Merge branch 'base'

Dominick Grift 2010-09-24 12:52:43 +02:00
commit ff9b16dc29
37 changed files with 413 additions and 474 deletions


@ -383,6 +383,7 @@ interface(`gnome_read_gconf_home_files',`
type data_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gconf_home_t:dir list_dir_perms;
allow $1 data_home_t:dir list_dir_perms;
read_files_pattern($1, gconf_home_t, gconf_home_t)
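Review bot: The new `allow $1 data_home_t:dir list_dir_perms;` widens gnome_read_gconf_home_files beyond what its name promises, but the interface's `## <summary>` block (above this hunk, the interface begins outside it) is not updated. Presumably gconf_home_t now sits under a data_home_t directory and the list access is needed to traverse it — confirm against the module's file contexts — and say so in the summary, e.g. `## Read gconf home files; also lists the data_home_t directory they live in.` A one-line comment on the new rule, `# gconf content is reached through the data_home_t directory`, would spare the next reader the same question.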


@ -7,7 +7,7 @@ HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
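Review bot: Relabelling `/var/lib/git(/.*)?` from httpd_git_content_t to git_system_content_t changes which domains can reach those repositories, and existing installs keep the old label on disk until a relabel runs. If the httpd-hosted gitweb/cgit entries kept in this file (`/var/www/git`, `/var/www/cgi-bin/cgit`) are still expected to serve repositories under /var/lib/git, confirm that git_system_content_t is readable by the apache/git script domains; that policy is not in this hunk. A short note in the module changelog or next to the line, `# /var/lib/git was httpd_git_content_t in earlier releases; restorecon -R /var/lib/git after upgrading`, would make the upgrade step explicit.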


@ -6,16 +6,10 @@ policy_module(razor, 2.1.1)
#
ifdef(`distro_redhat',`
gen_require(`
type spamc_t;
type spamc_exec_t;
type spamd_log_t;
type spamd_spool_t;
type spamd_var_lib_t;
type spamd_etc_t;
type spamc_home_t;
type spamc_tmp_t;
type spamc_t, spamc_exec_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
type spamc_home_t, spamc_tmp_t;
')
typealias spamc_t alias razor_t;
@ -28,9 +22,7 @@ ifdef(`distro_redhat',`
typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
',`
type razor_exec_t;
corecmd_executable_file(razor_exec_t)
@ -40,7 +32,6 @@ files_config_file(razor_etc_t)
type razor_home_t;
typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
files_poly_member(razor_home_t)
userdom_user_home_content(razor_home_t)
type razor_log_t;
@ -149,5 +140,4 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
milter_manage_spamass_state(razor_t)
')
')


@ -14,7 +14,6 @@ gen_tunable(rgmanager_can_network_connect, false)
type rgmanager_t;
type rgmanager_exec_t;
domain_type(rgmanager_t)
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
type rgmanager_initrc_exec_t;
@ -40,7 +39,7 @@ files_pid_file(rgmanager_var_run_t)
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
dontaudit rgmanager_t self:capability { sys_ptrace };
allow rgmanager_t self:process { setsched signal };
dontaudit rgmanager_t self:process { ptrace };
dontaudit rgmanager_t self:process ptrace;
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };


@ -129,7 +129,6 @@ optional_policy(`
#
allow gfs_controld_t self:capability { net_admin sys_resource };
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -159,7 +158,6 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
allow groupd_t self:shm create_shm_perms;
dev_list_sysfs(groupd_t)
@ -174,7 +172,6 @@ init_rw_script_tmp_files(groupd_t)
#
allow qdiskd_t self:capability { ipc_lock sys_boot };
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
@ -224,9 +221,8 @@ optional_policy(`
# rhcs domains common policy
#
allow cluster_domain self:capability { sys_nice };
allow cluster_domain self:capability sys_nice;
allow cluster_domain self:process setsched;
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;


@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
allow rhgb_t self:udp_socket create_socket_perms;
allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rhgb_t, rhgb_devpts_t)
manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)


@ -7,7 +7,6 @@ policy_module(ricci, 1.7.0)
type ricci_t;
type ricci_exec_t;
domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t)
type ricci_initrc_exec_t;
@ -42,7 +41,6 @@ files_pid_file(ricci_modcluster_var_run_t)
type ricci_modclusterd_t;
type ricci_modclusterd_exec_t;
domain_type(ricci_modclusterd_t)
init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
type ricci_modclusterd_tmpfs_t;
@ -101,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
allow ricci_t ricci_var_log_t:dir setattr;
allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })


@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
# Local policy
#
allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rlogind_t self:capability { setuid setgid };
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
# for /usr/lib/telnetlogin


@ -62,7 +62,7 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
@ -161,6 +161,8 @@ storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
@ -173,7 +175,6 @@ tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
@ -195,7 +196,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_file_perms;
allow gssd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)


@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
#
# Declarations
#
type snmpd_t;
type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t)
@ -24,6 +25,7 @@ files_type(snmpd_var_lib_t)
#
# Local policy
#
allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };


@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow snort_t self:netlink_route_socket create_netlink_socket_perms;
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:socket create_socket_perms;
# Snort IPS node. unverified.
allow snort_t self:netlink_firewall_socket { bind create getattr };
allow snort_t self:netlink_firewall_socket create_socket_perms;
allow snort_t snort_etc_t:dir list_dir_perms;
allow snort_t snort_etc_t:file read_file_perms;
allow snort_t snort_etc_t:lnk_file { getattr read };
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(snort_t, snort_log_t, snort_log_t)
create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
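Review bot: `allow snort_t self:netlink_route_socket create_netlink_socket_perms;` grants more than the explicit set it replaces: in refpolicy's obj_perm_sets that macro carries nlmsg_write as well as nlmsg_read, so a sensor that previously could only read the routing table may now change it. If read-only was intended, the set already used elsewhere in this commit keeps the old scope: `allow snort_t self:netlink_route_socket r_netlink_socket_perms;`. The same substitution appears in the tgtd section (`allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;`), whose removed line likewise had only nlmsg_read. The netlink_firewall_socket rule also goes from `{ bind create getattr }` to the full create_socket_perms; worth a comment stating that the wider set is deliberate, since the `# Snort IPS node. unverified.` note above it suggests it was not.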


@ -59,7 +59,6 @@ type spamassassin_home_t;
typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
userdom_user_home_content(spamassassin_home_t)
files_poly_member(spamassassin_home_t)
type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
@ -84,7 +83,6 @@ ubac_constrained(spamc_tmp_t)
type spamd_t;
type spamd_exec_t;
init_daemon_domain(spamd_t, spamd_exec_t)
can_exec(spamd_t, spamd_exec_t)
type spamd_compiled_t;
files_type(spamd_compiled_t)
@ -252,11 +250,6 @@ allow spamc_t self:unix_dgram_socket sendto;
allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
corenet_tcp_sendrecv_generic_if(spamc_t)
corenet_tcp_sendrecv_generic_node(spamc_t)
corenet_tcp_connect_spamd_port(spamc_t)
can_exec(spamc_t, spamc_exec_t)
@ -272,6 +265,9 @@ manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
userdom_append_user_home_content_files(spamc_t)
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
# Allow connecting to a local spamd
allow spamc_t spamd_t:unix_stream_socket connectto;
allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
@ -290,6 +286,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
corenet_tcp_connect_spamd_port(spamc_t)
fs_search_auto_mountpoints(spamc_t)
@ -309,8 +306,6 @@ files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
files_list_var_lib(spamc_t)
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
fs_search_auto_mountpoints(spamc_t)
@ -413,6 +408,8 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
can_exec(spamd_t, spamd_exec_t)
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
@ -508,9 +505,7 @@ optional_policy(`
')
optional_policy(`
corenet_tcp_connect_mysqld_port(spamd_t)
corenet_sendrecv_mysqld_client_packets(spamd_t)
mysql_tcp_connect(spamd_t)
mysql_search_db(spamd_t)
mysql_stream_connect(spamd_t)
')
@ -520,9 +515,7 @@ optional_policy(`
')
optional_policy(`
corenet_tcp_connect_postgresql_port(spamd_t)
corenet_sendrecv_postgresql_client_packets(spamd_t)
postgresql_tcp_connect(spamd_t)
postgresql_stream_connect(spamd_t)
')
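Review bot: The hunk at `@ -252,11 +250,6 @@` removes `corenet_all_recvfrom_unlabeled(spamc_t)`, `corenet_all_recvfrom_netlabel(spamc_t)` and the `corenet_tcp_sendrecv_generic_if`/`_node` calls, while the hunk at `@ -290,6 +286,7 @@` keeps `corenet_tcp_sendrecv_all_ports(spamc_t)` and `corenet_tcp_connect_all_ports(spamc_t)`. The context of that later hunk suggests a full corenet block exists around line 286 and the removed lines were duplicates, but the interface/node rules themselves are not visible here; if they are not declared there, spamc's TCP connections to a remote spamd fail at the interface and node checks before the port rules matter. Either confirm in the commit message that these were duplicates or add `# interface/node and unlabeled/netlabel access is granted in the corenet block below` where the lines were removed.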


@ -32,7 +32,6 @@ attribute ssh_agent_type;
type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
role system_r types ssh_keygen_t;
type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)
@ -46,10 +45,6 @@ init_script_file(sshd_initrc_exec_t)
type sshd_key_t;
files_type(sshd_key_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
@ -82,9 +77,12 @@ ubac_constrained(ssh_tmpfs_t)
type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
files_type(ssh_home_t)
userdom_user_home_content(ssh_home_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
##############################
#
# SSH client local policy
@ -180,10 +178,7 @@ userdom_write_user_tmp_files(ssh_t)
userdom_read_user_home_content_symlinks(ssh_t)
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
allow ssh_keysign_t ssh_t:fd use;
allow ssh_keysign_t ssh_t:process sigchld;
allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
')
tunable_policy(`use_nfs_home_dirs',`
@ -217,7 +212,6 @@ optional_policy(`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
@ -264,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
allow ssh_keysign_t sshd_key_t:file read_file_perms;
dev_read_urand(ssh_keysign_t)
@ -287,7 +281,6 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
allow sshd_t self:process setcurrent;
kernel_search_key(sshd_t)
@ -303,15 +296,17 @@ term_use_ptmx(sshd_t)
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
tunable_policy(`sshd_forward_ports', `
corenet_tcp_bind_all_unreserved_ports(sshd_t)
corenet_tcp_connect_all_ports(sshd_t)
')
userdom_read_user_home_content_files(sshd_t)
userdom_read_user_home_content_symlinks(sshd_t)
userdom_search_admin_dir(sshd_t)
userdom_manage_tmp_role(system_r, sshd_t)
userdom_spec_domtrans_unpriv_users(sshd_t)
userdom_signal_unpriv_users(sshd_t)
tunable_policy(`sshd_forward_ports',`
corenet_tcp_bind_all_unreserved_ports(sshd_t)
corenet_tcp_connect_all_ports(sshd_t)
')
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
@ -321,9 +316,6 @@ tunable_policy(`ssh_sysadm_login',`
userdom_signal_all_users(sshd_t)
')
userdom_spec_domtrans_unpriv_users(sshd_t)
userdom_signal_unpriv_users(sshd_t)
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
@ -391,7 +383,7 @@ tunable_policy(`ssh_sysadm_login',`
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
')
') dnl endif TODO
@ -405,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
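Review bot: In `allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };` the macro presumably expands to more than the `{ read write getattr ioctl }` it replaces (refpolicy's definition also carries append and lock), so this is a small widening rather than a pure cleanup; if only the old set is wanted, keep the explicit list. The trailing `') dnl endif TODO` indicates the rule sits inside a TODO-guarded region whose opening is outside the hunk, so the practical effect may be nil today, but the comment above it, `# some versions of sshd on the new SE Linux require setattr`, should then say which additional permissions beyond setattr are intended.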


@ -28,9 +28,10 @@ files_pid_file(sssd_var_run_t)
#
# sssd local policy
#
allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:fifo_file rw_fifo_file_perms;
allow sssd_t self:key manage_key_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };


@ -6,17 +6,7 @@ policy_module(stunnel, 1.9.1)
#
type stunnel_t;
domain_type(stunnel_t)
role system_r types stunnel_t;
type stunnel_exec_t;
domain_entry_file(stunnel_t, stunnel_exec_t)
ifdef(`distro_gentoo',`
init_daemon_domain(stunnel_t, stunnel_exec_t)
',`
inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
')
type stunnel_etc_t;
files_config_file(stunnel_etc_t)
@ -27,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
type stunnel_var_run_t;
files_pid_file(stunnel_var_run_t)
ifdef(`distro_gentoo',`
init_daemon_domain(stunnel_t, stunnel_exec_t)
',`
inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
')
########################################
#
# Local policy
@ -40,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
allow stunnel_t stunnel_etc_t:dir list_dir_perms;
allow stunnel_t stunnel_etc_t:file read_file_perms;
allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
@ -120,4 +116,5 @@ ifdef(`distro_gentoo', `
gen_require(`
type stunnel_port_t;
')
allow stunnel_t stunnel_port_t:tcp_socket name_bind;


@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0)
type sysstat_t;
type sysstat_exec_t;
init_system_domain(sysstat_t, sysstat_exec_t)
role system_r types sysstat_t;
type sysstat_log_t;
logging_log_file(sysstat_log_t)
@ -71,4 +70,3 @@ optional_policy(`
optional_policy(`
nscd_socket_use(sysstat_t)
')


@ -7,7 +7,6 @@ policy_module(tcpd, 1.4.0)
type tcpd_t;
type tcpd_exec_t;
inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
role system_r types tcpd_t;
type tcpd_tmp_t;
files_tmp_file(tcpd_tmp_t)


@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0)
type telnetd_t;
type telnetd_exec_t;
inetd_service_domain(telnetd_t, telnetd_exec_t)
role system_r types telnetd_t;
type telnetd_devpts_t; #, userpty_type;
term_login_pty(telnetd_devpts_t)
@ -24,16 +23,15 @@ files_pid_file(telnetd_var_run_t)
# Local policy
#
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow telnetd_t self:capability { setuid setgid };
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(telnetd_t, telnetd_devpts_t)
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
@ -69,8 +67,6 @@ corecmd_search_bin(telnetd_t)
files_read_usr_files(telnetd_t)
files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
files_search_home(telnetd_t)
init_rw_utmp(telnetd_t)
@ -87,11 +83,6 @@ userdom_setattr_user_ptys(telnetd_t)
userdom_manage_user_tmp_files(telnetd_t)
userdom_tmp_filetrans_user_tmp(telnetd_t, file)
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
kerberos_manage_host_rcache(telnetd_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
')
@ -99,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(telnetd_t)
')
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
kerberos_manage_host_rcache(telnetd_t)
')


@ -32,15 +32,15 @@ files_type(tftpdir_rw_t)
#
allow tftpd_t self:capability { setgid setuid sys_chroot };
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t self:tcp_socket create_stream_socket_perms;
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir list_dir_perms;
allow tftpd_t tftpdir_t:file read_file_perms;
allow tftpd_t tftpdir_t:lnk_file { getattr read };
allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)


@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t)
allow tgtd_t self:capability sys_resource;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:sem create_sem_perms;
allow tgtd_t self:tcp_socket create_stream_socket_perms;


@ -43,7 +43,6 @@ files_pid_file(tor_var_run_t)
allow tor_t self:capability { setgid setuid sys_tty_config };
allow tor_t self:process signal;
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;


@ -8,12 +8,10 @@ policy_module(ucspitcp, 1.3.0)
type rblsmtpd_t;
type rblsmtpd_exec_t;
init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
role system_r types rblsmtpd_t;
type ucspitcp_t;
type ucspitcp_exec_t;
init_system_domain(ucspitcp_t, ucspitcp_exec_t)
role system_r types ucspitcp_t;
########################################
#
@ -89,10 +87,7 @@ sysnet_read_config(ucspitcp_t)
optional_policy(`
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
daemontools_sigchld_run(ucspitcp_t)
daemontools_read_svc(ucspitcp_t)
')
optional_policy(`
daemontools_sigchld_run(ucspitcp_t)
')


@ -55,6 +55,7 @@ sysnet_dns_name_resolve(ulogd_t)
optional_policy(`
mysql_stream_connect(ulogd_t)
mysql_tcp_connect(ulogd_t)
')
optional_policy(`


@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
dontaudit uptimed_t self:capability sys_tty_config;
allow uptimed_t self:process signal_perms;
allow uptimed_t self:fifo_file write_file_perms;
allow uptimed_t self:fifo_file write_fifo_file_perms;
allow uptimed_t uptimed_etc_t:file read_file_perms;
files_search_etc(uptimed_t)


@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0)
type uucpd_t;
type uucpd_exec_t;
inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
role system_r types uucpd_t;
type uucpd_lock_t;
files_lock_file(uucpd_lock_t)
@ -124,7 +123,7 @@ optional_policy(`
#
allow uux_t self:capability { setuid setgid };
allow uux_t self:fifo_file write_file_perms;
allow uux_t self:fifo_file write_fifo_file_perms;
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)


@ -70,7 +70,7 @@ manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
files_pid_filetrans(varnishd_t, varnishd_var_run_t, { file })
files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
kernel_read_system_state(varnishd_t)
@ -108,7 +108,7 @@ tunable_policy(`varnishd_connect_any',`
#
manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, { file })
files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)


@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
allow vhostmd_t self:process { setsched getsched };
allow vhostmd_t self:fifo_file rw_file_perms;
allow vhostmd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)


@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
#
# Declarations
#
attribute virsh_transition_domain;
## <desc>
@ -205,7 +206,6 @@ optional_policy(`
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
allow virtd_t self:fifo_file rw_fifo_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
@ -473,7 +473,7 @@ optional_policy(`
allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
allow virt_domain self:fifo_file rw_file_perms;
allow virt_domain self:fifo_file rw_fifo_file_perms;
allow virt_domain self:shm create_shm_perms;
allow virt_domain self:unix_stream_socket create_stream_socket_perms;
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
@ -571,15 +571,12 @@ optional_policy(`
#
type virsh_t;
type virsh_exec_t;
domain_type(virsh_t)
init_system_domain(virsh_t, virsh_exec_t)
typealias virsh_t alias xm_t;
typealias virsh_exec_t alias xm_exec_t;
allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
allow virsh_t self:process { getcap getsched setcap signal };
# internal communication is often done using fifo and unix sockets.
allow virsh_t self:fifo_file rw_fifo_file_perms;
allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow virsh_t self:tcp_socket create_stream_socket_perms;
@ -672,4 +669,3 @@ optional_policy(`
userdom_search_admin_dir(virsh_ssh_t)
')


@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain allowed to transition.
## </summary>
## </param>
#
@ -24,7 +24,7 @@ interface(`vnstatd_domtrans',`
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Domain allowed to transition.
## </summary>
## </param>
#


@ -24,7 +24,6 @@ cron_system_entry(vnstat_t, vnstat_exec_t)
# vnstatd local policy
#
allow vnstatd_t self:process { fork signal };
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
@ -44,8 +43,7 @@ miscfiles_read_localization(vnstatd_t)
#
# vnstat local policy
#
allow vnstat_t self:process { signal };
allow vnstat_t self:process signal;
allow vnstat_t self:fifo_file rw_fifo_file_perms;
allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
@ -65,5 +63,3 @@ fs_getattr_xattr_fs(vnstat_t)
logging_send_syslog_msg(vnstat_t)
miscfiles_read_localization(vnstat_t)


@ -63,7 +63,6 @@ gen_tunable(user_direct_dri, false)
attribute xdmhomewriter;
attribute x_userdomain;
attribute x_domain;
# X Events
@ -133,7 +132,6 @@ type user_fonts_cache_t;
typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
;
userdom_user_home_content(user_fonts_cache_t)
type user_fonts_config_t;
@ -154,7 +152,6 @@ type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
typealias iceauth_home_t alias { xguest_iceauth_home_t };
files_poly_member(iceauth_home_t)
userdom_user_home_content(iceauth_home_t)
type xauth_t;
@ -169,7 +166,6 @@ type xauth_home_t;
typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
files_poly_member(xauth_home_t)
userdom_user_home_content(xauth_home_t)
type xauth_tmp_t;
@ -362,6 +358,8 @@ userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
userdom_read_all_users_state(xauth_t)
xserver_rw_xdm_tmp_files(xauth_t)
ifdef(`hide_broken_symptoms',`
fs_dontaudit_rw_anon_inodefs_files(xauth_t)
fs_dontaudit_list_inotifyfs(xauth_t)
@ -371,8 +369,6 @@ ifdef(`hide_broken_symptoms', `
miscfiles_read_fonts(xauth_t)
')
xserver_rw_xdm_tmp_files(xauth_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(xauth_t)
fs_read_nfs_symlinks(xauth_t)
@ -403,8 +399,7 @@ optional_policy(`
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace };
allow xdm_t self:process { getattr getcap setcap };
allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@ -419,7 +414,7 @@ allow xdm_t self:key { search link write };
allow xdm_t xauth_home_t:file manage_file_perms;
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@ -488,7 +483,7 @@ allow xdm_t xserver_t:process { signal signull };
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@ -656,6 +651,14 @@ application_signal(xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
')
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
fs_manage_nfs_files(xdm_t)
@ -728,10 +731,8 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(xdm_t)
')
')
optional_policy(`
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
@ -822,14 +823,6 @@ optional_policy(`
unconfined_signal(xdm_t)
')
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
')
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
')
@ -884,10 +877,6 @@ allow xserver_t self:udp_socket create_socket_perms;
allow xserver_t self:netlink_selinux_socket create_socket_perms;
allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
# Device rules
allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
allow x_domain xserver_t:x_screen getattr;
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
@ -1126,7 +1115,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xserver_t xdm_var_lib_t:file read_file_perms;
dontaudit xserver_t xdm_var_lib_t:dir search;
dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
@ -1136,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
@ -1153,10 +1142,6 @@ userdom_read_all_users_state(xserver_t)
xserver_use_user_fonts(xserver_t)
optional_policy(`
userhelper_search_config(xserver_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
@ -1186,6 +1171,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
optional_policy(`
userhelper_search_config(xserver_t)
')
########################################
#
# Rules common to all X window domains
@ -1229,7 +1218,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
allow x_domain self:x_drawable { blend };
allow x_domain self:x_drawable blend;
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@ -1283,11 +1272,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
# Device rules
allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
allow x_domain xserver_t:x_screen getattr;
########################################
#
# Rules for unconfined access to this module
#
allow xserver_unconfined_type xserver_t:x_server *;
allow xserver_unconfined_type xdrawable_type:x_drawable *;
allow xserver_unconfined_type xserver_t:x_screen *;
allow xserver_unconfined_type x_domain:x_gc *;
allow xserver_unconfined_type xcolormap_type:x_colormap *;
allow xserver_unconfined_type xproperty_type:x_property *;
allow xserver_unconfined_type xselection_type:x_selection *;
allow xserver_unconfined_type x_domain:x_cursor *;
allow xserver_unconfined_type x_domain:x_client *;
allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
@ -1309,31 +1318,6 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
allow xserver_unconfined_type xserver_t:x_server *;
allow xserver_unconfined_type xdrawable_type:x_drawable *;
allow xserver_unconfined_type xserver_t:x_screen *;
allow xserver_unconfined_type x_domain:x_gc *;
allow xserver_unconfined_type xcolormap_type:x_colormap *;
allow xserver_unconfined_type xproperty_type:x_property *;
allow xserver_unconfined_type xselection_type:x_selection *;
allow xserver_unconfined_type x_domain:x_cursor *;
allow xserver_unconfined_type x_domain:x_client *;
allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
optional_policy(`
unconfined_rw_shm(xserver_t)
unconfined_execmem_rw_shm(xserver_t)
# xserver signals unconfined user on startx
unconfined_signal(xserver_t)
unconfined_getpgid(xserver_t)
')
tunable_policy(`allow_xserver_execmem',`
allow xserver_t self:process { execheap execmem execstack };
')
@ -1354,3 +1338,12 @@ tunable_policy(`use_nfs_home_dirs',`
tunable_policy(`use_samba_home_dirs',`
fs_append_cifs_files(xdmhomewriter)
')
optional_policy(`
unconfined_rw_shm(xserver_t)
unconfined_execmem_rw_shm(xserver_t)
# xserver signals unconfined user on startx
unconfined_signal(xserver_t)
unconfined_getpgid(xserver_t)
')
@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
#
allow zabbix_t self:capability { setuid setgid };
allow zabbix_t self:fifo_file rw_file_perms;
allow zabbix_t self:fifo_file rw_fifo_file_perms;
allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
# log files
allow zabbix_t zabbix_log_t:dir setattr;
allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
logging_log_filetrans(zabbix_t, zabbix_log_t, file)
@ -73,7 +73,7 @@ optional_policy(`
#
allow zarafa_spooler_t self:capability { chown kill };
allow zarafa_spooler_t self:process { signal };
allow zarafa_spooler_t self:process signal;
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
@ -110,7 +110,6 @@ allow zarafa_monitor_t self:capability chown;
# bad permission on /etc/zarafa
allow zarafa_domain self:capability { dac_override setgid setuid };
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
allow zarafa_domain self:tcp_socket create_stream_socket_perms;
allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
@ -10,7 +10,6 @@ policy_module(zebra, 1.11.1)
## Allow zebra daemon to write it configuration files
## </p>
## </desc>
#
gen_tunable(allow_zebra_write_config, false)
type zebra_t;
@ -52,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
allow zebra_t zebra_log_t:dir setattr;
allow zebra_t zebra_log_t:dir setattr_dir_perms;
manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
#
allow zos_remote_t self:process signal;
allow zos_remote_t self:fifo_file rw_file_perms;
allow zos_remote_t self:fifo_file rw_fifo_file_perms;
allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(zos_remote_t)
@ -520,7 +520,7 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
miscfiles_manage_cert_files(initrc_t)
miscfiles_manage_generic_cert_files(initrc_t)
modutils_read_module_config(initrc_t)
modutils_domtrans_insmod(initrc_t)
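Review bot: The renamed call `miscfiles_manage_generic_cert_files(initrc_t)` still grants initrc_t full manage rights (create, write, unlink) over the generic certificate store, while the comment two lines above states only that slapd's initscript needs to read cert files. Because initrc_t is the domain every initscript runs in, write access to the system trust store is a much larger grant than the stated need, and a read-only interface for generic certs would satisfy the comment if this tree's miscfiles.if provides one; I cannot see that file from here. If slapd's initscript genuinely generates or rewrites certificates, keep the manage interface but make the comment match, e.g. `# slapd initscript creates/updates cert files, so manage (not just read) is required`. The rest of this file section, if any, is outside the visible range.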