another cleanup pass

This commit is contained in:
Chris PeBenito 2005-05-24 15:55:57 +00:00
parent 6276f10155
commit dc771ff40e
16 changed files with 372 additions and 80 deletions


@ -30,13 +30,13 @@ class process { transition noatsecure siginh rlimitinh };
######################################## ########################################
## <interface name="rpm_transition_add_role_use_terminal"> ## <interface name="rpm_transition_add_role_use_terminal">
## <description> ## <description>
## Execute rpm programs in the rpm domain. ## Execute RPM programs in the RPM domain.
## </description> ## </description>
## <parameter name="domain"> ## <parameter name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </parameter> ## </parameter>
## <parameter name="role"> ## <parameter name="role">
## The role to allow the rpm domain. ## The role to allow the RPM domain.
## </parameter> ## </parameter>
## <parameter name="terminal"> ## <parameter name="terminal">
## The type of the terminal allow the RPM domain to use. ## The type of the terminal allow the RPM domain to use.
@ -100,18 +100,43 @@ class fifo_file { getattr read };
') ')
######################################## ########################################
## <interface name="rpm_read_package_database">
## <description>
## Read RPM package database.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="read" weight="10"/>
## </interface>
# #
# rpm_read_library_state(domain) define(`rpm_read_package_database',`
#
define(`rpm_read_library_state',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir { getattr read search }; allow $1 rpm_var_lib_t:dir { getattr read search };
allow $1 rpm_var_lib_t:file { read getattr }; allow $1 rpm_var_lib_t:file { read getattr };
allow $1 rpm_var_lib_t:lnk_file { getattr read }; allow $1 rpm_var_lib_t:lnk_file { getattr read };
') ')
define(`kernel_read_system_state_depend',` define(`rpm_read_package_database_depend',`
type proc_t; type rpm_var_lib_t_t;
class dir { search getattr read };
class lnk_file { getattr read };
class file { getattr read };
')
########################################
#
# rpm_manage_package_database(domain)
#
define(`rpm_manage_package_database',`
requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
')
define(`rpm_manage_package_database_depend',`
type rpm_var_lib_t_t;
class dir { search getattr read }; class dir { search getattr read };
class lnk_file { getattr read }; class lnk_file { getattr read };
class file { getattr read }; class file { getattr read };
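Review bot: The depend blocks at L47 and L63 declare `type rpm_var_lib_t_t;`, which is not the `rpm_var_lib_t` that the allow rules in both new interfaces (L42-44, L58-60) actually use, so the requires block names a type the interface never grants on; whether that breaks the build or merely leaves the real dependency undeclared depends on how requires_block_template expands, which is outside this hunk. Both lines should read `type rpm_var_lib_t;`. The `rpm_manage_package_database_depend` block (L62-66) is also a copy of the read-only block and declares only `search getattr read` style permissions, although the interface grants write, add_name, remove_name, create, append and unlink; the depend block should mirror the permissions the interface uses, as below. The closing `')` of this block lies beyond the end of the hunk.
```m4
define(`rpm_manage_package_database_depend',`
type rpm_var_lib_t;
class dir { getattr search read write add_name remove_name };
class file { getattr create read write append unlink };
class lnk_file { getattr read write unlink };
```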


@ -86,6 +86,21 @@ type boot_t;
class dir search; class dir search;
') ')
########################################
#
# bootloader_modify_bootloader_data_directory_symbolic_links(domain)
#
define(`bootloader_modify_bootloader_data_directory_symbolic_links',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir { getattr search read };
allow $1 boot_t:lnk_file { getattr read write };
')
define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
type boot_t;
class dir { getattr search read };
')
######################################## ########################################
# #
# bootloader_install_kernel(domain) # bootloader_install_kernel(domain)
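Review bot: The depend block for `bootloader_modify_bootloader_data_directory_symbolic_links` (L82-85) declares only `type boot_t;` and the dir class, although the interface body at L80 grants `boot_t:lnk_file { getattr read write }`; add `class lnk_file { getattr read write };` after L84 so the requires cover what the interface uses. The interface also uses the legacy `#` comment header rather than the XML `## <interface>` block this same commit introduces in devices.if and authlogin.if; a `<description>`, `<parameter name="domain">` and `<infoflow type="write" .../>` block would keep the new interfaces documented consistently.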


@ -179,9 +179,6 @@ modutils_update_modules_execute(bootloader_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
# admin runs bootloader:
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
allow bootloader_t admin_tty_type:chr_file rw_file_perms;
allow bootloader_t initrc_t:fifo_file { read write }; allow bootloader_t initrc_t:fifo_file { read write };


@ -132,6 +132,30 @@ type device_t;
class chr_file getattr; class chr_file getattr;
') ')
########################################
## <interface name="devices_remove_dev_symbolic_links">
## <description>
## Delete symbolic links in /dev.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="1"/>
## </interface>
#
define(`devices_remove_dev_symbolic_links',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr read write remove_name };
allow $1 device_t:lnk_file unlink;
')
define(`devices_remove_dev_symbolic_links_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
class dir { getattr read write remove_name };
class lnk_file unlink;
')
######################################## ########################################
# #
# devices_manage_dev_symbolic_links(domain) # devices_manage_dev_symbolic_links(domain)
@ -143,7 +167,6 @@ allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
') ')
define(`devices_manage_dev_symbolic_links_depend',` define(`devices_manage_dev_symbolic_links_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t; type device_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
class lnk_file { create read getattr setattr link unlink rename }; class lnk_file { create read getattr setattr link unlink rename };
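Review bot: `devices_remove_dev_symbolic_links_depend` at L122 carries `attribute device_node, memory_raw_read, memory_raw_write;` although the interface body (L116-120) only touches `device_t`; the second hunk of this file removes exactly that line from `devices_manage_dev_symbolic_links_depend` (L133), so it appears to have been copied over by mistake and should be dropped from the new block as well. Declaring attributes an interface does not use makes the module's dependency set larger than the rules it actually adds, which is the opposite of what the cleanup in L133 is doing.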


@ -117,6 +117,20 @@ type fs_t;
class filesystem getattr; class filesystem getattr;
') ')
########################################
#
# filesystem_relabelfrom_persistent_filesystem(domain)
#
define(`filesystem_relabelfrom_persistent_filesystem',`
requires_block_template(`$0'_depend)
allow $1 fs_t:filesystem relabelfrom;
')
define(`filesystem_relabelfrom_persistent_filesystem_depend',`
type fs_t;
class filesystem relabelfrom;
')
######################################## ########################################
# #
# filesystem_mount_automount_filesystem(domain) # filesystem_mount_automount_filesystem(domain)
@ -395,6 +409,20 @@ type dosfs_t;
class filesystem getattr; class filesystem getattr;
') ')
########################################
#
# filesystem_relabelfrom_dos_filesystem(domain)
#
define(`filesystem_relabelfrom_dos_filesystem',`
requires_block_template(`$0'_depend)
allow $1 dosfs_t:filesystem relabelfrom;
')
define(`filesystem_relabelfrom_dos_filesystem_depend',`
type dosfs_t;
class filesystem relabelfrom;
')
######################################## ########################################
# #
# filesystem_mount_cd_filesystem(domain) # filesystem_mount_cd_filesystem(domain)
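Review bot: The two new relabelfrom interfaces (L143-154 and L161-172) are documented with the legacy `#` header only, while the interfaces this commit adds to devices.if, authlogin.if and files.if carry the XML `## <interface>` block; since relabelfrom on a persistent or DOS filesystem is a permission worth explaining, a `<description>` such as `## Relabel from the persistent filesystem type, e.g. for mount setting fscontext.` and an `<infoflow type="write" .../>` entry would be useful here. The rule bodies and depend blocks themselves agree with each other.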


@ -142,6 +142,20 @@ type unlabeled_t;
class process sigkill; class process sigkill;
') ')
########################################
#
# kernel_ignore_get_unlabeled_block_device_attributes(domain)
#
define(`kernel_ignore_get_unlabeled_block_device_attributes',`
requires_block_template(`$0'_depend)
allow $1 unlabeled_t:blk_file getattr;
')
define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
type unlabeled_t;
class process getattr;
')
######################################## ########################################
# #
# kernel_relabel_unlabeled_object(domain) # kernel_relabel_unlabeled_object(domain)
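Review bot: `kernel_ignore_get_unlabeled_block_device_attributes` uses `allow` at L188, but the `_ignore_` naming in this tree means dontaudit (compare `files_ignore_write_all_daemon_runtime_data` at L442), and the rule it replaces in initrc.te was `dontaudit initrc_t unlabeled_t:blk_file getattr;` (L595) — as written the interface grants getattr on unlabeled block devices instead of silencing the denial. The depend block at L192 also declares `class process getattr;` where the interface uses blk_file. Change L188 to `dontaudit $1 unlabeled_t:blk_file getattr;` and L192 to `class blk_file getattr;`.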


@ -1,4 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC # Copyright (C) 2005 Tresys Technology, LLC
## <module name="authlogin" layer="system">
## <summary>Common policy for authentication and user login.</summary>
####################################### #######################################
# #
@ -249,9 +251,16 @@ type lastlog_t;
class file { getattr read write setattr }; class file { getattr read write setattr };
') ')
####################################### ########################################
# ## <interface name="authlogin_pam_transition">
# authlogin_pam_transition(domain) ## <description>
## Execute pam programs in the pam domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
# #
define(`authlogin_pam_transition',` define(`authlogin_pam_transition',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
@ -267,6 +276,35 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
## <interface name="authlogin_pam_transition_add_role_use_terminal">
## <description>
## Execute pam programs in the PAM domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to allow the PAM domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the PAM domain to use.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
#
define(`authlogin_pam_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
authlogin_pam_transition($1)
role $2 types pam_t;
allow pam_t $3:chr_file { getattr read write ioctl };
')
define(`authlogin_pam_transition_add_role_use_terminal_depend',`
type pam_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# authlogin_pam_execute(domain) # authlogin_pam_execute(domain)
@ -373,6 +411,60 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
class lnk_file { create read getattr setattr link unlink rename }; class lnk_file { create read getattr setattr link unlink rename };
') ')
########################################
## <interface name="authlogin_utempter_transition">
## <description>
## Execute utempter programs in the utempter domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="write" weight="10"/>
## </interface>
#
define(`authlogin_utempter_transition',`
requires_block_template(`$0'_depend)
allow $1 utempter_exec_t:file { getattr read execute };
allow $1 utempter_t:process transition;
type_transition $1 utempter_exec_t:file utempter_t;
dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
')
define(`authlogin_utempter_transition_depend',`
type utempter_t, utempter_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
')
########################################
## <interface name="authlogin_utempter_transition_add_role_use_terminal">
## <description>
## Execute utempter programs in the utempter domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <parameter name="role">
## The role to allow the utempter domain.
## </parameter>
## <parameter name="terminal">
## The type of the terminal allow the utempter domain to use.
## </parameter>
## <infoflow type="both" weight="10"/>
## </interface>
#
define(`authlogin_utempter_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
authlogin_utempter_transition($1)
role $2 types utempter_t;
allow utempter_t $3:chr_file { getattr read write ioctl };
')
define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
type utempter_t;
class chr_file { getattr read write ioctl };
')
####################################### #######################################
# #
# authlogin_read_login_records(domain) # authlogin_read_login_records(domain)
@ -416,3 +508,5 @@ define(`authlogin_modify_login_records_depend',`
type wtmp_t; type wtmp_t;
class file { getattr read write setattr }; class file { getattr read write setattr };
') ')
## </module>
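Review bot: The description for `authlogin_pam_transition` at L212 reads "Execute pam programs in the pam domain." while the sibling interface at L228 and the reworded rpm.if text in this commit (L15) use "PAM domain"; `## Execute PAM programs in the PAM domain.` keeps the generated documentation consistent. Likewise L261 and L284 give the two utempter interfaces the same description although one also authorizes a role and a terminal; stating that difference in L284, as the `<parameter>` entries already do, would help readers pick the right one.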


@ -107,19 +107,18 @@ libraries_use_shared_libraries(pam_t)
logging_send_system_log_message(pam_t) logging_send_system_log_message(pam_t)
userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
optional_policy(`locallogin.te',` optional_policy(`locallogin.te',`
locallogin_use_file_descriptors(pam_t) locallogin_use_file_descriptors(pam_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow pam_t unpriv_userdomain:fd use;
can_ypbind(pam_t) can_ypbind(pam_t)
ifdef(`automount.te', ` ifdef(`automount.te', `
allow pam_t autofs_t:dir { search getattr }; allow pam_t autofs_t:dir { search getattr };
') ')
in_user_role(pam_t)
domain_auto_trans(userdomain, pam_exec_t, pam_t)
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
') dnl endif TODO ') dnl endif TODO
@ -169,6 +168,8 @@ logging_send_system_log_message(pam_console_t)
selinux_read_file_contexts(pam_console_t) selinux_read_file_contexts(pam_console_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
tunable_policy(`direct_sysadm_daemon', ` tunable_policy(`direct_sysadm_daemon', `
dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms; dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
') ')
@ -198,7 +199,6 @@ allow pam_console_t rhgb_t:process sigchld;
allow pam_console_t rhgb_t:fd use; allow pam_console_t rhgb_t:fd use;
allow pam_console_t rhgb_t:fifo_file { read write }; allow pam_console_t rhgb_t:fifo_file { read write };
') ')
dontaudit pam_console_t unpriv_userdomain:fd use;
allow pam_console_t autofs_t:dir { search getattr }; allow pam_console_t autofs_t:dir { search getattr };
allow pam_console_t { allow pam_console_t {
@ -214,8 +214,6 @@ removable_device_t
scsi_generic_device_t scsi_generic_device_t
}:chr_file { getattr setattr }; }:chr_file { getattr setattr };
allow pam_console_t mnt_t:dir r_dir_perms; allow pam_console_t mnt_t:dir r_dir_perms;
ifdef(`gpm.te', ` ifdef(`gpm.te', `
@ -306,10 +304,6 @@ libraries_use_shared_libraries(utempter_t)
logging_search_system_log_directory(utempter_t) logging_search_system_log_directory(utempter_t)
ifdef(`TODO',` ifdef(`TODO',`
in_user_role(utempter_t)
role sysadm_r types utempter_t;
domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
# Allow utemper to write to /tmp/.xses-* # Allow utemper to write to /tmp/.xses-*
allow utempter_t user_tmpfile:file { getattr write append }; allow utempter_t user_tmpfile:file { getattr write append };
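Review bot: The removed `role sysadm_r types utempter_t;` (L357) and the `in_user_role(pam_t)` / `in_user_role(utempter_t)` calls (L331, L356) are replaced only by the two `_add_role_use_terminal` calls added to a `$1_t`/`$1_r` template in userdomain.if (L703-704); if that template is not also the one `admin_domain_template(sysadm)` (L710) expands, sysadm_r loses its authorization for pam_t and utempter_t. Which template the userdomain.if hunk sits in is not visible here, so please confirm, and otherwise add the equivalent calls for sysadm_t/sysadm_r in sysadm.te. The per-domain `userdomain_use_all_unprivileged_users_file_descriptors` replacements at L321 and L337 look correct.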


@ -200,6 +200,48 @@ attribute file_type;
class dir { getattr search read }; class dir { getattr search read };
') ')
#######################################
#
# files_relabelto_all_file_type_filesystems(domain)
#
define(`files_relabelto_all_file_type_filesystems',`
requires_block_template(`$0'_depend)
allow $1 file_type:filesystem relabelto;
')
define(`files_relabelto_all_file_type_filesystems_depend',`
attribute file_type;
filesystem relabelto;
')
#######################################
#
# files_mount_all_file_type_filesystems(domain)
#
define(`files_mount_all_file_type_filesystems',`
requires_block_template(`$0'_depend)
allow $1 file_type:filesystem mount;
')
define(`files_mount_all_file_type_filesystems_depend',`
attribute file_type;
filesystem mount;
')
#######################################
#
# files_unmount_all_file_type_filesystems(domain)
#
define(`files_unmount_all_file_type_filesystems',`
requires_block_template(`$0'_depend)
allow $1 file_type:filesystem mount;
')
define(`files_unmount_all_file_type_filesystems_depend',`
attribute file_type;
filesystem mount;
')
######################################## ########################################
# #
# files_mount_on_all_mountpoints(domain) # files_mount_on_all_mountpoints(domain)
@ -710,6 +752,22 @@ class dir { getattr search read write add_name remove_name };
class file { getattr create read write setattr unlink }; class file { getattr create read write setattr unlink };
') ')
########################################
#
# files_get_system_lock_file_attributes(domain)
#
define(`files_get_system_lock_file_attributes',`
requires_block_template(`$0'_depend)
allow $1 var_lock_t:dir { getattr search read };
allow $1 var_lock_t:file getattr;
')
define(`files_get_system_lock_file_attributes_depend',`
type var_lock_t;
class dir { getattr search read };
class file getattr;
')
######################################## ########################################
# #
# files_manage_system_lock_files(domain) # files_manage_system_lock_files(domain)
@ -843,6 +901,50 @@ class dir { getattr search read };
class file { getattr read write }; class file { getattr read write };
') ')
########################################
## <interface name="files_ignore_write_all_daemon_runtime_data">
## <description>
## Do not audit attempts to write to daemon runtime data files.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="none"/>
## </interface>
#
define(`files_ignore_write_all_daemon_runtime_data',`
requires_block_template(`$0'_depend)
dontaudit $1 pidfile:file write;
')
define(`files_ignore_write_all_daemon_runtime_data_depend',`
attribute pidfile;
class file write;
')
########################################
## <interface name="files_ignore_ioctl_all_daemon_runtime_data">
## <description>
## Do not audit attempts to ioctl daemon runtime data files.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## <infoflow type="none"/>
## </interface>
#
define(`files_ignore_ioctl_all_daemon_runtime_data',`
requires_block_template(`$0'_depend)
dontaudit $1 pidfile:file ioctl;
')
define(`files_ignore_ioctl_all_daemon_runtime_data_depend',`
attribute pidfile;
class file ioctl;
')
######################################## ########################################
# #
# files_remove_all_daemon_runtime_data(domain) # files_remove_all_daemon_runtime_data(domain)
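Review bot: `files_unmount_all_file_type_filesystems` grants `mount` rather than `unmount` at L397 and in its depend block at L401, so it duplicates the mount interface and the `unmount` permission carried by the rule it replaces in mount.te (`allow mount_t file_type:filesystem { unmount mount relabelto };`, L693) is lost; they should read `allow $1 file_type:filesystem unmount;` and `class filesystem unmount;`. The depend blocks at L377, L389 and L401 also omit the `class` keyword (`filesystem relabelto;`), unlike every other depend block in this commit. As in bootloader.if and filesystem.if, these three interfaces use the legacy `#` header instead of the XML `## <interface>` block that the later hunks of this same file (L430, L449) use.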


@ -32,6 +32,7 @@ allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:fifo_file { read write getattr ioctl }; allow hotplug_t self:fifo_file { read write getattr ioctl };
allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow hotplug_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept };
allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl }; allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl };
allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl }; allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl };
@ -50,6 +51,13 @@ kernel_read_usb_hardware_state(hotplug_t)
bootloader_read_kernel_modules(hotplug_t) bootloader_read_kernel_modules(hotplug_t)
corenetwork_network_tcp_on_all_interfaces(hotplug_t)
corenetwork_network_raw_on_all_interfaces(hotplug_t)
corenetwork_network_tcp_on_all_nodes(hotplug_t)
corenetwork_network_raw_on_all_nodes(hotplug_t)
corenetwork_network_tcp_on_all_ports(hotplug_t)
corenetwork_bind_tcp_on_all_nodes(hotplug_t)
# for SSP # for SSP
devices_get_pseudorandom_data(hotplug_t) devices_get_pseudorandom_data(hotplug_t)
@ -94,8 +102,19 @@ miscfiles_read_localization(hotplug_t)
mount_transition(hotplug_t) mount_transition(hotplug_t)
sysnetwork_read_network_config(hotplug_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t) userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
tunable_policy(`distro_redhat', `
optional_policy(`netutils.te', `
# for arping used for static IP addresses on PCMCIA ethernet
netutils_transition(hotplug_t)
filesystem_use_tmpfs_character_devices(hotplug_t)
') dnl endif netutils optional
files_get_system_lock_file_attribues(hotplug_t)
')dnl end distro_redhat tunable
tunable_policy(`targeted_policy', ` tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hotplug_t) terminal_ignore_use_general_physical_terminal(hotplug_t)
terminal_ignore_use_general_pseudoterminal(hotplug_t) terminal_ignore_use_general_pseudoterminal(hotplug_t)
@ -144,13 +163,10 @@ allow hotplug_t rhgb_t:fd use;
allow hotplug_t rhgb_t:fifo_file { read write }; allow hotplug_t rhgb_t:fifo_file { read write };
') ')
can_exec(hotplug_t, { ls_exec_t })
allow kernel_t hotplug_etc_t:dir search; allow kernel_t hotplug_etc_t:dir search;
allow hotplug_t sound_device_t:chr_file setattr; allow hotplug_t sound_device_t:chr_file setattr;
can_network_server(hotplug_t)
can_ypbind(hotplug_t) can_ypbind(hotplug_t)
dbusd_client(system, hotplug) dbusd_client(system, hotplug)
@ -159,23 +175,10 @@ allow hotplug_t kernel_t:process sigchld;
# for when filesystems are not mounted early in the boot # for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr }; dontaudit hotplug_t file_t:dir { search getattr };
allow hotplug_t udev_runtime_t:file rw_file_perms;
# for ps # for ps
dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read; dontaudit hotplug_t { init_t kernel_t }:file read;
tunable_policy(`distro_redhat', `
optional_policy(`netutils.te', `
# for arping used for static IP addresses on PCMCIA ethernet
netutils_transition(hotplug_t)
allow hotplug_t tmpfs_t:dir search;
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
') dnl endif netutils optional
allow hotplug_t var_lock_t:dir search;
allow hotplug_t var_lock_t:file getattr;
')dnl end distro_redhat tunable
optional_policy(`hald.te', ` optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto; allow hotplug_t hald_t:unix_dgram_socket sendto;
') ')
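Review bot: L499 calls `files_get_system_lock_file_attribues(hotplug_t)`, which does not match the interface this commit defines in files.if, `files_get_system_lock_file_attributes` (L413); with m4 an undefined name passes through unexpanded, so the replacement for the removed var_lock_t rules (L527-528) would not take effect inside the `distro_redhat` tunable. Fix to `files_get_system_lock_file_attributes(hotplug_t)`. Separately, the removed `allow hotplug_t udev_runtime_t:file rw_file_perms;` (L516) has no visible replacement in this section; if it is not covered by one of the new interface calls it should be restored or its removal mentioned in the commit message.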


@ -209,6 +209,8 @@ devices_read_realtime_clock(initrc_t)
devices_read_sound_mixer_levels(initrc_t) devices_read_sound_mixer_levels(initrc_t)
devices_write_sound_mixer_levels(initrc_t) devices_write_sound_mixer_levels(initrc_t)
devices_set_all_character_device_attributes(initrc_t) devices_set_all_character_device_attributes(initrc_t)
# Wants to remove udev.tbl:
devices_remove_dev_symbolic_links(initrc_t)
filesystem_register_binary_executable_type(initrc_t) filesystem_register_binary_executable_type(initrc_t)
# cjp: not sure why these are here; should use mount policy # cjp: not sure why these are here; should use mount policy
@ -283,6 +285,7 @@ kernel_set_selinux_enforcement_mode(initrc_t)
# Create and read /boot/kernel.h and /boot/System.map. # Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time. # Redhat systems typically create this file at boot time.
bootloader_create_runtime_data(initrc_t) bootloader_create_runtime_data(initrc_t)
bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
filesystem_use_tmpfs_character_devices(initrc_t) filesystem_use_tmpfs_character_devices(initrc_t)
@ -304,6 +307,17 @@ hotplug_read_config(initrc_t)
modutils_read_kernel_module_dependencies(initrc_t) modutils_read_kernel_module_dependencies(initrc_t)
') ')
optional_policy(`rpm.te',`
# why is this needed:
rpm_manage_package_database(initrc_t)
# for a bug in rm
files_ignore_write_all_daemon_runtime_data(initrc_t)
# bash tries ioctl for some reason
files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
# bash tries to access a block device in the initrd
kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
') dnl end rpm.te
ifdef(`TODO',` ifdef(`TODO',`
# Mount and unmount file systems. # Mount and unmount file systems.
@ -319,12 +333,6 @@ can_kerberos(initrc_t)
dontaudit initrc_t krb5_conf_t:file write; dontaudit initrc_t krb5_conf_t:file write;
allow initrc_t krb5_conf_t:file { getattr read }; allow initrc_t krb5_conf_t:file { getattr read };
#
# Wants to remove udev.tbl
#
allow initrc_t device_t:dir rw_dir_perms;
allow initrc_t device_t:lnk_file unlink;
# #
# These rules are here to allow init scripts to su # These rules are here to allow init scripts to su
# #
@ -343,10 +351,6 @@ file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
')dnl end distro_debian ')dnl end distro_debian
tunable_policy(`distro_redhat', ` tunable_policy(`distro_redhat', `
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms;
# readahead asks for these # readahead asks for these
allow initrc_t var_lib_nfs_t:file { getattr read }; allow initrc_t var_lib_nfs_t:file { getattr read };
')dnl end distro_redhat ')dnl end distro_redhat
@ -360,19 +364,4 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
# for lsof which is used by alsa shutdown # for lsof which is used by alsa shutdown
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr; dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
optional_policy(`rpm.te',`
# Access /var/lib/rpm.
allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
allow initrc_t rpm_var_lib_t:file create_file_perms;
# for a bug in rm
dontaudit initrc_t pidfile:file write;
# bash tries to access a block device in the initrd
dontaudit initrc_t unlabeled_t:blk_file getattr;
# bash tries ioctl for some reason
dontaudit initrc_t pidfile:file ioctl;
') dnl end rpm.te
') dnl end TODO ') dnl end TODO
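Review bot: L548 places `bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)` outside the `distro_redhat` tunable that scoped the rule it replaces (L578-581), so every distribution now grants initrc_t write on boot_t symlinks; if the widening is intended, keep the old `# Redhat systems typically create this file at boot time.` comment with it, otherwise move the call back inside the tunable. The comment at L554, `# why is this needed:`, reads as an open question rather than documentation; carrying over `# Access /var/lib/rpm.` (L589) or naming the init script that needs it would be better. Note also that L561 replaces a dontaudit (L595) with `kernel_ignore_get_unlabeled_block_device_attributes`, which kernel.if in this commit defines with `allow` (L188).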


@ -94,9 +94,10 @@ miscfiles_read_localization(local_login_t)
selinux_read_config(local_login_t) selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t) selinux_read_default_contexts(local_login_t)
userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
ifdef(`TODO',` ifdef(`TODO',`
allow local_login_t unpriv_userdomain:fd use;
can_ypbind(local_login_t) can_ypbind(local_login_t)
ifdef(`automount.te', ` ifdef(`automount.te', `
allow local_login_t autofs_t:dir { search getattr }; allow local_login_t autofs_t:dir { search getattr };
@ -240,6 +241,8 @@ selinux_read_default_contexts(sulogin_t)
authlogin_read_shadow_passwords(sulogin_t) authlogin_read_shadow_passwords(sulogin_t)
userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
# suse and debian do not use pam with sulogin... # suse and debian do not use pam with sulogin...
ifdef(`monolithic_policy',` ifdef(`monolithic_policy',`
ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_suse', `define(`sulogin_no_pam')')
@ -249,7 +252,6 @@ ifdef(`distro_debian', `define(`sulogin_no_pam')')
tunable_policy(`sulogin_no_pam', ` tunable_policy(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config; allow sulogin_t self:capability sys_tty_config;
init_get_process_group(sulogin_t) init_get_process_group(sulogin_t)
#domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
', ` ', `
allow sulogin_t self:process setexec; allow sulogin_t self:process setexec;
kernel_get_selinuxfs_mount_point(sulogin_t) kernel_get_selinuxfs_mount_point(sulogin_t)
@ -258,17 +260,18 @@ kernel_compute_selinux_access_vector(sulogin_t)
kernel_compute_selinux_create_context(sulogin_t) kernel_compute_selinux_create_context(sulogin_t)
kernel_compute_selinux_relabel_context(sulogin_t) kernel_compute_selinux_relabel_context(sulogin_t)
kernel_compute_selinux_reachable_user_contexts(sulogin_t) kernel_compute_selinux_reachable_user_contexts(sulogin_t)
#domain_trans(sulogin_t, shell_exec_t, sysadm_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow sulogin_t unpriv_userdomain:fd use;
domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
can_ypbind(sulogin_t) can_ypbind(sulogin_t)
ifdef(`automount.te', ` ifdef(`automount.te', `
allow sulogin_t autofs_t:dir { search getattr }; allow sulogin_t autofs_t:dir { search getattr };
') ')
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
# because file systems are not mounted # because file systems are not mounted
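Review bot: Every transition from sulogin_t to sysadm_t disappears in this section — the commented `domain_auto_trans`/`domain_trans` lines at L622 and L630 and the live `domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)` at L634 — and no replacement interface call is visible, so unless it is handled in a hunk not shown here, the shell that sulogin spawns would stay in sulogin_t. Please either add the replacement transition or state in a comment why sulogin no longer needs it. Moving `allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };` (L635 to L640) within the TODO block is harmless.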


@ -69,6 +69,8 @@ files_read_runtime_system_config(insmod_t)
files_read_general_system_config(insmod_t) files_read_general_system_config(insmod_t)
files_read_general_application_resources(insmod_t) files_read_general_application_resources(insmod_t)
files_execute_system_config_script(insmod_t) files_execute_system_config_script(insmod_t)
# for nscd
files_ignore_search_runtime_data_directory(insmod_t)
init_use_file_descriptors(insmod_t) init_use_file_descriptors(insmod_t)
init_script_use_file_descriptors(insmod_t) init_script_use_file_descriptors(insmod_t)
@ -113,8 +115,6 @@ allow insmod_t usbfs_t:filesystem mount;
# for when /var is not mounted early in the boot # for when /var is not mounted early in the boot
dontaudit insmod_t file_t:dir search; dontaudit insmod_t file_t:dir search;
# for nscd
dontaudit insmod_t var_run_t:dir search;
') dnl if TODO ') dnl if TODO


@ -36,7 +36,7 @@ filesystem_get_persistent_filesystem_attributes(mount_t)
filesystem_mount_all_filesystems(mount_t) filesystem_mount_all_filesystems(mount_t)
filesystem_unmount_all_filesystems(mount_t) filesystem_unmount_all_filesystems(mount_t)
filesystem_remount_all_filesystems(mount_t) filesystem_remount_all_filesystems(mount_t)
files_unmount_root_filesystem(mount_t) filesystem_relabelfrom_persistent_filesystem(mount_t)
terminal_use_console(mount_t) terminal_use_console(mount_t)
@ -51,6 +51,11 @@ files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
files_read_general_system_config(mount_t) files_read_general_system_config(mount_t)
files_create_runtime_system_config(mount_t) files_create_runtime_system_config(mount_t)
files_mount_on_all_mountpoints(mount_t) files_mount_on_all_mountpoints(mount_t)
files_unmount_root_filesystem(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
files_relabelto_all_file_type_filesystems(mount_t)
files_mount_all_file_type_filesystems(mount_t)
files_mount_all_file_type_filesystems(mount_t)
init_use_file_descriptors(mount_t) init_use_file_descriptors(mount_t)
init_script_use_pseudoterminal(mount_t) init_script_use_pseudoterminal(mount_t)
@ -71,7 +76,7 @@ allow mount_t tmpfs_t:dir mounton;
optional_policy(`authlogin.te',` optional_policy(`authlogin.te',`
authlogin_pam_console_read_runtime_data(mount_t) authlogin_pam_console_read_runtime_data(mount_t)
# mount config by default sets fscontext=removable_t # mount config by default sets fscontext=removable_t
allow mount_t dosfs_t:filesystem relabelfrom; filesystem_relabelfrom_dos_filesystem(mount_t)
') dnl end authlogin ') dnl end authlogin
') dnl end distro_redhat ') dnl end distro_redhat
@ -112,12 +117,6 @@ files_make_mountpoint(var_lib_nfs_t)
# for when /etc/mtab loses its type # for when /etc/mtab loses its type
allow mount_t file_t:file { getattr read unlink }; allow mount_t file_t:file { getattr read unlink };
# TODO: Need macro for granting relabelto, relabelfrom
allow mount_t fs_t:filesystem relabelfrom;
# This rule needs to be generalized. Only admin, initrc should have it.
allow mount_t file_type:filesystem { unmount mount relabelto };
ifdef(`gnome-pty-helper.te', ` ifdef(`gnome-pty-helper.te', `
allow mount_t sysadm_gph_t:fd use; allow mount_t sysadm_gph_t:fd use;
') ')
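Review bot: L676 and L677 both call `files_mount_all_file_type_filesystems(mount_t)`; the second should be `files_unmount_all_file_type_filesystems(mount_t)` so that the `unmount` permission from the replaced rule at L693 is kept (that interface itself also grants mount instead of unmount as defined in files.if, L397). The comment at L674, `# These rules need to be generalized. Only admin, initrc should have it:`, now applies to three interface calls rather than a single rule and would read better as `# TODO: only admin and initrc domains should get these file_type filesystem permissions.`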


@ -105,6 +105,8 @@ storage_get_fixed_disk_attributes($1_t)
authlogin_read_login_records($1_t) authlogin_read_login_records($1_t)
authlogin_ignore_write_login_records($1_t) authlogin_ignore_write_login_records($1_t)
authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
corecommands_execute_general_programs($1_t) corecommands_execute_general_programs($1_t)
corecommands_execute_system_programs($1_t) corecommands_execute_system_programs($1_t)


@ -98,6 +98,10 @@ admin_domain_template(sysadm)
# for su # for su
allow sysadm_t userdomain:fd use; allow sysadm_t userdomain:fd use;
optional_policy(`bootloader.te',`
bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`iptables.te',` optional_policy(`iptables.te',`
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
') ')
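Review bot: `bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)` at L714 is not defined in this commit's bootloader.if hunk, so presumably it already exists; the name and three-argument shape should be checked against that definition, since an undefined m4 macro passes through silently and the rules it replaces (L95-97 in bootloader.te, including the `admin_tty_type` access) would then be gone without a substitute. The `admin_terminal` argument also differs from the `admin_tty_type` attribute used by the removed rule, which is fine if the two are equivalent in this tree.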