first part of dans patch Fri, 14 Apr 2006 08:08:43 -0400

This commit is contained in:
Chris PeBenito 2006-04-17 17:32:54 +00:00
parent 2ba3de9690
commit cdc86ee57f
26 changed files with 168 additions and 27 deletions

View File

@ -278,6 +278,13 @@ gen_tunable(run_ssh_inetd,false)
## </desc> ## </desc>
gen_tunable(samba_enable_home_dirs,false) gen_tunable(samba_enable_home_dirs,false)
## <desc>
## <p>
## Allow samba to export NFS volumes.
## </p>
## </desc>
gen_tunable(samba_share_nfs,false)
## <desc> ## <desc>
## <p> ## <p>
## Allow spamassassin to do DNS lookups ## Allow spamassassin to do DNS lookups

View File

@ -134,14 +134,18 @@ level s0:c0.c255;
# the high range of the file. We use the high range of the process so # the high range of the file. We use the high range of the process so
# that processes can always simply run at s0. # that processes can always simply run at s0.
# #
# Only files are constrained by MCS at this stage. # Note that getattr on files is always permitted.
# #
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
( h1 dom h2 ); ( h1 dom h2 );
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto } mlsconstrain file { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 )); (( h1 dom h2 ) and ( l2 eq h2 ));
# At this time we do not restrict "ps" type operations via MCS. This
# will probably change in future.
mlsconstrain file { read } mlsconstrain file { read }
(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));

View File

@ -1,5 +1,5 @@
policy_module(amanda,1.3.0) policy_module(amanda,1.3.1)
####################################### #######################################
# #
@ -8,7 +8,7 @@ policy_module(amanda,1.3.0)
type amanda_t; type amanda_t;
type amanda_inetd_exec_t; type amanda_inetd_exec_t;
inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t) inetd_service_domain(amanda_t,amanda_inetd_exec_t)
role system_r types amanda_t; role system_r types amanda_t;
type amanda_exec_t; type amanda_exec_t;
@ -189,7 +189,7 @@ optional_policy(`
# #
# Amanda recover local policy # Amanda recover local policy
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service }; allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal }; allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file { getattr ioctl read write }; allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:unix_stream_socket { connect create read write }; allow amanda_recover_t self:unix_stream_socket { connect create read write };
@ -229,6 +229,7 @@ corenet_udp_sendrecv_all_ports(amanda_recover_t)
corenet_non_ipsec_sendrecv(amanda_recover_t) corenet_non_ipsec_sendrecv(amanda_recover_t)
corenet_tcp_bind_all_nodes(amanda_recover_t) corenet_tcp_bind_all_nodes(amanda_recover_t)
corenet_udp_bind_all_nodes(amanda_recover_t) corenet_udp_bind_all_nodes(amanda_recover_t)
corenet_tcp_bind_reserved_port(amanda_recover_t)
corenet_tcp_connect_amanda_port(amanda_recover_t) corenet_tcp_connect_amanda_port(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t) corecmd_exec_shell(amanda_recover_t)
@ -261,3 +262,7 @@ optional_policy(`
optional_policy(` optional_policy(`
nis_use_ypbind(amanda_recover_t) nis_use_ypbind(amanda_recover_t)
') ')
optional_policy(`
nscd_socket_use(amanda_recover_t)
')

View File

@ -1,5 +1,5 @@
policy_module(bootloader,1.2.1) policy_module(bootloader,1.2.2)
######################################## ########################################
# #
@ -88,6 +88,8 @@ dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t) fs_getattr_xattr_fs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t) fs_read_tmpfs_symlinks(bootloader_t)
mls_file_read_up(bootloader_t)
term_getattr_all_user_ttys(bootloader_t) term_getattr_all_user_ttys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t) term_dontaudit_manage_pty_dirs(bootloader_t)

View File

@ -1,5 +1,5 @@
policy_module(usermanage,1.3.2) policy_module(usermanage,1.3.3)
######################################## ########################################
# #
@ -514,6 +514,7 @@ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
# Add/remove user home directories # Add/remove user home directories
userdom_home_filetrans_generic_user_home_dir(useradd_t) userdom_home_filetrans_generic_user_home_dir(useradd_t)
userdom_manage_generic_user_home_content_dirs(useradd_t) userdom_manage_generic_user_home_content_dirs(useradd_t)
userdom_manage_staff_home_dirs(useradd_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set) userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
mta_manage_spool(useradd_t) mta_manage_spool(useradd_t)

View File

@ -1,5 +1,5 @@
policy_module(java,1.1.1) policy_module(java,1.1.2)
######################################## ########################################
# #
@ -7,10 +7,8 @@ policy_module(java,1.1.1)
# #
type java_t; type java_t;
domain_type(java_t)
type java_exec_t; type java_exec_t;
files_type(java_exec_t) init_system_domain(java_t,java_exec_t)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(mono,1.1.1) policy_module(mono,1.1.2)
######################################## ########################################
# #
@ -22,6 +22,8 @@ ifdef(`targeted_policy',`
unconfined_domain_noaudit(mono_t) unconfined_domain_noaudit(mono_t)
role system_r types mono_t; role system_r types mono_t;
init_dbus_chat_script(mono_t)
optional_policy(` optional_policy(`
avahi_dbus_chat(mono_t) avahi_dbus_chat(mono_t)
') ')
@ -29,4 +31,8 @@ ifdef(`targeted_policy',`
optional_policy(` optional_policy(`
hal_dbus_chat(mono_t) hal_dbus_chat(mono_t)
') ')
optional_policy(`
networkmanager_dbus_chat(mono_t)
')
') ')

View File

@ -2701,7 +2701,7 @@ interface(`dev_rw_xen',`
') ')
allow $1 device_t:dir r_dir_perms; allow $1 device_t:dir r_dir_perms;
allow $1 xen_device_t:chr_file r_file_perms; allow $1 xen_device_t:chr_file rw_file_perms;
') ')
######################################## ########################################
@ -2720,7 +2720,7 @@ interface(`dev_manage_xen',`
') ')
allow $1 device_t:dir r_dir_perms; allow $1 device_t:dir r_dir_perms;
allow $1 xen_device_t:chr_file r_file_perms; allow $1 xen_device_t:chr_file manage_file_perms;
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(devices,1.1.10) policy_module(devices,1.1.11)
######################################## ########################################
# #

View File

@ -946,6 +946,24 @@ interface(`files_mounton_all_mountpoints',`
allow $1 mountpoint:file { getattr mounton }; allow $1 mountpoint:file { getattr mounton };
') ')
########################################
## <summary>
## Get the attributes of all mount points.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_getattr_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir getattr;
')
######################################## ########################################
# #
# files_list_root(domain) # files_list_root(domain)

View File

@ -1,5 +1,5 @@
policy_module(files,1.2.6) policy_module(files,1.2.7)
######################################## ########################################
# #

View File

@ -1150,6 +1150,9 @@ interface(`kernel_rw_vm_sysctls',`
allow $1 sysctl_t:dir r_dir_perms; allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:dir list_dir_perms; allow $1 sysctl_vm_t:dir list_dir_perms;
allow $1 sysctl_vm_t:file rw_file_perms; allow $1 sysctl_vm_t:file rw_file_perms;
# hal needs this
allow $1 sysctl_vm_t:dir write;
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(kernel,1.3.4) policy_module(kernel,1.3.5)
######################################## ########################################
# #

View File

@ -32,6 +32,10 @@ type unconfined_t;
type xdm_exec_t; type xdm_exec_t;
ifdef(`enable_mcs',` ifdef(`enable_mcs',`
# The eventual plan is to have a range_transition to s0 for the daemon by
# default and have the daemons which need to run with all categories be
# exceptions. But while range_transitions have to be in the base module
# this is not possible.
range_transition getty_t login_exec_t s0 - s0:c0.c255; range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255; range_transition init_t xdm_exec_t s0 - s0:c0.c255;
range_transition initrc_t crond_exec_t s0 - s0:c0.c255; range_transition initrc_t crond_exec_t s0 - s0:c0.c255;

View File

@ -1,5 +1,5 @@
policy_module(avahi,1.2.0) policy_module(avahi,1.2.1)
######################################## ########################################
# #
@ -92,6 +92,7 @@ optional_policy(`
dbus_system_bus_client_template(avahi,avahi_t) dbus_system_bus_client_template(avahi,avahi_t)
dbus_connect_system_bus(avahi_t) dbus_connect_system_bus(avahi_t)
dbus_send_system_bus(avahi_t) dbus_send_system_bus(avahi_t)
init_dbus_chat_script(avahi_t)
') ')
optional_policy(` optional_policy(`

View File

@ -1,5 +1,5 @@
policy_module(hal,1.3.4) policy_module(hal,1.3.5)
######################################## ########################################
# #
@ -103,6 +103,7 @@ files_getattr_default_dirs(hald_t)
fs_getattr_all_fs(hald_t) fs_getattr_all_fs(hald_t)
fs_search_all(hald_t) fs_search_all(hald_t)
fs_list_auto_mountpoints(hald_t) fs_list_auto_mountpoints(hald_t)
files_getattr_all_mountpoints(hald_t)
mls_file_read_up(hald_t) mls_file_read_up(hald_t)

View File

@ -198,6 +198,45 @@ interface(`mailman_search_data',`
allow $1 mailman_data_t:dir search_dir_perms; allow $1 mailman_data_t:dir search_dir_perms;
') ')
#######################################
## <summary>
## Allow domain to to read mailman data files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mailman_read_data_files',`
gen_require(`
type mailman_data_t;
')
allow $1 mailman_data_t:dir search_dir_perms;
allow $1 mailman_data_t:file read_file_perms;
')
#######################################
## <summary>
## Allow domain to to create mailman data files
## and write the directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mailman_manage_data_files',`
gen_require(`
type mailman_data_t;
')
allow $1 mailman_data_t:dir rw_dir_perms;
allow $1 mailman_data_t:file manage_file_perms;
')
####################################### #######################################
## <summary> ## <summary>
## List the contents of mailman data directories. ## List the contents of mailman data directories.

View File

@ -1,5 +1,5 @@
policy_module(mailman,1.1.1) policy_module(mailman,1.1.2)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(postfix,1.2.1) policy_module(postfix,1.2.2)
######################################## ########################################
# #
@ -174,6 +174,11 @@ sysnet_read_config(postfix_master_t)
mta_rw_aliases(postfix_master_t) mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t) mta_read_sendmail_bin(postfix_master_t)
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_master_t)
')
optional_policy(` optional_policy(`
mount_send_nfs_client_request(postfix_master_t) mount_send_nfs_client_request(postfix_master_t)
') ')
@ -280,6 +285,11 @@ mta_delete_spool(postfix_local_t)
# For reading spamassasin # For reading spamassasin
mta_read_config(postfix_local_t) mta_read_config(postfix_local_t)
optional_policy(`
# for postalias
mailman_read_data_files(postfix_local_t)
')
optional_policy(` optional_policy(`
procmail_domtrans(postfix_local_t) procmail_domtrans(postfix_local_t)
') ')

View File

@ -1,5 +1,5 @@
policy_module(rpc,1.2.1) policy_module(rpc,1.2.2)
######################################## ########################################
# #
@ -110,13 +110,13 @@ portmap_tcp_connect(nfsd_t)
portmap_udp_chat(nfsd_t) portmap_udp_chat(nfsd_t)
tunable_policy(`nfs_export_all_rw',` tunable_policy(`nfs_export_all_rw',`
auth_read_all_dirs_except_shadow(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
') ')
tunable_policy(`nfs_export_all_ro',` tunable_policy(`nfs_export_all_ro',`
auth_read_all_dirs_except_shadow(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t)
auth_read_all_files_except_shadow(nfsd_t)
') ')
######################################## ########################################

View File

@ -33,6 +33,7 @@ template(`samba_per_userdomain_template',`
') ')
tunable_policy(`samba_enable_home_dirs',` tunable_policy(`samba_enable_home_dirs',`
userdom_manage_user_home_content_dirs($1,smbd_t)
userdom_manage_user_home_content_files($1,smbd_t) userdom_manage_user_home_content_files($1,smbd_t)
userdom_manage_user_home_content_symlinks($1,smbd_t) userdom_manage_user_home_content_symlinks($1,smbd_t)
userdom_manage_user_home_content_sockets($1,smbd_t) userdom_manage_user_home_content_sockets($1,smbd_t)

View File

@ -1,5 +1,5 @@
policy_module(samba,1.2.3) policy_module(samba,1.2.4)
################################# #################################
# #
@ -296,6 +296,12 @@ tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t) miscfiles_manage_public_files(smbd_t)
') ')
# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
')
optional_policy(` optional_policy(`
cups_read_rw_config(smbd_t) cups_read_rw_config(smbd_t)
') ')

View File

@ -1,5 +1,5 @@
policy_module(unconfined,1.3.5) policy_module(unconfined,1.3.6)
######################################## ########################################
# #
@ -62,6 +62,8 @@ ifdef(`targeted_policy',`
') ')
optional_policy(` optional_policy(`
init_dbus_chat_script(unconfined_t)
dbus_stub(unconfined_t) dbus_stub(unconfined_t)
optional_policy(` optional_policy(`

View File

@ -3400,6 +3400,35 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
dontaudit $1 staff_home_dir_t:dir search; dontaudit $1 staff_home_dir_t:dir search;
') ')
########################################
## <summary>
## Create, read, write, and delete staff
## home directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_manage_staff_home_dirs',`
ifdef(`targeted_policy',`
gen_require(`
type user_home_dir_t;
')
files_search_home($1)
allow $1 user_home_dir_t:dir manage_dir_perms;
',`
gen_require(`
type staff_home_dir_t;
')
files_search_home($1)
allow $1 staff_home_dir_t:dir manage_dir_perms;
')
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to append to the staff ## Do not audit attempts to append to the staff

View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.3.14) policy_module(userdomain,1.3.15)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;

View File

@ -1,5 +1,5 @@
policy_module(xen,1.0.0) policy_module(xen,1.0.1)
######################################## ########################################
# #
@ -19,6 +19,8 @@ init_daemon_domain(xend_t, xend_exec_t)
# var/lib files # var/lib files
type xend_var_lib_t; type xend_var_lib_t;
files_type(xend_var_lib_t) files_type(xend_var_lib_t)
# for mounting an NFS store
files_mountpoint(xend_var_lib_t)
# log files # log files
type xend_var_log_t; type xend_var_log_t;
@ -122,6 +124,7 @@ domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t) domain_dontaudit_read_all_domains_state(xend_t)
files_read_etc_files(xend_t) files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
storage_raw_read_fixed_disk(xend_t) storage_raw_read_fixed_disk(xend_t)
@ -208,6 +211,7 @@ kernel_read_xen_state(xenstored_t)
dev_create_generic_dirs(xenstored_t) dev_create_generic_dirs(xenstored_t)
dev_manage_xen(xenconsoled_t) dev_manage_xen(xenconsoled_t)
dev_filetrans_xen(xenstored_t) dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
term_dontaudit_use_generic_ptys(xenstored_t) term_dontaudit_use_generic_ptys(xenstored_t)