more work on current modules
This commit is contained in:
parent
ebdc3b7902
commit
fd89e19f12
@ -51,6 +51,10 @@ files_dontaudit_read_root_file(consoletype_t)
|
|||||||
libs_use_ld_so(consoletype_t)
|
libs_use_ld_so(consoletype_t)
|
||||||
libs_use_shared_libs(consoletype_t)
|
libs_use_shared_libs(consoletype_t)
|
||||||
|
|
||||||
|
userdom_use_sysadm_terms(consoletype_t)
|
||||||
|
userdom_use_sysadm_fd(consoletype_t)
|
||||||
|
userdom_rw_sysadm_pipe(consoletype_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
fs_use_tmpfs_chr_dev(consoletype_t)
|
fs_use_tmpfs_chr_dev(consoletype_t)
|
||||||
')
|
')
|
||||||
@ -59,6 +63,10 @@ optional_policy(`authlogin.te', `
|
|||||||
auth_read_pam_pid(consoletype_t)
|
auth_read_pam_pid(consoletype_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`cron.te',`
|
||||||
|
cron_read_pipe(consoletype_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`logrotate.te',`
|
optional_policy(`logrotate.te',`
|
||||||
logrotate_dontaudit_use_fd(consoletype_t)
|
logrotate_dontaudit_use_fd(consoletype_t)
|
||||||
')
|
')
|
||||||
@ -77,21 +85,19 @@ optional_policy(`userdomain.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
allow consoletype_t sysadm_t:fd use;
|
|
||||||
allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
|
|
||||||
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
|
|
||||||
|
|
||||||
allow consoletype_t nfs_t:file write;
|
allow consoletype_t nfs_t:file write;
|
||||||
|
|
||||||
allow consoletype_t crond_t:fifo_file r_file_perms;
|
|
||||||
allow consoletype_t system_crond_t:fd use;
|
allow consoletype_t system_crond_t:fd use;
|
||||||
|
|
||||||
optional_policy(`xdm.te', `
|
optional_policy(`xdm.te', `
|
||||||
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
|
|
||||||
allow consoletype_t xdm_tmp_t:file rw_file_perms;
|
allow consoletype_t xdm_tmp_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# is goes to xserver module
|
||||||
|
optional_policy(`consoletype.te',`
|
||||||
|
consoletype_domtrans(xdm_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`lpd.te', `
|
optional_policy(`lpd.te', `
|
||||||
allow consoletype_t printconf_t:file r_file_perms;
|
allow consoletype_t printconf_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
@ -150,8 +150,6 @@ allow squid_t self:capability kill;
|
|||||||
# for /var/lib/logrotate.status and /var/lib/logcheck
|
# for /var/lib/logrotate.status and /var/lib/logcheck
|
||||||
file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
|
file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
|
||||||
|
|
||||||
allow crond_t logrotate_var_lib_t:dir search;
|
|
||||||
|
|
||||||
# for /var/backups on Debian
|
# for /var/backups on Debian
|
||||||
ifdef(`backup.te', `
|
ifdef(`backup.te', `
|
||||||
rw_dir_create_file(logrotate_t, backup_store_t)
|
rw_dir_create_file(logrotate_t, backup_store_t)
|
||||||
|
@ -135,13 +135,17 @@ optional_policy(`sysnetwork.te',`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
in_user_role(ping_t)
|
in_user_role(ping_t)
|
||||||
tunable_policy(`user_ping',`
|
tunable_policy(`user_ping',`
|
||||||
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
|
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
|
||||||
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
|
||||||
')
|
')
|
||||||
|
ifdef(`cardmgr.te',`
|
||||||
|
allow ping_t cardmgr_t:fd use;
|
||||||
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,6 +1,11 @@
|
|||||||
|
|
||||||
policy_module(corenetwork,1.0)
|
policy_module(corenetwork,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
attribute netif_type;
|
attribute netif_type;
|
||||||
attribute node_type;
|
attribute node_type;
|
||||||
attribute port_type;
|
attribute port_type;
|
||||||
|
@ -646,6 +646,80 @@ interface(`dev_manage_all_chr_files',`
|
|||||||
typeattribute $1 memory_raw_read, memory_raw_write;
|
typeattribute $1 memory_raw_read, memory_raw_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of the apm bios device node.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_getattr_apm_bios',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, apm_bios_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 device_t:dir r_dir_perms;
|
||||||
|
allow $1 apm_bios_t:chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to get the attributes of
|
||||||
|
## the apm bios device node.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_dontaudit_getattr_apm_bios',`
|
||||||
|
gen_require(`
|
||||||
|
type apm_bios_t;
|
||||||
|
class chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 apm_bios_t:chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes of the apm bios device node.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_setattr_apm_bios',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, apm_bios_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 device_t:dir r_dir_perms;
|
||||||
|
allow $1 apm_bios_t:chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to set the attributes of
|
||||||
|
## the apm bios device node.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_dontaudit_setattr_apm_bios',`
|
||||||
|
gen_require(`
|
||||||
|
type apm_bios_t;
|
||||||
|
class chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 apm_bios_t:chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write the apm bios.
|
## Read and write the apm bios.
|
||||||
@ -1163,7 +1237,7 @@ interface(`dev_write_mtrr',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of the framebuffer device.
|
## Get the attributes of the framebuffer device node.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
@ -1171,7 +1245,7 @@ interface(`dev_write_mtrr',`
|
|||||||
#
|
#
|
||||||
interface(`dev_getattr_framebuffer',`
|
interface(`dev_getattr_framebuffer',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type framebuf_device_t;
|
type device_t, framebuf_device_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class chr_file getattr;
|
class chr_file getattr;
|
||||||
')
|
')
|
||||||
@ -1182,7 +1256,7 @@ interface(`dev_getattr_framebuffer',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Set the attributes of the framebuffer device.
|
## Set the attributes of the framebuffer device node.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
@ -1190,9 +1264,9 @@ interface(`dev_getattr_framebuffer',`
|
|||||||
#
|
#
|
||||||
interface(`dev_setattr_framebuffer',`
|
interface(`dev_setattr_framebuffer',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type framebuf_device_t;
|
type device_t, framebuf_device_t;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
class chr_file getattr;
|
class chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 device_t:dir r_dir_perms;
|
allow $1 device_t:dir r_dir_perms;
|
||||||
@ -1201,7 +1275,25 @@ interface(`dev_setattr_framebuffer',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read the framebuffer device.
|
## Dot not audit attempts to set the attributes
|
||||||
|
## of the framebuffer device node.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_dontaudit_setattr_framebuffer',`
|
||||||
|
gen_require(`
|
||||||
|
type framebuf_device_t;
|
||||||
|
class chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 framebuf_device_t:chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read the framebuffer.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
@ -1220,7 +1312,24 @@ interface(`dev_read_framebuffer',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Write the framebuffer device.
|
## Do not audit attempts to read the framebuffer.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_dontaudit_read_framebuffer',`
|
||||||
|
gen_require(`
|
||||||
|
type framebuf_device_t;
|
||||||
|
class chr_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 framebuf_device_t:chr_file { getattr read };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Write the framebuffer.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Domain allowed access.
|
## Domain allowed access.
|
||||||
@ -1763,6 +1872,23 @@ interface(`dev_rw_sysfs',`
|
|||||||
allow $1 sysfs_t:file rw_file_perms;
|
allow $1 sysfs_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Mount a usbfs filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_mount_usbfs',`
|
||||||
|
gen_require(`
|
||||||
|
type usbfs_t;
|
||||||
|
class filesystem mount;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 usbfs_t:filesystem mount;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search the directory containing USB hardware information.
|
## Search the directory containing USB hardware information.
|
||||||
@ -1848,7 +1974,7 @@ interface(`dev_rw_usbfs',`
|
|||||||
## Get the attributes of video4linux devices.
|
## Get the attributes of video4linux devices.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The process type modifying the options.
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_getattr_video_dev',`
|
interface(`dev_getattr_video_dev',`
|
||||||
@ -1864,10 +1990,28 @@ interface(`dev_getattr_video_dev',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Set the attributes of video4linux devices.
|
## Do not audit attempts to get the attributes
|
||||||
|
## of video4linux device nodes.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The process type modifying the options.
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_dontaudit_getattr_video_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type v4l_device_t;
|
||||||
|
class chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 v4l_device_t:chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes of video4linux device nodes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_setattr_video_dev',`
|
interface(`dev_setattr_video_dev',`
|
||||||
@ -1881,3 +2025,20 @@ interface(`dev_setattr_video_dev',`
|
|||||||
allow $1 v4l_device_t:chr_file setattr;
|
allow $1 v4l_device_t:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to set the attributes
|
||||||
|
## of video4linux device nodes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_dontaudit_setattr_video_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type v4l_device_t;
|
||||||
|
class chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 v4l_device_t:chr_file setattr;
|
||||||
|
')
|
||||||
|
@ -1,6 +1,11 @@
|
|||||||
|
|
||||||
policy_module(devices,1.0)
|
policy_module(devices,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
attribute device_node;
|
attribute device_node;
|
||||||
attribute memory_raw_read;
|
attribute memory_raw_read;
|
||||||
attribute memory_raw_write;
|
attribute memory_raw_write;
|
||||||
@ -19,7 +24,7 @@ fs_associate_tmpfs(device_t)
|
|||||||
# a device node has no specific type yet, but is for some
|
# a device node has no specific type yet, but is for some
|
||||||
# reason labeled with a specific type
|
# reason labeled with a specific type
|
||||||
#cjp: want this, but udev policy breaks this
|
#cjp: want this, but udev policy breaks this
|
||||||
#neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
|
#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Type for /dev/agpgart
|
# Type for /dev/agpgart
|
||||||
|
@ -1,10 +1,15 @@
|
|||||||
|
|
||||||
policy_module(filesystem,1.0)
|
policy_module(filesystem,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
attribute filesystem_type;
|
attribute filesystem_type;
|
||||||
attribute noxattrfs;
|
attribute noxattrfs;
|
||||||
|
|
||||||
########################################
|
##############################
|
||||||
#
|
#
|
||||||
# fs_t is the default type for persistent
|
# fs_t is the default type for persistent
|
||||||
# filesystems with extended attributes
|
# filesystems with extended attributes
|
||||||
@ -27,7 +32,7 @@ fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
|
|||||||
fs_use_task pipefs context_template(system_u:object_r:fs_t,s0);
|
fs_use_task pipefs context_template(system_u:object_r:fs_t,s0);
|
||||||
fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);
|
fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);
|
||||||
|
|
||||||
########################################
|
##############################
|
||||||
#
|
#
|
||||||
# Non-persistent/pseudo filesystems
|
# Non-persistent/pseudo filesystems
|
||||||
#
|
#
|
||||||
@ -75,7 +80,7 @@ fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
|
|||||||
allow tmpfs_t self:filesystem associate;
|
allow tmpfs_t self:filesystem associate;
|
||||||
allow tmpfs_t noxattrfs:filesystem associate;
|
allow tmpfs_t noxattrfs:filesystem associate;
|
||||||
|
|
||||||
########################################
|
##############################
|
||||||
#
|
#
|
||||||
# Filesystems without extended attribute support
|
# Filesystems without extended attribute support
|
||||||
#
|
#
|
||||||
|
@ -1,6 +1,11 @@
|
|||||||
|
|
||||||
policy_module(storage,1.0)
|
policy_module(storage,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
attribute fixed_disk_raw_read;
|
attribute fixed_disk_raw_read;
|
||||||
attribute fixed_disk_raw_write;
|
attribute fixed_disk_raw_write;
|
||||||
attribute scsi_generic_read;
|
attribute scsi_generic_read;
|
||||||
|
@ -1,6 +1,10 @@
|
|||||||
|
|
||||||
policy_module(terminal,1.0)
|
policy_module(terminal,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
attribute ptynode;
|
attribute ptynode;
|
||||||
attribute server_ptynode;
|
attribute server_ptynode;
|
||||||
|
@ -302,6 +302,24 @@ interface(`cron_system_entry',`
|
|||||||
allow $1 crond_t:process sigchld;
|
allow $1 crond_t:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read a cron daemon unnamed pipe
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process to performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`cron_read_pipe',`
|
||||||
|
gen_require(`
|
||||||
|
type crond_t;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 crond_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write the cron daemon log files.
|
## Read and write the cron daemon log files.
|
||||||
|
@ -142,6 +142,8 @@ kernel_read_system_state(pam_console_t)
|
|||||||
kernel_use_fd(pam_console_t)
|
kernel_use_fd(pam_console_t)
|
||||||
|
|
||||||
dev_read_sysfs(pam_console_t)
|
dev_read_sysfs(pam_console_t)
|
||||||
|
dev_getattr_apm_bios(pam_console_t)
|
||||||
|
dev_setattr_apm_bios(pam_console_t)
|
||||||
dev_getattr_framebuffer(pam_console_t)
|
dev_getattr_framebuffer(pam_console_t)
|
||||||
dev_setattr_framebuffer(pam_console_t)
|
dev_setattr_framebuffer(pam_console_t)
|
||||||
dev_getattr_misc(pam_console_t)
|
dev_getattr_misc(pam_console_t)
|
||||||
@ -216,8 +218,6 @@ optional_policy(`rhgb.te', `
|
|||||||
rhgb_domain(pam_console_t)
|
rhgb_domain(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
allow pam_console_t apm_bios_t:chr_file { getattr setattr };
|
|
||||||
|
|
||||||
ifdef(`gpm.te', `
|
ifdef(`gpm.te', `
|
||||||
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
|
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
|
||||||
')
|
')
|
||||||
|
@ -1,6 +1,11 @@
|
|||||||
|
|
||||||
policy_module(corecommands,1.0)
|
policy_module(corecommands,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# bin_t is the type of files in the system bin directories.
|
# bin_t is the type of files in the system bin directories.
|
||||||
#
|
#
|
||||||
|
@ -1,6 +1,11 @@
|
|||||||
|
|
||||||
policy_module(domain,1.0)
|
policy_module(domain,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
# Mark process types as domains
|
# Mark process types as domains
|
||||||
attribute domain;
|
attribute domain;
|
||||||
|
|
||||||
|
@ -745,6 +745,23 @@ interface(`files_manage_isid_type_chr_node',`
|
|||||||
allow $1 file_t:chr_file create_file_perms;
|
allow $1 file_t:chr_file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search home directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_search_home',`
|
||||||
|
gen_require(`
|
||||||
|
type home_root_t;
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 home_root_t:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get listing of home directories.
|
## Get listing of home directories.
|
||||||
|
@ -1,6 +1,11 @@
|
|||||||
|
|
||||||
policy_module(files,1.0)
|
policy_module(files,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
attribute file_type;
|
attribute file_type;
|
||||||
attribute lockfile;
|
attribute lockfile;
|
||||||
attribute mountpoint;
|
attribute mountpoint;
|
||||||
|
@ -5,6 +5,7 @@ policy_module(fstools,1.0)
|
|||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
type fsadm_t;
|
type fsadm_t;
|
||||||
type fsadm_exec_t;
|
type fsadm_exec_t;
|
||||||
init_system_domain(fsadm_t,fsadm_exec_t)
|
init_system_domain(fsadm_t,fsadm_exec_t)
|
||||||
@ -17,6 +18,9 @@ type swapfile_t;
|
|||||||
files_type(swapfile_t)
|
files_type(swapfile_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
#
|
||||||
|
# local policy
|
||||||
|
#
|
||||||
|
|
||||||
# ipc_lock is for losetup
|
# ipc_lock is for losetup
|
||||||
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
|
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
|
||||||
|
@ -291,7 +291,7 @@ sysnet_read_config(initrc_t)
|
|||||||
|
|
||||||
udev_rw_db(initrc_t)
|
udev_rw_db(initrc_t)
|
||||||
|
|
||||||
userdom_read_all_user_data(initrc_t)
|
userdom_read_all_user_files(initrc_t)
|
||||||
# Allow access to the sysadm TTYs. Note that this will give access to the
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
||||||
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
||||||
# started from init should be placed in their own domain.
|
# started from init should be placed in their own domain.
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
## <summary>Policy for local logins.</summary>
|
## <summary>Policy for local logins.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Execute local logins in the locallogin domain.
|
## Execute local logins in the local login domain.
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
@ -17,9 +17,9 @@ interface(`locallogin_domtrans',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Allow processes to inherit local login file descriptors
|
## Allow processes to inherit local login file descriptors
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
@ -33,3 +33,19 @@ interface(`locallogin_use_fd',`
|
|||||||
allow $1 local_login_t:fd use;
|
allow $1 local_login_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send a null signal to local login processes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`locallogin_signull',`
|
||||||
|
gen_require(`
|
||||||
|
type local_login_t;
|
||||||
|
class process signull;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 local_login_t:process signull;
|
||||||
|
')
|
||||||
|
@ -56,10 +56,14 @@ kernel_read_kernel_sysctl(local_login_t)
|
|||||||
|
|
||||||
dev_setattr_mouse(local_login_t)
|
dev_setattr_mouse(local_login_t)
|
||||||
dev_getattr_mouse(local_login_t)
|
dev_getattr_mouse(local_login_t)
|
||||||
dev_getattr_snd_dev(local_login_t)
|
|
||||||
dev_setattr_snd_dev(local_login_t)
|
|
||||||
dev_getattr_power_management(local_login_t)
|
dev_getattr_power_management(local_login_t)
|
||||||
dev_setattr_power_management(local_login_t)
|
dev_setattr_power_management(local_login_t)
|
||||||
|
dev_getattr_snd_dev(local_login_t)
|
||||||
|
dev_setattr_snd_dev(local_login_t)
|
||||||
|
dev_dontaudit_getattr_apm_bios(local_login_t)
|
||||||
|
dev_dontaudit_setattr_apm_bios(local_login_t)
|
||||||
|
dev_dontaudit_read_framebuffer(local_login_t)
|
||||||
|
dev_dontaudit_setattr_framebuffer(local_login_t)
|
||||||
dev_dontaudit_getattr_generic_blk_file(local_login_t)
|
dev_dontaudit_getattr_generic_blk_file(local_login_t)
|
||||||
dev_dontaudit_setattr_generic_blk_file(local_login_t)
|
dev_dontaudit_setattr_generic_blk_file(local_login_t)
|
||||||
dev_dontaudit_getattr_generic_chr_file(local_login_t)
|
dev_dontaudit_getattr_generic_chr_file(local_login_t)
|
||||||
@ -69,6 +73,8 @@ dev_dontaudit_setattr_misc(local_login_t)
|
|||||||
dev_dontaudit_getattr_scanner(local_login_t)
|
dev_dontaudit_getattr_scanner(local_login_t)
|
||||||
dev_dontaudit_setattr_scanner(local_login_t)
|
dev_dontaudit_setattr_scanner(local_login_t)
|
||||||
dev_dontaudit_search_sysfs(local_login_t)
|
dev_dontaudit_search_sysfs(local_login_t)
|
||||||
|
dev_dontaudit_getattr_video_dev(local_login_t)
|
||||||
|
dev_dontaudit_setattr_video_dev(local_login_t)
|
||||||
# for SSP/ProPolice
|
# for SSP/ProPolice
|
||||||
dev_read_urand(local_login_t)
|
dev_read_urand(local_login_t)
|
||||||
|
|
||||||
@ -175,16 +181,12 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
|
|||||||
# for when /var/mail is a sym-link
|
# for when /var/mail is a sym-link
|
||||||
allow local_login_t var_t:lnk_file read;
|
allow local_login_t var_t:lnk_file read;
|
||||||
|
|
||||||
# Do not audit denied attempts to access devices.
|
|
||||||
dontaudit local_login_t device_t:lnk_file { getattr setattr };
|
dontaudit local_login_t device_t:lnk_file { getattr setattr };
|
||||||
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
|
|
||||||
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
|
|
||||||
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
|
|
||||||
|
|
||||||
# FIXME: what is this for?
|
|
||||||
optional_policy(`xdm.te', `
|
|
||||||
allow xdm_t local_login_t:process signull;
|
|
||||||
|
|
||||||
|
# this goes to xserver:
|
||||||
|
optional_policy(`locallogin.te',`
|
||||||
|
# FIXME: what is this for?
|
||||||
|
locallogin_signull(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
@ -237,6 +239,7 @@ auth_read_shadow(sulogin_t)
|
|||||||
|
|
||||||
userdom_shell_domtrans_sysadm(sulogin_t)
|
userdom_shell_domtrans_sysadm(sulogin_t)
|
||||||
userdom_use_unpriv_users_fd(sulogin_t)
|
userdom_use_unpriv_users_fd(sulogin_t)
|
||||||
|
userdom_use_sysadm_pty(sulogin_t)
|
||||||
|
|
||||||
# suse and debian do not use pam with sulogin...
|
# suse and debian do not use pam with sulogin...
|
||||||
ifdef(`monolithic_policy',`
|
ifdef(`monolithic_policy',`
|
||||||
@ -262,6 +265,5 @@ optional_policy(`nis.te',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
|
|
||||||
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
@ -82,6 +82,10 @@ libs_use_shared_libs(auditd_t)
|
|||||||
miscfiles_read_localization(auditd_t)
|
miscfiles_read_localization(auditd_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
|
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
|
||||||
|
# cjp: this is questionable. it should probably
|
||||||
|
# be a userdom_dontaudit_use_sysadm_terms(auditd_t)
|
||||||
|
# in a direct_sysadm_daemon tunable
|
||||||
|
userdom_use_sysadm_tty(auditd_t)
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
term_dontaudit_use_unallocated_tty(auditd_t)
|
term_dontaudit_use_unallocated_tty(auditd_t)
|
||||||
@ -106,9 +110,6 @@ rhgb_domain(auditd_t)
|
|||||||
')
|
')
|
||||||
|
|
||||||
dontaudit auditd_t sysadm_home_dir_t:dir search;
|
dontaudit auditd_t sysadm_home_dir_t:dir search;
|
||||||
|
|
||||||
# cjp: this is questionable:
|
|
||||||
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,6 +1,11 @@
|
|||||||
|
|
||||||
policy_module(miscfiles,1.0)
|
policy_module(miscfiles,1.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# catman_t is the type for /var/catman.
|
# catman_t is the type for /var/catman.
|
||||||
#
|
#
|
||||||
|
@ -68,6 +68,9 @@ dev_rw_agp_dev(insmod_t)
|
|||||||
dev_read_snd_dev(insmod_t)
|
dev_read_snd_dev(insmod_t)
|
||||||
dev_write_snd_dev(insmod_t)
|
dev_write_snd_dev(insmod_t)
|
||||||
dev_rw_apm_bios(insmod_t)
|
dev_rw_apm_bios(insmod_t)
|
||||||
|
# cjp: why is this needed? insmod cannot mounton any dir
|
||||||
|
# and it also transitions to mount
|
||||||
|
dev_mount_usbfs(insmod_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(insmod_t)
|
fs_getattr_xattr_fs(insmod_t)
|
||||||
|
|
||||||
@ -104,17 +107,10 @@ optional_policy(`mount.te',`
|
|||||||
mount_domtrans(insmod_t)
|
mount_domtrans(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
optional_policy(`xserver.te',`
|
||||||
|
xserver_getattr_log(insmod_t)
|
||||||
ifdef(`xserver.te', `
|
|
||||||
allow insmod_t xserver_log_t:file getattr;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
# why is this needed? insmod cannot mounton any dir
|
|
||||||
# and it also transitions to mount
|
|
||||||
allow insmod_t usbfs_t:filesystem mount;
|
|
||||||
') dnl if TODO
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# depmod local policy
|
# depmod local policy
|
||||||
@ -153,13 +149,14 @@ files_read_usr_src_files(depmod_t)
|
|||||||
libs_use_ld_so(depmod_t)
|
libs_use_ld_so(depmod_t)
|
||||||
libs_use_shared_libs(depmod_t)
|
libs_use_shared_libs(depmod_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
|
|
||||||
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
|
||||||
|
|
||||||
# Read System.map from home directories.
|
# Read System.map from home directories.
|
||||||
allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
|
files_list_home(depmod_t)
|
||||||
r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
|
userdom_read_staff_home_files(depmod_t)
|
||||||
|
userdom_read_sysadm_home_files(depmod_t)
|
||||||
|
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
|
||||||
') dnl end ifdef TODO
|
') dnl end ifdef TODO
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
|
@ -435,7 +435,7 @@ miscfiles_read_localization(setfiles_t)
|
|||||||
|
|
||||||
userdom_use_all_user_fd(setfiles_t)
|
userdom_use_all_user_fd(setfiles_t)
|
||||||
# for config files in a home directory
|
# for config files in a home directory
|
||||||
userdom_read_all_user_data(setfiles_t)
|
userdom_read_all_user_files(setfiles_t)
|
||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
kernel_relabel_unlabeled(setfiles_t)
|
kernel_relabel_unlabeled(setfiles_t)
|
||||||
|
@ -120,6 +120,7 @@ domain_use_wide_inherit_fd(dhcpc_t)
|
|||||||
|
|
||||||
files_read_etc_files(dhcpc_t)
|
files_read_etc_files(dhcpc_t)
|
||||||
files_read_etc_runtime_files(dhcpc_t)
|
files_read_etc_runtime_files(dhcpc_t)
|
||||||
|
files_search_home(dhcpc_t)
|
||||||
|
|
||||||
init_use_fd(dhcpc_t)
|
init_use_fd(dhcpc_t)
|
||||||
init_use_script_pty(dhcpc_t)
|
init_use_script_pty(dhcpc_t)
|
||||||
@ -153,6 +154,11 @@ optional_policy(`hostname.te',`
|
|||||||
hostname_domtrans(dhcpc_t)
|
hostname_domtrans(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# for the dhcp client to run ping to check IP addresses
|
||||||
|
optional_policy(`netutils.te',`
|
||||||
|
netutils_domtrans_ping(dhcpc_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind(dhcpc_t)
|
nis_use_ypbind(dhcpc_t)
|
||||||
# dhclient sometimes starts ypbind
|
# dhclient sometimes starts ypbind
|
||||||
@ -189,10 +195,18 @@ optional_policy(`rhgb.te',`
|
|||||||
rhgb_domain(dhcpc_t)
|
rhgb_domain(dhcpc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`cardmgr.te', `
|
ifdef(`cardmgr.te',`
|
||||||
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
|
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
|
||||||
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
|
')
|
||||||
allow cardmgr_t dhcpc_t:process signal_perms;
|
|
||||||
|
#this goes to pcmcia module
|
||||||
|
optional_policy(`sysnetwork.te',`
|
||||||
|
sysnet_read_dhcpc_pid(cardmgr_t)
|
||||||
|
sysnet_kill_dhcpc(cardmgr_t)
|
||||||
|
sysnet_sigchld_dhcpc(cardmgr_t)
|
||||||
|
sysnet_signal_dhcpc(cardmgr_t)
|
||||||
|
sysnet_signull_dhcpc(cardmgr_t)
|
||||||
|
sysnet_sigstop_dhcpc(cardmgr_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hotplug.te', `
|
optional_policy(`hotplug.te', `
|
||||||
@ -203,17 +217,7 @@ optional_policy(`hotplug.te', `
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
# for the dhcp client to run ping to check IP addresses
|
|
||||||
optional_policy(`netutils.te',`
|
|
||||||
netutils_domtrans_ping(dhcpc_t)
|
|
||||||
|
|
||||||
ifdef(`cardmgr.te',`
|
|
||||||
allow ping_t cardmgr_t:fd use;
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
allow dhcpc_t var_lib_t:dir search;
|
allow dhcpc_t var_lib_t:dir search;
|
||||||
allow dhcpc_t home_root_t:dir search;
|
|
||||||
dontaudit dhcpc_t var_lock_t:dir search;
|
dontaudit dhcpc_t var_lock_t:dir search;
|
||||||
dontaudit dhcpc_t selinux_config_t:dir search;
|
dontaudit dhcpc_t selinux_config_t:dir search;
|
||||||
dontaudit dhcpc_t domain:dir getattr;
|
dontaudit dhcpc_t domain:dir getattr;
|
||||||
|
@ -118,6 +118,8 @@ seutil_domtrans_restorecon(udev_t)
|
|||||||
|
|
||||||
sysnet_domtrans_ifconfig(udev_t)
|
sysnet_domtrans_ifconfig(udev_t)
|
||||||
|
|
||||||
|
userdom_use_sysadm_tty(udev_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
fs_manage_tmpfs_symlinks(udev_t)
|
fs_manage_tmpfs_symlinks(udev_t)
|
||||||
fs_manage_tmpfs_sockets(udev_t)
|
fs_manage_tmpfs_sockets(udev_t)
|
||||||
@ -147,9 +149,12 @@ optional_policy(`sysnetwork.te',`
|
|||||||
sysnet_domtrans_dhcpc(udev_t)
|
sysnet_domtrans_dhcpc(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`xserver.te',`
|
||||||
|
xserver_read_xdm_pid(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
allow udev_t devpts_t:dir { getattr search };
|
allow udev_t devpts_t:dir { getattr search };
|
||||||
allow udev_t sysadm_tty_device_t:chr_file { read write };
|
|
||||||
|
|
||||||
# Dontaudits
|
# Dontaudits
|
||||||
dontaudit udev_t staff_home_dir_t:dir search;
|
dontaudit udev_t staff_home_dir_t:dir search;
|
||||||
@ -159,8 +164,4 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
|
|||||||
|
|
||||||
dbusd_client(system, udev)
|
dbusd_client(system, udev)
|
||||||
|
|
||||||
optional_policy(`xdm.te',`
|
|
||||||
allow udev_t xdm_var_run_t:file { getattr read };
|
|
||||||
')
|
|
||||||
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
@ -907,6 +907,27 @@ interface(`userdom_shell_domtrans_sysadm',`
|
|||||||
corecmd_domtrans_shell($1,sysadm_t)
|
corecmd_domtrans_shell($1,sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read files in the staff users home directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_read_staff_home_files',`
|
||||||
|
gen_require(`
|
||||||
|
type staff_home_dir_t, staff_home_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
|
||||||
|
allow $1 staff_home_t:{ file lnk_file } r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write sysadm ttys.
|
## Read and write sysadm ttys.
|
||||||
@ -918,12 +939,31 @@ interface(`userdom_shell_domtrans_sysadm',`
|
|||||||
interface(`userdom_use_sysadm_tty',`
|
interface(`userdom_use_sysadm_tty',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type sysadm_tty_device_t;
|
type sysadm_tty_device_t;
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
term_list_ptys($1)
|
term_list_ptys($1)
|
||||||
allow $1 sysadm_tty_device_t:chr_file { getattr read write ioctl };
|
allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write sysadm ptys.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_use_sysadm_pty',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_devpts_t;
|
||||||
|
class chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
dev_list_all_dev_nodes($1)
|
||||||
|
term_list_ptys($1)
|
||||||
|
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -937,12 +977,12 @@ interface(`userdom_use_sysadm_tty',`
|
|||||||
interface(`userdom_use_sysadm_terms',`
|
interface(`userdom_use_sysadm_terms',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute admin_terminal;
|
attribute admin_terminal;
|
||||||
class chr_file { getattr read write ioctl };
|
class chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
term_list_ptys($1)
|
term_list_ptys($1)
|
||||||
allow $1 admin_terminal:chr_file { getattr read write ioctl };
|
allow $1 admin_terminal:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -962,6 +1002,61 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
|
|||||||
dontaudit $1 admin_terminal:chr_file { read write };
|
dontaudit $1 admin_terminal:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Inherit and use sysadm file descriptors
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_use_sysadm_fd',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_t;
|
||||||
|
class fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 sysadm_t:fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write sysadm user unnamed pipes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_rw_sysadm_pipe',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_t;
|
||||||
|
class fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 sysadm_t:fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read files in the sysadm users home directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_read_sysadm_home_files',`
|
||||||
|
gen_require(`
|
||||||
|
type sysadm_home_dir_t, sysadm_home_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
|
||||||
|
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search all users home directories.
|
## Search all users home directories.
|
||||||
@ -988,7 +1083,7 @@ interface(`userdom_search_all_users_home',`
|
|||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`userdom_read_all_user_data',`
|
interface(`userdom_read_all_user_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute home_type;
|
attribute home_type;
|
||||||
class dir r_dir_perms;
|
class dir r_dir_perms;
|
||||||
|
Loading…
Reference in New Issue
Block a user