patch from dan Tue, 02 May 2006 10:08:17 -0400, includes pyzor, bug 1541
This commit is contained in:
parent
ea5333d1f9
commit
e993594365
|
@ -71,6 +71,7 @@
|
||||||
perdition
|
perdition
|
||||||
postgrey
|
postgrey
|
||||||
pxe
|
pxe
|
||||||
|
pyzor (Dan Walsh)
|
||||||
qmail (Petre Rodan)
|
qmail (Petre Rodan)
|
||||||
resmgr
|
resmgr
|
||||||
rhgb
|
rhgb
|
||||||
|
|
|
@ -152,7 +152,7 @@ template(`cdrecord_per_userdomain_template', `
|
||||||
files_dontaudit_list_tmp($1_cdrecord_t)
|
files_dontaudit_list_tmp($1_cdrecord_t)
|
||||||
files_dontaudit_list_home($1_cdrecord_t)
|
files_dontaudit_list_home($1_cdrecord_t)
|
||||||
fs_dontaudit_list_removable($1_cdrecord_t)
|
fs_dontaudit_list_removable($1_cdrecord_t)
|
||||||
fs_donaudit_read_removable_files($1_cdrecord_t)
|
fs_dontaudit_read_removable_files($1_cdrecord_t)
|
||||||
userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
|
userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
|
||||||
userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
|
userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
|
||||||
userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
|
userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(cdrecord,1.0.2)
|
policy_module(cdrecord,1.0.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -303,7 +303,7 @@ template(`evolution_per_userdomain_template',`
|
||||||
files_dontaudit_list_tmp($1_evolution_t)
|
files_dontaudit_list_tmp($1_evolution_t)
|
||||||
files_dontaudit_list_home($1_evolution_t)
|
files_dontaudit_list_home($1_evolution_t)
|
||||||
fs_dontaudit_list_removable($1_evolution_t)
|
fs_dontaudit_list_removable($1_evolution_t)
|
||||||
fs_donaudit_read_removable_files($1_evolution_t)
|
fs_dontaudit_read_removable_files($1_evolution_t)
|
||||||
userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
|
userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
|
||||||
userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
|
userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
|
||||||
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
|
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(evolution,1.0.1)
|
policy_module(evolution,1.0.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(mono,1.1.2)
|
policy_module(mono,1.1.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -20,7 +20,7 @@ domain_entry_file(mono_t,mono_exec_t)
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
allow mono_t self:process { execheap execmem };
|
allow mono_t self:process { execheap execmem };
|
||||||
unconfined_domain_noaudit(mono_t)
|
unconfined_domain_noaudit(mono_t)
|
||||||
role system_r types mono_t;
|
unconfined_dbus_chat(mono_t)
|
||||||
|
|
||||||
init_dbus_chat_script(mono_t)
|
init_dbus_chat_script(mono_t)
|
||||||
|
|
||||||
|
|
|
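Review bot: The targeted_policy block drops `role system_r types mono_t;` while adding `unconfined_dbus_chat(mono_t)`, and unless the role association is declared unconditionally elsewhere in mono.te (not visible here), mono_t can no longer be entered under system_r in the targeted policy even though domain_entry_file still declares its entry point. If the role line was moved rather than deleted, a one-line comment at the drop site such as `# role association for mono_t is declared above for all policy types` would make that clear. The ifdef block this edit sits in closes outside the hunk.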
@ -249,7 +249,7 @@ template(`mozilla_per_userdomain_template',`
|
||||||
files_dontaudit_list_tmp($1_mozilla_t)
|
files_dontaudit_list_tmp($1_mozilla_t)
|
||||||
files_dontaudit_list_home($1_mozilla_t)
|
files_dontaudit_list_home($1_mozilla_t)
|
||||||
fs_dontaudit_list_removable($1_mozilla_t)
|
fs_dontaudit_list_removable($1_mozilla_t)
|
||||||
fs_donaudit_read_removable_files($1_mozilla_t)
|
fs_dontaudit_read_removable_files($1_mozilla_t)
|
||||||
userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
|
userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
|
||||||
userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
|
userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
|
||||||
userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
|
userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(mozilla,1.0.1)
|
policy_module(mozilla,1.0.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -216,7 +216,7 @@ template(`thunderbird_per_userdomain_template',`
|
||||||
files_dontaudit_list_home($1_thunderbird_t)
|
files_dontaudit_list_home($1_thunderbird_t)
|
||||||
|
|
||||||
fs_dontaudit_list_removable($1_thunderbird_t)
|
fs_dontaudit_list_removable($1_thunderbird_t)
|
||||||
fs_donaudit_read_removable_files($1_thunderbird_t)
|
fs_dontaudit_read_removable_files($1_thunderbird_t)
|
||||||
|
|
||||||
userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
|
userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
|
||||||
userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
|
userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(thunderbird,1.0.1)
|
policy_module(thunderbird,1.0.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1242,6 +1242,80 @@ interface(`corenet_non_ipsec_sendrecv',`
|
||||||
kernel_sendrecv_unlabeled_association($1)
|
kernel_sendrecv_unlabeled_association($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Bind TCP sockets to all RPC ports.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_tcp_bind_all_rpc_ports',`
|
||||||
|
gen_require(`
|
||||||
|
attribute rpc_port_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 rpc_port_type:tcp_socket name_bind;
|
||||||
|
allow $1 self:capability net_bind_service;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to bind TCP sockets to all RPC ports.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
|
||||||
|
gen_require(`
|
||||||
|
attribute rpc_port_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 rpc_port_type:tcp_socket name_bind;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Bind UDP sockets to all RPC ports.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_udp_bind_all_rpc_ports',`
|
||||||
|
gen_require(`
|
||||||
|
attribute rpc_port_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 rpc_port_type:udp_socket name_bind;
|
||||||
|
allow $1 self:capability net_bind_service;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to bind UDP sockets to all RPC ports.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
|
||||||
|
gen_require(`
|
||||||
|
attribute rpc_port_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 rpc_port_type:udp_socket name_bind;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Unconfined access to network objects.
|
## Unconfined access to network objects.
|
||||||
|
|
|
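Review bot: The new corenet_tcp_bind_all_rpc_ports and corenet_udp_bind_all_rpc_ports interfaces bundle `allow $1 self:capability net_bind_service;` with the bind rule, but their summaries say neither that nor what counts as an "RPC port"; per the declare_ports change in this same commit, rpc_port_type is attached to every declared port in the 600-1023 range, not only ports used by RPC services. Suggest expanding the summary to `## Bind TCP sockets to all RPC ports (every declared port in the 600-1023 range that glibc bindresvport searches); also grants net_bind_service.` and the same for the UDP variant. The callers added in this commit (automount_t, mount_t) thereby gain bind rights on every port type declared in that range, which is broader than the interface name suggests, so it is worth confirming that is intended rather than confining them to the specific ports they need.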
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(corenetwork,1.1.6)
|
policy_module(corenetwork,1.1.7)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -10,6 +10,7 @@ attribute netif_type;
|
||||||
attribute node_type;
|
attribute node_type;
|
||||||
attribute port_type;
|
attribute port_type;
|
||||||
attribute reserved_port_type;
|
attribute reserved_port_type;
|
||||||
|
attribute rpc_port_type;
|
||||||
|
|
||||||
attribute corenet_unconfined_type;
|
attribute corenet_unconfined_type;
|
||||||
|
|
||||||
|
|
|
@ -46,7 +46,11 @@ ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inn
|
||||||
') dnl end determine reserved capability depend
|
') dnl end determine reserved capability depend
|
||||||
|
|
||||||
define(`declare_ports',`dnl
|
define(`declare_ports',`dnl
|
||||||
ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
|
ifelse(eval($3 < 1024),1,`
|
||||||
|
typeattribute $1 reserved_port_type;
|
||||||
|
#bindresvport in glibc starts searching for reserved ports at 600
|
||||||
|
ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
|
||||||
|
',`dnl')
|
||||||
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
|
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
|
||||||
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
|
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
|
||||||
')
|
')
|
||||||
|
|
|
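Review bot: The `#bindresvport in glibc starts searching for reserved ports at 600` comment sits inside the quoted body of the declare_ports m4 macro, so m4 copies it into the generated policy once for every port declared below 1024 instead of keeping it in the template; writing it as `dnl glibc bindresvport() picks reserved ports from 600 upward, so every declared port in [600,1024) is treated as a candidate RPC port` keeps the explanation out of the expanded output and states the consequence of the threshold. The 600 threshold is a glibc implementation detail, which is another reason to name it as such in the comment.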
@ -609,7 +609,7 @@ interface(`fs_read_noxattr_fs_files',`
|
||||||
attribute noxattrfs;
|
attribute noxattrfs;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 noxattrfs:dir search;
|
allow $1 noxattrfs:dir search_dir_perms;
|
||||||
allow $1 noxattrfs:file r_file_perms;
|
allow $1 noxattrfs:file r_file_perms;
|
||||||
|
|
||||||
')
|
')
|
||||||
|
@ -629,7 +629,7 @@ interface(`fs_read_noxattr_fs_symlinks',`
|
||||||
attribute noxattrfs;
|
attribute noxattrfs;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 noxattrfs:dir search;
|
allow $1 noxattrfs:dir search_dir_perms;
|
||||||
allow $1 noxattrfs:lnk_file r_file_perms;
|
allow $1 noxattrfs:lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -1491,7 +1491,7 @@ interface(`fs_read_removable_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`fs_donaudit_read_removable_files',`
|
interface(`fs_dontaudit_read_removable_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type removable_t;
|
type removable_t;
|
||||||
')
|
')
|
||||||
|
@ -3204,3 +3204,29 @@ interface(`fs_unconfined',`
|
||||||
|
|
||||||
typeattribute $1 filesystem_unconfined_type;
|
typeattribute $1 filesystem_unconfined_type;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel all objets from filesystems that
|
||||||
|
## do not support extended attributes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_relabelfrom_noxattr_fs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute noxattrfs;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
|
||||||
|
allow $1 noxattrfs:file { getattr relabelfrom };
|
||||||
|
allow $1 noxattrfs:lnk_file { getattr relabelfrom };
|
||||||
|
allow $1 noxattrfs:fifo_file { getattr relabelfrom };
|
||||||
|
allow $1 noxattrfs:sock_file { getattr relabelfrom };
|
||||||
|
allow $1 noxattrfs:blk_file { getattr relabelfrom };
|
||||||
|
allow $1 noxattrfs:chr_file { getattr relabelfrom };
|
||||||
|
')
|
||||||
|
|
||||||
|
|
|
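Review bot: The summary of the new fs_relabelfrom_noxattr_fs interface misspells "objects" (`## Relabel all objets from filesystems that`); suggest `## Relabel all objects from filesystems that`. Since the interface grants only relabelfrom (plus getattr and directory listing), it would help callers to state that the matching relabelto on the destination type must be granted separately, e.g. `## Only relabelfrom is granted; the destination type needs its own relabelto rule.`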
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(filesystem,1.3.6)
|
policy_module(filesystem,1.3.7)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(amavis,1.0.0)
|
policy_module(amavis,1.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -142,6 +142,10 @@ optional_policy(`
|
||||||
ldap_use(amavis_t)
|
ldap_use(amavis_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
pyzor_domtrans(amavis_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
spamassassin_exec(amavis_t)
|
spamassassin_exec(amavis_t)
|
||||||
spamassassin_exec_client(amavis_t)
|
spamassassin_exec_client(amavis_t)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(automount,1.2.2)
|
policy_module(automount,1.2.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -86,6 +86,7 @@ corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
|
||||||
# Automount execs showmount when you browse /net. This is required until
|
# Automount execs showmount when you browse /net. This is required until
|
||||||
# Someone writes a showmount policy
|
# Someone writes a showmount policy
|
||||||
corenet_tcp_bind_reserved_port(automount_t)
|
corenet_tcp_bind_reserved_port(automount_t)
|
||||||
|
corenet_tcp_bind_all_rpc_ports(automount_t)
|
||||||
|
|
||||||
dev_read_sysfs(automount_t)
|
dev_read_sysfs(automount_t)
|
||||||
# for SSP
|
# for SSP
|
||||||
|
|
|
@ -20,3 +20,25 @@ interface(`cyrus_manage_data',`
|
||||||
allow $1 cyrus_var_lib_t:dir rw_dir_perms;
|
allow $1 cyrus_var_lib_t:dir rw_dir_perms;
|
||||||
allow $1 cyrus_var_lib_t:file manage_file_perms;
|
allow $1 cyrus_var_lib_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect to Cyrus using a unix domain stream socket.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`cyrus_stream_connect',`
|
||||||
|
gen_require(`
|
||||||
|
type cyrus_t, cyrus_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
allow $1 cyrus_var_lib_t:dir search;
|
||||||
|
allow $1 cyrus_var_lib_t:sock_file write;
|
||||||
|
allow $1 cyrus_t:unix_stream_socket connectto;
|
||||||
|
')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(cyrus,1.1.0)
|
policy_module(cyrus,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(postfix,1.2.3)
|
policy_module(postfix,1.2.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -171,6 +171,10 @@ sysnet_read_config(postfix_master_t)
|
||||||
mta_rw_aliases(postfix_master_t)
|
mta_rw_aliases(postfix_master_t)
|
||||||
mta_read_sendmail_bin(postfix_master_t)
|
mta_read_sendmail_bin(postfix_master_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cyrus_stream_connect(postfix_master_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# for postalias
|
# for postalias
|
||||||
mailman_manage_data_files(postfix_master_t)
|
mailman_manage_data_files(postfix_master_t)
|
||||||
|
@ -390,6 +394,7 @@ allow postfix_pickup_t postfix_private_t:sock_file write;
|
||||||
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
|
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
|
||||||
allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
|
allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
|
||||||
|
|
||||||
|
postfix_list_spool(postfix_pickup_t)
|
||||||
allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
||||||
allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
|
allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
|
||||||
allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
|
allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
|
||||||
|
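Review bot: postfix.te now calls `postfix_list_spool(postfix_pickup_t)`, one of the module's own postfix.if interfaces, and the following two hunks do the same for postfix_postdrop_t and postfix_showq_t; refpolicy convention, as I understand it, is that a module's .te uses direct rules on the types it owns and reserves the .if interfaces for other modules, so the rules postfix_list_spool expands to would normally be written inline here. That also avoids relying on the interface's gen_require for types this file already declares.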
@ -430,6 +435,7 @@ allow postfix_postdrop_t self:udp_socket create_socket_perms;
|
||||||
allow postfix_postdrop_t postfix_public_t:dir search;
|
allow postfix_postdrop_t postfix_public_t:dir search;
|
||||||
allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
|
allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
|
||||||
|
|
||||||
|
postfix_list_spool(postfix_postdrop_t)
|
||||||
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
||||||
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
|
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
|
||||||
|
|
||||||
|
@ -538,6 +544,8 @@ allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_per
|
||||||
|
|
||||||
allow postfix_showq_t postfix_spool_t:file r_file_perms;
|
allow postfix_showq_t postfix_spool_t:file r_file_perms;
|
||||||
|
|
||||||
|
postfix_list_spool(postfix_showq_t)
|
||||||
|
|
||||||
allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
|
allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
|
||||||
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
|
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
|
||||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(procmail,1.2.0)
|
policy_module(procmail,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -93,15 +93,19 @@ optional_policy(`
|
||||||
postfix_dontaudit_use_fds(procmail_t)
|
postfix_dontaudit_use_fds(procmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
pyzor_domtrans(procmail_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mta_read_config(procmail_t)
|
mta_read_config(procmail_t)
|
||||||
|
sendmail_domtrans(procmail_t)
|
||||||
sendmail_rw_tcp_sockets(procmail_t)
|
sendmail_rw_tcp_sockets(procmail_t)
|
||||||
sendmail_rw_unix_stream_sockets(procmail_t)
|
sendmail_rw_unix_stream_sockets(procmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
corenet_udp_bind_generic_port(procmail_t)
|
corenet_udp_bind_generic_port(procmail_t)
|
||||||
corenet_tcp_connect_spamd_port(procmail_t)
|
|
||||||
|
|
||||||
files_getattr_tmp_dirs(procmail_t)
|
files_getattr_tmp_dirs(procmail_t)
|
||||||
|
|
||||||
|
|
|
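Review bot: `corenet_tcp_connect_spamd_port(procmail_t)` is removed from an optional_policy block whose opening line lies outside the hunk, and the commit message ("includes pyzor, bug 1541") does not explain the removal; if procmail still runs a spam client in its own domain (the block keeps `corenet_udp_bind_generic_port(procmail_t)`), the connection to spamd will now be denied under enforcing mode. If that connection is now made after an exec transition into another domain, a comment in the block such as `# the spamd connection is made by the client's own domain` would document why the rule is gone. Both blocks touched here start or end outside the hunk.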
@ -0,0 +1,9 @@
|
||||||
|
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
|
||||||
|
|
||||||
|
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
|
||||||
|
|
||||||
|
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
|
||||||
|
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
|
||||||
|
|
||||||
|
/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
|
||||||
|
/var/log/pyzord.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
|
|
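Review bot: The first entry labels `HOME_DIR/\.pyzor(/.*)?` as `ROLE_pyzor_home_t`, but the pyzor.te added in this commit declares no pyzor_home_t and no per-userdomain template that would produce the role-prefixed variants, so the file context names a type that does not exist and policy build or setfiles validation is expected to reject it. Either drop the entry or add the home type (and a per-role template) to pyzor.te. A smaller nit: `gen_context(system_u:object_r:pyzor_etc_t, s0)` carries a space before `s0`, unlike the other entries in the file.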
@ -0,0 +1,46 @@
|
||||||
|
## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute pyzor with a domain transition.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`pyzor_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type pyzor_exec_t, pyzor_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_usr($1)
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domain_auto_trans($1,pyzor_exec_t,pyzor_t)
|
||||||
|
|
||||||
|
allow $1 pyzor_t:fd use;
|
||||||
|
allow pyzor_t $1:fd use;
|
||||||
|
allow pyzor_t $1:fifo_file rw_file_perms;
|
||||||
|
allow pyzor_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute pyzor in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`pyzor_exec',`
|
||||||
|
gen_require(`
|
||||||
|
type pyzor_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_usr($1)
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
can_exec($1,pyzor_exec_t)
|
||||||
|
')
|
|
@ -0,0 +1,116 @@
|
||||||
|
|
||||||
|
policy_module(pyzor,1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type pyzor_t;
|
||||||
|
type pyzor_exec_t;
|
||||||
|
domain_type(pyzor_t)
|
||||||
|
domain_entry_file(pyzor_t,pyzor_exec_t)
|
||||||
|
role system_r types pyzor_t;
|
||||||
|
|
||||||
|
type pyzord_t;
|
||||||
|
type pyzord_exec_t;
|
||||||
|
domain_type(pyzord_t)
|
||||||
|
init_daemon_domain(pyzord_t,pyzord_exec_t)
|
||||||
|
|
||||||
|
type pyzor_etc_t;
|
||||||
|
files_type(pyzor_etc_t)
|
||||||
|
|
||||||
|
type pyzord_log_t;
|
||||||
|
logging_log_file(pyzord_log_t)
|
||||||
|
|
||||||
|
type pyzor_var_lib_t;
|
||||||
|
files_type(pyzor_var_lib_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Pyzor local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow pyzor_t pyzor_var_lib_t:dir r_dir_perms;
|
||||||
|
allow pyzor_t pyzor_var_lib_t:file r_file_perms;
|
||||||
|
files_search_var_lib(pyzor_t)
|
||||||
|
|
||||||
|
files_read_etc_files(pyzor_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(pyzor_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(pyzor_t)
|
||||||
|
libs_use_shared_libs(pyzor_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(pyzor_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
amavis_manage_lib_files(pyzor_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
spamassassin_read_spamd_tmp_files(pyzor_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Pyzord local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow pyzord_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
allow pyzord_t pyzor_var_lib_t:file create_file_perms;
|
||||||
|
allow pyzord_t pyzor_var_lib_t:dir { rw_dir_perms setattr };
|
||||||
|
files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
|
||||||
|
|
||||||
|
allow pyzord_t pyzor_etc_t:file create_file_perms;
|
||||||
|
allow pyzord_t pyzor_etc_t:dir r_dir_perms;
|
||||||
|
|
||||||
|
can_exec(pyzord_t,pyzor_exec_t)
|
||||||
|
|
||||||
|
allow pyzord_t pyzord_log_t:file create_file_perms;
|
||||||
|
allow pyzord_t pyzord_log_t:dir { rw_dir_perms setattr };
|
||||||
|
logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
|
||||||
|
|
||||||
|
kernel_read_kernel_sysctls(pyzord_t)
|
||||||
|
kernel_read_system_state(pyzord_t)
|
||||||
|
|
||||||
|
dev_read_urand(pyzord_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(pyzord_t)
|
||||||
|
|
||||||
|
corenet_raw_sendrecv_all_if(pyzord_t)
|
||||||
|
corenet_udp_sendrecv_all_if(pyzord_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(pyzord_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes(pyzord_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(pyzord_t)
|
||||||
|
corenet_non_ipsec_sendrecv(pyzord_t)
|
||||||
|
corenet_udp_bind_all_nodes(pyzord_t)
|
||||||
|
corenet_udp_bind_pyzor_port(pyzord_t)
|
||||||
|
|
||||||
|
files_read_etc_files(pyzord_t)
|
||||||
|
|
||||||
|
term_dontaudit_use_generic_ptys(pyzord_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(pyzord_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(pyzord_t)
|
||||||
|
libs_use_shared_libs(pyzord_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(pyzord_t)
|
||||||
|
|
||||||
|
# only works until we define a different type for maildir
|
||||||
|
userdom_priveleged_home_dir_manager(pyzord_t)
|
||||||
|
# Do not audit attempts to access /root.
|
||||||
|
userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
|
||||||
|
userdom_dontaudit_search_staff_home_dirs(pyzord_t)
|
||||||
|
|
||||||
|
mta_manage_spool(pyzord_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
logging_send_syslog_msg(pyzord_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
nscd_socket_use(pyzord_t)
|
||||||
|
')
|
|
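Review bot: pyzord_t, the network-facing daemon (it binds the pyzor UDP port and sends and receives on all interfaces and nodes), is granted `userdom_priveleged_home_dir_manager(pyzord_t)` and `mta_manage_spool(pyzord_t)`, i.e. write access to every user's home directory and to the mail spool; the `# only works until we define a different type for maildir` comment gives the motivation but not why the server rather than the pyzor_t client needs it, and a compromised daemon would then reach all user data. Suggest narrowing to read access where possible and documenting the requirement, e.g. `# pyzord reads maildir-style mailboxes under home dirs; TODO: replace with a dedicated maildir type`. Separately, the pyzor_t client domain has no socket or corenet rules at all, so if the client exchanges digests with servers over UDP as the daemon side suggests, those requests will be denied under enforcing mode. `corenet_udp_bind_pyzor_port(pyzord_t)` also assumes pyzor_port_t is already declared in corenetwork.te.in, which this commit does not add.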
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(rpc,1.2.2)
|
policy_module(rpc,1.2.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -52,6 +52,9 @@ kernel_read_sysctl(rpcd_t)
|
||||||
corenet_udp_bind_generic_port(rpcd_t)
|
corenet_udp_bind_generic_port(rpcd_t)
|
||||||
corenet_udp_bind_reserved_port(rpcd_t)
|
corenet_udp_bind_reserved_port(rpcd_t)
|
||||||
|
|
||||||
|
dev_read_urand(rpcd_t)
|
||||||
|
dev_read_rand(rpcd_t)
|
||||||
|
|
||||||
fs_list_rpc(rpcd_t)
|
fs_list_rpc(rpcd_t)
|
||||||
fs_read_rpc_files(rpcd_t)
|
fs_read_rpc_files(rpcd_t)
|
||||||
fs_read_rpc_symlinks(rpcd_t)
|
fs_read_rpc_symlinks(rpcd_t)
|
||||||
|
@ -61,6 +64,8 @@ term_use_controlling_term(rpcd_t)
|
||||||
# cjp: this should really have its own type
|
# cjp: this should really have its own type
|
||||||
files_manage_mounttab(rpcd_t)
|
files_manage_mounttab(rpcd_t)
|
||||||
|
|
||||||
|
miscfiles_read_certs(rpcd_t)
|
||||||
|
|
||||||
seutil_dontaudit_search_config(rpcd_t)
|
seutil_dontaudit_search_config(rpcd_t)
|
||||||
|
|
||||||
portmap_udp_chat(rpcd_t)
|
portmap_udp_chat(rpcd_t)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(spamassassin,1.3.3)
|
policy_module(spamassassin,1.3.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -139,11 +139,11 @@ tunable_policy(`use_samba_home_dirs',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cron_system_entry(spamd_t,spamd_exec_t)
|
amavis_manage_lib_files(spamd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
amavis_manage_lib_files(spamd_t)
|
cron_system_entry(spamd_t,spamd_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -154,6 +154,14 @@ optional_policy(`
|
||||||
nis_use_ypbind(spamd_t)
|
nis_use_ypbind(spamd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
postgresql_stream_connect(spamd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
pyzor_domtrans(spamd_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
seutil_sigchld_newrole(spamd_t)
|
seutil_sigchld_newrole(spamd_t)
|
||||||
')
|
')
|
||||||
|
@ -166,13 +174,3 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(spamd_t)
|
udev_read_db(spamd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
optional_policy(`
|
|
||||||
# for bayes tokens
|
|
||||||
allow spamd_t var_lib_t:dir { getattr search };
|
|
||||||
allow spamd_t amavisd_lib_t:dir rw_dir_perms;
|
|
||||||
allow spamd_t amavisd_lib_t:file create_file_perms;
|
|
||||||
allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
|
|
||||||
')
|
|
||||||
') dnl end TODO
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(authlogin,1.3.2)
|
policy_module(authlogin,1.3.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -188,6 +188,8 @@ storage_getattr_scsi_generic_dev(pam_console_t)
|
||||||
storage_setattr_scsi_generic_dev(pam_console_t)
|
storage_setattr_scsi_generic_dev(pam_console_t)
|
||||||
|
|
||||||
term_use_console(pam_console_t)
|
term_use_console(pam_console_t)
|
||||||
|
term_use_all_user_ttys(pam_console_t)
|
||||||
|
term_use_all_user_ptys(pam_console_t)
|
||||||
term_setattr_console(pam_console_t)
|
term_setattr_console(pam_console_t)
|
||||||
term_getattr_unallocated_ttys(pam_console_t)
|
term_getattr_unallocated_ttys(pam_console_t)
|
||||||
term_setattr_unallocated_ttys(pam_console_t)
|
term_setattr_unallocated_ttys(pam_console_t)
|
||||||
|
|
|
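Review bot: `term_use_all_user_ttys(pam_console_t)` and `term_use_all_user_ptys(pam_console_t)` grant read/write access to every user's tty and pty, whereas the neighbouring rules for this domain are getattr/setattr (term_setattr_console, term_setattr_unallocated_ttys), which matches what pam_console does, namely changing ownership and permissions on device nodes. If the denial behind this change was a getattr or setattr on user ttys, a setattr-level interface (or a dontaudit, if the access is harmless) would be the least-privilege fix; a read/write grant means a bug in pam_console can read or inject terminal traffic for any logged-in user. A comment naming the triggering denial would help, e.g. `# <bug id>: pam_console needs to chown user ttys/ptys at login` adjusted to the actual denial.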
@ -75,6 +75,7 @@ ifdef(`distro_gentoo',`
|
||||||
|
|
||||||
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/lib(64)?/ati-fglrx/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
@ -84,9 +85,9 @@ ifdef(`distro_gentoo',`
|
||||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
|
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||||
/usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/local/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
|
||||||
|
|
||||||
/usr/NX/lib/libXcomp.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/NX/lib/libXcomp.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/NX/lib/libjpeg.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/NX/lib/libjpeg.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
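Review bot: In the new entry `/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)` the `(local/)?` group is redundant, since `.*` already matches a `local/` prefix, so the line is equivalent to `/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)`; the same applies to `/usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)*` in the hunk at -195. The new generic line also sits between textrel_shlib_t entries that match the same paths (nvidia and libGL above, wine and libfame below), so it is worth confirming with matchpathcon on a libGL path that the textrel entries still take precedence after this change.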
@ -195,10 +196,12 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
|
||||||
|
|
||||||
# Java, Sun Microsystems (JPackage SRPM)
|
# Java, Sun Microsystems (JPackage SRPM)
|
||||||
/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
|
||||||
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
') dnl end distro_redhat
|
') dnl end distro_redhat
|
||||||
|
|
|
@ -1,5 +1,5 @@
policy_module(libraries,1.3.5)
|
policy_module(libraries,1.3.6)
########################################
|
########################################
|
||||||
#
|
#
@ -1,5 +1,5 @@
policy_module(lvm,1.3.1)
|
policy_module(lvm,1.3.2)
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -205,9 +205,10 @@ dev_create_generic_dirs(lvm_t)
|
||||||
fs_getattr_xattr_fs(lvm_t)
|
fs_getattr_xattr_fs(lvm_t)
|
||||||
fs_search_auto_mountpoints(lvm_t)
|
fs_search_auto_mountpoints(lvm_t)
|
||||||
fs_read_tmpfs_symlinks(lvm_t)
|
fs_read_tmpfs_symlinks(lvm_t)
|
||||||
fs_donaudit_read_removable_files(lvm_t)
|
fs_dontaudit_read_removable_files(lvm_t)
storage_relabel_fixed_disk(lvm_t)
|
storage_relabel_fixed_disk(lvm_t)
|
||||||
|
storage_dontaudit_read_removable_device(lvm_t)
|
||||||
# LVM creates block devices in /dev/mapper or /dev/<vg>
|
# LVM creates block devices in /dev/mapper or /dev/<vg>
|
||||||
# depending on its version
|
# depending on its version
|
||||||
# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
|
# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
@ -1,5 +1,5 @@
policy_module(mount,1.3.4)
|
policy_module(mount,1.3.5)
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -127,6 +127,8 @@ optional_policy(`
|
||||||
corenet_udp_bind_generic_port(mount_t)
|
corenet_udp_bind_generic_port(mount_t)
|
||||||
corenet_tcp_bind_reserved_port(mount_t)
|
corenet_tcp_bind_reserved_port(mount_t)
|
||||||
corenet_udp_bind_reserved_port(mount_t)
|
corenet_udp_bind_reserved_port(mount_t)
|
||||||
|
corenet_tcp_bind_all_rpc_ports(mount_t)
|
||||||
|
corenet_udp_bind_all_rpc_ports(mount_t)
|
||||||
corenet_tcp_connect_all_ports(mount_t)
|
corenet_tcp_connect_all_ports(mount_t)
fs_search_rpc(mount_t)
|
fs_search_rpc(mount_t)
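Review bot: The two new `corenet_tcp_bind_all_rpc_ports(mount_t)` / `corenet_udp_bind_all_rpc_ports(mount_t)` rules carry no comment on which mount operation needs them, while the neighbouring context already lets mount_t bind reserved ports and connect to all ports, so a reader cannot tell whether the extra bind range is the minimal grant. A why-comment above the first of them, e.g. `# NFS mounts bind rpc ports — confirm which mount type triggers this`, would let a later reviewer judge whether the rules can be narrowed. The enclosing `optional_policy(` block begins outside the hunk, so I cannot see which module gates these lines.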
@ -1,5 +1,5 @@
policy_module(selinuxutil,1.2.4)
|
policy_module(selinuxutil,1.2.5)
gen_require(`
|
gen_require(`
|
||||||
bool secure_mode;
|
bool secure_mode;
|
||||||
|
@ -393,6 +393,8 @@ logging_send_syslog_msg(restorecon_t)
|
||||||
userdom_use_all_users_fds(restorecon_t)
|
userdom_use_all_users_fds(restorecon_t)
files_relabel_all_files(restorecon_t)
|
files_relabel_all_files(restorecon_t)
|
||||||
|
fs_relabelfrom_noxattr_fs(restorecon_t)
files_list_all(restorecon_t)
|
files_list_all(restorecon_t)
|
||||||
# this is to satisfy the assertion:
|
# this is to satisfy the assertion:
|
||||||
auth_relabelto_shadow(restorecon_t)
|
auth_relabelto_shadow(restorecon_t)
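Review bot: `fs_relabelfrom_noxattr_fs(restorecon_t)` is added with no explanation, and the identical bare line is added for restorecond_t and setfiles_t further down this file (after `auth_read_all_files_except_shadow(restorecond_t)` and after `files_relabel_all_files(setfiles_t)`), even though this block annotates its other non-obvious grant with `# this is to satisfy the assertion:`. A one-line reason at the first occurrence, such as `# relabel passes cross filesystems without xattr support; allow the relabelfrom half so the attempt is not denied (confirm)`, would make all three additions self-explaining and would record whether the tools actually need it or merely trip over it.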
@ -427,6 +429,7 @@ files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
auth_relabel_all_files_except_shadow(restorecond_t )
|
auth_relabel_all_files_except_shadow(restorecond_t )
|
||||||
auth_read_all_files_except_shadow(restorecond_t)
|
auth_read_all_files_except_shadow(restorecond_t)
|
||||||
|
fs_relabelfrom_noxattr_fs(restorecond_t)
kernel_use_fds(restorecond_t)
|
kernel_use_fds(restorecond_t)
|
||||||
kernel_rw_pipes(restorecond_t)
|
kernel_rw_pipes(restorecond_t)
|
||||||
|
@ -627,6 +630,7 @@ files_read_etc_runtime_files(setfiles_t)
|
||||||
files_read_etc_files(setfiles_t)
|
files_read_etc_files(setfiles_t)
|
||||||
files_list_all(setfiles_t)
|
files_list_all(setfiles_t)
|
||||||
files_relabel_all_files(setfiles_t)
|
files_relabel_all_files(setfiles_t)
|
||||||
|
fs_relabelfrom_noxattr_fs(setfiles_t)
logging_send_syslog_msg(setfiles_t)
|
logging_send_syslog_msg(setfiles_t)
@ -1,5 +1,5 @@
policy_module(sysnetwork,1.1.2)
|
policy_module(sysnetwork,1.1.3)
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -286,6 +286,7 @@ kernel_use_fds(ifconfig_t)
|
||||||
kernel_read_system_state(ifconfig_t)
|
kernel_read_system_state(ifconfig_t)
|
||||||
kernel_read_network_state(ifconfig_t)
|
kernel_read_network_state(ifconfig_t)
|
||||||
kernel_search_network_sysctl(ifconfig_t)
|
kernel_search_network_sysctl(ifconfig_t)
|
||||||
|
kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
|
corenet_rw_tun_tap_dev(ifconfig_t)
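Review bot: `kernel_rw_net_sysctls(ifconfig_t)` grants write access to the whole net sysctl tree, a large step up from the `kernel_search_network_sysctl(ifconfig_t)` context line directly above it, and nothing in the hunk says which sysctl the tool writes. If ifconfig/ip only read these entries, `kernel_read_net_sysctls(ifconfig_t)` is the tighter interface; if a write is genuinely required, a comment naming it — `# writes <which net sysctl?> when configuring interfaces; narrow if only reads are needed` — would justify the wider grant. The ifconfig_t block continues outside the hunk.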
@ -379,6 +379,27 @@ interface(`unconfined_dbus_send',`
|
||||||
allow $1 unconfined_t:dbus send_msg;
|
allow $1 unconfined_t:dbus send_msg;
|
||||||
')
|
')
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send and receive messages from
|
||||||
|
## unconfined_t over dbus.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`unconfined_dbus_chat',`
|
||||||
|
gen_require(`
|
||||||
|
type unconfined_t;
|
||||||
|
class dbus send_msg;
|
||||||
|
')
allow $1 unconfined_t:dbus send_msg;
|
||||||
|
allow unconfined_t $1:dbus send_msg;
|
||||||
|
')
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Add an alias type to the unconfined domain.
|
## Add an alias type to the unconfined domain.
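Review bot: The body of the new `unconfined_dbus_chat` restates `allow $1 unconfined_t:dbus send_msg;`, which is exactly what `unconfined_dbus_send` directly above already provides; composing the interfaces keeps one definition of the forward direction and matches the wrapper style used elsewhere in refpolicy. The body would then be `unconfined_dbus_send($1)` followed by `allow unconfined_t $1:dbus send_msg;`, with the gen_require reduced to the `type unconfined_t;` the second rule still needs.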
@ -1,5 +1,5 @@
policy_module(unconfined,1.3.7)
|
policy_module(unconfined,1.3.8)
########################################
|
########################################
|
||||||
#
|
#
@ -1,6 +1,7 @@
|
||||||
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
||||||
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
||||||
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
||||||
|
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
||||||
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
@ -48,11 +48,12 @@ interface(`xen_append_log',`
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to read and write
|
## Do not audit attempts to read and write
|
||||||
## Xen unix domain stream sockets.
|
## Xen unix domain stream sockets. These
|
||||||
|
## are leaked file descriptors.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
## Domain to don't audit.
|
## Domain to not audit.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
|
@ -84,3 +85,45 @@ interface(`xen_stream_connect_xenstore',`
|
||||||
allow $1 xenstored_var_run_t:sock_file { getattr write };
|
allow $1 xenstored_var_run_t:sock_file { getattr write };
|
||||||
allow $1 xenstored_t:unix_stream_socket connectto;
|
allow $1 xenstored_t:unix_stream_socket connectto;
|
||||||
')
|
')
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect to xend over an unix domain stream socket.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`xen_stream_connect',`
|
||||||
|
gen_require(`
|
||||||
|
type xend_t, xend_var_run_t;
|
||||||
|
')
files_search_pids($1)
|
||||||
|
allow $1 xend_var_run_t:dir search;
|
||||||
|
allow $1 xend_var_run_t:sock_file { getattr write };
|
||||||
|
allow $1 xend_t:unix_stream_socket connectto;
|
||||||
|
')
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run xm.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`xen_domtrans_xm',`
|
||||||
|
gen_requires(`
|
||||||
|
type xm_t, xm_exec_t;
|
||||||
|
')
domain_auto_trans($1,xm_exec_t,xm_t)
|
||||||
|
allow xm_t $1:fd use;
|
||||||
|
allow xm_t:$1:fifo_file rw_file_perms;
|
||||||
|
allow xm_t $1:process sigchld;
|
||||||
|
')
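Review bot: `xen_domtrans_xm` has two defects in its new body: its require block is spelled `gen_requires(` while `xen_stream_connect` in the same hunk and every other interface in this file use `gen_require(`, so m4 will leave the misspelled call unexpanded and the literal text will reach the policy compiler; and `allow xm_t:$1:fifo_file rw_file_perms;` has a stray colon between source and target, which is a syntax error. The two lines should read `gen_require(` and `allow xm_t $1:fifo_file rw_file_perms;`. Neither problem is caught until the module is built, so a build of the xen module before merging would have exposed both.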
@ -1,5 +1,5 @@
policy_module(xen,1.0.2)
|
policy_module(xen,1.0.3)
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -54,6 +54,11 @@ role system_r types xenconsoled_t;
|
||||||
type xenconsoled_var_run_t;
|
type xenconsoled_var_run_t;
|
||||||
files_pid_file(xenconsoled_var_run_t)
|
files_pid_file(xenconsoled_var_run_t)
|
type xm_t;
|
||||||
|
type xm_exec_t;
|
||||||
|
domain_type(xm_t)
|
||||||
|
init_daemon_domain(xm_t, xm_exec_t)
|
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# xend local policy
|
# xend local policy
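Review bot: `domain_type(xm_t)` is redundant next to `init_daemon_domain(xm_t, xm_exec_t)` on the following line, which already declares xm_t a domain; more importantly, xm is the management command this commit exposes through the new `xen_domtrans_xm` interface, so if it is not launched from init scripts, `init_daemon_domain` is the wrong constructor and grants init-related access the tool does not need. If that is the case the minimal pair is `domain_type(xm_t)` plus `domain_entry_file(xm_t, xm_exec_t)`; please confirm how xm is started before choosing.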
@ -224,3 +229,37 @@ libs_use_shared_libs(xenstored_t)
|
||||||
miscfiles_read_localization(xenstored_t)
|
miscfiles_read_localization(xenstored_t)
|
xen_append_log(xenstored_t)
|
xen_append_log(xenstored_t)
|
########################################
|
||||||
|
#
|
||||||
|
# xm local policy
|
||||||
|
#
|
allow xm_t self:capability dac_override;
|
||||||
|
# internal communication is often done using fifo and unix sockets.
|
||||||
|
allow xm_t self:fifo_file { read write };
|
||||||
|
allow xm_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(xm_t)
|
||||||
|
kernel_read_kernel_sysctls(xm_t)
|
||||||
|
kernel_read_xen_state(xm_t)
|
||||||
|
kernel_write_xen_state(xm_t)
corecmd_exec_bin(xm_t)
|
||||||
|
corecmd_exec_sbin(xm_t)
dev_read_urand(xm_t)
# Some common macros (you might be able to remove some)
|
||||||
|
files_read_etc_files(xm_t)
term_use_all_terms(xm_t)
libs_use_ld_so(xm_t)
|
||||||
|
libs_use_shared_libs(xm_t)
miscfiles_read_localization(xm_t)
xen_append_log(xm_t)
|
||||||
|
xen_stream_connect(xm_t)
|
||||||
|
xen_stream_connect_xenstore(xm_t)
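Review bot: `# Some common macros (you might be able to remove some)` is leftover policygentool template text and should be deleted or replaced by a comment stating why each remaining grant is kept. The two broad rules in this block, `allow xm_t self:capability dac_override;` and `term_use_all_terms(xm_t)`, are the ones a reviewer needs justified: a line such as `# dac_override: xm reads <which files?> owned by another uid — confirm` above the capability rule would record the reason, and if xm is only ever run from an admin shell the terminal grant can probably be narrower than all terminals. The `# internal communication is often done using fifo and unix sockets.` comment is also template boilerplate and is worth rewording to what xm actually does.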