more merging from 1.27.1-15

Chris PeBenito 2005-10-14 17:55:40 +00:00
parent 77f6e2cd27
commit d8636fc937
27 changed files with 276 additions and 28 deletions


@ -30,3 +30,7 @@ ifdef(`distro_suse', `
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) /var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
') ')
ifdef(`enable_mls',`
/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
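Review bot: The new `/sbin/cpio` entry gives a general-purpose archiver rpm's entrypoint type `rpm_exec_t`, and nothing in the hunk says why. Any domain that transitions on `rpm_exec_t` would presumably run cpio in rpm's domain, but the transition rules are not visible here. Add a comment inside the `enable_mls` block stating the reason, e.g. `# cpio is run by rpm to unpack payloads and must keep rpm's MLS privileges`, once that is confirmed to be the intent. Also confirm that `/sbin/cpio` is where the binary actually lives on the targeted distributions.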


@ -87,6 +87,7 @@ template(`su_per_userdomain_template',`
auth_domtrans_user_chk_passwd($1_su_t,$1) auth_domtrans_user_chk_passwd($1_su_t,$1)
auth_dontaudit_read_shadow($1_su_t) auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
domain_wide_inherit_fd($1_su_t) domain_wide_inherit_fd($1_su_t)
@ -109,8 +110,7 @@ template(`su_per_userdomain_template',`
userdom_use_user_terminals($1,$1_su_t) userdom_use_user_terminals($1,$1_su_t)
if(secure_mode) if(secure_mode) {
{
# Only allow transitions to unprivileged user domains. # Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t) userdom_spec_domtrans_unpriv_users($1_su_t)
} else { } else {
@ -134,10 +134,6 @@ template(`su_per_userdomain_template',`
kerberos_use($1_su_t) kerberos_use($1_su_t)
') ')
optional_policy(`nis.te',`
nis_use_ypbind($1_su_t)
')
optional_policy(`nscd.te',` optional_policy(`nscd.te',`
nscd_use_socket($1_su_t) nscd_use_socket($1_su_t)
') ')


@ -59,14 +59,15 @@ template(`sudo_per_userdomain_template',`
allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use; allow $1_sudo_t self:fd use;
allow $1_sudo_t self:fifo_file rw_file_perms; allow $1_sudo_t self:fifo_file rw_file_perms;
allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
allow $1_sudo_t self:shm create_shm_perms; allow $1_sudo_t self:shm create_shm_perms;
allow $1_sudo_t self:sem create_sem_perms; allow $1_sudo_t self:sem create_sem_perms;
allow $1_sudo_t self:msgq create_msgq_perms; allow $1_sudo_t self:msgq create_msgq_perms;
allow $1_sudo_t self:msg { send receive }; allow $1_sudo_t self:msg { send receive };
allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
# Enter this derived domain from the user domain # Enter this derived domain from the user domain
domain_auto_trans($2, sudo_exec_t, $1_sudo_t) domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
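Review bot: The added `netlink_audit_socket { create bind write nlmsg_read read }` rule is a raw permission list with no comment, and the identical list is added for `newrole_t` later in this commit. As far as I know, `nlmsg_read` covers audit status queries, while user-space audit records are checked against `nlmsg_relay`. If the goal is for sudo and newrole to emit audit records, this set may not match what is needed, so check it against the denials that motivated it. Put the set behind one shared interface and add a comment such as `# talk to the audit subsystem to log privilege changes`, so both callers stay in sync. The template body continues outside this hunk, so a matching `audit_write` capability may exist elsewhere.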


@ -423,6 +423,24 @@ interface(`kernel_search_debugfs',`
allow $1 debugfs_t:dir search; allow $1 debugfs_t:dir search;
') ')
########################################
## <summary>
## Read information from the debugging filesystem.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kernel_read_debugfs',`
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:dir r_file_perms;
allow $1 debugfs_t:file r_file_perms;
allow $1 debugfs_t:lnk_file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the proc filesystem. ## Get the attributes of the proc filesystem.
@ -504,9 +522,6 @@ interface(`kernel_read_proc_symlinks',`
interface(`kernel_read_system_state',` interface(`kernel_read_system_state',`
gen_require(` gen_require(`
type proc_t; type proc_t;
class dir r_dir_perms;
class lnk_file { getattr read };
class file r_file_perms;
') ')
allow $1 proc_t:dir r_dir_perms; allow $1 proc_t:dir r_dir_perms;
@ -514,6 +529,27 @@ interface(`kernel_read_system_state',`
allow $1 proc_t:file r_file_perms; allow $1 proc_t:file r_file_perms;
') ')
########################################
## <summary>
## Write to generic proc entries.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: this should probably go away. any
# file thats writable in proc should really
# have its own label.
#
interface(`kernel_write_proc_file',`
gen_require(`
type proc_t;
')
allow $1 proc_t:dir search;
allow $1 proc_t:file write;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts by caller to ## Do not audit attempts by caller to
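Review bot: In the new `kernel_read_debugfs` interface the directory rule uses the file permission set, `allow $1 debugfs_t:dir r_file_perms;`. The sibling `kernel_read_system_state` in this section uses `r_dir_perms` for `proc_t:dir`. As those sets are normally defined, `r_file_perms` has no `search`, so a caller could open the debugfs root but not traverse into it. This matters for `insmod_t`, which this commit moves from `kernel_search_debugfs` to `kernel_read_debugfs` and which may lose the search access it had. The rule should read `allow $1 debugfs_t:dir r_dir_perms;`.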


@ -11,6 +11,7 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)


@ -21,6 +21,7 @@ init_system_domain(named_t,named_checkconf_exec_t)
# A type for configuration files of named. # A type for configuration files of named.
type named_conf_t; type named_conf_t;
files_type(named_conf_t) files_type(named_conf_t)
files_mountpoint(named_conf_t)
# for secondary zone files # for secondary zone files
type named_cache_t; type named_cache_t;
@ -149,6 +150,17 @@ ifdef(`targeted_policy',`
#dontaudit ndc_t unlabeled_t:file { getattr read }; #dontaudit ndc_t unlabeled_t:file { getattr read };
') ')
optional_policy(`dbus.te',`
gen_require(`
class dbus send_msg;
')
allow named_t self:dbus send_msg;
dbus_system_bus_client_template(named,named_t)
dbus_connect_system_bus(named_t)
dbus_send_system_bus_msg(named_t)
')
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(named_t) nis_use_ypbind(named_t)
') ')


@ -2,10 +2,12 @@
# /etc # /etc
# #
/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) /etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
# #
# /usr # /usr
# #
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
@ -16,4 +18,5 @@
# #
# /var # /var
# #
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)


@ -12,31 +12,53 @@ init_daemon_domain(bluetooth_t,bluetooth_exec_t)
type bluetooth_conf_t; type bluetooth_conf_t;
files_type(bluetooth_conf_t) files_type(bluetooth_conf_t)
type bluetooth_conf_rw_t;
files_type(bluetooth_conf_rw_t)
type bluetooth_helper_t;
type bluetooth_helper_exec_t;
domain_type(bluetooth_helper_t)
domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
role system_r types bluetooth_helper_t;
type bluetooth_lock_t; type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t) files_lock_file(bluetooth_lock_t)
type bluetooth_tmp_t; type bluetooth_tmp_t;
files_tmp_file(bluetooth_tmp_t) files_tmp_file(bluetooth_tmp_t)
type bluetooth_var_lib_t;
files_type(bluetooth_var_lib_t)
type bluetooth_var_run_t; type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t) files_pid_file(bluetooth_var_run_t)
######################################## ########################################
# #
# Local policy # Bluetooth services local policy
# #
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
dontaudit bluetooth_t self:capability sys_tty_config; dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process signal_perms; allow bluetooth_t self:process { getsched signal_perms };
allow bluetooth_t self:fifo_file rw_file_perms;
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect }; allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect };
allow bluetooth_t self:udp_socket create_socket_perms; allow bluetooth_t self:udp_socket create_socket_perms;
allow bluetooth_t bluetooth_conf_t:dir search; allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
allow bluetooth_t bluetooth_lock_t:file create_file_perms; allow bluetooth_t bluetooth_lock_t:file create_file_perms;
files_create_lock(bluetooth_t,bluetooth_lock_t) files_create_lock(bluetooth_t,bluetooth_lock_t)
@ -44,14 +66,17 @@ allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
allow bluetooth_t bluetooth_tmp_t:file create_file_perms; allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir }) files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir })
allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
files_create_var_lib(bluetooth_t,bluetooth_var_lib_t)
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms; allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
allow bluetooth_t bluetooth_var_run_t:file create_file_perms; allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms; allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file }) files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctl(bluetooth_t) kernel_read_kernel_sysctl(bluetooth_t)
kernel_list_proc(bluetooth_t) kernel_read_system_state(bluetooth_t)
kernel_read_proc_symlinks(bluetooth_t)
corenet_tcp_sendrecv_all_if(bluetooth_t) corenet_tcp_sendrecv_all_if(bluetooth_t)
corenet_udp_sendrecv_all_if(bluetooth_t) corenet_udp_sendrecv_all_if(bluetooth_t)
@ -66,16 +91,24 @@ corenet_udp_sendrecv_all_ports(bluetooth_t)
dev_read_sysfs(bluetooth_t) dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t) dev_rw_usbfs(bluetooth_t)
dev_read_urand(bluetooth_t)
fs_getattr_all_fs(bluetooth_t) fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t)
term_dontaudit_use_console(bluetooth_t) term_dontaudit_use_console(bluetooth_t)
#Handle bluetooth serial devices
term_use_unallocated_tty(bluetooth_t)
corecmd_exec_bin(bluetooth_t) corecmd_exec_bin(bluetooth_t)
corecmd_exec_shell(bluetooth_t)
domain_use_wide_inherit_fd(bluetooth_t) domain_use_wide_inherit_fd(bluetooth_t)
files_read_etc_files(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
files_read_usr_files(bluetooth_t)
init_use_fd(bluetooth_t) init_use_fd(bluetooth_t)
init_use_script_pty(bluetooth_t) init_use_script_pty(bluetooth_t)
@ -85,6 +118,7 @@ libs_use_shared_libs(bluetooth_t)
logging_send_syslog_msg(bluetooth_t) logging_send_syslog_msg(bluetooth_t)
miscfiles_read_localization(bluetooth_t) miscfiles_read_localization(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)
sysnet_read_config(bluetooth_t) sysnet_read_config(bluetooth_t)
@ -119,4 +153,73 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
rhgb_domain(bluetooth_t) rhgb_domain(bluetooth_t)
') ')
') dnl end TOOD
########################################
#
# Bluetooth helper local policy
#
allow bluetooth_helper_t self:capability sys_nice;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_helper_t bluetooth_t:socket { read write };
kernel_read_system_state(bluetooth_helper_t)
kernel_read_kernel_sysctl(bluetooth_helper_t)
term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
corecmd_exec_bin(bluetooth_helper_t)
corecmd_exec_shell(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_files(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
libs_use_ld_so(bluetooth_helper_t)
libs_use_shared_libs(bluetooth_helper_t)
miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)
optional_policy(`nscd.te',`
nscd_use_socket(bluetooth_helper_t)
') ')
ifdef(`TODO',`
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
# a "run" interface needs to be
# added, and have sysadm_t use it
# in a optional_policy block.
allow bluetooth_helper_t tmp_t:dir search;
allow bluetooth_helper_t home_dir_type:dir search;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
ifdef(`targeted_policy', `
allow bluetooth_helper_t tmp_t:sock_file { read write };
allow bluetooth_helper_t tmpfs_t:file { read write };
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
allow bluetooth_t unconfined_t:dbus send_msg;
allow unconfined_t bluetooth_t:dbus send_msg;
', `
ifdef(`xdm.te', `
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
')
allow bluetooth_t unpriv_userdomain:dbus send_msg;
allow unpriv_userdomain bluetooth_t:dbus send_msg;
')
') dnl end TODO
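Review bot: `bluetooth_helper_t` gets an entry file and a full local policy, but the only rule that lets anything enter it, `domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)`, sits inside the disabled TODO block at the end. Nothing visible in these hunks gives `bluetooth_t` execute access to `bluetooth_helper_exec_t` either. The PIN helper matched by the new file context would therefore be denied rather than confined, unless a rule outside the hunks covers it. Either enable the transition or add a comment at the type declaration such as `# not yet reachable: transition is still under TODO`. Separately, `domain_read_all_domains_state(bluetooth_helper_t)` exposes every domain's process state to the helper and needs a justification comment, and `dnl end TOOD` should read `dnl end TODO`.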


@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t)
# Cron Local policy # Cron Local policy
# #
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
dontaudit crond_t self:capability { sys_resource sys_tty_config }; dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate }; allow crond_t self:process { setexec setfscreate };
@ -182,6 +182,12 @@ rhgb_domain(crond_t)
# crond tries to search /root. Not sure why. # crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms; allow crond_t sysadm_home_dir_t:dir r_dir_perms;
ifdef(`apache.te',`
allow system_crond_t httpd_modules_t:lnk_file read;
# Needed for certwatch
can_exec(system_crond_t, httpd_modules_t)
')
# to search /home # to search /home
allow crond_t user_home_dir_type:dir r_dir_perms; allow crond_t user_home_dir_type:dir r_dir_perms;
') dnl endif TODO ') dnl endif TODO
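Review bot: `audit_control` is added to the `crond_t` capability set with no comment. This capability also gates changes to the audit configuration, so a reader cannot tell from the rule whether cron only needs it to stamp a login UID on jobs or needs something broader. Add a line above the rule once the reason is confirmed, e.g. `# audit_control: needed to set the login uid for cron jobs`. Also check that no `netlink_audit_socket` write permission is granted alongside it elsewhere in the file, which is not visible in this hunk.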


@ -1,6 +1,7 @@
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) /var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)


@ -22,5 +22,6 @@
/var/run/proftpd/proftpd\.scoreboard -- gen_context(system_u:object_r:ftpd_var_run_t,s0) /var/run/proftpd/proftpd\.scoreboard -- gen_context(system_u:object_r:ftpd_var_run_t,s0)
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)


@ -133,11 +133,15 @@ tunable_policy(`allow_ftpd_anon_write',`
tunable_policy(`ftp_home_dir',` tunable_policy(`ftp_home_dir',`
# allow access to /home # allow access to /home
files_getattr_home_dir(ftpd_t) files_list_home(ftpd_t)
userdom_read_all_user_files(ftpd_t) userdom_read_all_user_files(ftpd_t)
userdom_manage_all_user_dirs(ftpd_t) userdom_manage_all_user_dirs(ftpd_t)
userdom_manage_all_user_files(ftpd_t) userdom_manage_all_user_files(ftpd_t)
userdom_manage_all_user_symlinks(ftpd_t) userdom_manage_all_user_symlinks(ftpd_t)
ifdef(`targeted_policy',`
userdom_create_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
') ')
tunable_policy(`ftpd_is_daemon',` tunable_policy(`ftpd_is_daemon',`
@ -198,4 +202,13 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
rhgb_domain(ftpd_t) rhgb_domain(ftpd_t)
') ')
# cjp: this was in base user macro, but we cannot
# use typeattribute ftpd_t privhome; interface
# since typeattribute doesnt work in conditionals
ifdef(`ftpd.te' , `
if (ftpd_is_daemon) {
file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
}
')
') ')
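Review bot: The block appended to the TODO section cannot work as written if it is ever enabled. `file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)` relies on a template parameter, but the surrounding rules look like plain module policy where `$1` has no user prefix to expand to. In addition, the `ifdef` test on `ftpd.te` has a space before the comma. m4 keeps trailing whitespace in an argument, so the name tested would carry a trailing space and never be defined. Extend the existing comment with something like `# must move into the per-user template before being enabled`, and drop the stray space.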


@ -42,6 +42,7 @@ files_create_pid(hald_t,hald_var_run_t)
kernel_read_system_state(hald_t) kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t) kernel_read_network_state(hald_t)
kernel_read_kernel_sysctl(hald_t) kernel_read_kernel_sysctl(hald_t)
kernel_write_proc_file(hald_t)
corenet_tcp_sendrecv_all_if(hald_t) corenet_tcp_sendrecv_all_if(hald_t)
corenet_raw_sendrecv_all_if(hald_t) corenet_raw_sendrecv_all_if(hald_t)
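Review bot: `kernel_write_proc_file(hald_t)` grants write on every file labelled `proc_t`, and the interface's own comment in this commit says it should go away in favour of per-file labels. The call site does not say which /proc entry hald writes, so nobody can narrow it later. Add a comment above the call, e.g. `# hald writes <proc entry - fill in>; replace once that file has its own type`.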


@ -37,7 +37,7 @@ allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket connected_socket_perms; allow mysqld_t self:udp_socket create_socket_perms;
allow mysqld_t mysqld_db_t:dir create_dir_perms; allow mysqld_t mysqld_db_t:dir create_dir_perms;
allow mysqld_t mysqld_db_t:file create_file_perms; allow mysqld_t mysqld_db_t:file create_file_perms;
@ -62,11 +62,15 @@ kernel_read_proc_symlinks(mysqld_t)
kernel_read_system_state(mysqld_t) kernel_read_system_state(mysqld_t)
corenet_tcp_sendrecv_all_if(mysqld_t) corenet_tcp_sendrecv_all_if(mysqld_t)
corenet_udp_sendrecv_all_if(mysqld_t)
corenet_raw_sendrecv_all_if(mysqld_t) corenet_raw_sendrecv_all_if(mysqld_t)
corenet_tcp_sendrecv_all_nodes(mysqld_t) corenet_tcp_sendrecv_all_nodes(mysqld_t)
corenet_udp_sendrecv_all_nodes(mysqld_t)
corenet_raw_sendrecv_all_nodes(mysqld_t) corenet_raw_sendrecv_all_nodes(mysqld_t)
corenet_tcp_sendrecv_all_ports(mysqld_t) corenet_tcp_sendrecv_all_ports(mysqld_t)
corenet_udp_sendrecv_all_ports(mysqld_t)
corenet_tcp_bind_all_nodes(mysqld_t) corenet_tcp_bind_all_nodes(mysqld_t)
corenet_udp_bind_all_nodes(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t) corenet_tcp_bind_mysqld_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t) corenet_tcp_connect_mysqld_port(mysqld_t)
@ -110,6 +114,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(mysqld_t) files_dontaudit_read_root_file(mysqld_t)
') ')
optional_policy(`mount.te',`
mount_send_nfs_client_request(mysqld_t)
')
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(mysqld_t) nis_use_ypbind(mysqld_t)
') ')
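Review bot: The new UDP rules for `mysqld_t` are broad and unexplained. They add `udp_socket create_socket_perms`, send/receive on all interfaces, nodes and ports, and `corenet_udp_bind_all_nodes`, with no comment saying which protocol mysqld needs UDP for. If the need is name service or NFS traffic, the existing `nis_use_ypbind(mysqld_t)` and the new `mount_send_nfs_client_request(mysqld_t)` may already cover it, though that is an inference from the visible lines. Add a comment such as `# UDP needed for <service - fill in>` above the group, and consider restricting the port rule to that service.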


@ -119,6 +119,22 @@ interface(`nis_use_ypbind',`
') ')
') ')
########################################
## <summary>
## Send generic signals to ypbind.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`nis_signal_ypbind',`
gen_require(`
type ypbind_t;
')
allow $1 ypbind_t:process signal;
')
######################################## ########################################
## <summary> ## <summary>
## Send UDP network traffic to NIS clients. ## Send UDP network traffic to NIS clients.
@ -129,7 +145,7 @@ interface(`nis_use_ypbind',`
# #
interface(`nis_list_var_yp',` interface(`nis_list_var_yp',`
gen_require(` gen_require(`
type ypbind_t; type var_yp_t;
') ')
files_search_var($1) files_search_var($1)
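Review bot: The summary shown just above `nis_list_var_yp` reads "Send UDP network traffic to NIS clients." That does not match an interface that requires `var_yp_t` and calls `files_search_var($1)`, so it looks copied from a neighbouring interface. A few lines between the two hunks are not visible, so confirm against the file. Since this commit already corrects the `gen_require` type here, fix the summary as well, e.g. `## List the contents of the NIS data directory.` if that matches the rest of the body, which continues outside the hunk.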


@ -69,6 +69,7 @@ auth_rw_lastlog(remote_login_t)
auth_rw_faillog(remote_login_t) auth_rw_faillog(remote_login_t)
auth_exec_pam(remote_login_t) auth_exec_pam(remote_login_t)
auth_manage_pam_console_data(remote_login_t) auth_manage_pam_console_data(remote_login_t)
auth_domtrans_pam_console(remote_login_t)
corecmd_list_bin(remote_login_t) corecmd_list_bin(remote_login_t)
corecmd_list_sbin(remote_login_t) corecmd_list_sbin(remote_login_t)
@ -170,6 +171,10 @@ optional_policy(`remotelogin.te',`
# Login can polyinstantiate # Login can polyinstantiate
polyinstantiater(remote_login_t) polyinstantiater(remote_login_t)
ifdef(`alsa.te', `
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
')
allow remote_login_t userpty_type:chr_file { setattr write }; allow remote_login_t userpty_type:chr_file { setattr write };
allow remote_login_t ptyfile:chr_file { getattr ioctl }; allow remote_login_t ptyfile:chr_file { getattr ioctl };
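Review bot: The added `domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)` uses a template parameter in what appears to be plain module policy. Every other rule in this section names `remote_login_t` directly, so `$1` has nothing meaningful to expand to. If this region is still inside a disabled TODO block, as the matching local-login hunk later in this commit is, the line is inert for now. It should still read `domain_auto_trans(remote_login_t, alsa_exec_t, alsa_t)` before it is enabled, and the local-login copy needs `local_login_t`.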


@ -110,3 +110,5 @@ ifdef(`distro_suse',`
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0) /var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)


@ -20,8 +20,13 @@
## </required> ## </required>
######################################## ########################################
# ## <summary>
# files_type(type) ## Make the specified type usable for files
## in a filesystem.
## </summary>
## <param name="type">
## Type to be used for files.
## </param>
# #
interface(`files_type',` interface(`files_type',`
gen_require(` gen_require(`
@ -221,6 +226,9 @@ interface(`files_tmpfs_file',`
## Domain allowed access. ## Domain allowed access.
## </param> ## </param>
# #
# cjp: this is an odd interface, because to getattr
# all dirs, you need to search all the parent directories
#
interface(`files_getattr_all_dirs',` interface(`files_getattr_all_dirs',`
gen_require(` gen_require(`
attribute file_type; attribute file_type;
@ -248,6 +256,22 @@ interface(`files_dontaudit_getattr_all_dirs',`
dontaudit $1 file_type:dir getattr; dontaudit $1 file_type:dir getattr;
') ')
########################################
## <summary>
## Search all directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_search_all',`
gen_require(`
attribute file_type;
')
allow $1 file_type:dir { getattr search };
')
######################################## ########################################
## <summary> ## <summary>
## List the contents of all directories. ## List the contents of all directories.


@ -112,6 +112,8 @@ files_rw_isid_type_dir(fsadm_t)
files_rw_isid_type_blk_node(fsadm_t) files_rw_isid_type_blk_node(fsadm_t)
# Recreate /mnt/cdrom. # Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t) files_manage_mnt_dirs(fsadm_t)
# for tune2fs
files_search_all(fsadm_t)
init_use_fd(fsadm_t) init_use_fd(fsadm_t)
init_use_script_pty(fsadm_t) init_use_script_pty(fsadm_t)
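Review bot: `files_search_all(fsadm_t)` lets the filesystem tools domain traverse every directory whose type carries the `file_type` attribute, and the only justification is `# for tune2fs`. That comment does not say which path tune2fs has to reach, so the grant cannot be narrowed to the directories actually involved. Expand it to something like `# tune2fs resolves <path - fill in>, which can sit under any directory type`. If the need turns out to be limited to mount points or device directories, use a narrower interface.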


@ -29,4 +29,6 @@
/usr/sbin/racoon -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)


@ -113,6 +113,7 @@ auth_rw_lastlog(local_login_t)
auth_rw_faillog(local_login_t) auth_rw_faillog(local_login_t)
auth_exec_pam(local_login_t) auth_exec_pam(local_login_t)
auth_manage_pam_console_data(local_login_t) auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
corecmd_list_bin(local_login_t) corecmd_list_bin(local_login_t)
corecmd_list_sbin(local_login_t) corecmd_list_sbin(local_login_t)
@ -221,6 +222,10 @@ optional_policy(`locallogin.te',`
') ')
# Login can polyinstantiate # Login can polyinstantiate
polyinstantiater(local_login_t) polyinstantiater(local_login_t)
ifdef(`alsa.te', `
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
')
') dnl endif TODO ') dnl endif TODO
################################# #################################


@ -30,6 +30,7 @@
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/hwdata(/.*)? gen_context(system_u:object_r:hwdata_t,s0)
/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)


@ -53,7 +53,7 @@ can_exec(insmod_t, insmod_exec_t)
kernel_load_module(insmod_t) kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t) kernel_read_system_state(insmod_t)
kernel_mount_debugfs(insmod_t) kernel_mount_debugfs(insmod_t)
kernel_search_debugfs(insmod_t) kernel_read_debugfs(insmod_t)
# Rules for /proc/sys/kernel/tainted # Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctl(insmod_t) kernel_read_kernel_sysctl(insmod_t)
kernel_rw_kernel_sysctl(insmod_t) kernel_rw_kernel_sysctl(insmod_t)


@ -188,12 +188,13 @@ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
allow newrole_t self:process setexec; allow newrole_t self:process setexec;
allow newrole_t self:fd use; allow newrole_t self:fd use;
allow newrole_t self:fifo_file rw_file_perms; allow newrole_t self:fifo_file rw_file_perms;
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket connectto;
allow newrole_t self:shm create_shm_perms; allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms; allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive }; allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket connectto;
allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read };
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms; allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
allow newrole_t { selinux_config_t default_context_t }:file r_file_perms; allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
@ -287,6 +288,7 @@ kernel_read_system_state(restorecon_t)
dev_rw_generic_file(restorecon_t) dev_rw_generic_file(restorecon_t)
fs_getattr_xattr_fs(restorecon_t) fs_getattr_xattr_fs(restorecon_t)
fs_search_auto_mountpoints(restorecon_t)
mls_file_read_up(restorecon_t) mls_file_read_up(restorecon_t)
mls_file_write_down(restorecon_t) mls_file_write_down(restorecon_t)


@ -21,6 +21,7 @@
# /sbin # /sbin
# #
/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@ -45,5 +46,6 @@
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) /var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
/var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) /var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)


@ -181,6 +181,7 @@ optional_policy(`netutils.te',`
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(dhcpc_t) nis_use_ypbind(dhcpc_t)
nis_signal_ypbind(dhcpc_t)
# dhclient sometimes starts ypbind # dhclient sometimes starts ypbind
init_exec_script(dhcpc_t) init_exec_script(dhcpc_t)
#nis_domtrans_ypbind(dhcpc_t) #nis_domtrans_ypbind(dhcpc_t)


@ -57,7 +57,7 @@ ifdef(`targeted_policy',`
type user_home_t alias { staff_home_t sysadm_home_t }, home_type; type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
files_type(user_home_t) files_type(user_home_t)
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type; type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type;
files_type(user_home_dir_t) files_type(user_home_dir_t)
unconfined_role(user_r) unconfined_role(user_r)