rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

trunk: 21 patches from dan.

Browse Source
This commit is contained in:
Chris PeBenito 2008-10-08 15:50:03 +00:00
parent ed8ae5ebeb
commit e87221cefe
58 changed files with 797 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
policy/modules/services/apcupsd.fc
View File

@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
ifdef(`distro_debian',` ifdef(`distro_debian',`
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
') ')

45
policy/modules/services/apcupsd.if
View File

@ -97,3 +97,48 @@ interface(`apcupsd_cgi_script_domtrans',`
domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an apcupsd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the apcupsd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t;
type apcupsd_log_t, apcupsd_lock_t;
type apcupsd_var_run_t, apcupsd_initrc_exec_t;
')
allow $1 apcupsd_t:process { ptrace signal_perms };
ps_process_pattern($1, apcupsd_t)
init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
allow $2 system_r;
files_list_var($1)
admin_pattern($1, apcupsd_lock_t)
logging_list_logs($1)
admin_pattern($1, apcupsd_log_t)
files_list_tmp($1)
admin_pattern($1, apcupsd_tmp_t)
files_list_pids($1)
admin_pattern($1, apcupsd_var_run_t)
')

11
policy/modules/services/apcupsd.te
View File

@ -1,5 +1,5 @@
policy_module(apcupsd, 1.3.1) policy_module(apcupsd, 1.3.2)
######################################## ########################################
# #
@ -13,6 +13,9 @@ init_daemon_domain(apcupsd_t, apcupsd_exec_t)
type apcupsd_lock_t; type apcupsd_lock_t;
files_lock_file(apcupsd_lock_t) files_lock_file(apcupsd_lock_t)
type apcupsd_initrc_exec_t;
init_script_file(apcupsd_initrc_exec_t)
type apcupsd_log_t; type apcupsd_log_t;
logging_log_file(apcupsd_log_t) logging_log_file(apcupsd_log_t)
@ -86,12 +89,18 @@ logging_send_syslog_msg(apcupsd_t)
miscfiles_read_localization(apcupsd_t) miscfiles_read_localization(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
userdom_use_unpriv_users_ttys(apcupsd_t)
userdom_use_unpriv_users_ptys(apcupsd_t)
optional_policy(` optional_policy(`
hostname_exec(apcupsd_t) hostname_exec(apcupsd_t)
') ')
optional_policy(` optional_policy(`
mta_send_mail(apcupsd_t) mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
') ')
######################################## ########################################

5
policy/modules/services/bitlbee.fc
View File

@ -1,3 +1,6 @@
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) /etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)

37
policy/modules/services/bitlbee.if
View File

@ -20,3 +20,40 @@ interface(`bitlbee_read_config',`
allow $1 bitlbee_conf_t:file { read getattr }; allow $1 bitlbee_conf_t:file { read getattr };
') ')
########################################
## <summary>
## All of the rules required to administrate
## an bitlbee environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the bitlbee domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`bitlbee_admin',`
gen_require(`
type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
type bitlbee_initrc_exec_t;
')
allow $1 bitlbee_t:process { ptrace signal_perms };
ps_process_pattern($1, bitlbee_t)
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, bitlbee_conf_t)
files_list_var($1)
admin_pattern($1, bitlbee_var_t)
')

19
policy/modules/services/bitlbee.te
View File

@ -1,5 +1,5 @@
policy_module(bitlbee, 1.0.0) policy_module(bitlbee, 1.0.1)
######################################## ########################################
# #
@ -14,6 +14,12 @@ inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
type bitlbee_conf_t; type bitlbee_conf_t;
files_config_file(bitlbee_conf_t) files_config_file(bitlbee_conf_t)
type bitlbee_initrc_exec_t;
init_script_file(bitlbee_initrc_exec_t)
type bitlbee_tmp_t;
files_tmp_file(bitlbee_tmp_t)
type bitlbee_var_t; type bitlbee_var_t;
files_type(bitlbee_var_t) files_type(bitlbee_var_t)
@ -26,9 +32,15 @@ files_type(bitlbee_var_t)
allow bitlbee_t self:udp_socket create_socket_perms; allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
allow bitlbee_t self:process signal;
bitlbee_read_config(bitlbee_t) bitlbee_read_config(bitlbee_t)
# tmp files
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
# user account information is read and edited at runtime; give the usual # user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t # r/w access to bitlbee_var_t
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
@ -54,6 +66,9 @@ corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
corenet_tcp_connect_msnp_port(bitlbee_t) corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t) corenet_tcp_sendrecv_msnp_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
files_read_etc_files(bitlbee_t) files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t) files_search_pids(bitlbee_t)
# grant read-only access to the user help files # grant read-only access to the user help files
@ -62,6 +77,8 @@ files_read_usr_files(bitlbee_t)
libs_legacy_use_shared_libs(bitlbee_t) libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t) libs_use_ld_so(bitlbee_t)
miscfiles_read_localization(bitlbee_t)
sysnet_dns_name_resolve(bitlbee_t) sysnet_dns_name_resolve(bitlbee_t)
optional_policy(` optional_policy(`

1
policy/modules/services/canna.fc
View File

@ -1,3 +1,4 @@
/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
# #
# /usr # /usr

41
policy/modules/services/canna.if
View File

@ -18,3 +18,44 @@ interface(`canna_stream_connect',`
files_search_pids($1) files_search_pids($1)
stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t) stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an canna environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the canna domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`canna_admin',`
gen_require(`
type canna_t, canna_log_t, canna_var_lib_t;
type canna_var_run_t, canna_initrc_exec_t;
')
allow $1 canna_t:process { ptrace signal_perms };
ps_process_pattern($1, canna_t)
init_labeled_script_domtrans($1, canna_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, canna_log_t)
files_list_var_lib($1)
admin_pattern($1, canna_var_lib_t)
files_list_pids($1)
admin_pattern($1, canna_var_run_t)
')

5
policy/modules/services/canna.te
View File

@ -1,5 +1,5 @@
policy_module(canna, 1.7.0) policy_module(canna, 1.7.1)
######################################## ########################################
# #
@ -10,6 +10,9 @@ type canna_t;
type canna_exec_t; type canna_exec_t;
init_daemon_domain(canna_t, canna_exec_t) init_daemon_domain(canna_t, canna_exec_t)
type canna_initrc_exec_t;
init_script_file(canna_initrc_exec_t)
type canna_log_t; type canna_log_t;
logging_log_file(canna_log_t) logging_log_file(canna_log_t)

1
policy/modules/services/ddclient.fc
View File

@ -1,5 +1,6 @@
/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) /etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) /etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0) /usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0) /usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)

48
policy/modules/services/ddclient.if
View File

@ -18,3 +18,51 @@ interface(`ddclient_domtrans',`
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, ddclient_exec_t, ddclient_t) domtrans_pattern($1, ddclient_exec_t, ddclient_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an ddclient environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the ddclient domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`ddclient_admin',`
gen_require(`
type ddclient_t, ddclient_etc_t, ddclient_log_t;
type ddclient_var_t, ddclient_var_lib_t;
type ddclient_var_run_t, ddclient_initrc_exec_t;
')
allow $1 ddclient_t:process { ptrace signal_perms };
ps_process_pattern($1, ddclient_t)
init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ddclient_etc_t)
logging_list_logs($1)
admin_pattern($1, ddclient_log_t)
files_list_var($1)
admin_pattern($1, ddclient_var_t)
files_list_var_lib($1)
admin_pattern($1, ddclient_var_lib_t)
files_list_pids($1)
admin_pattern($1, ddclient_var_run_t)
')

7
policy/modules/services/ddclient.te
View File

@ -1,5 +1,5 @@
policy_module(ddclient, 1.5.0) policy_module(ddclient, 1.5.1)
######################################## ########################################
# #
@ -11,7 +11,10 @@ type ddclient_exec_t;
init_daemon_domain(ddclient_t, ddclient_exec_t) init_daemon_domain(ddclient_t, ddclient_exec_t)
type ddclient_etc_t; type ddclient_etc_t;
files_type(ddclient_etc_t) files_config_file(ddclient_etc_t)
type ddclient_initrc_exec_t;
init_script_file(ddclient_initrc_exec_t)
type ddclient_log_t; type ddclient_log_t;
logging_log_file(ddclient_log_t) logging_log_file(ddclient_log_t)

3
policy/modules/services/dictd.fc
View File

@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0) /etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)

41
policy/modules/services/dictd.if
View File

@ -14,3 +14,44 @@
interface(`dictd_tcp_connect',` interface(`dictd_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
########################################
## <summary>
## All of the rules required to administrate
## an dictd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the dictd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`dictd_admin',`
gen_require(`
type dictd_t, dictd_etc_t, dictd_var_lib_t;
type dictd_var_run_t, dictd_initrc_exec_t;
')
allow $1 dictd_t:process { ptrace signal_perms };
ps_process_pattern($1, dictd_t)
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dictd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, dictd_etc_t)
files_list_var_lib($1)
admin_pattern($1, dictd_var_lib_t)
files_list_pids($1)
admin_pattern($1, dictd_var_run_t)
')

11
policy/modules/services/dictd.te
View File

@ -1,5 +1,5 @@
policy_module(dictd, 1.5.0) policy_module(dictd, 1.5.1)
######################################## ########################################
# #
@ -13,9 +13,15 @@ init_daemon_domain(dictd_t, dictd_exec_t)
type dictd_etc_t; type dictd_etc_t;
files_config_file(dictd_etc_t) files_config_file(dictd_etc_t)
type dictd_initrc_exec_t;
init_script_file(dictd_initrc_exec_t)
type dictd_var_lib_t alias var_lib_dictd_t; type dictd_var_lib_t alias var_lib_dictd_t;
files_type(dictd_var_lib_t) files_type(dictd_var_lib_t)
type dictd_var_run_t;
files_pid_file(dictd_var_run_t)
######################################## ########################################
# #
# Local policy # Local policy
@ -34,6 +40,9 @@ files_search_etc(dictd_t)
allow dictd_t dictd_var_lib_t:dir list_dir_perms; allow dictd_t dictd_var_lib_t:dir list_dir_perms;
allow dictd_t dictd_var_lib_t:file read_file_perms; allow dictd_t dictd_var_lib_t:file read_file_perms;
manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
files_pid_filetrans(dictd_t, dictd_var_run_t, file)
kernel_read_system_state(dictd_t) kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t) kernel_read_kernel_sysctls(dictd_t)

3
policy/modules/services/fail2ban.fc
View File

@ -3,5 +3,4 @@
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)

38
policy/modules/services/fail2ban.if
View File

@ -78,3 +78,41 @@ interface(`fail2ban_read_pid_files',`
files_search_pids($1) files_search_pids($1)
allow $1 fail2ban_var_run_t:file read_file_perms; allow $1 fail2ban_var_run_t:file read_file_perms;
') ')
########################################
## <summary>
## All of the rules required to administrate
## an fail2ban environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the fail2ban domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`fail2ban_admin',`
gen_require(`
type fail2ban_t, fail2ban_log_t;
type fail2ban_var_run_t, fail2ban_initrc_exec_t;
')
allow $1 fail2ban_t:process { ptrace signal_perms };
ps_process_pattern($1, fail2ban_t)
init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
')

5
policy/modules/services/fail2ban.te
View File

@ -1,5 +1,5 @@
policy_module(fail2ban, 1.1.1) policy_module(fail2ban, 1.1.2)
######################################## ########################################
# #
@ -37,9 +37,10 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
# pid file # pid file
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file }) files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
kernel_read_system_state(fail2ban_t) kernel_read_system_state(fail2ban_t)

1
policy/modules/services/inn.fc
View File

@ -4,6 +4,7 @@
# #
/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0) /etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0)
/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0) /etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0)
/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
# #
# /usr # /usr

51
policy/modules/services/inn.if
View File

@ -54,8 +54,7 @@ interface(`inn_manage_log',`
') ')
logging_rw_generic_log_dirs($1) logging_rw_generic_log_dirs($1)
allow $1 innd_log_t:dir search; manage_files_pattern($1, innd_log_t, innd_log_t)
allow $1 innd_log_t:file manage_file_perms;
') ')
######################################## ########################################
@ -176,3 +175,51 @@ interface(`inn_domtrans',`
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, innd_exec_t, innd_t) domtrans_pattern($1, innd_exec_t, innd_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an inn environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the inn domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`inn_admin',`
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
type news_spool_t, innd_var_lib_t;
type innd_var_run_t, innd_initrc_exec_t;
')
allow $1 innd_t:process { ptrace signal_perms };
ps_process_pattern($1, innd_t)
init_labeled_script_domtrans($1, innd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 innd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, innd_etc_t)
logging_list_logs($1)
admin_pattern($1, innd_log_t)
files_list_var_lib($1)
admin_pattern($1, innd_var_lib_t)
files_list_pids($1)
admin_pattern($1, innd_var_run_t)
files_list_spool($1)
admin_pattern($1, news_spool_t)
')

7
policy/modules/services/inn.te
View File

@ -1,5 +1,5 @@
policy_module(inn, 1.6.0) policy_module(inn, 1.6.1)
######################################## ########################################
# #
@ -12,6 +12,9 @@ init_daemon_domain(innd_t, innd_exec_t)
type innd_etc_t; type innd_etc_t;
files_config_file(innd_etc_t) files_config_file(innd_etc_t)
type innd_initrc_exec_t;
init_script_file(innd_initrc_exec_t)
type innd_log_t; type innd_log_t;
logging_log_file(innd_log_t) logging_log_file(innd_log_t)
@ -22,7 +25,7 @@ type innd_var_run_t;
files_pid_file(innd_var_run_t) files_pid_file(innd_var_run_t)
type news_spool_t; type news_spool_t;
files_type(news_spool_t) files_mountpoint(news_spool_t)
######################################## ########################################
# #

2
policy/modules/services/jabber.fc
View File

@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)

41
policy/modules/services/jabber.if
View File

@ -13,3 +13,44 @@
interface(`jabber_tcp_connect',` interface(`jabber_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
########################################
## <summary>
## All of the rules required to administrate
## an jabber environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the jabber domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`jabber_admin',`
gen_require(`
type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
type jabberd_var_run_t, jabberd_initrc_exec_t;
')
allow $1 jabberd_t:process { ptrace signal_perms };
ps_process_pattern($1, jabberd_t)
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, jabberd_log_t)
files_list_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
files_list_pids($1)
admin_pattern($1, jabberd_var_run_t)
')

5
policy/modules/services/jabber.te
View File

@ -1,5 +1,5 @@
policy_module(jabber, 1.5.0) policy_module(jabber, 1.5.1)
######################################## ########################################
# #
@ -10,6 +10,9 @@ type jabberd_t;
type jabberd_exec_t; type jabberd_exec_t;
init_daemon_domain(jabberd_t, jabberd_exec_t) init_daemon_domain(jabberd_t, jabberd_exec_t)
type jabberd_initrc_exec_t;
init_script_file(jabberd_initrc_exec_t)
type jabberd_log_t; type jabberd_log_t;
logging_log_file(jabberd_log_t) logging_log_file(jabberd_log_t)

44
policy/modules/services/ntp.if
View File

@ -53,3 +53,47 @@ interface(`ntp_domtrans_ntpdate',`
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, ntpdate_exec_t, ntpd_t) domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
') ')
########################################
## <summary>
## All of the rules required to administrate
## an ntp environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the ntp domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
type ntpd_key_t, ntpd_var_lib_t, ntpd_var_run_t;
type ntpd_initrc_exec_t;
')
allow $1 ntpd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, ntpd_t)
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, ntpd_key_t)
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
files_list_tmp($1)
admin_pattern($1, ntpd_tmp_t)
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
')

2
policy/modules/services/ntp.te
View File

@ -1,5 +1,5 @@
policy_module(ntp, 1.6.2) policy_module(ntp, 1.6.3)
######################################## ########################################
# #

1
policy/modules/services/postfixpolicyd.fc
View File

@ -1,4 +1,5 @@
/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0) /etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)

39
policy/modules/services/postfixpolicyd.if
View File

@ -1 +1,40 @@
## <summary>Postfix policy server</summary> ## <summary>Postfix policy server</summary>
########################################
## <summary>
## All of the rules required to administrate
## an postfixpolicyd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the postfixpolicyd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`postfixpolicyd_admin',`
gen_require(`
type postfix_policyd_t, postfix_policyd_conf_t;
type postfix_policyd_var_run_t;
type postfix_policyd_initrc_exec_t;
')
allow $1 postfix_policyd_t:process { ptrace signal_perms };
ps_process_pattern($1, postfix_policyd_t)
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postfix_policyd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postfix_policyd_conf_t)
files_list_pids($1)
admin_pattern($1, postfix_policyd_var_run_t)
')

5
policy/modules/services/postfixpolicyd.te
View File

@ -1,5 +1,5 @@
policy_module(postfixpolicyd, 1.0.0) policy_module(postfixpolicyd, 1.0.1)
######################################## ########################################
# #
@ -13,6 +13,9 @@ init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
type postfix_policyd_conf_t; type postfix_policyd_conf_t;
files_config_file(postfix_policyd_conf_t) files_config_file(postfix_policyd_conf_t)
type postfix_policyd_initrc_exec_t;
init_script_file(postfix_policyd_initrc_exec_t)
type postfix_policyd_var_run_t; type postfix_policyd_var_run_t;
files_pid_file(postfix_policyd_var_run_t) files_pid_file(postfix_policyd_var_run_t)

1
policy/modules/services/radius.fc
View File

@ -1,6 +1,7 @@
/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) /etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) /etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) /etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) /etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)

21
policy/modules/services/radius.if
View File

@ -24,28 +24,39 @@ interface(`radius_use',`
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/> ## <rolecap/>
# #
interface(`radius_admin',` interface(`radius_admin',`
gen_require(` gen_require(`
type radiusd_t, radiusd_etc_t, radiusd_log_t; type radiusd_t, radiusd_etc_t, radiusd_log_t;
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
type radiusd_initrc_exec_t;
') ')
allow $1 radiusd_t:process { ptrace signal_perms getattr }; allow $1 radiusd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, radiusd_t) ps_process_pattern($1, radiusd_t)
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 radiusd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1) files_list_etc($1)
manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t) admin_pattern($1, radiusd_etc_t)
logging_list_logs($1) logging_list_logs($1)
manage_files_pattern($1, radiusd_log_t, radiusd_log_t) admin_pattern($1, radiusd_log_t)
manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t) admin_pattern($1, radiusd_etc_rw_t)
files_list_var_lib($1) files_list_var_lib($1)
manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t) admin_pattern($1, radiusd_var_lib_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t) admin_pattern($1, radiusd_var_run_t)
') ')

24
policy/modules/services/radius.te
View File

@ -1,5 +1,5 @@
policy_module(radius, 1.8.0) policy_module(radius, 1.8.1)
######################################## ########################################
# #
@ -16,6 +16,9 @@ files_config_file(radiusd_etc_t)
type radiusd_etc_rw_t; type radiusd_etc_rw_t;
files_type(radiusd_etc_rw_t) files_type(radiusd_etc_rw_t)
type radiusd_initrc_exec_t;
init_script_file(radiusd_initrc_exec_t)
type radiusd_log_t; type radiusd_log_t;
logging_log_file(radiusd_log_t) logging_log_file(radiusd_log_t)
@ -34,12 +37,11 @@ files_pid_file(radiusd_var_run_t)
# gzip also needs chown access to preserve GID for radwtmp files # gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
dontaudit radiusd_t self:capability sys_tty_config; dontaudit radiusd_t self:capability sys_tty_config;
allow radiusd_t self:process { setsched signal }; allow radiusd_t self:process { getsched setsched sigkill signal };
allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:fifo_file rw_fifo_file_perms;
allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
allow radiusd_t self:tcp_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms;
allow radiusd_t self:udp_socket create_socket_perms; allow radiusd_t self:udp_socket create_socket_perms;
allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;
allow radiusd_t radiusd_etc_t:dir list_dir_perms; allow radiusd_t radiusd_etc_t:dir list_dir_perms;
read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
@ -74,8 +76,12 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_all_nodes(radiusd_t) corenet_udp_bind_all_nodes(radiusd_t)
corenet_udp_bind_radacct_port(radiusd_t) corenet_udp_bind_radacct_port(radiusd_t)
corenet_udp_bind_radius_port(radiusd_t) corenet_udp_bind_radius_port(radiusd_t)
corenet_tcp_connect_mysqld_port(radiusd_t)
corenet_tcp_connect_snmp_port(radiusd_t)
corenet_sendrecv_radius_server_packets(radiusd_t) corenet_sendrecv_radius_server_packets(radiusd_t)
corenet_sendrecv_radacct_server_packets(radiusd_t) corenet_sendrecv_radacct_server_packets(radiusd_t)
corenet_sendrecv_mysqld_client_packets(radiusd_t)
corenet_sendrecv_snmp_client_packets(radiusd_t)
# for RADIUS proxy port # for RADIUS proxy port
corenet_udp_bind_generic_port(radiusd_t) corenet_udp_bind_generic_port(radiusd_t)
corenet_dontaudit_udp_bind_all_ports(radiusd_t) corenet_dontaudit_udp_bind_all_ports(radiusd_t)
@ -86,9 +92,6 @@ dev_read_sysfs(radiusd_t)
fs_getattr_all_fs(radiusd_t) fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t) fs_search_auto_mountpoints(radiusd_t)
auth_read_shadow(radiusd_t)
auth_domtrans_chk_passwd(radiusd_t)
corecmd_exec_bin(radiusd_t) corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t) corecmd_exec_shell(radiusd_t)
@ -98,6 +101,10 @@ files_read_usr_files(radiusd_t)
files_read_etc_files(radiusd_t) files_read_etc_files(radiusd_t)
files_read_etc_runtime_files(radiusd_t) files_read_etc_runtime_files(radiusd_t)
auth_use_nsswitch(radiusd_t)
auth_read_shadow(radiusd_t)
auth_domtrans_chk_passwd(radiusd_t)
libs_use_ld_so(radiusd_t) libs_use_ld_so(radiusd_t)
libs_use_shared_libs(radiusd_t) libs_use_shared_libs(radiusd_t)
libs_exec_lib_files(radiusd_t) libs_exec_lib_files(radiusd_t)
@ -107,8 +114,6 @@ logging_send_syslog_msg(radiusd_t)
miscfiles_read_localization(radiusd_t) miscfiles_read_localization(radiusd_t)
miscfiles_read_certs(radiusd_t) miscfiles_read_certs(radiusd_t)
sysnet_read_config(radiusd_t)
userdom_dontaudit_use_unpriv_user_fds(radiusd_t) userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
sysadm_dontaudit_search_home_dirs(radiusd_t) sysadm_dontaudit_search_home_dirs(radiusd_t)
@ -123,7 +128,8 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
nis_use_ypbind(radiusd_t) mysql_read_config(radiusd_t)
mysql_stream_connect(radiusd_t)
') ')
optional_policy(` optional_policy(`

2
policy/modules/services/radvd.fc
View File

@ -1,5 +1,5 @@
/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0) /etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0)
/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0) /usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)

18
policy/modules/services/radvd.if
View File

@ -10,20 +10,30 @@
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/> ## <rolecap/>
# #
interface(`radvd_admin',` interface(`radvd_admin',`
gen_require(` gen_require(`
type radvd_t, radvd_etc_t; type radvd_t, radvd_etc_t;
type radvd_var_run_t; type radvd_var_run_t, radvd_initrc_exec_t;
') ')
allow $1 radvd_t:process { ptrace signal_perms getattr }; allow $1 radvd_t:process { ptrace signal_perms };
ps_process_pattern($1, radvd_t) ps_process_pattern($1, radvd_t)
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 radvd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1) files_list_etc($1)
manage_files_pattern($1, radvd_etc_t, radvd_etc_t) admin_pattern($1, radvd_etc_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t) admin_pattern($1, radvd_var_run_t)
') ')

6
policy/modules/services/radvd.te
View File

@ -1,5 +1,5 @@
policy_module(radvd, 1.8.0) policy_module(radvd, 1.8.1)
######################################## ########################################
# #
@ -9,6 +9,9 @@ type radvd_t;
type radvd_exec_t; type radvd_exec_t;
init_daemon_domain(radvd_t, radvd_exec_t) init_daemon_domain(radvd_t, radvd_exec_t)
type radvd_initrc_exec_t;
init_script_file(radvd_initrc_exec_t)
type radvd_var_run_t; type radvd_var_run_t;
files_pid_file(radvd_var_run_t) files_pid_file(radvd_var_run_t)
@ -27,6 +30,7 @@ allow radvd_t self:unix_stream_socket create_socket_perms;
allow radvd_t self:rawip_socket create_socket_perms; allow radvd_t self:rawip_socket create_socket_perms;
allow radvd_t self:tcp_socket create_stream_socket_perms; allow radvd_t self:tcp_socket create_stream_socket_perms;
allow radvd_t self:udp_socket create_socket_perms; allow radvd_t self:udp_socket create_socket_perms;
allow radvd_t self:fifo_file rw_file_perms;
allow radvd_t radvd_etc_t:file read_file_perms; allow radvd_t radvd_etc_t:file read_file_perms;

2
policy/modules/services/rwho.fc
View File

@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0) /usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) /var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)

17
policy/modules/services/rwho.if
View File

@ -126,19 +126,30 @@ interface(`rwho_manage_spool_files',`
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role">
## <summary>
## The role allowed access.
## </summary>
## </param>
## <rolecap/> ## <rolecap/>
# #
interface(`rwho_admin',` interface(`rwho_admin',`
gen_require(` gen_require(`
type rwho_t, rwho_log_t, rwho_spool_t; type rwho_t, rwho_log_t, rwho_spool_t;
type rwho_initrc_exec_t;
') ')
allow $1 rwho_t:process { ptrace signal_perms getattr }; allow $1 rwho_t:process { ptrace signal_perms };
ps_process_pattern($1, rwho_t) ps_process_pattern($1, rwho_t)
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rwho_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1) logging_list_logs($1)
manage_files_pattern($1, rwho_log_t, rwho_log_t) admin_pattern($1, rwho_log_t)
files_list_spool($1) files_list_spool($1)
manage_files_pattern($1, rwho_spool_t, rwho_spool_t) admin_pattern($1, rwho_spool_t)
') ')

5
policy/modules/services/rwho.te
View File

@ -1,5 +1,5 @@
policy_module(rwho, 1.4.0) policy_module(rwho, 1.4.1)
######################################## ########################################
# #
@ -10,6 +10,9 @@ type rwho_t;
type rwho_exec_t; type rwho_exec_t;
init_daemon_domain(rwho_t, rwho_exec_t) init_daemon_domain(rwho_t, rwho_exec_t)
type rwho_initrc_exec_t;
init_script_file(rwho_initrc_exec_t)
type rwho_log_t; type rwho_log_t;
files_type(rwho_log_t) files_type(rwho_log_t)

3
policy/modules/services/soundserver.fc
View File

@ -1,4 +1,5 @@
/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) /etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) /etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) /usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
@ -6,5 +7,7 @@
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)

42
policy/modules/services/soundserver.if
View File

@ -13,3 +13,45 @@
interface(`soundserver_tcp_connect',` interface(`soundserver_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
########################################
## <summary>
## All of the rules required to administrate
## an soundd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the soundd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`soundserver_admin',`
gen_require(`
type soundd_t, soundd_etc_t;
type soundd_tmp_t, soundd_var_run_t;
type soundd_initrc_exec_t;
')
allow $1 soundd_t:process { ptrace signal_perms };
ps_process_pattern($1, soundd_t)
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 soundd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, soundd_etc_t)
files_list_tmp($1)
admin_pattern($1, soundd_tmp_t)
files_list_pids($1)
admin_pattern($1, soundd_var_run_t)
')

23
policy/modules/services/soundserver.te
View File

@ -1,5 +1,5 @@
policy_module(soundserver, 1.5.0) policy_module(soundserver, 1.5.1)
######################################## ########################################
# #
@ -11,7 +11,10 @@ type soundd_exec_t;
init_daemon_domain(soundd_t, soundd_exec_t) init_daemon_domain(soundd_t, soundd_exec_t)
type soundd_etc_t alias etc_soundd_t; type soundd_etc_t alias etc_soundd_t;
files_type(soundd_etc_t) files_config_file(soundd_etc_t)
type soundd_initrc_exec_t;
init_script_file(soundd_initrc_exec_t)
type soundd_state_t; type soundd_state_t;
files_type(soundd_state_t) files_type(soundd_state_t)
@ -31,16 +34,18 @@ files_pid_file(soundd_var_run_t)
# Declarations # Declarations
# #
allow soundd_t self:capability dac_override;
dontaudit soundd_t self:capability sys_tty_config; dontaudit soundd_t self:capability sys_tty_config;
allow soundd_t self:process { setpgid signal_perms }; allow soundd_t self:process { setpgid signal_perms };
allow soundd_t self:tcp_socket create_stream_socket_perms; allow soundd_t self:tcp_socket create_stream_socket_perms;
allow soundd_t self:udp_socket create_socket_perms; allow soundd_t self:udp_socket create_socket_perms;
allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
# for yiff # for yiff
allow soundd_t self:shm create_shm_perms; allow soundd_t self:shm create_shm_perms;
allow soundd_t soundd_etc_t:dir list_dir_perms; read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
allow soundd_t soundd_etc_t:file read_file_perms; read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
allow soundd_t soundd_etc_t:lnk_file { getattr read };
manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t) manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t) manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
@ -55,8 +60,10 @@ manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
files_pid_filetrans(soundd_t, soundd_var_run_t, file) manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
kernel_read_kernel_sysctls(soundd_t) kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t) kernel_list_proc(soundd_t)
@ -99,6 +106,10 @@ userdom_dontaudit_use_unpriv_user_fds(soundd_t)
sysadm_dontaudit_search_home_dirs(soundd_t) sysadm_dontaudit_search_home_dirs(soundd_t)
optional_policy(`
alsa_domtrans(soundd_t)
')
optional_policy(` optional_policy(`
seutil_sigchld_newrole(soundd_t) seutil_sigchld_newrole(soundd_t)
') ')

2
policy/modules/services/squid.fc
View File

@ -1,4 +1,4 @@
/etc/rc.d/init.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) /etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)

45
policy/modules/services/squid.if
View File

@ -168,3 +168,48 @@ interface(`squid_manage_logs',`
interface(`squid_use',` interface(`squid_use',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
########################################
## <summary>
## All of the rules required to administrate
## an squid environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the squid domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`squid_admin',`
gen_require(`
type squid_t, squid_cache_t, squid_conf_t;
type squid_log_t, squid_var_run_t;
type squid_initrc_exec_t;
')
allow $1 squid_t:process { ptrace signal_perms };
ps_process_pattern($1, squid_t)
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
allow $2 system_r;
files_list_var($1)
admin_pattern($1, squid_cache_t)
files_list_etc($1)
admin_pattern($1, squid_conf_t)
logging_list_logs($1)
admin_pattern($1, squid_log_t)
files_list_pids($1)
admin_pattern($1, squid_var_run_t)
')

4
policy/modules/services/squid.te
View File

@ -1,5 +1,5 @@
policy_module(squid, 1.6.1) policy_module(squid, 1.6.2)
######################################## ########################################
# #
@ -156,6 +156,8 @@ sysadm_dontaudit_search_home_dirs(squid_t)
tunable_policy(`squid_connect_any',` tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t) corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
corenet_sendrecv_all_packets(squid_t)
') ')
optional_policy(` optional_policy(`

6
policy/modules/services/tftp.if
View File

@ -20,10 +20,10 @@ interface(`tftp_admin',`
allow $1 tftpd_t:process { ptrace signal_perms getattr }; allow $1 tftpd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, tftpd_t) ps_process_pattern($1, tftpd_t)
manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) admin_pattern($1, tftpdir_rw_t)
manage_files_pattern($1, tftpdir_t, tftpdir_t) admin_pattern($1, tftpdir_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t) admin_pattern($1, tftpd_var_run_t)
') ')

17
policy/modules/services/tftp.te
View File

@ -1,5 +1,5 @@
policy_module(tftp, 1.8.0) policy_module(tftp, 1.8.1)
######################################## ########################################
# #
@ -37,7 +37,6 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms;
allow tftpd_t self:udp_socket create_socket_perms; allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms; allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms; allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit tftpd_t self:capability sys_tty_config; dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search }; allow tftpd_t tftpdir_t:dir { getattr read search };
@ -80,6 +79,8 @@ files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t) files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t) files_search_var(tftpd_t)
auth_use_nsswitch(tftpd_t)
libs_use_ld_so(tftpd_t) libs_use_ld_so(tftpd_t)
libs_use_shared_libs(tftpd_t) libs_use_shared_libs(tftpd_t)
@ -88,11 +89,7 @@ logging_send_syslog_msg(tftpd_t)
miscfiles_read_localization(tftpd_t) miscfiles_read_localization(tftpd_t)
miscfiles_read_public_files(tftpd_t) miscfiles_read_public_files(tftpd_t)
sysnet_read_config(tftpd_t)
sysnet_use_ldap(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t) userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
sysadm_dontaudit_use_ttys(tftpd_t) sysadm_dontaudit_use_ttys(tftpd_t)
sysadm_dontaudit_search_home_dirs(tftpd_t) sysadm_dontaudit_search_home_dirs(tftpd_t)
@ -104,14 +101,6 @@ optional_policy(`
inetd_udp_service_domain(tftpd_t, tftpd_exec_t) inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
') ')
optional_policy(`
nis_use_ypbind(tftpd_t)
')
optional_policy(`
nscd_socket_use(tftpd_t)
')
optional_policy(` optional_policy(`
seutil_sigchld_newrole(tftpd_t) seutil_sigchld_newrole(tftpd_t)
') ')

1
policy/modules/services/tor.fc
View File

@ -1,3 +1,4 @@
/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0) /etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)

21
policy/modules/services/tor.if
View File

@ -28,26 +28,37 @@ interface(`tor_domtrans',`
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the tor domain.
## </summary>
## </param>
## <rolecap/> ## <rolecap/>
# #
interface(`tor_admin',` interface(`tor_admin',`
gen_require(` gen_require(`
type tor_t, tor_var_log_t, tor_etc_t; type tor_t, tor_var_log_t, tor_etc_t;
type tor_var_lib_t, tor_var_run_t; type tor_var_lib_t, tor_var_run_t;
type tor_initrc_exec_t;
') ')
allow $1 tor_t:process { ptrace signal_perms getattr }; allow $1 tor_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, tor_t) ps_process_pattern($1, tor_t)
logging_list_logs($1) init_labeled_script_domtrans($1, tor_initrc_exec_t)
manage_files_pattern($1, tor_var_log_t, tor_var_log_t) domain_system_change_exemption($1)
role_transition $2 tor_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1) files_list_etc($1)
manage_files_pattern($1, tor_etc_t, tor_etc_t) admin_pattern($1, tor_etc_t)
files_list_var_lib($1) files_list_var_lib($1)
manage_files_pattern($1, tor_var_lib_t, tor_var_lib_t) admin_pattern($1, tor_var_lib_t)
logging_list_logs($1)
admin_pattern($1, tor_var_log_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, tor_var_run_t, tor_var_run_t) admin_pattern($1, tor_var_run_t)
') ')

10
policy/modules/services/tor.te
View File

@ -1,5 +1,5 @@
policy_module(tor, 1.4.0) policy_module(tor, 1.4.1)
######################################## ########################################
# #
@ -14,6 +14,9 @@ init_daemon_domain(tor_t, tor_exec_t)
type tor_etc_t; type tor_etc_t;
files_config_file(tor_etc_t) files_config_file(tor_etc_t)
type tor_initrc_exec_t;
init_script_file(tor_initrc_exec_t)
# var/lib/tor # var/lib/tor
type tor_var_lib_t; type tor_var_lib_t;
files_type(tor_var_lib_t) files_type(tor_var_lib_t)
@ -31,6 +34,7 @@ files_pid_file(tor_var_run_t)
# tor local policy # tor local policy
# #
allow tor_t self:capability { setgid setuid };
allow tor_t self:fifo_file { read write }; allow tor_t self:fifo_file { read write };
allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms;
@ -86,13 +90,13 @@ domain_use_interactive_fds(tor_t)
files_read_etc_files(tor_t) files_read_etc_files(tor_t)
files_read_etc_runtime_files(tor_t) files_read_etc_runtime_files(tor_t)
auth_use_nsswitch(tor_t)
libs_use_ld_so(tor_t) libs_use_ld_so(tor_t)
libs_use_shared_libs(tor_t) libs_use_shared_libs(tor_t)
miscfiles_read_localization(tor_t) miscfiles_read_localization(tor_t)
sysnet_dns_name_resolve(tor_t)
optional_policy(` optional_policy(`
seutil_sigchld_newrole(tor_t) seutil_sigchld_newrole(tor_t)
') ')

16
policy/modules/services/uucp.if
View File

@ -83,19 +83,19 @@ interface(`uucp_admin',`
allow $1 uucpd_t:process { ptrace signal_perms getattr }; allow $1 uucpd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, uucpd_t) ps_process_pattern($1, uucpd_t)
files_list_tmp($1)
manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t)
logging_list_logs($1) logging_list_logs($1)
manage_files_pattern($1, uucpd_log_t, uucpd_log_t) admin_pattern($1, uucpd_log_t)
files_list_spool($1) files_list_spool($1)
manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t) admin_pattern($1, uucpd_spool_t)
manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t) admin_pattern($1, uucpd_ro_t)
manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t) admin_pattern($1, uucpd_rw_t)
files_list_tmp($1)
admin_pattern($1, uucpd_tmp_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t) admin_pattern($1, uucpd_var_run_t)
') ')

4
policy/modules/services/uucp.te
View File

@ -1,5 +1,5 @@
policy_module(uucp, 1.7.0) policy_module(uucp, 1.7.1)
######################################## ########################################
# #
@ -116,6 +116,8 @@ corecmd_exec_bin(uux_t)
files_read_etc_files(uux_t) files_read_etc_files(uux_t)
fs_rw_anon_inodefs_files(uux_t)
libs_use_ld_so(uux_t) libs_use_ld_so(uux_t)
libs_use_shared_libs(uux_t) libs_use_shared_libs(uux_t)

2
policy/modules/services/zabbix.fc
View File

@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)

19
policy/modules/services/zabbix.if
View File

@ -87,19 +87,30 @@ interface(`zabbix_read_pid_files',`
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the zabbix domain.
## </summary>
## </param>
## <rolecap/> ## <rolecap/>
# #
interface(`zabbix_admin',` interface(`zabbix_admin',`
gen_require(` gen_require(`
type zabbix_t, zabbix_log_t, zabbix_var_run_t; type zabbix_t, zabbix_log_t, zabbix_var_run_t;
type zabbix_initrc_exec_t;
') ')
allow $1 zabbix_t:process { ptrace signal_perms getattr }; allow $1 zabbix_t:process { ptrace signal_perms };
read_files_pattern($1, zabbix_t, zabbix_t) ps_process_pattern($1, zabbix_t)
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zabbix_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1) logging_list_logs($1)
manage_files_pattern($1, zabbix_log_t, zabbix_log_t) admin_pattern($1, zabbix_log_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t) admin_pattern($1, zabbix_var_run_t)
') ')

5
policy/modules/services/zabbix.te
View File

@ -1,5 +1,5 @@
policy_module(zabbix, 1.1.0) policy_module(zabbix, 1.1.1)
######################################## ########################################
# #
@ -10,6 +10,9 @@ type zabbix_t;
type zabbix_exec_t; type zabbix_exec_t;
init_daemon_domain(zabbix_t, zabbix_exec_t) init_daemon_domain(zabbix_t, zabbix_exec_t)
type zabbix_initrc_exec_t;
init_script_file(zabbix_initrc_exec_t)
# log files # log files
type zabbix_log_t; type zabbix_log_t;
logging_log_file(zabbix_log_t) logging_log_file(zabbix_log_t)

6
policy/modules/services/zebra.fc
View File

@ -1,3 +1,9 @@
/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)

29
policy/modules/services/zebra.if
View File

@ -32,26 +32,37 @@ interface(`zebra_read_config',`
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the zebra domain.
## </summary>
## </param>
## <rolecap/> ## <rolecap/>
# #
interface(`zebra_admin',` interface(`zebra_admin',`
gen_require(` gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t; type zebra_t, zebra_tmp_t, zebra_log_t;
type zebra_conf_t, zebra_var_run_t; type zebra_conf_t, zebra_var_run_t;
type zebra_initrc_exec_t;
') ')
allow $1 zebra_t:process { ptrace signal_perms getattr }; allow $1 zebra_t:process { ptrace signal_perms };
read_files_pattern($1, zebra_t, zebra_t) ps_process_pattern($1, zebra_t)
files_list_tmp($1) init_labeled_script_domtrans($1, zebra_initrc_exec_t)
manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t) domain_system_change_exemption($1)
role_transition $2 zebra_initrc_exec_t system_r;
logging_list_logs($1) allow $2 system_r;
manage_files_pattern($1, zebra_log_t, zebra_log_t)
files_list_etc($1) files_list_etc($1)
manage_files_pattern($1, zebra_conf_t, zebra_conf_t) admin_pattern($1, zebra_conf_t)
logging_list_logs($1)
admin_pattern($1, zebra_log_t)
files_list_tmp($1)
admin_pattern($1, zebra_tmp_t)
files_list_pids($1) files_list_pids($1)
manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t) admin_pattern($1, zebra_var_run_t)
') ')

8
policy/modules/services/zebra.te
View File

@ -1,5 +1,5 @@
policy_module(zebra, 1.7.0) policy_module(zebra, 1.7.1)
######################################## ########################################
# #
@ -21,6 +21,9 @@ init_daemon_domain(zebra_t, zebra_exec_t)
type zebra_conf_t; type zebra_conf_t;
files_type(zebra_conf_t) files_type(zebra_conf_t)
type zebra_initrc_exec_t;
init_script_file(zebra_initrc_exec_t)
type zebra_log_t; type zebra_log_t;
logging_log_file(zebra_log_t) logging_log_file(zebra_log_t)
@ -37,7 +40,7 @@ files_pid_file(zebra_var_run_t)
allow zebra_t self:capability { setgid setuid net_admin net_raw }; allow zebra_t self:capability { setgid setuid net_admin net_raw };
dontaudit zebra_t self:capability sys_tty_config; dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms setcap }; allow zebra_t self:process { signal_perms getcap setcap };
allow zebra_t self:file { ioctl read write getattr lock append }; allow zebra_t self:file { ioctl read write getattr lock append };
allow zebra_t self:unix_dgram_socket create_socket_perms; allow zebra_t self:unix_dgram_socket create_socket_perms;
allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
@ -64,6 +67,7 @@ manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file }) files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
kernel_read_system_state(zebra_t) kernel_read_system_state(zebra_t)
kernel_read_network_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t) kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t) kernel_rw_net_sysctls(zebra_t)

14
policy/support/file_patterns.spt
View File

@ -537,3 +537,17 @@ define(`filetrans_pattern',`
allow $1 $2:dir rw_dir_perms; allow $1 $2:dir rw_dir_perms;
type_transition $1 $2:$4 $3; type_transition $1 $2:$4 $3;
') ')
define(`admin_pattern',`
manage_dirs_pattern($1,$2,$2)
manage_files_pattern($1,$2,$2)
manage_lnk_files_pattern($1,$2,$2)
manage_fifo_files_pattern($1,$2,$2)
manage_sock_files_pattern($1,$2,$2)
relabel_dirs_pattern($1,$2,$2)
relabel_files_pattern($1,$2,$2)
relabel_lnk_files_pattern($1,$2,$2)
relabel_fifo_files_pattern($1,$2,$2)
relabel_sock_files_pattern($1,$2,$2)
')