Merge branch 'base'
commit
fc0d3d55f8
@ -258,7 +258,6 @@ interface(`mpd_admin',`
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, mpd_var_lib_t)
|
||||
|
||||
mpd_list_lib($1)
|
||||
admin_pattern($1, mpd_data_t)
|
||||
|
||||
admin_pattern($1, mpd_log_t)
|
||||
|
@ -710,8 +710,8 @@ interface(`postfix_admin',`
|
||||
allow $1 postfix_smtpd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_smtpd_t)
|
||||
|
||||
postfix_run_map($1,$2)
|
||||
postfix_run_postdrop($1,$2)
|
||||
postfix_run_map($1, $2)
|
||||
postfix_run_postdrop($1, $2)
|
||||
|
||||
postfix_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
|
@ -20,8 +20,7 @@
|
||||
interface(`postfixpolicyd_admin',`
|
||||
gen_require(`
|
||||
type postfix_policyd_t, postfix_policyd_conf_t;
|
||||
type postfix_policyd_var_run_t;
|
||||
type postfix_policyd_initrc_exec_t;
|
||||
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_policyd_t:process { ptrace signal_perms };
|
||||
|
@ -45,14 +45,6 @@ interface(`postgresql_role',`
|
||||
# Client local policy
|
||||
#
|
||||
|
||||
tunable_policy(`sepgsql_enable_users_ddl',`
|
||||
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
|
||||
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
|
||||
|
||||
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
|
||||
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
||||
')
|
||||
|
||||
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
||||
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
|
||||
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
|
||||
@ -69,6 +61,14 @@ interface(`postgresql_role',`
|
||||
|
||||
allow $2 sepgsql_trusted_proc_t:process transition;
|
||||
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
|
||||
|
||||
tunable_policy(`sepgsql_enable_users_ddl',`
|
||||
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
|
||||
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
|
||||
|
||||
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
|
||||
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -195,7 +195,7 @@ interface(`postgresql_search_db',`
|
||||
type postgresql_db_t;
|
||||
')
|
||||
|
||||
allow $1 postgresql_db_t:dir search;
|
||||
allow $1 postgresql_db_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -207,6 +207,7 @@ interface(`postgresql_search_db',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_manage_db',`
|
||||
gen_require(`
|
||||
type postgresql_db_t;
|
||||
@ -214,7 +215,7 @@ interface(`postgresql_manage_db',`
|
||||
|
||||
allow $1 postgresql_db_t:dir rw_dir_perms;
|
||||
allow $1 postgresql_db_t:file rw_file_perms;
|
||||
allow $1 postgresql_db_t:lnk_file { getattr read };
|
||||
allow $1 postgresql_db_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -304,7 +305,6 @@ interface(`postgresql_tcp_connect',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`postgresql_stream_connect',`
|
||||
gen_require(`
|
||||
@ -313,7 +313,7 @@ interface(`postgresql_stream_connect',`
|
||||
|
||||
files_search_pids($1)
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
|
||||
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -359,13 +359,6 @@ interface(`postgresql_unpriv_client',`
|
||||
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
|
||||
allow $1 sepgsql_trusted_proc_t:process transition;
|
||||
|
||||
tunable_policy(`sepgsql_enable_users_ddl',`
|
||||
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
|
||||
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
|
||||
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
|
||||
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
||||
')
|
||||
|
||||
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
||||
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
|
||||
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
|
||||
@ -379,6 +372,13 @@ interface(`postgresql_unpriv_client',`
|
||||
|
||||
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
|
||||
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
|
||||
|
||||
tunable_policy(`sepgsql_enable_users_ddl',`
|
||||
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
|
||||
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
|
||||
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
|
||||
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -418,13 +418,10 @@ interface(`postgresql_unconfined',`
|
||||
#
|
||||
interface(`postgresql_admin',`
|
||||
gen_require(`
|
||||
attribute sepgsql_admin_type;
|
||||
attribute sepgsql_client_type;
|
||||
|
||||
type postgresql_t, postgresql_var_run_t;
|
||||
type postgresql_tmp_t, postgresql_db_t;
|
||||
type postgresql_etc_t, postgresql_log_t;
|
||||
type postgresql_initrc_exec_t;
|
||||
attribute sepgsql_admin_type, sepgsql_client_type;
|
||||
type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
|
||||
type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
|
||||
type postgresql_etc_t;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_admin_type;
|
||||
@ -437,6 +434,7 @@ interface(`postgresql_admin',`
|
||||
role_transition $2 postgresql_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, postgresql_var_run_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
@ -448,6 +446,7 @@ interface(`postgresql_admin',`
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, postgresql_log_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, postgresql_tmp_t)
|
||||
|
||||
postgresql_tcp_connect($1)
|
||||
|
@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
|
||||
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
|
||||
')
|
||||
|
||||
stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
|
||||
stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
|
||||
stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
|
||||
files_search_pids($1)
|
||||
files_search_spool($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
|
||||
type postgrey_spool_t;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 postgrey_spool_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
@ -57,9 +58,8 @@ interface(`postgrey_search_spool',`
|
||||
#
|
||||
interface(`postgrey_admin',`
|
||||
gen_require(`
|
||||
type postgrey_t, postgrey_etc_t;
|
||||
type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
|
||||
type postgrey_var_lib_t, postgrey_var_run_t;
|
||||
type postgrey_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 postgrey_t:process { ptrace signal_perms };
|
||||
|
@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`ppp_kill',`
|
||||
gen_require(`
|
||||
type pppd_t;
|
||||
@ -180,8 +179,7 @@ interface(`ppp_run',`
|
||||
')
|
||||
|
||||
ppp_domtrans($1)
|
||||
role $2 types pppd_t;
|
||||
role $2 types pptp_t;
|
||||
role $2 types { pppd_t pptp_t };
|
||||
|
||||
optional_policy(`
|
||||
ddclient_run(pppd_t, $2)
|
||||
@ -281,6 +279,7 @@ interface(`ppp_read_pid_files',`
|
||||
type pppd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 pppd_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',`
|
||||
type pppd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 pppd_var_run_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
@ -353,16 +353,17 @@ interface(`ppp_initrc_domtrans',`
|
||||
interface(`ppp_admin',`
|
||||
gen_require(`
|
||||
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
|
||||
type pppd_etc_t, pppd_secret_t;
|
||||
type pppd_etc_rw_t, pppd_var_run_t;
|
||||
|
||||
type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
|
||||
type pptp_t, pptp_log_t, pptp_var_run_t;
|
||||
type pppd_initrc_exec_t;
|
||||
type pppd_initrc_exec_t, pppd_etc_rw_t;
|
||||
')
|
||||
|
||||
allow $1 pppd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, pppd_t)
|
||||
|
||||
allow $1 pptp_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, pptp_t)
|
||||
|
||||
ppp_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 pppd_initrc_exec_t system_r;
|
||||
@ -374,6 +375,7 @@ interface(`ppp_admin',`
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, pppd_log_t)
|
||||
|
||||
files_list_locks($1)
|
||||
admin_pattern($1, pppd_lock_t)
|
||||
|
||||
files_list_etc($1)
|
||||
@ -386,9 +388,6 @@ interface(`ppp_admin',`
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, pppd_var_run_t)
|
||||
|
||||
allow $1 pptp_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, pptp_t)
|
||||
|
||||
admin_pattern($1, pptp_log_t)
|
||||
|
||||
admin_pattern($1, pptp_var_run_t)
|
||||
|
@ -112,13 +112,10 @@ interface(`prelude_manage_spool',`
|
||||
#
|
||||
interface(`prelude_admin',`
|
||||
gen_require(`
|
||||
type prelude_t, prelude_spool_t;
|
||||
type prelude_var_run_t, prelude_var_lib_t;
|
||||
type prelude_audisp_t, prelude_audisp_var_run_t;
|
||||
type prelude_initrc_exec_t;
|
||||
|
||||
type prelude_lml_t, prelude_lml_tmp_t;
|
||||
type prelude_lml_var_run_t;
|
||||
type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
|
||||
type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
|
||||
type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
|
||||
type prelude_lml_t;
|
||||
')
|
||||
|
||||
allow $1 prelude_t:process { ptrace signal_perms };
|
||||
@ -144,9 +141,8 @@ interface(`prelude_admin',`
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, prelude_var_run_t)
|
||||
admin_pattern($1, prelude_audisp_var_run_t)
|
||||
admin_pattern($1, prelude_lml_var_run_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, prelude_lml_tmp_t)
|
||||
|
||||
admin_pattern($1, prelude_lml_var_run_t)
|
||||
')
|
||||
|
@ -19,9 +19,8 @@
|
||||
#
|
||||
interface(`privoxy_admin',`
|
||||
gen_require(`
|
||||
type privoxy_t, privoxy_log_t;
|
||||
type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
|
||||
type privoxy_etc_rw_t, privoxy_var_run_t;
|
||||
type privoxy_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 privoxy_t:process { ptrace signal_perms };
|
||||
|
@ -96,4 +96,3 @@ interface(`procmail_read_home_files',`
|
||||
userdom_search_user_home_dirs($1)
|
||||
read_files_pattern($1, procmail_home_t, procmail_home_t)
|
||||
')
|
||||
|
||||
|
@ -91,7 +91,6 @@ interface(`psad_manage_config',`
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
|
||||
manage_files_pattern($1, psad_etc_t, psad_etc_t)
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -115,7 +114,7 @@ interface(`psad_read_pid_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read psad PID files.
|
||||
## Read and write psad PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -253,8 +252,8 @@ interface(`psad_rw_tmp_files',`
|
||||
interface(`psad_admin',`
|
||||
gen_require(`
|
||||
type psad_t, psad_var_run_t, psad_var_log_t;
|
||||
type psad_initrc_exec_t, psad_var_lib_t;
|
||||
type psad_tmp_t, psad_etc_t;
|
||||
type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
|
||||
type psad_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 psad_t:process { ptrace signal_perms };
|
||||
|
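Review bot: The summary rewritten to `## Read and write psad PID files.` documents the interface that follows psad_read_pid_files, and that interface's `interface(...)` line and rules are outside the hunk, so the new wording cannot be checked against the interface name or what it grants here. Confirm that the interface really grants write access on psad_var_run_t (for example via rw_files_pattern) and that its name says so; otherwise the summary now overstates the access the caller receives. A one-word mismatch between summary and rule set is exactly what policy reviewers rely on when deciding whether to call an interface.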
@ -21,7 +21,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`puppet_rw_tmp', `
|
||||
interface(`puppet_rw_tmp',`
|
||||
gen_require(`
|
||||
type puppet_tmp_t;
|
||||
')
|
||||
|
@ -14,6 +14,7 @@
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`pyzor_role',`
|
||||
gen_require(`
|
||||
@ -28,7 +29,7 @@ interface(`pyzor_role',`
|
||||
|
||||
# allow ps to show pyzor and allow the user to kill it
|
||||
ps_process_pattern($2, pyzor_t)
|
||||
allow $2 pyzor_t:process signal;
|
||||
allow $2 pyzor_t:process { ptrace signal_perms };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -109,8 +110,7 @@ interface(`pyzor_exec',`
|
||||
interface(`pyzor_admin',`
|
||||
gen_require(`
|
||||
type pyzord_t, pyzor_tmp_t, pyzord_log_t;
|
||||
type pyzor_etc_t, pyzor_var_lib_t;
|
||||
type pyzord_initrc_exec_t;
|
||||
type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 pyzord_t:process { ptrace signal_perms };
|
||||
@ -133,5 +133,3 @@ interface(`pyzor_admin',`
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, pyzor_var_lib_t)
|
||||
')
|
||||
|
||||
|
||||
|
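Review bot: The pyzor_role rule `allow $2 pyzor_t:process { ptrace signal_perms };` widens the user role's access from plain `signal` to ptrace, which lets the role inspect and control the pyzor process rather than just signal it, while the comment above it still reads "allow ps to show pyzor and allow the user to kill it". Either keep the rule at what the comment promises, `allow $2 pyzor_t:process signal_perms;`, or extend the comment to say why the role needs ptrace over pyzor_t. The razor_role hunk makes the identical change (`allow $2 razor_t:process { ptrace signal_perms };`) under the same stale comment and needs the same decision.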
@ -1,4 +1,3 @@
|
||||
|
||||
## <summary>policy for qpidd</summary>
|
||||
|
||||
########################################
|
||||
@ -19,7 +18,6 @@ interface(`qpidd_domtrans',`
|
||||
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute qpidd server in the qpidd domain.
|
||||
@ -72,12 +70,12 @@ interface(`qpidd_manage_var_run',`
|
||||
type qpidd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
|
||||
manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
|
||||
manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search qpidd lib directories.
|
||||
@ -151,12 +149,12 @@ interface(`qpidd_manage_var_lib',`
|
||||
type qpidd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
||||
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
||||
manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
@ -176,17 +174,12 @@ interface(`qpidd_manage_var_lib',`
|
||||
#
|
||||
interface(`qpidd_admin',`
|
||||
gen_require(`
|
||||
type qpidd_t;
|
||||
type qpidd_t, qpidd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 qpidd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, qpidd_t)
|
||||
|
||||
|
||||
gen_require(`
|
||||
type qpidd_initrc_exec_t;
|
||||
')
|
||||
|
||||
# Allow qpidd_t to restart the apache service
|
||||
qpidd_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
@ -196,7 +189,6 @@ interface(`qpidd_admin',`
|
||||
qpidd_manage_var_run($1)
|
||||
|
||||
qpidd_manage_var_lib($1)
|
||||
|
||||
')
|
||||
|
||||
#####################################
|
||||
|
@ -19,8 +19,8 @@
|
||||
#
|
||||
interface(`radvd_admin',`
|
||||
gen_require(`
|
||||
type radvd_t, radvd_etc_t;
|
||||
type radvd_var_run_t, radvd_initrc_exec_t;
|
||||
type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
|
||||
type radvd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 radvd_t:process { ptrace signal_perms };
|
||||
|
@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
|
||||
gen_require(`
|
||||
type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
|
||||
')
|
||||
|
||||
type $1_t;
|
||||
domain_type($1_t)
|
||||
domain_entry_file($1_t, razor_exec_t)
|
||||
@ -46,7 +47,7 @@ template(`razor_common_domain_template',`
|
||||
# Read system config file
|
||||
allow $1_t razor_etc_t:dir list_dir_perms;
|
||||
allow $1_t razor_etc_t:file read_file_perms;
|
||||
allow $1_t razor_etc_t:lnk_file { getattr read };
|
||||
allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
|
||||
manage_files_pattern($1_t, razor_log_t, razor_log_t)
|
||||
@ -117,6 +118,7 @@ template(`razor_common_domain_template',`
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`razor_role',`
|
||||
gen_require(`
|
||||
@ -130,7 +132,7 @@ interface(`razor_role',`
|
||||
|
||||
# allow ps to show razor and allow the user to kill it
|
||||
ps_process_pattern($2, razor_t)
|
||||
allow $2 razor_t:process signal;
|
||||
allow $2 razor_t:process { ptrace signal_perms };
|
||||
|
||||
manage_dirs_pattern($2, razor_home_t, razor_home_t)
|
||||
manage_files_pattern($2, razor_home_t, razor_home_t)
|
||||
@ -197,4 +199,3 @@ interface(`razor_read_lib_files',`
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
|
||||
')
|
||||
|
||||
|
@ -91,7 +91,7 @@ interface(`rgmanager_rw_semaphores',`
|
||||
type rgmanager_t;
|
||||
')
|
||||
|
||||
allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
|
||||
allow $1 rgmanager_t:sem rw_sem_perms;
|
||||
')
|
||||
|
||||
######################################
|
||||
|
@ -13,9 +13,7 @@
|
||||
#
|
||||
template(`rhcs_domain_template',`
|
||||
gen_require(`
|
||||
attribute cluster_domain;
|
||||
attribute cluster_tmpfs;
|
||||
attribute cluster_pid;
|
||||
attribute cluster_domain, cluster_tmpfs, cluster_pid;
|
||||
')
|
||||
|
||||
##############################
|
||||
@ -53,7 +51,6 @@ template(`rhcs_domain_template',`
|
||||
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
||||
files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
|
||||
|
||||
')
|
||||
|
||||
######################################
|
||||
@ -171,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',`
|
||||
type fenced_var_run_t, fenced_t;
|
||||
')
|
||||
|
||||
allow $1 fenced_t:unix_stream_socket connectto;
|
||||
allow $1 fenced_var_run_t:sock_file { getattr write };
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
|
||||
')
|
||||
|
||||
#####################################
|
||||
@ -349,8 +345,7 @@ interface(`rhcs_rw_groupd_shm',`
|
||||
#
|
||||
interface(`rhcs_rw_cluster_shm',`
|
||||
gen_require(`
|
||||
attribute cluster_domain;
|
||||
attribute cluster_tmpfs;
|
||||
attribute cluster_domain, cluster_tmpfs;
|
||||
')
|
||||
|
||||
allow $1 cluster_domain:shm { rw_shm_perms destroy };
|
||||
@ -390,8 +385,7 @@ interface(`rhcs_rw_cluster_semaphores',`
|
||||
#
|
||||
interface(`rhcs_stream_connect_cluster',`
|
||||
gen_require(`
|
||||
attribute cluster_domain;
|
||||
attribute cluster_pid;
|
||||
attribute cluster_domain, cluster_pid;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
@ -432,6 +426,7 @@ interface(`rhcs_read_qdiskd_tmpfs_files',`
|
||||
type qdiskd_tmpfs_t;
|
||||
')
|
||||
|
||||
fs_search_tmpfs($1)
|
||||
allow $1 qdiskd_tmpfs_t:file read_file_perms;
|
||||
')
|
||||
|
||||
|
@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
|
||||
type rhgb_tmpfs_t;
|
||||
')
|
||||
|
||||
fs_search_tmpfs($1)
|
||||
allow $1 rhgb_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
@ -28,7 +28,7 @@ interface(`ricci_domtrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ricci_initrc_domtrans', `
|
||||
interface(`ricci_initrc_domtrans',`
|
||||
gen_require(`
|
||||
type ricci_initrc_exec_t;
|
||||
')
|
||||
@ -89,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
|
||||
type ricci_modcluster_t;
|
||||
')
|
||||
|
||||
dontaudit $1 ricci_modcluster_t:fifo_file { read write };
|
||||
dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -126,6 +126,7 @@ interface(`ricci_rw_modclusterd_tmpfs_files',`
|
||||
type ricci_modcluserd_tmpfs_t;
|
||||
')
|
||||
|
||||
fs_search_tmpfs($1)
|
||||
allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
|
@ -32,7 +32,11 @@ interface(`rpc_stub',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`rpc_domain_template', `
|
||||
template(`rpc_domain_template',`
|
||||
gen_require(`
|
||||
type var_lib_nfs_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',`
|
||||
type exports_t;
|
||||
')
|
||||
|
||||
dontaudit $1 exports_t:file getattr;
|
||||
dontaudit $1 exports_t:file getattr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -188,7 +192,7 @@ interface(`rpc_write_exports',`
|
||||
type exports_t;
|
||||
')
|
||||
|
||||
allow $1 exports_t:file write;
|
||||
allow $1 exports_t:file write_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -302,7 +306,7 @@ interface(`rpc_read_nfs_content',`
|
||||
|
||||
allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
|
||||
allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
|
||||
allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
|
||||
allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -395,7 +399,7 @@ interface(`rpc_search_nfs_state_data',`
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 var_lib_nfs_t:dir search;
|
||||
allow $1 var_lib_nfs_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -148,7 +148,7 @@ interface(`rsync_write_config',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
@ -46,7 +46,7 @@ interface(`rtkit_daemon_dbus_chat',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -75,6 +75,7 @@ interface(`rtkit_scheduled',`
|
||||
type rtkit_daemon_t;
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
ps_process_pattern(rtkit_daemon_t, $1)
|
||||
allow rtkit_daemon_t $1:process { getsched setsched };
|
||||
rtkit_daemon_dbus_chat($1)
|
||||
|
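Review bot: The added `kernel_search_proc($1)` in rtkit_scheduled grants /proc search to the caller domain, but in the adjacent `ps_process_pattern(rtkit_daemon_t, $1)` it is rtkit_daemon_t that reads $1's process entries, so it is not clear from the hunk which domain was missing the search permission. If the intent is to let the daemon reach $1's /proc entries, the subject should be rtkit_daemon_t (or the access belongs with the daemon's own rules in rtkit.te); if $1 genuinely needs it, a short comment such as `# caller needs proc search for ...` would stop the next reader from "correcting" it. The interface body continues past the end of the hunk.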
@ -83,7 +83,7 @@ interface(`samba_domtrans_net',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -148,7 +148,7 @@ interface(`samba_role_notrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
@ -391,7 +391,6 @@ interface(`samba_search_var',`
|
||||
type samba_var_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_var_lib($1)
|
||||
allow $1 samba_var_t:dir search_dir_perms;
|
||||
')
|
||||
@ -412,7 +411,6 @@ interface(`samba_read_var_files',`
|
||||
type samba_var_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, samba_var_t, samba_var_t)
|
||||
')
|
||||
@ -452,7 +450,6 @@ interface(`samba_rw_var_files',`
|
||||
type samba_var_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_var_lib($1)
|
||||
rw_files_pattern($1, samba_var_t, samba_var_t)
|
||||
')
|
||||
@ -473,7 +470,6 @@ interface(`samba_manage_var_files',`
|
||||
type samba_var_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, samba_var_t, samba_var_t)
|
||||
manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
|
||||
@ -761,9 +757,8 @@ interface(`samba_admin',`
|
||||
type smbd_t, smbd_tmp_t, samba_secrets_t;
|
||||
type samba_initrc_exec_t, samba_log_t, samba_var_t;
|
||||
type samba_etc_t, samba_share_t, winbind_log_t;
|
||||
type swat_var_run_t, swat_tmp_t;
|
||||
type winbind_var_run_t, winbind_tmp_t;
|
||||
type samba_unconfined_script_t, samba_unconfined_script_exec_t;
|
||||
type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
|
||||
type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
|
||||
')
|
||||
|
||||
allow $1 smbd_t:process { ptrace signal_perms };
|
||||
|
@ -136,8 +136,8 @@ interface(`setroubleshoot_fixit_dontaudit_leaks',`
|
||||
#
|
||||
interface(`setroubleshoot_admin',`
|
||||
gen_require(`
|
||||
type setroubleshootd_t, setroubleshoot_var_log_t;
|
||||
type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
|
||||
type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
|
||||
type setroubleshoot_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 setroubleshootd_t:process { ptrace signal_perms };
|
||||
|
@ -125,9 +125,8 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
|
||||
#
|
||||
interface(`snmp_admin',`
|
||||
gen_require(`
|
||||
type snmpd_t, snmpd_log_t;
|
||||
type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
|
||||
type snmpd_var_lib_t, snmpd_var_run_t;
|
||||
type snmpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 snmpd_t:process { ptrace signal_perms };
|
||||
|
@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',`
|
||||
#
|
||||
interface(`soundserver_admin',`
|
||||
gen_require(`
|
||||
type soundd_t, soundd_etc_t;
|
||||
type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
|
||||
type soundd_tmp_t, soundd_var_run_t;
|
||||
type soundd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 soundd_t:process { ptrace signal_perms };
|
||||
|
@ -206,8 +206,7 @@ interface(`squid_use',`
|
||||
interface(`squid_admin',`
|
||||
gen_require(`
|
||||
type squid_t, squid_cache_t, squid_conf_t;
|
||||
type squid_log_t, squid_var_run_t;
|
||||
type squid_initrc_exec_t;
|
||||
type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 squid_t:process { ptrace signal_perms };
|
||||
|
@ -151,8 +151,8 @@ interface(`varnishd_manage_log',`
|
||||
#
|
||||
interface(`varnishd_admin_varnishlog',`
|
||||
gen_require(`
|
||||
type varnishlog_t, varnishlog_initrc_exec_t;
|
||||
type varnishlog_var_run_t, varnishlog_log_t;
|
||||
type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
|
||||
type varnishlog_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 varnishlog_t:process { ptrace signal_perms };
|
||||
|
@ -596,7 +596,7 @@ interface(`virt_transition_svirt',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
@ -1,7 +1,5 @@
|
||||
|
||||
## <summary>policy for vnstatd</summary>
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run vnstatd.
|
||||
@ -20,8 +18,6 @@ interface(`vnstatd_domtrans',`
|
||||
domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
|
||||
')
|
||||
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run vnstat.
|
||||
@ -137,8 +133,7 @@ interface(`vnstatd_manage_lib_dirs',`
|
||||
#
|
||||
interface(`vnstatd_admin',`
|
||||
gen_require(`
|
||||
type vnstatd_t;
|
||||
type vnstatd_var_lib_t;
|
||||
type vnstatd_t, vnstatd_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 vnstatd_t:process { ptrace signal_perms };
|
||||
@ -146,5 +141,4 @@ interface(`vnstatd_admin',`
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, vnstatd_var_lib_t)
|
||||
|
||||
')
|
||||
|
@ -47,7 +47,7 @@ interface(`xserver_restricted_role',`
|
||||
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
|
||||
|
||||
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
|
||||
allow $2 xserver_tmp_t:sock_file unlink;
|
||||
allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
|
||||
files_search_tmp($2)
|
||||
|
||||
# Communicate via System V shared memory.
|
||||
@ -243,7 +243,7 @@ interface(`xserver_rw_session',`
|
||||
type xserver_t, xserver_tmpfs_t;
|
||||
')
|
||||
|
||||
xserver_ro_session($1,$2)
|
||||
xserver_ro_session($1, $2)
|
||||
allow $1 xserver_t:shm rw_shm_perms;
|
||||
allow $1 xserver_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
@ -271,7 +271,7 @@ interface(`xserver_non_drawing_client',`
|
||||
|
||||
allow $1 self:x_gc { create setattr };
|
||||
|
||||
allow $1 xdm_var_run_t:dir search;
|
||||
allow $1 xdm_var_run_t:dir search_dir_perms;
|
||||
allow $1 xserver_t:unix_stream_socket connectto;
|
||||
|
||||
allow $1 xextension_t:x_extension { query use };
|
||||
@ -313,7 +313,7 @@ interface(`xserver_user_client',`
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $1 xdm_t:fd use;
|
||||
allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
|
||||
allow $1 xdm_tmp_t:dir search;
|
||||
allow $1 xdm_tmp_t:dir search_dir_perms;
|
||||
allow $1 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $1 xdm_t:tcp_socket { read write };
|
||||
|
||||
@ -358,7 +358,7 @@ interface(`xserver_user_client',`
|
||||
#
|
||||
template(`xserver_common_x_domain_template',`
|
||||
gen_require(`
|
||||
type root_xdrawable_t;
|
||||
type root_xdrawable_t, xdm_t, xserver_t;
|
||||
type xproperty_t, $1_xproperty_t;
|
||||
type xevent_t, client_xevent_t;
|
||||
type input_xevent_t, $1_input_xevent_t;
|
||||
@ -375,7 +375,6 @@ template(`xserver_common_x_domain_template',`
|
||||
class x_screen { saver_setattr saver_hide saver_show };
|
||||
class x_pointer { get_property set_property manage };
|
||||
class x_keyboard { read manage };
|
||||
type xdm_t, xserver_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
@ -474,8 +473,8 @@ template(`xserver_object_types_template',`
|
||||
#
|
||||
template(`xserver_user_x_domain_template',`
|
||||
gen_require(`
|
||||
type xdm_t, xdm_tmp_t;
|
||||
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
|
||||
type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
|
||||
type xauth_home_t, iceauth_home_t, xserver_t;
|
||||
')
|
||||
|
||||
allow $2 self:shm create_shm_perms;
|
||||
@ -787,8 +786,7 @@ interface(`xserver_stream_connect_xdm',`
|
||||
|
||||
files_search_tmp($1)
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
|
||||
stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
|
||||
stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -98,5 +98,5 @@ interface(`zarafa_stream_connect_server',`
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
|
||||
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
|
||||
')
|
||||
|
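Review bot: The corrected `stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)` now searches a var_run-typed directory, yet the only parent-directory search the interface grants is the unchanged `files_search_var_lib($1)` above it. If zarafa_server_var_run_t labels a path under /var/run, the caller also needs `files_search_pids($1)` to reach the socket, which is the pairing the rhcs_stream_connect_fenced hunk in this same commit uses; if it labels a /var/lib path instead, the type name is misleading and deserves a comment. The interface's gen_require block starts outside the hunk.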
@ -61,8 +61,7 @@ interface(`zebra_stream_connect',`
|
||||
interface(`zebra_admin',`
|
||||
gen_require(`
|
||||
type zebra_t, zebra_tmp_t, zebra_log_t;
|
||||
type zebra_conf_t, zebra_var_run_t;
|
||||
type zebra_initrc_exec_t;
|
||||
type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 zebra_t:process { ptrace signal_perms };
|
||||
|
@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`zosremote_run',`
|
||||
gen_require(`
|
||||
|
@ -1207,12 +1207,7 @@ interface(`init_read_script_state',`
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
read_files_pattern($1, initrc_t, initrc_t)
|
||||
read_lnk_files_pattern($1, initrc_t, initrc_t)
|
||||
list_dirs_pattern($1, initrc_t, initrc_t)
|
||||
|
||||
# should move this to separate interface
|
||||
allow $1 initrc_t:process getattr;
|
||||
ps_process_pattern($1, initrc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|