This commit is contained in:
Chris PeBenito 2005-06-09 18:08:26 +00:00
parent 7591e83cba
commit cc41a97c99
11 changed files with 270 additions and 306 deletions


@ -44,7 +44,7 @@ define(`gpg_per_userdomain_template',`
# transition from the userdomain to the derived domain
allow $1_t $1_gpg_t:process transition;
allow $1_t gpg_exec_t:file { getattr read execute };
allow $1_t gpg_exec_t:file rx_file_perms;
type_transition $1_t gpg_exec_t:process $1_gpg_t;
dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
@ -58,12 +58,12 @@ define(`gpg_per_userdomain_template',`
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap };
allow $1_gpg_t self:fifo_file { getattr read write };
allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow $1_gpg_t self:fifo_file rw_file_perms;
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
@ -159,7 +159,7 @@ define(`gpg_per_userdomain_template',`
# transition from the gpg domain to the helper domain
allow $1_gpg_t $1_gpg_helper_t:process transition;
allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms;
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
@ -168,10 +168,10 @@ define(`gpg_per_userdomain_template',`
allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
allow $1_gpg_helper_t $1_gpg_t:process sigchld;
allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
@ -224,12 +224,12 @@ define(`gpg_per_userdomain_template',`
# rlimit: gpg-agent wants to prevent coredumps
allow $1_gpg_agent_t self:process setrlimit;
allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow $1_gpg_agent_t self:fifo_file { getattr read write };
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow $1_gpg_agent_t self:fifo_file rw_file_perms;
allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
@ -256,7 +256,7 @@ define(`gpg_per_userdomain_template',`
allow $1_gpg_agent_t proc_t:dir search;
allow $1_gpg_agent_t proc_t:lnk_file read;
allow $1_gpg_agent_t device_t:dir { getattr read };
allow $1_gpg_agent_t device_t:dir r_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
@ -282,7 +282,7 @@ define(`gpg_per_userdomain_template',`
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms;
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
@ -292,7 +292,7 @@ define(`gpg_per_userdomain_template',`
allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
# read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t)
@ -322,21 +322,21 @@ define(`gpg_per_userdomain_template',`
# for .Xauthority
allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
allow $1_gpg_pinentry_t $1_home_t:file r_file_perms;
# wants to put some lock files into the user home dir, seems to work fine without
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
if (use_nfs_home_dirs) {
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
allow $1_gpg_pinentry_t nfs_t:file { getattr read };
allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
dontaudit $1_gpg_pinentry_t nfs_t:file write;
}
if (use_samba_home_dirs) {
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
allow $1_gpg_pinentry_t cifs_t:file { getattr read };
allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
dontaudit $1_gpg_pinentry_t cifs_t:file write;
}
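Review bot: `allow $1_gpg_agent_t device_t:dir r_file_perms;` applies a file permission set to a `dir` object, while every other directory rule in this commit uses `r_dir_perms` or `rw_dir_perms`; `allow $1_gpg_agent_t device_t:dir r_dir_perms;` keeps class and set matched, and if `r_dir_perms` includes `search` as its name suggests it also grants an access the replaced `{ getattr read }` line did not, which is worth confirming is intended for gpg-agent on /dev. The helper rules `allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };` and their `udp_socket` twin (and `allow syslogd_t self:udp_socket { connected_socket_perms connect };` in logging.te) rebuild the old full set by adding `connect` back to the connected set; if `connected_socket_perms` is the create-socket set minus `connect`, as its use here implies, `create_socket_perms` states the same thing directly, as the agent and gpg rules in this same file already do. `allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;` also carries a stray space before the semicolon. The enclosing `gpg_per_userdomain_template` definition begins and ends outside these hunks.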


@ -10,9 +10,6 @@
## Gives kernel an entrypoint to the caller via
## the entrypoint type.
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
## The process type entered by kernel.
## </parameter>
@ -47,10 +44,6 @@ define(`kernel_make_userland_entrypoint_depend',`
## Allows the kernel to share state information with
## the caller.
## </description>
## <securitydesc>
## Gives a type access to state information about
## kernel processes
## </securitydesc>
## <parameter name="domain">
## The type of the process with which to share state information.
## </parameter>
@ -73,9 +66,6 @@ define(`kernel_share_state_depend',`
## <description>
## Permits caller to use kernel file descriptors.
## </description>
## <securitydesc>
## Permits use of kernel file descriptors.
## </securitydesc>
## <parameter name="domain">
## The type of the process using the descriptors.
## </parameter>
@ -99,10 +89,6 @@ define(`kernel_use_file_descriptors_depend',`
## Do not audit attempts by the caller to use
## kernel file descriptors.
## </description>
## <securitydesc>
## Causes attempts to use kernel file descriptors
## to not be audited for caller.
## </securitydesc>
## <parameter name="domain">
## The type of process not to audit.
## </parameter>
@ -126,10 +112,6 @@ define(`kernel_ignore_use_file_descriptors_depend',`
## Allows the kernel to mount filesystems on
## the caller.
## </description>
## <securitydesc>
## Givers kernel permission to mount on directories
## of the calling type.
## </securitydesc>
## <parameter name="mountpoint">
## The type of the directory to use as a mountpoint.
## </parameter>
@ -153,9 +135,6 @@ define(`kernel_make_root_fs_mountpoint_depend',`
## Makes caller an exception to the constraint preventing
## changing of user identity.
## </description>
## <securitydesc>
## Allows changing of user identity in context of the calling process.
## </securitydesc>
## <parameter name="domain">
## The process type to make an exception to the constraint.
## </parameter>
@ -177,9 +156,6 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
## Makes caller an exception to the constraint preventing
## changing of role.
## </description>
## <securitydesc>
## Allows changing of role in the context of the calling process.
## </securitydesc>
## <parameter name="domain">
## The process type to make an exception to the constraint.
## </parameter>
@ -201,9 +177,6 @@ define(`kernel_make_role_change_constraint_exception_depend',`
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
## </description>
## <securitydesc>
## Allows caller to change user identities on objects
## </securitydesc>
## <parameter name="domain">
## The process type to make an exception to the constraint.
## </parameter>
@ -225,9 +198,6 @@ define(`kernel_make_object_identity_change_constraint_exception_depend',`
## <description>
## Allows caller to load kernel modules
## </description>
## <securitydesc>
## Allows loading of kernel modules.
## </securitydesc>
## <parameter name="domain">
## The process type to allow to load kernel modules.
## </parameter>
@ -253,9 +223,6 @@ define(`kernel_load_module_depend',`
## Allows the caller to get the mode of policy enforcement
## (enforcing or permissive mode).
## </description>
## <securitydesc>
## Gives caller access to system state data.
## </securitydesc>
## <parameter name="domain">
## The process type to allow to get the enforcing mode.
## </parameter>
@ -281,9 +248,6 @@ define(`kernel_get_selinux_enforcement_mode_depend',`
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
## </description>
## <securitydesc>
## Caller becomes able to disable enforcement of policy.
## </securitydesc>
## <parameter name="domain">
## The process type to allow to set the enforcement mode.
## </parameter>


@ -46,13 +46,13 @@ define(`logging_send_system_log_message',`
requires_block_template(`$0'_depend)
allow $1 devlog_t:lnk_file read;
allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
allow $1 devlog_t:sock_file rw_file_perms;
# the type of socket depends on the syslog daemon
allow $1 syslogd_t:unix_dgram_socket sendto;
allow $1 syslogd_t:unix_stream_socket connectto;
allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_socket_perms;
# cjp: this should most likely be removed:
terminal_use_console($1)
@ -61,9 +61,9 @@ define(`logging_send_system_log_message',`
define(`logging_send_system_log_message_depend',`
type syslogd_t, devlog_t;
class sock_file { ioctl read getattr lock write append };
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
class sock_file rw_file_perms;
class unix_dgram_socket { create_socket_perms sendto };
class unix_stream_socket { create_socket_perms connectto };
')
########################################
@ -115,7 +115,7 @@ define(`logging_append_all_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
allow $1 var_log_t:dir { getattr search read };
allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file { getattr append };
')
@ -124,7 +124,7 @@ define(`logging_append_all_logs_depend',`
type var_log_t;
class dir { getattr search read };
class dir r_dir_perms;
class file { getattr append };
')
@ -136,8 +136,8 @@ define(`logging_read_all_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
allow $1 var_log_t:dir { getattr search read };
allow $1 logfile:file { getattr read };
allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file r_file_perms;
')
define(`logging_read_all_logs_depend',`
@ -145,8 +145,8 @@ define(`logging_read_all_logs_depend',`
type var_log_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
#######################################
@ -157,15 +157,15 @@ define(`logging_read_system_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
allow $1 var_log_t:dir { getattr search read };
allow $1 var_log_t:file { getattr read };
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file r_file_perms;
')
define(`logging_read_system_logs_depend',`
type var_log_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
#######################################
@ -176,14 +176,14 @@ define(`logging_write_system_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
allow $1 var_log_t:dir { getattr search read };
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file { getattr write };
')
define(`logging_write_system_logs_depend',`
type var_log_t;
class dir { getattr search read };
class dir r_dir_perms;
class file { getattr write };
')
@ -195,15 +195,15 @@ define(`logging_modify_system_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
allow $1 var_log_t:dir { getattr search read };
allow $1 var_log_t:file { getattr read write append };
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file rw_file_perms;
')
define(`logging_modify_system_logs_depend',`
type var_log_t;
class dir { getattr search read };
class file { getattr read write append };
class dir r_dir_perms;
class file rw_file_perms;
')
## </module>


@ -53,9 +53,9 @@ allow auditd_t self:capability { audit_write audit_control };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow auditd_t auditd_log_t:file create_file_perms;
allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
allow auditd_t auditd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
@ -158,11 +158,11 @@ dontaudit syslogd_t self:capability sys_tty_config;
allow syslogd_t self:process signal_perms;
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file { getattr read write ioctl lock };
allow syslogd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket { connected_socket_perms connect };
# create/append log files.
allow syslogd_t var_log_t:dir rw_dir_perms;
@ -176,14 +176,14 @@ allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow syslogd_t devlog_t:sock_file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
# I belive these are not needed:
allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# manage pid file
allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
kernel_read_hardware_state(syslogd_t)
@ -234,7 +234,7 @@ files_ignore_search_isid_type_dir(syslogd_t)
#dontaudit syslogd_t unlabeled_t:file read;
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
allow syslogd_t self:capability net_admin;
allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`klogd.te', `', `
# Allow access to /proc/kmsg for syslog-ng


@ -14,7 +14,7 @@
define(`mount_transition',`
requires_block_template(`$0'_depend)
allow $1 mount_exec_t:file { getattr read execute };
allow $1 mount_exec_t:file rx_file_perms;
allow $1 mount_t:process transition;
type_transition $1 mount_exec_t:process mount_t;
dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
@ -28,7 +28,7 @@ define(`mount_transition',`
define(`mount_transition_depend',`
type mount_t, mount_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -57,13 +57,13 @@ define(`mount_transition_add_role_use_terminal',`
mount_transition($1)
role $2 types mount_t;
allow mount_t $3:chr_file { getattr read write ioctl };
allow mount_t $3:chr_file rw_file_perms;
')
define(`mount_transition_add_role_use_terminal_depend',`
type mount_t;
class chr_file { getattr read write ioctl };
class chr_file rw_file_perms;
')
########################################
@ -102,13 +102,13 @@ define(`mount_use_file_descriptors_depend',`
define(`mount_send_nfs_client_request',`
requires_block_template(`$0'_depend)
allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
allow $1 mount_t:udp_socket rw_socket_perms;
')
define(`mount_send_nfs_client_request_depend',`
type mount_t;
class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
class udp_socket rw_socket_perms;
')
## </module>


@ -14,8 +14,8 @@ files_make_temporary_file(mount_tmp_t)
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown };
allow mount_t mount_tmp_t:file { getattr create read setattr write setattr unlink };
allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
kernel_read_system_state(mount_t)
kernel_ignore_use_file_descriptors(mount_t)
@ -113,7 +113,7 @@ files_make_mountpoint(var_lib_nfs_t)
# TODO: Probably need a macro for reading/unlinking files
# for when /etc/mtab loses its type
allow mount_t file_t:file { getattr read unlink };
allow mount_t file_t:file { r_file_perms unlink };
ifdef(`gnome-pty-helper.te', `
allow mount_t sysadm_gph_t:fd use;


@ -14,7 +14,7 @@
define(`selinux_checkpolicy_transition',`
requires_block_template(`$0'_depend)
allow $1 checkpolicy_exec_t:file { getattr read execute };
allow $1 checkpolicy_exec_t:file rx_file_perms;
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
@ -28,7 +28,7 @@ define(`selinux_checkpolicy_transition',`
define(`selinux_checkpolicy_transition_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file { getattr read execute };
class file rx_file_perms
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -74,13 +74,13 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
define(`selinux_checkpolicy_execute',`
requires_block_template(`$0'_depend)
allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,checkpolicy_exec_t)
')
define(`selinux_checkpolicy_execute_depend',`
type checkpolicy_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
#######################################
@ -96,7 +96,7 @@ define(`selinux_checkpolicy_execute_depend',`
define(`selinux_load_policy_transition',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file { getattr read execute };
allow $1 load_policy_exec_t:file rx_file_perms;
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
@ -110,7 +110,7 @@ define(`selinux_load_policy_transition',`
define(`selinux_load_policy_transition_depend',`
type load_policy_t, load_policy_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -156,13 +156,13 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
define(`selinux_load_policy_execute',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,load_policy_exec_t)
')
define(`selinux_load_policy_execute_depend',`
type load_policy_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
#######################################
@ -172,13 +172,13 @@ define(`selinux_load_policy_execute_depend',`
define(`selinux_read_load_policy_binary',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file { getattr read };
allow $1 load_policy_exec_t:file r_file_perms;
')
define(`selinux_read_load_policy_binary_depend',`
type load_policy_exec_t;
class file { getattr read };
class file r_file_perms
')
#######################################
@ -194,7 +194,7 @@ define(`selinux_read_load_policy_binary_depend',`
define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend)
allow $1 newrole_exec_t:file { getattr read execute };
allow $1 newrole_exec_t:file rx_file_perms;
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
@ -208,7 +208,7 @@ define(`selinux_newrole_transition',`
define(`selinux_newrole_transition_depend',`
type newrole_t, newrole_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -253,13 +253,13 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
define(`selinux_newrole_execute',`
requires_block_template(`$0'_depend)
allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,newrole_exec_t)
')
define(`selinux_newrole_execute_depend',`
type newrole_t, newrole_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
########################################
@ -330,7 +330,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
define(`selinux_restorecon_transition',`
requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file { getattr read execute };
allow $1 restorecon_exec_t:file rx_file_perms;
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
@ -344,7 +344,7 @@ define(`selinux_restorecon_transition',`
define(`selinux_restorecon_transition_depend',`
type restorecon_t, restorecon_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -388,13 +388,13 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
#
define(`selinux_restorecon_execute',`
requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,restorecon_exec_t)
')
define(`selinux_restorecon_execute_depend',`
type restorecon_t, restorecon_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
########################################
@ -410,7 +410,7 @@ define(`selinux_restorecon_execute_depend',`
define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_exec_t:file rx_file_perms;
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
@ -424,7 +424,7 @@ define(`selinux_run_init_transition',`
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -491,7 +491,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
define(`selinux_setfiles_transition',`
requires_block_template(`$0'_depend)
allow $1 setfiles_exec_t:file { getattr read execute };
allow $1 setfiles_exec_t:file rx_file_perms;
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
@ -505,7 +505,7 @@ define(`selinux_setfiles_transition',`
define(`selinux_setfiles_transition_depend',`
type setfiles_t, setfiles_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -550,13 +550,13 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
define(`selinux_setfiles_execute',`
requires_block_template(`$0'_depend)
allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,setfiles_exec_t)
')
define(`selinux_setfiles_execute_depend',`
type setfiles_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
########################################
@ -566,15 +566,15 @@ define(`selinux_setfiles_execute_depend',`
define(`selinux_read_config',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir { getattr search read };
allow $1 selinux_config_t:file { getattr read };
allow $1 selinux_config_t:dir r_dir_perms;
allow $1 selinux_config_t:file r_file_perms;
')
define(`selinux_read_config_depend',`
type selinux_config_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -585,15 +585,15 @@ define(`selinux_read_default_contexts',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir search;
allow $1 default_context_t:dir { getattr search read };
allow $1 default_context_t:file { getattr read };
allow $1 default_context_t:dir r_dir_perms;
allow $1 default_context_t:file r_file_perms;
')
define(`selinux_read_default_contexts_depend',`
type selinux_config_t, default_context_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -604,15 +604,15 @@ define(`selinux_read_file_contexts',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir search;
allow $1 file_context_t:dir { getattr search read };
allow $1 file_context_t:file { getattr read };
allow $1 file_context_t:dir r_dir_perms;
allow $1 file_context_t:file r_file_perms;
')
define(`selinux_read_file_contexts_depend',`
type selinux_config_t, file_context_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -622,15 +622,15 @@ define(`selinux_read_file_contexts_depend',`
define(`selinux_read_binary_policy',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir { getattr search read };
allow $1 policy_config_t:file { getattr read };
allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file r_file_perms;
')
define(`selinux_read_binary_policy_depend',`
type policy_config_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -640,7 +640,7 @@ define(`selinux_read_binary_policy_depend',`
define(`selinux_write_binary_policy',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
allow $1 policy_config_t:dir rw_dir_perms;
allow $1 policy_config_t:file { getattr create write unlink };
typeattribute $1 can_write_binary_policy;
')
@ -650,7 +650,7 @@ define(`selinux_write_binary_policy_depend',`
type policy_config_t;
class dir { getattr search read write add_name remove_name };
class dir rw_dir_perms;
class file { getattr create write unlink };
')
@ -688,8 +688,8 @@ define(`selinux_manage_binary_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
allow $1 policy_config_t:dir { getattr search read };
allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file create_file_perms;
typeattribute $1 can_write_binary_policy;
')
@ -697,8 +697,8 @@ define(`selinux_manage_binary_policy_depend',`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
class file { create ioctl read getattr lock write setattr append link unlink rename };
class dir create_dir_perms;
class file create_file_perms;
')
########################################
@ -710,15 +710,15 @@ define(`selinux_read_source_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
allow $1 policy_src_t:dir { getattr search read };
allow $1 policy_src_t:file { getattr read };
allow $1 policy_src_t:dir r_dir_perms;
allow $1 policy_src_t:file r_file_perms;
')
define(`selinux_read_source_policy_depend',`
type selinux_config_t, policy_src_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -730,15 +730,15 @@ define(`selinux_manage_source_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1 policy_src_t:dir create_dir_perms;
allow $1 policy_src_t:file create_file_perms;
')
define(`selinux_manage_source_policy_depend',`
type selinux_config_t, policy_src_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
class file { create ioctl read getattr lock write setattr append link unlink rename };
class dir create_dir_perms;
class file create_file_perms;
')
## </module>
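Review bot: `class file rx_file_perms` in `selinux_checkpolicy_transition_depend` and `class file r_file_perms` in `selinux_read_load_policy_binary_depend` drop the terminating semicolon that the lines they replace carried (`class file { getattr read execute };`, `class file { getattr read };`), so once the depend block is expanded the following statement runs straight into them; every sibling line in this file ends with `;`, e.g. `class file rx_file_perms;` in `selinux_load_policy_transition_depend`. Change them to `class file rx_file_perms;` and `class file r_file_perms;`. Separately, the untouched context line `class process { transition noatsecure siginh rlimitinh sigchld sigchld };` in the checkpolicy depend block lists `sigchld` twice, which is harmless but worth trimming while the block is being edited.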


@ -98,17 +98,17 @@ domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
allow checkpolicy_t self:capability dac_override;
# able to create and modify binary policy files
allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
allow checkpolicy_t policy_config_t:file create_file_perms;
# allow test policies to be created in src directories
allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
allow checkpolicy_t policy_src_t:dir rw_dir_perms;
type_transition checkpolicy_t policy_src_t:file policy_config_t;
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir { getattr search read };
allow checkpolicy_t policy_src_t:file { getattr read ioctl };
allow checkpolicy_t policy_src_t:lnk_file { getattr read };
allow checkpolicy_t policy_src_t:dir r_dir_perms;
allow checkpolicy_t policy_src_t:file r_file_perms;
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
allow checkpolicy_t selinux_config_t:dir search;
fs_get_persistent_fs_attributes(checkpolicy_t)
@ -142,12 +142,12 @@ allow load_policy_t self:capability dac_override;
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
allow load_policy_t policy_config_t:dir { getattr search read };
allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
allow load_policy_t policy_config_t:dir r_dir_perms;
allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
allow load_policy_t selinux_config_t:dir { getattr read search };
allow load_policy_t selinux_config_t:file { read getattr };
allow load_policy_t selinux_config_t:lnk_file { getattr read };
allow load_policy_t selinux_config_t:dir r_dir_perms;
allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
kernel_get_selinuxfs_mount_point(load_policy_t)
kernel_load_selinux_policy(load_policy_t)
@ -182,17 +182,17 @@ allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
allow newrole_t self:fifo_file { read getattr lock ioctl write append };
allow newrole_t self:fifo_file rw_file_perms;
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket connectto;
allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t)
@ -274,9 +274,9 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
allow restorecon_t self:capability { dac_override dac_read_search fowner };
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_use_file_descriptors(restorecon_t)
kernel_read_system_state(restorecon_t)
@ -353,7 +353,7 @@ ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file { getattr read write };
allow run_init_t self:fifo_file rw_file_perms;
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@ -408,9 +408,9 @@ ifdef(`distro_gentoo', `
allow setfiles_t self:capability { dac_override dac_read_search fowner };
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t)
kernel_get_selinuxfs_mount_point(setfiles_t)
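Review bot: `allow checkpolicy_t policy_src_t:dir r_dir_perms;` under the comment `# only allow read of policy source files` is now entirely subsumed by `allow checkpolicy_t policy_src_t:dir rw_dir_perms;` a few lines earlier in the same hunk, so the comment promises a restriction the rules do not impose; either drop the redundant line or reword the comment to `# source files themselves are read-only; the directory is writable so test policies can be built there`. Several of the macro substitutions in this section also grant a little more than the sets they replace — `run_init_t self:fifo_file rw_file_perms` stands in for `{ getattr read write }`, and `r_file_perms` on policy_src_t files and symlinks stands in for `{ getattr read }` — presumably adding ioctl/lock/append, which looks harmless here but is a policy change rather than a pure refactor and deserves a sentence in the commit description. The same hunks are printed again in the second copy of this file further down the page, so the note applies there too.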


@ -14,7 +14,7 @@
define(`selinux_checkpolicy_transition',`
requires_block_template(`$0'_depend)
allow $1 checkpolicy_exec_t:file { getattr read execute };
allow $1 checkpolicy_exec_t:file rx_file_perms;
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
@ -28,7 +28,7 @@ define(`selinux_checkpolicy_transition',`
define(`selinux_checkpolicy_transition_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file { getattr read execute };
class file rx_file_perms
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -74,13 +74,13 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
define(`selinux_checkpolicy_execute',`
requires_block_template(`$0'_depend)
allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,checkpolicy_exec_t)
')
define(`selinux_checkpolicy_execute_depend',`
type checkpolicy_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
#######################################
@ -96,7 +96,7 @@ define(`selinux_checkpolicy_execute_depend',`
define(`selinux_load_policy_transition',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file { getattr read execute };
allow $1 load_policy_exec_t:file rx_file_perms;
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
@ -110,7 +110,7 @@ define(`selinux_load_policy_transition',`
define(`selinux_load_policy_transition_depend',`
type load_policy_t, load_policy_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -156,13 +156,13 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
define(`selinux_load_policy_execute',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,load_policy_exec_t)
')
define(`selinux_load_policy_execute_depend',`
type load_policy_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
#######################################
@ -172,13 +172,13 @@ define(`selinux_load_policy_execute_depend',`
define(`selinux_read_load_policy_binary',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file { getattr read };
allow $1 load_policy_exec_t:file r_file_perms;
')
define(`selinux_read_load_policy_binary_depend',`
type load_policy_exec_t;
class file { getattr read };
class file r_file_perms
')
#######################################
@ -194,7 +194,7 @@ define(`selinux_read_load_policy_binary_depend',`
define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend)
allow $1 newrole_exec_t:file { getattr read execute };
allow $1 newrole_exec_t:file rx_file_perms;
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
@ -208,7 +208,7 @@ define(`selinux_newrole_transition',`
define(`selinux_newrole_transition_depend',`
type newrole_t, newrole_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -253,13 +253,13 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
define(`selinux_newrole_execute',`
requires_block_template(`$0'_depend)
allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,newrole_exec_t)
')
define(`selinux_newrole_execute_depend',`
type newrole_t, newrole_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
########################################
@ -330,7 +330,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
define(`selinux_restorecon_transition',`
requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file { getattr read execute };
allow $1 restorecon_exec_t:file rx_file_perms;
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
@ -344,7 +344,7 @@ define(`selinux_restorecon_transition',`
define(`selinux_restorecon_transition_depend',`
type restorecon_t, restorecon_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -388,13 +388,13 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
#
define(`selinux_restorecon_execute',`
requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,restorecon_exec_t)
')
define(`selinux_restorecon_execute_depend',`
type restorecon_t, restorecon_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
########################################
@ -410,7 +410,7 @@ define(`selinux_restorecon_execute_depend',`
define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_exec_t:file rx_file_perms;
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
@ -424,7 +424,7 @@ define(`selinux_run_init_transition',`
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -491,7 +491,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
define(`selinux_setfiles_transition',`
requires_block_template(`$0'_depend)
allow $1 setfiles_exec_t:file { getattr read execute };
allow $1 setfiles_exec_t:file rx_file_perms;
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
@ -505,7 +505,7 @@ define(`selinux_setfiles_transition',`
define(`selinux_setfiles_transition_depend',`
type setfiles_t, setfiles_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -550,13 +550,13 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
define(`selinux_setfiles_execute',`
requires_block_template(`$0'_depend)
allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,setfiles_exec_t)
')
define(`selinux_setfiles_execute_depend',`
type setfiles_exec_t;
class file { getattr read execute execute_no_trans };
class file { rx_file_perms execute_no_trans };
')
########################################
@ -566,15 +566,15 @@ define(`selinux_setfiles_execute_depend',`
define(`selinux_read_config',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir { getattr search read };
allow $1 selinux_config_t:file { getattr read };
allow $1 selinux_config_t:dir r_dir_perms;
allow $1 selinux_config_t:file r_file_perms;
')
define(`selinux_read_config_depend',`
type selinux_config_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -585,15 +585,15 @@ define(`selinux_read_default_contexts',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir search;
allow $1 default_context_t:dir { getattr search read };
allow $1 default_context_t:file { getattr read };
allow $1 default_context_t:dir r_dir_perms;
allow $1 default_context_t:file r_file_perms;
')
define(`selinux_read_default_contexts_depend',`
type selinux_config_t, default_context_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -604,15 +604,15 @@ define(`selinux_read_file_contexts',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir search;
allow $1 file_context_t:dir { getattr search read };
allow $1 file_context_t:file { getattr read };
allow $1 file_context_t:dir r_dir_perms;
allow $1 file_context_t:file r_file_perms;
')
define(`selinux_read_file_contexts_depend',`
type selinux_config_t, file_context_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -622,15 +622,15 @@ define(`selinux_read_file_contexts_depend',`
define(`selinux_read_binary_policy',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir { getattr search read };
allow $1 policy_config_t:file { getattr read };
allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file r_file_perms;
')
define(`selinux_read_binary_policy_depend',`
type policy_config_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -640,7 +640,7 @@ define(`selinux_read_binary_policy_depend',`
define(`selinux_write_binary_policy',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
allow $1 policy_config_t:dir rw_dir_perms;
allow $1 policy_config_t:file { getattr create write unlink };
typeattribute $1 can_write_binary_policy;
')
@ -650,7 +650,7 @@ define(`selinux_write_binary_policy_depend',`
type policy_config_t;
class dir { getattr search read write add_name remove_name };
class dir rw_dir_perms;
class file { getattr create write unlink };
')
@ -688,8 +688,8 @@ define(`selinux_manage_binary_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
allow $1 policy_config_t:dir { getattr search read };
allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file create_file_perms;
typeattribute $1 can_write_binary_policy;
')
@ -697,8 +697,8 @@ define(`selinux_manage_binary_policy_depend',`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
class file { create ioctl read getattr lock write setattr append link unlink rename };
class dir create_dir_perms;
class file create_file_perms;
')
########################################
@ -710,15 +710,15 @@ define(`selinux_read_source_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
allow $1 policy_src_t:dir { getattr search read };
allow $1 policy_src_t:file { getattr read };
allow $1 policy_src_t:dir r_dir_perms;
allow $1 policy_src_t:file r_file_perms;
')
define(`selinux_read_source_policy_depend',`
type selinux_config_t, policy_src_t;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################
@ -730,15 +730,15 @@ define(`selinux_manage_source_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1 policy_src_t:dir create_dir_perms;
allow $1 policy_src_t:file create_file_perms;
')
define(`selinux_manage_source_policy_depend',`
type selinux_config_t, policy_src_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
class file { create ioctl read getattr lock write setattr append link unlink rename };
class dir create_dir_perms;
class file create_file_perms;
')
## </module>
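Review bot: `class file rx_file_perms` in selinux_checkpolicy_transition_depend and `class file r_file_perms` in selinux_read_load_policy_binary_depend are missing the trailing semicolon that every other rewritten `class` line in this file carries (compare `class file rx_file_perms;` in selinux_load_policy_transition_depend); once `requires_block_template(`$0'_depend)` expands these into a requires block that is a syntax error, not a policy difference. Change them to `class file rx_file_perms;` and `class file r_file_perms;`. The `_execute` macros now delegate to `can_exec($1,…)` while their depend blocks still spell out `class file { rx_file_perms execute_no_trans };`; that coupling is no longer visible from the macro body, so a comment such as `# must match the permissions can_exec() grants` on each of those depend lines would keep the two from drifting apart.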


@ -98,17 +98,17 @@ domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
allow checkpolicy_t self:capability dac_override;
# able to create and modify binary policy files
allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
allow checkpolicy_t policy_config_t:file create_file_perms;
# allow test policies to be created in src directories
allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
allow checkpolicy_t policy_src_t:dir rw_dir_perms;
type_transition checkpolicy_t policy_src_t:file policy_config_t;
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir { getattr search read };
allow checkpolicy_t policy_src_t:file { getattr read ioctl };
allow checkpolicy_t policy_src_t:lnk_file { getattr read };
allow checkpolicy_t policy_src_t:dir r_dir_perms;
allow checkpolicy_t policy_src_t:file r_file_perms;
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
allow checkpolicy_t selinux_config_t:dir search;
fs_get_persistent_fs_attributes(checkpolicy_t)
@ -142,12 +142,12 @@ allow load_policy_t self:capability dac_override;
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
allow load_policy_t policy_config_t:dir { getattr search read };
allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
allow load_policy_t policy_config_t:dir r_dir_perms;
allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
allow load_policy_t selinux_config_t:dir { getattr read search };
allow load_policy_t selinux_config_t:file { read getattr };
allow load_policy_t selinux_config_t:lnk_file { getattr read };
allow load_policy_t selinux_config_t:dir r_dir_perms;
allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
kernel_get_selinuxfs_mount_point(load_policy_t)
kernel_load_selinux_policy(load_policy_t)
@ -182,17 +182,17 @@ allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
allow newrole_t self:fifo_file { read getattr lock ioctl write append };
allow newrole_t self:fifo_file rw_file_perms;
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket connectto;
allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t)
@ -274,9 +274,9 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
allow restorecon_t self:capability { dac_override dac_read_search fowner };
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_use_file_descriptors(restorecon_t)
kernel_read_system_state(restorecon_t)
@ -353,7 +353,7 @@ ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file { getattr read write };
allow run_init_t self:fifo_file rw_file_perms;
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@ -408,9 +408,9 @@ ifdef(`distro_gentoo', `
allow setfiles_t self:capability { dac_override dac_read_search fowner };
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t)
kernel_get_selinuxfs_mount_point(setfiles_t)


@ -48,14 +48,14 @@ define(`base_user_domain',`
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow $1_t self:process { ptrace setfscreate };
allow $1_t self:fd use;
allow $1_t self:fifo_file { read getattr lock ioctl write append };
allow $1_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow $1_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket rw_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
allow $1_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow $1_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow $1_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
dontaudit $1_t self:socket create;
# Irrelevant until we have labeled networking.
@ -66,31 +66,31 @@ define(`base_user_domain',`
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
# execute files in the home directory
allow $1_t $1_home_t:file { getattr read execute execute_no_trans };
allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };
# full control of the home directory
allow $1_t $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
allow $1_t $1_home_t:lnk_file { create read getattr setattr link unlink rename relabelfrom relabelto };
allow $1_t $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
allow $1_t $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
allow $1_t $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
allow $1_t $1_home_dir_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
type_transition $1_t $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
allow $1_t $1_home_dir_t:dir create_dir_perms;
type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };
# Bind to a Unix domain socket in /tmp.
# cjp: this is combination is not checked and should be removed
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $1_t $1_tmpfs_t:dir rw_dir_perms;
allow $1_t $1_tmpfs_t:file create_file_perms;
allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
allow $1_t $1_tmpfs_t:sock_file create_file_perms;
allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
fs_create_private_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
allow $1_t unpriv_userdomain:fd use;
@ -223,7 +223,7 @@ define(`base_user_domain',`
dontaudit $1_t usr_t:file setattr;
# Access the power device.
allow $1_t power_device_t:chr_file { getattr read write ioctl };
allow $1_t power_device_t:chr_file rw_file_perms;
# Check to see if cdrom is mounted
allow $1_t mnt_t:dir { getattr search };
@ -272,7 +272,7 @@ define(`base_user_domain',`
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
dontaudit $1_t proc_fs:dir { read search };
allow $1_t autofs_t:dir { search getattr };
allow $1_t autofs_t:dir { getattr search };
can_exec($1_t, { removable_t noexattrfile } )
if (user_rw_noexattrfile) {
@ -320,7 +320,7 @@ define(`base_user_domain',`
# Gnome pannel binds to the following
ifdef(`cups.te', `
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
')
# Connect to inetd.
@ -350,13 +350,13 @@ define(`base_user_domain',`
can_unix_connect($1_t, xdm_t)
allow $1_t xdm_tmp_t:sock_file rw_file_perms;
allow $1_t xdm_tmp_t:dir r_dir_perms;
allow $1_t xdm_tmp_t:file { getattr read };
allow $1_t xdm_tmp_t:file r_file_perms;
allow $1_t xdm_xserver_tmp_t:sock_file { read write };
allow $1_t xdm_xserver_tmp_t:dir search;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
# certain apps want to read xdm.pid file
r_dir_file($1_t, xdm_var_run_t)
allow $1_t xdm_var_lib_t:file { getattr read };
allow $1_t xdm_var_lib_t:file r_file_perms;
allow xdm_t $1_home_dir_t:dir getattr;
ifdef(`xauth.te', `
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
@ -373,7 +373,7 @@ define(`base_user_domain',`
ifdef(`cardmgr.te', `
# to allow monitoring of pcmcia status
allow $1_t cardmgr_var_run_t:file { getattr read };
allow $1_t cardmgr_var_run_t:file r_file_perms;
')
#
@ -385,7 +385,7 @@ define(`base_user_domain',`
')
ifdef(`automount.te', `
allow $1_t autofs_t:dir { search getattr };
allow $1_t autofs_t:dir { getattr search };
')
ifdef(`pamconsole.te', `
@ -434,20 +434,20 @@ define(`user_domain_template', `
allow $1_file_type $1_home_t:filesystem associate;
# user temporary files
allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmp_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data($1_t, $1_tmp_t, { file lnk_file dir sock_file fifo_file })
allow $1_t $1_tmp_t:file create_file_perms;
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
# privileged home directory writers
allow privhome $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow privhome $1_home_t:lnk_file { create read getattr setattr link unlink rename };
allow privhome $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow privhome $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow privhome $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
type_transition privhome $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
allow privhome $1_home_t:file create_file_perms;
allow privhome $1_home_t:lnk_file create_lnk_perms;
allow privhome $1_home_t:dir create_dir_perms;
allow privhome $1_home_t:sock_file create_file_perms;
allow privhome $1_home_t:fifo_file create_file_perms;
type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
@ -645,12 +645,12 @@ define(`admin_domain_template',`
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:file create_file_perms;
allow $1_t $1_tmp_t:lnk_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
@ -931,15 +931,15 @@ define(`userdomain_read_all_users_data',`
requires_block_template(`$0'_depend)
files_list_home_directories($1)
allow $1 home_type:dir { getattr search read };
allow $1 home_type:file { getattr read };
allow $1 home_type:dir r_dir_perms;
allow $1 home_type:file r_file_perm;
')
define(`userdomain_read_all_users_data_depend',`
attribute home_type;
class dir { getattr search read };
class file { getattr read };
class dir r_dir_perms;
class file r_file_perms;
')
########################################