add a couple more nfs and cifs interfaces, to cover most of the
use_(nfs|cifs)_home_dirs tunable
parent
77c124c8cd
commit
d35c621eb0
@ -118,6 +118,7 @@ dev_read_urand(rpm_t)
|
||||
|
||||
#fs_manage_nfs_dir(rpm_t)
|
||||
#fs_manage_nfs_files(rpm_t)
|
||||
fs_manage_nfs_symlinks(rpm_t)
|
||||
fs_getattr_all_fs(rpm_t)
|
||||
|
||||
storage_raw_write_fixed_disk(rpm_t)
|
||||
@ -176,7 +177,6 @@ allow rpm_t ttyfile:chr_file unlink;
|
||||
allow rpm_t fs_type:dir { setattr rw_dir_perms };
|
||||
|
||||
allow rpm_t mount_t:tcp_socket write;
|
||||
allow rpm_t nfs_t:lnk_file create_file_perms;
|
||||
|
||||
allow rpm_t sysfs_t:dir r_dir_perms;
|
||||
allow rpm_t usbdevfs_t:dir r_dir_perms;
|
||||
|
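Review bot: `fs_manage_nfs_symlinks(rpm_t)` in the `@ -118,6 +118,7 @@` hunk replaces the removed `allow rpm_t nfs_t:lnk_file create_file_perms;`, but per the interface's definition in filesystem.if on this page it also emits `allow $1 nfs_t:dir rw_dir_perms;`, so rpm_t now gains write access to nfs_t directories even though `#fs_manage_nfs_dir(rpm_t)` is deliberately left commented out; if directory management is meant to be withheld, an interface limited to the `lnk_file` permissions is needed instead. The commented-out name also does not match the interface that actually exists (`fs_manage_nfs_dirs`, as called in gpg.if in this same commit), so uncommenting it later would fail; it should read `#fs_manage_nfs_dirs(rpm_t)`. Unlike the other files in this commit, these NFS rules are not wrapped in `tunable_policy(`use_nfs_home_dirs',` — presumably intentional for a package manager, but a one-line comment saying so would stop the next reader from "fixing" it.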
@ -43,10 +43,7 @@ define(`gpg_per_userdomain_template',`
|
||||
#
|
||||
|
||||
# transition from the userdomain to the derived domain
|
||||
allow $1_t $1_gpg_t:process transition;
|
||||
allow $1_t gpg_exec_t:file rx_file_perms;
|
||||
type_transition $1_t gpg_exec_t:process $1_gpg_t;
|
||||
dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans($1_t,gpg_exec_t,$1_gpg_t)
|
||||
|
||||
allow $1_t $1_gpg_t:fd use;
|
||||
allow $1_gpg_t $1_t:fd use;
|
||||
@ -103,6 +100,18 @@ define(`gpg_per_userdomain_template',`
|
||||
allow $1_gpg_t gpg_exec_t:file execmod;
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_gpg_t)
|
||||
fs_manage_nfs_files($1_gpg_t)
|
||||
fs_manage_nfs_symlinks($1_gpg_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs($1_gpg_t)
|
||||
fs_manage_cifs_files($1_gpg_t)
|
||||
fs_manage_cifs_symlinks($1_gpg_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
can_ypbind($1_gpg_t)
|
||||
@ -134,13 +143,6 @@ define(`gpg_per_userdomain_template',`
|
||||
# allow the usual access to /tmp
|
||||
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
create_dir_file($1_gpg_t, nfs_t)
|
||||
')
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
create_dir_file($1_gpg_t, cifs_t)
|
||||
')
|
||||
|
||||
rw_dir_create_file($1_gpg_t, $1_file_type)
|
||||
|
||||
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
|
||||
@ -157,11 +159,12 @@ define(`gpg_per_userdomain_template',`
|
||||
# Note: this is only tested with the hkp interface. If you use eg the
|
||||
# mail interface you will likely need additional permissions.
|
||||
|
||||
# communicate with the user
|
||||
allow $1_gpg_helper_t $1_t:fd use;
|
||||
allow $1_gpg_helper_t $1_t:fifo_file write;
|
||||
|
||||
# transition from the gpg domain to the helper domain
|
||||
allow $1_gpg_t $1_gpg_helper_t:process transition;
|
||||
allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms;
|
||||
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
|
||||
dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
|
||||
|
||||
allow $1_gpg_t $1_gpg_helper_t:fd use;
|
||||
allow $1_gpg_helper_t $1_gpg_t:fd use;
|
||||
@ -197,18 +200,15 @@ define(`gpg_per_userdomain_template',`
|
||||
|
||||
sysnet_read_config($1_gpg_helper_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
dontaudit $1_gpg_helper_t nfs_t:file { read write };
|
||||
')
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
dontaudit $1_gpg_helper_t cifs_t:file { read write };
|
||||
fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
|
||||
')
|
||||
|
||||
# communicate with the user
|
||||
allow $1_gpg_helper_t $1_t:fd use;
|
||||
allow $1_gpg_helper_t $1_t:fifo_file write;
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
dontaudit $1_gpg_t xdm_t:fd use;
|
||||
@ -232,6 +232,9 @@ define(`gpg_per_userdomain_template',`
|
||||
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
|
||||
files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_gpg_agent_t)
|
||||
|
||||
libs_use_ld_so($1_gpg_agent_t)
|
||||
@ -239,9 +242,19 @@ define(`gpg_per_userdomain_template',`
|
||||
|
||||
miscfiles_read_localization($1_gpg_agent_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_gpg_agent_t)
|
||||
fs_manage_nfs_files($1_gpg_agent_t)
|
||||
fs_manage_nfs_symlinks($1_gpg_agent_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs($1_gpg_agent_t)
|
||||
fs_manage_cifs_files($1_gpg_agent_t)
|
||||
fs_manage_cifs_symlinks($1_gpg_agent_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Transition from the user domain to the derived domain.
|
||||
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
|
||||
|
||||
allow $1_gpg_agent_t xdm_t:fd use;
|
||||
|
||||
@ -261,12 +274,6 @@ define(`gpg_per_userdomain_template',`
|
||||
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
||||
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
|
||||
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
create_dir_file($1_gpg_agent_t, nfs_t)
|
||||
')
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
create_dir_file($1_gpg_agent_t, cifs_t)
|
||||
')
|
||||
|
||||
# gpg connect
|
||||
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
|
||||
@ -281,10 +288,7 @@ define(`gpg_per_userdomain_template',`
|
||||
|
||||
# we need to allow gpg-agent to call pinentry so it can get the passphrase
|
||||
# from the user.
|
||||
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
|
||||
allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms;
|
||||
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
|
||||
dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
|
||||
|
||||
allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
|
||||
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
|
||||
|
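Review bot: After the `@ -232,6 +232,9 @@` hunk activates `domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)`, the identical call (with the identical comment) is still left inside the `ifdef(`TODO',`` block in the `@ -239,9 +242,19 @@` hunk; the dead copy should be deleted so the TODO block only holds what is genuinely pending. The new `tunable_policy` blocks give `$1_gpg_t` and `$1_gpg_agent_t` full manage rights (create/delete/rename) over nfs_t and cifs_t, which is broader than the `create_dir_file` calls they replace in the `@ -134,13 +143,6 @@` and `@ -261,12 +274,6 @@` hunks — presumably intended, but a short comment above the blocks stating why manage rather than read/create is required would document the widening. The helper's `fs_dontaudit_rw_cifs_files($1_gpg_helper_t)` in the `@ -197,18 +200,15 @@` hunk relies on that interface being defined exactly once in filesystem.if, which this commit currently does not guarantee (see the filesystem.if note).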
@ -399,17 +399,14 @@ define(`fs_mount_cifs_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_remount_cifs',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class filesystem remount;
|
||||
')
|
||||
|
||||
allow $1 cifs_t:filesystem remount;
|
||||
')
|
||||
|
||||
define(`fs_remount_cifs_depend',`
|
||||
type cifs_t;
|
||||
|
||||
class filesystem remount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_unmount_cifs">
|
||||
## <description>
|
||||
@ -421,17 +418,14 @@ define(`fs_remount_cifs_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_unmount_cifs',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class filesystem unmount;
|
||||
')
|
||||
|
||||
allow $1 cifs_t:filesystem mount;
|
||||
')
|
||||
|
||||
define(`fs_unmount_cifs_depend',`
|
||||
type cifs_t;
|
||||
|
||||
class filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_getattr_cifs">
|
||||
## <description>
|
||||
@ -445,15 +439,74 @@ define(`fs_unmount_cifs_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_getattr_cifs',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class filesystem getattr;
|
||||
')
|
||||
|
||||
allow $1 cifs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
define(`fs_getattr_cifs_depend',`
|
||||
type cifs_t;
|
||||
########################################
|
||||
## <interface name="fs_read_cifs_files">
|
||||
## <description>
|
||||
## Read files on a CIFS or SMB filesystem.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the domain reading the files.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_read_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
class filesystem getattr;
|
||||
allow $1 cifs_t:dir r_dir_perms;
|
||||
allow $1 cifs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_dontaudit_rw_cifs_files">
|
||||
## <description>
|
||||
## Do not audit attempts to read or
|
||||
## write files on a CIFS or SMB filesystem.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the domain to not audit.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_dontaudit_rw_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class file { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_read_cifs_symlinks">
|
||||
## <description>
|
||||
## Read symbolic links on a CIFS or SMB filesystem.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the domain reading the symbolic links.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_read_cifs_symlinks',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 cifs_t:dir r_dir_perms;
|
||||
allow $1 cifs_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -482,6 +535,26 @@ define(`fs_execute_cifs_files_depend',`
|
||||
class file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_dontaudit_rw_cifs_files">
|
||||
## <description>
|
||||
## Do not audit attempts to read or
|
||||
## write files on a CIFS or SMB filesystems.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the domain to not audit.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_read_cifs_files',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class file { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 cifs_t:file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_manage_cifs_dirs">
|
||||
## <description>
|
||||
@ -906,6 +979,27 @@ define(`fs_getattr_nfs_depend',`
|
||||
class filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_read_nfs_files">
|
||||
## <description>
|
||||
## Read files on a NFS filesystem.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the domain reading the files.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_read_nfs_files',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:dir r_dir_perms;
|
||||
allow $1 nfs_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_execute_nfs_files">
|
||||
## <description>
|
||||
@ -917,17 +1011,54 @@ define(`fs_getattr_nfs_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_execute_nfs_files',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:dir r_dir_perms;
|
||||
can_exec($1, nfs_t)
|
||||
')
|
||||
|
||||
define(`fs_execute_nfs_files_depend',`
|
||||
type nfs_t;
|
||||
########################################
|
||||
## <interface name="fs_dontaudit_rw_nfs_files">
|
||||
## <description>
|
||||
## Do not audit attempts to read or
|
||||
## write files on a NFS filesystem.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the domain to not audit.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_dontaudit_rw_nfs_files',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
class file { read write };
|
||||
')
|
||||
|
||||
class dir r_dir_perms;
|
||||
class file { getattr read execute execute_no_trans };
|
||||
dontaudit $1 nfs_t:file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_read_nfs_symlinks">
|
||||
## <description>
|
||||
## Read symbolic links on a NFS filesystem.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the domain reading the symbolic links.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_read_nfs_symlinks',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:dir r_dir_perms;
|
||||
allow $1 nfs_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -990,19 +1121,16 @@ define(`fs_manage_nfs_files_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_manage_nfs_symlinks',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:dir rw_dir_perms;
|
||||
allow $1 nfs_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
define(`fs_manage_nfs_symlinks_depend',`
|
||||
type nfs_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <interface name="fs_manage_nfs_named_pipes">
|
||||
## <description>
|
||||
|
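Review bot: The block headed `## <interface name="fs_dontaudit_rw_cifs_files">` in the `@ -482,6 +535,26 @@` hunk defines `fs_read_cifs_files` a second time, with the body `dontaudit $1 cifs_t:file { read write };`; because a later m4 `define` replaces the earlier one, every caller of `fs_read_cifs_files` (remotelogin.te in this commit) would expand to a dontaudit and receive no read access at all. Both the XML header and the define duplicate the `fs_dontaudit_rw_cifs_files` interface already added in the `@ -445,15 +439,74 @@` hunk, so the whole twenty-line block should be dropped. Separately, in the `@ -421,17 +418,14 @@` hunk `fs_unmount_cifs` requires `class filesystem unmount;` but its rule is `allow $1 cifs_t:filesystem mount;` — an existing line, but `unmount` is what the name and the require call for, and it is worth fixing while the block is rewritten. In the `@ -990,19 +1121,16 @@` hunk the new `gen_require` of `fs_manage_nfs_symlinks` lists `class dir r_dir_perms;` while the rule grants `rw_dir_perms`; the require should name the permissions actually used.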
@ -13,18 +13,15 @@
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_getattr_fixed_disk',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type fixed_disk_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
define(`storage_getattr_fixed_disk_depend',`
|
||||
type fixed_disk_device_t;
|
||||
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_dontaudit_getattr_fixed_disk">
|
||||
## <description>
|
||||
@ -37,17 +34,14 @@ define(`storage_getattr_fixed_disk_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_dontaudit_getattr_fixed_disk',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type fixed_disk_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
define(`storage_dontaudit_getattr_fixed_disk_depend',`
|
||||
type fixed_disk_device_t;
|
||||
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_fixed_disk">
|
||||
## <description>
|
||||
@ -60,16 +54,33 @@ define(`storage_dontaudit_getattr_fixed_disk_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_setattr_fixed_disk',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type fixed_disk_device_t;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
define(`storage_setattr_fixed_disk_depend',`
|
||||
type fixed_disk_device_t;
|
||||
########################################
|
||||
## <interface name="storage_dontaudit_setattr_fixed_disk">
|
||||
## <description>
|
||||
## Do not audit attempts made by the caller to set
|
||||
## the attributes of fixed disk device nodes.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_dontaudit_setattr_fixed_disk',`
|
||||
gen_require(`
|
||||
type fixed_disk_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
class blk_file setattr;
|
||||
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -86,21 +97,17 @@ define(`storage_setattr_fixed_disk_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_raw_read_fixed_disk',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read;
|
||||
type fixed_disk_device_t;
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file r_file_perms;
|
||||
typeattribute $1 fixed_disk_raw_read;
|
||||
')
|
||||
|
||||
define(`storage_raw_read_fixed_disk_depend',`
|
||||
attribute fixed_disk_raw_read;
|
||||
|
||||
type fixed_disk_device_t;
|
||||
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_write_fixed_disk">
|
||||
## <description>
|
||||
@ -115,21 +122,17 @@ define(`storage_raw_read_fixed_disk_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_raw_write_fixed_disk',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_write;
|
||||
type fixed_disk_device_t;
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
||||
typeattribute $1 fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
define(`storage_raw_write_fixed_disk_depend',`
|
||||
attribute fixed_disk_raw_write;
|
||||
|
||||
type fixed_disk_device_t;
|
||||
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_create_fixed_disk">
|
||||
## <description>
|
||||
@ -141,19 +144,17 @@ define(`storage_raw_write_fixed_disk_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_create_fixed_disk_dev_entry',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
type fixed_disk_device_t;
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||
dev_create_dev_node($1,fixed_disk_device_t,blk_file)
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
define(`storage_create_fixed_disk_dev_entry_depend',`
|
||||
type fixed_disk_device_t;
|
||||
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_manage_fixed_disk">
|
||||
## <description>
|
||||
@ -165,21 +166,17 @@ define(`storage_create_fixed_disk_dev_entry_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_manage_fixed_disk',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
type fixed_disk_device_t;
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
define(`storage_manage_fixed_disk_depend',`
|
||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
|
||||
type fixed_disk_device_t;
|
||||
|
||||
class blk_file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_read_lvm_volume">
|
||||
## <description>
|
||||
@ -194,21 +191,17 @@ define(`storage_manage_fixed_disk_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_raw_read_lvm_volume',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read;
|
||||
type lvm_vg_t;
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 lvm_vg_t:blk_file r_file_perms;
|
||||
typeattribute $1 fixed_disk_raw_read;
|
||||
')
|
||||
|
||||
define(`storage_raw_read_lvm_volume_depend',`
|
||||
attribute fixed_disk_raw_read;
|
||||
|
||||
type lvm_vg_t;
|
||||
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_write_lvm_volume">
|
||||
## <description>
|
||||
@ -223,21 +216,17 @@ define(`storage_raw_read_lvm_volume_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_raw_write_lvm_volume',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_write;
|
||||
type lvm_vg_t;
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
||||
typeattribute $1 fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
define(`storage_raw_write_lvm_volume_depend',`
|
||||
attribute fixed_disk_raw_write;
|
||||
|
||||
type lvm_vg_t;
|
||||
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_read_scsi_generic">
|
||||
## <description>
|
||||
@ -253,21 +242,17 @@ define(`storage_raw_write_lvm_volume_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_read_scsi_generic',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute scsi_generic_read;
|
||||
type scsi_generic_device_t;
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 scsi_generic_device_t:blk_file r_file_perms;
|
||||
typeattribute $1 scsi_generic_read;
|
||||
')
|
||||
|
||||
define(`storage_read_scsi_generic_depend',`
|
||||
attribute scsi_generic_read;
|
||||
|
||||
type scsi_generic_device_t;
|
||||
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_write_scsi_generic">
|
||||
## <description>
|
||||
@ -283,21 +268,17 @@ define(`storage_read_scsi_generic_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_write_scsi_generic',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
attribute scsi_generic_write;
|
||||
type scsi_generic_device_t;
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
|
||||
typeattribute $1 scsi_generic_write;
|
||||
')
|
||||
|
||||
define(`storage_write_scsi_generic_depend',`
|
||||
attribute scsi_generic_write;
|
||||
|
||||
type scsi_generic_device_t;
|
||||
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_scsi_generic">
|
||||
## <description>
|
||||
@ -310,18 +291,15 @@ define(`storage_write_scsi_generic_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_getattr_scsi_generic',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type scsi_generic_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 scsi_generic_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
define(`storage_getattr_scsi_generic_depend',`
|
||||
type scsi_generic_device_t;
|
||||
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_scsi_generic">
|
||||
## <description>
|
||||
@ -334,18 +312,15 @@ define(`storage_getattr_scsi_generic_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_set_scsi_generic_attributes',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type scsi_generic_device_t;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 scsi_generic_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
define(`storage_set_scsi_generic_attributes_depend',`
|
||||
type scsi_generic_device_t;
|
||||
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_removable_device">
|
||||
## <description>
|
||||
@ -358,18 +333,15 @@ define(`storage_set_scsi_generic_attributes_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_getattr_removable_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type removable_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 removable_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
define(`storage_getattr_removable_device_depend',`
|
||||
type removable_device_t;
|
||||
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_dontaudit_getattr_removable_device">
|
||||
## <description>
|
||||
@ -382,17 +354,14 @@ define(`storage_getattr_removable_device_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_dontaudit_getattr_removable_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type removable_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 removable_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
define(`storage_dontaudit_getattr_removable_device_depend',`
|
||||
type removable_device_t;
|
||||
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_removable_device">
|
||||
## <description>
|
||||
@ -405,18 +374,15 @@ define(`storage_dontaudit_getattr_removable_device_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_setattr_removable_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type removable_device_t;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 removable_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
define(`storage_setattr_removable_device_depend',`
|
||||
type removable_device_t;
|
||||
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_read_removable_device">
|
||||
## <description>
|
||||
@ -432,18 +398,15 @@ define(`storage_setattr_removable_device_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_raw_read_removable_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type removable_device_t;
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 removable_device_t:blk_file r_file_perms;
|
||||
')
|
||||
|
||||
define(`storage_raw_read_removable_device_depend',`
|
||||
type removable_device_t;
|
||||
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_write_removable_device">
|
||||
## <description>
|
||||
@ -459,18 +422,15 @@ define(`storage_raw_read_removable_device_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_raw_write_removable_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type removable_device_t;
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 removable_device_t:blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`storage_raw_write_removable_device_depend',`
|
||||
type removable_device_t;
|
||||
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_read_tape_device">
|
||||
## <description>
|
||||
@ -483,18 +443,15 @@ define(`storage_raw_write_removable_device_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_read_tape_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type tape_device_t;
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tape_device_t:blk_file r_file_perms;
|
||||
')
|
||||
|
||||
define(`storage_read_tape_device_depend',`
|
||||
type tape_device_t;
|
||||
|
||||
class blk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_write_tape_device">
|
||||
## <description>
|
||||
@ -507,18 +464,15 @@ define(`storage_read_tape_device_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_write_tape_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type tape_device_t;
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tape_device_t:blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`storage_write_tape_device_depend',`
|
||||
type tape_device_t;
|
||||
|
||||
class blk_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_tape_device">
|
||||
## <description>
|
||||
@ -531,18 +485,15 @@ define(`storage_write_tape_device_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_getattr_tape_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type tape_device_t;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tape_device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
define(`storage_getattr_tape_device_depend',`
|
||||
type tape_device_t;
|
||||
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_tape_device">
|
||||
## <description>
|
||||
@ -555,15 +506,13 @@ define(`storage_getattr_tape_device_depend',`
|
||||
## </interface>
|
||||
#
|
||||
define(`storage_setattr_tape_device',`
|
||||
gen_require(`$0'_depend)
|
||||
gen_require(`
|
||||
type tape_device_t;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tape_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
define(`storage_setattr_tape_device_depend',`
|
||||
type tape_device_t;
|
||||
class blk_file setattr;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
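Review bot: The new `storage_dontaudit_setattr_fixed_disk` interface in the `@ -60,16 +54,33 @@` hunk requires `class blk_file getattr;` and its rule is `dontaudit $1 fixed_disk_device_t:blk_file getattr;`, while the name and the description ("Do not audit attempts made by the caller to set the attributes") call for `setattr`; both lines should say `setattr`, otherwise callers expecting setattr denials to be silenced still see them audited, and the getattr dontaudit merely duplicates `storage_dontaudit_getattr_fixed_disk`. The `@ -334,18 +312,15 @@` hunk keeps the mismatch between the `## <interface name="storage_setattr_scsi_generic">` header and the `define(`storage_set_scsi_generic_attributes',`` it documents — pre-existing, but the XML name is presumably what the interface documentation is generated from, so aligning the two while the block is rewritten is cheap.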
@ -81,6 +81,16 @@ auth_manage_pam_console_data(remote_login_t)
|
||||
|
||||
miscfiles_read_localization(remote_login_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(remote_login_t)
|
||||
fs_read_nfs_symlinks(remote_login_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_read_cifs_files(remote_login_t)
|
||||
fs_read_cifs_symlinks(remote_login_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow remote_login_t unpriv_userdomain:fd use;
|
||||
can_ypbind(remote_login_t)
|
||||
@ -116,14 +126,6 @@ dontaudit remote_login_t sysfs_t:dir search;
|
||||
allow remote_login_t autofs_t:dir r_dir_perms;
|
||||
allow remote_login_t mnt_t:dir r_dir_perms;
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
r_dir_file(remote_login_t, nfs_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
r_dir_file(remote_login_t, cifs_t)
|
||||
')
|
||||
|
||||
# FIXME: what is this for?
|
||||
ifdef(`xdm.te', `
|
||||
allow xdm_t remote_login_t:process signull;
|
||||
|
@ -138,9 +138,10 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(pam_console_t)
|
||||
kernel_read_system_state(pam_console_t)
|
||||
dev_read_sysfs(pam_console_t)
|
||||
kernel_use_fd(pam_console_t)
|
||||
|
||||
dev_read_sysfs(pam_console_t)
|
||||
|
||||
# Allow to set attributes on /dev entries
|
||||
storage_getattr_fixed_disk(pam_console_t)
|
||||
storage_setattr_fixed_disk(pam_console_t)
|
||||
@ -151,15 +152,15 @@ term_use_console(pam_console_t)
|
||||
term_getattr_unallocated_ttys(pam_console_t)
|
||||
term_setattr_unallocated_ttys(pam_console_t)
|
||||
|
||||
init_use_fd(pam_console_t)
|
||||
init_use_script_pty(pam_console_t)
|
||||
|
||||
domain_use_wide_inherit_fd(pam_console_t)
|
||||
|
||||
files_read_generic_etc_files(pam_console_t)
|
||||
files_search_pids(pam_console_t)
|
||||
files_list_mnt(pam_console_t)
|
||||
|
||||
init_use_fd(pam_console_t)
|
||||
init_use_script_pty(pam_console_t)
|
||||
|
||||
libs_use_ld_so(pam_console_t)
|
||||
libs_use_shared_libs(pam_console_t)
|
||||
|
||||
|
@ -30,8 +30,8 @@ dontaudit hwclock_t self:capability sys_tty_config;
|
||||
allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
|
||||
|
||||
kernel_read_kernel_sysctl(hwclock_t)
|
||||
dev_read_sysfs(hwclock_t)
|
||||
|
||||
dev_read_sysfs(hwclock_t)
|
||||
dev_rw_realtime_clock(hwclock_t)
|
||||
|
||||
fs_getattr_xattr_fs(hwclock_t)
|
||||
@ -41,11 +41,11 @@ term_use_unallocated_tty(hwclock_t)
|
||||
term_use_all_user_ttys(hwclock_t)
|
||||
term_use_all_user_ptys(hwclock_t)
|
||||
|
||||
domain_use_wide_inherit_fd(hwclock_t)
|
||||
|
||||
init_use_fd(hwclock_t)
|
||||
init_use_script_pty(hwclock_t)
|
||||
|
||||
domain_use_wide_inherit_fd(hwclock_t)
|
||||
|
||||
files_read_generic_etc_files_directory(hwclock_t)
|
||||
# for when /usr is not mounted:
|
||||
files_dontaudit_search_isid_type_dir(hwclock_t)
|
||||
|
@ -26,9 +26,10 @@ dontaudit hostname_t self:capability sys_tty_config;
|
||||
sysnet_read_config(hostname_t)
|
||||
|
||||
kernel_read_kernel_sysctl(hostname_t)
|
||||
dev_read_sysfs(hostname_t)
|
||||
kernel_dontaudit_use_fd(hostname_t)
|
||||
|
||||
dev_read_sysfs(hostname_t)
|
||||
|
||||
fs_getattr_xattr_fs(hostname_t)
|
||||
|
||||
term_dontaudit_use_console(hostname_t)
|
||||
|
@ -45,9 +45,7 @@ files_create_pid(hotplug_t,hotplug_var_run_t)
|
||||
|
||||
kernel_read_system_state(hotplug_t)
|
||||
kernel_read_kernel_sysctl(hotplug_t)
|
||||
dev_read_sysfs(hotplug_t)
|
||||
kernel_read_net_sysctl(hotplug_t)
|
||||
dev_read_usbfs(hotplug_t)
|
||||
|
||||
bootloader_read_kernel_modules(hotplug_t)
|
||||
|
||||
@ -58,7 +56,9 @@ corenet_raw_sendrecv_all_nodes(hotplug_t)
|
||||
corenet_tcp_sendrecv_all_ports(hotplug_t)
|
||||
corenet_tcp_bind_all_nodes(hotplug_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_sysfs(hotplug_t)
|
||||
dev_read_usbfs(hotplug_t)
|
||||
# for SSP:
|
||||
dev_read_urand(hotplug_t)
|
||||
|
||||
fs_getattr_all_fs(hotplug_t)
|
||||
|
@ -88,11 +88,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
# Run init scripts.
|
||||
domain_auto_trans(init_t,initrc_exec_t,initrc_t)
|
||||
|
||||
selinux_set_boolean(init_t)
|
||||
kernel_read_system_state(init_t)
|
||||
dev_read_sysfs(init_t)
|
||||
kernel_share_state(init_t)
|
||||
|
||||
dev_read_sysfs(init_t)
|
||||
|
||||
selinux_set_boolean(init_t)
|
||||
|
||||
term_use_all_terms(init_t)
|
||||
|
||||
corecmd_chroot_exec_chroot(init_t)
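Review bot: `kernel_share_state(init_t)` does not appear in the old ordering of this block, so it looks like a new grant slipped into what is otherwise a reshuffle of `selinux_set_boolean` and `dev_read_sysfs`, and it has no comment. The hunk header's +2 line delta is consistent with this being an addition rather than a move. Presumably the interface lets init_t share process state with kernel_t (its definition is not on this page); either justify that with a why-comment such as `# init shares process state with kernel_t -- needed for ...`, or drop the line if it is an artifact of the reordering.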
|
||||
|
@ -39,11 +39,12 @@ allow iptables_t self:rawip_socket create_socket_perms;
|
||||
|
||||
kernel_read_system_state(iptables_t)
|
||||
kernel_read_network_state(iptables_t)
|
||||
dev_read_sysfs(iptables_t)
|
||||
kernel_read_kernel_sysctl(iptables_t)
|
||||
kernel_read_modprobe_sysctl(iptables_t)
|
||||
kernel_use_fd(iptables_t)
|
||||
|
||||
dev_read_sysfs(iptables_t)
|
||||
|
||||
fs_getattr_xattr_fs(iptables_t)
|
||||
|
||||
term_dontaudit_use_console(iptables_t)
|
||||
|
@ -74,7 +74,6 @@ logging_send_syslog_msg(ldconfig_t)
|
||||
|
||||
userdom_use_all_user_fd(ldconfig_t)
|
||||
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow ldconfig_t tmp_t:dir search;
|
||||
|
@ -7,11 +7,11 @@ policy_module(locallogin,1.0)
|
||||
#
|
||||
|
||||
type local_login_t; #, nscd_client_domain;
|
||||
auth_login_entry_type(local_login_t)
|
||||
domain_type(local_login_t)
|
||||
domain_obj_id_change_exempt(local_login_t)
|
||||
domain_subj_id_change_exempt(local_login_t)
|
||||
domain_role_change_exempt(local_login_t)
|
||||
auth_login_entry_type(local_login_t)
|
||||
domain_type(local_login_t)
|
||||
domain_wide_inherit_fd(local_login_t)
|
||||
role system_r types local_login_t;
|
||||
|
||||
@ -53,6 +53,10 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(local_login_t)
|
||||
kernel_read_kernel_sysctl(local_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(local_login_t)
|
||||
|
||||
selinux_get_fs_mount(local_login_t)
|
||||
selinux_validate_context(local_login_t)
|
||||
selinux_compute_access_vector(local_login_t)
|
||||
@ -60,8 +64,8 @@ selinux_compute_create_context(local_login_t)
|
||||
selinux_compute_relabel_context(local_login_t)
|
||||
selinux_compute_user_contexts(local_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(local_login_t)
|
||||
storage_dontaudit_getattr_fixed_disk(local_login_t)
|
||||
storage_dontaudit_setattr_fixed_disk(local_login_t)
|
||||
|
||||
term_use_all_user_ttys(local_login_t)
|
||||
term_use_unallocated_tty(local_login_t)
|
||||
@ -106,6 +110,16 @@ userdom_use_unpriv_users_fd(local_login_t)
|
||||
# Search for mail spool file.
|
||||
mta_getattr_spool(local_login_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files(local_login_t)
|
||||
fs_read_nfs_symlinks(local_login_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_read_cifs_files(local_login_t)
|
||||
fs_read_cifs_symlinks(local_login_t)
|
||||
')
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
optional_policy(`distro_redhat',`
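Review bot: These tunable blocks enable NFS/CIFS home-directory access for local_login_t, but the `r_dir_file(local_login_t, nfs_t)` / `cifs_t` rules removed further down were sitting inside the `ifdef(`TODO'` block and so were not in the compiled policy; the effective policy is widened here, not merely translated, and that is worth stating in the commit message or a comment above the blocks. As with the remote_login change, `r_dir_file` covered search/read on the nfs_t and cifs_t directories, so confirm `fs_read_nfs_files` / `fs_read_cifs_files` grant that too or add the directory interface alongside. A one-line comment such as `# login reads the user's dotfiles on NFS/CIFS homes when the tunable is on` would make the intent clear to the next reader.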
|
||||
@ -152,15 +166,16 @@ ifdef(`crack.te', `
|
||||
allow local_login_t crack_db_t:file r_file_perms;
|
||||
')
|
||||
|
||||
allow local_login_t mouse_device_t:chr_file { getattr setattr };
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(local_login_t)
|
||||
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
allow local_login_t mouse_device_t:chr_file { getattr setattr };
|
||||
allow local_login_t sound_device_t:chr_file { getattr setattr };
|
||||
allow local_login_t power_device_t:chr_file { getattr setattr };
|
||||
|
||||
# Do not audit denied attempts to access devices.
|
||||
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
|
||||
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
|
||||
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
|
||||
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
|
||||
@ -177,20 +192,6 @@ optional_policy(`gpm.te',`
|
||||
allow local_login_t gpmctl_t:sock_file { getattr setattr };
|
||||
')
|
||||
|
||||
# Allow setting of attributes on sound devices.
|
||||
allow local_login_t sound_device_t:chr_file { getattr setattr };
|
||||
|
||||
# Allow setting of attributes on power management devices.
|
||||
allow local_login_t power_device_t:chr_file { getattr setattr };
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
r_dir_file(local_login_t, nfs_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
r_dir_file(local_login_t, cifs_t)
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
|
@ -59,6 +59,7 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
|
||||
files_create_pid(auditd_t,auditd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(auditd_t)
|
||||
|
||||
dev_read_sysfs(auditd_t)
|
||||
|
||||
fs_getattr_all_fs(auditd_t)
|
||||
@ -186,10 +187,10 @@ allow syslogd_t devlog_t:unix_dgram_socket name_bind;
|
||||
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||
files_create_pid(syslogd_t,syslogd_var_run_t)
|
||||
|
||||
dev_read_sysfs(syslogd_t)
|
||||
kernel_read_kernel_sysctl(syslogd_t)
|
||||
|
||||
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
|
||||
dev_read_sysfs(syslogd_t)
|
||||
|
||||
term_dontaudit_use_console(syslogd_t)
|
||||
# Allow syslog to a terminal
|
||||
|
@ -69,20 +69,18 @@ type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
|
||||
files_create_etc_config(lvm_t,lvm_metadata_t,file)
|
||||
|
||||
kernel_read_system_state(lvm_t)
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
# Read system variables in /proc/sys
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
# it has no reason to need this
|
||||
kernel_dontaudit_getattr_core(lvm_t)
|
||||
|
||||
selinux_get_fs_mount(lvm_t)
|
||||
selinux_validate_context(lvm_t)
|
||||
selinux_compute_access_vector(lvm_t)
|
||||
selinux_compute_create_context(lvm_t)
|
||||
selinux_compute_relabel_context(lvm_t)
|
||||
selinux_compute_user_contexts(lvm_t)
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
dev_read_sysfs(lvm_t)
|
||||
# Read /sys/block. Device mapper metadata is kept there.
|
||||
dev_read_sysfs(sysfs_t)
|
||||
# Read system variables in /proc/sys
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
# it has no reason to need this
|
||||
kernel_dontaudit_getattr_core(lvm_t)
|
||||
|
||||
dev_create_generic_chr_file(lvm_t)
|
||||
dev_read_rand(lvm_t)
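Review bot: On the new side `kernel_read_kernel_sysctl(lvm_t)` is listed twice, once directly after `kernel_read_system_state(lvm_t)` and again under the `# Read system variables in /proc/sys` comment. The duplicate is harmless to the compiled policy but misleading to a reader auditing what lvm_t is allowed; keep the commented instance and drop the bare one. The remainder of the hunk appears to be a reordering of the selinux_* calls.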
|
||||
@ -91,7 +89,9 @@ dev_rw_lvm_control(lvm_t)
|
||||
dev_manage_generic_symlinks(lvm_t)
|
||||
dev_relabel_dev_dirs(lvm_t)
|
||||
dev_manage_generic_blk_file(lvm_t)
|
||||
|
||||
dev_read_sysfs(lvm_t)
|
||||
# Read /sys/block. Device mapper metadata is kept there.
|
||||
dev_read_sysfs(sysfs_t)
|
||||
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
|
||||
dev_dontaudit_getattr_all_chr_files(lvm_t)
|
||||
dev_dontaudit_getattr_all_blk_files(lvm_t)
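Review bot: `dev_read_sysfs(sysfs_t)` passes a file type where the interface expects a subject domain, so it expands to a rule with sysfs_t as the source type, which is meaningless and is not what the `# Read /sys/block. Device mapper metadata is kept there.` comment describes. `dev_read_sysfs(lvm_t)` on the line above already grants lvm_t the sysfs read access; move the comment onto that line and delete the `sysfs_t` call. The line was carried over from the old block rather than introduced here, but the move is the right moment to fix it.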
|
||||
|
@ -131,13 +131,13 @@ bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
|
||||
|
||||
kernel_read_system_state(depmod_t)
|
||||
|
||||
bootloader_read_kernel_symbol_table(depmod_t)
|
||||
bootloader_read_kernel_modules(depmod_t)
|
||||
|
||||
fs_getattr_xattr_fs(depmod_t)
|
||||
|
||||
term_use_console(depmod_t)
|
||||
|
||||
bootloader_read_kernel_symbol_table(depmod_t)
|
||||
bootloader_read_kernel_modules(depmod_t)
|
||||
|
||||
init_use_fd(depmod_t)
|
||||
init_use_script_fd(depmod_t)
|
||||
init_use_script_pty(depmod_t)
|
||||
|
@ -149,12 +149,12 @@ allow load_policy_t selinux_config_t:dir r_dir_perms;
|
||||
allow load_policy_t selinux_config_t:file r_file_perms;
|
||||
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
|
||||
|
||||
fs_getattr_xattr_fs(load_policy_t)
|
||||
|
||||
selinux_get_fs_mount(load_policy_t)
|
||||
selinux_load_policy(load_policy_t)
|
||||
selinux_set_boolean(load_policy_t)
|
||||
|
||||
fs_getattr_xattr_fs(load_policy_t)
|
||||
|
||||
term_use_console(load_policy_t)
|
||||
term_list_ptys(load_policy_t)
|
||||
|
||||
@ -196,6 +196,11 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_system_state(newrole_t)
|
||||
kernel_read_kernel_sysctl(newrole_t)
|
||||
|
||||
dev_read_urand(newrole_t)
|
||||
|
||||
fs_getattr_xattr_fs(newrole_t)
|
||||
|
||||
selinux_get_fs_mount(newrole_t)
|
||||
selinux_validate_context(newrole_t)
|
||||
selinux_compute_access_vector(newrole_t)
|
||||
@ -203,10 +208,6 @@ selinux_compute_create_context(newrole_t)
|
||||
selinux_compute_relabel_context(newrole_t)
|
||||
selinux_compute_user_contexts(newrole_t)
|
||||
|
||||
dev_read_urand(newrole_t)
|
||||
|
||||
fs_getattr_xattr_fs(newrole_t)
|
||||
|
||||
term_use_all_user_ttys(newrole_t)
|
||||
term_use_all_user_ptys(newrole_t)
|
||||
|
||||
@ -280,6 +281,9 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
|
||||
|
||||
kernel_use_fd(restorecon_t)
|
||||
kernel_read_system_state(restorecon_t)
|
||||
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
|
||||
selinux_get_fs_mount(restorecon_t)
|
||||
selinux_validate_context(restorecon_t)
|
||||
selinux_compute_access_vector(restorecon_t)
|
||||
@ -287,8 +291,6 @@ selinux_compute_create_context(restorecon_t)
|
||||
selinux_compute_relabel_context(restorecon_t)
|
||||
selinux_compute_user_contexts(restorecon_t)
|
||||
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
|
||||
term_use_unallocated_tty(restorecon_t)
|
||||
|
||||
init_use_fd(restorecon_t)
|
||||
@ -320,10 +322,10 @@ files_list_all_dirs(restorecon_t)
|
||||
auth_relabelto_shadow(restorecon_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
fs_use_tmpfs_character_devices(restorecon_t)
|
||||
fs_use_tmpfs_block_devices(restorecon_t)
|
||||
fs_relabel_tmpfs_block_devices(restorecon_t)
|
||||
fs_relabel_tmpfs_character_devices(restorecon_t)
|
||||
fs_use_tmpfs_character_devices(restorecon_t)
|
||||
fs_use_tmpfs_block_devices(restorecon_t)
|
||||
fs_relabel_tmpfs_block_devices(restorecon_t)
|
||||
fs_relabel_tmpfs_character_devices(restorecon_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -414,6 +416,9 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_system_state(setfiles_t)
|
||||
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
|
||||
selinux_get_fs_mount(setfiles_t)
|
||||
selinux_validate_context(setfiles_t)
|
||||
selinux_compute_access_vector(setfiles_t)
|
||||
@ -421,8 +426,6 @@ selinux_compute_create_context(setfiles_t)
|
||||
selinux_compute_relabel_context(setfiles_t)
|
||||
selinux_compute_user_contexts(setfiles_t)
|
||||
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
|
||||
term_use_all_user_ttys(setfiles_t)
|
||||
term_use_all_user_ptys(setfiles_t)
|
||||
term_use_unallocated_tty(setfiles_t)
|
||||
|
@ -86,7 +86,6 @@ allow ifconfig_t dhcpc_t:process sigchld;
|
||||
kernel_read_system_state(dhcpc_t)
|
||||
kernel_read_network_state(dhcpc_t)
|
||||
kernel_read_kernel_sysctl(dhcpc_t)
|
||||
dev_read_sysfs(dhcpc_t)
|
||||
kernel_use_fd(dhcpc_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(dhcpc_t)
|
||||
@ -101,7 +100,8 @@ corenet_tcp_bind_all_nodes(dhcpc_t)
|
||||
corenet_udp_bind_all_nodes(dhcpc_t)
|
||||
corenet_udp_bind_dhcpc_port(dhcpc_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_sysfs(dhcpc_t)
|
||||
# for SSP:
|
||||
dev_read_urand(dhcpc_t)
|
||||
|
||||
fs_getattr_all_fs(dhcpc_t)
|
||||
|
@ -70,7 +70,12 @@ kernel_read_device_sysctl(udev_t)
|
||||
kernel_read_hotplug_sysctl(udev_t)
|
||||
kernel_read_modprobe_sysctl(udev_t)
|
||||
kernel_read_kernel_sysctl(udev_t)
|
||||
|
||||
dev_read_sysfs(udev_t)
|
||||
dev_manage_dev_nodes(udev_t)
|
||||
|
||||
fs_getattr_all_fs(udev_t)
|
||||
|
||||
selinux_get_fs_mount(udev_t)
|
||||
selinux_validate_context(udev_t)
|
||||
selinux_compute_access_vector(udev_t)
|
||||
@ -78,10 +83,6 @@ selinux_compute_create_context(udev_t)
|
||||
selinux_compute_relabel_context(udev_t)
|
||||
selinux_compute_user_contexts(udev_t)
|
||||
|
||||
dev_manage_dev_nodes(udev_t)
|
||||
|
||||
fs_getattr_all_fs(udev_t)
|
||||
|
||||
corecmd_exec_bin(udev_t)
|
||||
corecmd_exec_sbin(udev_t)
|
||||
corecmd_exec_shell(udev_t)
|
||||
|