add a couple more nfs and cifs interfaces, to cover most of the

use_(nfs|cifs)_home_dirs tunable
Chris PeBenito 2005-06-16 20:33:51 +00:00
parent 77c124c8cd
commit d35c621eb0
19 changed files with 402 additions and 309 deletions


@ -118,6 +118,7 @@ dev_read_urand(rpm_t)
#fs_manage_nfs_dir(rpm_t)
#fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
@ -176,7 +177,6 @@ allow rpm_t ttyfile:chr_file unlink;
allow rpm_t fs_type:dir { setattr rw_dir_perms };
allow rpm_t mount_t:tcp_socket write;
allow rpm_t nfs_t:lnk_file create_file_perms;
allow rpm_t sysfs_t:dir r_dir_perms;
allow rpm_t usbdevfs_t:dir r_dir_perms;
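Review bot: `fs_manage_nfs_symlinks(rpm_t)` is added unconditionally while the two sibling lines directly above it (`#fs_manage_nfs_dir(rpm_t)`, `#fs_manage_nfs_files(rpm_t)`) stay commented out, so rpm_t gets only the symlink part of NFS home-directory management and gets it regardless of the `use_nfs_home_dirs` tunable that every other caller in this commit keys on. Either wrap it as the other call sites do, `tunable_policy(`use_nfs_home_dirs',` / `fs_manage_nfs_symlinks(rpm_t)` / `')`, or add a one-line comment saying why rpm must always reach nfs_t. Note that the interface, as defined later in this commit, also grants `rw_dir_perms` on `nfs_t:dir`, which is broader than the removed `allow rpm_t nfs_t:lnk_file create_file_perms;` in the second hunk (the retained `fs_type:dir` rule above it probably already covers that, assuming nfs_t carries the fs_type attribute). The commented name `fs_manage_nfs_dir` also does not match the plural `fs_manage_nfs_dirs` used elsewhere in the commit.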


@ -43,10 +43,7 @@ define(`gpg_per_userdomain_template',`
#
# transition from the userdomain to the derived domain
allow $1_t $1_gpg_t:process transition;
allow $1_t gpg_exec_t:file rx_file_perms;
type_transition $1_t gpg_exec_t:process $1_gpg_t;
dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1_t,gpg_exec_t,$1_gpg_t)
allow $1_t $1_gpg_t:fd use;
allow $1_gpg_t $1_t:fd use;
@ -103,6 +100,18 @@ define(`gpg_per_userdomain_template',`
allow $1_gpg_t gpg_exec_t:file execmod;
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_gpg_t)
fs_manage_nfs_files($1_gpg_t)
fs_manage_nfs_symlinks($1_gpg_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_gpg_t)
fs_manage_cifs_files($1_gpg_t)
fs_manage_cifs_symlinks($1_gpg_t)
')
ifdef(`TODO',`
can_ypbind($1_gpg_t)
@ -134,13 +143,6 @@ define(`gpg_per_userdomain_template',`
# allow the usual access to /tmp
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
tunable_policy(`use_nfs_home_dirs',`
create_dir_file($1_gpg_t, nfs_t)
')
tunable_policy(`use_samba_home_dirs',`
create_dir_file($1_gpg_t, cifs_t)
')
rw_dir_create_file($1_gpg_t, $1_file_type)
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
@ -157,11 +159,12 @@ define(`gpg_per_userdomain_template',`
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.
# communicate with the user
allow $1_gpg_helper_t $1_t:fd use;
allow $1_gpg_helper_t $1_t:fifo_file write;
# transition from the gpg domain to the helper domain
allow $1_gpg_t $1_gpg_helper_t:process transition;
allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms;
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
allow $1_gpg_t $1_gpg_helper_t:fd use;
allow $1_gpg_helper_t $1_gpg_t:fd use;
@ -197,18 +200,15 @@ define(`gpg_per_userdomain_template',`
sysnet_read_config($1_gpg_helper_t)
ifdef(`TODO',`
tunable_policy(`use_nfs_home_dirs',`
dontaudit $1_gpg_helper_t nfs_t:file { read write };
')
tunable_policy(`use_samba_home_dirs',`
dontaudit $1_gpg_helper_t cifs_t:file { read write };
fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
')
# communicate with the user
allow $1_gpg_helper_t $1_t:fd use;
allow $1_gpg_helper_t $1_t:fifo_file write;
tunable_policy(`use_samba_home_dirs',`
fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
')
ifdef(`TODO',`
ifdef(`xdm.te', `
dontaudit $1_gpg_t xdm_t:fd use;
@ -232,6 +232,9 @@ define(`gpg_per_userdomain_template',`
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
domain_use_wide_inherit_fd($1_gpg_agent_t)
libs_use_ld_so($1_gpg_agent_t)
@ -239,9 +242,19 @@ define(`gpg_per_userdomain_template',`
miscfiles_read_localization($1_gpg_agent_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_gpg_agent_t)
fs_manage_nfs_files($1_gpg_agent_t)
fs_manage_nfs_symlinks($1_gpg_agent_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_gpg_agent_t)
fs_manage_cifs_files($1_gpg_agent_t)
fs_manage_cifs_symlinks($1_gpg_agent_t)
')
ifdef(`TODO',`
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
allow $1_gpg_agent_t xdm_t:fd use;
@ -261,12 +274,6 @@ define(`gpg_per_userdomain_template',`
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
tunable_policy(`use_nfs_home_dirs',`
create_dir_file($1_gpg_agent_t, nfs_t)
')
tunable_policy(`use_samba_home_dirs',`
create_dir_file($1_gpg_agent_t, cifs_t)
')
# gpg connect
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
@ -281,10 +288,7 @@ define(`gpg_per_userdomain_template',`
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms;
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
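Review bot: The tunable blocks added for `$1_gpg_t` and `$1_gpg_agent_t` call `fs_manage_nfs_symlinks`/`fs_manage_cifs_symlinks` alongside the dirs and files interfaces, whereas the `create_dir_file(…, nfs_t)` and `create_dir_file(…, cifs_t)` calls they replace name only directories and files (assuming that helper's expansion, which is not shown here), so the symlink grant is a widening rather than a straight translation. If it is intended, a one-line comment above each block, e.g. `# manage ~/.gnupg on NFS/CIFS home directories, including symlinks`, would record that for the next reader. The `gpg_per_userdomain_template` definition begins and ends outside these hunks.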


@ -399,17 +399,14 @@ define(`fs_mount_cifs_depend',`
## </interface>
#
define(`fs_remount_cifs',`
gen_require(`$0'_depend)
gen_require(`
type cifs_t;
class filesystem remount;
')
allow $1 cifs_t:filesystem remount;
')
define(`fs_remount_cifs_depend',`
type cifs_t;
class filesystem remount;
')
########################################
## <interface name="fs_unmount_cifs">
## <description>
@ -421,17 +418,14 @@ define(`fs_remount_cifs_depend',`
## </interface>
#
define(`fs_unmount_cifs',`
gen_require(`$0'_depend)
gen_require(`
type cifs_t;
class filesystem unmount;
')
allow $1 cifs_t:filesystem mount;
')
define(`fs_unmount_cifs_depend',`
type cifs_t;
class filesystem unmount;
')
########################################
## <interface name="fs_getattr_cifs">
## <description>
@ -445,15 +439,74 @@ define(`fs_unmount_cifs_depend',`
## </interface>
#
define(`fs_getattr_cifs',`
gen_require(`$0'_depend)
gen_require(`
type cifs_t;
class filesystem getattr;
')
allow $1 cifs_t:filesystem getattr;
')
define(`fs_getattr_cifs_depend',`
type cifs_t;
########################################
## <interface name="fs_read_cifs_files">
## <description>
## Read files on a CIFS or SMB filesystem.
## </description>
## <parameter name="domain">
## The type of the domain reading the files.
## </parameter>
## </interface>
#
define(`fs_read_cifs_files',`
gen_require(`
type cifs_t;
class dir r_dir_perms;
class file r_file_perms;
')
class filesystem getattr;
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:file r_file_perms;
')
########################################
## <interface name="fs_dontaudit_rw_cifs_files">
## <description>
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
## </description>
## <parameter name="domain">
## The type of the domain to not audit.
## </parameter>
## </interface>
#
define(`fs_dontaudit_rw_cifs_files',`
gen_require(`
type cifs_t;
class file { read write };
')
dontaudit $1 cifs_t:file { read write };
')
########################################
## <interface name="fs_read_cifs_symlinks">
## <description>
## Read symbolic links on a CIFS or SMB filesystem.
## </description>
## <parameter name="domain">
## The type of the domain reading the symbolic links.
## </parameter>
## </interface>
#
define(`fs_read_cifs_symlinks',`
gen_require(`
type cifs_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
allow $1 cifs_t:dir r_dir_perms;
allow $1 cifs_t:lnk_file r_file_perms;
')
########################################
@ -482,6 +535,26 @@ define(`fs_execute_cifs_files_depend',`
class file { getattr read execute execute_no_trans };
')
########################################
## <interface name="fs_dontaudit_rw_cifs_files">
## <description>
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystems.
## </description>
## <parameter name="domain">
## The type of the domain to not audit.
## </parameter>
## </interface>
#
define(`fs_read_cifs_files',`
gen_require(`
type cifs_t;
class file { read write };
')
dontaudit $1 cifs_t:file { read write };
')
########################################
## <interface name="fs_manage_cifs_dirs">
## <description>
@ -906,6 +979,27 @@ define(`fs_getattr_nfs_depend',`
class filesystem getattr;
')
########################################
## <interface name="fs_read_nfs_files">
## <description>
## Read files on a NFS filesystem.
## </description>
## <parameter name="domain">
## The type of the domain reading the files.
## </parameter>
## </interface>
#
define(`fs_read_nfs_files',`
gen_require(`
type nfs_t;
class dir r_dir_perms;
class file r_file_perms;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:file r_file_perms;
')
########################################
## <interface name="fs_execute_nfs_files">
## <description>
@ -917,17 +1011,54 @@ define(`fs_getattr_nfs_depend',`
## </interface>
#
define(`fs_execute_nfs_files',`
gen_require(`$0'_depend)
gen_require(`
type nfs_t;
class dir r_dir_perms;
')
allow $1 nfs_t:dir r_dir_perms;
can_exec($1, nfs_t)
')
define(`fs_execute_nfs_files_depend',`
type nfs_t;
########################################
## <interface name="fs_dontaudit_rw_nfs_files">
## <description>
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </description>
## <parameter name="domain">
## The type of the domain to not audit.
## </parameter>
## </interface>
#
define(`fs_dontaudit_rw_nfs_files',`
gen_require(`
type nfs_t;
class file { read write };
')
class dir r_dir_perms;
class file { getattr read execute execute_no_trans };
dontaudit $1 nfs_t:file { read write };
')
########################################
## <interface name="fs_read_nfs_symlinks">
## <description>
## Read symbolic links on a NFS filesystem.
## </description>
## <parameter name="domain">
## The type of the domain reading the symbolic links.
## </parameter>
## </interface>
#
define(`fs_read_nfs_symlinks',`
gen_require(`
type nfs_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
allow $1 nfs_t:dir r_dir_perms;
allow $1 nfs_t:lnk_file r_file_perms;
')
########################################
@ -990,19 +1121,16 @@ define(`fs_manage_nfs_files_depend',`
## </interface>
#
define(`fs_manage_nfs_symlinks',`
gen_require(`$0'_depend)
gen_require(`
type nfs_t;
class dir r_dir_perms;
class lnk_file create_lnk_perms;
')
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:lnk_file create_lnk_perms;
')
define(`fs_manage_nfs_symlinks_depend',`
type nfs_t;
class dir r_dir_perms;
class lnk_file create_lnk_perms;
')
#########################################
## <interface name="fs_manage_nfs_named_pipes">
## <description>
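Review bot: The block added after `fs_execute_cifs_files_depend` carries the `fs_dontaudit_rw_cifs_files` doc header but its define line reads `define(`fs_read_cifs_files',` with a `dontaudit $1 cifs_t:file { read write };` body; because this file already defines `fs_read_cifs_files` (allow `r_dir_perms`/`r_file_perms`) and `fs_dontaudit_rw_cifs_files` earlier in the same hunk series, this later m4 define silently replaces the read interface, and the new `fs_read_cifs_files(remote_login_t)` and `fs_read_cifs_files(local_login_t)` calls in this commit would expand to a dontaudit instead of granting read access. Drop the duplicate block, or rename it if a distinct interface was meant. Two smaller mismatches in the same file: `fs_manage_nfs_symlinks` now requires `class dir r_dir_perms;` but its rule is `allow $1 nfs_t:dir rw_dir_perms;`, and `fs_unmount_cifs` requires `class filesystem unmount;` while granting `allow $1 cifs_t:filesystem mount;` (pre-existing, but the commit rewrites the gen_require directly above it).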


@ -13,18 +13,15 @@
## </interface>
#
define(`storage_getattr_fixed_disk',`
gen_require(`$0'_depend)
gen_require(`
type fixed_disk_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file getattr;
')
define(`storage_getattr_fixed_disk_depend',`
type fixed_disk_device_t;
class blk_file getattr;
')
########################################
## <interface name="storage_dontaudit_getattr_fixed_disk">
## <description>
@ -37,17 +34,14 @@ define(`storage_getattr_fixed_disk_depend',`
## </interface>
#
define(`storage_dontaudit_getattr_fixed_disk',`
gen_require(`$0'_depend)
gen_require(`
type fixed_disk_device_t;
class blk_file getattr;
')
dontaudit $1 fixed_disk_device_t:blk_file getattr;
')
define(`storage_dontaudit_getattr_fixed_disk_depend',`
type fixed_disk_device_t;
class blk_file getattr;
')
########################################
## <interface name="storage_setattr_fixed_disk">
## <description>
@ -60,16 +54,33 @@ define(`storage_dontaudit_getattr_fixed_disk_depend',`
## </interface>
#
define(`storage_setattr_fixed_disk',`
gen_require(`$0'_depend)
gen_require(`
type fixed_disk_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file setattr;
')
define(`storage_setattr_fixed_disk_depend',`
type fixed_disk_device_t;
########################################
## <interface name="storage_dontaudit_setattr_fixed_disk">
## <description>
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
## </description>
## <parameter name="domain">
## The type of the process to not audit.
## </parameter>
## </interface>
#
define(`storage_dontaudit_setattr_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
class blk_file getattr;
')
class blk_file setattr;
dontaudit $1 fixed_disk_device_t:blk_file getattr;
')
########################################
@ -86,21 +97,17 @@ define(`storage_setattr_fixed_disk_depend',`
## </interface>
#
define(`storage_raw_read_fixed_disk',`
gen_require(`$0'_depend)
gen_require(`
attribute fixed_disk_raw_read;
type fixed_disk_device_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file r_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
define(`storage_raw_read_fixed_disk_depend',`
attribute fixed_disk_raw_read;
type fixed_disk_device_t;
class blk_file r_file_perms;
')
########################################
## <interface name="storage_raw_write_fixed_disk">
## <description>
@ -115,21 +122,17 @@ define(`storage_raw_read_fixed_disk_depend',`
## </interface>
#
define(`storage_raw_write_fixed_disk',`
gen_require(`$0'_depend)
gen_require(`
attribute fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
typeattribute $1 fixed_disk_raw_write;
')
define(`storage_raw_write_fixed_disk_depend',`
attribute fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file { getattr write ioctl };
')
########################################
## <interface name="storage_create_fixed_disk">
## <description>
@ -141,19 +144,17 @@ define(`storage_raw_write_fixed_disk_depend',`
## </interface>
#
define(`storage_create_fixed_disk_dev_entry',`
gen_require(`$0'_depend)
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file create_file_perms;
')
allow $1 fixed_disk_device_t:blk_file create_file_perms;
dev_create_dev_node($1,fixed_disk_device_t,blk_file)
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
define(`storage_create_fixed_disk_dev_entry_depend',`
type fixed_disk_device_t;
class blk_file create_file_perms;
')
########################################
## <interface name="storage_manage_fixed_disk">
## <description>
@ -165,21 +166,17 @@ define(`storage_create_fixed_disk_dev_entry_depend',`
## </interface>
#
define(`storage_manage_fixed_disk',`
gen_require(`$0'_depend)
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file create_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file create_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
define(`storage_manage_fixed_disk_depend',`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file create_file_perms;
')
########################################
## <interface name="storage_raw_read_lvm_volume">
## <description>
@ -194,21 +191,17 @@ define(`storage_manage_fixed_disk_depend',`
## </interface>
#
define(`storage_raw_read_lvm_volume',`
gen_require(`$0'_depend)
gen_require(`
attribute fixed_disk_raw_read;
type lvm_vg_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 lvm_vg_t:blk_file r_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
define(`storage_raw_read_lvm_volume_depend',`
attribute fixed_disk_raw_read;
type lvm_vg_t;
class blk_file r_file_perms;
')
########################################
## <interface name="storage_raw_write_lvm_volume">
## <description>
@ -223,21 +216,17 @@ define(`storage_raw_read_lvm_volume_depend',`
## </interface>
#
define(`storage_raw_write_lvm_volume',`
gen_require(`$0'_depend)
gen_require(`
attribute fixed_disk_raw_write;
type lvm_vg_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
typeattribute $1 fixed_disk_raw_write;
')
define(`storage_raw_write_lvm_volume_depend',`
attribute fixed_disk_raw_write;
type lvm_vg_t;
class blk_file { getattr write ioctl };
')
########################################
## <interface name="storage_read_scsi_generic">
## <description>
@ -253,21 +242,17 @@ define(`storage_raw_write_lvm_volume_depend',`
## </interface>
#
define(`storage_read_scsi_generic',`
gen_require(`$0'_depend)
gen_require(`
attribute scsi_generic_read;
type scsi_generic_device_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file r_file_perms;
typeattribute $1 scsi_generic_read;
')
define(`storage_read_scsi_generic_depend',`
attribute scsi_generic_read;
type scsi_generic_device_t;
class blk_file r_file_perms;
')
########################################
## <interface name="storage_write_scsi_generic">
## <description>
@ -283,21 +268,17 @@ define(`storage_read_scsi_generic_depend',`
## </interface>
#
define(`storage_write_scsi_generic',`
gen_require(`$0'_depend)
gen_require(`
attribute scsi_generic_write;
type scsi_generic_device_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
typeattribute $1 scsi_generic_write;
')
define(`storage_write_scsi_generic_depend',`
attribute scsi_generic_write;
type scsi_generic_device_t;
class blk_file { getattr write ioctl };
')
########################################
## <interface name="storage_getattr_scsi_generic">
## <description>
@ -310,18 +291,15 @@ define(`storage_write_scsi_generic_depend',`
## </interface>
#
define(`storage_getattr_scsi_generic',`
gen_require(`$0'_depend)
gen_require(`
type scsi_generic_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file getattr;
')
define(`storage_getattr_scsi_generic_depend',`
type scsi_generic_device_t;
class blk_file getattr;
')
########################################
## <interface name="storage_setattr_scsi_generic">
## <description>
@ -334,18 +312,15 @@ define(`storage_getattr_scsi_generic_depend',`
## </interface>
#
define(`storage_set_scsi_generic_attributes',`
gen_require(`$0'_depend)
gen_require(`
type scsi_generic_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file setattr;
')
define(`storage_set_scsi_generic_attributes_depend',`
type scsi_generic_device_t;
class blk_file setattr;
')
########################################
## <interface name="storage_getattr_removable_device">
## <description>
@ -358,18 +333,15 @@ define(`storage_set_scsi_generic_attributes_depend',`
## </interface>
#
define(`storage_getattr_removable_device',`
gen_require(`$0'_depend)
gen_require(`
type removable_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file getattr;
')
define(`storage_getattr_removable_device_depend',`
type removable_device_t;
class blk_file getattr;
')
########################################
## <interface name="storage_dontaudit_getattr_removable_device">
## <description>
@ -382,17 +354,14 @@ define(`storage_getattr_removable_device_depend',`
## </interface>
#
define(`storage_dontaudit_getattr_removable_device',`
gen_require(`$0'_depend)
gen_require(`
type removable_device_t;
class blk_file getattr;
')
dontaudit $1 removable_device_t:blk_file getattr;
')
define(`storage_dontaudit_getattr_removable_device_depend',`
type removable_device_t;
class blk_file getattr;
')
########################################
## <interface name="storage_setattr_removable_device">
## <description>
@ -405,18 +374,15 @@ define(`storage_dontaudit_getattr_removable_device_depend',`
## </interface>
#
define(`storage_setattr_removable_device',`
gen_require(`$0'_depend)
gen_require(`
type removable_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file setattr;
')
define(`storage_setattr_removable_device_depend',`
type removable_device_t;
class blk_file setattr;
')
########################################
## <interface name="storage_raw_read_removable_device">
## <description>
@ -432,18 +398,15 @@ define(`storage_setattr_removable_device_depend',`
## </interface>
#
define(`storage_raw_read_removable_device',`
gen_require(`$0'_depend)
gen_require(`
type removable_device_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file r_file_perms;
')
define(`storage_raw_read_removable_device_depend',`
type removable_device_t;
class blk_file r_file_perms;
')
########################################
## <interface name="storage_raw_write_removable_device">
## <description>
@ -459,18 +422,15 @@ define(`storage_raw_read_removable_device_depend',`
## </interface>
#
define(`storage_raw_write_removable_device',`
gen_require(`$0'_depend)
gen_require(`
type removable_device_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file { getattr write ioctl };
')
define(`storage_raw_write_removable_device_depend',`
type removable_device_t;
class blk_file { getattr write ioctl };
')
########################################
## <interface name="storage_read_tape_device">
## <description>
@ -483,18 +443,15 @@ define(`storage_raw_write_removable_device_depend',`
## </interface>
#
define(`storage_read_tape_device',`
gen_require(`$0'_depend)
gen_require(`
type tape_device_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file r_file_perms;
')
define(`storage_read_tape_device_depend',`
type tape_device_t;
class blk_file r_file_perms;
')
########################################
## <interface name="storage_write_tape_device">
## <description>
@ -507,18 +464,15 @@ define(`storage_read_tape_device_depend',`
## </interface>
#
define(`storage_write_tape_device',`
gen_require(`$0'_depend)
gen_require(`
type tape_device_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file { getattr write ioctl };
')
define(`storage_write_tape_device_depend',`
type tape_device_t;
class blk_file { getattr write ioctl };
')
########################################
## <interface name="storage_getattr_tape_device">
## <description>
@ -531,18 +485,15 @@ define(`storage_write_tape_device_depend',`
## </interface>
#
define(`storage_getattr_tape_device',`
gen_require(`$0'_depend)
gen_require(`
type tape_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file getattr;
')
define(`storage_getattr_tape_device_depend',`
type tape_device_t;
class blk_file getattr;
')
########################################
## <interface name="storage_setattr_tape_device">
## <description>
@ -555,15 +506,13 @@ define(`storage_getattr_tape_device_depend',`
## </interface>
#
define(`storage_setattr_tape_device',`
gen_require(`$0'_depend)
gen_require(`
type tape_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file setattr;
')
define(`storage_setattr_tape_device_depend',`
type tape_device_t;
class blk_file setattr;
')
## </module>
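Review bot: The new `storage_dontaudit_setattr_fixed_disk` interface requires and dontaudits `blk_file getattr`, not `setattr`: its body `dontaudit $1 fixed_disk_device_t:blk_file getattr;` is identical to `storage_dontaudit_getattr_fixed_disk` despite the name and the "set the attributes" description. local_login.te in this commit calls it in place of the removed `dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };`, so setattr denials from the login domain would be audited again. The fix is the two lines `class blk_file setattr;` and `dontaudit $1 fixed_disk_device_t:blk_file setattr;`. Separately, `storage_create_fixed_disk_dev_entry` now requires `attribute fixed_disk_raw_read, fixed_disk_raw_write;` and its body carries `typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;`; if that line is new here (the old `_depend` block listed no attributes) it is a broader grant than creating a device node, and the interface description should say so.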


@ -81,6 +81,16 @@ auth_manage_pam_console_data(remote_login_t)
miscfiles_read_localization(remote_login_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(remote_login_t)
fs_read_nfs_symlinks(remote_login_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files(remote_login_t)
fs_read_cifs_symlinks(remote_login_t)
')
ifdef(`TODO',`
allow remote_login_t unpriv_userdomain:fd use;
can_ypbind(remote_login_t)
@ -116,14 +126,6 @@ dontaudit remote_login_t sysfs_t:dir search;
allow remote_login_t autofs_t:dir r_dir_perms;
allow remote_login_t mnt_t:dir r_dir_perms;
tunable_policy(`use_nfs_home_dirs',`
r_dir_file(remote_login_t, nfs_t)
')
tunable_policy(`use_samba_home_dirs',`
r_dir_file(remote_login_t, cifs_t)
')
# FIXME: what is this for?
ifdef(`xdm.te', `
allow xdm_t remote_login_t:process signull;


@ -138,9 +138,10 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
kernel_read_kernel_sysctl(pam_console_t)
kernel_read_system_state(pam_console_t)
dev_read_sysfs(pam_console_t)
kernel_use_fd(pam_console_t)
dev_read_sysfs(pam_console_t)
# Allow to set attributes on /dev entries
storage_getattr_fixed_disk(pam_console_t)
storage_setattr_fixed_disk(pam_console_t)
@ -151,15 +152,15 @@ term_use_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
init_use_fd(pam_console_t)
init_use_script_pty(pam_console_t)
domain_use_wide_inherit_fd(pam_console_t)
files_read_generic_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)
init_use_fd(pam_console_t)
init_use_script_pty(pam_console_t)
libs_use_ld_so(pam_console_t)
libs_use_shared_libs(pam_console_t)


@ -30,8 +30,8 @@ dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
kernel_read_kernel_sysctl(hwclock_t)
dev_read_sysfs(hwclock_t)
dev_read_sysfs(hwclock_t)
dev_rw_realtime_clock(hwclock_t)
fs_getattr_xattr_fs(hwclock_t)
@ -41,11 +41,11 @@ term_use_unallocated_tty(hwclock_t)
term_use_all_user_ttys(hwclock_t)
term_use_all_user_ptys(hwclock_t)
domain_use_wide_inherit_fd(hwclock_t)
init_use_fd(hwclock_t)
init_use_script_pty(hwclock_t)
domain_use_wide_inherit_fd(hwclock_t)
files_read_generic_etc_files_directory(hwclock_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(hwclock_t)


@ -26,9 +26,10 @@ dontaudit hostname_t self:capability sys_tty_config;
sysnet_read_config(hostname_t)
kernel_read_kernel_sysctl(hostname_t)
dev_read_sysfs(hostname_t)
kernel_dontaudit_use_fd(hostname_t)
dev_read_sysfs(hostname_t)
fs_getattr_xattr_fs(hostname_t)
term_dontaudit_use_console(hostname_t)


@ -45,9 +45,7 @@ files_create_pid(hotplug_t,hotplug_var_run_t)
kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctl(hotplug_t)
dev_read_sysfs(hotplug_t)
kernel_read_net_sysctl(hotplug_t)
dev_read_usbfs(hotplug_t)
bootloader_read_kernel_modules(hotplug_t)
@ -58,7 +56,9 @@ corenet_raw_sendrecv_all_nodes(hotplug_t)
corenet_tcp_sendrecv_all_ports(hotplug_t)
corenet_tcp_bind_all_nodes(hotplug_t)
# for SSP
dev_read_sysfs(hotplug_t)
dev_read_usbfs(hotplug_t)
# for SSP:
dev_read_urand(hotplug_t)
fs_getattr_all_fs(hotplug_t)


@ -88,11 +88,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
# Run init scripts.
domain_auto_trans(init_t,initrc_exec_t,initrc_t)
selinux_set_boolean(init_t)
kernel_read_system_state(init_t)
dev_read_sysfs(init_t)
kernel_share_state(init_t)
dev_read_sysfs(init_t)
selinux_set_boolean(init_t)
term_use_all_terms(init_t)
corecmd_chroot_exec_chroot(init_t)


@ -39,11 +39,12 @@ allow iptables_t self:rawip_socket create_socket_perms;
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
dev_read_sysfs(iptables_t)
kernel_read_kernel_sysctl(iptables_t)
kernel_read_modprobe_sysctl(iptables_t)
kernel_use_fd(iptables_t)
dev_read_sysfs(iptables_t)
fs_getattr_xattr_fs(iptables_t)
term_dontaudit_use_console(iptables_t)


@ -74,7 +74,6 @@ logging_send_syslog_msg(ldconfig_t)
userdom_use_all_user_fd(ldconfig_t)
ifdef(`TODO',`
allow ldconfig_t tmp_t:dir search;


@ -7,11 +7,11 @@ policy_module(locallogin,1.0)
#
type local_login_t; #, nscd_client_domain;
auth_login_entry_type(local_login_t)
domain_type(local_login_t)
domain_obj_id_change_exempt(local_login_t)
domain_subj_id_change_exempt(local_login_t)
domain_role_change_exempt(local_login_t)
auth_login_entry_type(local_login_t)
domain_type(local_login_t)
domain_wide_inherit_fd(local_login_t)
role system_r types local_login_t;
@ -53,6 +53,10 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctl(local_login_t)
# for SSP/ProPolice
dev_read_urand(local_login_t)
selinux_get_fs_mount(local_login_t)
selinux_validate_context(local_login_t)
selinux_compute_access_vector(local_login_t)
@ -60,8 +64,8 @@ selinux_compute_create_context(local_login_t)
selinux_compute_relabel_context(local_login_t)
selinux_compute_user_contexts(local_login_t)
# for SSP/ProPolice
dev_read_urand(local_login_t)
storage_dontaudit_getattr_fixed_disk(local_login_t)
storage_dontaudit_setattr_fixed_disk(local_login_t)
term_use_all_user_ttys(local_login_t)
term_use_unallocated_tty(local_login_t)
@ -106,6 +110,16 @@ userdom_use_unpriv_users_fd(local_login_t)
# Search for mail spool file.
mta_getattr_spool(local_login_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(local_login_t)
fs_read_nfs_symlinks(local_login_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files(local_login_t)
fs_read_cifs_symlinks(local_login_t)
')
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
@ -152,15 +166,16 @@ ifdef(`crack.te', `
allow local_login_t crack_db_t:file r_file_perms;
')
allow local_login_t mouse_device_t:chr_file { getattr setattr };
ifdef(`targeted_policy',`
unconfined_domain(local_login_t)
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
')
allow local_login_t mouse_device_t:chr_file { getattr setattr };
allow local_login_t sound_device_t:chr_file { getattr setattr };
allow local_login_t power_device_t:chr_file { getattr setattr };
# Do not audit denied attempts to access devices.
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
@ -177,20 +192,6 @@ optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr };
')
# Allow setting of attributes on sound devices.
allow local_login_t sound_device_t:chr_file { getattr setattr };
# Allow setting of attributes on power management devices.
allow local_login_t power_device_t:chr_file { getattr setattr };
tunable_policy(`use_nfs_home_dirs',`
r_dir_file(local_login_t, nfs_t)
')
tunable_policy(`use_samba_home_dirs',`
r_dir_file(local_login_t, cifs_t)
')
') dnl endif TODO
#################################


@ -59,6 +59,7 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
files_create_pid(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
dev_read_sysfs(auditd_t)
fs_getattr_all_fs(auditd_t)
@ -186,10 +187,10 @@ allow syslogd_t devlog_t:unix_dgram_socket name_bind;
allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_pid(syslogd_t,syslogd_var_run_t)
dev_read_sysfs(syslogd_t)
kernel_read_kernel_sysctl(syslogd_t)
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
term_dontaudit_use_console(syslogd_t)
# Allow syslog to a terminal


@ -69,20 +69,18 @@ type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
files_create_etc_config(lvm_t,lvm_metadata_t,file)
kernel_read_system_state(lvm_t)
kernel_read_kernel_sysctl(lvm_t)
# Read system variables in /proc/sys
kernel_read_kernel_sysctl(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core(lvm_t)
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
selinux_compute_access_vector(lvm_t)
selinux_compute_create_context(lvm_t)
selinux_compute_relabel_context(lvm_t)
selinux_compute_user_contexts(lvm_t)
kernel_read_kernel_sysctl(lvm_t)
dev_read_sysfs(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
dev_read_sysfs(sysfs_t)
# Read system variables in /proc/sys
kernel_read_kernel_sysctl(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core(lvm_t)
dev_create_generic_chr_file(lvm_t)
dev_read_rand(lvm_t)
@ -91,7 +89,9 @@ dev_rw_lvm_control(lvm_t)
dev_manage_generic_symlinks(lvm_t)
dev_relabel_dev_dirs(lvm_t)
dev_manage_generic_blk_file(lvm_t)
dev_read_sysfs(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
dev_read_sysfs(sysfs_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
dev_dontaudit_getattr_all_chr_files(lvm_t)
dev_dontaudit_getattr_all_blk_files(lvm_t)
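Review bot: `dev_read_sysfs(sysfs_t)` in the second hunk passes the sysfs file type where the interface expects the calling domain, so the rule it expands to grants nothing to lvm_t and documents an access that is not actually the one being allowed. Since `dev_read_sysfs(lvm_t)` is already on the line above, drop the `sysfs_t` line and move the `# Read /sys/block. Device mapper metadata is kept there.` comment onto the `lvm_t` call. The same `dev_read_sysfs(sysfs_t)` line appears in the first hunk as well, where the rendering does not show which side it is on. The first hunk also seems to carry `kernel_read_kernel_sysctl(lvm_t)` twice in a row (once bare, once under the `# Read system variables in /proc/sys` comment); if both are on the new side, one of them is redundant.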


@ -131,13 +131,13 @@ bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
kernel_read_system_state(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t)
bootloader_read_kernel_modules(depmod_t)
fs_getattr_xattr_fs(depmod_t)
term_use_console(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t)
bootloader_read_kernel_modules(depmod_t)
init_use_fd(depmod_t)
init_use_script_fd(depmod_t)
init_use_script_pty(depmod_t)


@ -149,12 +149,12 @@ allow load_policy_t selinux_config_t:dir r_dir_perms;
allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
fs_getattr_xattr_fs(load_policy_t)
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
selinux_set_boolean(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
@ -196,6 +196,11 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t)
dev_read_urand(newrole_t)
fs_getattr_xattr_fs(newrole_t)
selinux_get_fs_mount(newrole_t)
selinux_validate_context(newrole_t)
selinux_compute_access_vector(newrole_t)
@ -203,10 +208,6 @@ selinux_compute_create_context(newrole_t)
selinux_compute_relabel_context(newrole_t)
selinux_compute_user_contexts(newrole_t)
dev_read_urand(newrole_t)
fs_getattr_xattr_fs(newrole_t)
term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t)
@ -280,6 +281,9 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
kernel_use_fd(restorecon_t)
kernel_read_system_state(restorecon_t)
fs_getattr_xattr_fs(restorecon_t)
selinux_get_fs_mount(restorecon_t)
selinux_validate_context(restorecon_t)
selinux_compute_access_vector(restorecon_t)
@ -287,8 +291,6 @@ selinux_compute_create_context(restorecon_t)
selinux_compute_relabel_context(restorecon_t)
selinux_compute_user_contexts(restorecon_t)
fs_getattr_xattr_fs(restorecon_t)
term_use_unallocated_tty(restorecon_t)
init_use_fd(restorecon_t)
@ -320,10 +322,10 @@ files_list_all_dirs(restorecon_t)
auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(restorecon_t)
fs_use_tmpfs_block_devices(restorecon_t)
fs_relabel_tmpfs_block_devices(restorecon_t)
fs_relabel_tmpfs_character_devices(restorecon_t)
fs_use_tmpfs_character_devices(restorecon_t)
fs_use_tmpfs_block_devices(restorecon_t)
fs_relabel_tmpfs_block_devices(restorecon_t)
fs_relabel_tmpfs_character_devices(restorecon_t)
')
ifdef(`TODO',`
@ -414,6 +416,9 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
selinux_get_fs_mount(setfiles_t)
selinux_validate_context(setfiles_t)
selinux_compute_access_vector(setfiles_t)
@ -421,8 +426,6 @@ selinux_compute_create_context(setfiles_t)
selinux_compute_relabel_context(setfiles_t)
selinux_compute_user_contexts(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t)
term_use_unallocated_tty(setfiles_t)


@ -86,7 +86,6 @@ allow ifconfig_t dhcpc_t:process sigchld;
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctl(dhcpc_t)
dev_read_sysfs(dhcpc_t)
kernel_use_fd(dhcpc_t)
corenet_tcp_sendrecv_all_if(dhcpc_t)
@ -101,7 +100,8 @@ corenet_tcp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
# for SSP
dev_read_sysfs(dhcpc_t)
# for SSP:
dev_read_urand(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
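Review bot: The relocated `dev_read_sysfs(dhcpc_t)` in the second hunk now sits immediately above the `# for SSP:` comment with no comment of its own, so a reader is likely to take the sysfs access as part of the SSP requirement, which only applies to the `dev_read_urand` call below it. Give the sysfs line its own one-line reason, e.g. `# sysfs access — TODO confirm what dhclient reads there`, or separate the two with a blank line so the SSP comment clearly attaches only to the urandom access. The enclosing dhcpc_t rule block continues outside the hunk.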


@ -70,7 +70,12 @@ kernel_read_device_sysctl(udev_t)
kernel_read_hotplug_sysctl(udev_t)
kernel_read_modprobe_sysctl(udev_t)
kernel_read_kernel_sysctl(udev_t)
dev_read_sysfs(udev_t)
dev_manage_dev_nodes(udev_t)
fs_getattr_all_fs(udev_t)
selinux_get_fs_mount(udev_t)
selinux_validate_context(udev_t)
selinux_compute_access_vector(udev_t)
@ -78,10 +83,6 @@ selinux_compute_create_context(udev_t)
selinux_compute_relabel_context(udev_t)
selinux_compute_user_contexts(udev_t)
dev_manage_dev_nodes(udev_t)
fs_getattr_all_fs(udev_t)
corecmd_exec_bin(udev_t)
corecmd_exec_sbin(udev_t)
corecmd_exec_shell(udev_t)