Chris PeBenito 2005-06-09 17:21:52 +00:00
parent 0a10b1fa12
commit dc67f782e4
10 changed files with 140 additions and 142 deletions


@ -6,10 +6,7 @@
define(`consoletype_transition',`
requires_block_template(`$0'_depend)
allow $1 consoletype_exec_t:file { getattr read execute };
allow $1 consoletype_t:process transition;
type_transition $1 consoletype_exec_t:process consoletype_t;
dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1,consoletype_exec_t,consoletype_t)
allow $1 consoletype_t:fd use;
allow consoletype_t $1:fd use;
@ -20,7 +17,7 @@ define(`consoletype_transition',`
define(`consoletype_transition_depend',`
type consoletype_t, consoletype_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -33,7 +30,8 @@ define(`consoletype_transition_depend',`
define(`consoletype_execute',`
requires_block_template(`$0'_depend)
allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,consoletype_exec_t)
')
define(`consoletype_execute_depend',`
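Review bot: `consoletype_transition` is collapsed into `domain_auto_trans($1,consoletype_exec_t,consoletype_t)` while the `dmesg_transition`, `netutils_transition`, `rpm_transition` and `usermanage_*_transition` interfaces touched by this same commit keep the explicit allow / type_transition / dontaudit triple, so the interface files now read in two different styles. Either form works, but the depend block under it must stay in step with whatever `domain_auto_trans` expands to (the retained `class process { transition noatsecure siginh rlimitinh sigchld };` presumably still covers it). Suggest picking one form and applying it across all the `_transition` interfaces in this change.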


@ -21,14 +21,14 @@ allow consoletype_t self:capability sys_admin;
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file { read getattr lock ioctl write append };
allow consoletype_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow consoletype_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow consoletype_t self:fifo_file rw_file_perms;
allow consoletype_t self:unix_dgram_socket create_socket_perms;
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
allow consoletype_t self:unix_dgram_socket sendto;
allow consoletype_t self:unix_stream_socket connectto;
allow consoletype_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow consoletype_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow consoletype_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow consoletype_t self:shm rw_shm_perms;
allow consoletype_t self:sem rw_sem_perms;
allow consoletype_t self:msgq rw_msgq_perms;
allow consoletype_t self:msg { send receive };
kernel_use_file_descriptors(consoletype_t)
@ -70,7 +70,7 @@ allow consoletype_t sysadm_t:fifo_file rw_file_perms;
allow consoletype_t nfs_t:file write;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
allow consoletype_t crond_t:fifo_file r_file_perms;
allow consoletype_t system_crond_t:fd use;
optional_policy(`ypbind.te', `
@ -95,11 +95,11 @@ allow consoletype_t autofs_t:dir { search getattr };
optional_policy(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file { read write };
allow consoletype_t xdm_tmp_t:file rw_file_perms;
')
optional_policy(`lpd.te', `
allow consoletype_t printconf_t:file { getattr read };
allow consoletype_t printconf_t:file r_file_perms;
')
optional_policy(`firstboot.te', `
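Review bot: `rw_shm_perms`, `rw_sem_perms` and `rw_msgq_perms` in the first hunk replace sets that contained `create destroy setattr`, so unless those macros include `create`/`destroy` this is a silent narrowing of consoletype_t's SysV IPC access; rpm.te in this same commit maps the identical removed sets to `create_shm_perms`, `create_sem_perms` and `create_msgq_perms`. If the narrowing is intended it deserves a sentence in the commit description, otherwise use the `create_*` forms here as well. The `{ read write }` to `rw_file_perms` change on xdm_tmp_t:file is a small widening (adds getattr, ioctl, lock, append) rather than a pure substitution.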


@ -15,7 +15,7 @@
define(`dmesg_transition',`
requires_block_template(`$0'_depend)
allow $1 dmesg_exec_t:file { getattr read execute };
allow $1 dmesg_exec_t:file rx_file_perms;
allow $1 dmesg_t:process transition;
type_transition $1 dmesg_exec_t:process dmesg_t;
dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
@ -29,7 +29,7 @@ define(`dmesg_transition',`
define(`dmesg_transition_depend',`
type dmesg_t, dmesg_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -49,7 +49,8 @@ define(`dmesg_transition_depend',`
define(`dmesg_execute',`
requires_block_template(`$0'_depend)
allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,dmesg_exec_t)
')
define(`dmesg_execute_depend',`


@ -19,7 +19,7 @@ role system_r types dmesg_t;
allow dmesg_t self:capability sys_admin;
dontaudit dmesg_t self:capability sys_tty_config;
allow dmesg_t self:process { sigchld sigkill sigstop signull signal };
allow dmesg_t self:process signal_perms;
kernel_read_kernel_sysctl(dmesg_t)
kernel_read_hardware_state(dmesg_t)
@ -70,7 +70,7 @@ allow dmesg_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
allow dmesg_t rhgb_t:process sigchld;
allow dmesg_t rhgb_t:fd use;
allow dmesg_t rhgb_t:fifo_file { read write };
allow dmesg_t rhgb_t:fifo_file rw_file_perms;
')
allow dmesg_t autofs_t:dir { search getattr };
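Review bot: `rw_file_perms` on rhgb_t:fifo_file widens the previous `{ read write }` to also grant getattr, lock, ioctl and append; probably harmless on a pipe, but it is a permission increase rather than a like-for-like macro substitution and is worth a mention in the commit description. The `signal_perms` substitution for dmesg_t's self:process rule appears to be an exact replacement, assuming that macro covers the five removed signal permissions.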


@ -6,7 +6,7 @@
define(`netutils_transition',`
requires_block_template(`$0'_depend)
allow $1 netutils_exec_t:file { getattr read execute };
allow $1 netutils_exec_t:file rx_file_perms;
allow $1 netutils_t:process transition;
type_transition $1 netutils_exec_t:process netutils_t;
dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
@ -20,7 +20,7 @@ define(`netutils_transition',`
define(`netutils_transition_depend',`
type netutils_t, netutils_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -33,7 +33,8 @@ define(`netutils_transition_depend',`
define(`netutils_execute',`
requires_block_template(`$0'_depend)
allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,netutils_exec_t)
')
define(`netutils_execute_depend',`


@ -38,12 +38,12 @@ bool user_ping false;
allow netutils_t self:capability { net_admin net_raw setuid setgid };
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow netutils_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow netutils_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_socket_perms;
allow netutils_t netutils_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow netutils_t netutils_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
corenetwork_sendrecv_tcp_on_all_interfaces(netutils_t)
@ -100,8 +100,8 @@ allow netutils_t proc_t:dir search;
allow ping_t self:capability setuid;
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
allow ping_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:udp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
corenetwork_sendrecv_tcp_on_all_interfaces(ping_t)
@ -155,8 +155,8 @@ if (user_ping) {
#
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow traceroute_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
kernel_read_system_state(traceroute_t)


@ -15,7 +15,7 @@
define(`rpm_transition',`
requires_block_template(`$0'_depend)
allow $1 rpm_exec_t:file { getattr read execute };
allow $1 rpm_exec_t:file rx_file_perms;
allow $1 rpm_t:process transition;
type_transition $1 rpm_exec_t:process rpm_t;
dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
@ -29,7 +29,7 @@ define(`rpm_transition',`
define(`rpm_transition_depend',`
type rpm_t, rpm_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -104,13 +104,13 @@ define(`rpm_use_file_descriptors_depend',`
define(`rpm_read_pipe',`
requires_block_template(`$0'_depend)
allow $1 rpm_t:fifo_file { getattr read };
allow $1 rpm_t:fifo_file r_file_perms;
')
define(`rpm_read_pipe_depend',`
type rpm_t;
class fifo_file { getattr read };
class fifo_file r_file_perms;
')
########################################
@ -127,17 +127,17 @@ define(`rpm_read_pipe_depend',`
define(`rpm_read_package_database',`
requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir { getattr read search };
allow $1 rpm_var_lib_t:file { read getattr };
allow $1 rpm_var_lib_t:lnk_file { getattr read };
allow $1 rpm_var_lib_t:dir r_dir_perms;
allow $1 rpm_var_lib_t:file r_file_perms;
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
')
define(`rpm_read_package_database_depend',`
type rpm_var_lib_t_t;
class dir { search getattr read };
class lnk_file { getattr read };
class file { getattr read };
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
')
########################################
@ -147,7 +147,7 @@ define(`rpm_read_package_database_depend',`
define(`rpm_manage_package_database',`
requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
allow $1 rpm_var_lib_t:dir rw_dir_perms;
allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
')
@ -155,9 +155,9 @@ define(`rpm_manage_package_database',`
define(`rpm_manage_package_database_depend',`
type rpm_var_lib_t_t;
class dir { search getattr read };
class lnk_file { getattr read };
class file { getattr read };
class dir rw_dir_perms;
class lnk_file { getattr read write unlink };
class file { getattr create read write append unlink };
')
## </module>
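Review bot: `type rpm_var_lib_t_t;` in both `rpm_read_package_database_depend` and `rpm_manage_package_database_depend` does not match the `rpm_var_lib_t` that the interface bodies actually use, so the depend blocks declare a type nothing references and omit the one that is; this is pre-existing context that the commit rewrites around without fixing. Both should read `type rpm_var_lib_t;`. In `rpm_manage_package_database` only the dir rule was converted to `rw_dir_perms` while the file and lnk_file rules keep literal sets, leaving that interface half-converted.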


@ -59,38 +59,38 @@ allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file { read getattr lock ioctl write append };
allow rpm_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow rpm_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow rpm_t self:fifo_file rw_file_perms;
allow rpm_t self:unix_dgram_socket create_socket_perms;
allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
allow rpm_t self:unix_stream_socket connectto;
allow rpm_t self:udp_socket { connect };
allow rpm_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
allow rpm_t self:tcp_socket { listen accept create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
allow rpm_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow rpm_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow rpm_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow rpm_t self:udp_socket create_socket_perms;
allow rpm_t self:tcp_socket rw_stream_socket_perms;
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file { getattr read write };
allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_t rpm_log_t:file create_file_perms;
logging_create_private_log(rpm_t,rpm_log_t)
allow rpm_t rpm_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow rpm_t rpm_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_t rpm_tmp_t:dir create_dir_perms;
allow rpm_t rpm_tmp_t:file create_file_perms;
files_create_private_tmp_data(rpm_t, rpm_tmp_t, { file dir })
allow rpm_t rpm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow rpm_t rpm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_t rpm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow rpm_t rpm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_t rpm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
allow rpm_t rpm_tmpfs_t:file create_file_perms;
allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
fs_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/rpm files
allow rpm_t rpm_var_lib_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_t rpm_var_lib_t:dir { read getattr lock search ioctl add_name remove_name write };
allow rpm_t rpm_var_lib_t:file create_file_perms;
allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
#files_create_private_libraries(rpm_t,rpm_var_lib_t,dir)
kernel_read_system_state(rpm_t)
@ -166,8 +166,8 @@ dontaudit rpm_t domain:process ptrace;
# read/write/create any files in the system
allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
allow rpm_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
allow rpm_t ttyfile:chr_file unlink;
@ -176,10 +176,10 @@ allow rpm_t ttyfile:chr_file unlink;
allow rpm_t fs_type:dir { setattr rw_dir_perms };
allow rpm_t mount_t:tcp_socket write;
allow rpm_t nfs_t:lnk_file { create read getattr setattr link unlink rename };
allow rpm_t nfs_t:lnk_file create_file_perms;
allow rpm_t sysfs_t:dir { read getattr lock search ioctl };
allow rpm_t usbdevfs_t:dir { read getattr lock search ioctl };
allow rpm_t sysfs_t:dir r_dir_perms;
allow rpm_t usbdevfs_t:dir r_dir_perms;
allow rpm_t rpc_pipefs_t:dir search;
@ -220,28 +220,28 @@ allow crond_t rpm_t:fifo_file r_file_perms;
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file { read getattr lock ioctl write append };
allow rpm_script_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow rpm_script_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow rpm_script_t self:fifo_file rw_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
allow rpm_script_t self:unix_stream_socket connectto;
allow rpm_script_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow rpm_script_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow rpm_script_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
allow rpm_script_t rpm_tmp_t:file r_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
allow rpm_script_t rpm_script_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow rpm_script_t rpm_script_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
files_create_private_tmp_data(rpm_script_t, rpm_script_tmp_t, { file dir })
allow rpm_script_t rpm_script_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow rpm_script_t rpm_script_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_script_t rpm_script_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow rpm_script_t rpm_script_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_script_t rpm_script_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms;
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
fs_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctl(rpm_script_t)
@ -316,7 +316,8 @@ ifdef(`TODO',`
allow rpm_script_t sysfs_t:dir r_dir_perms;
allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
can_exec(rpm_script_t,usr_t)
allow rpm_script_t autofs_t:dir { search getattr };
@ -327,7 +328,8 @@ allow rpm_script_t autofs_t:dir { search getattr };
')
optional_policy(`lpd.te', `
allow rpm_script_t printconf_t:file { getattr read execute execute_no_trans };
can_exec(rpm_script_t,printconf_t)
')
optional_policy(`ssh.te', `
@ -358,13 +360,13 @@ ifdef(`TODO',`
allow userdomain var_lib_t:dir { getattr search };
allow { insmod_t depmod_t } rpm_t:fifo_file { getattr read write append ioctl lock };
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
optional_policy(`cups.te', `
allow cupsd_t rpm_var_lib_t:dir { getattr read search };
allow cupsd_t rpm_var_lib_t:file { read getattr };
allow cupsd_t rpb_var_lib_t:lnk_file { getattr read };
allow cupsd_t initrc_exec_t:file { getattr read };
allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
allow cupsd_t rpm_var_lib_t:file r_file_perms;
allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
allow cupsd_t initrc_exec_t:file r_file_perms;
domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
')
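Review bot: `allow rpm_t self:file rw_file_perms;;` carries a doubled semicolon; the stray `;` is at best dead and may be rejected by the policy compiler, so it should be `allow rpm_t self:file rw_file_perms;`. Separately, `rw_stream_socket_perms` on rpm_t's and rpm_script_t's unix_stream_socket and on rpm_t's tcp_socket replaces sets that included `create`, whereas consoletype.te in this commit maps the same removed set to `create_stream_socket_perms`; confirm whether dropping `create` is intended. The cupsd_t lnk_file rule in the last hunk is rewritten but still names `rpb_var_lib_t`, which looks like a typo for `rpm_var_lib_t`. rpm_tmpfs_t:dir receives `create_dir_perms` while the identical removed set on rpm_script_tmpfs_t:dir receives `rw_dir_perms`, so one of the two is a widening rather than a substitution.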


@ -15,7 +15,7 @@
define(`usermanage_chfn_transition',`
requires_block_template(`$0'_depend)
allow $1 chfn_exec_t:file { getattr read execute };
allow $1 chfn_exec_t:file rx_file_perms;
allow $1 chfn_t:process transition;
type_transition $1 chfn_exec_t:process chfn_t;
dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
@ -29,7 +29,7 @@ define(`usermanage_chfn_transition',`
define(`usermanage_chfn_transition_depend',`
type chfn_t, chfn_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -81,11 +81,7 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
define(`usermanage_groupadd_transition',`
requires_block_template(`$0'_depend)
allow $1 groupadd_exec_t:file { getattr read execute };
allow $1 groupadd_t:process transition;
type_transition $1 groupadd_exec_t:process groupadd_t;
dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1,groupadd_t,groupadd_t)
allow $1 groupadd_t:fd use;
allow groupadd_t $1:fd use;
allow groupadd_t $1:fifo_file rw_file_perms;
@ -95,7 +91,7 @@ define(`usermanage_groupadd_transition',`
define(`usermanage_groupadd_transition_depend',`
type groupadd_t, groupadd_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -147,7 +143,7 @@ define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
define(`usermanage_passwd_transition',`
requires_block_template(`$0'_depend)
allow $1 passwd_exec_t:file { getattr read execute };
allow $1 passwd_exec_t:file rx_file_perms;
allow $1 passwd_t:process transition;
type_transition $1 passwd_exec_t:process passwd_t;
dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
@ -161,7 +157,7 @@ define(`usermanage_passwd_transition',`
define(`usermanage_passwd_transition_depend',`
type passwd_t, passwd_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@ -213,7 +209,7 @@ define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
define(`usermanage_useradd_transition',`
requires_block_template(`$0'_depend)
allow $1 useradd_exec_t:file { getattr read execute };
allow $1 useradd_exec_t:file rx_file_perms;
allow $1 useradd_t:process transition;
type_transition $1 useradd_exec_t:process useradd_t;
dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
@ -227,7 +223,7 @@ define(`usermanage_useradd_transition',`
define(`usermanage_useradd_transition_depend',`
type useradd_t, useradd_exec_t;
class file { getattr read execute };
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
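Review bot: `domain_auto_trans($1,groupadd_t,groupadd_t)` in `usermanage_groupadd_transition` passes the domain type in the entrypoint position; the removed lines and the consoletype interface in this same commit use the `_exec_t` type there, so it should read `domain_auto_trans($1,groupadd_exec_t,groupadd_t)`. As written the transition would not apply when `groupadd_exec_t` is executed, and `groupadd_exec_t` remains declared in the depend block without being used by the interface body.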


@ -66,14 +66,14 @@ allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resou
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file { read getattr lock ioctl write append };
allow chfn_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow chfn_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow chfn_t self:fifo_file rw_file_perms;
allow chfn_t self:unix_dgram_socket create_rw_socket_perms;
allow chfn_t self:unix_stream_socket rwcreate_stream_socket_perms;
allow chfn_t self:unix_dgram_socket sendto;
allow chfn_t self:unix_stream_socket connectto;
allow chfn_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow chfn_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow chfn_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow chfn_t self:shm create_shm_perms;
allow chfn_t self:sem create_sem_perms;
allow chfn_t self:msgq create_msgq_perms;
allow chfn_t self:msg { send receive };
kernel_read_system_state(chfn_t)
@ -147,15 +147,15 @@ dontaudit chfn_t selinux_config_t:dir search;
#
allow crack_t self:process { sigkill sigstop signull signal };
allow crack_t self:fifo_file { read write getattr };
allow crack_t self:fifo_file rw_file_perms;
allow crack_t crack_db_t:dir { read getattr lock search ioctl add_name remove_name write };
allow crack_t crack_db_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow crack_t crack_db_t:lnk_file { create read getattr setattr link unlink rename };
allow crack_t crack_db_t:dir rw_dir_perms;
allow crack_t crack_db_t:file create_file_perms;
allow crack_t crack_db_t:lnk_file create_file_perms;
files_search_system_state_data_directory(crack_t)
allow crack_t crack_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow crack_t crack_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow crack_t crack_tmp_t:dir create_dir_perms;
allow crack_t crack_tmp_t:file create_file_perms;
files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir })
kernel_read_system_state(crack_t)
@ -180,7 +180,7 @@ logging_send_system_log_message(crack_t)
ifdef(`TODO',`
ifdef(`crond.te', `
domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
allow crack_t crond_t:fifo_file { getattr read write ioctl };
allow crack_t crond_t:fifo_file rw_file_perms;
# a rule for privfd may make this obsolete
allow crack_t crond_t:fd use;
allow crack_t crond_t:process sigchld;
@ -199,14 +199,14 @@ dontaudit groupadd_t self:capability fsetid;
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow groupadd_t self:process { setrlimit setfscreate };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file { read getattr lock ioctl write append };
allow groupadd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow groupadd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow groupadd_t self:fifo_file rw_file_perms;
allow groupadd_t self:unix_dgram_socket create_socket_perms;
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
allow groupadd_t self:unix_dgram_socket sendto;
allow groupadd_t self:unix_stream_socket connectto;
allow groupadd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow groupadd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow groupadd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow groupadd_t self:shm create_shm_perms;
allow groupadd_t self:sem create_sem_perms;
allow groupadd_t self:msgq create_msgq_perms;
allow groupadd_t self:msg { send receive };
# Allow access to context for shadow file
@ -275,14 +275,14 @@ allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_res
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
allow passwd_t self:fifo_file { read getattr lock ioctl write append };
allow passwd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow passwd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow passwd_t self:fifo_file rw_file_perms;
allow passwd_t self:unix_dgram_socket create_socket_perms;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
allow passwd_t self:unix_stream_socket connectto;
allow passwd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow passwd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow passwd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perm;
allow passwd_t self:msg { send receive };
kernel_get_selinuxfs_mount_point(passwd_t)
@ -366,19 +366,19 @@ allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
allow sysadm_passwd_t self:fifo_file { read getattr lock ioctl write append };
allow sysadm_passwd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow sysadm_passwd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow sysadm_passwd_t self:fifo_file rw_file_perms;
allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow sysadm_passwd_t self:unix_dgram_socket sendto;
allow sysadm_passwd_t self:unix_stream_socket connectto;
allow sysadm_passwd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow sysadm_passwd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow sysadm_passwd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow sysadm_passwd_t self:shm create_shm_perms;
allow sysadm_passwd_t self:sem create_sem_perms;
allow sysadm_passwd_t self:msgq create_msgq_perms;
allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow sysadm_passwd_t sysadm_passwd_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
allow sysadm_passwd_t sysadm_passwd_tmp_t:file creat_file_perms;
files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_system_state_data_directory(sysadm_passwd_t)
@ -463,14 +463,14 @@ allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid s
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
allow useradd_t self:fifo_file { read getattr lock ioctl write append };
allow useradd_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow useradd_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow useradd_t self:fifo_file rw_file_perms;
allow useradd_t self:unix_dgram_socket create_socket_perms;
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
allow useradd_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow useradd_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow useradd_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow useradd_t self:shm create_shm_perms;
allow useradd_t self:sem create_sem_perms;
allow useradd_t self:msgq create_msgq_perms;
allow useradd_t self:msg { send receive };
# Allow access to context for shadow file
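Review bot: several macro names in the new lines look misspelled and will not expand: `rwcreate_stream_socket_perms` and `create_rw_socket_perms` on chfn_t's sockets (every other domain in this file uses `create_stream_socket_perms` / `create_socket_perms` for the same removed sets), `create_msgq_perm` on passwd_t (missing the trailing `s`), and `creat_file_perms` on sysadm_passwd_tmp_t:file. An unexpanded m4 name would presumably reach the policy compiler as a literal permission and fail the build, so these should be `create_stream_socket_perms`, `create_socket_perms`, `create_msgq_perms` and `create_file_perms` respectively. The crack_t fifo_file change also widens `{ read write getattr }` to `rw_file_perms`, which is minor but not a pure substitution.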