targeted policy fixes

This commit is contained in:
Chris PeBenito 2005-10-19 19:45:20 +00:00
parent af4752bcb9
commit de764944d8
6 changed files with 36 additions and 20 deletions


@ -4,3 +4,4 @@ system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:sshd_t:s0 system_r:unconfined_t:s0
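Review bot: The added `system_r:sshd_t:s0 system_r:unconfined_t:s0` entry only tells sshd which context to request for the session; it takes effect only if the policy also permits the sshd_t to unconfined_t process transition, and no such rule is part of this commit, so presumably it already exists in the targeted build and should be confirmed, because without it every ssh login would likely be denied in enforcing mode rather than fall back to a confined domain. This makes remote ssh sessions fully unconfined, matching the remote_login_t and rshd_t entries above, and a short comment at the top of the file such as `# targeted policy: every login path lands in unconfined_t` would make that intent explicit for anyone later adding a confined login domain. The same entry is added to the two other contexts files in this commit and they must be kept in sync.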


@ -4,3 +4,4 @@ system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:sshd_t:s0 system_r:unconfined_t:s0


@ -4,3 +4,4 @@ system_r:local_login_t system_r:unconfined_t
system_r:remote_login_t system_r:unconfined_t
system_r:rshd_t system_r:unconfined_t
system_r:crond_t system_r:unconfined_t
system_r:sshd_t system_r:unconfined_t


@ -11,7 +11,6 @@ init_daemon_domain(apmd_t,apmd_exec_t)
type apm_t;
domain_type(apm_t)
role sysadm_r types apm_t;
role system_r types apm_t;
type apm_exec_t;


@ -163,6 +163,8 @@ template(`ssh_per_userdomain_template',`
sysnet_dns_name_resolve($1_ssh_t)
userdom_use_unpriv_users_fd($1_ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
tunable_policy(`read_default_t',`
files_list_default($1_ssh_t)
@ -220,11 +222,6 @@ template(`ssh_per_userdomain_template',`
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
# Write to the user domain tty.
allow $1_ssh_t $1_tty_device_t:chr_file { read write getattr ioctl };
allow $1_ssh_t devpts_t:dir { read search getattr };
allow $1_ssh_t $1_devpts_t:chr_file { read write getattr ioctl };
# allow ps to show ssh
can_ps($1_t, $1_ssh_t)
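Review bot: The new `userdom_use_user_terminals($1,$1_ssh_t)` call replaces explicit rules that granted only `{ read write getattr ioctl }` on `$1_tty_device_t` and `$1_devpts_t` plus `{ read search getattr }` on `devpts_t:dir`, and whether the interface expands to exactly that set or to something wider (append, open, other users' ptys) cannot be checked from this hunk, so its body should be compared against the removed rules before merging, since the ssh client runs with the user's credentials and any extra terminal access is reachable from a compromised client. If the interface does not also cover the devpts_t directory search that the deleted `allow $1_ssh_t devpts_t:dir { read search getattr };` provided, the client will be unable to locate its pty and the regression would only surface as an AVC denial at runtime. A comment next to the call, `# replaces explicit tty/pty rules: must cover $1_tty_device_t, $1_devpts_t and devpts_t dir search`, would record what the interface is expected to grant. The template `ssh_per_userdomain_template` begins and ends outside both hunks, and the `@ -163,6 +163,8` header accounts for more lines than the page shows.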


@ -423,6 +423,23 @@ interface(`auth_read_lastlog',`
allow $1 lastlog_t:file { getattr read };
')
#######################################
## <summary>
## Append only to the last logins log.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`auth_append_lastlog',`
gen_require(`
type lastlog_t;
')
logging_search_logs($1)
allow $1 lastlog_t:file { getattr lock append };
')
#######################################
## <summary>
## Read and write to the last logins log.