add snmp
parent
a0824843c2
commit
ccc5978224
|
@ -6,6 +6,7 @@
|
||||||
ktalk
|
ktalk
|
||||||
portmap
|
portmap
|
||||||
samba
|
samba
|
||||||
|
snmp
|
||||||
zebra
|
zebra
|
||||||
|
|
||||||
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
|
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
|
||||||
|
|
|
@ -142,6 +142,8 @@ corecmd_shell_domtrans(rpm_t,rpm_script_t)
|
||||||
|
|
||||||
domain_exec_all_entry_files(rpm_t)
|
domain_exec_all_entry_files(rpm_t)
|
||||||
domain_read_all_domains_state(rpm_t)
|
domain_read_all_domains_state(rpm_t)
|
||||||
|
domain_getattr_all_domains(rpm_t)
|
||||||
|
domain_dontaudit_ptrace_all_domains(rpm_t)
|
||||||
domain_use_wide_inherit_fd(rpm_t)
|
domain_use_wide_inherit_fd(rpm_t)
|
||||||
|
|
||||||
files_exec_etc_files(rpm_t)
|
files_exec_etc_files(rpm_t)
|
||||||
|
@ -276,6 +278,8 @@ corecmd_exec_bin(rpm_script_t)
|
||||||
corecmd_exec_sbin(rpm_script_t)
|
corecmd_exec_sbin(rpm_script_t)
|
||||||
|
|
||||||
domain_read_all_domains_state(rpm_script_t)
|
domain_read_all_domains_state(rpm_script_t)
|
||||||
|
domain_getattr_all_domains(rpm_script_t)
|
||||||
|
domain_dontaudit_ptrace_all_domains(rpm_script_t)
|
||||||
domain_use_wide_inherit_fd(rpm_script_t)
|
domain_use_wide_inherit_fd(rpm_script_t)
|
||||||
domain_exec_all_entry_files(rpm_script_t)
|
domain_exec_all_entry_files(rpm_script_t)
|
||||||
domain_signal_all_domains(rpm_script_t)
|
domain_signal_all_domains(rpm_script_t)
|
||||||
|
|
|
@ -74,6 +74,25 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
|
||||||
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts made by the caller to read
|
||||||
|
## fixed disk device nodes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`storage_dontaudit_read_fixed_disk',`
|
||||||
|
gen_require(`
|
||||||
|
type removable_device_t;
|
||||||
|
class blk_file { getattr ioctl read };
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the caller to directly read from a fixed disk.
|
## Allow the caller to directly read from a fixed disk.
|
||||||
|
@ -424,6 +443,25 @@ interface(`storage_dontaudit_getattr_removable_device',`
|
||||||
dontaudit $1 removable_device_t:blk_file getattr;
|
dontaudit $1 removable_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts made by the caller to read
|
||||||
|
## removable devices device nodes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`storage_dontaudit_read_removable_device',`
|
||||||
|
gen_require(`
|
||||||
|
type removable_device_t;
|
||||||
|
class blk_file { getattr ioctl read };
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the caller to set the attributes of removable
|
## Allow the caller to set the attributes of removable
|
||||||
|
|
|
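Review bot: `storage_dontaudit_read_fixed_disk` requires the wrong type: its `gen_require` declares `type removable_device_t;` while the body at `dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };` uses `fixed_disk_device_t`, which is never required; this looks like a copy of the removable-device interface that was not fully adjusted. The require line should read `type fixed_disk_device_t;`. The sibling `storage_dontaudit_read_removable_device` in the second hunk is consistent, but its summary `removable devices device nodes` should read `removable device nodes`.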
@ -0,0 +1,26 @@
|
||||||
|
|
||||||
|
#
|
||||||
|
# /etc
|
||||||
|
#
|
||||||
|
|
||||||
|
/etc/snmp/snmp(trap)?d\.conf -- context_template(system_u:object_r:snmpd_etc_t,s0)
|
||||||
|
|
||||||
|
#
|
||||||
|
# /usr
|
||||||
|
#
|
||||||
|
/usr/sbin/snmp(trap)?d -- context_template(system_u:object_r:snmpd_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/share/snmp/mibs/\.index -- context_template(system_u:object_r:snmpd_var_lib_t,s0)
|
||||||
|
|
||||||
|
#
|
||||||
|
# /var
|
||||||
|
#
|
||||||
|
/var/lib/net-snmp(/.*)? context_template(system_u:object_r:snmpd_var_lib_t,s0)
|
||||||
|
/var/lib/snmp(/.*)? context_template(system_u:object_r:snmpd_var_lib_t,s0)
|
||||||
|
|
||||||
|
/var/log/snmpd\.log -- context_template(system_u:object_r:snmpd_log_t,s0)
|
||||||
|
|
||||||
|
/var/net-snmp(/.*) context_template(system_u:object_r:snmpd_var_lib_t,s0)
|
||||||
|
|
||||||
|
/var/run/snmpd -d context_template(system_u:object_r:snmpd_var_run_t,s0)
|
||||||
|
/var/run/snmpd\.pid -- context_template(system_u:object_r:snmpd_var_run_t,s0)
|
|
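Review bot: `/var/net-snmp(/.*)` is missing the trailing `?` that the sibling entries `/var/lib/net-snmp(/.*)?` and `/var/lib/snmp(/.*)?` carry, so the `/var/net-snmp` directory itself is not matched by this spec and presumably falls back to the generic /var label while only its contents get `snmpd_var_lib_t`. Unless that is deliberate, the line should read `/var/net-snmp(/.*)? context_template(system_u:object_r:snmpd_var_lib_t,s0)`. The `/usr/share/snmp/mibs/\.index` entry labels a file under /usr with the writable `snmpd_var_lib_t` type; a short comment on that line saying why the daemon writes there would spare the next reader the cross-reference to the `files_create_usr` call in the module.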
@ -0,0 +1 @@
|
||||||
|
## <summary>Simple network management protocol services</summary>
|
|
@ -0,0 +1,165 @@
|
||||||
|
|
||||||
|
policy_module(snmp,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
type snmpd_t;
|
||||||
|
type snmpd_exec_t;
|
||||||
|
init_daemon_domain(snmpd_t,snmpd_exec_t)
|
||||||
|
|
||||||
|
type snmpd_etc_t; #, usercanread;
|
||||||
|
files_type(snmpd_etc_t)
|
||||||
|
|
||||||
|
type snmpd_log_t;
|
||||||
|
logging_log_file(snmpd_log_t)
|
||||||
|
|
||||||
|
type snmpd_var_run_t;
|
||||||
|
files_pid_file(snmpd_var_run_t)
|
||||||
|
|
||||||
|
type snmpd_var_lib_t;
|
||||||
|
files_type(snmpd_var_lib_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
|
||||||
|
allow snmpd_t self:file { getattr read };
|
||||||
|
allow snmpd_t self:fifo_file rw_file_perms;
|
||||||
|
allow snmpd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
allow snmpd_t self:unix_stream_socket create_socket_perms;
|
||||||
|
|
||||||
|
allow snmpd_t snmpd_etc_t:file { getattr read };
|
||||||
|
|
||||||
|
allow snmpd_t snmpd_log_t:file create_file_perms;
|
||||||
|
logging_create_log(snmpd_t,snmpd_log_t)
|
||||||
|
|
||||||
|
allow snmpd_t snmpd_var_lib_t:file create_file_perms;
|
||||||
|
allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
|
||||||
|
files_create_usr(snmpd_t,snmpd_var_lib_t)
|
||||||
|
files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir })
|
||||||
|
files_create_var_lib(snmpd_t,snmpd_var_lib_t)
|
||||||
|
|
||||||
|
allow snmpd_t snmpd_var_run_t:file create_file_perms;
|
||||||
|
allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
|
||||||
|
files_create_pid(snmpd_t,snmpd_var_run_t)
|
||||||
|
|
||||||
|
kernel_read_kernel_sysctl(snmpd_t)
|
||||||
|
kernel_read_net_sysctl(snmpd_t)
|
||||||
|
kernel_read_proc_symlinks(snmpd_t)
|
||||||
|
kernel_read_system_state(snmpd_t)
|
||||||
|
kernel_read_network_state(snmpd_t)
|
||||||
|
|
||||||
|
corenet_tcp_sendrecv_all_if(snmpd_t)
|
||||||
|
corenet_raw_sendrecv_all_if(snmpd_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes(snmpd_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes(snmpd_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(snmpd_t)
|
||||||
|
corenet_tcp_bind_all_nodes(snmpd_t)
|
||||||
|
corenet_tcp_bind_snmp_port(snmpd_t)
|
||||||
|
corenet_udp_bind_snmp_port(snmpd_t)
|
||||||
|
|
||||||
|
dev_list_sysfs(snmpd_t)
|
||||||
|
dev_read_sysfs(snmpd_t)
|
||||||
|
dev_read_urand(snmpd_t)
|
||||||
|
dev_read_rand(snmpd_t)
|
||||||
|
|
||||||
|
fs_getattr_all_fs(snmpd_t)
|
||||||
|
fs_search_auto_mountpoints(snmpd_t)
|
||||||
|
|
||||||
|
storage_dontaudit_read_fixed_disk(snmpd_t)
|
||||||
|
storage_dontaudit_read_removable_device(snmpd_t)
|
||||||
|
|
||||||
|
term_dontaudit_use_console(snmpd_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(snmpd_t)
|
||||||
|
corecmd_exec_sbin(snmpd_t)
|
||||||
|
corecmd_exec_shell(snmpd_t)
|
||||||
|
|
||||||
|
domain_use_wide_inherit_fd(snmpd_t)
|
||||||
|
domain_read_all_domains_state(snmpd_t)
|
||||||
|
|
||||||
|
files_read_etc_files(snmpd_t)
|
||||||
|
files_read_usr_files(snmpd_t)
|
||||||
|
files_read_etc_runtime_files(snmpd_t)
|
||||||
|
files_search_home(snmpd_t)
|
||||||
|
|
||||||
|
init_read_script_pid(snmpd_t)
|
||||||
|
init_use_fd(snmpd_t)
|
||||||
|
init_use_script_pty(snmpd_t)
|
||||||
|
init_dontaudit_write_script_pid(snmpd_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(snmpd_t)
|
||||||
|
libs_use_shared_libs(snmpd_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(snmpd_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(snmpd_t)
|
||||||
|
|
||||||
|
seutil_dontaudit_search_config(snmpd_t)
|
||||||
|
|
||||||
|
sysnet_read_config(snmpd_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_use_unpriv_user_fd(snmpd_t)
|
||||||
|
userdom_dontaudit_search_sysadm_home_dir(snmpd_t)
|
||||||
|
|
||||||
|
ifdef(`distro_redhat', `
|
||||||
|
optional_policy(`rpm.te', `
|
||||||
|
rpm_read_db(snmpd_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`targeted_policy', `
|
||||||
|
term_dontaudit_use_unallocated_tty(snmpd_t)
|
||||||
|
term_dontaudit_use_generic_pty(snmpd_t)
|
||||||
|
files_dontaudit_read_root_file(snmpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket(snmpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`selinuxutil.te',`
|
||||||
|
seutil_sigchld_newrole(snmpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`udev.te', `
|
||||||
|
udev_read_db(snmpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis.te',`
|
||||||
|
nis_use_ypbind(snmpd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
can_udp_send(sysadm_t, snmpd_t)
|
||||||
|
can_udp_send(snmpd_t, sysadm_t)
|
||||||
|
|
||||||
|
ifdef(`distro_redhat', `
|
||||||
|
optional_policy(`rpm.te', `
|
||||||
|
dontaudit snmpd_t rpm_var_lib_t:dir write;
|
||||||
|
dontaudit snmpd_t rpm_var_lib_t:file write;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit snmpd_t rpc_pipefs_t:dir getattr;
|
||||||
|
allow snmpd_t rpc_pipefs_t:dir getattr;
|
||||||
|
|
||||||
|
optional_policy(`amanda.te', `
|
||||||
|
dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`cupsd.te', `
|
||||||
|
allow snmpd_t cupsd_rw_etc_t:file { getattr read };
|
||||||
|
')
|
||||||
|
|
||||||
|
allow snmpd_t var_lib_nfs_t:dir search;
|
||||||
|
|
||||||
|
optional_policy(`rhgb.te',`
|
||||||
|
rhgb_domain(snmpd_t)
|
||||||
|
')
|
||||||
|
') dnl end TODO
|
|
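Review bot: `snmpd_t` gets no UDP socket rules although the hunk binds the SNMP port over UDP with `corenet_udp_bind_snmp_port(snmpd_t)`: the self rules only cover `tcp_socket`, and there is no `corenet_udp_bind_all_nodes` or `corenet_udp_sendrecv_*` counterpart to the tcp lines, so the UDP listener that snmpd uses by default would be denied at socket creation or node bind (inferred from the refpolicy convention, visible in the tcp lines here, that a port bind is paired with a node bind). The lines below add the udp counterparts next to the existing tcp rules. Separately, the trailing `#, usercanread;` on the `type snmpd_etc_t;` declaration is a dead remnant and should be dropped.
```selinux
allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket create_socket_perms;
# … unchanged: unix socket, etc, log, var_lib, pid and kernel rules …
corenet_tcp_sendrecv_all_if(snmpd_t)
corenet_udp_sendrecv_all_if(snmpd_t)
corenet_raw_sendrecv_all_if(snmpd_t)
corenet_tcp_sendrecv_all_nodes(snmpd_t)
corenet_udp_sendrecv_all_nodes(snmpd_t)
corenet_raw_sendrecv_all_nodes(snmpd_t)
corenet_tcp_sendrecv_all_ports(snmpd_t)
corenet_udp_sendrecv_all_ports(snmpd_t)
corenet_tcp_bind_all_nodes(snmpd_t)
corenet_udp_bind_all_nodes(snmpd_t)
corenet_tcp_bind_snmp_port(snmpd_t)
corenet_udp_bind_snmp_port(snmpd_t)
```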
@ -455,25 +455,34 @@ interface(`domain_read_all_domains_state',`
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class lnk_file r_file_perms;
|
class lnk_file r_file_perms;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
class process { getattr ptrace };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
allow $1 domain:dir r_dir_perms;
|
allow $1 domain:dir r_dir_perms;
|
||||||
allow $1 domain:lnk_file r_file_perms;
|
allow $1 domain:lnk_file r_file_perms;
|
||||||
allow $1 domain:file r_file_perms;
|
allow $1 domain:file r_file_perms;
|
||||||
allow $1 domain:process getattr;
|
|
||||||
|
|
||||||
# We need to suppress this denial because procps tries to access
|
|
||||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
||||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
|
||||||
# running in a privileged domain.
|
|
||||||
dontaudit $1 domain:process ptrace;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read the process state (/proc/pid) of all domains.
|
## Get the attributes of all domains of all domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`domain_getattr_all_domains',`
|
||||||
|
gen_require(`
|
||||||
|
attribute domain;
|
||||||
|
class process getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 domain:process getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read the process state (/proc/pid) of all confined domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
|
@ -485,7 +494,6 @@ interface(`domain_read_confined_domains_state',`
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class lnk_file r_file_perms;
|
class lnk_file r_file_perms;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
class process { getattr ptrace };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
|
@ -495,11 +503,76 @@ interface(`domain_read_confined_domains_state',`
|
||||||
allow $1 { domain -unconfined_domain }:process getattr;
|
allow $1 { domain -unconfined_domain }:process getattr;
|
||||||
|
|
||||||
dontaudit $1 unconfined_domain:dir search;
|
dontaudit $1 unconfined_domain:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of all confined domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`domain_getattr_confined_domains',`
|
||||||
|
gen_require(`
|
||||||
|
attribute domain, unconfined_domain;
|
||||||
|
class process getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 { domain -unconfined_domain }:process getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to ptrace all domains.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to ptrace all domains.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## Generally this needs to be suppressed because procps tries to access
|
||||||
|
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||||
|
## (2.4 and 2.6).
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`domain_dontaudit_ptrace_all_domains',`
|
||||||
|
gen_require(`
|
||||||
|
attribute domain;
|
||||||
|
class process ptrace;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 domain:process ptrace;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to ptrace confined domains.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to ptrace confined domains.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## Generally this needs to be suppressed because procps tries to access
|
||||||
|
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||||
|
## (2.4 and 2.6).
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`domain_dontaudit_ptrace_confined_domains',`
|
||||||
|
gen_require(`
|
||||||
|
attribute domain, unconfined_domain;
|
||||||
|
class process ptrace;
|
||||||
|
')
|
||||||
|
|
||||||
# We need to suppress this denial because procps tries to access
|
|
||||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
||||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
|
||||||
# running in a privileged domain.
|
|
||||||
dontaudit $1 { domain -unconfined_domain }:process ptrace;
|
dontaudit $1 { domain -unconfined_domain }:process ptrace;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -518,19 +591,12 @@ interface(`domain_dontaudit_read_all_domains_state',`
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class lnk_file r_file_perms;
|
class lnk_file r_file_perms;
|
||||||
class file r_file_perms;
|
class file r_file_perms;
|
||||||
class process { getattr ptrace };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 domain:dir r_dir_perms;
|
dontaudit $1 domain:dir r_dir_perms;
|
||||||
dontaudit $1 domain:lnk_file r_file_perms;
|
dontaudit $1 domain:lnk_file r_file_perms;
|
||||||
dontaudit $1 domain:file r_file_perms;
|
dontaudit $1 domain:file r_file_perms;
|
||||||
dontaudit $1 domain:process getattr;
|
dontaudit $1 domain:process getattr;
|
||||||
|
|
||||||
# We need to suppress this denial because procps tries to access
|
|
||||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
||||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
|
||||||
# running in a privileged domain.
|
|
||||||
dontaudit $1 domain:process ptrace;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
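Review bot: `domain_read_confined_domains_state` still carries `allow $1 { domain -unconfined_domain }:process getattr;` (context at the top of the `@ -495,11 +503,76 @@` hunk) after the `@ -485,7 +494,6 @@` hunk removed `class process { getattr ptrace };` from its `gen_require`, and the `@ -518,19 +591,12 @@` hunk does the same to `domain_dontaudit_read_all_domains_state`, which keeps `dontaudit $1 domain:process getattr;`. `domain_read_all_domains_state` in the first hunk had its `allow $1 domain:process getattr;` removed in step with the require, so the other two look like an oversight: either drop the getattr rules there as well (callers now get them from the new `domain_getattr_*` interfaces) or keep `class process getattr;` in those require blocks. The new summary `Get the attributes of all domains of all domains.` repeats itself and should read `Get the attributes of all domains.`. Each of the edited interfaces starts outside its hunk.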
@ -1714,6 +1714,35 @@ interface(`files_read_usr_symlinks',`
|
||||||
allow $1 usr_t:lnk_file r_file_perms;
|
allow $1 usr_t:lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create objects in the /usr directory
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
## <param name="file_type">
|
||||||
|
## The type of the object to be created
|
||||||
|
## </param>
|
||||||
|
## <param name="object_class" optional="true">
|
||||||
|
## The object class. If not specified, file is used.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_create_usr',`
|
||||||
|
gen_require(`
|
||||||
|
type usr_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 usr_t:dir rw_dir_perms;
|
||||||
|
|
||||||
|
ifelse(`$3',`',`
|
||||||
|
type_transition $1 usr_t:file $2;
|
||||||
|
',`
|
||||||
|
type_transition $1 usr_t:$3 $2;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute programs in /usr/src in the caller domain.
|
## Execute programs in /usr/src in the caller domain.
|
||||||
|
@ -1874,6 +1903,35 @@ interface(`files_manage_var_symlinks',`
|
||||||
allow $1 var_t:lnk_file create_lnk_perms;
|
allow $1 var_t:lnk_file create_lnk_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create objects in the /var directory
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
## <param name="file_type">
|
||||||
|
## The type of the object to be created
|
||||||
|
## </param>
|
||||||
|
## <param name="object_class" optional="true">
|
||||||
|
## The object class. If not specified, file is used.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_create_var',`
|
||||||
|
gen_require(`
|
||||||
|
type var_t;
|
||||||
|
class dir rw_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 var_t:dir rw_dir_perms;
|
||||||
|
|
||||||
|
ifelse(`$3',`',`
|
||||||
|
type_transition $1 var_t:file $2;
|
||||||
|
',`
|
||||||
|
type_transition $1 var_t:$3 $2;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of the /var/lib directory.
|
## Get the attributes of the /var/lib directory.
|
||||||
|
|
|
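Review bot: The `ifelse` in `files_create_usr` duplicates the whole `type_transition` statement only to swap the object class; the same effect reads more directly as one line, `` type_transition $1 usr_t:ifelse(`$3',`',`file',`$3') $2; ``, and the same applies to `files_create_var` in the second hunk. The summary `Create objects in the /usr directory` understates what the caller receives: `rw_dir_perms` on every `usr_t` directory plus the transition, not a per-subtree grant; a sentence such as `Grants read/write on all usr_t directories and a type transition for new objects of the given class` would set expectations for callers that only need one path.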
@ -277,6 +277,8 @@ domain_sigstop_all_domains(initrc_t)
|
||||||
domain_sigstop_all_domains(initrc_t)
|
domain_sigstop_all_domains(initrc_t)
|
||||||
domain_sigchld_all_domains(initrc_t)
|
domain_sigchld_all_domains(initrc_t)
|
||||||
domain_read_all_domains_state(initrc_t)
|
domain_read_all_domains_state(initrc_t)
|
||||||
|
domain_getattr_all_domains(initrc_t)
|
||||||
|
domain_dontaudit_ptrace_all_domains(initrc_t)
|
||||||
domain_getsession_all_domains(initrc_t)
|
domain_getsession_all_domains(initrc_t)
|
||||||
domain_use_wide_inherit_fd(initrc_t)
|
domain_use_wide_inherit_fd(initrc_t)
|
||||||
domain_exec_all_entry_files(initrc_t)
|
domain_exec_all_entry_files(initrc_t)
|
||||||
|
|
|
@ -73,6 +73,8 @@ domain_use_wide_inherit_fd(cardmgr_t)
|
||||||
domain_exec_all_entry_files(cardmgr_t)
|
domain_exec_all_entry_files(cardmgr_t)
|
||||||
# Read /proc/PID directories for all domains (for fuser).
|
# Read /proc/PID directories for all domains (for fuser).
|
||||||
domain_read_confined_domains_state(cardmgr_t)
|
domain_read_confined_domains_state(cardmgr_t)
|
||||||
|
domain_getattr_confined_domains(cardmgr_t)
|
||||||
|
domain_dontaudit_ptrace_confined_domains(cardmgr_t)
|
||||||
# cjp: these look excessive:
|
# cjp: these look excessive:
|
||||||
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
|
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
|
||||||
domain_dontaudit_getattr_all_sockets(cardmgr_t)
|
domain_dontaudit_getattr_all_sockets(cardmgr_t)
|
||||||
|
|
|
@ -787,6 +787,8 @@ template(`admin_user_template',`
|
||||||
|
|
||||||
domain_setpriority_all_domains($1_t)
|
domain_setpriority_all_domains($1_t)
|
||||||
domain_read_all_domains_state($1_t)
|
domain_read_all_domains_state($1_t)
|
||||||
|
domain_getattr_all_domains($1_t)
|
||||||
|
domain_dontaudit_ptrace_all_domains($1_t)
|
||||||
# signal all domains:
|
# signal all domains:
|
||||||
domain_kill_all_domains($1_t)
|
domain_kill_all_domains($1_t)
|
||||||
domain_signal_all_domains($1_t)
|
domain_signal_all_domains($1_t)
|
||||||
|
|