rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Policy files should not be in repository

Browse Source
This commit is contained in:
Dan Walsh 2011-04-12 10:58:28 -04:00
parent e935d25737
commit d652e87854
1096 changed files with 0 additions and 161301 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

245
policy/constraints
View File

@ -1,245 +0,0 @@
#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_op r2
# | t1 op t2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
#
# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
define(`basic_ubac_conditions',`
ifdef(`enable_ubac',`
u1 == u2
or u1 == system_u
or u2 == system_u
or t1 != ubac_constrained_type
or t2 != ubac_constrained_type
')
')
define(`basic_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
basic_ubac_conditions
);
')
')
define(`exempted_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
basic_ubac_conditions
or t1 == $2
);
')
')
########################################
#
# File rules
#
exempted_ubac_constraint(dir, ubacfile)
exempted_ubac_constraint(file, ubacfile)
exempted_ubac_constraint(lnk_file, ubacfile)
exempted_ubac_constraint(fifo_file, ubacfile)
exempted_ubac_constraint(sock_file, ubacfile)
exempted_ubac_constraint(chr_file, ubacfile)
exempted_ubac_constraint(blk_file, ubacfile)
# SELinux object identity change constraint:
constrain dir_file_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
);
########################################
#
# Process rules
#
ifdef(`enable_ubac',`
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
(
basic_ubac_conditions
or t1 == ubacproc
);
')
constrain process { transition noatsecure siginh rlimitinh }
(
u1 == u2
or ( t1 == can_change_process_identity and t2 == process_user_target )
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
or ( t1 == can_system_change and u2 == system_u )
or ( t1 == process_uncond_exempt )
);
constrain process { transition noatsecure siginh rlimitinh }
(
r1 == r2
or ( t1 == can_change_process_role and t2 == process_user_target )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == can_system_change and r2 == system_r )
or ( t1 == process_uncond_exempt )
);
constrain process dyntransition
(
u1 == u2 and r1 == r2
);
# These permissions do not have ubac constraints:
# fork
# setexec
# setfscreate
# setcurrent
# execmem
# execstack
# execheap
# setkeycreate
# setsockcreate
########################################
#
# File descriptor rules
#
exempted_ubac_constraint(fd, ubacfd)
########################################
#
# Socket rules
#
exempted_ubac_constraint(socket, ubacsock)
exempted_ubac_constraint(tcp_socket, ubacsock)
exempted_ubac_constraint(udp_socket, ubacsock)
exempted_ubac_constraint(rawip_socket, ubacsock)
exempted_ubac_constraint(netlink_socket, ubacsock)
exempted_ubac_constraint(packet_socket, ubacsock)
exempted_ubac_constraint(key_socket, ubacsock)
exempted_ubac_constraint(unix_stream_socket, ubacsock)
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
exempted_ubac_constraint(netlink_route_socket, ubacsock)
exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
exempted_ubac_constraint(appletalk_socket, ubacsock)
exempted_ubac_constraint(dccp_socket, ubacsock)
constrain socket_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
);
########################################
#
# SysV IPC rules
exempted_ubac_constraint(sem, ubacipc)
exempted_ubac_constraint(msg, ubacipc)
exempted_ubac_constraint(msgq, ubacipc)
exempted_ubac_constraint(shm, ubacipc)
exempted_ubac_constraint(ipc, ubacipc)
########################################
#
# SE-X Windows rules
#
exempted_ubac_constraint(x_drawable, ubacxwin)
exempted_ubac_constraint(x_screen, ubacxwin)
exempted_ubac_constraint(x_gc, ubacxwin)
exempted_ubac_constraint(x_font, ubacxwin)
exempted_ubac_constraint(x_colormap, ubacxwin)
exempted_ubac_constraint(x_property, ubacxwin)
exempted_ubac_constraint(x_selection, ubacxwin)
exempted_ubac_constraint(x_cursor, ubacxwin)
exempted_ubac_constraint(x_client, ubacxwin)
exempted_ubac_constraint(x_device, ubacxwin)
exempted_ubac_constraint(x_server, ubacxwin)
exempted_ubac_constraint(x_extension, ubacxwin)
exempted_ubac_constraint(x_resource, ubacxwin)
exempted_ubac_constraint(x_event, ubacxwin)
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
exempted_ubac_constraint(x_application_data, ubacxwin)
########################################
#
# D-BUS rules
#
exempted_ubac_constraint(dbus, ubacdbus)
########################################
#
# Key rules
#
exempted_ubac_constraint(key, ubackey)
########################################
#
# Database rules
#
exempted_ubac_constraint(db_database, ubacdb)
exempted_ubac_constraint(db_table, ubacdb)
exempted_ubac_constraint(db_procedure, ubacdb)
exempted_ubac_constraint(db_column, ubacdb)
exempted_ubac_constraint(db_tuple, ubacdb)
exempted_ubac_constraint(db_blob, ubacdb)
basic_ubac_constraint(association)
basic_ubac_constraint(peer)
# these classes have no UBAC restrictions
#class security
#class system
#class capability
#class memprotect
#class passwd # userspace
#class node
#class netif
#class packet
#class capability2
#class nscd # userspace
#class context # userspace
undefine(`basic_ubac_constraint')
undefine(`basic_ubac_conditions')
undefine(`exempted_ubac_constraint')

51
policy/flask/Makefile
View File

@ -1,51 +0,0 @@
PYTHON ?= python
# flask needs to know where to export the libselinux headers.
LIBSELINUX_D ?= ../../libselinux
# flask needs to know where to export the kernel headers.
LINUX_D ?= ../../../linux-2.6
ACCESS_VECTORS_F = access_vectors
INITIAL_SIDS_F = initial_sids
SECURITY_CLASSES_F = security_classes
USER_D = userspace
KERN_D = kernel
LIBSELINUX_INCLUDE_H = flask.h av_permissions.h
LIBSELINUX_SOURCE_H = class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h
FLASK_H = class_to_string.h flask.h initial_sid_to_string.h
ACCESS_VECTORS_H = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
ALL_H = $(FLASK_H) $(ACCESS_VECTORS_H)
USER_H = $(addprefix $(USER_D)/, $(ALL_H))
KERN_H = $(addprefix $(KERN_D)/, $(ALL_H))
FLASK_NOWARNINGS = --nowarnings
all: $(USER_H) $(KERN_H)
$(USER_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
mkdir -p $(USER_D)
$(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS)
$(KERN_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
mkdir -p $(KERN_D)
$(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(KERN_D) -k $(FLASK_NOWARNINGS)
tolib: all
install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_INCLUDE_H)) $(LIBSELINUX_D)/include/selinux
install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_SOURCE_H)) $(LIBSELINUX_D)/src
tokern: all
install -m 644 $(KERN_H) $(LINUX_D)/security/selinux/include
install: all
relabel:
clean:
rm -fr userspace
rm -fr kernel

818
policy/flask/access_vectors
View File

@ -1,818 +0,0 @@
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define a common prefix for userspace database object access vectors.
#
common database
{
create
drop
getattr
setattr
relabelfrom
relabelto
}
#
# Define a common prefix for pointer and keyboard access vectors.
#
common x_device
{
getattr
setattr
use
read
write
getfocus
setfocus
bell
force_cursor
freeze
grab
manage
list_property
get_property
set_property
add
remove
create
destroy
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
open
}
class file
inherits file
{
execute_no_trans
entrypoint
execmod
open
}
class lnk_file
inherits file
class chr_file
inherits file
{
execute_no_trans
entrypoint
execmod
open
}
class blk_file
inherits file
{
open
}
class sock_file
inherits file
{
open
}
class fifo_file
inherits file
{
open
}
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
dccp_recv
dccp_send
recvfrom
sendto
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
dccp_recv
dccp_send
ingress
egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
setkeycreate
setsockcreate
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
module_request
}
#
# Define the access vector interpretation for controling capabilies
#
class capability
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the capability2 class.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
class capability2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
}
#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
passwd # change another user passwd
chfn # change another user finger info
chsh # change another user shell
rootok # pam_rootok check (skip auth)
crontab # crontab on another user
}
#
# SE-X Windows stuff
#
class x_drawable
{
create
destroy
read
write
blend
getattr
setattr
list_child
add_child
remove_child
list_property
get_property
set_property
manage
override
show
hide
send
receive
}
class x_screen
{
getattr
setattr
hide_cursor
show_cursor
saver_getattr
saver_setattr
saver_hide
saver_show
}
class x_gc
{
create
destroy
getattr
setattr
use
}
class x_font
{
create
destroy
getattr
add_glyph
remove_glyph
use
}
class x_colormap
{
create
destroy
read
write
getattr
add_color
remove_color
install
uninstall
use
}
class x_property
{
create
destroy
read
write
append
getattr
setattr
}
class x_selection
{
read
write
getattr
setattr
}
class x_cursor
{
create
destroy
read
write
getattr
setattr
use
}
class x_client
{
destroy
getattr
setattr
manage
}
class x_device
inherits x_device
class x_server
{
getattr
setattr
record
debug
grab
manage
}
class x_extension
{
query
use
}
class x_resource
{
read
write
}
class x_event
{
send
receive
}
class x_synthetic_event
{
send
receive
}
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_firewall_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
nlmsg_tty_audit
}
class netlink_ip6fw_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
acquire_svc
send_msg
}
# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
getpwd
getgrp
gethost
getstat
admin
shmempwd
shmemgrp
shmemhost
getserv
shmemserv
}
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
setcontext
polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
send
recv
relabelto
flow_in # deprecated
flow_out # deprecated
forward_in
forward_out
}
class key
{
view
read
write
search
link
setattr
create
}
class context
{
translate
contains
}
class dccp_socket
inherits socket
{
node_bind
name_connect
}
class memprotect
{
mmap_zero
}
class db_database
inherits database
{
access
install_module
load_module
get_param # deprecated
set_param # deprecated
}
class db_table
inherits database
{
use # deprecated
select
update
insert
delete
lock
}
class db_procedure
inherits database
{
execute
entrypoint
install
}
class db_column
inherits database
{
use # deprecated
select
update
insert
}
class db_tuple
{
relabelfrom
relabelto
use # deprecated
select
update
insert
delete
}
class db_blob
inherits database
{
read
write
import
export
}
# network peer labels
class peer
{
recv
}
class x_application_data
{
paste
paste_after_confirm
copy
}
class kernel_service
{
use_as_override
create_files_as
}
class tun_socket
inherits socket
class x_pointer
inherits x_device
class x_keyboard
inherits x_device

536
policy/flask/flask.py
View File

@ -1,536 +0,0 @@
#!/usr/bin/python -E
#
# Author(s): Caleb Case <ccase@tresys.com>
#
# Adapted from the bash/awk scripts mkflask.sh and mkaccess_vector.sh
#
import getopt
import os
import sys
import re
class ParseError(Exception):
def __init__(self, type, file, line):
self.type = type
self.file = file
self.line = line
def __str__(self):
typeS = self.type
if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
return "Parse Error: Unexpected %s on line %d of %s." % (typeS, self.line, self.file)
class DuplicateError(Exception):
def __init__(self, type, file, line, symbol):
self.type = type
self.file = file
self.line = line
self.symbol = symbol
def __str__(self):
typeS = self.type
if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
return "Duplicate Error: Duplicate %s '%s' on line %d of %s." % (typeS, self.symbol, self.line, self.file)
class UndefinedError(Exception):
def __init__(self, type, file, line, symbol):
self.type = type
self.file = file
self.line = line
self.symbol = symbol
def __str__(self):
typeS = self.type
if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
return "Undefined Error: %s '%s' is not defined but used on line %d of %s." % (typeS, self.symbol, self.line, self.file)
class UnusedError(Exception):
def __init__(self, info):
self.info = info
def __str__(self):
return "Unused Error: %s" % self.info
class Flask:
'''
FLASK container class with utilities for parsing definition
files and creating c header files.
'''
#Constants used in definitions parsing.
WHITE = re.compile(r'^\s*$')
COMMENT = re.compile(r'^\s*#')
USERFLAG = re.compile(r'# userspace')
CLASS = re.compile(r'^class (?P<name>\w+)')
COMMON = re.compile(r'^common (?P<name>\w+)')
INHERITS = re.compile(r'^inherits (?P<name>\w+)')
OPENB = re.compile(r'^{')
VECTOR = re.compile(r'^\s*(?P<name>\w+)')
CLOSEB = re.compile(r'^}')
SID = re.compile(r'^sid (?P<name>\w+)')
EOF = "end of file"
#Constants used in header generation.
USERSPACE = 0
KERNEL = 1
CONSTANT_S = { \
#parsing constants
WHITE : "whitespace", \
COMMENT : "comment", \
USERFLAG : "userspace flag", \
CLASS : "class definition", \
COMMON : "common definition", \
INHERITS : "inherits definition", \
OPENB : "'{'", \
VECTOR : "access vector definition", \
CLOSEB : "'}'", \
SID : "security identifier", \
EOF : "end of file", \
#generation constants
USERSPACE : "userspace mode", \
KERNEL : "kernel mode", \
}
def __init__(self, warn = True):
self.WARN = warn
self.autogen = "/* This file is automatically generated. Do not edit. */\n"
self.commons = []
self.user_commons = []
self.common = {}
self.classes = []
self.vectors = []
self.vector = {}
self.userspace = {}
self.sids = []
self.inherits = {}
def warning(self, msg):
'''
Prints a warning message out to stderr if warnings are enabled.
'''
if self.WARN: sys.stderr.write("Warning: %s\n" % msg)
def parseClasses(self, path):
'''
Parses security class definitions from the given path.
'''
classes = []
input = open(path, 'r')
number = 0
for line in input:
number += 1
m = self.COMMENT.search(line)
if m: continue
m = self.WHITE.search(line)
if m: continue
m = self.CLASS.search(line)
if m:
g = m.groupdict()
c = g['name']
if c in classes: raise DuplicateError, (self.CLASS, path, number, c)
classes.append(c)
if self.USERFLAG.search(line):
self.userspace[c] = True
else:
self.userspace[c] = False
continue
raise ParseError, ("data. Was expecting either a comment, whitespace, or class definition. ", path, number)
self.classes = classes
return classes
def parseSids(self, path):
'''
Parses initial SID definitions from the given path.
'''
sids = []
input = open(path, 'r')
for line in input:
m = self.COMMENT.search(line)
if m: continue
m = self.WHITE.search(line)
if m: continue
m = self.SID.search(line)
if m:
g = m.groupdict()
s = g['name']
if s in sids: raise DuplicateError, (self.SID, path, number, s)
sids.append(s)
continue
raise ParseError, ("data. Was expecting either a comment, whitespace, or security identifier. ", path, number)
self.sids = sids
return sids
def parseVectors(self, path):
'''
Parses access vector definitions from the given path.
'''
vectors = []
vector = {}
commons = []
common = {}
inherits = {}
user_commons = {}
input = open(path, 'r')
# states
NONE = 0
COMMON = 1
CLASS = 2
INHERIT = 3
OPEN = 4
state = NONE
state2 = NONE
number = 0
for line in input:
number += 1
m = self.COMMENT.search(line)
if m: continue
m = self.WHITE.search(line)
if m:
if state == INHERIT:
state = NONE
continue
m = self.COMMON.search(line)
if m:
if state != NONE: raise ParseError, (self.COMMON, path, number)
g = m.groupdict()
c = g['name']
if c in commons: raise DuplicateError, (self.COMMON, path, number, c)
commons.append(c)
common[c] = []
user_commons[c] = True
state = COMMON
continue
m = self.CLASS.search(line)
if m:
if state != NONE: raise ParseError, (self.CLASS, number)
g = m.groupdict()
c = g['name']
if c in vectors: raise DuplicateError, (self.CLASS, path, number, c)
if c not in self.classes: raise UndefinedError, (self.CLASS, path, number, c)
vectors.append(c)
vector[c] = []
state = CLASS
continue
m = self.INHERITS.search(line)
if m:
if state != CLASS: raise ParseError, (self.INHERITS, number)
g = m.groupdict()
i = g['name']
if c in inherits: raise DuplicateError, (self.INHERITS, path, number, c)
if i not in common: raise UndefinedError, (self.COMMON, path, number, i)
inherits[c] = i
state = INHERIT
if not self.userspace[c]: user_commons[i] = False
continue
m = self.OPENB.search(line)
if m:
if (state != CLASS \
and state != INHERIT \
and state != COMMON) \
or state2 != NONE:
raise ParseError, (self.OPENB, path, number)
state2 = OPEN
continue
m = self.VECTOR.search(line)
if m:
if state2 != OPEN: raise ParseError, (self.VECTOR, path, number)
g = m.groupdict()
v = g['name']
if state == CLASS or state == INHERIT:
if v in vector[c]: raise DuplicateError, (self.VECTOR, path, number, v)
vector[c].append(v)
elif state == COMMON:
if v in common[c]: raise DuplicateError, (self.VECTOR, path, number, v)
common[c].append(v)
continue
m = self.CLOSEB.search(line)
if m:
if state2 != OPEN: raise ParseError, (self.CLOSEB, path, number)
state = NONE
state2 = NONE
c = None
continue
raise ParseError, ("data", path, number)
if state != NONE and state2 != NONE: raise ParseError, (self.EOF, path, number)
cvdiff = set(self.classes) - set(vectors)
if cvdiff: raise UnusedError, "Not all security classes were used in access vectors: %s" % cvdiff # the inverse of this will be caught as an undefined class error
self.commons = commons
self.user_commons = user_commons
self.common = common
self.vectors = vectors
self.vector = vector
self.inherits = inherits
return vector
def createHeaders(self, path, mode = USERSPACE):
'''
Creates the C header files in the specified MODE and outputs
them to give PATH.
'''
headers = { \
'av_inherit.h' : self.createAvInheritH(mode), \
'av_perm_to_string.h' : self.createAvPermToStringH(mode), \
'av_permissions.h' : self.createAvPermissionsH(mode), \
'class_to_string.h' : self.createClassToStringH(mode), \
'common_perm_to_string.h' : self.createCommonPermToStringH(mode), \
'flask.h' : self.createFlaskH(mode), \
'initial_sid_to_string.h' : self.createInitialSidToStringH(mode) \
}
for key, value in headers.items():
of = open(os.path.join(path, key), 'w')
of.writelines(value)
of.close()
def createUL(self, count):
fields = [1, 2, 4, 8]
return "0x%08xUL" % (fields[count % 4] << 4 * (count / 4))
def createAvInheritH(self, mode = USERSPACE):
'''
'''
results = []
results.append(self.autogen)
for c in self.vectors:
if self.inherits.has_key(c):
i = self.inherits[c]
count = len(self.common[i])
if not (mode == self.KERNEL and self.userspace[c]):
results.append(" S_(SECCLASS_%s, %s, %s)\n" % (c.upper(), i, self.createUL(count)))
return results
def createAvPermToStringH(self, mode = USERSPACE):
'''
'''
results = []
results.append(self.autogen)
for c in self.vectors:
for p in self.vector[c]:
if not (mode == self.KERNEL and self.userspace[c]):
results.append(" S_(SECCLASS_%s, %s__%s, \"%s\")\n" % (c.upper(), c.upper(), p.upper(), p))
return results
def createAvPermissionsH(self, mode = USERSPACE):
'''
'''
results = []
results.append(self.autogen)
width = 57
count = 0
for common in self.commons:
count = 0
shift = 0
for p in self.common[common]:
if not (mode == self.KERNEL and self.user_commons[common]):
columnA = "#define COMMON_%s__%s " % (common.upper(), p.upper())
columnA += "".join([" " for i in range(width - len(columnA))])
results.append("%s%s\n" % (columnA, self.createUL(count)))
count += 1
width = 50 # broken for old tools whitespace
for c in self.vectors:
count = 0
ps = []
if self.inherits.has_key(c):
ps += self.common[self.inherits[c]]
ps += self.vector[c]
for p in ps:
columnA = "#define %s__%s " % (c.upper(), p.upper())
columnA += "".join([" " for i in range(width - len(columnA))])
if not (mode == self.KERNEL and self.userspace[c]):
results.append("%s%s\n" % (columnA, self.createUL(count)))
count += 1
return results
def createClassToStringH(self, mode = USERSPACE):
'''
'''
results = []
results.append(self.autogen)
results.append("/*\n * Security object class definitions\n */\n")
if mode == self.KERNEL:
results.append(" S_(NULL)\n")
else:
results.append(" S_(\"null\")\n")
for c in self.classes:
if mode == self.KERNEL and self.userspace[c]:
results.append(" S_(NULL)\n")
else:
results.append(" S_(\"%s\")\n" % c)
return results
def createCommonPermToStringH(self, mode = USERSPACE):
'''
'''
results = []
results.append(self.autogen)
for common in self.commons:
if not (mode == self.KERNEL and self.user_commons[common]):
results.append("TB_(common_%s_perm_to_string)\n" % common)
for p in self.common[common]:
results.append(" S_(\"%s\")\n" % p)
results.append("TE_(common_%s_perm_to_string)\n\n" % common)
return results
def createFlaskH(self, mode = USERSPACE):
'''
'''
results = []
results.append(self.autogen)
results.append("#ifndef _SELINUX_FLASK_H_\n")
results.append("#define _SELINUX_FLASK_H_\n")
results.append("\n")
results.append("/*\n")
results.append(" * Security object class definitions\n")
results.append(" */\n")
count = 0
width = 57
for c in self.classes:
count += 1
columnA = "#define SECCLASS_%s " % c.upper()
columnA += "".join([" " for i in range(width - len(columnA))])
if not (mode == self.KERNEL and self.userspace[c]):
results.append("%s%d\n" % (columnA, count))
results.append("\n")
results.append("/*\n")
results.append(" * Security identifier indices for initial entities\n")
results.append(" */\n")
count = 0
width = 56 # broken for old tools whitespace
for s in self.sids:
count += 1
columnA = "#define SECINITSID_%s " % s.upper()
columnA += "".join([" " for i in range(width - len(columnA))])
results.append("%s%d\n" % (columnA, count))
results.append("\n")
columnA = "#define SECINITSID_NUM "
columnA += "".join([" " for i in range(width - len(columnA))])
results.append("%s%d\n" % (columnA, count))
results.append("\n")
results.append("#endif\n")
return results
def createInitialSidToStringH(self, mode = USERSPACE):
'''
'''
results = []
results.append(self.autogen)
results.append("static char *initial_sid_to_string[] =\n")
results.append("{\n")
results.append(" \"null\",\n")
for s in self.sids:
results.append(" \"%s\",\n" % s)
results.append("};\n")
results.append("\n")
return results
def usage():
'''
Returns the usage string.
'''
usage = 'Usage: %s -a ACCESS_VECTORS -i INITIAL_SIDS -s SECURITY_CLASSES -o OUTPUT_DIRECTORY -k|-u [-w]\n' % os.path.basename(sys.argv[0])
usage += '\n'
usage += ' -a --access_vectors\taccess vector definitions\n'
usage += ' -i --initial_sids\tinitial sid definitions\n'
usage += ' -s --security_classes\tsecurity class definitions\n'
usage += ' -o --output\toutput directory for generated files\n'
usage += ' -k --kernel\toutput mode set to kernel (kernel headers contain empty blocks for all classes specified with # userspace in the security_classes file)\n'
usage += ' -u --user\toutput mode set to userspace\n'
usage += ' -w --nowarnings\tsupresses output of warning messages\n'
return usage
########## MAIN ##########
if __name__ == '__main__':
# Parse command line args
try:
opts, args = getopt.getopt(sys.argv[1:], 'a:i:s:o:kuwh', ['access_vectors=', 'initial_sids=', 'security_classes=', 'output=', 'kernel', 'user', 'nowarnings', 'help'])
except getopt.GetoptError:
print(usage())
sys.exit(2)
avec = None
isid = None
secc = None
outd = None
mode = None
warn = True
for o, a in opts:
if o in ('-h', '--help'):
print(usage())
sys.exit(0)
elif o in ('-a', '--access_vectors'):
avec = a
elif o in ('-i', '--initial_sids'):
isid = a
elif o in ('-s', '--security_classes'):
secc = a
elif o in ('-o', '--output'):
outd = a
elif o in ('-k', '--kernel'):
if mode != None:
print(usage())
sys.exit(2)
mode = Flask.KERNEL
elif o in ('-u', '--user'):
if mode != None:
print(usage())
sys.exit(2)
mode = Flask.USERSPACE
elif o in ('-w', '--nowarnings'):
warn = False
else:
print(usage())
sys.exit(2)
if avec == None or \
isid == None or \
secc == None or \
outd == None:
print(usage())
sys.exit(2)
try:
f = Flask(warn)
f.parseSids(isid)
f.parseClasses(secc)
f.parseVectors(avec)
f.createHeaders(outd, mode)
except Exception, e:
print(e)
sys.exit(2)

35
policy/flask/initial_sids
View File

@ -1,35 +0,0 @@
# FLASK
#
# Define initial security identifiers
#
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
# FLASK

128
policy/flask/security_classes
View File

@ -1,128 +0,0 @@
# FLASK
#
# Define the security object classes
#
# Classes marked as userspace are classes
# for userspace object managers
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
#
# userspace object manager classes
#
# passwd/chfn/chsh
class passwd # userspace
# SE-X Windows stuff (more classes below)
class x_drawable # userspace
class x_screen # userspace
class x_gc # userspace
class x_font # userspace
class x_colormap # userspace
class x_property # userspace
class x_selection # userspace
class x_cursor # userspace
class x_client # userspace
class x_device # userspace
class x_server # userspace
class x_extension # userspace
# extended netlink sockets
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket
class dbus # userspace
class nscd # userspace
# IPSec association
class association
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
class appletalk_socket
class packet
# Kernel access key retention
class key
class context # userspace
class dccp_socket
class memprotect
class db_database # userspace
class db_table # userspace
class db_procedure # userspace
class db_column # userspace
class db_tuple # userspace
class db_blob # userspace
# network peer labels
class peer
# Capabilities >= 32
class capability2
# More SE-X Windows stuff
class x_resource # userspace
class x_event # userspace
class x_synthetic_event # userspace
class x_application_data # userspace
# kernel services that need to override task security, e.g. cachefiles
class kernel_service
class tun_socket
# Still More SE-X Windows stuff
class x_pointer # userspace
class x_keyboard # userspace
# FLASK

30
policy/global_booleans
View File

@ -1,30 +0,0 @@
#
# This file is for the declaration of global booleans.
# To change the default value at build time, the booleans.conf
# file should be used.
#
## <desc>
## <p>
## Enabling secure mode disallows programs, such as
## newrole, from transitioning to administrative
## user domains.
## </p>
## </desc>
gen_bool(secure_mode,false)
## <desc>
## <p>
## Disable transitions to insmod.
## </p>
## </desc>
gen_bool(secure_mode_insmod,false)
## <desc>
## <p>
## boolean to determine whether the system permits loading policy, setting
## enforcing mode, and changing boolean values. Set this to true and you
## have to reboot to set it back
## </p>
## </desc>
gen_bool(secure_mode_policyload,false)

112
policy/global_tunables
View File

@ -1,112 +0,0 @@
#
# This file is for the declaration of global tunables.
# To change the default value at build time, the booleans.conf
# file should be used.
#
## <desc>
## <p>
## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execheap,false)
## <desc>
## <p>
## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execmem,false)
## <desc>
## <p>
## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
## </p>
## </desc>
gen_tunable(allow_execmod,false)
## <desc>
## <p>
## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
## </p>
## </desc>
gen_tunable(allow_execstack,false)
## <desc>
## <p>
## Enable polyinstantiated directory support.
## </p>
## </desc>
gen_tunable(allow_polyinstantiation,false)
## <desc>
## <p>
## Allow system to run with NIS
## </p>
## </desc>
gen_tunable(allow_ypbind,false)
## <desc>
## <p>
## Enable reading of urandom for all domains.
## </p>
## <p>
## This should be enabled when all programs
## are compiled with ProPolice/SSP
## stack smashing protection. All domains will
## be allowed to read from /dev/urandom.
## </p>
## </desc>
gen_tunable(global_ssp,false)
## <desc>
## <p>
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_rw,false)
## <desc>
## <p>
## Allow any files/directories to be exported read/only via NFS.
## </p>
## </desc>
gen_tunable(nfs_export_all_ro,false)
## <desc>
## <p>
## Support NFS home directories
## </p>
## </desc>
gen_tunable(use_nfs_home_dirs,false)
## <desc>
## <p>
## Support SAMBA home directories
## </p>
## </desc>
gen_tunable(use_samba_home_dirs,false)
## <desc>
## <p>
## Support fusefs home directories
## </p>
## </desc>
gen_tunable(use_fusefs_home_dirs,false)
## <desc>
## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
## the same domain and outside users) disabling this forces FTP passive mode
## and may change other protocols.
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
## <desc>
## <p>
## Allow direct login to the console device. Required for System 390
## </p>
## </desc>
gen_tunable(allow_console_login,false)

138
policy/mcs
View File

@ -1,138 +0,0 @@
ifdef(`enable_mcs',`
#
# Define sensitivities
#
# MCS is single-sensitivity.
gen_sens(1)
#
# Define the categories
#
# Generate declarations
gen_cats(mcs_num_cats)
#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
gen_levels(1,mcs_num_cats)
#
# Define the MCS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
#
# MCS policy for the file classes
#
# Constrain file access so that the high range of the process dominates
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
# Note:
# - getattr on dirs/files is not constrained.
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
mlsconstrain file { write setattr append unlink link rename }
(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
mlsconstrain dir { search read ioctl lock }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom }
( h1 dom h2 );
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));
mlsconstrain process { ptrace }
(( h1 dom h2) or ( t1 == mcsptraceall ));
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
#
# MCS policy for SELinux-enabled databases
#
# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain { db_tuple } { insert relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
( h1 dom h2 );
mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
( h1 dom h2 );
mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
( h1 dom h2 );
mlsconstrain db_tuple { relabelfrom select update delete use }
( h1 dom h2 );
mlsconstrain db_procedure { drop getattr setattr execute install }
( h1 dom h2 );
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
') dnl end enable_mcs

830
policy/mls
View File

@ -1,830 +0,0 @@
ifdef(`enable_mls',`
#
# Define sensitivities
#
# Domination of sensitivities is in increasin
# numerical order, with s0 being the lowest
gen_sens(mls_num_sens)
#
# Define the categories
#
# Generate declarations
gen_cats(mls_num_cats)
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
# Generate levels from all sensitivities
# with all categories
gen_levels(mls_num_sens,mls_num_cats)
#
# Define the MLS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
#
# MLS policy for the file classes
#
# make sure these file classes are "single level"
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
# new file labels must be dominated by the relabeling subjects clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
# the file "read" ops (note the check is dominance of the low level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
mlsconstrain dir search
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# Directory "write" ops
mlsconstrain dir { add_name remove_name reparent rmdir }
(( l1 eq l2 ) or
(( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# these access vectors have no MLS restrictions
# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
#
# { file chr_file } { execute_no_trans entrypoint execmod }
# the file upgrade/downgrade rule
mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
((( l1 eq l2 ) or
(( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( h1 eq h2 ) or
(( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
# create can also require the upgrade/downgrade checks if the creating process
# has used setfscreate (note that both the high and low level of the object
# default to the process sensitivity level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
((( l1 eq l2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( l1 eq h2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
#
# MLS policy for the filesystem class
#
# new filesystem labels must be dominated by the relabeling subjects clearance
mlsconstrain filesystem relabelto
( h1 dom h2 );
# the filesystem "read" ops (implicit single level)
mlsconstrain filesystem { getattr quotaget }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ));
# all the filesystem "write" ops (implicit single level)
mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ));
# these access vectors have no MLS restrictions
# filesystem { transition associate }
#
# MLS policy for the socket classes
#
# new socket labels must be dominated by the relabeling subjects clearance
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
# the socket "read+write" ops
# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
# require equal levels for unprivileged subjects, or read *and* write overrides)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
(( l1 eq l2 ) or
(((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread )) and
((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ))));
# the socket "read" ops (note the check is dominance of the low level)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# the socket "write" ops
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
# used by netlabel to restrict normal domains to same level connections
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
(( l1 eq l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# UNIX domain socket ops
mlsconstrain unix_stream_socket connectto
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain unix_dgram_socket sendto
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or
( t2 == mlstrustedobject ));
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
#
# { tcp_socket udp_socket rawip_socket } node_bind
#
# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
#
# tcp_socket name_connect
#
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
#
# netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
#
# netlink_kobject_uevent_socket *
#
#
# MLS policy for the ipc classes
#
# the ipc "read" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
mlsconstrain msg receive
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
# the ipc "write" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msgq enqueue
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain shm lock
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msg send
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
# these access vectors have no MLS restrictions
# { ipc sem msgq shm } associate
#
# MLS policy for the fd class
#
# No sharing of open file descriptors between levels unless
# the process type is authorized to use fds created by
# other levels (mlsfduse) or the fd type is authorized to
# shared among levels (mlsfdshare).
mlsconstrain fd use (
l1 eq l2
or t1 == mlsfduse
or t2 == mlsfdshare
);
#
# MLS policy for the network object classes
#
# the netif/node "read" ops (implicit single level socket doing the read)
# (note the check is dominance of the low level)
mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
# the netif/node "write" ops (implicit single level socket doing the write)
mlsconstrain { netif node } { tcp_send udp_send rawip_send }
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
# these access vectors have no MLS restrictions
# node enforce_dest
#
# MLS policy for the network ingress/egress controls
#
# the netif ingress/egress ops, the ingress permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network interface which is acting as the object
mlsconstrain { netif } { ingress }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { netif } { egress }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ));
# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
mlsconstrain { node } { recvfrom }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { node } { sendto }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ));
# the forward ops, the forward_in permission is a "write" operation because the
# subject in this particular case is the remote domain which is writing data
# to the network with a secmark label, the object in this case
mlsconstrain { packet } { forward_in }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { packet } { forward_out }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ) or
( t1 == unlabeled_t ));
#
# MLS policy for the secmark and peer controls
#
# the peer/packet recv op
mlsconstrain { peer packet } { recv }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
#
# MLS policy for the process class
#
# new process labels must be dominated by the relabeling subjects clearance
# and sensitivity level changes require privilege
mlsconstrain process transition
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
(( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
mlsconstrain process dyntransition
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
# all the process "read" ops
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(( l1 dom l2 ) or
(( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsprocread ));
# all the process "write" ops (note the check is equality on the low level)
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
(( l1 eq l2 ) or
(( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsprocwrite ));
# these access vectors have no MLS restrictions
# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap }
#
# MLS policy for the security class
#
# these access vectors have no MLS restrictions
# security *
#
# MLS policy for the system class
#
# these access vectors have no MLS restrictions
# system *
#
# MLS policy for the capability class
#
# these access vectors have no MLS restrictions
# capability *
#
# MLS policy for the passwd class
#
# these access vectors have no MLS restrictions
# passwd *
#
# MLS policy for the x_drawable class
#
# the x_drawable "read" ops (implicit single level)
mlsconstrain x_drawable { read blend getattr list_child list_property get_property receive }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_drawable "write" ops (implicit single level)
mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
# No MLS restrictions: x_drawable { show hide override }
#
# MLS policy for the x_gc class
#
# the x_gc "read" ops (implicit single level)
mlsconstrain x_gc { getattr use }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_gc "write" ops (implicit single level)
mlsconstrain x_gc { create destroy setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_font class
#
# the x_font "read" ops (implicit single level)
mlsconstrain x_font { use }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_font "write" ops (implicit single level)
mlsconstrain x_font { create destroy add_glyph remove_glyph }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
# these access vectors have no MLS restrictions
# font use
#
# MLS policy for the x_colormap class
#
# the x_colormap "read" ops (implicit single level)
mlsconstrain x_colormap { read getattr use }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinreadcolormap ) or
( t1 == mlsxwinread ));
# the x_colormap "write" ops (implicit single level)
mlsconstrain x_colormap { create destroy write add_color remove_color install uninstall }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwritecolormap ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_property class
#
# the x_property "read" ops (implicit single level)
mlsconstrain x_property { read getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinreadproperty ) or
( t1 == mlsxwinread ));
# the x_property "write" ops (implicit single level)
mlsconstrain x_property { create destroy write append setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwriteproperty ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_selection class
#
# the x_selection "read" ops (implicit single level)
mlsconstrain x_selection { read getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinreadselection ) or
( t1 == mlsxwinread ));
# the x_selection "write" ops (implicit single level)
mlsconstrain x_selection { write setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwriteselection ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_cursor class
#
# the x_cursor "read" ops (implicit single level)
mlsconstrain x_cursor { read getattr use }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_cursor "write" ops (implicit single level)
mlsconstrain x_cursor { create destroy write setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_client class
#
# the x_client "read" ops (implicit single level)
mlsconstrain x_client { getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_client "write" ops (implicit single level)
mlsconstrain x_client { destroy setattr manage }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_device class
#
# the x_device "read" ops (implicit single level)
mlsconstrain x_device { getattr use read getfocus grab }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_device "write" ops (implicit single level)
mlsconstrain x_device { setattr write setfocus bell force_cursor freeze manage }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwritexinput ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_server class
#
# these access vectors have no MLS restrictions
# x_server *
#
# MLS policy for the x_extension class
#
# these access vectors have no MLS restrictions
# x_extension { query use }
#
# MLS policy for the x_resource class
#
# the x_resource "read" ops (implicit single level)
mlsconstrain x_resource { read }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_resource "write" ops (implicit single level)
mlsconstrain x_resource { write }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwritexinput ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_event class
#
# the x_event "read" ops (implicit single level)
mlsconstrain x_event { receive }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_event "write" ops (implicit single level)
mlsconstrain x_event { send }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwritexinput ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the x_application_data class
#
# the x_application_data "paste" ops
mlsconstrain x_application_data { paste }
( l1 domby l2 );
# the x_application_data "paste_after_confirm" ops
mlsconstrain x_application_data { paste_after_confirm }
( l1 dom l2 );
#
# MLS policy for the dbus class
#
mlsconstrain dbus { send_msg }
(( l1 eq l2 ) or
( t1 == mlsdbussend ) or
( t2 == mlsdbusrecv ));
# these access vectors have no MLS restrictions
# dbus { acquire_svc }
#
# MLS policy for the nscd class
#
# these access vectors have no MLS restrictions
# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
#
# MLS policy for the association class
#
mlsconstrain association { recvfrom }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ) or
( t2 == unlabeled_t ));
mlsconstrain association { sendto }
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
( t2 == unlabeled_t ));
mlsconstrain association { polmatch }
(( l1 dom l2 ) and ( h1 domby h2 ));
#
# MLS policy for the context class
#
mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate ));
mlsconstrain context contains
( h1 dom h2 );
#
# MLS policy for database classes
#
# make sure these database classes are "single level"
mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
( l2 eq h2 );
mlsconstrain { db_tuple } { insert relabelto }
( l2 eq h2 );
# new database labels must be dominated by the relabeling subjects clearance
mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto }
( h1 dom h2 );
# the database "read" ops (note the check is dominance of the low level)
mlsconstrain { db_database } { getattr access get_param }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_table } { getattr use select lock }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_column } { getattr use select }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_procedure } { getattr execute install }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_blob } { getattr read export }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_tuple } { use select }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_column } { create drop setattr relabelfrom update insert }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_procedure } { create drop setattr relabelfrom }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_blob } { create drop setattr relabelfrom write import }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_tuple } { relabelfrom update insert delete }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
# the database upgrade/downgrade rule
mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob }
((( l1 eq l2 ) or
(( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
(( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
(( l1 eq h2 ) or
(( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
(( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
(( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
') dnl end enable_mls

9
policy/modules/admin/acct.fc
View File

@ -1,9 +0,0 @@
/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)

80
policy/modules/admin/acct.if
View File

@ -1,80 +0,0 @@
## <summary>Berkeley process accounting</summary>
########################################
## <summary>
## Transition to the accounting management domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`acct_domtrans',`
gen_require(`
type acct_t, acct_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, acct_exec_t, acct_t)
')
########################################
## <summary>
## Execute accounting management tools in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`acct_exec',`
gen_require(`
type acct_exec_t;
')
corecmd_search_bin($1)
can_exec($1, acct_exec_t)
')
########################################
## <summary>
## Execute accounting management data in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: this is added for logrotate, and does
# not make sense to me.
interface(`acct_exec_data',`
gen_require(`
type acct_data_t;
')
files_search_var($1)
can_exec($1, acct_data_t)
')
########################################
## <summary>
## Create, read, write, and delete process accounting data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`acct_manage_data',`
gen_require(`
type acct_data_t;
')
files_search_var($1)
manage_files_pattern($1, acct_data_t, acct_data_t)
manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
')

89
policy/modules/admin/acct.te
View File

@ -1,89 +0,0 @@
policy_module(acct, 1.4.1)
########################################
#
# Declarations
#
type acct_t;
type acct_exec_t;
init_system_domain(acct_t, acct_exec_t)
type acct_data_t;
logging_log_file(acct_data_t)
########################################
#
# Local Policy
#
# gzip needs chown capability for some reason
allow acct_t self:capability { sys_pacct chown fsetid };
# not sure why we need kill, the command "last" is reported as using it
dontaudit acct_t self:capability { kill sys_tty_config };
allow acct_t self:fifo_file rw_fifo_file_perms;
allow acct_t self:process signal_perms;
manage_files_pattern(acct_t, acct_data_t, acct_data_t)
manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
can_exec(acct_t, acct_exec_t)
kernel_list_proc(acct_t)
kernel_read_system_state(acct_t)
kernel_read_kernel_sysctls(acct_t)
dev_read_sysfs(acct_t)
# for SSP
dev_read_urand(acct_t)
fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)
term_dontaudit_use_console(acct_t)
term_dontaudit_use_generic_ptys(acct_t)
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
domain_use_interactive_fds(acct_t)
files_read_etc_files(acct_t)
files_read_etc_runtime_files(acct_t)
files_list_usr(acct_t)
# for nscd
files_dontaudit_search_pids(acct_t)
init_use_fds(acct_t)
init_use_script_ptys(acct_t)
init_exec_script_files(acct_t)
logging_send_syslog_msg(acct_t)
miscfiles_read_localization(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
userdom_dontaudit_search_user_home_dirs(acct_t)
optional_policy(`
optional_policy(`
# for monthly cron job
auth_log_filetrans_login_records(acct_t)
auth_manage_login_records(acct_t)
')
cron_system_entry(acct_t, acct_exec_t)
')
optional_policy(`
nscd_socket_use(acct_t)
')
optional_policy(`
seutil_sigchld_newrole(acct_t)
')
optional_policy(`
udev_read_db(acct_t)
')

18
policy/modules/admin/alsa.fc
View File

@ -1,18 +0,0 @@
HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)

170
policy/modules/admin/alsa.if
View File

@ -1,170 +0,0 @@
## <summary>Ainit ALSA configuration tool.</summary>
########################################
## <summary>
## Execute a domain transition to run Alsa.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`alsa_domtrans',`
gen_require(`
type alsa_t, alsa_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, alsa_exec_t, alsa_t)
')
########################################
## <summary>
## Execute a domain transition to run
## Alsa, and allow the specified role
## the Alsa domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`alsa_run',`
gen_require(`
type alsa_t;
')
alsa_domtrans($1)
role $2 types alsa_t;
')
########################################
## <summary>
## Read and write Alsa semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_rw_semaphores',`
gen_require(`
type alsa_t;
')
allow $1 alsa_t:sem rw_sem_perms;
')
########################################
## <summary>
## Read and write Alsa shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_rw_shared_mem',`
gen_require(`
type alsa_t;
')
allow $1 alsa_t:shm rw_shm_perms;
')
########################################
## <summary>
## Read writable Alsa config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_read_rw_config',`
gen_require(`
type alsa_etc_rw_t;
')
files_search_etc($1)
allow $1 alsa_etc_rw_t:dir list_dir_perms;
read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
ifdef(`distro_debian',`
files_search_usr($1)
')
')
########################################
## <summary>
## Manage writable Alsa config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_manage_rw_config',`
gen_require(`
type alsa_etc_rw_t;
')
files_search_etc($1)
allow $1 alsa_etc_rw_t:dir list_dir_perms;
manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
ifdef(`distro_debian',`
files_search_usr($1)
')
')
########################################
## <summary>
## Read Alsa home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_read_home_files',`
gen_require(`
type alsa_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file read_file_perms;
')
########################################
## <summary>
## Read Alsa lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_read_lib',`
gen_require(`
type alsa_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')

76
policy/modules/admin/alsa.te
View File

@ -1,76 +0,0 @@
policy_module(alsa, 1.9.2)
########################################
#
# Declarations
#
type alsa_t;
type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role system_r types alsa_t;
type alsa_etc_rw_t;
files_type(alsa_etc_rw_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
########################################
#
# Local policy
#
allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
dontaudit alsa_t self:capability sys_admin;
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
allow alsa_t alsa_home_t:file read_file_perms;
manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
can_exec(alsa_t, alsa_exec_t)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
files_search_var_lib(alsa_t)
kernel_read_system_state(alsa_t)
dev_read_sound(alsa_t)
dev_write_sound(alsa_t)
dev_read_sysfs(alsa_t)
corecmd_exec_bin(alsa_t)
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)
term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)
auth_use_nsswitch(alsa_t)
init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
miscfiles_read_localization(alsa_t)
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
optional_policy(`
hal_use_fds(alsa_t)
hal_write_log(alsa_t)
')

26
policy/modules/admin/amanda.fc
View File

@ -1,26 +0,0 @@
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
# empty m4 string so the index macro is not invoked
/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
# the null string in here because index is a m4 builtin function
/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0)
/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)

161
policy/modules/admin/amanda.if
View File

@ -1,161 +0,0 @@
## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
########################################
## <summary>
## Execute a domain transition to run
## Amanda recover.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`amanda_domtrans_recover',`
gen_require(`
type amanda_recover_t, amanda_recover_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
')
########################################
## <summary>
## Execute a domain transition to run
## Amanda recover, and allow the specified
## role the Amanda recover domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`amanda_run_recover',`
gen_require(`
type amanda_recover_t;
')
amanda_domtrans_recover($1)
role $2 types amanda_recover_t;
')
########################################
## <summary>
## Search Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_search_lib',`
gen_require(`
type amanda_usr_lib_t;
')
files_search_usr($1)
allow $1 amanda_usr_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to read /etc/dumpdates.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`amanda_dontaudit_read_dumpdates',`
gen_require(`
type amanda_dumpdates_t;
')
dontaudit $1 amanda_dumpdates_t:file { getattr read };
')
########################################
## <summary>
## Read and write /etc/dumpdates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_rw_dumpdates_files',`
gen_require(`
type amanda_dumpdates_t;
')
files_search_etc($1)
allow $1 amanda_dumpdates_t:file rw_file_perms;
')
########################################
## <summary>
## Search Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_manage_lib',`
gen_require(`
type amanda_usr_lib_t;
')
files_search_usr($1)
allow $1 amanda_usr_lib_t:dir manage_dir_perms;
')
########################################
## <summary>
## Read and append amanda logs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_append_log_files',`
gen_require(`
type amanda_log_t;
')
logging_search_logs($1)
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
')
#######################################
## <summary>
## Search Amanda var library directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_search_var_lib',`
gen_require(`
type amanda_var_lib_t;
')
files_search_var_lib($1)
allow $1 amanda_var_lib_t:dir search_dir_perms;
')

211
policy/modules/admin/amanda.te
View File

@ -1,211 +0,0 @@
policy_module(amanda, 1.12.1)
#######################################
#
# Declarations
#
type amanda_t;
type amanda_inetd_exec_t;
inetd_service_domain(amanda_t, amanda_inetd_exec_t)
role system_r types amanda_t;
type amanda_exec_t;
domain_entry_file(amanda_t, amanda_exec_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
type amanda_config_t;
files_type(amanda_config_t)
type amanda_usr_lib_t;
files_type(amanda_usr_lib_t)
type amanda_var_lib_t;
files_type(amanda_var_lib_t)
type amanda_gnutarlists_t;
files_type(amanda_gnutarlists_t)
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
type amanda_amandates_t;
files_type(amanda_amandates_t)
type amanda_dumpdates_t;
files_type(amanda_dumpdates_t)
type amanda_data_t;
files_type(amanda_data_t)
type amanda_recover_t;
type amanda_recover_exec_t;
application_domain(amanda_recover_t, amanda_recover_exec_t)
role system_r types amanda_recover_t;
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)
optional_policy(`
prelink_object_file(amanda_usr_lib_t)
')
########################################
#
# Amanda local policy
#
allow amanda_t self:capability { chown dac_override setuid kill };
allow amanda_t self:process { setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
allow amanda_t self:udp_socket create_socket_perms;
allow amanda_t amanda_amandates_t:file rw_file_perms;
allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
can_exec(amanda_t, amanda_exec_t)
can_exec(amanda_t, amanda_inetd_exec_t)
allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
logging_log_filetrans(amanda_t, amanda_log_t, { file dir })
manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
kernel_read_system_state(amanda_t)
kernel_read_kernel_sysctls(amanda_t)
kernel_dontaudit_getattr_unlabeled_files(amanda_t)
kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
corenet_all_recvfrom_unlabeled(amanda_t)
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_udp_sendrecv_generic_if(amanda_t)
corenet_raw_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
corenet_udp_sendrecv_generic_node(amanda_t)
corenet_raw_sendrecv_generic_node(amanda_t)
corenet_tcp_sendrecv_all_ports(amanda_t)
corenet_udp_sendrecv_all_ports(amanda_t)
corenet_tcp_bind_generic_node(amanda_t)
corenet_udp_bind_generic_node(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
files_read_etc_files(amanda_t)
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
files_read_all_files(amanda_t)
files_read_all_symlinks(amanda_t)
files_read_all_blk_files(amanda_t)
files_read_all_chr_files(amanda_t)
files_getattr_all_pipes(amanda_t)
files_getattr_all_sockets(amanda_t)
fs_getattr_xattr_fs(amanda_t)
fs_list_all(amanda_t)
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
logging_send_syslog_msg(amanda_t)
########################################
#
# Amanda recover local policy
#
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
allow amanda_recover_t self:udp_socket create_socket_perms;
manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
kernel_read_system_state(amanda_recover_t)
kernel_read_kernel_sysctls(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
corenet_all_recvfrom_unlabeled(amanda_recover_t)
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
corenet_tcp_sendrecv_generic_node(amanda_recover_t)
corenet_udp_sendrecv_generic_node(amanda_recover_t)
corenet_tcp_sendrecv_all_ports(amanda_recover_t)
corenet_udp_sendrecv_all_ports(amanda_recover_t)
corenet_tcp_bind_generic_node(amanda_recover_t)
corenet_udp_bind_generic_node(amanda_recover_t)
corenet_tcp_bind_reserved_port(amanda_recover_t)
corenet_tcp_connect_amanda_port(amanda_recover_t)
corenet_sendrecv_amanda_client_packets(amanda_recover_t)
domain_use_interactive_fds(amanda_recover_t)
files_read_etc_files(amanda_recover_t)
files_read_etc_runtime_files(amanda_recover_t)
files_search_tmp(amanda_recover_t)
files_search_pids(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
fstools_domtrans(amanda_t)
fstools_signal(amanda_t)
logging_search_logs(amanda_recover_t)
miscfiles_read_localization(amanda_recover_t)
userdom_use_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)

1
policy/modules/admin/amtu.fc
View File

@ -1 +0,0 @@
/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)

46
policy/modules/admin/amtu.if
View File

@ -1,46 +0,0 @@
## <summary>Abstract Machine Test Utility.</summary>
########################################
## <summary>
## Execute a domain transition to run Amtu.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`amtu_domtrans',`
gen_require(`
type amtu_t, amtu_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, amtu_exec_t, amtu_t)
')
########################################
## <summary>
## Execute a domain transition to run
## Amtu, and allow the specified role
## the Amtu domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`amtu_run',`
gen_require(`
type amtu_t;
')
amtu_domtrans($1)
role $2 types amtu_t;
')

34
policy/modules/admin/amtu.te
View File

@ -1,34 +0,0 @@
policy_module(amtu, 1.2.0)
########################################
#
# Declarations
#
type amtu_t;
type amtu_exec_t;
domain_type(amtu_t)
domain_entry_file(amtu_t, amtu_exec_t)
########################################
#
# amtu local policy
#
kernel_read_system_state(amtu_t)
files_manage_boot_files(amtu_t)
files_read_etc_runtime_files(amtu_t)
files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
userdom_use_user_terminals(amtu_t)
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
')
optional_policy(`
seutil_use_newrole_fds(amtu_t)
')

1
policy/modules/admin/anaconda.fc
View File

@ -1 +0,0 @@
# No file context specifications.

1
policy/modules/admin/anaconda.if
View File

@ -1 +0,0 @@
## <summary>Anaconda installer.</summary>

60
policy/modules/admin/anaconda.te
View File

@ -1,60 +0,0 @@
policy_module(anaconda, 1.5.1)
########################################
#
# Declarations
#
type anaconda_t;
type anaconda_exec_t;
domain_type(anaconda_t)
domain_obj_id_change_exemption(anaconda_t)
role system_r types anaconda_t;
########################################
#
# Local policy
#
allow anaconda_t self:process execmem;
kernel_domtrans_to(anaconda_t, anaconda_exec_t)
init_domtrans_script(anaconda_t)
libs_domtrans_ldconfig(anaconda_t)
logging_send_syslog_msg(anaconda_t)
modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
seutil_domtrans_setsebool(anaconda_t)
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
kudzu_domtrans(anaconda_t)
')
optional_policy(`
rpm_domtrans(anaconda_t)
rpm_domtrans_script(anaconda_t)
')
optional_policy(`
ssh_domtrans_keygen(anaconda_t)
')
optional_policy(`
udev_domtrans(anaconda_t)
')
optional_policy(`
unconfined_domain_noaudit(anaconda_t)
')
optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
')

21
policy/modules/admin/apt.fc
View File

@ -1,21 +0,0 @@
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
# apt-shell is redhat specific
/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
# other package managers
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
# package cache repository
/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
# aptitude lock
/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
# aptitude log
/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
# dpkg terminal log
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)

225
policy/modules/admin/apt.if
View File

@ -1,225 +0,0 @@
## <summary>APT advanced package tool.</summary>
########################################
## <summary>
## Execute apt programs in the apt domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`apt_domtrans',`
gen_require(`
type apt_t, apt_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, apt_exec_t, apt_t)
')
########################################
## <summary>
## Execute apt programs in the apt domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the apt domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`apt_run',`
gen_require(`
type apt_t;
')
apt_domtrans($1)
role $2 types apt_t;
# TODO: likely have to add dpkg_run here.
')
########################################
## <summary>
## Inherit and use file descriptors from apt.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_use_fds',`
gen_require(`
type apt_t;
')
allow $1 apt_t:fd use;
# TODO: enforce dpkg_use_fd?
')
########################################
## <summary>
## Do not audit attempts to use file descriptors from apt.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apt_dontaudit_use_fds',`
gen_require(`
type apt_t;
')
dontaudit $1 apt_t:fd use;
')
########################################
## <summary>
## Read from an unnamed apt pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_read_pipes',`
gen_require(`
type apt_t;
')
allow $1 apt_t:fifo_file read_fifo_file_perms;
# TODO: enforce dpkg_read_pipes?
')
########################################
## <summary>
## Read and write an unnamed apt pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_rw_pipes',`
gen_require(`
type apt_t;
')
allow $1 apt_t:fifo_file rw_file_perms;
# TODO: enforce dpkg_rw_pipes?
')
########################################
## <summary>
## Read from and write to apt ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_use_ptys',`
gen_require(`
type apt_devpts_t;
')
allow $1 apt_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Read the apt package cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_read_cache',`
gen_require(`
type apt_var_cache_t;
')
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
dontaudit $1 apt_var_cache_t:dir write;
allow $1 apt_var_cache_t:file read_file_perms;
')
########################################
## <summary>
## Read the apt package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_read_db',`
gen_require(`
type apt_var_lib_t;
')
files_search_var_lib($1)
allow $1 apt_var_lib_t:dir list_dir_perms;
read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete the apt package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_manage_db',`
gen_require(`
type apt_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
# cjp: shouldnt this be manage_lnk_files?
rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete the apt package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apt_dontaudit_manage_db',`
gen_require(`
type apt_var_lib_t;
')
dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
dontaudit $1 apt_var_lib_t:file manage_file_perms;
dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
')

162
policy/modules/admin/apt.te
View File

@ -1,162 +0,0 @@
policy_module(apt, 1.6.0)
########################################
#
# Declarations
#
type apt_t;
type apt_exec_t;
init_system_domain(apt_t, apt_exec_t)
domain_system_change_exemption(apt_t)
role system_r types apt_t;
# pseudo terminal for running dpkg
type apt_devpts_t;
term_pty(apt_devpts_t)
# aptitude lock file
type apt_lock_t;
files_lock_file(apt_lock_t)
type apt_tmp_t;
files_tmp_file(apt_tmp_t)
type apt_tmpfs_t;
files_tmpfs_file(apt_tmpfs_t)
# package cache
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
# status files
type apt_var_lib_t alias var_lib_apt_t;
files_type(apt_var_lib_t)
# aptitude log file
type apt_var_log_t;
logging_log_file(apt_var_log_t)
########################################
#
# apt Local policy
#
allow apt_t self:capability { chown dac_override fowner fsetid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
allow apt_t self:unix_dgram_socket create_socket_perms;
allow apt_t self:unix_stream_socket rw_stream_socket_perms;
allow apt_t self:unix_dgram_socket sendto;
allow apt_t self:unix_stream_socket connectto;
allow apt_t self:udp_socket { connect create_socket_perms };
allow apt_t self:tcp_socket create_stream_socket_perms;
allow apt_t self:shm create_shm_perms;
allow apt_t self:sem create_sem_perms;
allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
# Run update
allow apt_t self:netlink_route_socket r_netlink_socket_perms;
# lock files
allow apt_t apt_lock_t:dir manage_dir_perms;
allow apt_t apt_lock_t:file manage_file_perms;
files_lock_filetrans(apt_t, apt_lock_t, {dir file})
manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Access /var/cache/apt files
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
# Access /var/lib/apt files
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
# log files
allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
# to launch dpkg-preconfigure
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
corenet_all_recvfrom_unlabeled(apt_t)
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_udp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
corenet_udp_sendrecv_generic_node(apt_t)
corenet_tcp_sendrecv_all_ports(apt_t)
corenet_udp_sendrecv_all_ports(apt_t)
# TODO: really allow all these?
corenet_tcp_bind_generic_node(apt_t)
corenet_udp_bind_generic_node(apt_t)
corenet_tcp_connect_all_ports(apt_t)
corenet_sendrecv_all_client_packets(apt_t)
dev_read_urand(apt_t)
domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
miscfiles_read_localization(apt_t)
seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
userdom_use_user_terminals(apt_t)
# with boolean, for cron-apt and such?
#optional_policy(`
# cron_system_entry(apt_t,apt_exec_t)
#')
optional_policy(`
# dpkg interaction
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
dpkg_lock_db(apt_t)
')
optional_policy(`
nis_use_ypbind(apt_t)
')
optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
optional_policy(`
unconfined_domain(apt_t)
')

13
policy/modules/admin/backup.fc
View File

@ -1,13 +0,0 @@
# backup
# label programs that do backups to other files on disk (IE a cron job that
# calls tar) in backup_exec_t and label the directory for storing them as
# backup_store_t, Debian uses /var/backups
#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0)
ifdef(`distro_debian',`
/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
')
/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)

45
policy/modules/admin/backup.if
View File

@ -1,45 +0,0 @@
## <summary>System backup scripts</summary>
########################################
## <summary>
## Execute backup in the backup domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`backup_domtrans',`
gen_require(`
type backup_t, backup_exec_t;
')
domtrans_pattern($1, backup_exec_t, backup_t)
')
########################################
## <summary>
## Execute backup in the backup domain, and
## allow the specified role the backup domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`backup_run',`
gen_require(`
type backup_t;
')
backup_domtrans($1)
role $2 types backup_t;
')

85
policy/modules/admin/backup.te
View File

@ -1,85 +0,0 @@
policy_module(backup, 1.5.0)
########################################
#
# Declarations
#
type backup_t;
type backup_exec_t;
domain_type(backup_t)
domain_entry_file(backup_t, backup_exec_t)
role system_r types backup_t;
type backup_store_t;
files_type(backup_store_t)
########################################
#
# Local policy
#
allow backup_t self:capability dac_override;
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
allow backup_t self:udp_socket create_socket_perms;
allow backup_t backup_store_t:file setattr;
manage_files_pattern(backup_t, backup_store_t, backup_store_t)
rw_files_pattern(backup_t, backup_store_t, backup_store_t)
read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
kernel_read_system_state(backup_t)
kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)
corenet_all_recvfrom_unlabeled(backup_t)
corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_udp_sendrecv_generic_if(backup_t)
corenet_raw_sendrecv_generic_if(backup_t)
corenet_tcp_sendrecv_generic_node(backup_t)
corenet_udp_sendrecv_generic_node(backup_t)
corenet_raw_sendrecv_generic_node(backup_t)
corenet_tcp_sendrecv_all_ports(backup_t)
corenet_udp_sendrecv_all_ports(backup_t)
corenet_tcp_connect_all_ports(backup_t)
corenet_sendrecv_all_client_packets(backup_t)
dev_getattr_all_blk_files(backup_t)
dev_getattr_all_chr_files(backup_t)
# for SSP
dev_read_urand(backup_t)
domain_use_interactive_fds(backup_t)
files_read_all_files(backup_t)
files_read_all_symlinks(backup_t)
files_getattr_all_pipes(backup_t)
files_getattr_all_sockets(backup_t)
fs_getattr_xattr_fs(backup_t)
fs_list_all(backup_t)
auth_read_shadow(backup_t)
logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
userdom_use_user_terminals(backup_t)
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
')
optional_policy(`
hostname_exec(backup_t)
')
optional_policy(`
nis_use_ypbind(backup_t)
')

9
policy/modules/admin/bootloader.fc
View File

@ -1,9 +0,0 @@
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)

129
policy/modules/admin/bootloader.if
View File

@ -1,129 +0,0 @@
## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
########################################
## <summary>
## Execute bootloader in the bootloader domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`bootloader_domtrans',`
gen_require(`
type bootloader_t, bootloader_exec_t;
')
domtrans_pattern($1, bootloader_exec_t, bootloader_t)
')
########################################
## <summary>
## Execute bootloader interactively and do
## a domain transition to the bootloader domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`bootloader_run',`
gen_require(`
type bootloader_t;
')
bootloader_domtrans($1)
role $2 types bootloader_t;
ifdef(`distro_redhat',`
# for mke2fs
mount_run(bootloader_t, $2)
')
')
########################################
## <summary>
## Read the bootloader configuration file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bootloader_read_config',`
gen_require(`
type bootloader_etc_t;
')
allow $1 bootloader_etc_t:file read_file_perms;
')
########################################
## <summary>
## Read and write the bootloader
## configuration file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`bootloader_rw_config',`
gen_require(`
type bootloader_etc_t;
')
allow $1 bootloader_etc_t:file rw_file_perms;
')
########################################
## <summary>
## Read and write the bootloader
## temporary data in /tmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bootloader_rw_tmp_files',`
gen_require(`
type bootloader_tmp_t;
')
# FIXME: read tmp_t dir
allow $1 bootloader_tmp_t:file rw_file_perms;
')
########################################
## <summary>
## Read and write the bootloader
## temporary data in /tmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bootloader_create_runtime_file',`
gen_require(`
type boot_runtime_t;
')
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1, boot_runtime_t, file)
')

215
policy/modules/admin/bootloader.te
View File

@ -1,215 +0,0 @@
policy_module(bootloader, 1.11.0)
########################################
#
# Declarations
#
#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
# only for Red Hat
#
type boot_runtime_t;
files_type(boot_runtime_t)
type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
role system_r types bootloader_t;
#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
#
type bootloader_etc_t alias etc_bootloader_t;
files_type(bootloader_etc_t)
#
# The temp file is used for initrd creation;
# it consists of files and device nodes
#
type bootloader_tmp_t;
files_tmp_file(bootloader_tmp_t)
dev_node(bootloader_tmp_t)
#
# /var/log/ksyms
# cjp: this probably can be removed, I do not
# think it is used on 2.6 kernels
type var_log_ksyms_t;
logging_log_file(var_log_ksyms_t)
########################################
#
# bootloader local policy
#
allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
allow bootloader_t bootloader_etc_t:file read_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_lnk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
kernel_getattr_core_if(bootloader_t)
kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)
storage_raw_read_fixed_disk(bootloader_t)
storage_raw_write_fixed_disk(bootloader_t)
storage_raw_read_removable_device(bootloader_t)
storage_raw_write_removable_device(bootloader_t)
dev_getattr_all_chr_files(bootloader_t)
dev_getattr_all_blk_files(bootloader_t)
dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
dev_read_sysfs(bootloader_t)
# needed on some hardware
dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for ia64
fs_manage_dos_files(bootloader_t)
mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
files_exec_etc_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
files_read_kernel_modules(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
init_rw_script_pipes(bootloader_t)
libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)
logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
modutils_domtrans_insmod_uncond(bootloader_t)
seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
userdom_use_user_terminals(bootloader_t)
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
fs_list_tmpfs(bootloader_t)
files_relabel_kernel_modules(bootloader_t)
files_relabelfrom_boot_files(bootloader_t)
files_delete_kernel_modules(bootloader_t)
files_relabelto_usr_files(bootloader_t)
files_search_var_lib(bootloader_t)
# for /usr/share/initrd-tools/scripts
files_exec_usr_files(bootloader_t)
fstools_manage_entry_files(bootloader_t)
fstools_relabelto_entry_files(bootloader_t)
libs_relabelto_lib_files(bootloader_t)
')
ifdef(`distro_redhat',`
# for memlock
allow bootloader_t self:capability ipc_lock;
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
# new file system defaults to file_t, granting file_t access is still bad.
files_manage_isid_type_dirs(bootloader_t)
files_manage_isid_type_files(bootloader_t)
files_manage_isid_type_symlinks(bootloader_t)
files_manage_isid_type_blk_files(bootloader_t)
files_manage_isid_type_chr_files(bootloader_t)
# for mke2fs
mount_domtrans(bootloader_t)
optional_policy(`
unconfined_domain(bootloader_t)
')
')
optional_policy(`
fstools_exec(bootloader_t)
')
optional_policy(`
hal_dontaudit_append_lib_files(bootloader_t)
hal_write_log(bootloader_t)
')
optional_policy(`
kudzu_domtrans(bootloader_t)
')
optional_policy(`
dev_rw_lvm_control(bootloader_t)
lvm_domtrans(bootloader_t)
lvm_read_config(bootloader_t)
')
optional_policy(`
modutils_exec_insmod(bootloader_t)
modutils_read_module_deps(bootloader_t)
modutils_read_module_config(bootloader_t)
modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
modutils_exec_update_mods(bootloader_t)
')
optional_policy(`
nscd_socket_use(bootloader_t)
')
optional_policy(`
rpm_rw_pipes(bootloader_t)
')

1
policy/modules/admin/brctl.fc
View File

@ -1 +0,0 @@
/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)

38
policy/modules/admin/brctl.if
View File

@ -1,38 +0,0 @@
## <summary>Utilities for configuring the linux ethernet bridge</summary>
########################################
## <summary>
## Execute a domain transition to run brctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`brctl_domtrans',`
gen_require(`
type brctl_t, brctl_exec_t;
')
domtrans_pattern($1, brctl_exec_t, brctl_t)
')
#####################################
## <summary>
## Execute brctl in the brctl domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`brctl_run',`
gen_require(`
type brctl_t, brctl_exec_t;
')
brctl_domtrans($1)
role $2 types brctl_t;
')

45
policy/modules/admin/brctl.te
View File

@ -1,45 +0,0 @@
policy_module(brctl, 1.5.0)
########################################
#
# Declarations
#
type brctl_t;
type brctl_exec_t;
domain_type(brctl_t)
init_system_domain(brctl_t, brctl_exec_t)
########################################
#
# brctl local policy
#
allow brctl_t self:capability net_admin;
allow brctl_t self:fifo_file rw_file_perms;
allow brctl_t self:unix_stream_socket create_stream_socket_perms;
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
kernel_request_load_module(brctl_t)
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
corenet_rw_tun_tap_dev(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)
# Init script handling
domain_use_interactive_fds(brctl_t)
files_read_etc_files(brctl_t)
term_dontaudit_use_console(brctl_t)
miscfiles_read_localization(brctl_t)
optional_policy(`
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
')

1
policy/modules/admin/certwatch.fc
View File

@ -1 +0,0 @@
/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0)

78
policy/modules/admin/certwatch.if
View File

@ -1,78 +0,0 @@
## <summary>Digital Certificate Tracking</summary>
########################################
## <summary>
## Domain transition to certwatch.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`certwatch_domtrans',`
gen_require(`
type certwatch_exec_t, certwatch_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, certwatch_exec_t, certwatch_t)
')
########################################
## <summary>
## Execute certwatch in the certwatch domain, and
## allow the specified role the certwatch domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`certwatch_run',`
gen_require(`
type certwatch_t;
')
certwatch_domtrans($1)
role $2 types certwatch_t;
')
########################################
## <summary>
## Execute certwatch in the certwatch domain, and
## allow the specified role the certwatch domain,
## and use the caller's terminal. Has a sigchld
## backchannel. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the certwatch domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`certwatach_run',`
refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.')
certwatch_run($*)
')

53
policy/modules/admin/certwatch.te
View File

@ -1,53 +0,0 @@
policy_module(certwatch, 1.5.2)
########################################
#
# Declarations
#
type certwatch_t;
type certwatch_exec_t;
application_domain(certwatch_t, certwatch_exec_t)
role system_r types certwatch_t;
########################################
#
# Local policy
#
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
dev_read_urand(certwatch_t)
files_read_etc_files(certwatch_t)
files_read_usr_files(certwatch_t)
files_read_usr_symlinks(certwatch_t)
files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
auth_var_filetrans_cache(certwatch_t)
logging_send_syslog_msg(certwatch_t)
miscfiles_read_generic_certs(certwatch_t)
miscfiles_read_localization(certwatch_t)
userdom_use_user_terminals(certwatch_t)
userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
optional_policy(`
cron_system_entry(certwatch_t, certwatch_exec_t)
')
optional_policy(`
pcscd_domtrans(certwatch_t)
pcscd_stream_connect(certwatch_t)
pcscd_read_pub_files(certwatch_t)
')

2
policy/modules/admin/consoletype.fc
View File

@ -1,2 +0,0 @@
/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)

71
policy/modules/admin/consoletype.if
View File

@ -1,71 +0,0 @@
## <summary>
## Determine of the console connected to the controlling terminal.
## </summary>
########################################
## <summary>
## Execute consoletype in the consoletype domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`consoletype_domtrans',`
gen_require(`
type consoletype_t, consoletype_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, consoletype_exec_t, consoletype_t)
ifdef(`hide_broken_symptoms', `
dontaudit consoletype_t $1:socket_class_set { read write };
')
')
########################################
## <summary>
## Execute consoletype in the consoletype domain, and
## allow the specified role the consoletype domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`consoletype_run',`
gen_require(`
type consoletype_t;
')
consoletype_domtrans($1)
role $2 types consoletype_t;
')
########################################
## <summary>
## Execute consoletype in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`consoletype_exec',`
gen_require(`
type consoletype_exec_t;
')
corecmd_search_bin($1)
can_exec($1, consoletype_exec_t)
')

118
policy/modules/admin/consoletype.te
View File

@ -1,118 +0,0 @@
policy_module(consoletype, 1.9.1)
########################################
#
# Declarations
#
type consoletype_t;
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
init_domain(consoletype_t, consoletype_exec_t)
init_system_domain(consoletype_t, consoletype_exec_t)
role system_r types consoletype_t;
########################################
#
# Local declarations
#
allow consoletype_t self:capability { sys_admin sys_tty_config };
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file rw_fifo_file_perms;
allow consoletype_t self:sock_file read_sock_file_perms;
allow consoletype_t self:unix_dgram_socket create_socket_perms;
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
allow consoletype_t self:unix_dgram_socket sendto;
allow consoletype_t self:unix_stream_socket connectto;
allow consoletype_t self:shm create_shm_perms;
allow consoletype_t self:sem create_sem_perms;
allow consoletype_t self:msgq create_msgq_perms;
allow consoletype_t self:msg { send receive };
kernel_use_fds(consoletype_t)
kernel_dontaudit_read_system_state(consoletype_t)
fs_getattr_all_fs(consoletype_t)
fs_search_auto_mountpoints(consoletype_t)
fs_write_nfs_files(consoletype_t)
fs_list_inotifyfs(consoletype_t)
mls_file_read_all_levels(consoletype_t)
mls_file_write_all_levels(consoletype_t)
term_use_all_terms(consoletype_t)
init_use_fds(consoletype_t)
init_use_script_ptys(consoletype_t)
init_use_script_fds(consoletype_t)
init_rw_script_pipes(consoletype_t)
domain_use_interactive_fds(consoletype_t)
files_dontaudit_read_root_files(consoletype_t)
files_list_usr(consoletype_t)
userdom_use_user_terminals(consoletype_t)
ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(consoletype_t)
')
optional_policy(`
apm_use_fds(consoletype_t)
apm_write_pipes(consoletype_t)
')
optional_policy(`
auth_read_pam_pid(consoletype_t)
')
optional_policy(`
cron_read_pipes(consoletype_t)
cron_use_system_job_fds(consoletype_t)
')
optional_policy(`
files_read_etc_files(consoletype_t)
firstboot_use_fds(consoletype_t)
firstboot_rw_pipes(consoletype_t)
')
optional_policy(`
hal_dontaudit_leaks(consoletype_t)
')
optional_policy(`
hotplug_dontaudit_use_fds(consoletype_t)
')
optional_policy(`
logrotate_dontaudit_use_fds(consoletype_t)
')
optional_policy(`
lpd_read_config(consoletype_t)
')
optional_policy(`
nis_use_ypbind(consoletype_t)
')
optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(consoletype_t)
')
optional_policy(`
userdom_use_unpriv_users_fds(consoletype_t)
')
optional_policy(`
kernel_read_xen_state(consoletype_t)
kernel_write_xen_state(consoletype_t)
xen_append_log(consoletype_t)
xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
xen_dontaudit_use_fds(consoletype_t)
')

4
policy/modules/admin/ddcprobe.fc
View File

@ -1,4 +0,0 @@
#
# /usr
#
/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)

45
policy/modules/admin/ddcprobe.if
View File

@ -1,45 +0,0 @@
## <summary>ddcprobe retrieves monitor and graphics card information</summary>
########################################
## <summary>
## Execute ddcprobe in the ddcprobe domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ddcprobe_domtrans',`
gen_require(`
type ddcprobe_t, ddcprobe_exec_t;
')
domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
')
########################################
## <summary>
## Execute ddcprobe in the ddcprobe domain, and
## allow the specified role the ddcprobe domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role to be authenticated for ddcprobe domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`ddcprobe_run',`
gen_require(`
type ddcprobe_t;
')
ddcprobe_domtrans($1)
role $2 types ddcprobe_t;
')

51
policy/modules/admin/ddcprobe.te
View File

@ -1,51 +0,0 @@
policy_module(ddcprobe, 1.2.0)
########################################
#
# Declarations
#
type ddcprobe_t;
type ddcprobe_exec_t;
application_domain(ddcprobe_t, ddcprobe_exec_t)
role system_r types ddcprobe_t;
########################################
#
# Local policy
#
allow ddcprobe_t self:capability { sys_rawio sys_admin };
allow ddcprobe_t self:process execmem;
kernel_read_system_state(ddcprobe_t)
kernel_read_kernel_sysctls(ddcprobe_t)
kernel_change_ring_buffer_level(ddcprobe_t)
files_search_kernel_modules(ddcprobe_t)
corecmd_list_bin(ddcprobe_t)
corecmd_exec_bin(ddcprobe_t)
dev_read_urand(ddcprobe_t)
dev_read_raw_memory(ddcprobe_t)
dev_wx_raw_memory(ddcprobe_t)
files_read_etc_files(ddcprobe_t)
files_read_etc_runtime_files(ddcprobe_t)
files_read_usr_files(ddcprobe_t)
term_use_all_ttys(ddcprobe_t)
term_use_all_ptys(ddcprobe_t)
libs_read_lib_files(ddcprobe_t)
miscfiles_read_localization(ddcprobe_t)
modutils_read_module_deps(ddcprobe_t)
userdom_use_user_terminals(ddcprobe_t)
userdom_use_all_users_fds(ddcprobe_t)
#reh why? this does not seem even necessary to function properly
kudzu_getattr_exec_files(ddcprobe_t)

2
policy/modules/admin/dmesg.fc
View File

@ -1,2 +0,0 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)

40
policy/modules/admin/dmesg.if
View File

@ -1,40 +0,0 @@
## <summary>Policy for dmesg.</summary>
########################################
## <summary>
## Execute dmesg in the dmesg domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dmesg_domtrans',`
gen_require(`
type dmesg_t, dmesg_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dmesg_exec_t, dmesg_t)
')
########################################
## <summary>
## Execute dmesg in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dmesg_exec',`
gen_require(`
type dmesg_exec_t;
')
corecmd_search_bin($1)
can_exec($1, dmesg_exec_t)
')

64
policy/modules/admin/dmesg.te
View File

@ -1,64 +0,0 @@
policy_module(dmesg, 1.3.0)
########################################
#
# Declarations
#
type dmesg_t;
type dmesg_exec_t;
init_system_domain(dmesg_t, dmesg_exec_t)
########################################
#
# Local policy
#
allow dmesg_t self:capability sys_admin;
dontaudit dmesg_t self:capability sys_tty_config;
allow dmesg_t self:process signal_perms;
kernel_read_kernel_sysctls(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)
kernel_list_proc(dmesg_t)
kernel_read_proc_symlinks(dmesg_t)
dev_read_sysfs(dmesg_t)
fs_search_auto_mountpoints(dmesg_t)
term_dontaudit_use_console(dmesg_t)
domain_use_interactive_fds(dmesg_t)
files_list_etc(dmesg_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(dmesg_t)
init_use_fds(dmesg_t)
init_use_script_ptys(dmesg_t)
logging_send_syslog_msg(dmesg_t)
logging_write_generic_logs(dmesg_t)
miscfiles_read_localization(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
userdom_use_user_terminals(dmesg_t)
optional_policy(`
abrt_cache_append(dmesg_t)
abrt_rw_fifo_file(dmesg_t)
abrt_manage_pid_files(dmesg_t)
')
optional_policy(`
seutil_sigchld_newrole(dmesg_t)
')
optional_policy(`
udev_read_db(dmesg_t)
')

4
policy/modules/admin/dmidecode.fc
View File

@ -1,4 +0,0 @@
/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)

50
policy/modules/admin/dmidecode.if
View File

@ -1,50 +0,0 @@
## <summary>Decode DMI data for x86/ia64 bioses.</summary>
########################################
## <summary>
## Execute dmidecode in the dmidecode domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dmidecode_domtrans',`
gen_require(`
type dmidecode_t, dmidecode_exec_t;
')
domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)
allow $1 dmidecode_t:fd use;
allow dmidecode_t $1:fd use;
allow dmidecode_t $1:fifo_file rw_file_perms;
allow dmidecode_t $1:process sigchld;
')
########################################
## <summary>
## Execute dmidecode in the dmidecode domain, and
## allow the specified role the dmidecode domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dmidecode_run',`
gen_require(`
type dmidecode_t;
')
dmidecode_domtrans($1)
role $2 types dmidecode_t;
')

30
policy/modules/admin/dmidecode.te
View File

@ -1,30 +0,0 @@
policy_module(dmidecode, 1.4.0)
########################################
#
# Declarations
#
type dmidecode_t;
type dmidecode_exec_t;
application_domain(dmidecode_t, dmidecode_exec_t)
role system_r types dmidecode_t;
########################################
#
# Local policy
#
allow dmidecode_t self:capability sys_rawio;
dev_read_sysfs(dmidecode_t)
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
mls_file_read_all_levels(dmidecode_t)
files_list_usr(dmidecode_t)
locallogin_use_fds(dmidecode_t)
userdom_use_user_terminals(dmidecode_t)

12
policy/modules/admin/dpkg.fc
View File

@ -1,12 +0,0 @@
# Debian package manager
/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
# not sure if dselect should be in apt instead?
/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
# lockfile is treated specially, since used by apt, too
/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)

226
policy/modules/admin/dpkg.if
View File

@ -1,226 +0,0 @@
## <summary>Policy for the Debian package manager.</summary>
# TODO: need debconf policy
# TODO: need install-menu policy
########################################
## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dpkg_domtrans',`
gen_require(`
type dpkg_t, dpkg_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, dpkg_exec_t, dpkg_t)
')
########################################
## <summary>
## Execute dpkg_script programs in the dpkg_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dpkg_domtrans_script',`
gen_require(`
type dpkg_script_t;
')
# transition to dpkg script:
corecmd_shell_domtrans($1, dpkg_script_t)
allow dpkg_script_t $1:fd use;
allow dpkg_script_t $1:fifo_file rw_file_perms;
allow dpkg_script_t $1:process sigchld;
')
########################################
## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the dpkg domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`dpkg_run',`
gen_require(`
type dpkg_t, dpkg_script_t;
')
dpkg_domtrans($1)
role $2 types dpkg_t;
role $2 types dpkg_script_t;
seutil_run_loadpolicy(dpkg_script_t, $2)
')
########################################
## <summary>
## Inherit and use file descriptors from dpkg.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_use_fds',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fd use;
')
########################################
## <summary>
## Read from an unnamed dpkg pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_read_pipes',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write an unnamed dpkg pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_rw_pipes',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Inherit and use file descriptors from dpkg scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_use_script_fds',`
gen_require(`
type dpkg_script_t;
')
allow $1 dpkg_script_t:fd use;
')
########################################
## <summary>
## Read the dpkg package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_read_db',`
gen_require(`
type dpkg_var_lib_t;
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete the dpkg package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_manage_db',`
gen_require(`
type dpkg_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete the dpkg package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dpkg_dontaudit_manage_db',`
gen_require(`
type dpkg_var_lib_t;
')
dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
')
########################################
## <summary>
## Lock the dpkg package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_lock_db',`
gen_require(`
type dpkg_lock_t, dpkg_var_lib_t;
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
')

338
policy/modules/admin/dpkg.te
View File

@ -1,338 +0,0 @@
policy_module(dpkg, 1.7.0)
########################################
#
# Declarations
#
type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
init_system_domain(dpkg_t, dpkg_exec_t)
# dpkg can change file labels, roles, IO
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
role system_r types dpkg_t;
# lockfile
type dpkg_lock_t;
files_type(dpkg_lock_t)
type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)
type dpkg_tmpfs_t;
files_tmpfs_file(dpkg_tmpfs_t)
# status files
type dpkg_var_lib_t alias var_lib_dpkg_t;
files_type(dpkg_var_lib_t)
# package scripts
type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
role system_r types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)
########################################
#
# dpkg Local policy
#
allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connectto;
allow dpkg_t self:udp_socket { connect create_socket_perms };
allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Access /var/lib/dpkg files
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)
corecmd_exec_all_executables(dpkg_t)
# TODO: do we really need all networking?
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
corenet_raw_sendrecv_generic_if(dpkg_t)
corenet_udp_sendrecv_generic_if(dpkg_t)
corenet_tcp_sendrecv_generic_node(dpkg_t)
corenet_raw_sendrecv_generic_node(dpkg_t)
corenet_udp_sendrecv_generic_node(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)
corenet_sendrecv_all_client_packets(dpkg_t)
dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
dev_read_urand(dpkg_t)
#devices_manage_all_device_types(dpkg_t)
domain_read_all_domains_state(dpkg_t)
domain_getattr_all_domains(dpkg_t)
domain_dontaudit_ptrace_all_domains(dpkg_t)
domain_use_interactive_fds(dpkg_t)
domain_dontaudit_getattr_all_pipes(dpkg_t)
domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
fs_manage_nfs_dirs(dpkg_t)
fs_manage_nfs_files(dpkg_t)
fs_manage_nfs_symlinks(dpkg_t)
fs_getattr_all_fs(dpkg_t)
fs_search_auto_mountpoints(dpkg_t)
mls_file_read_all_levels(dpkg_t)
mls_file_write_all_levels(dpkg_t)
mls_file_upgrade(dpkg_t)
selinux_get_fs_mount(dpkg_t)
selinux_validate_context(dpkg_t)
selinux_compute_access_vector(dpkg_t)
selinux_compute_create_context(dpkg_t)
selinux_compute_relabel_context(dpkg_t)
selinux_compute_user_contexts(dpkg_t)
storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)
auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)
files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
init_use_script_ptys(dpkg_t)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
libs_domtrans_ldconfig(dpkg_t)
logging_send_syslog_msg(dpkg_t)
# allow compiling and loading new policy
seutil_manage_src_policy(dpkg_t)
seutil_manage_bin_policy(dpkg_t)
sysnet_read_config(dpkg_t)
userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
optional_policy(`
apt_use_ptys(dpkg_t)
')
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
#')
optional_policy(`
nis_use_ypbind(dpkg_t)
')
optional_policy(`
unconfined_domain(dpkg_t)
')
# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t)
domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
modutils_domtrans_depmod(dpkg_t)
modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`
mta_send_mail(dpkg_t)
')
optional_policy(`
usermanage_domtrans_groupadd(dpkg_t)
usermanage_domtrans_useradd(dpkg_t)
')
########################################
#
# dpkg-script Local policy
#
# TODO: actually use dpkg_script_t
allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_script_t self:unix_dgram_socket sendto;
allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };
allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)
corecmd_exec_all_executables(dpkg_script_t)
dev_list_sysfs(dpkg_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(dpkg_script_t)
dev_manage_generic_chr_files(dpkg_script_t)
dev_manage_all_blk_files(dpkg_script_t)
dev_manage_all_chr_files(dpkg_script_t)
domain_read_all_domains_state(dpkg_script_t)
domain_getattr_all_domains(dpkg_script_t)
domain_dontaudit_ptrace_all_domains(dpkg_script_t)
domain_use_interactive_fds(dpkg_script_t)
domain_signal_all_domains(dpkg_script_t)
domain_signull_all_domains(dpkg_script_t)
files_exec_etc_files(dpkg_script_t)
files_read_etc_runtime_files(dpkg_script_t)
files_exec_usr_files(dpkg_script_t)
fs_manage_nfs_files(dpkg_script_t)
fs_getattr_nfs(dpkg_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(dpkg_script_t)
fs_mount_xattr_fs(dpkg_script_t)
fs_unmount_xattr_fs(dpkg_script_t)
fs_search_auto_mountpoints(dpkg_script_t)
mls_file_read_all_levels(dpkg_script_t)
mls_file_write_all_levels(dpkg_script_t)
selinux_get_fs_mount(dpkg_script_t)
selinux_validate_context(dpkg_script_t)
selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)
storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)
term_use_all_terms(dpkg_script_t)
auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
libs_domtrans_ldconfig(dpkg_script_t)
logging_send_syslog_msg(dpkg_script_t)
miscfiles_read_localization(dpkg_script_t)
modutils_domtrans_depmod(dpkg_script_t)
modutils_domtrans_insmod(dpkg_script_t)
seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_setfiles(dpkg_script_t)
userdom_use_all_users_fds(dpkg_script_t)
tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem;
')
optional_policy(`
apt_rw_pipes(dpkg_script_t)
apt_use_fds(dpkg_script_t)
')
optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
optional_policy(`
mta_send_mail(dpkg_script_t)
')
optional_policy(`
nis_use_ypbind(dpkg_script_t)
')
optional_policy(`
unconfined_domain(dpkg_script_t)
')
optional_policy(`
usermanage_domtrans_groupadd(dpkg_script_t)
usermanage_domtrans_useradd(dpkg_script_t)
')

3
policy/modules/admin/firstboot.fc
View File

@ -1,3 +0,0 @@
/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)

157
policy/modules/admin/firstboot.if
View File

@ -1,157 +0,0 @@
## <summary>
## Final system configuration run during the first boot
## after installation of Red Hat/Fedora systems.
## </summary>
########################################
## <summary>
## Execute firstboot in the firstboot domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`firstboot_domtrans',`
gen_require(`
type firstboot_t, firstboot_exec_t;
')
domtrans_pattern($1, firstboot_exec_t, firstboot_t)
')
########################################
## <summary>
## Execute firstboot in the firstboot domain, and
## allow the specified role the firstboot domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`firstboot_run',`
gen_require(`
type firstboot_t;
')
firstboot_domtrans($1)
role $2 types firstboot_t;
')
########################################
## <summary>
## Inherit and use a file descriptor from firstboot.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`firstboot_use_fds',`
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit a
## file descriptor from firstboot.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`firstboot_dontaudit_use_fds',`
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:fd use;
')
########################################
## <summary>
## Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`firstboot_write_pipes',`
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fifo_file write;
')
########################################
## <summary>
## Read and Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`firstboot_rw_pipes',`
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fifo_file { read write };
')
########################################
## <summary>
## Do not audit attemps to read and write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`firstboot_dontaudit_rw_pipes',`
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:fifo_file { read write };
')
########################################
## <summary>
## Do not audit attemps to read and write to a firstboot
## unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`firstboot_dontaudit_rw_stream_sockets',`
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:unix_stream_socket { read write };
')

140
policy/modules/admin/firstboot.te
View File

@ -1,140 +0,0 @@
policy_module(firstboot, 1.11.2)
gen_require(`
class passwd rootok;
')
########################################
#
# Declarations
#
type firstboot_t;
type firstboot_exec_t;
init_system_domain(firstboot_t, firstboot_exec_t)
domain_obj_id_change_exemption(firstboot_t)
domain_subj_id_change_exemption(firstboot_t)
role system_r types firstboot_t;
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
########################################
#
# Local policy
#
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
allow firstboot_t self:tcp_socket create_stream_socket_perms;
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t self:passwd rootok;
allow firstboot_t firstboot_etc_t:file read_file_perms;
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
corenet_all_recvfrom_unlabeled(firstboot_t)
corenet_all_recvfrom_netlabel(firstboot_t)
corenet_tcp_sendrecv_generic_if(firstboot_t)
corenet_tcp_sendrecv_generic_node(firstboot_t)
corenet_tcp_sendrecv_all_ports(firstboot_t)
dev_read_urand(firstboot_t)
selinux_get_fs_mount(firstboot_t)
selinux_validate_context(firstboot_t)
selinux_compute_access_vector(firstboot_t)
selinux_compute_create_context(firstboot_t)
selinux_compute_relabel_context(firstboot_t)
selinux_compute_user_contexts(firstboot_t)
auth_dontaudit_getattr_shadow(firstboot_t)
corecmd_exec_all_executables(firstboot_t)
files_exec_etc_files(firstboot_t)
files_manage_etc_files(firstboot_t)
files_manage_etc_runtime_files(firstboot_t)
files_read_usr_files(firstboot_t)
files_manage_var_dirs(firstboot_t)
files_manage_var_files(firstboot_t)
files_manage_var_symlinks(firstboot_t)
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
libs_exec_ld_so(firstboot_t)
libs_exec_lib_files(firstboot_t)
locallogin_use_fds(firstboot_t)
logging_send_syslog_msg(firstboot_t)
miscfiles_read_localization(firstboot_t)
modutils_domtrans_insmod(firstboot_t)
modutils_domtrans_depmod(firstboot_t)
modutils_read_module_config(firstboot_t)
modutils_read_module_deps(firstboot_t)
userdom_use_user_terminals(firstboot_t)
# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
userdom_manage_user_home_content_symlinks(firstboot_t)
userdom_manage_user_home_content_pipes(firstboot_t)
userdom_manage_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_user_home_dir(firstboot_t)
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
consoletype_domtrans(firstboot_t)
')
optional_policy(`
dbus_system_bus_client(firstboot_t)
optional_policy(`
hal_dbus_chat(firstboot_t)
')
')
optional_policy(`
iptables_domtrans(firstboot_t)
')
optional_policy(`
nis_use_ypbind(firstboot_t)
')
optional_policy(`
samba_rw_config(firstboot_t)
')
optional_policy(`
unconfined_domtrans(firstboot_t)
# The big hammer
unconfined_domain(firstboot_t)
')
optional_policy(`
usermanage_domtrans_chfn(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t)
usermanage_domtrans_passwd(firstboot_t)
usermanage_domtrans_useradd(firstboot_t)
usermanage_domtrans_admin_passwd(firstboot_t)
')
optional_policy(`
gnome_admin_home_gconf_filetrans(firstboot_t, dir)
gnome_manage_config(firstboot_t)
')
optional_policy(`
xserver_domtrans(firstboot_t)
xserver_rw_shm(firstboot_t)
xserver_unconfined(firstboot_t)
')

6
policy/modules/admin/kismet.fc
View File

@ -1,6 +0,0 @@
HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)

247
policy/modules/admin/kismet.if
View File

@ -1,247 +0,0 @@
## <summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
########################################
## <summary>
## Execute a domain transition to run kismet.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kismet_domtrans',`
gen_require(`
type kismet_t, kismet_exec_t;
')
domtrans_pattern($1, kismet_exec_t, kismet_t)
allow kismet_t $1:process signull;
')
########################################
## <summary>
## Execute kismet in the kismet domain, and
## allow the specified role the kismet domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`kismet_run',`
gen_require(`
type kismet_t;
')
kismet_domtrans($1)
role $2 types kismet_t;
')
########################################
## <summary>
## Read kismet PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_read_pid_files',`
gen_require(`
type kismet_var_run_t;
')
allow $1 kismet_var_run_t:file read_file_perms;
files_search_pids($1)
')
########################################
## <summary>
## Manage kismet var_run files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_manage_pid_files',`
gen_require(`
type kismet_var_run_t;
')
allow $1 kismet_var_run_t:file manage_file_perms;
files_search_pids($1)
')
########################################
## <summary>
## Search kismet lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_search_lib',`
gen_require(`
type kismet_var_lib_t;
')
allow $1 kismet_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read kismet lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_read_lib_files',`
gen_require(`
type kismet_var_lib_t;
')
allow $1 kismet_var_lib_t:file read_file_perms;
allow $1 kismet_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Create, read, write, and delete
## kismet lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_manage_lib_files',`
gen_require(`
type kismet_var_lib_t;
')
manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Manage kismet var_lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_manage_lib',`
gen_require(`
type kismet_var_lib_t;
')
manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
')
########################################
## <summary>
## Allow the specified domain to read kismet's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kismet_read_log',`
gen_require(`
type kismet_log_t;
')
logging_search_logs($1)
read_files_pattern($1, kismet_log_t, kismet_log_t)
')
########################################
## <summary>
## Allow the specified domain to append
## kismet log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_append_log',`
gen_require(`
type kismet_log_t;
')
logging_search_logs($1)
append_files_pattern($1, kismet_log_t, kismet_log_t)
')
########################################
## <summary>
## Allow domain to manage kismet log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_manage_log',`
gen_require(`
type kismet_log_t;
')
manage_dirs_pattern($1, kismet_log_t, kismet_log_t)
manage_files_pattern($1, kismet_log_t, kismet_log_t)
manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t)
logging_search_logs($1)
')
########################################
## <summary>
## All of the rules required to administrate an kismet environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kismet_admin',`
gen_require(`
type kismet_t;
')
ps_process_pattern($1, kismet_t)
allow $1 kismet_t:process { ptrace signal_perms };
kismet_manage_pid_files($1)
kismet_manage_lib($1)
kismet_manage_log($1)
')

101
policy/modules/admin/kismet.te
View File

@ -1,101 +0,0 @@
policy_module(kismet, 1.5.1)
########################################
#
# Declarations
#
type kismet_t;
type kismet_exec_t;
application_domain(kismet_t, kismet_exec_t)
role system_r types kismet_t;
type kismet_home_t;
userdom_user_home_content(kismet_home_t)
type kismet_log_t;
logging_log_file(kismet_log_t)
type kismet_tmp_t;
files_tmp_file(kismet_tmp_t)
type kismet_tmpfs_t;
files_tmp_file(kismet_tmpfs_t)
type kismet_var_lib_t;
files_type(kismet_var_lib_t)
type kismet_var_run_t;
files_pid_file(kismet_var_run_t)
########################################
#
# kismet local policy
#
allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
allow kismet_t self:unix_stream_socket create_stream_socket_perms;
allow kismet_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
userdom_search_user_home_dirs(kismet_t)
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
allow kismet_t kismet_log_t:dir setattr;
logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
allow kismet_t kismet_var_lib_t:file manage_file_perms;
allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
allow kismet_t kismet_var_run_t:file manage_file_perms;
allow kismet_t kismet_var_run_t:dir manage_dir_perms;
files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
kernel_search_debugfs(kismet_t)
kernel_read_system_state(kismet_t)
kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
corenet_all_recvfrom_unlabeled(kismet_t)
corenet_all_recvfrom_netlabel(kismet_t)
corenet_tcp_sendrecv_generic_if(kismet_t)
corenet_tcp_sendrecv_generic_node(kismet_t)
corenet_tcp_sendrecv_all_ports(kismet_t)
corenet_tcp_bind_generic_node(kismet_t)
corenet_tcp_bind_kismet_port(kismet_t)
corenet_tcp_connect_kismet_port(kismet_t)
corenet_tcp_connect_pulseaudio_port(kismet_t)
auth_use_nsswitch(kismet_t)
files_read_etc_files(kismet_t)
files_read_usr_files(kismet_t)
miscfiles_read_localization(kismet_t)
userdom_use_user_terminals(kismet_t)
userdom_read_user_tmpfs_files(kismet_t)
optional_policy(`
dbus_system_bus_client(kismet_t)
networkmanager_dbus_chat(kismet_t)
')

5
policy/modules/admin/kudzu.fc
View File

@ -1,5 +0,0 @@
/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)

64
policy/modules/admin/kudzu.if
View File

@ -1,64 +0,0 @@
## <summary>Hardware detection and configuration tools</summary>
########################################
## <summary>
## Execute kudzu in the kudzu domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kudzu_domtrans',`
gen_require(`
type kudzu_t, kudzu_exec_t;
')
domtrans_pattern($1, kudzu_exec_t, kudzu_t)
')
########################################
## <summary>
## Execute kudzu in the kudzu domain, and
## allow the specified role the kudzu domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kudzu_run',`
gen_require(`
type kudzu_t;
')
kudzu_domtrans($1)
role $2 types kudzu_t;
')
########################################
## <summary>
## Get attributes of kudzu executable.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for ddcprobe
interface(`kudzu_getattr_exec_files',`
gen_require(`
type kudzu_exec_t;
')
allow $1 kudzu_exec_t:file getattr;
')

145
policy/modules/admin/kudzu.te
View File

@ -1,145 +0,0 @@
policy_module(kudzu, 1.8.0)
########################################
#
# Declarations
#
type kudzu_t;
type kudzu_exec_t;
init_system_domain(kudzu_t, kudzu_exec_t)
type kudzu_tmp_t;
files_tmp_file(kudzu_tmp_t)
type kudzu_var_run_t;
files_pid_file(kudzu_var_run_t)
########################################
#
# Local policy
#
allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms;
allow kudzu_t self:udp_socket { create ioctl };
manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
files_pid_filetrans(kudzu_t, kudzu_var_run_t, file)
kernel_change_ring_buffer_level(kudzu_t)
kernel_list_proc(kudzu_t)
kernel_read_device_sysctls(kudzu_t)
kernel_read_kernel_sysctls(kudzu_t)
kernel_read_proc_symlinks(kudzu_t)
kernel_read_network_state(kudzu_t)
kernel_read_system_state(kudzu_t)
kernel_rw_hotplug_sysctls(kudzu_t)
kernel_rw_kernel_sysctl(kudzu_t)
files_read_kernel_modules(kudzu_t)
dev_list_sysfs(kudzu_t)
dev_read_usbfs(kudzu_t)
dev_read_sysfs(kudzu_t)
dev_rx_raw_memory(kudzu_t)
dev_wx_raw_memory(kudzu_t)
dev_rw_mouse(kudzu_t)
dev_rwx_zero(kudzu_t)
fs_search_auto_mountpoints(kudzu_t)
fs_search_ramfs(kudzu_t)
fs_write_ramfs_sockets(kudzu_t)
mls_file_read_all_levels(kudzu_t)
mls_file_write_all_levels(kudzu_t)
storage_read_scsi_generic(kudzu_t)
storage_read_tape(kudzu_t)
storage_raw_write_fixed_disk(kudzu_t)
storage_raw_write_removable_device(kudzu_t)
storage_raw_read_fixed_disk(kudzu_t)
storage_raw_read_removable_device(kudzu_t)
term_dontaudit_use_console(kudzu_t)
# so it can write messages to the console
term_use_unallocated_ttys(kudzu_t)
corecmd_exec_all_executables(kudzu_t)
domain_use_interactive_fds(kudzu_t)
files_search_var(kudzu_t)
files_search_locks(kudzu_t)
files_manage_etc_files(kudzu_t)
files_manage_etc_runtime_files(kudzu_t)
files_etc_filetrans_etc_runtime(kudzu_t, file)
files_manage_mnt_files(kudzu_t)
files_manage_mnt_symlinks(kudzu_t)
files_dontaudit_search_src(kudzu_t)
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
files_read_usr_files(kudzu_t)
# for /etc/sysconfig/hwconf - probably need a new type
files_rw_etc_runtime_files(kudzu_t)
# for file systems that are not yet mounted
files_dontaudit_search_isid_type_dirs(kudzu_t)
init_use_fds(kudzu_t)
init_use_script_ptys(kudzu_t)
init_stream_connect_script(kudzu_t)
init_read_state(kudzu_t)
init_ptrace(kudzu_t)
# kudzu will telinit to make init re-read
# the inittab after configuring serial consoles
init_telinit(kudzu_t)
# Read /usr/lib/gconv/gconv-modules.*
libs_read_lib_files(kudzu_t)
logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
miscfiles_read_localization(kudzu_t)
modutils_read_module_config(kudzu_t)
modutils_read_module_deps(kudzu_t)
modutils_rename_module_config(kudzu_t)
modutils_delete_module_config(kudzu_t)
modutils_domtrans_insmod(kudzu_t)
sysnet_read_config(kudzu_t)
userdom_use_user_terminals(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
optional_policy(`
gpm_getattr_gpmctl(kudzu_t)
')
optional_policy(`
nscd_socket_use(kudzu_t)
')
optional_policy(`
seutil_sigchld_newrole(kudzu_t)
')
optional_policy(`
udev_read_db(kudzu_t)
')
optional_policy(`
unconfined_domtrans(kudzu_t)
unconfined_domain(kudzu_t)
')

9
policy/modules/admin/logrotate.fc
View File

@ -1,9 +0,0 @@
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
ifdef(`distro_debian', `
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
', `
/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
')

118
policy/modules/admin/logrotate.if
View File

@ -1,118 +0,0 @@
## <summary>Rotate and archive system logs</summary>
########################################
## <summary>
## Execute logrotate in the logrotate domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`logrotate_domtrans',`
gen_require(`
type logrotate_t, logrotate_exec_t;
')
domtrans_pattern($1, logrotate_exec_t, logrotate_t)
')
########################################
## <summary>
## Execute logrotate in the logrotate domain, and
## allow the specified role the logrotate domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logrotate_run',`
gen_require(`
type logrotate_t;
')
logrotate_domtrans($1)
role $2 types logrotate_t;
')
########################################
## <summary>
## Execute logrotate in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logrotate_exec',`
gen_require(`
type logrotate_exec_t;
')
can_exec($1, logrotate_exec_t)
')
########################################
## <summary>
## Inherit and use logrotate file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logrotate_use_fds',`
gen_require(`
type logrotate_t;
')
allow $1 logrotate_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit logrotate file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`logrotate_dontaudit_use_fds',`
gen_require(`
type logrotate_t;
')
dontaudit $1 logrotate_t:fd use;
')
########################################
## <summary>
## Read a logrotate temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logrotate_read_tmp_files',`
gen_require(`
type logrotate_tmp_t;
')
files_search_tmp($1)
allow $1 logrotate_tmp_t:file read_file_perms;
')

236
policy/modules/admin/logrotate.te
View File

@ -1,236 +0,0 @@
policy_module(logrotate, 1.13.0)
########################################
#
# Declarations
#
type logrotate_t;
domain_type(logrotate_t)
domain_obj_id_change_exemption(logrotate_t)
domain_system_change_exemption(logrotate_t)
role system_r types logrotate_t;
type logrotate_exec_t;
domain_entry_file(logrotate_t, logrotate_exec_t)
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
type logrotate_tmp_t;
files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
########################################
#
# Local policy
#
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# for mailx
dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
# Set a context other than the default one for newly created files.
allow logrotate_t self:process setfscreate;
allow logrotate_t self:fd use;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
allow logrotate_t self:unix_dgram_socket create_socket_perms;
allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
allow logrotate_t self:unix_dgram_socket sendto;
allow logrotate_t self:unix_stream_socket connectto;
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
can_exec(logrotate_t, logrotate_tmp_t)
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
dev_read_urand(logrotate_t)
fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
mls_file_upgrade(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
# Run helper programs.
corecmd_exec_bin(logrotate_t)
corecmd_exec_shell(logrotate_t)
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
files_read_usr_files(logrotate_t)
files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
files_search_all(logrotate_t)
files_read_var_lib_files(logrotate_t)
# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
userdom_use_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
userdom_dontaudit_list_admin_dir(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
#mta_send_mail(logrotate_t)
mta_base_mail_template(logrotate)
mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
role system_r types logrotate_mail_t;
logging_read_all_logs(logrotate_mail_t)
manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
# for syslogd-listfiles
logging_read_syslog_config(logrotate_t)
# for "test -x /sbin/syslogd"
logging_check_exec_syslog(logrotate_t)
')
optional_policy(`
abrt_cache_manage(logrotate_t)
')
optional_policy(`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
')
optional_policy(`
apache_read_config(logrotate_t)
apache_domtrans(logrotate_t)
apache_signull(logrotate_t)
')
optional_policy(`
asterisk_domtrans(logrotate_t)
')
optional_policy(`
bind_manage_cache(logrotate_t)
')
optional_policy(`
consoletype_exec(logrotate_t)
')
optional_policy(`
cups_domtrans(logrotate_t)
')
optional_policy(`
fail2ban_stream_connect(logrotate_t)
')
optional_policy(`
hostname_exec(logrotate_t)
')
optional_policy(`
icecast_signal(logrotate_t)
')
optional_policy(`
mailman_domtrans(logrotate_t)
mailman_search_data(logrotate_t)
mailman_manage_log(logrotate_t)
')
optional_policy(`
munin_read_config(logrotate_t)
munin_stream_connect(logrotate_t)
munin_search_lib(logrotate_t)
')
optional_policy(`
mysql_read_config(logrotate_t)
mysql_search_db(logrotate_t)
mysql_stream_connect(logrotate_t)
')
optional_policy(`
psad_domtrans(logrotate_t)
')
optional_policy(`
samba_exec_log(logrotate_t)
')
optional_policy(`
sssd_domtrans(logrotate_t)
')
optional_policy(`
slrnpull_manage_spool(logrotate_t)
')
optional_policy(`
squid_domtrans(logrotate_t)
')
optional_policy(`
#Red Hat bug 564565
su_exec(logrotate_t)
')
optional_policy(`
varnishd_manage_log(logrotate_t)
')

11
policy/modules/admin/logwatch.fc
View File

@ -1,11 +0,0 @@
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)

38
policy/modules/admin/logwatch.if
View File

@ -1,38 +0,0 @@
## <summary>System log analyzer and reporter</summary>
########################################
## <summary>
## Read logwatch temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logwatch_read_tmp_files',`
gen_require(`
type logwatch_tmp_t;
')
files_search_tmp($1)
allow $1 logwatch_tmp_t:file read_file_perms;
')
########################################
## <summary>
## Search logwatch cache directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logwatch_search_cache_dir',`
gen_require(`
type logwatch_cache_t;
')
allow $1 logwatch_cache_t:dir search_dir_perms;
')

161
policy/modules/admin/logwatch.te
View File

@ -1,161 +0,0 @@
policy_module(logwatch, 1.11.0)
#################################
#
# Declarations
#
type logwatch_t;
type logwatch_exec_t;
application_domain(logwatch_t, logwatch_exec_t)
role system_r types logwatch_t;
type logwatch_cache_t;
files_type(logwatch_cache_t)
type logwatch_lock_t;
files_lock_file(logwatch_lock_t)
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
type logwatch_var_run_t;
files_pid_file(logwatch_var_run_t)
########################################
#
# Local policy
#
allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
allow logwatch_t logwatch_lock_t:file manage_file_perms;
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
allow logwatch_t logwatch_var_run_t:file manage_file_perms;
files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
kernel_read_net_sysctls(logwatch_t)
kernel_read_network_state(logwatch_t)
corecmd_exec_bin(logwatch_t)
corecmd_exec_shell(logwatch_t)
dev_read_urand(logwatch_t)
dev_read_sysfs(logwatch_t)
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logwatch_t)
files_list_var(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_files(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
files_read_usr_files(logwatch_t)
files_search_spool(logwatch_t)
files_search_mnt(logwatch_t)
files_dontaudit_search_home(logwatch_t)
files_dontaudit_search_boot(logwatch_t)
# Execs df and if file system mounted with a context avc raised
files_dontaudit_search_all_dirs(logwatch_t)
fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
term_dontaudit_getattr_pty_dirs(logwatch_t)
term_dontaudit_list_ptys(logwatch_t)
auth_use_nsswitch(logwatch_t)
auth_dontaudit_read_shadow(logwatch_t)
init_read_utmp(logwatch_t)
init_dontaudit_write_utmp(logwatch_t)
libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
miscfiles_read_localization(logwatch_t)
selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_dns_name_resolve(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
userdom_dontaudit_list_admin_dir(logwatch_t)
#mta_send_mail(logwatch_t)
mta_base_mail_template(logwatch)
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
role system_r types logwatch_mail_t;
logging_read_all_logs(logwatch_mail_t)
manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
allow logwatch_mail_t self:capability { dac_read_search dac_override };
mta_read_home(logwatch_mail_t)
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
files_getattr_all_file_type_fs(logwatch_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(logwatch_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs(logwatch_t)
')
optional_policy(`
apache_read_log(logwatch_t)
')
optional_policy(`
avahi_dontaudit_search_pid(logwatch_t)
')
optional_policy(`
bind_read_config(logwatch_t)
bind_read_zone(logwatch_t)
')
optional_policy(`
cron_system_entry(logwatch_t, logwatch_exec_t)
')
optional_policy(`
hostname_exec(logwatch_t)
')
optional_policy(`
mta_getattr_spool(logwatch_t)
')
optional_policy(`
ntp_domtrans(logwatch_t)
')
optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
optional_policy(`
samba_read_log(logwatch_t)
samba_read_share_files(logwatch_t)
')

1
policy/modules/admin/mcelog.fc
View File

@ -1 +0,0 @@
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)

20
policy/modules/admin/mcelog.if
View File

@ -1,20 +0,0 @@
## <summary>policy for mcelog</summary>
########################################
## <summary>
## Execute a domain transition to run mcelog.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`mcelog_domtrans',`
gen_require(`
type mcelog_t, mcelog_exec_t;
')
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')

32
policy/modules/admin/mcelog.te
View File

@ -1,32 +0,0 @@
policy_module(mcelog, 1.0.1)
########################################
#
# Declarations
#
type mcelog_t;
type mcelog_exec_t;
application_domain(mcelog_t, mcelog_exec_t)
cron_system_entry(mcelog_t, mcelog_exec_t)
########################################
#
# mcelog local policy
#
allow mcelog_t self:capability sys_admin;
kernel_read_system_state(mcelog_t)
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
files_read_etc_files(mcelog_t)
# for /dev/mem access
mls_file_read_all_levels(mcelog_t)
logging_send_syslog_msg(mcelog_t)
miscfiles_read_localization(mcelog_t)

3
policy/modules/admin/metadata.xml
View File

@ -1,3 +0,0 @@
<summary>
Policy modules for administrative functions, such as package management.
</summary>

18
policy/modules/admin/mrtg.fc
View File

@ -1,18 +0,0 @@
#
# /etc
#
/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0)
#
# /usr
#
/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0)
/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0)
#
# /var
#
/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)

20
policy/modules/admin/mrtg.if
View File

@ -1,20 +0,0 @@
## <summary>Network traffic graphing</summary>
########################################
## <summary>
## Create and append mrtg logs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mrtg_append_create_logs',`
gen_require(`
type mrtg_log_t;
')
append_files_pattern($1, mrtg_log_t, mrtg_log_t)
create_files_pattern($1, mrtg_log_t, mrtg_log_t)
')

161
policy/modules/admin/mrtg.te
View File

@ -1,161 +0,0 @@
policy_module(mrtg, 1.8.0)
########################################
#
# Declarations
#
type mrtg_t;
type mrtg_exec_t;
init_system_domain(mrtg_t, mrtg_exec_t)
type mrtg_etc_t;
files_config_file(mrtg_etc_t)
type mrtg_lock_t;
files_lock_file(mrtg_lock_t)
type mrtg_log_t;
logging_log_file(mrtg_log_t)
type mrtg_var_lib_t;
files_type(mrtg_var_lib_t)
type mrtg_var_run_t;
files_pid_file(mrtg_var_run_t)
########################################
#
# Local policy
#
allow mrtg_t self:capability { setgid setuid chown };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file rw_fifo_file_perms;
allow mrtg_t self:unix_stream_socket create_socket_perms;
allow mrtg_t self:tcp_socket create_socket_perms;
allow mrtg_t self:udp_socket create_socket_perms;
allow mrtg_t mrtg_etc_t:dir list_dir_perms;
read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
allow mrtg_t mrtg_var_run_t:file manage_file_perms;
files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
kernel_read_system_state(mrtg_t)
kernel_read_network_state(mrtg_t)
kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
corenet_all_recvfrom_unlabeled(mrtg_t)
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_udp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_generic_node(mrtg_t)
corenet_udp_sendrecv_generic_node(mrtg_t)
corenet_tcp_sendrecv_all_ports(mrtg_t)
corenet_udp_sendrecv_all_ports(mrtg_t)
corenet_tcp_connect_all_ports(mrtg_t)
corenet_sendrecv_all_client_packets(mrtg_t)
dev_read_sysfs(mrtg_t)
dev_read_urand(mrtg_t)
domain_use_interactive_fds(mrtg_t)
domain_dontaudit_search_all_domains_state(mrtg_t)
files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
files_search_spool(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
# for uptime
files_read_etc_runtime_files(mrtg_t)
# read config files
files_read_etc_files(mrtg_t)
fs_search_auto_mountpoints(mrtg_t)
fs_getattr_xattr_fs(mrtg_t)
fs_list_inotifyfs(mrtg_t)
term_dontaudit_use_console(mrtg_t)
init_use_fds(mrtg_t)
init_use_script_ptys(mrtg_t)
# for uptime
init_read_utmp(mrtg_t)
init_dontaudit_write_utmp(mrtg_t)
auth_use_nsswitch(mrtg_t)
libs_read_lib_files(mrtg_t)
logging_send_syslog_msg(mrtg_t)
miscfiles_read_localization(mrtg_t)
selinux_dontaudit_getattr_dir(mrtg_t)
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
userdom_dontaudit_list_admin_dir(mrtg_t)
netutils_domtrans_ping(mrtg_t)
ifdef(`enable_mls',`
corenet_udp_sendrecv_lo_if(mrtg_t)
')
ifdef(`distro_redhat',`
allow mrtg_t mrtg_lock_t:file manage_file_perms;
filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
')
optional_policy(`
apache_manage_sys_content(mrtg_t)
')
optional_policy(`
cron_system_entry(mrtg_t, mrtg_exec_t)
')
optional_policy(`
hostname_exec(mrtg_t)
')
optional_policy(`
hddtemp_domtrans(mrtg_t)
')
optional_policy(`
seutil_sigchld_newrole(mrtg_t)
')
optional_policy(`
quota_dontaudit_getattr_db(mrtg_t)
')
optional_policy(`
snmp_read_snmp_var_lib_files(mrtg_t)
')
optional_policy(`
udev_read_db(mrtg_t)
')

2
policy/modules/admin/ncftool.fc
View File

@ -1,2 +0,0 @@
/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)

78
policy/modules/admin/ncftool.if
View File

@ -1,78 +0,0 @@
## <summary>policy for ncftool</summary>
########################################
## <summary>
## Execute a domain transition to run ncftool.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ncftool_domtrans',`
gen_require(`
type ncftool_t, ncftool_exec_t;
')
domtrans_pattern($1, ncftool_exec_t, ncftool_t)
')
########################################
## <summary>
## Execute ncftool in the ncftool domain, and
## allow the specified role the ncftool domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the ncftool domain.
## </summary>
## </param>
#
interface(`ncftool_run',`
gen_require(`
type ncftool_t;
')
ncftool_domtrans($1)
role $2 types ncftool_t;
optional_policy(`
brctl_run(ncftool_t, $2)
')
')
########################################
## <summary>
## Role access for ncftool
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`ncftool_role',`
gen_require(`
type ncftool_t;
')
role $1 types ncftool_t;
ncftool_domtrans($2)
ps_process_pattern($2, ncftool_t)
allow $2 ncftool_t:process signal;
')

91
policy/modules/admin/ncftool.te
View File

@ -1,91 +0,0 @@
policy_module(ncftool, 1.0.0)
########################################
#
# Declarations
#
type ncftool_t;
type ncftool_exec_t;
application_domain(ncftool_t, ncftool_exec_t)
domain_obj_id_change_exemption(ncftool_t)
domain_system_change_exemption(ncftool_t)
role system_r types ncftool_t;
permissive ncftool_t;
########################################
#
# ncftool local policy
#
allow ncftool_t self:capability { net_admin sys_ptrace };
allow ncftool_t self:process signal;
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
allow ncftool_t self:tcp_socket create_stream_socket_perms;
kernel_read_kernel_sysctls(ncftool_t)
kernel_read_modprobe_sysctls(ncftool_t)
kernel_read_network_state(ncftool_t)
kernel_read_system_state(ncftool_t)
kernel_request_load_module(ncftool_t)
kernel_rw_net_sysctls(ncftool_t)
corecmd_exec_bin(ncftool_t)
corecmd_exec_shell(ncftool_t)
domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
files_manage_system_conf_files(ncftool_t)
files_relabelto_system_conf_files(ncftool_t)
files_read_etc_files(ncftool_t)
files_read_etc_runtime_files(ncftool_t)
files_read_usr_files(ncftool_t)
term_use_all_terms(ncftool_t)
miscfiles_read_localization(ncftool_t)
modutils_list_module_config(ncftool_t)
modutils_read_module_config(ncftool_t)
modutils_domtrans_insmod(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
sysnet_domtrans_dhcpc(ncftool_t)
sysnet_domtrans_ifconfig(ncftool_t)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
sysnet_relabelfrom_net_conf(ncftool_t)
sysnet_relabelto_net_conf(ncftool_t)
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
userdom_read_user_tmp_files(ncftool_t)
optional_policy(`
consoletype_exec(ncftool_t)
')
optional_policy(`
dbus_system_bus_client(ncftool_t)
')
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
')
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
')
optional_policy(`
netutils_domtrans(ncftool_t)
')

15
policy/modules/admin/netutils.fc
View File

@ -1,15 +0,0 @@
/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)

301
policy/modules/admin/netutils.if
View File

@ -1,301 +0,0 @@
## <summary>Network analysis utilities</summary>
########################################
## <summary>
## Execute network utilities in the netutils domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`netutils_domtrans',`
gen_require(`
type netutils_t, netutils_exec_t;
')
domtrans_pattern($1, netutils_exec_t, netutils_t)
')
########################################
## <summary>
## Execute network utilities in the netutils domain, and
## allow the specified role the netutils domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`netutils_run',`
gen_require(`
type netutils_t;
')
netutils_domtrans($1)
role $2 types netutils_t;
')
########################################
## <summary>
## Execute network utilities in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netutils_exec',`
gen_require(`
type netutils_exec_t;
')
can_exec($1, netutils_exec_t)
')
########################################
## <summary>
## Send generic signals to network utilities.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netutils_signal',`
gen_require(`
type netutils_t;
')
allow $1 netutils_t:process signal;
')
########################################
## <summary>
## Execute ping in the ping domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`netutils_domtrans_ping',`
gen_require(`
type ping_t, ping_exec_t;
')
domtrans_pattern($1, ping_exec_t, ping_t)
')
########################################
## <summary>
## Send a kill (SIGKILL) signal to ping.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netutils_kill_ping',`
gen_require(`
type ping_t;
')
allow $1 ping_t:process sigkill;
')
########################################
## <summary>
## Send generic signals to ping.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netutils_signal_ping',`
gen_require(`
type ping_t;
')
allow $1 ping_t:process signal;
')
########################################
## <summary>
## Execute ping in the ping domain, and
## allow the specified role the ping domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`netutils_run_ping',`
gen_require(`
type ping_t;
')
netutils_domtrans_ping($1)
role $2 types ping_t;
')
########################################
## <summary>
## Conditionally execute ping in the ping domain, and
## allow the specified role the ping domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`netutils_run_ping_cond',`
gen_require(`
type ping_t;
bool user_ping;
')
role $2 types ping_t;
if ( user_ping ) {
netutils_domtrans_ping($1)
}
')
########################################
## <summary>
## Execute ping in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netutils_exec_ping',`
gen_require(`
type ping_exec_t;
')
can_exec($1, ping_exec_t)
')
########################################
## <summary>
## Execute traceroute in the traceroute domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`netutils_domtrans_traceroute',`
gen_require(`
type traceroute_t, traceroute_exec_t;
')
domtrans_pattern($1, traceroute_exec_t, traceroute_t)
')
########################################
## <summary>
## Execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`netutils_run_traceroute',`
gen_require(`
type traceroute_t;
')
netutils_domtrans_traceroute($1)
role $2 types traceroute_t;
')
########################################
## <summary>
## Conditionally execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`netutils_run_traceroute_cond',`
gen_require(`
type traceroute_t;
bool user_ping;
')
role $2 types traceroute_t;
if( user_ping ) {
netutils_domtrans_traceroute($1)
}
')
########################################
## <summary>
## Execute traceroute in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netutils_exec_traceroute',`
gen_require(`
type traceroute_exec_t;
')
can_exec($1, traceroute_exec_t)
')

240
policy/modules/admin/netutils.te
View File

@ -1,240 +0,0 @@
policy_module(netutils, 1.10.1)
########################################
#
# Declarations
#
## <desc>
## <p>
## Control users use of ping and traceroute
## </p>
## </desc>
gen_tunable(user_ping, false)
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t, netutils_exec_t)
role system_r types netutils_t;
type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)
type ping_t;
type ping_exec_t;
init_system_domain(ping_t, ping_exec_t)
role system_r types ping_t;
type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t, traceroute_exec_t)
role system_r types traceroute_t;
########################################
#
# Netutils local policy
#
# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
dontaudit netutils_t self:capability sys_tty_config;
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t self:socket create_socket_perms;
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)
kernel_read_network_state(netutils_t)
kernel_request_load_module(netutils_t)
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_generic_if(netutils_t)
corenet_raw_sendrecv_generic_if(netutils_t)
corenet_udp_sendrecv_generic_if(netutils_t)
corenet_tcp_sendrecv_generic_node(netutils_t)
corenet_raw_sendrecv_generic_node(netutils_t)
corenet_udp_sendrecv_generic_node(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
dev_read_usbmon_dev(netutils_t)
dev_write_usbmon_dev(netutils_t)
dev_rw_generic_usb_dev(netutils_t)
fs_getattr_xattr_fs(netutils_t)
domain_use_interactive_fds(netutils_t)
files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)
init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)
auth_use_nsswitch(netutils_t)
logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
term_dontaudit_use_console(netutils_t)
userdom_use_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)
optional_policy(`
nis_use_ypbind(netutils_t)
')
optional_policy(`
vmware_append_log(netutils_t)
')
optional_policy(`
xen_append_log(netutils_t)
')
########################################
#
# Ping local policy
#
allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
corenet_all_recvfrom_unlabeled(ping_t)
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_node(ping_t)
corenet_tcp_sendrecv_generic_node(ping_t)
corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
domain_use_interactive_fds(ping_t)
files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
auth_use_nsswitch(ping_t)
logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
optional_policy(`
nagios_dontaudit_rw_log(ping_t)
nagios_dontaudit_rw_pipes(ping_t)
')
')
term_use_all_terms(ping_t)
tunable_policy(`user_ping',`
term_use_all_ttys(ping_t)
term_use_all_ptys(ping_t)
',`
term_dontaudit_use_all_ttys(ping_t)
term_dontaudit_use_all_ptys(ping_t)
')
optional_policy(`
munin_append_log(ping_t)
')
optional_policy(`
nagios_rw_inerited_tmp_files(ping_t)
')
optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
optional_policy(`
hotplug_use_fds(ping_t)
')
########################################
#
# Traceroute local policy
#
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
corenet_all_recvfrom_unlabeled(traceroute_t)
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
corenet_raw_sendrecv_generic_if(traceroute_t)
corenet_tcp_sendrecv_generic_node(traceroute_t)
corenet_udp_sendrecv_generic_node(traceroute_t)
corenet_raw_sendrecv_generic_node(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_generic_node(traceroute_t)
corenet_tcp_bind_generic_node(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_generic_node(traceroute_t)
corenet_udp_bind_traceroute_port(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)
fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
files_read_usr_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
term_use_all_terms(traceroute_t)
tunable_policy(`user_ping',`
term_use_all_ttys(traceroute_t)
term_use_all_ptys(traceroute_t)
',`
term_dontaudit_use_all_ttys(traceroute_t)
term_dontaudit_use_all_ptys(traceroute_t)
')

24
policy/modules/admin/portage.fc
View File

@ -1,24 +0,0 @@
/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)

283
policy/modules/admin/portage.if
View File

@ -1,283 +0,0 @@
## <summary>
## Portage Package Management System. The primary package management and
## distribution system for Gentoo.
## </summary>
########################################
## <summary>
## Execute emerge in the portage domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`portage_domtrans',`
gen_require(`
type portage_t, portage_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
# transition to portage
domtrans_pattern($1, portage_exec_t, portage_t)
')
########################################
## <summary>
## Execute emerge in the portage domain, and
## allow the specified role the portage domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the portage domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`portage_run',`
gen_require(`
type portage_t, portage_fetch_t, portage_sandbox_t;
')
portage_domtrans($1)
role $2 types { portage_t portage_fetch_t portage_sandbox_t };
')
########################################
## <summary>
## Template for portage sandbox.
## </summary>
## <desc>
## <p>
## Template for portage sandbox. Portage
## does all compiling in the sandbox.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain Allowed Access
## </summary>
## </param>
#
interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
type portage_devpts_t, portage_log_t, portage_tmp_t;
type portage_tmpfs_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1 self:fd use;
allow $1 self:fifo_file rw_fifo_file_perms;
allow $1 self:shm create_shm_perms;
allow $1 self:sem create_sem_perms;
allow $1 self:msgq create_msgq_perms;
allow $1 self:msg { send receive };
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 self:unix_dgram_socket sendto;
allow $1 self:unix_stream_socket connectto;
# really shouldnt need this
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
# misc networking stuff (esp needed for compiling perl):
allow $1 self:rawip_socket { create ioctl };
# needed for merging dbus:
allow $1 self:netlink_selinux_socket { bind create read };
allow $1 self:dbus send_msg;
allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1, portage_devpts_t)
# write compile logs
allow $1 portage_log_t:dir setattr;
allow $1 portage_log_t:file { write_file_perms setattr };
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)
manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
# SELinux-enabled programs running in the sandbox
allow $1 portage_tmp_t:file relabel_file_perms;
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
kernel_read_network_state($1)
kernel_read_software_raid_state($1)
kernel_getattr_core_if($1)
kernel_getattr_message_if($1)
kernel_read_kernel_sysctls($1)
corecmd_exec_all_executables($1)
# really shouldnt need this but some packages test
# network access, such as during configure
# also distcc--need to reinvestigate confining distcc client
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_raw_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_distccd_port($1)
dev_read_sysfs($1)
dev_read_rand($1)
dev_read_urand($1)
domain_use_interactive_fds($1)
domain_dontaudit_read_all_domains_state($1)
# SELinux-aware installs doing relabels in the sandbox
domain_obj_id_change_exemption($1)
files_exec_etc_files($1)
files_exec_usr_src_files($1)
fs_getattr_xattr_fs($1)
fs_list_noxattr_fs($1)
fs_read_noxattr_fs_files($1)
fs_read_noxattr_fs_symlinks($1)
fs_search_auto_mountpoints($1)
selinux_validate_context($1)
# needed for merging dbus:
selinux_compute_access_vector($1)
auth_read_all_dirs_except_shadow($1)
auth_read_all_files_except_shadow($1)
auth_read_all_symlinks_except_shadow($1)
libs_exec_lib_files($1)
# some config scripts use ldd
libs_exec_ld_so($1)
# this violates the idea of sandbox, but
# regular sandbox allows it
libs_domtrans_ldconfig($1)
logging_send_syslog_msg($1)
userdom_use_user_terminals($1)
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`
allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
')
') dnl end TODO
')
########################################
## <summary>
## Execute gcc-config in the gcc_config domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`portage_domtrans_gcc_config',`
gen_require(`
type gcc_config_t, gcc_config_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
')
########################################
## <summary>
## Execute gcc-config in the gcc_config domain, and
## allow the specified role the gcc_config domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the gcc_config domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`portage_run_gcc_config',`
gen_require(`
type gcc_config_t;
')
portage_domtrans_gcc_config($1)
role $2 types gcc_config_t;
')
########################################
## <summary>
## Do not audit attempts to search the
## portage temporary directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`portage_dontaudit_search_tmp',`
gen_require(`
type portage_tmp_t;
')
dontaudit $1 portage_tmp_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to read and write
## the portage temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`portage_dontaudit_rw_tmp_files',`
gen_require(`
type portage_tmp_t;
')
dontaudit $1 portage_tmp_t:file rw_file_perms;
')

276
policy/modules/admin/portage.te
View File

@ -1,276 +0,0 @@
policy_module(portage, 1.10.0)
########################################
#
# Declarations
#
type gcc_config_t;
type gcc_config_exec_t;
application_domain(gcc_config_t, gcc_config_exec_t)
# constraining type
type portage_t;
type portage_exec_t;
application_domain(portage_t, portage_exec_t)
domain_obj_id_change_exemption(portage_t)
rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)
# portage compile sandbox domain
type portage_sandbox_t;
application_domain(portage_sandbox_t, portage_exec_t)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
# portage package fetching domain
type portage_fetch_t;
application_type(portage_fetch_t)
corecmd_shell_entry_type(portage_fetch_t)
rsync_entry_type(portage_fetch_t)
type portage_devpts_t;
term_pty(portage_devpts_t)
type portage_ebuild_t;
files_type(portage_ebuild_t)
type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)
type portage_db_t;
files_type(portage_db_t)
type portage_conf_t;
files_type(portage_conf_t)
type portage_cache_t;
files_type(portage_cache_t)
type portage_log_t;
logging_log_file(portage_log_t)
type portage_tmp_t;
files_tmp_file(portage_tmp_t)
type portage_tmpfs_t;
files_tmpfs_file(portage_tmpfs_t)
########################################
#
# gcc-config policy
#
allow gcc_config_t self:capability { chown fsetid };
allow gcc_config_t self:fifo_file rw_file_perms;
manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
allow gcc_config_t portage_exec_t:file mmap_file_perms;
kernel_read_system_state(gcc_config_t)
kernel_read_kernel_sysctls(gcc_config_t)
corecmd_exec_shell(gcc_config_t)
corecmd_exec_bin(gcc_config_t)
corecmd_manage_bin_files(gcc_config_t)
domain_use_interactive_fds(gcc_config_t)
files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t)
files_read_usr_files(gcc_config_t)
files_search_var_lib(gcc_config_t)
files_search_pids(gcc_config_t)
# complains loudly about not being able to list
# the directory it is being run from
files_list_all(gcc_config_t)
# seems to be ok without this
init_dontaudit_read_script_status_files(gcc_config_t)
libs_read_lib_files(gcc_config_t)
libs_domtrans_ldconfig(gcc_config_t)
libs_manage_shared_libs(gcc_config_t)
# gcc-config creates a temp dir for the libs
libs_manage_lib_dirs(gcc_config_t)
logging_send_syslog_msg(gcc_config_t)
miscfiles_read_localization(gcc_config_t)
userdom_use_user_terminals(gcc_config_t)
consoletype_exec(gcc_config_t)
optional_policy(`
seutil_use_newrole_fds(gcc_config_t)
')
########################################
#
# Portage Merging Rules
#
# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow portage_t self:process { setfscreate setexec };
# - kill for mysql merging, at least
allow portage_t self:capability { sys_nice kill };
# user post-sync scripts
can_exec(portage_t, portage_conf_t)
allow portage_t portage_log_t:file manage_file_perms;
logging_log_filetrans(portage_t, portage_log_t, file)
allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
# transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
rsync_entry_domtrans(portage_t, portage_fetch_t)
allow portage_fetch_t portage_t:fd use;
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
allow portage_fetch_t portage_t:process sigchld;
# transition to sandbox for compiling
domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld;
# run scripts out of the build directory
can_exec(portage_t, portage_tmp_t)
# merging baselayout will need this:
kernel_write_proc_files(portage_t)
domain_dontaudit_read_all_domains_state(portage_t)
# modify any files in the system
files_manage_all_files(portage_t)
selinux_get_fs_mount(portage_t)
auth_manage_shadow(portage_t)
# merging baselayout will need this:
init_exec(portage_t)
# run setfiles -r
seutil_domtrans_setfiles(portage_t)
# run semodule
seutil_domtrans_semanage(portage_t)
portage_domtrans_gcc_config(portage_t)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t)
optional_policy(`
bootloader_domtrans(portage_t)
')
optional_policy(`
modutils_domtrans_depmod(portage_t)
modutils_domtrans_update_mods(portage_t)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
optional_policy(`
usermanage_domtrans_groupadd(portage_t)
usermanage_domtrans_useradd(portage_t)
')
ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:chr_file read_chr_file_perms;
dontaudit portage_t device_type:blk_file read_blk_file_perms;
')
##########################################
#
# Portage fetch domain
# - for rsync and distfile fetching
#
allow portage_fetch_t self:capability { dac_override fowner fsetid };
allow portage_fetch_t self:process signal;
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
# rsync server timestamp check
allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };
kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)
corecmd_exec_bin(portage_fetch_t)
corenet_all_recvfrom_unlabeled(portage_fetch_t)
corenet_all_recvfrom_netlabel(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_generic_node(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# would rather not connect to unspecified ports, but
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)
domain_use_interactive_fds(portage_fetch_t)
files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_search_var(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
term_search_ptys(portage_fetch_t)
miscfiles_read_localization(portage_fetch_t)
sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)
userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
##########################################
#
# Portage sandbox domain
# - SELinux-enforced sandbox
#
portage_compile_domain(portage_sandbox_t)
ifdef(`hide_broken_symptoms',`
# leaked descriptors
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
')

11
policy/modules/admin/prelink.fc
View File

@ -1,11 +0,0 @@
/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)

204
policy/modules/admin/prelink.if
View File

@ -1,204 +0,0 @@
## <summary>Prelink ELF shared library mappings.</summary>
########################################
## <summary>
## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`prelink_domtrans',`
gen_require(`
type prelink_t, prelink_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, prelink_exec_t, prelink_t)
ifdef(`hide_broken_symptoms', `
dontaudit prelink_t $1:socket_class_set { read write };
dontaudit prelink_t $1:fifo_file setattr;
')
')
########################################
## <summary>
## Execute the prelink program in the current domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_exec',`
gen_require(`
type prelink_exec_t;
')
corecmd_search_bin($1)
can_exec($1, prelink_exec_t)
')
########################################
## <summary>
## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the prelink domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`prelink_run',`
gen_require(`
type prelink_t;
')
prelink_domtrans($1)
role $2 types prelink_t;
')
########################################
## <summary>
## Make the specified file type prelinkable.
## </summary>
## <param name="file_type">
## <summary>
## File type to be prelinked.
## </summary>
## </param>
#
# cjp: added for misc non-entrypoint objects
interface(`prelink_object_file',`
gen_require(`
attribute prelink_object;
')
typeattribute $1 prelink_object;
')
########################################
## <summary>
## Read the prelink cache.
## </summary>
## <param name="file_type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_read_cache',`
gen_require(`
type prelink_cache_t;
')
files_search_etc($1)
allow $1 prelink_cache_t:file read_file_perms;
')
########################################
## <summary>
## Delete the prelink cache.
## </summary>
## <param name="file_type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_delete_cache',`
gen_require(`
type prelink_cache_t;
')
allow $1 prelink_cache_t:file unlink;
files_rw_etc_dirs($1)
')
########################################
## <summary>
## Create, read, write, and delete
## prelink log files.
## </summary>
## <param name="file_type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_manage_log',`
gen_require(`
type prelink_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, prelink_log_t, prelink_log_t)
')
########################################
## <summary>
## Create, read, write, and delete
## prelink var_lib files.
## </summary>
## <param name="file_type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_manage_lib',`
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
########################################
## <summary>
## Relabel from files in the /boot directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_relabelfrom_lib',`
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
########################################
## <summary>
## Relabel from files in the /boot directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_relabel_lib',`
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')

182
policy/modules/admin/prelink.te
View File

@ -1,182 +0,0 @@
policy_module(prelink, 1.9.1)
########################################
#
# Declarations
attribute prelink_object;
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t, prelink_exec_t)
domain_obj_id_change_exemption(prelink_t)
type prelink_cache_t;
files_type(prelink_cache_t)
type prelink_cron_system_t;
type prelink_cron_system_exec_t;
domain_type(prelink_cron_system_t)
domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
type prelink_log_t;
logging_log_file(prelink_log_t)
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
type prelink_tmpfs_t;
files_tmpfs_file(prelink_tmpfs_t)
type prelink_var_lib_t;
files_type(prelink_var_lib_t)
########################################
#
# Local policy
#
allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
files_search_var_lib(prelink_t)
# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
dev_getattr_all_chr_files(prelink_t)
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
files_dontaudit_read_all_symlinks(prelink_t)
files_manage_usr_files(prelink_t)
files_manage_var_files(prelink_t)
files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
storage_getattr_fixed_disk_dev(prelink_t)
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
userdom_manage_user_home_content(prelink_t)
userdom_execmod_user_home_files(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
')
optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')
optional_policy(`
nsplugin_manage_rw_files(prelink_t)
')
optional_policy(`
rpm_manage_tmp_files(prelink_t)
')
optional_policy(`
unconfined_domain(prelink_t)
')
########################################
#
# Prelink Cron system Policy
#
optional_policy(`
allow prelink_cron_system_t self:capability setuid;
allow prelink_cron_system_t self:process { setsched setfscreate signal };
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
files_delete_etc_dir_entry(prelink_cron_system_t)
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
kernel_read_system_state(prelink_cron_system_t)
corecmd_exec_bin(prelink_cron_system_t)
corecmd_exec_shell(prelink_cron_system_t)
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
init_telinit(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
logging_search_logs(prelink_cron_system_t)
miscfiles_read_localization(prelink_cron_system_t)
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
optional_policy(`
rpm_read_db(prelink_cron_system_t)
')
')
ifdef(`hide_broken_symptoms', `
optional_policy(`
dbus_read_config(prelink_t)
')
')

19
policy/modules/admin/quota.fc
View File

@ -1,19 +0,0 @@
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
ifdef(`distro_redhat',`
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
',`
/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
')

84
policy/modules/admin/quota.if
View File

@ -1,84 +0,0 @@
## <summary>File system quota management</summary>
########################################
## <summary>
## Execute quota management tools in the quota domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`quota_domtrans',`
gen_require(`
type quota_t, quota_exec_t;
')
domtrans_pattern($1, quota_exec_t, quota_t)
')
########################################
## <summary>
## Execute quota management tools in the quota domain, and
## allow the specified role the quota domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`quota_run',`
gen_require(`
type quota_t;
')
quota_domtrans($1)
role $2 types quota_t;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of filesystem quota data files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`quota_dontaudit_getattr_db',`
gen_require(`
type quota_db_t;
')
dontaudit $1 quota_db_t:file getattr;
')
########################################
## <summary>
## Create, read, write, and delete quota
## flag files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`quota_manage_flags',`
gen_require(`
type quota_flag_t;
')
files_search_var_lib($1)
manage_files_pattern($1, quota_flag_t, quota_flag_t)
')

84
policy/modules/admin/quota.te
View File

@ -1,84 +0,0 @@
policy_module(quota, 1.4.1)
########################################
#
# Declarations
#
type quota_t;
type quota_exec_t;
init_system_domain(quota_t, quota_exec_t)
type quota_db_t;
files_type(quota_db_t)
type quota_flag_t;
files_type(quota_flag_t)
########################################
#
# Local policy
#
allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
# for /quota.*
allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
files_etc_filetrans(quota_t, quota_db_t, file)
files_tmp_filetrans(quota_t, quota_db_t, file)
files_home_filetrans(quota_t, quota_db_t, file)
files_usr_filetrans(quota_t, quota_db_t, file)
files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
kernel_setsched(quota_t)
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
dev_getattr_all_chr_files(quota_t)
fs_get_xattr_fs_quotas(quota_t)
fs_set_xattr_fs_quotas(quota_t)
fs_getattr_xattr_fs(quota_t)
fs_remount_xattr_fs(quota_t)
fs_search_auto_mountpoints(quota_t)
mls_file_read_all_levels(quota_t)
storage_raw_read_fixed_disk(quota_t)
term_dontaudit_use_console(quota_t)
domain_use_interactive_fds(quota_t)
files_list_all(quota_t)
files_read_all_files(quota_t)
files_read_all_symlinks(quota_t)
files_getattr_all_pipes(quota_t)
files_getattr_all_sockets(quota_t)
files_getattr_all_file_type_fs(quota_t)
# Read /etc/mtab.
files_read_etc_runtime_files(quota_t)
init_use_fds(quota_t)
init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
userdom_use_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
seutil_sigchld_newrole(quota_t)
')
optional_policy(`
udev_read_db(quota_t)
')

3
policy/modules/admin/readahead.fc
View File

@ -1,3 +0,0 @@
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)

1
policy/modules/admin/readahead.if
View File

@ -1 +0,0 @@
## <summary>Readahead, read files into page cache for improved performance</summary>

103
policy/modules/admin/readahead.te
View File

@ -1,103 +0,0 @@
policy_module(readahead, 1.11.1)
########################################
#
# Declarations
#
type readahead_t;
type readahead_exec_t;
init_daemon_domain(readahead_t, readahead_exec_t)
application_domain(readahead_t, readahead_exec_t)
type readahead_var_lib_t;
files_type(readahead_var_lib_t)
typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
########################################
#
# Local policy
#
allow readahead_t self:capability { fowner dac_override dac_read_search };
dontaudit readahead_t self:capability { net_admin sys_tty_config };
allow readahead_t self:process { setsched signal_perms };
manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
files_search_var_lib(readahead_t)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
files_pid_filetrans(readahead_t, readahead_var_run_t, file)
kernel_read_all_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
dev_read_sysfs(readahead_t)
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t)
dev_dontaudit_getattr_nvram_dev(readahead_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(readahead_t)
domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
files_dontaudit_read_security_files(readahead_t)
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
mls_file_read_all_levels(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
term_dontaudit_use_console(readahead_t)
auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
logging_dontaudit_search_audit_config(readahead_t)
miscfiles_read_localization(readahead_t)
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
userdom_dontaudit_search_user_home_dirs(readahead_t)
optional_policy(`
cron_system_entry(readahead_t, readahead_exec_t)
')
optional_policy(`
seutil_sigchld_newrole(readahead_t)
')

58
policy/modules/admin/rpm.fc
View File

@ -1,58 +0,0 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
')
ifdef(`enable_mls',`
/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')

690
policy/modules/admin/rpm.if
View File

@ -1,690 +0,0 @@
## <summary>Policy for the RPM package manager.</summary>
########################################
## <summary>
## Execute rpm programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
attribute rpm_transition_domain;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
typeattribute $1 rpm_transition_domain;
rpm_debuginfo_domtrans($1)
')
########################################
## <summary>
## Execute debuginfo_install programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_debuginfo_domtrans',`
gen_require(`
type rpm_t;
type debuginfo_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, debuginfo_exec_t, rpm_t)
')
########################################
## <summary>
## Execute rpm_script programs in the rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_domtrans_script',`
gen_require(`
type rpm_script_t;
')
# transition to rpm script:
corecmd_shell_domtrans($1, rpm_script_t)
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
')
########################################
## <summary>
## Execute RPM programs in the RPM domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the RPM domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`rpm_run',`
gen_require(`
type rpm_t, rpm_script_t;
')
rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
domain_system_change_exemption($1)
role_transition $2 rpm_exec_t system_r;
allow $2 system_r;
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
')
########################################
## <summary>
## Execute the rpm client in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_exec',`
gen_require(`
type rpm_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rpm_exec_t)
')
########################################
## <summary>
## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_signull',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:process signull;
')
########################################
## <summary>
## Inherit and use file descriptors from RPM.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_use_fds',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fd use;
')
########################################
## <summary>
## Read from an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_pipes',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_rw_pipes',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## dontaudit read and write an leaked file descriptors
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_dontaudit_leaks',`
gen_require(`
type rpm_t, rpm_var_cache_t;
type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
')
dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_t:tcp_socket { read write };
dontaudit $1 rpm_t:unix_dgram_socket { read write };
dontaudit $1 rpm_t:shm rw_shm_perms;
dontaudit $1 rpm_script_t:fd use;
dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Send and receive messages from
## rpm over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_dbus_chat',`
gen_require(`
type rpm_t;
class dbus send_msg;
')
allow $1 rpm_t:dbus send_msg;
allow rpm_t $1:dbus send_msg;
')
########################################
## <summary>
## Do not audit attempts to send and
## receive messages from rpm over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_dbus_chat',`
gen_require(`
type rpm_t;
class dbus send_msg;
')
dontaudit $1 rpm_t:dbus send_msg;
dontaudit rpm_t $1:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## rpm_script over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_script_dbus_chat',`
gen_require(`
type rpm_script_t;
class dbus send_msg;
')
allow $1 rpm_script_t:dbus send_msg;
allow rpm_script_t $1:dbus send_msg;
')
########################################
## <summary>
## Search RPM log directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_search_log',`
gen_require(`
type rpm_log_t;
')
allow $1 rpm_log_t:dir search_dir_perms;
')
#####################################
## <summary>
## Allow the specified domain to append
## to rpm log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_append_log',`
gen_require(`
type rpm_log_t;
')
logging_search_logs($1)
append_files_pattern($1, rpm_log_t, rpm_log_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_log',`
gen_require(`
type rpm_log_t;
')
logging_rw_generic_log_dirs($1)
allow $1 rpm_log_t:file manage_file_perms;
')
########################################
## <summary>
## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_use_script_fds',`
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:fd use;
')
########################################
## <summary>
## Create, read, write, and delete RPM
## script temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_script_tmp_files',`
gen_require(`
type rpm_script_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
#####################################
## <summary>
## Allow the specified domain to append
## to rpm tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_append_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
## Create, read, write, and delete RPM
## temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
## Read RPM script temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_script_tmp_files',`
gen_require(`
type rpm_script_tmp_t;
')
read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
########################################
## <summary>
## Read the RPM cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_cache',`
gen_require(`
type rpm_var_cache_t;
')
files_search_var($1)
allow $1 rpm_var_cache_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_cache',`
gen_require(`
type rpm_var_cache_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
')
########################################
## <summary>
## Read the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
rpm_read_cache($1)
')
########################################
## <summary>
## Delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_delete_db',`
gen_require(`
type rpm_var_lib_t;
')
delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_manage_db',`
gen_require(`
type rpm_var_lib_t;
')
dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
#####################################
## <summary>
## Read rpm pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_pid_files',`
gen_require(`
type rpm_var_run_t;
')
read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
')
#####################################
## <summary>
## Create, read, write, and delete rpm pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_pid_files',`
gen_require(`
type rpm_var_run_t;
')
manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
')
######################################
## <summary>
## Create files in /var/run with the rpm pid file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_pid_filetrans',`
gen_require(`
type rpm_var_run_t;
')
files_pid_filetrans($1, rpm_var_run_t, file)
')
########################################
## <summary>
## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_inherited_fifo',`
gen_require(`
attribute rpm_transition_domain;
')
allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## Make rpm_exec_t an entry point for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_entry_type',`
gen_require(`
type rpm_exec_t;
')
domain_entry_file($1, rpm_exec_t)
')
########################################
## <summary>
## Allow application to transition to rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_transition_script',`
gen_require(`
type rpm_script_t;
attribute rpm_transition_domain;
')
typeattribute $1 rpm_transition_domain;
allow $1 rpm_script_t:process transition;
allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
allow rpm_script_t $1:process sigchld;
')

404
policy/modules/admin/rpm.te
View File

@ -1,404 +0,0 @@
policy_module(rpm, 1.11.1)
attribute rpm_transition_domain;
########################################
#
# Declarations
#
type debuginfo_exec_t;
domain_entry_file(rpm_t, debuginfo_exec_t)
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t, rpm_exec_t)
domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)
role system_r types rpm_t;
type rpm_file_t;
files_type(rpm_file_t)
type rpm_tmp_t;
files_tmp_file(rpm_tmp_t)
type rpm_tmpfs_t;
files_tmpfs_file(rpm_tmpfs_t)
type rpm_log_t;
logging_log_file(rpm_log_t)
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_var_cache_t;
files_type(rpm_var_cache_t)
type rpm_var_run_t;
files_pid_file(rpm_var_run_t)
type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
domain_system_change_exemption(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
role system_r types rpm_script_t;
type rpm_script_tmp_t;
files_tmp_file(rpm_script_tmp_t)
type rpm_script_tmpfs_t;
files_tmpfs_file(rpm_script_tmpfs_t)
########################################
#
# rpm Local policy
#
allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
allow rpm_t self:unix_dgram_socket create_socket_perms;
allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
allow rpm_t self:unix_stream_socket connectto;
allow rpm_t self:udp_socket { connect };
allow rpm_t self:udp_socket create_socket_perms;
allow rpm_t self:tcp_socket create_stream_socket_perms;
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
can_exec(rpm_t, rpm_tmp_t)
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_t, rpm_tmpfs_t)
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
# Access /var/lib/rpm files
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
kernel_read_network_state(rpm_t)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
kernel_read_network_state_symlinks(rpm_t)
corecmd_exec_all_executables(rpm_t)
corenet_all_recvfrom_unlabeled(rpm_t)
corenet_all_recvfrom_netlabel(rpm_t)
corenet_tcp_sendrecv_generic_if(rpm_t)
corenet_raw_sendrecv_generic_if(rpm_t)
corenet_udp_sendrecv_generic_if(rpm_t)
corenet_tcp_sendrecv_generic_node(rpm_t)
corenet_raw_sendrecv_generic_node(rpm_t)
corenet_udp_sendrecv_generic_node(rpm_t)
corenet_tcp_sendrecv_all_ports(rpm_t)
corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_connect_all_ports(rpm_t)
corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
dev_read_raw_memory(rpm_t)
#devices_manage_all_device_types(rpm_t)
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
fs_manage_nfs_dirs(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
mls_file_upgrade(rpm_t)
mls_file_downgrade(rpm_t)
selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
selinux_compute_access_vector(rpm_t)
selinux_compute_create_context(rpm_t)
selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
# transition to rpm script:
rpm_domtrans_script(rpm_t)
domain_read_all_domains_state(rpm_t)
domain_getattr_all_domains(rpm_t)
domain_dontaudit_ptrace_all_domains(rpm_t)
domain_use_interactive_fds(rpm_t)
domain_dontaudit_getattr_all_pipes(rpm_t)
domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
domain_dontaudit_getattr_all_udp_sockets(rpm_t)
domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
init_use_script_ptys(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
libs_domtrans_ldconfig(rpm_t)
logging_send_syslog_msg(rpm_t)
# allow compiling and loading new policy
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
userdom_use_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
cron_system_entry(rpm_t, rpm_exec_t)
')
optional_policy(`
dbus_system_domain(rpm_t, rpm_exec_t)
dbus_system_domain(rpm_t, debuginfo_exec_t)
optional_policy(`
hal_dbus_chat(rpm_t)
')
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
')
optional_policy(`
prelink_domtrans(rpm_t)
')
optional_policy(`
unconfined_domain_noaudit(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
')
########################################
#
# rpm-script Local policy
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
allow rpm_script_t self:unix_stream_socket connectto;
allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
dev_list_sysfs(rpm_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(rpm_script_t)
dev_manage_generic_chr_files(rpm_script_t)
dev_manage_all_blk_files(rpm_script_t)
dev_manage_all_chr_files(rpm_script_t)
fs_manage_nfs_files(rpm_script_t)
fs_getattr_nfs(rpm_script_t)
fs_search_all(rpm_script_t)
fs_getattr_all_fs(rpm_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
selinux_get_fs_mount(rpm_script_t)
selinux_validate_context(rpm_script_t)
selinux_compute_access_vector(rpm_script_t)
selinux_compute_create_context(rpm_script_t)
selinux_compute_relabel_context(rpm_script_t)
selinux_compute_user_contexts(rpm_script_t)
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
term_use_all_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(rpm_script_t)
auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
can_exec(rpm_script_t, rpm_script_tmp_t)
can_exec(rpm_script_t, rpm_script_tmpfs_t)
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
domain_dontaudit_ptrace_all_domains(rpm_script_t)
domain_use_interactive_fds(rpm_script_t)
domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t)
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
files_relabel_all_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
libs_domtrans_ldconfig(rpm_script_t)
logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
modutils_domtrans_depmod(rpm_script_t)
modutils_domtrans_insmod(rpm_script_t)
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
seutil_domtrans_setsebool(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
userdom_exec_admin_home_files(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`
mta_send_mail(rpm_script_t)
mta_system_content(rpm_var_run_t)
')
')
tunable_policy(`allow_execmem',`
allow rpm_script_t self:process execmem;
')
optional_policy(`
bootloader_domtrans(rpm_script_t)
')
optional_policy(`
dbus_system_bus_client(rpm_script_t)
')
optional_policy(`
lvm_domtrans(rpm_script_t)
')
optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
optional_policy(`
udev_domtrans(rpm_script_t)
')
optional_policy(`
unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
unconfined_execmem_domtrans(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
')
optional_policy(`
mono_domtrans(rpm_script_t)
')
')
optional_policy(`
usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t)
')

4
policy/modules/admin/sectoolm.fc
View File

@ -1,4 +0,0 @@
/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)

2
policy/modules/admin/sectoolm.if
View File

@ -1,2 +0,0 @@
## <summary>Sectool security audit tool</summary>

Some files were not shown because too many files have changed in this diff Show More