patch from dan Mon, 25 Sep 2006 15:46:40 -0400

This commit is contained in:
Chris PeBenito 2006-09-28 14:37:29 +00:00
parent 693d4aedb5
commit e2b84ef79a
21 changed files with 282 additions and 16 deletions

View File

@ -71,6 +71,7 @@
Tue, 05 Sep 2006
Wed, 20 Sep 2006
Fri, 22 Sep 2006
Mon, 25 Sep 2006
- Added modules:
afs
amavis (Erich Schubert)
@ -107,6 +108,7 @@
ntop
nx
oav
oddjob (Dan Walsh)
openca
openvpn (Petre Rodan)
perdition

View File

@ -78,6 +78,7 @@ interface(`prelink_delete_cache',`
')
allow $1 prelink_cache_t:file unlink;
files_rw_etc_dirs($1)
')
########################################

View File

@ -1,5 +1,5 @@
policy_module(prelink,1.1.6)
policy_module(prelink,1.1.7)
########################################
#

View File

@ -1,5 +1,5 @@
policy_module(readahead,1.2.2)
policy_module(readahead,1.2.3)
########################################
#
@ -36,6 +36,8 @@ dev_getattr_all_chr_files(readahead_t)
dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t)
dev_dontaudit_getattr_nvram(readahead_t)
storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
domain_use_interactive_fds(readahead_t)

View File

@ -1,5 +1,5 @@
policy_module(slocate,1.1.0)
policy_module(slocate,1.1.1)
#################################
#
@ -45,6 +45,7 @@ files_read_etc_files(locate_t)
files_dontaudit_getattr_all_dirs(locate_t)
fs_getattr_xattr_fs(locate_t)
fs_getattr_rpc_pipefs(locate_t)
libs_use_shared_libs(locate_t)
libs_use_ld_so(locate_t)

View File

@ -3211,3 +3211,23 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
########################################
## <summary>
## dontaudit getattr generic files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_files',`
gen_require(`
type device_t;
')
allow $1 device_t:dir search;
dontaudit $1 device_t:file getattr;
')

View File

@ -1,5 +1,5 @@
policy_module(devices,1.1.23)
policy_module(devices,1.1.24)
########################################
#

View File

@ -1763,6 +1763,24 @@ interface(`files_list_etc',`
allow $1 etc_t:dir r_dir_perms;
')
########################################
## <summary>
## Add and remove entries from /etc directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_rw_etc_dirs',`
gen_require(`
type etc_t;
')
allow $1 etc_t:dir rw_dir_perms;
')
########################################
## <summary>
## Read generic files in /etc.

View File

@ -1,5 +1,5 @@
policy_module(files,1.2.19)
policy_module(files,1.2.20)
########################################
#

View File

@ -1,5 +1,5 @@
policy_module(cron,1.3.14)
policy_module(cron,1.3.15)
gen_require(`
class passwd rootok;
@ -17,6 +17,14 @@ corecmd_executable_file(anacron_exec_t)
type cron_spool_t;
files_type(cron_spool_t)
# var/lib files
type cron_var_lib_t;
files_type(cron_var_lib_t)
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
type crond_t;
# real declaration moved to mls until
# range_transition works in loadable modules
@ -228,6 +236,16 @@ optional_policy(`
# System cron process domain
#
# This is to handle creation of files in /var/log directory.
# Used currently by rpm script log files
allow system_crond_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_crond_t,cron_log_t,file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
allow system_crond_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
optional_policy(`
# cjp: why?
squid_domtrans(system_crond_t)

View File

@ -6,13 +6,18 @@
#
# /usr
#
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
#
# /var

View File

@ -1,5 +1,5 @@
policy_module(lpd,1.2.7)
policy_module(lpd,1.2.8)
########################################
#

View File

@ -0,0 +1,5 @@
/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
/var/run/oddjobd.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)

View File

@ -0,0 +1,96 @@
## <summary>
## Oddjob provides a mechanism by which unprivileged applications can
## request that specified privileged operations be performed on their
## behalf.
## </summary>
########################################
## <summary>
## Execute a domain transition to run oddjob.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`oddjob_domtrans',`
gen_require(`
type oddjob_t, oddjob_exec_t;
')
domain_auto_trans($1,oddjob_exec_t,oddjob_t)
allow oddjob_t $1:fd use;
allow oddjob_t $1:fifo_file rw_file_perms;
allow oddjob_t $1:process sigchld;
')
########################################
## <summary>
## Make the specified program domain accessable
## from the oddjob.
## </summary>
## <param name="domain">
## <summary>
## The type of the process to transition to.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The type of the file used as an entrypoint to this domain.
## </summary>
## </param>
#
interface(`oddjob_system_entry',`
gen_require(`
type oddjob_t;
')
domain_auto_trans(oddjob_t, $2, $1)
allow $1 oddjob_t:fd use;
allow $1 oddjob_t:fifo_file rw_file_perms;
allow $1 oddjob_t:process sigchld;
')
########################################
## <summary>
## Send and receive messages from
## oddjob over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`oddjob_dbus_chat',`
gen_require(`
type oddjob_t;
class dbus send_msg;
')
allow $1 oddjob_t:dbus send_msg;
allow oddjob_t $1:dbus send_msg;
')
########################################
## <summary>
## Execute a domain transition to run oddjob_mkhomedir.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`oddjob_domtrans_mkhomedir',`
gen_require(`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
allow oddjob_mkhomedir_t $1:fd use;
allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
allow oddjob_mkhomedir_t $1:process sigchld;
')

View File

@ -0,0 +1,85 @@
policy_module(oddjob,1.0.0)
########################################
#
# Declarations
#
type oddjob_t;
type oddjob_exec_t;
domain_type(oddjob_t)
init_daemon_domain(oddjob_t, oddjob_exec_t)
type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
# pid files
type oddjob_var_run_t;
files_pid_file(oddjob_var_run_t)
########################################
#
# oddjob local policy
#
allow oddjob_t self:capability { audit_write setgid } ;
allow oddjob_t self:process setexec;
allow oddjob_t self:fifo_file { read write };
allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
allow oddjob_t oddjob_var_run_t:file manage_file_perms;
allow oddjob_t oddjob_var_run_t:sock_file manage_file_perms;
allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
kernel_read_system_state(oddjob_t)
corecmd_search_sbin(oddjob_t)
corecmd_exec_shell(oddjob_t)
selinux_compute_create_context(oddjob_t)
files_read_etc_files(oddjob_t)
libs_use_ld_so(oddjob_t)
libs_use_shared_libs(oddjob_t)
miscfiles_read_localization(oddjob_t)
init_dontaudit_use_fds(oddjob_t)
locallogin_dontaudit_use_fds(oddjob_t)
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(oddjob_t)
term_dontaudit_use_unallocated_ttys(oddjob_t)
')
optional_policy(`
dbus_system_bus_client_template(oddjob,oddjob_t)
dbus_send_system_bus(oddjob_t)
dbus_connect_system_bus(oddjob_t)
')
optional_policy(`
unconfined_domtrans(oddjob_t)
')
########################################
#
# oddjob_mkhomedir local policy
#
allow oddjob_mkhomedir_t self:fifo_file { read write };
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(oddjob_mkhomedir_t)
libs_use_ld_so(oddjob_mkhomedir_t)
libs_use_shared_libs(oddjob_mkhomedir_t)
miscfiles_read_localization(oddjob_mkhomedir_t)

View File

@ -1,5 +1,5 @@
policy_module(sendmail,1.2.3)
policy_module(sendmail,1.2.4)
########################################
#
@ -32,6 +32,7 @@ allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t self:tcp_socket create_stream_socket_perms;
allow sendmail_t self:udp_socket create_socket_perms;
allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
allow sendmail_t sendmail_log_t:file create_file_perms;
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };

View File

@ -1,5 +1,5 @@
policy_module(smartmon,1.0.2)
policy_module(smartmon,1.0.3)
########################################
#
@ -60,8 +60,11 @@ files_read_etc_files(fsdaemon_t)
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
mls_file_read_up(fsdaemon_t)
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
term_dontaudit_use_console(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t)

View File

@ -1,5 +1,5 @@
policy_module(init,1.3.26)
policy_module(init,1.3.27)
gen_require(`
class passwd rootok;
@ -580,6 +580,8 @@ optional_policy(`
cups_read_log(initrc_t)
cups_read_rw_config(initrc_t)
#cups init script clears error log
cups_write_log(initrc_t)
')
optional_policy(`

View File

@ -1,5 +1,5 @@
policy_module(logging,1.3.12)
policy_module(logging,1.3.13)
########################################
#
@ -18,6 +18,7 @@ files_security_file(auditd_etc_t)
type auditd_log_t;
files_security_file(auditd_log_t)
files_mountpoint(auditd_log_t)
type auditd_t;
# real declaration moved to mls until

View File

@ -1,5 +1,5 @@
policy_module(raid,1.0.0)
policy_module(raid,1.0.1)
########################################
#
@ -29,11 +29,13 @@ files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
kernel_getattr_core_if(mdadm_t)
dev_read_sysfs(mdadm_t)
# Ignore attempts to read every device file
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_files(mdadm_t)
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)

View File

@ -1,5 +1,5 @@
policy_module(unconfined,1.3.14)
policy_module(unconfined,1.3.15)
########################################
#
@ -129,6 +129,10 @@ ifdef(`targeted_policy',`
mono_domtrans(unconfined_t)
')
optional_policy(`
oddjob_domtrans_mkhomedir(unconfined_t)
')
optional_policy(`
prelink_domtrans(unconfined_t)
')