tmpfs_t/devpts_t files can be stored on device_t file system
unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unoconfined users types
Hald can connect to user processes over streams
xdm_t now changes the brightness level on the system
mdadm needs to manage hugetlbfs filesystems
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() :
Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.
Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
Rename domain_mmap_low interface to domain_mmap_low_uncond.
Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Dontaudit sandbox_xserver_t trying to get the kernel to load modules
telepathy_msn sends dbus messages to networkmanager
mailman_t trys to read /root/.config
xserver tries to getpgid on processes that start it.
pam_systemd causes /var/run/users to be called for all login programs. Must allow them to create directories
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
When cgroup policy was merged, some changes were made. One of these changes was the renaming of the type for cgroup rules engine daemon configuration file. The cgroup_admin interface was not modified to reflect this change.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Clean up network control section.
Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages are:
- hddtemp_t no longer needs access to read all generic etc_t files.
- allows us to implement a meaningful hddtemp_admin()
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Removed 'SELinux policy for' from policy summaries
Removed rgmanager interface for semaphores (doesn't appear to be needed or used)
Removed redundant calls to libs_use_ld_so and libs_use_shared_libs
Fixed rhcs interface names to match naming rules
Merged tmpfs and semaphore/shm interfaces
Edits:
- Style and whitespace fixes
- Removed interfaces for default_t from ricci.te - this didn't seem right
- Removed link files from rgmanager_manage_tmpfs_files
- Removed rdisc.if patch. it was previously committed
- Not including kernel_kill interface call for rgmanager
- Not including ldap interfaces in rgmanager.te (currently not in refpolicy)
- Not including files_create_var_run_dirs call for rgmanager (not in refpolicy)
Edits:
- Style and whitespace fixes
- Removed read_lnk_files_pattern from nx_read_home_files
- Delete declaration of nx_server_home_ssh_t and files_type since the template already does this
asterisk_manage_lib_files(logrotate_t)
asterisk_exec(logrotate_t)
Needs net_admin
Drops capabilities
connects to unix_stream
execs itself
Requests kernel load modules
Execs shells
Connects to postgresql and snmp ports
Reads urand and generic usb devices
Has mysql and postgresql back ends
sends mail
- signal interfaces
- fusefs support
- bug 566984: getattrs on all blk and chr files
Did not include:
- changes related to samba_unconfined_script_t and samba_unconfined_net_t
- samba_helper_template (didn't appear to be used)
- manage_lnk_files_pattern in samba_manage_var_files
- signal allow rule in samba_domtrans_winbind_helper
- samba_role_notrans
- userdom_manage_user_home_content
Some style and spacing fixes
Removed manage_var_run and manage_var_lib interfaces
Added missing requires to admin interface
Removed permissive line
Fixed some spacing / style issues
I found out a bug when we initialize the database with dbadm_r:dbadm_t
which belongs to sepgsql_admin_type attribute.
In the case when sepgsql_admin_type create a new database objects,
it does not have valid type_transition rules. So, it was failed.
Sorry, I didn't find out it for a long time.
And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
for the administrative domain independently from sepgsql_unconfined_dbadm,
because we need to execute some of system defined procedures to look up
system tables.
Didn't rearrange all the kernel calls, but did add the kernel_request_load_module.
Didn't include the usbmod (doesn't exist in refpolicy at this time).
Included the generic usb device permissions because snort uses libpcap, which can also be used to monitor USB traffic, so this may be a side effect.
From the red hat bug (559861), it sounds as though snort was failing without these permissions, so it doesn't look like a dontaudit would work.
Made some style / spacing changes
Did not include read access to /etc/shadow
Removed manage_var_run and manage_var_lib interfaces
Removed permissive line
some fixes in interfaces, added bind_setattr_zone_dirs interface
sysnet_read_config not needed with auth_use_nsswitch
Did not include init_read_script_tmp_files for named_t
Fixed some style and spacing issues
Replace manage_var_run interface with manage_pid_files with fewer permissions
Replaced rkit_daemon_system_domain with rtkit_schedule
rtkit_daemon_system_domain interface allows domains to say rtkit can setsched on their process.
Needs sys_nice capability
Needs to getsched on all domains.
Fix bug in te file
Me:
changed interface name from rtkit_daemon_system_domain to rtkit_schedule
Already had sys_nice capability
"File context for /etc/sysconfig/pgsql and other bugs.
Sends audit messages connect to posgresql_server port
Reads its own process info"
Moved signal interface for style.
Create apcupsd initrc domtrans.
Call apcupsd initrc domtrans in apcupsd_admin.
Remove obsolete require.
Allow domains to search bin to enable run apcupsd executable file.
Allow domains to search httpd system content to enable run apcupsd cgi script executables.
Allow domains to search var to enable run apcupsd content in /var/www/upcupsd.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Create amavis_initrc_domtrans.
Call amavis_initrc_domtrans from amavis_admin.
Remove obsolete require.
Allow domains to search bin to enable run amavis executable.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Fix networking compatibility.
Allow domains to search bin to enable run abrt executables.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Fix afs_initrc_domtrans.
Remove obsolete require in afs_admin.
Allow domains to search var to enable read write cache.
Allow domains to search bin to enable run afs executable.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t.
Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t.
As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral.
Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
This one makes an effort to check for syntax and that it actually compiles.
Signed-off-by: Matthew Ife <deleriux@airattack-central.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
The motivation for this was xdm_t objects not getting cleaned up,
so the user session tried to interact with them. But since the
default user type is unconfined this problem has gone away for now.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
X Object Manager policy revisions to xserver.if.
This commit consists of two parts:
1. Revisions to xserver_object_types_template and
xserver_common_x_domain_template. This reflects the dropping
of many of the specific event, extension, and property types.
2. New interfaces:
xserver_manage_core_devices: Gives control over core mouse/keyboard.
xserver_unprotected: Allows all clients to access a domain's X objects.
Modified interfaces:
xserver_unconfined: Added x_domain typeattribute statement.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
X Object Manager policy revisions to xserver.te.
This commit consists of three main parts:
1. Code movement. There were X object manager-related statements
scattered somewhat throughout the file; these have been consolidated,
which resulted in some other statements moving (e.g. iceauth_t).
2. Type changes. Many of the specific event, extension, and property
types have been dropped for the time being. The rootwindow_t and
remote_xclient_t types have been renamed, and a root_xcolormap_t
type has been (re-)added. This is for naming consistency.
An "xserver_unprotected" alias has been added for use in labeling
clients whose resources should be globally accessible (e.g. xdm_t).
3. Policy changes. These are mostly related to devices, which now have
separate x_keyboard and x_pointer classes. The "Hacks" section
has been cleaned up, and various other classes have had the default
permissions tweaked.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>