Merge branch 'base'

This commit is contained in:
Dominick Grift 2010-09-21 13:57:06 +02:00
commit fc0d3d55f8
37 changed files with 237 additions and 276 deletions

View File

@ -258,7 +258,6 @@ interface(`mpd_admin',`
files_list_var_lib($1)
admin_pattern($1, mpd_var_lib_t)
mpd_list_lib($1)
admin_pattern($1, mpd_data_t)
admin_pattern($1, mpd_log_t)

View File

@ -710,8 +710,8 @@ interface(`postfix_admin',`
allow $1 postfix_smtpd_t:process { ptrace signal_perms };
ps_process_pattern($1, postfix_smtpd_t)
postfix_run_map($1,$2)
postfix_run_postdrop($1,$2)
postfix_run_map($1, $2)
postfix_run_postdrop($1, $2)
postfix_initrc_domtrans($1)
domain_system_change_exemption($1)

View File

@ -20,8 +20,7 @@
interface(`postfixpolicyd_admin',`
gen_require(`
type postfix_policyd_t, postfix_policyd_conf_t;
type postfix_policyd_var_run_t;
type postfix_policyd_initrc_exec_t;
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
allow $1 postfix_policyd_t:process { ptrace signal_perms };

View File

@ -10,7 +10,7 @@
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## <summary>
## The type of the user domain.
## </summary>
## </param>
@ -45,14 +45,6 @@ interface(`postgresql_role',`
# Client local policy
#
tunable_policy(`sepgsql_enable_users_ddl',`
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
@ -69,6 +61,14 @@ interface(`postgresql_role',`
allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
')
########################################
@ -195,7 +195,7 @@ interface(`postgresql_search_db',`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir search;
allow $1 postgresql_db_t:dir search_dir_perms;
')
########################################
@ -207,6 +207,7 @@ interface(`postgresql_search_db',`
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_manage_db',`
gen_require(`
type postgresql_db_t;
@ -214,7 +215,7 @@ interface(`postgresql_manage_db',`
allow $1 postgresql_db_t:dir rw_dir_perms;
allow $1 postgresql_db_t:file rw_file_perms;
allow $1 postgresql_db_t:lnk_file { getattr read };
allow $1 postgresql_db_t:lnk_file read_lnk_file_perms;
')
########################################
@ -304,7 +305,6 @@ interface(`postgresql_tcp_connect',`
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`postgresql_stream_connect',`
gen_require(`
@ -313,7 +313,7 @@ interface(`postgresql_stream_connect',`
files_search_pids($1)
files_search_tmp($1)
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
')
########################################
@ -359,13 +359,6 @@ interface(`postgresql_unpriv_client',`
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
@ -379,6 +372,13 @@ interface(`postgresql_unpriv_client',`
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
')
########################################
@ -418,13 +418,10 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
attribute sepgsql_admin_type;
attribute sepgsql_client_type;
type postgresql_t, postgresql_var_run_t;
type postgresql_tmp_t, postgresql_db_t;
type postgresql_etc_t, postgresql_log_t;
type postgresql_initrc_exec_t;
attribute sepgsql_admin_type, sepgsql_client_type;
type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
type postgresql_etc_t;
')
typeattribute $1 sepgsql_admin_type;
@ -437,6 +434,7 @@ interface(`postgresql_admin',`
role_transition $2 postgresql_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, postgresql_var_run_t)
files_list_var_lib($1)
@ -448,6 +446,7 @@ interface(`postgresql_admin',`
logging_list_logs($1)
admin_pattern($1, postgresql_log_t)
files_list_tmp($1)
admin_pattern($1, postgresql_tmp_t)
postgresql_tcp_connect($1)

View File

@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
files_search_pids($1)
files_search_spool($1)
')
########################################
@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
type postgrey_spool_t;
')
files_search_spool($1)
allow $1 postgrey_spool_t:dir search_dir_perms;
')
@ -57,9 +58,8 @@ interface(`postgrey_search_spool',`
#
interface(`postgrey_admin',`
gen_require(`
type postgrey_t, postgrey_etc_t;
type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
type postgrey_var_lib_t, postgrey_var_run_t;
type postgrey_initrc_exec_t;
')
allow $1 postgrey_t:process { ptrace signal_perms };

View File

@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
## </summary>
## </param>
#
#
interface(`ppp_kill',`
gen_require(`
type pppd_t;
@ -180,8 +179,7 @@ interface(`ppp_run',`
')
ppp_domtrans($1)
role $2 types pppd_t;
role $2 types pptp_t;
role $2 types { pppd_t pptp_t };
optional_policy(`
ddclient_run(pppd_t, $2)
@ -281,6 +279,7 @@ interface(`ppp_read_pid_files',`
type pppd_var_run_t;
')
files_search_pids($1)
allow $1 pppd_var_run_t:file read_file_perms;
')
@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',`
type pppd_var_run_t;
')
files_search_pids($1)
allow $1 pppd_var_run_t:file manage_file_perms;
')
@ -353,16 +353,17 @@ interface(`ppp_initrc_domtrans',`
interface(`ppp_admin',`
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
type pppd_etc_t, pppd_secret_t;
type pppd_etc_rw_t, pppd_var_run_t;
type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
type pppd_initrc_exec_t;
type pppd_initrc_exec_t, pppd_etc_rw_t;
')
allow $1 pppd_t:process { ptrace signal_perms };
ps_process_pattern($1, pppd_t)
allow $1 pptp_t:process { ptrace signal_perms };
ps_process_pattern($1, pptp_t)
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pppd_initrc_exec_t system_r;
@ -374,6 +375,7 @@ interface(`ppp_admin',`
logging_list_logs($1)
admin_pattern($1, pppd_log_t)
files_list_locks($1)
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
@ -386,9 +388,6 @@ interface(`ppp_admin',`
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
allow $1 pptp_t:process { ptrace signal_perms };
ps_process_pattern($1, pptp_t)
admin_pattern($1, pptp_log_t)
admin_pattern($1, pptp_var_run_t)

View File

@ -5,9 +5,9 @@
## Execute a domain transition to run prelude.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`prelude_domtrans',`
@ -23,9 +23,9 @@ interface(`prelude_domtrans',`
## Execute a domain transition to run prelude_audisp.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`prelude_domtrans_audisp',`
@ -41,9 +41,9 @@ interface(`prelude_domtrans_audisp',`
## Signal the prelude_audisp domain.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed acccess.
## </summary>
## </summary>
## </param>
#
interface(`prelude_signal_audisp',`
@ -78,9 +78,9 @@ interface(`prelude_read_spool',`
## Manage to prelude-manager spool files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`prelude_manage_spool',`
@ -112,13 +112,10 @@ interface(`prelude_manage_spool',`
#
interface(`prelude_admin',`
gen_require(`
type prelude_t, prelude_spool_t;
type prelude_var_run_t, prelude_var_lib_t;
type prelude_audisp_t, prelude_audisp_var_run_t;
type prelude_initrc_exec_t;
type prelude_lml_t, prelude_lml_tmp_t;
type prelude_lml_var_run_t;
type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
type prelude_lml_t;
')
allow $1 prelude_t:process { ptrace signal_perms };
@ -144,9 +141,8 @@ interface(`prelude_admin',`
files_list_pids($1)
admin_pattern($1, prelude_var_run_t)
admin_pattern($1, prelude_audisp_var_run_t)
admin_pattern($1, prelude_lml_var_run_t)
files_list_tmp($1)
admin_pattern($1, prelude_lml_tmp_t)
admin_pattern($1, prelude_lml_var_run_t)
')

View File

@ -19,9 +19,8 @@
#
interface(`privoxy_admin',`
gen_require(`
type privoxy_t, privoxy_log_t;
type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
type privoxy_etc_rw_t, privoxy_var_run_t;
type privoxy_initrc_exec_t;
')
allow $1 privoxy_t:process { ptrace signal_perms };

View File

@ -93,7 +93,6 @@ interface(`procmail_read_home_files',`
type procmail_home_t;
')
userdom_search_user_home_dirs($1)
userdom_search_user_home_dirs($1)
read_files_pattern($1, procmail_home_t, procmail_home_t)
')

View File

@ -91,7 +91,6 @@ interface(`psad_manage_config',`
files_search_etc($1)
manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
manage_files_pattern($1, psad_etc_t, psad_etc_t)
')
########################################
@ -115,7 +114,7 @@ interface(`psad_read_pid_files',`
########################################
## <summary>
## Read psad PID files.
## Read and write psad PID files.
## </summary>
## <param name="domain">
## <summary>
@ -253,8 +252,8 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
type psad_initrc_exec_t, psad_var_lib_t;
type psad_tmp_t, psad_etc_t;
type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
type psad_tmp_t;
')
allow $1 psad_t:process { ptrace signal_perms };

View File

@ -21,7 +21,7 @@
## </summary>
## </param>
#
interface(`puppet_rw_tmp', `
interface(`puppet_rw_tmp',`
gen_require(`
type puppet_tmp_t;
')

View File

@ -14,6 +14,7 @@
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
interface(`pyzor_role',`
gen_require(`
@ -28,7 +29,7 @@ interface(`pyzor_role',`
# allow ps to show pyzor and allow the user to kill it
ps_process_pattern($2, pyzor_t)
allow $2 pyzor_t:process signal;
allow $2 pyzor_t:process { ptrace signal_perms };
')
########################################
@ -109,13 +110,12 @@ interface(`pyzor_exec',`
interface(`pyzor_admin',`
gen_require(`
type pyzord_t, pyzor_tmp_t, pyzord_log_t;
type pyzor_etc_t, pyzor_var_lib_t;
type pyzord_initrc_exec_t;
type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
')
allow $1 pyzord_t:process { ptrace signal_perms };
ps_process_pattern($1, pyzord_t)
init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pyzord_initrc_exec_t system_r;
@ -133,5 +133,3 @@ interface(`pyzor_admin',`
files_list_var_lib($1)
admin_pattern($1, pyzor_var_lib_t)
')

View File

@ -1,4 +1,3 @@
## <summary>policy for qpidd</summary>
########################################
@ -6,9 +5,9 @@
## Execute a domain transition to run qpidd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`qpidd_domtrans',`
@ -19,7 +18,6 @@ interface(`qpidd_domtrans',`
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
')
########################################
## <summary>
## Execute qpidd server in the qpidd domain.
@ -72,12 +70,12 @@ interface(`qpidd_manage_var_run',`
type qpidd_var_run_t;
')
manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
files_search_pids($1)
manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
')
########################################
## <summary>
## Search qpidd lib directories.
@ -113,7 +111,7 @@ interface(`qpidd_read_lib_files',`
')
files_search_var_lib($1)
read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
@ -133,7 +131,7 @@ interface(`qpidd_manage_lib_files',`
')
files_search_var_lib($1)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
@ -151,12 +149,12 @@ interface(`qpidd_manage_var_lib',`
type qpidd_var_lib_t;
')
manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
files_search_var_lib($1)
manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
########################################
## <summary>
## All of the rules required to administrate
@ -176,16 +174,11 @@ interface(`qpidd_manage_var_lib',`
#
interface(`qpidd_admin',`
gen_require(`
type qpidd_t;
type qpidd_t, qpidd_initrc_exec_t;
')
allow $1 qpidd_t:process { ptrace signal_perms };
ps_process_pattern($1, qpidd_t)
gen_require(`
type qpidd_initrc_exec_t;
')
# Allow qpidd_t to restart the apache service
qpidd_initrc_domtrans($1)
@ -196,41 +189,40 @@ interface(`qpidd_admin',`
qpidd_manage_var_run($1)
qpidd_manage_var_lib($1)
')
#####################################
## <summary>
## Allow read and write access to qpidd semaphores.
## Allow read and write access to qpidd semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`qpidd_rw_semaphores',`
gen_require(`
type qpidd_t;
')
gen_require(`
type qpidd_t;
')
allow $1 qpidd_t:sem rw_sem_perms;
allow $1 qpidd_t:sem rw_sem_perms;
')
########################################
## <summary>
## Read and write to qpidd shared memory.
## Read and write to qpidd shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`qpidd_rw_shm',`
gen_require(`
type qpidd_t;
')
gen_require(`
type qpidd_t;
')
allow $1 qpidd_t:shm rw_shm_perms;
allow $1 qpidd_t:shm rw_shm_perms;
')

View File

@ -19,8 +19,8 @@
#
interface(`radvd_admin',`
gen_require(`
type radvd_t, radvd_etc_t;
type radvd_var_run_t, radvd_initrc_exec_t;
type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
type radvd_var_run_t;
')
allow $1 radvd_t:process { ptrace signal_perms };

View File

@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
gen_require(`
type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
type $1_t;
domain_type($1_t)
domain_entry_file($1_t, razor_exec_t)
@ -46,7 +47,7 @@ template(`razor_common_domain_template',`
# Read system config file
allow $1_t razor_etc_t:dir list_dir_perms;
allow $1_t razor_etc_t:file read_file_perms;
allow $1_t razor_etc_t:lnk_file { getattr read };
allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
manage_files_pattern($1_t, razor_log_t, razor_log_t)
@ -117,6 +118,7 @@ template(`razor_common_domain_template',`
## User domain for the role
## </summary>
## </param>
## <rolecap/>
#
interface(`razor_role',`
gen_require(`
@ -130,7 +132,7 @@ interface(`razor_role',`
# allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
allow $2 razor_t:process signal;
allow $2 razor_t:process { ptrace signal_perms };
manage_dirs_pattern($2, razor_home_t, razor_home_t)
manage_files_pattern($2, razor_home_t, razor_home_t)
@ -197,4 +199,3 @@ interface(`razor_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
')

View File

@ -5,9 +5,9 @@
## Execute a domain transition to run rgmanager.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`rgmanager_domtrans',`
@ -78,20 +78,20 @@ interface(`rgmanager_manage_tmpfs_files',`
#######################################
## <summary>
## Allow read and write access to rgmanager semaphores.
## Allow read and write access to rgmanager semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rgmanager_rw_semaphores',`
gen_require(`
type rgmanager_t;
')
gen_require(`
type rgmanager_t;
')
allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
allow $1 rgmanager_t:sem rw_sem_perms;
')
######################################
@ -100,9 +100,9 @@ interface(`rgmanager_rw_semaphores',`
## an rgmanager environment
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
## <param name="role">
## <summary>
@ -115,7 +115,7 @@ interface(`rgmanager_admin',`
gen_require(`
type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
')
')
allow $1 rgmanager_t:process { ptrace signal_perms };
ps_process_pattern($1, rgmanager_t)

View File

@ -13,9 +13,7 @@
#
template(`rhcs_domain_template',`
gen_require(`
attribute cluster_domain;
attribute cluster_tmpfs;
attribute cluster_pid;
attribute cluster_domain, cluster_tmpfs, cluster_pid;
')
##############################
@ -53,7 +51,6 @@ template(`rhcs_domain_template',`
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
')
######################################
@ -61,9 +58,9 @@ template(`rhcs_domain_template',`
## Execute a domain transition to run dlm_controld.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`rhcs_domtrans_dlm_controld',`
@ -171,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',`
type fenced_var_run_t, fenced_t;
')
allow $1 fenced_t:unix_stream_socket connectto;
allow $1 fenced_var_run_t:sock_file { getattr write };
files_search_pids($1)
stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
')
#####################################
@ -349,8 +345,7 @@ interface(`rhcs_rw_groupd_shm',`
#
interface(`rhcs_rw_cluster_shm',`
gen_require(`
attribute cluster_domain;
attribute cluster_tmpfs;
attribute cluster_domain, cluster_tmpfs;
')
allow $1 cluster_domain:shm { rw_shm_perms destroy };
@ -361,41 +356,40 @@ interface(`rhcs_rw_cluster_shm',`
####################################
## <summary>
## Read and write access to cluster domains semaphores.
## Read and write access to cluster domains semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rhcs_rw_cluster_semaphores',`
gen_require(`
gen_require(`
attribute cluster_domain;
')
')
allow $1 cluster_domain:sem { rw_sem_perms destroy };
allow $1 cluster_domain:sem { rw_sem_perms destroy };
')
####################################
## <summary>
## Connect to cluster domains over a unix domain
## stream socket.
## Connect to cluster domains over a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rhcs_stream_connect_cluster',`
gen_require(`
attribute cluster_domain;
attribute cluster_pid;
')
gen_require(`
attribute cluster_domain, cluster_pid;
')
files_search_pids($1)
stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
files_search_pids($1)
stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
')
######################################
@ -432,24 +426,25 @@ interface(`rhcs_read_qdiskd_tmpfs_files',`
type qdiskd_tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 qdiskd_tmpfs_t:file read_file_perms;
')
######################################
## <summary>
## Allow domain to read cluster lib files
## Allow domain to read cluster lib files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rhcs_read_cluster_lib_files',`
gen_require(`
type cluster_var_lib_t;
')
gen_require(`
type cluster_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
files_search_var_lib($1)
read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
')

View File

@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
type rhgb_tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 rhgb_tmpfs_t:file rw_file_perms;
')

View File

@ -5,9 +5,9 @@
## Execute a domain transition to run ricci.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ricci_domtrans',`
@ -20,20 +20,20 @@ interface(`ricci_domtrans',`
#######################################
## <summary>
## Execute ricci server in the ricci domain.
## Execute ricci server in the ricci domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ricci_initrc_domtrans', `
gen_require(`
type ricci_initrc_exec_t;
')
interface(`ricci_initrc_domtrans',`
gen_require(`
type ricci_initrc_exec_t;
')
init_labeled_script_domtrans($1, ricci_initrc_exec_t)
init_labeled_script_domtrans($1, ricci_initrc_exec_t)
')
########################################
@ -41,9 +41,9 @@ interface(`ricci_initrc_domtrans', `
## Execute a domain transition to run ricci_modcluster.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ricci_domtrans_modcluster',`
@ -89,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
type ricci_modcluster_t;
')
dontaudit $1 ricci_modcluster_t:fifo_file { read write };
dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@ -126,6 +126,7 @@ interface(`ricci_rw_modclusterd_tmpfs_files',`
type ricci_modcluserd_tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
')
@ -134,9 +135,9 @@ interface(`ricci_rw_modclusterd_tmpfs_files',`
## Execute a domain transition to run ricci_modlog.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ricci_domtrans_modlog',`
@ -152,9 +153,9 @@ interface(`ricci_domtrans_modlog',`
## Execute a domain transition to run ricci_modrpm.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ricci_domtrans_modrpm',`
@ -170,9 +171,9 @@ interface(`ricci_domtrans_modrpm',`
## Execute a domain transition to run ricci_modservice.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ricci_domtrans_modservice',`
@ -188,9 +189,9 @@ interface(`ricci_domtrans_modservice',`
## Execute a domain transition to run ricci_modstorage.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`ricci_domtrans_modstorage',`
@ -203,22 +204,22 @@ interface(`ricci_domtrans_modstorage',`
####################################
## <summary>
## Allow the specified domain to manage ricci's lib files.
## Allow the specified domain to manage ricci's lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ricci_manage_lib_files',`
gen_require(`
type ricci_var_lib_t;
')
gen_require(`
type ricci_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
files_search_var_lib($1)
manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
')
########################################
@ -254,7 +255,7 @@ interface(`ricci_admin',`
files_list_tmp($1)
admin_pattern($1, ricci_tmp_t)
files_list_var_lib($1)
admin_pattern($1, ricci_var_lib_t)

View File

@ -32,7 +32,11 @@ interface(`rpc_stub',`
## </summary>
## </param>
#
template(`rpc_domain_template', `
template(`rpc_domain_template',`
gen_require(`
type var_lib_nfs_t;
')
########################################
#
# Declarations
@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',`
type exports_t;
')
dontaudit $1 exports_t:file getattr;
dontaudit $1 exports_t:file getattr_file_perms;
')
########################################
@ -188,7 +192,7 @@ interface(`rpc_write_exports',`
type exports_t;
')
allow $1 exports_t:file write;
allow $1 exports_t:file write_file_perms;
')
########################################
@ -302,7 +306,7 @@ interface(`rpc_read_nfs_content',`
allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
')
########################################
@ -395,7 +399,7 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
allow $1 var_lib_nfs_t:dir search;
allow $1 var_lib_nfs_t:dir search_dir_perms;
')
########################################

View File

@ -5,9 +5,9 @@
## Execute a domain transition to run rpcbind.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`rpcbind_domtrans',`

View File

@ -109,9 +109,9 @@ interface(`rsync_exec',`
## Read rsync config files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`rsync_read_config',`
@ -128,9 +128,9 @@ interface(`rsync_read_config',`
## Write to rsync config files.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`rsync_write_config',`
@ -147,9 +147,9 @@ interface(`rsync_write_config',`
## Manage rsync config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rsync_manage_config',`

View File

@ -5,9 +5,9 @@
## Execute a domain transition to run rtkit_daemon.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`rtkit_daemon_domtrans',`
@ -46,7 +46,7 @@ interface(`rtkit_daemon_dbus_chat',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain to not audit.
## </summary>
## </param>
#
@ -75,6 +75,7 @@ interface(`rtkit_scheduled',`
type rtkit_daemon_t;
')
kernel_search_proc($1)
ps_process_pattern(rtkit_daemon_t, $1)
allow rtkit_daemon_t $1:process { getsched setsched };
rtkit_daemon_dbus_chat($1)

View File

@ -5,9 +5,9 @@
## Execute a domain transition to run rwho.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </summary>
## </param>
#
interface(`rwho_domtrans',`

View File

@ -83,7 +83,7 @@ interface(`samba_domtrans_net',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain allowed to transition.
## </summary>
## </param>
#
@ -148,7 +148,7 @@ interface(`samba_role_notrans',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
@ -391,7 +391,6 @@ interface(`samba_search_var',`
type samba_var_t;
')
files_search_var($1)
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
@ -412,7 +411,6 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
files_search_var($1)
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
')
@ -452,7 +450,6 @@ interface(`samba_rw_var_files',`
type samba_var_t;
')
files_search_var($1)
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
')
@ -473,7 +470,6 @@ interface(`samba_manage_var_files',`
type samba_var_t;
')
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
@ -761,9 +757,8 @@ interface(`samba_admin',`
type smbd_t, smbd_tmp_t, samba_secrets_t;
type samba_initrc_exec_t, samba_log_t, samba_var_t;
type samba_etc_t, samba_share_t, winbind_log_t;
type swat_var_run_t, swat_tmp_t;
type winbind_var_run_t, winbind_tmp_t;
type samba_unconfined_script_t, samba_unconfined_script_exec_t;
type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
')
allow $1 smbd_t:process { ptrace signal_perms };

View File

@ -136,8 +136,8 @@ interface(`setroubleshoot_fixit_dontaudit_leaks',`
#
interface(`setroubleshoot_admin',`
gen_require(`
type setroubleshootd_t, setroubleshoot_var_log_t;
type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
type setroubleshoot_var_lib_t;
')
allow $1 setroubleshootd_t:process { ptrace signal_perms };

View File

@ -125,9 +125,8 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
#
interface(`snmp_admin',`
gen_require(`
type snmpd_t, snmpd_log_t;
type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
type snmpd_var_lib_t, snmpd_var_run_t;
type snmpd_initrc_exec_t;
')
allow $1 snmpd_t:process { ptrace signal_perms };

View File

@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',`
#
interface(`soundserver_admin',`
gen_require(`
type soundd_t, soundd_etc_t;
type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
type soundd_tmp_t, soundd_var_run_t;
type soundd_initrc_exec_t;
')
allow $1 soundd_t:process { ptrace signal_perms };

View File

@ -206,8 +206,7 @@ interface(`squid_use',`
interface(`squid_admin',`
gen_require(`
type squid_t, squid_cache_t, squid_conf_t;
type squid_log_t, squid_var_run_t;
type squid_initrc_exec_t;
type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
')
allow $1 squid_t:process { ptrace signal_perms };

View File

@ -58,7 +58,7 @@ interface(`varnishd_read_config',`
#####################################
## <summary>
## Read varnish lib files.
## Read varnish lib files.
## </summary>
## <param name="domain">
## <summary>
@ -151,8 +151,8 @@ interface(`varnishd_manage_log',`
#
interface(`varnishd_admin_varnishlog',`
gen_require(`
type varnishlog_t, varnishlog_initrc_exec_t;
type varnishlog_var_run_t, varnishlog_log_t;
type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
type varnishlog_var_run_t;
')
allow $1 varnishlog_t:process { ptrace signal_perms };

View File

@ -596,7 +596,7 @@ interface(`virt_transition_svirt',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain to not audit.
## </summary>
## </param>
#

View File

@ -1,15 +1,13 @@
## <summary>policy for vnstatd</summary>
########################################
## <summary>
## Execute a domain transition to run vnstatd.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`vnstatd_domtrans',`
@ -20,16 +18,14 @@ interface(`vnstatd_domtrans',`
domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
')
########################################
## <summary>
## Execute a domain transition to run vnstat.
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
interface(`vnstatd_domtrans_vnstat',`
@ -75,7 +71,7 @@ interface(`vnstatd_read_lib_files',`
')
files_search_var_lib($1)
read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
')
########################################
@ -95,7 +91,7 @@ interface(`vnstatd_manage_lib_files',`
')
files_search_var_lib($1)
manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
')
########################################
@ -114,7 +110,7 @@ interface(`vnstatd_manage_lib_dirs',`
')
files_search_var_lib($1)
manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
')
@ -137,8 +133,7 @@ interface(`vnstatd_manage_lib_dirs',`
#
interface(`vnstatd_admin',`
gen_require(`
type vnstatd_t;
type vnstatd_var_lib_t;
type vnstatd_t, vnstatd_var_lib_t;
')
allow $1 vnstatd_t:process { ptrace signal_perms };
@ -146,5 +141,4 @@ interface(`vnstatd_admin',`
files_list_var_lib($1)
admin_pattern($1, vnstatd_var_lib_t)
')

View File

@ -47,7 +47,7 @@ interface(`xserver_restricted_role',`
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
allow $2 xserver_tmp_t:sock_file unlink;
allow $2 xserver_tmp_t:sock_file delete_sock_file_perms;
files_search_tmp($2)
# Communicate via System V shared memory.
@ -243,7 +243,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
xserver_ro_session($1,$2)
xserver_ro_session($1, $2)
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
@ -271,7 +271,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
allow $1 xdm_var_run_t:dir search;
allow $1 xdm_var_run_t:dir search_dir_perms;
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
@ -313,7 +313,7 @@ interface(`xserver_user_client',`
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:dir search_dir_perms;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
@ -358,7 +358,7 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
type root_xdrawable_t;
type root_xdrawable_t, xdm_t, xserver_t;
type xproperty_t, $1_xproperty_t;
type xevent_t, client_xevent_t;
type input_xevent_t, $1_input_xevent_t;
@ -375,7 +375,6 @@ template(`xserver_common_x_domain_template',`
class x_screen { saver_setattr saver_hide saver_show };
class x_pointer { get_property set_property manage };
class x_keyboard { read manage };
type xdm_t, xserver_t;
')
##############################
@ -474,8 +473,8 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
type xdm_t, xdm_tmp_t;
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
type xauth_home_t, iceauth_home_t, xserver_t;
')
allow $2 self:shm create_shm_perms;
@ -787,8 +786,7 @@ interface(`xserver_stream_connect_xdm',`
files_search_tmp($1)
files_search_pids($1)
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
')
########################################

View File

@ -98,5 +98,5 @@ interface(`zarafa_stream_connect_server',`
')
files_search_var_lib($1)
stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
')

View File

@ -61,8 +61,7 @@ interface(`zebra_stream_connect',`
interface(`zebra_admin',`
gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t;
type zebra_conf_t, zebra_var_run_t;
type zebra_initrc_exec_t;
type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
')
allow $1 zebra_t:process { ptrace signal_perms };

View File

@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`zosremote_run',`
gen_require(`

View File

@ -1207,12 +1207,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
read_files_pattern($1, initrc_t, initrc_t)
read_lnk_files_pattern($1, initrc_t, initrc_t)
list_dirs_pattern($1, initrc_t, initrc_t)
# should move this to separate interface
allow $1 initrc_t:process getattr;
ps_process_pattern($1, initrc_t)
')
########################################