trunk: 5 patches from dan.
This commit is contained in:
Chris PeBenito
parent
01e9e7dbf5
commit
fcee22ad0d
@ -2,3 +2,5 @@
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
|
||||
|
||||
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(audio_entropy, 1.4.1)
|
||||
policy_module(audio_entropy, 1.4.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -35,6 +35,10 @@ dev_write_urand(entropyd_t)
|
||||
dev_read_rand(entropyd_t)
|
||||
dev_write_rand(entropyd_t)
|
||||
dev_read_sound(entropyd_t)
|
||||
# set sound card parameters such as
|
||||
# sample format, number of channels
|
||||
# and sample rate.
|
||||
dev_write_sound(entropyd_t)
|
||||
|
||||
fs_getattr_all_fs(entropyd_t)
|
||||
fs_search_auto_mountpoints(entropyd_t)
|
||||
|
||||
@ -1,5 +1,9 @@
|
||||
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
|
||||
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
|
||||
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
|
||||
|
||||
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
|
||||
|
||||
/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
|
||||
|
||||
@ -1,5 +1,60 @@
|
||||
## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute avahi server in the avahi domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`avahi_domtrans',`
|
||||
gen_require(`
|
||||
type avahi_exec_t, avahi_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, avahi_exec_t, avahi_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send avahi a signal
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`avahi_signal',`
|
||||
gen_require(`
|
||||
type avahi_t;
|
||||
')
|
||||
|
||||
allow $1 avahi_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send avahi a kill signal.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`avahi_kill',`
|
||||
gen_require(`
|
||||
type avahi_t;
|
||||
')
|
||||
|
||||
allow $1 avahi_t:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
@ -57,3 +112,38 @@ interface(`avahi_dontaudit_search_pid',`
|
||||
|
||||
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an avahi environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the avahi domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`avahi_admin',`
|
||||
gen_require(`
|
||||
type avahi_t, avahi_var_run_t;
|
||||
type avahi_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 avahi_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, avahi_t)
|
||||
|
||||
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 avahi_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, avahi_var_run_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(avahi, 1.9.1)
|
||||
policy_module(avahi, 1.9.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,12 @@ type avahi_t;
|
||||
type avahi_exec_t;
|
||||
init_daemon_domain(avahi_t, avahi_exec_t)
|
||||
|
||||
type avahi_initrc_exec_t;
|
||||
init_script_file(avahi_initrc_exec_t)
|
||||
|
||||
type avahi_var_lib_t;
|
||||
files_pid_file(avahi_var_lib_t)
|
||||
|
||||
type avahi_var_run_t;
|
||||
files_pid_file(avahi_var_run_t)
|
||||
|
||||
@ -20,13 +26,17 @@ files_pid_file(avahi_var_run_t)
|
||||
|
||||
allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
|
||||
dontaudit avahi_t self:capability sys_tty_config;
|
||||
allow avahi_t self:process { setrlimit signal_perms setcap };
|
||||
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
|
||||
allow avahi_t self:fifo_file rw_fifo_file_perms;
|
||||
allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow avahi_t self:unix_dgram_socket create_socket_perms;
|
||||
allow avahi_t self:tcp_socket create_stream_socket_perms;
|
||||
allow avahi_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
|
||||
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
|
||||
files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
|
||||
|
||||
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
||||
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
||||
allow avahi_t avahi_var_run_t:dir setattr;
|
||||
@ -73,6 +83,7 @@ init_signull_script(avahi_t)
|
||||
logging_send_syslog_msg(avahi_t)
|
||||
|
||||
miscfiles_read_localization(avahi_t)
|
||||
miscfiles_read_certs(avahi_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
||||
userdom_dontaudit_search_user_home_dirs(avahi_t)
|
||||
|
||||
@ -3,6 +3,9 @@
|
||||
#
|
||||
/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
|
||||
/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
|
||||
/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
@ -21,4 +24,6 @@
|
||||
# /var
|
||||
#
|
||||
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
|
||||
|
||||
/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
|
||||
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
|
||||
|
||||
@ -152,3 +152,56 @@ interface(`bluetooth_dontaudit_read_helper_state',`
|
||||
dontaudit $1 bluetooth_helper_t:dir search;
|
||||
dontaudit $1 bluetooth_helper_t:file { read getattr };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an bluetooth environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the bluetooth domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`bluetooth_admin',`
|
||||
gen_require(`
|
||||
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
|
||||
type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
|
||||
type bluetooth_conf_t, bluetooth_conf_rw_t;
|
||||
type bluetooth_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 bluetooth_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, bluetooth_t)
|
||||
|
||||
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 bluetooth_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_tmp($1)
|
||||
admin_pattern($1, bluetooth_tmp_t)
|
||||
|
||||
files_list_var($1)
|
||||
admin_pattern($1, bluetooth_lock_t)
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, bluetooth_conf_t)
|
||||
admin_pattern($1, bluetooth_conf_rw_t)
|
||||
|
||||
files_list_spool($1)
|
||||
admin_pattern($1, bluetooth_spool_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, bluetooth_var_lib_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, bluetooth_var_run_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bluetooth, 3.0.0)
|
||||
policy_module(bluetooth, 3.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -34,6 +34,9 @@ typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t sec
|
||||
files_tmpfs_file(bluetooth_helper_tmpfs_t)
|
||||
ubac_constrained(bluetooth_helper_tmpfs_t)
|
||||
|
||||
type bluetooth_initrc_exec_t;
|
||||
init_script_file(bluetooth_initrc_exec_t)
|
||||
|
||||
type bluetooth_lock_t;
|
||||
files_lock_file(bluetooth_lock_t)
|
||||
|
||||
@ -51,14 +54,14 @@ files_pid_file(bluetooth_var_run_t)
|
||||
# Bluetooth services local policy
|
||||
#
|
||||
|
||||
allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
|
||||
allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
|
||||
dontaudit bluetooth_t self:capability sys_tty_config;
|
||||
allow bluetooth_t self:process { getsched signal_perms };
|
||||
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
|
||||
allow bluetooth_t self:shm create_shm_perms;
|
||||
allow bluetooth_t self:socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
|
||||
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -106,6 +109,7 @@ dev_read_sysfs(bluetooth_t)
|
||||
dev_rw_usbfs(bluetooth_t)
|
||||
dev_rw_generic_usb_dev(bluetooth_t)
|
||||
dev_read_urand(bluetooth_t)
|
||||
dev_rw_input_dev(bluetooth_t)
|
||||
|
||||
fs_getattr_all_fs(bluetooth_t)
|
||||
fs_search_auto_mountpoints(bluetooth_t)
|
||||
@ -124,12 +128,13 @@ files_read_etc_files(bluetooth_t)
|
||||
files_read_etc_runtime_files(bluetooth_t)
|
||||
files_read_usr_files(bluetooth_t)
|
||||
|
||||
auth_use_nsswitch(bluetooth_t)
|
||||
|
||||
logging_send_syslog_msg(bluetooth_t)
|
||||
|
||||
miscfiles_read_localization(bluetooth_t)
|
||||
miscfiles_read_fonts(bluetooth_t)
|
||||
|
||||
sysnet_read_config(bluetooth_t)
|
||||
miscfiles_read_hwdata(bluetooth_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
|
||||
userdom_dontaudit_use_user_terminals(bluetooth_t)
|
||||
@ -138,6 +143,10 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(bluetooth_t)
|
||||
dbus_connect_system_bus(bluetooth_t)
|
||||
|
||||
optional_policy(`
|
||||
cups_dbus_chat(bluetooth_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -64,6 +64,24 @@ interface(`dcc_domtrans_client',`
|
||||
domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a signal to the dcc_client.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dcc_signal_client',`
|
||||
gen_require(`
|
||||
type dcc_client_t;
|
||||
')
|
||||
|
||||
allow $1 dcc_client_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute dcc_client in the dcc_client domain, and
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dcc, 1.6.1)
|
||||
policy_module(dcc, 1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -105,25 +105,20 @@ corenet_udp_sendrecv_all_ports(cdcc_t)
|
||||
files_read_etc_files(cdcc_t)
|
||||
files_read_etc_runtime_files(cdcc_t)
|
||||
|
||||
auth_use_nsswitch(cdcc_t)
|
||||
|
||||
logging_send_syslog_msg(cdcc_t)
|
||||
|
||||
miscfiles_read_localization(cdcc_t)
|
||||
|
||||
sysnet_read_config(cdcc_t)
|
||||
sysnet_dns_name_resolve(cdcc_t)
|
||||
|
||||
userdom_use_user_terminals(cdcc_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(cdcc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# dcc procmail interface local policy
|
||||
#
|
||||
|
||||
allow dcc_client_t self:capability setuid;
|
||||
allow dcc_client_t self:capability { setuid setgid };
|
||||
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
|
||||
allow dcc_client_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -138,6 +133,8 @@ allow dcc_client_t dcc_var_t:dir list_dir_perms;
|
||||
read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
|
||||
read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
|
||||
|
||||
kernel_read_system_state(dcc_client_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(dcc_client_t)
|
||||
corenet_all_recvfrom_netlabel(dcc_client_t)
|
||||
corenet_udp_sendrecv_generic_if(dcc_client_t)
|
||||
@ -147,17 +144,16 @@ corenet_udp_sendrecv_all_ports(dcc_client_t)
|
||||
files_read_etc_files(dcc_client_t)
|
||||
files_read_etc_runtime_files(dcc_client_t)
|
||||
|
||||
auth_use_nsswitch(dcc_client_t)
|
||||
|
||||
logging_send_syslog_msg(dcc_client_t)
|
||||
|
||||
miscfiles_read_localization(dcc_client_t)
|
||||
|
||||
sysnet_read_config(dcc_client_t)
|
||||
sysnet_dns_name_resolve(dcc_client_t)
|
||||
|
||||
userdom_use_user_terminals(dcc_client_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(dcc_client_t)
|
||||
spamassassin_read_spamd_tmp_files(dcc_client_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -189,19 +185,14 @@ corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
|
||||
files_read_etc_files(dcc_dbclean_t)
|
||||
files_read_etc_runtime_files(dcc_dbclean_t)
|
||||
|
||||
auth_use_nsswitch(dcc_dbclean_t)
|
||||
|
||||
logging_send_syslog_msg(dcc_dbclean_t)
|
||||
|
||||
miscfiles_read_localization(dcc_dbclean_t)
|
||||
|
||||
sysnet_read_config(dcc_dbclean_t)
|
||||
sysnet_dns_name_resolve(dcc_dbclean_t)
|
||||
|
||||
userdom_use_user_terminals(dcc_dbclean_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(dcc_dbclean_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Server daemon local policy
|
||||
@ -259,20 +250,15 @@ files_read_etc_runtime_files(dccd_t)
|
||||
fs_getattr_all_fs(dccd_t)
|
||||
fs_search_auto_mountpoints(dccd_t)
|
||||
|
||||
auth_use_nsswitch(dccd_t)
|
||||
|
||||
logging_send_syslog_msg(dccd_t)
|
||||
|
||||
miscfiles_read_localization(dccd_t)
|
||||
|
||||
sysnet_read_config(dccd_t)
|
||||
sysnet_dns_name_resolve(dccd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(dccd_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(dccd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(dccd_t)
|
||||
')
|
||||
@ -329,20 +315,15 @@ files_read_etc_runtime_files(dccifd_t)
|
||||
fs_getattr_all_fs(dccifd_t)
|
||||
fs_search_auto_mountpoints(dccifd_t)
|
||||
|
||||
auth_use_nsswitch(dccifd_t)
|
||||
|
||||
logging_send_syslog_msg(dccifd_t)
|
||||
|
||||
miscfiles_read_localization(dccifd_t)
|
||||
|
||||
sysnet_read_config(dccifd_t)
|
||||
sysnet_dns_name_resolve(dccifd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(dccifd_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(dccifd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(dccifd_t)
|
||||
')
|
||||
@ -398,20 +379,15 @@ files_read_etc_runtime_files(dccm_t)
|
||||
fs_getattr_all_fs(dccm_t)
|
||||
fs_search_auto_mountpoints(dccm_t)
|
||||
|
||||
auth_use_nsswitch(dccm_t)
|
||||
|
||||
logging_send_syslog_msg(dccm_t)
|
||||
|
||||
miscfiles_read_localization(dccm_t)
|
||||
|
||||
sysnet_read_config(dccm_t)
|
||||
sysnet_dns_name_resolve(dccm_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
|
||||
userdom_dontaudit_search_user_home_dirs(dccm_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(dccm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(dccm_t)
|
||||
')
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
|
||||
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
|
||||
/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
|
||||
/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
|
||||
|
||||
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
|
||||
|
||||
@ -17,7 +18,7 @@
|
||||
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
|
||||
|
||||
/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
|
||||
/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0)
|
||||
/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0)
|
||||
|
||||
/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
|
||||
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
|
||||
|
||||
@ -18,6 +18,45 @@ interface(`hal_domtrans',`
|
||||
domtrans_pattern($1, hald_exec_t, hald_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of a hal process.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_getattr',`
|
||||
gen_require(`
|
||||
type hald_t;
|
||||
')
|
||||
|
||||
allow $1 hald_t:process getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read hal system state
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_read_state',`
|
||||
gen_require(`
|
||||
type hald_t;
|
||||
')
|
||||
|
||||
allow $1 hald_t:dir list_dir_perms;
|
||||
read_files_pattern($1, hald_t, hald_t)
|
||||
read_lnk_files_pattern($1, hald_t, hald_t)
|
||||
dontaudit $1 hald_t:process ptrace;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow ptrace of hal domain
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal, 1.10.1)
|
||||
policy_module(hal, 1.10.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -297,6 +297,10 @@ optional_policy(`
|
||||
vbetool_domtrans(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_manage_images(hald_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Hal acl local policy
|
||||
@ -338,6 +342,8 @@ storage_setattr_removable_dev(hald_acl_t)
|
||||
|
||||
auth_use_nsswitch(hald_acl_t)
|
||||
|
||||
logging_send_syslog_msg(hald_acl_t)
|
||||
|
||||
miscfiles_read_localization(hald_acl_t)
|
||||
|
||||
########################################
|
||||
@ -345,6 +351,8 @@ miscfiles_read_localization(hald_acl_t)
|
||||
# Local hald mac policy
|
||||
#
|
||||
|
||||
allow hald_mac_t self:capability { setgid setuid };
|
||||
|
||||
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
|
||||
allow hald_t hald_mac_t:process signal;
|
||||
allow hald_mac_t hald_t:unix_stream_socket connectto;
|
||||
@ -353,6 +361,8 @@ manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
|
||||
manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
|
||||
files_search_var_lib(hald_mac_t)
|
||||
|
||||
write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
|
||||
|
||||
kernel_read_system_state(hald_mac_t)
|
||||
|
||||
dev_read_raw_memory(hald_mac_t)
|
||||
@ -360,6 +370,9 @@ dev_write_raw_memory(hald_mac_t)
|
||||
dev_read_sysfs(hald_mac_t)
|
||||
|
||||
files_read_usr_files(hald_mac_t)
|
||||
files_read_etc_files(hald_mac_t)
|
||||
|
||||
auth_use_nsswitch(hald_mac_t)
|
||||
|
||||
miscfiles_read_localization(hald_mac_t)
|
||||
|
||||
@ -379,6 +392,8 @@ manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
|
||||
manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
|
||||
files_search_var_lib(hald_sonypic_t)
|
||||
|
||||
write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
|
||||
|
||||
files_read_usr_files(hald_sonypic_t)
|
||||
|
||||
miscfiles_read_localization(hald_sonypic_t)
|
||||
@ -396,12 +411,10 @@ manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
|
||||
manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
|
||||
files_search_var_lib(hald_keymap_t)
|
||||
|
||||
write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
|
||||
|
||||
dev_rw_input_dev(hald_keymap_t)
|
||||
|
||||
files_read_usr_files(hald_keymap_t)
|
||||
|
||||
miscfiles_read_localization(hald_keymap_t)
|
||||
|
||||
# This is caused by a bug in hald and PolicyKit.
|
||||
# Should be removed when this is fixed
|
||||
#cron_read_system_job_lib_files(hald_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user