more testing fixes

This commit is contained in:
Chris PeBenito 2006-08-28 02:46:20 +00:00
parent e539a49638
commit ce6bf7cc23
7 changed files with 83 additions and 16 deletions


@ -90,6 +90,7 @@ interface(`term_tty',`
typeattribute $2 ttynode, serial_device; typeattribute $2 ttynode, serial_device;
type_change $1 tty_device_t:chr_file $2; type_change $1 tty_device_t:chr_file $2;
fs_associate($1)
files_associate_tmp($1) files_associate_tmp($1)
# Debian login is from shadow utils and does not allow resetting the perms. # Debian login is from shadow utils and does not allow resetting the perms.
@ -713,6 +714,25 @@ interface(`term_setattr_unallocated_ttys',`
allow $1 tty_device_t:chr_file setattr; allow $1 tty_device_t:chr_file setattr;
') ')
########################################
## <summary>
## Do not audit attempts to set the attributes
## of unallocated tty device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`term_dontaudit_setattr_unallocated_ttys',`
gen_require(`
type tty_device_t;
')
dontaudit $1 tty_device_t:chr_file setattr;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to ioctl ## Do not audit attempts to ioctl
@ -774,6 +794,25 @@ interface(`term_reset_tty_labels',`
allow $1 tty_device_t:chr_file relabelto; allow $1 tty_device_t:chr_file relabelto;
') ')
########################################
## <summary>
## Append to unallocated ttys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`term_append_unallocated_ttys',`
gen_require(`
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr append };
')
######################################## ########################################
## <summary> ## <summary>
## Write to unallocated ttys. ## Write to unallocated ttys.
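Review bot: The parameter doc of the new `term_dontaudit_setattr_unallocated_ttys` reads `## Domain allowed access.` although a dontaudit interface grants nothing; the sibling `clock_dontaudit_write_adjtime` added in this same commit uses `## Domain to not audit.`, so that wording should be used here too. In `term_append_unallocated_ttys` the summary "Append to unallocated ttys." omits that the interface also calls `dev_list_all_dev_nodes($1)`, which a caller should know since it widens what the domain can enumerate under /dev; a summary like `## Append to unallocated ttys; also permits listing all device nodes.` would state the full effect. The `term_tty` interface that the first hunk touches starts outside the hunk.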


@ -1,5 +1,5 @@
policy_module(terminal,1.1.4) policy_module(terminal,1.1.5)
######################################## ########################################
# #


@ -265,6 +265,7 @@ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
term_dontaudit_use_generic_ptys(system_chkpwd_t) term_dontaudit_use_generic_ptys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
######################################## ########################################
# #


@ -55,14 +55,14 @@ interface(`clock_run',`
') ')
######################################## ########################################
## <summary> ## <summary>
## Execute hwclock in the caller domain. ## Execute hwclock in the caller domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## The type of the process performing this action. ## The type of the process performing this action.
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`clock_exec',` interface(`clock_exec',`
gen_require(` gen_require(`
@ -73,14 +73,32 @@ interface(`clock_exec',`
') ')
######################################## ########################################
## <summary> ## <summary>
## Allow executing domain to modify clock drift ## Do not audit attempts to write clock drift adjustments.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## The type of the process performing this action. ## Domain to not audit.
## </summary> ## </summary>
## </param> ## </param>
#
interface(`clock_dontaudit_write_adjtime',`
gen_require(`
type adjtime_t;
')
dontaudit $1 adjtime_t:file write;
')
########################################
## <summary>
## Read and write clock drift adjustments.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
# #
interface(`clock_rw_adjtime',` interface(`clock_rw_adjtime',`
gen_require(` gen_require(`
@ -90,4 +108,3 @@ interface(`clock_rw_adjtime',`
allow $1 adjtime_t:file rw_file_perms; allow $1 adjtime_t:file rw_file_perms;
files_list_etc($1) files_list_etc($1)
') ')


@ -1,5 +1,5 @@
policy_module(clock,1.0.1) policy_module(clock,1.0.2)
######################################## ########################################
# #


@ -416,6 +416,9 @@ ifdef(`distro_gentoo',`
# mounting tmpfs on /dev # mounting tmpfs on /dev
fs_tmpfs_filetrans(initrc_t,initrc_state_t,file) fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)
optional_policy(` optional_policy(`
arpwatch_manage_data_files(initrc_t) arpwatch_manage_data_files(initrc_t)
') ')
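Review bot: The comment `# init scripts touch this` above `clock_dontaudit_write_adjtime(initrc_t)` describes an operation the rule may not cover: the interface only suppresses a denied `write` on adjtime_t, and if the scripts really use touch(1) the denied permission would presumably be `setattr` or `open` rather than `write`, so the denial would still be logged. Worth confirming against the actual AVC record before relying on it, and rewording the comment to name the operation being silenced, e.g. `# init scripts attempt to write adjtime; deny silently`. The call appears to sit inside the distro_gentoo block, whose opening line is outside the hunk.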


@ -1,5 +1,5 @@
policy_module(logging,1.3.9) policy_module(logging,1.3.10)
######################################## ########################################
# #
@ -349,6 +349,13 @@ miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_sysadm_home_dirs(syslogd_t) userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
# and high priority messages to /dev/tty12
term_append_unallocated_ttys(syslogd_t)
term_dontaudit_setattr_unallocated_ttys(syslogd_t)
')
ifdef(`distro_suse',` ifdef(`distro_suse',`
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file) files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
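Review bot: `term_append_unallocated_ttys(syslogd_t)` grants append on every tty_device_t node, not only the /dev/tty12 that the comment names; because all unallocated ttys share one type the grant cannot be made narrower, but the comment should say so, e.g. `# and high priority messages to /dev/tty12 (tty_device_t, so this covers all unallocated ttys)`. The paired `term_dontaudit_setattr_unallocated_ttys(syslogd_t)` silences setattr denials instead of granting them, which seems the appropriate choice for a logger; a one-line comment noting that setattr is intentionally left denied would make the pairing clear to the next reader.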