patch from dan Tue, 24 Oct 2006 11:00:28 -0400
parent
582438054d
commit
d9845ae92a
@ -1,4 +1,8 @@
|
|||||||
- Enhanced setransd support from Darrel Goeddel.
|
- Enhanced setransd support from Darrel Goeddel.
|
||||||
|
- Patches from Dan Walsh:
|
||||||
|
Tue, 24 Oct 2006
|
||||||
|
- Added modules:
|
||||||
|
iscsi (Dan Walsh)
|
||||||
|
|
||||||
* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
|
* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
|
||||||
- Patch from Russell Coker Thu, 5 Oct 2006
|
- Patch from Russell Coker Thu, 5 Oct 2006
|
||||||
|
6
Makefile
6
Makefile
@ -194,11 +194,6 @@ ifeq "$(DISTRO)" "rhel4"
|
|||||||
M4PARAM += -D distro_redhat
|
M4PARAM += -D distro_redhat
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# enable polyinstantiation
|
|
||||||
ifeq ($(POLY),y)
|
|
||||||
M4PARAM += -D enable_polyinstantiation
|
|
||||||
endif
|
|
||||||
|
|
||||||
ifneq ($(OUTPUT_POLICY),)
|
ifneq ($(OUTPUT_POLICY),)
|
||||||
CHECKPOLICY += -c $(OUTPUT_POLICY)
|
CHECKPOLICY += -c $(OUTPUT_POLICY)
|
||||||
endif
|
endif
|
||||||
@ -543,7 +538,6 @@ ifneq "$(DISTRO)" ""
|
|||||||
endif
|
endif
|
||||||
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
|
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
|
||||||
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
|
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
|
||||||
$(verbose) echo "POLY ?= $(POLY)" >> $(headerdir)/build.conf
|
|
||||||
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
|
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
|
||||||
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
|
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
|
||||||
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
|
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
|
||||||
|
@ -42,10 +42,6 @@ DIRECT_INITRC=n
|
|||||||
# will build a loadable module policy.
|
# will build a loadable module policy.
|
||||||
MONOLITHIC=y
|
MONOLITHIC=y
|
||||||
|
|
||||||
# Polyinstantiation
|
|
||||||
# Enable polyinstantiated directory support.
|
|
||||||
POLY=n
|
|
||||||
|
|
||||||
# Number of MLS Sensitivities
|
# Number of MLS Sensitivities
|
||||||
# The sensitivities will be s0 to s(MLS_SENS-1).
|
# The sensitivities will be s0 to s(MLS_SENS-1).
|
||||||
# Dominance will be in increasing numerical order
|
# Dominance will be in increasing numerical order
|
||||||
|
@ -124,6 +124,13 @@ gen_tunable(allow_kerberos,false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_nfsd_anon_write,false)
|
gen_tunable(allow_nfsd_anon_write,false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Enable polyinstantiated directory support.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(allow_polyinstantiation,false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow rsync to modify public files
|
## Allow rsync to modify public files
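Review bot: The `<desc>` for the new `allow_polyinstantiation` tunable says only "Enable polyinstantiated directory support", which tells an administrator nothing about what privilege flipping the boolean grants; elsewhere in this commit the same tunable is what gates su domains mounting and unmounting xattr filesystems. Because a boolean can be switched on at runtime with setsebool, the description is the only documentation most people will read, so it should state the effect, e.g. `## Enable polyinstantiated directory support. Enabling this allows su domains to mount and unmount filesystems to set up per-session directory instances.` If the consumer is pam_namespace (presumably, but not visible here), naming it in the description would help too.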
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(amanda,1.4.0)
|
policy_module(amanda,1.4.1)
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@ -97,7 +97,7 @@ allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
|
|||||||
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
|
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
|
||||||
|
|
||||||
allow amanda_t amanda_log_t:file create_file_perms;
|
allow amanda_t amanda_log_t:file create_file_perms;
|
||||||
allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
|
allow amanda_t amanda_log_t:dir manage_dir_perms;
|
||||||
logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
|
logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
|
||||||
|
|
||||||
allow amanda_t amanda_tmp_t:dir create_dir_perms;
|
allow amanda_t amanda_tmp_t:dir create_dir_perms;
|
||||||
@ -123,6 +123,7 @@ corenet_tcp_sendrecv_all_ports(amanda_t)
|
|||||||
corenet_udp_sendrecv_all_ports(amanda_t)
|
corenet_udp_sendrecv_all_ports(amanda_t)
|
||||||
corenet_tcp_bind_all_nodes(amanda_t)
|
corenet_tcp_bind_all_nodes(amanda_t)
|
||||||
corenet_udp_bind_all_nodes(amanda_t)
|
corenet_udp_bind_all_nodes(amanda_t)
|
||||||
|
corenet_tcp_bind_all_rpc_ports(amanda_t)
|
||||||
|
|
||||||
dev_getattr_all_blk_files(amanda_t)
|
dev_getattr_all_blk_files(amanda_t)
|
||||||
dev_getattr_all_chr_files(amanda_t)
|
dev_getattr_all_chr_files(amanda_t)
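Review bot: `corenet_tcp_bind_all_rpc_ports(amanda_t)` lets the amanda domain bind any port labeled as an RPC port rather than its own service port, and the new line carries no explanation for why such a wide bind is needed. If the reason is that amanda's BSD-style authentication must originate from a reserved port, record it next to the rule, e.g. `# bsd/bsdtcp auth requires binding a reserved source port`, so the grant is neither tightened away later nor used as precedent for widening further. If amanda's own port type already covers what it needs, binding that type would be the narrower choice.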
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(anaconda,1.1.0)
|
policy_module(anaconda,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -36,10 +36,6 @@ unconfined_domain(anaconda_t)
|
|||||||
|
|
||||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
|
userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
|
||||||
bootloader_create_runtime_file(anaconda_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dmesg_domtrans(anaconda_t)
|
dmesg_domtrans(anaconda_t)
|
||||||
')
|
')
|
||||||
|
@ -7,8 +7,6 @@
|
|||||||
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
|
||||||
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
#/sbin/grub-.* -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
|
|
||||||
#/sbin/grubby -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
|
|
||||||
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(bootloader,1.3.0)
|
policy_module(bootloader,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(netutils,1.2.0)
|
policy_module(netutils,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -87,6 +87,10 @@ optional_policy(`
|
|||||||
nis_use_ypbind(netutils_t)
|
nis_use_ypbind(netutils_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
xen_append_log(netutils_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Ping local policy
|
# Ping local policy
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(prelink,1.2.0)
|
policy_module(prelink,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -24,7 +24,7 @@ logging_log_file(prelink_log_t)
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow prelink_t self:capability { chown dac_override fowner fsetid };
|
allow prelink_t self:capability { chown dac_override fowner fsetid };
|
||||||
allow prelink_t self:process { execheap execmem execstack };
|
allow prelink_t self:process { execheap execmem execstack signal };
|
||||||
allow prelink_t self:fifo_file rw_file_perms;
|
allow prelink_t self:fifo_file rw_file_perms;
|
||||||
|
|
||||||
allow prelink_t prelink_cache_t:file manage_file_perms;
|
allow prelink_t prelink_cache_t:file manage_file_perms;
|
||||||
@ -76,6 +76,14 @@ libs_delete_lib_symlinks(prelink_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(prelink_t)
|
miscfiles_read_localization(prelink_t)
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
term_use_unallocated_ttys(prelink_t)
|
||||||
|
term_use_generic_ptys(prelink_t)
|
||||||
|
|
||||||
|
# prelink executables in the user homedir
|
||||||
|
userdom_manage_generic_user_home_content_files(prelink_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_system_entry(prelink_t, prelink_exec_t)
|
cron_system_entry(prelink_t, prelink_exec_t)
|
||||||
')
|
')
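Review bot: `userdom_manage_generic_user_home_content_files(prelink_t)` inside the `targeted_policy` block gives prelink create/write/unlink rights over every file labeled as generic user home content, unconditionally, in a domain that a few lines above this hunk already holds `chown dac_override fowner fsetid` and execmem/execstack. prelink is normally run from cron as root, so this is root rewriting user-controlled ELF files in place; a user can drop any binary in their home directory and have a privileged parser process and overwrite it, which is exactly the kind of broad access refpolicy usually puts behind a boolean rather than granting to every targeted install. Consider wrapping the call in a `tunable_policy()` with a new boolean (declared in global_tunables, default false) and keep the existing `# prelink executables in the user homedir` comment with it. The `ifdef(`targeted_policy'` block is entirely within the hunk.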
|
||||||
|
@ -158,6 +158,27 @@ interface(`rpm_rw_pipes',`
|
|||||||
allow $1 rpm_t:fifo_file rw_file_perms;
|
allow $1 rpm_t:fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send and receive messages from
|
||||||
|
## rpm over dbus.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`rpm_dbus_chat',`
|
||||||
|
gen_require(`
|
||||||
|
type rpm_t;
|
||||||
|
class dbus send_msg;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 rpm_t:dbus send_msg;
|
||||||
|
allow rpm_t $1:dbus send_msg;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete the RPM log.
|
## Create, read, write, and delete the RPM log.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(rpm,1.4.0)
|
policy_module(rpm,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -79,6 +79,7 @@ template(`su_restricted_domain_template', `
|
|||||||
auth_domtrans_chk_passwd($1_su_t)
|
auth_domtrans_chk_passwd($1_su_t)
|
||||||
auth_dontaudit_read_shadow($1_su_t)
|
auth_dontaudit_read_shadow($1_su_t)
|
||||||
auth_use_nsswitch($1_su_t)
|
auth_use_nsswitch($1_su_t)
|
||||||
|
auth_rw_faillog($1_su_t)
|
||||||
|
|
||||||
domain_use_interactive_fds($1_su_t)
|
domain_use_interactive_fds($1_su_t)
|
||||||
|
|
||||||
@ -266,11 +267,6 @@ template(`su_per_role_template',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_polyinstantiation',`
|
|
||||||
fs_mount_xattr_fs($1_su_t)
|
|
||||||
fs_unmount_xattr_fs($1_su_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
# allow user to suspend terminal.
|
# allow user to suspend terminal.
|
||||||
# does not work in strict since the
|
# does not work in strict since the
|
||||||
@ -284,6 +280,11 @@ template(`su_per_role_template',`
|
|||||||
userdom_manage_all_users_home_content_symlinks($1_su_t)
|
userdom_manage_all_users_home_content_symlinks($1_su_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
|
fs_mount_xattr_fs($1_su_t)
|
||||||
|
fs_unmount_xattr_fs($1_su_t)
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_search_nfs($1_su_t)
|
fs_search_nfs($1_su_t)
|
||||||
')
|
')
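Review bot: The new `tunable_policy(`allow_polyinstantiation',...)` block moves the mount grant from a build-time ifdef into every compiled policy, so `$1_su_t` now carries `fs_mount_xattr_fs`/`fs_unmount_xattr_fs` rules that any administrator can enable with a boolean, yet nothing in the hunk says why su needs to mount filesystems at all. Mount/unmount on all xattr filesystems is much broader than the per-session bind mounts polyinstantiation implies, so the reason belongs next to the rules, e.g. `# pam_namespace mounts per-user instances of polyinstantiated dirs during su` (assuming pam_namespace is the consumer; confirm). `su_per_role_template` begins outside this hunk.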
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(su,1.4.0)
|
policy_module(su,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(usermanage,1.4.0)
|
policy_module(usermanage,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -379,6 +379,7 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
|
|||||||
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
|
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
|
||||||
files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
||||||
files_search_var(sysadm_passwd_t)
|
files_search_var(sysadm_passwd_t)
|
||||||
|
files_dontaudit_search_home(sysadm_passwd_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(sysadm_passwd_t)
|
kernel_read_kernel_sysctls(sysadm_passwd_t)
|
||||||
# for /proc/meminfo
|
# for /proc/meminfo
|
||||||
@ -444,6 +445,7 @@ optional_policy(`
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nscd_domtrans(sysadm_passwd_t)
|
nscd_domtrans(sysadm_passwd_t)
|
||||||
|
nscd_socket_use(sysadm_passwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -466,29 +468,9 @@ allow useradd_t self:unix_dgram_socket sendto;
|
|||||||
allow useradd_t self:unix_stream_socket connectto;
|
allow useradd_t self:unix_stream_socket connectto;
|
||||||
allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
|
|
||||||
# Allow access to context for shadow file
|
|
||||||
selinux_get_fs_mount(useradd_t)
|
|
||||||
selinux_validate_context(useradd_t)
|
|
||||||
selinux_compute_access_vector(useradd_t)
|
|
||||||
selinux_compute_create_context(useradd_t)
|
|
||||||
selinux_compute_relabel_context(useradd_t)
|
|
||||||
selinux_compute_user_contexts(useradd_t)
|
|
||||||
# for getting the number of groups
|
# for getting the number of groups
|
||||||
kernel_read_kernel_sysctls(useradd_t)
|
kernel_read_kernel_sysctls(useradd_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(useradd_t)
|
|
||||||
fs_getattr_xattr_fs(useradd_t)
|
|
||||||
|
|
||||||
term_use_all_user_ttys(useradd_t)
|
|
||||||
term_use_all_user_ptys(useradd_t)
|
|
||||||
|
|
||||||
auth_manage_shadow(useradd_t)
|
|
||||||
auth_relabel_shadow(useradd_t)
|
|
||||||
auth_etc_filetrans_shadow(useradd_t)
|
|
||||||
auth_rw_lastlog(useradd_t)
|
|
||||||
auth_rw_faillog(useradd_t)
|
|
||||||
auth_use_nsswitch(useradd_t)
|
|
||||||
|
|
||||||
corecmd_exec_shell(useradd_t)
|
corecmd_exec_shell(useradd_t)
|
||||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||||
corecmd_exec_bin(useradd_t)
|
corecmd_exec_bin(useradd_t)
|
||||||
@ -501,6 +483,27 @@ files_search_var_lib(useradd_t)
|
|||||||
files_relabel_etc_files(useradd_t)
|
files_relabel_etc_files(useradd_t)
|
||||||
files_read_etc_runtime_files(useradd_t)
|
files_read_etc_runtime_files(useradd_t)
|
||||||
|
|
||||||
|
fs_search_auto_mountpoints(useradd_t)
|
||||||
|
fs_getattr_xattr_fs(useradd_t)
|
||||||
|
|
||||||
|
# Allow access to context for shadow file
|
||||||
|
selinux_get_fs_mount(useradd_t)
|
||||||
|
selinux_validate_context(useradd_t)
|
||||||
|
selinux_compute_access_vector(useradd_t)
|
||||||
|
selinux_compute_create_context(useradd_t)
|
||||||
|
selinux_compute_relabel_context(useradd_t)
|
||||||
|
selinux_compute_user_contexts(useradd_t)
|
||||||
|
|
||||||
|
term_use_all_user_ttys(useradd_t)
|
||||||
|
term_use_all_user_ptys(useradd_t)
|
||||||
|
|
||||||
|
auth_manage_shadow(useradd_t)
|
||||||
|
auth_relabel_shadow(useradd_t)
|
||||||
|
auth_etc_filetrans_shadow(useradd_t)
|
||||||
|
auth_rw_lastlog(useradd_t)
|
||||||
|
auth_rw_faillog(useradd_t)
|
||||||
|
auth_use_nsswitch(useradd_t)
|
||||||
|
|
||||||
init_use_fds(useradd_t)
|
init_use_fds(useradd_t)
|
||||||
init_rw_utmp(useradd_t)
|
init_rw_utmp(useradd_t)
|
||||||
|
|
||||||
@ -513,6 +516,7 @@ miscfiles_read_localization(useradd_t)
|
|||||||
|
|
||||||
seutil_read_config(useradd_t)
|
seutil_read_config(useradd_t)
|
||||||
seutil_read_file_contexts(useradd_t)
|
seutil_read_file_contexts(useradd_t)
|
||||||
|
seutil_read_default_contexts(useradd_t)
|
||||||
|
|
||||||
userdom_use_unpriv_users_fds(useradd_t)
|
userdom_use_unpriv_users_fds(useradd_t)
|
||||||
# for when /root is the cwd
|
# for when /root is the cwd
|
||||||
@ -521,6 +525,7 @@ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
|
|||||||
userdom_home_filetrans_generic_user_home_dir(useradd_t)
|
userdom_home_filetrans_generic_user_home_dir(useradd_t)
|
||||||
userdom_manage_generic_user_home_content_dirs(useradd_t)
|
userdom_manage_generic_user_home_content_dirs(useradd_t)
|
||||||
userdom_manage_generic_user_home_content_files(useradd_t)
|
userdom_manage_generic_user_home_content_files(useradd_t)
|
||||||
|
userdom_manage_generic_user_home_dirs(useradd_t)
|
||||||
userdom_manage_staff_home_dirs(useradd_t)
|
userdom_manage_staff_home_dirs(useradd_t)
|
||||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
|
userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
|
||||||
|
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
# /opt
|
# /opt
|
||||||
#
|
#
|
||||||
/opt/(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
|
/opt/(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
|
/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
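Review bot: The new entry `/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)` labels every regular file under those two trees as java_exec_t, not just the Java launcher, and in the targeted policy java_t is an unconfined domain (visible further down in this commit), so everything there becomes an unconfined entrypoint. The generic line directly above, `/opt/(.*/)?bin/java([^/]*)?`, already covers the `java*` binaries in that bin directory; if the missing piece is Java Web Start, a narrower pattern such as `/opt/ibm/java2-ppc64-50/jre/javaws/javaws -- gen_context(system_u:object_r:java_exec_t,s0)` limits the exposure. At minimum a comment should say which IBM JRE binaries need the label and why the generic pattern did not suffice.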
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(java,1.2.0)
|
policy_module(java,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -16,7 +16,8 @@ init_system_domain(java_t,java_exec_t)
|
|||||||
#
|
#
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
allow java_t self:process { execstack execmem };
|
# execheap is needed for itanium/BEA jrocket
|
||||||
|
allow java_t self:process { execstack execmem execheap };
|
||||||
unconfined_domain_noaudit(java_t)
|
unconfined_domain_noaudit(java_t)
|
||||||
role system_r types java_t;
|
role system_r types java_t;
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mono,1.2.0)
|
policy_module(mono,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -41,6 +41,10 @@ ifdef(`targeted_policy',`
|
|||||||
networkmanager_dbus_chat(mono_t)
|
networkmanager_dbus_chat(mono_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
rpm_dbus_chat(mono_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_dbus_connect(mono_t)
|
unconfined_dbus_connect(mono_t)
|
||||||
')
|
')
|
||||||
|
@ -63,6 +63,7 @@ ifdef(`distro_redhat',`
|
|||||||
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
|
/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
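Review bot: `/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)` has no file-type flag, so the directory and everything beneath it move from etc_t to bin_t: any domain with corecmd_exec_bin gains execute on these files, and domains that previously managed them as etc_t configuration may lose write access unless they also manage bin_t. The files are sourced by login shells rather than executed directly, so the motivation is presumably read access from shell-related domains; that reasoning should be recorded so the relabel is not reverted as a mistake, e.g. `# profile.d snippets are sourced by login shells; labeled bin_t so shell domains can read them`. The enclosing `ifdef(`distro_redhat'` block starts outside this hunk.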
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corecommands,1.4.1)
|
policy_module(corecommands,1.4.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corenetwork,1.2.0)
|
policy_module(corenetwork,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -92,6 +92,7 @@ network_port(innd, tcp,119,s0)
|
|||||||
network_port(ipp, tcp,631,s0, udp,631,s0)
|
network_port(ipp, tcp,631,s0, udp,631,s0)
|
||||||
network_port(ircd, tcp,6667,s0)
|
network_port(ircd, tcp,6667,s0)
|
||||||
network_port(isakmp, udp,500,s0)
|
network_port(isakmp, udp,500,s0)
|
||||||
|
network_port(iscsi, tcp,3260,s0)
|
||||||
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
||||||
network_port(jabber_interserver, tcp,5269,s0)
|
network_port(jabber_interserver, tcp,5269,s0)
|
||||||
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||||
@ -205,4 +206,4 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
|
|||||||
|
|
||||||
# Bind to any network address.
|
# Bind to any network address.
|
||||||
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
|
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
|
||||||
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
|
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
||||||
|
@ -98,6 +98,7 @@ ifdef(`distro_suse', `
|
|||||||
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||||
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||||
|
|
||||||
|
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||||
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(devices,1.2.0)
|
policy_module(devices,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -123,6 +123,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
|||||||
/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
|
/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
|
||||||
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
|
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
|
||||||
/media/[^/]*/.* <<none>>
|
/media/[^/]*/.* <<none>>
|
||||||
|
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /misc
|
# /misc
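Review bot: The new pattern `/media/\.hal-.*` uses an unbounded `.*`, so besides `/media/.hal-mtab` it also matches regular files at any depth under a directory named `/media/.hal-*`, and because it comes after `/media/[^/]*/.* <<none>>` (setfiles and matchpathcon take the last matching entry) those nested files would be relabeled mnt_t instead of being left alone as the `<<none>>` rule intends. If only HAL's own top-level files are meant, bound the path component: `/media/\.hal-[^/]* -- gen_context(system_u:object_r:mnt_t,s0)`.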
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(files,1.3.0)
|
policy_module(files,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -402,6 +402,26 @@ interface(`fs_dontaudit_list_auto_mountpoints',`
|
|||||||
dontaudit $1 autofs_t:dir r_dir_perms;
|
dontaudit $1 autofs_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete symbolic links
|
||||||
|
## on an autofs filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_manage_autofs_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
type autofs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 autofs_t:dir rw_dir_perms;
|
||||||
|
allow $1 autofs_t:lnk_file create_lnk_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of directories on
|
## Get the attributes of directories on
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(filesystem,1.4.0)
|
policy_module(filesystem,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -50,9 +50,10 @@ ifdef(`distro_redhat', `
|
|||||||
|
|
||||||
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
|
|
||||||
|
/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
|
/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
|
|
||||||
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
|
|
||||||
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
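Review bot: Labeling `/dev/fuse` as fixed_disk_device_t at `mls_systemhigh` conflates a device meant for unprivileged userspace filesystems with the label that guards raw access to the system's disks. Every domain allowed to read or write fixed_disk_device_t now also reaches /dev/fuse, and any domain that legitimately needs /dev/fuse (a FUSE filesystem daemon, fusermount callers) would have to be granted raw disk access — effectively root-equivalent — just to get it; the systemhigh level additionally makes it unreachable to ordinary users on an MLS build. A dedicated device type for FUSE with its own access interface keeps those two privileges apart; if sharing the disk label is a deliberate stopgap, a comment on the line should say so and note the caveat.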
|
||||||
|
|
||||||
|
@ -37,6 +37,7 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
||||||
|
dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(storage,1.1.0)
|
policy_module(storage,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -458,6 +458,26 @@ interface(`term_ioctl_generic_ptys',`
|
|||||||
allow $1 devpts_t:chr_file ioctl;
|
allow $1 devpts_t:chr_file ioctl;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow setting the attributes of
|
||||||
|
## generic pty devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
# dwalsh: added for rhgb
|
||||||
|
interface(`term_setattr_generic_ptys',`
|
||||||
|
gen_require(`
|
||||||
|
type devpts_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 devpts_t:chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Dontaudit setting the attributes of
|
## Dontaudit setting the attributes of
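Review bot: `term_setattr_generic_ptys` grants `devpts_t:chr_file setattr`, which is not limited to the caller's own pty: all generic ptys share devpts_t, so the caller can change the mode and ownership of every pty on the system. The interface summary should make that breadth explicit so the grant (the `# dwalsh: added for rhgb` comment says it is for rhgb) is not handed out casually, e.g. `## Allow setting the attributes of all generic pty devices, not only the caller's own.` The rationale comment would also be more discoverable inside the `##` doc block than as a stray `#` line between the block and the interface.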
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(terminal,1.2.0)
|
policy_module(terminal,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -168,7 +168,7 @@ template(`apache_content_template',`
|
|||||||
allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
|
allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
|
||||||
allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
|
allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
|
||||||
|
|
||||||
allow httpd_$1_script_t self:process signal_perms;
|
allow httpd_$1_script_t self:process { setsched signal_perms };
|
||||||
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
|
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
allow httpd_$1_script_t httpd_t:fd use;
|
allow httpd_$1_script_t httpd_t:fd use;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(apache,1.4.0)
|
policy_module(apache,1.4.1)
|
||||||
|
|
||||||
#
|
#
|
||||||
# NOTES:
|
# NOTES:
|
||||||
@ -235,6 +235,7 @@ auth_use_nsswitch(httpd_t)
|
|||||||
# execute perl
|
# execute perl
|
||||||
corecmd_exec_bin(httpd_t)
|
corecmd_exec_bin(httpd_t)
|
||||||
corecmd_exec_sbin(httpd_t)
|
corecmd_exec_sbin(httpd_t)
|
||||||
|
corecmd_check_exec_shell(httpd_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(httpd_t)
|
domain_use_interactive_fds(httpd_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(automount,1.3.0)
|
policy_module(automount,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -36,6 +36,8 @@ allow automount_t self:unix_stream_socket create_socket_perms;
|
|||||||
allow automount_t self:unix_dgram_socket create_socket_perms;
|
allow automount_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow automount_t self:tcp_socket create_stream_socket_perms;
|
allow automount_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow automount_t self:udp_socket create_socket_perms;
|
allow automount_t self:udp_socket create_socket_perms;
|
||||||
|
allow automount_t self:rawip_socket create_socket_perms;
|
||||||
|
|
||||||
allow automount_t self:netlink_route_socket r_netlink_socket_perms;
|
allow automount_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
allow automount_t automount_etc_t:file { getattr read };
|
allow automount_t automount_etc_t:file { getattr read };
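Review bot: `allow automount_t self:rawip_socket create_socket_perms;` is added with no explanation, and a raw IP socket — combined with CAP_NET_RAW, if automount_t has it (its capability rules are outside this hunk) — lets the daemon craft arbitrary IP packets, a noticeably larger grant than the tcp/udp sockets on the lines above. If the purpose is automount probing NFS servers with ICMP before mounting, record that so the rule is not mistaken for leftover debugging access, e.g. `# for ICMP echo probes of NFS servers before mounting`.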
|
||||||
@ -128,6 +130,7 @@ fs_search_auto_mountpoints(automount_t)
|
|||||||
fs_manage_auto_mountpoints(automount_t)
|
fs_manage_auto_mountpoints(automount_t)
|
||||||
fs_unmount_autofs(automount_t)
|
fs_unmount_autofs(automount_t)
|
||||||
fs_mount_autofs(automount_t)
|
fs_mount_autofs(automount_t)
|
||||||
|
fs_manage_autofs_symlinks(automount_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(automount_t)
|
term_dontaudit_use_console(automount_t)
|
||||||
term_dontaudit_getattr_pty_dirs(automount_t)
|
term_dontaudit_getattr_pty_dirs(automount_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(bluetooth,1.3.0)
|
policy_module(bluetooth,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -55,11 +55,11 @@ allow bluetooth_t self:udp_socket create_socket_perms;
|
|||||||
allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
|
allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
|
||||||
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
|
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
|
||||||
|
|
||||||
allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
|
allow bluetooth_t bluetooth_conf_rw_t:dir manage_dir_perms;
|
||||||
allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
|
allow bluetooth_t bluetooth_conf_rw_t:file manage_file_perms;
|
||||||
allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
|
allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
|
||||||
allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
|
allow bluetooth_t bluetooth_conf_rw_t:sock_file manage_file_perms;
|
||||||
allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
|
allow bluetooth_t bluetooth_conf_rw_t:fifo_file manage_file_perms;
|
||||||
type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
|
type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
|
||||||
|
|
||||||
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
|
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
|
||||||
@ -68,16 +68,16 @@ allow bluetooth_helper_t bluetooth_t:fd use;
|
|||||||
allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
|
allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
|
||||||
allow bluetooth_helper_t bluetooth_t:process sigchld;
|
allow bluetooth_helper_t bluetooth_t:process sigchld;
|
||||||
|
|
||||||
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
|
allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
|
||||||
files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
|
files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
|
||||||
|
|
||||||
allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
|
allow bluetooth_t bluetooth_tmp_t:dir manage_dir_perms;
|
||||||
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
|
allow bluetooth_t bluetooth_tmp_t:file manage_file_perms;
|
||||||
files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
|
files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
|
||||||
|
|
||||||
allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
|
allow bluetooth_t bluetooth_var_lib_t:file manage_file_perms;
|
||||||
allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
|
allow bluetooth_t bluetooth_var_lib_t:dir manage_dir_perms;
|
||||||
files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file)
|
files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,{ dir file } )
|
||||||
|
|
||||||
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
|
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
|
||||||
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
|
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
|
||||||
|
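Review bot: The new `files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,{ dir file } )` line carries a stray space before the closing parenthesis, while the sibling call two hunks up is written `files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })`. Suggest `files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,{ dir file })` so the filetrans calls in this file read the same way. The bluetooth_t local policy block continues outside the hunk.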
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cron,1.4.0)
|
policy_module(cron,1.4.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -86,6 +86,7 @@ allow crond_t self:shm create_shm_perms;
|
|||||||
allow crond_t self:sem create_sem_perms;
|
allow crond_t self:sem create_sem_perms;
|
||||||
allow crond_t self:msgq create_msgq_perms;
|
allow crond_t self:msgq create_msgq_perms;
|
||||||
allow crond_t self:msg { send receive };
|
allow crond_t self:msg { send receive };
|
||||||
|
allow crond_t self:key { search write };
|
||||||
|
|
||||||
allow crond_t crond_var_run_t:file create_file_perms;
|
allow crond_t crond_var_run_t:file create_file_perms;
|
||||||
files_pid_filetrans(crond_t,crond_var_run_t,file)
|
files_pid_filetrans(crond_t,crond_var_run_t,file)
|
||||||
@ -96,6 +97,8 @@ allow crond_t system_cron_spool_t:dir r_dir_perms;
|
|||||||
allow crond_t system_cron_spool_t:file r_file_perms;
|
allow crond_t system_cron_spool_t:file r_file_perms;
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(crond_t)
|
kernel_read_kernel_sysctls(crond_t)
|
||||||
|
kernel_search_key(crond_t)
|
||||||
|
|
||||||
dev_read_sysfs(crond_t)
|
dev_read_sysfs(crond_t)
|
||||||
selinux_get_fs_mount(crond_t)
|
selinux_get_fs_mount(crond_t)
|
||||||
selinux_validate_context(crond_t)
|
selinux_validate_context(crond_t)
|
||||||
|
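Review bot: The added `allow crond_t self:key { search write };` and `kernel_search_key(crond_t)` carry no comment saying which part of cron now needs keyring access, and write on a keyring is a new capability for a daemon that runs jobs on behalf of every user. Suggest a comment on the allow line such as `# keyring access for job session setup — confirm which component requires write`, hedged until the actual requester is confirmed. Both hunks sit inside crond_t's local policy, which continues outside the hunks.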
@ -37,7 +37,7 @@
|
|||||||
|
|
||||||
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
|
||||||
|
|
||||||
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
||||||
@ -51,4 +51,4 @@
|
|||||||
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
||||||
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
||||||
|
|
||||||
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
|
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
|
||||||
|
@ -79,6 +79,25 @@ interface(`cups_dbus_chat',`
|
|||||||
allow cupsd_t $1:dbus send_msg;
|
allow cupsd_t $1:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read cups PID files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`cups_read_pid_files',`
|
||||||
|
gen_require(`
|
||||||
|
type cupsd_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
allow $1 cupsd_var_run_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute cups_config in the cups_config domain.
|
## Execute cups_config in the cups_config domain.
|
||||||
|
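Review bot: `cups_read_pid_files` grants `files_search_pids($1)` and read on `cupsd_var_run_t:file` but no search on `cupsd_var_run_t:dir`; if cups keeps its PID and status files under a directory that is itself labelled cupsd_var_run_t (cups.fc's /var/run rule is not on this page), callers would still be denied traversal unless some other interface happens to grant it. If that is the layout, add `allow $1 cupsd_var_run_t:dir search_dir_perms;` before the file rule so the interface is self-contained. The interface is complete within the hunk.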
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cups,1.4.0)
|
policy_module(cups,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -68,6 +68,12 @@ ifdef(`enable_mcs',`
|
|||||||
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
|
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifdef(`enable_mls',`
|
||||||
|
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
|
||||||
|
|
||||||
|
mls_trusted_object(cupsd_var_run_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Cups local policy
|
# Cups local policy
|
||||||
@ -118,6 +124,9 @@ allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
|
|||||||
allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
|
allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
|
||||||
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
|
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
|
||||||
|
|
||||||
|
allow cupsd_t hplip_etc_t:file r_file_perms;
|
||||||
|
allow cupsd_t hplip_etc_t:dir r_dir_perms;
|
||||||
|
|
||||||
allow cupsd_t hplip_var_run_t:file { read getattr };
|
allow cupsd_t hplip_var_run_t:file { read getattr };
|
||||||
|
|
||||||
allow cupsd_t ptal_var_run_t:dir search;
|
allow cupsd_t ptal_var_run_t:dir search;
|
||||||
@ -158,6 +167,13 @@ domain_read_all_domains_state(cupsd_t)
|
|||||||
fs_getattr_all_fs(cupsd_t)
|
fs_getattr_all_fs(cupsd_t)
|
||||||
fs_search_auto_mountpoints(cupsd_t)
|
fs_search_auto_mountpoints(cupsd_t)
|
||||||
|
|
||||||
|
mls_fd_use_all_levels(cupsd_t)
|
||||||
|
mls_file_downgrade(cupsd_t)
|
||||||
|
mls_file_write_down(cupsd_t)
|
||||||
|
mls_file_read_up(cupsd_t)
|
||||||
|
mls_rangetrans_target(cupsd_t)
|
||||||
|
mls_socket_write_all_levels(cupsd_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(cupsd_t)
|
term_dontaudit_use_console(cupsd_t)
|
||||||
term_use_unallocated_ttys(cupsd_t)
|
term_use_unallocated_ttys(cupsd_t)
|
||||||
term_search_ptys(cupsd_t)
|
term_search_ptys(cupsd_t)
|
||||||
@ -214,6 +230,10 @@ userdom_dontaudit_search_all_users_home_content(cupsd_t)
|
|||||||
# Write to /var/spool/cups.
|
# Write to /var/spool/cups.
|
||||||
lpd_manage_spool(cupsd_t)
|
lpd_manage_spool(cupsd_t)
|
||||||
|
|
||||||
|
ifdef(`enable_mls',`
|
||||||
|
lpd_relabel_spool(cupsd_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
files_dontaudit_read_root_files(cupsd_t)
|
files_dontaudit_read_root_files(cupsd_t)
|
||||||
|
|
||||||
@ -269,6 +289,7 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
# cups execs smbtool which reads samba_etc_t files
|
||||||
samba_read_config(cupsd_t)
|
samba_read_config(cupsd_t)
|
||||||
samba_rw_var_files(cupsd_t)
|
samba_rw_var_files(cupsd_t)
|
||||||
')
|
')
|
||||||
|
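Review bot: The new block from `mls_fd_use_all_levels(cupsd_t)` to `mls_socket_write_all_levels(cupsd_t)`, together with `mls_trusted_object(cupsd_var_run_t)` and the `mls_systemhigh` ranged domain in the earlier hunk, makes cupsd a trusted subject that can read up, write down and downgrade files across the whole MLS range, and none of it is commented. Suggest a comment above the block, e.g. `# cupsd must handle print jobs at every MLS level, so it reads up and writes down spool files; keep this list minimal`, if that is the rationale, so a later reviewer can tell which of the six overrides are actually exercised. The `lpd_relabel_spool` grant under `ifdef(`enable_mls'` in the later hunk belongs to the same justification. cupsd_t's local policy continues outside these hunks.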
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(dovecot,1.3.0)
|
policy_module(dovecot,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -186,6 +186,8 @@ files_read_usr_symlinks(dovecot_auth_t)
|
|||||||
files_search_tmp(dovecot_auth_t)
|
files_search_tmp(dovecot_auth_t)
|
||||||
files_read_var_lib_files(dovecot_t)
|
files_read_var_lib_files(dovecot_t)
|
||||||
|
|
||||||
|
init_rw_utmp(dovecot_auth_t)
|
||||||
|
|
||||||
libs_use_ld_so(dovecot_auth_t)
|
libs_use_ld_so(dovecot_auth_t)
|
||||||
libs_use_shared_libs(dovecot_auth_t)
|
libs_use_shared_libs(dovecot_auth_t)
|
||||||
|
|
||||||
|
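Review bot: `init_rw_utmp(dovecot_auth_t)` gives the authentication helper write access to the utmp login records, which is exactly what would let a compromised helper forge or erase login entries. If dovecot-auth only consults utmp, `init_read_utmp(dovecot_auth_t)` is the narrower grant; if write is genuinely required, a one-line comment saying why (`# dovecot-auth updates utmp on login — confirm`) would stop the next reviewer from narrowing it again. The dovecot_auth_t local policy continues outside the hunk.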
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(hal,1.4.0)
|
policy_module(hal,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -74,6 +74,7 @@ dev_manage_generic_chr_files(hald_t)
|
|||||||
dev_rw_generic_usb_dev(hald_t)
|
dev_rw_generic_usb_dev(hald_t)
|
||||||
dev_setattr_generic_usb_dev(hald_t)
|
dev_setattr_generic_usb_dev(hald_t)
|
||||||
dev_setattr_usbfs_files(hald_t)
|
dev_setattr_usbfs_files(hald_t)
|
||||||
|
dev_rw_power_management(hald_t)
|
||||||
# hal is now execing pm-suspend
|
# hal is now execing pm-suspend
|
||||||
dev_rw_sysfs(hald_t)
|
dev_rw_sysfs(hald_t)
|
||||||
|
|
||||||
@ -85,6 +86,7 @@ files_read_etc_files(hald_t)
|
|||||||
files_rw_etc_runtime_files(hald_t)
|
files_rw_etc_runtime_files(hald_t)
|
||||||
files_manage_mnt_dirs(hald_t)
|
files_manage_mnt_dirs(hald_t)
|
||||||
files_manage_mnt_files(hald_t)
|
files_manage_mnt_files(hald_t)
|
||||||
|
files_manage_mnt_symlinks(hald_t)
|
||||||
files_search_var_lib(hald_t)
|
files_search_var_lib(hald_t)
|
||||||
files_read_usr_files(hald_t)
|
files_read_usr_files(hald_t)
|
||||||
# hal is now execing pm-suspend
|
# hal is now execing pm-suspend
|
||||||
|
@ -6,16 +6,21 @@
|
|||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
#
|
#
|
||||||
|
/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
|
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
|
||||||
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
|
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
|
||||||
/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||||
|
|
||||||
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
|
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
|
||||||
|
|
||||||
|
@ -184,6 +184,7 @@ template(`lpd_per_role_template',`
|
|||||||
cups_read_config($1_lpr_t)
|
cups_read_config($1_lpr_t)
|
||||||
cups_read_config($2)
|
cups_read_config($2)
|
||||||
cups_stream_connect($1_lpr_t)
|
cups_stream_connect($1_lpr_t)
|
||||||
|
cups_read_pid_files($1_lpr_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -327,6 +328,25 @@ interface(`lpd_manage_spool',`
|
|||||||
allow $1 print_spool_t:file manage_file_perms;
|
allow $1 print_spool_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel from and to the spool files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`lpd_relabel_spool',`
|
||||||
|
gen_require(`
|
||||||
|
type print_spool_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_spool($1)
|
||||||
|
allow $1 print_spool_t:file { relabelto relabelfrom };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## List the contents of the printer spool directories.
|
## List the contents of the printer spool directories.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(lpd,1.3.0)
|
policy_module(lpd,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(networkmanager,1.4.0)
|
policy_module(networkmanager,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -119,6 +119,10 @@ ifdef(`targeted_policy', `
|
|||||||
term_dontaudit_use_unallocated_ttys(NetworkManager_t)
|
term_dontaudit_use_unallocated_ttys(NetworkManager_t)
|
||||||
term_dontaudit_use_generic_ptys(NetworkManager_t)
|
term_dontaudit_use_generic_ptys(NetworkManager_t)
|
||||||
files_dontaudit_read_root_files(NetworkManager_t)
|
files_dontaudit_read_root_files(NetworkManager_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
unconfined_rw_pipes(NetworkManager_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
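Review bot: The new `optional_policy(` block calling `unconfined_rw_pipes(NetworkManager_t)` inside the `ifdef(`targeted_policy'` branch has no comment saying which unconfined caller's pipe NetworkManager reads and writes, and read/write on another domain's pipes is a two-way channel rather than a leaked descriptor. Suggest a comment on the call, e.g. `# NetworkManager uses a pipe inherited from an unconfined launcher — confirm which one`, and if the access is only needed to silence a denial, a dontaudit variant would be the better choice. The enclosing `ifdef` block starts outside the hunk.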
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(oddjob,1.0.0)
|
policy_module(oddjob,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -38,9 +38,12 @@ files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
|
|||||||
|
|
||||||
kernel_read_system_state(oddjob_t)
|
kernel_read_system_state(oddjob_t)
|
||||||
|
|
||||||
corecmd_search_sbin(oddjob_t)
|
corecmd_exec_sbin(oddjob_t)
|
||||||
|
corecmd_exec_bin(oddjob_t)
|
||||||
corecmd_exec_shell(oddjob_t)
|
corecmd_exec_shell(oddjob_t)
|
||||||
|
|
||||||
|
mcs_process_set_categories(oddjob_t)
|
||||||
|
|
||||||
selinux_compute_create_context(oddjob_t)
|
selinux_compute_create_context(oddjob_t)
|
||||||
|
|
||||||
files_read_etc_files(oddjob_t)
|
files_read_etc_files(oddjob_t)
|
||||||
@ -55,6 +58,7 @@ init_dontaudit_use_fds(oddjob_t)
|
|||||||
locallogin_dontaudit_use_fds(oddjob_t)
|
locallogin_dontaudit_use_fds(oddjob_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
|
term_dontaudit_use_console(oddjob_t)
|
||||||
term_dontaudit_use_generic_ptys(oddjob_t)
|
term_dontaudit_use_generic_ptys(oddjob_t)
|
||||||
term_dontaudit_use_unallocated_ttys(oddjob_t)
|
term_dontaudit_use_unallocated_ttys(oddjob_t)
|
||||||
')
|
')
|
||||||
@ -83,3 +87,12 @@ libs_use_ld_so(oddjob_mkhomedir_t)
|
|||||||
libs_use_shared_libs(oddjob_mkhomedir_t)
|
libs_use_shared_libs(oddjob_mkhomedir_t)
|
||||||
|
|
||||||
miscfiles_read_localization(oddjob_mkhomedir_t)
|
miscfiles_read_localization(oddjob_mkhomedir_t)
|
||||||
|
|
||||||
|
# Add/remove user home directories
|
||||||
|
userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
|
||||||
|
userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
|
||||||
|
userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
|
||||||
|
userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
|
||||||
|
userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
|
||||||
|
userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
|
||||||
|
|
||||||
|
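Review bot: Replacing `corecmd_search_sbin(oddjob_t)` with `corecmd_exec_sbin(oddjob_t)` and adding `corecmd_exec_bin(oddjob_t)` lets oddjobd run anything under bin/sbin in its own domain with no transition, and `mcs_process_set_categories(oddjob_t)` lets it change its own MCS categories; neither carries a comment naming the helpers that need this. Suggest `# oddjobd runs its helper programs directly; no domain transition is defined for them — confirm` above the exec lines. In the last hunk, `userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)` reaches beyond the generic user homes the surrounding lines cover, so a one-liner explaining why staff homes are included would help. The oddjob_t local policy continues outside the hunks.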
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(procmail,1.3.0)
|
policy_module(procmail,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -43,6 +43,7 @@ corenet_sendrecv_comsat_client_packets(procmail_t)
|
|||||||
dev_read_urand(procmail_t)
|
dev_read_urand(procmail_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(procmail_t)
|
fs_getattr_xattr_fs(procmail_t)
|
||||||
|
fs_search_auto_mountpoints(procmail_t)
|
||||||
|
|
||||||
auth_use_nsswitch(procmail_t)
|
auth_use_nsswitch(procmail_t)
|
||||||
|
|
||||||
@ -73,11 +74,6 @@ ifdef(`hide_broken_symptoms',`
|
|||||||
mta_dontaudit_rw_queue(procmail_t)
|
mta_dontaudit_rw_queue(procmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
|
||||||
corenet_udp_bind_generic_port(procmail_t)
|
|
||||||
files_getattr_tmp_dirs(procmail_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
clamav_domtrans_clamscan(procmail_t)
|
clamav_domtrans_clamscan(procmail_t)
|
||||||
clamav_search_lib(procmail_t)
|
clamav_search_lib(procmail_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(rhgb,1.1.0)
|
policy_module(rhgb,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -13,10 +13,8 @@ init_daemon_domain(rhgb_t,rhgb_exec_t)
|
|||||||
type rhgb_tmpfs_t;
|
type rhgb_tmpfs_t;
|
||||||
files_tmpfs_file(rhgb_tmpfs_t)
|
files_tmpfs_file(rhgb_tmpfs_t)
|
||||||
|
|
||||||
ifdef(`strict_policy',`
|
type rhgb_devpts_t;
|
||||||
type rhgb_devpts_t;
|
term_pty(rhgb_devpts_t)
|
||||||
term_pty(rhgb_devpts_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -25,7 +23,7 @@ ifdef(`strict_policy',`
|
|||||||
|
|
||||||
allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
|
allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
|
||||||
dontaudit rhgb_t self:capability sys_tty_config;
|
dontaudit rhgb_t self:capability sys_tty_config;
|
||||||
allow rhgb_t self:process signal_perms;
|
allow rhgb_t self:process { setpgid signal_perms };
|
||||||
allow rhgb_t self:shm create_shm_perms;
|
allow rhgb_t self:shm create_shm_perms;
|
||||||
allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
|
allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow rhgb_t self:fifo_file rw_file_perms;
|
allow rhgb_t self:fifo_file rw_file_perms;
|
||||||
@ -82,6 +80,8 @@ fs_manage_ramfs_files(rhgb_t)
|
|||||||
fs_manage_ramfs_pipes(rhgb_t)
|
fs_manage_ramfs_pipes(rhgb_t)
|
||||||
fs_manage_ramfs_sockets(rhgb_t)
|
fs_manage_ramfs_sockets(rhgb_t)
|
||||||
|
|
||||||
|
selinux_dontaudit_read_fs(rhgb_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(rhgb_t)
|
term_dontaudit_use_console(rhgb_t)
|
||||||
term_use_unallocated_ttys(rhgb_t)
|
term_use_unallocated_ttys(rhgb_t)
|
||||||
term_use_ptmx(rhgb_t)
|
term_use_ptmx(rhgb_t)
|
||||||
@ -101,6 +101,9 @@ logging_send_syslog_msg(rhgb_t)
|
|||||||
miscfiles_read_localization(rhgb_t)
|
miscfiles_read_localization(rhgb_t)
|
||||||
miscfiles_read_fonts(rhgb_t)
|
miscfiles_read_fonts(rhgb_t)
|
||||||
|
|
||||||
|
seutil_search_default_contexts(rhgb_t)
|
||||||
|
seutil_read_config(rhgb_t)
|
||||||
|
|
||||||
sysnet_read_config(rhgb_t)
|
sysnet_read_config(rhgb_t)
|
||||||
sysnet_domtrans_ifconfig(rhgb_t)
|
sysnet_domtrans_ifconfig(rhgb_t)
|
||||||
|
|
||||||
@ -118,16 +121,19 @@ ifdef(`strict_policy',`
|
|||||||
', `
|
', `
|
||||||
files_dontaudit_read_root_files(rhgb_t)
|
files_dontaudit_read_root_files(rhgb_t)
|
||||||
|
|
||||||
term_dontaudit_use_generic_ptys(rhgb_t)
|
term_use_generic_ptys(rhgb_t)
|
||||||
term_dontaudit_setattr_generic_ptys(rhgb_t)
|
term_setattr_generic_ptys(rhgb_t)
|
||||||
term_dontaudit_use_unallocated_ttys(rhgb_t)
|
term_dontaudit_use_unallocated_ttys(rhgb_t)
|
||||||
term_dontaudit_use_generic_ptys(rhgb_t)
|
|
||||||
|
|
||||||
xserver_domtrans_xdm_xserver(rhgb_t)
|
xserver_domtrans_xdm_xserver(rhgb_t)
|
||||||
xserver_signal_xdm_xserver(rhgb_t)
|
xserver_signal_xdm_xserver(rhgb_t)
|
||||||
xserver_read_xdm_tmp_files(rhgb_t)
|
xserver_read_xdm_tmp_files(rhgb_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
consoletype_exec(rhgb_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nis_use_ypbind(rhgb_t)
|
nis_use_ypbind(rhgb_t)
|
||||||
')
|
')
|
||||||
|
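Review bot: In the targeted branch, `term_dontaudit_use_generic_ptys(rhgb_t)` and `term_dontaudit_setattr_generic_ptys(rhgb_t)` become `term_use_generic_ptys(rhgb_t)` and `term_setattr_generic_ptys(rhgb_t)`, which changes hiding the denial into actually granting rhgb read/write and setattr on every generic pty, and the hunk gives no reason. Suggest a comment on the first of the two lines, e.g. `# rhgb needs the pty itself in targeted policy; dontaudit was not sufficient — confirm what failed`. The `type rhgb_devpts_t;` declaration moved out of `ifdef(`strict_policy'` in the earlier hunk would also benefit from a note that it is intentionally unconditional now. The targeted branch's closing `')` is within the hunk but its opening is not.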
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(rpc,1.3.0)
|
policy_module(rpc,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -80,6 +80,9 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
|
|||||||
kernel_read_system_state(nfsd_t)
|
kernel_read_system_state(nfsd_t)
|
||||||
kernel_read_network_state(nfsd_t)
|
kernel_read_network_state(nfsd_t)
|
||||||
|
|
||||||
|
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
||||||
|
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
||||||
|
|
||||||
fs_mount_nfsd_fs(nfsd_t)
|
fs_mount_nfsd_fs(nfsd_t)
|
||||||
fs_search_nfsd_fs(nfsd_t)
|
fs_search_nfsd_fs(nfsd_t)
|
||||||
fs_getattr_all_fs(nfsd_t)
|
fs_getattr_all_fs(nfsd_t)
|
||||||
@ -135,6 +138,8 @@ files_list_tmp(gssd_t)
|
|||||||
files_read_generic_tmp_files(gssd_t)
|
files_read_generic_tmp_files(gssd_t)
|
||||||
files_read_generic_tmp_symlinks(gssd_t)
|
files_read_generic_tmp_symlinks(gssd_t)
|
||||||
|
|
||||||
|
miscfiles_read_certs(gssd_t)
|
||||||
|
|
||||||
tunable_policy(`allow_gssd_read_tmp',`
|
tunable_policy(`allow_gssd_read_tmp',`
|
||||||
userdom_list_unpriv_users_tmp(gssd_t)
|
userdom_list_unpriv_users_tmp(gssd_t)
|
||||||
userdom_read_unpriv_users_tmp_files(gssd_t)
|
userdom_read_unpriv_users_tmp_files(gssd_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(samba,1.3.0)
|
policy_module(samba,1.3.1)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
@ -501,6 +501,10 @@ sysnet_read_config(smbmount_t)
|
|||||||
userdom_use_all_users_fds(smbmount_t)
|
userdom_use_all_users_fds(smbmount_t)
|
||||||
userdom_use_sysadm_ttys(smbmount_t)
|
userdom_use_sysadm_ttys(smbmount_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cups_read_rw_config(smbd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nis_use_ypbind(smbmount_t)
|
nis_use_ypbind(smbmount_t)
|
||||||
')
|
')
|
||||||
|
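Review bot: The new `optional_policy(` block calling `cups_read_rw_config(smbd_t)` is inserted between smbmount_t rules (`userdom_use_sysadm_ttys(smbmount_t)` above, `nis_use_ypbind(smbmount_t)` below), so smbd's CUPS access ends up inside the smbmount_t local policy section. Move it to the smbd_t section so a reader auditing smbd's reach finds it, and add a comment along the lines of `# smbd reads printer configuration shared with cups`. The smbmount_t section continues outside the hunk.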
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(setroubleshoot,1.1.0)
|
policy_module(setroubleshoot,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -28,7 +28,7 @@ files_pid_file(setroubleshoot_var_run_t)
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow setroubleshootd_t self:capability { dac_override sys_tty_config };
|
allow setroubleshootd_t self:capability { dac_override sys_tty_config };
|
||||||
allow setroubleshootd_t self:process { signal getattr };
|
allow setroubleshootd_t self:process { signal getattr getsched };
|
||||||
allow setroubleshootd_t self:fifo_file rw_file_perms;
|
allow setroubleshootd_t self:fifo_file rw_file_perms;
|
||||||
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
|
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(snmp,1.2.0)
|
policy_module(snmp,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -86,6 +86,7 @@ files_read_etc_files(snmpd_t)
|
|||||||
files_read_usr_files(snmpd_t)
|
files_read_usr_files(snmpd_t)
|
||||||
files_read_etc_runtime_files(snmpd_t)
|
files_read_etc_runtime_files(snmpd_t)
|
||||||
files_search_home(snmpd_t)
|
files_search_home(snmpd_t)
|
||||||
|
files_getattr_boot_dirs(snmpd_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(snmpd_t)
|
fs_getattr_all_fs(snmpd_t)
|
||||||
fs_getattr_rpc_dirs(snmpd_t)
|
fs_getattr_rpc_dirs(snmpd_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(spamassassin,1.4.0)
|
policy_module(spamassassin,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -51,6 +51,7 @@ allow spamd_t self:unix_dgram_socket sendto;
|
|||||||
allow spamd_t self:unix_stream_socket connectto;
|
allow spamd_t self:unix_stream_socket connectto;
|
||||||
allow spamd_t self:tcp_socket create_stream_socket_perms;
|
allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow spamd_t self:udp_socket create_socket_perms;
|
allow spamd_t self:udp_socket create_socket_perms;
|
||||||
|
allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
allow spamd_t spamd_spool_t:file create_file_perms;
|
allow spamd_t spamd_spool_t:file create_file_perms;
|
||||||
allow spamd_t spamd_spool_t:dir create_dir_perms;
|
allow spamd_t spamd_spool_t:dir create_dir_perms;
|
||||||
|
@ -505,6 +505,7 @@ template(`ssh_server_template', `
|
|||||||
fs_dontaudit_getattr_all_fs($1_t)
|
fs_dontaudit_getattr_all_fs($1_t)
|
||||||
|
|
||||||
auth_rw_login_records($1_t)
|
auth_rw_login_records($1_t)
|
||||||
|
auth_rw_faillog($1_t)
|
||||||
|
|
||||||
corecmd_read_bin_symlinks($1_t)
|
corecmd_read_bin_symlinks($1_t)
|
||||||
corecmd_getattr_bin_files($1_t)
|
corecmd_getattr_bin_files($1_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(ssh,1.4.0)
|
policy_module(ssh,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(xserver,1.2.0)
|
policy_module(xserver,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -463,7 +463,7 @@ allow xdm_xserver_t ramfs_t:file create_file_perms;
|
|||||||
allow rhgb_t xdm_xserver_t:process signal;
|
allow rhgb_t xdm_xserver_t:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_polyinstantiation',`
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
# xdm needs access for linking .X11-unix to poly /tmp
|
# xdm needs access for linking .X11-unix to poly /tmp
|
||||||
allow xdm_t polymember:dir { add_name remove_name write };
|
allow xdm_t polymember:dir { add_name remove_name write };
|
||||||
allow xdm_t polymember:lnk_file { create unlink };
|
allow xdm_t polymember:lnk_file { create unlink };
|
||||||
|
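Review bot: `ifdef(`enable_polyinstantiation'` becomes `tunable_policy(`allow_polyinstantiation'`, which requires a matching `gen_tunable(allow_polyinstantiation, false)` declaration in the global tunables; that declaration is not among the hunks on this page, so confirm it is part of this commit or already exists, otherwise the build fails at the reference. The same switch is made in the `auth_login_pgm_domain` hunk of authlogin.if. Since a tunable is toggled at runtime rather than chosen at build time, a short comment on the `tunable_policy` line noting that the polymember link rules are now administrator-switchable would help. The enclosing xdm_t block continues outside the hunk.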
@ -34,6 +34,7 @@ ifdef(`distro_gentoo', `
|
|||||||
/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
|
/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
|
||||||
/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
|
/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
|
||||||
/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
|
/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
|
||||||
|
/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
|
||||||
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
|
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
|
||||||
|
|
||||||
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
|
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
|
||||||
|
@ -230,7 +230,7 @@ interface(`auth_login_pgm_domain',`
|
|||||||
seutil_read_config($1)
|
seutil_read_config($1)
|
||||||
seutil_read_default_contexts($1)
|
seutil_read_default_contexts($1)
|
||||||
|
|
||||||
ifdef(`enable_polyinstantiation',`
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
files_polyinstantiate_all($1)
|
files_polyinstantiate_all($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(authlogin,1.4.0)
|
policy_module(authlogin,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(clock,1.1.0)
|
policy_module(clock,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -25,6 +25,7 @@ allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config
|
|||||||
dontaudit hwclock_t self:capability sys_tty_config;
|
dontaudit hwclock_t self:capability sys_tty_config;
|
||||||
allow hwclock_t self:process signal_perms;
|
allow hwclock_t self:process signal_perms;
|
||||||
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
|
allow hwclock_t self:fifo_file { getattr read };
|
||||||
|
|
||||||
# Allow hwclock to store & retrieve correction factors.
|
# Allow hwclock to store & retrieve correction factors.
|
||||||
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
|
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
|
||||||
@ -33,6 +34,8 @@ kernel_read_kernel_sysctls(hwclock_t)
|
|||||||
kernel_list_proc(hwclock_t)
|
kernel_list_proc(hwclock_t)
|
||||||
kernel_read_proc_symlinks(hwclock_t)
|
kernel_read_proc_symlinks(hwclock_t)
|
||||||
|
|
||||||
|
corecmd_search_bin(hwclock_t)
|
||||||
|
|
||||||
dev_read_sysfs(hwclock_t)
|
dev_read_sysfs(hwclock_t)
|
||||||
dev_rw_realtime_clock(hwclock_t)
|
dev_rw_realtime_clock(hwclock_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(fstools,1.4.0)
|
policy_module(fstools,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -97,6 +97,7 @@ fs_search_tmpfs(fsadm_t)
|
|||||||
fs_getattr_tmpfs_dirs(fsadm_t)
|
fs_getattr_tmpfs_dirs(fsadm_t)
|
||||||
fs_read_tmpfs_symlinks(fsadm_t)
|
fs_read_tmpfs_symlinks(fsadm_t)
|
||||||
|
|
||||||
|
mls_file_read_up(fsadm_t)
|
||||||
mls_file_write_down(fsadm_t)
|
mls_file_write_down(fsadm_t)
|
||||||
|
|
||||||
storage_raw_read_fixed_disk(fsadm_t)
|
storage_raw_read_fixed_disk(fsadm_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(init,1.4.0)
|
policy_module(init,1.4.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -132,6 +132,7 @@ fs_write_ramfs_sockets(init_t)
|
|||||||
mcs_process_set_categories(init_t)
|
mcs_process_set_categories(init_t)
|
||||||
|
|
||||||
mls_process_write_down(init_t)
|
mls_process_write_down(init_t)
|
||||||
|
mls_fd_use_all_levels(init_t)
|
||||||
|
|
||||||
selinux_set_boolean(init_t)
|
selinux_set_boolean(init_t)
|
||||||
|
|
||||||
@ -444,6 +445,7 @@ ifdef(`distro_redhat',`
|
|||||||
storage_raw_write_fixed_disk(initrc_t)
|
storage_raw_write_fixed_disk(initrc_t)
|
||||||
|
|
||||||
files_create_boot_flag(initrc_t)
|
files_create_boot_flag(initrc_t)
|
||||||
|
files_rw_boot_symlinks(initrc_t)
|
||||||
# wants to read /.fonts directory
|
# wants to read /.fonts directory
|
||||||
files_read_default_files(initrc_t)
|
files_read_default_files(initrc_t)
|
||||||
files_mountpoint(initrc_tmp_t)
|
files_mountpoint(initrc_tmp_t)
|
||||||
|
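--- a/policy/modules/system/iscsi.fc
+++ b/policy/modules/system/iscsi.fc
@@ -0,0 +1,5 @@
+/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+/var/lib/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/lock/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/run/iscsid.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)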
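Review bot: The `--` specifier on `/var/lib/iscsi(/.*)?` and `/var/lock/iscsi(/.*)?` limits the match to regular files, so the directories themselves keep their parent's label and the `iscsi_var_lib_t:dir` and `iscsi_lock_t` rules in iscsi.te never apply to the directory objects under those paths. Drop the specifier on those two lines, e.g. `/var/lib/iscsi(/.*)?	gen_context(system_u:object_r:iscsi_var_lib_t,s0)`, so both the directory and its contents are labeled. The `/sbin/iscsid` and `/var/run/iscsid.pid` entries are correct as regular-file matches.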
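--- a/policy/modules/system/iscsi.if
+++ b/policy/modules/system/iscsi.if
@@ -0,0 +1,22 @@
+## <summary>Establish connections to iSCSI devices</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run iscsid.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iscsid_domtrans',`
+gen_require(`
+type iscsid_t, iscsid_exec_t;
+')
+
+domain_auto_trans($1,iscsid_exec_t,iscsid_t)
+allow iscsid_t $1:fd use;
+allow iscsid_t $1:fifo_file rw_file_perms;
+allow iscsid_t $1:process sigchld;
+')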
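--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -0,0 +1,85 @@
+
+policy_module(iscsid,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type iscsid_t;
+type iscsid_exec_t;
+domain_type(iscsid_t)
+init_daemon_domain(iscsid_t, iscsid_exec_t)
+
+type iscsi_lock_t;
+files_lock_file(iscsi_lock_t)
+
+type iscsi_tmp_t;
+files_tmp_file(iscsi_tmp_t)
+
+type iscsi_var_lib_t;
+files_type(iscsi_var_lib_t)
+
+type iscsi_var_run_t;
+files_pid_file(iscsi_var_run_t)
+
+########################################
+#
+# iscsid local policy
+#
+
+allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
+allow iscsid_t self:process setsched;
+allow iscsid_t self:fifo_file { read write };
+allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow iscsid_t self:unix_dgram_socket create_socket_perms;
+allow iscsid_t self:sem create_sem_perms;
+allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_socket create_socket_perms;
+allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
+allow iscsid_t self:tcp_socket create_stream_socket_perms;
+
+allow iscsid_t iscsi_lock_t:file manage_file_perms;
+files_lock_filetrans(iscsid_t,iscsi_lock_t,file)
+
+allow iscsid_t iscsi_tmp_t:dir create_dir_perms;
+allow iscsid_t iscsi_tmp_t:file create_file_perms;
+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
+
+allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+allow iscsid_t iscsi_var_lib_t:file read_file_perms;
+allow iscsid_t iscsi_var_lib_t:lnk_file { getattr read };
+files_search_var_lib(iscsid_t)
+
+allow iscsid_t iscsi_var_run_t:dir rw_dir_perms;
+allow iscsid_t iscsi_var_run_t:file manage_file_perms;
+files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
+
+corenet_non_ipsec_sendrecv(iscsid_t)
+corenet_tcp_sendrecv_all_if(iscsid_t)
+corenet_tcp_sendrecv_all_nodes(iscsid_t)
+corenet_tcp_sendrecv_all_ports(iscsid_t)
+corenet_tcp_connect_http_port(iscsid_t)
+corenet_tcp_connect_iscsi_port(iscsid_t)
+
+dev_rw_sysfs(iscsid_t)
+
+domain_use_interactive_fds(iscsid_t)
+
+files_read_etc_files(iscsid_t)
+
+init_use_fds(iscsid_t)
+init_use_script_ptys(iscsid_t)
+
+libs_use_ld_so(iscsid_t)
+libs_use_shared_libs(iscsid_t)
+
+logging_send_syslog_msg(iscsid_t)
+
+miscfiles_read_localization(iscsid_t)
+
+sysnet_dns_name_resolve(iscsid_t)
+
+ifdef(`targeted_policy',`
+term_use_generic_ptys(iscsid_t)
+')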
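Review bot: `iscsi_tmp_t` is declared through `files_tmp_file(iscsi_tmp_t)` but the only transition into it is `fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )`, which by its name fires on tmpfs rather than on /tmp; unless iscsid really writes to tmpfs, the type is never assigned and the `iscsi_tmp_t:dir create_dir_perms` rule has nothing to apply to, so either add `files_tmp_filetrans(iscsid_t,iscsi_tmp_t,{ file dir })` or change the declaration to match the transition, and drop the stray space in `file )`. The capability set `{ dac_override ipc_lock net_admin sys_nice sys_resource }` and `corenet_tcp_connect_http_port(iscsid_t)` arrive without a comment on which iscsid operation needs them; `net_admin` and an HTTP connect from a storage daemon are the two a later reviewer will question first, so one line each (`# net_admin: <operation>`, `# http: <operation>`) would settle that now. `corenet_tcp_sendrecv_all_ports(iscsid_t)` next to `corenet_tcp_connect_iscsi_port(iscsid_t)` also deserves a word on why traffic on all ports, not just the iSCSI port, is expected.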
@ -74,11 +74,11 @@ ifdef(`distro_gentoo',`
|
|||||||
/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||||
/opt/(.*/)?lib64/.+\.so -- gen_context(system_u:object_r:shlib_t,s0)
|
/opt/(.*/)?lib64/.+\.so -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/opt/(.*/)?lib64/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
|
/opt/(.*/)?lib64/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/opt/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/opt/(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
||||||
/opt/(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
|
||||||
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
|
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
# despite the extensions, they are actually libs
|
# despite the extensions, they are actually libs
|
||||||
@ -261,6 +261,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
|
|||||||
/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
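Review bot: `/opt/(.*/)?jre.*/.+\.so(\.[^/]*)*` replaces the three named entries (libdeploy, libjvm, libawt) with a pattern that labels every shared object under any `jre*` directory in /opt as `textrel_shlib_t`, the type used for libraries that need text relocations, so the exemption now covers libraries nobody has checked for needing it; if the intent is to cover the JRE wholesale, a comment saying so above the line would help, otherwise keep the explicit list. The second hunk leaves the `/usr/(local/)?(.*/)?jre.*/libjvm\.so` and `libawt\.so` entries per library, so the /opt and /usr trees are now handled inconsistently. The new `/opt/(.*/)?java/.+\.jar` and `/opt/(.*/)?jre/.+\.jar` entries label archives, not ELF objects, as `shlib_t`; a comment on what maps them as libraries would save the next reader the same question.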
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(libraries,1.4.0)
|
policy_module(libraries,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(locallogin,1.3.0)
|
policy_module(locallogin,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -47,7 +47,7 @@ allow local_login_t self:shm create_shm_perms;
|
|||||||
allow local_login_t self:sem create_sem_perms;
|
allow local_login_t self:sem create_sem_perms;
|
||||||
allow local_login_t self:msgq create_msgq_perms;
|
allow local_login_t self:msgq create_msgq_perms;
|
||||||
allow local_login_t self:msg { send receive };
|
allow local_login_t self:msg { send receive };
|
||||||
allow local_login_t self:key { search write };
|
allow local_login_t self:key { search write link };
|
||||||
|
|
||||||
allow local_login_t local_login_lock_t:file create_file_perms;
|
allow local_login_t local_login_lock_t:file create_file_perms;
|
||||||
files_lock_filetrans(local_login_t,local_login_lock_t,file)
|
files_lock_filetrans(local_login_t,local_login_lock_t,file)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(logging,1.4.0)
|
policy_module(logging,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -136,6 +136,8 @@ dev_read_sysfs(auditd_t)
|
|||||||
fs_getattr_all_fs(auditd_t)
|
fs_getattr_all_fs(auditd_t)
|
||||||
fs_search_auto_mountpoints(auditd_t)
|
fs_search_auto_mountpoints(auditd_t)
|
||||||
|
|
||||||
|
selinux_search_fs(auditctl_t)
|
||||||
|
|
||||||
term_dontaudit_use_console(auditd_t)
|
term_dontaudit_use_console(auditd_t)
|
||||||
|
|
||||||
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
|
||||||
@ -164,6 +166,7 @@ miscfiles_read_localization(auditd_t)
|
|||||||
mls_file_read_up(auditd_t)
|
mls_file_read_up(auditd_t)
|
||||||
mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
|
mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
|
||||||
mls_rangetrans_target(auditd_t)
|
mls_rangetrans_target(auditd_t)
|
||||||
|
mls_fd_use_all_levels(auditd_t)
|
||||||
|
|
||||||
seutil_dontaudit_read_config(auditd_t)
|
seutil_dontaudit_read_config(auditd_t)
|
||||||
|
|
||||||
|
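Review bot: `selinux_search_fs(auditctl_t)` is placed inside the auditd_t block, between `fs_search_auto_mountpoints(auditd_t)` and `term_dontaudit_use_console(auditd_t)`, so a reader scanning the auditd rules will take it for an auditd grant; move it to the auditctl_t section, which lies outside this hunk. `mls_fd_use_all_levels(auditd_t)` in the second hunk follows the existing `mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory` but carries no such comment of its own.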
@ -1,7 +1,4 @@
|
|||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# mount file contexts
|
|
||||||
#
|
|
||||||
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||||
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||||
|
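Review bot: `/usr/bin/fusermount` gets `mount_exec_t`, so every domain that reaches `mount_t` through mount/umount now also does so through this user-invoked helper; a one-line comment above the entry, `# fusermount runs in mount_t so FUSE mounts are confined like other mounts`, would record that this is intended. The hunk also deletes the `# mount file contexts` header block without a replacement, which looks accidental unless the header is being retired everywhere.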
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mount,1.4.0)
|
policy_module(mount,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -38,6 +38,7 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
|
|||||||
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
|
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
|
||||||
|
|
||||||
kernel_read_system_state(mount_t)
|
kernel_read_system_state(mount_t)
|
||||||
|
kernel_read_kernel_sysctls(mount_t)
|
||||||
kernel_dontaudit_getattr_core_if(mount_t)
|
kernel_dontaudit_getattr_core_if(mount_t)
|
||||||
|
|
||||||
dev_getattr_all_blk_files(mount_t)
|
dev_getattr_all_blk_files(mount_t)
|
||||||
@ -104,6 +105,7 @@ mls_file_write_down(mount_t)
|
|||||||
sysnet_use_portmap(mount_t)
|
sysnet_use_portmap(mount_t)
|
||||||
|
|
||||||
selinux_get_enforce_mode(mount_t)
|
selinux_get_enforce_mode(mount_t)
|
||||||
|
seutil_read_config(mount_t)
|
||||||
|
|
||||||
userdom_use_all_users_fds(mount_t)
|
userdom_use_all_users_fds(mount_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(raid,1.1.0)
|
policy_module(raid,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -22,7 +22,9 @@ files_pid_file(mdadm_var_run_t)
|
|||||||
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
|
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
|
||||||
dontaudit mdadm_t self:capability sys_tty_config;
|
dontaudit mdadm_t self:capability sys_tty_config;
|
||||||
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
|
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
|
||||||
|
allow mdadm_t self:fifo_file rw_file_perms;
|
||||||
|
|
||||||
|
allow mdadm_t mdadm_var_run_t:dir rw_dir_perms;
|
||||||
allow mdadm_t mdadm_var_run_t:file create_file_perms;
|
allow mdadm_t mdadm_var_run_t:file create_file_perms;
|
||||||
files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
|
files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
|
||||||
|
|
||||||
@ -49,6 +51,7 @@ term_dontaudit_list_ptys(mdadm_t)
|
|||||||
# Helper program access
|
# Helper program access
|
||||||
corecmd_exec_bin(mdadm_t)
|
corecmd_exec_bin(mdadm_t)
|
||||||
corecmd_exec_sbin(mdadm_t)
|
corecmd_exec_sbin(mdadm_t)
|
||||||
|
corecmd_exec_shell(mdadm_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(mdadm_t)
|
domain_use_interactive_fds(mdadm_t)
|
||||||
|
|
||||||
|
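Review bot: `corecmd_exec_shell(mdadm_t)` is added under `# Helper program access` without saying which script mdadm spawns, and it is the widest of the three corecmd grants in that block; a comment naming the helper, or the mdadm.conf hook that runs it if that is the trigger, would let the next reviewer confirm it is still needed. The new `allow mdadm_t self:fifo_file rw_file_perms;` and `allow mdadm_t mdadm_var_run_t:dir rw_dir_perms;` lines are the usual companions of the existing `files_pid_filetrans` and need no comment.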
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(selinuxutil,1.3.2)
|
policy_module(selinuxutil,1.3.3)
|
||||||
|
|
||||||
ifdef(`strict_policy',`
|
ifdef(`strict_policy',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -270,6 +270,7 @@ mls_file_write_down(newrole_t)
|
|||||||
mls_file_upgrade(newrole_t)
|
mls_file_upgrade(newrole_t)
|
||||||
mls_file_downgrade(newrole_t)
|
mls_file_downgrade(newrole_t)
|
||||||
mls_process_set_level(newrole_t)
|
mls_process_set_level(newrole_t)
|
||||||
|
mls_fd_share_all_levels(newrole_t)
|
||||||
|
|
||||||
selinux_get_fs_mount(newrole_t)
|
selinux_get_fs_mount(newrole_t)
|
||||||
selinux_validate_context(newrole_t)
|
selinux_validate_context(newrole_t)
|
||||||
@ -286,6 +287,7 @@ term_getattr_unallocated_ttys(newrole_t)
|
|||||||
term_dontaudit_use_unallocated_ttys(newrole_t)
|
term_dontaudit_use_unallocated_ttys(newrole_t)
|
||||||
|
|
||||||
auth_domtrans_chk_passwd(newrole_t)
|
auth_domtrans_chk_passwd(newrole_t)
|
||||||
|
auth_rw_faillog(newrole_t)
|
||||||
|
|
||||||
corecmd_list_bin(newrole_t)
|
corecmd_list_bin(newrole_t)
|
||||||
corecmd_read_bin_symlinks(newrole_t)
|
corecmd_read_bin_symlinks(newrole_t)
|
||||||
@ -580,6 +582,7 @@ mls_file_write_down(semanage_t)
|
|||||||
mls_rangetrans_target(semanage_t)
|
mls_rangetrans_target(semanage_t)
|
||||||
mls_file_read_up(semanage_t)
|
mls_file_read_up(semanage_t)
|
||||||
|
|
||||||
|
selinux_validate_context(semanage_t)
|
||||||
selinux_get_enforce_mode(semanage_t)
|
selinux_get_enforce_mode(semanage_t)
|
||||||
# for setsebool:
|
# for setsebool:
|
||||||
selinux_set_boolean(semanage_t)
|
selinux_set_boolean(semanage_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(setrans,1.1.1)
|
policy_module(setrans,1.1.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -58,6 +58,9 @@ mls_file_write_down(setrans_t)
|
|||||||
mls_net_receive_all_levels(setrans_t)
|
mls_net_receive_all_levels(setrans_t)
|
||||||
mls_rangetrans_target(setrans_t)
|
mls_rangetrans_target(setrans_t)
|
||||||
mls_socket_write_all_levels(setrans_t)
|
mls_socket_write_all_levels(setrans_t)
|
||||||
|
mls_process_read_up(setrans_t)
|
||||||
|
mls_socket_read_all_levels(setrans_t)
|
||||||
|
mls_fd_use_all_levels(setrans_t)
|
||||||
|
|
||||||
selinux_compute_access_vector(setrans_t)
|
selinux_compute_access_vector(setrans_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(unconfined,1.4.0)
|
policy_module(unconfined,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -59,14 +59,6 @@ ifdef(`targeted_policy',`
|
|||||||
bind_domtrans_ndc(unconfined_t)
|
bind_domtrans_ndc(unconfined_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
bluetooth_domtrans_helper(unconfined_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
bootloader_domtrans(unconfined_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
init_dbus_chat_script(unconfined_t)
|
init_dbus_chat_script(unconfined_t)
|
||||||
|
|
||||||
@ -93,10 +85,6 @@ ifdef(`targeted_policy',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
dmidecode_domtrans(unconfined_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
firstboot_domtrans(unconfined_t)
|
firstboot_domtrans(unconfined_t)
|
||||||
')
|
')
|
||||||
|
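Review bot: The three `optional_policy` blocks removed here (`bluetooth_domtrans_helper`, `bootloader_domtrans`, `dmidecode_domtrans`) are dropped with no comment in the remaining `ifdef(`targeted_policy',`` body on why these programs should no longer leave unconfined_t, while the neighbouring `init_dbus_chat_script` and `firstboot_domtrans` blocks stay. If the transitions moved elsewhere, a one-line pointer would help; if they are intentionally gone, a comment such as `# bootloader, the bluetooth helper and dmidecode stay in unconfined_t in targeted policy` records the decision. The enclosing `ifdef` starts before the first hunk.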
@ -135,10 +135,12 @@ template(`userdom_ro_home_template',`
|
|||||||
files_type($1_home_t)
|
files_type($1_home_t)
|
||||||
files_associate_tmp($1_home_t)
|
files_associate_tmp($1_home_t)
|
||||||
fs_associate_tmpfs($1_home_t)
|
fs_associate_tmpfs($1_home_t)
|
||||||
|
files_mountpoint($1_home_t)
|
||||||
|
|
||||||
# type of home directory
|
# type of home directory
|
||||||
type $1_home_dir_t, home_dir_type, home_type;
|
type $1_home_dir_t, home_dir_type, home_type;
|
||||||
files_type($1_home_dir_t)
|
files_type($1_home_dir_t)
|
||||||
|
files_mountpoint($1_home_dir_t)
|
||||||
files_associate_tmp($1_home_dir_t)
|
files_associate_tmp($1_home_dir_t)
|
||||||
fs_associate_tmpfs($1_home_dir_t)
|
fs_associate_tmpfs($1_home_dir_t)
|
||||||
|
|
||||||
@ -3995,12 +3997,7 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
|
|||||||
#
|
#
|
||||||
interface(`userdom_manage_staff_home_dirs',`
|
interface(`userdom_manage_staff_home_dirs',`
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
gen_require(`
|
userdom_manage_generic_user_home_dirs($1)
|
||||||
type user_home_dir_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
files_search_home($1)
|
|
||||||
allow $1 user_home_dir_t:dir manage_dir_perms;
|
|
||||||
',`
|
',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type staff_home_dir_t;
|
type staff_home_dir_t;
|
||||||
@ -4821,6 +4818,26 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',`
|
|||||||
dontaudit $1 user_home_t:dir search;
|
dontaudit $1 user_home_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete generic user
|
||||||
|
## home directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_manage_generic_user_home_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type user_home_dir_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 user_home_dir_t:dir manage_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete
|
## Create, read, write, and delete
|
||||||
@ -4877,13 +4894,13 @@ interface(`userdom_read_generic_user_home_content_files',`
|
|||||||
#
|
#
|
||||||
interface(`userdom_manage_generic_user_home_content_files',`
|
interface(`userdom_manage_generic_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
allow $1 user_home_t:dir rw_dir_perms;
|
allow $1 user_home_t:dir rw_dir_perms;
|
||||||
allow $1 user_home_t:file create_file_perms;
|
allow $1 user_home_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,2.0.0)
|
policy_module(userdomain,2.0.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
@ -128,6 +128,7 @@ ifdef(`strict_policy',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
|
allow auditadm_t self:capability { dac_read_search dac_override };
|
||||||
seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
||||||
domain_kill_all_domains(auditadm_t)
|
domain_kill_all_domains(auditadm_t)
|
||||||
seutil_read_bin_policy(auditadm_t)
|
seutil_read_bin_policy(auditadm_t)
|
||||||
@ -140,7 +141,7 @@ ifdef(`strict_policy',`
|
|||||||
logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
||||||
userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
|
userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
|
||||||
|
|
||||||
allow secadm_t self:capability dac_override;
|
allow secadm_t self:capability { dac_read_search dac_override };
|
||||||
corecmd_exec_shell(secadm_t)
|
corecmd_exec_shell(secadm_t)
|
||||||
domain_obj_id_change_exemption(secadm_t)
|
domain_obj_id_change_exemption(secadm_t)
|
||||||
mls_process_read_up(secadm_t)
|
mls_process_read_up(secadm_t)
|
||||||
@ -149,13 +150,16 @@ ifdef(`strict_policy',`
|
|||||||
mls_file_upgrade(secadm_t)
|
mls_file_upgrade(secadm_t)
|
||||||
mls_file_downgrade(secadm_t)
|
mls_file_downgrade(secadm_t)
|
||||||
auth_relabel_all_files_except_shadow(secadm_t)
|
auth_relabel_all_files_except_shadow(secadm_t)
|
||||||
|
dev_relabel_all_dev_nodes(secadm_t)
|
||||||
auth_relabel_shadow(secadm_t)
|
auth_relabel_shadow(secadm_t)
|
||||||
init_exec(secadm_t)
|
init_exec(secadm_t)
|
||||||
logging_read_audit_log(secadm_t)
|
logging_read_audit_log(secadm_t)
|
||||||
logging_read_generic_logs(secadm_t)
|
logging_read_generic_logs(secadm_t)
|
||||||
userdom_dontaudit_append_staff_home_content_files(secadm_t)
|
userdom_dontaudit_append_staff_home_content_files(secadm_t)
|
||||||
userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
|
userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
|
||||||
netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
|
optional_policy(`
|
||||||
|
netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
|
||||||
|
')
|
||||||
',`
|
',`
|
||||||
logging_manage_audit_log(sysadm_t)
|
logging_manage_audit_log(sysadm_t)
|
||||||
logging_manage_audit_config(sysadm_t)
|
logging_manage_audit_config(sysadm_t)
|
||||||
|
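Review bot: `dev_relabel_all_dev_nodes(secadm_t)` is inserted between `auth_relabel_all_files_except_shadow(secadm_t)` and `auth_relabel_shadow(secadm_t)`, splitting the auth_ group; this file keeps calls grouped by module prefix, so the line belongs before the `auth_` calls or with the other `dev_` ones. Both new `dac_read_search` grants, `allow auditadm_t self:capability { dac_read_search dac_override };` and the widened secadm_t line, lack a comment on which read or search they are needed for. Wrapping `netlabel_run_mgmt` in `optional_policy` is fine as written.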
@ -1,3 +1,7 @@
|
|||||||
|
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
|
||||||
|
|
||||||
|
/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
|
||||||
|
|
||||||
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
||||||
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
||||||
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(xen,1.1.0)
|
policy_module(xen,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -14,6 +14,12 @@ files_type(xen_devpts_t);
|
|||||||
# Xen Image files
|
# Xen Image files
|
||||||
type xen_image_t; # customizable
|
type xen_image_t; # customizable
|
||||||
files_type(xen_image_t)
|
files_type(xen_image_t)
|
||||||
|
# xen_image_t can be assigned to blk devices
|
||||||
|
dev_node(xen_image_t)
|
||||||
|
|
||||||
|
type xenctl_t;
|
||||||
|
files_type(xenctl_t)
|
||||||
|
|
||||||
|
|
||||||
type xend_t;
|
type xend_t;
|
||||||
type xend_exec_t;
|
type xend_exec_t;
|
||||||
@ -68,7 +74,7 @@ init_daemon_domain(xm_t, xm_exec_t)
|
|||||||
# xend local policy
|
# xend local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
|
allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
|
||||||
dontaudit xend_t self:capability { sys_ptrace };
|
dontaudit xend_t self:capability { sys_ptrace };
|
||||||
allow xend_t self:process { signal sigkill };
|
allow xend_t self:process { signal sigkill };
|
||||||
dontaudit xend_t self:process ptrace;
|
dontaudit xend_t self:process ptrace;
|
||||||
@ -82,6 +88,10 @@ allow xend_t self:packet_socket create_socket_perms;
|
|||||||
|
|
||||||
allow xend_t xen_image_t:dir r_dir_perms;
|
allow xend_t xen_image_t:dir r_dir_perms;
|
||||||
allow xend_t xen_image_t:file rw_file_perms;
|
allow xend_t xen_image_t:file rw_file_perms;
|
||||||
|
allow xend_t xen_image_t:blk_file rw_file_perms;
|
||||||
|
|
||||||
|
allow xend_t xenctl_t:fifo_file create_file_perms;
|
||||||
|
dev_filetrans(xend_t, xenctl_t, fifo_file)
|
||||||
|
|
||||||
# pid file
|
# pid file
|
||||||
allow xend_t xend_var_run_t:file manage_file_perms;
|
allow xend_t xend_var_run_t:file manage_file_perms;
|
||||||
@ -132,6 +142,8 @@ corenet_tcp_bind_xen_port(xend_t)
|
|||||||
corenet_tcp_bind_soundd_port(xend_t)
|
corenet_tcp_bind_soundd_port(xend_t)
|
||||||
corenet_tcp_bind_generic_port(xend_t)
|
corenet_tcp_bind_generic_port(xend_t)
|
||||||
corenet_tcp_bind_vnc_port(xend_t)
|
corenet_tcp_bind_vnc_port(xend_t)
|
||||||
|
corenet_tcp_connect_xserver_port(xend_t)
|
||||||
|
corenet_sendrecv_xserver_client_packets(xend_t)
|
||||||
corenet_sendrecv_xen_server_packets(xend_t)
|
corenet_sendrecv_xen_server_packets(xend_t)
|
||||||
corenet_sendrecv_soundd_server_packets(xend_t)
|
corenet_sendrecv_soundd_server_packets(xend_t)
|
||||||
corenet_rw_tun_tap_dev(xend_t)
|
corenet_rw_tun_tap_dev(xend_t)
|
||||||
@ -166,6 +178,8 @@ init_use_script_ptys(xend_t)
|
|||||||
libs_use_ld_so(xend_t)
|
libs_use_ld_so(xend_t)
|
||||||
libs_use_shared_libs(xend_t)
|
libs_use_shared_libs(xend_t)
|
||||||
|
|
||||||
|
locallogin_dontaudit_use_fds(xend_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(xend_t)
|
logging_send_syslog_msg(xend_t)
|
||||||
|
|
||||||
miscfiles_read_localization(xend_t)
|
miscfiles_read_localization(xend_t)
|
||||||
@ -176,6 +190,7 @@ sysnet_domtrans_ifconfig(xend_t)
|
|||||||
sysnet_dns_name_resolve(xend_t)
|
sysnet_dns_name_resolve(xend_t)
|
||||||
sysnet_delete_dhcpc_pid(xend_t)
|
sysnet_delete_dhcpc_pid(xend_t)
|
||||||
sysnet_read_dhcpc_pid(xend_t)
|
sysnet_read_dhcpc_pid(xend_t)
|
||||||
|
sysnet_rw_dhcp_config(xend_t)
|
||||||
|
|
||||||
userdom_dontaudit_search_sysadm_home_dirs(xend_t)
|
userdom_dontaudit_search_sysadm_home_dirs(xend_t)
|
||||||
|
|
||||||
@ -187,6 +202,15 @@ optional_policy(`
|
|||||||
consoletype_exec(xend_t)
|
consoletype_exec(xend_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
term_dontaudit_use_unallocated_ttys(xend_t)
|
||||||
|
term_dontaudit_use_generic_ptys(xend_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
unconfined_rw_pipes(xend_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Xen console local policy
|
# Xen console local policy
|
||||||
@ -210,6 +234,8 @@ kernel_read_xen_state(xenconsoled_t)
|
|||||||
|
|
||||||
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
|
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
|
||||||
|
|
||||||
|
files_read_usr_files(xenconsoled_t)
|
||||||
|
|
||||||
term_create_pty(xenconsoled_t,xen_devpts_t);
|
term_create_pty(xenconsoled_t,xen_devpts_t);
|
||||||
term_use_generic_ptys(xenconsoled_t)
|
term_use_generic_ptys(xenconsoled_t)
|
||||||
term_use_console(xenconsoled_t)
|
term_use_console(xenconsoled_t)
|
||||||
@ -250,9 +276,12 @@ kernel_write_xen_state(xenstored_t)
|
|||||||
kernel_read_xen_state(xenstored_t)
|
kernel_read_xen_state(xenstored_t)
|
||||||
|
|
||||||
dev_create_generic_dirs(xenstored_t)
|
dev_create_generic_dirs(xenstored_t)
|
||||||
dev_manage_xen(xenconsoled_t)
|
dev_manage_xen(xenstored_t)
|
||||||
dev_filetrans_xen(xenstored_t)
|
dev_filetrans_xen(xenstored_t)
|
||||||
dev_rw_xen(xenstored_t)
|
dev_rw_xen(xenstored_t)
|
||||||
|
dev_read_sysfs(xenstored_t)
|
||||||
|
|
||||||
|
files_read_usr_files(xenstored_t)
|
||||||
|
|
||||||
term_use_generic_ptys(xenstored_t)
|
term_use_generic_ptys(xenstored_t)
|
||||||
term_use_console(xenconsoled_t)
|
term_use_console(xenconsoled_t)
|
||||||
@ -278,7 +307,8 @@ allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
|
|||||||
|
|
||||||
# internal communication is often done using fifo and unix sockets.
|
# internal communication is often done using fifo and unix sockets.
|
||||||
allow xm_t self:fifo_file { read write };
|
allow xm_t self:fifo_file { read write };
|
||||||
allow xm_t self:unix_stream_socket create_stream_socket_perms;
|
allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
|
allow xm_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
allow xm_t xend_var_lib_t:dir rw_dir_perms;
|
allow xm_t xend_var_lib_t:dir rw_dir_perms;
|
||||||
allow xm_t xend_var_lib_t:fifo_file create_file_perms;
|
allow xm_t xend_var_lib_t:fifo_file create_file_perms;
|
||||||
@ -296,6 +326,10 @@ kernel_write_xen_state(xm_t)
|
|||||||
corecmd_exec_bin(xm_t)
|
corecmd_exec_bin(xm_t)
|
||||||
corecmd_exec_sbin(xm_t)
|
corecmd_exec_sbin(xm_t)
|
||||||
|
|
||||||
|
corenet_tcp_sendrecv_generic_if(xm_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes(xm_t)
|
||||||
|
corenet_tcp_connect_soundd_port(xm_t)
|
||||||
|
|
||||||
dev_read_urand(xm_t)
|
dev_read_urand(xm_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(xm_t)
|
files_read_etc_runtime_files(xm_t)
|
||||||
@ -314,6 +348,8 @@ libs_use_shared_libs(xm_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(xm_t)
|
miscfiles_read_localization(xm_t)
|
||||||
|
|
||||||
|
sysnet_read_config(xm_t)
|
||||||
|
|
||||||
xen_append_log(xm_t)
|
xen_append_log(xm_t)
|
||||||
xen_stream_connect(xm_t)
|
xen_stream_connect(xm_t)
|
||||||
xen_stream_connect_xenstore(xm_t)
|
xen_stream_connect_xenstore(xm_t)
|
||||||
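Review bot: `term_use_console(xenconsoled_t)` in the xenstored hunk (`@ -250,9 +276,12 @@`) still names the wrong domain: it sits right after `term_use_generic_ptys(xenstored_t)` and is the same copy-paste the commit fixes a few lines earlier by turning `dev_manage_xen(xenconsoled_t)` into `dev_manage_xen(xenstored_t)`, so xenstored presumably remains without console access while xenconsoled already has its own `term_use_console(xenconsoled_t)` in its section; change it to `term_use_console(xenstored_t)`. The new `mknod` capability for xend, together with `dev_node(xen_image_t)` and `allow xend_t xen_image_t:blk_file rw_file_perms;`, carries no comment on which xend operation creates device nodes; a line such as `# xend creates block device nodes for guest images` next to the capability would record the intent.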
|
@ -67,11 +67,6 @@ ifneq ($(DISTRO),)
|
|||||||
M4PARAM += -D distro_$(DISTRO)
|
M4PARAM += -D distro_$(DISTRO)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# enable polyinstantiation
|
|
||||||
ifeq ($(POLY),y)
|
|
||||||
M4PARAM += -D enable_polyinstantiation
|
|
||||||
endif
|
|
||||||
|
|
||||||
ifeq ($(DIRECT_INITRC),y)
|
ifeq ($(DIRECT_INITRC),y)
|
||||||
M4PARAM += -D direct_sysadm_daemon
|
M4PARAM += -D direct_sysadm_daemon
|
||||||
endif
|
endif
|
||||||
|