support for targeted policy
parent
83ce670b3d
commit
c98340cfeb
|
@ -117,7 +117,11 @@ MODDIR = $(POLDIR)/modules
|
|||
|
||||
BASE_MODULE = $(MODDIR)/kernel
|
||||
FLASKDIR = $(POLDIR)/flask
|
||||
APPCONF = config/appconfig
|
||||
ifneq ($(findstring targeted,$(TYPE)),)
|
||||
APPCONF := config/appconfig-targeted
|
||||
else
|
||||
APPCONF := config/appconfig-strict
|
||||
endif
|
||||
M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
|
||||
|
||||
GLOBALTUN := $(POLDIR)/global_tunables
|
||||
|
|
|
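Review bot: `APPCONF = config/appconfig` is kept above the new `ifneq` block, yet both branches overwrite it with `:=`, so within this hunk that assignment is dead and the config/appconfig value is never used. Either drop the line or make strict the default and keep a single branch: `APPCONF := config/appconfig-strict` followed by `ifneq ($(findstring targeted,$(TYPE)),)` / `APPCONF := config/appconfig-targeted` / `endif`. Note that `$(findstring targeted,$(TYPE))` is a substring test, so any TYPE that merely contains "targeted" selects the targeted appconfig, while every other value, including a misspelt one, silently falls back to the strict directory without any error.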
@ -0,0 +1,6 @@
|
|||
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||
<busconfig>
|
||||
<selinux>
|
||||
</selinux>
|
||||
</busconfig>
|
|
@ -0,0 +1,6 @@
|
|||
system_r:unconfined_t system_r:unconfined_t
|
||||
system_r:initrc_t system_r:unconfined_t
|
||||
system_r:local_login_t system_r:unconfined_t
|
||||
system_r:remote_login_t system_r:unconfined_t
|
||||
system_r:rshd_t system_r:unconfined_t
|
||||
system_r:crond_t system_r:unconfined_t
|
|
@ -0,0 +1 @@
|
|||
system_r:unconfined_t
|
|
@ -0,0 +1 @@
|
|||
system_r:unconfined_t
|
|
@ -0,0 +1 @@
|
|||
user_u:system_r:unconfined_t
|
|
@ -0,0 +1,2 @@
|
|||
system_r:unconfined_t system_r:unconfined_t
|
||||
system_r:initrc_t system_r:unconfined_t
|
|
@ -0,0 +1 @@
|
|||
system_u:system_r:unconfined_t
|
|
@ -33,38 +33,65 @@
|
|||
# SELinux process identity change constraint:
|
||||
#
|
||||
constrain process transition
|
||||
( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain )
|
||||
ifdef(`crond.te', `
|
||||
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
|
||||
( u1 == u2 or
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
t1 == can_change_process_identity
|
||||
',`
|
||||
( t1 == can_change_process_identity and t2 == userdomain )
|
||||
ifdef(`crond.te',`
|
||||
or (
|
||||
t1 == crond_t
|
||||
and (
|
||||
t2 == user_crond_domain
|
||||
or u2 == system_u
|
||||
)
|
||||
)
|
||||
')
|
||||
|
||||
ifdef(`userhelper.te',`
|
||||
or (t1 == userhelperdomain)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
or (t1 == priv_system_role and u2 == system_u )
|
||||
') dnl end TODO
|
||||
')
|
||||
ifdef(`userhelper.te',
|
||||
`or (t1 == userhelperdomain)
|
||||
')
|
||||
ifdef(`TODO',`
|
||||
or (t1 == priv_system_role and u2 == system_u )
|
||||
') dnl end TODO
|
||||
);
|
||||
);
|
||||
|
||||
#
|
||||
# SELinux process role change constraint:
|
||||
#
|
||||
constrain process transition
|
||||
( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain )
|
||||
ifdef(`crond.te', `
|
||||
or (t1 == crond_t and t2 == user_crond_domain)
|
||||
( r1 == r2 or
|
||||
ifdef(`targeted_policy',`
|
||||
t1 == can_change_process_role
|
||||
',`
|
||||
( t1 == can_change_process_role and t2 == userdomain )
|
||||
|
||||
ifdef(`crond.te',`
|
||||
or (t1 == crond_t and t2 == user_crond_domain)
|
||||
')
|
||||
|
||||
ifdef(`userhelper.te',`
|
||||
or (t1 == userhelperdomain)
|
||||
')
|
||||
|
||||
ifdef(`postfix.te',`
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
or (
|
||||
t1 == sysadm_mail_t
|
||||
and t2 == system_mail_t
|
||||
and r2 == system_r
|
||||
)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
or (t1 == priv_system_role and r2 == system_r )
|
||||
') dnl end TODO
|
||||
')
|
||||
ifdef(`userhelper.te',
|
||||
`or (t1 == userhelperdomain)
|
||||
')
|
||||
ifdef(`postfix.te', `
|
||||
ifdef(`direct_sysadm_daemon',
|
||||
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )
|
||||
')
|
||||
')
|
||||
ifdef(`TODO',`
|
||||
or (t1 == priv_system_role and r2 == system_r )
|
||||
') dnl end TODO
|
||||
);
|
||||
);
|
||||
|
||||
#
|
||||
# SELinux dynamic transition constraint:
|
||||
|
|
|
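Review bot: In the targeted branches the constraint clauses become `t1 == can_change_process_identity` and `t1 == can_change_process_role` with the `t2 == userdomain` conjunct removed, so under targeted policy any domain carrying those attributes may change the SELinux user or role on a transition to any type, not only to a user domain. That is presumably deliberate because targeted policy has no confined user domains, but nothing in the hunk records the reasoning; a comment on each targeted branch such as `# targeted: no confined user domains exist, so the transition target is not restricted` would make the relaxation an explicit design decision rather than something a later reader may take for an omission. The `ifdef(`TODO',` blocks are now nested inside the strict (else) branch of both constraints, which also changes where a future priv_system_role clause would take effect and is worth a word in the same comment.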
@ -1032,8 +1032,11 @@ interface(`kernel_unconfined',`
|
|||
# allow $1 proc_fs:{ dir file } *;
|
||||
|
||||
allow $1 sysctl_t:{ dir file } *;
|
||||
|
||||
allow $1 kernel_t:system *;
|
||||
|
||||
allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;
|
||||
allow $1 unlabeled_t:filesystem *;
|
||||
|
||||
typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
|
||||
|
||||
|
|
|
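Review bot: The new `allow $1 unlabeled_t:{ dir lnk_file sock_file fifo_file blk_file } *;` omits `file` and `chr_file` from the class set, although together with the following `allow $1 unlabeled_t:filesystem *;` the intent appears to be blanket access to unlabeled objects; if those two classes are granted to unconfined domains elsewhere, a comment saying so would keep the next reader from treating the gap as a bug. Both rules are unconditional rather than inside `ifdef(`targeted_policy',`, so strict-policy callers of kernel_unconfined receive them as well, which is presumably intended but differs from the other hunks in this commit. The kernel_unconfined interface body starts outside the hunk.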
@ -211,3 +211,7 @@ neverallow ~can_load_kernmodule self:capability sys_module;
|
|||
# If you load an incompatible policy, you should probably reboot,
|
||||
# since you may have compromised system security.
|
||||
init_sigchld(unlabeled_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow unlabeled_t self:filesystem associate;
|
||||
')
|
||||
|
|
|
@ -12,6 +12,12 @@ policy_module(corecommands,1.0)
|
|||
type bin_t;
|
||||
files_type(bin_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# Define some type aliases to help with compatibility with
|
||||
# macros and domains from the "strict" policy.
|
||||
typealias bin_t alias su_exec_t;
|
||||
')
|
||||
|
||||
#
|
||||
# sbin_t is the type of files in the system sbin directories.
|
||||
#
|
||||
|
|
|
@ -47,6 +47,11 @@ interface(`domain_type',`
|
|||
# send init a sigchld
|
||||
init_sigchld($1)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_use_fd($1)
|
||||
unconfined_sigchld($1)
|
||||
')
|
||||
|
||||
# this seems highly questionable:
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_use_fd($1)
|
||||
|
|
|
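Review bot: The `ifdef(`targeted_policy',` block calls `unconfined_use_fd($1)` and `unconfined_sigchld($1)` for every domain declared through domain_type without an `optional_policy` guard, whereas the `rpm_use_fd($1)` call directly below is wrapped in `optional_policy(`rpm.te',`. If the unconfined module is mandatory under targeted policy that is correct, but a comment such as `# targeted: the unconfined module is always built, so no optional_policy wrapper is needed` would state the dependency explicitly. The domain_type interface starts and ends outside the hunk.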
@ -783,6 +783,27 @@ interface(`files_list_home',`
|
|||
allow $1 home_root_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create home directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="home_type">
|
||||
## The type of the home directory
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_home_dirs',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
class dir rw_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 home_root_t:dir rw_dir_perms;
|
||||
type_transition $1 home_root_t:dir $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete objects in
|
||||
|
|
|
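Review bot: The `<summary>` of `files_create_home_dirs` says "Create home directories", but the interface only grants `rw_dir_perms` on home_root_t plus the `type_transition` to $2; permissions on the new $2 type itself are left to the caller, which is how userdom_unconfined uses it with a separate `create_dir_perms` rule. The summary should say so, e.g. `## Create home directories under the home root; the caller must separately allow $1 to create directories of type $2.`. The `<param name="home_type">` text `The type of the home directory` would be clearer as `The type assigned to newly created home directories.`.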
@ -8,7 +8,7 @@
|
|||
## Domain to make unconfined.
|
||||
## </param>
|
||||
#
|
||||
template(`unconfined_access_template',`
|
||||
template(`unconfined_domain_template',`
|
||||
|
||||
# Use any Linux capability.
|
||||
allow $1 self:capability *;
|
||||
|
@ -73,3 +73,87 @@ template(`unconfined_access_template',`
|
|||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to the unconfined domain by executing a shell.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_domtrans_shell',`
|
||||
|
||||
gen_require(`
|
||||
unconfined_t;
|
||||
')
|
||||
|
||||
corecmd_domtrans_shell($1,unconfined_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Inherit file descriptors from the unconfined domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_use_fd',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to the unconfined domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_sigchld',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write unconfined domain unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_rw_pipe',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Add the unconfined domain to the specified role.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_role',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
')
|
||||
|
||||
role $1 types unconfined_t;
|
||||
')
|
||||
|
|
|
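Review bot: In `unconfined_domtrans_shell` the `gen_require` body is `unconfined_t;` without the `type` keyword, while every other new interface in this file writes `type unconfined_t;`; a bare identifier is not a valid require declaration when the interface is expanded from a separate module, so it should read `type unconfined_t;`. Separately, `unconfined_role` takes a role as $1 (`role $1 types unconfined_t;`), but its `<param name="domain">` text says `Domain allowed access.`; rename the param to `role` and describe it as `The role to which the unconfined domain is added.`. The first hunk's rename to `unconfined_domain_template` is consistent with the call site in unconfined.te.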
@ -16,8 +16,23 @@ role system_r types unconfined_t;
|
|||
# Local policy
|
||||
#
|
||||
|
||||
unconfined_access_template(unconfined_t)
|
||||
unconfined_domain_template(unconfined_t)
|
||||
logging_send_syslog_msg(unconfined_t)
|
||||
|
||||
#role sysadm_r types unconfined_t;
|
||||
#domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow unconfined_t self:system syslog_read;
|
||||
|
||||
# Define some type aliases to help with compatibility with
|
||||
# macros and domains from the "strict" policy.
|
||||
# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
|
||||
|
||||
userdom_unconfined(unconfined_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
#cjp: why is this needed?
|
||||
ifdef(`samba.te', `samba_domain(user)')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
|
|
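Review bot: The two comment lines `# Define some type aliases to help with compatibility with` / `# macros and domains from the "strict" policy.` describe nothing active, because the only alias line beneath them, `# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t ... };`, is itself commented out. Either remove all three lines or turn the explanation into a note on why the alias is disabled, e.g. `# Aliasing daemon types to unconfined_t is disabled for now; see the per-module targeted_policy blocks instead.`. The `ifdef(`TODO',` block with `samba_domain(user)` carries a question in the code (`#cjp: why is this needed?`) that would be better tracked outside the policy source.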
@ -902,11 +902,16 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
|||
## </param>
|
||||
#
|
||||
interface(`userdom_shell_domtrans_sysadm',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
')
|
||||
ifdef(`targeted_policy',`
|
||||
#cjp: need to doublecheck this one
|
||||
unconfined_domtrans_shell($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
')
|
||||
|
||||
corecmd_domtrans_shell($1,sysadm_t)
|
||||
corecmd_domtrans_shell($1,sysadm_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -939,14 +944,18 @@ interface(`userdom_read_staff_home_files',`
|
|||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_tty',`
|
||||
gen_require(`
|
||||
type sysadm_tty_device_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_unallocated_tty($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_tty_device_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
term_list_ptys($1)
|
||||
allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
|
||||
dev_list_all_dev_nodes($1)
|
||||
term_list_ptys($1)
|
||||
allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -958,14 +967,18 @@ interface(`userdom_use_sysadm_tty',`
|
|||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_pty',`
|
||||
gen_require(`
|
||||
type sysadm_devpts_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_generic_pty($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_devpts_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
term_list_ptys($1)
|
||||
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
|
||||
dev_list_all_dev_nodes($1)
|
||||
term_list_ptys($1)
|
||||
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -977,14 +990,8 @@ interface(`userdom_use_sysadm_pty',`
|
|||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_terms',`
|
||||
gen_require(`
|
||||
attribute admin_terminal;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
term_list_ptys($1)
|
||||
allow $1 admin_terminal:chr_file rw_term_perms;
|
||||
userdom_use_sysadm_tty($1)
|
||||
userdom_use_sysadm_pty($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -996,12 +1003,16 @@ interface(`userdom_use_sysadm_terms',`
|
|||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_use_sysadm_terms',`
|
||||
gen_require(`
|
||||
attribute admin_terminal;
|
||||
class chr_file { read write };
|
||||
')
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_pty($1)
|
||||
',`
|
||||
gen_require(`
|
||||
attribute admin_terminal;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 admin_terminal:chr_file { read write };
|
||||
dontaudit $1 admin_terminal:chr_file { read write };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1013,12 +1024,17 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
|
|||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_fd',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
class fd use;
|
||||
')
|
||||
ifdef(`targeted_policy',`
|
||||
#cjp: need to doublecheck this one
|
||||
unconfined_use_fd($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
allow $1 sysadm_t:fd use;
|
||||
allow $1 sysadm_t:fd use;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1030,12 +1046,17 @@ interface(`userdom_use_sysadm_fd',`
|
|||
## </param>
|
||||
#
|
||||
interface(`userdom_rw_sysadm_pipe',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
class fd use;
|
||||
')
|
||||
ifdef(`targeted_policy',`
|
||||
#cjp: need to doublecheck this one
|
||||
unconfined_rw_pipe($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 sysadm_t:fd use;
|
||||
allow $1 sysadm_t:fifo_file rw_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1217,3 +1238,21 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
|
|||
|
||||
dontaudit $1 user_ttynode:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_unconfined',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
class dir create_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_t:dir create_dir_perms;
|
||||
files_create_home_dirs($1,user_home_dir_t)
|
||||
')
|
||||
|
|
|
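Review bot: Under `ifdef(`targeted_policy',` the interfaces `userdom_shell_domtrans_sysadm`, `userdom_use_sysadm_fd` and `userdom_rw_sysadm_pipe` now resolve to `unconfined_domtrans_shell($1)`, `unconfined_use_fd($1)` and `unconfined_rw_pipe($1)`, so a caller asking for sysadm access actually gets a shell transition into, or fd and pipe access with, the fully unconfined domain; the `#cjp: need to doublecheck this one` markers acknowledge this, but each interface's `<summary>` (outside the hunks) should state that in targeted policy the sysadm role is backed by unconfined_t. In `userdom_use_sysadm_terms` the old rule on the `admin_terminal` attribute is replaced by calls that grant only sysadm_tty_device_t and sysadm_devpts_t, while the strict branch of `userdom_dontaudit_use_sysadm_terms` still uses `admin_terminal`, so allow and dontaudit no longer cover the same set; if admin_terminal is wider than those two types this silently narrows the grant and deserves a comment. The new `userdom_unconfined` is summarized as "Unconfined access to user domains" but only grants home-directory creation; `## Allow the domain to create user home directories.` would describe what the body does.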
@ -32,16 +32,11 @@ attribute userdomain;
|
|||
# unprivileged user domains
|
||||
attribute unpriv_userdomain;
|
||||
|
||||
admin_user_template(sysadm)
|
||||
unpriv_user_template(staff)
|
||||
unpriv_user_template(user)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
# user role change rules:
|
||||
define(`role_change',`
|
||||
allow $1_r $2_r;
|
||||
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
|
||||
|
@ -50,102 +45,129 @@ define(`role_change',`
|
|||
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
|
||||
')
|
||||
|
||||
# sysadm_r can change to user roles
|
||||
role_change(sysadm, user)
|
||||
role_change(sysadm, staff)
|
||||
ifdef(`targeted_policy',`
|
||||
# User home directory type.
|
||||
type user_home_t alias { staff_home_t sysadm_home_t}, home_type;
|
||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type;
|
||||
|
||||
# only staff_r can change to sysadm_r
|
||||
role_change(staff, sysadm)
|
||||
unconfined_role(user_r)
|
||||
unconfined_role(sysadm_r)
|
||||
|
||||
# this should be tunable_policy, but
|
||||
# currently type_change and RBAC allow
|
||||
# do not work in conditionals
|
||||
ifdef(`user_canbe_sysadm',`
|
||||
role_change(user,sysadm)
|
||||
')
|
||||
# dont need to use the full role_change()
|
||||
allow sysadm_r system_r;
|
||||
allow user_r system_r;
|
||||
allow user_r sysadm_r;
|
||||
allow system_r sysadm_r;
|
||||
allow system_r sysadm_r;
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow privhome home_root_t:dir { getattr search };
|
||||
ifdef(`TODO',`
|
||||
allow privhome home_root_t:dir { getattr search };
|
||||
file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
|
||||
')
|
||||
',`
|
||||
admin_user_template(sysadm)
|
||||
unpriv_user_template(staff)
|
||||
unpriv_user_template(user)
|
||||
|
||||
# Add/remove user home directories
|
||||
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
||||
')
|
||||
# user role change rules:
|
||||
# sysadm_r can change to user roles
|
||||
role_change(sysadm, user)
|
||||
role_change(sysadm, staff)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Sysadm local policy
|
||||
#
|
||||
# only staff_r can change to sysadm_r
|
||||
role_change(staff, sysadm)
|
||||
|
||||
# for su
|
||||
allow sysadm_t userdomain:fd use;
|
||||
# this should be tunable_policy, but
|
||||
# currently type_change and RBAC allow
|
||||
# do not work in conditionals
|
||||
ifdef(`user_canbe_sysadm',`
|
||||
role_change(user,sysadm)
|
||||
')
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
ifdef(`TODO',`
|
||||
allow privhome home_root_t:dir { getattr search };
|
||||
')
|
||||
|
||||
optional_policy(`clock.te',`
|
||||
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
########################################
|
||||
#
|
||||
# Sysadm local policy
|
||||
#
|
||||
|
||||
optional_policy(`fstools.te',`
|
||||
fstools_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
# for su
|
||||
allow sysadm_t userdomain:fd use;
|
||||
|
||||
optional_policy(`hostname.te',`
|
||||
hostname_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
# Add/remove user home directories
|
||||
allow sysadm_t user_home_dir_t:dir create_dir_perms;
|
||||
files_create_home_dirs(sysadm_t,user_home_dir_t)
|
||||
|
||||
optional_policy(`iptables.te',`
|
||||
iptables_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`libraries.te',`
|
||||
libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
optional_policy(`clock.te',`
|
||||
clock_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`lvm.te',`
|
||||
lvm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
optional_policy(`fstools.te',`
|
||||
fstools_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`modutils.te',`
|
||||
modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
|
||||
modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
|
||||
modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
optional_policy(`hostname.te',`
|
||||
hostname_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate.te',`
|
||||
logrotate_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
optional_policy(`iptables.te',`
|
||||
iptables_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
optional_policy(`libraries.te',`
|
||||
libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`netutils.te',`
|
||||
netutils_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
|
||||
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
optional_policy(`lvm.te',`
|
||||
lvm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
optional_policy(`modutils.te',`
|
||||
modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
|
||||
modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
|
||||
modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
||||
optional_policy(`targeted_policy',`',`
|
||||
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
|
||||
optional_policy(`logrotate.te',`
|
||||
logrotate_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`netutils.te',`
|
||||
netutils_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
|
||||
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
||||
optional_policy(`targeted_policy',`',`
|
||||
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
|
||||
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
|
||||
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
|
|
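Review bot: The targeted branch adds `allow user_r sysadm_r;` and `allow system_r sysadm_r;` as bare role allows, and with `unconfined_role(user_r)` and `unconfined_role(sysadm_r)` every role can reach unconfined_t, so roles stop being a separation boundary in this configuration; the comment `# dont need to use the full role_change()` says what is skipped but not why, and something like `# targeted: all roles map to unconfined_t, so the type_change and devpts rules of role_change() have no effect here` would record it. Now that the sysadm block sits inside the strict branch of `ifdef(`targeted_policy',`, the inner `optional_policy(`targeted_policy',`',` wrapper around `seutil_run_runinit` is redundant and uses a different mechanism; drop the wrapper and call `seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)` directly. The declaration `type user_home_t alias { staff_home_t sysadm_home_t}, home_type;` is missing the space before the closing brace used on the following line.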
@ -24,7 +24,11 @@ gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
|
|||
# SELinux user identity for a Linux user. If you do not want to
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
|
||||
',`
|
||||
gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
|
||||
')
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
|
@ -33,4 +37,8 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
|
|||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
|
||||
',`
|
||||
gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
|
||||
')
|
||||
|
|
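Review bot: The context comment above the second hunk (`# role should use the staff_r role instead of the user_r role when` / `# not in the sysadm_r.`) no longer describes the targeted branch, where root is declared with `user_r sysadm_r system_r` and staff_r does not appear at all. Since `gen_user(user_u, user_r sysadm_r system_r, ...)` in the first hunk grants the generic Linux user the same three roles, a comment on both targeted branches such as `# targeted: every user holds user_r, sysadm_r and system_r; role membership does not separate users in this policy` would keep the file's prose in step with the rules. The strict branches are unchanged from the previous declarations, so the comment applies to the targeted case only.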