trunk: 3 patches from dan.
This commit is contained in:
parent
14c0edc7e9
commit
fb4826f424
@ -3,6 +3,8 @@
|
||||
#
|
||||
/dev/printer -s gen_context(system_u:object_r:printer_t,s0)
|
||||
|
||||
/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lpd, 1.10.2)
|
||||
policy_module(lpd, 1.10.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -233,7 +233,6 @@ allow lpr_t self:capability { setuid dac_override net_bind_service chown };
|
||||
allow lpr_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow lpr_t self:tcp_socket create_socket_perms;
|
||||
allow lpr_t self:udp_socket create_socket_perms;
|
||||
allow lpr_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
can_exec(lpr_t, lpr_exec_t)
|
||||
|
||||
@ -273,9 +272,9 @@ fs_getattr_xattr_fs(lpr_t)
|
||||
term_use_controlling_term(lpr_t)
|
||||
term_use_generic_ptys(lpr_t)
|
||||
|
||||
miscfiles_read_localization(lpr_t)
|
||||
auth_use_nsswitch(lpr_t)
|
||||
|
||||
sysnet_read_config(lpr_t)
|
||||
miscfiles_read_localization(lpr_t)
|
||||
|
||||
userdom_read_user_tmp_symlinks(lpr_t)
|
||||
# Write to the user domain tty.
|
||||
@ -338,11 +337,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(lpr_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(lpr_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(lpr_t)
|
||||
')
|
||||
|
@ -1,3 +1,6 @@
|
||||
/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
@ -8,6 +11,8 @@
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
||||
|
||||
/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
||||
/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
||||
|
||||
|
@ -95,23 +95,34 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the snmp domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`snmp_admin',`
|
||||
gen_require(`
|
||||
type snmpd_t, snmpd_log_t;
|
||||
type snmpd_var_lib_t, snmpd_var_run_t;
|
||||
type snmpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 snmpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, snmpd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 snmpd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
|
||||
admin_pattern($1, snmpd_log_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
||||
admin_pattern($1, snmpd_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t)
|
||||
admin_pattern($1, snmpd_var_run_t)
|
||||
')
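Review bot: In snmp_admin the line `allow $1 snmpd_t:process { ptrace signal_perms getattr };` differs from the equivalent line this same commit adds to virt_admin (`{ ptrace signal_perms }`), and `getattr` is presumably already granted by the `ps_process_pattern($1, snmpd_t)` that follows it — confirm against the pattern macro and drop it so the two admin interfaces read alike. Likewise each `manage_files_pattern($1, snmpd_*_t, snmpd_*_t)` placed directly before `admin_pattern($1, snmpd_*_t)` looks redundant if admin_pattern already covers file management; verify and keep only the admin_pattern calls. The interface's summary and its first `<param>` begin above the hunk.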
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(snmp, 1.8.1)
|
||||
policy_module(snmp, 1.8.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -9,6 +9,9 @@ type snmpd_t;
|
||||
type snmpd_exec_t;
|
||||
init_daemon_domain(snmpd_t, snmpd_exec_t)
|
||||
|
||||
type snmpd_initrc_exec_t;
|
||||
init_script_file(snmpd_initrc_exec_t)
|
||||
|
||||
type snmpd_log_t;
|
||||
logging_log_file(snmpd_log_t)
|
||||
|
||||
@ -22,8 +25,9 @@ files_type(snmpd_var_lib_t)
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
|
||||
allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
|
||||
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
|
||||
allow snmpd_t self:process { getsched setsched };
|
||||
allow snmpd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -45,6 +49,7 @@ files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
|
||||
|
||||
kernel_read_device_sysctls(snmpd_t)
|
||||
kernel_read_kernel_sysctls(snmpd_t)
|
||||
kernel_read_fs_sysctls(snmpd_t)
|
||||
kernel_read_net_sysctls(snmpd_t)
|
||||
kernel_read_proc_symlinks(snmpd_t)
|
||||
kernel_read_system_state(snmpd_t)
|
||||
@ -76,13 +81,13 @@ dev_getattr_usbfs_dirs(snmpd_t)
|
||||
domain_use_interactive_fds(snmpd_t)
|
||||
domain_signull_all_domains(snmpd_t)
|
||||
domain_read_all_domains_state(snmpd_t)
|
||||
domain_dontaudit_ptrace_all_domains(snmpd_t)
|
||||
domain_exec_all_entry_files(snmpd_t)
|
||||
|
||||
files_read_etc_files(snmpd_t)
|
||||
files_read_usr_files(snmpd_t)
|
||||
files_read_etc_runtime_files(snmpd_t)
|
||||
files_search_home(snmpd_t)
|
||||
files_getattr_boot_dirs(snmpd_t)
|
||||
files_dontaudit_getattr_home_dir(snmpd_t)
|
||||
|
||||
fs_getattr_all_dirs(snmpd_t)
|
||||
fs_getattr_all_fs(snmpd_t)
|
||||
@ -91,6 +96,9 @@ fs_search_auto_mountpoints(snmpd_t)
|
||||
storage_dontaudit_read_fixed_disk(snmpd_t)
|
||||
storage_dontaudit_read_removable_device(snmpd_t)
|
||||
|
||||
auth_use_nsswitch(snmpd_t)
|
||||
auth_read_all_dirs_except_shadow(snmpd_t)
|
||||
|
||||
init_read_utmp(snmpd_t)
|
||||
init_dontaudit_write_utmp(snmpd_t)
|
||||
|
||||
@ -117,7 +125,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
auth_use_nsswitch(snmpd_t)
|
||||
consoletype_exec(snmpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -148,3 +156,15 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(snmpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_stream_connect(snmpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_read_xen_state(snmpd_t)
|
||||
kernel_write_xen_state(snmpd_t)
|
||||
|
||||
xen_stream_connect(snmpd_t)
|
||||
xen_stream_connect_xenstore(snmpd_t)
|
||||
')
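Review bot: The local-policy hunk widens snmpd_t's capability set with `sys_ptrace` and `ipc_lock`, and the later hunks add `domain_read_all_domains_state(snmpd_t)`, `domain_dontaudit_ptrace_all_domains(snmpd_t)` and `auth_read_all_dirs_except_shadow(snmpd_t)`, with nothing in the hunks or the commit message saying which agent feature needs them; for a network-facing daemon, reading every domain's process state and every directory outside shadow is a broad grant that a later maintainer will not be able to trim without that rationale. Suggest a comment above the capability line, e.g. `# sys_ptrace, ipc_lock and all-domain state reads: presumably for the process/host-resources MIBs — confirm and narrow if possible`, and the same for `auth_read_all_dirs_except_shadow`. The accompanying move of `auth_use_nsswitch(snmpd_t)` out of the optional_policy block is fine and needs no note.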
|
||||
|
@ -2,6 +2,7 @@
|
||||
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
|
||||
/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
||||
/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
||||
/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||
|
||||
|
@ -1,5 +1,27 @@
|
||||
## <summary>Libvirt virtualization API</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type usable as a virt image
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type to be used as a virtual image
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`virt_image',`
|
||||
gen_require(`
|
||||
attribute virt_image_type;
|
||||
')
|
||||
|
||||
typeattribute $1 virt_image_type;
|
||||
files_type($1)
|
||||
|
||||
# virt images can be assigned to blk devices
|
||||
dev_node($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run virt.
|
||||
@ -18,6 +40,25 @@ interface(`virt_domtrans',`
|
||||
domtrans_pattern($1, virtd_exec_t, virtd_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Connect to virt over an unix domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`virt_stream_connect',`
|
||||
gen_require(`
|
||||
type virtd_t, virt_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read virt config files.
|
||||
@ -39,6 +80,27 @@ interface(`virt_read_config',`
|
||||
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## manage virt config files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`virt_manage_config',`
|
||||
gen_require(`
|
||||
type virt_etc_t;
|
||||
type virt_etc_rw_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
manage_files_pattern($1, virt_etc_t, virt_etc_t)
|
||||
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read virt PID files.
|
||||
@ -214,6 +276,7 @@ interface(`virt_manage_images',`
|
||||
manage_dirs_pattern($1, virt_image_t, virt_image_t)
|
||||
manage_files_pattern($1, virt_image_t, virt_image_t)
|
||||
read_lnk_files_pattern($1, virt_image_t, virt_image_t)
|
||||
rw_blk_files_pattern($1, virt_image_t, virt_image_t)
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs($1)
|
||||
@ -242,12 +305,17 @@ interface(`virt_manage_images',`
|
||||
#
|
||||
interface(`virt_admin',`
|
||||
gen_require(`
|
||||
type virtd_t;
|
||||
type virtd_t, virtd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 virtd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, virtd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 virtd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
virt_manage_pid_files($1)
|
||||
|
||||
virt_manage_lib_files($1)
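Review bot: The banner above `interface(\`virt_stream_connect',\`` is one `#` short of the 40-column separator used by every other interface in this file (compare the one above `virt_image`), and the new `virt_manage_config` summary is lowercase (`## manage virt config files.`) where the neighbouring summaries are sentence-cased (`## Read virt config files.`); suggest `## Manage virt config files.` and padding the banner to match. Both are cosmetic, but the file is otherwise uniform and these docs feed the generated interface reference. On substance, the new `virt_image` interface grants `dev_node($1)` to any type passed in, so callers should be told in its summary that the type will also be valid for block device nodes, e.g. `## Make the specified type usable as a virt image (file or block device).`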
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(virt, 1.0.1)
|
||||
policy_module(virt, 1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -20,6 +20,8 @@ gen_tunable(virt_use_nfs, false)
|
||||
## </desc>
|
||||
gen_tunable(virt_use_samba, false)
|
||||
|
||||
attribute virt_image_type;
|
||||
|
||||
type virt_etc_t;
|
||||
files_config_file(virt_etc_t)
|
||||
|
||||
@ -27,10 +29,8 @@ type virt_etc_rw_t;
|
||||
files_type(virt_etc_rw_t)
|
||||
|
||||
# virt Image files
|
||||
type virt_image_t; # customizable
|
||||
files_type(virt_image_t)
|
||||
# virt_image_t can be assigned to blk devices
|
||||
dev_node(virt_image_t)
|
||||
type virt_image_t, virt_image_type; # customizable
|
||||
virt_image(virt_image_t)
|
||||
|
||||
type virt_log_t;
|
||||
logging_log_file(virt_log_t)
|
||||
@ -45,13 +45,16 @@ type virtd_t;
|
||||
type virtd_exec_t;
|
||||
init_daemon_domain(virtd_t, virtd_exec_t)
|
||||
|
||||
type virtd_initrc_exec_t;
|
||||
init_script_file(virtd_initrc_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# virtd local policy
|
||||
#
|
||||
|
||||
allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
|
||||
allow virtd_t self:process { sigkill signal execmem };
|
||||
allow virtd_t self:process { getsched sigkill signal execmem };
|
||||
allow virtd_t self:fifo_file rw_file_perms;
|
||||
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow virtd_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -64,7 +67,7 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
|
||||
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
@ -109,6 +112,7 @@ files_read_usr_files(virtd_t)
|
||||
files_read_etc_files(virtd_t)
|
||||
files_read_etc_runtime_files(virtd_t)
|
||||
files_search_all(virtd_t)
|
||||
files_list_kernel_modules(virtd_t)
|
||||
|
||||
fs_list_auto_mountpoints(virtd_t)
|
||||
|
||||
@ -159,11 +163,11 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
#optional_policy(`
|
||||
# dnsmasq_domtrans(virtd_t)
|
||||
# dnsmasq_signal(virtd_t)
|
||||
# dnsmasq_sigkill(virtd_t)
|
||||
#')
|
||||
optional_policy(`
|
||||
dnsmasq_domtrans(virtd_t)
|
||||
dnsmasq_signal(virtd_t)
|
||||
dnsmasq_kill(virtd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
iptables_domtrans(virtd_t)
|
||||
@ -192,3 +196,7 @@ optional_policy(`
|
||||
xen_stream_connect(virtd_t)
|
||||
xen_stream_connect_xenstore(virtd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(virtd_t)
|
||||
')
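Review bot: The final hunk adds `unconfined_domain(virtd_t)` inside an optional_policy block, which makes virtd_t fully unconfined on any build that ships the unconfined module and thereby voids every allow rule in this file there; neither the hunk nor the commit message ("3 patches from dan") says whether that is intentional or a stopgap. If it is interim, a comment above the block such as `# TODO: temporary until virtd_t policy covers libvirt's helper tools; remove` would keep it from becoming permanent, and a tunable would let hardened builds opt out. Separately, `files_search_all(virtd_t)` in the @ -109 hunk is broader than the directory-specific search interfaces and deserves a one-line comment naming the path it needs, and the dnsmasq block calls `dnsmasq_kill(virtd_t)` where the previously commented-out version used `dnsmasq_sigkill` — presumably the interface was renamed, but worth confirming it exists in dnsmasq.if.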
|
||||
|