Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
This commit is contained in:
Dan Walsh
commit
f7307c60ba
@ -383,6 +383,7 @@ interface(`gnome_read_gconf_home_files',`
|
||||
type data_home_t;
|
||||
')
|
||||
|
||||
userdom_search_user_home_dirs($1)
|
||||
allow $1 gconf_home_t:dir list_dir_perms;
|
||||
allow $1 data_home_t:dir list_dir_perms;
|
||||
read_files_pattern($1, gconf_home_t, gconf_home_t)
|
||||
|
||||
@ -7,7 +7,7 @@ HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
|
||||
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
|
||||
|
||||
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
|
||||
/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
|
||||
/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
|
||||
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
|
||||
/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
|
||||
/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
|
||||
|
||||
@ -4,9 +4,9 @@
|
||||
|
||||
# for new version of jabberd
|
||||
/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
|
||||
/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
||||
/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
||||
/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
|
||||
/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
||||
/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
||||
|
||||
/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
|
||||
|
||||
|
||||
@ -30,6 +30,52 @@ files_pid_file(jabberd_var_run_t)
|
||||
permissive jabberd_router_t;
|
||||
permissive jabberd_t;
|
||||
|
||||
######################################
|
||||
#
|
||||
# Local policy for jabberd-router and c2s components
|
||||
#
|
||||
|
||||
allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
corenet_tcp_bind_jabber_client_port(jabberd_router_t)
|
||||
corenet_tcp_bind_jabber_router_port(jabberd_router_t)
|
||||
corenet_tcp_connect_jabber_router_port(jabberd_router_t)
|
||||
corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
|
||||
corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
|
||||
|
||||
fs_getattr_all_fs(jabberd_router_t)
|
||||
|
||||
miscfiles_read_certs(jabberd_router_t)
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(jabberd_router_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(jabberd_router_t)
|
||||
')
|
||||
|
||||
#####################################
|
||||
#
|
||||
# Local policy for other jabberd components
|
||||
#
|
||||
|
||||
kernel_read_system_state(jabberd_t)
|
||||
|
||||
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
|
||||
corenet_tcp_connect_jabber_router_port(jabberd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(jabberd_t)
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(jabberd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(jabberd_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# Local policy for jabberd domains
|
||||
@ -62,6 +108,7 @@ corenet_tcp_bind_generic_node(jabberd_domain)
|
||||
|
||||
dev_read_urand(jabberd_domain)
|
||||
dev_read_urand(jabberd_domain)
|
||||
dev_read_sysfs(jabberd_domain)
|
||||
|
||||
files_read_etc_files(jabberd_domain)
|
||||
files_read_etc_runtime_files(jabberd_domain)
|
||||
@ -71,59 +118,3 @@ logging_send_syslog_msg(jabberd_domain)
|
||||
miscfiles_read_localization(jabberd_domain)
|
||||
|
||||
sysnet_read_config(jabberd_domain)
|
||||
|
||||
######################################
|
||||
#
|
||||
# Local policy for jabberd-router
|
||||
#
|
||||
|
||||
allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
corenet_tcp_bind_jabber_router_port(jabberd_router_t)
|
||||
corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(jabberd_router_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy for jabberd
|
||||
#
|
||||
|
||||
allow jabberd_t self:capability dac_override;
|
||||
dontaudit jabberd_t self:capability sys_tty_config;
|
||||
|
||||
kernel_read_kernel_sysctls(jabberd_t)
|
||||
kernel_read_proc_symlinks(jabberd_t)
|
||||
kernel_read_system_state(jabberd_t)
|
||||
|
||||
corenet_tcp_connect_jabber_router_port(jabberd_t)
|
||||
corenet_tcp_bind_jabber_client_port(jabberd_t)
|
||||
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
|
||||
corenet_sendrecv_jabber_client_server_packets(jabberd_t)
|
||||
corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
|
||||
|
||||
dev_read_sysfs(jabberd_t)
|
||||
# For SSL
|
||||
dev_read_rand(jabberd_t)
|
||||
|
||||
domain_use_interactive_fds(jabberd_t)
|
||||
|
||||
fs_getattr_all_fs(jabberd_t)
|
||||
fs_search_auto_mountpoints(jabberd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(jabberd_t)
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(jabberd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(jabberd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(jabberd_t)
|
||||
')
|
||||
|
||||
@ -6,16 +6,10 @@ policy_module(razor, 2.1.1)
|
||||
#
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
||||
gen_require(`
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
type spamd_log_t;
|
||||
type spamd_spool_t;
|
||||
type spamd_var_lib_t;
|
||||
type spamd_etc_t;
|
||||
type spamc_home_t;
|
||||
type spamc_tmp_t;
|
||||
type spamc_t, spamc_exec_t, spamd_log_t;
|
||||
type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
|
||||
type spamc_home_t, spamc_tmp_t;
|
||||
')
|
||||
|
||||
typealias spamc_t alias razor_t;
|
||||
@ -28,126 +22,122 @@ ifdef(`distro_redhat',`
|
||||
typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
||||
typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
||||
|
||||
',`
|
||||
type razor_exec_t;
|
||||
corecmd_executable_file(razor_exec_t)
|
||||
|
||||
type razor_exec_t;
|
||||
corecmd_executable_file(razor_exec_t)
|
||||
type razor_etc_t;
|
||||
files_config_file(razor_etc_t)
|
||||
|
||||
type razor_etc_t;
|
||||
files_config_file(razor_etc_t)
|
||||
type razor_home_t;
|
||||
typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
|
||||
typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
||||
userdom_user_home_content(razor_home_t)
|
||||
|
||||
type razor_home_t;
|
||||
typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
|
||||
typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
||||
files_poly_member(razor_home_t)
|
||||
userdom_user_home_content(razor_home_t)
|
||||
type razor_log_t;
|
||||
logging_log_file(razor_log_t)
|
||||
|
||||
type razor_log_t;
|
||||
logging_log_file(razor_log_t)
|
||||
type razor_tmp_t;
|
||||
typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
||||
typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
||||
files_tmp_file(razor_tmp_t)
|
||||
ubac_constrained(razor_tmp_t)
|
||||
|
||||
type razor_tmp_t;
|
||||
typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
||||
typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
||||
files_tmp_file(razor_tmp_t)
|
||||
ubac_constrained(razor_tmp_t)
|
||||
type razor_var_lib_t;
|
||||
files_type(razor_var_lib_t)
|
||||
|
||||
type razor_var_lib_t;
|
||||
files_type(razor_var_lib_t)
|
||||
# these are here due to ordering issues:
|
||||
razor_common_domain_template(razor)
|
||||
typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
|
||||
typealias razor_t alias { auditadm_razor_t secadm_razor_t };
|
||||
ubac_constrained(razor_t)
|
||||
|
||||
# these are here due to ordering issues:
|
||||
razor_common_domain_template(razor)
|
||||
typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
|
||||
typealias razor_t alias { auditadm_razor_t secadm_razor_t };
|
||||
ubac_constrained(razor_t)
|
||||
razor_common_domain_template(system_razor)
|
||||
role system_r types system_razor_t;
|
||||
|
||||
razor_common_domain_template(system_razor)
|
||||
role system_r types system_razor_t;
|
||||
########################################
|
||||
#
|
||||
# System razor local policy
|
||||
#
|
||||
|
||||
########################################
|
||||
#
|
||||
# System razor local policy
|
||||
#
|
||||
# this version of razor is invoked typically
|
||||
# via the system spam filter
|
||||
|
||||
# this version of razor is invoked typically
|
||||
# via the system spam filter
|
||||
allow system_razor_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow system_razor_t self:tcp_socket create_socket_perms;
|
||||
manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
files_search_etc(system_razor_t)
|
||||
|
||||
manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
||||
files_search_etc(system_razor_t)
|
||||
allow system_razor_t razor_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(system_razor_t, razor_log_t, file)
|
||||
|
||||
allow system_razor_t razor_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(system_razor_t, razor_log_t, file)
|
||||
manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
|
||||
files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
|
||||
|
||||
manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
|
||||
files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
|
||||
corenet_all_recvfrom_unlabeled(system_razor_t)
|
||||
corenet_all_recvfrom_netlabel(system_razor_t)
|
||||
corenet_tcp_sendrecv_generic_if(system_razor_t)
|
||||
corenet_raw_sendrecv_generic_if(system_razor_t)
|
||||
corenet_tcp_sendrecv_generic_node(system_razor_t)
|
||||
corenet_raw_sendrecv_generic_node(system_razor_t)
|
||||
corenet_tcp_sendrecv_razor_port(system_razor_t)
|
||||
corenet_tcp_connect_razor_port(system_razor_t)
|
||||
corenet_sendrecv_razor_client_packets(system_razor_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(system_razor_t)
|
||||
corenet_all_recvfrom_netlabel(system_razor_t)
|
||||
corenet_tcp_sendrecv_generic_if(system_razor_t)
|
||||
corenet_raw_sendrecv_generic_if(system_razor_t)
|
||||
corenet_tcp_sendrecv_generic_node(system_razor_t)
|
||||
corenet_raw_sendrecv_generic_node(system_razor_t)
|
||||
corenet_tcp_sendrecv_razor_port(system_razor_t)
|
||||
corenet_tcp_connect_razor_port(system_razor_t)
|
||||
corenet_sendrecv_razor_client_packets(system_razor_t)
|
||||
sysnet_read_config(system_razor_t)
|
||||
|
||||
sysnet_read_config(system_razor_t)
|
||||
# cjp: this shouldn't be needed
|
||||
userdom_use_unpriv_users_fds(system_razor_t)
|
||||
|
||||
# cjp: this shouldn't be needed
|
||||
userdom_use_unpriv_users_fds(system_razor_t)
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(system_razor_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(system_razor_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# User razor local policy
|
||||
#
|
||||
|
||||
# Allow razor to be run by hand. Needed by any action other than
|
||||
# invocation from a spam filter.
|
||||
|
||||
allow razor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
manage_files_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
|
||||
|
||||
manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
||||
manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
||||
files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
|
||||
|
||||
auth_use_nsswitch(razor_t)
|
||||
|
||||
logging_send_syslog_msg(razor_t)
|
||||
|
||||
userdom_search_user_home_dirs(razor_t)
|
||||
userdom_use_user_terminals(razor_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(razor_t)
|
||||
fs_manage_nfs_files(razor_t)
|
||||
fs_manage_nfs_symlinks(razor_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(razor_t)
|
||||
fs_manage_cifs_files(razor_t)
|
||||
fs_manage_cifs_symlinks(razor_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
milter_manage_spamass_state(razor_t)
|
||||
')
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(system_razor_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(system_razor_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# User razor local policy
|
||||
#
|
||||
|
||||
# Allow razor to be run by hand. Needed by any action other than
|
||||
# invocation from a spam filter.
|
||||
|
||||
allow razor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
manage_files_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
|
||||
userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
|
||||
|
||||
manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
||||
manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
||||
files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
|
||||
|
||||
auth_use_nsswitch(razor_t)
|
||||
|
||||
logging_send_syslog_msg(razor_t)
|
||||
|
||||
userdom_search_user_home_dirs(razor_t)
|
||||
userdom_use_user_terminals(razor_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(razor_t)
|
||||
fs_manage_nfs_files(razor_t)
|
||||
fs_manage_nfs_symlinks(razor_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(razor_t)
|
||||
fs_manage_cifs_files(razor_t)
|
||||
fs_manage_cifs_symlinks(razor_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
milter_manage_spamass_state(razor_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -6,15 +6,14 @@ policy_module(rgmanager, 1.0.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow rgmanager domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow rgmanager domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(rgmanager_can_network_connect, false)
|
||||
|
||||
type rgmanager_t;
|
||||
type rgmanager_exec_t;
|
||||
domain_type(rgmanager_t)
|
||||
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
|
||||
|
||||
type rgmanager_initrc_exec_t;
|
||||
@ -40,7 +39,7 @@ files_pid_file(rgmanager_var_run_t)
|
||||
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
|
||||
dontaudit rgmanager_t self:capability { sys_ptrace };
|
||||
allow rgmanager_t self:process { setsched signal };
|
||||
dontaudit rgmanager_t self:process { ptrace };
|
||||
dontaudit rgmanager_t self:process ptrace;
|
||||
|
||||
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
|
||||
|
||||
@ -6,9 +6,9 @@ policy_module(rhcs, 1.1.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow fenced domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow fenced domain to connect to the network using TCP.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(fenced_can_network_connect, false)
|
||||
|
||||
@ -111,7 +111,7 @@ tunable_policy(`fenced_can_network_connect',`
|
||||
|
||||
# needed by fence_scsi
|
||||
optional_policy(`
|
||||
corosync_exec(fenced_t)
|
||||
corosync_exec(fenced_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -129,7 +129,6 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow gfs_controld_t self:capability { net_admin sys_resource };
|
||||
|
||||
allow gfs_controld_t self:shm create_shm_perms;
|
||||
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
@ -159,7 +158,6 @@ optional_policy(`
|
||||
|
||||
allow groupd_t self:capability { sys_nice sys_resource };
|
||||
allow groupd_t self:process setsched;
|
||||
|
||||
allow groupd_t self:shm create_shm_perms;
|
||||
|
||||
dev_list_sysfs(groupd_t)
|
||||
@ -174,7 +172,6 @@ init_rw_script_tmp_files(groupd_t)
|
||||
#
|
||||
|
||||
allow qdiskd_t self:capability { ipc_lock sys_boot };
|
||||
|
||||
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow qdiskd_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -224,9 +221,8 @@ optional_policy(`
|
||||
# rhcs domains common policy
|
||||
#
|
||||
|
||||
allow cluster_domain self:capability { sys_nice };
|
||||
allow cluster_domain self:capability sys_nice;
|
||||
allow cluster_domain self:process setsched;
|
||||
|
||||
allow cluster_domain self:sem create_sem_perms;
|
||||
allow cluster_domain self:fifo_file rw_fifo_file_perms;
|
||||
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
|
||||
allow rhgb_t self:udp_socket create_socket_perms;
|
||||
allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
term_create_pty(rhgb_t, rhgb_devpts_t)
|
||||
|
||||
manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
|
||||
|
||||
@ -7,7 +7,6 @@ policy_module(ricci, 1.7.0)
|
||||
|
||||
type ricci_t;
|
||||
type ricci_exec_t;
|
||||
domain_type(ricci_t)
|
||||
init_daemon_domain(ricci_t, ricci_exec_t)
|
||||
|
||||
type ricci_initrc_exec_t;
|
||||
@ -42,7 +41,6 @@ files_pid_file(ricci_modcluster_var_run_t)
|
||||
|
||||
type ricci_modclusterd_t;
|
||||
type ricci_modclusterd_exec_t;
|
||||
domain_type(ricci_modclusterd_t)
|
||||
init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
|
||||
|
||||
type ricci_modclusterd_tmpfs_t;
|
||||
@ -101,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
|
||||
manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
|
||||
files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
|
||||
|
||||
allow ricci_t ricci_var_log_t:dir setattr;
|
||||
allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
|
||||
manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
|
||||
manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
|
||||
logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
|
||||
|
||||
@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
|
||||
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
|
||||
allow rlogind_t self:process signal_perms;
|
||||
allow rlogind_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow rlogind_t self:capability { setuid setgid };
|
||||
|
||||
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
term_create_pty(rlogind_t, rlogind_devpts_t)
|
||||
|
||||
# for /usr/lib/telnetlogin
|
||||
|
||||
@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow gssd to read temp directory. For access to kerberos tgt.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow gssd to read temp directory. For access to kerberos tgt.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_gssd_read_tmp, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow nfs servers to modify public files
|
||||
## used for public file transfer services. Files/Directories must be
|
||||
## labeled public_content_rw_t.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow nfs servers to modify public files
|
||||
## used for public file transfer services. Files/Directories must be
|
||||
## labeled public_content_rw_t.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_nfsd_anon_write, false)
|
||||
|
||||
@ -62,7 +62,7 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
|
||||
allow rpcd_t self:process { getcap setcap };
|
||||
allow rpcd_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow rpcd_t rpcd_var_run_t:dir setattr;
|
||||
allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
|
||||
manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
|
||||
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
|
||||
files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
|
||||
@ -162,6 +162,8 @@ storage_raw_read_removable_device(nfsd_t)
|
||||
# Read access to public_content_t and public_content_rw_t
|
||||
miscfiles_read_public_files(nfsd_t)
|
||||
|
||||
userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
|
||||
|
||||
# Write access to public_content_t and public_content_rw_t
|
||||
tunable_policy(`allow_nfsd_anon_write',`
|
||||
miscfiles_manage_public_files(nfsd_t)
|
||||
@ -174,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
')
|
||||
userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
dev_getattr_all_blk_files(nfsd_t)
|
||||
@ -196,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
|
||||
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
|
||||
allow gssd_t self:process { getsched setsched };
|
||||
allow gssd_t self:fifo_file rw_file_perms;
|
||||
allow gssd_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
|
||||
@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type snmpd_t;
|
||||
type snmpd_exec_t;
|
||||
init_daemon_domain(snmpd_t, snmpd_exec_t)
|
||||
@ -24,6 +25,7 @@ files_type(snmpd_var_lib_t)
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
|
||||
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
|
||||
allow snmpd_t self:process { signal_perms getsched setsched };
|
||||
@ -117,7 +119,7 @@ sysnet_read_config(snmpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(snmpd_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
rpm_read_db(snmpd_t)
|
||||
rpm_dontaudit_manage_db(snmpd_t)
|
||||
|
||||
@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
|
||||
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
|
||||
dontaudit snort_t self:capability sys_tty_config;
|
||||
allow snort_t self:process signal_perms;
|
||||
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
||||
allow snort_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow snort_t self:tcp_socket create_stream_socket_perms;
|
||||
allow snort_t self:udp_socket create_socket_perms;
|
||||
allow snort_t self:packet_socket create_socket_perms;
|
||||
allow snort_t self:socket create_socket_perms;
|
||||
# Snort IPS node. unverified.
|
||||
allow snort_t self:netlink_firewall_socket { bind create getattr };
|
||||
allow snort_t self:netlink_firewall_socket create_socket_perms;
|
||||
|
||||
allow snort_t snort_etc_t:dir list_dir_perms;
|
||||
allow snort_t snort_etc_t:file read_file_perms;
|
||||
allow snort_t snort_etc_t:lnk_file { getattr read };
|
||||
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(snort_t, snort_log_t, snort_log_t)
|
||||
create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
|
||||
|
||||
@ -6,85 +6,83 @@ policy_module(spamassassin, 2.3.1)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow user spamassassin clients to use the network.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow user spamassassin clients to use the network.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(spamassassin_can_network, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow spamd to read/write user home directories.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow spamd to read/write user home directories.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(spamd_enable_home_dirs, true)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# spamassassin client executable
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
application_domain(spamc_t, spamc_exec_t)
|
||||
role system_r types spamc_t;
|
||||
# spamassassin client executable
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
application_domain(spamc_t, spamc_exec_t)
|
||||
role system_r types spamc_t;
|
||||
|
||||
type spamd_etc_t;
|
||||
files_config_file(spamd_etc_t)
|
||||
type spamd_etc_t;
|
||||
files_config_file(spamd_etc_t)
|
||||
|
||||
typealias spamc_exec_t alias spamassassin_exec_t;
|
||||
typealias spamc_t alias spamassassin_t;
|
||||
typealias spamc_exec_t alias spamassassin_exec_t;
|
||||
typealias spamc_t alias spamassassin_t;
|
||||
|
||||
type spamc_home_t;
|
||||
userdom_user_home_content(spamc_home_t)
|
||||
typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
||||
typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
||||
typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
|
||||
typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
|
||||
type spamc_home_t;
|
||||
userdom_user_home_content(spamc_home_t)
|
||||
typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
||||
typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
||||
typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
|
||||
typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
|
||||
|
||||
type spamc_tmp_t;
|
||||
files_tmp_file(spamc_tmp_t)
|
||||
typealias spamc_tmp_t alias spamassassin_tmp_t;
|
||||
typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
||||
type spamc_tmp_t;
|
||||
files_tmp_file(spamc_tmp_t)
|
||||
typealias spamc_tmp_t alias spamassassin_tmp_t;
|
||||
typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
||||
|
||||
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
||||
', `
|
||||
type spamassassin_t;
|
||||
type spamassassin_exec_t;
|
||||
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
|
||||
typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
|
||||
application_domain(spamassassin_t, spamassassin_exec_t)
|
||||
ubac_constrained(spamassassin_t)
|
||||
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
||||
',`
|
||||
type spamassassin_t;
|
||||
type spamassassin_exec_t;
|
||||
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
|
||||
typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
|
||||
application_domain(spamassassin_t, spamassassin_exec_t)
|
||||
ubac_constrained(spamassassin_t)
|
||||
|
||||
type spamassassin_home_t;
|
||||
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
||||
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
||||
userdom_user_home_content(spamassassin_home_t)
|
||||
files_poly_member(spamassassin_home_t)
|
||||
type spamassassin_home_t;
|
||||
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
||||
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
||||
userdom_user_home_content(spamassassin_home_t)
|
||||
|
||||
type spamassassin_tmp_t;
|
||||
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
||||
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
||||
files_tmp_file(spamassassin_tmp_t)
|
||||
ubac_constrained(spamassassin_tmp_t)
|
||||
type spamassassin_tmp_t;
|
||||
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
||||
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
||||
files_tmp_file(spamassassin_tmp_t)
|
||||
ubac_constrained(spamassassin_tmp_t)
|
||||
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
|
||||
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
|
||||
application_domain(spamc_t, spamc_exec_t)
|
||||
ubac_constrained(spamc_t)
|
||||
type spamc_t;
|
||||
type spamc_exec_t;
|
||||
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
|
||||
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
|
||||
application_domain(spamc_t, spamc_exec_t)
|
||||
ubac_constrained(spamc_t)
|
||||
|
||||
type spamc_tmp_t;
|
||||
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
||||
files_tmp_file(spamc_tmp_t)
|
||||
ubac_constrained(spamc_tmp_t)
|
||||
type spamc_tmp_t;
|
||||
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
||||
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
||||
files_tmp_file(spamc_tmp_t)
|
||||
ubac_constrained(spamc_tmp_t)
|
||||
')
|
||||
|
||||
type spamd_t;
|
||||
type spamd_exec_t;
|
||||
init_daemon_domain(spamd_t, spamd_exec_t)
|
||||
can_exec(spamd_t, spamd_exec_t)
|
||||
|
||||
type spamd_compiled_t;
|
||||
files_type(spamd_compiled_t)
|
||||
@ -252,11 +250,6 @@ allow spamc_t self:unix_dgram_socket sendto;
|
||||
allow spamc_t self:unix_stream_socket connectto;
|
||||
allow spamc_t self:tcp_socket create_stream_socket_perms;
|
||||
allow spamc_t self:udp_socket create_socket_perms;
|
||||
corenet_all_recvfrom_unlabeled(spamc_t)
|
||||
corenet_all_recvfrom_netlabel(spamc_t)
|
||||
corenet_tcp_sendrecv_generic_if(spamc_t)
|
||||
corenet_tcp_sendrecv_generic_node(spamc_t)
|
||||
corenet_tcp_connect_spamd_port(spamc_t)
|
||||
|
||||
can_exec(spamc_t, spamc_exec_t)
|
||||
|
||||
@ -272,6 +265,9 @@ manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
|
||||
userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
|
||||
userdom_append_user_home_content_files(spamc_t)
|
||||
|
||||
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
|
||||
# Allow connecting to a local spamd
|
||||
allow spamc_t spamd_t:unix_stream_socket connectto;
|
||||
allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
|
||||
@ -290,6 +286,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
|
||||
corenet_udp_sendrecv_all_ports(spamc_t)
|
||||
corenet_tcp_connect_all_ports(spamc_t)
|
||||
corenet_sendrecv_all_client_packets(spamc_t)
|
||||
corenet_tcp_connect_spamd_port(spamc_t)
|
||||
|
||||
fs_search_auto_mountpoints(spamc_t)
|
||||
|
||||
@ -309,8 +306,6 @@ files_dontaudit_search_var(spamc_t)
|
||||
# cjp: this may be removable:
|
||||
files_list_home(spamc_t)
|
||||
files_list_var_lib(spamc_t)
|
||||
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
||||
|
||||
fs_search_auto_mountpoints(spamc_t)
|
||||
|
||||
@ -413,6 +408,8 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
||||
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
||||
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
|
||||
|
||||
can_exec(spamd_t, spamd_exec_t)
|
||||
|
||||
kernel_read_all_sysctls(spamd_t)
|
||||
kernel_read_system_state(spamd_t)
|
||||
|
||||
@ -508,9 +505,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
corenet_tcp_connect_mysqld_port(spamd_t)
|
||||
corenet_sendrecv_mysqld_client_packets(spamd_t)
|
||||
|
||||
mysql_tcp_connect(spamd_t)
|
||||
mysql_search_db(spamd_t)
|
||||
mysql_stream_connect(spamd_t)
|
||||
')
|
||||
@ -520,9 +515,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
corenet_tcp_connect_postgresql_port(spamd_t)
|
||||
corenet_sendrecv_postgresql_client_packets(spamd_t)
|
||||
|
||||
postgresql_tcp_connect(spamd_t)
|
||||
postgresql_stream_connect(spamd_t)
|
||||
')
|
||||
|
||||
|
||||
@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow squid to connect to all ports, not just
|
||||
## HTTP, FTP, and Gopher ports.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow squid to connect to all ports, not just
|
||||
## HTTP, FTP, and Gopher ports.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(squid_connect_any, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow squid to run as a transparent proxy (TPROXY)
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow squid to run as a transparent proxy (TPROXY)
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(squid_use_tproxy, false)
|
||||
|
||||
|
||||
@ -6,23 +6,23 @@ policy_module(ssh, 2.2.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## allow host key based authentication
|
||||
## </p>
|
||||
## <p>
|
||||
## allow host key based authentication
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_ssh_keysign, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(ssh_sysadm_login, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## allow sshd to forward port connections
|
||||
## </p>
|
||||
## <p>
|
||||
## allow sshd to forward port connections
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(sshd_forward_ports, false)
|
||||
|
||||
@ -32,7 +32,6 @@ attribute ssh_agent_type;
|
||||
type ssh_keygen_t;
|
||||
type ssh_keygen_exec_t;
|
||||
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
|
||||
role system_r types ssh_keygen_t;
|
||||
|
||||
type sshd_exec_t;
|
||||
corecmd_executable_file(sshd_exec_t)
|
||||
@ -46,10 +45,6 @@ init_script_file(sshd_initrc_exec_t)
|
||||
type sshd_key_t;
|
||||
files_type(sshd_key_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
type ssh_t;
|
||||
type ssh_exec_t;
|
||||
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
|
||||
@ -82,9 +77,12 @@ ubac_constrained(ssh_tmpfs_t)
|
||||
type ssh_home_t;
|
||||
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
|
||||
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
|
||||
files_type(ssh_home_t)
|
||||
userdom_user_home_content(ssh_home_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# SSH client local policy
|
||||
@ -180,10 +178,7 @@ userdom_write_user_tmp_files(ssh_t)
|
||||
userdom_read_user_home_content_symlinks(ssh_t)
|
||||
|
||||
tunable_policy(`allow_ssh_keysign',`
|
||||
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
|
||||
allow ssh_keysign_t ssh_t:fd use;
|
||||
allow ssh_keysign_t ssh_t:process sigchld;
|
||||
allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
|
||||
domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
@ -217,7 +212,6 @@ optional_policy(`
|
||||
|
||||
dontaudit ssh_keygen_t self:capability sys_tty_config;
|
||||
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
||||
@ -264,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
|
||||
allow ssh_keysign_t self:capability { setgid setuid };
|
||||
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow ssh_keysign_t sshd_key_t:file { getattr read };
|
||||
allow ssh_keysign_t sshd_key_t:file read_file_perms;
|
||||
|
||||
dev_read_urand(ssh_keysign_t)
|
||||
|
||||
@ -287,7 +281,6 @@ optional_policy(`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow sshd_t self:key { search link write };
|
||||
|
||||
allow sshd_t self:process setcurrent;
|
||||
|
||||
kernel_search_key(sshd_t)
|
||||
@ -303,15 +296,17 @@ term_use_ptmx(sshd_t)
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
tunable_policy(`sshd_forward_ports', `
|
||||
corenet_tcp_bind_all_unreserved_ports(sshd_t)
|
||||
corenet_tcp_connect_all_ports(sshd_t)
|
||||
')
|
||||
|
||||
userdom_read_user_home_content_files(sshd_t)
|
||||
userdom_read_user_home_content_symlinks(sshd_t)
|
||||
userdom_search_admin_dir(sshd_t)
|
||||
userdom_manage_tmp_role(system_r, sshd_t)
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
|
||||
tunable_policy(`sshd_forward_ports',`
|
||||
corenet_tcp_bind_all_unreserved_ports(sshd_t)
|
||||
corenet_tcp_connect_all_ports(sshd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
@ -321,9 +316,6 @@ tunable_policy(`ssh_sysadm_login',`
|
||||
userdom_signal_all_users(sshd_t)
|
||||
')
|
||||
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(sshd_t, sshd_exec_t)
|
||||
')
|
||||
@ -373,26 +365,26 @@ optional_policy(`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t ptyfile:chr_file relabelto;
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t ptyfile:chr_file relabelto;
|
||||
|
||||
optional_policy(`
|
||||
domain_trans(sshd_t, xauth_exec_t, userdomain)
|
||||
optional_policy(`
|
||||
domain_trans(sshd_t, xauth_exec_t, userdomain)
|
||||
')
|
||||
',`
|
||||
optional_policy(`
|
||||
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
|
||||
')
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
|
||||
')
|
||||
',`
|
||||
optional_policy(`
|
||||
domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
|
||||
')
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
# display the tty.
|
||||
# some versions of sshd on the new SE Linux require setattr
|
||||
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -405,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',`
|
||||
|
||||
dontaudit ssh_keygen_t self:capability sys_tty_config;
|
||||
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
||||
|
||||
@ -28,9 +28,10 @@ files_pid_file(sssd_var_run_t)
|
||||
#
|
||||
# sssd local policy
|
||||
#
|
||||
|
||||
allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
|
||||
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
|
||||
allow sssd_t self:fifo_file rw_file_perms;
|
||||
allow sssd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow sssd_t self:key manage_key_perms;
|
||||
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
@ -40,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
||||
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
|
||||
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
|
||||
|
||||
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
||||
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
|
||||
|
||||
@ -6,17 +6,7 @@ policy_module(stunnel, 1.9.1)
|
||||
#
|
||||
|
||||
type stunnel_t;
|
||||
domain_type(stunnel_t)
|
||||
role system_r types stunnel_t;
|
||||
|
||||
type stunnel_exec_t;
|
||||
domain_entry_file(stunnel_t, stunnel_exec_t)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
init_daemon_domain(stunnel_t, stunnel_exec_t)
|
||||
',`
|
||||
inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
|
||||
')
|
||||
|
||||
type stunnel_etc_t;
|
||||
files_config_file(stunnel_etc_t)
|
||||
@ -27,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
|
||||
type stunnel_var_run_t;
|
||||
files_pid_file(stunnel_var_run_t)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
init_daemon_domain(stunnel_t, stunnel_exec_t)
|
||||
',`
|
||||
inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -40,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow stunnel_t stunnel_etc_t:dir list_dir_perms;
|
||||
allow stunnel_t stunnel_etc_t:file read_file_perms;
|
||||
allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
|
||||
allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
|
||||
manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
|
||||
@ -77,7 +73,7 @@ miscfiles_read_localization(stunnel_t)
|
||||
|
||||
sysnet_read_config(stunnel_t)
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
ifdef(`distro_gentoo',`
|
||||
dontaudit stunnel_t self:capability sys_tty_config;
|
||||
allow stunnel_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -120,4 +116,5 @@ ifdef(`distro_gentoo', `
|
||||
gen_require(`
|
||||
type stunnel_port_t;
|
||||
')
|
||||
|
||||
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
|
||||
|
||||
@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0)
|
||||
type sysstat_t;
|
||||
type sysstat_exec_t;
|
||||
init_system_domain(sysstat_t, sysstat_exec_t)
|
||||
role system_r types sysstat_t;
|
||||
|
||||
type sysstat_log_t;
|
||||
logging_log_file(sysstat_log_t)
|
||||
@ -71,4 +70,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
nscd_socket_use(sysstat_t)
|
||||
')
|
||||
|
||||
|
||||
@ -7,7 +7,6 @@ policy_module(tcpd, 1.4.0)
|
||||
type tcpd_t;
|
||||
type tcpd_exec_t;
|
||||
inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
|
||||
role system_r types tcpd_t;
|
||||
|
||||
type tcpd_tmp_t;
|
||||
files_tmp_file(tcpd_tmp_t)
|
||||
|
||||
@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0)
|
||||
type telnetd_t;
|
||||
type telnetd_exec_t;
|
||||
inetd_service_domain(telnetd_t, telnetd_exec_t)
|
||||
role system_r types telnetd_t;
|
||||
|
||||
type telnetd_devpts_t; #, userpty_type;
|
||||
term_login_pty(telnetd_devpts_t)
|
||||
@ -24,16 +23,15 @@ files_pid_file(telnetd_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
|
||||
allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
|
||||
allow telnetd_t self:process signal_perms;
|
||||
allow telnetd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow telnetd_t self:udp_socket create_socket_perms;
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow telnetd_t self:capability { setuid setgid };
|
||||
|
||||
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
term_create_pty(telnetd_t, telnetd_devpts_t)
|
||||
|
||||
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
||||
@ -69,8 +67,6 @@ corecmd_search_bin(telnetd_t)
|
||||
files_read_usr_files(telnetd_t)
|
||||
files_read_etc_files(telnetd_t)
|
||||
files_read_etc_runtime_files(telnetd_t)
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
files_search_home(telnetd_t)
|
||||
|
||||
init_rw_utmp(telnetd_t)
|
||||
|
||||
@ -87,11 +83,6 @@ userdom_setattr_user_ptys(telnetd_t)
|
||||
userdom_manage_user_tmp_files(telnetd_t)
|
||||
userdom_tmp_filetrans_user_tmp(telnetd_t, file)
|
||||
|
||||
optional_policy(`
|
||||
kerberos_keytab_template(telnetd, telnetd_t)
|
||||
kerberos_manage_host_rcache(telnetd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_search_nfs(telnetd_t)
|
||||
')
|
||||
@ -99,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_search_cifs(telnetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_keytab_template(telnetd, telnetd_t)
|
||||
kerberos_manage_host_rcache(telnetd_t)
|
||||
')
|
||||
|
||||
|
||||
@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow tftp to modify public files
|
||||
## used for public file transfer services.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow tftp to modify public files
|
||||
## used for public file transfer services.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(tftp_anon_write, false)
|
||||
|
||||
@ -32,15 +32,15 @@ files_type(tftpdir_rw_t)
|
||||
#
|
||||
|
||||
allow tftpd_t self:capability { setgid setuid sys_chroot };
|
||||
dontaudit tftpd_t self:capability sys_tty_config;
|
||||
allow tftpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow tftpd_t self:udp_socket create_socket_perms;
|
||||
allow tftpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit tftpd_t self:capability sys_tty_config;
|
||||
|
||||
allow tftpd_t tftpdir_t:dir list_dir_perms;
|
||||
allow tftpd_t tftpdir_t:file read_file_perms;
|
||||
allow tftpd_t tftpdir_t:lnk_file { getattr read };
|
||||
allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
|
||||
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
|
||||
|
||||
@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t)
|
||||
allow tgtd_t self:capability sys_resource;
|
||||
allow tgtd_t self:process { setrlimit signal };
|
||||
allow tgtd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow tgtd_t self:shm create_shm_perms;
|
||||
allow tgtd_t self:sem create_sem_perms;
|
||||
allow tgtd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
@ -6,10 +6,10 @@ policy_module(tor, 1.7.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow tor daemon to bind
|
||||
## tcp sockets to all unreserved ports.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow tor daemon to bind
|
||||
## tcp sockets to all unreserved ports.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(tor_bind_all_unreserved_ports, false)
|
||||
|
||||
@ -43,7 +43,6 @@ files_pid_file(tor_var_run_t)
|
||||
|
||||
allow tor_t self:capability { setgid setuid sys_tty_config };
|
||||
allow tor_t self:process signal;
|
||||
|
||||
allow tor_t self:fifo_file rw_fifo_file_perms;
|
||||
allow tor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
@ -108,7 +107,7 @@ logging_send_syslog_msg(tor_t)
|
||||
|
||||
miscfiles_read_localization(tor_t)
|
||||
|
||||
tunable_policy(`tor_bind_all_unreserved_ports', `
|
||||
tunable_policy(`tor_bind_all_unreserved_ports',`
|
||||
corenet_tcp_bind_all_unreserved_ports(tor_t)
|
||||
')
|
||||
|
||||
|
||||
@ -8,12 +8,10 @@ policy_module(ucspitcp, 1.3.0)
|
||||
type rblsmtpd_t;
|
||||
type rblsmtpd_exec_t;
|
||||
init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
|
||||
role system_r types rblsmtpd_t;
|
||||
|
||||
type ucspitcp_t;
|
||||
type ucspitcp_exec_t;
|
||||
init_system_domain(ucspitcp_t, ucspitcp_exec_t)
|
||||
role system_r types ucspitcp_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -89,10 +87,7 @@ sysnet_read_config(ucspitcp_t)
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
|
||||
daemontools_sigchld_run(ucspitcp_t)
|
||||
daemontools_read_svc(ucspitcp_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
daemontools_sigchld_run(ucspitcp_t)
|
||||
')
|
||||
|
||||
|
||||
@ -54,10 +54,11 @@ miscfiles_read_localization(ulogd_t)
|
||||
sysnet_dns_name_resolve(ulogd_t)
|
||||
|
||||
optional_policy(`
|
||||
mysql_stream_connect(ulogd_t)
|
||||
mysql_stream_connect(ulogd_t)
|
||||
mysql_tcp_connect(ulogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(ulogd_t)
|
||||
postgresql_stream_connect(ulogd_t)
|
||||
postgresql_tcp_connect(ulogd_t)
|
||||
')
|
||||
|
||||
@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
|
||||
|
||||
dontaudit uptimed_t self:capability sys_tty_config;
|
||||
allow uptimed_t self:process signal_perms;
|
||||
allow uptimed_t self:fifo_file write_file_perms;
|
||||
allow uptimed_t self:fifo_file write_fifo_file_perms;
|
||||
|
||||
allow uptimed_t uptimed_etc_t:file read_file_perms;
|
||||
files_search_etc(uptimed_t)
|
||||
|
||||
@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0)
|
||||
type uucpd_t;
|
||||
type uucpd_exec_t;
|
||||
inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
|
||||
role system_r types uucpd_t;
|
||||
|
||||
type uucpd_lock_t;
|
||||
files_lock_file(uucpd_lock_t)
|
||||
@ -124,7 +123,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow uux_t self:capability { setuid setgid };
|
||||
allow uux_t self:fifo_file write_file_perms;
|
||||
allow uux_t self:fifo_file write_fifo_file_perms;
|
||||
|
||||
uucp_append_log(uux_t)
|
||||
uucp_manage_spool(uux_t)
|
||||
|
||||
@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow varnishd to connect to all ports,
|
||||
## not just HTTP.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow varnishd to connect to all ports,
|
||||
## not just HTTP.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(varnishd_connect_any, false)
|
||||
|
||||
@ -70,7 +70,7 @@ manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
|
||||
files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
|
||||
|
||||
manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
|
||||
files_pid_filetrans(varnishd_t, varnishd_var_run_t, { file })
|
||||
files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
|
||||
|
||||
kernel_read_system_state(varnishd_t)
|
||||
|
||||
@ -108,7 +108,7 @@ tunable_policy(`varnishd_connect_any',`
|
||||
#
|
||||
|
||||
manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
|
||||
files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, { file })
|
||||
files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
|
||||
|
||||
manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
|
||||
manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
|
||||
|
||||
@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
|
||||
|
||||
allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
|
||||
allow vhostmd_t self:process { setsched getsched };
|
||||
allow vhostmd_t self:fifo_file rw_file_perms;
|
||||
allow vhostmd_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
|
||||
manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
|
||||
|
||||
@ -4,54 +4,55 @@ policy_module(virt, 1.4.0)
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute virsh_transition_domain;
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to use serial/parallell communication ports
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to use serial/parallell communication ports
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_comm, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to read fuse files
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to read fuse files
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_fusefs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to manage nfs files
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to manage nfs files
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_nfs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to manage cifs files
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to manage cifs files
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_samba, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to manage device configuration, (pci)
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to manage device configuration, (pci)
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_sysfs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virtual machine to interact with the xserver
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virtual machine to interact with the xserver
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_xserver, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow virt to use usb devices
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow virt to use usb devices
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(virt_use_usb, true)
|
||||
|
||||
@ -205,7 +206,6 @@ optional_policy(`
|
||||
|
||||
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
|
||||
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
|
||||
|
||||
allow virtd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow virtd_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -473,7 +473,7 @@ optional_policy(`
|
||||
|
||||
allow virt_domain self:capability { dac_read_search dac_override kill };
|
||||
allow virt_domain self:process { execmem execstack signal getsched signull };
|
||||
allow virt_domain self:fifo_file rw_file_perms;
|
||||
allow virt_domain self:fifo_file rw_fifo_file_perms;
|
||||
allow virt_domain self:shm create_shm_perms;
|
||||
allow virt_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
|
||||
@ -571,15 +571,12 @@ optional_policy(`
|
||||
#
|
||||
type virsh_t;
|
||||
type virsh_exec_t;
|
||||
domain_type(virsh_t)
|
||||
init_system_domain(virsh_t, virsh_exec_t)
|
||||
typealias virsh_t alias xm_t;
|
||||
typealias virsh_exec_t alias xm_exec_t;
|
||||
|
||||
allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
|
||||
allow virsh_t self:process { getcap getsched setcap signal };
|
||||
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||
allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow virsh_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -647,7 +644,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
vhostmd_rw_tmpfs_files(virsh_t)
|
||||
vhostmd_stream_connect(virsh_t)
|
||||
vhostmd_stream_connect(virsh_t)
|
||||
vhostmd_dontaudit_rw_stream_connect(virsh_t)
|
||||
')
|
||||
|
||||
@ -672,4 +669,3 @@ optional_policy(`
|
||||
|
||||
userdom_search_admin_dir(virsh_ssh_t)
|
||||
')
|
||||
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -24,7 +24,7 @@ interface(`vnstatd_domtrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
policy_module(vnstatd,1.0.0)
|
||||
policy_module(vnstatd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -24,13 +24,12 @@ cron_system_entry(vnstat_t, vnstat_exec_t)
|
||||
# vnstatd local policy
|
||||
#
|
||||
allow vnstatd_t self:process { fork signal };
|
||||
|
||||
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
||||
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
||||
files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
|
||||
files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
|
||||
|
||||
domain_use_interactive_fds(vnstatd_t)
|
||||
|
||||
@ -44,14 +43,13 @@ miscfiles_read_localization(vnstatd_t)
|
||||
#
|
||||
# vnstat local policy
|
||||
#
|
||||
allow vnstat_t self:process { signal };
|
||||
|
||||
allow vnstat_t self:process signal;
|
||||
allow vnstat_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
||||
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
||||
files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
|
||||
files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
|
||||
|
||||
kernel_read_network_state(vnstat_t)
|
||||
kernel_read_system_state(vnstat_t)
|
||||
@ -65,5 +63,3 @@ fs_getattr_xattr_fs(vnstat_t)
|
||||
logging_send_syslog_msg(vnstat_t)
|
||||
|
||||
miscfiles_read_localization(vnstat_t)
|
||||
|
||||
|
||||
|
||||
@ -26,44 +26,43 @@ gen_require(`
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allows clients to write to the X server shared
|
||||
## memory segments.
|
||||
## </p>
|
||||
## <p>
|
||||
## Allows clients to write to the X server shared
|
||||
## memory segments.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_write_xshm, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allows XServer to execute writable memory
|
||||
## </p>
|
||||
## <p>
|
||||
## Allows XServer to execute writable memory
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_xserver_execmem, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow xdm logins as sysadm
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow xdm logins as sysadm
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(xdm_sysadm_login, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Support X userspace object manager
|
||||
## </p>
|
||||
## <p>
|
||||
## Support X userspace object manager
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(xserver_object_manager, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow regular users direct dri device access
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow regular users direct dri device access
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(user_direct_dri, false)
|
||||
|
||||
attribute xdmhomewriter;
|
||||
attribute x_userdomain;
|
||||
|
||||
attribute x_domain;
|
||||
|
||||
# X Events
|
||||
@ -121,19 +120,18 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven
|
||||
|
||||
type remote_t;
|
||||
xserver_object_types_template(remote)
|
||||
xserver_common_x_domain_template(remote,remote_t)
|
||||
xserver_common_x_domain_template(remote, remote_t)
|
||||
|
||||
type user_fonts_t;
|
||||
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
|
||||
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
|
||||
typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
|
||||
typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
|
||||
userdom_user_home_content(user_fonts_t)
|
||||
|
||||
type user_fonts_cache_t;
|
||||
typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
|
||||
typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
|
||||
typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
|
||||
;
|
||||
userdom_user_home_content(user_fonts_cache_t)
|
||||
|
||||
type user_fonts_config_t;
|
||||
@ -153,8 +151,7 @@ ubac_constrained(iceauth_t)
|
||||
type iceauth_home_t;
|
||||
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
|
||||
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
|
||||
typealias iceauth_home_t alias { xguest_iceauth_home_t };
|
||||
files_poly_member(iceauth_home_t)
|
||||
typealias iceauth_home_t alias { xguest_iceauth_home_t };
|
||||
userdom_user_home_content(iceauth_home_t)
|
||||
|
||||
type xauth_t;
|
||||
@ -169,7 +166,6 @@ type xauth_home_t;
|
||||
typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
|
||||
typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
|
||||
typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
|
||||
files_poly_member(xauth_home_t)
|
||||
userdom_user_home_content(xauth_home_t)
|
||||
|
||||
type xauth_tmp_t;
|
||||
@ -292,13 +288,13 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(iceauth_t)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_read_urand(iceauth_t)
|
||||
dev_dontaudit_rw_dri(iceauth_t)
|
||||
dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
|
||||
fs_dontaudit_list_inotifyfs(iceauth_t)
|
||||
fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
|
||||
term_dontaudit_use_unallocated_ttys(iceauth_t)
|
||||
term_dontaudit_use_unallocated_ttys(iceauth_t)
|
||||
|
||||
userdom_dontaudit_read_user_home_content_files(iceauth_t)
|
||||
userdom_dontaudit_write_user_home_content_files(iceauth_t)
|
||||
@ -362,17 +358,17 @@ userdom_use_user_terminals(xauth_t)
|
||||
userdom_read_user_tmp_files(xauth_t)
|
||||
userdom_read_all_users_state(xauth_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
fs_dontaudit_rw_anon_inodefs_files(xauth_t)
|
||||
fs_dontaudit_list_inotifyfs(xauth_t)
|
||||
userdom_manage_user_home_content_files(xauth_t)
|
||||
userdom_manage_user_tmp_files(xauth_t)
|
||||
dev_dontaudit_rw_generic_dev_nodes(xauth_t)
|
||||
miscfiles_read_fonts(xauth_t)
|
||||
')
|
||||
|
||||
xserver_rw_xdm_tmp_files(xauth_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
fs_dontaudit_rw_anon_inodefs_files(xauth_t)
|
||||
fs_dontaudit_list_inotifyfs(xauth_t)
|
||||
userdom_manage_user_home_content_files(xauth_t)
|
||||
userdom_manage_user_tmp_files(xauth_t)
|
||||
dev_dontaudit_rw_generic_dev_nodes(xauth_t)
|
||||
miscfiles_read_fonts(xauth_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files(xauth_t)
|
||||
fs_read_nfs_symlinks(xauth_t)
|
||||
@ -382,8 +378,8 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(xauth_t)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
term_dontaudit_use_unallocated_ttys(xauth_t)
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
term_dontaudit_use_unallocated_ttys(xauth_t)
|
||||
dev_dontaudit_rw_dri(xauth_t)
|
||||
')
|
||||
|
||||
@ -403,8 +399,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
|
||||
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace };
|
||||
allow xdm_t self:process { getattr getcap setcap };
|
||||
allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace };
|
||||
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
||||
allow xdm_t self:shm create_shm_perms;
|
||||
allow xdm_t self:sem create_sem_perms;
|
||||
@ -419,7 +414,7 @@ allow xdm_t self:key { search link write };
|
||||
|
||||
allow xdm_t xauth_home_t:file manage_file_perms;
|
||||
|
||||
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
|
||||
allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
|
||||
manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
|
||||
@ -470,7 +465,7 @@ manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
|
||||
manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
|
||||
files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
|
||||
@ -488,7 +483,7 @@ allow xdm_t xserver_t:process { signal signull };
|
||||
allow xdm_t xserver_t:unix_stream_socket connectto;
|
||||
|
||||
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
|
||||
allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
|
||||
allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
|
||||
|
||||
# transition to the xdm xserver
|
||||
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
|
||||
@ -656,6 +651,14 @@ application_signal(xdm_t)
|
||||
xserver_rw_session(xdm_t, xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_t)
|
||||
fs_manage_nfs_files(xdm_t)
|
||||
@ -728,10 +731,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(xdm_t)
|
||||
')
|
||||
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
# Talk to the console mouse server.
|
||||
gpm_stream_connect(xdm_t)
|
||||
@ -763,7 +764,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_dbus_chat(xdm_t)
|
||||
policykit_dbus_chat(xdm_t)
|
||||
policykit_domtrans_auth(xdm_t)
|
||||
policykit_read_lib(xdm_t)
|
||||
policykit_read_reload(xdm_t)
|
||||
@ -822,14 +823,6 @@ optional_policy(`
|
||||
unconfined_signal(xdm_t)
|
||||
')
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userhelper_dontaudit_search_config(xdm_t)
|
||||
')
|
||||
@ -884,10 +877,6 @@ allow xserver_t self:udp_socket create_socket_perms;
|
||||
allow xserver_t self:netlink_selinux_socket create_socket_perms;
|
||||
allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
# Device rules
|
||||
allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
|
||||
allow x_domain xserver_t:x_screen getattr;
|
||||
|
||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||
|
||||
domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
|
||||
@ -912,11 +901,11 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||
files_search_var_lib(xserver_t)
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
|
||||
manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
|
||||
manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
|
||||
files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
|
||||
|
||||
manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
|
||||
manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
|
||||
manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
|
||||
manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
|
||||
files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
|
||||
@ -1126,7 +1115,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
allow xserver_t xdm_var_lib_t:file read_file_perms;
|
||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||
dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
|
||||
|
||||
read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
|
||||
|
||||
@ -1136,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
|
||||
# Run xkbcomp.
|
||||
allow xserver_t xkb_var_lib_t:lnk_file read;
|
||||
allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
|
||||
can_exec(xserver_t, xkb_var_lib_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
@ -1153,10 +1142,6 @@ userdom_read_all_users_state(xserver_t)
|
||||
|
||||
xserver_use_user_fonts(xserver_t)
|
||||
|
||||
optional_policy(`
|
||||
userhelper_search_config(xserver_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
@ -1186,6 +1171,10 @@ optional_policy(`
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userhelper_search_config(xserver_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@ -1229,7 +1218,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
allow x_domain self:x_drawable { blend };
|
||||
allow x_domain self:x_drawable blend;
|
||||
# operations allowed on all windows
|
||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||
|
||||
@ -1283,11 +1272,31 @@ allow x_domain self:x_resource { read write };
|
||||
# can mess with the screensaver
|
||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||
|
||||
# Device rules
|
||||
allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
|
||||
allow x_domain xserver_t:x_screen getattr;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules for unconfined access to this module
|
||||
#
|
||||
|
||||
allow xserver_unconfined_type xserver_t:x_server *;
|
||||
allow xserver_unconfined_type xdrawable_type:x_drawable *;
|
||||
allow xserver_unconfined_type xserver_t:x_screen *;
|
||||
allow xserver_unconfined_type x_domain:x_gc *;
|
||||
allow xserver_unconfined_type xcolormap_type:x_colormap *;
|
||||
allow xserver_unconfined_type xproperty_type:x_property *;
|
||||
allow xserver_unconfined_type xselection_type:x_selection *;
|
||||
allow xserver_unconfined_type x_domain:x_cursor *;
|
||||
allow xserver_unconfined_type x_domain:x_client *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
|
||||
allow xserver_unconfined_type xextension_type:x_extension *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined(x_domain),
|
||||
# but typeattribute doesnt work in conditionals
|
||||
@ -1309,31 +1318,6 @@ tunable_policy(`! xserver_object_manager',`
|
||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||
')
|
||||
|
||||
allow xserver_unconfined_type xserver_t:x_server *;
|
||||
allow xserver_unconfined_type xdrawable_type:x_drawable *;
|
||||
allow xserver_unconfined_type xserver_t:x_screen *;
|
||||
allow xserver_unconfined_type x_domain:x_gc *;
|
||||
allow xserver_unconfined_type xcolormap_type:x_colormap *;
|
||||
allow xserver_unconfined_type xproperty_type:x_property *;
|
||||
allow xserver_unconfined_type xselection_type:x_selection *;
|
||||
allow xserver_unconfined_type x_domain:x_cursor *;
|
||||
allow xserver_unconfined_type x_domain:x_client *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
|
||||
allow xserver_unconfined_type xextension_type:x_extension *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
optional_policy(`
|
||||
unconfined_rw_shm(xserver_t)
|
||||
unconfined_execmem_rw_shm(xserver_t)
|
||||
|
||||
# xserver signals unconfined user on startx
|
||||
unconfined_signal(xserver_t)
|
||||
unconfined_getpgid(xserver_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_xserver_execmem',`
|
||||
allow xserver_t self:process { execheap execmem execstack };
|
||||
')
|
||||
@ -1354,3 +1338,12 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_append_cifs_files(xdmhomewriter)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_rw_shm(xserver_t)
|
||||
unconfined_execmem_rw_shm(xserver_t)
|
||||
|
||||
# xserver signals unconfined user on startx
|
||||
unconfined_signal(xserver_t)
|
||||
unconfined_getpgid(xserver_t)
|
||||
')
|
||||
|
||||
@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
|
||||
#
|
||||
|
||||
allow zabbix_t self:capability { setuid setgid };
|
||||
allow zabbix_t self:fifo_file rw_file_perms;
|
||||
allow zabbix_t self:fifo_file rw_fifo_file_perms;
|
||||
allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
# log files
|
||||
allow zabbix_t zabbix_log_t:dir setattr;
|
||||
allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
|
||||
manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
||||
logging_log_filetrans(zabbix_t, zabbix_log_t, file)
|
||||
|
||||
|
||||
@ -47,7 +47,7 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
|
||||
# zarafa_server local policy
|
||||
#
|
||||
|
||||
allow zarafa_server_t self:capability { chown kill net_bind_service};
|
||||
allow zarafa_server_t self:capability { chown kill net_bind_service };
|
||||
allow zarafa_server_t self:process { setrlimit signal };
|
||||
|
||||
corenet_tcp_bind_zarafa_port(zarafa_server_t)
|
||||
@ -73,7 +73,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow zarafa_spooler_t self:capability { chown kill };
|
||||
allow zarafa_spooler_t self:process { signal };
|
||||
allow zarafa_spooler_t self:process signal;
|
||||
|
||||
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
|
||||
|
||||
@ -110,7 +110,6 @@ allow zarafa_monitor_t self:capability chown;
|
||||
|
||||
# bad permission on /etc/zarafa
|
||||
allow zarafa_domain self:capability { dac_override setgid setuid };
|
||||
|
||||
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
|
||||
allow zarafa_domain self:tcp_socket create_stream_socket_perms;
|
||||
allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@ -6,11 +6,10 @@ policy_module(zebra, 1.11.1)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow zebra daemon to write it configuration files
|
||||
## </p>
|
||||
## <p>
|
||||
## Allow zebra daemon to write it configuration files
|
||||
## </p>
|
||||
## </desc>
|
||||
#
|
||||
gen_tunable(allow_zebra_write_config, false)
|
||||
|
||||
type zebra_t;
|
||||
@ -52,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
|
||||
read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
|
||||
read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
|
||||
|
||||
allow zebra_t zebra_log_t:dir setattr;
|
||||
allow zebra_t zebra_log_t:dir setattr_dir_perms;
|
||||
manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
||||
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
||||
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
|
||||
|
||||
@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
|
||||
#
|
||||
|
||||
allow zos_remote_t self:process signal;
|
||||
allow zos_remote_t self:fifo_file rw_file_perms;
|
||||
allow zos_remote_t self:fifo_file rw_fifo_file_perms;
|
||||
allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
files_read_etc_files(zos_remote_t)
|
||||
|
||||
@ -520,7 +520,7 @@ logging_read_audit_config(initrc_t)
|
||||
|
||||
miscfiles_read_localization(initrc_t)
|
||||
# slapd needs to read cert files from its initscript
|
||||
miscfiles_manage_cert_files(initrc_t)
|
||||
miscfiles_manage_generic_cert_files(initrc_t)
|
||||
|
||||
modutils_read_module_config(initrc_t)
|
||||
modutils_domtrans_insmod(initrc_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user