rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

more upstream merging

Browse Source
This commit is contained in:
Chris PeBenito 2005-09-16 19:36:10 +00:00
parent a47ea60ca9
commit cff75c90ca
53 changed files with 878 additions and 482 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

310
refpolicy/policy/modules/admin/su.if
View File

@ -28,151 +28,171 @@
## </param>
#
template(`su_per_userdomain_template',`
# in optional since loadable modules do not natively
# support per-userdomain templates yet.
optional_policy(`su.te',`
gen_require(`
type su_exec_t;
')
gen_require(`
type su_exec_t;
type $1_su_t;
domain_entry_file($1_su_t,su_exec_t)
domain_type($1_su_t)
domain_role_change_exempt($1_su_t)
domain_subj_id_change_exempt($1_su_t)
domain_obj_id_change_exempt($1_su_t)
domain_wide_inherit_fd($1_su_t)
role $3 types $1_su_t;
allow $2 $1_su_t:process signal;
allow $1_su_t self:capability { audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctl($1_su_t)
# for SSP
dev_read_urand($1_su_t)
fs_search_auto_mountpoints($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
# Relabel ttys and ptys.
term_relabel_all_user_ttys($1_su_t)
term_relabel_all_user_ptys($1_su_t)
# Close and re-open ttys and ptys to get the fd into the correct domain.
term_use_all_user_ttys($1_su_t)
term_use_all_user_ptys($1_su_t)
auth_domtrans_user_chk_passwd($1_su_t,$1)
auth_dontaudit_read_shadow($1_su_t)
domain_wide_inherit_fd($1_su_t)
files_read_etc_files($1_su_t)
files_search_var_lib($1_su_t)
init_dontaudit_use_fd($1_su_t)
# Write to utmp.
init_rw_script_pid($1_su_t)
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
userdom_use_user_terminals($1,$1_su_t)
if(secure_mode)
{
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
if (use_nfs_home_dirs) {
fs_search_nfs($1_su_t)
}
if (use_samba_home_dirs) {
fs_search_cifs($1_su_t)
}
optional_policy(`crond.te',`
cron_read_pipe($1_su_t)
')
optional_policy(`kerberos.te',`
kerberos_use($1_su_t)
')
optional_policy(`nis.te',`
nis_use_ypbind($1_su_t)
')
optional_policy(`nscd.te',`
nscd_use_socket($1_su_t)
')
ifdef(`TODO',`
ifdef(`support_polyinstantiation', `
typeattribute $1_su_t mlsfileread;
typeattribute $1_su_t mlsfilewrite;
typeattribute $1_su_t mlsfileupgrade;
typeattribute $1_su_t mlsfiledowngrade;
typeattribute $1_su_t mlsprocsetsl;
# Su can polyinstantiate
polyinstantiater($1_su_t)
# Su has to unmount polyinstantiated directories (like home)
# that should not be polyinstantiated under the new user
allow $1_su_t fs_t:filesystem unmount;
# Su needs additional permission to mount over a previous mount
allow $1_su_t polymember:dir mounton;
')
# Caused by su - init scripts
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
allow $1_su_t $1_home_t:file create_file_perms;
ifdef(`user_canbe_sysadm', `
allow $1_su_t home_dir_type:dir { search write };
', `
dontaudit $1_su_t home_dir_type:dir { search write };
')
# Modify .Xauthority file (via xauth program).
ifdef(`xauth.te', `
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
')
ifdef(`cyrus.te', `
allow $1_su_t cyrus_var_lib_t:dir search;
')
ifdef(`ssh.te', `
# Access sshd cookie files.
allow $1_su_t sshd_tmp_t:file rw_file_perms;
file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
')
') dnl end TODO
')
type $1_su_t;
domain_entry_file($1_su_t,su_exec_t)
domain_type($1_su_t)
domain_role_change_exempt($1_su_t)
domain_subj_id_change_exempt($1_su_t)
domain_obj_id_change_exempt($1_su_t)
domain_wide_inherit_fd($1_su_t)
role $3 types $1_su_t;
allow $2 $1_su_t:process signal;
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $1_su_t $2:fd use;
allow $1_su_t $2:fifo_file rw_file_perms;
allow $1_su_t $2:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctl($1_su_t)
# for SSP
dev_read_urand($1_su_t)
fs_search_auto_mountpoints($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
# Relabel ttys and ptys.
term_relabel_all_user_ttys($1_su_t)
term_relabel_all_user_ptys($1_su_t)
# Close and re-open ttys and ptys to get the fd into the correct domain.
term_use_all_user_ttys($1_su_t)
term_use_all_user_ptys($1_su_t)
auth_domtrans_user_chk_passwd($1_su_t,$1)
auth_dontaudit_read_shadow($1_su_t)
domain_wide_inherit_fd($1_su_t)
files_read_etc_files($1_su_t)
files_search_var_lib($1_su_t)
init_dontaudit_use_fd($1_su_t)
# Write to utmp.
init_rw_script_pid($1_su_t)
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
userdom_use_user_terminals($1,$1_su_t)
if(secure_mode)
{
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
if (use_nfs_home_dirs) {
fs_search_nfs($1_su_t)
}
if (use_samba_home_dirs) {
fs_search_cifs($1_su_t)
}
optional_policy(`crond.te',`
cron_read_pipe($1_su_t)
')
optional_policy(`kerberos.te',`
kerberos_use($1_su_t)
')
optional_policy(`nis.te',`
nis_use_ypbind($1_su_t)
')
optional_policy(`nscd.te',`
nscd_use_socket($1_su_t)
')
ifdef(`TODO',`
# Caused by su - init scripts
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
allow $1_su_t $1_home_t:file create_file_perms;
ifdef(`user_canbe_sysadm', `
allow $1_su_t home_dir_type:dir { search write };
', `
dontaudit $1_su_t home_dir_type:dir { search write };
')
# Modify .Xauthority file (via xauth program).
ifdef(`xauth.te', `
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
')
ifdef(`cyrus.te', `
allow $1_su_t cyrus_var_lib_t:dir search;
')
ifdef(`ssh.te', `
# Access sshd cookie files.
allow $1_su_t sshd_tmp_t:file rw_file_perms;
file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
')
') dnl end TODO
')

2
refpolicy/policy/modules/admin/sudo.if
View File

@ -54,7 +54,7 @@ template(`sudo_per_userdomain_template',`
#
# Use capabilities.
allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource };
allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;

59
refpolicy/policy/modules/apps/gpg.if
View File

@ -75,7 +75,7 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t self:capability { ipc_lock setuid };
allow { $2 $1_gpg_t } $1_gpg_t:process signal;
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap };
allow $1_gpg_t self:process { setrlimit setcap setpgid };
allow $1_gpg_t self:fifo_file rw_file_perms;
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
@ -84,9 +84,6 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
allow $2 $1_gpg_secret_t:file getattr;
allow $2 $1_gpg_secret_t:dir rw_dir_perms;
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_raw_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
@ -97,6 +94,7 @@ template(`gpg_per_userdomain_template',`
corenet_udp_sendrecv_all_ports($1_gpg_t)
corenet_tcp_bind_all_nodes($1_gpg_t)
corenet_udp_bind_all_nodes($1_gpg_t)
corenet_tcp_connect_all_ports($1_gpg_t)
dev_read_rand($1_gpg_t)
dev_read_urand($1_gpg_t)
@ -108,8 +106,6 @@ template(`gpg_per_userdomain_template',`
files_read_etc_files($1_gpg_t)
files_read_usr_files($1_gpg_t)
files_dontaudit_search_var($1_gpg_t)
# should not need read access...
files_list_home($1_gpg_t)
libs_use_shared_libs($1_gpg_t)
libs_use_ld_so($1_gpg_t)
@ -122,54 +118,22 @@ template(`gpg_per_userdomain_template',`
userdom_use_user_terminals($1,$1_gpg_t)
# Legacy
tunable_policy(`allow_gpg_execstack',`
allow $1_gpg_t self:process execmem;
libs_legacy_use_shared_libs($1_gpg_t)
libs_legacy_use_ld_so($1_gpg_t)
miscfiles_legacy_read_localization($1_gpg_t)
# Not quite sure why this is needed...
allow $1_gpg_t gpg_exec_t:file execmod;
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_gpg_t)
fs_manage_nfs_files($1_gpg_t)
fs_manage_nfs_symlinks($1_gpg_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_gpg_t)
fs_manage_cifs_files($1_gpg_t)
fs_manage_cifs_symlinks($1_gpg_t)
')
optional_policy(`nis.te',`
nis_use_ypbind($1_gpg_t)
')
ifdef(`TODO',`
# Read content to encrypt/decrypt/sign
read_content($1_gpg_t, $1)
# Write content to encrypt/decrypt/sign
write_trusted($1_gpg_t, $1)
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
# allow ps to show gpg
can_ps($1_t, $1_gpg_t)
# use $1_gpg_secret_t for files it creates
# NB we are doing the type transition for directory creation only!
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
# a file and write output to your home directory it will use user_home_t.
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
create_dir_file($1_gpg_t, $1_home_t)
# allow the usual access to /tmp
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
rw_dir_create_file($1_gpg_t, $1_file_type)
') dnl end TODO
########################################
@ -210,6 +174,7 @@ template(`gpg_per_userdomain_template',`
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
corenet_udp_bind_all_nodes($1_gpg_helper_t)
corenet_tcp_connect_all_ports($1_gpg_helper_t)
dev_read_urand($1_gpg_helper_t)
@ -232,9 +197,8 @@ template(`gpg_per_userdomain_template',`
ifdef(`TODO',`
ifdef(`xdm.te', `
dontaudit $1_gpg_t xdm_t:fd use;
dontaudit $1_gpg_t xdm_t:fifo_file read;
ifdef(`xdm.te',`
can_pipe_xdm($1_gpg_t)
')
') dnl end TODO
@ -296,8 +260,6 @@ template(`gpg_per_userdomain_template',`
ifdef(`TODO',`
allow $1_gpg_agent_t xdm_t:fd use;
# allow ps to show gpg-agent
can_ps($1_t, $1_gpg_agent_t)
@ -353,7 +315,6 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
allow $1_gpg_pinentry_t xdm_t:fd use;
')
allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };

6
refpolicy/policy/modules/kernel/filesystem.te
View File

@ -62,10 +62,6 @@ type inotifyfs_t, filesystem_type;
allow inotifyfs_t self:filesystem associate;
genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)
type mqueue_t, filesystem_type;
files_mountpoint(mqueue_t)
allow mqueue_t self:filesystem associate;
type nfsd_fs_t, filesystem_type;
genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
@ -86,12 +82,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
#
type tmpfs_t, filesystem_type;
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
fs_use_trans mqueue context_template(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);

2
refpolicy/policy/modules/kernel/kernel.te
View File

@ -28,7 +28,7 @@ attribute sysctl_type;
type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
role system_r types kernel_t;
domain_base_type(kernel_t)
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
#
# Procfs types

2
refpolicy/policy/modules/kernel/selinux.te
View File

@ -15,7 +15,7 @@ attribute can_setsecparam;
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
type security_t;
type security_t; #, mlstrustedobject;
fs_type(security_t)
sid security context_template(system_u:object_r:security_t,s0)
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)

5
refpolicy/policy/modules/services/cron.if
View File

@ -91,6 +91,7 @@ template(`cron_per_userdomain_template',`
corenet_udp_sendrecv_all_ports($1_crond_t)
corenet_tcp_bind_all_nodes($1_crond_t)
corenet_udp_bind_all_nodes($1_crond_t)
corenet_tcp_connect_all_ports($1_crond_t)
dev_read_urand($1_crond_t)
@ -188,6 +189,8 @@ template(`cron_per_userdomain_template',`
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
kernel_read_system_state($1_crontab_t)
# for the checks used by crontab -u
selinux_dontaudit_search_fs($1_crontab_t)
@ -210,7 +213,7 @@ template(`cron_per_userdomain_template',`
miscfiles_read_localization($1_crontab_t)
seutil_dontaudit_search_config($1_crontab_t)
seutil_read_config($1_crontab_t)
userdom_manage_user_tmp_dirs($1,$1_crontab_t)
userdom_manage_user_tmp_files($1,$1_crontab_t)

9
refpolicy/policy/modules/services/dbus.if
View File

@ -46,12 +46,13 @@ template(`dbus_per_userdomain_template',`
#
allow $1_dbusd_t self:process { getattr sigkill signal };
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow $1_dbusd_t self:netlink_selinux_socket { create bind read };
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
# For connecting to the bus
allow $2 $1_dbusd_t:unix_stream_socket connectto;
@ -141,6 +142,12 @@ template(`dbus_per_userdomain_template',`
optional_policy(`nscd.te',`
nscd_use_socket($1_dbusd_t)
')
ifdef(`TODO',`
ifdef(`xdm.te', `
can_pipe_xdm($1_dbusd_t)
')
')
')
#######################################

6
refpolicy/policy/modules/services/kerberos.fc
View File

@ -1,6 +1,10 @@
/etc/krb5\.conf -- context_template(system_u:object_r:krb5_conf_t,s0)
/etc/krb5\.keytab context_template(system_u:object_r:krb5_keytab_t,s0)
/etc/krb5kdc(/.*)? context_template(system_u:object_r:krb5kdc_conf_t,s0)
/etc/krb5kdc/kadm5.keytab -- context_template(system_u:object_r:krb5_keytab_t,s0)
/etc/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
/usr(/local)?(/kerberos)?/sbin/krb5kdc -- context_template(system_u:object_r:krb5kdc_exec_t,s0)
/usr(/local)?(/kerberos)?/sbin/kadmind -- context_template(system_u:object_r:kadmind_exec_t,s0)
@ -11,4 +15,4 @@
/var/kerberos/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
/var/log/krb5kdc\.log context_template(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmind\.log context_template(system_u:object_r:kadmind_log_t,s0)
/var/log/kadmin(d)?\.log context_template(system_u:object_r:kadmind_log_t,s0)

1
refpolicy/policy/modules/services/kerberos.if
View File

@ -54,6 +54,7 @@ interface(`kerberos_use',`
corenet_udp_sendrecv_kerberos_port($1)
corenet_tcp_bind_all_nodes($1)
corenet_udp_bind_all_nodes($1)
corenet_tcp_connect_kerberos_port($1)
sysnet_read_config($1)
sysnet_dns_name_resolve($1)
')

1
refpolicy/policy/modules/services/mta.if
View File

@ -70,6 +70,7 @@ template(`mta_per_userdomain_template',`
corenet_raw_sendrecv_all_nodes($1_mail_t)
corenet_tcp_sendrecv_all_ports($1_mail_t)
corenet_tcp_bind_all_nodes($1_mail_t)
corenet_tcp_connect_all_ports($1_mail_t)
domain_use_wide_inherit_fd($1_mail_t)

56
refpolicy/policy/modules/services/ssh.if
View File

@ -110,6 +110,7 @@ template(`ssh_per_userdomain_template',`
corenet_raw_sendrecv_all_nodes($1_ssh_t)
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_bind_all_nodes($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
dev_read_urand($1_ssh_t)
@ -132,6 +133,7 @@ template(`ssh_per_userdomain_template',`
files_read_usr_files($1_ssh_t)
files_read_etc_runtime_files($1_ssh_t)
files_read_etc_files($1_ssh_t)
files_read_var_files($1_ssh_t)
libs_use_ld_so($1_ssh_t)
libs_use_shared_libs($1_ssh_t)
@ -184,9 +186,6 @@ template(`ssh_per_userdomain_template',`
')
ifdef(`TODO',`
# Read /var.
allow $1_ssh_t var_t:dir r_dir_perms;
allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
# Read /var/run, /var/log.
allow $1_ssh_t var_run_t:dir r_dir_perms;
@ -215,32 +214,33 @@ template(`ssh_per_userdomain_template',`
# allow ps to show ssh
can_ps($1_t, $1_ssh_t)
ifdef(`xserver.te', `
# Communicate with the X server.
can_unix_connect($1_ssh_t, $1_xserver_t)
allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
allow $1_ssh_t $1_xserver_tmp_t:dir search;
ifdef(`xdm.te', `
allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
allow $1_ssh_t { xdm_tmp_t }:sock_file write;
')
')dnl end if xserver
# Connect to X server
x_client_domain($1_ssh, $1)
#allow ssh to access keys stored on removable media
# Should we have a boolean around this?
files_search_mnt($1_ssh_t)
r_dir_file($1_ssh_t, removable_t)
ifdef(`xdm.te', `
# should be able to remove these two later
allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
allow $1_ssh_t xdm_xserver_tmp_t:dir search;
allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
allow $1_ssh_t xdm_xserver_t:fd use;
allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
allow $1_ssh_t xdm_t:fd use;
')dnl end if xdm.te
type $1_ssh_keysign_t, domain, nscd_client_domain;
role $1_r types $1_ssh_keysign_t;
if (allow_ssh_keysign) {
domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
allow $1_ssh_keysign_t self:capability { setgid setuid };
allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
uses_shlib($1_ssh_keysign_t)
dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
dontaudit $1_ssh_keysign_t proc_t:dir search;
dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
allow $1_ssh_keysign_t usr_t:dir search;
allow $1_ssh_keysign_t etc_t:file { getattr read };
allow $1_ssh_keysign_t self:dir search;
allow $1_ssh_keysign_t self:file { getattr read };
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
}
') dnl endif TODO
##############################
@ -301,7 +301,7 @@ template(`ssh_per_userdomain_template',`
miscfiles_read_localization($1_ssh_agent_t)
seutil_dontaudit_search_config($1_ssh_agent_t)
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_agent_t)
@ -325,14 +325,14 @@ template(`ssh_per_userdomain_template',`
')
optional_policy(`xdm.te', `
xdm_use_fd($1_ssh_agent_t)
xdm_rw_pipe($1_ssh_agent_t)
# KDM:
xdm_sigchld($1_ssh_agent_t)
#xdm_sigchld($1_ssh_agent_t)
')
ifdef(`TODO',`
ifdef(`xdm.te',`
can_pipe_xdm($1_ssh_agent_t)
')
# allow ps to show ssh
can_ps($1_t, $1_ssh_agent_t)

49
refpolicy/policy/modules/system/authlogin.if
View File

@ -47,12 +47,14 @@ template(`authlogin_per_userdomain_template',`
role $3 types $1_chkpwd_t;
role $3 types system_chkpwd_t;
allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# Transition from the user domain to this domain.
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
@ -64,6 +66,9 @@ template(`authlogin_per_userdomain_template',`
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
dev_read_rand($1_chkpwd_t)
dev_read_urand($1_chkpwd_t)
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
domain_use_wide_inherit_fd($1_chkpwd_t)
@ -82,6 +87,7 @@ template(`authlogin_per_userdomain_template',`
seutil_read_config($1_chkpwd_t)
sysnet_dns_name_resolve($1_chkpwd_t)
sysnet_use_ldap($1_chkpwd_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_chkpwd_t)
@ -93,17 +99,6 @@ template(`authlogin_per_userdomain_template',`
kerberos_use($1_chkpwd_t)
')
optional_policy(`ldap.te',`
allow $1_chkpwd_t self:tcp_socket create_socket_perms;
corenet_tcp_sendrecv_all_if($1_chkpwd_t)
corenet_raw_sendrecv_all_if($1_chkpwd_t)
corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
corenet_tcp_bind_all_nodes($1_chkpwd_t)
sysnet_read_config($1_chkpwd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind($1_chkpwd_t)
')
@ -115,6 +110,12 @@ template(`authlogin_per_userdomain_template',`
optional_policy(`selinuxutil.te',`
seutil_use_newrole_fd($1_chkpwd_t)
')
ifdef(`TODO',`
can_winbind($1)
r_dir_file($1, cert_t)
dontaudit $1 shadow_t:file { getattr read };
')
')
########################################
@ -221,6 +222,9 @@ interface(`auth_domtrans_chk_passwd',`
corecmd_search_sbin($1)
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
allow $1 self:capability { audit_write audit_control };
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow $1 system_chkpwd_t:fd use;
allow system_chkpwd_t $1:fd use;
allow system_chkpwd_t $1:fifo_file rw_file_perms;
@ -228,26 +232,25 @@ interface(`auth_domtrans_chk_passwd',`
dontaudit $1 shadow_t:file { getattr read };
dev_read_rand($1)
dev_read_urand($1)
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
optional_policy(`kerberos.te',`
kerberos_use($1)
')
optional_policy(`ldap.te',`
allow $1 self:tcp_socket create_socket_perms;
corenet_tcp_sendrecv_all_if($1)
corenet_raw_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_ldap_port($1)
corenet_tcp_bind_all_nodes($1)
sysnet_read_config($1)
')
optional_policy(`nis.te',`
nis_use_ypbind($1)
')
ifdef(`TODO',`
can_winbind($1)
r_dir_file($1, cert_t)
dontaudit $1 shadow_t:file { getattr read };
')
')
########################################

19
refpolicy/policy/modules/system/corecommands.fc
View File

@ -46,11 +46,11 @@ ifdef(`targeted_policy',`
#
# /opt
#
/opt/.*/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
/opt/(.*)?/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
/opt/.*/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
/opt/(.*)?/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
/opt/.*/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
/opt/(.*)?/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
#
# /usr
@ -70,23 +70,20 @@ ifdef(`distro_suse', `
')
/usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)
/usr/lib(64)?/misc/sftp-server -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/news/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
ifdef(`distro_suse', `
/usr/lib(64)?/ssh/.* -- context_template(system_u:object_r:bin_t,s0)
')
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
/usr/libexec/openssh/sftp-server -- context_template(system_u:object_r:bin_t,s0)
@ -97,8 +94,8 @@ ifdef(`distro_suse', `
/usr/share/gnucash/finance-quote-check -- context_template(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- context_template(system_u:object_r:bin_t,s0)
/usr/share/mc/extfs/.* -- context_template(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)
#
# /var

34
refpolicy/policy/modules/system/files.fc
View File

@ -19,8 +19,8 @@ ifdef(`distro_redhat',`
# /boot
#
/boot/\.journal <<none>>
/boot/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/boot/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
/boot/lost\+found/.* <<none>>
#
# /etc
@ -66,7 +66,8 @@ ifdef(`distro_gentoo', `
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
HOME_ROOT -d context_template(system_u:object_r:home_root_t,s0)
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
HOME_ROOT/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
HOME_ROOT/lost\+found/.* <<none>>
#
# /initrd
@ -77,7 +78,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
#
# /lost+found
#
/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
/lost\+found/.* <<none>>
#
# /media
@ -98,7 +100,7 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
#
/opt(/.*)? context_template(system_u:object_r:usr_t,s0)
/opt/.*/var/lib(64)?(/.*)? context_template(system_u:object_r:var_lib_t,s0)
/opt/(.*)?/var/lib(64)?(/.*)? context_template(system_u:object_r:var_lib_t,s0)
#
# /proc
@ -110,6 +112,11 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
#
/selinux(/.*)? <<none>>
#
# /srv
#
/srv(/.*)? context_template(system_u:object_r:var_t,s0)
#
# /sys
#
@ -122,7 +129,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
/tmp/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/tmp/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
/tmp/lost\+found/.* <<none>>
#
# /usr
@ -130,8 +138,6 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/usr(/.*)? context_template(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>>
/usr/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/usr/etc(/.*)? context_template(system_u:object_r:etc_t,s0)
/usr/inclu.e(/.*)? context_template(system_u:object_r:usr_t,s0)
@ -140,10 +146,14 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/usr/local/etc(/.*)? context_template(system_u:object_r:etc_t,s0)
/usr/local/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/usr/local/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
/usr/local/lost\+found/.* <<none>>
/usr/local/src(/.*)? context_template(system_u:object_r:src_t,s0)
/usr/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
/usr/lost\+found/.* <<none>>
/usr/share(/.*)?/lib(64)?(/.*)? context_template(system_u:object_r:usr_t,s0)
/usr/src(/.*)? context_template(system_u:object_r:src_t,s0)
@ -167,7 +177,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/var/lock(/.*)? context_template(system_u:object_r:var_lock_t,s0)
/var/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/var/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
/var/lost\+found/.* <<none>>
/var/run(/.*)? context_template(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@ -176,5 +187,6 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/var/tmp -d context_template(system_u:object_r:tmp_t,s0)
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d context_template(system_u:object_r:tmp_t,s0)

12
refpolicy/policy/modules/system/files.if
View File

@ -73,15 +73,21 @@ interface(`files_pid_file',`
')
########################################
#
# files_tmp_file(type)
#
## <summary>
## Make the specified type a file
## used for temporary files.
## </summary>
## <param name="file_type">
## Type of the file to be used as a
## temporary file.
## </param>
interface(`files_tmp_file',`
gen_require(`
attribute tmpfile;
')
files_type($1)
fs_associate_tmpfs($1)
typeattribute $1 tmpfile;
')

12
refpolicy/policy/modules/system/libraries.fc
View File

@ -15,8 +15,8 @@
#
# /opt
#
/opt/.*/lib(64)?(/.*)? context_template(system_u:object_r:lib_t,s0)
/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
/opt/(.*)?/lib(64)?(/.*)? context_template(system_u:object_r:lib_t,s0)
/opt/(.*)?/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
#
# /sbin
@ -26,6 +26,10 @@
#
# /usr
#
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr(/.*)?/java/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
@ -41,6 +45,10 @@
/usr/lib/win32/.* -- context_template(system_u:object_r:shlib_t,s0)
/usr/(local/)?lib/wine/.*\.so -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/(local/)?lib/libfame-.*\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/local/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
/usr/X11R6/lib/libGL\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)

10
refpolicy/policy/modules/system/logging.if
View File

@ -1,8 +1,13 @@
## <summary>Policy for the kernel message logger and system logging daemon.</summary>
#######################################
#
# logging_log_file(domain)
## <summary>
## Make the specified type a file
## used for logs.
## </summary>
## <param name="file_type">
## Type of the file to be used as a log.
## </param>
#
interface(`logging_log_file',`
gen_require(`
@ -10,6 +15,7 @@ interface(`logging_log_file',`
')
files_type($1)
fs_associate_tmpfs($1)
typeattribute $1 logfile;
')

13
refpolicy/policy/modules/system/lvm.fc
View File

@ -8,23 +8,18 @@
#
/etc/lvm(/.*)? context_template(system_u:object_r:lvm_etc_t,s0)
/etc/lvm/\.cache -- context_template(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/archive(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/backup(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/lock(/.*)? context_template(system_u:object_r:lvm_lock_t,s0)
/etc/lvmtab(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
/etc/lvmtab\.d(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
#
# /lib
#
/lib/lvm-10(/.*) -- context_template(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200(/.*) -- context_template(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-10/.* -- context_template(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- context_template(system_u:object_r:lvm_exec_t,s0)
#
# /sbin
@ -50,6 +45,7 @@
/sbin/lvresize -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/lvs -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/lvscan -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/multipathd -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/pvchange -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/pvcreate -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/pvdata -- context_template(system_u:object_r:lvm_exec_t,s0)
@ -82,9 +78,12 @@
#
# /usr
#
/usr/sbin/clvmd -- context_template(system_u:object_r:clvmd_exec_t,s0)
/usr/sbin/lvm -- context_template(system_u:object_r:lvm_exec_t,s0)
#
# /var
#
/var/lock/lvm(/.*)? context_template(system_u:object_r:lvm_lock_t,s0)
/var/cache/multipathd(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)

96
refpolicy/policy/modules/system/lvm.te
View File

@ -6,6 +6,13 @@ policy_module(lvm,1.0)
# Declarations
#
type clvmd_t;
type clvmd_exec_t;
init_daemon_domain(clvmd_t,clvmd_exec_t)
type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
type lvm_t;
type lvm_exec_t;
init_system_domain(lvm_t,lvm_exec_t)
@ -28,7 +35,91 @@ files_tmp_file(lvm_tmp_t)
########################################
#
# Local policy
# Cluster LVM daemon local policy
#
dontaudit clvmd_t self:capability sys_tty_config;
allow clvmd_t self:socket create_socket_perms;
allow clvmd_t self:fifo_file { read write };
allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow clvmd_t self:tcp_socket create_stream_socket_perms;
allow clvmd_t self:udp_socket create_socket_perms;
allow clvmd_t clvmd_var_run_t:file create_file_perms;
allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
files_create_pid(clvmd_t,clvmd_var_run_t)
kernel_read_kernel_sysctl(clvmd_t)
kernel_list_proc(clvmd_t)
kernel_read_proc_symlinks(clvmd_t)
corenet_tcp_sendrecv_all_if(clvmd_t)
corenet_udp_sendrecv_all_if(clvmd_t)
corenet_raw_sendrecv_all_if(clvmd_t)
corenet_tcp_sendrecv_all_nodes(clvmd_t)
corenet_udp_sendrecv_all_nodes(clvmd_t)
corenet_raw_sendrecv_all_nodes(clvmd_t)
corenet_tcp_sendrecv_all_ports(clvmd_t)
corenet_udp_sendrecv_all_ports(clvmd_t)
corenet_tcp_bind_all_nodes(clvmd_t)
corenet_udp_bind_all_nodes(clvmd_t)
corenet_tcp_bind_reserved_port(clvmd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
dev_read_sysfs(clvmd_t)
fs_getattr_all_fs(clvmd_t)
fs_search_auto_mountpoints(clvmd_t)
term_dontaudit_use_console(clvmd_t)
domain_use_wide_inherit_fd(clvmd_t)
init_use_fd(clvmd_t)
init_use_script_pty(clvmd_t)
libs_use_ld_so(clvmd_t)
libs_use_shared_libs(clvmd_t)
logging_send_syslog_msg(clvmd_t)
miscfiles_read_localization(clvmd_t)
seutil_dontaudit_search_config(clvmd_t)
seutil_sigchld_newrole(clvmd_t)
sysnet_read_config(clvmd_t)
userdom_dontaudit_use_unpriv_user_fd(clvmd_t)
userdom_dontaudit_search_sysadm_home_dir(clvmd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(clvmd_t)
term_dontaudit_use_generic_pty(clvmd_t)
files_dontaudit_read_root_file(clvmd_t)
')
optional_policy(`mount.te',`
mount_send_nfs_client_request(clvmd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(clvmd_t)
')
optional_policy(`udev.te', `
udev_read_db(clvmd_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(clvmd_t)
')
') dnl end TODO
########################################
#
# LVM Local policy
#
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
@ -167,13 +258,10 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
optional_policy(`gnome-pty-helper.te', `
allow lvm_t sysadm_gph_t:fd use;
')
optional_policy(`rhgb.te',`
rhgb_domain(lvm_t)
')
') dnl end TODO

6
refpolicy/policy/modules/system/miscfiles.fc
View File

@ -1,13 +1,15 @@
#
# /etc
#
/etc/localtime -- context_template(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? context_template(system_u:object_r:cert_t,s0)
#
# /opt
#
/opt/.*/man(/.*)? context_template(system_u:object_r:man_t,s0)
/opt/(.*)?/man(/.*)? context_template(system_u:object_r:man_t,s0)
/srv/([^/]*/)?rsync(/.*)? context_template(system_u:object_r:ftpd_anon_t,s0)
#
# /usr

3
refpolicy/policy/modules/system/miscfiles.te
View File

@ -25,6 +25,9 @@ files_type(fonts_t)
type ftpd_anon_t; #, customizable;
files_type(ftpd_anon_t)
type ftpd_anon_rw_t; #, customizable;
files_type(ftpd_anon_rw_t)
#
# type for /tmp/.ICE-unix
#

3
refpolicy/policy/modules/system/selinuxutil.te
View File

@ -181,8 +181,7 @@ userdom_use_all_user_fd(load_policy_t)
# Newrole local policy
#
allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
allow newrole_t self:capability { fowner setuid setgid dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;

2
refpolicy/policy/modules/system/userdomain.if
View File

@ -41,10 +41,12 @@ template(`base_user_template',`
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
fs_associate_tmpfs($1_home_t)
# type of home directory
type $1_home_dir_t, home_dir_type, home_type;
files_type($1_home_dir_t)
fs_associate_tmpfs($1_home_dir_t)
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)

9
refpolicy/policy/support/misc_macros.spt
View File

@ -13,19 +13,14 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
########################################
#
# gen_user(username, role_set, mls_defaultlevel, mls_range)
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
define(`gen_user',`
user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
')
define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
########################################
#
# gen_con(context,mls_sensitivity,[mcs_categories])
#
# MLS: Optionally put the sensitivity for the file
# MCS: Optionally put the categories of the file
#
define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
########################################

7
refpolicy/policy/systemuser
View File

@ -4,11 +4,8 @@
#
#
# gen_user(username, role_set, mls_defaultlevel, mls_range)
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
define(`gen_user',`
user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
')
#
# system_u is the user identity for system processes and objects.
@ -16,7 +13,7 @@ user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
# Normal users should not be added to this file,
# but instead added to the users file.

8
refpolicy/policy/users
View File

@ -5,7 +5,7 @@
#
#
# gen_user(username, role_set, mls_defaultlevel, mls_range)
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
#
@ -29,11 +29,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
# not in the sysadm_r.
#
ifdef(`targeted_policy',`
gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
',`
ifdef(`direct_sysadm_daemon',`
gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127)
gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
',`
gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
')
')

54
strict/assert.te
View File

@ -30,58 +30,52 @@ neverallow domain ~domain:process { transition dyntransition };
# Verify that only the insmod_t and kernel_t domains
# have the sys_module capability.
#
neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module;
neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
#
# Verify that executable types, the system dynamic loaders, and the
# system shared libraries can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename };
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto;
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
#
# Verify that only appropriate domains can access /etc/shadow
neverallow { domain -auth -auth_write } shadow_t:file ~getattr;
neverallow { domain -auth_write } shadow_t:file ~r_file_perms;
neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
#
# Verify that only appropriate domains can write to /etc (IE mess with
# /etc/passwd)
neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms;
neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms;
neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms };
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
#
# Verify that other system software can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename };
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
#
# Verify that only certain domains have access to the raw disk devices.
#
neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append };
neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
#
# Verify that only the X server and klogd have access to memory devices.
#
neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append };
neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
#
# Verify that only domains with the privlog attribute can actually syslog
#
neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append };
neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
#
# Verify that /proc/kmsg is only accessible to klogd.
#
ifdef(`klogd.te', `
neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms;
', `
ifdef(`syslogd.te', `
neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms;
')dnl end if syslogd
')dnl end if klogd
neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
#
# Verify that /proc/kcore is inaccessible.
@ -93,14 +87,14 @@ neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
# Verify that sysctl variables are only changeable
# by initrc and administrators.
#
neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append };
neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append };
neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append };
neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append };
neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
#
# Verify that certain domains are limited to only being
@ -146,13 +140,13 @@ neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:f
#
# Verify that only the admin domains and initrc_t have setenforce.
#
neverallow { domain -admin -initrc_t } security_t:security setenforce;
neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
#
# Verify that only the kernel and load_policy_t have load_policy.
#
neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy;
neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
#
# for gross mistakes in policy

25
strict/attrib.te
View File

@ -141,6 +141,10 @@ attribute privhome;
# to read /etc/shadow, and grants the permission.
attribute auth;
# The auth_bool attribute identifies every domain that can
# read /etc/shadow if its boolean is set;
attribute auth_bool;
# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;
@ -180,6 +184,12 @@ attribute sysctl_type;
# XXX used in different assertions within assert.te.
attribute admin;
# The secadmin attribute identifies every security administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and secadm_t
attribute secadmin;
# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
@ -454,3 +464,18 @@ attribute transitionbool;
# of the file system.
attribute customizable;
##############################
# Attributes for polyinstatiation support:
#
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;

13
strict/domains/program/lvm.te
View File

@ -121,3 +121,16 @@ r_dir_file(lvm_t, selinux_config_t)
# it has no reason to need this
dontaudit lvm_t proc_kcore_t:file getattr;
# cluster LVM daemon
daemon_domain(clvmd)
can_network(clvmd_t)
can_ypbind(clvmd_t)
allow clvmd_t self:capability net_bind_service;
allow clvmd_t self:socket create_socket_perms;
allow clvmd_t self:fifo_file { read write };
allow clvmd_t self:file { getattr read };
allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow clvmd_t reserved_port_t:tcp_socket name_bind;
dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
dontaudit clvmd_t selinux_config_t:dir search;

17
strict/domains/program/snmpd.te
View File

@ -8,7 +8,7 @@
#
# Rules for the snmpd_t domain.
#
daemon_domain(snmpd)
daemon_domain(snmpd, `, nscd_client_domain')
#temp
allow snmpd_t var_t:dir getattr;
@ -16,17 +16,14 @@ allow snmpd_t var_t:dir getattr;
can_network_server(snmpd_t)
can_ypbind(snmpd_t)
type snmp_port_t, port_type, reserved_port_type;
allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
etc_domain(snmpd)
typealias snmpd_etc_t alias etc_snmpd_t;
# for the .index file
var_lib_domain(snmpd)
file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
typealias snmpd_var_lib_t alias snmpd_var_rw_t;
log_domain(snmpd)
# for /usr/share/snmp/mibs
@ -39,13 +36,15 @@ allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_socket_perms;
allow snmpd_t etc_t:lnk_file read;
allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
allow snmpd_t urandom_device_t:chr_file read;
allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
allow snmpd_t proc_t:dir search;
allow snmpd_t proc_t:file r_file_perms;
allow snmpd_t self:file { getattr read };
allow snmpd_t self:fifo_file { read write };
allow snmpd_t self:fifo_file rw_file_perms;
allow snmpd_t { bin_t sbin_t }:dir search;
can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
@ -61,6 +60,9 @@ dontaudit snmpd_t initrc_var_run_t:file write;
dontaudit snmpd_t rpc_pipefs_t:dir getattr;
allow snmpd_t rpc_pipefs_t:dir getattr;
read_sysctl(snmpd_t)
allow snmpd_t sysctl_net_t:dir search;
allow snmpd_t sysctl_net_t:file { getattr read };
dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
allow snmpd_t sysfs_t:dir { getattr read search };
ifdef(`amanda.te', `
@ -75,6 +77,7 @@ allow snmpd_t var_lib_nfs_t:dir search;
allow snmpd_t proc_net_t:dir search;
allow snmpd_t proc_net_t:file r_file_perms;
dontaudit snmpd_t domain:dir { getattr search };
allow snmpd_t domain:dir { getattr search };
allow snmpd_t domain:file { getattr read };
dontaudit snmpd_t selinux_config_t:dir search;

9
strict/file_contexts/program/kerberos.fc
View File

@ -9,3 +9,12 @@
/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
/var/log/kadmind\.log system_u:object_r:kadmind_log_t
/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
# gentoo file locations
/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t
/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t
/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t
/var/log/kadmin.log -- system_u:object_r:kadmind_log_t

7
strict/file_contexts/program/lvm.fc
View File

@ -13,8 +13,8 @@
/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t
/dev/lvm -c system_u:object_r:fixed_disk_device_t
/dev/mapper/control -c system_u:object_r:lvm_control_t
/lib/lvm-10(/.*) -- system_u:object_r:lvm_exec_t
/lib/lvm-200(/.*) -- system_u:object_r:lvm_exec_t
/lib/lvm-10/.* -- system_u:object_r:lvm_exec_t
/lib/lvm-200/.* -- system_u:object_r:lvm_exec_t
/sbin/e2fsadm -- system_u:object_r:lvm_exec_t
/sbin/lvchange -- system_u:object_r:lvm_exec_t
/sbin/lvcreate -- system_u:object_r:lvm_exec_t
@ -64,3 +64,6 @@
/sbin/pvremove -- system_u:object_r:lvm_exec_t
/sbin/pvs -- system_u:object_r:lvm_exec_t
/sbin/vgs -- system_u:object_r:lvm_exec_t
/sbin/multipathd -- system_u:object_r:lvm_exec_t
/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t

1
strict/file_contexts/program/rsync.fc
View File

@ -1,2 +1,3 @@
# rsync program
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t

60
strict/file_contexts/types.fc
View File

@ -261,13 +261,13 @@ ifdef(`distro_suse', `
# /opt
#
/opt(/.*)? system_u:object_r:usr_t
/opt/.*/lib(64)?(/.*)? system_u:object_r:lib_t
/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/opt/.*/libexec(/.*)? system_u:object_r:bin_t
/opt/.*/bin(/.*)? system_u:object_r:bin_t
/opt/.*/sbin(/.*)? system_u:object_r:sbin_t
/opt/.*/man(/.*)? system_u:object_r:man_t
/opt/.*/var/lib(64)?(/.*)? system_u:object_r:var_lib_t
/opt(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t
/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/opt(/.*)?/libexec(/.*)? system_u:object_r:bin_t
/opt(/.*)?/bin(/.*)? system_u:object_r:bin_t
/opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
/opt(/.*)?/man(/.*)? system_u:object_r:man_t
/opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t
#
# /etc
@ -359,7 +359,9 @@ ifdef(`distro_gentoo', `
# nvidia share libraries
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
# libGL
@ -385,6 +387,10 @@ ifdef(`distro_gentoo', `
/usr/local/etc(/.*)? system_u:object_r:etc_t
/usr/local/src(/.*)? system_u:object_r:src_t
/usr/local/man(/.*)? system_u:object_r:man_t
/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t
/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t
#
# /usr/X11R6/man
@ -442,13 +448,22 @@ HOME_ROOT/\.journal <<none>>
#
# Lost and found directories.
#
/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/lost\+found(/.*)? system_u:object_r:lost_found_t
/boot/lost\+found(/.*)? system_u:object_r:lost_found_t
HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
/var/lost\+found(/.*)? system_u:object_r:lost_found_t
/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t
/lost\+found -d system_u:object_r:lost_found_t
/lost\+found/.* <<none>>
/usr/lost\+found -d system_u:object_r:lost_found_t
/usr/lost\+found/.* <<none>>
/boot/lost\+found -d system_u:object_r:lost_found_t
/boot/lost\+found/.* <<none>>
HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t
HOME_ROOT/lost\+found/.* <<none>>
/var/lost\+found -d system_u:object_r:lost_found_t
/var/lost\+found/.* <<none>>
/tmp/lost\+found -d system_u:object_r:lost_found_t
/tmp/lost\+found/.* <<none>>
/var/tmp/lost\+found -d system_u:object_r:lost_found_t
/var/tmp/lost\+found/.* <<none>>
/usr/local/lost\+found -d system_u:object_r:lost_found_t
/usr/local/lost\+found/.* <<none>>
#
# system localization
@ -458,6 +473,7 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/lib/locale(/.*)? system_u:object_r:locale_t
/etc/localtime -- system_u:object_r:locale_t
/etc/localtime -l system_u:object_r:etc_t
/etc/pki(/.*)? system_u:object_r:cert_t
#
# Gnu Cash
@ -465,6 +481,11 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
#
# Turboprint
#
/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
#
# initrd mount point, only used during boot
#
@ -481,5 +502,12 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
#
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
#
# /srv
#
/srv(/.*)? system_u:object_r:var_t

25
strict/macros/program/chkpwd_macros.te
View File

@ -17,30 +17,25 @@ define(`chkpwd_domain',`
# Derived domain based on the calling user domain and the program.
type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
role $1_r types $1_chkpwd_t;
# is_selinux_enabled
allow $1_chkpwd_t proc_t:file read;
can_getcon($1_chkpwd_t)
can_ypbind($1_chkpwd_t)
can_kerberos($1_chkpwd_t)
can_ldap($1_chkpwd_t)
can_resolve($1_chkpwd_t)
# Transition from the user domain to this domain.
authentication_domain($1_chkpwd_t)
ifelse($1, system, `
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
role system_r types system_chkpwd_t;
dontaudit auth_chkpwd shadow_t:file { getattr read };
allow auth_chkpwd sbin_t:dir search;
dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
can_ypbind(auth_chkpwd)
can_kerberos(auth_chkpwd)
can_ldap(auth_chkpwd)
can_resolve(auth_chkpwd)
allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
authentication_domain(auth_chkpwd)
', `
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
allow $1_t sbin_t:dir search;
# The user role is authorized for this domain.
role $1_r types $1_chkpwd_t;
allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# Write to the user domain tty.
access_terminal($1_chkpwd_t, $1)

1
strict/macros/program/crond_macros.te
View File

@ -67,6 +67,7 @@ role $1_r types $1_crond_t;
# This domain is granted permissions common to most domains.
can_network($1_crond_t)
allow $1_crond_t port_type:tcp_socket name_connect;
can_ypbind($1_crond_t)
r_dir_file($1_crond_t, self)
allow $1_crond_t self:fifo_file rw_file_perms;

7
strict/macros/program/crontab_macros.te
View File

@ -41,8 +41,6 @@ read_locale($1_crontab_t)
# Use capabilities dac_override is to create the file in the directory
# under /tmp
allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
dontaudit $1_crontab_t proc_t:dir search;
dontaudit $1_crontab_t selinux_config_t:dir search;
# Type for temporary files.
file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
@ -65,6 +63,11 @@ dontaudit $1_crontab_t crond_t:process signal;
# for the checks used by crontab -u
dontaudit $1_crontab_t security_t:dir search;
allow $1_crontab_t proc_t:dir search;
allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
allow $1_crontab_t selinux_config_t:dir search;
allow $1_crontab_t selinux_config_t:file { getattr read };
dontaudit $1_crontab_t self:dir search;
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;

9
strict/macros/program/dbusd_macros.te
View File

@ -30,17 +30,20 @@ r_dir_file($1_dbusd_t, etc_dbusd_t)
tmp_domain($1_dbusd)
allow $1_dbusd_t self:process fork;
ifdef(`xdm.te', `
allow $1_dbusd_t xdm_t:fd use;
allow $1_dbusd_t xdm_t:fifo_file write;
can_pipe_xdm($1_dbusd_t)
')
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
allow $1_dbusd_t self:file { getattr read };
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t proc_t:file read;
can_getsecurity($1_dbusd_t)
r_dir_file($1_dbusd_t, default_context_t)
allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;
ifdef(`pamconsole.te', `
r_dir_file($1_dbusd_t, pam_var_console_t)
')

4
strict/macros/program/gpg_agent_macros.te
View File

@ -22,7 +22,6 @@ domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
role $1_r types $1_gpg_agent_t;
allow $1_gpg_agent_t privfd:fd use;
allow $1_gpg_agent_t xdm_t:fd use;
# Write to the user domain tty.
access_terminal($1_gpg_agent_t, $1)
@ -86,10 +85,9 @@ ifdef(`xdm.te', `
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
allow $1_gpg_pinentry_t xdm_t:fd use;
')dnl end ig xdm.te
r_dir_file($1_gpg_pinentry_t, fonts_t)
read_fonts($1_gpg_pinentry_t, $1)
# read kde font cache
allow $1_gpg_pinentry_t usr_t:file { getattr read };

49
strict/macros/program/gpg_macros.te
View File

@ -23,27 +23,15 @@ type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
role $1_r types $1_gpg_t;
can_network($1_gpg_t)
allow $1_gpg_t port_type:tcp_socket name_connect;
can_ypbind($1_gpg_t)
# for a bug in kmail
dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
# The user role is authorized for this domain.
role $1_r types $1_gpg_t;
# Legacy
if (allow_gpg_execstack) {
legacy_domain($1_gpg)
allow $1_gpg_t locale_t:file execute;
# Not quite sure why this is needed...
allow $1_gpg_t gpg_exec_t:file execmod;
}
allow $1_t $1_gpg_secret_t:file getattr;
allow $1_gpg_t device_t:dir r_dir_perms;
allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
@ -60,45 +48,28 @@ allow $1_gpg_t { privfd $1_t }:fd use;
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap };
allow $1_gpg_t self:process { setrlimit setcap setpgid };
# allow ps to show gpg
can_ps($1_t, $1_gpg_t)
uses_shlib($1_gpg_t)
# should not need read access...
allow $1_gpg_t home_root_t:dir { read search };
# use $1_gpg_secret_t for files it creates
# NB we are doing the type transition for directory creation only!
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
# a file and write output to your home directory it will use user_home_t.
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
# Access .gnupg
rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
create_dir_file($1_gpg_t, $1_home_t)
# Read content to encrypt/decrypt/sign
read_content($1_gpg_t, $1)
# allow the usual access to /tmp
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
if (use_nfs_home_dirs) {
create_dir_file($1_gpg_t, nfs_t)
}
if (use_samba_home_dirs) {
create_dir_file($1_gpg_t, cifs_t)
}
# Write content to encrypt/decrypt/sign
write_trusted($1_gpg_t, $1)
allow $1_gpg_t self:capability { ipc_lock setuid };
rw_dir_create_file($1_gpg_t, $1_file_type)
allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
allow $1_gpg_t fs_t:filesystem getattr;
allow $1_gpg_t usr_t:file r_file_perms;
read_locale($1_gpg_t)
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
dontaudit $1_gpg_t var_t:dir search;
@ -130,6 +101,7 @@ allow $1_gpg_helper_t $1_t:fd use;
allow $1_gpg_helper_t $1_t:fifo_file write;
# get keys from the network
can_network_client($1_gpg_helper_t)
allow $1_gpg_helper_t port_type:tcp_socket name_connect;
allow $1_gpg_helper_t etc_t:file { getattr read };
allow $1_gpg_helper_t urandom_device_t:chr_file read;
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
@ -137,8 +109,7 @@ allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
dontaudit $1_gpg_helper_t var_t:dir search;
ifdef(`xdm.te', `
dontaudit $1_gpg_t xdm_t:fd use;
dontaudit $1_gpg_t xdm_t:fifo_file read;
can_pipe_xdm($1_gpg_t)
')
')dnl end gpg_domain definition

1
strict/macros/program/inetd_macros.te
View File

@ -56,7 +56,6 @@ allow $1_t self:dir search;
allow $1_t self:{ lnk_file file } { getattr read };
can_kerberos($1_t)
allow $1_t urandom_device_t:chr_file r_file_perms;
type $1_port_t, port_type, reserved_port_type;
# Use sockets inherited from inetd.
ifelse($2, `', `
allow inetd_t $1_port_t:udp_socket name_bind;

1
strict/macros/program/kerberos_macros.te
View File

@ -2,6 +2,7 @@ define(`can_kerberos',`
ifdef(`kerberos.te',`
if (allow_kerberos) {
can_network_client($1, `kerberos_port_t')
allow $1 kerberos_port_t:tcp_socket name_connect;
can_resolve($1)
}
') dnl kerberos.te

1
strict/macros/program/mta_macros.te
View File

@ -34,6 +34,7 @@ role $1_r types $1_mail_t;
uses_shlib($1_mail_t)
can_network_client_tcp($1_mail_t)
allow $1_mail_t port_type:tcp_socket name_connect;
can_resolve($1_mail_t)
can_ypbind($1_mail_t)
allow $1_mail_t self:unix_dgram_socket create_socket_perms;

5
strict/macros/program/newrole_macros.te
View File

@ -49,7 +49,7 @@ can_setexec($1_t)
allow $1_t autofs_t:dir search;
# Use capabilities.
allow $1_t self:capability { setuid setgid net_bind_service dac_override };
allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
# Read the devpts root directory.
allow $1_t devpts_t:dir r_dir_perms;
@ -60,8 +60,7 @@ r_dir_file($1_t, selinux_config_t)
allow $1_t etc_t:file r_file_perms;
# Read /var.
allow $1_t var_t:dir r_dir_perms;
allow $1_t var_t:notdevfile_class_set r_file_perms;
r_dir_file($1_t, var_t)
# Read /dev directories and any symbolic links.
allow $1_t device_t:dir r_dir_perms;

6
strict/macros/program/ssh_agent_macros.te
View File

@ -49,6 +49,7 @@ read_locale($1_ssh_agent_t)
allow $1_ssh_agent_t proc_t:dir search;
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
read_sysctl($1_ssh_agent_t)
# Access the ssh temporary files. Should we have an own type here
@ -62,7 +63,7 @@ allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
allow $1_ssh_agent_t self:capability setgid;
# access the random devices
allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
# for ssh-add
can_unix_connect($1_t, $1_ssh_agent_t)
@ -89,8 +90,7 @@ allow $1_ssh_t $1_t:unix_stream_socket connectto;
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
ifdef(`xdm.te', `
allow $1_ssh_agent_t xdm_t:fd use;
allow $1_ssh_agent_t xdm_t:fifo_file { read write };
can_pipe_xdm($1_ssh_agent_t)
# kdm: sigchld
allow $1_ssh_agent_t xdm_t:process sigchld;

51
strict/macros/program/ssh_macros.te
View File

@ -53,8 +53,7 @@ allow $1_ssh_t fs_type:filesystem getattr;
base_file_read_access($1_ssh_t)
# Read /var.
allow $1_ssh_t var_t:dir r_dir_perms;
allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
r_dir_file($1_ssh_t, var_t)
# Read /var/run, /var/log.
allow $1_ssh_t var_run_t:dir r_dir_perms;
@ -63,8 +62,7 @@ allow $1_ssh_t var_log_t:dir r_dir_perms;
allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
# Read /etc.
allow $1_ssh_t etc_t:dir r_dir_perms;
allow $1_ssh_t etc_t:notdevfile_class_set r_file_perms;
r_dir_file($1_ssh_t, etc_t)
allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
@ -80,6 +78,7 @@ allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
# Grant permissions needed to create TCP and UDP sockets and
# to access the network.
can_network_client_tcp($1_ssh_t)
allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
can_resolve($1_ssh_t)
can_ypbind($1_ssh_t)
can_kerberos($1_ssh_t)
@ -130,18 +129,8 @@ allow $1_t $1_ssh_t:process signal;
# allow ps to show ssh
can_ps($1_t, $1_ssh_t)
ifdef(`xserver.te', `
# Communicate with the X server.
ifdef(`startx.te', `
can_unix_connect($1_ssh_t, $1_xserver_t)
allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
allow $1_ssh_t $1_xserver_tmp_t:dir search;
')dnl end if startx
ifdef(`xdm.te', `
allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
allow $1_ssh_t { xdm_tmp_t }:sock_file write;
')
')dnl end if xserver
# Connect to X server
x_client_domain($1_ssh, $1)
ifdef(`ssh-agent.te', `
ssh_agent_domain($1)
@ -152,18 +141,26 @@ ssh_agent_domain($1)
allow $1_ssh_t mnt_t:dir search;
r_dir_file($1_ssh_t, removable_t)
ifdef(`xdm.te', `
# should be able to remove these two later
allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
allow $1_ssh_t xdm_xserver_tmp_t:dir search;
allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
allow $1_ssh_t xdm_xserver_t:fd use;
allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
allow $1_ssh_t xdm_t:fd use;
')dnl end if xdm.te
')dnl end macro definition
type $1_ssh_keysign_t, domain, nscd_client_domain;
role $1_r types $1_ssh_keysign_t;
if (allow_ssh_keysign) {
domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
allow $1_ssh_keysign_t self:capability { setgid setuid };
allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
uses_shlib($1_ssh_keysign_t)
dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
dontaudit $1_ssh_keysign_t proc_t:dir search;
dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
allow $1_ssh_keysign_t usr_t:dir search;
allow $1_ssh_keysign_t etc_t:file { getattr read };
allow $1_ssh_keysign_t self:dir search;
allow $1_ssh_keysign_t self:file { getattr read };
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
}
')dnl end macro definition
', `
define(`ssh_domain',`')

31
strict/macros/program/su_macros.te
View File

@ -24,6 +24,13 @@ ifdef(`su.te', `
define(`su_restricted_domain', `
# Derived domain based on the calling user domain and the program.
type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
ifdef(`support_polyinstantiation', `
typeattribute $1_su_t mlsfileread;
typeattribute $1_su_t mlsfilewrite;
typeattribute $1_su_t mlsfileupgrade;
typeattribute $1_su_t mlsfiledowngrade;
typeattribute $1_su_t mlsprocsetsl;
')
# for SSP
allow $1_su_t urandom_device_t:chr_file { getattr read };
@ -32,7 +39,6 @@ allow $1_su_t urandom_device_t:chr_file { getattr read };
domain_auto_trans($1_t, su_exec_t, $1_su_t)
allow $1_su_t sbin_t:dir search;
domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
uses_shlib($1_su_t)
allow $1_su_t etc_t:file { getattr read };
@ -62,7 +68,7 @@ allow $1_su_t crond_t:fifo_file read;
')
# Use capabilities.
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control };
dontaudit $1_su_t self:capability sys_tty_config;
#
# Caused by su - init scripts
@ -88,6 +94,13 @@ allow $1_su_t privfd:fd use;
allow $1_su_t { var_t var_run_t }:dir search;
allow $1_su_t initrc_var_run_t:file rw_file_perms;
can_kerberos($1_su_t)
ifdef(`chkpwd.te', `
domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
')
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
') dnl end su_restricted_domain
define(`su_mini_domain', `
@ -109,10 +122,6 @@ allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
define(`su_domain', `
su_mini_domain($1)
ifdef(`chkpwd.te', `
# Run chkpwd.
can_exec($1_su_t, chkpwd_exec_t)
')
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
@ -139,6 +148,16 @@ if (use_samba_home_dirs) {
allow $1_su_t cifs_t:dir search;
}
ifdef(`support_polyinstantiation', `
# Su can polyinstantiate
polyinstantiater($1_su_t)
# Su has to unmount polyinstantiated directories (like home)
# that should not be polyinstantiated under the new user
allow $1_su_t fs_t:filesystem unmount;
# Su needs additional permission to mount over a previous mount
allow $1_su_t polymember:dir mounton;
')
# Modify .Xauthority file (via xauth program).
ifdef(`xauth.te', `
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)

212
strict/mcs Normal file
View File

@ -0,0 +1,212 @@
#
# Define sensitivities
#
# Each sensitivity has a name and zero or more aliases.
#
# MCS is single-sensitivity.
#
sensitivity s0;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }
#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0;
category c1;
category c2;
category c3;
category c4;
category c5;
category c6;
category c7;
category c8;
category c9;
category c10;
category c11;
category c12;
category c13;
category c14;
category c15;
category c16;
category c17;
category c18;
category c19;
category c20;
category c21;
category c22;
category c23;
category c24;
category c25;
category c26;
category c27;
category c28;
category c29;
category c30;
category c31;
category c32;
category c33;
category c34;
category c35;
category c36;
category c37;
category c38;
category c39;
category c40;
category c41;
category c42;
category c43;
category c44;
category c45;
category c46;
category c47;
category c48;
category c49;
category c50;
category c51;
category c52;
category c53;
category c54;
category c55;
category c56;
category c57;
category c58;
category c59;
category c60;
category c61;
category c62;
category c63;
category c64;
category c65;
category c66;
category c67;
category c68;
category c69;
category c70;
category c71;
category c72;
category c73;
category c74;
category c75;
category c76;
category c77;
category c78;
category c79;
category c80;
category c81;
category c82;
category c83;
category c84;
category c85;
category c86;
category c87;
category c88;
category c89;
category c90;
category c91;
category c92;
category c93;
category c94;
category c95;
category c96;
category c97;
category c98;
category c99;
category c100;
category c101;
category c102;
category c103;
category c104;
category c105;
category c106;
category c107;
category c108;
category c109;
category c110;
category c111;
category c112;
category c113;
category c114;
category c115;
category c116;
category c117;
category c118;
category c119;
category c120;
category c121;
category c122;
category c123;
category c124;
category c125;
category c126;
category c127;
#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
level s0:c0.c127;
#
# Define the MCS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
#
# MCS policy for the file classes
#
# Constrain file access so that the high range of the process dominates
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
# Only files are constrained by MCS at this stage.
#
mlsconstrain file { read write setattr append unlink link rename
create ioctl lock execute } (h1 dom h2);
# XXX
#
# For some reason, we need to reference the mlsfileread attribute
# or we get a build error. Below is a dummy entry to do this.
mlsconstrain xextension query ( t1 == mlsfileread );

4
strict/types/file.te
View File

@ -276,7 +276,8 @@ allow { file_type device_type ttyfile } fs_t:filesystem associate;
# Allow the pty to be associated with the file system.
allow devpts_t self:filesystem associate;
type tmpfs_t, file_type, sysadmfile, fs_type;
type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
ifdef(`distro_redhat', `
allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
@ -332,6 +333,7 @@ allow file_type noexattrfile:filesystem associate;
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
allow customizable self:filesystem associate;

12
strict/types/security.te
View File

@ -12,32 +12,32 @@
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
type security_t, fs_type;
type security_t, mount_point, fs_type, mlstrustedobject;
#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
type policy_config_t, file_type;
type policy_config_t, file_type, secadmfile;
#
# policy_src_t is the type of the policy source
# files.
#
type policy_src_t, file_type, sysadmfile;
type policy_src_t, file_type, secadmfile;
#
# default_context_t is the type applied to
# /etc/selinux/*/contexts/*
#
type default_context_t, file_type, sysadmfile, login_contexts;
type default_context_t, file_type, login_contexts, secadmfile;
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t, file_type, sysadmfile;
type file_context_t, file_type, secadmfile;
#
# no_access_t is the type for objects that should
@ -49,6 +49,6 @@ type no_access_t, file_type, sysadmfile;
# selinux_config_t is the type applied to
# /etc/selinux/config
#
type selinux_config_t, file_type, sysadmfile;
type selinux_config_t, file_type, secadmfile;

9
strict/users
View File

@ -41,10 +41,17 @@ user user_u roles { user_r };
# The sysadm_r user also needs to be permitted system_r if we are to allow
# direct execution of daemons
user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') };
user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') };
# sample for administrative user
#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
# sample for regular user
#user jdoe roles { user_r };
#
# The following users correspond to special Unix identities
#
ifdef(`nx_server.te', `
user nx roles nx_server_r;
')

4
tools/regression.sh
View File

@ -1,8 +1,8 @@
#!/bin/bash
DISTROS="redhat gentoo debian suse"
STRICT_TYPES="strict strict-mls"
TARG_TYPES="targeted targeted-mls"
STRICT_TYPES="strict strict-mls strict-mcs"
TARG_TYPES="targeted targeted-mls targeted-mcs"
POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
SETFILES="/usr/sbin/setfiles"