Merge branch 'master' into xselinux

This commit is contained in:
Chris PeBenito 2009-12-03 10:13:41 -05:00
commit e331a05c77
102 changed files with 2152 additions and 189 deletions

View File

@ -1,6 +1,7 @@
* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
- Add separate x_pointer and x_keyboard classes inheriting from x_device. - Add separate x_pointer and x_keyboard classes inheriting from x_device.
From Eamon Walsh. From Eamon Walsh.
- Deprecated the userdom_xwindwos_client_template(). - Deprecated the userdom_xwindows_client_template().
- Misc Gentoo fixes from Corentin Labbe. - Misc Gentoo fixes from Corentin Labbe.
- Debian policykit fixes from Martin Orr. - Debian policykit fixes from Martin Orr.
- Fix unconfined_r use of unconfined_java_t. - Fix unconfined_r use of unconfined_java_t.
@ -19,9 +20,11 @@
kdump (Dan Walsh) kdump (Dan Walsh)
modemmanager(Dan Walsh) modemmanager(Dan Walsh)
nslcd (Dan Walsh) nslcd (Dan Walsh)
puppet (Craig Grube)
rtkit (Dan Walsh) rtkit (Dan Walsh)
seunshare (Dan Walsh) seunshare (Dan Walsh)
shorewall (Dan Walsh) shorewall (Dan Walsh)
tgtd (Matthew Ife)
tuned (Miroslav Grepl) tuned (Miroslav Grepl)
xscreensaver (Corentin Labbe) xscreensaver (Corentin Labbe)

View File

@ -1 +1 @@
2.20090730 2.20091117

View File

@ -376,6 +376,7 @@ class system
syslog_read syslog_read
syslog_mod syslog_mod
syslog_console syslog_console
module_request
} }
# #

View File

@ -1,5 +1,5 @@
policy_module(certwatch, 1.4.1) policy_module(certwatch, 1.5.0)
######################################## ########################################
# #

View File

@ -1,3 +1,5 @@
HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) /usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(kismet, 1.3.1) policy_module(kismet, 1.4.1)
######################################## ########################################
# #
@ -11,6 +11,9 @@ type kismet_exec_t;
application_domain(kismet_t, kismet_exec_t) application_domain(kismet_t, kismet_exec_t)
role system_r types kismet_t; role system_r types kismet_t;
type kismet_home_t;
userdom_user_home_content(kismet_home_t)
type kismet_log_t; type kismet_log_t;
logging_log_file(kismet_log_t) logging_log_file(kismet_log_t)
@ -39,6 +42,11 @@ allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
allow kismet_t self:unix_stream_socket create_stream_socket_perms; allow kismet_t self:unix_stream_socket create_stream_socket_perms;
allow kismet_t self:tcp_socket create_stream_socket_perms; allow kismet_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
allow kismet_t kismet_log_t:dir setattr; allow kismet_t kismet_log_t:dir setattr;
logging_log_filetrans(kismet_t, kismet_log_t, { file dir }) logging_log_filetrans(kismet_t, kismet_log_t, { file dir })

View File

@ -1,5 +1,5 @@
policy_module(mrtg, 1.7.1) policy_module(mrtg, 1.8.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(portage, 1.8.1) policy_module(portage, 1.9.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(prelink, 1.7.1) policy_module(prelink, 1.8.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(readahead, 1.9.1) policy_module(readahead, 1.10.0)
######################################## ########################################
# #

View File

@ -19,6 +19,8 @@ application_domain(tzdata_t, tzdata_exec_t)
files_read_etc_files(tzdata_t) files_read_etc_files(tzdata_t)
files_search_spool(tzdata_t) files_search_spool(tzdata_t)
fs_getattr_xattr_fs(tzdata_t)
term_dontaudit_list_ptys(tzdata_t) term_dontaudit_list_ptys(tzdata_t)
locallogin_dontaudit_use_fds(tzdata_t) locallogin_dontaudit_use_fds(tzdata_t)

View File

@ -1,5 +1,5 @@
policy_module(usermanage, 1.13.1) policy_module(usermanage, 1.14.0)
######################################## ########################################
# #
@ -242,6 +242,10 @@ optional_policy(`
nscd_domtrans(groupadd_t) nscd_domtrans(groupadd_t)
') ')
optional_policy(`
puppet_rw_tmp(groupadd_t)
')
optional_policy(` optional_policy(`
rpm_use_fds(groupadd_t) rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t) rpm_rw_pipes(groupadd_t)
@ -520,6 +524,10 @@ optional_policy(`
nscd_domtrans(useradd_t) nscd_domtrans(useradd_t)
') ')
optional_policy(`
puppet_rw_tmp(useradd_t)
')
optional_policy(` optional_policy(`
rpm_use_fds(useradd_t) rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t) rpm_rw_pipes(useradd_t)

View File

@ -1,5 +1,5 @@
policy_module(vpn, 1.11.1) policy_module(vpn, 1.12.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(awstats, 1.1.1) policy_module(awstats, 1.2.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(calamaris, 1.5.0) policy_module(calamaris, 1.5.1)
######################################## ########################################
# #
@ -59,12 +59,12 @@ files_read_etc_runtime_files(calamaris_t)
libs_read_lib_files(calamaris_t) libs_read_lib_files(calamaris_t)
auth_use_nsswitch(calamaris_t)
logging_send_syslog_msg(calamaris_t) logging_send_syslog_msg(calamaris_t)
miscfiles_read_localization(calamaris_t) miscfiles_read_localization(calamaris_t)
sysnet_read_config(calamaris_t)
userdom_dontaudit_list_user_home_dirs(calamaris_t) userdom_dontaudit_list_user_home_dirs(calamaris_t)
squid_read_log(calamaris_t) squid_read_log(calamaris_t)
@ -80,7 +80,3 @@ optional_policy(`
optional_policy(` optional_policy(`
mta_send_mail(calamaris_t) mta_send_mail(calamaris_t)
') ')
optional_policy(`
nis_use_ypbind(calamaris_t)
')

View File

@ -1,5 +1,5 @@
policy_module(cdrecord, 2.1.1) policy_module(cdrecord, 2.2.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(cpufreqselector, 1.0.1) policy_module(cpufreqselector, 1.1.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(gpg, 2.1.1) policy_module(gpg, 2.2.1)
######################################## ########################################
# #
@ -104,11 +104,36 @@ files_dontaudit_search_var(gpg_t)
auth_use_nsswitch(gpg_t) auth_use_nsswitch(gpg_t)
miscfiles_read_localization(gpg_t)
logging_send_syslog_msg(gpg_t) logging_send_syslog_msg(gpg_t)
miscfiles_read_localization(gpg_t)
userdom_use_user_terminals(gpg_t) userdom_use_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
mta_write_config(gpg_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_t)
fs_manage_nfs_files(gpg_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(gpg_t)
fs_manage_cifs_files(gpg_t)
')
optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
')
optional_policy(`
cron_system_entry(gpg_t, gpg_exec_t)
cron_read_system_job_tmp_files(gpg_t)
')
######################################## ########################################
# #
@ -146,23 +171,13 @@ files_read_etc_files(gpg_helper_t)
auth_use_nsswitch(gpg_helper_t) auth_use_nsswitch(gpg_helper_t)
userdom_use_user_terminals(gpg_helper_t) userdom_use_user_terminals(gpg_helper_t)
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_t) fs_dontaudit_rw_nfs_files(gpg_helper_t)
fs_manage_nfs_files(gpg_t)
') ')
tunable_policy(`use_samba_home_dirs',` tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(gpg_t) fs_dontaudit_rw_cifs_files(gpg_helper_t)
fs_manage_cifs_files(gpg_t)
')
optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(java, 2.1.1) policy_module(java, 2.2.0)
######################################## ########################################
# #

View File

@ -45,6 +45,12 @@ interface(`mozilla_role',`
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
mozilla_dbus_chat($2)
optional_policy(`
pulseaudio_role($1, mozilla_t)
')
') ')
######################################## ########################################
@ -64,6 +70,7 @@ interface(`mozilla_read_user_home_files',`
allow $1 mozilla_home_t:dir list_dir_perms; allow $1 mozilla_home_t:dir list_dir_perms;
allow $1 mozilla_home_t:file read_file_perms; allow $1 mozilla_home_t:file read_file_perms;
allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
userdom_search_user_home_dirs($1) userdom_search_user_home_dirs($1)
') ')
@ -86,6 +93,43 @@ interface(`mozilla_write_user_home_files',`
userdom_search_user_home_dirs($1) userdom_search_user_home_dirs($1)
') ')
########################################
## <summary>
## Dontaudit attempts to read/write mozilla home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mozilla_dontaudit_rw_user_home_files',`
gen_require(`
type mozilla_home_t;
')
dontaudit $1 mozilla_home_t:file rw_file_perms;
')
########################################
## <summary>
## Dontaudit attempts to write mozilla home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mozilla_dontaudit_manage_user_home_files',`
gen_require(`
type mozilla_home_t;
')
dontaudit $1 mozilla_home_t:dir manage_dir_perms;
dontaudit $1 mozilla_home_t:file manage_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Run mozilla in the mozilla domain. ## Run mozilla in the mozilla domain.

View File

@ -1,5 +1,5 @@
policy_module(mozilla, 2.1.0) policy_module(mozilla, 2.1.1)
######################################## ########################################
# #
@ -59,6 +59,7 @@ manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
userdom_search_user_home_dirs(mozilla_t) userdom_search_user_home_dirs(mozilla_t)
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
# Mozpluggerrc # Mozpluggerrc
allow mozilla_t mozilla_conf_t:file read_file_perms; allow mozilla_t mozilla_conf_t:file read_file_perms;
@ -75,7 +76,7 @@ kernel_read_network_state(mozilla_t)
kernel_read_system_state(mozilla_t) kernel_read_system_state(mozilla_t)
kernel_read_net_sysctls(mozilla_t) kernel_read_net_sysctls(mozilla_t)
# Look for plugins # Look for plugins
corecmd_list_bin(mozilla_t) corecmd_list_bin(mozilla_t)
# for bash - old mozilla binary # for bash - old mozilla binary
corecmd_exec_shell(mozilla_t) corecmd_exec_shell(mozilla_t)
@ -97,6 +98,7 @@ corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_tcp_connect_ftp_port(mozilla_t) corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_connect_ipp_port(mozilla_t) corenet_tcp_connect_ipp_port(mozilla_t)
corenet_tcp_connect_generic_port(mozilla_t) corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
corenet_sendrecv_http_client_packets(mozilla_t) corenet_sendrecv_http_client_packets(mozilla_t)
corenet_sendrecv_http_cache_client_packets(mozilla_t) corenet_sendrecv_http_cache_client_packets(mozilla_t)
corenet_sendrecv_ftp_client_packets(mozilla_t) corenet_sendrecv_ftp_client_packets(mozilla_t)
@ -114,6 +116,8 @@ dev_read_sound(mozilla_t)
dev_dontaudit_rw_dri(mozilla_t) dev_dontaudit_rw_dri(mozilla_t)
dev_getattr_sysfs_dirs(mozilla_t) dev_getattr_sysfs_dirs(mozilla_t)
domain_dontaudit_read_all_domains_state(mozilla_t)
files_read_etc_runtime_files(mozilla_t) files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t) files_read_usr_files(mozilla_t)
files_read_etc_files(mozilla_t) files_read_etc_files(mozilla_t)
@ -231,6 +235,10 @@ optional_policy(`
optional_policy(` optional_policy(`
dbus_system_bus_client(mozilla_t) dbus_system_bus_client(mozilla_t)
dbus_session_bus_client(mozilla_t) dbus_session_bus_client(mozilla_t)
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
')
') ')
optional_policy(` optional_policy(`

View File

@ -1,5 +1,5 @@
policy_module(podsleuth, 1.2.0) policy_module(podsleuth, 1.2.1)
######################################## ########################################
# #
@ -71,6 +71,8 @@ miscfiles_read_localization(podsleuth_t)
sysnet_dns_name_resolve(podsleuth_t) sysnet_dns_name_resolve(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
optional_policy(` optional_policy(`
dbus_system_bus_client(podsleuth_t) dbus_system_bus_client(podsleuth_t)

View File

@ -1,5 +1,5 @@
policy_module(pulseaudio, 1.0.1) policy_module(pulseaudio, 1.1.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(qemu, 1.2.1) policy_module(qemu, 1.3.0)
######################################## ########################################
# #

View File

@ -80,6 +80,11 @@ template(`screen_role_template',`
relabel_files_pattern($3, screen_home_t, screen_home_t) relabel_files_pattern($3, screen_home_t, screen_home_t)
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
kernel_read_system_state($1_screen_t) kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t) kernel_read_kernel_sysctls($1_screen_t)

View File

@ -1,5 +1,5 @@
policy_module(screen, 2.1.1) policy_module(screen, 2.2.1)
######################################## ########################################
# #

View File

@ -41,6 +41,14 @@ interface(`seunshare_run',`
seunshare_domtrans($1) seunshare_domtrans($1)
role $2 types seunshare_t; role $2 types seunshare_t;
allow $1 seunshare_t:process signal_perms;
ifdef(`hide_broken_symptoms', `
dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
dontaudit seunshare_t $1:udp_socket rw_socket_perms;
dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
')
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(seunshare, 1.0.0) policy_module(seunshare, 1.0.1)
######################################## ########################################
# #
@ -16,7 +16,7 @@ role system_r types seunshare_t;
# seunshare local policy # seunshare local policy
# #
allow seunshare_t self:capability setpcap; allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
allow seunshare_t self:process { setexec signal getcap setcap }; allow seunshare_t self:process { setexec signal getcap setcap };
allow seunshare_t self:fifo_file rw_file_perms; allow seunshare_t self:fifo_file rw_file_perms;
@ -30,6 +30,16 @@ files_mounton_all_poly_members(seunshare_t)
auth_use_nsswitch(seunshare_t) auth_use_nsswitch(seunshare_t)
logging_send_syslog_msg(seunshare_t)
miscfiles_read_localization(seunshare_t) miscfiles_read_localization(seunshare_t)
userdom_use_user_terminals(seunshare_t) userdom_use_user_terminals(seunshare_t)
ifdef(`hide_broken_symptoms', `
fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
optional_policy(`
mozilla_dontaudit_manage_user_home_files(seunshare_t)
')
')

View File

@ -1,5 +1,5 @@
policy_module(vmware, 2.1.1) policy_module(vmware, 2.2.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(webalizer, 1.9.1) policy_module(webalizer, 1.10.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(wireshark, 2.0.1) policy_module(wireshark, 2.1.0)
######################################## ########################################
# #

View File

@ -54,6 +54,8 @@ ifdef(`distro_redhat',`
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
@ -123,8 +125,9 @@ ifdef(`distro_gentoo',`
# #
/sbin -d gen_context(system_u:object_r:bin_t,s0) /sbin -d gen_context(system_u:object_r:bin_t,s0)
/sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
# #
# /opt # /opt
@ -135,7 +138,6 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -211,6 +213,8 @@ ifdef(`distro_gentoo',`
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@ -220,7 +224,10 @@ ifdef(`distro_gentoo',`
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -263,6 +270,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)

View File

@ -447,7 +447,7 @@ interface(`corecmd_bin_domtrans',`
type bin_t; type bin_t;
') ')
corecmd_bin_spec_domtrans($1,$2) corecmd_bin_spec_domtrans($1, $2)
type_transition $1 bin_t:process $2; type_transition $1 bin_t:process $2;
') ')

View File

@ -1,5 +1,5 @@
policy_module(corecommands, 1.12.0) policy_module(corecommands, 1.12.1)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(corenetwork, 1.12.1) policy_module(corenetwork, 1.13.0)
######################################## ########################################
# #
@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(printer, tcp,515,s0) network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0) network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0) network_port(pulseaudio, tcp,4713,s0)
network_port(puppet, tcp, 8140, s0)
network_port(pxe, udp,4011,s0) network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0) network_port(pyzor, udp,24441,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radacct, udp,1646,s0, udp,1813,s0)

View File

@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) /dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0)
/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) /dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
@ -61,10 +63,12 @@
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
@ -82,6 +86,7 @@
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0)
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
@ -101,7 +106,8 @@ ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
') ')
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
@ -168,6 +174,7 @@ ifdef(`distro_gentoo',`
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# originally from named.fc # originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)

View File

@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',`
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
relabelfrom_fifo_files_pattern($1, device_t, device_node) relabelfrom_fifo_files_pattern($1, device_t, device_node)
relabelfrom_sock_files_pattern($1, device_t, device_node) relabelfrom_sock_files_pattern($1, device_t, device_node)
relabel_blk_files_pattern($1, device_t,{ device_t device_node }) relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t,{ device_t device_node }) relabel_chr_files_pattern($1, device_t, { device_t device_node })
') ')
######################################## ########################################
@ -1690,6 +1690,78 @@ interface(`dev_read_kmsg',`
read_chr_files_pattern($1, device_t, kmsg_device_t) read_chr_files_pattern($1, device_t, kmsg_device_t)
') ')
########################################
## <summary>
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_ksm_dev',`
gen_require(`
type device_t, ksm_device_t;
')
getattr_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Set the attributes of the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_ksm_dev',`
gen_require(`
type device_t, ksm_device_t;
')
setattr_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Read the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_ksm',`
gen_require(`
type device_t, ksm_device_t;
')
read_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Read and write to ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_ksm',`
gen_require(`
type device_t, ksm_device_t;
')
rw_chr_files_pattern($1, device_t, ksm_device_t)
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the kvm devices. ## Get the attributes of the kvm devices.
@ -1762,6 +1834,61 @@ interface(`dev_rw_kvm',`
rw_chr_files_pattern($1, device_t, kvm_device_t) rw_chr_files_pattern($1, device_t, kvm_device_t)
') ')
######################################
## <summary>
## Read the lirc device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
read_chr_files_pattern($1, device_t, lirc_device_t)
')
######################################
## <summary>
## Read and write the lirc device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
rw_chr_files_pattern($1, device_t, lirc_device_t)
')
######################################
## <summary>
## Automatic type transition to the type
## for lirc device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_filetrans_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
filetrans_pattern($1, device_t, lirc_device_t, chr_file)
')
######################################## ########################################
## <summary> ## <summary>
## Read the lvm comtrol device. ## Read the lvm comtrol device.
@ -1798,6 +1925,24 @@ interface(`dev_rw_lvm_control',`
rw_chr_files_pattern($1, device_t, lvm_control_t) rw_chr_files_pattern($1, device_t, lvm_control_t)
') ')
########################################
## <summary>
## Do not audit attempts to read and write lvm control device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_lvm_control',`
gen_require(`
type lvm_control_t;
')
dontaudit $1 lvm_control_t:chr_file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Delete the lvm control device. ## Delete the lvm control device.
@ -2044,6 +2189,78 @@ interface(`dev_dontaudit_rw_misc',`
dontaudit $1 misc_device_t:chr_file rw_file_perms; dontaudit $1 misc_device_t:chr_file rw_file_perms;
') ')
########################################
## <summary>
## Get the attributes of the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_modem_dev',`
gen_require(`
type device_t, modem_device_t;
')
getattr_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Set the attributes of the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_modem_dev',`
gen_require(`
type device_t, modem_device_t;
')
setattr_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Read the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_modem',`
gen_require(`
type device_t, modem_device_t;
')
read_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Read and write to modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_modem',`
gen_require(`
type device_t, modem_device_t;
')
rw_chr_files_pattern($1, device_t, modem_device_t)
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the mouse devices. ## Get the attributes of the mouse devices.
@ -2303,6 +2520,24 @@ interface(`dev_setattr_null_dev',`
setattr_chr_files_pattern($1, device_t, null_device_t) setattr_chr_files_pattern($1, device_t, null_device_t)
') ')
########################################
## <summary>
## Delete the null device (/dev/null).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_null',`
gen_require(`
type device_t, null_device_t;
')
delete_chr_files_pattern($1, device_t, null_device_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read and write to the null device (/dev/null). ## Read and write to the null device (/dev/null).
@ -3597,6 +3832,24 @@ interface(`dev_write_watchdog',`
write_chr_files_pattern($1, device_t, watchdog_device_t) write_chr_files_pattern($1, device_t, watchdog_device_t)
') ')
########################################
## <summary>
## Read and write the the wireless device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_wireless',`
gen_require(`
type device_t, wireless_device_t;
')
rw_chr_files_pattern($1, device_t, wireless_device_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read and write Xen devices. ## Read and write Xen devices.

View File

@ -1,5 +1,5 @@
policy_module(devices, 1.8.2) policy_module(devices, 1.9.1)
######################################## ########################################
# #
@ -83,6 +83,12 @@ dev_node(ipmi_device_t)
type kmsg_device_t; type kmsg_device_t;
dev_node(kmsg_device_t) dev_node(kmsg_device_t)
#
# ksm_device_t is the type of /dev/ksm
#
type ksm_device_t;
dev_node(ksm_device_t)
# #
# kvm_device_t is the type of # kvm_device_t is the type of
# /dev/kvm # /dev/kvm
@ -90,6 +96,12 @@ dev_node(kmsg_device_t)
type kvm_device_t; type kvm_device_t;
dev_node(kvm_device_t) dev_node(kvm_device_t)
#
# Type for /dev/lirc
#
type lirc_device_t;
dev_node(lirc_device_t)
# #
# Type for /dev/mapper/control # Type for /dev/mapper/control
# #
@ -109,6 +121,12 @@ neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_f
type misc_device_t; type misc_device_t;
dev_node(misc_device_t) dev_node(misc_device_t)
#
# A general type for modem devices.
#
type modem_device_t;
dev_node(modem_device_t)
# #
# A more general type for mouse devices. # A more general type for mouse devices.
# #
@ -123,7 +141,7 @@ dev_node(mtrr_device_t)
genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
# #
# network control devices # network control devices
# #
type netcontrol_device_t; type netcontrol_device_t;
dev_node(netcontrol_device_t) dev_node(netcontrol_device_t)
@ -137,13 +155,13 @@ mls_trusted_object(null_device_t)
sid devnull gen_context(system_u:object_r:null_device_t,s0) sid devnull gen_context(system_u:object_r:null_device_t,s0)
# #
# Type for /dev/nvram # Type for /dev/nvram
# #
type nvram_device_t; type nvram_device_t;
dev_node(nvram_device_t) dev_node(nvram_device_t)
# #
# Type for /dev/pmu # Type for /dev/pmu
# #
type power_device_t; type power_device_t;
dev_node(power_device_t) dev_node(power_device_t)
@ -153,7 +171,7 @@ dev_node(printer_device_t)
mls_file_write_within_range(printer_device_t) mls_file_write_within_range(printer_device_t)
# #
# qemu control devices # qemu control devices
# #
type qemu_device_t; type qemu_device_t;
dev_node(qemu_device_t) dev_node(qemu_device_t)
@ -224,6 +242,12 @@ dev_node(vmware_device_t)
type watchdog_device_t; type watchdog_device_t;
dev_node(watchdog_device_t) dev_node(watchdog_device_t)
#
# wireless control devices
#
type wireless_device_t;
dev_node(wireless_device_t)
type xen_device_t; type xen_device_t;
dev_node(xen_device_t) dev_node(xen_device_t)

View File

@ -100,7 +100,7 @@ interface(`files_pid_file',`
######################################## ########################################
## <summary> ## <summary>
## Make the specified type a ## Make the specified type a
## configuration file. ## configuration file.
## </summary> ## </summary>
## <param name="file_type"> ## <param name="file_type">
@ -110,12 +110,16 @@ interface(`files_pid_file',`
## </param> ## </param>
# #
interface(`files_config_file',` interface(`files_config_file',`
gen_require(`
attribute configfile;
')
files_type($1) files_type($1)
typeattribute $1 configfile;
') ')
######################################## ########################################
## <summary> ## <summary>
## Make the specified type a ## Make the specified type a
## polyinstantiated directory. ## polyinstantiated directory.
## </summary> ## </summary>
## <param name="file_type"> ## <param name="file_type">
@ -1066,7 +1070,7 @@ interface(`files_dontaudit_search_all_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
# dwalsh: This interface is to allow quotacheck to work on a # dwalsh: This interface is to allow quotacheck to work on a
# a filesystem mounted with the --context switch # a filesystem mounted with the --context switch
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
# #
@ -1150,6 +1154,102 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount; allow $1 file_type:filesystem unmount;
') ')
#############################################
## <summary>
## Manage all configuration directories on filesystem
## </summary>
## <param name="domain">
## <summary>
## The type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_manage_config_dirs',`
gen_require(`
attribute configfile;
')
manage_dirs_pattern($1, configfile, configfile)
')
#########################################
## <summary>
## Relabel configuration directories
## </summary>
## <param name="domain">
## <summary>
## Type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_relabel_config_dirs',`
gen_require(`
attribute configfile;
')
relabel_dirs_pattern($1, configfile, configfile)
')
########################################
## <summary>
## Read config files in /etc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_read_config_files',`
gen_require(`
attribute configfile;
')
allow $1 configfile:dir list_dir_perms;
read_files_pattern($1, configfile, configfile)
read_lnk_files_pattern($1, configfile, configfile)
')
###########################################
## <summary>
## Manage all configuration files on filesystem
## </summary>
## <param name="domain">
## <summary>
## The type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_manage_config_files',`
gen_require(`
attribute configfile;
')
manage_files_pattern($1, configfile, configfile)
')
#######################################
## <summary>
## Relabel configuration files
## </summary>
## <param name="domain">
## <summary>
## Type of domain performing this action
## </summary>
## </param>
##
#
interface(`files_relabel_config_files',`
gen_require(`
attribute configfile;
')
relabel_files_pattern($1, configfile, configfile)
')
######################################## ########################################
## <summary> ## <summary>
## Mount a filesystem on all mount points. ## Mount a filesystem on all mount points.
@ -1485,6 +1585,25 @@ interface(`files_boot_filetrans',`
filetrans_pattern($1, boot_t, $2, $3) filetrans_pattern($1, boot_t, $2, $3)
') ')
########################################
## <summary>
## read files in the /boot directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_read_boot_files',`
gen_require(`
type boot_t;
')
manage_files_pattern($1, boot_t, boot_t)
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete files ## Create, read, write, and delete files
@ -1713,6 +1832,25 @@ interface(`files_dontaudit_list_default',`
dontaudit $1 default_t:dir list_dir_perms; dontaudit $1 default_t:dir list_dir_perms;
') ')
########################################
## <summary>
## Create, read, write, and delete directories with
## the default file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_manage_default_dirs',`
gen_require(`
type default_t;
')
manage_dirs_pattern($1, default_t, default_t)
')
######################################## ########################################
## <summary> ## <summary>
## Mount a filesystem on a directory with the default file type. ## Mount a filesystem on a directory with the default file type.
@ -1787,6 +1925,25 @@ interface(`files_dontaudit_read_default_files',`
dontaudit $1 default_t:file read_file_perms; dontaudit $1 default_t:file read_file_perms;
') ')
########################################
## <summary>
## Create, read, write, and delete files with
## the default file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_manage_default_files',`
gen_require(`
type default_t;
')
manage_files_pattern($1, default_t, default_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read symbolic links with the default file type. ## Read symbolic links with the default file type.
@ -1913,6 +2070,25 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms; allow $1 etc_t:dir rw_dir_perms;
') ')
##########################################
## <summary>
## Manage generic directories in /etc
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
##
#
interface(`files_manage_etc_dirs',`
gen_require(`
type etc_t;
')
manage_dirs_pattern($1, etc_t, etc_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read generic files in /etc. ## Read generic files in /etc.
@ -2460,7 +2636,7 @@ interface(`files_manage_isid_type_symlinks',`
######################################## ########################################
## <summary> ## <summary>
## Read and write block device nodes on new filesystems ## Read and write block device nodes on new filesystems
## that have not yet been labeled. ## that have not yet been labeled.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@ -3390,10 +3566,28 @@ interface(`files_setattr_all_tmp_dirs',`
allow $1 tmpfile:dir { search_dir_perms setattr }; allow $1 tmpfile:dir { search_dir_perms setattr };
') ')
########################################
## <summary>
## List all tmp directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_list_all_tmp',`
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:dir list_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
## of all tmp files. ## of all tmp files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -3412,7 +3606,7 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
######################################## ########################################
## <summary> ## <summary>
## Allow attempts to get the attributes ## Allow attempts to get the attributes
## of all tmp files. ## of all tmp files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -3431,7 +3625,7 @@ interface(`files_getattr_all_tmp_files',`
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
## of all tmp sock_file. ## of all tmp sock_file.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -4222,6 +4416,24 @@ interface(`files_list_var_lib',`
list_dirs_pattern($1, var_t, var_lib_t) list_dirs_pattern($1, var_t, var_lib_t)
') ')
###########################################
## <summary>
## Read-write /var/lib directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_rw_var_lib_dirs',`
gen_require(`
type var_lib_t;
')
rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
######################################## ########################################
## <summary> ## <summary>
## Create objects in the /var/lib directory ## Create objects in the /var/lib directory
@ -4955,7 +5167,7 @@ interface(`files_polyinstantiate_all',`
selinux_compute_member($1) selinux_compute_member($1)
# Need sys_admin capability for mounting # Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin }; allow $1 self:capability { chown fsetid sys_admin fowner };
# Need to give access to the directories to be polyinstantiated # Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };

View File

@ -1,5 +1,5 @@
policy_module(files, 1.12.0) policy_module(files, 1.12.1)
######################################## ########################################
# #
@ -11,6 +11,7 @@ attribute files_unconfined_type;
attribute lockfile; attribute lockfile;
attribute mountpoint; attribute mountpoint;
attribute pidfile; attribute pidfile;
attribute configfile;
# For labeling types that are to be polyinstantiated # For labeling types that are to be polyinstantiated
attribute polydir; attribute polydir;
@ -52,7 +53,7 @@ files_mountpoint(default_t)
# #
# etc_t is the type of the system etc directories. # etc_t is the type of the system etc directories.
# #
type etc_t; type etc_t, configfile;
files_type(etc_t) files_type(etc_t)
# compatibility aliases for removed types: # compatibility aliases for removed types:
typealias etc_t alias automount_etc_t; typealias etc_t alias automount_etc_t;
@ -219,7 +220,7 @@ fs_associate_tmpfs(tmpfsfile)
allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ file chr_file } ~execmod;
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
# Mount/unmount any filesystem with the context= option. # Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem *; allow files_unconfined_type file_type:filesystem *;
tunable_policy(`allow_execmod',` tunable_policy(`allow_execmod',`

View File

@ -1 +1 @@
# This module currently does not have any file contexts. /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)

View File

@ -308,6 +308,26 @@ interface(`fs_rw_anon_inodefs_files',`
rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t) rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
') ')
########################################
## <summary>
## Do not audit attempts to read or write files on
## anon_inodefs file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_dontaudit_rw_anon_inodefs_files',`
gen_require(`
type anon_inodefs_t;
')
dontaudit $1 anon_inodefs_t:file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Mount an automount pseudo filesystem. ## Mount an automount pseudo filesystem.
@ -462,7 +482,7 @@ interface(`fs_manage_autofs_symlinks',`
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of directories on ## Get the attributes of directories on
## binfmt_misc filesystems. ## binfmt_misc filesystems.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2) domain_auto_transition_pattern($1, cifs_t, $2)
') ')
#######################################
## <summary>
## Create, read, write, and delete dirs
## on a configfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_manage_configfs_dirs',`
gen_require(`
type configfs_t;
')
manage_dirs_pattern($1, configfs_t, configfs_t)
')
#######################################
## <summary>
## Create, read, write, and delete files
## on a configfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_manage_configfs_files',`
gen_require(`
type configfs_t;
')
manage_files_pattern($1, configfs_t, configfs_t)
')
######################################## ########################################
## <summary> ## <summary>
## Mount a DOS filesystem, such as ## Mount a DOS filesystem, such as
@ -1248,7 +1306,7 @@ interface(`fs_relabelfrom_dos_fs',`
######################################## ########################################
## <summary> ## <summary>
## Search dosfs filesystem. ## Search dosfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -1537,7 +1595,25 @@ interface(`fs_rw_hugetlbfs_files',`
######################################## ########################################
## <summary> ## <summary>
## Search inotifyfs filesystem. ## Allow the type to associate to hugetlbfs filesystems.
## </summary>
## <param name="type">
## <summary>
## The type of the object to be associated.
## </summary>
## </param>
#
interface(`fs_associate_hugetlbfs',`
gen_require(`
type hugetlbfs_t;
')
allow $1 hugetlbfs_t:filesystem associate;
')
########################################
## <summary>
## Search inotifyfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -1555,7 +1631,7 @@ interface(`fs_search_inotifyfs',`
######################################## ########################################
## <summary> ## <summary>
## List inotifyfs filesystem. ## List inotifyfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -2540,6 +2616,42 @@ interface(`fs_search_nfsd_fs',`
allow $1 nfsd_fs_t:dir search_dir_perms; allow $1 nfsd_fs_t:dir search_dir_perms;
') ')
########################################
## <summary>
## List NFS server directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_list_nfsd_fs',`
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:dir list_dir_perms;
')
########################################
## <summary>
## Getattr files on an nfsd filesystem
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_getattr_nfsd_files',`
gen_require(`
type nfsd_fs_t;
')
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read and write NFS server files. ## Read and write NFS server files.
@ -2687,7 +2799,7 @@ interface(`fs_dontaudit_search_ramfs',`
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete ## Create, read, write, and delete
## directories on a ramfs. ## directories on a ramfs.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@ -2779,7 +2891,7 @@ interface(`fs_write_ramfs_pipes',`
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to write to named ## Do not audit attempts to write to named
## pipes on a ramfs filesystem. ## pipes on a ramfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@ -2816,7 +2928,7 @@ interface(`fs_rw_ramfs_pipes',`
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete ## Create, read, write, and delete
## named pipes on a ramfs filesystem. ## named pipes on a ramfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@ -3570,6 +3682,104 @@ interface(`fs_manage_tmpfs_blk_files',`
manage_blk_files_pattern($1, tmpfs_t, tmpfs_t) manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
') ')
########################################
## <summary>
## Mount a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_mount_xenfs',`
gen_require(`
type xenfs_t;
')
allow $1 xenfs_t:filesystem mount;
')
########################################
## <summary>
## Create, read, write, and delete directories
## on a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_manage_xenfs_dirs',`
gen_require(`
type xenfs_t;
')
allow $1 xenfs_t:dir manage_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete directories
## on a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`fs_dontaudit_manage_xenfs_dirs',`
gen_require(`
type xenfs_t;
')
dontaudit $1 xenfs_t:dir manage_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete files
## on a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_manage_xenfs_files',`
gen_require(`
type xenfs_t;
')
manage_files_pattern($1, xenfs_t, xenfs_t)
')
########################################
## <summary>
## Do not audit attempts to create,
## read, write, and delete files
## on a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`fs_dontaudit_manage_xenfs_files',`
gen_require(`
type xenfs_t;
')
dontaudit $1 xenfs_t:file manage_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Mount all filesystems. ## Mount all filesystems.

View File

@ -1,5 +1,5 @@
policy_module(filesystem, 1.12.0) policy_module(filesystem, 1.12.1)
######################################## ########################################
# #
@ -38,7 +38,7 @@ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
# types, and label the filesystem itself with the specified context. # types, and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems that represent objects # This is appropriate for pseudo filesystems that represent objects
# like pipes and sockets, so that these objects are labeled with the same # like pipes and sockets, so that these objects are labeled with the same
# type as the creating task. # type as the creating task.
fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0); fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
type hugetlbfs_t; type hugetlbfs_t;
fs_type(hugetlbfs_t) fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t) files_mountpoint(hugetlbfs_t)
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
type ibmasmfs_t; type ibmasmfs_t;
fs_type(ibmasmfs_t) fs_type(ibmasmfs_t)
@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
allow tmpfs_t noxattrfs:filesystem associate; allow tmpfs_t noxattrfs:filesystem associate;
type xenfs_t;
fs_noxattr_type(xenfs_t)
files_mountpoint(xenfs_t)
genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
############################## ##############################
# #
# Filesystems without extended attribute support # Filesystems without extended attribute support
@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
######################################## ########################################
@ -275,7 +279,7 @@ fs_associate_noxattr(noxattrfs)
allow filesystem_unconfined_type filesystem_type:filesystem *; allow filesystem_unconfined_type filesystem_type:filesystem *;
# Create/access other files. fs_type is to pick up various # Create/access other files. fs_type is to pick up various
# pseudo filesystem types that are applied to both the filesystem # pseudo filesystem types that are applied to both the filesystem
# and its files. # and its files.
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;

View File

@ -1,5 +1,5 @@
## <summary> ## <summary>
## Policy for kernel threads, proc filesystem, ## Policy for kernel threads, proc filesystem,
## and unlabeled processes and objects. ## and unlabeled processes and objects.
## </summary> ## </summary>
## <required val="true"> ## <required val="true">
@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',`
type kernel_t; type kernel_t;
') ')
kernel_domtrans_to($1,$2) kernel_domtrans_to($1, $2)
ifdef(`enable_mcs',` ifdef(`enable_mcs',`
range_transition kernel_t $2:process $3; range_transition kernel_t $2:process $3;
@ -483,13 +483,32 @@ interface(`kernel_clear_ring_buffer',`
allow $1 kernel_t:system syslog_mod; allow $1 kernel_t:system syslog_mod;
') ')
########################################
## <summary>
## Allows caller to request the kernel to load a module
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_request_load_module',`
gen_require(`
type kernel_t;
')
allow $1 kernel_t:system module_request;
')
######################################## ########################################
## <summary> ## <summary>
## Get information on all System V IPC objects. ## Get information on all System V IPC objects.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
# #
@ -939,6 +958,29 @@ interface(`kernel_dontaudit_getattr_core_if',`
dontaudit $1 proc_kcore_t:file getattr; dontaudit $1 proc_kcore_t:file getattr;
') ')
########################################
## <summary>
## Allows caller to read the core kernel interface.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_read_core_if',`
gen_require(`
type proc_t, proc_kcore_t;
attribute can_dump_kernel;
')
allow $1 self:capability sys_rawio;
read_files_pattern($1, proc_t, proc_kcore_t)
list_dirs_pattern($1, proc_t, proc_t)
typeattribute $1 can_dump_kernel;
')
######################################## ########################################
## <summary> ## <summary>
## Allow caller to read kernel messages ## Allow caller to read kernel messages

View File

@ -1,5 +1,5 @@
policy_module(kernel, 1.11.0) policy_module(kernel, 1.11.2)
######################################## ########################################
# #
@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0)
# assertion related attributes # assertion related attributes
attribute can_load_kernmodule; attribute can_load_kernmodule;
attribute can_receive_kernel_messages; attribute can_receive_kernel_messages;
attribute can_dump_kernel;
neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
@ -37,7 +38,7 @@ ifdef(`enable_mls',`
# #
# kernel_t is the domain of kernel threads. # kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class. # It is also the target type when checking permissions in the system class.
# #
type kernel_t, can_load_kernmodule; type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t) domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t) mls_rangetrans_source(kernel_t)
@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge
# /proc kcore: inaccessible # /proc kcore: inaccessible
type proc_kcore_t, proc_type; type proc_kcore_t, proc_type;
neverallow ~kern_unconfined proc_kcore_t:file ~getattr; neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type; type proc_mdstat_t, proc_type;
@ -248,7 +249,7 @@ corenet_send_all_packets(kernel_t)
dev_read_sysfs(kernel_t) dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t) dev_search_usbfs(kernel_t)
# Mount root file system. Used when loading a policy # Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem # from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t) fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t) fs_unmount_all_fs(kernel_t)
@ -275,7 +276,7 @@ mcs_process_set_categories(kernel_t)
mls_process_read_up(kernel_t) mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t) mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t) mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t) mls_file_read_all_levels(kernel_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# Bugzilla 222337 # Bugzilla 222337
@ -309,7 +310,7 @@ optional_policy(`
allow kernel_t self:tcp_socket create_stream_socket_perms; allow kernel_t self:tcp_socket create_stream_socket_perms;
allow kernel_t self:udp_socket create_socket_perms; allow kernel_t self:udp_socket create_socket_perms;
# nfs kernel server needs kernel UDP access. It is less risky and painful # nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything. # to just give it everything.
corenet_udp_sendrecv_generic_if(kernel_t) corenet_udp_sendrecv_generic_if(kernel_t)
corenet_udp_sendrecv_generic_node(kernel_t) corenet_udp_sendrecv_generic_node(kernel_t)
@ -326,7 +327,7 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',` tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t) fs_getattr_noxattr_fs(kernel_t)
@ -355,7 +356,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
unconfined_domain(kernel_t) unconfined_domain_noaudit(kernel_t)
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(mcs, 1.1.1) policy_module(mcs, 1.2.0)
######################################## ########################################
# #

View File

@ -28,6 +28,7 @@
/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)

View File

@ -529,7 +529,7 @@ interface(`storage_dontaudit_read_removable_device',`
') ')
dontaudit $1 removable_device_t:blk_file { getattr ioctl read }; dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(storage, 1.7.0) policy_module(storage, 1.7.1)
######################################## ########################################
# #
@ -13,7 +13,7 @@ attribute scsi_generic_write;
attribute storage_unconfined_type; attribute storage_unconfined_type;
# #
# fixed_disk_device_t is the type of # fixed_disk_device_t is the type of
# /dev/hd* and /dev/sd*. # /dev/hd* and /dev/sd*.
# #
type fixed_disk_device_t; type fixed_disk_device_t;

View File

@ -13,6 +13,7 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)

View File

@ -196,7 +196,7 @@ interface(`term_use_all_terms',`
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms; allow $1 devpts_t:dir list_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
') ')
######################################## ########################################
@ -472,6 +472,24 @@ interface(`term_dontaudit_manage_pty_dirs',`
dontaudit $1 devpts_t:dir manage_dir_perms; dontaudit $1 devpts_t:dir manage_dir_perms;
') ')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of generic pty devices.
## </summary>
## <param name="domain">
## <summary>
## The type of the process to not audit.
## </summary>
## </param>
#
interface(`term_dontaudit_getattr_generic_ptys',`
gen_require(`
type devpts_t;
')
dontaudit $1 devpts_t:chr_file getattr;
')
######################################## ########################################
## <summary> ## <summary>
## ioctl of generic pty devices. ## ioctl of generic pty devices.
@ -575,6 +593,25 @@ interface(`term_dontaudit_use_generic_ptys',`
dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
') ')
#######################################
## <summary>
## Set the attributes of the tty device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`term_setattr_controlling_term',`
gen_require(`
type devtty_t;
')
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file setattr;
')
######################################## ########################################
## <summary> ## <summary>
## Read and write the controlling ## Read and write the controlling

View File

@ -1,5 +1,5 @@
policy_module(terminal, 1.7.0) policy_module(terminal, 1.7.1)
######################################## ########################################
# #
@ -22,7 +22,7 @@ type console_device_t;
dev_node(console_device_t) dev_node(console_device_t)
# #
# devpts_t is the type of the devpts file system and # devpts_t is the type of the devpts file system and
# the type of the root directory of the file system. # the type of the root directory of the file system.
# #
type devpts_t; type devpts_t;
@ -44,6 +44,7 @@ mls_trusted_object(devtty_t)
type ptmx_t; type ptmx_t;
dev_node(ptmx_t) dev_node(ptmx_t)
mls_trusted_object(ptmx_t) mls_trusted_object(ptmx_t)
allow ptmx_t devpts_t:filesystem associate;
# #
# tty_device_t is the type of /dev/*tty* # tty_device_t is the type of /dev/*tty*

View File

@ -1,5 +1,5 @@
policy_module(cron, 2.1.2) policy_module(cron, 2.2.0)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;

View File

@ -1,5 +1,5 @@
policy_module(dbus, 1.11.1) policy_module(dbus, 1.12.0)
gen_require(` gen_require(`
class dbus all_dbus_perms; class dbus all_dbus_perms;

View File

@ -1,5 +1,5 @@
policy_module(nscd, 1.9.2) policy_module(nscd, 1.10.0)
gen_require(` gen_require(`
class nscd all_nscd_perms; class nscd all_nscd_perms;

View File

@ -1,5 +1,5 @@
policy_module(openvpn, 1.8.2) policy_module(openvpn, 1.9.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(policykit, 1.0.1) policy_module(policykit, 1.1.0)
######################################## ########################################
# #

View File

@ -0,0 +1,11 @@
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)

View File

@ -0,0 +1,31 @@
## <summary>Puppet client daemon</summary>
## <desc>
## <p>
## Puppet is a configuration management system written in Ruby.
## The client daemon is responsible for periodically requesting the
## desired system state from the server and ensuring the state of
## the client system matches.
## </p>
## </desc>
################################################
## <summary>
## Read / Write to Puppet temp files. Puppet uses
## some system binaries (groupadd, etc) that run in
## a non-puppet domain and redirects output into temp
## files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`puppet_rw_tmp', `
gen_require(`
type puppet_tmp_t;
')
allow $1 puppet_tmp_t:file rw_file_perms;
files_search_tmp($1)
')

View File

@ -0,0 +1,234 @@
policy_module(puppet, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow Puppet client to manage all file
## types.
## </p>
## </desc>
gen_tunable(puppet_manage_all_files, false)
type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)
type puppet_etc_t;
files_config_file(puppet_etc_t)
type puppet_initrc_exec_t;
init_script_file(puppet_initrc_exec_t)
type puppet_log_t;
logging_log_file(puppet_log_t)
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)
type puppet_var_lib_t;
files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
type puppetmaster_t;
type puppetmaster_exec_t;
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
type puppetmaster_initrc_exec_t;
init_script_file(puppetmaster_initrc_exec_t)
type puppetmaster_tmp_t;
files_tmp_file(puppetmaster_tmp_t)
########################################
#
# Puppet personal policy
#
allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
allow puppet_t self:tcp_socket create_stream_socket_perms;
allow puppet_t self:udp_socket create_socket_perms;
read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)
kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)
corenet_all_recvfrom_netlabel(puppet_t)
corenet_all_recvfrom_unlabeled(puppet_t)
corenet_tcp_sendrecv_generic_if(puppet_t)
corenet_tcp_sendrecv_generic_node(puppet_t)
corenet_tcp_bind_generic_node(puppet_t)
corenet_tcp_connect_puppet_port(puppet_t)
corenet_sendrecv_puppet_client_packets(puppet_t)
dev_read_rand(puppet_t)
dev_read_sysfs(puppet_t)
dev_read_urand(puppet_t)
domain_read_all_domains_state(puppet_t)
domain_interactive_fd(puppet_t)
files_manage_config_files(puppet_t)
files_manage_config_dirs(puppet_t)
files_manage_etc_dirs(puppet_t)
files_manage_etc_files(puppet_t)
files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)
selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
selinux_validate_context(puppet_t)
term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_user_ttys(puppet_t)
init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
init_signull_script(puppet_t)
logging_send_syslog_msg(puppet_t)
miscfiles_read_hwdata(puppet_t)
miscfiles_read_localization(puppet_t)
seutil_domtrans_setfiles(puppet_t)
seutil_domtrans_semanage(puppet_t)
sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
tunable_policy(`puppet_manage_all_files',`
auth_manage_all_files_except_shadow(puppet_t)
')
optional_policy(`
consoletype_domtrans(puppet_t)
')
optional_policy(`
hostname_exec(puppet_t)
')
optional_policy(`
files_rw_var_files(puppet_t)
rpm_domtrans(puppet_t)
rpm_manage_db(puppet_t)
rpm_manage_log(puppet_t)
')
optional_policy(`
unconfined_domain(puppet_t)
')
optional_policy(`
usermanage_domtrans_groupadd(puppet_t)
usermanage_domtrans_useradd(puppet_t)
')
########################################
#
# Pupper master personal policy
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
allow puppetmaster_t self:udp_socket create_socket_perms;
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
corenet_all_recvfrom_unlabeled(puppetmaster_t)
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
files_read_etc_files(puppetmaster_t)
files_search_var_lib(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_localization(puppetmaster_t)
sysnet_dns_name_resolve(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)
optional_policy(`
hostname_exec(puppetmaster_t)
')
optional_policy(`
files_read_usr_symlinks(puppetmaster_t)
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')

View File

@ -0,0 +1,3 @@
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)

View File

@ -0,0 +1,11 @@
## <summary>Linux Target Framework Daemon.</summary>
## <desc>
## <p>
## Linux target framework (tgt) aims to simplify various
## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
## and maintenance. Our key goals are the clean integration into
## the scsi-mid layer and implementing a great portion of tgt
## in user space.
## </p>
## </desc>

View File

@ -0,0 +1,67 @@
policy_module(tgtd, 1.0.0)
########################################
#
# TGTD personal declarations.
#
type tgtd_t;
type tgtd_exec_t;
init_daemon_domain(tgtd_t, tgtd_exec_t)
type tgtd_initrc_exec_t;
init_script_file(tgtd_initrc_exec_t)
type tgtd_tmp_t;
files_tmp_file(tgtd_tmp_t)
type tgtd_tmpfs_t;
files_tmpfs_file(tgtd_tmpfs_t)
type tgtd_var_lib_t;
files_type(tgtd_var_lib_t)
########################################
#
# TGTD personal policy.
#
allow tgtd_t self:capability sys_resource;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:sem create_sem_perms;
allow tgtd_t self:tcp_socket create_stream_socket_perms;
allow tgtd_t self:udp_socket create_socket_perms;
allow tgtd_t self:unix_dgram_socket create_socket_perms;
manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
kernel_read_fs_sysctls(tgtd_t)
corenet_all_recvfrom_netlabel(tgtd_t)
corenet_all_recvfrom_unlabeled(tgtd_t)
corenet_tcp_sendrecv_generic_if(tgtd_t)
corenet_tcp_sendrecv_generic_node(tgtd_t)
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
corenet_tcp_bind_generic_node(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_server_packets(tgtd_t)
files_read_etc_files(tgtd_t)
storage_getattr_fixed_disk_dev(tgtd_t)
logging_send_syslog_msg(tgtd_t)
miscfiles_read_localization(tgtd_t)

View File

@ -1,5 +1,5 @@
policy_module(virt, 1.2.1) policy_module(virt, 1.3.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(xserver, 3.2.3) policy_module(xserver, 3.3.0)
gen_require(` gen_require(`
class x_drawable all_x_drawable_perms; class x_drawable all_x_drawable_perms;

View File

@ -99,5 +99,23 @@ interface(`application_exec_all',`
interface(`application_domain',` interface(`application_domain',`
application_type($1) application_type($1)
application_executable_file($2) application_executable_file($2)
domain_entry_file($1,$2) domain_entry_file($1, $2)
')
########################################
## <summary>
## Send signull to all application domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`application_signull',`
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:process signull;
') ')

View File

@ -1,5 +1,5 @@
policy_module(application, 1.1.0) policy_module(application, 1.1.1)
# Attribute of user applications # Attribute of user applications
attribute application_domain_type; attribute application_domain_type;
@ -11,3 +11,7 @@ optional_policy(`
ssh_sigchld(application_domain_type) ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type) ssh_rw_stream_sockets(application_domain_type)
') ')
optional_policy(`
sudo_sigchld(application_domain_type)
')

View File

@ -6,6 +6,7 @@
/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(fstools, 1.13.0) policy_module(fstools, 1.13.1)
######################################## ########################################
# #
@ -144,6 +144,7 @@ logging_send_syslog_msg(fsadm_t)
miscfiles_read_localization(fsadm_t) miscfiles_read_localization(fsadm_t)
modutils_read_module_config(fsadm_t) modutils_read_module_config(fsadm_t)
modutils_read_module_deps(fsadm_t)
seutil_read_config(fsadm_t) seutil_read_config(fsadm_t)
@ -177,4 +178,5 @@ optional_policy(`
optional_policy(` optional_policy(`
xen_append_log(fsadm_t) xen_append_log(fsadm_t)
xen_rw_image_files(fsadm_t)
') ')

View File

@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',`
files_search_etc($1) files_search_etc($1)
') ')
#########################################
## <summary>
## Transition to the init script domain
## for all labeled init script types
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`init_all_labeled_script_domtrans',`
gen_require(`
attribute init_script_file_type;
')
init_labeled_script_domtrans($1, init_script_file_type)
')
######################################## ########################################
## <summary> ## <summary>
## Start and stop daemon programs directly. ## Start and stop daemon programs directly.

View File

@ -687,6 +687,10 @@ optional_policy(`
postfix_list_spool(initrc_t) postfix_list_spool(initrc_t)
') ')
optional_policy(`
puppet_rw_tmp(initrc_t)
')
optional_policy(` optional_policy(`
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')

View File

@ -1,3 +1,6 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)

View File

@ -187,6 +187,31 @@ interface(`ipsec_domtrans_racoon',`
domtrans_pattern($1, racoon_exec_t, racoon_t) domtrans_pattern($1, racoon_exec_t, racoon_t)
') ')
########################################
## <summary>
## Execute racoon and allow the specified role the domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`ipsec_run_racoon',`
gen_require(`
type racoon_t;
')
ipsec_domtrans_racoon($1)
role $2 types racoon_t;
')
######################################## ########################################
## <summary> ## <summary>
## Execute setkey in the setkey domain. ## Execute setkey in the setkey domain.

View File

@ -1,11 +1,18 @@
policy_module(ipsec, 1.10.0) policy_module(ipsec, 1.10.1)
######################################## ########################################
# #
# Declarations # Declarations
# #
## <desc>
## <p>
## Allow racoon to read shadow
## </p>
## </desc>
gen_tunable(racoon_read_shadow, false)
type ipsec_t; type ipsec_t;
type ipsec_exec_t; type ipsec_exec_t;
init_daemon_domain(ipsec_t, ipsec_exec_t) init_daemon_domain(ipsec_t, ipsec_exec_t)
@ -15,6 +22,9 @@ role system_r types ipsec_t;
type ipsec_conf_file_t; type ipsec_conf_file_t;
files_type(ipsec_conf_file_t) files_type(ipsec_conf_file_t)
type ipsec_initrc_exec_t;
init_script_file(ipsec_initrc_exec_t)
# type for file(s) containing ipsec keys - RSA or preshared # type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t; type ipsec_key_file_t;
files_type(ipsec_key_file_t) files_type(ipsec_key_file_t)
@ -43,6 +53,9 @@ type racoon_exec_t;
init_daemon_domain(racoon_t, racoon_exec_t) init_daemon_domain(racoon_t, racoon_exec_t)
role system_r types racoon_t; role system_r types racoon_t;
type racoon_tmp_t;
files_tmp_file(racoon_tmp_t)
type setkey_t; type setkey_t;
type setkey_exec_t; type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t) init_system_domain(setkey_t, setkey_exec_t)
@ -53,21 +66,23 @@ role system_r types setkey_t;
# ipsec Local policy # ipsec Local policy
# #
allow ipsec_t self:capability { net_admin dac_override dac_read_search }; allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
dontaudit ipsec_t self:capability sys_tty_config; dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process { signal setsched }; allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:fifo_file read_fifo_file_perms;
allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
allow ipsec_t ipsec_key_file_t:dir list_dir_perms; allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@ -82,7 +97,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
# so try flipping back into the ipsec_mgmt_t domain # so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:process sigchld; allow ipsec_mgmt_t ipsec_t:process sigchld;
kernel_read_kernel_sysctls(ipsec_t) kernel_read_kernel_sysctls(ipsec_t)
@ -92,6 +107,7 @@ kernel_read_proc_symlinks(ipsec_t)
kernel_read_system_state(ipsec_t) kernel_read_system_state(ipsec_t)
kernel_read_network_state(ipsec_t) kernel_read_network_state(ipsec_t)
kernel_read_software_raid_state(ipsec_t) kernel_read_software_raid_state(ipsec_t)
kernel_request_load_module(ipsec_t)
kernel_getattr_core_if(ipsec_t) kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t) kernel_getattr_message_if(ipsec_t)
@ -120,7 +136,9 @@ dev_read_urand(ipsec_t)
domain_use_interactive_fds(ipsec_t) domain_use_interactive_fds(ipsec_t)
files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t) files_read_etc_files(ipsec_t)
files_read_usr_files(ipsec_t)
fs_getattr_all_fs(ipsec_t) fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t) fs_search_auto_mountpoints(ipsec_t)
@ -159,7 +177,7 @@ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_file_perms; allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@ -280,6 +298,15 @@ allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms;
allow racoon_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
can_exec(racoon_t, racoon_exec_t)
can_exec(racoon_t, setkey_exec_t)
# manage pid file # manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
@ -297,6 +324,9 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
kernel_read_system_state(racoon_t) kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t) kernel_read_network_state(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t) corenet_udp_sendrecv_all_if(racoon_t)
@ -314,6 +344,8 @@ domain_ipsec_setcontext_all_domains(racoon_t)
files_read_etc_files(racoon_t) files_read_etc_files(racoon_t)
fs_dontaudit_getattr_xattr_fs(racoon_t)
# allow racoon to use avc_has_perm to check context on proposed SA # allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t) selinux_compute_access_vector(racoon_t)
@ -328,6 +360,13 @@ logging_send_audit_msgs(racoon_t)
miscfiles_read_localization(racoon_t) miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
')
######################################## ########################################
# #
# Setkey local policy # Setkey local policy

View File

@ -1,7 +1,13 @@
/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)

View File

@ -69,3 +69,99 @@ interface(`iptables_exec',`
corecmd_search_bin($1) corecmd_search_bin($1)
can_exec($1, iptables_exec_t) can_exec($1, iptables_exec_t)
') ')
#####################################
## <summary>
## Execute iptables in the iptables domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`iptables_initrc_domtrans',`
gen_require(`
type iptables_initrc_exec_t;
')
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')
#####################################
## <summary>
## Set the attributes of iptables config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`iptables_setattr_config',`
gen_require(`
type iptables_conf_t;
')
files_search_etc($1)
allow $1 iptables_conf_t:file setattr;
')
#####################################
## <summary>
## Read iptables config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`iptables_read_config',`
gen_require(`
type iptables_conf_t;
')
files_search_etc($1)
allow $1 iptables_conf_t:dir list_dir_perms;
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
#####################################
## <summary>
## Create files in /etc with the type used for
## the iptables config files.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`iptables_etc_filetrans_config',`
gen_require(`
type iptables_conf_t;
')
files_etc_filetrans($1, iptables_conf_t, file)
')
###################################
## <summary>
## Manage iptables config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`iptables_manage_config',`
gen_require(`
type iptables_conf_t;
type etc_t;
')
files_search_etc($1)
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')

View File

@ -1,5 +1,5 @@
policy_module(iptables, 1.9.1) policy_module(iptables, 1.10.1)
######################################## ########################################
# #
@ -11,6 +11,12 @@ type iptables_exec_t;
init_system_domain(iptables_t, iptables_exec_t) init_system_domain(iptables_t, iptables_exec_t)
role system_r types iptables_t; role system_r types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
type iptables_conf_t;
files_config_file(iptables_conf_t)
type iptables_tmp_t; type iptables_tmp_t;
files_tmp_file(iptables_tmp_t) files_tmp_file(iptables_tmp_t)
@ -27,6 +33,9 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:rawip_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms;
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
files_etc_filetrans(iptables_t, iptables_conf_t, file)
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file) files_pid_filetrans(iptables_t, iptables_var_run_t, file)
@ -36,6 +45,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms; allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t) kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t) kernel_read_network_state(iptables_t)
kernel_read_kernel_sysctls(iptables_t) kernel_read_kernel_sysctls(iptables_t)
@ -99,6 +109,10 @@ optional_policy(`
ppp_dontaudit_use_fds(iptables_t) ppp_dontaudit_use_fds(iptables_t)
') ')
optional_policy(`
psad_rw_tmp_files(iptables_t)
')
optional_policy(` optional_policy(`
rhgb_dontaudit_use_ptys(iptables_t) rhgb_dontaudit_use_ptys(iptables_t)
') ')

View File

@ -17,3 +17,42 @@ interface(`iscsid_domtrans',`
domtrans_pattern($1, iscsid_exec_t, iscsid_t) domtrans_pattern($1, iscsid_exec_t, iscsid_t)
') ')
########################################
## <summary>
## Connect to ISCSI using a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`iscsi_stream_connect',`
gen_require(`
type iscsid_t, iscsi_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
')
########################################
## <summary>
## Read iscsi lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`iscsi_read_lib_files',`
gen_require(`
type iscsi_var_lib_t;
')
read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
allow $1 iscsi_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
')

View File

@ -1,5 +1,5 @@
policy_module(iscsi, 1.6.0) policy_module(iscsi, 1.6.1)
######################################## ########################################
# #
@ -55,6 +55,7 @@ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
kernel_read_system_state(iscsid_t) kernel_read_system_state(iscsid_t)
kernel_search_debugfs(iscsid_t)
corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t)
@ -73,6 +74,6 @@ files_read_etc_files(iscsid_t)
logging_send_syslog_msg(iscsid_t) logging_send_syslog_msg(iscsid_t)
miscfiles_read_localization(iscsid_t) auth_use_nsswitch(iscsid_t)
sysnet_dns_name_resolve(iscsid_t) miscfiles_read_localization(iscsid_t)

View File

@ -1,5 +1,5 @@
policy_module(kdump, 1.0.0) policy_module(kdump, 1.0.1)
####################################### #######################################
# #
@ -29,6 +29,7 @@ files_read_etc_runtime_files(kdump_t)
files_read_kernel_img(kdump_t) files_read_kernel_img(kdump_t)
kernel_read_system_state(kdump_t) kernel_read_system_state(kdump_t)
kernel_read_core_if(kdump_t)
dev_read_framebuffer(kdump_t) dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t) dev_read_sysfs(kdump_t)

View File

@ -1,5 +1,5 @@
policy_module(libraries, 2.5.1) policy_module(libraries, 2.6.0)
######################################## ########################################
# #
@ -117,6 +117,10 @@ optional_policy(`
apt_use_ptys(ldconfig_t) apt_use_ptys(ldconfig_t)
') ')
optional_policy(`
puppet_rw_tmp(ldconfig_t)
')
optional_policy(` optional_policy(`
# When you install a kernel the postinstall builds a initrd image in tmp # When you install a kernel the postinstall builds a initrd image in tmp
# and executes ldconfig on it. If you dont allow this kernel installs # and executes ldconfig on it. If you dont allow this kernel installs

View File

@ -1,5 +1,5 @@
policy_module(logging, 1.14.1) policy_module(logging, 1.15.0)
######################################## ########################################
# #

View File

@ -19,6 +19,25 @@ interface(`lvm_domtrans',`
domtrans_pattern($1, lvm_exec_t, lvm_t) domtrans_pattern($1, lvm_exec_t, lvm_t)
') ')
########################################
## <summary>
## Execute lvm programs in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`lvm_exec',`
gen_require(`
type lvm_exec_t;
')
corecmd_search_sbin($1)
can_exec($1, lvm_exec_t)
')
######################################## ########################################
## <summary> ## <summary>
## Execute lvm programs in the lvm domain. ## Execute lvm programs in the lvm domain.
@ -85,3 +104,22 @@ interface(`lvm_manage_config',`
manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t) manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
manage_files_pattern($1, lvm_etc_t, lvm_etc_t) manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
') ')
######################################
## <summary>
## Execute a domain transition to run clvmd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`lvm_domtrans_clvmd',`
gen_require(`
type clvmd_t, clvmd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')

View File

@ -1,5 +1,5 @@
policy_module(lvm, 1.11.0) policy_module(lvm, 1.11.1)
######################################## ########################################
# #
@ -10,6 +10,9 @@ type clvmd_t;
type clvmd_exec_t; type clvmd_exec_t;
init_daemon_domain(clvmd_t, clvmd_exec_t) init_daemon_domain(clvmd_t, clvmd_exec_t)
type clvmd_initrc_exec_t;
init_script_file(clvmd_initrc_exec_t)
type clvmd_var_run_t; type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t) files_pid_file(clvmd_var_run_t)
@ -102,6 +105,7 @@ fs_getattr_all_fs(clvmd_t)
fs_search_auto_mountpoints(clvmd_t) fs_search_auto_mountpoints(clvmd_t)
fs_dontaudit_list_tmpfs(clvmd_t) fs_dontaudit_list_tmpfs(clvmd_t)
fs_dontaudit_read_removable_files(clvmd_t) fs_dontaudit_read_removable_files(clvmd_t)
fs_rw_anon_inodefs_files(clvmd_t)
storage_dontaudit_getattr_removable_dev(clvmd_t) storage_dontaudit_getattr_removable_dev(clvmd_t)
storage_manage_fixed_disk(clvmd_t) storage_manage_fixed_disk(clvmd_t)
@ -168,7 +172,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority. # LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched; allow lvm_t self:process setsched;
allow lvm_t self:file rw_file_perms; allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file rw_fifo_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -192,12 +196,12 @@ files_lock_filetrans(lvm_t, lvm_lock_t, file)
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
files_var_lib_filetrans(lvm_t, lvm_var_lib_t,{ dir file }) files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
files_pid_filetrans(lvm_t, lvm_var_run_t,{ file sock_file }) files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
@ -214,6 +218,7 @@ kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this # it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t) kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t) kernel_use_fds(lvm_t)
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t) corecmd_exec_bin(lvm_t)
corecmd_exec_shell(lvm_t) corecmd_exec_shell(lvm_t)
@ -255,6 +260,10 @@ fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t) fs_read_tmpfs_symlinks(lvm_t)
fs_dontaudit_read_removable_files(lvm_t) fs_dontaudit_read_removable_files(lvm_t)
fs_dontaudit_getattr_tmpfs_files(lvm_t) fs_dontaudit_getattr_tmpfs_files(lvm_t)
fs_rw_anon_inodefs_files(lvm_t)
mls_file_read_all_levels(lvm_t)
mls_file_write_to_clearance(lvm_t)
selinux_get_fs_mount(lvm_t) selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t) selinux_validate_context(lvm_t)
@ -274,9 +283,12 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed? # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t) storage_manage_fixed_disk(lvm_t)
term_use_all_terms(lvm_t)
init_use_fds(lvm_t) init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t) init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t) init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t) logging_send_syslog_msg(lvm_t)
@ -313,7 +325,9 @@ optional_policy(`
optional_policy(` optional_policy(`
dbus_system_bus_client(lvm_t) dbus_system_bus_client(lvm_t)
hal_dbus_chat(lvm_t) optional_policy(`
hal_dbus_chat(lvm_t)
')
') ')
optional_policy(` optional_policy(`
@ -328,6 +342,10 @@ optional_policy(`
udev_read_db(lvm_t) udev_read_db(lvm_t)
') ')
optional_policy(`
virt_manage_images(lvm_t)
')
optional_policy(` optional_policy(`
xen_append_log(lvm_t) xen_append_log(lvm_t)
xen_dontaudit_rw_unix_stream_sockets(lvm_t) xen_dontaudit_rw_unix_stream_sockets(lvm_t)

View File

@ -85,6 +85,45 @@ interface(`miscfiles_read_fonts',`
read_lnk_files_pattern($1, fonts_t, fonts_t) read_lnk_files_pattern($1, fonts_t, fonts_t)
') ')
########################################
## <summary>
## Set the attributes on a fonts directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_setattr_fonts_dirs',`
gen_require(`
type fonts_t;
')
allow $1 fonts_t:dir setattr;
')
########################################
## <summary>
## Do not audit attempts to set the attributes
## on a fonts directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
gen_require(`
type fonts_t;
')
dontaudit $1 fonts_t:dir setattr;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to write fonts. ## Do not audit attempts to write fonts.
@ -253,6 +292,25 @@ interface(`miscfiles_legacy_read_localization',`
allow $1 locale_t:file execute; allow $1 locale_t:file execute;
') ')
########################################
## <summary>
## Search man pages.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`miscfiles_search_man_pages',`
gen_require(`
type man_t;
')
allow $1 man_t:dir search_dir_perms;
files_search_usr($1)
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to search man pages. ## Do not audit attempts to search man pages.
@ -268,7 +326,7 @@ interface(`miscfiles_dontaudit_search_man_pages',`
type man_t; type man_t;
') ')
dontaudit $1 man_t:dir search; dontaudit $1 man_t:dir search_dir_perms;
') ')
######################################## ########################################
@ -358,8 +416,8 @@ interface(`miscfiles_read_public_files',`
') ')
allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms; allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
read_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t }) read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
read_lnk_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t }) read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(miscfiles, 1.7.0) policy_module(miscfiles, 1.7.1)
######################################## ########################################
# #

View File

@ -1,6 +1,7 @@
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) /etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) /etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0)
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
# gentoo init scripts still manage this file # gentoo init scripts still manage this file

View File

@ -1,5 +1,23 @@
## <summary>Policy for kernel module utilities</summary> ## <summary>Policy for kernel module utilities</summary>
######################################
## <summary>
## Getattr the dependencies of kernel modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_getattr_module_deps',`
gen_require(`
type modules_dep_t;
')
getattr_files_pattern($1, modules_object_t, modules_dep_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read the dependencies of kernel modules. ## Read the dependencies of kernel modules.
@ -41,8 +59,8 @@ interface(`modutils_read_module_config',`
files_search_etc($1) files_search_etc($1)
files_search_boot($1) files_search_boot($1)
allow $1 modules_conf_t:file read_file_perms; read_files_pattern($1, modules_conf_t, modules_conf_t)
allow $1 modules_conf_t:lnk_file read_lnk_file_perms; read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
') ')
######################################## ########################################
@ -61,7 +79,7 @@ interface(`modutils_rename_module_config',`
type modules_conf_t; type modules_conf_t;
') ')
allow $1 modules_conf_t:file rename_file_perms; rename_files_pattern($1, modules_conf_t, modules_conf_t)
') ')
######################################## ########################################
@ -80,7 +98,26 @@ interface(`modutils_delete_module_config',`
type modules_conf_t; type modules_conf_t;
') ')
allow $1 modules_conf_t:file unlink; delete_files_pattern($1, modules_conf_t, modules_conf_t)
')
########################################
## <summary>
## Manage files with the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`modutils_manage_module_config',`
gen_require(`
type modules_conf_t;
')
manage_files_pattern($1, modules_conf_t, modules_conf_t)
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(modutils, 1.9.0) policy_module(modutils, 1.9.1)
gen_require(` gen_require(`
bool secure_mode_insmod; bool secure_mode_insmod;
@ -45,7 +45,7 @@ files_tmp_file(update_modules_tmp_t)
can_exec(depmod_t, depmod_exec_t) can_exec(depmod_t, depmod_exec_t)
# Read conf.modules. # Read conf.modules.
allow depmod_t modules_conf_t:file read_file_perms; read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
allow depmod_t modules_dep_t:file manage_file_perms; allow depmod_t modules_dep_t:file manage_file_perms;
files_kernel_modules_filetrans(depmod_t, modules_dep_t, file) files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
@ -82,8 +82,22 @@ ifdef(`distro_ubuntu',`
') ')
') ')
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(depmod_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files(depmod_t)
')
optional_policy(` optional_policy(`
rpm_rw_pipes(depmod_t) rpm_rw_pipes(depmod_t)
rpm_manage_script_tmp_files(depmod_t)
')
optional_policy(`
# Read System.map from home directories.
unconfined_domain(depmod_t)
') ')
######################################## ########################################
@ -91,19 +105,23 @@ optional_policy(`
# insmod local policy # insmod local policy
# #
allow insmod_t self:capability { dac_override net_raw sys_tty_config }; allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms; allow insmod_t self:udp_socket create_socket_perms;
allow insmod_t self:rawip_socket create_socket_perms; allow insmod_t self:rawip_socket create_socket_perms;
# Read module config and dependency information # Read module config and dependency information
allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms; list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
can_exec(insmod_t, insmod_exec_t) can_exec(insmod_t, insmod_exec_t)
kernel_load_module(insmod_t) kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t) kernel_read_system_state(insmod_t)
kernel_read_network_state(insmod_t)
kernel_write_proc_files(insmod_t) kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t) kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t) kernel_mount_kvmfs(insmod_t)
@ -112,6 +130,7 @@ kernel_read_debugfs(insmod_t)
kernel_read_kernel_sysctls(insmod_t) kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t) kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t) kernel_read_hotplug_sysctls(insmod_t)
kernel_setsched(insmod_t)
corecmd_exec_bin(insmod_t) corecmd_exec_bin(insmod_t)
corecmd_exec_shell(insmod_t) corecmd_exec_shell(insmod_t)
@ -124,9 +143,6 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t) dev_read_sound(insmod_t)
dev_write_sound(insmod_t) dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t) dev_rw_apm_bios(insmod_t)
# cjp: why is this needed? insmod cannot mounton any dir
# and it also transitions to mount
dev_mount_usbfs(insmod_t)
domain_signal_all_domains(insmod_t) domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t) domain_use_interactive_fds(insmod_t)
@ -159,16 +175,25 @@ seutil_read_file_contexts(insmod_t)
userdom_use_user_terminals(insmod_t) userdom_use_user_terminals(insmod_t)
ifdef(`distro_ubuntu',` userdom_dontaudit_search_user_home_dirs(insmod_t)
optional_policy(`
unconfined_domain(insmod_t)
')
')
if( ! secure_mode_insmod ) { if( ! secure_mode_insmod ) {
kernel_domtrans_to(insmod_t, insmod_exec_t) kernel_domtrans_to(insmod_t, insmod_exec_t)
} }
optional_policy(`
alsa_domtrans(insmod_t)
')
optional_policy(`
firstboot_dontaudit_rw_pipes(insmod_t)
firstboot_dontaudit_rw_stream_sockets(insmod_t)
')
optional_policy(`
hal_write_log(insmod_t)
')
optional_policy(` optional_policy(`
hotplug_search_config(insmod_t) hotplug_search_config(insmod_t)
') ')
@ -205,7 +230,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
unconfined_dontaudit_rw_pipes(insmod_t) unconfined_domain(insmod_t)
') ')
optional_policy(` optional_policy(`
@ -228,7 +253,7 @@ can_exec(update_modules_t, insmod_exec_t)
can_exec(update_modules_t, update_modules_exec_t) can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration # manage module loading configuration
allow update_modules_t modules_conf_t:file manage_file_perms; manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file) files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
files_etc_filetrans(update_modules_t, modules_conf_t, file) files_etc_filetrans(update_modules_t, modules_conf_t, file)

View File

@ -1,3 +1,4 @@
/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)

View File

@ -1,5 +1,5 @@
policy_module(raid, 1.9.0) policy_module(raid, 1.9.1)
######################################## ########################################
# #
@ -11,6 +11,9 @@ type mdadm_exec_t;
init_daemon_domain(mdadm_t, mdadm_exec_t) init_daemon_domain(mdadm_t, mdadm_exec_t)
role system_r types mdadm_t; role system_r types mdadm_t;
type mdadm_map_t;
files_type(mdadm_map_t)
type mdadm_var_run_t; type mdadm_var_run_t;
files_pid_file(mdadm_var_run_t) files_pid_file(mdadm_var_run_t)
@ -24,6 +27,10 @@ dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms; allow mdadm_t self:fifo_file rw_fifo_file_perms;
# create .mdadm files in /dev
allow mdadm_t mdadm_map_t:file manage_file_perms;
dev_filetrans(mdadm_t, mdadm_map_t, file)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)

View File

@ -1,5 +1,24 @@
## <summary>SELinux MLS/MCS label translation service.</summary> ## <summary>SELinux MLS/MCS label translation service.</summary>
########################################
## <summary>
## Execute setrans server in the setrans domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
#
interface(`setrans_initrc_domtrans',`
gen_require(`
type setrans_initrc_exec_t;
')
init_labeled_script_domtrans($1, setrans_initrc_exec_t)
')
####################################### #######################################
## <summary> ## <summary>
## Allow a domain to translate contexts. ## Allow a domain to translate contexts.

View File

@ -1,5 +1,5 @@
policy_module(setrans, 1.6.0) policy_module(setrans, 1.6.1)
gen_require(` gen_require(`
class context contains; class context contains;

View File

@ -6,8 +6,11 @@
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)

View File

@ -1,5 +1,23 @@
## <summary>Policy for udev.</summary> ## <summary>Policy for udev.</summary>
########################################
## <summary>
## Send generic signals to udev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_signal',`
gen_require(`
type udev_t;
')
allow $1 udev_t:process signal;
')
######################################## ########################################
## <summary> ## <summary>
## Execute udev in the udev domain. ## Execute udev in the udev domain.
@ -169,3 +187,23 @@ interface(`udev_rw_db',`
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:file rw_file_perms; allow $1 udev_tbl_t:file rw_file_perms;
') ')
########################################
## <summary>
## Create, read, write, and delete
## udev pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_manage_pid_files',`
gen_require(`
type udev_var_run_t;
')
files_search_var_lib($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(udev, 1.11.0) policy_module(udev, 1.11.1)
######################################## ########################################
# #
@ -66,9 +66,11 @@ dev_filetrans(udev_t, udev_tbl_t, file)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
kernel_read_system_state(udev_t) kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
kernel_getattr_core_if(udev_t) kernel_getattr_core_if(udev_t)
kernel_use_fds(udev_t) kernel_use_fds(udev_t)
kernel_read_device_sysctls(udev_t) kernel_read_device_sysctls(udev_t)
@ -99,7 +101,7 @@ dev_relabel_all_dev_nodes(udev_t)
dev_relabel_generic_symlinks(udev_t) dev_relabel_generic_symlinks(udev_t)
domain_read_all_domains_state(udev_t) domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t) files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t) files_read_etc_runtime_files(udev_t)
@ -111,6 +113,7 @@ files_search_mnt(udev_t)
fs_getattr_all_fs(udev_t) fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t) fs_list_inotifyfs(udev_t)
fs_rw_anon_inodefs_files(udev_t)
mcs_ptrace_all(udev_t) mcs_ptrace_all(udev_t)
@ -140,6 +143,7 @@ logging_send_syslog_msg(udev_t)
logging_send_audit_msgs(udev_t) logging_send_audit_msgs(udev_t)
miscfiles_read_localization(udev_t) miscfiles_read_localization(udev_t)
miscfiles_read_hwdata(udev_t)
modutils_domtrans_insmod(udev_t) modutils_domtrans_insmod(udev_t)
# read modules.inputmap: # read modules.inputmap:
@ -193,6 +197,10 @@ optional_policy(`
alsa_read_rw_config(udev_t) alsa_read_rw_config(udev_t)
') ')
optional_policy(`
bluetooth_domtrans(udev_t)
')
optional_policy(` optional_policy(`
brctl_domtrans(udev_t) brctl_domtrans(udev_t)
') ')
@ -205,10 +213,19 @@ optional_policy(`
consoletype_exec(udev_t) consoletype_exec(udev_t)
') ')
optional_policy(`
cups_domtrans_config(udev_t)
')
optional_policy(` optional_policy(`
dbus_system_bus_client(udev_t) dbus_system_bus_client(udev_t)
') ')
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
')
optional_policy(` optional_policy(`
lvm_domtrans(udev_t) lvm_domtrans(udev_t)
') ')
@ -227,6 +244,10 @@ optional_policy(`
hotplug_search_pids(udev_t) hotplug_search_pids(udev_t)
') ')
optional_policy(`
mount_domtrans(udev_t)
')
optional_policy(` optional_policy(`
openct_read_pid_files(udev_t) openct_read_pid_files(udev_t)
openct_domtrans(udev_t) openct_domtrans(udev_t)
@ -241,6 +262,14 @@ optional_policy(`
raid_domtrans_mdadm(udev_t) raid_domtrans_mdadm(udev_t)
') ')
optional_policy(`
unconfined_signal(udev_t)
')
optional_policy(`
vbetool_domtrans(udev_t)
')
optional_policy(` optional_policy(`
kernel_write_xen_state(udev_t) kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t) kernel_read_xen_state(udev_t)

View File

@ -1,5 +1,5 @@
policy_module(unconfined, 3.0.1) policy_module(unconfined, 3.1.0)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(userdomain, 4.2.4) policy_module(userdomain, 4.3.0)
######################################## ########################################
# #

View File

@ -2,6 +2,8 @@
/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
ifdef(`distro_debian',` ifdef(`distro_debian',`
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) /usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
@ -19,14 +21,18 @@ ifdef(`distro_debian',`
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)

View File

@ -71,7 +71,30 @@ interface(`xen_read_image_files',`
') ')
files_list_var_lib($1) files_list_var_lib($1)
read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
')
########################################
## <summary>
## Allow the specified domain to read/write
## xend image files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`xen_rw_image_files',`
gen_require(`
type xen_image_t, xend_var_lib_t;
')
files_list_var_lib($1)
allow $1 xend_var_lib_t:dir search_dir_perms;
rw_files_pattern($1, xen_image_t, xen_image_t)
') ')
######################################## ########################################
@ -167,11 +190,14 @@ interface(`xen_stream_connect_xenstore',`
# #
interface(`xen_stream_connect',` interface(`xen_stream_connect',`
gen_require(` gen_require(`
type xend_t, xend_var_run_t; type xend_t, xend_var_run_t, xend_var_lib_t;
') ')
files_search_pids($1) files_search_pids($1)
stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t) stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
files_search_var_lib($1)
stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
') ')
######################################## ########################################

Some files were not shown because too many files have changed in this diff Show More