Merge branch 'master' into xselinux
e331a05c77
@ -1,6 +1,7 @@
|
|||||||
|
* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
|
||||||
- Add separate x_pointer and x_keyboard classes inheriting from x_device.
|
- Add separate x_pointer and x_keyboard classes inheriting from x_device.
|
||||||
From Eamon Walsh.
|
From Eamon Walsh.
|
||||||
- Deprecated the userdom_xwindwos_client_template().
|
- Deprecated the userdom_xwindows_client_template().
|
||||||
- Misc Gentoo fixes from Corentin Labbe.
|
- Misc Gentoo fixes from Corentin Labbe.
|
||||||
- Debian policykit fixes from Martin Orr.
|
- Debian policykit fixes from Martin Orr.
|
||||||
- Fix unconfined_r use of unconfined_java_t.
|
- Fix unconfined_r use of unconfined_java_t.
|
||||||
@ -19,9 +20,11 @@
|
|||||||
kdump (Dan Walsh)
|
kdump (Dan Walsh)
|
||||||
modemmanager(Dan Walsh)
|
modemmanager(Dan Walsh)
|
||||||
nslcd (Dan Walsh)
|
nslcd (Dan Walsh)
|
||||||
|
puppet (Craig Grube)
|
||||||
rtkit (Dan Walsh)
|
rtkit (Dan Walsh)
|
||||||
seunshare (Dan Walsh)
|
seunshare (Dan Walsh)
|
||||||
shorewall (Dan Walsh)
|
shorewall (Dan Walsh)
|
||||||
|
tgtd (Matthew Ife)
|
||||||
tuned (Miroslav Grepl)
|
tuned (Miroslav Grepl)
|
||||||
xscreensaver (Corentin Labbe)
|
xscreensaver (Corentin Labbe)
|
||||||
|
|
||||||
|
@ -376,6 +376,7 @@ class system
|
|||||||
syslog_read
|
syslog_read
|
||||||
syslog_mod
|
syslog_mod
|
||||||
syslog_console
|
syslog_console
|
||||||
|
module_request
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
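Review bot: The new `module_request` permission in class system is introduced without any allow or dontaudit rule in this merge referencing it, so none of the visible hunks says which domains are expected to trigger kernel module autoloading once a kernel that enforces the check is in use. Because this permission gates a privileged operation the kernel performs on a domain's behalf, a short comment above the line naming the kernel feature it corresponds to would help the next reader, e.g. `# checked when a domain causes the kernel to autoload a module (presumably request_module) — TODO confirm kernel version`, and the grants should be confirmed to exist in a hunk not shown here. The class system definition starts outside the hunk.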
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(certwatch, 1.4.1)
|
policy_module(certwatch, 1.5.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
|
||||||
|
|
||||||
/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
|
/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
|
||||||
/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
|
/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
|
||||||
/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
|
/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kismet, 1.3.1)
|
policy_module(kismet, 1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -11,6 +11,9 @@ type kismet_exec_t;
|
|||||||
application_domain(kismet_t, kismet_exec_t)
|
application_domain(kismet_t, kismet_exec_t)
|
||||||
role system_r types kismet_t;
|
role system_r types kismet_t;
|
||||||
|
|
||||||
|
type kismet_home_t;
|
||||||
|
userdom_user_home_content(kismet_home_t)
|
||||||
|
|
||||||
type kismet_log_t;
|
type kismet_log_t;
|
||||||
logging_log_file(kismet_log_t)
|
logging_log_file(kismet_log_t)
|
||||||
|
|
||||||
@ -39,6 +42,11 @@ allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
|
|||||||
allow kismet_t self:unix_stream_socket create_stream_socket_perms;
|
allow kismet_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow kismet_t self:tcp_socket create_stream_socket_perms;
|
allow kismet_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
|
||||||
|
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
|
||||||
|
manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
|
||||||
|
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
|
||||||
|
|
||||||
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
||||||
allow kismet_t kismet_log_t:dir setattr;
|
allow kismet_t kismet_log_t:dir setattr;
|
||||||
logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
|
logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
|
||||||
|
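Review bot: `userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })` transitions every file and directory kismet_t creates directly under a user's home directory to kismet_home_t, not only the `.kismet` directory the accompanying file-context hunk covers, so other top-level files the daemon writes there (kismet_t is a system_r domain, per the previous hunk) would carry a label that a later relabel silently changes. If only the configuration directory is meant, narrow the transition to `dir` and drop `file`; otherwise add a comment stating which plain files kismet creates at the top of the home directory. A one-line comment such as `# ~/.kismet: per-user configuration` above the manage_*_pattern lines would also make the block self-explanatory.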
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mrtg, 1.7.1)
|
policy_module(mrtg, 1.8.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(portage, 1.8.1)
|
policy_module(portage, 1.9.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(prelink, 1.7.1)
|
policy_module(prelink, 1.8.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(readahead, 1.9.1)
|
policy_module(readahead, 1.10.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -19,6 +19,8 @@ application_domain(tzdata_t, tzdata_exec_t)
|
|||||||
files_read_etc_files(tzdata_t)
|
files_read_etc_files(tzdata_t)
|
||||||
files_search_spool(tzdata_t)
|
files_search_spool(tzdata_t)
|
||||||
|
|
||||||
|
fs_getattr_xattr_fs(tzdata_t)
|
||||||
|
|
||||||
term_dontaudit_list_ptys(tzdata_t)
|
term_dontaudit_list_ptys(tzdata_t)
|
||||||
|
|
||||||
locallogin_dontaudit_use_fds(tzdata_t)
|
locallogin_dontaudit_use_fds(tzdata_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(usermanage, 1.13.1)
|
policy_module(usermanage, 1.14.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -242,6 +242,10 @@ optional_policy(`
|
|||||||
nscd_domtrans(groupadd_t)
|
nscd_domtrans(groupadd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
puppet_rw_tmp(groupadd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_use_fds(groupadd_t)
|
rpm_use_fds(groupadd_t)
|
||||||
rpm_rw_pipes(groupadd_t)
|
rpm_rw_pipes(groupadd_t)
|
||||||
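Review bot: `puppet_rw_tmp(groupadd_t)` gives a setuid-capable account-management domain read/write access to puppet's temporary files with no comment saying why; the same addition appears for `useradd_t` in the next hunk. Since groupadd_t and useradd_t modify the system account databases, a reviewer will want to know whether this is only for inherited temp-file descriptors, in which case a narrower use-fds style interface may suffice (confirm against the puppet interface file), or for actual file content. Suggest a comment above the block, e.g. `# puppet runs groupadd with its tmp files on stdin/stdout — TODO confirm`. The enclosing optional_policy chain begins outside the hunk.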
@ -520,6 +524,10 @@ optional_policy(`
|
|||||||
nscd_domtrans(useradd_t)
|
nscd_domtrans(useradd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
puppet_rw_tmp(useradd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_use_fds(useradd_t)
|
rpm_use_fds(useradd_t)
|
||||||
rpm_rw_pipes(useradd_t)
|
rpm_rw_pipes(useradd_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(vpn, 1.11.1)
|
policy_module(vpn, 1.12.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(awstats, 1.1.1)
|
policy_module(awstats, 1.2.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(calamaris, 1.5.0)
|
policy_module(calamaris, 1.5.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -59,12 +59,12 @@ files_read_etc_runtime_files(calamaris_t)
|
|||||||
|
|
||||||
libs_read_lib_files(calamaris_t)
|
libs_read_lib_files(calamaris_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(calamaris_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(calamaris_t)
|
logging_send_syslog_msg(calamaris_t)
|
||||||
|
|
||||||
miscfiles_read_localization(calamaris_t)
|
miscfiles_read_localization(calamaris_t)
|
||||||
|
|
||||||
sysnet_read_config(calamaris_t)
|
|
||||||
|
|
||||||
userdom_dontaudit_list_user_home_dirs(calamaris_t)
|
userdom_dontaudit_list_user_home_dirs(calamaris_t)
|
||||||
|
|
||||||
squid_read_log(calamaris_t)
|
squid_read_log(calamaris_t)
|
||||||
@ -80,7 +80,3 @@ optional_policy(`
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
mta_send_mail(calamaris_t)
|
mta_send_mail(calamaris_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
nis_use_ypbind(calamaris_t)
|
|
||||||
')
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cdrecord, 2.1.1)
|
policy_module(cdrecord, 2.2.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cpufreqselector, 1.0.1)
|
policy_module(cpufreqselector, 1.1.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(gpg, 2.1.1)
|
policy_module(gpg, 2.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -104,11 +104,36 @@ files_dontaudit_search_var(gpg_t)
|
|||||||
|
|
||||||
auth_use_nsswitch(gpg_t)
|
auth_use_nsswitch(gpg_t)
|
||||||
|
|
||||||
miscfiles_read_localization(gpg_t)
|
|
||||||
|
|
||||||
logging_send_syslog_msg(gpg_t)
|
logging_send_syslog_msg(gpg_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(gpg_t)
|
||||||
|
|
||||||
userdom_use_user_terminals(gpg_t)
|
userdom_use_user_terminals(gpg_t)
|
||||||
|
# sign/encrypt user files
|
||||||
|
userdom_manage_user_tmp_files(gpg_t)
|
||||||
|
userdom_manage_user_home_content_files(gpg_t)
|
||||||
|
|
||||||
|
mta_write_config(gpg_t)
|
||||||
|
|
||||||
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
fs_manage_nfs_dirs(gpg_t)
|
||||||
|
fs_manage_nfs_files(gpg_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
|
fs_manage_cifs_dirs(gpg_t)
|
||||||
|
fs_manage_cifs_files(gpg_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
xserver_use_xdm_fds(gpg_t)
|
||||||
|
xserver_rw_xdm_pipes(gpg_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cron_system_entry(gpg_t, gpg_exec_t)
|
||||||
|
cron_read_system_job_tmp_files(gpg_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
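Review bot: `cron_system_entry(gpg_t, gpg_exec_t)` makes gpg_t an entry point for system cron jobs, while the same hunk grants gpg_t `userdom_manage_user_home_content_files`, `userdom_manage_user_tmp_files` and `mta_write_config`; a root cron job entering gpg_t therefore inherits the ability to manage every user's home content, a much larger scope than the interactive per-user use the domain was written for (`userdom_use_user_terminals`). Confirm that is intended, and if a cron-driven gpg only needs its own keyring and the job's temp files, a dedicated cron domain would keep the two uses apart. In any case the two non-obvious grants need comments: `mta_write_config(gpg_t)` has nothing explaining what gpg writes to mail configuration, and the cron block would benefit from `# system cron jobs run gpg in gpg_t — TODO name the job`. The gpg_t section starts outside the hunk.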
@ -146,23 +171,13 @@ files_read_etc_files(gpg_helper_t)
|
|||||||
auth_use_nsswitch(gpg_helper_t)
|
auth_use_nsswitch(gpg_helper_t)
|
||||||
|
|
||||||
userdom_use_user_terminals(gpg_helper_t)
|
userdom_use_user_terminals(gpg_helper_t)
|
||||||
# sign/encrypt user files
|
|
||||||
userdom_manage_user_tmp_files(gpg_t)
|
|
||||||
userdom_manage_user_home_content_files(gpg_t)
|
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(gpg_t)
|
fs_dontaudit_rw_nfs_files(gpg_helper_t)
|
||||||
fs_manage_nfs_files(gpg_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_samba_home_dirs',`
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
fs_manage_cifs_dirs(gpg_t)
|
fs_dontaudit_rw_cifs_files(gpg_helper_t)
|
||||||
fs_manage_cifs_files(gpg_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
xserver_use_xdm_fds(gpg_t)
|
|
||||||
xserver_rw_xdm_pipes(gpg_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(java, 2.1.1)
|
policy_module(java, 2.2.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -45,6 +45,12 @@ interface(`mozilla_role',`
|
|||||||
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
|
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||||
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||||
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
||||||
|
|
||||||
|
mozilla_dbus_chat($2)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
pulseaudio_role($1, mozilla_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
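Review bot: `pulseaudio_role($1, mozilla_t)` passes the browser domain rather than the template's user domain `$2` as the second argument, with no comment on why; if that parameter is the domain that transitions into pulseaudio_t (as the interface name suggests), this is deliberate and worth stating, but if the interface expects the role's user domain the call should read `pulseaudio_role($1, $2)`. A comment such as `# browser spawns its own pulseaudio; the role gets pulseaudio_t via mozilla_t — TODO confirm` above the optional block would settle it. `mozilla_role` itself begins outside the hunk.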
@ -64,6 +70,7 @@ interface(`mozilla_read_user_home_files',`
|
|||||||
|
|
||||||
allow $1 mozilla_home_t:dir list_dir_perms;
|
allow $1 mozilla_home_t:dir list_dir_perms;
|
||||||
allow $1 mozilla_home_t:file read_file_perms;
|
allow $1 mozilla_home_t:file read_file_perms;
|
||||||
|
allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
|
||||||
userdom_search_user_home_dirs($1)
|
userdom_search_user_home_dirs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -86,6 +93,43 @@ interface(`mozilla_write_user_home_files',`
|
|||||||
userdom_search_user_home_dirs($1)
|
userdom_search_user_home_dirs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Dontaudit attempts to read/write mozilla home directory content
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mozilla_dontaudit_rw_user_home_files',`
|
||||||
|
gen_require(`
|
||||||
|
type mozilla_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 mozilla_home_t:file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Dontaudit attempts to write mozilla home directory content
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mozilla_dontaudit_manage_user_home_files',`
|
||||||
|
gen_require(`
|
||||||
|
type mozilla_home_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 mozilla_home_t:dir manage_dir_perms;
|
||||||
|
dontaudit $1 mozilla_home_t:file manage_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Run mozilla in the mozilla domain.
|
## Run mozilla in the mozilla domain.
|
||||||
|
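Review bot: The summary of `mozilla_dontaudit_manage_user_home_files` says "Dontaudit attempts to write mozilla home directory content" but the body dontaudits `manage_dir_perms` and `manage_file_perms`, which also cover create, unlink and rename; an operator reading the interface documentation when deciding whether to use it (seunshare_t does, later in this merge) would underestimate which denials disappear from the audit log. Change the summary to `## Dontaudit attempts to manage mozilla home directory content`, and for symmetry make `mozilla_dontaudit_rw_user_home_files` say it covers files only, since it has no dir rule. Both interfaces are complete within the hunk.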
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mozilla, 2.1.0)
|
policy_module(mozilla, 2.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -59,6 +59,7 @@ manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
|||||||
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
||||||
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
||||||
userdom_search_user_home_dirs(mozilla_t)
|
userdom_search_user_home_dirs(mozilla_t)
|
||||||
|
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
|
||||||
|
|
||||||
# Mozpluggerrc
|
# Mozpluggerrc
|
||||||
allow mozilla_t mozilla_conf_t:file read_file_perms;
|
allow mozilla_t mozilla_conf_t:file read_file_perms;
|
||||||
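Review bot: `userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)` is not name-restricted, so any directory the browser creates directly in the home directory (a download target, for example) becomes mozilla_home_t and then falls under mozilla's manage rules and under the new dontaudit interfaces added in this merge; presumably only the profile directories the file contexts cover are intended. If the policy language in use here cannot filter the transition by name, state the trade-off in a comment, e.g. `# any dir mozilla creates at the top of $HOME is labelled mozilla_home_t (no name-based transition available)`.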
@ -97,6 +98,7 @@ corenet_tcp_connect_http_cache_port(mozilla_t)
|
|||||||
corenet_tcp_connect_ftp_port(mozilla_t)
|
corenet_tcp_connect_ftp_port(mozilla_t)
|
||||||
corenet_tcp_connect_ipp_port(mozilla_t)
|
corenet_tcp_connect_ipp_port(mozilla_t)
|
||||||
corenet_tcp_connect_generic_port(mozilla_t)
|
corenet_tcp_connect_generic_port(mozilla_t)
|
||||||
|
corenet_tcp_connect_soundd_port(mozilla_t)
|
||||||
corenet_sendrecv_http_client_packets(mozilla_t)
|
corenet_sendrecv_http_client_packets(mozilla_t)
|
||||||
corenet_sendrecv_http_cache_client_packets(mozilla_t)
|
corenet_sendrecv_http_cache_client_packets(mozilla_t)
|
||||||
corenet_sendrecv_ftp_client_packets(mozilla_t)
|
corenet_sendrecv_ftp_client_packets(mozilla_t)
|
||||||
@ -114,6 +116,8 @@ dev_read_sound(mozilla_t)
|
|||||||
dev_dontaudit_rw_dri(mozilla_t)
|
dev_dontaudit_rw_dri(mozilla_t)
|
||||||
dev_getattr_sysfs_dirs(mozilla_t)
|
dev_getattr_sysfs_dirs(mozilla_t)
|
||||||
|
|
||||||
|
domain_dontaudit_read_all_domains_state(mozilla_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(mozilla_t)
|
files_read_etc_runtime_files(mozilla_t)
|
||||||
files_read_usr_files(mozilla_t)
|
files_read_usr_files(mozilla_t)
|
||||||
files_read_etc_files(mozilla_t)
|
files_read_etc_files(mozilla_t)
|
||||||
@ -231,6 +235,10 @@ optional_policy(`
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(mozilla_t)
|
dbus_system_bus_client(mozilla_t)
|
||||||
dbus_session_bus_client(mozilla_t)
|
dbus_session_bus_client(mozilla_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
networkmanager_dbus_chat(mozilla_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(podsleuth, 1.2.0)
|
policy_module(podsleuth, 1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -71,6 +71,8 @@ miscfiles_read_localization(podsleuth_t)
|
|||||||
|
|
||||||
sysnet_dns_name_resolve(podsleuth_t)
|
sysnet_dns_name_resolve(podsleuth_t)
|
||||||
|
|
||||||
|
userdom_signal_unpriv_users(podsleuth_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(podsleuth_t)
|
dbus_system_bus_client(podsleuth_t)
|
||||||
|
|
||||||
|
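Review bot: `userdom_signal_unpriv_users(podsleuth_t)` lets a system daemon deliver signals to every unprivileged user domain with no comment on why; `signal` includes termination signals, so a compromised podsleuth_t could terminate processes in arbitrary user sessions. If the daemon only needs to test for a process's existence or to wake one specific helper, a narrower signull-style userdom interface would be preferable (confirm one exists in this tree); otherwise add a comment such as `# signals the user's media helper — TODO confirm which process and which signal`.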
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(pulseaudio, 1.0.1)
|
policy_module(pulseaudio, 1.1.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(qemu, 1.2.1)
|
policy_module(qemu, 1.3.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -80,6 +80,11 @@ template(`screen_role_template',`
|
|||||||
relabel_files_pattern($3, screen_home_t, screen_home_t)
|
relabel_files_pattern($3, screen_home_t, screen_home_t)
|
||||||
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
|
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
|
||||||
|
|
||||||
|
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
|
||||||
|
manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
|
||||||
|
manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
|
||||||
|
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
|
||||||
|
|
||||||
kernel_read_system_state($1_screen_t)
|
kernel_read_system_state($1_screen_t)
|
||||||
kernel_read_kernel_sysctls($1_screen_t)
|
kernel_read_kernel_sysctls($1_screen_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(screen, 2.1.1)
|
policy_module(screen, 2.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -41,6 +41,14 @@ interface(`seunshare_run',`
|
|||||||
|
|
||||||
seunshare_domtrans($1)
|
seunshare_domtrans($1)
|
||||||
role $2 types seunshare_t;
|
role $2 types seunshare_t;
|
||||||
|
|
||||||
|
allow $1 seunshare_t:process signal_perms;
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms', `
|
||||||
|
dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
|
||||||
|
dontaudit seunshare_t $1:udp_socket rw_socket_perms;
|
||||||
|
dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(seunshare, 1.0.0)
|
policy_module(seunshare, 1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -16,7 +16,7 @@ role system_r types seunshare_t;
|
|||||||
# seunshare local policy
|
# seunshare local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow seunshare_t self:capability setpcap;
|
allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
|
||||||
allow seunshare_t self:process { setexec signal getcap setcap };
|
allow seunshare_t self:process { setexec signal getcap setcap };
|
||||||
|
|
||||||
allow seunshare_t self:fifo_file rw_file_perms;
|
allow seunshare_t self:fifo_file rw_file_perms;
|
||||||
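Review bot: Widening `seunshare_t self:capability` from `setpcap` to `{ setuid dac_override setpcap sys_admin }` is a large change for a domain that user domains enter through `seunshare_run` (earlier hunk), and the line carries no comment saying which operation needs each capability. `sys_admin` and `dac_override` are close to unrestricted root from the kernel's point of view, so a per-capability note lets the next reviewer check they are still needed, e.g. `# sys_admin: mount private polyinstantiated dirs (see files_mounton_all_poly_members); setuid: drop to the caller's uid; dac_override: TODO confirm`. Type enforcement still bounds what the domain can reach, but the capability set decides how much of the DAC layer those allow rules can bypass.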
@ -30,6 +30,16 @@ files_mounton_all_poly_members(seunshare_t)
|
|||||||
|
|
||||||
auth_use_nsswitch(seunshare_t)
|
auth_use_nsswitch(seunshare_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(seunshare_t)
|
||||||
|
|
||||||
miscfiles_read_localization(seunshare_t)
|
miscfiles_read_localization(seunshare_t)
|
||||||
|
|
||||||
userdom_use_user_terminals(seunshare_t)
|
userdom_use_user_terminals(seunshare_t)
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms', `
|
||||||
|
fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mozilla_dontaudit_manage_user_home_files(seunshare_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(vmware, 2.1.1)
|
policy_module(vmware, 2.2.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(webalizer, 1.9.1)
|
policy_module(webalizer, 1.10.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(wireshark, 2.0.1)
|
policy_module(wireshark, 2.1.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -54,6 +54,8 @@ ifdef(`distro_redhat',`
|
|||||||
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
|
/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
|
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -123,8 +125,9 @@ ifdef(`distro_gentoo',`
|
|||||||
#
|
#
|
||||||
/sbin -d gen_context(system_u:object_r:bin_t,s0)
|
/sbin -d gen_context(system_u:object_r:bin_t,s0)
|
||||||
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
|
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
|
||||||
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
|
|
||||||
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
|
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
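Review bot: `/sbin/nologin -- shell_exec_t` labels a program whose purpose is to refuse logins as a shell, with no comment explaining why; presumably it is so that login domains allowed to execute shells can run it for accounts whose shell is nologin, but a reader could equally take it for a mislabel. A one-line comment above it, `# nologin is installed as a login shell; label it so login domains may exec it`, would make the intent explicit.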
@ -135,7 +138,6 @@ ifdef(`distro_gentoo',`
|
|||||||
|
|
||||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -211,6 +213,8 @@ ifdef(`distro_gentoo',`
|
|||||||
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
@ -220,7 +224,10 @@ ifdef(`distro_gentoo',`
|
|||||||
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
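Review bot: `/usr/share/sandbox/sandboxX.sh` leaves the dot unescaped, so the regex also matches names such as `sandboxXYsh`, while the neighbouring entries escape it (`\.py`, `\.sh`); change the line to `/usr/share/sandbox/sandboxX\.sh -- gen_context(system_u:object_r:bin_t,s0)`. The new `/usr/share/smolt/client(/.*)?` entry is also inserted between the selinux and shorewall lines, breaking the sort order the file otherwise keeps, and in the previous hunk `/usr/share/cluster/.*\.sh` omits the `--` file-type specifier its neighbours use.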
@ -263,6 +270,7 @@ ifdef(`distro_redhat', `
|
|||||||
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
|
/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
|
||||||
|
@ -447,7 +447,7 @@ interface(`corecmd_bin_domtrans',`
|
|||||||
type bin_t;
|
type bin_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
corecmd_bin_spec_domtrans($1,$2)
|
corecmd_bin_spec_domtrans($1, $2)
|
||||||
type_transition $1 bin_t:process $2;
|
type_transition $1 bin_t:process $2;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corecommands, 1.12.0)
|
policy_module(corecommands, 1.12.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corenetwork, 1.12.1)
|
policy_module(corenetwork, 1.13.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
|||||||
network_port(printer, tcp,515,s0)
|
network_port(printer, tcp,515,s0)
|
||||||
network_port(ptal, tcp,5703,s0)
|
network_port(ptal, tcp,5703,s0)
|
||||||
network_port(pulseaudio, tcp,4713,s0)
|
network_port(pulseaudio, tcp,4713,s0)
|
||||||
|
network_port(puppet, tcp, 8140, s0)
|
||||||
network_port(pxe, udp,4011,s0)
|
network_port(pxe, udp,4011,s0)
|
||||||
network_port(pyzor, udp,24441,s0)
|
network_port(pyzor, udp,24441,s0)
|
||||||
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||||
|
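Review bot: `network_port(puppet, tcp, 8140, s0)` uses spaces after the commas while every neighbouring declaration is written `tcp,NNNN,s0`; match the file's form, `network_port(puppet, tcp,8140,s0)`. It is also worth confirming that the puppet module this merge adds (per the Changelog hunk) actually references the resulting port type, since a port type with no consumer is dead policy.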
@ -47,8 +47,10 @@
|
|||||||
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||||
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
||||||
/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
|
/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
|
||||||
|
/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0)
|
||||||
/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
|
/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
|
||||||
/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
|
/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
|
||||||
|
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
|
||||||
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||||
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||||
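Review bot: The new contexts reference `ksm_device_t` and `lirc_device_t` (and `wireless_device_t` two hunks below), none of which is declared in any hunk shown here; if the matching `type` declarations are missing from the device module the file-context build will fail, and if they exist the corresponding access interfaces should be part of this merge as well. Confirm the declarations are present. Note also that `/dev/lirc[0-9]+` gets its own type while `/dev/lircm` stays mouse_device_t, which is intentional only if the latter is the mouse-emulation node; a comment on the new line would help, e.g. `# lircm remains a mouse device; only the raw receiver nodes are lirc_device_t — TODO confirm`.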
@ -61,10 +63,12 @@
|
|||||||
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
|
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||||
|
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
|
||||||
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||||
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||||
/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||||
|
/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
|
||||||
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||||
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
|
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
|
||||||
@ -82,6 +86,7 @@
|
|||||||
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||||
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
|
/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0)
|
||||||
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
|
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||||
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
@ -101,7 +106,8 @@ ifdef(`distro_suse', `
|
|||||||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||||
')
|
')
|
||||||
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
|
/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
|
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
|
||||||
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
|
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
|
||||||
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
@ -168,6 +174,7 @@ ifdef(`distro_gentoo',`
|
|||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
# originally from named.fc
|
# originally from named.fc
|
||||||
|
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
|
||||||
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||||
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||||
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||||
|
@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',`
|
|||||||
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
|
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
|
||||||
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
||||||
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
||||||
relabel_blk_files_pattern($1, device_t,{ device_t device_node })
|
relabel_blk_files_pattern($1, device_t, { device_t device_node })
|
||||||
relabel_chr_files_pattern($1, device_t,{ device_t device_node })
|
relabel_chr_files_pattern($1, device_t, { device_t device_node })
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1690,6 +1690,78 @@ interface(`dev_read_kmsg',`
|
|||||||
read_chr_files_pattern($1, device_t, kmsg_device_t)
|
read_chr_files_pattern($1, device_t, kmsg_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of the ksm devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_getattr_ksm_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, ksm_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
getattr_chr_files_pattern($1, device_t, ksm_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes of the ksm devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_setattr_ksm_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, ksm_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
setattr_chr_files_pattern($1, device_t, ksm_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read the ksm devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_read_ksm',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, ksm_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_chr_files_pattern($1, device_t, ksm_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write to ksm devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_rw_ksm',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, ksm_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_chr_files_pattern($1, device_t, ksm_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of the kvm devices.
|
## Get the attributes of the kvm devices.
|
||||||
@ -1762,6 +1834,61 @@ interface(`dev_rw_kvm',`
|
|||||||
rw_chr_files_pattern($1, device_t, kvm_device_t)
|
rw_chr_files_pattern($1, device_t, kvm_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Read the lirc device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_read_lirc',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, lirc_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_chr_files_pattern($1, device_t, lirc_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write the lirc device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_rw_lirc',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, lirc_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_chr_files_pattern($1, device_t, lirc_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Automatic type transition to the type
|
||||||
|
## for lirc device nodes when created in /dev.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_filetrans_lirc',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, lirc_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
filetrans_pattern($1, device_t, lirc_device_t, chr_file)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read the lvm comtrol device.
|
## Read the lvm comtrol device.
|
||||||
@ -1798,6 +1925,24 @@ interface(`dev_rw_lvm_control',`
|
|||||||
rw_chr_files_pattern($1, device_t, lvm_control_t)
|
rw_chr_files_pattern($1, device_t, lvm_control_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read and write lvm control device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_dontaudit_rw_lvm_control',`
|
||||||
|
gen_require(`
|
||||||
|
type lvm_control_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 lvm_control_t:chr_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Delete the lvm control device.
|
## Delete the lvm control device.
|
||||||
@ -2044,6 +2189,78 @@ interface(`dev_dontaudit_rw_misc',`
|
|||||||
dontaudit $1 misc_device_t:chr_file rw_file_perms;
|
dontaudit $1 misc_device_t:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of the modem devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_getattr_modem_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, modem_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
getattr_chr_files_pattern($1, device_t, modem_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes of the modem devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_setattr_modem_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, modem_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
setattr_chr_files_pattern($1, device_t, modem_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read the modem devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_read_modem',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, modem_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_chr_files_pattern($1, device_t, modem_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write to modem devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_rw_modem',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, modem_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_chr_files_pattern($1, device_t, modem_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of the mouse devices.
|
## Get the attributes of the mouse devices.
|
||||||
@ -2303,6 +2520,24 @@ interface(`dev_setattr_null_dev',`
|
|||||||
setattr_chr_files_pattern($1, device_t, null_device_t)
|
setattr_chr_files_pattern($1, device_t, null_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Delete the null device (/dev/null).
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_delete_null',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, null_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
delete_chr_files_pattern($1, device_t, null_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write to the null device (/dev/null).
|
## Read and write to the null device (/dev/null).
|
||||||
@ -3597,6 +3832,24 @@ interface(`dev_write_watchdog',`
|
|||||||
write_chr_files_pattern($1, device_t, watchdog_device_t)
|
write_chr_files_pattern($1, device_t, watchdog_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write the the wireless device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_rw_wireless',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, wireless_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_chr_files_pattern($1, device_t, wireless_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write Xen devices.
|
## Read and write Xen devices.
|
||||||
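Review bot: The summary of the new dev_rw_wireless interface at the end of this hunk has a duplicated word, `## Read and write the the wireless device.`; since the devices.fc hunk in this same commit assigns wireless_device_t to /dev/rfkill only, I would write it as `## Read and write the wireless control device (/dev/rfkill).` so the reader knows which node the interface actually reaches. The three lirc interfaces (dev_read_lirc, dev_rw_lirc, dev_filetrans_lirc) also open with a `######################################` banner that appears two characters shorter than the 40-character banner used by every neighbouring interface in this file; they should match. Everything else in these hunks follows the existing getattr/setattr/read/rw pattern of the kvm and misc blocks, which is the right shape.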
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(devices, 1.8.2)
|
policy_module(devices, 1.9.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -83,6 +83,12 @@ dev_node(ipmi_device_t)
|
|||||||
type kmsg_device_t;
|
type kmsg_device_t;
|
||||||
dev_node(kmsg_device_t)
|
dev_node(kmsg_device_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# ksm_device_t is the type of /dev/ksm
|
||||||
|
#
|
||||||
|
type ksm_device_t;
|
||||||
|
dev_node(ksm_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# kvm_device_t is the type of
|
# kvm_device_t is the type of
|
||||||
# /dev/kvm
|
# /dev/kvm
|
||||||
@ -90,6 +96,12 @@ dev_node(kmsg_device_t)
|
|||||||
type kvm_device_t;
|
type kvm_device_t;
|
||||||
dev_node(kvm_device_t)
|
dev_node(kvm_device_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Type for /dev/lirc
|
||||||
|
#
|
||||||
|
type lirc_device_t;
|
||||||
|
dev_node(lirc_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Type for /dev/mapper/control
|
# Type for /dev/mapper/control
|
||||||
#
|
#
|
||||||
@ -109,6 +121,12 @@ neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_f
|
|||||||
type misc_device_t;
|
type misc_device_t;
|
||||||
dev_node(misc_device_t)
|
dev_node(misc_device_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# A general type for modem devices.
|
||||||
|
#
|
||||||
|
type modem_device_t;
|
||||||
|
dev_node(modem_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# A more general type for mouse devices.
|
# A more general type for mouse devices.
|
||||||
#
|
#
|
||||||
@ -224,6 +242,12 @@ dev_node(vmware_device_t)
|
|||||||
type watchdog_device_t;
|
type watchdog_device_t;
|
||||||
dev_node(watchdog_device_t)
|
dev_node(watchdog_device_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# wireless control devices
|
||||||
|
#
|
||||||
|
type wireless_device_t;
|
||||||
|
dev_node(wireless_device_t)
|
||||||
|
|
||||||
type xen_device_t;
|
type xen_device_t;
|
||||||
dev_node(xen_device_t)
|
dev_node(xen_device_t)
|
||||||
|
|
||||||
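Review bot: The new wireless_device_t declaration is commented only as `# wireless control devices`, whereas the ksm and lirc blocks added in the same hunks name the device node they cover (`# ksm_device_t is the type of /dev/ksm`, `# Type for /dev/lirc`); the devices.fc change in this commit labels exactly one path, /dev/rfkill, with this type, so the comment should say `# wireless_device_t is the type of /dev/rfkill`. The same applies to modem_device_t, commented `# A general type for modem devices.` while the file contexts added here are /dev/modem and /dev/noz.*; naming them next to the type makes it clear what a future node has to resemble before it is put under this type rather than under misc_device_t. These are documentation-only changes; the dev_node() calls themselves look correct.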
|
@ -110,7 +110,11 @@ interface(`files_pid_file',`
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`files_config_file',`
|
interface(`files_config_file',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
files_type($1)
|
files_type($1)
|
||||||
|
typeattribute $1 configfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1150,6 +1154,102 @@ interface(`files_unmount_all_file_type_fs',`
|
|||||||
allow $1 file_type:filesystem unmount;
|
allow $1 file_type:filesystem unmount;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#############################################
|
||||||
|
## <summary>
|
||||||
|
## Manage all configuration directories on filesystem
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of domain performing this action
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_manage_config_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
|
#########################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel configuration directories
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Type of domain performing this action
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_relabel_config_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
relabel_dirs_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read config files in /etc.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_read_config_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 configfile:dir list_dir_perms;
|
||||||
|
read_files_pattern($1, configfile, configfile)
|
||||||
|
read_lnk_files_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage all configuration files on filesystem
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of domain performing this action
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_manage_config_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel configuration files
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Type of domain performing this action
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_relabel_config_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
relabel_files_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a filesystem on all mount points.
|
## Mount a filesystem on all mount points.
|
||||||
@ -1485,6 +1585,25 @@ interface(`files_boot_filetrans',`
|
|||||||
filetrans_pattern($1, boot_t, $2, $3)
|
filetrans_pattern($1, boot_t, $2, $3)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## read files in the /boot directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`files_read_boot_files',`
|
||||||
|
gen_require(`
|
||||||
|
type boot_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, boot_t, boot_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete files
|
## Create, read, write, and delete files
|
||||||
@ -1713,6 +1832,25 @@ interface(`files_dontaudit_list_default',`
|
|||||||
dontaudit $1 default_t:dir list_dir_perms;
|
dontaudit $1 default_t:dir list_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete directories with
|
||||||
|
## the default file type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_manage_default_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type default_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, default_t, default_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a filesystem on a directory with the default file type.
|
## Mount a filesystem on a directory with the default file type.
|
||||||
@ -1787,6 +1925,25 @@ interface(`files_dontaudit_read_default_files',`
|
|||||||
dontaudit $1 default_t:file read_file_perms;
|
dontaudit $1 default_t:file read_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete files with
|
||||||
|
## the default file type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_manage_default_files',`
|
||||||
|
gen_require(`
|
||||||
|
type default_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, default_t, default_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read symbolic links with the default file type.
|
## Read symbolic links with the default file type.
|
||||||
@ -1913,6 +2070,25 @@ interface(`files_rw_etc_dirs',`
|
|||||||
allow $1 etc_t:dir rw_dir_perms;
|
allow $1 etc_t:dir rw_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
##########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage generic directories in /etc
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_manage_etc_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type etc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, etc_t, etc_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read generic files in /etc.
|
## Read generic files in /etc.
|
||||||
@ -3390,6 +3566,24 @@ interface(`files_setattr_all_tmp_dirs',`
|
|||||||
allow $1 tmpfile:dir { search_dir_perms setattr };
|
allow $1 tmpfile:dir { search_dir_perms setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List all tmp directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_list_all_tmp',`
|
||||||
|
gen_require(`
|
||||||
|
attribute tmpfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 tmpfile:dir list_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
@ -4222,6 +4416,24 @@ interface(`files_list_var_lib',`
|
|||||||
list_dirs_pattern($1, var_t, var_lib_t)
|
list_dirs_pattern($1, var_t, var_lib_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
## <summary>
|
||||||
|
## Read-write /var/lib directories
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_rw_var_lib_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_dirs_pattern($1, var_lib_t, var_lib_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create objects in the /var/lib directory
|
## Create objects in the /var/lib directory
|
||||||
@ -4955,7 +5167,7 @@ interface(`files_polyinstantiate_all',`
|
|||||||
selinux_compute_member($1)
|
selinux_compute_member($1)
|
||||||
|
|
||||||
# Need sys_admin capability for mounting
|
# Need sys_admin capability for mounting
|
||||||
allow $1 self:capability { chown fsetid sys_admin };
|
allow $1 self:capability { chown fsetid sys_admin fowner };
|
||||||
|
|
||||||
# Need to give access to the directories to be polyinstantiated
|
# Need to give access to the directories to be polyinstantiated
|
||||||
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
|
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
|
||||||
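Review bot: files_read_boot_files is summarized as `## read files in the /boot directory.` and tagged `<rolecap/>`, but its body is `manage_files_pattern($1, boot_t, boot_t)`, which grants create, write, rename and unlink on kernels, initrds and bootloader files to every role that picks the interface up; a caller asking for read access should not silently receive write access to /boot. The body should be `read_files_pattern($1, boot_t, boot_t)` (and the summary capitalized, `## Read files in the /boot directory.`); if a manage variant is really wanted it belongs under a files_manage_boot_files name. A smaller documentation point in the same file: files_read_config_files is summarized as `## Read config files in /etc.`, yet its rules are on the configfile attribute, so it reads every type any module marks with files_config_file(), not only /etc; the summary should say "all configuration file types" so callers understand the scope they are granting.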
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(files, 1.12.0)
|
policy_module(files, 1.12.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -11,6 +11,7 @@ attribute files_unconfined_type;
|
|||||||
attribute lockfile;
|
attribute lockfile;
|
||||||
attribute mountpoint;
|
attribute mountpoint;
|
||||||
attribute pidfile;
|
attribute pidfile;
|
||||||
|
attribute configfile;
|
||||||
|
|
||||||
# For labeling types that are to be polyinstantiated
|
# For labeling types that are to be polyinstantiated
|
||||||
attribute polydir;
|
attribute polydir;
|
||||||
@ -52,7 +53,7 @@ files_mountpoint(default_t)
|
|||||||
#
|
#
|
||||||
# etc_t is the type of the system etc directories.
|
# etc_t is the type of the system etc directories.
|
||||||
#
|
#
|
||||||
type etc_t;
|
type etc_t, configfile;
|
||||||
files_type(etc_t)
|
files_type(etc_t)
|
||||||
# compatibility aliases for removed types:
|
# compatibility aliases for removed types:
|
||||||
typealias etc_t alias automount_etc_t;
|
typealias etc_t alias automount_etc_t;
|
||||||
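Review bot: The new `attribute configfile;` carries no comment, unlike the neighbouring `# For labeling types that are to be polyinstantiated`, and the second hunk quietly adds etc_t to it with `type etc_t, configfile;`. Because the files_manage_config_files and files_manage_config_dirs interfaces this commit adds in files.if operate on the whole attribute, putting etc_t on it means any caller of those interfaces gains write access to generic /etc content in addition to module-specific configuration types, which is a consequence worth stating at the declaration rather than leaving to be discovered in an audit. Suggested comment above the attribute: `# Types holding system configuration. etc_t is a member, so the files_*_config_* interfaces reach generic /etc content as well.`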
|
@ -1 +1 @@
|
|||||||
# This module currently does not have any file contexts.
|
/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
|
||||||
|
@ -308,6 +308,26 @@ interface(`fs_rw_anon_inodefs_files',`
|
|||||||
rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
|
rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read or write files on
|
||||||
|
## anon_inodefs file systems.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_dontaudit_rw_anon_inodefs_files',`
|
||||||
|
gen_require(`
|
||||||
|
type anon_inodefs_t;
|
||||||
|
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 anon_inodefs_t:file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount an automount pseudo filesystem.
|
## Mount an automount pseudo filesystem.
|
||||||
@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',`
|
|||||||
domain_auto_transition_pattern($1, cifs_t, $2)
|
domain_auto_transition_pattern($1, cifs_t, $2)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete dirs
|
||||||
|
## on a configfs filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_manage_configfs_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type configfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, configfs_t, configfs_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete files
|
||||||
|
## on a configfs filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_manage_configfs_files',`
|
||||||
|
gen_require(`
|
||||||
|
type configfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, configfs_t, configfs_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a DOS filesystem, such as
|
## Mount a DOS filesystem, such as
|
||||||
@ -1535,6 +1593,24 @@ interface(`fs_rw_hugetlbfs_files',`
|
|||||||
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
|
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the type to associate to hugetlbfs filesystems.
|
||||||
|
## </summary>
|
||||||
|
## <param name="type">
|
||||||
|
## <summary>
|
||||||
|
## The type of the object to be associated.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_associate_hugetlbfs',`
|
||||||
|
gen_require(`
|
||||||
|
type hugetlbfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 hugetlbfs_t:filesystem associate;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search inotifyfs filesystem.
|
## Search inotifyfs filesystem.
|
||||||
@ -2540,6 +2616,42 @@ interface(`fs_search_nfsd_fs',`
|
|||||||
allow $1 nfsd_fs_t:dir search_dir_perms;
|
allow $1 nfsd_fs_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## List NFS server directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_list_nfsd_fs',`
|
||||||
|
gen_require(`
|
||||||
|
type nfsd_fs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 nfsd_fs_t:dir list_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Getattr files on an nfsd filesystem
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_getattr_nfsd_files',`
|
||||||
|
gen_require(`
|
||||||
|
type nfsd_fs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write NFS server files.
|
## Read and write NFS server files.
|
||||||
@ -3570,6 +3682,104 @@ interface(`fs_manage_tmpfs_blk_files',`
|
|||||||
manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
|
manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Mount a XENFS filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_mount_xenfs',`
|
||||||
|
gen_require(`
|
||||||
|
type xenfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 xenfs_t:filesystem mount;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete directories
|
||||||
|
## on a XENFS filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`fs_manage_xenfs_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type xenfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 xenfs_t:dir manage_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to create, read,
|
||||||
|
## write, and delete directories
|
||||||
|
## on a XENFS filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_dontaudit_manage_xenfs_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type xenfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 xenfs_t:dir manage_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete files
|
||||||
|
## on a XENFS filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`fs_manage_xenfs_files',`
|
||||||
|
gen_require(`
|
||||||
|
type xenfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, xenfs_t, xenfs_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to create,
|
||||||
|
## read, write, and delete files
|
||||||
|
## on a XENFS filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_dontaudit_manage_xenfs_files',`
|
||||||
|
gen_require(`
|
||||||
|
type xenfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 xenfs_t:file manage_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount all filesystems.
|
## Mount all filesystems.
|
||||||
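Review bot: `fs_manage_xenfs_dirs` and `fs_dontaudit_manage_xenfs_dirs` use bare `allow $1 xenfs_t:dir manage_dir_perms;` / `dontaudit $1 xenfs_t:dir manage_dir_perms;` rules, while the sibling `fs_manage_xenfs_files` in the same hunk uses `manage_files_pattern($1, xenfs_t, xenfs_t)`; for consistency write `manage_dirs_pattern($1, xenfs_t, xenfs_t)` (and the dontaudit form as the file does elsewhere). Since xenfs_t is declared as a noxattr type with a single `genfscon xenfs /` rule later in this commit, every object on the filesystem carries xenfs_t, so the pattern form changes nothing in effect and only aligns style. A one-line comment on `fs_mount_xenfs` stating that xenfs is the hypervisor control filesystem would also help readers judge who should receive the `<rolecap/>`-marked manage interfaces.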
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(filesystem, 1.12.0)
|
policy_module(filesystem, 1.12.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
|
|||||||
type hugetlbfs_t;
|
type hugetlbfs_t;
|
||||||
fs_type(hugetlbfs_t)
|
fs_type(hugetlbfs_t)
|
||||||
files_mountpoint(hugetlbfs_t)
|
files_mountpoint(hugetlbfs_t)
|
||||||
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
|
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
|
||||||
|
|
||||||
type ibmasmfs_t;
|
type ibmasmfs_t;
|
||||||
fs_type(ibmasmfs_t)
|
fs_type(ibmasmfs_t)
|
||||||
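Review bot: Switching hugetlbfs from `genfscon` to `fs_use_trans` changes how objects on it are labelled: instead of everything carrying hugetlbfs_t, files take a type derived by transition from the creating domain, and each such type must be allowed `filesystem associate` to hugetlbfs_t — which is what the new `fs_associate_hugetlbfs` interface earlier in this commit provides. Nothing in the hunk records this, and a domain that previously worked against hugetlbfs_t alone will now fail at file creation until its file type gets the associate rule. Propose a comment above the new rule: `# hugetlbfs objects are labeled by type_transition from the creator (fs_use_trans); their file types need fs_associate_hugetlbfs()`.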
@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
|
|||||||
|
|
||||||
allow tmpfs_t noxattrfs:filesystem associate;
|
allow tmpfs_t noxattrfs:filesystem associate;
|
||||||
|
|
||||||
|
type xenfs_t;
|
||||||
|
fs_noxattr_type(xenfs_t)
|
||||||
|
files_mountpoint(xenfs_t)
|
||||||
|
genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# Filesystems without extended attribute support
|
# Filesystems without extended attribute support
|
||||||
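Review bot: The new `type xenfs_t;` block is declared with `fs_noxattr_type(xenfs_t)` yet sits above the `# Filesystems without extended attribute support` section header that immediately follows it in this hunk, where the file groups its other noxattr types; moving the four lines below that header keeps the existing grouping. A short comment on the `genfscon xenfs /` rule, such as `# xenfs was previously labeled nfs_t; see the removed genfscon below`, would also explain the relabel for anyone grepping for the old nfs_t entry removed later in this commit.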
@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
|||||||
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
|
|
||||||
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -275,7 +279,7 @@ fs_associate_noxattr(noxattrfs)
|
|||||||
|
|
||||||
allow filesystem_unconfined_type filesystem_type:filesystem *;
|
allow filesystem_unconfined_type filesystem_type:filesystem *;
|
||||||
|
|
||||||
# Create/access other files. fs_type is to pick up various
|
# Create/access other files. fs_type is to pick up various
|
||||||
# pseudo filesystem types that are applied to both the filesystem
|
# pseudo filesystem types that are applied to both the filesystem
|
||||||
# and its files.
|
# and its files.
|
||||||
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
|
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
|
||||||
|
@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',`
|
|||||||
type kernel_t;
|
type kernel_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
kernel_domtrans_to($1,$2)
|
kernel_domtrans_to($1, $2)
|
||||||
|
|
||||||
ifdef(`enable_mcs',`
|
ifdef(`enable_mcs',`
|
||||||
range_transition kernel_t $2:process $3;
|
range_transition kernel_t $2:process $3;
|
||||||
@ -483,13 +483,32 @@ interface(`kernel_clear_ring_buffer',`
|
|||||||
allow $1 kernel_t:system syslog_mod;
|
allow $1 kernel_t:system syslog_mod;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allows caller to request the kernel to load a module
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`kernel_request_load_module',`
|
||||||
|
gen_require(`
|
||||||
|
type kernel_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 kernel_t:system module_request;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get information on all System V IPC objects.
|
## Get information on all System V IPC objects.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
##
|
## Domain allowed access.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
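Review bot: The summary `## Allows caller to request the kernel to load a module` does not say what `module_request` actually permits, which matters because the interface is marked `<rolecap/>`: the permission lets the caller make the kernel auto-load a module by name, with the kernel's own loader doing the load, so the caller never needs `sys_module` and the `neverallow ... self:capability sys_module;` assertion in kernel.te does not cover this path. Propose `## Allow the caller to trigger kernel module autoloading by name (request_module); the kernel performs the load, so sys_module is not required.`. The second part of the hunk (`##` → `## Domain allowed access.`) is a welcome doc fix and needs nothing further.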
@ -939,6 +958,29 @@ interface(`kernel_dontaudit_getattr_core_if',`
|
|||||||
dontaudit $1 proc_kcore_t:file getattr;
|
dontaudit $1 proc_kcore_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allows caller to read the core kernel interface.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`kernel_read_core_if',`
|
||||||
|
gen_require(`
|
||||||
|
type proc_t, proc_kcore_t;
|
||||||
|
attribute can_dump_kernel;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 self:capability sys_rawio;
|
||||||
|
read_files_pattern($1, proc_t, proc_kcore_t)
|
||||||
|
list_dirs_pattern($1, proc_t, proc_t)
|
||||||
|
|
||||||
|
typeattribute $1 can_dump_kernel;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow caller to read kernel messages
|
## Allow caller to read kernel messages
|
||||||
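Review bot: `kernel_read_core_if` grants `allow $1 self:capability sys_rawio;` without a comment; the capability is needed because the kernel requires CAP_SYS_RAWIO to open /proc/kcore, but sys_rawio also covers raw port and device I/O, so a reader should see why a capability this broad is bundled into a "read" interface: `# the kernel requires CAP_SYS_RAWIO to open /proc/kcore; note sys_rawio is far broader than kcore access`. The summary `## Allows caller to read the core kernel interface.` understates the grant — /proc/kcore is an image of kernel memory — and `## Allow the caller to read kernel memory via /proc/kcore (grants sys_rawio and the can_dump_kernel assertion attribute).` says what a caller receives. Since `/kcore` is labelled `mls_systemhigh` elsewhere in this commit, callers on MLS builds presumably also need an MLS read-up privilege that this interface does not supply; that is worth stating in the doc block.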
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kernel, 1.11.0)
|
policy_module(kernel, 1.11.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0)
|
|||||||
# assertion related attributes
|
# assertion related attributes
|
||||||
attribute can_load_kernmodule;
|
attribute can_load_kernmodule;
|
||||||
attribute can_receive_kernel_messages;
|
attribute can_receive_kernel_messages;
|
||||||
|
attribute can_dump_kernel;
|
||||||
|
|
||||||
neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
|
neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
|
||||||
|
|
||||||
@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge
|
|||||||
|
|
||||||
# /proc kcore: inaccessible
|
# /proc kcore: inaccessible
|
||||||
type proc_kcore_t, proc_type;
|
type proc_kcore_t, proc_type;
|
||||||
neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
|
neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
|
||||||
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
|
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
|
||||||
|
|
||||||
type proc_mdstat_t, proc_type;
|
type proc_mdstat_t, proc_type;
|
||||||
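Review bot: The comment `# /proc kcore: inaccessible` above the changed neverallow is now inaccurate — `can_dump_kernel` domains are exempted from the assertion and `kernel_read_core_if` gives them read access — so it should read `# /proc kcore: inaccessible except to can_dump_kernel domains (kernel_read_core_if)`. The earlier hunk in this file that adds `attribute can_dump_kernel;` would benefit from the same note, since the attribute's sole purpose is this assertion exemption.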
@ -248,7 +249,7 @@ corenet_send_all_packets(kernel_t)
|
|||||||
dev_read_sysfs(kernel_t)
|
dev_read_sysfs(kernel_t)
|
||||||
dev_search_usbfs(kernel_t)
|
dev_search_usbfs(kernel_t)
|
||||||
|
|
||||||
# Mount root file system. Used when loading a policy
|
# Mount root file system. Used when loading a policy
|
||||||
# from initrd, then mounting the root filesystem
|
# from initrd, then mounting the root filesystem
|
||||||
fs_mount_all_fs(kernel_t)
|
fs_mount_all_fs(kernel_t)
|
||||||
fs_unmount_all_fs(kernel_t)
|
fs_unmount_all_fs(kernel_t)
|
||||||
@ -309,7 +310,7 @@ optional_policy(`
|
|||||||
allow kernel_t self:tcp_socket create_stream_socket_perms;
|
allow kernel_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow kernel_t self:udp_socket create_socket_perms;
|
allow kernel_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
||||||
# to just give it everything.
|
# to just give it everything.
|
||||||
corenet_udp_sendrecv_generic_if(kernel_t)
|
corenet_udp_sendrecv_generic_if(kernel_t)
|
||||||
corenet_udp_sendrecv_generic_node(kernel_t)
|
corenet_udp_sendrecv_generic_node(kernel_t)
|
||||||
@ -355,7 +356,7 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(kernel_t)
|
unconfined_domain_noaudit(kernel_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
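Review bot: The switch from `unconfined_domain(kernel_t)` to `unconfined_domain_noaudit(kernel_t)` changes what is audited for kernel_t when the unconfined module is loaded, but the `optional_policy` block carries no comment explaining why kernel_t should get the quiet variant; someone later looking for missing kernel_t audit events will not find the rationale here. Propose a comment on the line: `# noaudit variant: kernel_t denials covered by unconfined_domain_noaudit() are intentionally not logged`. The interface definition is not on this page, so the exact set of suppressed denials should be spelled out by whoever has unconfined.if in front of them.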
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mcs, 1.1.1)
|
policy_module(mcs, 1.2.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -28,6 +28,7 @@
|
|||||||
/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
|
/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
|
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||||
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
|
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||||
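Review bot: `/dev/mtd.* -b` labels only block nodes, so it covers `/dev/mtdblockN` but not the raw MTD nodes `/dev/mtdN` and `/dev/mtdNro`, which are character devices and would presumably keep the generic device label; if raw flash is meant to be treated as fixed-disk storage, a second entry is needed: `/dev/mtd[0-9]+(ro)? -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. The `.*` wildcard is also looser than the neighbouring entries (`/dev/nb[^/]+`), so `/dev/mtdblock[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` would be the tighter block-device form.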
|
@ -529,7 +529,7 @@ interface(`storage_dontaudit_read_removable_device',`
|
|||||||
|
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
|
dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(storage, 1.7.0)
|
policy_module(storage, 1.7.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -13,6 +13,7 @@
|
|||||||
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
|
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||||
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
|
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||||
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
|
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
|
||||||
|
/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
|
||||||
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
|
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||||
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
|
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||||
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
|
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
|
||||||
|
@ -196,7 +196,7 @@ interface(`term_use_all_terms',`
|
|||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 devpts_t:dir list_dir_perms;
|
allow $1 devpts_t:dir list_dir_perms;
|
||||||
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
|
allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -472,6 +472,24 @@ interface(`term_dontaudit_manage_pty_dirs',`
|
|||||||
dontaudit $1 devpts_t:dir manage_dir_perms;
|
dontaudit $1 devpts_t:dir manage_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to get the attributes
|
||||||
|
## of generic pty devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`term_dontaudit_getattr_generic_ptys',`
|
||||||
|
gen_require(`
|
||||||
|
type devpts_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 devpts_t:chr_file getattr;
|
||||||
|
')
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## ioctl of generic pty devices.
|
## ioctl of generic pty devices.
|
||||||
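Review bot: Two style slips in the new `term_dontaudit_getattr_generic_ptys`: its closing `')` runs straight into the next `########################################` header with no blank line, unlike every other interface in this file, and the parameter summary `## The type of the process to not audit.` departs from the file's standard `## Domain to not audit.` wording. Both are one-line fixes.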
@ -575,6 +593,25 @@ interface(`term_dontaudit_use_generic_ptys',`
|
|||||||
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
|
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes of the tty device
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`term_setattr_controlling_term',`
|
||||||
|
gen_require(`
|
||||||
|
type devtty_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dev_list_all_dev_nodes($1)
|
||||||
|
allow $1 devtty_t:chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write the controlling
|
## Read and write the controlling
|
||||||
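Review bot: The header rule above `term_setattr_controlling_term` is one `#` short (39 instead of the 40 used everywhere else in the file), and the summary `## Set the attributes of the tty device` is imprecise for a rule on devtty_t — the type of /dev/tty, the controlling terminal — and lacks the trailing period. `## Set the attributes of the controlling terminal.` matches both the interface name and the neighbouring `## Read and write the controlling ...` summary.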
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(terminal, 1.7.0)
|
policy_module(terminal, 1.7.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -44,6 +44,7 @@ mls_trusted_object(devtty_t)
|
|||||||
type ptmx_t;
|
type ptmx_t;
|
||||||
dev_node(ptmx_t)
|
dev_node(ptmx_t)
|
||||||
mls_trusted_object(ptmx_t)
|
mls_trusted_object(ptmx_t)
|
||||||
|
allow ptmx_t devpts_t:filesystem associate;
|
||||||
|
|
||||||
#
|
#
|
||||||
# tty_device_t is the type of /dev/*tty*
|
# tty_device_t is the type of /dev/*tty*
|
||||||
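Review bot: `allow ptmx_t devpts_t:filesystem associate;` is the companion of the `/dev/pts/ptmx -c ... ptmx_t` entry added to terminal.fc in this commit, but nothing on the line says so, and a reader of the .te alone will not know why a /dev node type must associate with the devpts filesystem. Propose `# /dev/pts/ptmx is labeled ptmx_t (terminal.fc) and lives on devpts`.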
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cron, 2.1.2)
|
policy_module(cron, 2.2.0)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(dbus, 1.11.1)
|
policy_module(dbus, 1.12.0)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class dbus all_dbus_perms;
|
class dbus all_dbus_perms;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(nscd, 1.9.2)
|
policy_module(nscd, 1.10.0)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class nscd all_nscd_perms;
|
class nscd all_nscd_perms;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(openvpn, 1.8.2)
|
policy_module(openvpn, 1.9.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(policykit, 1.0.1)
|
policy_module(policykit, 1.1.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
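--- a/policy/modules/services/puppet.fc
+++ b/policy/modules/services/puppet.fc
@@ -0,0 +1,11 @@
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)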
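--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -0,0 +1,31 @@
+## <summary>Puppet client daemon</summary>
+## <desc>
+## <p>
+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+## </p>
+## </desc>
+
+################################################
+## <summary>
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`puppet_rw_tmp', `
+gen_require(`
+type puppet_tmp_t;
+')
+
+allow $1 puppet_tmp_t:file rw_file_perms;
+files_search_tmp($1)
+')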
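Review bot: The interface line for `puppet_rw_tmp` has a space between the comma and the opening quote, unlike every other `interface(` declaration on this page; drop it. The body uses a bare `allow $1 puppet_tmp_t:file rw_file_perms;` where the rest of the tree uses the support patterns, so `rw_files_pattern($1, puppet_tmp_t, puppet_tmp_t)` is the conventional form, and `## Domain allowed access` needs its trailing period. The summary's explanation — system binaries run by puppet in other domains redirect output into these temp files — is the justification for letting non-puppet domains write puppet_tmp_t and should stay.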
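--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -0,0 +1,234 @@
+
+policy_module(puppet, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
+type puppet_t;
+type puppet_exec_t;
+init_daemon_domain(puppet_t, puppet_exec_t)
+
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
+type puppet_initrc_exec_t;
+init_script_file(puppet_initrc_exec_t)
+
+type puppet_log_t;
+logging_log_file(puppet_log_t)
+
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
+type puppet_var_lib_t;
+files_type(puppet_var_lib_t)
+
+type puppet_var_run_t;
+files_pid_file(puppet_var_run_t)
+
+type puppetmaster_t;
+type puppetmaster_exec_t;
+init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+
+type puppetmaster_initrc_exec_t;
+init_script_file(puppetmaster_initrc_exec_t)
+
+type puppetmaster_tmp_t;
+files_tmp_file(puppetmaster_tmp_t)
+
+########################################
+#
+# Puppet personal policy
+#
+
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:fifo_file rw_fifo_file_perms;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppet_t self:tcp_socket create_stream_socket_perms;
+allow puppet_t self:udp_socket create_socket_perms;
+
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppet_t)
+
+setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
+
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+corenet_tcp_bind_generic_node(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+corenet_sendrecv_puppet_client_packets(puppet_t)
+
+dev_read_rand(puppet_t)
+dev_read_sysfs(puppet_t)
+dev_read_urand(puppet_t)
+
+domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
+
+files_manage_config_files(puppet_t)
+files_manage_config_dirs(puppet_t)
+files_manage_etc_dirs(puppet_t)
+files_manage_etc_files(puppet_t)
+files_read_usr_symlinks(puppet_t)
+files_relabel_config_dirs(puppet_t)
+files_relabel_config_files(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_user_ttys(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
+seutil_domtrans_setfiles(puppet_t)
+seutil_domtrans_semanage(puppet_t)
+
+sysnet_dns_name_resolve(puppet_t)
+sysnet_run_ifconfig(puppet_t, system_r)
+
+tunable_policy(`puppet_manage_all_files',`
+auth_manage_all_files_except_shadow(puppet_t)
+')
+
+optional_policy(`
+consoletype_domtrans(puppet_t)
+')
+
+optional_policy(`
+hostname_exec(puppet_t)
+')
+
+optional_policy(`
+files_rw_var_files(puppet_t)
+
+rpm_domtrans(puppet_t)
+rpm_manage_db(puppet_t)
+rpm_manage_log(puppet_t)
+')
+
+optional_policy(`
+unconfined_domain(puppet_t)
+')
+
+optional_policy(`
+usermanage_domtrans_groupadd(puppet_t)
+usermanage_domtrans_useradd(puppet_t)
+')
+
+########################################
+#
+# Pupper master personal policy
+#
+
+allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
+
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
+
+corenet_all_recvfrom_netlabel(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+corenet_tcp_bind_generic_node(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+
+dev_read_rand(puppetmaster_t)
+dev_read_urand(puppetmaster_t)
+
+domain_read_all_domains_state(puppetmaster_t)
+
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
+
+logging_send_syslog_msg(puppetmaster_t)
+
+miscfiles_read_localization(puppetmaster_t)
+
+sysnet_dns_name_resolve(puppetmaster_t)
+sysnet_run_ifconfig(puppetmaster_t, system_r)
+
+optional_policy(`
+hostname_exec(puppetmaster_t)
+')
+
+optional_policy(`
+files_read_usr_symlinks(puppetmaster_t)
+
+rpm_exec(puppetmaster_t)
+rpm_read_db(puppetmaster_t)
+')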
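Review bot: The `optional_policy` block containing `unconfined_domain(puppet_t)` makes the puppet client fully unconfined whenever the unconfined module is present, which silently overrides every rule above it — including the `puppet_manage_all_files` tunable that was introduced precisely to gate broad file access; for an agent that executes configuration received over the network, this should at least sit behind a dedicated tunable of its own, or be dropped so the remaining rules describe what puppet_t actually gets. `sys_ptrace` in the self capability set is unexplained; if it is there so that `domain_read_all_domains_state(puppet_t)` can read other processes' /proc state, say so in a comment, because it is a capability that draws reviewer attention. Typo in the section header: `# Pupper master personal policy` → `# Puppet master personal policy`.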
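--- a/policy/modules/services/tgtd.fc
+++ b/policy/modules/services/tgtd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)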
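--- a/policy/modules/services/tgtd.if
+++ b/policy/modules/services/tgtd.if
@@ -0,0 +1,11 @@
+## <summary>Linux Target Framework Daemon.</summary>
+## <desc>
+## <p>
+## Linux target framework (tgt) aims to simplify various
+## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
+## and maintenance. Our key goals are the clean integration into
+## the scsi-mid layer and implementing a great portion of tgt
+## in user space.
+## </p>
+## </desc>
+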
67
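--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@@ -0,0 +1,67 @@
+
+policy_module(tgtd, 1.0.0)
+
+########################################
+#
+# TGTD personal declarations.
+#
+
+type tgtd_t;
+type tgtd_exec_t;
+init_daemon_domain(tgtd_t, tgtd_exec_t)
+
+type tgtd_initrc_exec_t;
+init_script_file(tgtd_initrc_exec_t)
+
+type tgtd_tmp_t;
+files_tmp_file(tgtd_tmp_t)
+
+type tgtd_tmpfs_t;
+files_tmpfs_file(tgtd_tmpfs_t)
+
+type tgtd_var_lib_t;
+files_type(tgtd_var_lib_t)
+
+########################################
+#
+# TGTD personal policy.
+#
+
+allow tgtd_t self:capability sys_resource;
+allow tgtd_t self:process { setrlimit signal };
+allow tgtd_t self:fifo_file rw_fifo_file_perms;
+allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:shm create_shm_perms;
+allow tgtd_t self:sem create_sem_perms;
+allow tgtd_t self:tcp_socket create_stream_socket_perms;
+allow tgtd_t self:udp_socket create_socket_perms;
+allow tgtd_t self:unix_dgram_socket create_socket_perms;
+
+manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
+
+manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
+fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
+
+manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
+kernel_read_fs_sysctls(tgtd_t)
+
+corenet_all_recvfrom_netlabel(tgtd_t)
+corenet_all_recvfrom_unlabeled(tgtd_t)
+corenet_tcp_sendrecv_generic_if(tgtd_t)
+corenet_tcp_sendrecv_generic_node(tgtd_t)
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+corenet_tcp_bind_generic_node(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_sendrecv_iscsi_server_packets(tgtd_t)
+
+files_read_etc_files(tgtd_t)
+
+storage_getattr_fixed_disk_dev(tgtd_t)
+
+logging_send_syslog_msg(tgtd_t)
+
+miscfiles_read_localization(tgtd_t)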
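Review bot: The section comments `# TGTD personal declarations.` and `# TGTD personal policy.` use wording no other module in this commit uses; the convention visible in ipsec.te is `# Declarations` and `# <module> Local policy`, so `# Declarations` and `# tgtd local policy` would match. The combination of `corenet_all_recvfrom_unlabeled(tgtd_t)`, `corenet_all_recvfrom_netlabel(tgtd_t)` and `corenet_tcp_bind_iscsi_port(tgtd_t)` means the daemon accepts iSCSI sessions from any network peer regardless of peer label, which is expected for a target but is the most consequential rule set in the file and deserves a why-comment such as `# serve iSCSI targets to remote initiators; peer labeling is not relied on`. `storage_getattr_fixed_disk_dev(tgtd_t)` grants only getattr on fixed disks; if backing stores are files under tgtd_var_lib_t that is sufficient, but a comment recording that raw-device backing stores are intentionally not covered would prevent a later blanket widening.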
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(virt, 1.2.1)
|
policy_module(virt, 1.3.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(xserver, 3.2.3)
|
policy_module(xserver, 3.3.0)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class x_drawable all_x_drawable_perms;
|
class x_drawable all_x_drawable_perms;
|
||||||
|
@ -99,5 +99,23 @@ interface(`application_exec_all',`
|
|||||||
interface(`application_domain',`
|
interface(`application_domain',`
|
||||||
application_type($1)
|
application_type($1)
|
||||||
application_executable_file($2)
|
application_executable_file($2)
|
||||||
domain_entry_file($1,$2)
|
domain_entry_file($1, $2)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send signull to all application domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`application_signull',`
|
||||||
|
gen_require(`
|
||||||
|
attribute application_domain_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 application_domain_type:process signull;
|
||||||
')
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(application, 1.1.0)
|
policy_module(application, 1.1.1)
|
||||||
|
|
||||||
# Attribute of user applications
|
# Attribute of user applications
|
||||||
attribute application_domain_type;
|
attribute application_domain_type;
|
||||||
@ -11,3 +11,7 @@ optional_policy(`
|
|||||||
ssh_sigchld(application_domain_type)
|
ssh_sigchld(application_domain_type)
|
||||||
ssh_rw_stream_sockets(application_domain_type)
|
ssh_rw_stream_sockets(application_domain_type)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
sudo_sigchld(application_domain_type)
|
||||||
|
')
|
||||||
|
@ -6,6 +6,7 @@
|
|||||||
/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
|
/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(fstools, 1.13.0)
|
policy_module(fstools, 1.13.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -144,6 +144,7 @@ logging_send_syslog_msg(fsadm_t)
|
|||||||
miscfiles_read_localization(fsadm_t)
|
miscfiles_read_localization(fsadm_t)
|
||||||
|
|
||||||
modutils_read_module_config(fsadm_t)
|
modutils_read_module_config(fsadm_t)
|
||||||
|
modutils_read_module_deps(fsadm_t)
|
||||||
|
|
||||||
seutil_read_config(fsadm_t)
|
seutil_read_config(fsadm_t)
|
||||||
|
|
||||||
@ -177,4 +178,5 @@ optional_policy(`
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xen_append_log(fsadm_t)
|
xen_append_log(fsadm_t)
|
||||||
|
xen_rw_image_files(fsadm_t)
|
||||||
')
|
')
|
||||||
|
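Review bot: `xen_rw_image_files(fsadm_t)` gives every filesystem tool running in fsadm_t read-write access to Xen guest disk images with no comment recording why; fsadm_t is already a privileged disk-admin domain, so the extra reach is plausible (presumably to fsck or resize guest images from the host), but the intent should be written next to the call, e.g. `# fsck/resize of guest disk images from the host`. The optional_policy block is complete within the hunk.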
@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',`
|
|||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#########################################
|
||||||
|
## <summary>
|
||||||
|
## Transition to the init script domain
|
||||||
|
## for all labeled init script types
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`init_all_labeled_script_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
attribute init_script_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, init_script_file_type)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Start and stop daemon programs directly.
|
## Start and stop daemon programs directly.
|
||||||
|
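Review bot: `init_all_labeled_script_domtrans` grants the caller a transition through every type carrying `init_script_file_type`, which is far broader than the per-type `init_labeled_script_domtrans` it wraps, yet the `<summary>` only says it transitions "for all labeled init script types". The summary should state the consequence so callers know what they are requesting, e.g. `## for all labeled init script types (the caller can start and stop any labeled service)`. The interface body itself is consistent with its sibling.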
@ -687,6 +687,10 @@ optional_policy(`
|
|||||||
postfix_list_spool(initrc_t)
|
postfix_list_spool(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
puppet_rw_tmp(initrc_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
quota_manage_flags(initrc_t)
|
quota_manage_flags(initrc_t)
|
||||||
')
|
')
|
||||||
|
@ -1,3 +1,6 @@
|
|||||||
|
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
|
||||||
|
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
|
||||||
|
|
||||||
/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
|
/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
|
||||||
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
|
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
|
||||||
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
|
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
|
||||||
|
@ -187,6 +187,31 @@ interface(`ipsec_domtrans_racoon',`
|
|||||||
domtrans_pattern($1, racoon_exec_t, racoon_t)
|
domtrans_pattern($1, racoon_exec_t, racoon_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute racoon and allow the specified role the domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## Role allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`ipsec_run_racoon',`
|
||||||
|
gen_require(`
|
||||||
|
type racoon_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
ipsec_domtrans_racoon($1)
|
||||||
|
role $2 types racoon_t;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute setkey in the setkey domain.
|
## Execute setkey in the setkey domain.
|
||||||
|
@ -1,11 +1,18 @@
|
|||||||
|
|
||||||
policy_module(ipsec, 1.10.0)
|
policy_module(ipsec, 1.10.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow racoon to read shadow
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(racoon_read_shadow, false)
|
||||||
|
|
||||||
type ipsec_t;
|
type ipsec_t;
|
||||||
type ipsec_exec_t;
|
type ipsec_exec_t;
|
||||||
init_daemon_domain(ipsec_t, ipsec_exec_t)
|
init_daemon_domain(ipsec_t, ipsec_exec_t)
|
||||||
@ -15,6 +22,9 @@ role system_r types ipsec_t;
|
|||||||
type ipsec_conf_file_t;
|
type ipsec_conf_file_t;
|
||||||
files_type(ipsec_conf_file_t)
|
files_type(ipsec_conf_file_t)
|
||||||
|
|
||||||
|
type ipsec_initrc_exec_t;
|
||||||
|
init_script_file(ipsec_initrc_exec_t)
|
||||||
|
|
||||||
# type for file(s) containing ipsec keys - RSA or preshared
|
# type for file(s) containing ipsec keys - RSA or preshared
|
||||||
type ipsec_key_file_t;
|
type ipsec_key_file_t;
|
||||||
files_type(ipsec_key_file_t)
|
files_type(ipsec_key_file_t)
|
||||||
@ -43,6 +53,9 @@ type racoon_exec_t;
|
|||||||
init_daemon_domain(racoon_t, racoon_exec_t)
|
init_daemon_domain(racoon_t, racoon_exec_t)
|
||||||
role system_r types racoon_t;
|
role system_r types racoon_t;
|
||||||
|
|
||||||
|
type racoon_tmp_t;
|
||||||
|
files_tmp_file(racoon_tmp_t)
|
||||||
|
|
||||||
type setkey_t;
|
type setkey_t;
|
||||||
type setkey_exec_t;
|
type setkey_exec_t;
|
||||||
init_system_domain(setkey_t, setkey_exec_t)
|
init_system_domain(setkey_t, setkey_exec_t)
|
||||||
@ -53,21 +66,23 @@ role system_r types setkey_t;
|
|||||||
# ipsec Local policy
|
# ipsec Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow ipsec_t self:capability { net_admin dac_override dac_read_search };
|
allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
|
||||||
dontaudit ipsec_t self:capability sys_tty_config;
|
dontaudit ipsec_t self:capability sys_tty_config;
|
||||||
allow ipsec_t self:process { signal setsched };
|
allow ipsec_t self:process { getcap setcap getsched signal setsched };
|
||||||
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow ipsec_t self:udp_socket create_socket_perms;
|
allow ipsec_t self:udp_socket create_socket_perms;
|
||||||
allow ipsec_t self:key_socket create_socket_perms;
|
allow ipsec_t self:key_socket create_socket_perms;
|
||||||
allow ipsec_t self:fifo_file read_fifo_file_perms;
|
allow ipsec_t self:fifo_file read_fifo_file_perms;
|
||||||
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
|
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
|
||||||
|
|
||||||
|
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
|
||||||
|
|
||||||
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
|
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
|
||||||
read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
||||||
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
|
||||||
|
|
||||||
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
|
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
|
||||||
read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||||
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||||
|
|
||||||
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||||
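Review bot: `manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)` replaces a read-only pattern with create/write/unlink on the daemon's own key material, and nothing in the hunk says which operation needs it; since ipsec_key_file_t labels both `/etc/ipsec\.secrets` and `/etc/racoon/psk\.txt` per the ipsec.fc hunk above, a compromised ipsec_t can now replace keys rather than only read them. If a single operation is required, a narrower `allow` with a comment naming the caller keeps the boundary; otherwise a one-line comment such as `# ipsec tooling rewrites its key file in place` should at least record the reason. The same hunk adds `allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;`, which has the daemon read its own init script — an unusual direction that also deserves a comment.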
@ -82,7 +97,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
|
|||||||
# so try flipping back into the ipsec_mgmt_t domain
|
# so try flipping back into the ipsec_mgmt_t domain
|
||||||
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
||||||
allow ipsec_mgmt_t ipsec_t:fd use;
|
allow ipsec_mgmt_t ipsec_t:fd use;
|
||||||
allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
|
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
||||||
allow ipsec_mgmt_t ipsec_t:process sigchld;
|
allow ipsec_mgmt_t ipsec_t:process sigchld;
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(ipsec_t)
|
kernel_read_kernel_sysctls(ipsec_t)
|
||||||
@ -92,6 +107,7 @@ kernel_read_proc_symlinks(ipsec_t)
|
|||||||
kernel_read_system_state(ipsec_t)
|
kernel_read_system_state(ipsec_t)
|
||||||
kernel_read_network_state(ipsec_t)
|
kernel_read_network_state(ipsec_t)
|
||||||
kernel_read_software_raid_state(ipsec_t)
|
kernel_read_software_raid_state(ipsec_t)
|
||||||
|
kernel_request_load_module(ipsec_t)
|
||||||
kernel_getattr_core_if(ipsec_t)
|
kernel_getattr_core_if(ipsec_t)
|
||||||
kernel_getattr_message_if(ipsec_t)
|
kernel_getattr_message_if(ipsec_t)
|
||||||
|
|
||||||
@ -120,7 +136,9 @@ dev_read_urand(ipsec_t)
|
|||||||
|
|
||||||
domain_use_interactive_fds(ipsec_t)
|
domain_use_interactive_fds(ipsec_t)
|
||||||
|
|
||||||
|
files_list_tmp(ipsec_t)
|
||||||
files_read_etc_files(ipsec_t)
|
files_read_etc_files(ipsec_t)
|
||||||
|
files_read_usr_files(ipsec_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(ipsec_t)
|
fs_getattr_all_fs(ipsec_t)
|
||||||
fs_search_auto_mountpoints(ipsec_t)
|
fs_search_auto_mountpoints(ipsec_t)
|
||||||
@ -159,7 +177,7 @@ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
|
|||||||
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
||||||
allow ipsec_mgmt_t self:key_socket create_socket_perms;
|
allow ipsec_mgmt_t self:key_socket create_socket_perms;
|
||||||
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
|
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
|
||||||
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
|
||||||
@ -280,6 +298,15 @@ allow racoon_t self:unix_dgram_socket { connect create ioctl write };
|
|||||||
allow racoon_t self:netlink_selinux_socket { bind create read };
|
allow racoon_t self:netlink_selinux_socket { bind create read };
|
||||||
allow racoon_t self:udp_socket create_socket_perms;
|
allow racoon_t self:udp_socket create_socket_perms;
|
||||||
allow racoon_t self:key_socket create_socket_perms;
|
allow racoon_t self:key_socket create_socket_perms;
|
||||||
|
allow racoon_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
|
||||||
|
manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
|
||||||
|
files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
|
||||||
|
|
||||||
|
can_exec(racoon_t, racoon_exec_t)
|
||||||
|
|
||||||
|
can_exec(racoon_t, setkey_exec_t)
|
||||||
|
|
||||||
# manage pid file
|
# manage pid file
|
||||||
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
|
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||||
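Review bot: `can_exec(racoon_t, setkey_exec_t)` runs setkey inside racoon_t instead of transitioning, so the setkey invocation inherits racoon's full rule set rather than the narrower setkey domain that ipsec.if documents (`Execute setkey in the setkey domain.` is visible in the ipsec.if hunk). If racoon genuinely needs setkey's output in its own context a comment should say so; otherwise a domain transition to setkey_t would be the tighter choice. The following hunk's `corecmd_exec_shell(racoon_t)` and `corecmd_exec_bin(racoon_t)` further broaden what racoon can run in its own domain and likewise carry no comment naming the scripts or helpers that require them.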
@ -297,6 +324,9 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
|
|||||||
kernel_read_system_state(racoon_t)
|
kernel_read_system_state(racoon_t)
|
||||||
kernel_read_network_state(racoon_t)
|
kernel_read_network_state(racoon_t)
|
||||||
|
|
||||||
|
corecmd_exec_shell(racoon_t)
|
||||||
|
corecmd_exec_bin(racoon_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(racoon_t)
|
corenet_all_recvfrom_unlabeled(racoon_t)
|
||||||
corenet_tcp_sendrecv_all_if(racoon_t)
|
corenet_tcp_sendrecv_all_if(racoon_t)
|
||||||
corenet_udp_sendrecv_all_if(racoon_t)
|
corenet_udp_sendrecv_all_if(racoon_t)
|
||||||
@ -314,6 +344,8 @@ domain_ipsec_setcontext_all_domains(racoon_t)
|
|||||||
|
|
||||||
files_read_etc_files(racoon_t)
|
files_read_etc_files(racoon_t)
|
||||||
|
|
||||||
|
fs_dontaudit_getattr_xattr_fs(racoon_t)
|
||||||
|
|
||||||
# allow racoon to use avc_has_perm to check context on proposed SA
|
# allow racoon to use avc_has_perm to check context on proposed SA
|
||||||
selinux_compute_access_vector(racoon_t)
|
selinux_compute_access_vector(racoon_t)
|
||||||
|
|
||||||
@ -328,6 +360,13 @@ logging_send_audit_msgs(racoon_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(racoon_t)
|
miscfiles_read_localization(racoon_t)
|
||||||
|
|
||||||
|
sysnet_exec_ifconfig(racoon_t)
|
||||||
|
|
||||||
|
auth_can_read_shadow_passwords(racoon_t)
|
||||||
|
tunable_policy(`racoon_read_shadow',`
|
||||||
|
auth_tunable_read_shadow(racoon_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Setkey local policy
|
# Setkey local policy
|
||||||
|
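Review bot: `auth_can_read_shadow_passwords(racoon_t)` is placed unconditionally while the actual read is gated by `tunable_policy(`racoon_read_shadow',...)`; that split is presumably deliberate (the attribute grant cannot live inside a tunable block), but a reader sees an unconditional shadow-related call next to a boolean and will wonder whether the boolean is effective. A comment above the call, e.g. `# attribute must be granted unconditionally; the read itself is controlled by racoon_read_shadow`, would settle that. The `gen_tunable(racoon_read_shadow, false)` declaration in the first hunk defaults to off, which is the right choice for shadow access.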
@ -1,7 +1,13 @@
|
|||||||
/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
||||||
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
||||||
/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
||||||
|
|
||||||
/usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
/usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||||
|
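Review bot: The /sbin entries are rewritten from the wildcard `/sbin/iptables.*` to the explicit `/sbin/ip6?tables`, `/sbin/ip6?tables-restore` and `/sbin/ip6?tables-multi`, which silently stops labeling any other `iptables-*` helper (iptables-save is the obvious one) as iptables_exec_t, whereas the old pattern covered all of them. The /usr/sbin block is also now inconsistent with /sbin: `/usr/sbin/iptables`, `-multi` and `-restore` are listed, but the `ip6?` alternation is not applied there, so `/usr/sbin/ip6tables` loses its label even though the old `/usr/sbin/ip6tables.*` covered it. If moving away from the wildcard is intended, a comment stating which binaries are meant to run in iptables_t would keep the two lists from drifting apart again.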
@ -69,3 +69,99 @@ interface(`iptables_exec',`
|
|||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
can_exec($1, iptables_exec_t)
|
can_exec($1, iptables_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
## <summary>
|
||||||
|
## Execute iptables in the iptables domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`iptables_initrc_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type iptables_initrc_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes of iptables config files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`iptables_setattr_config',`
|
||||||
|
gen_require(`
|
||||||
|
type iptables_conf_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 iptables_conf_t:file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
## <summary>
|
||||||
|
## Read iptables config files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`iptables_read_config',`
|
||||||
|
gen_require(`
|
||||||
|
type iptables_conf_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 iptables_conf_t:dir list_dir_perms;
|
||||||
|
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
## <summary>
|
||||||
|
## Create files in /etc with the type used for
|
||||||
|
## the iptables config files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`iptables_etc_filetrans_config',`
|
||||||
|
gen_require(`
|
||||||
|
type iptables_conf_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_etc_filetrans($1, iptables_conf_t, file)
|
||||||
|
')
|
||||||
|
|
||||||
|
###################################
|
||||||
|
## <summary>
|
||||||
|
## Manage iptables config files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`iptables_manage_config',`
|
||||||
|
gen_require(`
|
||||||
|
type iptables_conf_t;
|
||||||
|
type etc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
|
||||||
|
')
|
||||||
|
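Review bot: The `<summary>` of `iptables_initrc_domtrans` reads `Execute iptables in the iptables domain.`, but the body calls `init_labeled_script_domtrans($1, iptables_initrc_exec_t)`, i.e. it runs the init script in the init script domain; the summary should read `Execute the iptables init script in the init script domain.` so callers do not confuse it with a transition into iptables_t. In `iptables_manage_config`, `type etc_t;` is declared in the `gen_require` block but never referenced in the body and should be dropped, since requiring an unused type adds a spurious module dependency. The `<param>` summaries alternate between `Domain allowed access.` and `The type of the process performing this action.` across the new interfaces; a single wording would read better.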
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(iptables, 1.9.1)
|
policy_module(iptables, 1.10.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -11,6 +11,12 @@ type iptables_exec_t;
|
|||||||
init_system_domain(iptables_t, iptables_exec_t)
|
init_system_domain(iptables_t, iptables_exec_t)
|
||||||
role system_r types iptables_t;
|
role system_r types iptables_t;
|
||||||
|
|
||||||
|
type iptables_initrc_exec_t;
|
||||||
|
init_script_file(iptables_initrc_exec_t)
|
||||||
|
|
||||||
|
type iptables_conf_t;
|
||||||
|
files_config_file(iptables_conf_t)
|
||||||
|
|
||||||
type iptables_tmp_t;
|
type iptables_tmp_t;
|
||||||
files_tmp_file(iptables_tmp_t)
|
files_tmp_file(iptables_tmp_t)
|
||||||
|
|
||||||
@ -27,6 +33,9 @@ dontaudit iptables_t self:capability sys_tty_config;
|
|||||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||||
allow iptables_t self:rawip_socket create_socket_perms;
|
allow iptables_t self:rawip_socket create_socket_perms;
|
||||||
|
|
||||||
|
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
|
||||||
|
files_etc_filetrans(iptables_t, iptables_conf_t, file)
|
||||||
|
|
||||||
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
|
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
|
||||||
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
|
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
|
||||||
|
|
||||||
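Review bot: `manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)` together with `files_etc_filetrans(iptables_t, iptables_conf_t, file)` lets the iptables domain rewrite its own saved rule set in /etc; that is what a save-on-stop init script needs, but it also means the on-disk rule set is no longer protected from the domain that loads it. A comment naming the use case, e.g. `# saving the running rule set to /etc/sysconfig/ip6?tables`, would let the next reviewer judge whether `manage` is needed or a narrower write suffices. The hunk is complete within view.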
@ -36,6 +45,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
|
|||||||
allow iptables_t iptables_tmp_t:file manage_file_perms;
|
allow iptables_t iptables_tmp_t:file manage_file_perms;
|
||||||
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
|
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
|
||||||
|
|
||||||
|
kernel_request_load_module(iptables_t)
|
||||||
kernel_read_system_state(iptables_t)
|
kernel_read_system_state(iptables_t)
|
||||||
kernel_read_network_state(iptables_t)
|
kernel_read_network_state(iptables_t)
|
||||||
kernel_read_kernel_sysctls(iptables_t)
|
kernel_read_kernel_sysctls(iptables_t)
|
||||||
@ -99,6 +109,10 @@ optional_policy(`
|
|||||||
ppp_dontaudit_use_fds(iptables_t)
|
ppp_dontaudit_use_fds(iptables_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
psad_rw_tmp_files(iptables_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rhgb_dontaudit_use_ptys(iptables_t)
|
rhgb_dontaudit_use_ptys(iptables_t)
|
||||||
')
|
')
|
||||||
|
@ -17,3 +17,42 @@ interface(`iscsid_domtrans',`
|
|||||||
|
|
||||||
domtrans_pattern($1, iscsid_exec_t, iscsid_t)
|
domtrans_pattern($1, iscsid_exec_t, iscsid_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect to ISCSI using a unix domain stream socket.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`iscsi_stream_connect',`
|
||||||
|
gen_require(`
|
||||||
|
type iscsid_t, iscsi_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read iscsi lib files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`iscsi_read_lib_files',`
|
||||||
|
gen_require(`
|
||||||
|
type iscsi_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
|
||||||
|
allow $1 iscsi_var_lib_t:dir list_dir_perms;
|
||||||
|
files_search_var_lib($1)
|
||||||
|
')
|
||||||
|
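Review bot: `iscsi_stream_connect` grants `files_search_pids($1)` but then connects through `iscsi_var_lib_t` via `stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)`, so the directory search permission does not match the labeled parent of the socket; the sibling `iscsi_read_lib_files` added in the same hunk uses `files_search_var_lib($1)` for the same type, and this interface should do the same (`files_search_var_lib($1)`) unless the socket really lives under the pid directory with a var_lib label, in which case a comment should say so. In `iscsi_read_lib_files` the `files_search_var_lib($1)` call sits after the allow rules; placing the search first matches the ordering of the other interfaces in this commit.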
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(iscsi, 1.6.0)
|
policy_module(iscsi, 1.6.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -55,6 +55,7 @@ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
|
|||||||
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
|
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
|
||||||
|
|
||||||
kernel_read_system_state(iscsid_t)
|
kernel_read_system_state(iscsid_t)
|
||||||
|
kernel_search_debugfs(iscsid_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(iscsid_t)
|
corenet_all_recvfrom_unlabeled(iscsid_t)
|
||||||
corenet_all_recvfrom_netlabel(iscsid_t)
|
corenet_all_recvfrom_netlabel(iscsid_t)
|
||||||
@ -73,6 +74,6 @@ files_read_etc_files(iscsid_t)
|
|||||||
|
|
||||||
logging_send_syslog_msg(iscsid_t)
|
logging_send_syslog_msg(iscsid_t)
|
||||||
|
|
||||||
miscfiles_read_localization(iscsid_t)
|
auth_use_nsswitch(iscsid_t)
|
||||||
|
|
||||||
sysnet_dns_name_resolve(iscsid_t)
|
miscfiles_read_localization(iscsid_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kdump, 1.0.0)
|
policy_module(kdump, 1.0.1)
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@ -29,6 +29,7 @@ files_read_etc_runtime_files(kdump_t)
|
|||||||
files_read_kernel_img(kdump_t)
|
files_read_kernel_img(kdump_t)
|
||||||
|
|
||||||
kernel_read_system_state(kdump_t)
|
kernel_read_system_state(kdump_t)
|
||||||
|
kernel_read_core_if(kdump_t)
|
||||||
|
|
||||||
dev_read_framebuffer(kdump_t)
|
dev_read_framebuffer(kdump_t)
|
||||||
dev_read_sysfs(kdump_t)
|
dev_read_sysfs(kdump_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(libraries, 2.5.1)
|
policy_module(libraries, 2.6.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -117,6 +117,10 @@ optional_policy(`
|
|||||||
apt_use_ptys(ldconfig_t)
|
apt_use_ptys(ldconfig_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
puppet_rw_tmp(ldconfig_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# When you install a kernel the postinstall builds a initrd image in tmp
|
# When you install a kernel the postinstall builds a initrd image in tmp
|
||||||
# and executes ldconfig on it. If you dont allow this kernel installs
|
# and executes ldconfig on it. If you dont allow this kernel installs
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(logging, 1.14.1)
|
policy_module(logging, 1.15.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -19,6 +19,25 @@ interface(`lvm_domtrans',`
|
|||||||
domtrans_pattern($1, lvm_exec_t, lvm_t)
|
domtrans_pattern($1, lvm_exec_t, lvm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute lvm programs in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`lvm_exec',`
|
||||||
|
gen_require(`
|
||||||
|
type lvm_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_sbin($1)
|
||||||
|
can_exec($1, lvm_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute lvm programs in the lvm domain.
|
## Execute lvm programs in the lvm domain.
|
||||||
@ -85,3 +104,22 @@ interface(`lvm_manage_config',`
|
|||||||
manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
|
manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
|
||||||
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
|
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run clvmd.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`lvm_domtrans_clvmd',`
|
||||||
|
gen_require(`
|
||||||
|
type clvmd_t, clvmd_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
|
||||||
|
')
|
||||||
|
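Review bot: `lvm_domtrans_clvmd` calls `corecmd_search_bin($1)` while the new `lvm_exec` in the first hunk of this file calls `corecmd_search_sbin($1)` for binaries of the same module; unless clvmd is installed under a bin directory the two should agree, and whichever is right should be stated in a comment, since the search permission is what makes the transition reachable. The `domain` parameter summary here (`Domain allowed to transition.`) also differs from the `Domain allowed access.` wording used elsewhere in this diff; one form would be consistent.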
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(lvm, 1.11.0)
|
policy_module(lvm, 1.11.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -10,6 +10,9 @@ type clvmd_t;
|
|||||||
type clvmd_exec_t;
|
type clvmd_exec_t;
|
||||||
init_daemon_domain(clvmd_t, clvmd_exec_t)
|
init_daemon_domain(clvmd_t, clvmd_exec_t)
|
||||||
|
|
||||||
|
type clvmd_initrc_exec_t;
|
||||||
|
init_script_file(clvmd_initrc_exec_t)
|
||||||
|
|
||||||
type clvmd_var_run_t;
|
type clvmd_var_run_t;
|
||||||
files_pid_file(clvmd_var_run_t)
|
files_pid_file(clvmd_var_run_t)
|
||||||
|
|
||||||
@ -102,6 +105,7 @@ fs_getattr_all_fs(clvmd_t)
|
|||||||
fs_search_auto_mountpoints(clvmd_t)
|
fs_search_auto_mountpoints(clvmd_t)
|
||||||
fs_dontaudit_list_tmpfs(clvmd_t)
|
fs_dontaudit_list_tmpfs(clvmd_t)
|
||||||
fs_dontaudit_read_removable_files(clvmd_t)
|
fs_dontaudit_read_removable_files(clvmd_t)
|
||||||
|
fs_rw_anon_inodefs_files(clvmd_t)
|
||||||
|
|
||||||
storage_dontaudit_getattr_removable_dev(clvmd_t)
|
storage_dontaudit_getattr_removable_dev(clvmd_t)
|
||||||
storage_manage_fixed_disk(clvmd_t)
|
storage_manage_fixed_disk(clvmd_t)
|
||||||
@ -168,7 +172,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
|||||||
# LVM will complain a lot if it cannot set its priority.
|
# LVM will complain a lot if it cannot set its priority.
|
||||||
allow lvm_t self:process setsched;
|
allow lvm_t self:process setsched;
|
||||||
allow lvm_t self:file rw_file_perms;
|
allow lvm_t self:file rw_file_perms;
|
||||||
allow lvm_t self:fifo_file rw_fifo_file_perms;
|
allow lvm_t self:fifo_file manage_fifo_file_perms;
|
||||||
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
|
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
|
|
||||||
@ -192,12 +196,12 @@ files_lock_filetrans(lvm_t, lvm_lock_t, file)
|
|||||||
|
|
||||||
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
|
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
|
||||||
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
|
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
|
||||||
files_var_lib_filetrans(lvm_t, lvm_var_lib_t,{ dir file })
|
files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
|
||||||
|
|
||||||
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
|
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
|
||||||
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
|
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
|
||||||
manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
|
manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
|
||||||
files_pid_filetrans(lvm_t, lvm_var_run_t,{ file sock_file })
|
files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
|
||||||
|
|
||||||
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
|
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
|
||||||
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
|
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
|
||||||
@ -214,6 +218,7 @@ kernel_read_kernel_sysctls(lvm_t)
|
|||||||
# it has no reason to need this
|
# it has no reason to need this
|
||||||
kernel_dontaudit_getattr_core_if(lvm_t)
|
kernel_dontaudit_getattr_core_if(lvm_t)
|
||||||
kernel_use_fds(lvm_t)
|
kernel_use_fds(lvm_t)
|
||||||
|
kernel_search_debugfs(lvm_t)
|
||||||
|
|
||||||
corecmd_exec_bin(lvm_t)
|
corecmd_exec_bin(lvm_t)
|
||||||
corecmd_exec_shell(lvm_t)
|
corecmd_exec_shell(lvm_t)
|
||||||
@ -255,6 +260,10 @@ fs_list_tmpfs(lvm_t)
|
|||||||
fs_read_tmpfs_symlinks(lvm_t)
|
fs_read_tmpfs_symlinks(lvm_t)
|
||||||
fs_dontaudit_read_removable_files(lvm_t)
|
fs_dontaudit_read_removable_files(lvm_t)
|
||||||
fs_dontaudit_getattr_tmpfs_files(lvm_t)
|
fs_dontaudit_getattr_tmpfs_files(lvm_t)
|
||||||
|
fs_rw_anon_inodefs_files(lvm_t)
|
||||||
|
|
||||||
|
mls_file_read_all_levels(lvm_t)
|
||||||
|
mls_file_write_to_clearance(lvm_t)
|
||||||
|
|
||||||
selinux_get_fs_mount(lvm_t)
|
selinux_get_fs_mount(lvm_t)
|
||||||
selinux_validate_context(lvm_t)
|
selinux_validate_context(lvm_t)
|
||||||
@ -274,9 +283,12 @@ storage_dev_filetrans_fixed_disk(lvm_t)
|
|||||||
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
|
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
|
||||||
storage_manage_fixed_disk(lvm_t)
|
storage_manage_fixed_disk(lvm_t)
|
||||||
|
|
||||||
|
term_use_all_terms(lvm_t)
|
||||||
|
|
||||||
init_use_fds(lvm_t)
|
init_use_fds(lvm_t)
|
||||||
init_dontaudit_getattr_initctl(lvm_t)
|
init_dontaudit_getattr_initctl(lvm_t)
|
||||||
init_use_script_ptys(lvm_t)
|
init_use_script_ptys(lvm_t)
|
||||||
|
init_read_script_state(lvm_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(lvm_t)
|
logging_send_syslog_msg(lvm_t)
|
||||||
|
|
||||||
@ -313,7 +325,9 @@ optional_policy(`
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(lvm_t)
|
dbus_system_bus_client(lvm_t)
|
||||||
|
|
||||||
hal_dbus_chat(lvm_t)
|
optional_policy(`
|
||||||
|
hal_dbus_chat(lvm_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -328,6 +342,10 @@ optional_policy(`
|
|||||||
udev_read_db(lvm_t)
|
udev_read_db(lvm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
virt_manage_images(lvm_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xen_append_log(lvm_t)
|
xen_append_log(lvm_t)
|
||||||
xen_dontaudit_rw_unix_stream_sockets(lvm_t)
|
xen_dontaudit_rw_unix_stream_sockets(lvm_t)
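Review bot: `mls_file_read_all_levels(lvm_t)` and `mls_file_write_to_clearance(lvm_t)` are MLS override privileges added without a justifying comment, unlike the neighbouring grants in this file (`# LVM will complain a lot if it cannot set its priority.`, `# Access raw devices and old /dev/lvm (c 109,0). Is this needed?`), so a later reader cannot tell whether lvm needs them for device nodes, metadata or something else. A one-line comment above them naming the operation that produced the denial, e.g. `# needed to reach <describe object> across sensitivity levels (<denial/ticket ref>)`, would keep the MLS override auditable. The same applies to the broad `term_use_all_terms(lvm_t)` and `virt_manage_images(lvm_t)` grants in the later hunks of this section.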
|
||||||
|
@ -85,6 +85,45 @@ interface(`miscfiles_read_fonts',`
|
|||||||
read_lnk_files_pattern($1, fonts_t, fonts_t)
|
read_lnk_files_pattern($1, fonts_t, fonts_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes on a fonts directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`miscfiles_setattr_fonts_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type fonts_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 fonts_t:dir setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to set the attributes
|
||||||
|
## on a fonts directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type fonts_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 fonts_t:dir setattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to write fonts.
|
## Do not audit attempts to write fonts.
|
||||||
@ -253,6 +292,25 @@ interface(`miscfiles_legacy_read_localization',`
|
|||||||
allow $1 locale_t:file execute;
|
allow $1 locale_t:file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search man pages.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`miscfiles_search_man_pages',`
|
||||||
|
gen_require(`
|
||||||
|
type man_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 man_t:dir search_dir_perms;
|
||||||
|
files_search_usr($1)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to search man pages.
|
## Do not audit attempts to search man pages.
|
||||||
@ -268,7 +326,7 @@ interface(`miscfiles_dontaudit_search_man_pages',`
|
|||||||
type man_t;
|
type man_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 man_t:dir search;
|
dontaudit $1 man_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -358,8 +416,8 @@ interface(`miscfiles_read_public_files',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
|
allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
|
||||||
read_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
|
read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
|
||||||
read_lnk_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
|
read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
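Review bot: The `<param name="domain">` summary of the new `miscfiles_search_man_pages` interface reads `## Domain to not audit.`, which is the wording for a dontaudit interface and does not match the `allow $1 man_t:dir search_dir_perms;` body; it should be `## Domain allowed access.`, as the new fonts interfaces in the first hunk of this section use. The interface doc is what the generated policy documentation shows, so the mismatch will mislead authors choosing between this and `miscfiles_dontaudit_search_man_pages`.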
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(miscfiles, 1.7.0)
|
policy_module(miscfiles, 1.7.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
|
|
||||||
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
|
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
|
||||||
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
|
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
|
||||||
|
/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_gentoo',`
|
ifdef(`distro_gentoo',`
|
||||||
# gentoo init scripts still manage this file
|
# gentoo init scripts still manage this file
|
||||||
|
@ -1,5 +1,23 @@
|
|||||||
## <summary>Policy for kernel module utilities</summary>
|
## <summary>Policy for kernel module utilities</summary>
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Getattr the dependencies of kernel modules.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`modutils_getattr_module_deps',`
|
||||||
|
gen_require(`
|
||||||
|
type modules_dep_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
getattr_files_pattern($1, modules_object_t, modules_dep_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read the dependencies of kernel modules.
|
## Read the dependencies of kernel modules.
|
||||||
@ -41,8 +59,8 @@ interface(`modutils_read_module_config',`
|
|||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
files_search_boot($1)
|
files_search_boot($1)
|
||||||
|
|
||||||
allow $1 modules_conf_t:file read_file_perms;
|
read_files_pattern($1, modules_conf_t, modules_conf_t)
|
||||||
allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
|
read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -61,7 +79,7 @@ interface(`modutils_rename_module_config',`
|
|||||||
type modules_conf_t;
|
type modules_conf_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 modules_conf_t:file rename_file_perms;
|
rename_files_pattern($1, modules_conf_t, modules_conf_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -80,7 +98,26 @@ interface(`modutils_delete_module_config',`
|
|||||||
type modules_conf_t;
|
type modules_conf_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 modules_conf_t:file unlink;
|
delete_files_pattern($1, modules_conf_t, modules_conf_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage files with the configuration options used when
|
||||||
|
## loading modules.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`modutils_manage_module_config',`
|
||||||
|
gen_require(`
|
||||||
|
type modules_conf_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, modules_conf_t, modules_conf_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
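Review bot: `modutils_getattr_module_deps` uses `modules_object_t` in `getattr_files_pattern($1, modules_object_t, modules_dep_t)` but its `gen_require` block only declares `type modules_dep_t;`, so the type is out of scope when the module is compiled on its own and the build fails on that line. Either add `type modules_object_t;` to the require block or, presumably matching how the existing dependency-reading interface of this file reaches the modules directory, go through the files module (`files_list_kernel_modules($1)`) and keep only `allow $1 modules_dep_t:file getattr;` here. The new interface's `##` header rule is also two characters shorter than the surrounding `########################################` rules, which is cosmetic but breaks the visual alignment of the file.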
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(modutils, 1.9.0)
|
policy_module(modutils, 1.9.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
bool secure_mode_insmod;
|
bool secure_mode_insmod;
|
||||||
@ -45,7 +45,7 @@ files_tmp_file(update_modules_tmp_t)
|
|||||||
can_exec(depmod_t, depmod_exec_t)
|
can_exec(depmod_t, depmod_exec_t)
|
||||||
|
|
||||||
# Read conf.modules.
|
# Read conf.modules.
|
||||||
allow depmod_t modules_conf_t:file read_file_perms;
|
read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
|
||||||
|
|
||||||
allow depmod_t modules_dep_t:file manage_file_perms;
|
allow depmod_t modules_dep_t:file manage_file_perms;
|
||||||
files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
|
files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
|
||||||
@ -82,8 +82,22 @@ ifdef(`distro_ubuntu',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
|
fs_read_nfs_files(depmod_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
|
fs_read_cifs_files(depmod_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_rw_pipes(depmod_t)
|
rpm_rw_pipes(depmod_t)
|
||||||
|
rpm_manage_script_tmp_files(depmod_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
# Read System.map from home directories.
|
||||||
|
unconfined_domain(depmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -91,19 +105,23 @@ optional_policy(`
|
|||||||
# insmod local policy
|
# insmod local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow insmod_t self:capability { dac_override net_raw sys_tty_config };
|
allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
|
||||||
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
||||||
|
|
||||||
allow insmod_t self:udp_socket create_socket_perms;
|
allow insmod_t self:udp_socket create_socket_perms;
|
||||||
allow insmod_t self:rawip_socket create_socket_perms;
|
allow insmod_t self:rawip_socket create_socket_perms;
|
||||||
|
|
||||||
# Read module config and dependency information
|
# Read module config and dependency information
|
||||||
allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms;
|
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
|
||||||
|
read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
|
||||||
|
list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
|
||||||
|
read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
|
||||||
|
|
||||||
can_exec(insmod_t, insmod_exec_t)
|
can_exec(insmod_t, insmod_exec_t)
|
||||||
|
|
||||||
kernel_load_module(insmod_t)
|
kernel_load_module(insmod_t)
|
||||||
kernel_read_system_state(insmod_t)
|
kernel_read_system_state(insmod_t)
|
||||||
|
kernel_read_network_state(insmod_t)
|
||||||
kernel_write_proc_files(insmod_t)
|
kernel_write_proc_files(insmod_t)
|
||||||
kernel_mount_debugfs(insmod_t)
|
kernel_mount_debugfs(insmod_t)
|
||||||
kernel_mount_kvmfs(insmod_t)
|
kernel_mount_kvmfs(insmod_t)
|
||||||
@ -112,6 +130,7 @@ kernel_read_debugfs(insmod_t)
|
|||||||
kernel_read_kernel_sysctls(insmod_t)
|
kernel_read_kernel_sysctls(insmod_t)
|
||||||
kernel_rw_kernel_sysctl(insmod_t)
|
kernel_rw_kernel_sysctl(insmod_t)
|
||||||
kernel_read_hotplug_sysctls(insmod_t)
|
kernel_read_hotplug_sysctls(insmod_t)
|
||||||
|
kernel_setsched(insmod_t)
|
||||||
|
|
||||||
corecmd_exec_bin(insmod_t)
|
corecmd_exec_bin(insmod_t)
|
||||||
corecmd_exec_shell(insmod_t)
|
corecmd_exec_shell(insmod_t)
|
||||||
@ -124,9 +143,6 @@ dev_rw_agp(insmod_t)
|
|||||||
dev_read_sound(insmod_t)
|
dev_read_sound(insmod_t)
|
||||||
dev_write_sound(insmod_t)
|
dev_write_sound(insmod_t)
|
||||||
dev_rw_apm_bios(insmod_t)
|
dev_rw_apm_bios(insmod_t)
|
||||||
# cjp: why is this needed? insmod cannot mounton any dir
|
|
||||||
# and it also transitions to mount
|
|
||||||
dev_mount_usbfs(insmod_t)
|
|
||||||
|
|
||||||
domain_signal_all_domains(insmod_t)
|
domain_signal_all_domains(insmod_t)
|
||||||
domain_use_interactive_fds(insmod_t)
|
domain_use_interactive_fds(insmod_t)
|
||||||
@ -159,16 +175,25 @@ seutil_read_file_contexts(insmod_t)
|
|||||||
|
|
||||||
userdom_use_user_terminals(insmod_t)
|
userdom_use_user_terminals(insmod_t)
|
||||||
|
|
||||||
ifdef(`distro_ubuntu',`
|
userdom_dontaudit_search_user_home_dirs(insmod_t)
|
||||||
optional_policy(`
|
|
||||||
unconfined_domain(insmod_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
if( ! secure_mode_insmod ) {
|
if( ! secure_mode_insmod ) {
|
||||||
kernel_domtrans_to(insmod_t, insmod_exec_t)
|
kernel_domtrans_to(insmod_t, insmod_exec_t)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
alsa_domtrans(insmod_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
firstboot_dontaudit_rw_pipes(insmod_t)
|
||||||
|
firstboot_dontaudit_rw_stream_sockets(insmod_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
hal_write_log(insmod_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
hotplug_search_config(insmod_t)
|
hotplug_search_config(insmod_t)
|
||||||
')
|
')
|
||||||
@ -205,7 +230,7 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_dontaudit_rw_pipes(insmod_t)
|
unconfined_domain(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -228,7 +253,7 @@ can_exec(update_modules_t, insmod_exec_t)
|
|||||||
can_exec(update_modules_t, update_modules_exec_t)
|
can_exec(update_modules_t, update_modules_exec_t)
|
||||||
|
|
||||||
# manage module loading configuration
|
# manage module loading configuration
|
||||||
allow update_modules_t modules_conf_t:file manage_file_perms;
|
manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
|
||||||
files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
|
files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
|
||||||
files_etc_filetrans(update_modules_t, modules_conf_t, file)
|
files_etc_filetrans(update_modules_t, modules_conf_t, file)
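Review bot: `unconfined_domain(depmod_t)` under the comment `# Read System.map from home directories.` grants depmod the entire unconfined permission set to solve a file-read problem; the narrower `userdom_read_user_home_content_files(depmod_t)`, together with the `fs_read_nfs_files`/`fs_read_cifs_files` tunables added just above it, covers the stated need without making a tool that parses module metadata unconfined. Similarly, `unconfined_domain(insmod_t)` in the `@ -205,7 +230,7` hunk replaces `unconfined_dontaudit_rw_pipes(insmod_t)` and is no longer limited to the `distro_ubuntu` block that the earlier hunk removes, so insmod_t becomes unconfined on every distribution that loads the unconfined module. If that widening is intended, a comment stating why should accompany it, since the `secure_mode_insmod` boolean below it suggests the domain was meant to stay confinable.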
|
||||||
|
|
||||||
|
@ -1,3 +1,4 @@
|
|||||||
|
/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
|
||||||
|
|
||||||
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
||||||
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
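Review bot: The new entry `/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)` leaves both dots unescaped, so as a regular expression it also matches names such as `/dev/xmdadmymap`; every other file context on this page escapes literal dots (`/var/log/evtchnd\.log`, `/etc/modprobe\.conf.*`). Write it as `/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_map_t,s0)`.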
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(raid, 1.9.0)
|
policy_module(raid, 1.9.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -11,6 +11,9 @@ type mdadm_exec_t;
|
|||||||
init_daemon_domain(mdadm_t, mdadm_exec_t)
|
init_daemon_domain(mdadm_t, mdadm_exec_t)
|
||||||
role system_r types mdadm_t;
|
role system_r types mdadm_t;
|
||||||
|
|
||||||
|
type mdadm_map_t;
|
||||||
|
files_type(mdadm_map_t)
|
||||||
|
|
||||||
type mdadm_var_run_t;
|
type mdadm_var_run_t;
|
||||||
files_pid_file(mdadm_var_run_t)
|
files_pid_file(mdadm_var_run_t)
|
||||||
|
|
||||||
@ -24,6 +27,10 @@ dontaudit mdadm_t self:capability sys_tty_config;
|
|||||||
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
|
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
|
||||||
allow mdadm_t self:fifo_file rw_fifo_file_perms;
|
allow mdadm_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
|
# create .mdadm files in /dev
|
||||||
|
allow mdadm_t mdadm_map_t:file manage_file_perms;
|
||||||
|
dev_filetrans(mdadm_t, mdadm_map_t, file)
|
||||||
|
|
||||||
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
||||||
files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
|
files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
|
||||||
|
|
||||||
|
@ -1,5 +1,24 @@
|
|||||||
## <summary>SELinux MLS/MCS label translation service.</summary>
|
## <summary>SELinux MLS/MCS label translation service.</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute setrans server in the setrans domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
#
|
||||||
|
interface(`setrans_initrc_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type setrans_initrc_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, setrans_initrc_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow a domain to translate contexts.
|
## Allow a domain to translate contexts.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(setrans, 1.6.0)
|
policy_module(setrans, 1.6.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class context contains;
|
class context contains;
|
||||||
|
@ -6,8 +6,11 @@
|
|||||||
|
|
||||||
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
|
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
|
||||||
|
|
||||||
|
/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
|
||||||
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
|
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
|
||||||
|
|
||||||
|
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
|
||||||
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
|
/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
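Review bot: `/etc/udev/rules.d(/.*)?` is labelled `udev_var_run_t`, the same type as udev's runtime pid data, which makes persistent rule files under /etc indistinguishable from transient state: any domain given write access to udev's pid files (including through the new `udev_manage_pid_files` interface in udev.if) can also place rules that udev acts on with root privilege. If the rules directory must be writable by udev itself (generated persistent rules, for instance), a dedicated type such as `<udev_rules_type_placeholder>` with its own narrow interface keeps that write path auditable; at minimum a comment on this line should state why the pid type was chosen.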
|
||||||
|
@ -1,5 +1,23 @@
|
|||||||
## <summary>Policy for udev.</summary>
|
## <summary>Policy for udev.</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send generic signals to udev.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`udev_signal',`
|
||||||
|
gen_require(`
|
||||||
|
type udev_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 udev_t:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute udev in the udev domain.
|
## Execute udev in the udev domain.
|
||||||
@ -169,3 +187,23 @@ interface(`udev_rw_db',`
|
|||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 udev_tbl_t:file rw_file_perms;
|
allow $1 udev_tbl_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
## udev pid files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`udev_manage_pid_files',`
|
||||||
|
gen_require(`
|
||||||
|
type udev_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
|
||||||
|
')
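Review bot: `udev_manage_pid_files` calls `files_search_var_lib($1)` before `manage_files_pattern($1, udev_var_run_t, udev_var_run_t)`, but udev_var_run_t is the type udev creates through `files_pid_filetrans` in udev.te, so callers need to reach /var/run rather than /var/lib; the search should be `files_search_pids($1)`, as `xen_stream_connect` does for xend_var_run_t further down this page. As written a caller gets an unrelated directory search and, without separate /var/run access, still cannot open the files it was granted.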
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(udev, 1.11.0)
|
policy_module(udev, 1.11.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -66,9 +66,11 @@ dev_filetrans(udev_t, udev_tbl_t, file)
|
|||||||
|
|
||||||
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
|
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
|
||||||
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
|
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
|
||||||
|
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
|
||||||
files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
|
files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
|
||||||
|
|
||||||
kernel_read_system_state(udev_t)
|
kernel_read_system_state(udev_t)
|
||||||
|
kernel_request_load_module(udev_t)
|
||||||
kernel_getattr_core_if(udev_t)
|
kernel_getattr_core_if(udev_t)
|
||||||
kernel_use_fds(udev_t)
|
kernel_use_fds(udev_t)
|
||||||
kernel_read_device_sysctls(udev_t)
|
kernel_read_device_sysctls(udev_t)
|
||||||
@ -111,6 +113,7 @@ files_search_mnt(udev_t)
|
|||||||
|
|
||||||
fs_getattr_all_fs(udev_t)
|
fs_getattr_all_fs(udev_t)
|
||||||
fs_list_inotifyfs(udev_t)
|
fs_list_inotifyfs(udev_t)
|
||||||
|
fs_rw_anon_inodefs_files(udev_t)
|
||||||
|
|
||||||
mcs_ptrace_all(udev_t)
|
mcs_ptrace_all(udev_t)
|
||||||
|
|
||||||
@ -140,6 +143,7 @@ logging_send_syslog_msg(udev_t)
|
|||||||
logging_send_audit_msgs(udev_t)
|
logging_send_audit_msgs(udev_t)
|
||||||
|
|
||||||
miscfiles_read_localization(udev_t)
|
miscfiles_read_localization(udev_t)
|
||||||
|
miscfiles_read_hwdata(udev_t)
|
||||||
|
|
||||||
modutils_domtrans_insmod(udev_t)
|
modutils_domtrans_insmod(udev_t)
|
||||||
# read modules.inputmap:
|
# read modules.inputmap:
|
||||||
@ -193,6 +197,10 @@ optional_policy(`
|
|||||||
alsa_read_rw_config(udev_t)
|
alsa_read_rw_config(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
bluetooth_domtrans(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
brctl_domtrans(udev_t)
|
brctl_domtrans(udev_t)
|
||||||
')
|
')
|
||||||
@ -205,10 +213,19 @@ optional_policy(`
|
|||||||
consoletype_exec(udev_t)
|
consoletype_exec(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cups_domtrans_config(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(udev_t)
|
dbus_system_bus_client(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
devicekit_read_pid_files(udev_t)
|
||||||
|
devicekit_dgram_send(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
lvm_domtrans(udev_t)
|
lvm_domtrans(udev_t)
|
||||||
')
|
')
|
||||||
@ -227,6 +244,10 @@ optional_policy(`
|
|||||||
hotplug_search_pids(udev_t)
|
hotplug_search_pids(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mount_domtrans(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
openct_read_pid_files(udev_t)
|
openct_read_pid_files(udev_t)
|
||||||
openct_domtrans(udev_t)
|
openct_domtrans(udev_t)
|
||||||
@ -241,6 +262,14 @@ optional_policy(`
|
|||||||
raid_domtrans_mdadm(udev_t)
|
raid_domtrans_mdadm(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
unconfined_signal(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
vbetool_domtrans(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kernel_write_xen_state(udev_t)
|
kernel_write_xen_state(udev_t)
|
||||||
kernel_read_xen_state(udev_t)
|
kernel_read_xen_state(udev_t)
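Review bot: `manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)` is added while the `files_pid_filetrans(udev_t, udev_var_run_t, { dir file })` line below it stays at `{ dir file }`, so a symlink udev creates directly in /var/run would not be labelled udev_var_run_t and the new rule would not apply to it; if udev only writes symlinks inside its own udev_var_run_t directory this is fine, otherwise add `lnk_file` to the filetrans class list. The later hunks also add several transitions out of udev_t (`bluetooth_domtrans`, `cups_domtrans_config`, `mount_domtrans`, `vbetool_domtrans`) without the `#` note this file otherwise uses to say which helper needs them (cf. `# read modules.inputmap:`), which makes them hard to retire later.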
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(unconfined, 3.0.1)
|
policy_module(unconfined, 3.1.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain, 4.2.4)
|
policy_module(userdomain, 4.3.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
|
/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
||||||
/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
||||||
@ -19,14 +21,18 @@ ifdef(`distro_debian',`
|
|||||||
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
||||||
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
|
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
|
||||||
|
|
||||||
|
/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
|
||||||
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
|
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||||
/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||||
/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||||
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
||||||
|
|
||||||
|
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
|
||||||
|
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
|
||||||
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
|
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
|
||||||
/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
|
/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
|
||||||
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
|
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
|
||||||
|
/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
|
||||||
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
|
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
|
||||||
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
|
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
|
||||||
|
|
||||||
|
@ -71,7 +71,30 @@ interface(`xen_read_image_files',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_list_var_lib($1)
|
files_list_var_lib($1)
|
||||||
read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
|
|
||||||
|
list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
|
||||||
|
read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the specified domain to read/write
|
||||||
|
## xend image files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`xen_rw_image_files',`
|
||||||
|
gen_require(`
|
||||||
|
type xen_image_t, xend_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_list_var_lib($1)
|
||||||
|
allow $1 xend_var_lib_t:dir search_dir_perms;
|
||||||
|
rw_files_pattern($1, xen_image_t, xen_image_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -167,11 +190,14 @@ interface(`xen_stream_connect_xenstore',`
|
|||||||
#
|
#
|
||||||
interface(`xen_stream_connect',`
|
interface(`xen_stream_connect',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type xend_t, xend_var_run_t;
|
type xend_t, xend_var_run_t, xend_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
|
stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
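Review bot: The `<param>` summary of the new `xen_rw_image_files` interface reads `## Domain allowed to transition.`, which looks copied from a domtrans interface; this interface grants read/write on xen_image_t (the guest disk images), not a domain transition, so it should say `## Domain allowed access.` so callers see exactly what they are being granted. The raw rule `allow $1 xend_var_lib_t:dir search_dir_perms;` would also read more consistently with the sibling `xen_read_image_files` as `search_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)`. Because write access to VM images is a broad grant, the interface summary could also say that it is meant for virtualization management domains only — hedged, since the intended callers are outside this diff.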