trunk: 21 patches from dan.
This commit is contained in:
parent
ed8ae5ebeb
commit
e87221cefe
@ -1,3 +1,5 @@
|
||||
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
|
||||
')
|
||||
|
@ -97,3 +97,48 @@ interface(`apcupsd_cgi_script_domtrans',`
|
||||
|
||||
domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an apcupsd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the apcupsd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`apcupsd_admin',`
|
||||
gen_require(`
|
||||
type apcupsd_t, apcupsd_tmp_t;
|
||||
type apcupsd_log_t, apcupsd_lock_t;
|
||||
type apcupsd_var_run_t, apcupsd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 apcupsd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, apcupsd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 apcupsd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_var($1)
|
||||
admin_pattern($1, apcupsd_lock_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, apcupsd_log_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, apcupsd_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, apcupsd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apcupsd, 1.3.1)
|
||||
policy_module(apcupsd, 1.3.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,6 +13,9 @@ init_daemon_domain(apcupsd_t, apcupsd_exec_t)
|
||||
type apcupsd_lock_t;
|
||||
files_lock_file(apcupsd_lock_t)
|
||||
|
||||
type apcupsd_initrc_exec_t;
|
||||
init_script_file(apcupsd_initrc_exec_t)
|
||||
|
||||
type apcupsd_log_t;
|
||||
logging_log_file(apcupsd_log_t)
|
||||
|
||||
@ -86,12 +89,18 @@ logging_send_syslog_msg(apcupsd_t)
|
||||
|
||||
miscfiles_read_localization(apcupsd_t)
|
||||
|
||||
sysnet_dns_name_resolve(apcupsd_t)
|
||||
|
||||
userdom_use_unpriv_users_ttys(apcupsd_t)
|
||||
userdom_use_unpriv_users_ptys(apcupsd_t)
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(apcupsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(apcupsd_t)
|
||||
mta_system_content(apcupsd_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,3 +1,6 @@
|
||||
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
|
||||
/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
|
||||
|
||||
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
|
||||
|
||||
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
|
||||
|
@ -20,3 +20,40 @@ interface(`bitlbee_read_config',`
|
||||
allow $1 bitlbee_conf_t:file { read getattr };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an bitlbee environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the bitlbee domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`bitlbee_admin',`
|
||||
gen_require(`
|
||||
type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
|
||||
type bitlbee_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 bitlbee_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, bitlbee_t)
|
||||
|
||||
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 bitlbee_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, bitlbee_conf_t)
|
||||
|
||||
files_list_var($1)
|
||||
admin_pattern($1, bitlbee_var_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bitlbee, 1.0.0)
|
||||
policy_module(bitlbee, 1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -14,6 +14,12 @@ inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
|
||||
type bitlbee_conf_t;
|
||||
files_config_file(bitlbee_conf_t)
|
||||
|
||||
type bitlbee_initrc_exec_t;
|
||||
init_script_file(bitlbee_initrc_exec_t)
|
||||
|
||||
type bitlbee_tmp_t;
|
||||
files_tmp_file(bitlbee_tmp_t)
|
||||
|
||||
type bitlbee_var_t;
|
||||
files_type(bitlbee_var_t)
|
||||
|
||||
@ -26,9 +32,15 @@ files_type(bitlbee_var_t)
|
||||
allow bitlbee_t self:udp_socket create_socket_perms;
|
||||
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
|
||||
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
|
||||
allow bitlbee_t self:process signal;
|
||||
|
||||
bitlbee_read_config(bitlbee_t)
|
||||
|
||||
# tmp files
|
||||
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
|
||||
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
|
||||
|
||||
# user account information is read and edited at runtime; give the usual
|
||||
# r/w access to bitlbee_var_t
|
||||
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
|
||||
@ -54,6 +66,9 @@ corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
|
||||
corenet_tcp_connect_msnp_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
|
||||
|
||||
dev_read_rand(bitlbee_t)
|
||||
dev_read_urand(bitlbee_t)
|
||||
|
||||
files_read_etc_files(bitlbee_t)
|
||||
files_search_pids(bitlbee_t)
|
||||
# grant read-only access to the user help files
|
||||
@ -62,6 +77,8 @@ files_read_usr_files(bitlbee_t)
|
||||
libs_legacy_use_shared_libs(bitlbee_t)
|
||||
libs_use_ld_so(bitlbee_t)
|
||||
|
||||
miscfiles_read_localization(bitlbee_t)
|
||||
|
||||
sysnet_dns_name_resolve(bitlbee_t)
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,3 +1,4 @@
|
||||
/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
@ -18,3 +18,44 @@ interface(`canna_stream_connect',`
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an canna environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the canna domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`canna_admin',`
|
||||
gen_require(`
|
||||
type canna_t, canna_log_t, canna_var_lib_t;
|
||||
type canna_var_run_t, canna_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 canna_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, canna_t)
|
||||
|
||||
init_labeled_script_domtrans($1, canna_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 canna_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, canna_log_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, canna_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, canna_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(canna, 1.7.0)
|
||||
policy_module(canna, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type canna_t;
|
||||
type canna_exec_t;
|
||||
init_daemon_domain(canna_t, canna_exec_t)
|
||||
|
||||
type canna_initrc_exec_t;
|
||||
init_script_file(canna_initrc_exec_t)
|
||||
|
||||
type canna_log_t;
|
||||
logging_log_file(canna_log_t)
|
||||
|
||||
|
@ -1,5 +1,6 @@
|
||||
/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
|
||||
/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
|
||||
/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
|
||||
|
@ -18,3 +18,51 @@ interface(`ddclient_domtrans',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, ddclient_exec_t, ddclient_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an ddclient environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the ddclient domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ddclient_admin',`
|
||||
gen_require(`
|
||||
type ddclient_t, ddclient_etc_t, ddclient_log_t;
|
||||
type ddclient_var_t, ddclient_var_lib_t;
|
||||
type ddclient_var_run_t, ddclient_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ddclient_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, ddclient_t)
|
||||
|
||||
init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 ddclient_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, ddclient_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, ddclient_log_t)
|
||||
|
||||
files_list_var($1)
|
||||
admin_pattern($1, ddclient_var_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, ddclient_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, ddclient_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ddclient, 1.5.0)
|
||||
policy_module(ddclient, 1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -11,7 +11,10 @@ type ddclient_exec_t;
|
||||
init_daemon_domain(ddclient_t, ddclient_exec_t)
|
||||
|
||||
type ddclient_etc_t;
|
||||
files_type(ddclient_etc_t)
|
||||
files_config_file(ddclient_etc_t)
|
||||
|
||||
type ddclient_initrc_exec_t;
|
||||
init_script_file(ddclient_initrc_exec_t)
|
||||
|
||||
type ddclient_log_t;
|
||||
logging_log_file(ddclient_log_t)
|
||||
|
@ -1,6 +1,9 @@
|
||||
/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
|
||||
|
||||
/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
|
||||
|
||||
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
|
||||
|
||||
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
|
||||
|
||||
/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
|
||||
|
@ -14,3 +14,44 @@
|
||||
interface(`dictd_tcp_connect',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an dictd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the dictd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dictd_admin',`
|
||||
gen_require(`
|
||||
type dictd_t, dictd_etc_t, dictd_var_lib_t;
|
||||
type dictd_var_run_t, dictd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 dictd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, dictd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 dictd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, dictd_etc_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, dictd_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, dictd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dictd, 1.5.0)
|
||||
policy_module(dictd, 1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,9 +13,15 @@ init_daemon_domain(dictd_t, dictd_exec_t)
|
||||
type dictd_etc_t;
|
||||
files_config_file(dictd_etc_t)
|
||||
|
||||
type dictd_initrc_exec_t;
|
||||
init_script_file(dictd_initrc_exec_t)
|
||||
|
||||
type dictd_var_lib_t alias var_lib_dictd_t;
|
||||
files_type(dictd_var_lib_t)
|
||||
|
||||
type dictd_var_run_t;
|
||||
files_pid_file(dictd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -34,6 +40,9 @@ files_search_etc(dictd_t)
|
||||
allow dictd_t dictd_var_lib_t:dir list_dir_perms;
|
||||
allow dictd_t dictd_var_lib_t:file read_file_perms;
|
||||
|
||||
manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
|
||||
files_pid_filetrans(dictd_t, dictd_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(dictd_t)
|
||||
kernel_read_kernel_sysctls(dictd_t)
|
||||
|
||||
|
@ -3,5 +3,4 @@
|
||||
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
||||
/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
||||
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
|
||||
/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||
/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||
/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||
|
@ -78,3 +78,41 @@ interface(`fail2ban_read_pid_files',`
|
||||
files_search_pids($1)
|
||||
allow $1 fail2ban_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an fail2ban environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the fail2ban domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fail2ban_admin',`
|
||||
gen_require(`
|
||||
type fail2ban_t, fail2ban_log_t;
|
||||
type fail2ban_var_run_t, fail2ban_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 fail2ban_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, fail2ban_t)
|
||||
|
||||
init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 fail2ban_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, fail2ban_log_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, fail2ban_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(fail2ban, 1.1.1)
|
||||
policy_module(fail2ban, 1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37,9 +37,10 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
|
||||
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
|
||||
|
||||
# pid file
|
||||
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
||||
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
||||
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
||||
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
|
||||
|
||||
kernel_read_system_state(fail2ban_t)
|
||||
|
||||
|
@ -4,6 +4,7 @@
|
||||
#
|
||||
/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0)
|
||||
/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
@ -54,8 +54,7 @@ interface(`inn_manage_log',`
|
||||
')
|
||||
|
||||
logging_rw_generic_log_dirs($1)
|
||||
allow $1 innd_log_t:dir search;
|
||||
allow $1 innd_log_t:file manage_file_perms;
|
||||
manage_files_pattern($1, innd_log_t, innd_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -176,3 +175,51 @@ interface(`inn_domtrans',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, innd_exec_t, innd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an inn environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the inn domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`inn_admin',`
|
||||
gen_require(`
|
||||
type innd_t, innd_etc_t, innd_log_t;
|
||||
type news_spool_t, innd_var_lib_t;
|
||||
type innd_var_run_t, innd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 innd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, innd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, innd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 innd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, innd_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, innd_log_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, innd_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, innd_var_run_t)
|
||||
|
||||
files_list_spool($1)
|
||||
admin_pattern($1, news_spool_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inn, 1.6.0)
|
||||
policy_module(inn, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -12,6 +12,9 @@ init_daemon_domain(innd_t, innd_exec_t)
|
||||
type innd_etc_t;
|
||||
files_config_file(innd_etc_t)
|
||||
|
||||
type innd_initrc_exec_t;
|
||||
init_script_file(innd_initrc_exec_t)
|
||||
|
||||
type innd_log_t;
|
||||
logging_log_file(innd_log_t)
|
||||
|
||||
@ -22,7 +25,7 @@ type innd_var_run_t;
|
||||
files_pid_file(innd_var_run_t)
|
||||
|
||||
type news_spool_t;
|
||||
files_type(news_spool_t)
|
||||
files_mountpoint(news_spool_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,3 +1,5 @@
|
||||
/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
||||
|
||||
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
|
||||
|
@ -13,3 +13,44 @@
|
||||
interface(`jabber_tcp_connect',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an jabber environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the jabber domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`jabber_admin',`
|
||||
gen_require(`
|
||||
type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
|
||||
type jabberd_var_run_t, jabberd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 jabberd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, jabberd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 jabberd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, jabberd_log_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, jabberd_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, jabberd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(jabber, 1.5.0)
|
||||
policy_module(jabber, 1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type jabberd_t;
|
||||
type jabberd_exec_t;
|
||||
init_daemon_domain(jabberd_t, jabberd_exec_t)
|
||||
|
||||
type jabberd_initrc_exec_t;
|
||||
init_script_file(jabberd_initrc_exec_t)
|
||||
|
||||
type jabberd_log_t;
|
||||
logging_log_file(jabberd_log_t)
|
||||
|
||||
|
@ -53,3 +53,47 @@ interface(`ntp_domtrans_ntpdate',`
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an ntp environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the ntp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ntp_admin',`
|
||||
gen_require(`
|
||||
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
|
||||
type ntpd_key_t, ntpd_var_lib_t, ntpd_var_run_t;
|
||||
type ntpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ntpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, ntpd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 ntpd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
admin_pattern($1, ntpd_key_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, ntpd_log_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, ntpd_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, ntpd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ntp, 1.6.2)
|
||||
policy_module(ntp, 1.6.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,4 +1,5 @@
|
||||
/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
|
||||
/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
|
||||
|
||||
|
@ -1 +1,40 @@
|
||||
## <summary>Postfix policy server</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an postfixpolicyd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the postfixpolicyd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`postfixpolicyd_admin',`
|
||||
gen_require(`
|
||||
type postfix_policyd_t, postfix_policyd_conf_t;
|
||||
type postfix_policyd_var_run_t;
|
||||
type postfix_policyd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_policyd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_policyd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 postfix_policyd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, postfix_policyd_conf_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, postfix_policyd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postfixpolicyd, 1.0.0)
|
||||
policy_module(postfixpolicyd, 1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,6 +13,9 @@ init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
|
||||
type postfix_policyd_conf_t;
|
||||
files_config_file(postfix_policyd_conf_t)
|
||||
|
||||
type postfix_policyd_initrc_exec_t;
|
||||
init_script_file(postfix_policyd_initrc_exec_t)
|
||||
|
||||
type postfix_policyd_var_run_t;
|
||||
files_pid_file(postfix_policyd_var_run_t)
|
||||
|
||||
|
@ -1,6 +1,7 @@
|
||||
|
||||
/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
|
||||
|
||||
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
|
||||
/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
|
||||
|
@ -24,28 +24,39 @@ interface(`radius_use',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`radius_admin',`
|
||||
gen_require(`
|
||||
type radiusd_t, radiusd_etc_t, radiusd_log_t;
|
||||
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
|
||||
type radiusd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 radiusd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, radiusd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 radiusd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t)
|
||||
admin_pattern($1, radiusd_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, radiusd_log_t, radiusd_log_t)
|
||||
admin_pattern($1, radiusd_log_t)
|
||||
|
||||
manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
|
||||
admin_pattern($1, radiusd_etc_rw_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
|
||||
admin_pattern($1, radiusd_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
|
||||
admin_pattern($1, radiusd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(radius, 1.8.0)
|
||||
policy_module(radius, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -16,6 +16,9 @@ files_config_file(radiusd_etc_t)
|
||||
type radiusd_etc_rw_t;
|
||||
files_type(radiusd_etc_rw_t)
|
||||
|
||||
type radiusd_initrc_exec_t;
|
||||
init_script_file(radiusd_initrc_exec_t)
|
||||
|
||||
type radiusd_log_t;
|
||||
logging_log_file(radiusd_log_t)
|
||||
|
||||
@ -34,12 +37,11 @@ files_pid_file(radiusd_var_run_t)
|
||||
# gzip also needs chown access to preserve GID for radwtmp files
|
||||
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
|
||||
dontaudit radiusd_t self:capability sys_tty_config;
|
||||
allow radiusd_t self:process { setsched signal };
|
||||
allow radiusd_t self:process { getsched setsched sigkill signal };
|
||||
allow radiusd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow radiusd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow radiusd_t self:udp_socket create_socket_perms;
|
||||
allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow radiusd_t radiusd_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
|
||||
@ -74,8 +76,12 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
|
||||
corenet_udp_bind_all_nodes(radiusd_t)
|
||||
corenet_udp_bind_radacct_port(radiusd_t)
|
||||
corenet_udp_bind_radius_port(radiusd_t)
|
||||
corenet_tcp_connect_mysqld_port(radiusd_t)
|
||||
corenet_tcp_connect_snmp_port(radiusd_t)
|
||||
corenet_sendrecv_radius_server_packets(radiusd_t)
|
||||
corenet_sendrecv_radacct_server_packets(radiusd_t)
|
||||
corenet_sendrecv_mysqld_client_packets(radiusd_t)
|
||||
corenet_sendrecv_snmp_client_packets(radiusd_t)
|
||||
# for RADIUS proxy port
|
||||
corenet_udp_bind_generic_port(radiusd_t)
|
||||
corenet_dontaudit_udp_bind_all_ports(radiusd_t)
|
||||
@ -86,9 +92,6 @@ dev_read_sysfs(radiusd_t)
|
||||
fs_getattr_all_fs(radiusd_t)
|
||||
fs_search_auto_mountpoints(radiusd_t)
|
||||
|
||||
auth_read_shadow(radiusd_t)
|
||||
auth_domtrans_chk_passwd(radiusd_t)
|
||||
|
||||
corecmd_exec_bin(radiusd_t)
|
||||
corecmd_exec_shell(radiusd_t)
|
||||
|
||||
@ -98,6 +101,10 @@ files_read_usr_files(radiusd_t)
|
||||
files_read_etc_files(radiusd_t)
|
||||
files_read_etc_runtime_files(radiusd_t)
|
||||
|
||||
auth_use_nsswitch(radiusd_t)
|
||||
auth_read_shadow(radiusd_t)
|
||||
auth_domtrans_chk_passwd(radiusd_t)
|
||||
|
||||
libs_use_ld_so(radiusd_t)
|
||||
libs_use_shared_libs(radiusd_t)
|
||||
libs_exec_lib_files(radiusd_t)
|
||||
@ -107,8 +114,6 @@ logging_send_syslog_msg(radiusd_t)
|
||||
miscfiles_read_localization(radiusd_t)
|
||||
miscfiles_read_certs(radiusd_t)
|
||||
|
||||
sysnet_read_config(radiusd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(radiusd_t)
|
||||
@ -123,7 +128,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(radiusd_t)
|
||||
mysql_read_config(radiusd_t)
|
||||
mysql_stream_connect(radiusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
|
||||
|
||||
|
@ -10,20 +10,30 @@
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`radvd_admin',`
|
||||
gen_require(`
|
||||
type radvd_t, radvd_etc_t;
|
||||
type radvd_var_run_t;
|
||||
type radvd_var_run_t, radvd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 radvd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 radvd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, radvd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 radvd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, radvd_etc_t, radvd_etc_t)
|
||||
admin_pattern($1, radvd_etc_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
|
||||
admin_pattern($1, radvd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(radvd, 1.8.0)
|
||||
policy_module(radvd, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -9,6 +9,9 @@ type radvd_t;
|
||||
type radvd_exec_t;
|
||||
init_daemon_domain(radvd_t, radvd_exec_t)
|
||||
|
||||
type radvd_initrc_exec_t;
|
||||
init_script_file(radvd_initrc_exec_t)
|
||||
|
||||
type radvd_var_run_t;
|
||||
files_pid_file(radvd_var_run_t)
|
||||
|
||||
@ -27,6 +30,7 @@ allow radvd_t self:unix_stream_socket create_socket_perms;
|
||||
allow radvd_t self:rawip_socket create_socket_perms;
|
||||
allow radvd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow radvd_t self:udp_socket create_socket_perms;
|
||||
allow radvd_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow radvd_t radvd_etc_t:file read_file_perms;
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
|
||||
|
||||
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
|
||||
|
@ -126,19 +126,30 @@ interface(`rwho_manage_spool_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`rwho_admin',`
|
||||
gen_require(`
|
||||
type rwho_t, rwho_log_t, rwho_spool_t;
|
||||
type rwho_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 rwho_t:process { ptrace signal_perms getattr };
|
||||
allow $1 rwho_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, rwho_t)
|
||||
|
||||
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 rwho_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, rwho_log_t, rwho_log_t)
|
||||
admin_pattern($1, rwho_log_t)
|
||||
|
||||
files_list_spool($1)
|
||||
manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
|
||||
admin_pattern($1, rwho_spool_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rwho, 1.4.0)
|
||||
policy_module(rwho, 1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type rwho_t;
|
||||
type rwho_exec_t;
|
||||
init_daemon_domain(rwho_t, rwho_exec_t)
|
||||
|
||||
type rwho_initrc_exec_t;
|
||||
init_script_file(rwho_initrc_exec_t)
|
||||
|
||||
type rwho_log_t;
|
||||
files_type(rwho_log_t)
|
||||
|
||||
|
@ -1,4 +1,5 @@
|
||||
/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
|
||||
/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
|
||||
|
||||
/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
|
||||
@ -6,5 +7,7 @@
|
||||
|
||||
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
|
||||
|
||||
/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
|
||||
/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
|
||||
|
||||
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
|
||||
|
@ -13,3 +13,45 @@
|
||||
interface(`soundserver_tcp_connect',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an soundd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the soundd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`soundserver_admin',`
|
||||
gen_require(`
|
||||
type soundd_t, soundd_etc_t;
|
||||
type soundd_tmp_t, soundd_var_run_t;
|
||||
type soundd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 soundd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, soundd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 soundd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, soundd_etc_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, soundd_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, soundd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(soundserver, 1.5.0)
|
||||
policy_module(soundserver, 1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -11,7 +11,10 @@ type soundd_exec_t;
|
||||
init_daemon_domain(soundd_t, soundd_exec_t)
|
||||
|
||||
type soundd_etc_t alias etc_soundd_t;
|
||||
files_type(soundd_etc_t)
|
||||
files_config_file(soundd_etc_t)
|
||||
|
||||
type soundd_initrc_exec_t;
|
||||
init_script_file(soundd_initrc_exec_t)
|
||||
|
||||
type soundd_state_t;
|
||||
files_type(soundd_state_t)
|
||||
@ -31,16 +34,18 @@ files_pid_file(soundd_var_run_t)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
allow soundd_t self:capability dac_override;
|
||||
dontaudit soundd_t self:capability sys_tty_config;
|
||||
allow soundd_t self:process { setpgid signal_perms };
|
||||
allow soundd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow soundd_t self:udp_socket create_socket_perms;
|
||||
allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
|
||||
# for yiff
|
||||
allow soundd_t self:shm create_shm_perms;
|
||||
|
||||
allow soundd_t soundd_etc_t:dir list_dir_perms;
|
||||
allow soundd_t soundd_etc_t:file read_file_perms;
|
||||
allow soundd_t soundd_etc_t:lnk_file { getattr read };
|
||||
read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
|
||||
read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
|
||||
|
||||
manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
|
||||
manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
|
||||
@ -55,8 +60,10 @@ manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
|
||||
manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
|
||||
fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
|
||||
manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
|
||||
files_pid_filetrans(soundd_t, soundd_var_run_t, file)
|
||||
manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
|
||||
files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(soundd_t)
|
||||
kernel_list_proc(soundd_t)
|
||||
@ -99,6 +106,10 @@ userdom_dontaudit_use_unpriv_user_fds(soundd_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(soundd_t)
|
||||
|
||||
optional_policy(`
|
||||
alsa_domtrans(soundd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(soundd_t)
|
||||
')
|
||||
|
@ -1,4 +1,4 @@
|
||||
/etc/rc.d/init.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
|
||||
/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
|
||||
|
||||
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
|
||||
|
@ -168,3 +168,48 @@ interface(`squid_manage_logs',`
|
||||
interface(`squid_use',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an squid environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the squid domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`squid_admin',`
|
||||
gen_require(`
|
||||
type squid_t, squid_cache_t, squid_conf_t;
|
||||
type squid_log_t, squid_var_run_t;
|
||||
type squid_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 squid_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, squid_t)
|
||||
|
||||
init_labeled_script_domtrans($1, squid_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 squid_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_var($1)
|
||||
admin_pattern($1, squid_cache_t)
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, squid_conf_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, squid_log_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, squid_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(squid, 1.6.1)
|
||||
policy_module(squid, 1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -156,6 +156,8 @@ sysadm_dontaudit_search_home_dirs(squid_t)
|
||||
|
||||
tunable_policy(`squid_connect_any',`
|
||||
corenet_tcp_connect_all_ports(squid_t)
|
||||
corenet_tcp_bind_all_ports(squid_t)
|
||||
corenet_sendrecv_all_packets(squid_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -20,10 +20,10 @@ interface(`tftp_admin',`
|
||||
allow $1 tftpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, tftpd_t)
|
||||
|
||||
manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
|
||||
admin_pattern($1, tftpdir_rw_t)
|
||||
|
||||
manage_files_pattern($1, tftpdir_t, tftpdir_t)
|
||||
admin_pattern($1, tftpdir_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t)
|
||||
admin_pattern($1, tftpd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tftp, 1.8.0)
|
||||
policy_module(tftp, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37,7 +37,6 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow tftpd_t self:udp_socket create_socket_perms;
|
||||
allow tftpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
dontaudit tftpd_t self:capability sys_tty_config;
|
||||
|
||||
allow tftpd_t tftpdir_t:dir { getattr read search };
|
||||
@ -80,6 +79,8 @@ files_read_var_files(tftpd_t)
|
||||
files_read_var_symlinks(tftpd_t)
|
||||
files_search_var(tftpd_t)
|
||||
|
||||
auth_use_nsswitch(tftpd_t)
|
||||
|
||||
libs_use_ld_so(tftpd_t)
|
||||
libs_use_shared_libs(tftpd_t)
|
||||
|
||||
@ -88,11 +89,7 @@ logging_send_syslog_msg(tftpd_t)
|
||||
miscfiles_read_localization(tftpd_t)
|
||||
miscfiles_read_public_files(tftpd_t)
|
||||
|
||||
sysnet_read_config(tftpd_t)
|
||||
sysnet_use_ldap(tftpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
|
||||
|
||||
sysadm_dontaudit_use_ttys(tftpd_t)
|
||||
sysadm_dontaudit_search_home_dirs(tftpd_t)
|
||||
|
||||
@ -104,14 +101,6 @@ optional_policy(`
|
||||
inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(tftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(tftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(tftpd_t)
|
||||
')
|
||||
|
@ -1,3 +1,4 @@
|
||||
/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
|
||||
/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
|
||||
|
||||
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
|
||||
|
@ -28,26 +28,37 @@ interface(`tor_domtrans',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the tor domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`tor_admin',`
|
||||
gen_require(`
|
||||
type tor_t, tor_var_log_t, tor_etc_t;
|
||||
type tor_var_lib_t, tor_var_run_t;
|
||||
type tor_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 tor_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, tor_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, tor_var_log_t, tor_var_log_t)
|
||||
init_labeled_script_domtrans($1, tor_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 tor_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, tor_etc_t, tor_etc_t)
|
||||
admin_pattern($1, tor_etc_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
manage_files_pattern($1, tor_var_lib_t, tor_var_lib_t)
|
||||
admin_pattern($1, tor_var_lib_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, tor_var_log_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, tor_var_run_t, tor_var_run_t)
|
||||
admin_pattern($1, tor_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tor, 1.4.0)
|
||||
policy_module(tor, 1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -14,6 +14,9 @@ init_daemon_domain(tor_t, tor_exec_t)
|
||||
type tor_etc_t;
|
||||
files_config_file(tor_etc_t)
|
||||
|
||||
type tor_initrc_exec_t;
|
||||
init_script_file(tor_initrc_exec_t)
|
||||
|
||||
# var/lib/tor
|
||||
type tor_var_lib_t;
|
||||
files_type(tor_var_lib_t)
|
||||
@ -31,6 +34,7 @@ files_pid_file(tor_var_run_t)
|
||||
# tor local policy
|
||||
#
|
||||
|
||||
allow tor_t self:capability { setgid setuid };
|
||||
allow tor_t self:fifo_file { read write };
|
||||
allow tor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
@ -86,13 +90,13 @@ domain_use_interactive_fds(tor_t)
|
||||
files_read_etc_files(tor_t)
|
||||
files_read_etc_runtime_files(tor_t)
|
||||
|
||||
auth_use_nsswitch(tor_t)
|
||||
|
||||
libs_use_ld_so(tor_t)
|
||||
libs_use_shared_libs(tor_t)
|
||||
|
||||
miscfiles_read_localization(tor_t)
|
||||
|
||||
sysnet_dns_name_resolve(tor_t)
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(tor_t)
|
||||
')
|
||||
|
@ -83,19 +83,19 @@ interface(`uucp_admin',`
|
||||
allow $1 uucpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, uucpd_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, uucpd_log_t, uucpd_log_t)
|
||||
admin_pattern($1, uucpd_log_t)
|
||||
|
||||
files_list_spool($1)
|
||||
manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
|
||||
admin_pattern($1, uucpd_spool_t)
|
||||
|
||||
manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t)
|
||||
admin_pattern($1, uucpd_ro_t)
|
||||
|
||||
manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t)
|
||||
admin_pattern($1, uucpd_rw_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, uucpd_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t)
|
||||
admin_pattern($1, uucpd_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(uucp, 1.7.0)
|
||||
policy_module(uucp, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -116,6 +116,8 @@ corecmd_exec_bin(uux_t)
|
||||
|
||||
files_read_etc_files(uux_t)
|
||||
|
||||
fs_rw_anon_inodefs_files(uux_t)
|
||||
|
||||
libs_use_ld_so(uux_t)
|
||||
libs_use_shared_libs(uux_t)
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
|
||||
|
||||
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
||||
|
||||
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
|
||||
|
@ -87,19 +87,30 @@ interface(`zabbix_read_pid_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the zabbix domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`zabbix_admin',`
|
||||
gen_require(`
|
||||
type zabbix_t, zabbix_log_t, zabbix_var_run_t;
|
||||
type zabbix_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 zabbix_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, zabbix_t, zabbix_t)
|
||||
allow $1 zabbix_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, zabbix_t)
|
||||
|
||||
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 zabbix_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, zabbix_log_t, zabbix_log_t)
|
||||
admin_pattern($1, zabbix_log_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t)
|
||||
admin_pattern($1, zabbix_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(zabbix, 1.1.0)
|
||||
policy_module(zabbix, 1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ type zabbix_t;
|
||||
type zabbix_exec_t;
|
||||
init_daemon_domain(zabbix_t, zabbix_exec_t)
|
||||
|
||||
type zabbix_initrc_exec_t;
|
||||
init_script_file(zabbix_initrc_exec_t)
|
||||
|
||||
# log files
|
||||
type zabbix_log_t;
|
||||
logging_log_file(zabbix_log_t)
|
||||
|
@ -1,3 +1,9 @@
|
||||
/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
||||
/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
||||
|
@ -32,26 +32,37 @@ interface(`zebra_read_config',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the zebra domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`zebra_admin',`
|
||||
gen_require(`
|
||||
type zebra_t, zebra_tmp_t, zebra_log_t;
|
||||
type zebra_conf_t, zebra_var_run_t;
|
||||
type zebra_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 zebra_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, zebra_t, zebra_t)
|
||||
allow $1 zebra_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, zebra_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, zebra_log_t, zebra_log_t)
|
||||
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 zebra_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
manage_files_pattern($1, zebra_conf_t, zebra_conf_t)
|
||||
admin_pattern($1, zebra_conf_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, zebra_log_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, zebra_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t)
|
||||
admin_pattern($1, zebra_var_run_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(zebra, 1.7.0)
|
||||
policy_module(zebra, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -21,6 +21,9 @@ init_daemon_domain(zebra_t, zebra_exec_t)
|
||||
type zebra_conf_t;
|
||||
files_type(zebra_conf_t)
|
||||
|
||||
type zebra_initrc_exec_t;
|
||||
init_script_file(zebra_initrc_exec_t)
|
||||
|
||||
type zebra_log_t;
|
||||
logging_log_file(zebra_log_t)
|
||||
|
||||
@ -37,7 +40,7 @@ files_pid_file(zebra_var_run_t)
|
||||
|
||||
allow zebra_t self:capability { setgid setuid net_admin net_raw };
|
||||
dontaudit zebra_t self:capability sys_tty_config;
|
||||
allow zebra_t self:process { signal_perms setcap };
|
||||
allow zebra_t self:process { signal_perms getcap setcap };
|
||||
allow zebra_t self:file { ioctl read write getattr lock append };
|
||||
allow zebra_t self:unix_dgram_socket create_socket_perms;
|
||||
allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
@ -64,6 +67,7 @@ manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
|
||||
files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_system_state(zebra_t)
|
||||
kernel_read_network_state(zebra_t)
|
||||
kernel_read_kernel_sysctls(zebra_t)
|
||||
kernel_rw_net_sysctls(zebra_t)
|
||||
|
||||
|
@ -537,3 +537,17 @@ define(`filetrans_pattern',`
|
||||
allow $1 $2:dir rw_dir_perms;
|
||||
type_transition $1 $2:$4 $3;
|
||||
')
|
||||
|
||||
define(`admin_pattern',`
|
||||
manage_dirs_pattern($1,$2,$2)
|
||||
manage_files_pattern($1,$2,$2)
|
||||
manage_lnk_files_pattern($1,$2,$2)
|
||||
manage_fifo_files_pattern($1,$2,$2)
|
||||
manage_sock_files_pattern($1,$2,$2)
|
||||
|
||||
relabel_dirs_pattern($1,$2,$2)
|
||||
relabel_files_pattern($1,$2,$2)
|
||||
relabel_lnk_files_pattern($1,$2,$2)
|
||||
relabel_fifo_files_pattern($1,$2,$2)
|
||||
relabel_sock_files_pattern($1,$2,$2)
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user