another pile o fixes
parent
33acca55ce
commit
d1b9d9228b
@ -37,10 +37,16 @@ files_type(amanda_gnutarlists_t)
|
||||
type amanda_user_exec_t;
|
||||
files_type(amanda_user_exec_t)
|
||||
|
||||
# temp:
|
||||
typeattribute amanda_user_exec_t entry_type;
|
||||
|
||||
# type for same awk and other scripts
|
||||
type amanda_script_exec_t;
|
||||
files_type(amanda_script_exec_t)
|
||||
|
||||
# temp:
|
||||
typeattribute amanda_user_exec_t entry_type;
|
||||
|
||||
# type for the shell configuration files
|
||||
type amanda_shellconfig_t;
|
||||
files_type(amanda_shellconfig_t)
|
||||
|
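Review bot: The second `# temp:` block, the one placed under `amanda_script_exec_t`, applies the attribute to the wrong type: it repeats `typeattribute amanda_user_exec_t entry_type;` instead of `typeattribute amanda_script_exec_t entry_type;`, so the script executable type never becomes an entry type while the user executable type gets the attribute twice. The hunk counts (10 old, 16 new, nothing removed) indicate both blocks are new in this commit. While here, `# type for same awk and other scripts` reads like a typo for `some`. The declarations continue outside the hunk.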
@ -73,8 +73,15 @@ logging_send_syslog_msg(netutils_t)
|
||||
|
||||
miscfiles_read_localization(netutils_t)
|
||||
|
||||
sysnet_read_config(netutils_t)
|
||||
|
||||
userdom_use_all_user_fd(netutils_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_generic_pty(netutils_t)
|
||||
term_use_unallocated_tty(netutils_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(netutils_t)
|
||||
')
|
||||
|
@ -55,9 +55,10 @@ files_pid_file(krb5kdc_var_run_t)
|
||||
# Use capabilities. Surplus capabilities may be allowed.
|
||||
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
|
||||
dontaudit kadmind_t self:capability sys_tty_config;
|
||||
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow kadmind_t self:unix_dgram_socket { connect create write };
|
||||
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow kadmind_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow kadmind_t kadmind_log_t:file create_file_perms;
|
||||
logging_create_log(kadmind_t,kadmind_log_t)
|
||||
@ -77,7 +78,8 @@ allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
|
||||
allow kadmind_t kadmind_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
|
||||
allow kadmind_t kadmind_var_run_t:file { getattr create read write append setattr unlink };
|
||||
allow kadmind_t kadmind_var_run_t:file create_file_perms;
|
||||
allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(kadmind_t,kadmind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(kadmind_t)
|
||||
|
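Review bot: Replacing `allow kadmind_t kadmind_var_run_t:file { getattr create read write append setattr unlink };` with `create_file_perms` widens the pid-file grant beyond the permissions the old rule enumerated (the macro typically also covers link and rename, among others); if the narrower set was deliberate keep it, otherwise a one-line comment such as `# pid file: full create/remove access` would record that the widening is intended. The added `allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;` next to `files_create_pid(kadmind_t,kadmind_var_run_t)` matches the ktalkd, ntpd, nscd and squid hunks in this commit. In the first kadmind hunk `allow kadmind_t self:tcp_socket connected_stream_socket_perms;` is printed twice; the counts (9 old, 10 new) allow one copy to be a move, but if both survive the duplicate should go.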
@ -43,6 +43,7 @@ allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(ktalkd_t, ktalkd_tmp_t, { file dir })
|
||||
|
||||
allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
|
||||
allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(ktalkd_t,ktalkd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(ktalkd_t)
|
||||
|
@ -37,6 +37,7 @@ dontaudit slapd_t self:capability sys_tty_config;
|
||||
allow slapd_t self:process setsched;
|
||||
allow slapd_t self:fifo_file { read write };
|
||||
allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow slapd_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Allow access to the slapd databases
|
||||
allow slapd_t slapd_db_t:dir create_dir_perms;
|
||||
@ -97,8 +98,11 @@ libs_use_shared_libs(slapd_t)
|
||||
|
||||
logging_send_syslog_msg(slapd_t)
|
||||
|
||||
miscfiles_read_certs(slapd_t)
|
||||
miscfiles_read_localization(slapd_t)
|
||||
|
||||
sysnet_read_config(slapd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(slapd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(slapd_t)
|
||||
|
||||
@ -121,7 +125,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
r_dir_file(slapd_t, cert_t)
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(slapd_t)
|
||||
')
|
||||
|
@ -42,8 +42,11 @@ allow mysqld_t self:udp_socket create_socket_perms;
|
||||
allow mysqld_t mysqld_db_t:dir create_dir_perms;
|
||||
allow mysqld_t mysqld_db_t:file create_file_perms;
|
||||
allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
|
||||
files_create_var_lib(mysqld_t,mysqld_db_t,{ dir file })
|
||||
|
||||
allow mysqld_t mysqld_etc_t:file { getattr read };
|
||||
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
|
||||
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
|
||||
|
||||
allow mysqld_t mysqld_log_t:file create_file_perms;
|
||||
logging_create_log(mysqld_t,mysqld_log_t)
|
||||
|
@ -49,6 +49,7 @@ logging_create_log(nscd_t,nscd_log_t)
|
||||
|
||||
allow nscd_t nscd_var_run_t:file create_file_perms;
|
||||
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
|
||||
allow nscd_t nscd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(nscd_t)
|
||||
@ -110,7 +111,10 @@ sysnet_read_config(nscd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(nscd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(nscd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_unallocated_tty(nscd_t)
|
||||
term_use_generic_pty(nscd_t)
|
||||
|
||||
term_dontaudit_use_unallocated_tty(nscd_t)
|
||||
term_dontaudit_use_generic_pty(nscd_t)
|
||||
files_dontaudit_read_root_file(nscd_t)
|
||||
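Review bot: The new `term_dontaudit_use_unallocated_tty(nscd_t)` and `term_dontaudit_use_generic_pty(nscd_t)` sit in the same `ifdef(`targeted_policy',` block as `term_use_unallocated_tty(nscd_t)` and `term_use_generic_pty(nscd_t)`; with 7 old and 10 new lines the only removal the counts admit is the re-spaced `ifdef` line, so both the allow and the dontaudit forms are on the new side. A dontaudit of a permission that is also allowed has no effect, so either the two `term_use_*` lines should be dropped (tightening nscd_t to the pattern the klogd hunk in this commit uses) or the dontaudit pair is dead and should go. Whichever is intended deserves a comment, e.g. `# nscd does not need a tty; silence the probes`.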
@ -120,23 +124,22 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`samba.te',`
|
||||
samba_connect_winbind(nscd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(nscd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`winbind.te', `
|
||||
# Handle winbind for samba, Might only be needed for targeted policy
|
||||
|
||||
allow nscd_t winbind_var_run_t:sock_file { read write getattr };
|
||||
can_unix_connect(nscd_t, winbind_t)
|
||||
allow nscd_t samba_var_t:dir search;
|
||||
allow nscd_t winbind_var_run_t:dir { getattr search };
|
||||
')
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(nscd_t)
|
||||
')
|
||||
r_dir_file(nscd_t, cert_t)
|
||||
|
||||
allow nscd_t tmp_t:dir { search getattr };
|
||||
allow nscd_t tmp_t:lnk_file read;
|
||||
') dnl end TODO
|
||||
|
@ -57,6 +57,7 @@ allow ntpd_t ntpd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(ntpd_t, ntpd_tmp_t, { file dir })
|
||||
|
||||
allow ntpd_t ntpd_var_run_t:file create_file_perms;
|
||||
allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(ntpd_t,ntpd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(ntpd_t)
|
||||
|
@ -19,6 +19,9 @@ files_type(postfix_etc_t)
|
||||
type postfix_exec_t;
|
||||
files_type(postfix_exec_t)
|
||||
|
||||
# temp:
|
||||
typeattribute postfix_exec_t entry_type;
|
||||
|
||||
postfix_server_domain_template(local)
|
||||
mta_mailserver_delivery(postfix_local_t)
|
||||
|
||||
|
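Review bot: `# temp:` above `typeattribute postfix_exec_t entry_type;` says nothing about why the attribute is assigned directly or what should replace it, so the marker cannot be acted on later; the same bare marker appears in the amanda and xserver hunks and as `#cjp: temp` in the corecommands hunk, and the spamassassin hunk adds `typeattribute spamc_exec_t entry_type;` with no marker at all. A comment of the form `# temp: entry_type assigned directly - TODO(<tracking ref>): remove once <replacement> is in place` on each would make them searchable and explain the intent. The postfix declarations continue outside the hunk.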
@ -27,7 +27,7 @@ allow privoxy_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow privoxy_t privoxy_log_t:file create_file_perms;
|
||||
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
|
||||
logging_search_logs(privoxy_t,privoxy_log_t,{ file dir })
|
||||
logging_create_log(privoxy_t,privoxy_log_t)
|
||||
|
||||
allow privoxy_t privoxy_var_run_t:file create_file_perms;
|
||||
files_create_pid(privoxy_t,privoxy_var_run_t)
|
||||
|
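Review bot: `logging_create_log(privoxy_t,privoxy_log_t)` drops the `{ file dir }` class argument that the replaced `logging_search_logs(...)` call carried, while the squid hunk in this commit passes `{ file dir }` to the same interface and privoxy_t keeps `dir rw_dir_perms` on privoxy_log_t. If privoxy only creates files in its log directory this is fine; if it creates subdirectories the call should be `logging_create_log(privoxy_t,privoxy_log_t,{ file dir })`. The interface's default for the third argument is not visible here, so this is worth a quick check against logging.if.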
@ -157,3 +157,5 @@ allow spamd_t amavisd_lib_t:file create_file_perms;
|
||||
allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
typeattribute spamc_exec_t entry_type;
|
||||
|
@ -31,16 +31,19 @@ files_pid_file(squid_var_run_t)
|
||||
allow squid_t self:capability { setgid setuid dac_override };
|
||||
dontaudit squid_t self:capability sys_tty_config;
|
||||
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow squid_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow squid_t self:unix_dgram_socket create_socket_perms;
|
||||
allow squid_t self:unix_dgram_socket sendto;
|
||||
allow squid_t self:unix_stream_socket connectto;
|
||||
allow squid_t self:fifo_file rw_file_perms;
|
||||
allow squid_t self:sock_file r_file_perms;
|
||||
allow squid_t self:fd use;
|
||||
allow squid_t self:shm create_shm_perms;
|
||||
allow squid_t self:sem create_sem_perms;
|
||||
allow squid_t self:msgq create_msgq_perms;
|
||||
allow squid_t self:msg { send receive };
|
||||
allow squid_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow squid_t self:unix_dgram_socket create_socket_perms;
|
||||
allow squid_t self:unix_dgram_socket sendto;
|
||||
allow squid_t self:unix_stream_socket connectto;
|
||||
allow squid_t self:tcp_socket create_stream_socket_perms;
|
||||
allow squid_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Grant permissions to create, access, and delete cache files.
|
||||
allow squid_t squid_cache_t:dir create_dir_perms;
|
||||
@ -58,6 +61,7 @@ allow squid_t squid_log_t:dir rw_dir_perms;
|
||||
logging_create_log(squid_t,squid_log_t,{ file dir })
|
||||
|
||||
allow squid_t squid_var_run_t:file create_file_perms;
|
||||
allow squid_t squid_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(squid_t,squid_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(squid_t)
|
||||
@ -124,6 +128,8 @@ logging_send_syslog_msg(squid_t)
|
||||
miscfiles_read_certs(squid_t)
|
||||
miscfiles_read_localization(squid_t)
|
||||
|
||||
sysnet_read_config(squid_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(squid_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(squid_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(squid_t)
|
||||
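Review bot: `userdom_use_unpriv_users_fd(squid_t)` and `userdom_dontaudit_use_unpriv_user_fd(squid_t)` are both on the new side of this hunk (6 old, 8 new lines, nothing removed), and a dontaudit on a permission that is also allowed is a no-op. Keep one: the allow if squid genuinely inherits user file descriptors (for example when started from a user shell), otherwise only the dontaudit, which is what the nscd hunk in this commit carries. The two interface names also differ (`users_fd` vs `user_fd`); worth confirming both exist in userdomain.if rather than one being a typo.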
@ -158,6 +164,10 @@ optional_policy(`nscd.te',`
|
||||
nscd_use_socket(squid_t)
|
||||
')
|
||||
|
||||
optional_policy(`samba.te',`
|
||||
samba_domtrans_winbind_helper(squid_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(squid_t)
|
||||
')
|
||||
|
@ -24,6 +24,9 @@ init_daemon_domain(xdm_t,xdm_exec_t)
|
||||
type xsession_exec_t;
|
||||
files_type(xsession_exec_t)
|
||||
|
||||
# temp:
|
||||
typeattribute xsession_exec_t entry_type;
|
||||
|
||||
type xserver_log_t;
|
||||
files_type(xserver_log_t)
|
||||
|
||||
|
@ -24,6 +24,9 @@ files_type(sbin_t)
|
||||
type ls_exec_t;
|
||||
files_type(ls_exec_t)
|
||||
|
||||
#cjp: temp
|
||||
typeattribute ls_exec_t entry_type;
|
||||
|
||||
#
|
||||
# shell_exec_t is the type of user shells such as /bin/bash.
|
||||
#
|
||||
|
@ -359,10 +359,9 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
|
||||
interface(`domain_sigchld_wide_inherit_fd',`
|
||||
gen_require(`
|
||||
attribute privfd;
|
||||
class process signal;
|
||||
')
|
||||
|
||||
dontaudit $1 privfd:fd use;
|
||||
allow $1 privfd:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
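Review bot: `domain_sigchld_wide_inherit_fd` grants `privfd:process sigchld` but its `gen_require` block declares `class process signal;`, so the required permission does not match the one used; the requirement should read `class process sigchld;` (if the class line is what this commit removes, it needs to come back in that form). No `## <summary>` documentation block for the interface is visible in the hunk; a header stating that it lets the domain send SIGCHLD to domains with wide-inheritable fds, and silences its fd use, would match the style of the neighbouring `domain_dontaudit_use_wide_inherit_fd`. The counts (10 old, 9 new) do not show which of the printed lines changed.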
@ -196,6 +196,7 @@ dontaudit klogd_t self:capability sys_resource;
|
||||
|
||||
kernel_read_system_state(klogd_t)
|
||||
kernel_read_messages(klogd_t)
|
||||
kernel_read_kernel_sysctl(klogd_t)
|
||||
# Control syslog and console logging
|
||||
kernel_clear_ring_buffer(klogd_t)
|
||||
kernel_change_ring_buffer_level(klogd_t)
|
||||
@ -203,8 +204,10 @@ kernel_change_ring_buffer_level(klogd_t)
|
||||
bootloader_read_kernel_symbol_table(klogd_t)
|
||||
|
||||
dev_read_raw_memory(klogd_t)
|
||||
dev_read_sysfs(klogd_t)
|
||||
|
||||
fs_getattr_all_fs(klogd_t)
|
||||
fs_search_auto_mountpoints(klogd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(klogd_t)
|
||||
|
||||
@ -214,6 +217,7 @@ files_read_etc_runtime_files(klogd_t)
|
||||
files_read_etc_files(klogd_t)
|
||||
|
||||
init_use_fd(klogd_t)
|
||||
init_use_script_pty(klogd_t)
|
||||
|
||||
libs_use_ld_so(klogd_t)
|
||||
libs_use_shared_libs(klogd_t)
|
||||
@ -222,10 +226,13 @@ logging_send_syslog_msg(klogd_t)
|
||||
|
||||
miscfiles_read_localization(klogd_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`targeted_policy', `
|
||||
allow klogd_t unconfined_t:system syslog_mod;
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(klogd_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_pty(klogd_t)
|
||||
term_dontaudit_use_unallocated_tty(klogd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -261,7 +268,8 @@ allow syslogd_t var_log_t:dir { create setattr };
|
||||
|
||||
# manage temporary files
|
||||
allow syslogd_t syslogd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(syslogd_t,syslogd_tmp_t)
|
||||
allow syslogd_t syslogd_tmp_t:dir create_dir_perms;
|
||||
files_create_tmp_files(syslogd_t,syslogd_tmp_t,{ dir file })
|
||||
|
||||
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||
files_create_pid(syslogd_t,syslogd_var_run_t,file)
|
||||
|