more merging from 1.27.1-15
This commit is contained in:
Chris PeBenito
parent
77f6e2cd27
commit
d8636fc937
@ -30,3 +30,7 @@ ifdef(`distro_suse', `
|
||||
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
')
|
||||
|
||||
@ -87,6 +87,7 @@ template(`su_per_userdomain_template',`
|
||||
|
||||
auth_domtrans_user_chk_passwd($1_su_t,$1)
|
||||
auth_dontaudit_read_shadow($1_su_t)
|
||||
auth_use_nsswitch($1_su_t)
|
||||
|
||||
domain_wide_inherit_fd($1_su_t)
|
||||
|
||||
@ -109,8 +110,7 @@ template(`su_per_userdomain_template',`
|
||||
|
||||
userdom_use_user_terminals($1,$1_su_t)
|
||||
|
||||
if(secure_mode)
|
||||
{
|
||||
if(secure_mode) {
|
||||
# Only allow transitions to unprivileged user domains.
|
||||
userdom_spec_domtrans_unpriv_users($1_su_t)
|
||||
} else {
|
||||
@ -134,10 +134,6 @@ template(`su_per_userdomain_template',`
|
||||
kerberos_use($1_su_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_su_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket($1_su_t)
|
||||
')
|
||||
|
||||
@ -59,14 +59,15 @@ template(`sudo_per_userdomain_template',`
|
||||
allow $1_sudo_t self:process { setexec setrlimit };
|
||||
allow $1_sudo_t self:fd use;
|
||||
allow $1_sudo_t self:fifo_file rw_file_perms;
|
||||
allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
|
||||
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_sudo_t self:unix_dgram_socket sendto;
|
||||
allow $1_sudo_t self:unix_stream_socket connectto;
|
||||
allow $1_sudo_t self:shm create_shm_perms;
|
||||
allow $1_sudo_t self:sem create_sem_perms;
|
||||
allow $1_sudo_t self:msgq create_msgq_perms;
|
||||
allow $1_sudo_t self:msg { send receive };
|
||||
allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
|
||||
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_sudo_t self:unix_dgram_socket sendto;
|
||||
allow $1_sudo_t self:unix_stream_socket connectto;
|
||||
allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
|
||||
|
||||
# Enter this derived domain from the user domain
|
||||
domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
|
||||
|
||||
@ -423,6 +423,24 @@ interface(`kernel_search_debugfs',`
|
||||
allow $1 debugfs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read information from the debugging filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_debugfs',`
|
||||
gen_require(`
|
||||
type debugfs_t;
|
||||
')
|
||||
|
||||
allow $1 debugfs_t:dir r_file_perms;
|
||||
allow $1 debugfs_t:file r_file_perms;
|
||||
allow $1 debugfs_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the proc filesystem.
|
||||
@ -504,9 +522,6 @@ interface(`kernel_read_proc_symlinks',`
|
||||
interface(`kernel_read_system_state',`
|
||||
gen_require(`
|
||||
type proc_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir r_dir_perms;
|
||||
@ -514,6 +529,27 @@ interface(`kernel_read_system_state',`
|
||||
allow $1 proc_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write to generic proc entries.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: this should probably go away. any
|
||||
# file thats writable in proc should really
|
||||
# have its own label.
|
||||
#
|
||||
interface(`kernel_write_proc_file',`
|
||||
gen_require(`
|
||||
type proc_t;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_t:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts by caller to
|
||||
|
||||
@ -11,6 +11,7 @@
|
||||
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
|
||||
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
|
||||
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
|
||||
|
||||
@ -21,6 +21,7 @@ init_system_domain(named_t,named_checkconf_exec_t)
|
||||
# A type for configuration files of named.
|
||||
type named_conf_t;
|
||||
files_type(named_conf_t)
|
||||
files_mountpoint(named_conf_t)
|
||||
|
||||
# for secondary zone files
|
||||
type named_cache_t;
|
||||
@ -149,6 +150,17 @@ ifdef(`targeted_policy',`
|
||||
#dontaudit ndc_t unlabeled_t:file { getattr read };
|
||||
')
|
||||
|
||||
optional_policy(`dbus.te',`
|
||||
gen_require(`
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow named_t self:dbus send_msg;
|
||||
dbus_system_bus_client_template(named,named_t)
|
||||
dbus_connect_system_bus(named_t)
|
||||
dbus_send_system_bus_msg(named_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(named_t)
|
||||
')
|
||||
|
||||
@ -2,10 +2,12 @@
|
||||
# /etc
|
||||
#
|
||||
/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
|
||||
/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
|
||||
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
|
||||
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
@ -16,4 +18,5 @@
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
|
||||
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
|
||||
|
||||
@ -12,31 +12,53 @@ init_daemon_domain(bluetooth_t,bluetooth_exec_t)
|
||||
type bluetooth_conf_t;
|
||||
files_type(bluetooth_conf_t)
|
||||
|
||||
type bluetooth_conf_rw_t;
|
||||
files_type(bluetooth_conf_rw_t)
|
||||
|
||||
type bluetooth_helper_t;
|
||||
type bluetooth_helper_exec_t;
|
||||
domain_type(bluetooth_helper_t)
|
||||
domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
|
||||
role system_r types bluetooth_helper_t;
|
||||
|
||||
type bluetooth_lock_t;
|
||||
files_lock_file(bluetooth_lock_t)
|
||||
|
||||
type bluetooth_tmp_t;
|
||||
files_tmp_file(bluetooth_tmp_t)
|
||||
|
||||
type bluetooth_var_lib_t;
|
||||
files_type(bluetooth_var_lib_t)
|
||||
|
||||
type bluetooth_var_run_t;
|
||||
files_pid_file(bluetooth_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
# Bluetooth services local policy
|
||||
#
|
||||
|
||||
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
|
||||
dontaudit bluetooth_t self:capability sys_tty_config;
|
||||
allow bluetooth_t self:process signal_perms;
|
||||
allow bluetooth_t self:process { getsched signal_perms };
|
||||
allow bluetooth_t self:fifo_file rw_file_perms;
|
||||
allow bluetooth_t self:shm create_shm_perms;
|
||||
allow bluetooth_t self:socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
|
||||
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect };
|
||||
allow bluetooth_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow bluetooth_t bluetooth_conf_t:dir search;
|
||||
allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
|
||||
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
|
||||
|
||||
allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
|
||||
allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
|
||||
allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
|
||||
allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
|
||||
allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
|
||||
type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
|
||||
|
||||
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
|
||||
files_create_lock(bluetooth_t,bluetooth_lock_t)
|
||||
|
||||
@ -44,14 +66,17 @@ allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
|
||||
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir })
|
||||
|
||||
allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
|
||||
allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
|
||||
files_create_var_lib(bluetooth_t,bluetooth_var_lib_t)
|
||||
|
||||
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
|
||||
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
|
||||
allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
|
||||
files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(bluetooth_t)
|
||||
kernel_list_proc(bluetooth_t)
|
||||
kernel_read_proc_symlinks(bluetooth_t)
|
||||
kernel_read_system_state(bluetooth_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(bluetooth_t)
|
||||
corenet_udp_sendrecv_all_if(bluetooth_t)
|
||||
@ -66,16 +91,24 @@ corenet_udp_sendrecv_all_ports(bluetooth_t)
|
||||
|
||||
dev_read_sysfs(bluetooth_t)
|
||||
dev_rw_usbfs(bluetooth_t)
|
||||
dev_read_urand(bluetooth_t)
|
||||
|
||||
fs_getattr_all_fs(bluetooth_t)
|
||||
fs_search_auto_mountpoints(bluetooth_t)
|
||||
|
||||
term_dontaudit_use_console(bluetooth_t)
|
||||
#Handle bluetooth serial devices
|
||||
term_use_unallocated_tty(bluetooth_t)
|
||||
|
||||
corecmd_exec_bin(bluetooth_t)
|
||||
corecmd_exec_shell(bluetooth_t)
|
||||
|
||||
domain_use_wide_inherit_fd(bluetooth_t)
|
||||
|
||||
files_read_etc_files(bluetooth_t)
|
||||
files_read_etc_runtime_files(bluetooth_t)
|
||||
files_read_usr_files(bluetooth_t)
|
||||
|
||||
init_use_fd(bluetooth_t)
|
||||
init_use_script_pty(bluetooth_t)
|
||||
|
||||
@ -85,6 +118,7 @@ libs_use_shared_libs(bluetooth_t)
|
||||
logging_send_syslog_msg(bluetooth_t)
|
||||
|
||||
miscfiles_read_localization(bluetooth_t)
|
||||
miscfiles_read_fonts(bluetooth_t)
|
||||
|
||||
sysnet_read_config(bluetooth_t)
|
||||
|
||||
@ -119,4 +153,73 @@ ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(bluetooth_t)
|
||||
')
|
||||
') dnl end TOOD
|
||||
|
||||
########################################
|
||||
#
|
||||
# Bluetooth helper local policy
|
||||
#
|
||||
|
||||
allow bluetooth_helper_t self:capability sys_nice;
|
||||
allow bluetooth_helper_t self:fifo_file rw_file_perms;
|
||||
allow bluetooth_helper_t self:shm create_shm_perms;
|
||||
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
||||
|
||||
kernel_read_system_state(bluetooth_helper_t)
|
||||
kernel_read_kernel_sysctl(bluetooth_helper_t)
|
||||
|
||||
term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
|
||||
|
||||
corecmd_exec_bin(bluetooth_helper_t)
|
||||
corecmd_exec_shell(bluetooth_helper_t)
|
||||
|
||||
domain_read_all_domains_state(bluetooth_helper_t)
|
||||
|
||||
files_read_etc_files(bluetooth_helper_t)
|
||||
files_read_etc_runtime_files(bluetooth_helper_t)
|
||||
files_read_usr_files(bluetooth_helper_t)
|
||||
files_dontaudit_list_default(bluetooth_helper_t)
|
||||
|
||||
libs_use_ld_so(bluetooth_helper_t)
|
||||
libs_use_shared_libs(bluetooth_helper_t)
|
||||
|
||||
miscfiles_read_localization(bluetooth_helper_t)
|
||||
miscfiles_read_fonts(bluetooth_helper_t)
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(bluetooth_helper_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
|
||||
|
||||
# a "run" interface needs to be
|
||||
# added, and have sysadm_t use it
|
||||
# in a optional_policy block.
|
||||
|
||||
allow bluetooth_helper_t tmp_t:dir search;
|
||||
|
||||
allow bluetooth_helper_t home_dir_type:dir search;
|
||||
|
||||
ifdef(`xserver.te', `
|
||||
allow bluetooth_helper_t xserver_log_t:dir search;
|
||||
allow bluetooth_helper_t xserver_log_t:file { getattr read };
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
allow bluetooth_helper_t tmp_t:sock_file { read write };
|
||||
allow bluetooth_helper_t tmpfs_t:file { read write };
|
||||
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
|
||||
allow bluetooth_t unconfined_t:dbus send_msg;
|
||||
allow unconfined_t bluetooth_t:dbus send_msg;
|
||||
', `
|
||||
ifdef(`xdm.te', `
|
||||
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
|
||||
')
|
||||
|
||||
allow bluetooth_t unpriv_userdomain:dbus send_msg;
|
||||
allow unpriv_userdomain bluetooth_t:dbus send_msg;
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t)
|
||||
# Cron Local policy
|
||||
#
|
||||
|
||||
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
|
||||
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
|
||||
dontaudit crond_t self:capability { sys_resource sys_tty_config };
|
||||
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow crond_t self:process { setexec setfscreate };
|
||||
@ -182,6 +182,12 @@ rhgb_domain(crond_t)
|
||||
# crond tries to search /root. Not sure why.
|
||||
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
|
||||
|
||||
ifdef(`apache.te',`
|
||||
allow system_crond_t httpd_modules_t:lnk_file read;
|
||||
# Needed for certwatch
|
||||
can_exec(system_crond_t, httpd_modules_t)
|
||||
')
|
||||
|
||||
# to search /home
|
||||
allow crond_t user_home_dir_type:dir r_dir_perms;
|
||||
') dnl endif TODO
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
|
||||
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
|
||||
|
||||
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
|
||||
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
|
||||
|
||||
/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
|
||||
|
||||
@ -22,5 +22,6 @@
|
||||
/var/run/proftpd/proftpd\.scoreboard -- gen_context(system_u:object_r:ftpd_var_run_t,s0)
|
||||
|
||||
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
|
||||
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
|
||||
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
|
||||
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
|
||||
|
||||
@ -133,11 +133,15 @@ tunable_policy(`allow_ftpd_anon_write',`
|
||||
|
||||
tunable_policy(`ftp_home_dir',`
|
||||
# allow access to /home
|
||||
files_getattr_home_dir(ftpd_t)
|
||||
files_list_home(ftpd_t)
|
||||
userdom_read_all_user_files(ftpd_t)
|
||||
userdom_manage_all_user_dirs(ftpd_t)
|
||||
userdom_manage_all_user_files(ftpd_t)
|
||||
userdom_manage_all_user_symlinks(ftpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
userdom_create_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`ftpd_is_daemon',`
|
||||
@ -198,4 +202,13 @@ ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(ftpd_t)
|
||||
')
|
||||
|
||||
# cjp: this was in base user macro, but we cannot
|
||||
# use typeattribute ftpd_t privhome; interface
|
||||
# since typeattribute doesnt work in conditionals
|
||||
ifdef(`ftpd.te' , `
|
||||
if (ftpd_is_daemon) {
|
||||
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
|
||||
}
|
||||
')
|
||||
')
|
||||
|
||||
@ -42,6 +42,7 @@ files_create_pid(hald_t,hald_var_run_t)
|
||||
kernel_read_system_state(hald_t)
|
||||
kernel_read_network_state(hald_t)
|
||||
kernel_read_kernel_sysctl(hald_t)
|
||||
kernel_write_proc_file(hald_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(hald_t)
|
||||
corenet_raw_sendrecv_all_if(hald_t)
|
||||
|
||||
@ -37,7 +37,7 @@ allow mysqld_t self:fifo_file { read write };
|
||||
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow mysqld_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mysqld_t self:tcp_socket connected_socket_perms;
|
||||
allow mysqld_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow mysqld_t mysqld_db_t:dir create_dir_perms;
|
||||
allow mysqld_t mysqld_db_t:file create_file_perms;
|
||||
@ -62,11 +62,15 @@ kernel_read_proc_symlinks(mysqld_t)
|
||||
kernel_read_system_state(mysqld_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(mysqld_t)
|
||||
corenet_udp_sendrecv_all_if(mysqld_t)
|
||||
corenet_raw_sendrecv_all_if(mysqld_t)
|
||||
corenet_tcp_sendrecv_all_nodes(mysqld_t)
|
||||
corenet_udp_sendrecv_all_nodes(mysqld_t)
|
||||
corenet_raw_sendrecv_all_nodes(mysqld_t)
|
||||
corenet_tcp_sendrecv_all_ports(mysqld_t)
|
||||
corenet_udp_sendrecv_all_ports(mysqld_t)
|
||||
corenet_tcp_bind_all_nodes(mysqld_t)
|
||||
corenet_udp_bind_all_nodes(mysqld_t)
|
||||
corenet_tcp_bind_mysqld_port(mysqld_t)
|
||||
corenet_tcp_connect_mysqld_port(mysqld_t)
|
||||
|
||||
@ -110,6 +114,10 @@ ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_file(mysqld_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(mysqld_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(mysqld_t)
|
||||
')
|
||||
|
||||
@ -119,6 +119,22 @@ interface(`nis_use_ypbind',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to ypbind.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`nis_signal_ypbind',`
|
||||
gen_require(`
|
||||
type ypbind_t;
|
||||
')
|
||||
|
||||
allow $1 ypbind_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send UDP network traffic to NIS clients.
|
||||
@ -129,7 +145,7 @@ interface(`nis_use_ypbind',`
|
||||
#
|
||||
interface(`nis_list_var_yp',`
|
||||
gen_require(`
|
||||
type ypbind_t;
|
||||
type var_yp_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
|
||||
@ -69,6 +69,7 @@ auth_rw_lastlog(remote_login_t)
|
||||
auth_rw_faillog(remote_login_t)
|
||||
auth_exec_pam(remote_login_t)
|
||||
auth_manage_pam_console_data(remote_login_t)
|
||||
auth_domtrans_pam_console(remote_login_t)
|
||||
|
||||
corecmd_list_bin(remote_login_t)
|
||||
corecmd_list_sbin(remote_login_t)
|
||||
@ -170,6 +171,10 @@ optional_policy(`remotelogin.te',`
|
||||
# Login can polyinstantiate
|
||||
polyinstantiater(remote_login_t)
|
||||
|
||||
ifdef(`alsa.te', `
|
||||
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
|
||||
')
|
||||
|
||||
allow remote_login_t userpty_type:chr_file { setattr write };
|
||||
allow remote_login_t ptyfile:chr_file { getattr ioctl };
|
||||
|
||||
|
||||
@ -110,3 +110,5 @@ ifdef(`distro_suse',`
|
||||
|
||||
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
|
||||
|
||||
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@ -20,8 +20,13 @@
|
||||
## </required>
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_type(type)
|
||||
## <summary>
|
||||
## Make the specified type usable for files
|
||||
## in a filesystem.
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## Type to be used for files.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_type',`
|
||||
gen_require(`
|
||||
@ -221,6 +226,9 @@ interface(`files_tmpfs_file',`
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: this is an odd interface, because to getattr
|
||||
# all dirs, you need to search all the parent directories
|
||||
#
|
||||
interface(`files_getattr_all_dirs',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
@ -248,6 +256,22 @@ interface(`files_dontaudit_getattr_all_dirs',`
|
||||
dontaudit $1 file_type:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search all directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_search_all',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir { getattr search };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of all directories.
|
||||
|
||||
@ -112,6 +112,8 @@ files_rw_isid_type_dir(fsadm_t)
|
||||
files_rw_isid_type_blk_node(fsadm_t)
|
||||
# Recreate /mnt/cdrom.
|
||||
files_manage_mnt_dirs(fsadm_t)
|
||||
# for tune2fs
|
||||
files_search_all(fsadm_t)
|
||||
|
||||
init_use_fd(fsadm_t)
|
||||
init_use_script_pty(fsadm_t)
|
||||
|
||||
@ -29,4 +29,6 @@
|
||||
/usr/sbin/racoon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
|
||||
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
|
||||
|
||||
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
|
||||
|
||||
@ -113,6 +113,7 @@ auth_rw_lastlog(local_login_t)
|
||||
auth_rw_faillog(local_login_t)
|
||||
auth_exec_pam(local_login_t)
|
||||
auth_manage_pam_console_data(local_login_t)
|
||||
auth_domtrans_pam_console(local_login_t)
|
||||
|
||||
corecmd_list_bin(local_login_t)
|
||||
corecmd_list_sbin(local_login_t)
|
||||
@ -221,6 +222,10 @@ optional_policy(`locallogin.te',`
|
||||
')
|
||||
# Login can polyinstantiate
|
||||
polyinstantiater(local_login_t)
|
||||
|
||||
ifdef(`alsa.te', `
|
||||
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
|
||||
@ -30,6 +30,7 @@
|
||||
|
||||
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
|
||||
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
|
||||
/usr/share/hwdata(/.*)? gen_context(system_u:object_r:hwdata_t,s0)
|
||||
/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
|
||||
/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
|
||||
/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
|
||||
|
||||
@ -53,7 +53,7 @@ can_exec(insmod_t, insmod_exec_t)
|
||||
kernel_load_module(insmod_t)
|
||||
kernel_read_system_state(insmod_t)
|
||||
kernel_mount_debugfs(insmod_t)
|
||||
kernel_search_debugfs(insmod_t)
|
||||
kernel_read_debugfs(insmod_t)
|
||||
# Rules for /proc/sys/kernel/tainted
|
||||
kernel_read_kernel_sysctl(insmod_t)
|
||||
kernel_rw_kernel_sysctl(insmod_t)
|
||||
|
||||
@ -188,12 +188,13 @@ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
|
||||
allow newrole_t self:process setexec;
|
||||
allow newrole_t self:fd use;
|
||||
allow newrole_t self:fifo_file rw_file_perms;
|
||||
allow newrole_t self:unix_dgram_socket sendto;
|
||||
allow newrole_t self:unix_stream_socket connectto;
|
||||
allow newrole_t self:shm create_shm_perms;
|
||||
allow newrole_t self:sem create_sem_perms;
|
||||
allow newrole_t self:msgq create_msgq_perms;
|
||||
allow newrole_t self:msg { send receive };
|
||||
allow newrole_t self:unix_dgram_socket sendto;
|
||||
allow newrole_t self:unix_stream_socket connectto;
|
||||
allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read };
|
||||
|
||||
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
|
||||
allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
|
||||
@ -287,6 +288,7 @@ kernel_read_system_state(restorecon_t)
|
||||
dev_rw_generic_file(restorecon_t)
|
||||
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
fs_search_auto_mountpoints(restorecon_t)
|
||||
|
||||
mls_file_read_up(restorecon_t)
|
||||
mls_file_write_down(restorecon_t)
|
||||
|
||||
@ -21,6 +21,7 @@
|
||||
# /sbin
|
||||
#
|
||||
/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
@ -45,5 +46,6 @@
|
||||
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
|
||||
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
|
||||
/var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
|
||||
/var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
|
||||
|
||||
@ -181,6 +181,7 @@ optional_policy(`netutils.te',`
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(dhcpc_t)
|
||||
nis_signal_ypbind(dhcpc_t)
|
||||
# dhclient sometimes starts ypbind
|
||||
init_exec_script(dhcpc_t)
|
||||
#nis_domtrans_ypbind(dhcpc_t)
|
||||
|
||||
@ -57,7 +57,7 @@ ifdef(`targeted_policy',`
|
||||
type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
|
||||
files_type(user_home_t)
|
||||
|
||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type;
|
||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type;
|
||||
files_type(user_home_dir_t)
|
||||
|
||||
unconfined_role(user_r)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user