clean up more todos
This commit is contained in:
parent
e8d8faa820
commit
ebdc3b7902
@ -52,7 +52,7 @@ libs_use_ld_so(consoletype_t)
|
||||
libs_use_shared_libs(consoletype_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
fs_use_tmpfs_character_devices(consoletype_t)
|
||||
fs_use_tmpfs_chr_dev(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`authlogin.te', `
|
||||
@ -67,6 +67,11 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
# Commonly used from postinst scripts
|
||||
rpm_read_pipe(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`userdomain.te',`
|
||||
userdom_use_unpriv_users_fd(consoletype_t)
|
||||
')
|
||||
@ -94,4 +99,5 @@ allow consoletype_t printconf_t:file r_file_perms;
|
||||
optional_policy(`firstboot.te', `
|
||||
allow consoletype_t firstboot_t:fifo_file write;
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
|
@ -158,6 +158,7 @@ rw_dir_create_file(logrotate_t, backup_store_t)
|
||||
')
|
||||
|
||||
allow logrotate_t syslogd_t:unix_dgram_socket sendto;
|
||||
allow logrotate_t syslogd_exec_t:file r_file_perms;
|
||||
|
||||
dontaudit logrotate_t selinux_config_t:dir search;
|
||||
') dnl end TODO
|
||||
|
@ -129,6 +129,12 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(ping_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_use_fd(ping_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
in_user_role(ping_t)
|
||||
tunable_policy(`user_ping',`
|
||||
|
@ -1,9 +1,9 @@
|
||||
## <summary>Policy for the RPM package manager.</summary>
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Execute rpm programs in the rpm domain.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -27,9 +27,9 @@ interface(`rpm_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Execute RPM programs in the RPM domain.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -53,9 +53,9 @@ interface(`rpm_run',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Inherit and use file descriptors from RPM.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -70,9 +70,9 @@ interface(`rpm_use_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read from a RPM pipe.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -87,9 +87,9 @@ interface(`rpm_read_pipe',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Read RPM package database.
|
||||
## </desc>
|
||||
## <summary>
|
||||
## Read the RPM package database.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -108,8 +108,12 @@ interface(`rpm_read_db',`
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# rpm_manage_db(domain)
|
||||
## <summary>
|
||||
## Create, read, write, and delete the RPM package database.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_manage_db',`
|
||||
gen_require(`
|
||||
|
@ -95,6 +95,7 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
|
||||
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctl(rpm_t)
|
||||
|
||||
selinux_get_fs_mount(rpm_t)
|
||||
selinux_validate_context(rpm_t)
|
||||
selinux_compute_access_vector(rpm_t)
|
||||
@ -128,6 +129,8 @@ storage_raw_read_fixed_disk(rpm_t)
|
||||
|
||||
term_list_ptys(rpm_t)
|
||||
|
||||
auth_relabel_all_files_except_shadow(rpm_t)
|
||||
auth_manage_all_files_except_shadow(rpm_t)
|
||||
auth_dontaudit_read_shadow(rpm_t)
|
||||
|
||||
corecmd_exec_bin(rpm_t)
|
||||
@ -162,6 +165,10 @@ optional_policy(`cron.te',`
|
||||
cron_system_entry(rpm_t,rpm_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(rpm_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(rpm_t)
|
||||
')
|
||||
@ -173,9 +180,6 @@ type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpf
|
||||
dontaudit rpm_t domain:process ptrace;
|
||||
|
||||
# read/write/create any files in the system
|
||||
allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
|
||||
allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
|
||||
allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
|
||||
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
|
||||
allow rpm_t ttyfile:chr_file unlink;
|
||||
|
||||
@ -194,23 +198,10 @@ optional_policy(`gnome-pty-helper.te', `
|
||||
allow rpm_t sysadm_gph_t:fd use;
|
||||
')
|
||||
|
||||
optional_policy(`mount.te', `
|
||||
allow rpm_t mount_t:udp_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
# for kernel package installation
|
||||
optional_policy(`mount.te', `
|
||||
allow mount_t rpm_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
# Commonly used from postinst scripts
|
||||
optional_policy(`consoletype.te', `
|
||||
allow consoletype_t rpm_t:fifo_file r_file_perms;
|
||||
')
|
||||
optional_policy(`crond.te', `
|
||||
allow crond_t rpm_t:fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -289,6 +280,7 @@ domain_signull_all_domains(rpm_script_t)
|
||||
|
||||
files_exec_etc_files(rpm_script_t)
|
||||
files_read_etc_runtime_files(rpm_script_t)
|
||||
files_exec_usr_files(rpm_script_t)
|
||||
|
||||
init_domtrans_script(rpm_script_t)
|
||||
|
||||
@ -322,8 +314,6 @@ ifdef(`TODO',`
|
||||
|
||||
allow rpm_script_t sysfs_t:dir r_dir_perms;
|
||||
|
||||
can_exec(rpm_script_t,usr_t)
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
can_exec(rpm_script_t,printconf_t)
|
||||
')
|
||||
|
@ -208,3 +208,19 @@ interface(`usermanage_run_useradd',`
|
||||
allow useradd_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the crack database.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_read_crack_db',`
|
||||
gen_require(`
|
||||
type crack_db_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 crack_db_t:file r_file_perms;
|
||||
')
|
||||
|
@ -93,6 +93,10 @@ fs_search_auto_mountpoints(chfn_t)
|
||||
# for SSP
|
||||
dev_read_urand(chfn_t)
|
||||
|
||||
# can exec /sbin/unix_chkpwd
|
||||
corecmd_search_bin(chfn_t)
|
||||
corecmd_search_sbin(chfn_t)
|
||||
|
||||
domain_use_wide_inherit_fd(chfn_t)
|
||||
|
||||
files_manage_etc_files(chfn_t)
|
||||
@ -120,10 +124,9 @@ optional_policy(`nis.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types chfn_t;
|
||||
in_user_role(chfn_t)
|
||||
|
||||
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
|
||||
ifdef(`firstboot.te',`
|
||||
domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t)
|
||||
')
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
|
||||
|
||||
@ -134,9 +137,6 @@ allow chfn_t shell_exec_t:file execute;
|
||||
# on user home dir
|
||||
dontaudit chfn_t { user_home_dir_type user_home_type }:dir search;
|
||||
|
||||
# can exec /sbin/unix_chkpwd
|
||||
allow chfn_t { bin_t sbin_t }:dir search;
|
||||
|
||||
# uses unix_chkpwd for checking passwords
|
||||
dontaudit chfn_t selinux_config_t:dir search;
|
||||
') dnl endif TODO
|
||||
|
@ -79,6 +79,9 @@ template(`gpg_per_userdomain_template',`
|
||||
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
|
||||
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow $1_t $1_gpg_secret_t:file getattr;
|
||||
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_gpg_t)
|
||||
corenet_raw_sendrecv_all_if($1_gpg_t)
|
||||
corenet_udp_sendrecv_all_if($1_gpg_t)
|
||||
@ -95,8 +98,13 @@ template(`gpg_per_userdomain_template',`
|
||||
|
||||
fs_getattr_xattr_fs($1_gpg_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_gpg_t)
|
||||
|
||||
files_read_etc_files($1_gpg_t)
|
||||
files_read_usr_files($1_gpg_t)
|
||||
files_dontaudit_search_var($1_gpg_t)
|
||||
# should not need read access...
|
||||
files_list_home($1_gpg_t)
|
||||
|
||||
libs_use_shared_libs($1_gpg_t)
|
||||
libs_use_ld_so($1_gpg_t)
|
||||
@ -135,20 +143,12 @@ template(`gpg_per_userdomain_template',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow $1_t $1_gpg_secret_t:file getattr;
|
||||
|
||||
access_terminal($1_gpg_t, $1)
|
||||
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
|
||||
|
||||
# Inherit and use descriptors
|
||||
allow $1_gpg_t { privfd $1_t }:fd use;
|
||||
|
||||
# allow ps to show gpg
|
||||
can_ps($1_t, $1_gpg_t)
|
||||
|
||||
# should not need read access...
|
||||
allow $1_gpg_t home_root_t:dir { read search };
|
||||
|
||||
# use $1_gpg_secret_t for files it creates
|
||||
# NB we are doing the type transition for directory creation only!
|
||||
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
|
||||
@ -164,9 +164,6 @@ template(`gpg_per_userdomain_template',`
|
||||
|
||||
rw_dir_create_file($1_gpg_t, $1_file_type)
|
||||
|
||||
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
|
||||
|
||||
dontaudit $1_gpg_t var_t:dir search;
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -246,11 +243,26 @@ template(`gpg_per_userdomain_template',`
|
||||
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
|
||||
allow $1_gpg_agent_t self:fifo_file rw_file_perms;
|
||||
|
||||
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
||||
allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
|
||||
allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
|
||||
allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
|
||||
|
||||
# allow gpg to connect to the gpg agent
|
||||
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
|
||||
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
|
||||
allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
|
||||
|
||||
# Allow the user shell to signal the gpg-agent program.
|
||||
allow $1_t $1_gpg_agent_t:process { signal sigkill };
|
||||
|
||||
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
|
||||
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
|
||||
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
|
||||
files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
||||
|
||||
corecmd_search_bin($1_gpg_agent_t)
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
|
||||
|
||||
@ -280,24 +292,15 @@ template(`gpg_per_userdomain_template',`
|
||||
# Write to the user domain tty.
|
||||
access_terminal($1_gpg_agent_t, $1)
|
||||
|
||||
# Allow the user shell to signal the gpg-agent program.
|
||||
allow $1_t $1_gpg_agent_t:process { signal sigkill };
|
||||
# allow ps to show gpg-agent
|
||||
can_ps($1_t, $1_gpg_agent_t)
|
||||
|
||||
allow $1_gpg_agent_t proc_t:dir search;
|
||||
allow $1_gpg_agent_t proc_t:lnk_file read;
|
||||
|
||||
allow $1_gpg_agent_t device_t:dir r_file_perms;
|
||||
|
||||
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
||||
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
|
||||
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
|
||||
|
||||
# gpg connect
|
||||
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
|
||||
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
|
||||
can_unix_connect($1_gpg_t, $1_gpg_agent_t)
|
||||
') dnl endif TODO
|
||||
|
||||
##############################
|
||||
@ -330,14 +333,20 @@ template(`gpg_per_userdomain_template',`
|
||||
miscfiles_read_fonts($1_gpg_pinentry_t)
|
||||
miscfiles_read_localization($1_gpg_pinentry_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files($1_gpg_pinentry_t)
|
||||
')
|
||||
|
||||
allow $1_gpg_agent_t bin_t:dir search;
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_read_cifs_files($1_gpg_pinentry_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
||||
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
||||
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
|
||||
allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
allow $1_gpg_pinentry_t xdm_t:fd use;
|
||||
')
|
||||
|
||||
@ -351,16 +360,12 @@ template(`gpg_per_userdomain_template',`
|
||||
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
|
||||
allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
|
||||
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
|
||||
dontaudit $1_gpg_pinentry_t nfs_t:dir write;
|
||||
dontaudit $1_gpg_pinentry_t nfs_t:file write;
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
|
||||
allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
|
||||
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
|
||||
dontaudit $1_gpg_pinentry_t cifs_t:dir write;
|
||||
dontaudit $1_gpg_pinentry_t cifs_t:file write;
|
||||
')
|
||||
|
||||
|
@ -950,3 +950,21 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
|
||||
|
||||
dontaudit $1 reserved_port_type:udp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the TUN/TAP virtual network device.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_use_tun_tap_device',`
|
||||
gen_require(`
|
||||
type tun_tap_device_t;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tun_tap_device_t:chr_file { read write };
|
||||
')
|
||||
|
@ -646,6 +646,25 @@ interface(`dev_manage_all_chr_files',`
|
||||
typeattribute $1 memory_raw_read, memory_raw_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the apm bios.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_rw_apm_bios',`
|
||||
gen_require(`
|
||||
type device_t, apm_bios_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 apm_bios_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read raw memory devices (e.g. /dev/mem).
|
||||
@ -1671,7 +1690,7 @@ interface(`dev_getattr_sysfs_dir',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the directory containing hardware information.
|
||||
## Search sysfs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
@ -1686,6 +1705,23 @@ interface(`dev_search_sysfs',`
|
||||
allow $1 sysfs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search sysfs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_dontaudit_search_sysfs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 sysfs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow caller to read hardware state information.
|
||||
|
@ -1380,7 +1380,7 @@ interface(`fs_create_tmpfs_data',`
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_use_tmpfs_character_devices',`
|
||||
interface(`fs_use_tmpfs_chr_dev',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir r_dir_perms;
|
||||
@ -1399,7 +1399,7 @@ interface(`fs_use_tmpfs_character_devices',`
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_relabel_tmpfs_character_devices',`
|
||||
interface(`fs_relabel_tmpfs_chr_dev',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir r_dir_perms;
|
||||
@ -1418,7 +1418,7 @@ interface(`fs_relabel_tmpfs_character_devices',`
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_use_tmpfs_block_devices',`
|
||||
interface(`fs_use_tmpfs_blk_dev',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir r_dir_perms;
|
||||
@ -1437,7 +1437,7 @@ interface(`fs_use_tmpfs_block_devices',`
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_relabel_tmpfs_block_devices',`
|
||||
interface(`fs_relabel_tmpfs_blk_dev',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir r_dir_perms;
|
||||
@ -1448,6 +1448,46 @@ interface(`fs_relabel_tmpfs_block_devices',`
|
||||
allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Read and write, create and delete symbolic
|
||||
## links on tmpfs filesystems.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_manage_tmpfs_symlinks',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir rw_dir_perms;
|
||||
class chr_file create_lnk_perms;
|
||||
')
|
||||
|
||||
allow $1 tmpfs_t:dir rw_dir_perms;
|
||||
allow $1 tmpfs_t:chr_file create_lnk_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Read and write, create and delete socket
|
||||
## files on tmpfs filesystems.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_manage_tmpfs_sockets',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir rw_dir_perms;
|
||||
class sock_file create_file_perms;
|
||||
')
|
||||
|
||||
allow $1 tmpfs_t:dir rw_dir_perms;
|
||||
allow $1 tmpfs_t:sock_file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Read and write, create and delete character
|
||||
@ -1457,7 +1497,7 @@ interface(`fs_relabel_tmpfs_block_devices',`
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_manage_tmpfs_character_devices',`
|
||||
interface(`fs_manage_tmpfs_chr_dev',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir rw_dir_perms;
|
||||
@ -1477,7 +1517,7 @@ interface(`fs_manage_tmpfs_character_devices',`
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_manage_tmpfs_block_devices',`
|
||||
interface(`fs_manage_tmpfs_blk_dev',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
class dir rw_dir_perms;
|
||||
|
@ -132,6 +132,11 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`crond.te',`
|
||||
# Commonly used from postinst scripts
|
||||
rpm_read_pipe(crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(crond_t)
|
||||
')
|
||||
@ -355,4 +360,7 @@ allow mta_user_agent system_crond_t:fd use;
|
||||
r_dir_file(system_mail_t, crond_tmp_t)
|
||||
')
|
||||
|
||||
# for daemon re-start
|
||||
allow system_crond_t syslogd_t:lnk_file read;
|
||||
|
||||
') dnl end TODO
|
||||
|
@ -257,6 +257,8 @@ miscfiles_read_localization(system_chkpwd_t)
|
||||
|
||||
seutil_read_config(system_chkpwd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow system_chkpwd_t self:udp_socket create_socket_perms;
|
||||
corenet_udp_sendrecv_all_if(system_chkpwd_t)
|
||||
@ -275,8 +277,6 @@ optional_policy(`nis.te',`
|
||||
ifdef(`TODO',`
|
||||
can_kerberos(system_chkpwd_t)
|
||||
can_ldap(system_chkpwd_t)
|
||||
|
||||
dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -309,10 +309,9 @@ logging_search_logs(utempter_t)
|
||||
# Allow utemper to write to /tmp/.xses-*
|
||||
userdom_write_unpriv_user_tmp(utempter_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`xdm.te', `
|
||||
allow utempter_t xdm_t:fd use;
|
||||
allow utempter_t xdm_t:fifo_file { write getattr };
|
||||
optional_policy(`xserver.te', `
|
||||
#allow utempter_t xdm_t:fd use;
|
||||
xserver_use_xdm_fd(utempter_t)
|
||||
#allow utempter_t xdm_t:fifo_file { write getattr };
|
||||
xserver_write_xdm_fifo(utempter_t)
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
@ -167,6 +167,25 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
|
||||
dontaudit $1 privfd:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to domains whose file
|
||||
## discriptors are widely inheritable.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: this was added because of newrole
|
||||
interface(`domain_sigchld_wide_inherit_fd',`
|
||||
gen_require(`
|
||||
attribute privfd;
|
||||
class process signal;
|
||||
')
|
||||
|
||||
dontaudit $1 privfd:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_setpriority_all_domains(domain)
|
||||
|
@ -814,6 +814,23 @@ interface(`files_list_mnt',`
|
||||
allow $1 mnt_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the tmp directory (/tmp)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_search_tmp',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_create_tmp_files(domain,private_type,[object class(es)])
|
||||
@ -1000,17 +1017,33 @@ interface(`files_manage_urandom_seed',`
|
||||
allow $1 var_lib_t:file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_search_generic_locks(domain)
|
||||
#
|
||||
interface(`files_search_generic_locks',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
type var_lock_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 { var_t var_lock_t }:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_getattr_generic_locks(domain)
|
||||
#
|
||||
interface(`files_getattr_generic_locks',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
type var_lock_t;
|
||||
class dir r_dir_perms;
|
||||
class file getattr;
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_lock_t:dir r_dir_perms;
|
||||
allow $1 var_lock_t:file getattr;
|
||||
')
|
||||
|
@ -56,7 +56,7 @@ miscfiles_read_localization(hostname_t)
|
||||
userdom_use_all_user_fd(hostname_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
fs_use_tmpfs_character_devices(hostname_t)
|
||||
fs_use_tmpfs_chr_dev(hostname_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -92,7 +92,7 @@ ifdef(`TODO',`
|
||||
|
||||
##daemon_base_domain(hostname, , nosysadm)
|
||||
##must remembe to go back and take care of the nosysadm part
|
||||
allow hostname_t proc_t:dir { read getattr lock search ioctl };
|
||||
allow hostname_t proc_t:dir r_dir_perms;
|
||||
allow hostname_t proc_t:lnk_file read;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
|
@ -43,7 +43,6 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
|
||||
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
|
||||
files_create_pid(hotplug_t,hotplug_var_run_t)
|
||||
|
||||
|
||||
kernel_sigchld(hotplug_t)
|
||||
kernel_read_system_state(hotplug_t)
|
||||
kernel_read_kernel_sysctl(hotplug_t)
|
||||
@ -116,7 +115,7 @@ ifdef(`distro_redhat', `
|
||||
optional_policy(`netutils.te', `
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(hotplug_t)
|
||||
fs_use_tmpfs_character_devices(hotplug_t)
|
||||
fs_use_tmpfs_chr_dev(hotplug_t)
|
||||
')
|
||||
files_getattr_generic_locks(hotplug_t)
|
||||
')
|
||||
@ -156,6 +155,14 @@ optional_policy(`selinux.te',`
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnet_domtrans_dhcpc(hotplug_t)
|
||||
sysnet_signal_dhcpc(hotplug_t)
|
||||
sysnet_kill_dhcpc(hotplug_t)
|
||||
sysnet_signull_dhcpc(hotplug_t)
|
||||
sysnet_sigstop_dhcpc(hotplug_t)
|
||||
sysnet_sigchld_dhcpc(hotplug_t)
|
||||
sysnet_read_dhcpc_pid(hotplug_t)
|
||||
sysnet_rw_dhcp_config(hotplug_t)
|
||||
sysnet_domtrans_ifconfig(hotplug_t)
|
||||
')
|
||||
|
||||
@ -188,8 +195,7 @@ optional_policy(`hald.te', `
|
||||
|
||||
# this block goes to hald:
|
||||
optional_policy(`hotplug.te',`
|
||||
allow hald_t hotplug_etc_t:dir search;
|
||||
allow hald_t hotplug_etc_t:file { getattr read };
|
||||
hotplug_read_config(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`lpd.te', `
|
||||
|
@ -130,7 +130,7 @@ seutil_read_config(init_t)
|
||||
miscfiles_read_localization(init_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
fs_use_tmpfs_character_devices(init_t)
|
||||
fs_use_tmpfs_chr_dev(init_t)
|
||||
fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
|
||||
')
|
||||
|
||||
@ -326,7 +326,7 @@ ifdef(`distro_redhat',`
|
||||
storage_raw_read_fixed_disk(initrc_t)
|
||||
storage_raw_write_fixed_disk(initrc_t)
|
||||
|
||||
fs_use_tmpfs_character_devices(initrc_t)
|
||||
fs_use_tmpfs_chr_dev(initrc_t)
|
||||
|
||||
files_create_boot_flag(initrc_t)
|
||||
|
||||
@ -383,6 +383,14 @@ optional_policy(`ssh.te',`
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
ifdef(`distro_redhat',`
|
||||
sysnet_rw_dhcp_config(initrc_t)
|
||||
')
|
||||
|
||||
sysnet_read_dhcpc_state(initrc_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Mount and unmount file systems.
|
||||
|
@ -66,6 +66,7 @@ domain_use_wide_inherit_fd(ldconfig_t)
|
||||
|
||||
files_search_var_lib(ldconfig_t)
|
||||
files_read_etc_files(ldconfig_t)
|
||||
files_search_tmp(ldconfig_t)
|
||||
# for when /etc/ld.so.cache is mislabeled:
|
||||
files_delete_etc_files(ldconfig_t)
|
||||
|
||||
@ -77,8 +78,6 @@ userdom_use_all_user_fd(ldconfig_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow ldconfig_t tmp_t:dir search;
|
||||
|
||||
ifdef(`apache.te', `
|
||||
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
||||
dontaudit ldconfig_t httpd_modules_t:dir search;
|
||||
|
@ -68,6 +68,7 @@ dev_dontaudit_getattr_misc(local_login_t)
|
||||
dev_dontaudit_setattr_misc(local_login_t)
|
||||
dev_dontaudit_getattr_scanner(local_login_t)
|
||||
dev_dontaudit_setattr_scanner(local_login_t)
|
||||
dev_dontaudit_search_sysfs(local_login_t)
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(local_login_t)
|
||||
|
||||
@ -106,6 +107,7 @@ files_read_etc_files(local_login_t)
|
||||
files_read_etc_runtime_files(local_login_t)
|
||||
files_read_usr_files(local_login_t)
|
||||
files_manage_generic_locks(var_lock_t)
|
||||
files_list_mnt(local_login_t)
|
||||
|
||||
init_rw_script_pid(local_login_t)
|
||||
init_dontaudit_use_fd(local_login_t)
|
||||
@ -149,6 +151,10 @@ optional_policy(`nis.te',`
|
||||
nis_use_ypbind(local_login_t)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_read_crack_db(local_login_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow local_login_t bin_t:dir r_dir_perms;
|
||||
@ -169,32 +175,22 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
|
||||
# for when /var/mail is a sym-link
|
||||
allow local_login_t var_t:lnk_file read;
|
||||
|
||||
dontaudit local_login_t sysfs_t:dir search;
|
||||
|
||||
allow local_login_t mnt_t:dir r_dir_perms;
|
||||
|
||||
# FIXME: what is this for?
|
||||
optional_policy(`xdm.te', `
|
||||
allow xdm_t local_login_t:process signull;
|
||||
')
|
||||
|
||||
ifdef(`crack.te', `
|
||||
allow local_login_t crack_db_t:file r_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(local_login_t)
|
||||
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
# Do not audit denied attempts to access devices.
|
||||
dontaudit local_login_t device_t:lnk_file { getattr setattr };
|
||||
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
|
||||
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
|
||||
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
|
||||
|
||||
# Do not audit denied attempts to access /mnt.
|
||||
dontaudit local_login_t mnt_t:dir r_dir_perms;
|
||||
# FIXME: what is this for?
|
||||
optional_policy(`xdm.te', `
|
||||
allow xdm_t local_login_t:process signull;
|
||||
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(local_login_t)
|
||||
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`gpm.te',`
|
||||
allow local_login_t gpmctl_t:sock_file { getattr setattr };
|
||||
|
@ -247,6 +247,10 @@ ifdef(`klogd.te', `', `
|
||||
kernel_change_ring_buffer_level(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
userdom_dontaudit_use_sysadm_terms(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(syslogd_t)
|
||||
term_dontaudit_use_generic_pty(syslogd_t)
|
||||
@ -275,9 +279,6 @@ dontaudit syslogd_t sysadm_home_dir_t:dir search;
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(syslogd_t)
|
||||
')
|
||||
tunable_policy(`direct_sysadm_daemon',`
|
||||
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
||||
@ -287,15 +288,6 @@ ifdef(`distro_suse', `
|
||||
# log to the xconsole
|
||||
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
|
||||
|
||||
ifdef(`crond.te', `
|
||||
# for daemon re-start
|
||||
allow system_crond_t syslogd_t:lnk_file read;
|
||||
')
|
||||
|
||||
ifdef(`logrotate.te', `
|
||||
allow logrotate_t syslogd_exec_t:file r_file_perms;
|
||||
')
|
||||
|
||||
#
|
||||
# Special case to handle crashes
|
||||
#
|
||||
|
@ -141,6 +141,7 @@ miscfiles_read_localization(lvm_t)
|
||||
|
||||
seutil_read_config(lvm_t)
|
||||
seutil_read_file_contexts(lvm_t)
|
||||
seutil_search_default_contexts(lvm_t)
|
||||
seutil_sigchld_newrole(lvm_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -164,8 +165,6 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow lvm_t default_context_t:dir search;
|
||||
|
||||
dontaudit lvm_t var_run_t:dir getattr;
|
||||
|
||||
optional_policy(`gnome-pty-helper.te', `
|
||||
|
@ -67,6 +67,7 @@ dev_read_urand(insmod_t)
|
||||
dev_rw_agp_dev(insmod_t)
|
||||
dev_read_snd_dev(insmod_t)
|
||||
dev_write_snd_dev(insmod_t)
|
||||
dev_rw_apm_bios(insmod_t)
|
||||
|
||||
fs_getattr_xattr_fs(insmod_t)
|
||||
|
||||
@ -105,8 +106,6 @@ optional_policy(`mount.te',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow insmod_t apm_bios_t:chr_file { read write };
|
||||
|
||||
ifdef(`xserver.te', `
|
||||
allow insmod_t xserver_log_t:file getattr;
|
||||
')
|
||||
|
@ -77,7 +77,7 @@ miscfiles_read_localization(mount_t)
|
||||
userdom_use_all_user_fd(mount_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
fs_use_tmpfs_character_devices(mount_t)
|
||||
fs_use_tmpfs_chr_dev(mount_t)
|
||||
allow mount_t tmpfs_t:dir mounton;
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
|
@ -473,6 +473,25 @@ interface(`seutil_read_config',`
|
||||
allow $1 selinux_config_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the policy directory with default_context files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_search_default_contexts',`
|
||||
gen_require(`
|
||||
type selinux_config_t, default_context_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 { selinux_config_t default_context_t }:dir search;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# seutil_read_default_contexts(domain)
|
||||
|
@ -212,11 +212,14 @@ term_relabel_all_user_ptys(newrole_t)
|
||||
auth_domtrans_chk_passwd(newrole_t)
|
||||
|
||||
domain_use_wide_inherit_fd(newrole_t)
|
||||
# for when the user types "exec newrole" at the command line:
|
||||
domain_sigchld_wide_inherit_fd(newrole_t)
|
||||
|
||||
# Write to utmp.
|
||||
init_rw_script_pid(newrole_t)
|
||||
|
||||
files_read_etc_files(newrole_t)
|
||||
files_read_var_files(newrole_t)
|
||||
|
||||
libs_use_ld_so(newrole_t)
|
||||
libs_use_shared_libs(newrole_t)
|
||||
@ -240,13 +243,6 @@ optional_policy(`nis.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for when the user types "exec newrole" at the command line
|
||||
allow newrole_t privfd:process sigchld;
|
||||
|
||||
# Read /var.
|
||||
allow newrole_t var_t:dir r_dir_perms;
|
||||
allow newrole_t var_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
|
||||
|
||||
# for some PAM modules and for cwd
|
||||
@ -303,10 +299,10 @@ files_list_all_dirs(restorecon_t)
|
||||
auth_relabelto_shadow(restorecon_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
fs_use_tmpfs_character_devices(restorecon_t)
|
||||
fs_use_tmpfs_block_devices(restorecon_t)
|
||||
fs_relabel_tmpfs_block_devices(restorecon_t)
|
||||
fs_relabel_tmpfs_character_devices(restorecon_t)
|
||||
fs_use_tmpfs_chr_dev(restorecon_t)
|
||||
fs_use_tmpfs_blk_dev(restorecon_t)
|
||||
fs_relabel_tmpfs_blk_dev(restorecon_t)
|
||||
fs_relabel_tmpfs_chr_dev(restorecon_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
@ -323,6 +319,10 @@ allow restorecon_t fs_type:dir r_dir_perms;
|
||||
|
||||
allow restorecon_t device_t:file { read write };
|
||||
allow restorecon_t kernel_t:fifo_file { read write };
|
||||
|
||||
tunable_policy(`hide_broken_symptoms',`
|
||||
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
#################################
|
||||
|
@ -25,6 +25,162 @@ interface(`sysnet_domtrans_dhcpc',`
|
||||
allow dhcpc_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to the dhcp client.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain sending the SIGCHLD.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_sigchld_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a kill signal to the dhcp client.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain sending the SIGKILL.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_kill_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process sigkill;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGSTOP signal to the dhcp client.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain sending the SIGSTOP.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_sigstop_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process sigstop;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process sigstop;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a null signal to the dhcp client.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain sending the null signal.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_signull_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process signull;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a generic signal to the dhcp client.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain sending the signal.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_signal_dhcpc',`
|
||||
gen_require(`
|
||||
type dhcpc_t;
|
||||
class process signal;
|
||||
')
|
||||
|
||||
allow $1 dhcpc_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write dhcp configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_rw_dhcp_config',`
|
||||
gen_require(`
|
||||
type dhcp_etc_t;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 dhcp_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read dhcp client state files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_read_dhcpc_state',`
|
||||
gen_require(`
|
||||
type dhcpc_state_t;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
allow $1 dhcpc_state_t:file { getattr read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow network init to read network config files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_read_config',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 net_conf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read the dhcp client pid file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_read_dhcpc_pid',`
|
||||
gen_require(`
|
||||
type dhcpc_var_run_t;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
files_list_pids($1)
|
||||
allow $1 dhcpc_var_run_t:file { getattr read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <desc>
|
||||
## Execute ifconfig in the ifconfig domain.
|
||||
@ -77,22 +233,3 @@ interface(`sysnet_run_ifconfig',`
|
||||
role $2 types ifconfig_t;
|
||||
allow ifconfig_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <desc>
|
||||
## Allow network init to read network config files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_read_config',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 net_conf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
|
@ -194,38 +194,26 @@ domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
|
||||
allow cardmgr_t dhcpc_t:process signal_perms;
|
||||
')
|
||||
ifdef(`hotplug.te', `
|
||||
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow hotplug_t dhcpc_t:process signal_perms;
|
||||
allow hotplug_t dhcpc_var_run_t:file { getattr read };
|
||||
allow hotplug_t dhcp_etc_t:file rw_file_perms;
|
||||
|
||||
optional_policy(`hotplug.te', `
|
||||
allow dhcpc_t hotplug_etc_t:dir { getattr search };
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
logging_syslogd_transition(dhcpc_t)
|
||||
')
|
||||
')dnl end hotplug.te
|
||||
')
|
||||
|
||||
# for the dhcp client to run ping to check IP addresses
|
||||
optional_policy(`netutils.te',`
|
||||
netutils_domtrans_ping(dhcpc_t)
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
allow ping_t hotplug_t:fd use;
|
||||
')
|
||||
|
||||
ifdef(`cardmgr.te',`
|
||||
allow ping_t cardmgr_t:fd use;
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
allow initrc_t dhcp_etc_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
allow dhcpc_t var_lib_t:dir search;
|
||||
|
||||
allow dhcpc_t home_root_t:dir search;
|
||||
allow initrc_t dhcpc_state_t:file { getattr read };
|
||||
dontaudit dhcpc_t var_lock_t:dir search;
|
||||
dontaudit dhcpc_t selinux_config_t:dir search;
|
||||
dontaudit dhcpc_t domain:dir getattr;
|
||||
@ -265,6 +253,8 @@ kernel_read_network_state(ifconfig_t)
|
||||
kernel_dontaudit_search_sysctl_dir(ifconfig_t)
|
||||
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
|
||||
|
||||
corenet_use_tun_tap_device(ifconfig_t)
|
||||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
|
||||
@ -298,10 +288,12 @@ ifdef(`TODO',`
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
||||
|
||||
allow ifconfig_t tun_tap_device_t:chr_file { read write };
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
rhgb_domain(ifconfig_t)
|
||||
')
|
||||
|
||||
tunable_policy(`hide_broken_symptoms',`
|
||||
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
@ -94,6 +94,8 @@ files_read_etc_runtime_files(udev_t)
|
||||
files_read_etc_files(udev_t)
|
||||
files_exec_etc_files(udev_t)
|
||||
files_dontaudit_search_isid_type_dir(udev_t)
|
||||
files_getattr_generic_locks(udev_t)
|
||||
files_search_mnt(udev_t)
|
||||
|
||||
init_use_fd(udev_t)
|
||||
init_read_script_pid(udev_t)
|
||||
@ -117,8 +119,12 @@ seutil_domtrans_restorecon(udev_t)
|
||||
sysnet_domtrans_ifconfig(udev_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
fs_manage_tmpfs_block_devices(udev_t)
|
||||
fs_manage_tmpfs_character_devices(udev_t)
|
||||
fs_manage_tmpfs_symlinks(udev_t)
|
||||
fs_manage_tmpfs_sockets(udev_t)
|
||||
fs_manage_tmpfs_blk_dev(udev_t)
|
||||
fs_manage_tmpfs_chr_dev(udev_t)
|
||||
fs_relabel_tmpfs_blk_dev(udev_t)
|
||||
fs_relabel_tmpfs_chr_dev(udev_t)
|
||||
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
netutils_domtrans(udev_t)
|
||||
@ -142,12 +148,6 @@ optional_policy(`sysnetwork.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow udev_t var_lock_t:dir search;
|
||||
allow udev_t var_lock_t:file getattr;
|
||||
|
||||
allow udev_t mnt_t:dir search;
|
||||
|
||||
allow udev_t devpts_t:dir { getattr search };
|
||||
allow udev_t sysadm_tty_device_t:chr_file { read write };
|
||||
|
||||
@ -159,17 +159,6 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
|
||||
|
||||
dbusd_client(system, udev)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow udev_t tmpfs_t:sock_file create_file_perms;
|
||||
allow udev_t tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
tunable_policy(`hide_broken_symptoms',`
|
||||
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
|
||||
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
|
||||
')
|
||||
|
||||
optional_policy(`xdm.te',`
|
||||
allow udev_t xdm_var_run_t:file { getattr read };
|
||||
')
|
||||
|
@ -122,6 +122,8 @@ template(`base_user_template',`
|
||||
kernel_get_sysvipc_info($1_t)
|
||||
# Find CDROM devices:
|
||||
kernel_read_device_sysctl($1_t)
|
||||
|
||||
dev_rw_power_management($1_t)
|
||||
# GNOME checks for usb and other devices:
|
||||
dev_rw_usbfs($1_t)
|
||||
|
||||
@ -172,6 +174,7 @@ template(`base_user_template',`
|
||||
|
||||
files_exec_etc_files($1_t)
|
||||
files_read_usr_src_files($1_t)
|
||||
files_search_generic_locks($1_t)
|
||||
|
||||
# Caused by su - init scripts
|
||||
init_dontaudit_use_script_pty($1_t)
|
||||
@ -242,9 +245,6 @@ template(`base_user_template',`
|
||||
#
|
||||
dontaudit $1_t usr_t:file setattr;
|
||||
|
||||
# Access the power device.
|
||||
allow $1_t power_device_t:chr_file rw_file_perms;
|
||||
|
||||
# Check to see if cdrom is mounted
|
||||
allow $1_t mnt_t:dir { getattr search };
|
||||
|
||||
@ -296,7 +296,9 @@ template(`base_user_template',`
|
||||
create_dir_file($1_t, noexattrfile)
|
||||
create_dir_file($1_t, removable_t)
|
||||
# Write floppies
|
||||
allow $1_t removable_device_t:blk_file rw_file_perms;
|
||||
storage_raw_read_removable_device($1_t)
|
||||
storage_raw_write_removable_device($1_t)
|
||||
# cjp: what does this have to do with removable devices?
|
||||
allow $1_t usbtty_device_t:chr_file write;
|
||||
',`
|
||||
r_dir_file($1_t, noexattrfile)
|
||||
@ -312,12 +314,8 @@ template(`base_user_template',`
|
||||
r_dir_file($1_t, tetex_data_t)
|
||||
can_exec($1_t, tetex_data_t)
|
||||
|
||||
# Run programs developed by other users in the same domain.
|
||||
|
||||
can_resmgrd_connect($1_t)
|
||||
|
||||
allow $1_t var_lock_t:dir search;
|
||||
|
||||
# Grant permissions to access the system DBus
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, $1)
|
||||
@ -442,7 +440,7 @@ template(`unpriv_user_template', `
|
||||
|
||||
typeattribute $1_tmp_t user_tmpfile;
|
||||
|
||||
#typeattribute $1_tty_device_t user_tty_type;
|
||||
typeattribute $1_tty_device_t user_ttynode;
|
||||
|
||||
##############################
|
||||
#
|
||||
@ -1105,3 +1103,20 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
|
||||
dontaudit $1 unpriv_userdomain:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to use unprivileged
|
||||
## user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_use_unpriv_user_tty',`
|
||||
gen_require(`
|
||||
attribute user_ttynode;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
dontaudit $1 user_ttynode:chr_file rw_file_perms;
|
||||
')
|
||||
|
@ -23,6 +23,9 @@ attribute privhome;
|
||||
# all unprivileged users tmp files
|
||||
attribute user_tmpfile;
|
||||
|
||||
# all unprivileged users ttys
|
||||
attribute user_ttynode;
|
||||
|
||||
# all user domains
|
||||
attribute userdomain;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user