell_depend',`
|
||||||
type bin_t, ls_exec_t;
|
type bin_t, ls_exec_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -181,7 +181,7 @@ define(`corecommands_execute_shell_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="corecommands_shell_explicit_transition">
|
## <interface name="corecmd_shell_spec_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute a shell in the target domain. This
|
## Execute a shell in the target domain. This
|
||||||
## is an explicit transition, requiring the
|
## is an explicit transition, requiring the
|
||||||
@ -195,7 +195,7 @@ define(`corecommands_execute_shell_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`corecommands_shell_explicit_transition',`
|
define(`corecmd_shell_spec_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
@ -209,7 +209,7 @@ define(`corecommands_shell_explicit_transition',`
|
|||||||
allow $2 $1:process sigchld;
|
allow $2 $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_shell_explicit_transition_depend',`
|
define(`corecmd_shell_spec_domtrans_depend',`
|
||||||
type bin_t, shell_exec_t;
|
type bin_t, shell_exec_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -221,7 +221,7 @@ define(`corecommands_shell_explicit_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="corecommands_shell_transition">
|
## <interface name="corecmd_domtrans_shell">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute a shell in the target domain.
|
## Execute a shell in the target domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -233,29 +233,29 @@ define(`corecommands_shell_explicit_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`corecommands_shell_transition',`
|
define(`corecmd_domtrans_shell',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
corecommands_shell_explicit_transition($1,$2)
|
corecmd_shell_spec_domtrans($1,$2)
|
||||||
type_transition $1 shell_exec_t:process $2;
|
type_transition $1 shell_exec_t:process $2;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_shell_transition_depend',`
|
define(`corecmd_domtrans_shell_depend',`
|
||||||
type shell_exec_t;
|
type shell_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# corecommands_chroot(domain)
|
# corecmd_chroot_exec_chroot(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_chroot',`
|
define(`corecmd_chroot_exec_chroot',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
|
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
|
||||||
allow $1 self:capability sys_chroot;
|
allow $1 self:capability sys_chroot;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_chroot_depend',`
|
define(`corecmd_chroot_exec_chroot_depend',`
|
||||||
type chroot_exec_t;
|
type chroot_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
|
@ -5,25 +5,25 @@ policy_module(corecommands,1.0)
|
|||||||
# bin_t is the type of files in the system bin directories.
|
# bin_t is the type of files in the system bin directories.
|
||||||
#
|
#
|
||||||
type bin_t;
|
type bin_t;
|
||||||
files_make_file(bin_t)
|
files_file_type(bin_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# sbin_t is the type of files in the system sbin directories.
|
# sbin_t is the type of files in the system sbin directories.
|
||||||
#
|
#
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
files_make_file(sbin_t)
|
files_file_type(sbin_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# ls_exec_t is the type of the ls program.
|
# ls_exec_t is the type of the ls program.
|
||||||
#
|
#
|
||||||
type ls_exec_t;
|
type ls_exec_t;
|
||||||
files_make_file(ls_exec_t)
|
files_file_type(ls_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# shell_exec_t is the type of user shells such as /bin/bash.
|
# shell_exec_t is the type of user shells such as /bin/bash.
|
||||||
#
|
#
|
||||||
type shell_exec_t;
|
type shell_exec_t;
|
||||||
files_make_file(shell_exec_t)
|
files_file_type(shell_exec_t)
|
||||||
|
|
||||||
type chroot_exec_t;
|
type chroot_exec_t;
|
||||||
files_make_file(chroot_exec_t)
|
files_file_type(chroot_exec_t)
|
||||||
|
@ -3,9 +3,9 @@
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_make_base_domain(domain)
|
# domain_base_domain_type(domain)
|
||||||
#
|
#
|
||||||
define(`domain_make_base_domain',`
|
define(`domain_base_domain_type',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# mark as a domain
|
# mark as a domain
|
||||||
@ -19,7 +19,7 @@ define(`domain_make_base_domain',`
|
|||||||
allow $1 self:process { fork sigchld };
|
allow $1 self:process { fork sigchld };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_make_base_domain_depend',`
|
define(`domain_base_domain_type_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -29,11 +29,11 @@ define(`domain_make_base_domain_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_make_domain(domain)
|
# domain_type(domain)
|
||||||
#
|
#
|
||||||
define(`domain_make_domain',`
|
define(`domain_type',`
|
||||||
# start with basic domain
|
# start with basic domain
|
||||||
domain_make_base_domain($1)
|
domain_base_domain_type($1)
|
||||||
|
|
||||||
# Use trusted objects in /dev
|
# Use trusted objects in /dev
|
||||||
dev_rw_null_dev($1)
|
dev_rw_null_dev($1)
|
||||||
@ -41,31 +41,31 @@ define(`domain_make_domain',`
|
|||||||
term_use_controlling_term($1)
|
term_use_controlling_term($1)
|
||||||
|
|
||||||
# read the root directory
|
# read the root directory
|
||||||
files_read_root_dir($1)
|
files_list_root($1)
|
||||||
|
|
||||||
# send init a sigchld
|
# send init a sigchld
|
||||||
init_sigchld($1)
|
init_sigchld($1)
|
||||||
|
|
||||||
# this seems highly questionable:
|
# this seems highly questionable:
|
||||||
optional_policy(`rpm.te',`
|
optional_policy(`rpm.te',`
|
||||||
rpm_use_file_descriptors($1)
|
rpm_use_fd($1)
|
||||||
rpm_read_pipe($1)
|
rpm_read_pipe($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_make_entrypoint_file(domain,entrypointfile)
|
# domain_entry_file(domain,entrypointfile)
|
||||||
#
|
#
|
||||||
define(`domain_make_entrypoint_file',`
|
define(`domain_entry_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_make_file($2)
|
files_file_type($2)
|
||||||
allow $1 $2:file entrypoint;
|
allow $1 $2:file entrypoint;
|
||||||
typeattribute $2 entry_type;
|
typeattribute $2 entry_type;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_make_entrypoint_file_depend',`
|
define(`domain_entry_file_depend',`
|
||||||
attribute entry_type;
|
attribute entry_type;
|
||||||
|
|
||||||
class file entrypoint;
|
class file entrypoint;
|
||||||
@ -73,29 +73,29 @@ define(`domain_make_entrypoint_file_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_make_file_descriptors_widely_inheritable(domain)
|
# domain_wide_inherit_fd(domain)
|
||||||
#
|
#
|
||||||
define(`domain_make_file_descriptors_widely_inheritable',`
|
define(`domain_wide_inherit_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
typeattribute $1 privfd;
|
typeattribute $1 privfd;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_make_file_descriptors_widely_inheritable_depend',`
|
define(`domain_wide_inherit_fd_depend',`
|
||||||
attribute privfd;
|
attribute privfd;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_use_widely_inheritable_file_descriptors(domain)
|
# domain_use_wide_inherit_fd(domain)
|
||||||
#
|
#
|
||||||
define(`domain_use_widely_inheritable_file_descriptors',`
|
define(`domain_use_wide_inherit_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 privfd:fd use;
|
allow $1 privfd:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_use_widely_inheritable_file_descriptors_depend',`
|
define(`domain_use_wide_inherit_fd_depend',`
|
||||||
attribute privfd;
|
attribute privfd;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -103,15 +103,15 @@ define(`domain_use_widely_inheritable_file_descriptors_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_ignore_use_widely_inheritable_file_descriptors(domain)
|
# domain_dontaudit_use_wide_inherit_fd(domain)
|
||||||
#
|
#
|
||||||
define(`domain_ignore_use_widely_inheritable_file_descriptors',`
|
define(`domain_dontaudit_use_wide_inherit_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 privfd:fd use;
|
dontaudit $1 privfd:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
|
define(`domain_dontaudit_use_wide_inherit_fd_depend',`
|
||||||
attribute privfd;
|
attribute privfd;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -119,15 +119,15 @@ define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_set_all_domains_priorities(domain)
|
# domain_setpriority_all_domains(domain)
|
||||||
#
|
#
|
||||||
define(`domain_set_all_domains_priorities',`
|
define(`domain_setpriority_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 domain:process setsched;
|
allow $1 domain:process setsched;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_set_all_domains_priorities_depend',`
|
define(`domain_setpriority_all_domains_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class process setsched;
|
class process setsched;
|
||||||
@ -246,7 +246,7 @@ define(`domain_kill_all_domains_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="domain_read_all_domains_process_state">
|
## <interface name="domain_read_all_domains_state">
|
||||||
## <description>
|
## <description>
|
||||||
## Read the process state (/proc/pid) of all domains.
|
## Read the process state (/proc/pid) of all domains.
|
||||||
## </description>
|
## </description>
|
||||||
@ -255,7 +255,7 @@ define(`domain_kill_all_domains_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_read_all_domains_process_state',`
|
define(`domain_read_all_domains_state',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 domain:dir r_dir_perms;
|
allow $1 domain:dir r_dir_perms;
|
||||||
@ -270,7 +270,7 @@ define(`domain_read_all_domains_process_state',`
|
|||||||
dontaudit $1 domain:process ptrace;
|
dontaudit $1 domain:process ptrace;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_read_all_domains_process_state_depend',`
|
define(`domain_read_all_domains_state_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -280,7 +280,7 @@ define(`domain_read_all_domains_process_state_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="domain_ignore_read_all_domains_process_dirs">
|
## <interface name="domain_dontaudit_list_all_domains_proc">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts to read the process state
|
## Do not audit attempts to read the process state
|
||||||
## directories of all domains.
|
## directories of all domains.
|
||||||
@ -290,13 +290,13 @@ define(`domain_read_all_domains_process_state_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_read_all_domains_process_dirs',`
|
define(`domain_dontaudit_list_all_domains_proc',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 domain:dir r_dir_perms;
|
dontaudit $1 domain:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_read_all_domains_process_dirs_depend',`
|
define(`domain_dontaudit_list_all_domains_proc_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -304,7 +304,7 @@ define(`domain_ignore_read_all_domains_process_dirs_depend',`
|
|||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="domain_get_all_domains_session_id">
|
## <interface name="domain_getsession_all_domains">
|
||||||
## <description>
|
## <description>
|
||||||
## Get the session ID of all domains.
|
## Get the session ID of all domains.
|
||||||
## </description>
|
## </description>
|
||||||
@ -313,20 +313,20 @@ define(`domain_ignore_read_all_domains_process_dirs_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_get_all_domains_session_id',`
|
define(`domain_getsession_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 domain:process getsession;
|
allow $1 domain:process getsession;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_get_all_domains_session_id_depend',`
|
define(`domain_getsession_all_domains_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class process getsession;
|
class process getsession;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="domain_ignore_get_all_domains_udp_socket_attributes">
|
## <interface name="domain_dontaudit_getattr_all_udp_sockets">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
## of all domains UDP sockets.
|
## of all domains UDP sockets.
|
||||||
@ -336,20 +336,20 @@ define(`domain_get_all_domains_session_id_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_get_all_domains_udp_socket_attributes',`
|
define(`domain_dontaudit_getattr_all_udp_sockets',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 domain:udp_socket getattr;
|
dontaudit $1 domain:udp_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
|
define(`domain_dontaudit_getattr_all_udp_sockets_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class udp_socket getattr;
|
class udp_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="domain_ignore_get_all_domains_tcp_socket_attributes">
|
## <interface name="domain_dontaudit_getattr_all_tcp_sockets">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
## of all domains TCP sockets.
|
## of all domains TCP sockets.
|
||||||
@ -359,20 +359,20 @@ define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
|
define(`domain_dontaudit_getattr_all_tcp_sockets',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 domain:tcp_socket getattr;
|
dontaudit $1 domain:tcp_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
|
define(`domain_dontaudit_getattr_all_tcp_sockets_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class tcp_socket getattr;
|
class tcp_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="domain_ignore_get_all_domains_unix_dgram_socket_attributes">
|
## <interface name="domain_dontaudit_getattr_all_unix_dgram_sockets">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
## of all domains unix datagram sockets.
|
## of all domains unix datagram sockets.
|
||||||
@ -382,20 +382,20 @@ define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
|
define(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 domain:unix_dgram_socket getattr;
|
dontaudit $1 domain:unix_dgram_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
|
define(`domain_dontaudit_getattr_all_unix_dgram_sockets_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class unix_dgram_socket getattr;
|
class unix_dgram_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="domain_ignore_get_all_domains_pipe_attributes">
|
## <interface name="domain_dontaudit_getattr_all_unnamed_pipes">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
## of all domains unnamed pipes.
|
## of all domains unnamed pipes.
|
||||||
@ -405,13 +405,13 @@ define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_get_all_domains_pipe_attributes',`
|
define(`domain_dontaudit_getattr_all_unnamed_pipes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 domain:fifo_file getattr;
|
dontaudit $1 domain:fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
|
define(`domain_dontaudit_getattr_all_unnamed_pipes_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
class fifo_file getattr;
|
class fifo_file getattr;
|
||||||
@ -419,16 +419,16 @@ define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_execute_all_entrypoint_programs(domain)
|
# domain_exec_all_entry_files(domain)
|
||||||
#
|
#
|
||||||
define(`domain_execute_all_entrypoint_programs',`
|
define(`domain_exec_all_entry_files',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,entry_type)
|
can_exec($1,entry_type)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_execute_all_entrypoint_programs_depend',`
|
define(`domain_exec_all_entry_files_depend',`
|
||||||
attribute entry_type;
|
attribute entry_type;
|
||||||
|
|
||||||
class file { getattr read ioctl lock execute execute_no_trans };
|
class file { getattr read ioctl lock execute execute_no_trans };
|
||||||
@ -436,16 +436,16 @@ define(`domain_execute_all_entrypoint_programs_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# domain_read_all_entrypoint_programs(domain)
|
# domain_read_all_entry_files(domain)
|
||||||
#
|
#
|
||||||
define(`domain_read_all_entrypoint_programs',`
|
define(`domain_read_all_entry_files',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 entry_type:lnk_file r_file_perms;
|
allow $1 entry_type:lnk_file r_file_perms;
|
||||||
allow $1 entry_type:file r_file_perms;
|
allow $1 entry_type:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_read_all_entrypoint_programs_depend',`
|
define(`domain_read_all_entry_files_depend',`
|
||||||
attribute entry_type;
|
attribute entry_type;
|
||||||
|
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for getty.</summary>
|
## <summary>Policy for getty.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="getty_transition">
|
## <interface name="getty_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute gettys in the getty domain.
|
## Execute gettys in the getty domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_transition',`
|
define(`getty_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 getty_exec_t:file { getattr read execute };
|
allow $1 getty_exec_t:file { getattr read execute };
|
||||||
@ -25,7 +25,7 @@ define(`getty_transition',`
|
|||||||
allow getty_t $1:process sigchld;
|
allow getty_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_transition_depend',`
|
define(`getty_domtrans_depend',`
|
||||||
type getty_t, getty_exec_t;
|
type getty_t, getty_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute };
|
class file { getattr read execute };
|
||||||
@ -35,7 +35,7 @@ define(`getty_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="getty_read_log_file">
|
## <interface name="getty_read_log">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to read getty log file.
|
## Allow process to read getty log file.
|
||||||
## </description>
|
## </description>
|
||||||
@ -44,20 +44,20 @@ define(`getty_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_read_log_file',`
|
define(`getty_read_log',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 getty_log_t:file { getattr read };
|
allow $1 getty_log_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_read_log_file_depend',`
|
define(`getty_read_log_depend',`
|
||||||
type getty_log_t;
|
type getty_log_t;
|
||||||
|
|
||||||
class file { getattr read };
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="getty_read_config_file">
|
## <interface name="getty_read_config">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to read getty config file.
|
## Allow process to read getty config file.
|
||||||
## </description>
|
## </description>
|
||||||
@ -66,20 +66,20 @@ define(`getty_read_log_file_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_read_config_file',`
|
define(`getty_read_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 getty_etc_t:file { getattr read };
|
allow $1 getty_etc_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_read_config_file_depend',`
|
define(`getty_read_config_depend',`
|
||||||
type getty_etc_t;
|
type getty_etc_t;
|
||||||
|
|
||||||
class file { getattr read };
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="getty_modify_config_file">
|
## <interface name="getty_modify_config">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to edit getty config file.
|
## Allow process to edit getty config file.
|
||||||
## </description>
|
## </description>
|
||||||
@ -88,13 +88,13 @@ define(`getty_read_config_file_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_modify_config_file',`
|
define(`getty_modify_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 getty_etc_t:file { getattr read write };
|
allow $1 getty_etc_t:file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_modify_config_file_depend',`
|
define(`getty_modify_config_depend',`
|
||||||
type getty_etc_t;
|
type getty_etc_t;
|
||||||
|
|
||||||
class file { getattr read write };
|
class file { getattr read write };
|
||||||
|
@ -8,17 +8,17 @@ policy_module(getty,1.0)
|
|||||||
|
|
||||||
type getty_t;
|
type getty_t;
|
||||||
type getty_exec_t;
|
type getty_exec_t;
|
||||||
init_make_init_domain(getty_t,getty_exec_t)
|
init_domain(getty_t,getty_exec_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(getty_t)
|
domain_wide_inherit_fd(getty_t)
|
||||||
|
|
||||||
type getty_etc_t;
|
type getty_etc_t;
|
||||||
typealias getty_etc_t alias etc_getty_t;
|
typealias getty_etc_t alias etc_getty_t;
|
||||||
|
|
||||||
type getty_log_t;
|
type getty_log_t;
|
||||||
logging_make_log_file(getty_log_t)
|
logging_log_file(getty_log_t)
|
||||||
|
|
||||||
type getty_tmp_t;
|
type getty_tmp_t;
|
||||||
files_make_temporary_file(getty_tmp_t)
|
files_tmp_file(getty_tmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -34,11 +34,11 @@ allow getty_t self:process { getpgid getsession };
|
|||||||
|
|
||||||
allow getty_t getty_etc_t:dir r_dir_perms;
|
allow getty_t getty_etc_t:dir r_dir_perms;
|
||||||
allow getty_t getty_etc_t:file r_file_perms;
|
allow getty_t getty_etc_t:file r_file_perms;
|
||||||
files_create_private_config(getty_t,getty_etc_t,{ file dir })
|
files_create_etc_config(getty_t,getty_etc_t,{ file dir })
|
||||||
|
|
||||||
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
|
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
|
||||||
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
|
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
|
||||||
files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir })
|
files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
|
||||||
|
|
||||||
allow getty_t getty_log_t:file { getattr append setattr };
|
allow getty_t getty_log_t:file { getattr append setattr };
|
||||||
|
|
||||||
@ -54,23 +54,23 @@ term_setattr_all_user_ttys(getty_t)
|
|||||||
term_setattr_unallocated_ttys(getty_t)
|
term_setattr_unallocated_ttys(getty_t)
|
||||||
term_setattr_console(getty_t)
|
term_setattr_console(getty_t)
|
||||||
|
|
||||||
authlogin_modify_login_records(getty_t)
|
auth_rw_login_records(getty_t)
|
||||||
|
|
||||||
corecommands_search_general_programs_directory(getty_t)
|
corecmd_search_bin(getty_t)
|
||||||
|
|
||||||
files_modify_system_runtime_data(getty_t)
|
files_rw_generic_pids(getty_t)
|
||||||
files_manage_system_lock_files(getty_t)
|
files_manage_generic_lock_files(getty_t)
|
||||||
files_read_runtime_system_config(getty_t)
|
files_read_etc_runtime_files(getty_t)
|
||||||
files_read_general_system_config(getty_t)
|
files_read_generic_etc_files(getty_t)
|
||||||
|
|
||||||
init_script_modify_runtime_data(getty_t)
|
init_rw_script_pid(getty_t)
|
||||||
init_script_use_pseudoterminal(getty_t)
|
init_use_script_pty(getty_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(getty_t)
|
libs_use_ld_so(getty_t)
|
||||||
libraries_use_shared_libraries(getty_t)
|
libs_use_shared_libs(getty_t)
|
||||||
|
|
||||||
locallogin_transition(getty_t)
|
locallogin_domtrans(getty_t)
|
||||||
|
|
||||||
logging_send_system_log_message(getty_t)
|
logging_send_syslog_msg(getty_t)
|
||||||
|
|
||||||
miscfiles_read_localization(getty_t)
|
miscfiles_read_localization(getty_t)
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for changing the system host name.</summary>
|
## <summary>Policy for changing the system host name.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="hostname_transition">
|
## <interface name="hostname_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute hostname in the hostname domain.
|
## Execute hostname in the hostname domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -12,7 +12,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hostname_transition',`
|
define(`hostname_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 hostname_exec_t:file rx_file_perms;
|
allow $1 hostname_exec_t:file rx_file_perms;
|
||||||
@ -26,7 +26,7 @@ define(`hostname_transition',`
|
|||||||
allow hostname_t $1:process sigchld;
|
allow hostname_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_transition_depend',`
|
define(`hostname_domtrans_depend',`
|
||||||
type hostname_t, hostname_exec_t;
|
type hostname_t, hostname_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -36,7 +36,7 @@ define(`hostname_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="hostname_transition_add_role_use_terminal">
|
## <interface name="hostname_run">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute hostname in the hostname domain, and
|
## Execute hostname in the hostname domain, and
|
||||||
## allow the specified role the hostname domain.
|
## allow the specified role the hostname domain.
|
||||||
@ -53,22 +53,22 @@ define(`hostname_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hostname_transition_add_role_use_terminal',`
|
define(`hostname_run',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
hostname_transition($1)
|
hostname_domtrans($1)
|
||||||
role $2 types hostname_t;
|
role $2 types hostname_t;
|
||||||
allow hostname_t $3:chr_file { getattr read write ioctl };
|
allow hostname_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_transition_add_role_use_terminal_depend',`
|
define(`hostname_run_depend',`
|
||||||
type hostname_t;
|
type hostname_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="hostname_execute">
|
## <interface name="hostname_exec">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute hostname in the hostname domain, and
|
## Execute hostname in the hostname domain, and
|
||||||
## Has a sigchld signal backchannel.
|
## Has a sigchld signal backchannel.
|
||||||
@ -80,16 +80,16 @@ define(`hostname_transition_add_role_use_terminal_depend',`
|
|||||||
#
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# hostname_execute(domain)
|
# hostname_exec(domain)
|
||||||
#
|
#
|
||||||
define(`hostname_execute',`
|
define(`hostname_exec',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,hostname_exec_t)
|
can_exec($1,hostname_exec_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_execute_depend',`
|
define(`hostname_exec_depend',`
|
||||||
type hostname_exec_t;
|
type hostname_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
|
@ -8,7 +8,7 @@ policy_module(hostname,1.0)
|
|||||||
|
|
||||||
type hostname_t;
|
type hostname_t;
|
||||||
type hostname_exec_t;
|
type hostname_exec_t;
|
||||||
init_make_system_domain(hostname_t,hostname_exec_t)
|
init_system_domain(hostname_t,hostname_exec_t)
|
||||||
role system_r types hostname_t;
|
role system_r types hostname_t;
|
||||||
|
|
||||||
|
|
||||||
@ -23,36 +23,36 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal };
|
|||||||
allow hostname_t self:capability sys_admin;
|
allow hostname_t self:capability sys_admin;
|
||||||
dontaudit hostname_t self:capability sys_tty_config;
|
dontaudit hostname_t self:capability sys_tty_config;
|
||||||
|
|
||||||
sysnetwork_read_network_config(hostname_t)
|
sysnet_read_config(hostname_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(hostname_t)
|
kernel_read_kernel_sysctl(hostname_t)
|
||||||
kernel_read_hardware_state(hostname_t)
|
kernel_read_hardware_state(hostname_t)
|
||||||
kernel_dontaudit_use_fd(hostname_t)
|
kernel_dontaudit_use_fd(hostname_t)
|
||||||
|
|
||||||
files_read_general_system_config(hostname_t)
|
files_read_generic_etc_files(hostname_t)
|
||||||
files_ignore_search_system_state_data_directory(hostname_t)
|
files_dontaudit_search_var(hostname_t)
|
||||||
fs_getattr_xattr_fs(hostname_t)
|
fs_getattr_xattr_fs(hostname_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(hostname_t)
|
term_dontaudit_use_console(hostname_t)
|
||||||
term_use_all_user_ttys(hostname_t)
|
term_use_all_user_ttys(hostname_t)
|
||||||
term_use_all_user_ptys(hostname_t)
|
term_use_all_user_ptys(hostname_t)
|
||||||
|
|
||||||
init_use_file_descriptors(hostname_t)
|
init_use_fd(hostname_t)
|
||||||
init_script_use_pseudoterminal(hostname_t)
|
init_use_script_pty(hostname_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(hostname_t)
|
domain_use_wide_inherit_fd(hostname_t)
|
||||||
|
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
files_ignore_search_isid_type_dir(hostname_t)
|
files_dontaudit_search_isid_type_dir(hostname_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(hostname_t)
|
libs_use_ld_so(hostname_t)
|
||||||
libraries_use_shared_libraries(hostname_t)
|
libs_use_shared_libs(hostname_t)
|
||||||
|
|
||||||
logging_send_system_log_message(hostname_t)
|
logging_send_syslog_msg(hostname_t)
|
||||||
|
|
||||||
miscfiles_read_localization(hostname_t)
|
miscfiles_read_localization(hostname_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(hostname_t)
|
userdom_use_all_user_fd(hostname_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
fs_use_tmpfs_character_devices(hostname_t)
|
fs_use_tmpfs_character_devices(hostname_t)
|
||||||
@ -61,7 +61,7 @@ ifdef(`distro_redhat', `
|
|||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(hostname_t)
|
term_dontaudit_use_unallocated_tty(hostname_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(hostname_t)
|
terminal_ignore_use_general_pseudoterminal(hostname_t)
|
||||||
files_ignore_read_rootfs_file(hostname_t)
|
files_dontaudit_read_root_file(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`use_dns',`
|
||||||
@ -72,11 +72,11 @@ tunable_policy(`use_dns',`
|
|||||||
corenet_raw_sendrecv_all_nodes(hostname_t)
|
corenet_raw_sendrecv_all_nodes(hostname_t)
|
||||||
corenet_udp_bind_all_nodes(hostname_t)
|
corenet_udp_bind_all_nodes(hostname_t)
|
||||||
corenet_udp_sendrecv_dns_port(hostname_t)
|
corenet_udp_sendrecv_dns_port(hostname_t)
|
||||||
sysnetwork_read_network_config(hostname_t)
|
sysnet_read_config(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
hotplug_ignore_use_file_descriptors(hostname_t)
|
hotplug_dontaudit_use_fd(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -84,7 +84,7 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(hostname_t)
|
udev_read_db(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -6,9 +6,9 @@
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# hotplug_transition(domain)
|
# hotplug_domtrans(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_transition',`
|
define(`hotplug_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 hotplug_exec_t:file rx_file_perms;
|
allow $1 hotplug_exec_t:file rx_file_perms;
|
||||||
@ -22,7 +22,7 @@ define(`hotplug_transition',`
|
|||||||
allow hotplug_t $1:process sigchld;
|
allow hotplug_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_transition_depend',`
|
define(`hotplug_domtrans_depend',`
|
||||||
type hotplug_t, hotplug_exec_t;
|
type hotplug_t, hotplug_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -33,16 +33,16 @@ define(`hotplug_transition_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# hotplug_execute(domain)
|
# hotplug_exec(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_execute',`
|
define(`hotplug_exec',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,hotplug_exec_t)
|
can_exec($1,hotplug_exec_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_execute_depend',`
|
define(`hotplug_exec_depend',`
|
||||||
type hotplug_t;
|
type hotplug_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
@ -50,15 +50,15 @@ define(`hotplug_execute_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# hotplug_use_file_descriptors(domain)
|
# hotplug_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_use_file_descriptors',`
|
define(`hotplug_use_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 hotplug_t:fd use;
|
allow $1 hotplug_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_use_file_descriptors_depend',`
|
define(`hotplug_use_fd_depend',`
|
||||||
type hotplug_t;
|
type hotplug_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -66,15 +66,15 @@ define(`hotplug_use_file_descriptors_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# hotplug_ignore_use_file_descriptors(domain)
|
# hotplug_dontaudit_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_ignore_use_file_descriptors',`
|
define(`hotplug_dontaudit_use_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 hotplug_t:fd use;
|
dontaudit $1 hotplug_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_ignore_use_file_descriptors_depend',`
|
define(`hotplug_dontaudit_use_fd_depend',`
|
||||||
type hotplug_t;
|
type hotplug_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -82,15 +82,15 @@ define(`hotplug_ignore_use_file_descriptors_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# hotplug_ignore_search_config_directory(domain)
|
# hotplug_dontaudit_search_config(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_ignore_search_config_directory',`
|
define(`hotplug_dontaudit_search_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 hotplug_etc_t:dir search;
|
dontaudit $1 hotplug_etc_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_ignore_search_config_directory_depend',`
|
define(`hotplug_dontaudit_search_config_depend',`
|
||||||
type hotplug_etc_t;
|
type hotplug_etc_t;
|
||||||
|
|
||||||
class dir search;
|
class dir search;
|
||||||
@ -109,7 +109,7 @@ define(`hotplug_ignore_search_config_directory_depend',`
|
|||||||
define(`hotplug_read_config',`
|
define(`hotplug_read_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_general_system_config_directory($1)
|
files_search_etc($1)
|
||||||
allow $1 hotplug_etc_t:file r_file_perms;
|
allow $1 hotplug_etc_t:file r_file_perms;
|
||||||
allow $1 hotplug_etc_t:dir r_dir_perms;
|
allow $1 hotplug_etc_t:dir r_dir_perms;
|
||||||
allow $1 hotplug_etc_t:lnk_file r_file_perms;
|
allow $1 hotplug_etc_t:lnk_file r_file_perms;
|
||||||
|
@ -9,13 +9,13 @@ policy_module(hotplug, 1.0)
|
|||||||
type hotplug_t;
|
type hotplug_t;
|
||||||
type hotplug_exec_t;
|
type hotplug_exec_t;
|
||||||
kernel_userland_entry(hotplug_t,hotplug_exec_t)
|
kernel_userland_entry(hotplug_t,hotplug_exec_t)
|
||||||
init_make_system_domain(hotplug_t,hotplug_exec_t)
|
init_system_domain(hotplug_t,hotplug_exec_t)
|
||||||
|
|
||||||
type hotplug_etc_t; #, usercanread;
|
type hotplug_etc_t; #, usercanread;
|
||||||
files_make_file(hotplug_etc_t)
|
files_file_type(hotplug_etc_t)
|
||||||
|
|
||||||
type hotplug_var_run_t;
|
type hotplug_var_run_t;
|
||||||
files_make_daemon_runtime_file(hotplug_var_run_t)
|
files_pid_file(hotplug_var_run_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -41,7 +41,7 @@ allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_tran
|
|||||||
allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
|
allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
|
||||||
|
|
||||||
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
|
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
|
||||||
files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t)
|
files_create_pid(hotplug_t,hotplug_var_run_t)
|
||||||
|
|
||||||
kernel_read_system_state(hotplug_t)
|
kernel_read_system_state(hotplug_t)
|
||||||
kernel_read_kernel_sysctl(hotplug_t)
|
kernel_read_kernel_sysctl(hotplug_t)
|
||||||
@ -68,71 +68,71 @@ storage_set_removable_device_attributes(hotplug_t)
|
|||||||
|
|
||||||
term_dontaudit_use_console(hotplug_t)
|
term_dontaudit_use_console(hotplug_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(hotplug_t)
|
corecmd_exec_bin(hotplug_t)
|
||||||
corecommands_execute_shell(hotplug_t)
|
corecmd_exec_shell(hotplug_t)
|
||||||
corecommands_execute_system_programs(hotplug_t)
|
corecmd_exec_sbin(hotplug_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(hotplug_t)
|
domain_use_wide_inherit_fd(hotplug_t)
|
||||||
|
|
||||||
files_read_general_system_config(hotplug_t)
|
files_read_generic_etc_files(hotplug_t)
|
||||||
files_manage_runtime_system_config(hotplug_t)
|
files_manage_etc_runtime_files(hotplug_t)
|
||||||
files_execute_system_config_script(hotplug_t)
|
files_exec_generic_etc_files(hotplug_t)
|
||||||
# for when filesystems are not mounted early in the boot:
|
# for when filesystems are not mounted early in the boot:
|
||||||
files_ignore_search_isid_type_dir(hotplug_t)
|
files_dontaudit_search_isid_type_dir(hotplug_t)
|
||||||
|
|
||||||
init_use_file_descriptors(hotplug_t)
|
init_use_fd(hotplug_t)
|
||||||
init_script_use_pseudoterminal(hotplug_t)
|
init_use_script_pty(hotplug_t)
|
||||||
init_script_read_process_state(hotplug_t)
|
init_read_script_process_state(hotplug_t)
|
||||||
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
|
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
|
||||||
# run sendmail -q
|
# run sendmail -q
|
||||||
init_script_transition(hotplug_t)
|
init_domtrans_script(hotplug_t)
|
||||||
# kernel threads inherit from shared descriptor table used by init
|
# kernel threads inherit from shared descriptor table used by init
|
||||||
init_ignore_use_control_channel(hotplug_t)
|
init_dontaudit_use_initctl(hotplug_t)
|
||||||
|
|
||||||
logging_send_system_log_message(hotplug_t)
|
logging_send_syslog_msg(hotplug_t)
|
||||||
logging_search_system_log_directory(hotplug_t)
|
logging_search_logs(hotplug_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(hotplug_t)
|
libs_use_ld_so(hotplug_t)
|
||||||
libraries_use_shared_libraries(hotplug_t)
|
libs_use_shared_libs(hotplug_t)
|
||||||
# Read /usr/lib/gconv/.*
|
# Read /usr/lib/gconv/.*
|
||||||
libraries_read_library_resources(hotplug_t)
|
libs_read_lib(hotplug_t)
|
||||||
|
|
||||||
modutils_insmod_transition(hotplug_t)
|
modutils_domtrans_insmod(hotplug_t)
|
||||||
modutils_read_kernel_module_dependencies(hotplug_t)
|
modutils_read_kernel_module_dependencies(hotplug_t)
|
||||||
|
|
||||||
miscfiles_read_localization(hotplug_t)
|
miscfiles_read_localization(hotplug_t)
|
||||||
|
|
||||||
mount_transition(hotplug_t)
|
mount_domtrans(hotplug_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config(hotplug_t)
|
sysnet_read_config(hotplug_t)
|
||||||
|
|
||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
|
userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
optional_policy(`netutils.te', `
|
optional_policy(`netutils.te', `
|
||||||
# for arping used for static IP addresses on PCMCIA ethernet
|
# for arping used for static IP addresses on PCMCIA ethernet
|
||||||
netutils_transition(hotplug_t)
|
netutils_domtrans(hotplug_t)
|
||||||
fs_use_tmpfs_character_devices(hotplug_t)
|
fs_use_tmpfs_character_devices(hotplug_t)
|
||||||
')
|
')
|
||||||
files_get_system_lock_file_attributes(hotplug_t)
|
files_getattr_generic_lock_files(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(hotplug_t)
|
term_dontaudit_use_unallocated_tty(hotplug_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(hotplug_t)
|
terminal_ignore_use_general_pseudoterminal(hotplug_t)
|
||||||
files_ignore_read_rootfs_file(hotplug_t)
|
files_dontaudit_read_root_file(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`consoletype.te',`
|
optional_policy(`consoletype.te',`
|
||||||
consoletype_transition(hotplug_t)
|
consoletype_domtrans(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hostname.te',`
|
optional_policy(`hostname.te',`
|
||||||
hostname_execute(hotplug_t)
|
hostname_exec(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`iptables.te',`
|
optional_policy(`iptables.te',`
|
||||||
iptables_transition(hotplug_t)
|
iptables_domtrans(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`mta.te', `
|
optional_policy(`mta.te', `
|
||||||
@ -144,12 +144,12 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`sysnetwork.te',`
|
optional_policy(`sysnetwork.te',`
|
||||||
sysnetwork_ifconfig_transition(hotplug_t)
|
sysnet_domtrans_ifconfig(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_transition(hotplug_t)
|
udev_domtrans(hotplug_t)
|
||||||
udev_read_database(hotplug_t)
|
udev_read_db(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`updfstab.te', `
|
optional_policy(`updfstab.te', `
|
||||||
|
@ -3,13 +3,13 @@
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_make_init_domain(domain,entrypointfile)
|
# init_domain(domain,entrypointfile)
|
||||||
#
|
#
|
||||||
define(`init_make_init_domain',`
|
define(`init_domain',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_make_domain($1)
|
domain_type($1)
|
||||||
domain_make_entrypoint_file($1,$2)
|
domain_entry_file($1,$2)
|
||||||
|
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
@ -27,11 +27,11 @@ define(`init_make_init_domain',`
|
|||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
optional_policy(`distro_redhat',`
|
optional_policy(`distro_redhat',`
|
||||||
kernel_dontaudit_use_fd($1)
|
kernel_dontaudit_use_fd($1)
|
||||||
files_ignore_read_rootfs_file($1)
|
files_dontaudit_read_root_file($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_make_init_domain_depend',`
|
define(`init_domain_depend',`
|
||||||
type init_t;
|
type init_t;
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -42,13 +42,13 @@ define(`init_make_init_domain_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_make_daemon_domain(domain,entrypointfile)
|
# init_daemon_domain(domain,entrypointfile)
|
||||||
#
|
#
|
||||||
define(`init_make_daemon_domain',`
|
define(`init_daemon_domain',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_make_domain($1)
|
domain_type($1)
|
||||||
domain_make_entrypoint_file($1,$2)
|
domain_entry_file($1,$2)
|
||||||
|
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
@ -66,11 +66,11 @@ define(`init_make_daemon_domain',`
|
|||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
optional_policy(`distro_redhat',`
|
optional_policy(`distro_redhat',`
|
||||||
kernel_dontaudit_use_fd($1)
|
kernel_dontaudit_use_fd($1)
|
||||||
files_ignore_read_rootfs_file($1)
|
files_dontaudit_read_root_file($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_make_daemon_domain_depend',`
|
define(`init_daemon_domain_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
|
|
||||||
role system_r;
|
role system_r;
|
||||||
@ -83,13 +83,13 @@ define(`init_make_daemon_domain_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_make_system_domain(domain,entrypointfile)
|
# init_system_domain(domain,entrypointfile)
|
||||||
#
|
#
|
||||||
define(`init_make_system_domain',`
|
define(`init_system_domain',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_make_domain($1)
|
domain_type($1)
|
||||||
domain_make_entrypoint_file($1,$2)
|
domain_entry_file($1,$2)
|
||||||
|
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
@ -107,11 +107,11 @@ define(`init_make_system_domain',`
|
|||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
optional_policy(`distro_redhat',`
|
optional_policy(`distro_redhat',`
|
||||||
kernel_dontaudit_use_fd($1)
|
kernel_dontaudit_use_fd($1)
|
||||||
files_ignore_read_rootfs_file($1)
|
files_dontaudit_read_root_file($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_make_system_domain_depend',`
|
define(`init_system_domain_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
role system_r;
|
role system_r;
|
||||||
|
|
||||||
@ -123,9 +123,9 @@ define(`init_make_system_domain_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_transition(domain)
|
# init_domtrans(domain)
|
||||||
#
|
#
|
||||||
define(`init_transition',`
|
define(`init_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 init_exec_t:file rx_file_perms;
|
allow $1 init_exec_t:file rx_file_perms;
|
||||||
@ -139,7 +139,7 @@ define(`init_transition',`
|
|||||||
allow init_t $1:process sigchld;
|
allow init_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_transition_depend',`
|
define(`init_domtrans_depend',`
|
||||||
type init_t, init_exec_t;
|
type init_t, init_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -166,15 +166,15 @@ define(`init_get_process_group_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_get_control_channel_attributes(domain)
|
# init_getattr_initctl(domain)
|
||||||
#
|
#
|
||||||
define(`init_get_control_channel_attributes',`
|
define(`init_getattr_initctl',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 initctl_t:fifo_file getattr;
|
allow $1 initctl_t:fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_get_control_channel_attributes_depend',`
|
define(`init_getattr_initctl_depend',`
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
|
|
||||||
class fifo_file getattr;
|
class fifo_file getattr;
|
||||||
@ -182,15 +182,15 @@ define(`init_get_control_channel_attributes_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_ignore_get_control_channel_attributes(domain)
|
# init_dontaudit_getattr_initctl(domain)
|
||||||
#
|
#
|
||||||
define(`init_ignore_get_control_channel_attributes',`
|
define(`init_dontaudit_getattr_initctl',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 initctl_t:fifo_file getattr;
|
dontaudit $1 initctl_t:fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_get_control_channel_attributes_depend',`
|
define(`init_getattr_initctl_depend',`
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
|
|
||||||
class fifo_file getattr;
|
class fifo_file getattr;
|
||||||
@ -198,16 +198,16 @@ define(`init_get_control_channel_attributes_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_use_control_channel(domain)
|
# init_use_initctl(domain)
|
||||||
#
|
#
|
||||||
define(`init_use_control_channel',`
|
define(`init_use_initctl',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 initctl_t:fifo_file rw_file_perms;
|
allow $1 initctl_t:fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_use_control_channel_depend',`
|
define(`init_use_initctl_depend',`
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
|
|
||||||
class fifo_file rw_file_perms;
|
class fifo_file rw_file_perms;
|
||||||
@ -215,15 +215,15 @@ define(`init_use_control_channel_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_ignore_use_control_channel(domain)
|
# init_dontaudit_use_initctl(domain)
|
||||||
#
|
#
|
||||||
define(`init_ignore_use_control_channel',`
|
define(`init_dontaudit_use_initctl',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 initctl_t:fifo_file { read write };
|
dontaudit $1 initctl_t:fifo_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_ignore_use_control_channel_depend',`
|
define(`init_dontaudit_use_initctl_depend',`
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
|
|
||||||
class fifo_file { read write };
|
class fifo_file { read write };
|
||||||
@ -247,15 +247,15 @@ define(`init_sigchld_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_use_file_descriptors(domain)
|
# init_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`init_use_file_descriptors',`
|
define(`init_use_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 init_t:fd use;
|
allow $1 init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_use_file_descriptors_depend',`
|
define(`init_use_fd_depend',`
|
||||||
type init_t;
|
type init_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -263,15 +263,15 @@ define(`init_use_file_descriptors_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_ignore_use_file_descriptors(domain)
|
# init_dontaudit_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`init_ignore_use_file_descriptors',`
|
define(`init_dontaudit_use_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 init_t:fd use;
|
dontaudit $1 init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_ignore_use_file_descriptors_depend',`
|
define(`init_dontaudit_use_fd_depend',`
|
||||||
type init_t;
|
type init_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -279,9 +279,9 @@ define(`init_ignore_use_file_descriptors_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_transition(domain)
|
# init_domtrans_script(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_transition',`
|
define(`init_domtrans_script',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 initrc_exec_t:file rx_file_perms;
|
allow $1 initrc_exec_t:file rx_file_perms;
|
||||||
@ -295,7 +295,7 @@ define(`init_script_transition',`
|
|||||||
allow initrc_t $1:process sigchld;
|
allow initrc_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_transition_depend',`
|
define(`init_domtrans_script_depend',`
|
||||||
type initrc_t, initrc_exec_t;
|
type initrc_t, initrc_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -306,23 +306,23 @@ define(`init_script_transition_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_execute(domain)
|
# init_exec_script(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_execute',`
|
define(`init_exec_script',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,initrc_exec_t)
|
can_exec($1,initrc_exec_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_execute_depend',`
|
define(`init_exec_script_depend',`
|
||||||
type initrc_exec_t;
|
type initrc_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="init_script_read_process_state">
|
## <interface name="init_read_script_process_state">
|
||||||
## <description>
|
## <description>
|
||||||
## Read the process state (/proc/pid) of the init scripts.
|
## Read the process state (/proc/pid) of the init scripts.
|
||||||
## </description>
|
## </description>
|
||||||
@ -331,7 +331,7 @@ define(`init_script_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`init_script_read_process_state',`
|
define(`init_read_script_process_state',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 initrc_t:dir r_dir_perms;
|
allow $1 initrc_t:dir r_dir_perms;
|
||||||
@ -345,7 +345,7 @@ define(`init_script_read_process_state',`
|
|||||||
dontaudit $1 initrc_t:process ptrace;
|
dontaudit $1 initrc_t:process ptrace;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_read_process_state_depend',`
|
define(`init_read_script_process_state_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -356,15 +356,15 @@ define(`init_script_read_process_state_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_use_file_descriptors(domain)
|
# init_use_script_fd(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_use_file_descriptors',`
|
define(`init_use_script_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 initrc_t:fd use;
|
allow $1 initrc_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_use_file_descriptors_depend',`
|
define(`init_use_script_fd_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -372,15 +372,15 @@ define(`init_script_use_file_descriptors_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_ignore_use_file_descriptors(domain)
|
# init_dontaudit_use_script_fd(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_ignore_use_file_descriptors',`
|
define(`init_dontaudit_use_script_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 initrc_t:fd use;
|
dontaudit $1 initrc_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_ignore_use_file_descriptors_depend',`
|
define(`init_dontaudit_use_script_fd_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
@ -388,15 +388,15 @@ define(`init_script_ignore_use_file_descriptors_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_get_process_group(domain)
|
# init_get_script_process_group(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_get_process_group',`
|
define(`init_get_script_process_group',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 initrc_t:process getpgid;
|
allow $1 initrc_t:process getpgid;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_get_process_group_depend',`
|
define(`init_get_script_process_group_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
|
|
||||||
class process getpgid;
|
class process getpgid;
|
||||||
@ -404,16 +404,16 @@ define(`init_script_get_process_group_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_use_pseudoterminal(domain)
|
# init_use_script_pty(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_use_pseudoterminal',`
|
define(`init_use_script_pty',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
term_list_ptys($1)
|
term_list_ptys($1)
|
||||||
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
|
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_use_pseudoterminal_depend',`
|
define(`init_use_script_pty_depend',`
|
||||||
type initrc_devpts_t;
|
type initrc_devpts_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -421,22 +421,22 @@ define(`init_script_use_pseudoterminal_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_ignore_use_pseudoterminal(domain)
|
# init_dontaudit_use_script_pty(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_ignore_use_pseudoterminal',`
|
define(`init_dontaudit_use_script_pty',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
|
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_ignore_use_pseudoterminal_depend',`
|
define(`init_dontaudit_use_script_pty_depend',`
|
||||||
type initrc_devpts_t;
|
type initrc_devpts_t;
|
||||||
|
|
||||||
class chr_file { read write ioctl };
|
class chr_file { read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="init_script_modify_temporary_data">
|
## <interface name="init_rw_script_tmp_files">
|
||||||
## <description>
|
## <description>
|
||||||
## Read and write init script temporary data.
|
## Read and write init script temporary data.
|
||||||
## </description>
|
## </description>
|
||||||
@ -445,14 +445,14 @@ define(`init_script_ignore_use_pseudoterminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`init_script_modify_temporary_data',`
|
define(`init_rw_script_tmp_files',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: read tmp_t
|
# FIXME: read tmp_t
|
||||||
allow $1 initrc_tmp_t:file rw_file_perms;
|
allow $1 initrc_tmp_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_modify_temporary_data_depend',`
|
define(`init_rw_script_tmp_files_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
@ -460,16 +460,16 @@ define(`init_script_modify_temporary_data_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_read_runtime_data(domain)
|
# init_read_script_pid(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_read_runtime_data',`
|
define(`init_read_script_pid',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_read_runtime_data_directory($1)
|
files_list_pids($1)
|
||||||
allow $1 initrc_var_run_t:file r_file_perms;
|
allow $1 initrc_var_run_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_read_runtime_data_depend',`
|
define(`init_read_script_pid_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
|
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
@ -477,15 +477,15 @@ define(`init_script_read_runtime_data_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_ignore_write_runtime_data(domain)
|
# init_dontaudit_write_script_pid(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_ignore_write_runtime_data',`
|
define(`init_dontaudit_write_script_pid',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 initrc_var_run_t:file { write lock };
|
dontaudit $1 initrc_var_run_t:file { write lock };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_ignore_write_runtime_data_depend',`
|
define(`init_dontaudit_write_script_pid_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
|
|
||||||
class file { write lock };
|
class file { write lock };
|
||||||
@ -493,16 +493,16 @@ define(`init_script_ignore_write_runtime_data_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_modify_runtime_data(domain)
|
# init_rw_script_pid(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_modify_runtime_data',`
|
define(`init_rw_script_pid',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_read_runtime_data_directory($1)
|
files_list_pids($1)
|
||||||
allow $1 initrc_var_run_t:file rw_file_perms;
|
allow $1 initrc_var_run_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_modify_runtime_data_depend',`
|
define(`init_rw_script_pid_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
@ -510,15 +510,15 @@ define(`init_script_modify_runtime_data_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# init_script_ignore_modify_runtime_data(domain)
|
# init_dontaudit_rw_script_pid(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_ignore_modify_runtime_data',`
|
define(`init_dontaudit_rw_script_pid',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_ignore_modify_runtime_data_depend',`
|
define(`init_dontaudit_rw_script_pid_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
|
@ -10,7 +10,7 @@ policy_module(init,1.0)
|
|||||||
# init_t is the domain of the init process.
|
# init_t is the domain of the init process.
|
||||||
#
|
#
|
||||||
type init_t;
|
type init_t;
|
||||||
domain_make_domain(init_t)
|
domain_type(init_t)
|
||||||
role system_r types init_t;
|
role system_r types init_t;
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -18,13 +18,13 @@ role system_r types init_t;
|
|||||||
#
|
#
|
||||||
type init_exec_t;
|
type init_exec_t;
|
||||||
kernel_userland_entry(init_t,init_exec_t)
|
kernel_userland_entry(init_t,init_exec_t)
|
||||||
domain_make_entrypoint_file(init_t,init_exec_t)
|
domain_entry_file(init_t,init_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# init_var_run_t is the type for /var/run/shutdown.pid.
|
# init_var_run_t is the type for /var/run/shutdown.pid.
|
||||||
#
|
#
|
||||||
type init_var_run_t;
|
type init_var_run_t;
|
||||||
files_make_daemon_runtime_file(init_var_run_t)
|
files_pid_file(init_var_run_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# initctl_t is the type of the named pipe created
|
# initctl_t is the type of the named pipe created
|
||||||
@ -32,14 +32,14 @@ files_make_daemon_runtime_file(init_var_run_t)
|
|||||||
# to communicate with init.
|
# to communicate with init.
|
||||||
#
|
#
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
files_make_file(initctl_t)
|
files_file_type(initctl_t)
|
||||||
|
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
domain_make_domain(initrc_t)
|
domain_type(initrc_t)
|
||||||
role system_r types initrc_t;
|
role system_r types initrc_t;
|
||||||
|
|
||||||
type initrc_exec_t;
|
type initrc_exec_t;
|
||||||
domain_make_entrypoint_file(initrc_t,initrc_exec_t)
|
domain_entry_file(initrc_t,initrc_exec_t)
|
||||||
|
|
||||||
type initrc_devpts_t;
|
type initrc_devpts_t;
|
||||||
fs_associate(initrc_devpts_t)
|
fs_associate(initrc_devpts_t)
|
||||||
@ -47,13 +47,13 @@ fs_associate_noxattr(initrc_devpts_t)
|
|||||||
term_pty(initrc_devpts_t)
|
term_pty(initrc_devpts_t)
|
||||||
|
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
files_make_daemon_runtime_file(initrc_var_run_t)
|
files_pid_file(initrc_var_run_t)
|
||||||
|
|
||||||
type initrc_state_t;
|
type initrc_state_t;
|
||||||
files_make_file(initrc_state_t)
|
files_file_type(initrc_state_t)
|
||||||
|
|
||||||
type initrc_tmp_t;
|
type initrc_tmp_t;
|
||||||
files_make_temporary_file(initrc_tmp_t)
|
files_tmp_file(initrc_tmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -67,7 +67,7 @@ allow init_t self:capability ~sys_module;
|
|||||||
# sys_tty_config
|
# sys_tty_config
|
||||||
# kill: now provided by domain_kill_all_domains()
|
# kill: now provided by domain_kill_all_domains()
|
||||||
# setuid (from /sbin/shutdown)
|
# setuid (from /sbin/shutdown)
|
||||||
# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
|
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
|
||||||
|
|
||||||
allow init_t self:fifo_file rw_file_perms;
|
allow init_t self:fifo_file rw_file_perms;
|
||||||
|
|
||||||
@ -76,7 +76,7 @@ allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
|
|||||||
|
|
||||||
# For /var/run/shutdown.pid.
|
# For /var/run/shutdown.pid.
|
||||||
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
|
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
|
||||||
files_create_daemon_runtime_data(init_t,init_var_run_t)
|
files_create_pid(init_t,init_var_run_t)
|
||||||
|
|
||||||
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
|
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
|
||||||
fs_associate_tmpfs(initctl_t)
|
fs_associate_tmpfs(initctl_t)
|
||||||
@ -95,9 +95,9 @@ kernel_share_state(init_t)
|
|||||||
|
|
||||||
term_use_all_terms(init_t)
|
term_use_all_terms(init_t)
|
||||||
|
|
||||||
corecommands_chroot(init_t)
|
corecmd_chroot_exec_chroot(init_t)
|
||||||
corecommands_execute_general_programs(init_t)
|
corecmd_exec_bin(init_t)
|
||||||
corecommands_execute_system_programs(init_t)
|
corecmd_exec_sbin(init_t)
|
||||||
|
|
||||||
domain_kill_all_domains(init_t)
|
domain_kill_all_domains(init_t)
|
||||||
domain_signal_all_domains(init_t)
|
domain_signal_all_domains(init_t)
|
||||||
@ -106,22 +106,22 @@ domain_sigstop_all_domains(init_t)
|
|||||||
domain_sigstop_all_domains(init_t)
|
domain_sigstop_all_domains(init_t)
|
||||||
domain_sigchld_all_domains(init_t)
|
domain_sigchld_all_domains(init_t)
|
||||||
|
|
||||||
files_read_general_system_config(init_t)
|
files_read_generic_etc_files(init_t)
|
||||||
files_modify_system_runtime_data(init_t)
|
files_rw_generic_pids(init_t)
|
||||||
files_ignore_search_isid_type_dir(init_t)
|
files_dontaudit_search_isid_type_dir(init_t)
|
||||||
files_manage_runtime_system_config(init_t)
|
files_manage_etc_runtime_files(init_t)
|
||||||
# Run /etc/X11/prefdm:
|
# Run /etc/X11/prefdm:
|
||||||
files_execute_system_config_script(init_t)
|
files_exec_generic_etc_files(init_t)
|
||||||
# file descriptors inherited from the rootfs:
|
# file descriptors inherited from the rootfs:
|
||||||
files_ignore_modify_rootfs_file(init_t)
|
files_dontaudit_rw_root_file(init_t)
|
||||||
files_ignore_modify_rootfs_device(init_t)
|
files_dontaudit_rw_root_chr_dev(init_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(init_t)
|
libs_use_ld_so(init_t)
|
||||||
libraries_use_shared_libraries(init_t)
|
libs_use_shared_libs(init_t)
|
||||||
libraries_modify_dynamic_loader_cache(init_t)
|
libs_rw_ld_so_cache(init_t)
|
||||||
|
|
||||||
logging_send_system_log_message(init_t)
|
logging_send_syslog_msg(init_t)
|
||||||
logging_modify_system_logs(init_t)
|
logging_rw_generic_logs(init_t)
|
||||||
|
|
||||||
selinux_read_config(init_t)
|
selinux_read_config(init_t)
|
||||||
|
|
||||||
@ -133,12 +133,12 @@ ifdef(`distro_redhat',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`authlogin.te',`
|
optional_policy(`authlogin.te',`
|
||||||
authlogin_modify_login_records(init_t)
|
auth_rw_login_records(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# Run the shell in the sysadm_t domain for single-user mode.
|
# Run the shell in the sysadm_t domain for single-user mode.
|
||||||
optional_policy(`userdomain.te',`
|
optional_policy(`userdomain.te',`
|
||||||
userdomain_sysadm_shell_transition(init_t)
|
userdom_shell_domtrans_sysadm(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -167,11 +167,11 @@ allow initrc_t initrc_state_t:file create_file_perms;
|
|||||||
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
|
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
|
||||||
|
|
||||||
allow initrc_t initrc_var_run_t:file create_file_perms;
|
allow initrc_t initrc_var_run_t:file create_file_perms;
|
||||||
files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
|
files_create_pid(initrc_t,initrc_var_run_t)
|
||||||
|
|
||||||
allow initrc_t initrc_tmp_t:file create_file_perms;
|
allow initrc_t initrc_tmp_t:file create_file_perms;
|
||||||
allow initrc_t initrc_tmp_t:dir create_dir_perms;
|
allow initrc_t initrc_tmp_t:dir create_dir_perms;
|
||||||
files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir })
|
files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })
|
||||||
|
|
||||||
kernel_read_system_state(initrc_t)
|
kernel_read_system_state(initrc_t)
|
||||||
kernel_read_software_raid_state(initrc_t)
|
kernel_read_software_raid_state(initrc_t)
|
||||||
@ -230,16 +230,16 @@ storage_set_removable_device_attributes(initrc_t)
|
|||||||
term_use_all_terms(initrc_t)
|
term_use_all_terms(initrc_t)
|
||||||
term_reset_tty_labels(initrc_t)
|
term_reset_tty_labels(initrc_t)
|
||||||
|
|
||||||
authlogin_modify_login_records(initrc_t)
|
auth_rw_login_records(initrc_t)
|
||||||
authlogin_modify_last_login_log(initrc_t)
|
auth_rw_lastlog(initrc_t)
|
||||||
authlogin_pam_read_runtime_data(initrc_t)
|
auth_read_pam_pid(initrc_t)
|
||||||
authlogin_pam_remove_runtime_data(initrc_t)
|
auth_delete_pam_pid(initrc_t)
|
||||||
authlogin_pam_console_read_runtime_data_dir(initrc_t)
|
auth_list_pam_console_data(initrc_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(initrc_t)
|
corecmd_exec_bin(initrc_t)
|
||||||
corecommands_execute_system_programs(initrc_t)
|
corecmd_exec_sbin(initrc_t)
|
||||||
corecommands_execute_shell(initrc_t)
|
corecmd_exec_shell(initrc_t)
|
||||||
corecommands_execute_ls(initrc_t)
|
corecmd_exec_ls(initrc_t)
|
||||||
|
|
||||||
domain_kill_all_domains(initrc_t)
|
domain_kill_all_domains(initrc_t)
|
||||||
domain_signal_all_domains(initrc_t)
|
domain_signal_all_domains(initrc_t)
|
||||||
@ -247,53 +247,53 @@ domain_signull_all_domains(initrc_t)
|
|||||||
domain_sigstop_all_domains(initrc_t)
|
domain_sigstop_all_domains(initrc_t)
|
||||||
domain_sigstop_all_domains(initrc_t)
|
domain_sigstop_all_domains(initrc_t)
|
||||||
domain_sigchld_all_domains(initrc_t)
|
domain_sigchld_all_domains(initrc_t)
|
||||||
domain_read_all_domains_process_state(initrc_t)
|
domain_read_all_domains_state(initrc_t)
|
||||||
domain_get_all_domains_session_id(initrc_t)
|
domain_getsession_all_domains(initrc_t)
|
||||||
domain_use_widely_inheritable_file_descriptors(initrc_t)
|
domain_use_wide_inherit_fd(initrc_t)
|
||||||
# for lsof which is used by alsa shutdown:
|
# for lsof which is used by alsa shutdown:
|
||||||
domain_ignore_get_all_domains_udp_socket_attributes(initrc_t)
|
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||||
domain_ignore_get_all_domains_tcp_socket_attributes(initrc_t)
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||||
domain_ignore_get_all_domains_unix_dgram_socket_attributes(initrc_t)
|
domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
|
||||||
domain_ignore_get_all_domains_pipe_attributes(initrc_t)
|
domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
|
||||||
|
|
||||||
files_get_all_file_attributes(initrc_t)
|
files_getattr_all_files(initrc_t)
|
||||||
files_remove_all_tmp_data(initrc_t)
|
files_delete_all_tmp_files(initrc_t)
|
||||||
files_remove_all_lock_files(initrc_t)
|
files_delete_all_lock_files(initrc_t)
|
||||||
files_read_all_daemon_runtime_data(initrc_t)
|
files_read_all_pids(initrc_t)
|
||||||
files_remove_all_daemon_runtime_data(initrc_t)
|
files_delete_all_pids(initrc_t)
|
||||||
files_read_general_system_config(initrc_t)
|
files_read_generic_etc_files(initrc_t)
|
||||||
files_manage_runtime_system_config(initrc_t)
|
files_manage_etc_runtime_files(initrc_t)
|
||||||
files_manage_system_lock_files(initrc_t)
|
files_manage_generic_lock_files(initrc_t)
|
||||||
files_execute_system_config_script(initrc_t)
|
files_exec_generic_etc_files(initrc_t)
|
||||||
files_read_general_application_resources(initrc_t)
|
files_read_usr_files(initrc_t)
|
||||||
files_manage_pseudorandom_saved_seed(initrc_t)
|
files_manage_urandom_seed(initrc_t)
|
||||||
files_manage_system_spools(initrc_t)
|
files_manage_spools(initrc_t)
|
||||||
|
|
||||||
libraries_modify_dynamic_loader_cache(initrc_t)
|
libs_rw_ld_so_cache(initrc_t)
|
||||||
libraries_use_dynamic_loader(initrc_t)
|
libs_use_ld_so(initrc_t)
|
||||||
libraries_use_shared_libraries(initrc_t)
|
libs_use_shared_libs(initrc_t)
|
||||||
libraries_execute_library_scripts(initrc_t)
|
libs_exec_lib_files(initrc_t)
|
||||||
|
|
||||||
logging_send_system_log_message(initrc_t)
|
logging_send_syslog_msg(initrc_t)
|
||||||
logging_modify_system_logs(initrc_t)
|
logging_rw_generic_logs(initrc_t)
|
||||||
logging_read_all_logs(initrc_t)
|
logging_read_all_logs(initrc_t)
|
||||||
logging_append_all_logs(initrc_t)
|
logging_append_all_logs(initrc_t)
|
||||||
|
|
||||||
miscfiles_read_localization(initrc_t)
|
miscfiles_read_localization(initrc_t)
|
||||||
|
|
||||||
modutils_read_kernel_module_loading_config(initrc_t)
|
modutils_read_module_conf(initrc_t)
|
||||||
|
|
||||||
selinux_read_config(initrc_t)
|
selinux_read_config(initrc_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config(initrc_t)
|
sysnet_read_config(initrc_t)
|
||||||
|
|
||||||
udev_modify_database(initrc_t)
|
udev_rw_db(initrc_t)
|
||||||
|
|
||||||
userdomain_read_all_users_data(initrc_t)
|
userdom_read_all_user_data(initrc_t)
|
||||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||||
# started from init should be placed in their own domain.
|
# started from init should be placed in their own domain.
|
||||||
userdomain_use_admin_terminals(initrc_t)
|
userdom_use_sysadm_terms(initrc_t)
|
||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
|
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
|
||||||
@ -306,7 +306,7 @@ ifdef(`distro_redhat',`
|
|||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
kernel_dontaudit_use_fd(initrc_t)
|
kernel_dontaudit_use_fd(initrc_t)
|
||||||
files_ignore_read_rootfs_file(initrc_t)
|
files_dontaudit_read_root_file(initrc_t)
|
||||||
|
|
||||||
kernel_set_enforcement_mode(initrc_t)
|
kernel_set_enforcement_mode(initrc_t)
|
||||||
|
|
||||||
@ -329,7 +329,7 @@ ifdef(`distro_redhat',`
|
|||||||
files_create_boot_flag(initrc_t)
|
files_create_boot_flag(initrc_t)
|
||||||
|
|
||||||
# readahead asks for these
|
# readahead asks for these
|
||||||
mta_read_mail_aliases(initrc_t)
|
mta_read_aliases(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
@ -349,7 +349,7 @@ optional_policy(`lvm.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rhgb.te',`
|
optional_policy(`rhgb.te',`
|
||||||
corecommands_make_shell_entrypoint(initrc_t)
|
corecmd_shell_entry_type(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rpm.te',`
|
optional_policy(`rpm.te',`
|
||||||
@ -357,13 +357,13 @@ optional_policy(`rpm.te',`
|
|||||||
kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
|
kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
|
||||||
|
|
||||||
# for a bug in rm
|
# for a bug in rm
|
||||||
files_ignore_write_all_daemon_runtime_data(initrc_t)
|
files_dontaudit_write_all_pids(initrc_t)
|
||||||
|
|
||||||
# bash tries ioctl for some reason
|
# bash tries ioctl for some reason
|
||||||
files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||||
|
|
||||||
# why is this needed:
|
# why is this needed:
|
||||||
rpm_manage_package_database(initrc_t)
|
rpm_manage_db(initrc_t)
|
||||||
') dnl end rpm.te
|
') dnl end rpm.te
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for iptables.</summary>
|
## <summary>Policy for iptables.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="iptables_transition">
|
## <interface name="iptables_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute iptables in the iptables domain.
|
## Execute iptables in the iptables domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_transition',`
|
define(`iptables_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 iptables_exec_t:file rx_file_perms;
|
allow $1 iptables_exec_t:file rx_file_perms;
|
||||||
@ -25,7 +25,7 @@ define(`iptables_transition',`
|
|||||||
allow iptables_t $1:process sigchld;
|
allow iptables_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`iptables_transition_depend',`
|
define(`iptables_domtrans_depend',`
|
||||||
type iptables_t, iptables_exec_t;
|
type iptables_t, iptables_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -35,7 +35,7 @@ define(`iptables_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="iptables_transition_add_role_use_terminal">
|
## <interface name="iptables_run">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute iptables in the iptables domain, and
|
## Execute iptables in the iptables domain, and
|
||||||
## allow the specified role the iptables domain.
|
## allow the specified role the iptables domain.
|
||||||
@ -51,22 +51,22 @@ define(`iptables_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_transition_add_role_use_terminal',`
|
define(`iptables_run',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
iptables_transition($1)
|
iptables_domtrans($1)
|
||||||
role $2 types iptables_t;
|
role $2 types iptables_t;
|
||||||
allow iptables_t $3:chr_file { getattr read write ioctl };
|
allow iptables_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`iptables_transition_add_role_use_terminal_depend',`
|
define(`iptables_run_depend',`
|
||||||
type iptables_t;
|
type iptables_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="iptables_execute">
|
## <interface name="iptables_exec">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute iptables in the caller domain.
|
## Execute iptables in the caller domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -75,14 +75,14 @@ define(`iptables_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_execute',`
|
define(`iptables_exec',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,iptables_exec_t)
|
can_exec($1,iptables_exec_t)
|
||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`iptables_execute_depend',`
|
define(`iptables_exec_depend',`
|
||||||
type iptables_t, iptables_exec_t;
|
type iptables_t, iptables_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
|
@ -8,14 +8,14 @@ policy_module(iptables, 1.0)
|
|||||||
|
|
||||||
type iptables_t;
|
type iptables_t;
|
||||||
type iptables_exec_t;
|
type iptables_exec_t;
|
||||||
init_make_system_domain(iptables_t,iptables_exec_t)
|
init_system_domain(iptables_t,iptables_exec_t)
|
||||||
role system_r types iptables_t;
|
role system_r types iptables_t;
|
||||||
|
|
||||||
type iptables_tmp_t;
|
type iptables_tmp_t;
|
||||||
files_make_temporary_file(iptables_tmp_t)
|
files_tmp_file(iptables_tmp_t)
|
||||||
|
|
||||||
type iptables_var_run_t;
|
type iptables_var_run_t;
|
||||||
files_make_daemon_runtime_file(iptables_var_run_t)
|
files_pid_file(iptables_var_run_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -27,13 +27,13 @@ dontaudit iptables_t self:capability sys_tty_config;
|
|||||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||||
|
|
||||||
allow iptables_t iptables_var_run_t:dir rw_dir_perms;
|
allow iptables_t iptables_var_run_t:dir rw_dir_perms;
|
||||||
files_create_daemon_runtime_data(iptables_t,iptables_var_run_t)
|
files_create_pid(iptables_t,iptables_var_run_t)
|
||||||
|
|
||||||
can_exec(iptables_t,iptables_exec_t)
|
can_exec(iptables_t,iptables_exec_t)
|
||||||
|
|
||||||
allow iptables_t iptables_tmp_t:dir create_dir_perms;
|
allow iptables_t iptables_tmp_t:dir create_dir_perms;
|
||||||
allow iptables_t iptables_tmp_t:file create_file_perms;
|
allow iptables_t iptables_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir })
|
files_create_tmp_files(iptables_t, iptables_tmp_t, { file dir })
|
||||||
|
|
||||||
allow iptables_t self:rawip_socket create_socket_perms;
|
allow iptables_t self:rawip_socket create_socket_perms;
|
||||||
|
|
||||||
@ -48,27 +48,27 @@ fs_getattr_xattr_fs(iptables_t)
|
|||||||
|
|
||||||
term_dontaudit_use_console(iptables_t)
|
term_dontaudit_use_console(iptables_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(iptables_t)
|
domain_use_wide_inherit_fd(iptables_t)
|
||||||
|
|
||||||
files_read_general_system_config(iptables_t)
|
files_read_generic_etc_files(iptables_t)
|
||||||
|
|
||||||
init_use_file_descriptors(iptables_t)
|
init_use_fd(iptables_t)
|
||||||
init_script_use_pseudoterminal(iptables_t)
|
init_use_script_pty(iptables_t)
|
||||||
# to allow rules to be saved on reboot:
|
# to allow rules to be saved on reboot:
|
||||||
init_script_modify_temporary_data(iptables_t)
|
init_rw_script_tmp_files(iptables_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(iptables_t)
|
libs_use_ld_so(iptables_t)
|
||||||
libraries_use_shared_libraries(iptables_t)
|
libs_use_shared_libs(iptables_t)
|
||||||
|
|
||||||
logging_send_system_log_message(iptables_t)
|
logging_send_syslog_msg(iptables_t)
|
||||||
# system-config-network appends to /var/log
|
# system-config-network appends to /var/log
|
||||||
#logging_append_system_logs(iptables_t)
|
#logging_append_system_logs(iptables_t)
|
||||||
|
|
||||||
miscfiles_read_localization(iptables_t)
|
miscfiles_read_localization(iptables_t)
|
||||||
|
|
||||||
sysnetwork_ifconfig_transition(iptables_t)
|
sysnet_domtrans_ifconfig(iptables_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(iptables_t)
|
userdom_use_all_user_fd(iptables_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`use_dns',`
|
||||||
allow iptables_t self:udp_socket create_socket_perms;
|
allow iptables_t self:udp_socket create_socket_perms;
|
||||||
@ -80,12 +80,12 @@ tunable_policy(`use_dns',`
|
|||||||
corenet_udp_bind_all_nodes(iptables_t)
|
corenet_udp_bind_all_nodes(iptables_t)
|
||||||
corenet_udp_sendrecv_dns_port(iptables_t)
|
corenet_udp_sendrecv_dns_port(iptables_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config(iptables_t)
|
sysnet_read_config(iptables_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`modutils.te', `
|
optional_policy(`modutils.te', `
|
||||||
corecommands_search_system_programs_directory(iptables_t)
|
corecmd_search_sbin(iptables_t)
|
||||||
modutils_insmod_transition(iptables_t)
|
modutils_domtrans_insmod(iptables_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -93,14 +93,14 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(iptables_t)
|
udev_read_db(iptables_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(iptables_t)
|
term_dontaudit_use_unallocated_tty(iptables_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(iptables_t)
|
terminal_ignore_use_general_pseudoterminal(iptables_t)
|
||||||
|
|
||||||
files_ignore_read_rootfs_file(iptables_t)
|
files_dontaudit_read_root_file(iptables_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for system libraries.</summary>
|
## <summary>Policy for system libraries.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_ldconfig_transition">
|
## <interface name="libs_domtrans_ldconfig">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute ldconfig in the ldconfig domain.
|
## Execute ldconfig in the ldconfig domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_ldconfig_transition',`
|
define(`libs_domtrans_ldconfig',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
|
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
|
||||||
@ -22,7 +22,7 @@ define(`libraries_ldconfig_transition',`
|
|||||||
allow ldconfig_t $1:process sigchld;
|
allow ldconfig_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_ldconfig_transition_depend',`
|
define(`libs_domtrans_ldconfig_depend',`
|
||||||
type ldconfig_t, ldconfig_exec_t;
|
type ldconfig_t, ldconfig_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -32,7 +32,7 @@ define(`libraries_ldconfig_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_ldconfig_transition_add_role_use_terminal">
|
## <interface name="libs_run_ldconfig">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute ldconfig in the ldconfig domain.
|
## Execute ldconfig in the ldconfig domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -47,22 +47,22 @@ define(`libraries_ldconfig_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_ldconfig_transition_add_role_use_terminal',`
|
define(`libs_run_ldconfig',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
libraries_ldconfig_transition($1)
|
libs_domtrans_ldconfig($1)
|
||||||
role $2 types ldconfig_t;
|
role $2 types ldconfig_t;
|
||||||
allow ldconfig_t $3:chr_file { getattr read write ioctl };
|
allow ldconfig_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
|
define(`libs_run_ldconfig_depend',`
|
||||||
type ldconfig_t;
|
type ldconfig_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_use_dynamic_loader">
|
## <interface name="libs_use_ld_so">
|
||||||
## <description>
|
## <description>
|
||||||
## Use the dynamic link/loader for automatic loading
|
## Use the dynamic link/loader for automatic loading
|
||||||
## of shared libraries.
|
## of shared libraries.
|
||||||
@ -72,10 +72,10 @@ define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_use_dynamic_loader',`
|
define(`libs_use_ld_so',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_read_general_system_config_directory($1)
|
files_read_generic_etc_files_directory($1)
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
allow $1 lib_t:lnk_file r_file_perms;
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
allow $1 ld_so_t:lnk_file r_file_perms;
|
allow $1 ld_so_t:lnk_file r_file_perms;
|
||||||
@ -83,7 +83,7 @@ define(`libraries_use_dynamic_loader',`
|
|||||||
allow $1 ld_so_cache_t:file r_file_perms;
|
allow $1 ld_so_cache_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_use_dynamic_loader_depend',`
|
define(`libs_use_ld_so_depend',`
|
||||||
type lib_t, ld_so_t, ld_so_cache_t;
|
type lib_t, ld_so_t, ld_so_cache_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -92,7 +92,7 @@ define(`libraries_use_dynamic_loader_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_legacy_use_dynamic_loader">
|
## <interface name="libs_legacy_use_ld_so">
|
||||||
## <description>
|
## <description>
|
||||||
## Use the dynamic link/loader for automatic loading
|
## Use the dynamic link/loader for automatic loading
|
||||||
## of shared libraries with legacy support.
|
## of shared libraries with legacy support.
|
||||||
@ -102,22 +102,22 @@ define(`libraries_use_dynamic_loader_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_legacy_use_dynamic_loader',`
|
define(`libs_legacy_use_ld_so',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1)
|
libs_use_ld_so($1)
|
||||||
allow $1 ld_so_t:file execmod;
|
allow $1 ld_so_t:file execmod;
|
||||||
allow $1 ld_so_cache_t:file execute;
|
allow $1 ld_so_cache_t:file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_legacy_use_dynamic_loader_depend',`
|
define(`libs_legacy_use_ld_so_depend',`
|
||||||
type ld_so_t, ld_so_cache_t;
|
type ld_so_t, ld_so_cache_t;
|
||||||
|
|
||||||
class file { execute execmod };
|
class file { execute execmod };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_execute_dynamic_loader">
|
## <interface name="libs_exec_ld_so">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute the dynamic link/loader in the caller's
|
## Execute the dynamic link/loader in the caller's
|
||||||
## domain. This is commonly needed for the
|
## domain. This is commonly needed for the
|
||||||
@ -131,7 +131,7 @@ define(`libraries_legacy_use_dynamic_loader_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_execute_dynamic_loader',`
|
define(`libs_exec_ld_so',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
@ -140,7 +140,7 @@ define(`libraries_execute_dynamic_loader',`
|
|||||||
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
|
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_execute_dynamic_loader_depend',`
|
define(`libs_exec_ld_so_depend',`
|
||||||
type lib_t, ld_so_t;
|
type lib_t, ld_so_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -149,7 +149,7 @@ define(`libraries_execute_dynamic_loader_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_modify_dynamic_loader_cache">
|
## <interface name="libs_rw_ld_so_cache">
|
||||||
## <description>
|
## <description>
|
||||||
## Modify the dynamic link/loader's cached listing
|
## Modify the dynamic link/loader's cached listing
|
||||||
## of shared libraries.
|
## of shared libraries.
|
||||||
@ -159,21 +159,21 @@ define(`libraries_execute_dynamic_loader_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_modify_dynamic_loader_cache',`
|
define(`libs_rw_ld_so_cache',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_read_general_system_config_directory($1)
|
files_read_generic_etc_files_directory($1)
|
||||||
allow $1 ld_so_cache_t:file rw_file_perms;
|
allow $1 ld_so_cache_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_modify_dynamic_loader_cache_depend',`
|
define(`libs_rw_ld_so_cache_depend',`
|
||||||
type ld_so_cache_t;
|
type ld_so_cache_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_read_library_resources">
|
## <interface name="libs_read_lib">
|
||||||
## <description>
|
## <description>
|
||||||
## Read files in the library directories, such
|
## Read files in the library directories, such
|
||||||
## as static libraries.
|
## as static libraries.
|
||||||
@ -183,14 +183,14 @@ define(`libraries_modify_dynamic_loader_cache_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_read_library_resources',`
|
define(`libs_read_lib',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
allow $1 lib_t:{ file lnk_file } r_file_perms;
|
allow $1 lib_t:{ file lnk_file } r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_read_library_resources_depend',`
|
define(`libs_read_lib_depend',`
|
||||||
type lib_t;
|
type lib_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -199,7 +199,7 @@ define(`libraries_read_library_resources_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_execute_library_scripts">
|
## <interface name="libs_exec_lib_files">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute library scripts in the caller domain.
|
## Execute library scripts in the caller domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -208,7 +208,7 @@ define(`libraries_read_library_resources_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_execute_library_scripts',`
|
define(`libs_exec_lib_files',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
@ -216,7 +216,7 @@ define(`libraries_execute_library_scripts',`
|
|||||||
allow $1 lib_t:file { getattr read execute execute_no_trans };
|
allow $1 lib_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_execute_library_scripts_depend',`
|
define(`libs_exec_lib_files_depend',`
|
||||||
type lib_t;
|
type lib_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -225,7 +225,7 @@ define(`libraries_execute_library_scripts_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_use_shared_libraries">
|
## <interface name="libs_use_shared_libs">
|
||||||
## <description>
|
## <description>
|
||||||
## Load and execute functions from shared libraries.
|
## Load and execute functions from shared libraries.
|
||||||
## </description>
|
## </description>
|
||||||
@ -234,17 +234,17 @@ define(`libraries_execute_library_scripts_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_use_shared_libraries',`
|
define(`libs_use_shared_libs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_general_application_resources_dir($1)
|
files_search_usr($1)
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
allow $1 lib_t:lnk_file r_file_perms;
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
|
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
|
||||||
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
|
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_use_shared_libraries_depend',`
|
define(`libs_use_shared_libs_depend',`
|
||||||
type lib_t, shlib_t, texrel_shlib_t;
|
type lib_t, shlib_t, texrel_shlib_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -253,7 +253,7 @@ define(`libraries_use_shared_libraries_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="libraries_legacy_use_shared_libraries">
|
## <interface name="libs_legacy_use_shared_libs">
|
||||||
## <description>
|
## <description>
|
||||||
## Load and execute functions from shared libraries,
|
## Load and execute functions from shared libraries,
|
||||||
## with legacy support.
|
## with legacy support.
|
||||||
@ -263,14 +263,14 @@ define(`libraries_use_shared_libraries_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_legacy_use_shared_libraries',`
|
define(`libs_legacy_use_shared_libs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
libraries_use_shared_libraries($1)
|
libs_use_shared_libs($1)
|
||||||
allow $1 { shlib_t texrel_shlib_t }:file execmod;
|
allow $1 { shlib_t texrel_shlib_t }:file execmod;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_legacy_use_shared_libraries_depend',`
|
define(`libs_legacy_use_shared_libs_depend',`
|
||||||
type shlib_t, texrel_shlib_t;
|
type shlib_t, texrel_shlib_t;
|
||||||
|
|
||||||
class file execmod;
|
class file execmod;
|
||||||
|
@ -10,33 +10,33 @@ policy_module(libraries,1.0)
|
|||||||
# ld_so_cache_t is the type of /etc/ld.so.cache.
|
# ld_so_cache_t is the type of /etc/ld.so.cache.
|
||||||
#
|
#
|
||||||
type ld_so_cache_t;
|
type ld_so_cache_t;
|
||||||
files_make_file(ld_so_cache_t)
|
files_file_type(ld_so_cache_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# ld_so_t is the type of the system dynamic loaders.
|
# ld_so_t is the type of the system dynamic loaders.
|
||||||
#
|
#
|
||||||
type ld_so_t;
|
type ld_so_t;
|
||||||
files_make_file(ld_so_t)
|
files_file_type(ld_so_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# lib_t is the type of files in the system lib directories.
|
# lib_t is the type of files in the system lib directories.
|
||||||
#
|
#
|
||||||
type lib_t;
|
type lib_t;
|
||||||
files_make_file(lib_t)
|
files_file_type(lib_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# shlib_t is the type of shared objects in the system lib
|
# shlib_t is the type of shared objects in the system lib
|
||||||
# directories.
|
# directories.
|
||||||
#
|
#
|
||||||
type shlib_t;
|
type shlib_t;
|
||||||
files_make_file(shlib_t)
|
files_file_type(shlib_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# texrel_shlib_t is the type of shared objects in the system lib
|
# texrel_shlib_t is the type of shared objects in the system lib
|
||||||
# directories, which require text relocation.
|
# directories, which require text relocation.
|
||||||
#
|
#
|
||||||
type texrel_shlib_t;
|
type texrel_shlib_t;
|
||||||
files_make_file(texrel_shlib_t)
|
files_file_type(texrel_shlib_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -44,11 +44,11 @@ files_make_file(texrel_shlib_t)
|
|||||||
#
|
#
|
||||||
type ldconfig_t;
|
type ldconfig_t;
|
||||||
type ldconfig_exec_t;
|
type ldconfig_exec_t;
|
||||||
init_make_system_domain(ldconfig_t,ldconfig_exec_t)
|
init_system_domain(ldconfig_t,ldconfig_exec_t)
|
||||||
role system_r types ldconfig_t;
|
role system_r types ldconfig_t;
|
||||||
|
|
||||||
allow ldconfig_t ld_so_cache_t:file create_file_perms;
|
allow ldconfig_t ld_so_cache_t:file create_file_perms;
|
||||||
files_create_private_config(ldconfig_t,ld_so_cache_t,file)
|
files_create_etc_config(ldconfig_t,ld_so_cache_t,file)
|
||||||
|
|
||||||
allow ldconfig_t lib_t:dir rw_dir_perms;
|
allow ldconfig_t lib_t:dir rw_dir_perms;
|
||||||
allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
|
allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
|
||||||
@ -62,17 +62,17 @@ kernel_read_system_state(ldconfig_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(ldconfig_t)
|
fs_getattr_xattr_fs(ldconfig_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(ldconfig_t)
|
domain_use_wide_inherit_fd(ldconfig_t)
|
||||||
|
|
||||||
files_read_general_system_config(ldconfig_t)
|
files_read_generic_etc_files(ldconfig_t)
|
||||||
# for when /etc/ld.so.cache is mislabeled:
|
# for when /etc/ld.so.cache is mislabeled:
|
||||||
files_remove_general_system_config(ldconfig_t)
|
files_delete_generic_etc_files(ldconfig_t)
|
||||||
|
|
||||||
init_script_use_pseudoterminal(ldconfig_t)
|
init_use_script_pty(ldconfig_t)
|
||||||
|
|
||||||
logging_send_system_log_message(ldconfig_t)
|
logging_send_syslog_msg(ldconfig_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(ldconfig_t)
|
userdom_use_all_user_fd(ldconfig_t)
|
||||||
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for local logins.</summary>
|
## <summary>Policy for local logins.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="locallogin_transition">
|
## <interface name="locallogin_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute local logins in the locallogin domain.
|
## Execute local logins in the locallogin domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,18 +11,18 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`locallogin_transition',`
|
define(`locallogin_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
authlogin_login_program_transition($1,local_login_t)
|
auth_domtrans_login_program($1,local_login_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`locallogin_transition_depend',`
|
define(`locallogin_domtrans_depend',`
|
||||||
type local_login_t;
|
type local_login_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="locallogin_use_file_descriptors">
|
## <interface name="locallogin_use_fd">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow processes to inherit local login file descriptors
|
## Allow processes to inherit local login file descriptors
|
||||||
## </description>
|
## </description>
|
||||||
@ -33,15 +33,15 @@ define(`locallogin_transition_depend',`
|
|||||||
#
|
#
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# locallogin_use_file_descriptors(domain)
|
# locallogin_use_fd(domain)
|
||||||
#
|
#
|
||||||
define(`locallogin_use_file_descriptors',`
|
define(`locallogin_use_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 local_login_t:fd use;
|
allow $1 local_login_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`locallogin_use_file_descriptors_depend',`
|
define(`locallogin_use_fd_depend',`
|
||||||
type local_login_t;
|
type local_login_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
|
@ -7,25 +7,25 @@ policy_module(locallogin,1.0)
|
|||||||
#
|
#
|
||||||
|
|
||||||
type local_login_t; #, nscd_client_domain;
|
type local_login_t; #, nscd_client_domain;
|
||||||
kernel_make_object_identity_change_constraint_exception(local_login_t)
|
kernel_obj_id_change_exempt(local_login_t)
|
||||||
kernel_make_process_identity_change_constraint_exception(local_login_t)
|
kernel_subj_id_change_exempt(local_login_t)
|
||||||
kernel_make_role_change_constraint_exception(local_login_t)
|
kernel_role_change_exempt(local_login_t)
|
||||||
authlogin_make_login_program_entrypoint(local_login_t)
|
auth_login_entry_type(local_login_t)
|
||||||
domain_make_domain(local_login_t)
|
domain_type(local_login_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(local_login_t)
|
domain_wide_inherit_fd(local_login_t)
|
||||||
role system_r types local_login_t;
|
role system_r types local_login_t;
|
||||||
|
|
||||||
type local_login_tmp_t;
|
type local_login_tmp_t;
|
||||||
files_make_file(local_login_tmp_t)
|
files_file_type(local_login_tmp_t)
|
||||||
|
|
||||||
type sulogin_t;
|
type sulogin_t;
|
||||||
type sulogin_exec_t;
|
type sulogin_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(sulogin_t)
|
kernel_obj_id_change_exempt(sulogin_t)
|
||||||
kernel_make_process_identity_change_constraint_exception(sulogin_t)
|
kernel_subj_id_change_exempt(sulogin_t)
|
||||||
kernel_make_role_change_constraint_exception(sulogin_t)
|
kernel_role_change_exempt(sulogin_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(sulogin_t)
|
domain_wide_inherit_fd(sulogin_t)
|
||||||
init_make_init_domain(sulogin_t,sulogin_exec_t)
|
init_domain(sulogin_t,sulogin_exec_t)
|
||||||
init_make_system_domain(sulogin_t,sulogin_exec_t)
|
init_system_domain(sulogin_t,sulogin_exec_t)
|
||||||
role system_r types sulogin_t;
|
role system_r types sulogin_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -49,7 +49,7 @@ allow local_login_t self:msg { send receive };
|
|||||||
|
|
||||||
allow local_login_t local_login_tmp_t:dir create_dir_perms;
|
allow local_login_t local_login_tmp_t:dir create_dir_perms;
|
||||||
allow local_login_t local_login_tmp_t:file create_file_perms;
|
allow local_login_t local_login_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })
|
files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
|
||||||
|
|
||||||
kernel_read_system_state(local_login_t)
|
kernel_read_system_state(local_login_t)
|
||||||
kernel_read_kernel_sysctl(local_login_t)
|
kernel_read_kernel_sysctl(local_login_t)
|
||||||
@ -70,47 +70,47 @@ term_relabel_all_user_ttys(local_login_t)
|
|||||||
term_setattr_all_user_ttys(local_login_t)
|
term_setattr_all_user_ttys(local_login_t)
|
||||||
term_setattr_unallocated_ttys(local_login_t)
|
term_setattr_unallocated_ttys(local_login_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(local_login_t)
|
auth_domtrans_chk_passwd(local_login_t)
|
||||||
authlogin_ignore_read_shadow_passwords(local_login_t)
|
auth_dontaudit_read_shadow(local_login_t)
|
||||||
authlogin_modify_login_records(local_login_t)
|
auth_rw_login_records(local_login_t)
|
||||||
authlogin_modify_last_login_log(local_login_t)
|
auth_rw_lastlog(local_login_t)
|
||||||
authlogin_modify_login_failure_records(local_login_t)
|
auth_rw_faillog(local_login_t)
|
||||||
authlogin_pam_execute(local_login_t)
|
auth_exec_pam(local_login_t)
|
||||||
authlogin_pam_console_manage_runtime_data(local_login_t)
|
auth_manage_pam_console_data(local_login_t)
|
||||||
|
|
||||||
domain_read_all_entrypoint_programs(local_login_t)
|
domain_read_all_entry_files(local_login_t)
|
||||||
|
|
||||||
files_read_general_system_config(local_login_t)
|
files_read_generic_etc_files(local_login_t)
|
||||||
files_read_runtime_system_config(local_login_t)
|
files_read_etc_runtime_files(local_login_t)
|
||||||
files_read_general_application_resources(local_login_t)
|
files_read_usr_files(local_login_t)
|
||||||
files_manage_system_lock_files(var_lock_t)
|
files_manage_generic_lock_files(var_lock_t)
|
||||||
|
|
||||||
init_script_modify_runtime_data(local_login_t)
|
init_rw_script_pid(local_login_t)
|
||||||
init_ignore_use_file_descriptors(local_login_t)
|
init_dontaudit_use_fd(local_login_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(local_login_t)
|
libs_use_ld_so(local_login_t)
|
||||||
libraries_use_shared_libraries(local_login_t)
|
libs_use_shared_libs(local_login_t)
|
||||||
|
|
||||||
logging_send_system_log_message(local_login_t)
|
logging_send_syslog_msg(local_login_t)
|
||||||
|
|
||||||
miscfiles_read_localization(local_login_t)
|
miscfiles_read_localization(local_login_t)
|
||||||
|
|
||||||
selinux_read_config(local_login_t)
|
selinux_read_config(local_login_t)
|
||||||
selinux_read_default_contexts(local_login_t)
|
selinux_read_default_contexts(local_login_t)
|
||||||
|
|
||||||
userdomain_all_users_explicit_transition(local_login_t)
|
userdom_spec_domtrans_all_users(local_login_t)
|
||||||
userdomain_signal_all_userdomains(local_login_t)
|
userdom_signal_all_users(local_login_t)
|
||||||
userdomain_search_all_users_home_dirs(local_login_t)
|
userdom_search_all_users_home(local_login_t)
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
|
userdom_use_unpriv_users_fd(local_login_t)
|
||||||
|
|
||||||
# Search for mail spool file.
|
# Search for mail spool file.
|
||||||
mta_get_mail_spool_attributes(local_login_t)
|
mta_getattr_spool(local_login_t)
|
||||||
|
|
||||||
# Red Hat systems seem to have a stray
|
# Red Hat systems seem to have a stray
|
||||||
# fd open from the initrd
|
# fd open from the initrd
|
||||||
optional_policy(`distro_redhat',`
|
optional_policy(`distro_redhat',`
|
||||||
kernel_dontaudit_use_fd(local_login_t)
|
kernel_dontaudit_use_fd(local_login_t)
|
||||||
files_ignore_read_rootfs_file(local_login_t)
|
files_dontaudit_read_root_file(local_login_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -210,24 +210,24 @@ allow sulogin_t self:msg { send receive };
|
|||||||
|
|
||||||
kernel_read_system_state(sulogin_t)
|
kernel_read_system_state(sulogin_t)
|
||||||
|
|
||||||
init_script_get_process_group(sulogin_t)
|
init_get_script_process_group(sulogin_t)
|
||||||
|
|
||||||
files_read_general_system_config(sulogin_t)
|
files_read_generic_etc_files(sulogin_t)
|
||||||
# because file systems are not mounted:
|
# because file systems are not mounted:
|
||||||
files_ignore_search_isid_type_dir(sulogin_t)
|
files_dontaudit_search_isid_type_dir(sulogin_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(sulogin_t)
|
libs_use_ld_so(sulogin_t)
|
||||||
libraries_use_shared_libraries(sulogin_t)
|
libs_use_shared_libs(sulogin_t)
|
||||||
|
|
||||||
logging_send_system_log_message(sulogin_t)
|
logging_send_syslog_msg(sulogin_t)
|
||||||
|
|
||||||
selinux_read_config(sulogin_t)
|
selinux_read_config(sulogin_t)
|
||||||
selinux_read_default_contexts(sulogin_t)
|
selinux_read_default_contexts(sulogin_t)
|
||||||
|
|
||||||
authlogin_read_shadow_passwords(sulogin_t)
|
auth_read_shadow(sulogin_t)
|
||||||
|
|
||||||
userdomain_sysadm_shell_transition(sulogin_t)
|
userdom_shell_domtrans_sysadm(sulogin_t)
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
|
userdom_use_unpriv_users_fd(sulogin_t)
|
||||||
|
|
||||||
# suse and debian do not use pam with sulogin...
|
# suse and debian do not use pam with sulogin...
|
||||||
ifdef(`monolithic_policy',`
|
ifdef(`monolithic_policy',`
|
||||||
|
@ -3,24 +3,24 @@
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_make_log_file(domain)
|
# logging_log_file(domain)
|
||||||
#
|
#
|
||||||
define(`logging_make_log_file',`
|
define(`logging_log_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_make_file($1)
|
files_file_type($1)
|
||||||
typeattribute $1 logfile;
|
typeattribute $1 logfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_make_log_file_depend',`
|
define(`logging_log_file_depend',`
|
||||||
attribute logfile;
|
attribute logfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# logging_create_private_log(domain,privatetype,[class(es)])
|
# logging_create_log(domain,privatetype,[class(es)])
|
||||||
#
|
#
|
||||||
define(`logging_create_private_log',`
|
define(`logging_create_log',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 var_log_t:dir rw_dir_perms;
|
allow $1 var_log_t:dir rw_dir_perms;
|
||||||
@ -32,7 +32,7 @@ define(`logging_create_private_log',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_create_private_log_depend',`
|
define(`logging_create_log_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
|
|
||||||
class dir rw_dir_perms;
|
class dir rw_dir_perms;
|
||||||
@ -40,9 +40,9 @@ define(`logging_create_private_log_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_send_system_log_message(domain)
|
# logging_send_syslog_msg(domain)
|
||||||
#
|
#
|
||||||
define(`logging_send_system_log_message',`
|
define(`logging_send_syslog_msg',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 devlog_t:lnk_file read;
|
allow $1 devlog_t:lnk_file read;
|
||||||
@ -58,7 +58,7 @@ define(`logging_send_system_log_message',`
|
|||||||
term_use_console($1)
|
term_use_console($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_send_system_log_message_depend',`
|
define(`logging_send_syslog_msg_depend',`
|
||||||
type syslogd_t, devlog_t;
|
type syslogd_t, devlog_t;
|
||||||
|
|
||||||
class sock_file rw_file_perms;
|
class sock_file rw_file_perms;
|
||||||
@ -67,7 +67,7 @@ define(`logging_send_system_log_message_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="logging_search_system_log_directory">
|
## <interface name="logging_search_logs">
|
||||||
## <description>
|
## <description>
|
||||||
## Allows the domain to open a file in the
|
## Allows the domain to open a file in the
|
||||||
## log directory, but does not allow the listing
|
## log directory, but does not allow the listing
|
||||||
@ -78,14 +78,14 @@ define(`logging_send_system_log_message_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`logging_search_system_log_directory',`
|
define(`logging_search_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir search;
|
allow $1 var_log_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_search_system_log_directory_depend',`
|
define(`logging_search_logs_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
|
|
||||||
class dir search;
|
class dir search;
|
||||||
@ -93,15 +93,15 @@ define(`logging_search_system_log_directory_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_ignore_get_all_logs_attributes(domain)
|
# logging_dontaudit_getattr_all_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_ignore_get_all_logs_attributes',`
|
define(`logging_dontaudit_getattr_all_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 logfile:file getattr;
|
dontaudit $1 logfile:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_ignore_get_all_logs_attributes_depend',`
|
define(`logging_dontaudit_getattr_all_logs_depend',`
|
||||||
attribute logfile;
|
attribute logfile;
|
||||||
|
|
||||||
class file getattr;
|
class file getattr;
|
||||||
@ -114,7 +114,7 @@ define(`logging_ignore_get_all_logs_attributes_depend',`
|
|||||||
define(`logging_append_all_logs',`
|
define(`logging_append_all_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 logfile:file { getattr append };
|
allow $1 logfile:file { getattr append };
|
||||||
')
|
')
|
||||||
@ -135,7 +135,7 @@ define(`logging_append_all_logs_depend',`
|
|||||||
define(`logging_read_all_logs',`
|
define(`logging_read_all_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 logfile:file r_file_perms;
|
allow $1 logfile:file r_file_perms;
|
||||||
')
|
')
|
||||||
@ -151,17 +151,17 @@ define(`logging_read_all_logs_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_read_system_logs(domain)
|
# logging_read_generic_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_read_system_logs',`
|
define(`logging_read_generic_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 var_log_t:file r_file_perms;
|
allow $1 var_log_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_read_system_logs_depend',`
|
define(`logging_read_generic_logs_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -170,17 +170,17 @@ define(`logging_read_system_logs_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_write_system_logs(domain)
|
# logging_write_generic_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_write_system_logs',`
|
define(`logging_write_generic_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 var_log_t:file { getattr write };
|
allow $1 var_log_t:file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_write_system_logs_depend',`
|
define(`logging_write_generic_logs_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -189,17 +189,17 @@ define(`logging_write_system_logs_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# logging_modify_system_logs(domain)
|
# logging_rw_generic_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_modify_system_logs',`
|
define(`logging_rw_generic_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_system_state_data_directory($1)
|
files_search_var($1)
|
||||||
allow $1 var_log_t:dir r_dir_perms;
|
allow $1 var_log_t:dir r_dir_perms;
|
||||||
allow $1 var_log_t:file rw_file_perms;
|
allow $1 var_log_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_modify_system_logs_depend',`
|
define(`logging_rw_generic_logs_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
|
@ -9,40 +9,40 @@ policy_module(logging,1.0)
|
|||||||
attribute logfile;
|
attribute logfile;
|
||||||
|
|
||||||
type auditd_log_t;
|
type auditd_log_t;
|
||||||
logging_make_log_file(auditd_t,auditd_log_t)
|
logging_log_file(auditd_t,auditd_log_t)
|
||||||
|
|
||||||
type auditd_t;
|
type auditd_t;
|
||||||
type auditd_exec_t;
|
type auditd_exec_t;
|
||||||
init_make_daemon_domain(auditd_t,auditd_exec_t)
|
init_daemon_domain(auditd_t,auditd_exec_t)
|
||||||
|
|
||||||
type auditd_var_run_t;
|
type auditd_var_run_t;
|
||||||
files_make_daemon_runtime_file(auditd_var_run_t)
|
files_pid_file(auditd_var_run_t)
|
||||||
|
|
||||||
type devlog_t;
|
type devlog_t;
|
||||||
files_make_file(devlog_t)
|
files_file_type(devlog_t)
|
||||||
|
|
||||||
type klogd_t;
|
type klogd_t;
|
||||||
type klogd_exec_t;
|
type klogd_exec_t;
|
||||||
init_make_daemon_domain(klogd_t,klogd_exec_t)
|
init_daemon_domain(klogd_t,klogd_exec_t)
|
||||||
|
|
||||||
type klogd_tmp_t;
|
type klogd_tmp_t;
|
||||||
files_make_temporary_file(klogd_tmp_t)
|
files_tmp_file(klogd_tmp_t)
|
||||||
|
|
||||||
type klogd_var_run_t;
|
type klogd_var_run_t;
|
||||||
files_make_daemon_runtime_file(klogd_var_run_t)
|
files_pid_file(klogd_var_run_t)
|
||||||
|
|
||||||
type syslogd_t;
|
type syslogd_t;
|
||||||
type syslogd_exec_t;
|
type syslogd_exec_t;
|
||||||
init_make_daemon_domain(syslogd_t,syslogd_exec_t)
|
init_daemon_domain(syslogd_t,syslogd_exec_t)
|
||||||
|
|
||||||
type syslogd_tmp_t;
|
type syslogd_tmp_t;
|
||||||
files_make_temporary_file(syslogd_tmp_t)
|
files_tmp_file(syslogd_tmp_t)
|
||||||
|
|
||||||
type syslogd_var_run_t;
|
type syslogd_var_run_t;
|
||||||
files_make_daemon_runtime_file(syslogd_var_run_t)
|
files_pid_file(syslogd_var_run_t)
|
||||||
|
|
||||||
type var_log_t, logfile;
|
type var_log_t, logfile;
|
||||||
files_make_file(var_log_t)
|
files_file_type(var_log_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -56,7 +56,7 @@ allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_
|
|||||||
allow auditd_t auditd_log_t:file create_file_perms;
|
allow auditd_t auditd_log_t:file create_file_perms;
|
||||||
|
|
||||||
allow auditd_t auditd_var_run_t:file create_file_perms;
|
allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||||
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
|
files_create_pid(auditd_t,auditd_var_run_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(auditd_t)
|
kernel_read_kernel_sysctl(auditd_t)
|
||||||
kernel_read_hardware_state(auditd_t)
|
kernel_read_hardware_state(auditd_t)
|
||||||
@ -65,24 +65,24 @@ fs_getattr_all_fs(auditd_t)
|
|||||||
|
|
||||||
term_dontaudit_use_console(auditd_t)
|
term_dontaudit_use_console(auditd_t)
|
||||||
|
|
||||||
init_use_file_descriptors(auditd_t)
|
init_use_fd(auditd_t)
|
||||||
init_script_use_pseudoterminal(auditd_t)
|
init_use_script_pty(auditd_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(auditd_t)
|
domain_use_wide_inherit_fd(auditd_t)
|
||||||
|
|
||||||
files_read_general_system_config(auditd_t)
|
files_read_generic_etc_files(auditd_t)
|
||||||
|
|
||||||
logging_send_system_log_message(auditd_t)
|
logging_send_syslog_msg(auditd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(auditd_t)
|
libs_use_ld_so(auditd_t)
|
||||||
libraries_use_shared_libraries(auditd_t)
|
libs_use_shared_libs(auditd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(auditd_t)
|
miscfiles_read_localization(auditd_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(auditd_t)
|
term_dontaudit_use_unallocated_tty(auditd_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(auditd_t)
|
terminal_ignore_use_general_pseudoterminal(auditd_t)
|
||||||
files_ignore_read_rootfs_file(auditd_t)
|
files_dontaudit_read_root_file(auditd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -90,7 +90,7 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(auditd_t)
|
udev_read_db(auditd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -115,7 +115,7 @@ allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow klogd_t klogd_tmp_t:file create_file_perms;
|
allow klogd_t klogd_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(klogd_t,klogd_tmp_t)
|
files_create_tmp_files(klogd_t,klogd_tmp_t)
|
||||||
|
|
||||||
allow klogd_t klogd_var_run_t:file create_file_perms;
|
allow klogd_t klogd_var_run_t:file create_file_perms;
|
||||||
|
|
||||||
@ -134,17 +134,17 @@ dev_read_raw_memory(klogd_t)
|
|||||||
|
|
||||||
fs_getattr_all_fs(klogd_t)
|
fs_getattr_all_fs(klogd_t)
|
||||||
|
|
||||||
files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
|
files_create_pid(klogd_t,klogd_var_run_t)
|
||||||
files_read_runtime_system_config(klogd_t)
|
files_read_etc_runtime_files(klogd_t)
|
||||||
# read /etc/nsswitch.conf
|
# read /etc/nsswitch.conf
|
||||||
files_read_general_system_config(klogd_t)
|
files_read_generic_etc_files(klogd_t)
|
||||||
|
|
||||||
init_use_file_descriptors(klogd_t)
|
init_use_fd(klogd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(klogd_t)
|
libs_use_ld_so(klogd_t)
|
||||||
libraries_use_shared_libraries(klogd_t)
|
libs_use_shared_libs(klogd_t)
|
||||||
|
|
||||||
logging_send_system_log_message(klogd_t)
|
logging_send_syslog_msg(klogd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(klogd_t)
|
miscfiles_read_localization(klogd_t)
|
||||||
|
|
||||||
@ -170,21 +170,21 @@ allow syslogd_t var_log_t:file create_file_perms;
|
|||||||
|
|
||||||
# manage temporary files
|
# manage temporary files
|
||||||
allow syslogd_t syslogd_tmp_t:file create_file_perms;
|
allow syslogd_t syslogd_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
|
files_create_tmp_files(syslogd_t,syslogd_tmp_t)
|
||||||
|
|
||||||
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||||
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
|
files_create_pid(syslogd_t,syslogd_var_run_t,file)
|
||||||
|
|
||||||
# Create and bind to /dev/log or /var/run/log.
|
# Create and bind to /dev/log or /var/run/log.
|
||||||
allow syslogd_t devlog_t:sock_file create_file_perms;
|
allow syslogd_t devlog_t:sock_file create_file_perms;
|
||||||
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
|
files_create_pid(syslogd_t,devlog_t,sock_file)
|
||||||
# I belive these are not needed:
|
# I belive these are not needed:
|
||||||
allow syslogd_t devlog_t:unix_stream_socket name_bind;
|
allow syslogd_t devlog_t:unix_stream_socket name_bind;
|
||||||
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
||||||
|
|
||||||
# manage pid file
|
# manage pid file
|
||||||
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||||
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
|
files_create_pid(syslogd_t,syslogd_var_run_t)
|
||||||
|
|
||||||
kernel_read_hardware_state(syslogd_t)
|
kernel_read_hardware_state(syslogd_t)
|
||||||
kernel_read_kernel_sysctl(syslogd_t)
|
kernel_read_kernel_sysctl(syslogd_t)
|
||||||
@ -196,8 +196,8 @@ term_dontaudit_use_console(syslogd_t)
|
|||||||
term_write_unallocated_ttys(syslogd_t)
|
term_write_unallocated_ttys(syslogd_t)
|
||||||
|
|
||||||
# for sending messages to logged in users
|
# for sending messages to logged in users
|
||||||
init_script_read_runtime_data(syslogd_t)
|
init_read_script_pid(syslogd_t)
|
||||||
init_script_ignore_write_runtime_data(syslogd_t)
|
init_dontaudit_write_script_pid(syslogd_t)
|
||||||
term_write_all_user_ttys(syslogd_t)
|
term_write_all_user_ttys(syslogd_t)
|
||||||
|
|
||||||
corenet_raw_sendrecv_all_if(syslogd_t)
|
corenet_raw_sendrecv_all_if(syslogd_t)
|
||||||
@ -210,26 +210,26 @@ corenet_udp_bind_syslogd_port(syslogd_t)
|
|||||||
|
|
||||||
fs_getattr_all_fs(syslogd_t)
|
fs_getattr_all_fs(syslogd_t)
|
||||||
|
|
||||||
init_use_file_descriptors(syslogd_t)
|
init_use_fd(syslogd_t)
|
||||||
init_script_use_pseudoterminal(syslogd_t)
|
init_use_script_pty(syslogd_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(syslogd_t)
|
domain_use_wide_inherit_fd(syslogd_t)
|
||||||
|
|
||||||
files_read_general_system_config(syslogd_t)
|
files_read_generic_etc_files(syslogd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(syslogd_t)
|
libs_use_ld_so(syslogd_t)
|
||||||
libraries_use_shared_libraries(syslogd_t)
|
libs_use_shared_libs(syslogd_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config(syslogd_t)
|
sysnet_read_config(syslogd_t)
|
||||||
|
|
||||||
miscfiles_read_localization(syslogd_t)
|
miscfiles_read_localization(syslogd_t)
|
||||||
|
|
||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
|
userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /initrd is not umounted before minilog starts
|
# /initrd is not umounted before minilog starts
|
||||||
#
|
#
|
||||||
files_ignore_search_isid_type_dir(syslogd_t)
|
files_dontaudit_search_isid_type_dir(syslogd_t)
|
||||||
#allow syslogd_t tmpfs_t:dir search;
|
#allow syslogd_t tmpfs_t:dir search;
|
||||||
#dontaudit syslogd_t unlabeled_t:file read;
|
#dontaudit syslogd_t unlabeled_t:file read;
|
||||||
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
||||||
@ -246,7 +246,7 @@ ifdef(`klogd.te', `', `
|
|||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(syslogd_t)
|
term_dontaudit_use_unallocated_tty(syslogd_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(syslogd_t)
|
terminal_ignore_use_general_pseudoterminal(syslogd_t)
|
||||||
files_ignore_read_rootfs_file(syslogd_t)
|
files_dontaudit_read_root_file(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -254,11 +254,11 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(syslogd_t)
|
udev_read_db(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`cron.te',`
|
optional_policy(`cron.te',`
|
||||||
cron_modify_log(syslogd_t)
|
cron_rw_log(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for logical volume management programs.</summary>
|
## <summary>Policy for logical volume management programs.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="lvm_transition">
|
## <interface name="lvm_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute lvm programs in the lvm domain.
|
## Execute lvm programs in the lvm domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`lvm_transition',`
|
define(`lvm_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1, lvm_exec_t, lvm_t)
|
domain_auto_trans($1, lvm_exec_t, lvm_t)
|
||||||
@ -22,7 +22,7 @@ define(`lvm_transition',`
|
|||||||
allow lvm_t $1:process sigchld;
|
allow lvm_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`lvm_transition_depend',`
|
define(`lvm_domtrans_depend',`
|
||||||
type lvm_t, lvm_exec_t;
|
type lvm_t, lvm_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute };
|
class file { getattr read execute };
|
||||||
@ -32,7 +32,7 @@ define(`lvm_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="lvm_transition_add_role_use_terminal">
|
## <interface name="lvm_run">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute lvm programs in the lvm domain.
|
## Execute lvm programs in the lvm domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -47,15 +47,15 @@ define(`lvm_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`lvm_transition_add_role_use_terminal',`
|
define(`lvm_run',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
lvm_transition($1)
|
lvm_domtrans($1)
|
||||||
role $2 types lvm_t;
|
role $2 types lvm_t;
|
||||||
allow lvm_t $3:chr_file { getattr read write ioctl };
|
allow lvm_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`lvm_transition_add_role_use_terminal_depend',`
|
define(`lvm_run_depend',`
|
||||||
type lvm_t;
|
type lvm_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
|
@ -8,23 +8,23 @@ policy_module(lvm,1.0)
|
|||||||
|
|
||||||
type lvm_t;
|
type lvm_t;
|
||||||
type lvm_exec_t;
|
type lvm_exec_t;
|
||||||
init_make_system_domain(lvm_t,lvm_exec_t)
|
init_system_domain(lvm_t,lvm_exec_t)
|
||||||
# needs privowner because it assigns the identity system_u to device nodes
|
# needs privowner because it assigns the identity system_u to device nodes
|
||||||
# but runs as the identity of the sysadmin
|
# but runs as the identity of the sysadmin
|
||||||
kernel_make_object_identity_change_constraint_exception(lvm_t)
|
kernel_obj_id_change_exempt(lvm_t)
|
||||||
role system_r types lvm_t;
|
role system_r types lvm_t;
|
||||||
|
|
||||||
type lvm_etc_t;
|
type lvm_etc_t;
|
||||||
files_make_file(lvm_etc_t)
|
files_file_type(lvm_etc_t)
|
||||||
|
|
||||||
type lvm_lock_t;
|
type lvm_lock_t;
|
||||||
files_make_lock_file(lvm_lock_t)
|
files_lock_file(lvm_lock_t)
|
||||||
|
|
||||||
type lvm_metadata_t;
|
type lvm_metadata_t;
|
||||||
files_make_file(lvm_metadata_t)
|
files_file_type(lvm_metadata_t)
|
||||||
|
|
||||||
type lvm_tmp_t;
|
type lvm_tmp_t;
|
||||||
files_make_temporary_file(lvm_tmp_t)
|
files_tmp_file(lvm_tmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -45,7 +45,7 @@ allow lvm_t self:unix_dgram_socket create_socket_perms;
|
|||||||
|
|
||||||
allow lvm_t lvm_tmp_t:dir create_dir_perms;
|
allow lvm_t lvm_tmp_t:dir create_dir_perms;
|
||||||
allow lvm_t lvm_tmp_t:file create_file_perms;
|
allow lvm_t lvm_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(lvm_t, lvm_tmp_t, { file dir })
|
files_create_tmp_files(lvm_t, lvm_tmp_t, { file dir })
|
||||||
|
|
||||||
# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
|
# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
|
||||||
allow lvm_t lvm_exec_t:dir search;
|
allow lvm_t lvm_exec_t:dir search;
|
||||||
@ -57,7 +57,7 @@ can_exec(lvm_t, lvm_exec_t)
|
|||||||
# Creating lock files
|
# Creating lock files
|
||||||
allow lvm_t lvm_lock_t:dir rw_dir_perms;
|
allow lvm_t lvm_lock_t:dir rw_dir_perms;
|
||||||
allow lvm_t lvm_lock_t:file create_file_perms;
|
allow lvm_t lvm_lock_t:file create_file_perms;
|
||||||
files_create_private_lock_file(lvm_t,lvm_lock_t)
|
files_create_lock_file(lvm_t,lvm_lock_t)
|
||||||
|
|
||||||
allow lvm_t lvm_etc_t:file r_file_perms;
|
allow lvm_t lvm_etc_t:file r_file_perms;
|
||||||
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
|
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
|
||||||
@ -66,7 +66,7 @@ allow lvm_t lvm_etc_t:dir rw_dir_perms;
|
|||||||
allow lvm_t lvm_metadata_t:file create_file_perms;
|
allow lvm_t lvm_metadata_t:file create_file_perms;
|
||||||
allow lvm_t lvm_metadata_t:dir rw_dir_perms;
|
allow lvm_t lvm_metadata_t:dir rw_dir_perms;
|
||||||
type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
|
type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
|
||||||
files_create_private_config(lvm_t,lvm_metadata_t,file)
|
files_create_etc_config(lvm_t,lvm_metadata_t,file)
|
||||||
|
|
||||||
kernel_read_system_state(lvm_t)
|
kernel_read_system_state(lvm_t)
|
||||||
kernel_get_selinuxfs_mount_point(lvm_t)
|
kernel_get_selinuxfs_mount_point(lvm_t)
|
||||||
@ -89,8 +89,8 @@ dev_read_rand(lvm_t)
|
|||||||
dev_read_urand(lvm_t)
|
dev_read_urand(lvm_t)
|
||||||
dev_rw_lvm_control(lvm_t)
|
dev_rw_lvm_control(lvm_t)
|
||||||
dev_manage_generic_symlinks(lvm_t)
|
dev_manage_generic_symlinks(lvm_t)
|
||||||
devices_relabel_dev_dirs(lvm_t)
|
dev_relabel_dev_dirs(lvm_t)
|
||||||
devices_manage_generic_block_device(lvm_t)
|
dev_manage_generic_blk_file(lvm_t)
|
||||||
|
|
||||||
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
|
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
|
||||||
dev_dontaudit_getattr_all_chr_files(lvm_t)
|
dev_dontaudit_getattr_all_chr_files(lvm_t)
|
||||||
@ -110,25 +110,25 @@ storage_create_fixed_disk_dev_entry(lvm_t)
|
|||||||
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
|
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
|
||||||
storage_manage_fixed_disk(lvm_t)
|
storage_manage_fixed_disk(lvm_t)
|
||||||
|
|
||||||
corecommands_search_system_programs_directory(lvm_t)
|
corecmd_search_sbin(lvm_t)
|
||||||
corecommands_ignore_get_system_programs_attributes(lvm_t)
|
corecmd_dontaudit_getattr_sbin_file(lvm_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(lvm_t)
|
domain_use_wide_inherit_fd(lvm_t)
|
||||||
|
|
||||||
files_search_system_state_data_directory(lvm_t)
|
files_search_var(lvm_t)
|
||||||
files_read_general_system_config(lvm_t)
|
files_read_generic_etc_files(lvm_t)
|
||||||
files_read_runtime_system_config(lvm_t)
|
files_read_etc_runtime_files(lvm_t)
|
||||||
# for when /usr is not mounted:
|
# for when /usr is not mounted:
|
||||||
files_ignore_search_isid_type_dir(lvm_t)
|
files_dontaudit_search_isid_type_dir(lvm_t)
|
||||||
|
|
||||||
init_use_file_descriptors(lvm_t)
|
init_use_fd(lvm_t)
|
||||||
init_ignore_get_control_channel_attributes(lvm_t)
|
init_dontaudit_getattr_initctl(lvm_t)
|
||||||
init_script_use_pseudoterminal(lvm_t)
|
init_use_script_pty(lvm_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(lvm_t)
|
libs_use_ld_so(lvm_t)
|
||||||
libraries_use_shared_libraries(lvm_t)
|
libs_use_shared_libs(lvm_t)
|
||||||
|
|
||||||
logging_send_system_log_message(lvm_t)
|
logging_send_syslog_msg(lvm_t)
|
||||||
|
|
||||||
miscfiles_read_localization(lvm_t)
|
miscfiles_read_localization(lvm_t)
|
||||||
|
|
||||||
@ -138,14 +138,14 @@ selinux_newrole_sigchld(lvm_t)
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
# this is from the initrd:
|
# this is from the initrd:
|
||||||
files_modify_isid_type_dir(lvm_t)
|
files_rw_isid_type_dir(lvm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(lvm_t)
|
term_dontaudit_use_unallocated_tty(lvm_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(lvm_t)
|
terminal_ignore_use_general_pseudoterminal(lvm_t)
|
||||||
|
|
||||||
files_ignore_read_rootfs_file(lvm_t)
|
files_dontaudit_read_root_file(lvm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`bootloader.te',`
|
optional_policy(`bootloader.te',`
|
||||||
@ -153,7 +153,7 @@ optional_policy(`bootloader.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(lvm_t)
|
udev_read_db(lvm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Miscelaneous files.</summary>
|
## <summary>Miscelaneous files.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="miscfiles_manage_man_page_cache">
|
## <interface name="miscfiles_rw_man_cache">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to create files and dirs in /var/cache/man
|
## Allow process to create files and dirs in /var/cache/man
|
||||||
## and /var/catman/
|
## and /var/catman/
|
||||||
@ -15,7 +15,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_manage_man_page_cache',`
|
define(`miscfiles_rw_man_cache',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: search var_t dir
|
# FIXME: search var_t dir
|
||||||
@ -23,7 +23,7 @@ define(`miscfiles_manage_man_page_cache',`
|
|||||||
allow $1 catman_t:file create_file_perms;
|
allow $1 catman_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_manage_man_page_cache_depend',`
|
define(`miscfiles_rw_man_cache_depend',`
|
||||||
type catman_t;
|
type catman_t;
|
||||||
|
|
||||||
class dir create_dir_perms;
|
class dir create_dir_perms;
|
||||||
@ -83,7 +83,7 @@ define(`miscfiles_read_localization',`
|
|||||||
allow $1 locale_t:file r_file_perms;
|
allow $1 locale_t:file r_file_perms;
|
||||||
|
|
||||||
# why?
|
# why?
|
||||||
libraries_read_library_resources($1)
|
libs_read_lib($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_read_localization_depend',`
|
define(`miscfiles_read_localization_depend',`
|
||||||
|
@ -5,41 +5,41 @@ policy_module(miscfiles,1.0)
|
|||||||
# catman_t is the type for /var/catman.
|
# catman_t is the type for /var/catman.
|
||||||
#
|
#
|
||||||
type catman_t; # , tmpfile;
|
type catman_t; # , tmpfile;
|
||||||
files_make_file(catman_t)
|
files_file_type(catman_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# cert_t is the type of files in the system certs directories.
|
# cert_t is the type of files in the system certs directories.
|
||||||
#
|
#
|
||||||
type cert_t;
|
type cert_t;
|
||||||
files_make_file(cert_t)
|
files_file_type(cert_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# fonts_t is the type of various font
|
# fonts_t is the type of various font
|
||||||
# files in /usr
|
# files in /usr
|
||||||
#
|
#
|
||||||
type fonts_t;
|
type fonts_t;
|
||||||
files_make_file(fonts_t)
|
files_file_type(fonts_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# locale_t is the type for system localization
|
# locale_t is the type for system localization
|
||||||
#
|
#
|
||||||
type locale_t;
|
type locale_t;
|
||||||
files_make_file(locale_t)
|
files_file_type(locale_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# man_t is the type for the man directories.
|
# man_t is the type for the man directories.
|
||||||
#
|
#
|
||||||
type man_t;
|
type man_t;
|
||||||
files_make_file(man_t)
|
files_file_type(man_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Base type for the tests directory.
|
# Base type for the tests directory.
|
||||||
#
|
#
|
||||||
type test_file_t;
|
type test_file_t;
|
||||||
files_make_file(test_file_t)
|
files_file_type(test_file_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# for /var/{spool,lib}/texmf index files
|
# for /var/{spool,lib}/texmf index files
|
||||||
#
|
#
|
||||||
type tetex_data_t; # , tmpfile;
|
type tetex_data_t; # , tmpfile;
|
||||||
files_make_file(tetex_data_t)
|
files_file_type(tetex_data_t)
|
||||||
|
@ -26,7 +26,7 @@ define(`modutils_read_kernel_module_dependencies_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_read_kernel_module_loading_config">
|
## <interface name="modutils_read_module_conf">
|
||||||
## <description>
|
## <description>
|
||||||
## Read the configuration options used when
|
## Read the configuration options used when
|
||||||
## loading modules.
|
## loading modules.
|
||||||
@ -36,20 +36,20 @@ define(`modutils_read_kernel_module_dependencies_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_read_kernel_module_loading_config',`
|
define(`modutils_read_module_conf',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 modules_conf_t:file r_file_perms;
|
allow $1 modules_conf_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_read_kernel_module_loading_config_depend',`
|
define(`modutils_read_module_conf_depend',`
|
||||||
type modules_conf_t;
|
type modules_conf_t;
|
||||||
|
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_insmod_transition">
|
## <interface name="modutils_domtrans_insmod">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute insmod in the insmod domain. Has a
|
## Execute insmod in the insmod domain. Has a
|
||||||
## sigchld backchannel.
|
## sigchld backchannel.
|
||||||
@ -59,7 +59,7 @@ define(`modutils_read_kernel_module_loading_config_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_insmod_transition',`
|
define(`modutils_domtrans_insmod',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1, insmod_exec_t, insmod_t)
|
domain_auto_trans($1, insmod_exec_t, insmod_t)
|
||||||
@ -70,7 +70,7 @@ define(`modutils_insmod_transition',`
|
|||||||
allow insmod_t $1:process sigchld;
|
allow insmod_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_insmod_transition_depend',`
|
define(`modutils_domtrans_insmod_depend',`
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
|
|
||||||
class file { getattr read execute };
|
class file { getattr read execute };
|
||||||
@ -80,7 +80,7 @@ define(`modutils_insmod_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_insmod_transition_add_role_use_terminal">
|
## <interface name="modutils_run_insmod">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute insmod in the insmod domain, and
|
## Execute insmod in the insmod domain, and
|
||||||
## allow the specified role the insmod domain,
|
## allow the specified role the insmod domain,
|
||||||
@ -98,15 +98,15 @@ define(`modutils_insmod_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_insmod_transition_add_role_use_terminal',`
|
define(`modutils_run_insmod',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
modutils_insmod_transition($1)
|
modutils_domtrans_insmod($1)
|
||||||
role $2 types insmod_t;
|
role $2 types insmod_t;
|
||||||
allow insmod_t $3:chr_file { getattr read write ioctl };
|
allow insmod_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_insmod_transition_add_role_use_terminal_depend',`
|
define(`modutils_run_insmod_depend',`
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -114,22 +114,22 @@ define(`modutils_insmod_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# modutils_insmod_execute(domain)
|
# modutils_exec_insmod(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_insmod_execute',`
|
define(`modutils_exec_insmod',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1, insmod_exec_t)
|
can_exec($1, insmod_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_insmod_execute_depend',`
|
define(`modutils_exec_insmod_depend',`
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_depmod_transition">
|
## <interface name="modutils_domtrans_depmod">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute depmod in the depmod domain.
|
## Execute depmod in the depmod domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -138,7 +138,7 @@ define(`modutils_insmod_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_depmod_transition',`
|
define(`modutils_domtrans_depmod',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1, depmod_exec_t, depmod_t)
|
domain_auto_trans($1, depmod_exec_t, depmod_t)
|
||||||
@ -149,7 +149,7 @@ define(`modutils_depmod_transition',`
|
|||||||
allow depmod_t $1:process sigchld;
|
allow depmod_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_depmod_transition_depend',`
|
define(`modutils_domtrans_depmod_depend',`
|
||||||
type depmod_t;
|
type depmod_t;
|
||||||
|
|
||||||
class file { getattr read execute };
|
class file { getattr read execute };
|
||||||
@ -159,7 +159,7 @@ define(`modutils_depmod_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_depmod_transition_add_role_use_terminal">
|
## <interface name="modutils_run_depmod">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute depmod in the depmod domain.
|
## Execute depmod in the depmod domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -174,15 +174,15 @@ define(`modutils_depmod_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_depmod_transition_add_role_use_terminal',`
|
define(`modutils_run_depmod',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
modutils_depmod_transition($1)
|
modutils_domtrans_depmod($1)
|
||||||
role $2 types insmod_t;
|
role $2 types insmod_t;
|
||||||
allow insmod_t $3:chr_file { getattr read write ioctl };
|
allow insmod_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_depmod_transition_add_role_use_terminal_depend',`
|
define(`modutils_run_depmod_depend',`
|
||||||
type depmod_t;
|
type depmod_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -190,22 +190,22 @@ define(`modutils_depmod_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# modutils_depmod_execute(domain)
|
# modutils_exec_depmod(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_depmod_execute',`
|
define(`modutils_exec_depmod',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1, depmod_exec_t)
|
can_exec($1, depmod_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_depmod_execute_depend',`
|
define(`modutils_exec_depmod_depend',`
|
||||||
type depmod_t;
|
type depmod_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_update_modules_transition">
|
## <interface name="modutils_domtrans_update_mods">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute depmod in the depmod domain.
|
## Execute depmod in the depmod domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -214,7 +214,7 @@ define(`modutils_depmod_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_update_modules_transition',`
|
define(`modutils_domtrans_update_mods',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1, update_modules_exec_t, update_modules_t)
|
domain_auto_trans($1, update_modules_exec_t, update_modules_t)
|
||||||
@ -225,7 +225,7 @@ define(`modutils_update_modules_transition',`
|
|||||||
allow update_modules_t $1:process sigchld;
|
allow update_modules_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_update_modules_transition_depend',`
|
define(`modutils_domtrans_update_mods_depend',`
|
||||||
type update_modules_t;
|
type update_modules_t;
|
||||||
|
|
||||||
class file { getattr read execute };
|
class file { getattr read execute };
|
||||||
@ -235,7 +235,7 @@ define(`modutils_update_modules_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="modutils_update_modules_transition_add_role_use_terminal">
|
## <interface name="modutils_run_update_mods">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute update_modules in the update_modules domain.
|
## Execute update_modules in the update_modules domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -250,15 +250,15 @@ define(`modutils_update_modules_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_update_modules_transition_add_role_use_terminal',`
|
define(`modutils_run_update_mods',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
modutils_update_modules_transition($1)
|
modutils_domtrans_update_mods($1)
|
||||||
role $2 types update_modules_t;
|
role $2 types update_modules_t;
|
||||||
allow update_modules_t $3:chr_file rw_file_perms;
|
allow update_modules_t $3:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
|
define(`modutils_run_update_mods_depend',`
|
||||||
type update_modules_t;
|
type update_modules_t;
|
||||||
|
|
||||||
class chr_file rw_file_perms;
|
class chr_file rw_file_perms;
|
||||||
@ -266,15 +266,15 @@ define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# modutils_update_modules_execute(domain)
|
# modutils_exec_update_mods(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_update_modules_execute',`
|
define(`modutils_exec_update_mods',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1, update_modules_exec_t)
|
can_exec($1, update_modules_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_update_modules_execute_depend',`
|
define(`modutils_exec_update_mods_depend',`
|
||||||
type update_modules_t;
|
type update_modules_t;
|
||||||
|
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
|
@ -8,30 +8,30 @@ policy_module(modutils,1.0)
|
|||||||
|
|
||||||
# module loading config
|
# module loading config
|
||||||
type modules_conf_t;
|
type modules_conf_t;
|
||||||
files_make_file(modules_conf_t)
|
files_file_type(modules_conf_t)
|
||||||
|
|
||||||
# module dependencies
|
# module dependencies
|
||||||
type modules_dep_t;
|
type modules_dep_t;
|
||||||
files_make_file(modules_dep_t)
|
files_file_type(modules_dep_t)
|
||||||
|
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
type insmod_exec_t;
|
type insmod_exec_t;
|
||||||
kernel_userland_entry(insmod_t,insmod_exec_t)
|
kernel_userland_entry(insmod_t,insmod_exec_t)
|
||||||
init_make_system_domain(insmod_t,insmod_exec_t)
|
init_system_domain(insmod_t,insmod_exec_t)
|
||||||
role system_r types insmod_t;
|
role system_r types insmod_t;
|
||||||
|
|
||||||
type depmod_t;
|
type depmod_t;
|
||||||
type depmod_exec_t;
|
type depmod_exec_t;
|
||||||
init_make_system_domain(depmod_t,depmod_exec_t)
|
init_system_domain(depmod_t,depmod_exec_t)
|
||||||
role system_r types depmod_t;
|
role system_r types depmod_t;
|
||||||
|
|
||||||
type update_modules_t;
|
type update_modules_t;
|
||||||
type update_modules_exec_t;
|
type update_modules_exec_t;
|
||||||
init_make_system_domain(update_modules_t,update_modules_exec_t)
|
init_system_domain(update_modules_t,update_modules_exec_t)
|
||||||
role system_r types update_modules_t;
|
role system_r types update_modules_t;
|
||||||
|
|
||||||
type update_modules_tmp_t;
|
type update_modules_tmp_t;
|
||||||
files_make_temporary_file(update_modules_tmp_t)
|
files_tmp_file(update_modules_tmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -68,37 +68,37 @@ dev_rw_agp_dev(insmod_t)
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(insmod_t)
|
fs_getattr_xattr_fs(insmod_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(insmod_t)
|
corecmd_exec_bin(insmod_t)
|
||||||
corecommands_execute_system_programs(insmod_t)
|
corecmd_exec_sbin(insmod_t)
|
||||||
corecommands_execute_shell(insmod_t)
|
corecmd_exec_shell(insmod_t)
|
||||||
|
|
||||||
domain_signal_all_domains(insmod_t)
|
domain_signal_all_domains(insmod_t)
|
||||||
domain_use_widely_inheritable_file_descriptors(insmod_t)
|
domain_use_wide_inherit_fd(insmod_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(insmod_t)
|
files_read_etc_runtime_files(insmod_t)
|
||||||
files_read_general_system_config(insmod_t)
|
files_read_generic_etc_files(insmod_t)
|
||||||
files_read_general_application_resources(insmod_t)
|
files_read_usr_files(insmod_t)
|
||||||
files_execute_system_config_script(insmod_t)
|
files_exec_generic_etc_files(insmod_t)
|
||||||
# for nscd:
|
# for nscd:
|
||||||
files_ignore_search_runtime_data_directory(insmod_t)
|
files_dontaudit_search_pids(insmod_t)
|
||||||
# for when /var is not mounted early in the boot:
|
# for when /var is not mounted early in the boot:
|
||||||
files_ignore_search_isid_type_dir(insmod_t)
|
files_dontaudit_search_isid_type_dir(insmod_t)
|
||||||
|
|
||||||
init_use_control_channel(insmod_t)
|
init_use_initctl(insmod_t)
|
||||||
init_use_file_descriptors(insmod_t)
|
init_use_fd(insmod_t)
|
||||||
init_script_use_file_descriptors(insmod_t)
|
init_use_script_fd(insmod_t)
|
||||||
init_script_use_pseudoterminal(insmod_t)
|
init_use_script_pty(insmod_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(insmod_t)
|
libs_use_ld_so(insmod_t)
|
||||||
libraries_use_shared_libraries(insmod_t)
|
libs_use_shared_libs(insmod_t)
|
||||||
|
|
||||||
logging_send_system_log_message(insmod_t)
|
logging_send_syslog_msg(insmod_t)
|
||||||
logging_search_system_log_directory(insmod_t)
|
logging_search_logs(insmod_t)
|
||||||
|
|
||||||
miscfiles_read_localization(insmod_t)
|
miscfiles_read_localization(insmod_t)
|
||||||
|
|
||||||
optional_policy(`mount.te',`
|
optional_policy(`mount.te',`
|
||||||
mount_transition(insmod_t)
|
mount_domtrans(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -138,18 +138,18 @@ term_use_console(depmod_t)
|
|||||||
bootloader_read_kernel_symbol_table(depmod_t)
|
bootloader_read_kernel_symbol_table(depmod_t)
|
||||||
bootloader_read_kernel_modules(depmod_t)
|
bootloader_read_kernel_modules(depmod_t)
|
||||||
|
|
||||||
init_use_file_descriptors(depmod_t)
|
init_use_fd(depmod_t)
|
||||||
init_script_use_file_descriptors(depmod_t)
|
init_use_script_fd(depmod_t)
|
||||||
init_script_use_pseudoterminal(depmod_t)
|
init_use_script_pty(depmod_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(depmod_t)
|
domain_use_wide_inherit_fd(depmod_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(depmod_t)
|
files_read_etc_runtime_files(depmod_t)
|
||||||
files_read_general_system_config(depmod_t)
|
files_read_generic_etc_files(depmod_t)
|
||||||
files_read_system_source_code(depmod_t)
|
files_read_usr_src(depmod_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(depmod_t)
|
libs_use_ld_so(depmod_t)
|
||||||
libraries_use_shared_libraries(depmod_t)
|
libs_use_shared_libs(depmod_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
@ -177,14 +177,14 @@ can_exec(update_modules_t, update_modules_exec_t)
|
|||||||
# manage module loading configuration
|
# manage module loading configuration
|
||||||
allow update_modules_t modules_conf_t:file create_file_perms;
|
allow update_modules_t modules_conf_t:file create_file_perms;
|
||||||
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
|
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
|
||||||
files_create_private_config(update_modules_t,modules_conf_t)
|
files_create_etc_config(update_modules_t,modules_conf_t)
|
||||||
|
|
||||||
# transition to depmod
|
# transition to depmod
|
||||||
domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
|
domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
|
||||||
|
|
||||||
allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
|
allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
|
||||||
allow update_modules_t update_modules_tmp_t:file create_file_perms;
|
allow update_modules_t update_modules_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
|
files_create_tmp_files(update_modules_t, update_modules_tmp_t, { file dir })
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(update_modules_t)
|
kernel_read_kernel_sysctl(update_modules_t)
|
||||||
kernel_read_system_state(update_modules_t)
|
kernel_read_system_state(update_modules_t)
|
||||||
@ -195,24 +195,24 @@ fs_getattr_xattr_fs(update_modules_t)
|
|||||||
|
|
||||||
term_use_console(update_modules_t)
|
term_use_console(update_modules_t)
|
||||||
|
|
||||||
init_use_file_descriptors(depmod_t)
|
init_use_fd(depmod_t)
|
||||||
init_script_use_file_descriptors(depmod_t)
|
init_use_script_fd(depmod_t)
|
||||||
init_script_use_pseudoterminal(depmod_t)
|
init_use_script_pty(depmod_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(depmod_t)
|
domain_use_wide_inherit_fd(depmod_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(update_modules_t)
|
files_read_etc_runtime_files(update_modules_t)
|
||||||
files_read_general_system_config(update_modules_t)
|
files_read_generic_etc_files(update_modules_t)
|
||||||
files_execute_system_config_script(update_modules_t)
|
files_exec_generic_etc_files(update_modules_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(update_modules_t)
|
corecmd_exec_bin(update_modules_t)
|
||||||
corecommands_execute_system_programs(update_modules_t)
|
corecmd_exec_sbin(update_modules_t)
|
||||||
corecommands_execute_shell(update_modules_t)
|
corecmd_exec_shell(update_modules_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(update_modules_t)
|
libs_use_ld_so(update_modules_t)
|
||||||
libraries_use_shared_libraries(update_modules_t)
|
libs_use_shared_libs(update_modules_t)
|
||||||
|
|
||||||
logging_send_system_log_message(update_modules_t)
|
logging_send_syslog_msg(update_modules_t)
|
||||||
|
|
||||||
miscfiles_read_localization(update_modules_t)
|
miscfiles_read_localization(update_modules_t)
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for mount.</summary>
|
## <summary>Policy for mount.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="mount_transition">
|
## <interface name="mount_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute mount in the mount domain.
|
## Execute mount in the mount domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_transition',`
|
define(`mount_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 mount_exec_t:file rx_file_perms;
|
allow $1 mount_exec_t:file rx_file_perms;
|
||||||
@ -25,7 +25,7 @@ define(`mount_transition',`
|
|||||||
allow mount_t $1:process sigchld;
|
allow mount_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_transition_depend',`
|
define(`mount_domtrans_depend',`
|
||||||
type mount_t, mount_exec_t;
|
type mount_t, mount_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -35,7 +35,7 @@ define(`mount_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="mount_transition_add_role_use_terminal">
|
## <interface name="mount_run">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute mount in the mount domain, and
|
## Execute mount in the mount domain, and
|
||||||
## allow the specified role the mount domain,
|
## allow the specified role the mount domain,
|
||||||
@ -52,22 +52,22 @@ define(`mount_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_transition_add_role_use_terminal',`
|
define(`mount_run',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
mount_transition($1)
|
mount_domtrans($1)
|
||||||
role $2 types mount_t;
|
role $2 types mount_t;
|
||||||
allow mount_t $3:chr_file rw_file_perms;
|
allow mount_t $3:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_transition_add_role_use_terminal_depend',`
|
define(`mount_run_depend',`
|
||||||
type mount_t;
|
type mount_t;
|
||||||
|
|
||||||
class chr_file rw_file_perms;
|
class chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="mount_use_file_descriptors">
|
## <interface name="mount_use_fd">
|
||||||
## <description>
|
## <description>
|
||||||
## Use file descriptors for mount.
|
## Use file descriptors for mount.
|
||||||
## </description>
|
## </description>
|
||||||
@ -76,13 +76,13 @@ define(`mount_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_use_file_descriptors',`
|
define(`mount_use_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 mount_t:fd use;
|
allow $1 mount_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_use_file_descriptors_depend',`
|
define(`mount_use_fd_depend',`
|
||||||
type mount_t;
|
type mount_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
|
|
||||||
type mount_t;
|
type mount_t;
|
||||||
type mount_exec_t;
|
type mount_exec_t;
|
||||||
init_make_system_domain(mount_t,mount_exec_t)
|
init_system_domain(mount_t,mount_exec_t)
|
||||||
role system_r types mount_t;
|
role system_r types mount_t;
|
||||||
|
|
||||||
type mount_tmp_t;
|
type mount_tmp_t;
|
||||||
files_make_temporary_file(mount_tmp_t)
|
files_tmp_file(mount_tmp_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -16,7 +16,7 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown
|
|||||||
|
|
||||||
allow mount_t mount_tmp_t:file create_file_perms;
|
allow mount_t mount_tmp_t:file create_file_perms;
|
||||||
allow mount_t mount_tmp_t:dir create_dir_perms;
|
allow mount_t mount_tmp_t:dir create_dir_perms;
|
||||||
files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
|
files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
|
||||||
|
|
||||||
kernel_read_system_state(mount_t)
|
kernel_read_system_state(mount_t)
|
||||||
kernel_dontaudit_use_fd(mount_t)
|
kernel_dontaudit_use_fd(mount_t)
|
||||||
@ -41,39 +41,39 @@ fs_relabelfrom_xattr_fs(mount_t)
|
|||||||
term_use_console(mount_t)
|
term_use_console(mount_t)
|
||||||
|
|
||||||
# required for mount.smbfs
|
# required for mount.smbfs
|
||||||
corecommands_execute_system_programs(mount_t)
|
corecmd_exec_sbin(mount_t)
|
||||||
corecommands_execute_general_programs(mount_t)
|
corecmd_exec_bin(mount_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(mount_t)
|
domain_use_wide_inherit_fd(mount_t)
|
||||||
|
|
||||||
files_search_all_directories(mount_t)
|
files_search_all_dirs(mount_t)
|
||||||
files_read_general_system_config(mount_t)
|
files_read_generic_etc_files(mount_t)
|
||||||
files_manage_runtime_system_config(mount_t)
|
files_manage_etc_runtime_files(mount_t)
|
||||||
files_mount_on_all_mountpoints(mount_t)
|
files_mounton_all_mountpoints(mount_t)
|
||||||
files_unmount_root_fs(mount_t)
|
files_unmount_rootfs(mount_t)
|
||||||
# These rules need to be generalized. Only admin, initrc should have it:
|
# These rules need to be generalized. Only admin, initrc should have it:
|
||||||
files_relabelto_all_file_type_fs(mount_t)
|
files_relabelto_all_file_type_fs(mount_t)
|
||||||
files_mount_all_file_type_fs(mount_t)
|
files_mount_all_file_type_fs(mount_t)
|
||||||
files_mount_all_file_type_fs(mount_t)
|
files_mount_all_file_type_fs(mount_t)
|
||||||
|
|
||||||
init_use_file_descriptors(mount_t)
|
init_use_fd(mount_t)
|
||||||
init_script_use_pseudoterminal(mount_t)
|
init_use_script_pty(mount_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(mount_t)
|
libs_use_ld_so(mount_t)
|
||||||
libraries_use_shared_libraries(mount_t)
|
libs_use_shared_libs(mount_t)
|
||||||
|
|
||||||
logging_send_system_log_message(mount_t)
|
logging_send_syslog_msg(mount_t)
|
||||||
|
|
||||||
miscfiles_read_localization(mount_t)
|
miscfiles_read_localization(mount_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(mount_t)
|
userdom_use_all_user_fd(mount_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
fs_use_tmpfs_character_devices(mount_t)
|
fs_use_tmpfs_character_devices(mount_t)
|
||||||
allow mount_t tmpfs_t:dir mounton;
|
allow mount_t tmpfs_t:dir mounton;
|
||||||
|
|
||||||
optional_policy(`authlogin.te',`
|
optional_policy(`authlogin.te',`
|
||||||
authlogin_pam_console_read_runtime_data(mount_t)
|
auth_read_pam_console_data(mount_t)
|
||||||
# mount config by default sets fscontext=removable_t
|
# mount config by default sets fscontext=removable_t
|
||||||
fs_relabelfrom_dos_fs(mount_t)
|
fs_relabelfrom_dos_fs(mount_t)
|
||||||
')
|
')
|
||||||
@ -103,7 +103,7 @@ optional_policy(`portmap.te', `
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# this goes to the nfs/rpc module
|
# this goes to the nfs/rpc module
|
||||||
files_make_mountpoint(var_lib_nfs_t)
|
files_mountpoint(var_lib_nfs_t)
|
||||||
|
|
||||||
# TODO: Need to examine this further. Not sure how to handle this
|
# TODO: Need to examine this further. Not sure how to handle this
|
||||||
#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
|
#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for SELinux policy and userland applications.</summary>
|
## <summary>Policy for SELinux policy and userland applications.</summary>
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="selinux_checkpolicy_transition">
|
## <interface name="selinux_domtrans_checkpol">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute checkpolicy in the checkpolicy domain.
|
## Execute checkpolicy in the checkpolicy domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_transition',`
|
define(`selinux_domtrans_checkpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 checkpolicy_exec_t:file rx_file_perms;
|
allow $1 checkpolicy_exec_t:file rx_file_perms;
|
||||||
@ -25,7 +25,7 @@ define(`selinux_checkpolicy_transition',`
|
|||||||
allow checkpolicy_t $1:process sigchld;
|
allow checkpolicy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_transition_depend',`
|
define(`selinux_domtrans_checkpol_depend',`
|
||||||
type checkpolicy_t, checkpolicy_exec_t;
|
type checkpolicy_t, checkpolicy_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms
|
class file rx_file_perms
|
||||||
@ -35,7 +35,7 @@ define(`selinux_checkpolicy_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_checkpolicy_transition_add_role_use_terminal">
|
## <interface name="selinux_run_checkpol">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute checkpolicy in the checkpolicy domain, and
|
## Execute checkpolicy in the checkpolicy domain, and
|
||||||
## allow the specified role the checkpolicy domain,
|
## allow the specified role the checkpolicy domain,
|
||||||
@ -53,15 +53,15 @@ define(`selinux_checkpolicy_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
|
define(`selinux_run_checkpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_checkpolicy_transition($1)
|
selinux_domtrans_checkpol($1)
|
||||||
role $2 types checkpolicy_t;
|
role $2 types checkpolicy_t;
|
||||||
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_checkpol_depend',`
|
||||||
type checkpolicy_t;
|
type checkpolicy_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -69,22 +69,22 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_checkpolicy_execute(domain)
|
# selinux_exec_checkpol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_execute',`
|
define(`selinux_exec_checkpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,checkpolicy_exec_t)
|
can_exec($1,checkpolicy_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_execute_depend',`
|
define(`selinux_exec_checkpol_depend',`
|
||||||
type checkpolicy_exec_t;
|
type checkpolicy_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="selinux_load_policy_transition">
|
## <interface name="selinux_domtrans_loadpol">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute load_policy in the load_policy domain.
|
## Execute load_policy in the load_policy domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -93,7 +93,7 @@ define(`selinux_checkpolicy_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_transition',`
|
define(`selinux_domtrans_loadpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 load_policy_exec_t:file rx_file_perms;
|
allow $1 load_policy_exec_t:file rx_file_perms;
|
||||||
@ -107,7 +107,7 @@ define(`selinux_load_policy_transition',`
|
|||||||
allow load_policy_t $1:process sigchld;
|
allow load_policy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_transition_depend',`
|
define(`selinux_domtrans_loadpol_depend',`
|
||||||
type load_policy_t, load_policy_exec_t;
|
type load_policy_t, load_policy_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -117,7 +117,7 @@ define(`selinux_load_policy_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_load_policy_transition_add_role_use_terminal">
|
## <interface name="selinux_run_loadpol">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute load_policy in the load_policy domain, and
|
## Execute load_policy in the load_policy domain, and
|
||||||
## allow the specified role the load_policy domain,
|
## allow the specified role the load_policy domain,
|
||||||
@ -135,15 +135,15 @@ define(`selinux_load_policy_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_transition_add_role_use_terminal',`
|
define(`selinux_run_loadpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_load_policy_transition($1)
|
selinux_domtrans_loadpol($1)
|
||||||
role $2 types load_policy_t;
|
role $2 types load_policy_t;
|
||||||
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_loadpol_depend',`
|
||||||
type load_policy_t;
|
type load_policy_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -151,15 +151,15 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_load_policy_execute(domain)
|
# selinux_exec_loadpol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_execute',`
|
define(`selinux_exec_loadpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,load_policy_exec_t)
|
can_exec($1,load_policy_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_execute_depend',`
|
define(`selinux_exec_loadpol_depend',`
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
@ -167,22 +167,22 @@ define(`selinux_load_policy_execute_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_read_load_policy_binary(domain)
|
# selinux_read_loadpol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_load_policy_binary',`
|
define(`selinux_read_loadpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 load_policy_exec_t:file r_file_perms;
|
allow $1 load_policy_exec_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_load_policy_binary_depend',`
|
define(`selinux_read_loadpol_depend',`
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
|
|
||||||
class file r_file_perms
|
class file r_file_perms
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="selinux_newrole_transition">
|
## <interface name="selinux_domtrans_newrole">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute newrole in the load_policy domain.
|
## Execute newrole in the load_policy domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -191,7 +191,7 @@ define(`selinux_read_load_policy_binary_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition',`
|
define(`selinux_domtrans_newrole',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 newrole_exec_t:file rx_file_perms;
|
allow $1 newrole_exec_t:file rx_file_perms;
|
||||||
@ -205,7 +205,7 @@ define(`selinux_newrole_transition',`
|
|||||||
allow newrole_t $1:process sigchld;
|
allow newrole_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_transition_depend',`
|
define(`selinux_domtrans_newrole_depend',`
|
||||||
type newrole_t, newrole_exec_t;
|
type newrole_t, newrole_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -215,7 +215,7 @@ define(`selinux_newrole_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_newrole_transition_add_role_use_terminal">
|
## <interface name="selinux_run_newrole">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute newrole in the newrole domain, and
|
## Execute newrole in the newrole domain, and
|
||||||
## allow the specified role the newrole domain,
|
## allow the specified role the newrole domain,
|
||||||
@ -232,15 +232,15 @@ define(`selinux_newrole_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition_add_role_use_terminal',`
|
define(`selinux_run_newrole',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_newrole_transition($1)
|
selinux_domtrans_newrole($1)
|
||||||
role $2 types newrole_t;
|
role $2 types newrole_t;
|
||||||
allow newrole_t $3:chr_file { getattr read write ioctl };
|
allow newrole_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_newrole_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -248,22 +248,22 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_newrole_execute(domain)
|
# selinux_exec_newrole(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_execute',`
|
define(`selinux_exec_newrole',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,newrole_exec_t)
|
can_exec($1,newrole_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_execute_depend',`
|
define(`selinux_exec_newrole_depend',`
|
||||||
type newrole_t, newrole_exec_t;
|
type newrole_t, newrole_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_newrole_ignore_signal">
|
## <interface name="selinux_dontaudit_newrole_signal">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit the caller attempts to send
|
## Do not audit the caller attempts to send
|
||||||
## a signal to newrole.
|
## a signal to newrole.
|
||||||
@ -273,13 +273,13 @@ define(`selinux_newrole_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_ignore_signal',`
|
define(`selinux_dontaudit_newrole_signal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 newrole_t:process signal;
|
dontaudit $1 newrole_t:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_ignore_signal_depend',`
|
define(`selinux_dontaudit_newrole_signal_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
|
|
||||||
class process signal;
|
class process signal;
|
||||||
@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_newrole_use_file_descriptors(domain)
|
# selinux_use_newrole_fd(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_use_file_descriptors',`
|
define(`selinux_use_newrole_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 newrole_t:fd use;
|
allow $1 newrole_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_use_file_descriptors_depend',`
|
define(`selinux_use_newrole_fd_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="selinux_restorecon_transition">
|
## <interface name="selinux_domtrans_restorecon">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute restorecon in the restorecon domain.
|
## Execute restorecon in the restorecon domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -327,7 +327,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_transition',`
|
define(`selinux_domtrans_restorecon',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 restorecon_exec_t:file rx_file_perms;
|
allow $1 restorecon_exec_t:file rx_file_perms;
|
||||||
@ -341,7 +341,7 @@ define(`selinux_restorecon_transition',`
|
|||||||
allow restorecon_t $1:process sigchld;
|
allow restorecon_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_transition_depend',`
|
define(`selinux_domtrans_restorecon_depend',`
|
||||||
type restorecon_t, restorecon_exec_t;
|
type restorecon_t, restorecon_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -351,7 +351,7 @@ define(`selinux_restorecon_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_restorecon_transition_add_role_use_terminal">
|
## <interface name="selinux_run_restorecon">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute restorecon in the restorecon domain, and
|
## Execute restorecon in the restorecon domain, and
|
||||||
## allow the specified role the restorecon domain,
|
## allow the specified role the restorecon domain,
|
||||||
@ -368,15 +368,15 @@ define(`selinux_restorecon_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_transition_add_role_use_terminal',`
|
define(`selinux_run_restorecon',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_restorecon_transition($1)
|
selinux_domtrans_restorecon($1)
|
||||||
role $2 types restorecon_t;
|
role $2 types restorecon_t;
|
||||||
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_restorecon_depend',`
|
||||||
type restorecon_t;
|
type restorecon_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -384,21 +384,21 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_restorecon_execute(domain)
|
# selinux_exec_restorecon(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_execute',`
|
define(`selinux_exec_restorecon',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
can_exec($1,restorecon_exec_t)
|
can_exec($1,restorecon_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_execute_depend',`
|
define(`selinux_exec_restorecon_depend',`
|
||||||
type restorecon_t, restorecon_exec_t;
|
type restorecon_t, restorecon_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_run_init_transition">
|
## <interface name="selinux_domtrans_runinit">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute run_init in the run_init domain.
|
## Execute run_init in the run_init domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -407,7 +407,7 @@ define(`selinux_restorecon_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_transition',`
|
define(`selinux_domtrans_runinit',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 run_init_exec_t:file rx_file_perms;
|
allow $1 run_init_exec_t:file rx_file_perms;
|
||||||
@ -421,7 +421,7 @@ define(`selinux_run_init_transition',`
|
|||||||
allow run_init_t $1:process sigchld;
|
allow run_init_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_transition_depend',`
|
define(`selinux_domtrans_runinit_depend',`
|
||||||
type run_init_t, run_init_exec_t;
|
type run_init_t, run_init_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -431,7 +431,7 @@ define(`selinux_run_init_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_run_init_transition_add_role_use_terminal">
|
## <interface name="selinux_run_runinit">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute run_init in the run_init domain, and
|
## Execute run_init in the run_init domain, and
|
||||||
## allow the specified role the run_init domain,
|
## allow the specified role the run_init domain,
|
||||||
@ -448,15 +448,15 @@ define(`selinux_run_init_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_transition_add_role_use_terminal',`
|
define(`selinux_run_runinit',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_run_init_transition($1)
|
selinux_domtrans_runinit($1)
|
||||||
role $2 types run_init_t;
|
role $2 types run_init_t;
|
||||||
allow run_init_t $3:chr_file { getattr read write ioctl };
|
allow run_init_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_runinit_depend',`
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -464,22 +464,22 @@ define(`selinux_run_init_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_run_init_use_file_descriptors(domain)
|
# selinux_use_runinit_fd(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_use_file_descriptors',`
|
define(`selinux_use_runinit_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 run_init_t:fd use;
|
allow $1 run_init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_use_file_descriptors_depend',`
|
define(`selinux_use_runinit_fd_depend',`
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_setfiles_transition">
|
## <interface name="selinux_domtrans_setfiles">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute setfiles in the setfiles domain.
|
## Execute setfiles in the setfiles domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -488,7 +488,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_transition',`
|
define(`selinux_domtrans_setfiles',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 setfiles_exec_t:file rx_file_perms;
|
allow $1 setfiles_exec_t:file rx_file_perms;
|
||||||
@ -502,7 +502,7 @@ define(`selinux_setfiles_transition',`
|
|||||||
allow setfiles_t $1:process sigchld;
|
allow setfiles_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_transition_depend',`
|
define(`selinux_domtrans_setfiles_depend',`
|
||||||
type setfiles_t, setfiles_exec_t;
|
type setfiles_t, setfiles_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -512,7 +512,7 @@ define(`selinux_setfiles_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_setfiles_transition_add_role_use_terminal">
|
## <interface name="selinux_run_setfiles">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute setfiles in the setfiles domain, and
|
## Execute setfiles in the setfiles domain, and
|
||||||
## allow the specified role the setfiles domain,
|
## allow the specified role the setfiles domain,
|
||||||
@ -529,15 +529,15 @@ define(`selinux_setfiles_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_transition_add_role_use_terminal',`
|
define(`selinux_run_setfiles',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_setfiles_transition($1)
|
selinux_domtrans_setfiles($1)
|
||||||
role $2 types setfiles_t;
|
role $2 types setfiles_t;
|
||||||
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_setfiles_depend',`
|
||||||
type setfiles_t;
|
type setfiles_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -545,15 +545,15 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_setfiles_execute(domain)
|
# selinux_exec_setfiles(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_execute',`
|
define(`selinux_exec_setfiles',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,setfiles_exec_t)
|
can_exec($1,setfiles_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_execute_depend',`
|
define(`selinux_exec_setfiles_depend',`
|
||||||
type setfiles_exec_t;
|
type setfiles_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_read_binary_policy(domain)
|
# selinux_read_binary_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_binary_policy',`
|
define(`selinux_read_binary_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 policy_config_t:dir r_dir_perms;
|
allow $1 policy_config_t:dir r_dir_perms;
|
||||||
allow $1 policy_config_t:file r_file_perms;
|
allow $1 policy_config_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_binary_policy_depend',`
|
define(`selinux_read_binary_pol_depend',`
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -635,9 +635,9 @@ define(`selinux_read_binary_policy_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_write_binary_policy(domain)
|
# selinux_write_binary_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_write_binary_policy',`
|
define(`selinux_write_binary_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 policy_config_t:dir rw_dir_perms;
|
allow $1 policy_config_t:dir rw_dir_perms;
|
||||||
@ -645,7 +645,7 @@ define(`selinux_write_binary_policy',`
|
|||||||
typeattribute $1 can_write_binary_policy;
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_write_binary_policy_depend',`
|
define(`selinux_write_binary_pol_depend',`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
|
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
@ -655,7 +655,7 @@ define(`selinux_write_binary_policy_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_relabelto_binary_policy">
|
## <interface name="selinux_relabelto_binary_pol">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow the caller to relabel a file to the binary policy type.
|
## Allow the caller to relabel a file to the binary policy type.
|
||||||
## </description>
|
## </description>
|
||||||
@ -664,14 +664,14 @@ define(`selinux_write_binary_policy_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_relabelto_binary_policy',`
|
define(`selinux_relabelto_binary_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 policy_config_t:file relabelto;
|
allow $1 policy_config_t:file relabelto;
|
||||||
typeattribute $1 can_relabelto_binary_policy;
|
typeattribute $1 can_relabelto_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_relabelto_binary_policy_depend',`
|
define(`selinux_relabelto_binary_pol_depend',`
|
||||||
attribute can_relabelto_binary_policy;
|
attribute can_relabelto_binary_policy;
|
||||||
|
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_policy_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_manage_binary_policy(domain)
|
# selinux_manage_binary_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_manage_binary_policy',`
|
define(`selinux_manage_binary_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: search etc_t:dir
|
# FIXME: search etc_t:dir
|
||||||
@ -693,7 +693,7 @@ define(`selinux_manage_binary_policy',`
|
|||||||
typeattribute $1 can_write_binary_policy;
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_manage_binary_policy_depend',`
|
define(`selinux_manage_binary_pol_depend',`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
|
|
||||||
type selinux_config_t, policy_config_t;
|
type selinux_config_t, policy_config_t;
|
||||||
@ -703,9 +703,9 @@ define(`selinux_manage_binary_policy_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_read_source_policy(domain)
|
# selinux_read_src_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_source_policy',`
|
define(`selinux_read_src_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: search etc_t:dir
|
# FIXME: search etc_t:dir
|
||||||
@ -714,7 +714,7 @@ define(`selinux_read_source_policy',`
|
|||||||
allow $1 policy_src_t:file r_file_perms;
|
allow $1 policy_src_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_source_policy_depend',`
|
define(`selinux_read_src_pol_depend',`
|
||||||
type selinux_config_t, policy_src_t;
|
type selinux_config_t, policy_src_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -723,9 +723,9 @@ define(`selinux_read_source_policy_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_manage_source_policy(domain)
|
# selinux_manage_src_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_manage_source_policy',`
|
define(`selinux_manage_src_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: search etc_t:dir
|
# FIXME: search etc_t:dir
|
||||||
@ -734,7 +734,7 @@ define(`selinux_manage_source_policy',`
|
|||||||
allow $1 policy_src_t:file create_file_perms;
|
allow $1 policy_src_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_manage_source_policy_depend',`
|
define(`selinux_manage_src_pol_depend',`
|
||||||
type selinux_config_t, policy_src_t;
|
type selinux_config_t, policy_src_t;
|
||||||
|
|
||||||
class dir create_dir_perms;
|
class dir create_dir_perms;
|
||||||
|
@ -10,48 +10,48 @@ attribute can_write_binary_policy;
|
|||||||
attribute can_relabelto_binary_policy;
|
attribute can_relabelto_binary_policy;
|
||||||
|
|
||||||
type checkpolicy_t, can_write_binary_policy;
|
type checkpolicy_t, can_write_binary_policy;
|
||||||
domain_make_domain(checkpolicy_t)
|
domain_type(checkpolicy_t)
|
||||||
role system_r types checkpolicy_t;
|
role system_r types checkpolicy_t;
|
||||||
|
|
||||||
type checkpolicy_exec_t;
|
type checkpolicy_exec_t;
|
||||||
domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t)
|
domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# default_context_t is the type applied to
|
# default_context_t is the type applied to
|
||||||
# /etc/selinux/*/contexts/*
|
# /etc/selinux/*/contexts/*
|
||||||
#
|
#
|
||||||
type default_context_t;
|
type default_context_t;
|
||||||
files_make_file(default_context_t)
|
files_file_type(default_context_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# file_context_t is the type applied to
|
# file_context_t is the type applied to
|
||||||
# /etc/selinux/*/contexts/files
|
# /etc/selinux/*/contexts/files
|
||||||
#
|
#
|
||||||
type file_context_t;
|
type file_context_t;
|
||||||
files_make_file(file_context_t)
|
files_file_type(file_context_t)
|
||||||
|
|
||||||
type load_policy_t;
|
type load_policy_t;
|
||||||
domain_make_domain(load_policy_t)
|
domain_type(load_policy_t)
|
||||||
role system_r types load_policy_t;
|
role system_r types load_policy_t;
|
||||||
|
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
|
domain_entry_file(load_policy_t,load_policy_exec_t)
|
||||||
|
|
||||||
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||||
kernel_make_role_change_constraint_exception(newrole_t)
|
kernel_role_change_exempt(newrole_t)
|
||||||
kernel_make_object_identity_change_constraint_exception(newrole_t)
|
kernel_obj_id_change_exempt(newrole_t)
|
||||||
domain_make_domain(newrole_t)
|
domain_type(newrole_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(newrole_t)
|
domain_wide_inherit_fd(newrole_t)
|
||||||
|
|
||||||
type newrole_exec_t;
|
type newrole_exec_t;
|
||||||
domain_make_entrypoint_file(newrole_t,newrole_exec_t)
|
domain_entry_file(newrole_t,newrole_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# policy_config_t is the type of /etc/security/selinux/*
|
# policy_config_t is the type of /etc/security/selinux/*
|
||||||
# the security server policy configuration.
|
# the security server policy configuration.
|
||||||
#
|
#
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
files_make_file(policy_config_t)
|
files_file_type(policy_config_t)
|
||||||
|
|
||||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||||
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||||
@ -61,34 +61,34 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
|||||||
# files.
|
# files.
|
||||||
#
|
#
|
||||||
type policy_src_t;
|
type policy_src_t;
|
||||||
files_make_file(policy_src_t)
|
files_file_type(policy_src_t)
|
||||||
|
|
||||||
type restorecon_t, can_relabelto_binary_policy;
|
type restorecon_t, can_relabelto_binary_policy;
|
||||||
type restorecon_exec_t;
|
type restorecon_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
kernel_obj_id_change_exempt(restorecon_t)
|
||||||
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
init_system_domain(restorecon_t,restorecon_exec_t)
|
||||||
role system_r types restorecon_t;
|
role system_r types restorecon_t;
|
||||||
|
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
domain_make_domain(run_init_t)
|
domain_type(run_init_t)
|
||||||
|
|
||||||
type run_init_exec_t;
|
type run_init_exec_t;
|
||||||
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
|
domain_entry_file(run_init_t,run_init_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
# /etc/selinux/config
|
# /etc/selinux/config
|
||||||
#
|
#
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_make_file(selinux_config_t)
|
files_file_type(selinux_config_t)
|
||||||
|
|
||||||
type setfiles_t, can_relabelto_binary_policy;
|
type setfiles_t, can_relabelto_binary_policy;
|
||||||
kernel_make_object_identity_change_constraint_exception(setfiles_t)
|
kernel_obj_id_change_exempt(setfiles_t)
|
||||||
domain_make_domain(setfiles_t)
|
domain_type(setfiles_t)
|
||||||
role system_r types setfiles_t;
|
role system_r types setfiles_t;
|
||||||
|
|
||||||
type setfiles_exec_t;
|
type setfiles_exec_t;
|
||||||
domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
|
domain_entry_file(setfiles_t,setfiles_exec_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -115,18 +115,18 @@ fs_getattr_xattr_fs(checkpolicy_t)
|
|||||||
|
|
||||||
term_use_console(checkpolicy_t)
|
term_use_console(checkpolicy_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
domain_use_wide_inherit_fd(checkpolicy_t)
|
||||||
|
|
||||||
# directory search permissions for path to source and binary policy files
|
# directory search permissions for path to source and binary policy files
|
||||||
files_search_general_system_config_directory(checkpolicy_t)
|
files_search_etc(checkpolicy_t)
|
||||||
|
|
||||||
init_use_file_descriptors(checkpolicy_t)
|
init_use_fd(checkpolicy_t)
|
||||||
init_script_use_pseudoterminal(checkpolicy_t)
|
init_use_script_pty(checkpolicy_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(checkpolicy_t)
|
libs_use_ld_so(checkpolicy_t)
|
||||||
libraries_use_shared_libraries(checkpolicy_t)
|
libs_use_shared_libs(checkpolicy_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(checkpolicy_t)
|
userdom_use_all_user_fd(checkpolicy_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Read the devpts root directory.
|
# Read the devpts root directory.
|
||||||
@ -158,19 +158,19 @@ fs_getattr_xattr_fs(load_policy_t)
|
|||||||
term_use_console(load_policy_t)
|
term_use_console(load_policy_t)
|
||||||
term_list_ptys(load_policy_t)
|
term_list_ptys(load_policy_t)
|
||||||
|
|
||||||
init_script_use_file_descriptors(load_policy_t)
|
init_use_script_fd(load_policy_t)
|
||||||
init_script_use_pseudoterminal(load_policy_t)
|
init_use_script_pty(load_policy_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(load_policy_t)
|
domain_use_wide_inherit_fd(load_policy_t)
|
||||||
|
|
||||||
files_search_general_system_config_directory(load_policy_t)
|
files_search_etc(load_policy_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(load_policy_t)
|
libs_use_ld_so(load_policy_t)
|
||||||
libraries_use_shared_libraries(load_policy_t)
|
libs_use_shared_libs(load_policy_t)
|
||||||
|
|
||||||
miscfiles_read_localization(load_policy_t)
|
miscfiles_read_localization(load_policy_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(load_policy_t)
|
userdom_use_all_user_fd(load_policy_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -210,23 +210,23 @@ fs_getattr_xattr_fs(newrole_t)
|
|||||||
term_use_all_user_ttys(newrole_t)
|
term_use_all_user_ttys(newrole_t)
|
||||||
term_use_all_user_ptys(newrole_t)
|
term_use_all_user_ptys(newrole_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(newrole_t)
|
auth_domtrans_chk_passwd(newrole_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(newrole_t)
|
domain_use_wide_inherit_fd(newrole_t)
|
||||||
|
|
||||||
# Write to utmp.
|
# Write to utmp.
|
||||||
init_script_modify_runtime_data(newrole_t)
|
init_rw_script_pid(newrole_t)
|
||||||
|
|
||||||
files_read_general_system_config(newrole_t)
|
files_read_generic_etc_files(newrole_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(newrole_t)
|
libs_use_ld_so(newrole_t)
|
||||||
libraries_use_shared_libraries(newrole_t)
|
libs_use_shared_libs(newrole_t)
|
||||||
|
|
||||||
logging_send_system_log_message(newrole_t)
|
logging_send_syslog_msg(newrole_t)
|
||||||
|
|
||||||
miscfiles_read_localization(newrole_t)
|
miscfiles_read_localization(newrole_t)
|
||||||
|
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
|
userdom_use_unpriv_users_fd(newrole_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
@ -291,23 +291,23 @@ fs_getattr_xattr_fs(restorecon_t)
|
|||||||
|
|
||||||
term_use_unallocated_tty(restorecon_t)
|
term_use_unallocated_tty(restorecon_t)
|
||||||
|
|
||||||
init_use_file_descriptors(restorecon_t)
|
init_use_fd(restorecon_t)
|
||||||
init_script_use_pseudoterminal(restorecon_t)
|
init_use_script_pty(restorecon_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(restorecon_t)
|
domain_use_wide_inherit_fd(restorecon_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(restorecon_t)
|
files_read_etc_runtime_files(restorecon_t)
|
||||||
files_read_general_system_config(restorecon_t)
|
files_read_generic_etc_files(restorecon_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(restorecon_t)
|
libs_use_ld_so(restorecon_t)
|
||||||
libraries_use_shared_libraries(restorecon_t)
|
libs_use_shared_libs(restorecon_t)
|
||||||
|
|
||||||
logging_send_system_log_message(restorecon_t)
|
logging_send_syslog_msg(restorecon_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(restorecon_t)
|
userdom_use_all_user_fd(restorecon_t)
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
hotplug_use_file_descriptors(restorecon_t)
|
hotplug_use_fd(restorecon_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
@ -315,9 +315,9 @@ kernel_relabel_unlabeled(restorecon_t)
|
|||||||
dev_relabel_all_dev_nodes(restorecon_t)
|
dev_relabel_all_dev_nodes(restorecon_t)
|
||||||
|
|
||||||
files_relabel_all_files(restorecon_t)
|
files_relabel_all_files(restorecon_t)
|
||||||
files_read_all_directories(restorecon_t)
|
files_list_all_dirs(restorecon_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
authlogin_relabel_to_shadow_passwords(restorecon_t)
|
auth_relabelto_shadow(restorecon_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
fs_use_tmpfs_character_devices(restorecon_t)
|
fs_use_tmpfs_character_devices(restorecon_t)
|
||||||
@ -363,34 +363,34 @@ ifdef(`targeted_policy',`',`
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(run_init_t)
|
fs_getattr_xattr_fs(run_init_t)
|
||||||
|
|
||||||
dev_dontaudit_list_all_nodes(run_init_t)
|
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
||||||
|
|
||||||
term_dontaudit_list_ptys(run_init_t)
|
term_dontaudit_list_ptys(run_init_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(run_init_t)
|
auth_domtrans_chk_passwd(run_init_t)
|
||||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
auth_dontaudit_read_shadow(run_init_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(run_init_t)
|
corecmd_exec_bin(run_init_t)
|
||||||
corecommands_execute_shell(run_init_t)
|
corecmd_exec_shell(run_init_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
domain_use_wide_inherit_fd(run_init_t)
|
||||||
|
|
||||||
files_read_general_system_config(run_init_t)
|
files_read_generic_etc_files(run_init_t)
|
||||||
files_ignore_search_all_directories(run_init_t)
|
files_dontaudit_search_all_dirs(run_init_t)
|
||||||
|
|
||||||
init_script_transition(run_init_t)
|
init_domtrans_script(run_init_t)
|
||||||
# for utmp
|
# for utmp
|
||||||
init_script_modify_runtime_data(run_init_t)
|
init_rw_script_pid(run_init_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(run_init_t)
|
libs_use_ld_so(run_init_t)
|
||||||
libraries_use_shared_libraries(run_init_t)
|
libs_use_shared_libs(run_init_t)
|
||||||
|
|
||||||
selinux_read_config(run_init_t)
|
selinux_read_config(run_init_t)
|
||||||
selinux_read_default_contexts(run_init_t)
|
selinux_read_default_contexts(run_init_t)
|
||||||
|
|
||||||
miscfiles_read_localization(run_init_t)
|
miscfiles_read_localization(run_init_t)
|
||||||
|
|
||||||
logging_send_system_log_message(run_init_t)
|
logging_send_syslog_msg(run_init_t)
|
||||||
') dnl end ifdef targeted policy
|
') dnl end ifdef targeted policy
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -398,7 +398,7 @@ ifdef(`TODO',`
|
|||||||
ifdef(`distro_gentoo', `
|
ifdef(`distro_gentoo', `
|
||||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||||
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
domain_entry_file(run_init_t,initrc_exec_t)
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
@ -427,34 +427,33 @@ term_use_all_user_ttys(setfiles_t)
|
|||||||
term_use_all_user_ptys(setfiles_t)
|
term_use_all_user_ptys(setfiles_t)
|
||||||
term_use_unallocated_tty(setfiles_t)
|
term_use_unallocated_tty(setfiles_t)
|
||||||
|
|
||||||
init_use_file_descriptors(setfiles_t)
|
init_use_fd(setfiles_t)
|
||||||
init_script_use_file_descriptors(setfiles_t)
|
init_use_script_fd(setfiles_t)
|
||||||
init_script_use_pseudoterminal(setfiles_t)
|
init_use_script_pty(setfiles_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(setfiles_t)
|
domain_use_wide_inherit_fd(setfiles_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(setfiles_t)
|
libs_use_ld_so(setfiles_t)
|
||||||
libraries_use_shared_libraries(setfiles_t)
|
libs_use_shared_libs(setfiles_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(setfiles_t)
|
files_read_etc_runtime_files(setfiles_t)
|
||||||
files_read_general_system_config(setfiles_t)
|
files_read_generic_etc_files(setfiles_t)
|
||||||
|
|
||||||
logging_send_system_log_message(setfiles_t)
|
logging_send_syslog_msg(setfiles_t)
|
||||||
|
|
||||||
miscfiles_read_localization(setfiles_t)
|
miscfiles_read_localization(setfiles_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(setfiles_t)
|
userdom_use_all_user_fd(setfiles_t)
|
||||||
# for config files in a home directory
|
# for config files in a home directory
|
||||||
userdomain_read_all_users_data(setfiles_t)
|
userdom_read_all_user_data(setfiles_t)
|
||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
kernel_relabel_unlabeled(setfiles_t)
|
kernel_relabel_unlabeled(setfiles_t)
|
||||||
dev_relabel_all_dev_nodes(setfiles_t)
|
dev_relabel_all_dev_nodes(setfiles_t)
|
||||||
|
files_list_all_dirs(setfiles_t)
|
||||||
files_read_all_directories(setfiles_t)
|
|
||||||
files_relabel_all_files(setfiles_t)
|
files_relabel_all_files(setfiles_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
authlogin_relabel_to_shadow_passwords(setfiles_t)
|
auth_relabelto_shadow(setfiles_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# for upgrading glibc and other shared objects - without this the upgrade
|
# for upgrading glibc and other shared objects - without this the upgrade
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for SELinux policy and userland applications.</summary>
|
## <summary>Policy for SELinux policy and userland applications.</summary>
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="selinux_checkpolicy_transition">
|
## <interface name="selinux_domtrans_checkpol">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute checkpolicy in the checkpolicy domain.
|
## Execute checkpolicy in the checkpolicy domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_transition',`
|
define(`selinux_domtrans_checkpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 checkpolicy_exec_t:file rx_file_perms;
|
allow $1 checkpolicy_exec_t:file rx_file_perms;
|
||||||
@ -25,7 +25,7 @@ define(`selinux_checkpolicy_transition',`
|
|||||||
allow checkpolicy_t $1:process sigchld;
|
allow checkpolicy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_transition_depend',`
|
define(`selinux_domtrans_checkpol_depend',`
|
||||||
type checkpolicy_t, checkpolicy_exec_t;
|
type checkpolicy_t, checkpolicy_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms
|
class file rx_file_perms
|
||||||
@ -35,7 +35,7 @@ define(`selinux_checkpolicy_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_checkpolicy_transition_add_role_use_terminal">
|
## <interface name="selinux_run_checkpol">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute checkpolicy in the checkpolicy domain, and
|
## Execute checkpolicy in the checkpolicy domain, and
|
||||||
## allow the specified role the checkpolicy domain,
|
## allow the specified role the checkpolicy domain,
|
||||||
@ -53,15 +53,15 @@ define(`selinux_checkpolicy_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
|
define(`selinux_run_checkpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_checkpolicy_transition($1)
|
selinux_domtrans_checkpol($1)
|
||||||
role $2 types checkpolicy_t;
|
role $2 types checkpolicy_t;
|
||||||
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_checkpol_depend',`
|
||||||
type checkpolicy_t;
|
type checkpolicy_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -69,22 +69,22 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_checkpolicy_execute(domain)
|
# selinux_exec_checkpol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_execute',`
|
define(`selinux_exec_checkpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,checkpolicy_exec_t)
|
can_exec($1,checkpolicy_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_execute_depend',`
|
define(`selinux_exec_checkpol_depend',`
|
||||||
type checkpolicy_exec_t;
|
type checkpolicy_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="selinux_load_policy_transition">
|
## <interface name="selinux_domtrans_loadpol">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute load_policy in the load_policy domain.
|
## Execute load_policy in the load_policy domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -93,7 +93,7 @@ define(`selinux_checkpolicy_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_transition',`
|
define(`selinux_domtrans_loadpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 load_policy_exec_t:file rx_file_perms;
|
allow $1 load_policy_exec_t:file rx_file_perms;
|
||||||
@ -107,7 +107,7 @@ define(`selinux_load_policy_transition',`
|
|||||||
allow load_policy_t $1:process sigchld;
|
allow load_policy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_transition_depend',`
|
define(`selinux_domtrans_loadpol_depend',`
|
||||||
type load_policy_t, load_policy_exec_t;
|
type load_policy_t, load_policy_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -117,7 +117,7 @@ define(`selinux_load_policy_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_load_policy_transition_add_role_use_terminal">
|
## <interface name="selinux_run_loadpol">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute load_policy in the load_policy domain, and
|
## Execute load_policy in the load_policy domain, and
|
||||||
## allow the specified role the load_policy domain,
|
## allow the specified role the load_policy domain,
|
||||||
@ -135,15 +135,15 @@ define(`selinux_load_policy_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_transition_add_role_use_terminal',`
|
define(`selinux_run_loadpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_load_policy_transition($1)
|
selinux_domtrans_loadpol($1)
|
||||||
role $2 types load_policy_t;
|
role $2 types load_policy_t;
|
||||||
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_loadpol_depend',`
|
||||||
type load_policy_t;
|
type load_policy_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -151,15 +151,15 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_load_policy_execute(domain)
|
# selinux_exec_loadpol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_execute',`
|
define(`selinux_exec_loadpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,load_policy_exec_t)
|
can_exec($1,load_policy_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_execute_depend',`
|
define(`selinux_exec_loadpol_depend',`
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
@ -167,22 +167,22 @@ define(`selinux_load_policy_execute_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_read_load_policy_binary(domain)
|
# selinux_read_loadpol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_load_policy_binary',`
|
define(`selinux_read_loadpol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 load_policy_exec_t:file r_file_perms;
|
allow $1 load_policy_exec_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_load_policy_binary_depend',`
|
define(`selinux_read_loadpol_depend',`
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
|
|
||||||
class file r_file_perms
|
class file r_file_perms
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="selinux_newrole_transition">
|
## <interface name="selinux_domtrans_newrole">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute newrole in the load_policy domain.
|
## Execute newrole in the load_policy domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -191,7 +191,7 @@ define(`selinux_read_load_policy_binary_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition',`
|
define(`selinux_domtrans_newrole',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 newrole_exec_t:file rx_file_perms;
|
allow $1 newrole_exec_t:file rx_file_perms;
|
||||||
@ -205,7 +205,7 @@ define(`selinux_newrole_transition',`
|
|||||||
allow newrole_t $1:process sigchld;
|
allow newrole_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_transition_depend',`
|
define(`selinux_domtrans_newrole_depend',`
|
||||||
type newrole_t, newrole_exec_t;
|
type newrole_t, newrole_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -215,7 +215,7 @@ define(`selinux_newrole_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_newrole_transition_add_role_use_terminal">
|
## <interface name="selinux_run_newrole">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute newrole in the newrole domain, and
|
## Execute newrole in the newrole domain, and
|
||||||
## allow the specified role the newrole domain,
|
## allow the specified role the newrole domain,
|
||||||
@ -232,15 +232,15 @@ define(`selinux_newrole_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition_add_role_use_terminal',`
|
define(`selinux_run_newrole',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_newrole_transition($1)
|
selinux_domtrans_newrole($1)
|
||||||
role $2 types newrole_t;
|
role $2 types newrole_t;
|
||||||
allow newrole_t $3:chr_file { getattr read write ioctl };
|
allow newrole_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_newrole_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -248,22 +248,22 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_newrole_execute(domain)
|
# selinux_exec_newrole(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_execute',`
|
define(`selinux_exec_newrole',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,newrole_exec_t)
|
can_exec($1,newrole_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_execute_depend',`
|
define(`selinux_exec_newrole_depend',`
|
||||||
type newrole_t, newrole_exec_t;
|
type newrole_t, newrole_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_newrole_ignore_signal">
|
## <interface name="selinux_dontaudit_newrole_signal">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit the caller attempts to send
|
## Do not audit the caller attempts to send
|
||||||
## a signal to newrole.
|
## a signal to newrole.
|
||||||
@ -273,13 +273,13 @@ define(`selinux_newrole_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_ignore_signal',`
|
define(`selinux_dontaudit_newrole_signal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 newrole_t:process signal;
|
dontaudit $1 newrole_t:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_ignore_signal_depend',`
|
define(`selinux_dontaudit_newrole_signal_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
|
|
||||||
class process signal;
|
class process signal;
|
||||||
@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_newrole_use_file_descriptors(domain)
|
# selinux_use_newrole_fd(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_use_file_descriptors',`
|
define(`selinux_use_newrole_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 newrole_t:fd use;
|
allow $1 newrole_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_use_file_descriptors_depend',`
|
define(`selinux_use_newrole_fd_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="selinux_restorecon_transition">
|
## <interface name="selinux_domtrans_restorecon">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute restorecon in the restorecon domain.
|
## Execute restorecon in the restorecon domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -327,7 +327,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_transition',`
|
define(`selinux_domtrans_restorecon',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 restorecon_exec_t:file rx_file_perms;
|
allow $1 restorecon_exec_t:file rx_file_perms;
|
||||||
@ -341,7 +341,7 @@ define(`selinux_restorecon_transition',`
|
|||||||
allow restorecon_t $1:process sigchld;
|
allow restorecon_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_transition_depend',`
|
define(`selinux_domtrans_restorecon_depend',`
|
||||||
type restorecon_t, restorecon_exec_t;
|
type restorecon_t, restorecon_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -351,7 +351,7 @@ define(`selinux_restorecon_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_restorecon_transition_add_role_use_terminal">
|
## <interface name="selinux_run_restorecon">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute restorecon in the restorecon domain, and
|
## Execute restorecon in the restorecon domain, and
|
||||||
## allow the specified role the restorecon domain,
|
## allow the specified role the restorecon domain,
|
||||||
@ -368,15 +368,15 @@ define(`selinux_restorecon_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_transition_add_role_use_terminal',`
|
define(`selinux_run_restorecon',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_restorecon_transition($1)
|
selinux_domtrans_restorecon($1)
|
||||||
role $2 types restorecon_t;
|
role $2 types restorecon_t;
|
||||||
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_restorecon_depend',`
|
||||||
type restorecon_t;
|
type restorecon_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -384,21 +384,21 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_restorecon_execute(domain)
|
# selinux_exec_restorecon(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_execute',`
|
define(`selinux_exec_restorecon',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
can_exec($1,restorecon_exec_t)
|
can_exec($1,restorecon_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_execute_depend',`
|
define(`selinux_exec_restorecon_depend',`
|
||||||
type restorecon_t, restorecon_exec_t;
|
type restorecon_t, restorecon_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_run_init_transition">
|
## <interface name="selinux_domtrans_runinit">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute run_init in the run_init domain.
|
## Execute run_init in the run_init domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -407,7 +407,7 @@ define(`selinux_restorecon_execute_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_transition',`
|
define(`selinux_domtrans_runinit',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 run_init_exec_t:file rx_file_perms;
|
allow $1 run_init_exec_t:file rx_file_perms;
|
||||||
@ -421,7 +421,7 @@ define(`selinux_run_init_transition',`
|
|||||||
allow run_init_t $1:process sigchld;
|
allow run_init_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_transition_depend',`
|
define(`selinux_domtrans_runinit_depend',`
|
||||||
type run_init_t, run_init_exec_t;
|
type run_init_t, run_init_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -431,7 +431,7 @@ define(`selinux_run_init_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_run_init_transition_add_role_use_terminal">
|
## <interface name="selinux_run_runinit">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute run_init in the run_init domain, and
|
## Execute run_init in the run_init domain, and
|
||||||
## allow the specified role the run_init domain,
|
## allow the specified role the run_init domain,
|
||||||
@ -448,15 +448,15 @@ define(`selinux_run_init_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_transition_add_role_use_terminal',`
|
define(`selinux_run_runinit',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_run_init_transition($1)
|
selinux_domtrans_runinit($1)
|
||||||
role $2 types run_init_t;
|
role $2 types run_init_t;
|
||||||
allow run_init_t $3:chr_file { getattr read write ioctl };
|
allow run_init_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_runinit_depend',`
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -464,22 +464,22 @@ define(`selinux_run_init_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_run_init_use_file_descriptors(domain)
|
# selinux_use_runinit_fd(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_use_file_descriptors',`
|
define(`selinux_use_runinit_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 run_init_t:fd use;
|
allow $1 run_init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_use_file_descriptors_depend',`
|
define(`selinux_use_runinit_fd_depend',`
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_setfiles_transition">
|
## <interface name="selinux_domtrans_setfiles">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute setfiles in the setfiles domain.
|
## Execute setfiles in the setfiles domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -488,7 +488,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_transition',`
|
define(`selinux_domtrans_setfiles',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 setfiles_exec_t:file rx_file_perms;
|
allow $1 setfiles_exec_t:file rx_file_perms;
|
||||||
@ -502,7 +502,7 @@ define(`selinux_setfiles_transition',`
|
|||||||
allow setfiles_t $1:process sigchld;
|
allow setfiles_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_transition_depend',`
|
define(`selinux_domtrans_setfiles_depend',`
|
||||||
type setfiles_t, setfiles_exec_t;
|
type setfiles_t, setfiles_exec_t;
|
||||||
|
|
||||||
class file rx_file_perms;
|
class file rx_file_perms;
|
||||||
@ -512,7 +512,7 @@ define(`selinux_setfiles_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_setfiles_transition_add_role_use_terminal">
|
## <interface name="selinux_run_setfiles">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute setfiles in the setfiles domain, and
|
## Execute setfiles in the setfiles domain, and
|
||||||
## allow the specified role the setfiles domain,
|
## allow the specified role the setfiles domain,
|
||||||
@ -529,15 +529,15 @@ define(`selinux_setfiles_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_transition_add_role_use_terminal',`
|
define(`selinux_run_setfiles',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
selinux_setfiles_transition($1)
|
selinux_domtrans_setfiles($1)
|
||||||
role $2 types setfiles_t;
|
role $2 types setfiles_t;
|
||||||
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_setfiles_depend',`
|
||||||
type setfiles_t;
|
type setfiles_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
@ -545,15 +545,15 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
|
|||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# selinux_setfiles_execute(domain)
|
# selinux_exec_setfiles(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_execute',`
|
define(`selinux_exec_setfiles',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
can_exec($1,setfiles_exec_t)
|
can_exec($1,setfiles_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_execute_depend',`
|
define(`selinux_exec_setfiles_depend',`
|
||||||
type setfiles_exec_t;
|
type setfiles_exec_t;
|
||||||
|
|
||||||
class file { rx_file_perms execute_no_trans };
|
class file { rx_file_perms execute_no_trans };
|
||||||
@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_read_binary_policy(domain)
|
# selinux_read_binary_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_binary_policy',`
|
define(`selinux_read_binary_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 policy_config_t:dir r_dir_perms;
|
allow $1 policy_config_t:dir r_dir_perms;
|
||||||
allow $1 policy_config_t:file r_file_perms;
|
allow $1 policy_config_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_binary_policy_depend',`
|
define(`selinux_read_binary_pol_depend',`
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -635,9 +635,9 @@ define(`selinux_read_binary_policy_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_write_binary_policy(domain)
|
# selinux_write_binary_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_write_binary_policy',`
|
define(`selinux_write_binary_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 policy_config_t:dir rw_dir_perms;
|
allow $1 policy_config_t:dir rw_dir_perms;
|
||||||
@ -645,7 +645,7 @@ define(`selinux_write_binary_policy',`
|
|||||||
typeattribute $1 can_write_binary_policy;
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_write_binary_policy_depend',`
|
define(`selinux_write_binary_pol_depend',`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
|
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
@ -655,7 +655,7 @@ define(`selinux_write_binary_policy_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="selinux_relabelto_binary_policy">
|
## <interface name="selinux_relabelto_binary_pol">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow the caller to relabel a file to the binary policy type.
|
## Allow the caller to relabel a file to the binary policy type.
|
||||||
## </description>
|
## </description>
|
||||||
@ -664,14 +664,14 @@ define(`selinux_write_binary_policy_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_relabelto_binary_policy',`
|
define(`selinux_relabelto_binary_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 policy_config_t:file relabelto;
|
allow $1 policy_config_t:file relabelto;
|
||||||
typeattribute $1 can_relabelto_binary_policy;
|
typeattribute $1 can_relabelto_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_relabelto_binary_policy_depend',`
|
define(`selinux_relabelto_binary_pol_depend',`
|
||||||
attribute can_relabelto_binary_policy;
|
attribute can_relabelto_binary_policy;
|
||||||
|
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_policy_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_manage_binary_policy(domain)
|
# selinux_manage_binary_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_manage_binary_policy',`
|
define(`selinux_manage_binary_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: search etc_t:dir
|
# FIXME: search etc_t:dir
|
||||||
@ -693,7 +693,7 @@ define(`selinux_manage_binary_policy',`
|
|||||||
typeattribute $1 can_write_binary_policy;
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_manage_binary_policy_depend',`
|
define(`selinux_manage_binary_pol_depend',`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
|
|
||||||
type selinux_config_t, policy_config_t;
|
type selinux_config_t, policy_config_t;
|
||||||
@ -703,9 +703,9 @@ define(`selinux_manage_binary_policy_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_read_source_policy(domain)
|
# selinux_read_src_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_source_policy',`
|
define(`selinux_read_src_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: search etc_t:dir
|
# FIXME: search etc_t:dir
|
||||||
@ -714,7 +714,7 @@ define(`selinux_read_source_policy',`
|
|||||||
allow $1 policy_src_t:file r_file_perms;
|
allow $1 policy_src_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_source_policy_depend',`
|
define(`selinux_read_src_pol_depend',`
|
||||||
type selinux_config_t, policy_src_t;
|
type selinux_config_t, policy_src_t;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -723,9 +723,9 @@ define(`selinux_read_source_policy_depend',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# selinux_manage_source_policy(domain)
|
# selinux_manage_src_pol(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_manage_source_policy',`
|
define(`selinux_manage_src_pol',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# FIXME: search etc_t:dir
|
# FIXME: search etc_t:dir
|
||||||
@ -734,7 +734,7 @@ define(`selinux_manage_source_policy',`
|
|||||||
allow $1 policy_src_t:file create_file_perms;
|
allow $1 policy_src_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_manage_source_policy_depend',`
|
define(`selinux_manage_src_pol_depend',`
|
||||||
type selinux_config_t, policy_src_t;
|
type selinux_config_t, policy_src_t;
|
||||||
|
|
||||||
class dir create_dir_perms;
|
class dir create_dir_perms;
|
||||||
|
@ -10,48 +10,48 @@ attribute can_write_binary_policy;
|
|||||||
attribute can_relabelto_binary_policy;
|
attribute can_relabelto_binary_policy;
|
||||||
|
|
||||||
type checkpolicy_t, can_write_binary_policy;
|
type checkpolicy_t, can_write_binary_policy;
|
||||||
domain_make_domain(checkpolicy_t)
|
domain_type(checkpolicy_t)
|
||||||
role system_r types checkpolicy_t;
|
role system_r types checkpolicy_t;
|
||||||
|
|
||||||
type checkpolicy_exec_t;
|
type checkpolicy_exec_t;
|
||||||
domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t)
|
domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# default_context_t is the type applied to
|
# default_context_t is the type applied to
|
||||||
# /etc/selinux/*/contexts/*
|
# /etc/selinux/*/contexts/*
|
||||||
#
|
#
|
||||||
type default_context_t;
|
type default_context_t;
|
||||||
files_make_file(default_context_t)
|
files_file_type(default_context_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# file_context_t is the type applied to
|
# file_context_t is the type applied to
|
||||||
# /etc/selinux/*/contexts/files
|
# /etc/selinux/*/contexts/files
|
||||||
#
|
#
|
||||||
type file_context_t;
|
type file_context_t;
|
||||||
files_make_file(file_context_t)
|
files_file_type(file_context_t)
|
||||||
|
|
||||||
type load_policy_t;
|
type load_policy_t;
|
||||||
domain_make_domain(load_policy_t)
|
domain_type(load_policy_t)
|
||||||
role system_r types load_policy_t;
|
role system_r types load_policy_t;
|
||||||
|
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
|
domain_entry_file(load_policy_t,load_policy_exec_t)
|
||||||
|
|
||||||
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||||
kernel_make_role_change_constraint_exception(newrole_t)
|
kernel_role_change_exempt(newrole_t)
|
||||||
kernel_make_object_identity_change_constraint_exception(newrole_t)
|
kernel_obj_id_change_exempt(newrole_t)
|
||||||
domain_make_domain(newrole_t)
|
domain_type(newrole_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(newrole_t)
|
domain_wide_inherit_fd(newrole_t)
|
||||||
|
|
||||||
type newrole_exec_t;
|
type newrole_exec_t;
|
||||||
domain_make_entrypoint_file(newrole_t,newrole_exec_t)
|
domain_entry_file(newrole_t,newrole_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# policy_config_t is the type of /etc/security/selinux/*
|
# policy_config_t is the type of /etc/security/selinux/*
|
||||||
# the security server policy configuration.
|
# the security server policy configuration.
|
||||||
#
|
#
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
files_make_file(policy_config_t)
|
files_file_type(policy_config_t)
|
||||||
|
|
||||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||||
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||||
@ -61,34 +61,34 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
|||||||
# files.
|
# files.
|
||||||
#
|
#
|
||||||
type policy_src_t;
|
type policy_src_t;
|
||||||
files_make_file(policy_src_t)
|
files_file_type(policy_src_t)
|
||||||
|
|
||||||
type restorecon_t, can_relabelto_binary_policy;
|
type restorecon_t, can_relabelto_binary_policy;
|
||||||
type restorecon_exec_t;
|
type restorecon_exec_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
kernel_obj_id_change_exempt(restorecon_t)
|
||||||
init_make_system_domain(restorecon_t,restorecon_exec_t)
|
init_system_domain(restorecon_t,restorecon_exec_t)
|
||||||
role system_r types restorecon_t;
|
role system_r types restorecon_t;
|
||||||
|
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
domain_make_domain(run_init_t)
|
domain_type(run_init_t)
|
||||||
|
|
||||||
type run_init_exec_t;
|
type run_init_exec_t;
|
||||||
domain_make_entrypoint_file(run_init_t,run_init_exec_t)
|
domain_entry_file(run_init_t,run_init_exec_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
# /etc/selinux/config
|
# /etc/selinux/config
|
||||||
#
|
#
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_make_file(selinux_config_t)
|
files_file_type(selinux_config_t)
|
||||||
|
|
||||||
type setfiles_t, can_relabelto_binary_policy;
|
type setfiles_t, can_relabelto_binary_policy;
|
||||||
kernel_make_object_identity_change_constraint_exception(setfiles_t)
|
kernel_obj_id_change_exempt(setfiles_t)
|
||||||
domain_make_domain(setfiles_t)
|
domain_type(setfiles_t)
|
||||||
role system_r types setfiles_t;
|
role system_r types setfiles_t;
|
||||||
|
|
||||||
type setfiles_exec_t;
|
type setfiles_exec_t;
|
||||||
domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
|
domain_entry_file(setfiles_t,setfiles_exec_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -115,18 +115,18 @@ fs_getattr_xattr_fs(checkpolicy_t)
|
|||||||
|
|
||||||
term_use_console(checkpolicy_t)
|
term_use_console(checkpolicy_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
domain_use_wide_inherit_fd(checkpolicy_t)
|
||||||
|
|
||||||
# directory search permissions for path to source and binary policy files
|
# directory search permissions for path to source and binary policy files
|
||||||
files_search_general_system_config_directory(checkpolicy_t)
|
files_search_etc(checkpolicy_t)
|
||||||
|
|
||||||
init_use_file_descriptors(checkpolicy_t)
|
init_use_fd(checkpolicy_t)
|
||||||
init_script_use_pseudoterminal(checkpolicy_t)
|
init_use_script_pty(checkpolicy_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(checkpolicy_t)
|
libs_use_ld_so(checkpolicy_t)
|
||||||
libraries_use_shared_libraries(checkpolicy_t)
|
libs_use_shared_libs(checkpolicy_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(checkpolicy_t)
|
userdom_use_all_user_fd(checkpolicy_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Read the devpts root directory.
|
# Read the devpts root directory.
|
||||||
@ -158,19 +158,19 @@ fs_getattr_xattr_fs(load_policy_t)
|
|||||||
term_use_console(load_policy_t)
|
term_use_console(load_policy_t)
|
||||||
term_list_ptys(load_policy_t)
|
term_list_ptys(load_policy_t)
|
||||||
|
|
||||||
init_script_use_file_descriptors(load_policy_t)
|
init_use_script_fd(load_policy_t)
|
||||||
init_script_use_pseudoterminal(load_policy_t)
|
init_use_script_pty(load_policy_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(load_policy_t)
|
domain_use_wide_inherit_fd(load_policy_t)
|
||||||
|
|
||||||
files_search_general_system_config_directory(load_policy_t)
|
files_search_etc(load_policy_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(load_policy_t)
|
libs_use_ld_so(load_policy_t)
|
||||||
libraries_use_shared_libraries(load_policy_t)
|
libs_use_shared_libs(load_policy_t)
|
||||||
|
|
||||||
miscfiles_read_localization(load_policy_t)
|
miscfiles_read_localization(load_policy_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(load_policy_t)
|
userdom_use_all_user_fd(load_policy_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -210,23 +210,23 @@ fs_getattr_xattr_fs(newrole_t)
|
|||||||
term_use_all_user_ttys(newrole_t)
|
term_use_all_user_ttys(newrole_t)
|
||||||
term_use_all_user_ptys(newrole_t)
|
term_use_all_user_ptys(newrole_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(newrole_t)
|
auth_domtrans_chk_passwd(newrole_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(newrole_t)
|
domain_use_wide_inherit_fd(newrole_t)
|
||||||
|
|
||||||
# Write to utmp.
|
# Write to utmp.
|
||||||
init_script_modify_runtime_data(newrole_t)
|
init_rw_script_pid(newrole_t)
|
||||||
|
|
||||||
files_read_general_system_config(newrole_t)
|
files_read_generic_etc_files(newrole_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(newrole_t)
|
libs_use_ld_so(newrole_t)
|
||||||
libraries_use_shared_libraries(newrole_t)
|
libs_use_shared_libs(newrole_t)
|
||||||
|
|
||||||
logging_send_system_log_message(newrole_t)
|
logging_send_syslog_msg(newrole_t)
|
||||||
|
|
||||||
miscfiles_read_localization(newrole_t)
|
miscfiles_read_localization(newrole_t)
|
||||||
|
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
|
userdom_use_unpriv_users_fd(newrole_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
@ -291,23 +291,23 @@ fs_getattr_xattr_fs(restorecon_t)
|
|||||||
|
|
||||||
term_use_unallocated_tty(restorecon_t)
|
term_use_unallocated_tty(restorecon_t)
|
||||||
|
|
||||||
init_use_file_descriptors(restorecon_t)
|
init_use_fd(restorecon_t)
|
||||||
init_script_use_pseudoterminal(restorecon_t)
|
init_use_script_pty(restorecon_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(restorecon_t)
|
domain_use_wide_inherit_fd(restorecon_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(restorecon_t)
|
files_read_etc_runtime_files(restorecon_t)
|
||||||
files_read_general_system_config(restorecon_t)
|
files_read_generic_etc_files(restorecon_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(restorecon_t)
|
libs_use_ld_so(restorecon_t)
|
||||||
libraries_use_shared_libraries(restorecon_t)
|
libs_use_shared_libs(restorecon_t)
|
||||||
|
|
||||||
logging_send_system_log_message(restorecon_t)
|
logging_send_syslog_msg(restorecon_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(restorecon_t)
|
userdom_use_all_user_fd(restorecon_t)
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
hotplug_use_file_descriptors(restorecon_t)
|
hotplug_use_fd(restorecon_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
@ -315,9 +315,9 @@ kernel_relabel_unlabeled(restorecon_t)
|
|||||||
dev_relabel_all_dev_nodes(restorecon_t)
|
dev_relabel_all_dev_nodes(restorecon_t)
|
||||||
|
|
||||||
files_relabel_all_files(restorecon_t)
|
files_relabel_all_files(restorecon_t)
|
||||||
files_read_all_directories(restorecon_t)
|
files_list_all_dirs(restorecon_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
authlogin_relabel_to_shadow_passwords(restorecon_t)
|
auth_relabelto_shadow(restorecon_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
fs_use_tmpfs_character_devices(restorecon_t)
|
fs_use_tmpfs_character_devices(restorecon_t)
|
||||||
@ -363,34 +363,34 @@ ifdef(`targeted_policy',`',`
|
|||||||
|
|
||||||
fs_getattr_xattr_fs(run_init_t)
|
fs_getattr_xattr_fs(run_init_t)
|
||||||
|
|
||||||
dev_dontaudit_list_all_nodes(run_init_t)
|
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
||||||
|
|
||||||
term_dontaudit_list_ptys(run_init_t)
|
term_dontaudit_list_ptys(run_init_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(run_init_t)
|
auth_domtrans_chk_passwd(run_init_t)
|
||||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
auth_dontaudit_read_shadow(run_init_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(run_init_t)
|
corecmd_exec_bin(run_init_t)
|
||||||
corecommands_execute_shell(run_init_t)
|
corecmd_exec_shell(run_init_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
domain_use_wide_inherit_fd(run_init_t)
|
||||||
|
|
||||||
files_read_general_system_config(run_init_t)
|
files_read_generic_etc_files(run_init_t)
|
||||||
files_ignore_search_all_directories(run_init_t)
|
files_dontaudit_search_all_dirs(run_init_t)
|
||||||
|
|
||||||
init_script_transition(run_init_t)
|
init_domtrans_script(run_init_t)
|
||||||
# for utmp
|
# for utmp
|
||||||
init_script_modify_runtime_data(run_init_t)
|
init_rw_script_pid(run_init_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(run_init_t)
|
libs_use_ld_so(run_init_t)
|
||||||
libraries_use_shared_libraries(run_init_t)
|
libs_use_shared_libs(run_init_t)
|
||||||
|
|
||||||
selinux_read_config(run_init_t)
|
selinux_read_config(run_init_t)
|
||||||
selinux_read_default_contexts(run_init_t)
|
selinux_read_default_contexts(run_init_t)
|
||||||
|
|
||||||
miscfiles_read_localization(run_init_t)
|
miscfiles_read_localization(run_init_t)
|
||||||
|
|
||||||
logging_send_system_log_message(run_init_t)
|
logging_send_syslog_msg(run_init_t)
|
||||||
') dnl end ifdef targeted policy
|
') dnl end ifdef targeted policy
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -398,7 +398,7 @@ ifdef(`TODO',`
|
|||||||
ifdef(`distro_gentoo', `
|
ifdef(`distro_gentoo', `
|
||||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||||
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
domain_entry_file(run_init_t,initrc_exec_t)
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
@ -427,34 +427,33 @@ term_use_all_user_ttys(setfiles_t)
|
|||||||
term_use_all_user_ptys(setfiles_t)
|
term_use_all_user_ptys(setfiles_t)
|
||||||
term_use_unallocated_tty(setfiles_t)
|
term_use_unallocated_tty(setfiles_t)
|
||||||
|
|
||||||
init_use_file_descriptors(setfiles_t)
|
init_use_fd(setfiles_t)
|
||||||
init_script_use_file_descriptors(setfiles_t)
|
init_use_script_fd(setfiles_t)
|
||||||
init_script_use_pseudoterminal(setfiles_t)
|
init_use_script_pty(setfiles_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(setfiles_t)
|
domain_use_wide_inherit_fd(setfiles_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(setfiles_t)
|
libs_use_ld_so(setfiles_t)
|
||||||
libraries_use_shared_libraries(setfiles_t)
|
libs_use_shared_libs(setfiles_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(setfiles_t)
|
files_read_etc_runtime_files(setfiles_t)
|
||||||
files_read_general_system_config(setfiles_t)
|
files_read_generic_etc_files(setfiles_t)
|
||||||
|
|
||||||
logging_send_system_log_message(setfiles_t)
|
logging_send_syslog_msg(setfiles_t)
|
||||||
|
|
||||||
miscfiles_read_localization(setfiles_t)
|
miscfiles_read_localization(setfiles_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(setfiles_t)
|
userdom_use_all_user_fd(setfiles_t)
|
||||||
# for config files in a home directory
|
# for config files in a home directory
|
||||||
userdomain_read_all_users_data(setfiles_t)
|
userdom_read_all_user_data(setfiles_t)
|
||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
kernel_relabel_unlabeled(setfiles_t)
|
kernel_relabel_unlabeled(setfiles_t)
|
||||||
dev_relabel_all_dev_nodes(setfiles_t)
|
dev_relabel_all_dev_nodes(setfiles_t)
|
||||||
|
files_list_all_dirs(setfiles_t)
|
||||||
files_read_all_directories(setfiles_t)
|
|
||||||
files_relabel_all_files(setfiles_t)
|
files_relabel_all_files(setfiles_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
authlogin_relabel_to_shadow_passwords(setfiles_t)
|
auth_relabelto_shadow(setfiles_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# for upgrading glibc and other shared objects - without this the upgrade
|
# for upgrading glibc and other shared objects - without this the upgrade
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
|
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="sysnetwork_dhcpc_transition">
|
## <interface name="sysnet_domtrans_dhcpc">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute dhcp client in dhcpc domain.
|
## Execute dhcp client in dhcpc domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnetwork_dhcpc_transition',`
|
define(`sysnet_domtrans_dhcpc',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
|
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
|
||||||
@ -22,7 +22,7 @@ define(`sysnetwork_dhcpc_transition',`
|
|||||||
allow dhcpc_t $1:process sigchld;
|
allow dhcpc_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnetwork_dhcpc_transition_depend',`
|
define(`sysnet_domtrans_dhcpc_depend',`
|
||||||
type dhcpc_t, dhcpc_exec_t;
|
type dhcpc_t, dhcpc_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute };
|
class file { getattr read execute };
|
||||||
@ -32,7 +32,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="sysnetwork_ifconfig_transition">
|
## <interface name="sysnet_domtrans_ifconfig">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute ifconfig in the ifconfig domain.
|
## Execute ifconfig in the ifconfig domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -41,7 +41,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnetwork_ifconfig_transition',`
|
define(`sysnet_domtrans_ifconfig',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
|
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
|
||||||
@ -52,7 +52,7 @@ define(`sysnetwork_ifconfig_transition',`
|
|||||||
allow ifconfig_t $1:process sigchld;
|
allow ifconfig_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnetwork_ifconfig_transition_depend',`
|
define(`sysnet_domtrans_ifconfig_depend',`
|
||||||
type ifconfig_t, ifconfig_exec_t;
|
type ifconfig_t, ifconfig_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute };
|
class file { getattr read execute };
|
||||||
@ -62,7 +62,7 @@ define(`sysnetwork_ifconfig_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="sysnetwork_ifconfig_transition_add_role_use_terminal">
|
## <interface name="sysnet_run_ifconfig">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute ifconfig in the ifconfig domain, and
|
## Execute ifconfig in the ifconfig domain, and
|
||||||
## allow the specified role the ifconfig domain,
|
## allow the specified role the ifconfig domain,
|
||||||
@ -79,22 +79,22 @@ define(`sysnetwork_ifconfig_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
|
define(`sysnet_run_ifconfig',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
sysnetwork_ifconfig_transition($1)
|
sysnet_domtrans_ifconfig($1)
|
||||||
role $2 types ifconfig_t;
|
role $2 types ifconfig_t;
|
||||||
allow ifconfig_t $3:chr_file { getattr read write ioctl };
|
allow ifconfig_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
|
define(`sysnet_run_ifconfig_depend',`
|
||||||
type ifconfig_t;
|
type ifconfig_t;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <interface name="sysnetwork_read_network_config">
|
## <interface name="sysnet_read_config">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow network init to read network config files.
|
## Allow network init to read network config files.
|
||||||
## </description>
|
## </description>
|
||||||
@ -103,14 +103,14 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnetwork_read_network_config',`
|
define(`sysnet_read_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_search_general_system_config_directory($1)
|
files_search_etc($1)
|
||||||
allow $1 net_conf_t:file r_file_perms;
|
allow $1 net_conf_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnetwork_read_network_config_depend',`
|
define(`sysnet_read_config_depend',`
|
||||||
type net_conf_t;
|
type net_conf_t;
|
||||||
|
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
|
@ -9,33 +9,33 @@ policy_module(sysnetwork,1.0)
|
|||||||
# this is shared between dhcpc and dhcpd:
|
# this is shared between dhcpc and dhcpd:
|
||||||
type dhcp_etc_t; #, usercanread;
|
type dhcp_etc_t; #, usercanread;
|
||||||
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
|
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
|
||||||
files_make_file(dhcp_etc_t)
|
files_file_type(dhcp_etc_t)
|
||||||
|
|
||||||
# this is shared between dhcpc and dhcpd:
|
# this is shared between dhcpc and dhcpd:
|
||||||
type dhcp_state_t;
|
type dhcp_state_t;
|
||||||
files_make_file(dhcp_state_t)
|
files_file_type(dhcp_state_t)
|
||||||
|
|
||||||
type dhcpc_t;
|
type dhcpc_t;
|
||||||
type dhcpc_exec_t;
|
type dhcpc_exec_t;
|
||||||
init_make_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
||||||
role system_r types dhcpc_t;
|
role system_r types dhcpc_t;
|
||||||
|
|
||||||
type dhcpc_state_t;
|
type dhcpc_state_t;
|
||||||
files_make_file(dhcpc_state_t)
|
files_file_type(dhcpc_state_t)
|
||||||
|
|
||||||
type dhcpc_tmp_t;
|
type dhcpc_tmp_t;
|
||||||
files_make_temporary_file(dhcpc_tmp_t)
|
files_tmp_file(dhcpc_tmp_t)
|
||||||
|
|
||||||
type dhcpc_var_run_t;
|
type dhcpc_var_run_t;
|
||||||
files_make_daemon_runtime_file(dhcpc_var_run_t)
|
files_pid_file(dhcpc_var_run_t)
|
||||||
|
|
||||||
type ifconfig_t;
|
type ifconfig_t;
|
||||||
type ifconfig_exec_t;
|
type ifconfig_exec_t;
|
||||||
init_make_system_domain(ifconfig_t, ifconfig_exec_t)
|
init_system_domain(ifconfig_t, ifconfig_exec_t)
|
||||||
role system_r types ifconfig_t;
|
role system_r types ifconfig_t;
|
||||||
|
|
||||||
type net_conf_t alias resolv_conf_t;
|
type net_conf_t alias resolv_conf_t;
|
||||||
files_make_file(net_conf_t)
|
files_file_type(net_conf_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -62,17 +62,17 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
|
|||||||
|
|
||||||
# create pid file
|
# create pid file
|
||||||
allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
|
allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
|
||||||
files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
|
files_create_pid(dhcpc_t,dhcpc_var_run_t)
|
||||||
|
|
||||||
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
|
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
|
||||||
# in /etc created by dhcpcd will be labelled net_conf_t.
|
# in /etc created by dhcpcd will be labelled net_conf_t.
|
||||||
allow dhcpc_t net_conf_t:file create_file_perms;
|
allow dhcpc_t net_conf_t:file create_file_perms;
|
||||||
files_create_private_config(dhcpc_t,net_conf_t,file)
|
files_create_etc_config(dhcpc_t,net_conf_t,file)
|
||||||
|
|
||||||
# create temp files
|
# create temp files
|
||||||
allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
|
allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
|
||||||
allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
|
allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
|
||||||
files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
|
files_create_tmp_files(dhcpc_t, dhcpc_tmp_t, { file dir })
|
||||||
|
|
||||||
can_exec(dhcpc_t, dhcpc_exec_t)
|
can_exec(dhcpc_t, dhcpc_exec_t)
|
||||||
|
|
||||||
@ -111,45 +111,45 @@ term_dontaudit_use_all_user_ttys(dhcpc_t)
|
|||||||
term_dontaudit_use_all_user_ptys(dhcpc_t)
|
term_dontaudit_use_all_user_ptys(dhcpc_t)
|
||||||
term_dontaudit_use_unallocated_tty(dhcpc_t)
|
term_dontaudit_use_unallocated_tty(dhcpc_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(dhcpc_t)
|
corecmd_exec_bin(dhcpc_t)
|
||||||
corecommands_execute_system_programs(dhcpc_t)
|
corecmd_exec_sbin(dhcpc_t)
|
||||||
corecommands_execute_shell(dhcpc_t)
|
corecmd_exec_shell(dhcpc_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(dhcpc_t)
|
domain_use_wide_inherit_fd(dhcpc_t)
|
||||||
|
|
||||||
files_read_general_system_config(dhcpc_t)
|
files_read_generic_etc_files(dhcpc_t)
|
||||||
files_read_runtime_system_config(dhcpc_t)
|
files_read_etc_runtime_files(dhcpc_t)
|
||||||
|
|
||||||
init_use_file_descriptors(dhcpc_t)
|
init_use_fd(dhcpc_t)
|
||||||
init_script_use_pseudoterminal(dhcpc_t)
|
init_use_script_pty(dhcpc_t)
|
||||||
init_script_modify_runtime_data(dhcpc_t)
|
init_rw_script_pid(dhcpc_t)
|
||||||
|
|
||||||
logging_send_system_log_message(dhcpc_t)
|
logging_send_syslog_msg(dhcpc_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(dhcpc_t)
|
libs_use_ld_so(dhcpc_t)
|
||||||
libraries_use_shared_libraries(dhcpc_t)
|
libs_use_shared_libs(dhcpc_t)
|
||||||
|
|
||||||
miscfiles_read_localization(dhcpc_t)
|
miscfiles_read_localization(dhcpc_t)
|
||||||
|
|
||||||
modutils_insmod_transition(dhcpc_t)
|
modutils_domtrans_insmod(dhcpc_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
files_execute_system_config_script(dhcpc_t)
|
files_exec_generic_etc_files(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(dhcpc_t)
|
term_dontaudit_use_unallocated_tty(dhcpc_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(dhcpc_t)
|
terminal_ignore_use_general_pseudoterminal(dhcpc_t)
|
||||||
|
|
||||||
files_ignore_read_rootfs_file(dhcpc_t)
|
files_dontaudit_read_root_file(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`consoletype.te',`
|
optional_policy(`consoletype.te',`
|
||||||
consoletype_transition(dhcpc_t)
|
consoletype_domtrans(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hostname.te',`
|
optional_policy(`hostname.te',`
|
||||||
hostname_transition(dhcpc_t)
|
hostname_domtrans(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`nscd.te',`
|
optional_policy(`nscd.te',`
|
||||||
@ -161,17 +161,17 @@ optional_policy(`selinux.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te',`
|
optional_policy(`udev.te',`
|
||||||
udev_read_database(dhcpc_t)
|
udev_read_db(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`userdomain.te',`
|
optional_policy(`userdomain.te',`
|
||||||
userdomain_use_all_users_file_descriptors(dhcpc_t)
|
userdom_use_all_user_fd(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
# dhclient sometimes starts ypbind and ntpd
|
# dhclient sometimes starts ypbind and ntpd
|
||||||
#
|
#
|
||||||
init_script_execute(dhcpc_t)
|
init_exec_script(dhcpc_t)
|
||||||
optional_policy(`ypbind.te',`
|
optional_policy(`ypbind.te',`
|
||||||
ypbind_transition(dhcpc_t)
|
ypbind_transition(dhcpc_t)
|
||||||
')
|
')
|
||||||
@ -257,7 +257,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
|
|||||||
# for /sbin/ip
|
# for /sbin/ip
|
||||||
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
allow ifconfig_t self:tcp_socket { create ioctl };
|
allow ifconfig_t self:tcp_socket { create ioctl };
|
||||||
files_read_general_system_config(ifconfig_t);
|
files_read_generic_etc_files(ifconfig_t);
|
||||||
|
|
||||||
kernel_use_fd(ifconfig_t)
|
kernel_use_fd(ifconfig_t)
|
||||||
kernel_read_system_state(ifconfig_t)
|
kernel_read_system_state(ifconfig_t)
|
||||||
@ -270,24 +270,24 @@ fs_getattr_xattr_fs(ifconfig_t)
|
|||||||
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
||||||
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(ifconfig_t)
|
domain_use_wide_inherit_fd(ifconfig_t)
|
||||||
|
|
||||||
files_ignore_read_rootfs_file(ifconfig_t)
|
files_dontaudit_read_root_file(ifconfig_t)
|
||||||
|
|
||||||
init_use_file_descriptors(ifconfig_t)
|
init_use_fd(ifconfig_t)
|
||||||
init_script_use_pseudoterminal(ifconfig_t)
|
init_use_script_pty(ifconfig_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(ifconfig_t)
|
libs_use_ld_so(ifconfig_t)
|
||||||
libraries_use_shared_libraries(ifconfig_t)
|
libs_use_shared_libs(ifconfig_t)
|
||||||
libraries_read_library_resources(ifconfig_t)
|
libs_read_lib(ifconfig_t)
|
||||||
|
|
||||||
logging_send_system_log_message(ifconfig_t)
|
logging_send_syslog_msg(ifconfig_t)
|
||||||
|
|
||||||
miscfiles_read_localization(ifconfig_t)
|
miscfiles_read_localization(ifconfig_t)
|
||||||
|
|
||||||
selinux_run_init_use_file_descriptors(ifconfig_t)
|
selinux_use_runinit_fd(ifconfig_t)
|
||||||
|
|
||||||
userdomain_use_all_users_file_descriptors(ifconfig_t)
|
userdom_use_all_user_fd(ifconfig_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy for udev.</summary>
|
## <summary>Policy for udev.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="udev_transition">
|
## <interface name="udev_domtrans">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute udev in the udev domain.
|
## Execute udev in the udev domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -11,7 +11,7 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_transition',`
|
define(`udev_domtrans',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
domain_auto_trans($1, udev_exec_t, udev_t)
|
domain_auto_trans($1, udev_exec_t, udev_t)
|
||||||
@ -22,7 +22,7 @@ define(`udev_transition',`
|
|||||||
allow udev_t $1:process sigchld;
|
allow udev_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`udev_transition_depend',`
|
define(`udev_domtrans_depend',`
|
||||||
type udev_t, udev_exec_t;
|
type udev_t, udev_exec_t;
|
||||||
|
|
||||||
class file { getattr read execute };
|
class file { getattr read execute };
|
||||||
@ -32,7 +32,7 @@ define(`udev_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="udev_read_database">
|
## <interface name="udev_read_db">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to read list of devices.
|
## Allow process to read list of devices.
|
||||||
## </description>
|
## </description>
|
||||||
@ -41,20 +41,20 @@ define(`udev_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_read_database',`
|
define(`udev_read_db',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 udev_tdb_t:file r_file_perms;
|
allow $1 udev_tdb_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`udev_read_database_depend',`
|
define(`udev_read_db_depend',`
|
||||||
type udev_tdb_t;
|
type udev_tdb_t;
|
||||||
|
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="udev_modify_database">
|
## <interface name="udev_rw_db">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow process to modify list of devices.
|
## Allow process to modify list of devices.
|
||||||
## </description>
|
## </description>
|
||||||
@ -63,13 +63,13 @@ define(`udev_read_database_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_modify_database',`
|
define(`udev_rw_db',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 udev_tdb_t:file rw_file_perms;
|
allow $1 udev_tdb_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`udev_modify_database_depend',`
|
define(`udev_rw_db_depend',`
|
||||||
type udev_tdb_t;
|
type udev_tdb_t;
|
||||||
|
|
||||||
class file rw_file_perms;
|
class file rw_file_perms;
|
||||||
|
@ -10,24 +10,24 @@ type udev_t; # nscd_client_domain
|
|||||||
type udev_exec_t;
|
type udev_exec_t;
|
||||||
type udev_helper_exec_t;
|
type udev_helper_exec_t;
|
||||||
kernel_userland_entry(udev_t,udev_exec_t)
|
kernel_userland_entry(udev_t,udev_exec_t)
|
||||||
kernel_make_object_identity_change_constraint_exception(udev_t)
|
kernel_obj_id_change_exempt(udev_t)
|
||||||
domain_make_entrypoint_file(udev_t,udev_helper_exec_t)
|
domain_entry_file(udev_t,udev_helper_exec_t)
|
||||||
domain_make_file_descriptors_widely_inheritable(udev_t)
|
domain_wide_inherit_fd(udev_t)
|
||||||
init_make_daemon_domain(udev_t,udev_exec_t)
|
init_daemon_domain(udev_t,udev_exec_t)
|
||||||
|
|
||||||
type udev_etc_t alias etc_udev_t;
|
type udev_etc_t alias etc_udev_t;
|
||||||
files_make_file(udev_etc_t)
|
files_file_type(udev_etc_t)
|
||||||
|
|
||||||
# udev_runtime_t is the type of the udev table file
|
# udev_runtime_t is the type of the udev table file
|
||||||
# cjp: this is probably a copy of udev_tbl_t and can be removed
|
# cjp: this is probably a copy of udev_tbl_t and can be removed
|
||||||
type udev_runtime_t;
|
type udev_runtime_t;
|
||||||
files_make_file(udev_runtime_t)
|
files_file_type(udev_runtime_t)
|
||||||
|
|
||||||
type udev_tbl_t alias udev_tdb_t;
|
type udev_tbl_t alias udev_tdb_t;
|
||||||
files_make_file(udev_tbl_t)
|
files_file_type(udev_tbl_t)
|
||||||
|
|
||||||
type udev_var_run_t;
|
type udev_var_run_t;
|
||||||
files_make_daemon_runtime_file(udev_var_run_t)
|
files_pid_file(udev_var_run_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -82,53 +82,53 @@ dev_manage_dev_nodes(udev_t)
|
|||||||
|
|
||||||
fs_getattr_all_fs(udev_t)
|
fs_getattr_all_fs(udev_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(udev_t)
|
corecmd_exec_bin(udev_t)
|
||||||
corecommands_execute_system_programs(udev_t)
|
corecmd_exec_sbin(udev_t)
|
||||||
corecommands_execute_shell(udev_t)
|
corecmd_exec_shell(udev_t)
|
||||||
|
|
||||||
domain_execute_all_entrypoint_programs(udev_t)
|
domain_exec_all_entry_files(udev_t)
|
||||||
domain_ignore_read_all_domains_process_dirs(udev_t)
|
domain_dontaudit_list_all_domains_proc(udev_t)
|
||||||
|
|
||||||
files_read_runtime_system_config(udev_t)
|
files_read_etc_runtime_files(udev_t)
|
||||||
files_read_general_system_config(udev_t)
|
files_read_generic_etc_files(udev_t)
|
||||||
files_execute_system_config_script(udev_t)
|
files_exec_generic_etc_files(udev_t)
|
||||||
files_ignore_search_isid_type_dir(udev_t)
|
files_dontaudit_search_isid_type_dir(udev_t)
|
||||||
|
|
||||||
init_use_file_descriptors(udev_t)
|
init_use_fd(udev_t)
|
||||||
init_script_read_runtime_data(udev_t)
|
init_read_script_pid(udev_t)
|
||||||
init_script_ignore_write_runtime_data(udev_t)
|
init_dontaudit_write_script_pid(udev_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(udev_t)
|
libs_use_ld_so(udev_t)
|
||||||
libraries_use_shared_libraries(udev_t)
|
libs_use_shared_libs(udev_t)
|
||||||
|
|
||||||
logging_send_system_log_message(udev_t)
|
logging_send_syslog_msg(udev_t)
|
||||||
|
|
||||||
miscfiles_read_localization(udev_t)
|
miscfiles_read_localization(udev_t)
|
||||||
|
|
||||||
modutils_insmod_transition(udev_t)
|
modutils_domtrans_insmod(udev_t)
|
||||||
|
|
||||||
selinux_read_config(udev_t)
|
selinux_read_config(udev_t)
|
||||||
selinux_read_default_contexts(udev_t)
|
selinux_read_default_contexts(udev_t)
|
||||||
selinux_read_file_contexts(udev_t)
|
selinux_read_file_contexts(udev_t)
|
||||||
selinux_restorecon_transition(udev_t)
|
selinux_domtrans_restorecon(udev_t)
|
||||||
|
|
||||||
sysnetwork_ifconfig_transition(udev_t)
|
sysnet_domtrans_ifconfig(udev_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
fs_manage_tmpfs_block_devices(udev_t)
|
fs_manage_tmpfs_block_devices(udev_t)
|
||||||
fs_manage_tmpfs_character_devices(udev_t)
|
fs_manage_tmpfs_character_devices(udev_t)
|
||||||
|
|
||||||
# for arping used for static IP addresses on PCMCIA ethernet
|
# for arping used for static IP addresses on PCMCIA ethernet
|
||||||
netutils_transition(udev_t)
|
netutils_domtrans(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`authlogin.te',`
|
optional_policy(`authlogin.te',`
|
||||||
authlogin_pam_console_read_runtime_data(udev_t)
|
auth_read_pam_console_data(udev_t)
|
||||||
authlogin_pam_console_transition(udev_t)
|
auth_domtrans_pam_console(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`consoletype.te',`
|
optional_policy(`consoletype.te',`
|
||||||
consoletype_execute(udev_t)
|
consoletype_exec(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
@ -136,7 +136,7 @@ optional_policy(`hotplug.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`sysnetwork.te',`
|
optional_policy(`sysnetwork.te',`
|
||||||
sysnetwork_dhcpc_transition(udev_t)
|
sysnet_domtrans_dhcpc(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -12,8 +12,8 @@ define(`base_user_domain',`
|
|||||||
attribute $1_file_type;
|
attribute $1_file_type;
|
||||||
|
|
||||||
type $1_t, userdomain;
|
type $1_t, userdomain;
|
||||||
domain_make_domain($1_t)
|
domain_type($1_t)
|
||||||
corecommands_make_shell_entrypoint($1_t)
|
corecmd_shell_entry_type($1_t)
|
||||||
role $1_r types $1_t;
|
role $1_r types $1_t;
|
||||||
allow system_r $1_r;
|
allow system_r $1_r;
|
||||||
|
|
||||||
@ -23,17 +23,17 @@ define(`base_user_domain',`
|
|||||||
|
|
||||||
# type for contents of home directory
|
# type for contents of home directory
|
||||||
type $1_home_t, $1_file_type, home_type;
|
type $1_home_t, $1_file_type, home_type;
|
||||||
files_make_file($1_home_t)
|
files_file_type($1_home_t)
|
||||||
|
|
||||||
# type of home directory
|
# type of home directory
|
||||||
type $1_home_dir_t, home_dir_type, home_type;
|
type $1_home_dir_t, home_dir_type, home_type;
|
||||||
files_make_file($1_home_t)
|
files_file_type($1_home_t)
|
||||||
|
|
||||||
type $1_tmp_t, $1_file_type;
|
type $1_tmp_t, $1_file_type;
|
||||||
files_make_temporary_file($1_tmp_t)
|
files_tmp_file($1_tmp_t)
|
||||||
|
|
||||||
type $1_tmpfs_t;
|
type $1_tmpfs_t;
|
||||||
files_make_tmpfs_file($1_tmpfs_t)
|
files_tmpfs_file($1_tmpfs_t)
|
||||||
|
|
||||||
type $1_tty_device_t;
|
type $1_tty_device_t;
|
||||||
term_tty($1_t,$1_tty_device_t)
|
term_tty($1_t,$1_tty_device_t)
|
||||||
@ -142,37 +142,37 @@ define(`base_user_domain',`
|
|||||||
# for eject
|
# for eject
|
||||||
storage_getattr_fixed_disk($1_t)
|
storage_getattr_fixed_disk($1_t)
|
||||||
|
|
||||||
authlogin_read_login_records($1_t)
|
auth_read_login_records($1_t)
|
||||||
authlogin_ignore_write_login_records($1_t)
|
auth_dontaudit_write_login_records($1_t)
|
||||||
authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
|
|
||||||
corecommands_execute_general_programs($1_t)
|
corecmd_exec_bin($1_t)
|
||||||
corecommands_execute_system_programs($1_t)
|
corecmd_exec_sbin($1_t)
|
||||||
corecommands_execute_ls($1_t)
|
corecmd_exec_ls($1_t)
|
||||||
|
|
||||||
domain_execute_all_entrypoint_programs($1_t)
|
domain_exec_all_entry_files($1_t)
|
||||||
domain_use_widely_inheritable_file_descriptors($1_t)
|
domain_use_wide_inherit_fd($1_t)
|
||||||
|
|
||||||
files_execute_system_config_script($1_t)
|
files_exec_generic_etc_files($1_t)
|
||||||
files_read_system_source_code($1_t)
|
files_read_usr_src($1_t)
|
||||||
|
|
||||||
# Caused by su - init scripts
|
# Caused by su - init scripts
|
||||||
init_script_ignore_use_pseudoterminal($1_t)
|
init_dontaudit_use_script_pty($1_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_t)
|
libs_use_ld_so($1_t)
|
||||||
libraries_use_shared_libraries($1_t)
|
libs_use_shared_libs($1_t)
|
||||||
libraries_execute_dynamic_loader($1_t)
|
libs_exec_ld_so($1_t)
|
||||||
libraries_execute_library_scripts($1_t)
|
libs_exec_lib_files($1_t)
|
||||||
|
|
||||||
logging_ignore_get_all_logs_attributes($1_t)
|
logging_dontaudit_getattr_all_logs($1_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_t)
|
miscfiles_read_localization($1_t)
|
||||||
miscfiles_manage_man_page_cache($1_t)
|
miscfiles_rw_man_cache($1_t)
|
||||||
|
|
||||||
selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
selinux_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||||
|
|
||||||
mta_modify_mail_spool($1_t)
|
mta_rw_spool($1_t)
|
||||||
|
|
||||||
if (allow_execmem) {
|
if (allow_execmem) {
|
||||||
# Allow loading DSOs that require executable stack.
|
# Allow loading DSOs that require executable stack.
|
||||||
@ -206,8 +206,8 @@ define(`base_user_domain',`
|
|||||||
}
|
}
|
||||||
|
|
||||||
optional_policy(`usermanage.te',`
|
optional_policy(`usermanage.te',`
|
||||||
usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||||
usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -411,7 +411,7 @@ define(`user_domain_template', `
|
|||||||
base_user_domain($1)
|
base_user_domain($1)
|
||||||
|
|
||||||
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
|
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
|
||||||
domain_make_file_descriptors_widely_inheritable($1_t)
|
domain_wide_inherit_fd($1_t)
|
||||||
|
|
||||||
#typeattribute $1_devpts_t userpty_type, user_tty_type;
|
#typeattribute $1_devpts_t userpty_type, user_tty_type;
|
||||||
#typeattribute $1_home_dir_t user_home_dir_type;
|
#typeattribute $1_home_dir_t user_home_dir_type;
|
||||||
@ -439,7 +439,7 @@ define(`user_domain_template', `
|
|||||||
allow $1_t $1_tmp_t:dir create_dir_perms;
|
allow $1_t $1_tmp_t:dir create_dir_perms;
|
||||||
allow $1_t $1_tmp_t:sock_file create_file_perms;
|
allow $1_t $1_tmp_t:sock_file create_file_perms;
|
||||||
allow $1_t $1_tmp_t:fifo_file create_file_perms;
|
allow $1_t $1_tmp_t:fifo_file create_file_perms;
|
||||||
files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
|
files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
|
||||||
|
|
||||||
# privileged home directory writers
|
# privileged home directory writers
|
||||||
allow privhome $1_home_t:file create_file_perms;
|
allow privhome $1_home_t:file create_file_perms;
|
||||||
@ -459,24 +459,24 @@ define(`user_domain_template', `
|
|||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_t)
|
files_read_generic_etc_files($1_t)
|
||||||
files_list_home_directories($1_t)
|
files_list_home($1_t)
|
||||||
files_read_general_application_resources($1_t)
|
files_read_usr_files($1_t)
|
||||||
|
|
||||||
init_script_read_runtime_data($1_t)
|
init_read_script_pid($1_t)
|
||||||
# The library functions always try to open read-write first,
|
# The library functions always try to open read-write first,
|
||||||
# then fall back to read-only if it fails.
|
# then fall back to read-only if it fails.
|
||||||
init_script_ignore_write_runtime_data($1_t)
|
init_dontaudit_write_script_pid($1_t)
|
||||||
# Stop warnings about access to /dev/console
|
# Stop warnings about access to /dev/console
|
||||||
init_ignore_use_file_descriptors($1_t)
|
init_dontaudit_use_fd($1_t)
|
||||||
init_script_ignore_use_file_descriptors($1_t)
|
init_dontaudit_use_script_fd($1_t)
|
||||||
|
|
||||||
miscfiles_read_man_pages($1_t)
|
miscfiles_read_man_pages($1_t)
|
||||||
|
|
||||||
selinux_read_config($1_t)
|
selinux_read_config($1_t)
|
||||||
# Allow users to execute checkpolicy without a domain transition
|
# Allow users to execute checkpolicy without a domain transition
|
||||||
# so it can be used without privilege to write real binary policy file
|
# so it can be used without privilege to write real binary policy file
|
||||||
selinux_checkpolicy_execute($1_t)
|
selinux_exec_checkpol($1_t)
|
||||||
|
|
||||||
if (user_dmesg) {
|
if (user_dmesg) {
|
||||||
kernel_read_ring_buffer($1_t)
|
kernel_read_ring_buffer($1_t)
|
||||||
@ -493,12 +493,12 @@ define(`user_domain_template', `
|
|||||||
|
|
||||||
# for running depmod as part of the kernel packaging process
|
# for running depmod as part of the kernel packaging process
|
||||||
optional_policy(`modutils.te',`
|
optional_policy(`modutils.te',`
|
||||||
modutils_read_kernel_module_loading_config($1_t)
|
modutils_read_module_conf($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
# for when the network connection is killed
|
# for when the network connection is killed
|
||||||
selinux_newrole_ignore_signal($1_t)
|
selinux_dontaudit_newrole_signal($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# Need the following rule to allow users to run vpnc
|
# Need the following rule to allow users to run vpnc
|
||||||
@ -612,7 +612,7 @@ define(`admin_domain_template',`
|
|||||||
base_user_domain($1)
|
base_user_domain($1)
|
||||||
|
|
||||||
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
|
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
|
||||||
kernel_make_object_identity_change_constraint_exception($1_t)
|
kernel_obj_id_change_exempt($1_t)
|
||||||
role system_r types $1_t;
|
role system_r types $1_t;
|
||||||
|
|
||||||
#ifdef(`direct_sysadm_daemon', `, priv_system_role')
|
#ifdef(`direct_sysadm_daemon', `, priv_system_role')
|
||||||
@ -650,7 +650,7 @@ define(`admin_domain_template',`
|
|||||||
allow $1_t $1_tmp_t:lnk_file create_file_perms;
|
allow $1_t $1_tmp_t:lnk_file create_file_perms;
|
||||||
allow $1_t $1_tmp_t:fifo_file create_file_perms;
|
allow $1_t $1_tmp_t:fifo_file create_file_perms;
|
||||||
allow $1_t $1_tmp_t:sock_file create_file_perms;
|
allow $1_t $1_tmp_t:sock_file create_file_perms;
|
||||||
files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
|
files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
|
||||||
|
|
||||||
kernel_read_system_state($1_t)
|
kernel_read_system_state($1_t)
|
||||||
kernel_read_network_state($1_t)
|
kernel_read_network_state($1_t)
|
||||||
@ -698,12 +698,12 @@ define(`admin_domain_template',`
|
|||||||
term_use_all_user_ttys($1_t)
|
term_use_all_user_ttys($1_t)
|
||||||
|
|
||||||
# Manage almost all files
|
# Manage almost all files
|
||||||
authlogin_manage_all_files_except_shadow($1_t)
|
auth_manage_all_files_except_shadow($1_t)
|
||||||
# Relabel almost all files
|
# Relabel almost all files
|
||||||
authlogin_relabel_all_files_except_shadow($1_t)
|
auth_relabel_all_files_except_shadow($1_t)
|
||||||
|
|
||||||
domain_set_all_domains_priorities($1_t)
|
domain_setpriority_all_domains($1_t)
|
||||||
domain_read_all_domains_process_state($1_t)
|
domain_read_all_domains_state($1_t)
|
||||||
# signal all domains:
|
# signal all domains:
|
||||||
domain_kill_all_domains($1_t)
|
domain_kill_all_domains($1_t)
|
||||||
domain_signal_all_domains($1_t)
|
domain_signal_all_domains($1_t)
|
||||||
@ -712,22 +712,22 @@ define(`admin_domain_template',`
|
|||||||
domain_sigstop_all_domains($1_t)
|
domain_sigstop_all_domains($1_t)
|
||||||
domain_sigchld_all_domains($1_t)
|
domain_sigchld_all_domains($1_t)
|
||||||
|
|
||||||
files_execute_system_source_code_scripts($1_t)
|
files_exec_usr_files($1_t)
|
||||||
|
|
||||||
init_use_control_channel($1_t)
|
init_use_initctl($1_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_t)
|
logging_send_syslog_msg($1_t)
|
||||||
|
|
||||||
modutils_insmod_transition($1_t)
|
modutils_domtrans_insmod($1_t)
|
||||||
|
|
||||||
selinux_read_config($1_t)
|
selinux_read_config($1_t)
|
||||||
# The following rule is temporary until such time that a complete
|
# The following rule is temporary until such time that a complete
|
||||||
# policy management infrastructure is in place so that an administrator
|
# policy management infrastructure is in place so that an administrator
|
||||||
# cannot directly manipulate policy files with arbitrary programs.
|
# cannot directly manipulate policy files with arbitrary programs.
|
||||||
selinux_manage_source_policy($1_t)
|
selinux_manage_src_pol($1_t)
|
||||||
# Violates the goal of limiting write access to checkpolicy.
|
# Violates the goal of limiting write access to checkpolicy.
|
||||||
# But presently necessary for installing the file_contexts file.
|
# But presently necessary for installing the file_contexts file.
|
||||||
selinux_manage_binary_policy($1_t)
|
selinux_manage_binary_pol($1_t)
|
||||||
|
|
||||||
optional_policy(`cron.te',`
|
optional_policy(`cron.te',`
|
||||||
cron_admin_template($1)
|
cron_admin_template($1)
|
||||||
@ -807,7 +807,7 @@ define(`admin_domain_template',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_all_users_explicit_transition">
|
## <interface name="userdom_spec_domtrans_all_users">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute a shell in all user domains. This
|
## Execute a shell in all user domains. This
|
||||||
## is an explicit transition, requiring the
|
## is an explicit transition, requiring the
|
||||||
@ -818,17 +818,17 @@ define(`admin_domain_template',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_all_users_explicit_transition',`
|
define(`userdom_spec_domtrans_all_users',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
corecommands_shell_explicit_transition($1,userdomain)
|
corecmd_shell_spec_domtrans($1,userdomain)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_all_users_explicit_transition_depend',`
|
define(`userdom_spec_domtrans_all_users_depend',`
|
||||||
type sysadm_t;
|
type sysadm_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_sysadm_shell_transition">
|
## <interface name="userdom_shell_domtrans_sysadm">
|
||||||
## <description>
|
## <description>
|
||||||
## Execute a shell in the sysadm domain.
|
## Execute a shell in the sysadm domain.
|
||||||
## </description>
|
## </description>
|
||||||
@ -837,18 +837,18 @@ define(`userdomain_all_users_explicit_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_sysadm_shell_transition',`
|
define(`userdom_shell_domtrans_sysadm',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
corecommands_shell_transition($1,sysadm_t)
|
corecmd_domtrans_shell($1,sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_sysadm_shell_transition_depend',`
|
define(`userdom_shell_domtrans_sysadm_depend',`
|
||||||
type sysadm_t;
|
type sysadm_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_use_admin_terminals">
|
## <interface name="userdom_use_sysadm_terms">
|
||||||
## <description>
|
## <description>
|
||||||
## Read and write administrative users
|
## Read and write administrative users
|
||||||
## physical and pseudo terminals.
|
## physical and pseudo terminals.
|
||||||
@ -858,7 +858,7 @@ define(`userdomain_sysadm_shell_transition_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_use_admin_terminals',`
|
define(`userdom_use_sysadm_terms',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
@ -866,14 +866,14 @@ define(`userdomain_use_admin_terminals',`
|
|||||||
allow $1 admin_terminal:chr_file { getattr read write ioctl };
|
allow $1 admin_terminal:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_use_admin_terminals_depend',`
|
define(`userdom_use_sysadm_terms_depend',`
|
||||||
attribute admin_terminal;
|
attribute admin_terminal;
|
||||||
|
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_dontaudit_use_admin_terminals">
|
## <interface name="userdom_dontaudit_use_sysadm_terms">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts to use admin ttys and ptys.
|
## Do not audit attempts to use admin ttys and ptys.
|
||||||
## </description>
|
## </description>
|
||||||
@ -882,20 +882,20 @@ define(`userdomain_use_admin_terminals_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_dontaudit_use_admin_terminals',`
|
define(`userdom_dontaudit_use_sysadm_terms',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 admin_terminal:chr_file { read write };
|
dontaudit $1 admin_terminal:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_dontaudit_use_admin_terminals_depend',`
|
define(`userdom_dontaudit_use_sysadm_terms_depend',`
|
||||||
attribute admin_terminal;
|
attribute admin_terminal;
|
||||||
|
|
||||||
class chr_file { read write };
|
class chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_search_all_users_home_dirs">
|
## <interface name="userdom_search_all_users_home">
|
||||||
## <description>
|
## <description>
|
||||||
## Search all users home directories.
|
## Search all users home directories.
|
||||||
## </description>
|
## </description>
|
||||||
@ -904,21 +904,21 @@ define(`userdomain_dontaudit_use_admin_terminals_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_search_all_users_home_dirs',`
|
define(`userdom_search_all_users_home',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_list_home_directories($1)
|
files_list_home($1)
|
||||||
allow $1 { home_dir_type home_type }:dir search;
|
allow $1 { home_dir_type home_type }:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_search_all_users_home_dirs_depend',`
|
define(`userdom_search_all_users_home_depend',`
|
||||||
attribute home_dir_type, home_type;
|
attribute home_dir_type, home_type;
|
||||||
|
|
||||||
class dir search;
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_read_all_users_data">
|
## <interface name="userdom_read_all_user_data">
|
||||||
## <description>
|
## <description>
|
||||||
## Read all files in all users home directories.
|
## Read all files in all users home directories.
|
||||||
## </description>
|
## </description>
|
||||||
@ -927,15 +927,15 @@ define(`userdomain_search_all_users_home_dirs_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_read_all_users_data',`
|
define(`userdom_read_all_user_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
files_list_home_directories($1)
|
files_list_home($1)
|
||||||
allow $1 home_type:dir r_dir_perms;
|
allow $1 home_type:dir r_dir_perms;
|
||||||
allow $1 home_type:file r_file_perms;
|
allow $1 home_type:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_read_all_users_data_depend',`
|
define(`userdom_read_all_user_data_depend',`
|
||||||
attribute home_type;
|
attribute home_type;
|
||||||
|
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
@ -943,7 +943,7 @@ define(`userdomain_read_all_users_data_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_use_all_users_file_descriptors">
|
## <interface name="userdom_use_all_user_fd">
|
||||||
## <description>
|
## <description>
|
||||||
## Inherit the file descriptors from all user domains
|
## Inherit the file descriptors from all user domains
|
||||||
## </description>
|
## </description>
|
||||||
@ -952,20 +952,20 @@ define(`userdomain_read_all_users_data_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_use_all_users_file_descriptors',`
|
define(`userdom_use_all_user_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 userdomain:fd use;
|
allow $1 userdomain:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_use_all_users_file_descriptors_depend',`
|
define(`userdom_use_all_user_fd_depend',`
|
||||||
attribute userdomain;
|
attribute userdomain;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_signal_all_userdomains">
|
## <interface name="userdom_signal_all_users">
|
||||||
## <description>
|
## <description>
|
||||||
## Send general signals to all user domains.
|
## Send general signals to all user domains.
|
||||||
## </description>
|
## </description>
|
||||||
@ -974,20 +974,20 @@ define(`userdomain_use_all_users_file_descriptors_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_signal_all_userdomains',`
|
define(`userdom_signal_all_users',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 userdomain:process signal;
|
allow $1 userdomain:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_signal_all_userdomains_depend',`
|
define(`userdom_signal_all_users_depend',`
|
||||||
attribute userdomain;
|
attribute userdomain;
|
||||||
|
|
||||||
class process signal;
|
class process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_use_all_unprivileged_users_file_descriptors">
|
## <interface name="userdom_use_unpriv_users_fd">
|
||||||
## <description>
|
## <description>
|
||||||
## Inherit the file descriptors from all user domains.
|
## Inherit the file descriptors from all user domains.
|
||||||
## </description>
|
## </description>
|
||||||
@ -996,20 +996,20 @@ define(`userdomain_signal_all_userdomains_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_use_all_unprivileged_users_file_descriptors',`
|
define(`userdom_use_unpriv_users_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
allow $1 unpriv_userdomain:fd use;
|
allow $1 unpriv_userdomain:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
|
define(`userdom_use_unpriv_users_fd_depend',`
|
||||||
attribute unpriv_userdomain;
|
attribute unpriv_userdomain;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="userdomain_ignore_use_all_unprivileged_users_file_descriptors">
|
## <interface name="userdom_dontaudit_use_unpriv_user_fd">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts to inherit the
|
## Do not audit attempts to inherit the
|
||||||
## file descriptors from all user domains.
|
## file descriptors from all user domains.
|
||||||
@ -1019,13 +1019,13 @@ define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
|
define(`userdom_dontaudit_use_unpriv_user_fd',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 unpriv_userdomain:fd use;
|
dontaudit $1 unpriv_userdomain:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',`
|
define(`userdom_dontaudit_use_unpriv_user_fd_depend',`
|
||||||
attribute unpriv_userdomain;
|
attribute unpriv_userdomain;
|
||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
|
@ -126,54 +126,54 @@ optional_policy(`bootloader.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`clock.te',`
|
optional_policy(`clock.te',`
|
||||||
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hostname.te',`
|
optional_policy(`hostname.te',`
|
||||||
hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
hostname_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`iptables.te',`
|
optional_policy(`iptables.te',`
|
||||||
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
iptables_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`libraries.te',`
|
optional_policy(`libraries.te',`
|
||||||
libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`lvm.te',`
|
optional_policy(`lvm.te',`
|
||||||
lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
lvm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`modutils.te',`
|
optional_policy(`modutils.te',`
|
||||||
modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
|
||||||
modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
|
||||||
modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`mount.te',`
|
optional_policy(`mount.te',`
|
||||||
mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
mount_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rpm.te',`
|
optional_policy(`rpm.te',`
|
||||||
rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
|
||||||
selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
|
||||||
selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
|
||||||
selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
||||||
optional_policy(`targeted_policy',`',`
|
optional_policy(`targeted_policy',`',`
|
||||||
selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`sysnetwork.te',`
|
optional_policy(`sysnetwork.te',`
|
||||||
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`usermanage.te',`
|
optional_policy(`usermanage.te',`
|
||||||
usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
|
||||||
usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
Loading…
Reference in New Issue
Block a user