more work on current modules

This commit is contained in:
Chris PeBenito 2005-06-30 18:54:08 +00:00
parent ebdc3b7902
commit fd89e19f12
26 changed files with 460 additions and 92 deletions

View File

@ -51,6 +51,10 @@ files_dontaudit_read_root_file(consoletype_t)
libs_use_ld_so(consoletype_t) libs_use_ld_so(consoletype_t)
libs_use_shared_libs(consoletype_t) libs_use_shared_libs(consoletype_t)
userdom_use_sysadm_terms(consoletype_t)
userdom_use_sysadm_fd(consoletype_t)
userdom_rw_sysadm_pipe(consoletype_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
fs_use_tmpfs_chr_dev(consoletype_t) fs_use_tmpfs_chr_dev(consoletype_t)
') ')
@ -59,6 +63,10 @@ optional_policy(`authlogin.te', `
auth_read_pam_pid(consoletype_t) auth_read_pam_pid(consoletype_t)
') ')
optional_policy(`cron.te',`
cron_read_pipe(consoletype_t)
')
optional_policy(`logrotate.te',` optional_policy(`logrotate.te',`
logrotate_dontaudit_use_fd(consoletype_t) logrotate_dontaudit_use_fd(consoletype_t)
') ')
@ -77,21 +85,19 @@ optional_policy(`userdomain.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow consoletype_t sysadm_t:fd use;
allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
allow consoletype_t nfs_t:file write; allow consoletype_t nfs_t:file write;
allow consoletype_t crond_t:fifo_file r_file_perms;
allow consoletype_t system_crond_t:fd use; allow consoletype_t system_crond_t:fd use;
optional_policy(`xdm.te', ` optional_policy(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file rw_file_perms; allow consoletype_t xdm_tmp_t:file rw_file_perms;
') ')
# is goes to xserver module
optional_policy(`consoletype.te',`
consoletype_domtrans(xdm_t)
')
optional_policy(`lpd.te', ` optional_policy(`lpd.te', `
allow consoletype_t printconf_t:file r_file_perms; allow consoletype_t printconf_t:file r_file_perms;
') ')

View File

@ -150,8 +150,6 @@ allow squid_t self:capability kill;
# for /var/lib/logrotate.status and /var/lib/logcheck # for /var/lib/logrotate.status and /var/lib/logcheck
file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file) file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
allow crond_t logrotate_var_lib_t:dir search;
# for /var/backups on Debian # for /var/backups on Debian
ifdef(`backup.te', ` ifdef(`backup.te', `
rw_dir_create_file(logrotate_t, backup_store_t) rw_dir_create_file(logrotate_t, backup_store_t)

View File

@ -135,13 +135,17 @@ optional_policy(`sysnetwork.te',`
') ')
') ')
ifdef(`TODO',` ifdef(`TODO',`
in_user_role(ping_t) in_user_role(ping_t)
tunable_policy(`user_ping',` tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
') ')
ifdef(`cardmgr.te',`
allow ping_t cardmgr_t:fd use;
')
') dnl end TODO ') dnl end TODO
######################################## ########################################

View File

@ -1,6 +1,11 @@
policy_module(corenetwork,1.0) policy_module(corenetwork,1.0)
########################################
#
# Declarations
#
attribute netif_type; attribute netif_type;
attribute node_type; attribute node_type;
attribute port_type; attribute port_type;

View File

@ -646,6 +646,80 @@ interface(`dev_manage_all_chr_files',`
typeattribute $1 memory_raw_read, memory_raw_write; typeattribute $1 memory_raw_read, memory_raw_write;
') ')
########################################
## <summary>
## Get the attributes of the apm bios device node.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_getattr_apm_bios',`
gen_require(`
type device_t, apm_bios_t;
class dir r_dir_perms;
class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
allow $1 apm_bios_t:chr_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes of
## the apm bios device node.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`dev_dontaudit_getattr_apm_bios',`
gen_require(`
type apm_bios_t;
class chr_file getattr;
')
dontaudit $1 apm_bios_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the apm bios device node.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_setattr_apm_bios',`
gen_require(`
type device_t, apm_bios_t;
class dir r_dir_perms;
class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
allow $1 apm_bios_t:chr_file setattr;
')
########################################
## <summary>
## Do not audit attempts to set the attributes of
## the apm bios device node.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`dev_dontaudit_setattr_apm_bios',`
gen_require(`
type apm_bios_t;
class chr_file setattr;
')
dontaudit $1 apm_bios_t:chr_file setattr;
')
######################################## ########################################
## <summary> ## <summary>
## Read and write the apm bios. ## Read and write the apm bios.
@ -1163,7 +1237,7 @@ interface(`dev_write_mtrr',`
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the framebuffer device. ## Get the attributes of the framebuffer device node.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## Domain allowed access. ## Domain allowed access.
@ -1171,7 +1245,7 @@ interface(`dev_write_mtrr',`
# #
interface(`dev_getattr_framebuffer',` interface(`dev_getattr_framebuffer',`
gen_require(` gen_require(`
type framebuf_device_t; type device_t, framebuf_device_t;
class dir r_dir_perms; class dir r_dir_perms;
class chr_file getattr; class chr_file getattr;
') ')
@ -1182,7 +1256,7 @@ interface(`dev_getattr_framebuffer',`
######################################## ########################################
## <summary> ## <summary>
## Set the attributes of the framebuffer device. ## Set the attributes of the framebuffer device node.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## Domain allowed access. ## Domain allowed access.
@ -1190,9 +1264,9 @@ interface(`dev_getattr_framebuffer',`
# #
interface(`dev_setattr_framebuffer',` interface(`dev_setattr_framebuffer',`
gen_require(` gen_require(`
type framebuf_device_t; type device_t, framebuf_device_t;
class dir r_dir_perms; class dir r_dir_perms;
class chr_file getattr; class chr_file setattr;
') ')
allow $1 device_t:dir r_dir_perms; allow $1 device_t:dir r_dir_perms;
@ -1201,7 +1275,25 @@ interface(`dev_setattr_framebuffer',`
######################################## ########################################
## <summary> ## <summary>
## Read the framebuffer device. ## Dot not audit attempts to set the attributes
## of the framebuffer device node.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`dev_dontaudit_setattr_framebuffer',`
gen_require(`
type framebuf_device_t;
class chr_file setattr;
')
dontaudit $1 framebuf_device_t:chr_file setattr;
')
########################################
## <summary>
## Read the framebuffer.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## Domain allowed access. ## Domain allowed access.
@ -1220,7 +1312,24 @@ interface(`dev_read_framebuffer',`
######################################## ########################################
## <summary> ## <summary>
## Write the framebuffer device. ## Do not audit attempts to read the framebuffer.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_dontaudit_read_framebuffer',`
gen_require(`
type framebuf_device_t;
class chr_file r_file_perms;
')
dontaudit $1 framebuf_device_t:chr_file { getattr read };
')
########################################
## <summary>
## Write the framebuffer.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## Domain allowed access. ## Domain allowed access.
@ -1763,6 +1872,23 @@ interface(`dev_rw_sysfs',`
allow $1 sysfs_t:file rw_file_perms; allow $1 sysfs_t:file rw_file_perms;
') ')
########################################
## <summary>
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`dev_mount_usbfs',`
gen_require(`
type usbfs_t;
class filesystem mount;
')
allow $1 usbfs_t:filesystem mount;
')
######################################## ########################################
## <summary> ## <summary>
## Search the directory containing USB hardware information. ## Search the directory containing USB hardware information.
@ -1848,7 +1974,7 @@ interface(`dev_rw_usbfs',`
## Get the attributes of video4linux devices. ## Get the attributes of video4linux devices.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## The process type modifying the options. ## Domain allowed access.
## </param> ## </param>
# #
interface(`dev_getattr_video_dev',` interface(`dev_getattr_video_dev',`
@ -1864,10 +1990,28 @@ interface(`dev_getattr_video_dev',`
######################################## ########################################
## <summary> ## <summary>
## Set the attributes of video4linux devices. ## Do not audit attempts to get the attributes
## of video4linux device nodes.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## The process type modifying the options. ## Domain to not audit.
## </param>
#
interface(`dev_dontaudit_getattr_video_dev',`
gen_require(`
type v4l_device_t;
class chr_file getattr;
')
dontaudit $1 v4l_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of video4linux device nodes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param> ## </param>
# #
interface(`dev_setattr_video_dev',` interface(`dev_setattr_video_dev',`
@ -1881,3 +2025,20 @@ interface(`dev_setattr_video_dev',`
allow $1 v4l_device_t:chr_file setattr; allow $1 v4l_device_t:chr_file setattr;
') ')
########################################
## <summary>
## Do not audit attempts to set the attributes
## of video4linux device nodes.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`dev_dontaudit_setattr_video_dev',`
gen_require(`
type v4l_device_t;
class chr_file setattr;
')
dontaudit $1 v4l_device_t:chr_file setattr;
')

View File

@ -1,6 +1,11 @@
policy_module(devices,1.0) policy_module(devices,1.0)
########################################
#
# Declarations
#
attribute device_node; attribute device_node;
attribute memory_raw_read; attribute memory_raw_read;
attribute memory_raw_write; attribute memory_raw_write;
@ -19,7 +24,7 @@ fs_associate_tmpfs(device_t)
# a device node has no specific type yet, but is for some # a device node has no specific type yet, but is for some
# reason labeled with a specific type # reason labeled with a specific type
#cjp: want this, but udev policy breaks this #cjp: want this, but udev policy breaks this
#neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto }; #neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
# #
# Type for /dev/agpgart # Type for /dev/agpgart

View File

@ -1,10 +1,15 @@
policy_module(filesystem,1.0) policy_module(filesystem,1.0)
########################################
#
# Declarations
#
attribute filesystem_type; attribute filesystem_type;
attribute noxattrfs; attribute noxattrfs;
######################################## ##############################
# #
# fs_t is the default type for persistent # fs_t is the default type for persistent
# filesystems with extended attributes # filesystems with extended attributes
@ -27,7 +32,7 @@ fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
fs_use_task pipefs context_template(system_u:object_r:fs_t,s0); fs_use_task pipefs context_template(system_u:object_r:fs_t,s0);
fs_use_task sockfs context_template(system_u:object_r:fs_t,s0); fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);
######################################## ##############################
# #
# Non-persistent/pseudo filesystems # Non-persistent/pseudo filesystems
# #
@ -75,7 +80,7 @@ fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
allow tmpfs_t self:filesystem associate; allow tmpfs_t self:filesystem associate;
allow tmpfs_t noxattrfs:filesystem associate; allow tmpfs_t noxattrfs:filesystem associate;
######################################## ##############################
# #
# Filesystems without extended attribute support # Filesystems without extended attribute support
# #

View File

@ -1,6 +1,11 @@
policy_module(storage,1.0) policy_module(storage,1.0)
########################################
#
# Declarations
#
attribute fixed_disk_raw_read; attribute fixed_disk_raw_read;
attribute fixed_disk_raw_write; attribute fixed_disk_raw_write;
attribute scsi_generic_read; attribute scsi_generic_read;

View File

@ -1,6 +1,10 @@
policy_module(terminal,1.0) policy_module(terminal,1.0)
########################################
#
# Declarations
#
attribute ttynode; attribute ttynode;
attribute ptynode; attribute ptynode;
attribute server_ptynode; attribute server_ptynode;

View File

@ -302,6 +302,24 @@ interface(`cron_system_entry',`
allow $1 crond_t:process sigchld; allow $1 crond_t:process sigchld;
') ')
########################################
## <summary>
## Read a cron daemon unnamed pipe
## </summary>
## <param name="domain">
## The type of the process to performing this action.
## </param>
#
interface(`cron_read_pipe',`
gen_require(`
type crond_t;
class file r_file_perms;
')
allow $1 crond_t:file r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read and write the cron daemon log files. ## Read and write the cron daemon log files.

View File

@ -142,6 +142,8 @@ kernel_read_system_state(pam_console_t)
kernel_use_fd(pam_console_t) kernel_use_fd(pam_console_t)
dev_read_sysfs(pam_console_t) dev_read_sysfs(pam_console_t)
dev_getattr_apm_bios(pam_console_t)
dev_setattr_apm_bios(pam_console_t)
dev_getattr_framebuffer(pam_console_t) dev_getattr_framebuffer(pam_console_t)
dev_setattr_framebuffer(pam_console_t) dev_setattr_framebuffer(pam_console_t)
dev_getattr_misc(pam_console_t) dev_getattr_misc(pam_console_t)
@ -216,8 +218,6 @@ optional_policy(`rhgb.te', `
rhgb_domain(pam_console_t) rhgb_domain(pam_console_t)
') ')
allow pam_console_t apm_bios_t:chr_file { getattr setattr };
ifdef(`gpm.te', ` ifdef(`gpm.te', `
allow pam_console_t gpmctl_t:sock_file { getattr setattr }; allow pam_console_t gpmctl_t:sock_file { getattr setattr };
') ')

View File

@ -1,6 +1,11 @@
policy_module(corecommands,1.0) policy_module(corecommands,1.0)
########################################
#
# Declarations
#
# #
# bin_t is the type of files in the system bin directories. # bin_t is the type of files in the system bin directories.
# #

View File

@ -1,6 +1,11 @@
policy_module(domain,1.0) policy_module(domain,1.0)
########################################
#
# Declarations
#
# Mark process types as domains # Mark process types as domains
attribute domain; attribute domain;

View File

@ -745,6 +745,23 @@ interface(`files_manage_isid_type_chr_node',`
allow $1 file_t:chr_file create_file_perms; allow $1 file_t:chr_file create_file_perms;
') ')
########################################
## <summary>
## Search home directories.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_search_home',`
gen_require(`
type home_root_t;
class dir search;
')
allow $1 home_root_t:dir search;
')
######################################## ########################################
## <summary> ## <summary>
## Get listing of home directories. ## Get listing of home directories.

View File

@ -1,6 +1,11 @@
policy_module(files,1.0) policy_module(files,1.0)
########################################
#
# Declarations
#
attribute file_type; attribute file_type;
attribute lockfile; attribute lockfile;
attribute mountpoint; attribute mountpoint;

View File

@ -5,6 +5,7 @@ policy_module(fstools,1.0)
# #
# Declarations # Declarations
# #
type fsadm_t; type fsadm_t;
type fsadm_exec_t; type fsadm_exec_t;
init_system_domain(fsadm_t,fsadm_exec_t) init_system_domain(fsadm_t,fsadm_exec_t)
@ -17,6 +18,9 @@ type swapfile_t;
files_type(swapfile_t) files_type(swapfile_t)
######################################## ########################################
#
# local policy
#
# ipc_lock is for losetup # ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config }; allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };

View File

@ -291,7 +291,7 @@ sysnet_read_config(initrc_t)
udev_rw_db(initrc_t) udev_rw_db(initrc_t)
userdom_read_all_user_data(initrc_t) userdom_read_all_user_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the # Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such # TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain. # started from init should be placed in their own domain.

View File

@ -1,9 +1,9 @@
## <summary>Policy for local logins.</summary> ## <summary>Policy for local logins.</summary>
######################################## ########################################
## <desc> ## <summary>
## Execute local logins in the locallogin domain. ## Execute local logins in the local login domain.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
@ -17,9 +17,9 @@ interface(`locallogin_domtrans',`
') ')
######################################## ########################################
## <desc> ## <summary>
## Allow processes to inherit local login file descriptors ## Allow processes to inherit local login file descriptors
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
@ -33,3 +33,19 @@ interface(`locallogin_use_fd',`
allow $1 local_login_t:fd use; allow $1 local_login_t:fd use;
') ')
########################################
## <summary>
## Send a null signal to local login processes.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`locallogin_signull',`
gen_require(`
type local_login_t;
class process signull;
')
allow $1 local_login_t:process signull;
')

View File

@ -56,10 +56,14 @@ kernel_read_kernel_sysctl(local_login_t)
dev_setattr_mouse(local_login_t) dev_setattr_mouse(local_login_t)
dev_getattr_mouse(local_login_t) dev_getattr_mouse(local_login_t)
dev_getattr_snd_dev(local_login_t)
dev_setattr_snd_dev(local_login_t)
dev_getattr_power_management(local_login_t) dev_getattr_power_management(local_login_t)
dev_setattr_power_management(local_login_t) dev_setattr_power_management(local_login_t)
dev_getattr_snd_dev(local_login_t)
dev_setattr_snd_dev(local_login_t)
dev_dontaudit_getattr_apm_bios(local_login_t)
dev_dontaudit_setattr_apm_bios(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
dev_dontaudit_setattr_framebuffer(local_login_t)
dev_dontaudit_getattr_generic_blk_file(local_login_t) dev_dontaudit_getattr_generic_blk_file(local_login_t)
dev_dontaudit_setattr_generic_blk_file(local_login_t) dev_dontaudit_setattr_generic_blk_file(local_login_t)
dev_dontaudit_getattr_generic_chr_file(local_login_t) dev_dontaudit_getattr_generic_chr_file(local_login_t)
@ -69,6 +73,8 @@ dev_dontaudit_setattr_misc(local_login_t)
dev_dontaudit_getattr_scanner(local_login_t) dev_dontaudit_getattr_scanner(local_login_t)
dev_dontaudit_setattr_scanner(local_login_t) dev_dontaudit_setattr_scanner(local_login_t)
dev_dontaudit_search_sysfs(local_login_t) dev_dontaudit_search_sysfs(local_login_t)
dev_dontaudit_getattr_video_dev(local_login_t)
dev_dontaudit_setattr_video_dev(local_login_t)
# for SSP/ProPolice # for SSP/ProPolice
dev_read_urand(local_login_t) dev_read_urand(local_login_t)
@ -175,16 +181,12 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
# for when /var/mail is a sym-link # for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read; allow local_login_t var_t:lnk_file read;
# Do not audit denied attempts to access devices.
dontaudit local_login_t device_t:lnk_file { getattr setattr }; dontaudit local_login_t device_t:lnk_file { getattr setattr };
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
# FIXME: what is this for?
optional_policy(`xdm.te', `
allow xdm_t local_login_t:process signull;
# this goes to xserver:
optional_policy(`locallogin.te',`
# FIXME: what is this for?
locallogin_signull(xdm_t)
') ')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
@ -237,6 +239,7 @@ auth_read_shadow(sulogin_t)
userdom_shell_domtrans_sysadm(sulogin_t) userdom_shell_domtrans_sysadm(sulogin_t)
userdom_use_unpriv_users_fd(sulogin_t) userdom_use_unpriv_users_fd(sulogin_t)
userdom_use_sysadm_pty(sulogin_t)
# suse and debian do not use pam with sulogin... # suse and debian do not use pam with sulogin...
ifdef(`monolithic_policy',` ifdef(`monolithic_policy',`
@ -262,6 +265,5 @@ optional_policy(`nis.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
') dnl endif TODO ') dnl endif TODO

View File

@ -82,6 +82,10 @@ libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t) miscfiles_read_localization(auditd_t)
userdom_dontaudit_use_unpriv_user_fd(auditd_t) userdom_dontaudit_use_unpriv_user_fd(auditd_t)
# cjp: this is questionable. it should probably
# be a userdom_dontaudit_use_sysadm_terms(auditd_t)
# in a direct_sysadm_daemon tunable
userdom_use_sysadm_tty(auditd_t)
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(auditd_t) term_dontaudit_use_unallocated_tty(auditd_t)
@ -106,9 +110,6 @@ rhgb_domain(auditd_t)
') ')
dontaudit auditd_t sysadm_home_dir_t:dir search; dontaudit auditd_t sysadm_home_dir_t:dir search;
# cjp: this is questionable:
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
') dnl endif TODO ') dnl endif TODO
######################################## ########################################

View File

@ -1,6 +1,11 @@
policy_module(miscfiles,1.0) policy_module(miscfiles,1.0)
########################################
#
# Declarations
#
# #
# catman_t is the type for /var/catman. # catman_t is the type for /var/catman.
# #

View File

@ -68,6 +68,9 @@ dev_rw_agp_dev(insmod_t)
dev_read_snd_dev(insmod_t) dev_read_snd_dev(insmod_t)
dev_write_snd_dev(insmod_t) dev_write_snd_dev(insmod_t)
dev_rw_apm_bios(insmod_t) dev_rw_apm_bios(insmod_t)
# cjp: why is this needed? insmod cannot mounton any dir
# and it also transitions to mount
dev_mount_usbfs(insmod_t)
fs_getattr_xattr_fs(insmod_t) fs_getattr_xattr_fs(insmod_t)
@ -104,17 +107,10 @@ optional_policy(`mount.te',`
mount_domtrans(insmod_t) mount_domtrans(insmod_t)
') ')
ifdef(`TODO',` optional_policy(`xserver.te',`
xserver_getattr_log(insmod_t)
ifdef(`xserver.te', `
allow insmod_t xserver_log_t:file getattr;
') ')
# why is this needed? insmod cannot mounton any dir
# and it also transitions to mount
allow insmod_t usbfs_t:filesystem mount;
') dnl if TODO
######################################## ########################################
# #
# depmod local policy # depmod local policy
@ -153,13 +149,14 @@ files_read_usr_src_files(depmod_t)
libs_use_ld_so(depmod_t) libs_use_ld_so(depmod_t)
libs_use_shared_libs(depmod_t) libs_use_shared_libs(depmod_t)
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories. # Read System.map from home directories.
allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms; files_list_home(depmod_t)
r_dir_file(depmod_t, { staff_home_t sysadm_home_t }) userdom_read_staff_home_files(depmod_t)
userdom_read_sysadm_home_files(depmod_t)
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
') dnl end ifdef TODO ') dnl end ifdef TODO
################################# #################################

View File

@ -435,7 +435,7 @@ miscfiles_read_localization(setfiles_t)
userdom_use_all_user_fd(setfiles_t) userdom_use_all_user_fd(setfiles_t)
# for config files in a home directory # for config files in a home directory
userdom_read_all_user_data(setfiles_t) userdom_read_all_user_files(setfiles_t)
# relabeling rules # relabeling rules
kernel_relabel_unlabeled(setfiles_t) kernel_relabel_unlabeled(setfiles_t)

View File

@ -120,6 +120,7 @@ domain_use_wide_inherit_fd(dhcpc_t)
files_read_etc_files(dhcpc_t) files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t)
files_search_home(dhcpc_t)
init_use_fd(dhcpc_t) init_use_fd(dhcpc_t)
init_use_script_pty(dhcpc_t) init_use_script_pty(dhcpc_t)
@ -153,6 +154,11 @@ optional_policy(`hostname.te',`
hostname_domtrans(dhcpc_t) hostname_domtrans(dhcpc_t)
') ')
# for the dhcp client to run ping to check IP addresses
optional_policy(`netutils.te',`
netutils_domtrans_ping(dhcpc_t)
')
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(dhcpc_t) nis_use_ypbind(dhcpc_t)
# dhclient sometimes starts ypbind # dhclient sometimes starts ypbind
@ -189,10 +195,18 @@ optional_policy(`rhgb.te',`
rhgb_domain(dhcpc_t) rhgb_domain(dhcpc_t)
') ')
ifdef(`cardmgr.te', ` ifdef(`cardmgr.te',`
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read }; ')
allow cardmgr_t dhcpc_t:process signal_perms;
#this goes to pcmcia module
optional_policy(`sysnetwork.te',`
sysnet_read_dhcpc_pid(cardmgr_t)
sysnet_kill_dhcpc(cardmgr_t)
sysnet_sigchld_dhcpc(cardmgr_t)
sysnet_signal_dhcpc(cardmgr_t)
sysnet_signull_dhcpc(cardmgr_t)
sysnet_sigstop_dhcpc(cardmgr_t)
') ')
optional_policy(`hotplug.te', ` optional_policy(`hotplug.te', `
@ -203,17 +217,7 @@ optional_policy(`hotplug.te', `
') ')
') ')
# for the dhcp client to run ping to check IP addresses
optional_policy(`netutils.te',`
netutils_domtrans_ping(dhcpc_t)
ifdef(`cardmgr.te',`
allow ping_t cardmgr_t:fd use;
')
')
allow dhcpc_t var_lib_t:dir search; allow dhcpc_t var_lib_t:dir search;
allow dhcpc_t home_root_t:dir search;
dontaudit dhcpc_t var_lock_t:dir search; dontaudit dhcpc_t var_lock_t:dir search;
dontaudit dhcpc_t selinux_config_t:dir search; dontaudit dhcpc_t selinux_config_t:dir search;
dontaudit dhcpc_t domain:dir getattr; dontaudit dhcpc_t domain:dir getattr;

View File

@ -118,6 +118,8 @@ seutil_domtrans_restorecon(udev_t)
sysnet_domtrans_ifconfig(udev_t) sysnet_domtrans_ifconfig(udev_t)
userdom_use_sysadm_tty(udev_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
fs_manage_tmpfs_symlinks(udev_t) fs_manage_tmpfs_symlinks(udev_t)
fs_manage_tmpfs_sockets(udev_t) fs_manage_tmpfs_sockets(udev_t)
@ -147,9 +149,12 @@ optional_policy(`sysnetwork.te',`
sysnet_domtrans_dhcpc(udev_t) sysnet_domtrans_dhcpc(udev_t)
') ')
optional_policy(`xserver.te',`
xserver_read_xdm_pid(udev_t)
')
ifdef(`TODO',` ifdef(`TODO',`
allow udev_t devpts_t:dir { getattr search }; allow udev_t devpts_t:dir { getattr search };
allow udev_t sysadm_tty_device_t:chr_file { read write };
# Dontaudits # Dontaudits
dontaudit udev_t staff_home_dir_t:dir search; dontaudit udev_t staff_home_dir_t:dir search;
@ -159,8 +164,4 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
dbusd_client(system, udev) dbusd_client(system, udev)
optional_policy(`xdm.te',`
allow udev_t xdm_var_run_t:file { getattr read };
')
') dnl endif TODO ') dnl endif TODO

View File

@ -907,6 +907,27 @@ interface(`userdom_shell_domtrans_sysadm',`
corecmd_domtrans_shell($1,sysadm_t) corecmd_domtrans_shell($1,sysadm_t)
') ')
########################################
## <summary>
## Read files in the staff users home directory.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_read_staff_home_files',`
gen_require(`
type staff_home_dir_t, staff_home_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
files_search_home($1)
allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
allow $1 staff_home_t:{ file lnk_file } r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read and write sysadm ttys. ## Read and write sysadm ttys.
@ -918,12 +939,31 @@ interface(`userdom_shell_domtrans_sysadm',`
interface(`userdom_use_sysadm_tty',` interface(`userdom_use_sysadm_tty',`
gen_require(` gen_require(`
type sysadm_tty_device_t; type sysadm_tty_device_t;
class chr_file { getattr read write ioctl }; class chr_file rw_term_perms;
') ')
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
term_list_ptys($1) term_list_ptys($1)
allow $1 sysadm_tty_device_t:chr_file { getattr read write ioctl }; allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Read and write sysadm ptys.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_pty',`
gen_require(`
type sysadm_devpts_t;
class chr_file rw_term_perms;
')
dev_list_all_dev_nodes($1)
term_list_ptys($1)
allow $1 sysadm_devpts_t:chr_file rw_term_perms;
') ')
######################################## ########################################
@ -937,12 +977,12 @@ interface(`userdom_use_sysadm_tty',`
interface(`userdom_use_sysadm_terms',` interface(`userdom_use_sysadm_terms',`
gen_require(` gen_require(`
attribute admin_terminal; attribute admin_terminal;
class chr_file { getattr read write ioctl }; class chr_file rw_term_perms;
') ')
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
term_list_ptys($1) term_list_ptys($1)
allow $1 admin_terminal:chr_file { getattr read write ioctl }; allow $1 admin_terminal:chr_file rw_term_perms;
') ')
######################################## ########################################
@ -962,6 +1002,61 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
dontaudit $1 admin_terminal:chr_file { read write }; dontaudit $1 admin_terminal:chr_file { read write };
') ')
########################################
## <summary>
## Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_fd',`
gen_require(`
type sysadm_t;
class fd use;
')
allow $1 sysadm_t:fd use;
')
########################################
## <summary>
## Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_rw_sysadm_pipe',`
gen_require(`
type sysadm_t;
class fd use;
')
allow $1 sysadm_t:fd use;
')
########################################
## <summary>
## Read files in the sysadm users home directory.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_read_sysadm_home_files',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
files_search_home($1)
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Search all users home directories. ## Search all users home directories.
@ -988,7 +1083,7 @@ interface(`userdom_search_all_users_home',`
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`userdom_read_all_user_data',` interface(`userdom_read_all_user_files',`
gen_require(` gen_require(`
attribute home_type; attribute home_type;
class dir r_dir_perms; class dir r_dir_perms;