clean up more todos

This commit is contained in:
Chris PeBenito 2005-06-29 20:53:53 +00:00
parent e8d8faa820
commit ebdc3b7902
31 changed files with 544 additions and 209 deletions


@ -52,7 +52,7 @@ libs_use_ld_so(consoletype_t)
libs_use_shared_libs(consoletype_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(consoletype_t)
fs_use_tmpfs_chr_dev(consoletype_t)
')
optional_policy(`authlogin.te', `
@ -67,6 +67,11 @@ optional_policy(`nis.te',`
nis_use_ypbind(consoletype_t)
')
optional_policy(`rpm.te',`
# Commonly used from postinst scripts
rpm_read_pipe(consoletype_t)
')
optional_policy(`userdomain.te',`
userdom_use_unpriv_users_fd(consoletype_t)
')
@ -94,4 +99,5 @@ allow consoletype_t printconf_t:file r_file_perms;
optional_policy(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
') dnl end TODO


@ -158,6 +158,7 @@ rw_dir_create_file(logrotate_t, backup_store_t)
')
allow logrotate_t syslogd_t:unix_dgram_socket sendto;
allow logrotate_t syslogd_exec_t:file r_file_perms;
dontaudit logrotate_t selinux_config_t:dir search;
') dnl end TODO


@ -129,6 +129,12 @@ optional_policy(`nis.te',`
nis_use_ypbind(ping_t)
')
optional_policy(`sysnetwork.te',`
optional_policy(`hotplug.te',`
hotplug_use_fd(ping_t)
')
')
ifdef(`TODO',`
in_user_role(ping_t)
tunable_policy(`user_ping',`


@ -1,9 +1,9 @@
## <summary>Policy for the RPM package manager.</summary>
########################################
## <desc>
## <summary>
## Execute rpm programs in the rpm domain.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -27,9 +27,9 @@ interface(`rpm_domtrans',`
')
########################################
## <desc>
## <summary>
## Execute RPM programs in the RPM domain.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -53,9 +53,9 @@ interface(`rpm_run',`
')
########################################
## <desc>
## <summary>
## Inherit and use file descriptors from RPM.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -70,9 +70,9 @@ interface(`rpm_use_fd',`
')
########################################
## <desc>
## <summary>
## Read from a RPM pipe.
## </desc>
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -87,9 +87,9 @@ interface(`rpm_read_pipe',`
')
########################################
## <desc>
## Read RPM package database.
## </desc>
## <summary>
## Read the RPM package database.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@ -108,8 +108,12 @@ interface(`rpm_read_db',`
')
########################################
#
# rpm_manage_db(domain)
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`rpm_manage_db',`
gen_require(`


@ -95,6 +95,7 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t)
selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
selinux_compute_access_vector(rpm_t)
@ -128,6 +129,8 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
corecmd_exec_bin(rpm_t)
@ -162,6 +165,10 @@ optional_policy(`cron.te',`
cron_system_entry(rpm_t,rpm_exec_t)
')
optional_policy(`mount.te',`
mount_send_nfs_client_request(rpm_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(rpm_t)
')
@ -173,9 +180,6 @@ type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpf
dontaudit rpm_t domain:process ptrace;
# read/write/create any files in the system
allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
allow rpm_t ttyfile:chr_file unlink;
@ -194,23 +198,10 @@ optional_policy(`gnome-pty-helper.te', `
allow rpm_t sysadm_gph_t:fd use;
')
optional_policy(`mount.te', `
allow rpm_t mount_t:udp_socket rw_socket_perms;
')
# for kernel package installation
optional_policy(`mount.te', `
allow mount_t rpm_t:fifo_file rw_file_perms;
')
# Commonly used from postinst scripts
optional_policy(`consoletype.te', `
allow consoletype_t rpm_t:fifo_file r_file_perms;
')
optional_policy(`crond.te', `
allow crond_t rpm_t:fifo_file r_file_perms;
')
') dnl endif TODO
########################################
@ -289,6 +280,7 @@ domain_signull_all_domains(rpm_script_t)
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
@ -322,8 +314,6 @@ ifdef(`TODO',`
allow rpm_script_t sysfs_t:dir r_dir_perms;
can_exec(rpm_script_t,usr_t)
optional_policy(`lpd.te', `
can_exec(rpm_script_t,printconf_t)
')


@ -208,3 +208,19 @@ interface(`usermanage_run_useradd',`
allow useradd_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Read the crack database.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`usermanage_read_crack_db',`
gen_require(`
type crack_db_t;
class file r_file_perms;
')
allow $1 crack_db_t:file r_file_perms;
')


@ -93,6 +93,10 @@ fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
# can exec /sbin/unix_chkpwd
corecmd_search_bin(chfn_t)
corecmd_search_sbin(chfn_t)
domain_use_wide_inherit_fd(chfn_t)
files_manage_etc_files(chfn_t)
@ -120,10 +124,9 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
role sysadm_r types chfn_t;
in_user_role(chfn_t)
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
ifdef(`firstboot.te',`
domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t)
')
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
@ -134,9 +137,6 @@ allow chfn_t shell_exec_t:file execute;
# on user home dir
dontaudit chfn_t { user_home_dir_type user_home_type }:dir search;
# can exec /sbin/unix_chkpwd
allow chfn_t { bin_t sbin_t }:dir search;
# uses unix_chkpwd for checking passwords
dontaudit chfn_t selinux_config_t:dir search;
') dnl endif TODO


@ -79,6 +79,9 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
allow $1_t $1_gpg_secret_t:file getattr;
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_raw_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
@ -95,8 +98,13 @@ template(`gpg_per_userdomain_template',`
fs_getattr_xattr_fs($1_gpg_t)
domain_use_wide_inherit_fd($1_gpg_t)
files_read_etc_files($1_gpg_t)
files_read_usr_files($1_gpg_t)
files_dontaudit_search_var($1_gpg_t)
# should not need read access...
files_list_home($1_gpg_t)
libs_use_shared_libs($1_gpg_t)
libs_use_ld_so($1_gpg_t)
@ -135,20 +143,12 @@ template(`gpg_per_userdomain_template',`
ifdef(`TODO',`
allow $1_t $1_gpg_secret_t:file getattr;
access_terminal($1_gpg_t, $1)
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
# Inherit and use descriptors
allow $1_gpg_t { privfd $1_t }:fd use;
# allow ps to show gpg
can_ps($1_t, $1_gpg_t)
# should not need read access...
allow $1_gpg_t home_root_t:dir { read search };
# use $1_gpg_secret_t for files it creates
# NB we are doing the type transition for directory creation only!
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
@ -164,9 +164,6 @@ template(`gpg_per_userdomain_template',`
rw_dir_create_file($1_gpg_t, $1_file_type)
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
dontaudit $1_gpg_t var_t:dir search;
') dnl end TODO
########################################
@ -246,11 +243,26 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow $1_gpg_agent_t self:fifo_file rw_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
# allow gpg to connect to the gpg agent
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
# Allow the user shell to signal the gpg-agent program.
allow $1_t $1_gpg_agent_t:process { signal sigkill };
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
corecmd_search_bin($1_gpg_agent_t)
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
@ -280,24 +292,15 @@ template(`gpg_per_userdomain_template',`
# Write to the user domain tty.
access_terminal($1_gpg_agent_t, $1)
# Allow the user shell to signal the gpg-agent program.
allow $1_t $1_gpg_agent_t:process { signal sigkill };
# allow ps to show gpg-agent
can_ps($1_t, $1_gpg_agent_t)
allow $1_gpg_agent_t proc_t:dir search;
allow $1_gpg_agent_t proc_t:lnk_file read;
allow $1_gpg_agent_t device_t:dir r_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
# gpg connect
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
can_unix_connect($1_gpg_t, $1_gpg_agent_t)
') dnl endif TODO
##############################
@ -330,14 +333,20 @@ template(`gpg_per_userdomain_template',`
miscfiles_read_fonts($1_gpg_pinentry_t)
miscfiles_read_localization($1_gpg_pinentry_t)
ifdef(`TODO',`
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_gpg_pinentry_t)
')
allow $1_gpg_agent_t bin_t:dir search;
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files($1_gpg_pinentry_t)
')
ifdef(`TODO',`
ifdef(`xdm.te', `
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
allow $1_gpg_pinentry_t xdm_t:fd use;
')
@ -351,16 +360,12 @@ template(`gpg_per_userdomain_template',`
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
tunable_policy(`use_nfs_home_dirs',`
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
dontaudit $1_gpg_pinentry_t nfs_t:dir write;
dontaudit $1_gpg_pinentry_t nfs_t:file write;
')
tunable_policy(`use_samba_home_dirs',`
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
dontaudit $1_gpg_pinentry_t cifs_t:dir write;
dontaudit $1_gpg_pinentry_t cifs_t:file write;
')


@ -950,3 +950,21 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
dontaudit $1 reserved_port_type:udp_socket name_bind;
')
########################################
## <summary>
## Read and write the TUN/TAP virtual network device.
## </summary>
## <param name="domain">
## The domain allowed access.
## </param>
#
interface(`corenet_use_tun_tap_device',`
gen_require(`
type tun_tap_device_t;
class chr_file { read write };
')
dev_list_all_dev_nodes($1)
allow $1 tun_tap_device_t:chr_file { read write };
')


@ -646,6 +646,25 @@ interface(`dev_manage_all_chr_files',`
typeattribute $1 memory_raw_read, memory_raw_write;
')
########################################
## <summary>
## Read and write the apm bios.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_apm_bios',`
gen_require(`
type device_t, apm_bios_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 apm_bios_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Read raw memory devices (e.g. /dev/mem).
@ -1671,7 +1690,7 @@ interface(`dev_getattr_sysfs_dir',`
########################################
## <summary>
## Search the directory containing hardware information.
## Search sysfs.
## </summary>
## <param name="domain">
## The type of the process performing this action.
@ -1686,6 +1705,23 @@ interface(`dev_search_sysfs',`
allow $1 sysfs_t:dir search;
')
########################################
## <summary>
## Do not audit attempts to search sysfs.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`dev_dontaudit_search_sysfs',`
gen_require(`
type sysfs_t;
class dir search;
')
dontaudit $1 sysfs_t:dir search;
')
########################################
## <summary>
## Allow caller to read hardware state information.


@ -1380,7 +1380,7 @@ interface(`fs_create_tmpfs_data',`
## The type of the process performing this action.
## </param>
#
interface(`fs_use_tmpfs_character_devices',`
interface(`fs_use_tmpfs_chr_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
@ -1399,7 +1399,7 @@ interface(`fs_use_tmpfs_character_devices',`
## The type of the process performing this action.
## </param>
#
interface(`fs_relabel_tmpfs_character_devices',`
interface(`fs_relabel_tmpfs_chr_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
@ -1418,7 +1418,7 @@ interface(`fs_relabel_tmpfs_character_devices',`
## The type of the process performing this action.
## </param>
#
interface(`fs_use_tmpfs_block_devices',`
interface(`fs_use_tmpfs_blk_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
@ -1437,7 +1437,7 @@ interface(`fs_use_tmpfs_block_devices',`
## The type of the process performing this action.
## </param>
#
interface(`fs_relabel_tmpfs_block_devices',`
interface(`fs_relabel_tmpfs_blk_dev',`
gen_require(`
type tmpfs_t;
class dir r_dir_perms;
@ -1448,6 +1448,46 @@ interface(`fs_relabel_tmpfs_block_devices',`
allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
')
########################################
## <desc>
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_symlinks',`
gen_require(`
type tmpfs_t;
class dir rw_dir_perms;
class chr_file create_lnk_perms;
')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:chr_file create_lnk_perms;
')
########################################
## <desc>
## Read and write, create and delete socket
## files on tmpfs filesystems.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_sockets',`
gen_require(`
type tmpfs_t;
class dir rw_dir_perms;
class sock_file create_file_perms;
')
allow $1 tmpfs_t:dir rw_dir_perms;
allow $1 tmpfs_t:sock_file create_file_perms;
')
########################################
## <desc>
## Read and write, create and delete character
@ -1457,7 +1497,7 @@ interface(`fs_relabel_tmpfs_block_devices',`
## The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_character_devices',`
interface(`fs_manage_tmpfs_chr_dev',`
gen_require(`
type tmpfs_t;
class dir rw_dir_perms;
@ -1477,7 +1517,7 @@ interface(`fs_manage_tmpfs_character_devices',`
## The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_block_devices',`
interface(`fs_manage_tmpfs_blk_dev',`
gen_require(`
type tmpfs_t;
class dir rw_dir_perms;
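Review bot: The new `fs_manage_tmpfs_symlinks` interface requires and grants `chr_file create_lnk_perms` even though its name and description are about symbolic links, so the `lnk_file` class is never granted and a caller gets character-device permissions instead. The two lines should read `class lnk_file create_lnk_perms;` and `allow $1 tmpfs_t:lnk_file create_lnk_perms;`. Both new interfaces in this hunk, `fs_manage_tmpfs_symlinks` and `fs_manage_tmpfs_sockets`, also document themselves with `## <desc>`/`## </desc>` while the rpm.if hunk of this same commit converts those tags to `## <summary>`/`## </summary>`; the new blocks should use the summary form too.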


@ -132,6 +132,11 @@ optional_policy(`nis.te',`
nis_use_ypbind(crond_t)
')
optional_policy(`crond.te',`
# Commonly used from postinst scripts
rpm_read_pipe(crond_t)
')
optional_policy(`udev.te', `
udev_read_db(crond_t)
')
@ -355,4 +360,7 @@ allow mta_user_agent system_crond_t:fd use;
r_dir_file(system_mail_t, crond_tmp_t)
')
# for daemon re-start
allow system_crond_t syslogd_t:lnk_file read;
') dnl end TODO
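Review bot: The new `rpm_read_pipe(crond_t)` call is wrapped in `optional_policy(`crond.te',`` — this module's own file — rather than the module that defines the interface, so the call is not actually conditional on rpm being part of the build. The consoletype.te hunk in this commit wraps the identical call in `optional_policy(`rpm.te',``. The opening line of the block should be `optional_policy(`rpm.te',``.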


@ -257,6 +257,8 @@ miscfiles_read_localization(system_chkpwd_t)
seutil_read_config(system_chkpwd_t)
userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
tunable_policy(`use_dns',`
allow system_chkpwd_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if(system_chkpwd_t)
@ -275,8 +277,6 @@ optional_policy(`nis.te',`
ifdef(`TODO',`
can_kerberos(system_chkpwd_t)
can_ldap(system_chkpwd_t)
dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
') dnl end TODO
########################################
@ -309,10 +309,9 @@ logging_search_logs(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_unpriv_user_tmp(utempter_t)
ifdef(`TODO',`
ifdef(`xdm.te', `
allow utempter_t xdm_t:fd use;
allow utempter_t xdm_t:fifo_file { write getattr };
optional_policy(`xserver.te', `
#allow utempter_t xdm_t:fd use;
xserver_use_xdm_fd(utempter_t)
#allow utempter_t xdm_t:fifo_file { write getattr };
xserver_write_xdm_fifo(utempter_t)
')
') dnl endif TODO
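Review bot: The utempter block keeps the replaced rules as commented-out code (`#allow utempter_t xdm_t:fd use;` and `#allow utempter_t xdm_t:fifo_file { write getattr };`) next to the interface calls that supersede them, which is a style point: the interface names `xserver_use_xdm_fd` and `xserver_write_xdm_fifo` already say what they replace, and the old rules remain in history. Suggest dropping the two commented lines so the optional block contains only the two calls.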


@ -167,6 +167,25 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
dontaudit $1 privfd:fd use;
')
########################################
## <summary>
## Send a SIGCHLD signal to domains whose file
## discriptors are widely inheritable.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: this was added because of newrole
interface(`domain_sigchld_wide_inherit_fd',`
gen_require(`
attribute privfd;
class process signal;
')
dontaudit $1 privfd:fd use;
')
########################################
#
# domain_setpriority_all_domains(domain)
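Review bot: The body of the new `domain_sigchld_wide_inherit_fd` does not do what its summary says: it requires `class process signal` and then emits `dontaudit $1 privfd:fd use;`, which is a copy of the `domain_dontaudit_use_wide_inherit_fd` rule directly above it and grants no sigchld at all. The require should be `class process sigchld;` and the rule `allow $1 privfd:process sigchld;`, matching the `allow newrole_t privfd:process sigchld;` line this commit removes from the selinuxutil.te TODO block now that `newrole_t` calls this interface. The summary text also misspells "discriptors"; it should read "descriptors".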


@ -814,6 +814,23 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir r_dir_perms;
')
########################################
## <summary>
## Search the tmp directory (/tmp)
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_search_tmp',`
gen_require(`
type tmp_t;
class dir search;
')
allow $1 tmp_t:dir search;
')
########################################
#
# files_create_tmp_files(domain,private_type,[object class(es)])
@ -1000,17 +1017,33 @@ interface(`files_manage_urandom_seed',`
allow $1 var_lib_t:file { getattr create read write setattr unlink };
')
########################################
#
# files_search_generic_locks(domain)
#
interface(`files_search_generic_locks',`
gen_require(`
type var_t;
type var_lock_t;
class dir search;
')
allow $1 { var_t var_lock_t }:dir search;
')
########################################
#
# files_getattr_generic_locks(domain)
#
interface(`files_getattr_generic_locks',`
gen_require(`
type var_t;
type var_lock_t;
class dir r_dir_perms;
class file getattr;
')
allow $1 var_t:dir search;
allow $1 var_lock_t:dir r_dir_perms;
allow $1 var_lock_t:file getattr;
')
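Review bot: `files_search_generic_locks` and `files_getattr_generic_locks` are added with the bare `# files_search_generic_locks(domain)` header style rather than the `## <summary>`/`## <param name="domain">` doc block that `files_search_tmp` in this same file section (and the rest of the commit) uses, so they carry no interface documentation. Suggest replacing the first header with `## <summary>` / `## Search the lock directory (/var/lock).` / `## </summary>` plus the usual `<param name="domain">` block, and the second with a summary along the lines of "Get the attributes of generic lock files" with the same param block.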


@ -56,7 +56,7 @@ miscfiles_read_localization(hostname_t)
userdom_use_all_user_fd(hostname_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(hostname_t)
fs_use_tmpfs_chr_dev(hostname_t)
')
ifdef(`targeted_policy', `
@ -92,7 +92,7 @@ ifdef(`TODO',`
##daemon_base_domain(hostname, , nosysadm)
##must remembe to go back and take care of the nosysadm part
allow hostname_t proc_t:dir { read getattr lock search ioctl };
allow hostname_t proc_t:dir r_dir_perms;
allow hostname_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `


@ -43,7 +43,6 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
files_create_pid(hotplug_t,hotplug_var_run_t)
kernel_sigchld(hotplug_t)
kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctl(hotplug_t)
@ -116,7 +115,7 @@ ifdef(`distro_redhat', `
optional_policy(`netutils.te', `
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(hotplug_t)
fs_use_tmpfs_character_devices(hotplug_t)
fs_use_tmpfs_chr_dev(hotplug_t)
')
files_getattr_generic_locks(hotplug_t)
')
@ -156,6 +155,14 @@ optional_policy(`selinux.te',`
')
optional_policy(`sysnetwork.te',`
sysnet_domtrans_dhcpc(hotplug_t)
sysnet_signal_dhcpc(hotplug_t)
sysnet_kill_dhcpc(hotplug_t)
sysnet_signull_dhcpc(hotplug_t)
sysnet_sigstop_dhcpc(hotplug_t)
sysnet_sigchld_dhcpc(hotplug_t)
sysnet_read_dhcpc_pid(hotplug_t)
sysnet_rw_dhcp_config(hotplug_t)
sysnet_domtrans_ifconfig(hotplug_t)
')
@ -188,8 +195,7 @@ optional_policy(`hald.te', `
# this block goes to hald:
optional_policy(`hotplug.te',`
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
hotplug_read_config(hald_t)
')
optional_policy(`lpd.te', `


@ -130,7 +130,7 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
ifdef(`distro_redhat',`
fs_use_tmpfs_character_devices(init_t)
fs_use_tmpfs_chr_dev(init_t)
fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
')
@ -326,7 +326,7 @@ ifdef(`distro_redhat',`
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
fs_use_tmpfs_character_devices(initrc_t)
fs_use_tmpfs_chr_dev(initrc_t)
files_create_boot_flag(initrc_t)
@ -383,6 +383,14 @@ optional_policy(`ssh.te',`
')
')
optional_policy(`sysnetwork.te',`
ifdef(`distro_redhat',`
sysnet_rw_dhcp_config(initrc_t)
')
sysnet_read_dhcpc_state(initrc_t)
')
ifdef(`TODO',`
# Mount and unmount file systems.


@ -66,6 +66,7 @@ domain_use_wide_inherit_fd(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
files_delete_etc_files(ldconfig_t)
@ -77,8 +78,6 @@ userdom_use_all_user_fd(ldconfig_t)
ifdef(`TODO',`
allow ldconfig_t tmp_t:dir search;
ifdef(`apache.te', `
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;


@ -68,6 +68,7 @@ dev_dontaudit_getattr_misc(local_login_t)
dev_dontaudit_setattr_misc(local_login_t)
dev_dontaudit_getattr_scanner(local_login_t)
dev_dontaudit_setattr_scanner(local_login_t)
dev_dontaudit_search_sysfs(local_login_t)
# for SSP/ProPolice
dev_read_urand(local_login_t)
@ -106,6 +107,7 @@ files_read_etc_files(local_login_t)
files_read_etc_runtime_files(local_login_t)
files_read_usr_files(local_login_t)
files_manage_generic_locks(var_lock_t)
files_list_mnt(local_login_t)
init_rw_script_pid(local_login_t)
init_dontaudit_use_fd(local_login_t)
@ -149,6 +151,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(local_login_t)
')
optional_policy(`usermanage.te',`
usermanage_read_crack_db(local_login_t)
')
ifdef(`TODO',`
allow local_login_t bin_t:dir r_dir_perms;
@ -169,32 +175,22 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
# for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read;
dontaudit local_login_t sysfs_t:dir search;
allow local_login_t mnt_t:dir r_dir_perms;
# FIXME: what is this for?
optional_policy(`xdm.te', `
allow xdm_t local_login_t:process signull;
')
ifdef(`crack.te', `
allow local_login_t crack_db_t:file r_file_perms;
')
ifdef(`targeted_policy',`
unconfined_domain(local_login_t)
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
')
# Do not audit denied attempts to access devices.
dontaudit local_login_t device_t:lnk_file { getattr setattr };
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
# Do not audit denied attempts to access /mnt.
dontaudit local_login_t mnt_t:dir r_dir_perms;
# FIXME: what is this for?
optional_policy(`xdm.te', `
allow xdm_t local_login_t:process signull;
')
ifdef(`targeted_policy',`
unconfined_domain(local_login_t)
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
')
optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr };
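Review bot: `files_manage_generic_locks(var_lock_t)` passes the lock file type as the domain argument where every neighbouring call in the hunk passes `local_login_t`; whether this line is new or pre-existing cannot be told from the rendered hunk, but as written it applies the lock rules to a file type rather than to the login domain. It should presumably read `files_manage_generic_locks(local_login_t)`.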


@ -247,6 +247,10 @@ ifdef(`klogd.te', `', `
kernel_change_ring_buffer_level(syslogd_t)
')
ifdef(`direct_sysadm_daemon',`
userdom_dontaudit_use_sysadm_terms(syslogd_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(syslogd_t)
term_dontaudit_use_generic_pty(syslogd_t)
@ -275,9 +279,6 @@ dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
rhgb_domain(syslogd_t)
')
tunable_policy(`direct_sysadm_daemon',`
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
')
ifdef(`distro_suse', `
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
@ -287,15 +288,6 @@ ifdef(`distro_suse', `
# log to the xconsole
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
ifdef(`crond.te', `
# for daemon re-start
allow system_crond_t syslogd_t:lnk_file read;
')
ifdef(`logrotate.te', `
allow logrotate_t syslogd_exec_t:file r_file_perms;
')
#
# Special case to handle crashes
#
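Review bot: The `direct_sysadm_daemon` block that this section moves up is now written as `ifdef(`direct_sysadm_daemon',`` whereas the version being removed used `tunable_policy(`direct_sysadm_daemon',``. If direct_sysadm_daemon is a runtime boolean, as the tunable_policy form implies, the ifdef turns the `userdom_dontaudit_use_sysadm_terms(syslogd_t)` rule into a build-time decision that is silently dropped when the m4 symbol is not defined. If the boolean is intended, keep `tunable_policy(`direct_sysadm_daemon',`` around the call.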


@ -141,6 +141,7 @@ miscfiles_read_localization(lvm_t)
seutil_read_config(lvm_t)
seutil_read_file_contexts(lvm_t)
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
ifdef(`distro_redhat',`
@ -164,8 +165,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
allow lvm_t default_context_t:dir search;
dontaudit lvm_t var_run_t:dir getattr;
optional_policy(`gnome-pty-helper.te', `


@ -67,6 +67,7 @@ dev_read_urand(insmod_t)
dev_rw_agp_dev(insmod_t)
dev_read_snd_dev(insmod_t)
dev_write_snd_dev(insmod_t)
dev_rw_apm_bios(insmod_t)
fs_getattr_xattr_fs(insmod_t)
@ -105,8 +106,6 @@ optional_policy(`mount.te',`
ifdef(`TODO',`
allow insmod_t apm_bios_t:chr_file { read write };
ifdef(`xserver.te', `
allow insmod_t xserver_log_t:file getattr;
')
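Review bot: `dev_rw_apm_bios(insmod_t)` replaces the removed `allow insmod_t apm_bios_t:chr_file { read write };`, but the interface added in devices.if grants `rw_file_perms` plus `device_t:dir r_dir_perms`, which is a wider permission set than the two permissions insmod had before (the exact contents of rw_file_perms are defined outside this page). If the extra permissions are not needed this is a privilege widening that a "clean up" commit does not mention; if they are needed, a brief comment on the call such as `# wider than the old { read write }; insmod needs rw_file_perms` would make the change reviewable.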


@ -77,7 +77,7 @@ miscfiles_read_localization(mount_t)
userdom_use_all_user_fd(mount_t)
ifdef(`distro_redhat',`
fs_use_tmpfs_character_devices(mount_t)
fs_use_tmpfs_chr_dev(mount_t)
allow mount_t tmpfs_t:dir mounton;
optional_policy(`authlogin.te',`


@ -473,6 +473,25 @@ interface(`seutil_read_config',`
allow $1 selinux_config_t:file r_file_perms;
')
########################################
## <summary>
## Search the policy directory with default_context files.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_search_default_contexts',`
gen_require(`
type selinux_config_t, default_context_t;
class dir search;
')
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search;
')
########################################
#
# seutil_read_default_contexts(domain)


@ -212,11 +212,14 @@ term_relabel_all_user_ptys(newrole_t)
auth_domtrans_chk_passwd(newrole_t)
domain_use_wide_inherit_fd(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_wide_inherit_fd(newrole_t)
# Write to utmp.
init_rw_script_pid(newrole_t)
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@ -240,13 +243,6 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
# for when the user types "exec newrole" at the command line
allow newrole_t privfd:process sigchld;
# Read /var.
allow newrole_t var_t:dir r_dir_perms;
allow newrole_t var_t:notdevfile_class_set r_file_perms;
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd
@ -303,10 +299,10 @@ files_list_all_dirs(restorecon_t)
auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(restorecon_t)
fs_use_tmpfs_block_devices(restorecon_t)
fs_relabel_tmpfs_block_devices(restorecon_t)
fs_relabel_tmpfs_character_devices(restorecon_t)
fs_use_tmpfs_chr_dev(restorecon_t)
fs_use_tmpfs_blk_dev(restorecon_t)
fs_relabel_tmpfs_blk_dev(restorecon_t)
fs_relabel_tmpfs_chr_dev(restorecon_t)
')
optional_policy(`hotplug.te',`
@ -323,6 +319,10 @@ allow restorecon_t fs_type:dir r_dir_perms;
allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fifo_file { read write };
tunable_policy(`hide_broken_symptoms',`
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
')
') dnl endif TODO
#################################


@ -25,6 +25,162 @@ interface(`sysnet_domtrans_dhcpc',`
allow dhcpc_t $1:process sigchld;
')
########################################
## <summary>
## Send a SIGCHLD signal to the dhcp client.
## </summary>
## <param name="domain">
## The domain sending the SIGCHLD.
## </param>
#
interface(`sysnet_sigchld_dhcpc',`
gen_require(`
type dhcpc_t;
class process sigchld;
')
allow $1 dhcpc_t:process sigchld;
')
########################################
## <summary>
## Send a kill signal to the dhcp client.
## </summary>
## <param name="domain">
## The domain sending the SIGKILL.
## </param>
#
interface(`sysnet_kill_dhcpc',`
gen_require(`
type dhcpc_t;
class process sigkill;
')
allow $1 dhcpc_t:process sigkill;
')
########################################
## <summary>
## Send a SIGSTOP signal to the dhcp client.
## </summary>
## <param name="domain">
## The domain sending the SIGSTOP.
## </param>
#
interface(`sysnet_sigstop_dhcpc',`
gen_require(`
type dhcpc_t;
class process sigstop;
')
allow $1 dhcpc_t:process sigstop;
')
########################################
## <summary>
## Send a null signal to the dhcp client.
## </summary>
## <param name="domain">
## The domain sending the null signal.
## </param>
#
interface(`sysnet_signull_dhcpc',`
gen_require(`
type dhcpc_t;
class process signull;
')
allow $1 dhcpc_t:process signull;
')
########################################
## <summary>
## Send a generic signal to the dhcp client.
## </summary>
## <param name="domain">
## The domain sending the signal.
## </param>
#
interface(`sysnet_signal_dhcpc',`
gen_require(`
type dhcpc_t;
class process signal;
')
allow $1 dhcpc_t:process signal;
')
########################################
## <summary>
## Read and write dhcp configuration files.
## </summary>
## <param name="domain">
## The domain allowed access.
## </param>
#
interface(`sysnet_rw_dhcp_config',`
gen_require(`
type dhcp_etc_t;
class file { getattr read };
')
files_search_etc($1)
allow $1 dhcp_etc_t:file { getattr read };
')
########################################
## <summary>
## Read dhcp client state files.
## </summary>
## <param name="domain">
## The domain allowed access.
## </param>
#
interface(`sysnet_read_dhcpc_state',`
gen_require(`
type dhcpc_state_t;
class file { getattr read };
')
allow $1 dhcpc_state_t:file { getattr read };
')
#######################################
## <summary>
## Allow network init to read network config files.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`sysnet_read_config',`
gen_require(`
type net_conf_t;
class file r_file_perms;
')
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
')
#######################################
## <summary>
## Read the dhcp client pid file.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`sysnet_read_dhcpc_pid',`
gen_require(`
type dhcpc_var_run_t;
class file { getattr read };
')
files_list_pids($1)
allow $1 dhcpc_var_run_t:file { getattr read };
')
#######################################
## <desc>
## Execute ifconfig in the ifconfig domain.
@ -77,22 +233,3 @@ interface(`sysnet_run_ifconfig',`
role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file rw_term_perms;
')
#######################################
## <desc>
## Allow network init to read network config files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`sysnet_read_config',`
gen_require(`
type net_conf_t;
class file r_file_perms;
')
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
')


@ -194,38 +194,26 @@ domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
allow hotplug_t dhcpc_t:process signal_perms;
allow hotplug_t dhcpc_var_run_t:file { getattr read };
allow hotplug_t dhcp_etc_t:file rw_file_perms;
allow dhcpc_t hotplug_etc_t:dir { getattr search };
ifdef(`distro_redhat', `
logging_syslogd_transition(dhcpc_t)
optional_policy(`hotplug.te', `
allow dhcpc_t hotplug_etc_t:dir { getattr search };
ifdef(`distro_redhat', `
logging_syslogd_transition(dhcpc_t)
')
')
')dnl end hotplug.te
# for the dhcp client to run ping to check IP addresses
optional_policy(`netutils.te',`
netutils_domtrans_ping(dhcpc_t)
optional_policy(`hotplug.te',`
allow ping_t hotplug_t:fd use;
')
ifdef(`cardmgr.te',`
allow ping_t cardmgr_t:fd use;
')
')
ifdef(`distro_redhat', `
allow initrc_t dhcp_etc_t:file rw_file_perms;
')
allow dhcpc_t var_lib_t:dir search;
allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };
dontaudit dhcpc_t var_lock_t:dir search;
dontaudit dhcpc_t selinux_config_t:dir search;
dontaudit dhcpc_t domain:dir getattr;
@ -265,6 +253,8 @@ kernel_read_network_state(ifconfig_t)
kernel_dontaudit_search_sysctl_dir(ifconfig_t)
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
corenet_use_tun_tap_device(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@ -298,10 +288,12 @@ ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
optional_policy(`rhgb.te', `
rhgb_domain(ifconfig_t)
')
tunable_policy(`hide_broken_symptoms',`
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
')
') dnl endif TODO
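Review bot: The hotplug-side rule `allow hotplug_t dhcp_etc_t:file rw_file_perms;` is dropped from the dhcpc section but nothing in this hunk replaces the write half of it; if hotplug.te now calls the new `sysnet_rw_dhcp_config` interface, that interface as shown earlier in this commit grants only `{ getattr read }` on dhcp_etc_t despite its name and its "Read and write" summary, so hotplug would silently lose write access to the dhcp configuration. Either the interface should grant `rw_file_perms` or its name and summary should say read-only; the `allow initrc_t dhcp_etc_t:file rw_file_perms;` rule kept under `ifdef(`distro_redhat'` in this file suggests write access is genuinely used. Note also that the `tunable_policy(`hide_broken_symptoms',` block with `dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };`, apparently moved here from udev.te, sits inside the `ifdef(`TODO',` region closed by `') dnl endif TODO`, so it is compiled out; a comment saying the move is intentional would avoid it being mistaken for live policy. The dhcpc_t and ifconfig_t sections these hunks edit start and end outside the hunks.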


@ -94,6 +94,8 @@ files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dir(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
init_use_fd(udev_t)
init_read_script_pid(udev_t)
@ -117,8 +119,12 @@ seutil_domtrans_restorecon(udev_t)
sysnet_domtrans_ifconfig(udev_t)
ifdef(`distro_redhat',`
fs_manage_tmpfs_block_devices(udev_t)
fs_manage_tmpfs_character_devices(udev_t)
fs_manage_tmpfs_symlinks(udev_t)
fs_manage_tmpfs_sockets(udev_t)
fs_manage_tmpfs_blk_dev(udev_t)
fs_manage_tmpfs_chr_dev(udev_t)
fs_relabel_tmpfs_blk_dev(udev_t)
fs_relabel_tmpfs_chr_dev(udev_t)
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
@ -142,12 +148,6 @@ optional_policy(`sysnetwork.te',`
')
ifdef(`TODO',`
allow udev_t var_lock_t:dir search;
allow udev_t var_lock_t:file getattr;
allow udev_t mnt_t:dir search;
allow udev_t devpts_t:dir { getattr search };
allow udev_t sysadm_tty_device_t:chr_file { read write };
@ -159,17 +159,6 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
dbusd_client(system, udev)
ifdef(`distro_redhat',`
allow udev_t tmpfs_t:sock_file create_file_perms;
allow udev_t tmpfs_t:lnk_file create_lnk_perms;
allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
')
tunable_policy(`hide_broken_symptoms',`
dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
')
optional_policy(`xdm.te',`
allow udev_t xdm_var_run_t:file { getattr read };
')
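Review bot: `files_getattr_generic_locks(udev_t)` replaces the removed TODO rules `allow udev_t var_lock_t:dir search;` and `allow udev_t var_lock_t:file getattr;`, but only the file getattr is implied by the interface name; confirm the interface also grants search on `var_lock_t:dir`, otherwise udev loses the directory lookup it had and the access denial will reappear as an AVC. The `ifdef(`distro_redhat'` block now gives udev create and relabel rights on tmpfs block and character nodes, symlinks and sockets with no explanation, and relabelfrom/relabelto on device nodes is a privileged grant worth justifying; a why-comment above `fs_manage_tmpfs_symlinks(udev_t)` such as `# presumably /dev is a tmpfs here: udev creates device nodes and relabels them to their device types (confirm)` would help the next auditor. The `ifdef(`TODO',` region edited by the later hunks opens and closes outside them.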


@ -122,6 +122,8 @@ template(`base_user_template',`
kernel_get_sysvipc_info($1_t)
# Find CDROM devices:
kernel_read_device_sysctl($1_t)
dev_rw_power_management($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@ -172,6 +174,7 @@ template(`base_user_template',`
files_exec_etc_files($1_t)
files_read_usr_src_files($1_t)
files_search_generic_locks($1_t)
# Caused by su - init scripts
init_dontaudit_use_script_pty($1_t)
@ -242,9 +245,6 @@ template(`base_user_template',`
#
dontaudit $1_t usr_t:file setattr;
# Access the power device.
allow $1_t power_device_t:chr_file rw_file_perms;
# Check to see if cdrom is mounted
allow $1_t mnt_t:dir { getattr search };
@ -296,7 +296,9 @@ template(`base_user_template',`
create_dir_file($1_t, noexattrfile)
create_dir_file($1_t, removable_t)
# Write floppies
allow $1_t removable_device_t:blk_file rw_file_perms;
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
# cjp: what does this have to do with removable devices?
allow $1_t usbtty_device_t:chr_file write;
',`
r_dir_file($1_t, noexattrfile)
@ -312,12 +314,8 @@ template(`base_user_template',`
r_dir_file($1_t, tetex_data_t)
can_exec($1_t, tetex_data_t)
# Run programs developed by other users in the same domain.
can_resmgrd_connect($1_t)
allow $1_t var_lock_t:dir search;
# Grant permissions to access the system DBus
ifdef(`dbusd.te', `
dbusd_client(system, $1)
@ -442,7 +440,7 @@ template(`unpriv_user_template', `
typeattribute $1_tmp_t user_tmpfile;
#typeattribute $1_tty_device_t user_tty_type;
typeattribute $1_tty_device_t user_ttynode;
##############################
#
@ -1105,3 +1103,20 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
dontaudit $1 unpriv_userdomain:fd use;
')
########################################
## <summary>
## Do not audit attempts to use unprivileged
## user ttys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
gen_require(`
attribute user_ttynode;
class chr_file rw_file_perms;
')
dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
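Review bot: The moved grant `dev_rw_power_management($1_t)` lands directly under `# Find CDROM devices:` / `kernel_read_device_sysctl($1_t)` and loses the `# Access the power device.` comment that accompanied the rule it replaces, so it now reads as part of the CDROM lookup; restore that comment above it. Likewise `# Write floppies` now heads a pair, `storage_raw_read_removable_device($1_t)` and `storage_raw_write_removable_device($1_t)`, that gives every domain built from this template raw block-level read and write of removable devices inside that branch of the surrounding conditional; the comment should say so, e.g. `# Raw (block-level) read/write of floppies and other removable media`, since raw write is a stronger capability than filesystem access and is what an auditor of that tunable needs to see. The `base_user_template` body is cut by these hunks; its start and end are outside the section.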


@ -23,6 +23,9 @@ attribute privhome;
# all unprivileged users tmp files
attribute user_tmpfile;
# all unprivileged users ttys
attribute user_ttynode;
# all user domains
attribute userdomain;